Your message dated Fri, 22 May 2026 21:49:19 +0000
with message-id <[email protected]>
and subject line Bug#1135319: fixed in gnutls28 3.7.9-2+deb12u7
has caused the Debian Bug report #1135319,
regarding gnutls28: CVE-2026-3832 CVE-2026-3833 CVE-2026-5260 CVE-2026-5419
CVE-2026-33845 CVE-2026-33846 CVE-2026-42009 CVE-2026-42010 CVE-2026-42011
CVE-2026-42012 CVE-2026-42013 CVE-2026-42014 CVE-2026-42015
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135319: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135319
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnutls28
Version: 3.8.12-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for gnutls28.
CVE-2026-3832[0], CVE-2026-3833[1], CVE-2026-5260[2],
CVE-2026-5419[3], CVE-2026-33845[4], CVE-2026-33846[5],
CVE-2026-42009[6], CVE-2026-42010[7], CVE-2026-42011[8],
CVE-2026-42012[9], CVE-2026-42013[10], CVE-2026-42014[11],
CVE-2026-42015[12].
Sorry Andreas for the very unspecific bug, it is merely to bring it on
to your radar, probably was not needed though. We will have to decide
how important the set of issues is for DSA or point release update.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-3832
https://www.cve.org/CVERecord?id=CVE-2026-3832
[1] https://security-tracker.debian.org/tracker/CVE-2026-3833
https://www.cve.org/CVERecord?id=CVE-2026-3833
[2] https://security-tracker.debian.org/tracker/CVE-2026-5260
https://www.cve.org/CVERecord?id=CVE-2026-5260
[3] https://security-tracker.debian.org/tracker/CVE-2026-5419
https://www.cve.org/CVERecord?id=CVE-2026-5419
[4] https://security-tracker.debian.org/tracker/CVE-2026-33845
https://www.cve.org/CVERecord?id=CVE-2026-33845
[5] https://security-tracker.debian.org/tracker/CVE-2026-33846
https://www.cve.org/CVERecord?id=CVE-2026-33846
[6] https://security-tracker.debian.org/tracker/CVE-2026-42009
https://www.cve.org/CVERecord?id=CVE-2026-42009
[7] https://security-tracker.debian.org/tracker/CVE-2026-42010
https://www.cve.org/CVERecord?id=CVE-2026-42010
[8] https://security-tracker.debian.org/tracker/CVE-2026-42011
https://www.cve.org/CVERecord?id=CVE-2026-42011
[9] https://security-tracker.debian.org/tracker/CVE-2026-42012
https://www.cve.org/CVERecord?id=CVE-2026-42012
[10] https://security-tracker.debian.org/tracker/CVE-2026-42013
https://www.cve.org/CVERecord?id=CVE-2026-42013
[11] https://security-tracker.debian.org/tracker/CVE-2026-42014
https://www.cve.org/CVERecord?id=CVE-2026-42014
[12] https://security-tracker.debian.org/tracker/CVE-2026-42015
https://www.cve.org/CVERecord?id=CVE-2026-42015
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gnutls28
Source-Version: 3.7.9-2+deb12u7
Done: Andreas Metzler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls28 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 15 May 2026 13:57:52 +0200
Source: gnutls28
Architecture: source
Version: 3.7.9-2+deb12u7
Distribution: bookworm-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1135319
Changes:
gnutls28 (3.7.9-2+deb12u7) bookworm-security; urgency=high
.
* Cherry-pick fixes from 3.8.13 release for oldstable.
+ This includes fixes for these issues: CVE-2026-3833 CVE-2026-5260
CVE-2026-5419 CVE-2026-33845 CVE-2026-33846 CVE-2026-42009
CVE-2026-42010 CVE-2026-42011 CVE-2026-42012 CVE-2026-42013
CVE-2026-42014 CVE-2026-42015.
+ CVE-2026-3832 only applied to release 3.8.9 and later, no patch needed.
+ Patchset pulled from CentOS c8s (3.6.16), split into patchlets, unfuzzed,
adapted for 3.7 (adds
72_0015_gnutls-3.6.16-1810-ocsp-truncated-eku.10.patch). Also added
those patches from CentOS c9s (3.8.10) that are relevant for 3.7.9 (but
were not for 3.6.16).
Closes: #1135319
Checksums-Sha1:
39d8882c6435eb9c804a5b924bde5830b4ea3836 3421 gnutls28_3.7.9-2+deb12u7.dsc
ca11670f3997c32da1e6b2c3a1069a500c35f8cb 164116
gnutls28_3.7.9-2+deb12u7.debian.tar.xz
Checksums-Sha256:
027b2f60e38add78ee611d099dbf34e977a6600d446cc39673534b736a182cb6 3421
gnutls28_3.7.9-2+deb12u7.dsc
bcfcf396482ce7635df255abeff1c811321a84f016c95677db28f56908b25595 164116
gnutls28_3.7.9-2+deb12u7.debian.tar.xz
Files:
64b1647a9ea7ba7f400e665e957f7ad1 3421 libs optional
gnutls28_3.7.9-2+deb12u7.dsc
a476ae166b36b494aa9b2118681368fd 164116 libs optional
gnutls28_3.7.9-2+deb12u7.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---