[Bug 1660915] Re: gnutls.pc should not directly link to libz.so in Libs.private

Launchpad Bug Tracker 1660915 at bugs.launchpad.net
Fri Feb 2 17:07:14 UTC 2018 

This bug was fixed in the package gnutls28 - 3.5.17-1ubuntu1

---------------
gnutls28 (3.5.17-1ubuntu1) bionic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - debian/patches/disable_global_init_override_test.patch: disable
      failing test.
    - debian/patches/add-openssl-test-link.patch: add link for libssl
  * Build with --with-included-unistring for now as our libunistring is
    too old and needs a transition.

gnutls28 (3.5.17-1) unstable; urgency=low

  * New upstream version.
    + When verifying against a self signed certificate ignore issuer. That
      is, ignore issuer when checking the issuer's parameters strength,
      resolving issue #347 which caused self signed certificates to be
      additionally marked as of insufficient security level.
      Closes: #885127

gnutls28 (3.5.16-1) unstable; urgency=medium

  * New upstream version.
    + Fixes interoperability issue with openssl when safe renegotiation was
      used. Closes: #873055
  * 35_modernize_gtkdoc.diff from upstream GIT master: Modernize gtk-doc
    support. Update gtk-doc.make, m4/gtk-doc.m4 and doc/reference/Makefile.am
    from gtk-doc git head (that is 1.26 +
    c08cc78562c59082fc83b55b58747177510b7a70). Disable gtkdoc-check.
    Closes: #876587

gnutls28 (3.5.15-2) unstable; urgency=medium

  * Upload to unstable.

gnutls28 (3.5.15-1) experimental; urgency=medium

  * New upstream version. Drop unneeded patches.
    (31_arm64ilp32-unaccelerated.patch
    35_record-added-sanity-checking-in-the-record-layer-ver.patch
    36_parse_pem_cert_mem-fixed-issue-resulting-to-accessin.patch)

gnutls28 (3.5.14-3) unstable; urgency=low

  * 35_record-added-sanity-checking-in-the-record-layer-ver.patch from
    upstream  gnutls_3_5_x branch: Prevent crash on calling gnutls_bye() on an
    already terminated or deinitialized session. Closes: #867303
  * 36_parse_pem_cert_mem-fixed-issue-resulting-to-accessin.patch from
    upstream  gnutls_3_5_x branch: parse_pem_cert_mem: fixed issue resulting
    to accessing past the input data.
  * 31_arm64ilp32-unaccelerated.patch by Wookey: Disable assembly
    code on arm64ilp32 to fix FTBFS. Closes: #872454
  * Use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog, except for
    the compatibility code for setting SOURCE_DATE_EPOCH with dpkg << 1.18.8.
  * Standards-Version 4.0.1, update priorities (extra->optional).

gnutls28 (3.5.14-2) unstable; urgency=medium

  * Upload to unstable.

gnutls28 (3.5.14-1) experimental; urgency=low

  [ Dan Nicholson ]
  * Build with --disable-rpath. Closes: #865674

  [ Andreas Metzler ]
  * New upstream version.
  * Build against external libunistring.

gnutls28 (3.5.13-2) unstable; urgency=medium

  * Upload to unstable, merge changelogs.

gnutls28 (3.5.13-1) experimental; urgency=low

  * New upstream version.
    + Drop 35_test-corrected-typo-preventing-the-run-of-openpgp-te.patch.
    + Fixes GNUTLS-SA-2017-4/CVE-2017-7507 - Crash due to a null pointer
      dereference. #864560

gnutls28 (3.5.12-2) experimental; urgency=medium

  * 35_test-corrected-typo-preventing-the-run-of-openpgp-te.patch: Correct
    typo preventing the run of openpgp test.
  * Stop disabling heartbeat support. Closes: #861193

gnutls28 (3.5.12-1) experimental; urgency=medium

  * New upstream version.
  * Bump dep info on gnutls_session_ext_register.

gnutls28 (3.5.11-1) experimental; urgency=medium

  * New upstream version.
  * gnutls.pc: do not include libtool options into Libs.private.
    Closes: #857943
  * gnutls.pc does not refer to e.g. zlib in *both* Requires.private and
    Libs.private. (LP: #1660915)
  * OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority,
    which includes TLS1.2 support. Closes: #857436
  * Add b-d on ca-certificates, needed for trust-store check.

gnutls28 (3.5.10-1) experimental; urgency=medium

  * New upstream version.
    + gnutls.pc: do not include libidn2 in Requires.private. Closes: #855888
    + Includes fixes for GNUTLS-SA-2017-3[ABC].
    + Bump info for gnutls_store_commitment, gnutls_ocsp_resp_verify_direct
      and gnutls_ocsp_resp_verify which now accept (more) flags.

gnutls28 (3.5.9-1) experimental; urgency=medium

  * New upstream version.
    + Drop debian/patches/35_0*.
    + Update symbol file, adding gnutls_idna_map and gnutls_idna_reverse_map.
  * Build with IDNA 2008 support, b-d on libidn2-0-dev instead of
    libidn11-dev.

 -- Julian Andres Klode <juliank at ubuntu.com>  Mon, 22 Jan 2018 13:24:04
+0100

** Changed in: gnutls28 (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7507

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1660915

Title:
  gnutls.pc should not directly link to libz.so in Libs.private

Status in gnutls28 package in Ubuntu:
  Fix Released

Bug description:
  # Description
  In /usr/lib/x86_64-linux-gnu/pkgconfig/gnutls.pc installed by libgnutls-dev :

  Libs.private is used by pkg-config to give link flags when using the "
  --static" option.

  So Libs.private should contains internal libs used by gnutls to allow user to link statically with
  gnutls.

  If there is a direct link to a .so file, it's break static
  compilation.

  The direct path to libz.so should be replace by "-lz"

  # Ubuntu version
  Ubuntu 16.04, 16.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1660915/+subscriptions

More information about the foundations-bugs mailing list