
[gnutls-devel] GnuTLS 3.5.7 - any patches should I pick for Debian/stretch release?

[gnutls-devel] GnuTLS 3.5.7 - any patches should I pick for Debian/stretch release?

Andreas Metzler
Hello,

Debian/stretch will soon be frozen. Starting February 5 automatic
migration from debian/unstable to sid is stopped and updates of packages
require approval by release managers. I.e. to enter jessie before this
deadline I will need to upload before about January 25.

We currently have 3.5.7 plus PKCS#8-encrypted key decoding bugfix
(e62aaf4bfaf1a4280db23d9729c2d7fa0fdf97e5 and
441d87cdd5548dc03765cc40c3ffc15eb722b474). Are there other severe issues
already fixed in GIT that I should cherry-pick? The 3.5.x branch has
loads of changes after 3.5.7 and afaict only one of these is a feature
addition (-with-default-priority-string) but I would rather not ship a
GIT snapshot in Debian/stable. ;-)

thanks for your assistance, cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel

Re: [gnutls-devel] GnuTLS 3.5.7 - any patches should I pick for Debian/stretch release?

Nikos Mavrogiannopoulos
On Sat, Jan 7, 2017 at 5:33 PM, Andreas Metzler <[hidden email]> wrote:

> Hello,
>
> Debian/stretch will soon be frozen. Starting February 5 automatic
> migration from debian/unstable to sid is stopped and updates of packages
> require approval by release managers. I.e. to enter jessie before this
> deadline I will need to upload before about January 25.
>
> We currently have 3.5.7 plus PKCS#8-encrypted key decoding bugfix
> (e62aaf4bfaf1a4280db23d9729c2d7fa0fdf97e5 and
> 441d87cdd5548dc03765cc40c3ffc15eb722b474). Are there other severe issues
> already fixed in GIT that I should cherry-pick? The 3.5.x branch has
> loads of changes after 3.5.7 and afaict only one of these is a feature
> addition (-with-default-priority-string) but I would rather not ship a
> GIT snapshot in Debian/stable. ;-)

Hi,
My goal is to make a 3.5.x release in the next few days, which will be
the first marked as a stable 3.5.x release. I'd suggest going with it
(or, if not possible, getting all changes from the gnutls_3_5_x branch).


regards,
Nikos


Re: [gnutls-devel] GnuTLS 3.5.7 - any patches should I pick for Debian/stretch release?

Andreas Metzler
On 2017-01-08 Nikos Mavrogiannopoulos <[hidden email]> wrote:
> On Sat, Jan 7, 2017 at 5:33 PM, Andreas Metzler <[hidden email]> wrote:
>> Debian/stretch will soon be frozen. Starting February 5 automatic
>> migration from debian/unstable to sid is stopped and updates of packages
>> require approval by release managers. I.e. to enter jessie before this
>> deadline I will need to upload before about January 25.

>> We currently have 3.5.7 plus PKCS#8-encrypted key decoding bugfix
>> (e62aaf4bfaf1a4280db23d9729c2d7fa0fdf97e5 and
>> 441d87cdd5548dc03765cc40c3ffc15eb722b474). Are there other severe issues
>> already fixed in GIT that I should cherry-pick? The 3.5.x branch has
>> loads of changes after 3.5.7 and afaict only one of these is a feature
>> addition (-with-default-priority-string) but I would rather not ship a
>> GIT snapshot in Debian/stable. ;-)

> Hi,
>  My goal is to make a 3.5.x release in the next few days, which will be
> the first marked as a stable 3.5.x release. I'd suggest going with it
> (or, if not possible, getting all changes from the gnutls_3_5_x branch).

Splendid.

I have just uploaded gnutls_3_5_x GIT HEAD to experimental to get some
more test builds.

Find attached a fix for make dist and a typo fix.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


Attachments: 0001-Fix-make-dist.patch (1K), 0002-typo-fix.patch (893 bytes), signature.asc (849 bytes)

Re: [gnutls-devel] GnuTLS 3.5.7 - any patches should I pick for Debian/stretch release?

Nikos Mavrogiannopoulos
On Sat, 2017-01-07 at 17:33 +0100, Andreas Metzler wrote:
> Hello,
>
> Debian/stretch will soon be frozen. Starting February 5 automatic
> migration from debian/unstable to sid is stopped and updates of packages
> require approval by release managers. I.e. to enter jessie before this
> deadline I will need to upload before about January 25.

A bit late, but some more bug fixes you may be interested in are:

IDNA2008 support: https://gitlab.com/gnutls/gnutls/merge_requests/240
While it is a feature, on certain occasions sticking to IDNA2003 can be
considered a vulnerability because of incompatibilities between the
mappings of UTF-8 DNS names to ASCII format [0]. That is a quite large
bunch of patches, but in the long run I think it is better to support
IDNA2008 rather than sticking to IDNA2003, which may cause potential
CVEs later.

A fix on AVX detection to allow gnutls to run on certain virtual systems:
https://gitlab.com/gnutls/gnutls/commit/ef78a758cb899609d7eb4578017bc752272cb423

regards,
Nikos

[0]. https://www.plesk.com/blog/what-is-the-problem-with-s/



Re: [gnutls-devel] GnuTLS 3.5.7 - any patches should I pick for Debian/stretch release?

Andreas Metzler
On 2017-01-28 Nikos Mavrogiannopoulos <[hidden email]> wrote:
[...]
> A bit late, but some more bug fixes you may be interested in are:

> IDNA2008 support: https://gitlab.com/gnutls/gnutls/merge_requests/240
> While it is a feature, on certain occasions sticking to IDNA2003 can be
> considered a vulnerability because of incompatibilities between the
> mappings of UTF-8 DNS names to ASCII format [0]. That is a quite large
> bunch of patches, but in the long run I think it is better to support
> IDNA2008 rather than sticking to IDNA2003, which may cause potential
> CVEs later.

> A fix on AVX detection to allow gnutls to run on certain virtual systems:
> https://gitlab.com/gnutls/gnutls/commit/ef78a758cb899609d7eb4578017bc752272cb423
[...]

Thanks for the heads-up. Will definitely pull the AVX fix. I will probably
hold back with IDNA2008. It is too big a change to try to squeeze in
quickly.

cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


Re: [gnutls-devel] GnuTLS 3.5.7 - any patches should I pick for Debian/stretch release?

Tim Ruehsen
On Samstag, 28. Januar 2017 18:33:57 CET Andreas Metzler wrote:

> On 2017-01-28 Nikos Mavrogiannopoulos <[hidden email]> wrote:
> [...]
>
> > A bit late, but some more bug fixes you may be interested in are:
> >
> > IDNA2008 support: https://gitlab.com/gnutls/gnutls/merge_requests/240
> > While it is a feature, on certain occasions sticking to IDNA2003 can be
> > considered a vulnerability because of incompatibilities between the
> > mappings of UTF-8 DNS names to ASCII format [0]. That is a quite large
> > bunch of patches, but in the long run I think it is better to support
> > IDNA2008 rather than sticking to IDNA2003, which may cause potential
> > CVEs later.
> >
> > A fix on AVX detection to allow gnutls to run on certain virtual systems:
> > https://gitlab.com/gnutls/gnutls/commit/ef78a758cb899609d7eb4578017bc752272cb423
> [...]
>
> Thanks for the heads-up. Will definitely pull the AVX fix. I will probably
> hold back with IDNA2008. It is too big a change to try to squeeze in
> quickly.
Just want to mention that
- IDNA2008 is a bug + security fix to IDNA2003 (see https://curl.haxx.se/docs/adv_20161102K.html)
- libcurl/curl now uses IDNA2008 + TR46 (libidn2 0.14+). Likely in testing
already.
- libpsl uses IDNA2008 + TR46 (in testing)
- the German registry already uses IDNA2008
- the European registry already uses IDNA2008

AFAIK, Firefox uses IDNA2008, Chromium is still at 2003 (but this might change
at will).

Moving to IDNA2008 cuts some ropes, some characters are disallowed that have
been allowed before (not sure if any registry allowed those before at all).

While it is fine not pushing IDNA2008 in a hurry into the coming stable, you
still have some good arguments on your side if you do ;-)

Regards, Tim

Attachment: signature.asc (849 bytes)
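The mapping incompatibility Nikos points to and the "some characters are disallowed" change Tim mentions, shown side by side as an added illustration that is not part of the thread and not GnuTLS's or libidn's code. Python's stdlib `idna` codec implements IDNA2003 (nameprep + punycode); the `idna2008_encode` function here is an assumed, simplified stand-in for IDNA2008/TR46 non-transitional processing (lowercase, NFC, no case-folding of U+00DF, letters/digits/marks only), not a complete implementation.

```python
import unicodedata


def idna2003_encode(name: str) -> str:
    """IDNA2003 as implemented by Python's stdlib 'idna' codec.

    Nameprep case-folds, so U+00DF (sharp s) is mapped to 'ss' and the
    label becomes plain ASCII with no xn-- prefix.
    """
    return name.encode("idna").decode("ascii")


def _label_allowed_2008(label: str) -> bool:
    # Rough approximation (assumed here) of IDNA2008's PVALID set: letters,
    # digits, combining marks and the hyphen; symbols such as U+2603 are out.
    return all(unicodedata.category(ch)[0] in ("L", "N", "M") or ch == "-"
               for ch in label)


def idna2008_encode(name: str) -> str:
    """Simplified IDNA2008-style encoder (illustrative, not a real library).

    Lowercasing/NFC stand in for the TR46 mapping step; U+00DF is kept as is
    and punycoded, so the resulting label differs from the IDNA2003 one.
    """
    out = []
    for label in name.split("."):
        label = unicodedata.normalize("NFC", label.lower())
        if label.isascii():
            out.append(label)
            continue
        if not _label_allowed_2008(label):
            raise ValueError(f"label {label!r} is not allowed under IDNA2008")
        out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def classify(name: str) -> str:
    """'same' if both standards agree, 'differs' if they map to two different
    ASCII names (two distinct registrations), 'rejected-by-2008' otherwise."""
    a = idna2003_encode(name)
    try:
        b = idna2008_encode(name)
    except ValueError:
        return "rejected-by-2008"
    return "same" if a == b else "differs"


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for n in ("bücher.example", "straße.example", "☃.example"):
        print(n, classify(n), idna2003_encode(n))
```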