On 2017-04-19 21:37:30, Ola Lundqvist wrote:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of gnutls26:
> https://security-tracker.debian.org/tracker/CVE-2017-5337
> https://security-tracker.debian.org/tracker/CVE-2017-5336
> https://security-tracker.debian.org/tracker/CVE-2017-5335
> https://security-tracker.debian.org/tracker/CVE-2017-7869
> (The last one is a minor issue but an easy fix so it is probably
> worth fixing anyway).
Actually, all 4 of those are minor issues, in my opinion. They have been
marked "no-dsa" by the Debian security team, and upstream said:

  Recommendation: The support of OpenPGP certificates in GnuTLS is
  considered obsolete. As such, it is not recommended to use OpenPGP
  certificates with GnuTLS. To address the issues found upgrade to
  GnuTLS 3.5.10 or later versions.

Indeed, two weeks ago, OpenPGP support was completely disabled upstream
for newer GnuTLS releases.

As someone who has worked a lot in integrating the OpenPGP web of trust
into TLS, I have never used GnuTLS's OpenPGP support, so I doubt
*anyone* is actually using this.

So after a long reflection (I've looked at those CVEs a few times
already), I have marked the 4 CVEs as "no-dsa". Feel free to say so if
you are actually using those extensions and want us to take a look
again.

To the GnuTLS maintainers: of course, if you want to produce an update
for wheezy (and, for that matter, jessie), we'd be happy to assist you.

A.

-- 
If builders built houses the way programmers built programs,
The first woodpecker to come along would destroy civilization.
                        - Gerald Weinberg