diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog --- gnutls28-3.7.1/debian/changelog 2021-05-29 05:14:30.000000000 -0500 +++ gnutls28-3.7.1/debian/changelog 2021-08-12 13:55:56.000000000 -0500 @@ -1,3 +1,15 @@ +gnutls28 (3.7.1-5ubuntu1) impish; urgency=low + + * Merge from Debian unstable (LP: #1939739). Remaining changes: + - Enable CET. + - Set default priority string to only allow TLS1.2, DTLS1.2, and + TLS1.3 with medium security profile (2048 RSA keys minimum, and + similar). + - Reduce parallelism in build to 2 to address FTBFS with lto + * Add LP bug number to previous merge entry in changelog + + -- William 'jawn-smith' Wilson Thu, 12 Aug 2021 13:17:53 -0600 + gnutls28 (3.7.1-5) unstable; urgency=medium * Another fix from 3.7.2: @@ -7,6 +19,17 @@ -- Andreas Metzler Sat, 29 May 2021 12:14:30 +0200 +gnutls28 (3.7.1-4ubuntu1) impish; urgency=low + + * Merge from Debian unstable (LP: #1929229). Remaining changes: + - Enable CET. + - Set default priority string to only allow TLS1.2, DTLS1.2, and + TLS1.3 with medium security profile (2048 RSA keys minimum, and + similar). + * Fix FTBFS with lto - reduce parallelism to 2. LP: #1922004 + + -- William 'jawn-smith' Wilson Fri, 21 May 2021 10:29:32 -0600 + gnutls28 (3.7.1-4) unstable; urgency=medium * Pull fixes from upstream Git master @@ -30,6 +53,18 @@ -- Andreas Metzler Sun, 25 Apr 2021 12:55:14 +0200 +gnutls28 (3.7.1-3ubuntu1) hirsute; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - Enable CET. + - Set default priority string to only allow TLS1.2, DTLS1.2, and + TLS1.3 with medium security profile (2048 RSA keys minimum, and + similar). + * Fix FTBFS with lto - reduce parallelism to 2. LP: #1922004 + * Merge CVE fixes CVE-2021-20231 CVE-2021-20232 + + -- Dimitri John Ledkov Wed, 14 Apr 2021 15:44:37 +0100 + gnutls28 (3.7.1-3) unstable; urgency=low * Rename/refetch @@ -98,6 +133,16 @@ -- Andreas Metzler Mon, 08 Feb 2021 18:04:21 +0100 +gnutls28 (3.7.0-5ubuntu1) hirsute; urgency=low + + * Merge from Debian unstable LP: #1893924. Remaining changes: + - Enable CET. + - Set default priority string to only allow TLS1.2, DTLS1.2, and + TLS1.3 with medium security profile (2048 RSA keys minimum, and + similar). + + -- Dimitri John Ledkov Thu, 31 Dec 2020 15:56:50 +0000 + gnutls28 (3.7.0-5) unstable; urgency=low * Update from upstream GIT master, replace patches, add new ones. @@ -149,6 +194,17 @@ -- Andreas Metzler Thu, 03 Dec 2020 18:40:03 +0100 +gnutls28 (3.6.15-4ubuntu2) groovy; urgency=low + + * Merge from Debian unstable LP: #1893924. Remaining changes: + - Enable CET. + - Set default priority string to only allow TLS1.2, DTLS1.2, and + TLS1.3 with medium security profile (2048 RSA keys minimum, and + similar). + * Add patch to fix ftbfs gnulib with new glibc. + + -- Dimitri John Ledkov Thu, 24 Sep 2020 12:03:44 +0100 + gnutls28 (3.6.15-4) unstable; urgency=medium * autopkgtest: Require build-essential. @@ -221,6 +277,45 @@ -- Andreas Metzler Sat, 06 Jun 2020 14:11:30 +0200 +gnutls28 (3.6.13-4ubuntu5) groovy; urgency=medium + + * SECURITY UPDATE: null pointer deref via no_renegotiation alert + - debian/patches/CVE-2020-24659.patch: reject no_renegotiation alert if + handshake is incomplete in lib/gnutls_int.h, lib/handshake.c. + - CVE-2020-24659 + + -- Marc Deslauriers Tue, 08 Sep 2020 10:09:39 -0400 + +gnutls28 (3.6.13-4ubuntu4) groovy; urgency=medium + + * No change rebuild against new libnettle8 and libhogweed6 ABI. + + -- Dimitri John Ledkov Mon, 29 Jun 2020 22:24:52 +0100 + +gnutls28 (3.6.13-4ubuntu3) groovy; urgency=medium + + * Enable CET. + + -- Dimitri John Ledkov Sun, 28 Jun 2020 23:48:44 +0100 + +gnutls28 (3.6.13-4ubuntu2) groovy; urgency=medium + + * SECURITY UPDATE: flaw in TLS session