Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package gnutls28. The only change is a patch from upstream
to disable the obsolete protocol SSLv3. OpenSSL in jessie also has SSLv3
disabled.

unblock gnutls28/3.3.8-5


Thanks,
Thijs
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2014-11-12 19:31:53.000000000 +0100
+++ gnutls28-3.3.8/debian/changelog	2014-11-20 19:25:24.000000000 +0100
@@ -1,3 +1,10 @@
+gnutls28 (3.3.8-5) unstable; urgency=medium
+
+  * Remove SSL 3.0 from default priorities list.
+    Closes: #769904
+
+ -- Andreas Metzler <ametz...@debian.org>  Thu, 20 Nov 2014 19:25:20 +0100
+
 gnutls28 (3.3.8-4) unstable; urgency=high
 
   * Drop 31_fallback_to_RUSAGE_SELF.diff.
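Review bot: The new changelog entry "Remove SSL 3.0 from default priorities list." does not say that the change is an upstream cherry-pick shipped as 40_no_more_ssl3.diff. It also omits that SSL 3.0 can still be requested explicitly, as the patched documentation continues to show with +VERS-SSL3.0. Adding both would let an administrator reading the changelog tell a change of defaults from a removal of the protocol.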
diff -Nru gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff
--- gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff	2014-11-20 19:20:46.000000000 +0100
@@ -0,0 +1,64 @@
+Description: Remove SSL 3.0 from default priorities list.
+ .
+ This cherry-picks 0e75ac18627f8e92a2186cc7769df4851415ae4f (code change)
+ and ee83078f806d5ca6eccdbfd84371179589a37570 (doc update) from upstream
+ master branch.
+ .
+ Requested by Debian security for consistency with OpenSSL in jessie.
+Author: Nikos Mavrogiannopoulos <n...@redhat.com>
+Origin: upstream
+Bug-Debian: https://bugs.debian.org/769904
+Last-Update: 2014-11-19
+
+--- gnutls28-3.3.10.orig/doc/cha-gtls-app.texi
++++ gnutls28-3.3.10/doc/cha-gtls-app.texi
+@@ -992,7 +992,7 @@ algorithms to be enabled.
+ @end float
+ 
+ Unless the initial keyword is "NONE" the defaults (in preference
+-order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0, SSL3.0; for
++order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0; for
+ compression NULL; for certificate types X.509.
+ In key exchange algorithms when in NORMAL or SECURE levels the
+ perfect forward secrecy algorithms take precedence of the other
+@@ -1054,8 +1054,8 @@ GCM ciphers only). All algorithms from N
+ COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
+ 
+ @item TLS versions @tab
+-VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1,
+-VERS-TLS1.2, VERS-DTLS1.2, VERS-DTLS1.0. 
++VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2,
++VERS-DTLS1.0, VERS-DTLS1.2. 
+ Catch all is VERS-TLS-ALL and VERS-DTLS-ALL.
+ 
+ @item Signature algorithms @tab
+@@ -1199,8 +1199,8 @@ Specifying RSA with AES-128-CBC:
+ Specifying the defaults except ARCFOUR-128:
+     "NORMAL:-ARCFOUR-128"
+ 
+-Enabling the 128-bit secure ciphers, while disabling SSL 3.0 and enabling compression:
+-    "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE"
++Enabling the 128-bit secure ciphers, while disabling TLS 1.0 and enabling compression:
++    "SECURE128:-VERS-TLS1.0:+COMP-DEFLATE"
+ 
+ Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS versions 
+ except TLS 1.2:
+@@ -1593,7 +1593,7 @@ options that are known to cause compatib
+ NORMAL:%COMPAT
+ @end verbatim
+ 
+-For broken peers that do not tolerate TLS version numbers over TLS 1.0
++For very old broken peers that do not tolerate TLS version numbers over TLS 1.0
+ another priority string is:
+ @verbatim
+ NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
+--- gnutls28-3.3.10.orig/lib/gnutls_priority.c
++++ gnutls28-3.3.10/lib/gnutls_priority.c
+@@ -273,7 +273,6 @@ static const int protocol_priority[] = {
+ 	GNUTLS_TLS1_2,
+ 	GNUTLS_TLS1_1,
+ 	GNUTLS_TLS1_0,
+-	GNUTLS_SSL3,
+ 	GNUTLS_DTLS1_2,
+ 	GNUTLS_DTLS1_0,
+ 	0
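Review bot: In the cha-gtls-app.texi part, the "@item TLS versions" hunk drops VERS-SSL3.0 from the list of version keywords, while the compatibility example further down still recommends NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT, so the documentation now uses a keyword it no longer lists. Consider keeping VERS-SSL3.0 in the list with a remark that it is not part of the defaults, and stating whether VERS-TLS-ALL still includes it. The gnutls_priority.c part only removes GNUTLS_SSL3 from protocol_priority[], and the patch carries no test confirming that a session using the defaults no longer offers SSL 3.0.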
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2014-11-12 19:16:31.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/series	2014-11-20 19:20:49.000000000 +0100
@@ -5,3 +5,4 @@
 36_less_refresh-rnd-state.diff
 37_X9.63_sanity_check.diff
 38_testforsanitycheck.diff
+40_no_more_ssl3.diff
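Review bot: The added series entry skips a number: 38_testforsanitycheck.diff is followed directly by 40_no_more_ssl3.diff. If 39 is not reserved for a pending patch, using the 39 prefix would keep the series contiguous.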
