summaryrefslogtreecommitdiffstats
path: root/debian/libgnutls30.NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'debian/libgnutls30.NEWS')
-rw-r--r--debian/libgnutls30.NEWS55
1 files changed, 55 insertions, 0 deletions
diff --git a/debian/libgnutls30.NEWS b/debian/libgnutls30.NEWS
new file mode 100644
index 0000000..c30ea2c
--- /dev/null
+++ b/debian/libgnutls30.NEWS
@@ -0,0 +1,55 @@
+gnutls28 (3.0.0-1) experimental; urgency=low
+
+ GnuTLS is now using nettle instead of libgcrypt as crypto backend.
+
+ Related to this change (nettle uses LGPLv3+ licensed GMP) the licensing has
+ change. GnuTLS is LGPLv3+ now, GnuTLS-EXTRA GPLv3+. GnuTLS can therefore not
+ be used by projects using GPLv2 without the "or later" clause.
+
+ -- Andreas Metzler <ametzler@downhill.g.la> Sun, 14 Aug 2011 14:27:12 +0200
+
+gnutls26 (2.6.6-1) unstable; urgency=high
+
+ libgnutls: Check expiration/activation time on untrusted certificates.
+ Before the library did not check activation/expiration times on
+ certificates, and was documented as not doing so. We have realized that
+ many applications that use libgnutls, including gnutls-cli, fail to
+ perform proper checks. Implementing similar logic in all applications
+ leads to code duplication. Hence, we decided to check whether the
+ current time (as reported by the time function) is within the
+ activation/expiration period of certificates when verifying untrusted
+ certificates.
+
+ This changes the semantics of gnutls_x509_crt_list_verify, which in
+ turn is used by gnutls_certificate_verify_peers and
+ gnutls_certificate_verify_peers2. We add two new
+ gnutls_certificate_status_t codes for reporting the new error
+ condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also
+ add a new gnutls_certificate_verify_flags flag,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
+ behaviour.
+ GNUTLS-SA-2009-3 CVE-2009-1417
+ http://www.gnu.org/software/gnutls/security.html
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 30 Apr 2009 19:00:21 +0200
+
+gnutls26 (2.4.2-5) unstable; urgency=medium
+
+ * The gnutls certificate verification code has been changed to stop
+ trusting some weak algoritms. Verifying untrusted X.509 certificates
+ signed with RSA-MD2 or RSA-MD5 will now fail with a
+ GNUTLS_CERT_INSECURE_ALGORITHM verification output.
+
+ See <http://www.win.tue.nl/hashclash/rogue-ca/>,
+ <http://bugs.debian.org/514578> and
+ <http://www.gnu.org/software/gnutls/manual/gnutls.html#Digital-signatures>
+
+ "certtool -i < signature.pem" will inform about the algoritm used for
+ signing (Search for "Signature Algorithm" in its output.). The proper
+ fix is to re-issue the certificates with a more secure algoritm. As a
+ hotfix the respective certicate itself can be added to the list of
+ trusted certificates. Obviously this should only be done after
+ verifying the certificate by different means than relying on the weak
+ signature.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 07 Feb 2009 12:58:51 +0100
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-18 06:20:10 +0000