On 2017-04-24 Antoine Beaupré <anar...@orangeseeds.org> wrote:

> On 2017-04-19 21:37:30, Ola Lundqvist wrote:
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of gnutls26:
>> https://security-tracker.debian.org/tracker/CVE-2017-5337
>> https://security-tracker.debian.org/tracker/CVE-2017-5336
>> https://security-tracker.debian.org/tracker/CVE-2017-5335
>> https://security-tracker.debian.org/tracker/CVE-2017-7869
>> (The last one is a minor issue but an easy fix so it is probably
>> worth fixing anyway).
>
> Actually, all 4 of those are minor issues, in my opinion. They have been
> marked "no-dsa" by the Debian security team, and upstream said:
>
> Recommendation: The support of OpenPGP certificates in GnuTLS is
> considered obsolete. As such, it is not recommended to use OpenPGP
> certificates with GnuTLS. To address the issues found upgrade to
> GnuTLS 3.5.10 or later versions.
>
> Indeed, two weeks ago, OpenPGP support was completely disabled upstream
> for newer GnuTLS releases.

[...]

> So after a long reflection (I've looked at those CVEs a few times already),
> I have marked the 4 CVEs as "no-dsa".
>
> Feel free to say so if you are actually using those extensions and want
> us to take a look again.
>
> To the GnuTLS maintainers: of course, if you want to produce an update
> for wheezy (and, for that matter, jessie), we'd be happy to assist you.

Hello,

Just for completeness' sake: although they are marked no-dsa, we intend to fix them for stable <https://bugs.debian.org/856872>.

Regarding LTS I would rather not touch GnuTLS 2.x anymore. If this box was opened it probably would make sense to upgrade to 2.12.24.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'