[ubuntu/questing-proposed] gnutls28 3.8.9-3ubuntu1 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Fri Jul 11 16:43:18 UTC 2025
gnutls28 (3.8.9-3ubuntu1) questing; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - Enable CET.
    - Set default priority string to only allow TLS1.2, DTLS1.2, and
      TLS1.3 with medium security profile (2048 RSA keys minimum, and
      similar).
    - Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config.
    - Forcefully disable DTLS 0.9 and 1.0 through /etc/gnutls/config.
    - d/patches/crypto-config.patch: also read configuration from
      /var/lib/crypto-config/profiles/current/gnutls.conf
    - Pull patches between 3.8.9 and 2025/03/19:
      + post-3.8.9/*: add upstream patches from git

gnutls28 (3.8.9-3) unstable; urgency=medium

  * Cherry-pick fixes from 3.8.10 release:
    + libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits
      PSK. Reported by Stefan Bühler.
      [GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395]
    + libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS
      timestamps. Spotted by oss-fuzz and reported by OpenAI Security
      Research Team, and fix developed by Andrew Hamilton.
      [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989]
    + libgnutls: Fix double-free upon error when exporting otherName in
      SAN. Reported by OpenAI Security Research Team.
      [GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988]
    + certtool: Fix 1-byte write buffer overrun when parsing template.
      Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low]
      [CVE-2025-32990]
    + Fixes for memory leaks in lib/x509/x509_ext.c and lib/hello_ext.c.
    + Fix uninitialized memory read while processing the "pre_shared_key"
      extension in TLS 1.3.
    + Avoid uninitialized use of crq version.

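The protocol-version hardening listed in the Ubuntu changelog above can be verified on an installed system. The following is an added example written for this page, not code from gnutls28 or its packaging: it parses the GnuTLS system-wide configuration format (assumed here to be the INI-like file with an [overrides] section and one disabled-version line per version), reads the two paths the changelog names, and reports any of TLS 1.0/1.1 and DTLS 0.9/1.0 that are left enabled. SAMPLE_CONFIG is a constructed stand-in for the shipped file, and override-mode=allowlist semantics are not modelled.

```python
import os
import re

# Both paths the changelog names as configuration sources.
CONFIG_PATHS = ["/etc/gnutls/config",
                "/var/lib/crypto-config/profiles/current/gnutls.conf"]
# Versions the changelog says are forcefully disabled.
REQUIRED_DISABLED = {"tls1.0", "tls1.1", "dtls0.9", "dtls1.0"}

# Constructed sample in the shape of /etc/gnutls/config, not the shipped file.
SAMPLE_CONFIG = """\
[overrides]
disabled-version = tls1.0
disabled-version = tls1.1
disabled-version = dtls0.9
disabled-version = dtls1.0
"""

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KEYVAL = re.compile(r"^([\w.-]+)\s*=\s*(.*?)\s*$")

def parse_gnutls_config(text: str) -> dict[str, dict[str, list[str]]]:
    """Section -> key -> [values]. Repeated keys such as disabled-version are
    legal here, so values are kept in lists; configparser would collapse them."""
    sections: dict[str, dict[str, list[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if (m := _SECTION.match(line)):
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif (m := _KEYVAL.match(line)) and current is not None:
            current.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return sections

def disabled_versions(text: str) -> set[str]:
    """Protocol versions the [overrides] section disables."""
    return set(parse_gnutls_config(text).get("overrides", {}).get("disabled-version", []))

def missing_hardening(*configs: str) -> set[str]:
    """Required versions that none of the given config texts disables."""
    seen = set().union(*(disabled_versions(cfg) for cfg in configs))
    return REQUIRED_DISABLED - seen

if __name__ == "__main__":
    # Read whichever of the two files exist; fall back to the sample offline.
    found = [open(p).read() for p in CONFIG_PATHS if os.path.exists(p)]
    gap = missing_hardening(*(found or [SAMPLE_CONFIG]))
    print("legacy versions disabled" if not gap else "still enabled: " + ", ".join(sorted(gap)))
```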
Date: Fri, 11 Jul 2025 10:39:03 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/gnutls28/3.8.9-3ubuntu1
-------------- next part --------------
Format: 1.8
Date: Fri, 11 Jul 2025 10:39:03 -0400
Source: gnutls28
Built-For-Profiles: noudeb
Architecture: source
Version: 3.8.9-3ubuntu1
Distribution: questing
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint at lists.alioth.debian.org>