ticket key construction + - debian/patches/CVE-2020-13777.patch: differentiate initial state from + valid time window of TOTP in lib/stek.c, + tests/resume-with-previous-stek.c, tests/tls13/prf-early.c. + - CVE-2020-13777 + + -- Marc Deslauriers Fri, 05 Jun 2020 13:12:39 -0400 + +gnutls28 (3.6.13-4ubuntu1) groovy; urgency=medium + + * Resynchronize with Debian; remaining changes: + Set default priority string to only allow TLS1.2, DTLS1.2, and TLS1.3 + with medium security profile (2048 RSA keys minimum, and similar). + + -- Sebastien Bacher Fri, 05 Jun 2020 15:12:03 +0200 + gnutls28 (3.6.13-4) unstable; urgency=medium * Output some network related debugging from debian/rules. @@ -3970,3 +4065,4 @@ * debian/rules: Run auto* after the patches have been applied. -- Ivo Timmermans Fri, 31 Oct 2003 18:47:09 +0100 + diff -Nru gnutls28-3.7.1/debian/control gnutls28-3.7.1/debian/control --- gnutls28-3.7.1/debian/control 2021-05-16 07:16:06.000000000 -0500 +++ gnutls28-3.7.1/debian/control 2021-05-30 07:42:54.000000000 -0500 @@ -1,7 +1,8 @@ Source: gnutls28 Section: libs Priority: optional -Maintainer: Debian GnuTLS Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GnuTLS Maintainers Uploaders: Andreas Metzler , Eric Dorland , diff -Nru gnutls28-3.7.1/debian/patches/9259100633b77a0dc03f83047d7cf778466bf9f3.patch gnutls28-3.7.1/debian/patches/9259100633b77a0dc03f83047d7cf778466bf9f3.patch --- gnutls28-3.7.1/debian/patches/9259100633b77a0dc03f83047d7cf778466bf9f3.patch 1969-12-31 18:00:00.000000000 -0600 +++ gnutls28-3.7.1/debian/patches/9259100633b77a0dc03f83047d7cf778466bf9f3.patch 2021-04-14 09:24:04.000000000 -0500 @@ -0,0 +1,384 @@ +From 9259100633b77a0dc03f83047d7cf778466bf9f3 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Fri, 28 Feb 2020 14:02:21 -0800 +Subject: [PATCH] Update x86-64 assembly codes with CET support + +--- + lib/accelerated/x86/elf/aes-ssse3-x86_64.s | 21 +++++++++++++++ + lib/accelerated/x86/elf/aesni-gcm-x86_64.s | 16 +++++++++++ + lib/accelerated/x86/elf/aesni-x86_64.s | 27 +++++++++++++++++++ + lib/accelerated/x86/elf/e_padlock-x86_64.s | 16 +++++++++++ + lib/accelerated/x86/elf/ghash-x86_64.s | 22 +++++++++++++++ + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s | 16 +++++++++++ + lib/accelerated/x86/elf/sha256-ssse3-x86_64.s | 16 +++++++++++ + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s | 16 +++++++++++ + 8 files changed, 150 insertions(+) + +Index: gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/aes-ssse3-x86_64.s +=================================================================== +--- gnutls28-3.7.0-5ubuntu1.orig/lib/accelerated/x86/elf/aes-ssse3-x86_64.s ++++ gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/aes-ssse3-x86_64.s +@@ -635,6 +635,7 @@ _vpaes_schedule_mangle: + .align 16 + vpaes_set_encrypt_key: + .cfi_startproc ++.byte 243,15,30,250 + movl %esi,%eax + shrl $5,%eax + addl $5,%eax +@@ -653,6 +654,7 @@ vpaes_set_encrypt_key: + .align 16 + vpaes_set_decrypt_key: + .cfi_startproc ++.byte 243,15,30,250 + movl %esi,%eax + shrl $5,%eax + addl $5,%eax +@@ -676,6 +678,7 @@ vpaes_set_decrypt_key: + .align 16 + vpaes_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + movdqu (%rdi),%xmm0 + call _vpaes_preheat + call _vpaes_encrypt_core +@@ -689,6 +692,7 @@ vpaes_encrypt: + .align 16 + vpaes_decrypt: + .cfi_startproc ++.byte 243,15,30,250 + movdqu (%rdi),%xmm0 + call _vpaes_preheat + call _vpaes_decrypt_core +@@ -701,6 +705,7 @@ vpaes_decrypt: + .align 16 + vpaes_cbc_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + xchgq %rcx,%rdx + subq $16,%rcx + jc .Lcbc_abort +@@ -865,3 +870,19 @@ _vpaes_consts: + .size _vpaes_consts,.