Bug#1067463: marked as done (gnutls28: CVE-2024-28835)

Debian Bug Tracking System Sat, 23 Mar 2024 05:03:23 -0700

Your message dated Sat, 23 Mar 2024 12:58:43 +0100
with message-id <[email protected]>
and subject line Fixed in gnutls28 (3.8.4-1) experimental
has caused the Debian Bug report #1067463,
regarding gnutls28: CVE-2024-28835
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1067463: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067463
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Source: gnutls28
Version: 3.8.3-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/gnutls/gnutls/-/issues/1525
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gnutls28.

CVE-2024-28835[0]:
| A flaw has been discovered in GnuTLS where an application crash can
| be induced when attempting to verify a specially crafted .pem bundle
| using the "certtool --verify-chain" command.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28835
    https://www.cve.org/CVERecord?id=CVE-2024-28835
[1] https://gitlab.com/gnutls/gnutls/-/issues/1525
[2] https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
[3] https://www.gnutls.org/security-new.html#GNUTLS-SA-2024-01-23

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Version: 3.8.4-1

 gnutls28 (3.8.4-1) experimental; urgency=medium
 .
   * New upstream version.
     + Fix side-channel in the deterministic ECDSA.
       Reported by George Pantelakis (#1516).
       [GNUTLS-SA-2023-12-04, CVSS: medium] [CVE-2024-28834]
       Closes: #1067464
     + libgnutls: Fixed a bug where certtool crashed when verifying a
       certificate chain with more than 16 certificates. Reported by William
       Woodruff (#1525) and yixiangzhike (#1527).
       [GNUTLS-SA-2024-01-23, CVSS: medium] [CVE-2024-28835] Closes: #1067463
     + Update copyright info.
     + Update symbol file.

--- End Message ---

Bug#1067463: marked as done (gnutls28: CVE-2024-28835)

Reply via email to