-_vpaes_consts + + .section .note.GNU-stack,"",%progbits ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: +Index: gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/aesni-gcm-x86_64.s +=================================================================== +--- gnutls28-3.7.0-5ubuntu1.orig/lib/accelerated/x86/elf/aesni-gcm-x86_64.s ++++ gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/aesni-gcm-x86_64.s +@@ -828,3 +828,19 @@ aesni_gcm_encrypt: + .align 64 + + .section .note.GNU-stack,"",%progbits ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: +Index: gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/aesni-x86_64.s +=================================================================== +--- gnutls28-3.7.0-5ubuntu1.orig/lib/accelerated/x86/elf/aesni-x86_64.s ++++ gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/aesni-x86_64.s +@@ -44,6 +44,7 @@ + .align 16 + aesni_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + movups (%rdi),%xmm2 + movl 240(%rdx),%eax + movups (%rdx),%xmm0 +@@ -70,6 +71,7 @@ aesni_encrypt: + .align 16 + aesni_decrypt: + .cfi_startproc ++.byte 243,15,30,250 + movups (%rdi),%xmm2 + movl 240(%rdx),%eax + movups (%rdx),%xmm0 +@@ -557,6 +559,7 @@ _aesni_decrypt8: + .align 16 + aesni_ecb_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + andq $-16,%rdx + jz .Lecb_ret + +@@ -901,6 +904,7 @@ aesni_ecb_encrypt: + .align 16 + aesni_ccm64_encrypt_blocks: + .cfi_startproc ++.byte 243,15,30,250 + movl 240(%rcx),%eax + movdqu (%r8),%xmm6 + movdqa .Lincrement64(%rip),%xmm9 +@@ -966,6 +970,7 @@ aesni_ccm64_encrypt_blocks: + .align 16 + aesni_ccm64_decrypt_blocks: + .cfi_startproc ++.byte 243,15,30,250 + movl 240(%rcx),%eax + movups (%r8),%xmm6 + movdqu (%r9),%xmm3 +@@ -1065,6 +1070,7 @@ aesni_ccm64_decrypt_blocks: + .align 16 + aesni_ctr32_encrypt_blocks: + .cfi_startproc ++.byte 243,15,30,250 + cmpq $1,%rdx + jne .Lctr32_bulk + +@@ -1643,6 +1649,7 @@ aesni_ctr32_encrypt_blocks: + .align 16 + aesni_xts_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + leaq (%rsp),%r11 + .cfi_def_cfa_register %r11 + pushq %rbp +@@ -2113,6 +2120,7 @@ aesni_xts_encrypt: + .align 16 + aesni_xts_decrypt: + .cfi_startproc ++.byte 243,15,30,250 + leaq (%rsp),%r11 + .cfi_def_cfa_register %r11 + pushq %rbp +@@ -2620,6 +2628,7 @@ aesni_xts_decrypt: + .align 32 + aesni_ocb_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + leaq (%rsp),%rax + pushq %rbx + .cfi_adjust_cfa_offset 8 +@@ -3047,6 +3056,7 @@ __ocb_encrypt1: + .align 32 + aesni_ocb_decrypt: + .cfi_startproc ++.byte 243,15,30,250 + leaq (%rsp),%rax + pushq %rbx + .cfi_adjust_cfa_offset 8 +@@ -3484,6 +3494,7 @@ __ocb_decrypt1: + .align 16 + aesni_cbc_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + testq %rdx,%rdx + jz .Lcbc_ret + +@@ -4513,3 +4524,19 @@ __aesni_set_encrypt_key: + .align 64 + + .section .note.GNU-stack,"",%progbits ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: +Index: gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/e_padlock-x86_64.s +=================================================================== +--- gnutls28-3.7.0-5ubuntu1.orig/lib/accelerated/x86/elf/e_padlock-x86_64.s ++++ gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/e_padlock-x86_64.s +@@ -1068,3 +1068,19 @@ padlock_ctr32_encrypt: + .section .note.GNU-stack,"",%progbits + + ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: +Index: gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/ghash-x86_64.s +=================================================================== +--- gnutls28-3.7.0-5ubuntu1.orig/lib/accelerated/x86/elf/ghash-x86_64.s ++++ gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/ghash-x86_64.s +@@ -45,6 +45,7 @@ + .align 16 + gcm_gmult_4bit: + .cfi_startproc ++.byte 243,15,30,250 + pushq %rbx + .cfi_adjust_cfa_offset 8 + .cfi_offset %rbx,-16 +@@ -156,6 +157,7 @@ gcm_gmult_4bit: + .align 16 + gcm_ghash_4bit: + .cfi_startproc ++.byte 243,15,30,250 + pushq %rbx + .cfi_adjust_cfa_offset 8 + .cfi_offset %rbx,-16 +@@ -903,6 +905,7 @@ gcm_init_clmul: + .align 16 + gcm_gmult_clmul: + .cfi_startproc ++.byte 243,15,30,250 + .L_gmult_clmul: + movdqu (%rdi),%xmm0 + movdqa .Lbswap_mask(%rip),%xmm5 +@@ -956,6 +959,7 @@ gcm_gmult_clmul: + .align 32 + gcm_ghash_clmul: + .cfi_startproc ++.byte 243,15,30,250 + .L_ghash_clmul: + movdqa .Lbswap_mask(%rip),%xmm10 + +@@ -1450,6 +1454,7 @@ gcm_init_avx: + .align 32 + gcm_gmult_avx: + .cfi_startproc ++.byte 243,15,30,250 + jmp .L_gmult_clmul + .cfi_endproc + .size gcm_gmult_avx,.-gcm_gmult_avx +@@ -1458,6 +1463,7 @@ gcm_gmult_avx: + .align 32 + gcm_ghash_avx: + .cfi_startproc ++.byte 243,15,30,250 + vzeroupper + + vmovdqu (%rdi),%xmm10 +@@ -1886,3 +1892,19 @@ gcm_ghash_avx: + .align 64 + + .section .note.GNU-stack,"",%progbits ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: +Index: gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s +=================================================================== +--- gnutls28-3.7.0-5ubuntu1.orig/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s ++++ gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s +@@ -5489,3 +5489,19 @@ K_XX_XX: + .align 64 + + .section .note.GNU-stack,"",%progbits ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: +Index: gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s +=================================================================== +--- gnutls28-3.7.0-5ubuntu1.orig/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s ++++ gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s +@@ -5495,3 +5495,19 @@ sha256_block_data_order_avx2: + .size sha256_block_data_order_avx2,.-sha256_block_data_order_avx2 + + .section .note.GNU-stack,"",%progbits ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: +Index: gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s +=================================================================== +--- gnutls28-3.7.0-5ubuntu1.orig/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s ++++ gnutls28-3.7.0-5ubuntu1/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s +@@ -5500,3 +5500,19 @@ sha512_block_data_order_avx2: + .size sha512_block_data_order_avx2,.-sha512_block_data_order_avx2 + + .section .note.GNU-stack,"",%progbits ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: diff -Nru gnutls28-3.7.1/debian/patches/series gnutls28-3.7.1/debian/patches/series --- gnutls28-3.7.1/debian/patches/series 2021-05-29 04:37:38.000000000 -0500 +++ gnutls28-3.7.1/debian/patches/series 2021-05-30 07:42:54.000000000 -0500 @@ -8,6 +8,7 @@ 56_04-examples-avoid-memory-leak-in-tlsproxy.patch 56_05-examples-avoid-memory-leak-in-ex-verify.patch 56_10-build-doc-install-missing-image-file-gnutls-crypto-l.patch +9259100633b77a0dc03f83047d7cf778466bf9f3.patch 56_15-mem-add-_gnutls_reallocarray-and-_gnutls_reallocarra.patch 56_16-pkcs11x-find_ext_cb-fix-error-propagation.patch 56_17-build-avoid-potential-integer-overflow-in-array-allo.patch diff -Nru gnutls28-3.7.1/debian/rules gnutls28-3.7.1/debian/rules --- gnutls28-3.7.1/debian/rules 2021-05-16 07:16:06.000000000 -0500 +++ gnutls28-3.7.1/debian/rules 2021-05-30 07:42:54.000000000 -0500 @@ -35,6 +35,7 @@ --with-packager=Debian \ --with-packager-bug-reports=http://bugs.debian.org/ \ --with-packager-version=$(DEB_VERSION) \ + --with-default-priority-string='NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-DTLS1.2:%PROFILE_MEDIUM' BDIR = -O--builddirectory=b4deb @@ -124,4 +125,4 @@ dh_dwz -O--builddirectory=b4deb -Xextra.go -Xgnutls.go %: - dh $@ --builddirectory=b4deb + dh $@ --builddirectory=b4deb --max-parallel=2