Debian Patches

Status for gnutls28/3.7.9-2+deb12u7

Patch Description Author Forwarded Bugs Origin Last update
14_version_gettextcat.diff Version filename of locale data (gnutls30.mo instead of gnutls.mo) This is necessary to make e.g. libgnutls26 and libgnutls28
co-installable.		 Andreas Metzler <ametzler@debian.org> no 2020-09-06
30_guile-snarf.diff Work around guile-snarf hardcoding the at-build default compiler which breaks when it changes ion Debian. Andreas Metzler <ametzler@debian.org> no debian vendor 2014-08-24
40_srptest_doubletimeout.diff Increase timeout for srp test, fixing build error on mipsel Andreas Metzler <ametzler@debian.org> yes upstream vendor 2022-04-13
50_Fix-removal-of-duplicate-certs-during-verification.patch Fix removal of duplicate certs during verification Zoltan Fridrich <zfridric@redhat.com> no 2022-10-17
51_add-gnulib-linkedhash-list-module.diff Result of rebootstrapping with linkedhash-list module Needed for 50_Fix-removal-of-duplicate-certs-during-verification.patch
.
Add linkedhash-list to gnulib_modules= in bootstrap.conf and run
./bootstrap		 Andreas Metzler <ametzler@debian.org> not-needed vendor 2022-10-31
53-fips-fix-checking-on-hash-algorithm-used-in-ECDSA.patch [PATCH 08/29] fips: fix checking on hash algorithm used in ECDSA
Previously we checked against the "preferred" hash algorithm based on
the curve, instead of the one actually used.		 Daiki Ueno <ueno@gnu.org> no 2022-09-20
54-fips-mark-composite-signature-API-not-approved.patch [PATCH 09/29] fips: mark composite signature API not-approved
This makes the FIPS service indicator to transit to not-approved when
gnutls_privkey_sign_hash* is used. In FIPS, single-shot
API (gnutls_privkey_sign_data*) is preferred over composite API.		 Daiki Ueno <ueno@gnu.org> no 2022-09-29
60-auth-rsa_psk-side-step-potential-side-channel.patch [PATCH 11/29] auth/rsa_psk: side-step potential side-channel
This removes branching that depends on secret data, porting changes
for regular RSA key exchange from
4804febddc2ed958e5ae774de2a8f85edeeff538 and
80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the
allow_wrong_pms as it was used sorely to control debug output
depending on the branching.		 Daiki Ueno <ueno@gnu.org> no 2023-10-23
61-x509-detect-loop-in-certificate-chain.patch [PATCH 12/29] x509: detect loop in certificate chain
There can be a loop in a certificate chain, when multiple CA
certificates are cross-signed with each other, such as A → B, B → C,
and C → A. Previously, the verification logic was not capable of
handling this scenario while sorting the certificates in the chain in
_gnutls_sort_clist, resulting in an assertion failure. This patch
properly detects such loop and aborts further processing in a graceful
manner.		 Daiki Ueno <ueno@gnu.org> no 2024-01-11
62-rsa-psk-minimize-branching-after-decryption.patch [PATCH 13/29] rsa-psk: minimize branching after decryption
This moves any non-trivial code between gnutls_privkey_decrypt_data2
and the function return in _gnutls_proc_rsa_psk_client_kx up until the
decryption. This also avoids an extra memcpy to session->key.key.		 Daiki Ueno <ueno@gnu.org> no 2024-01-10
63_01-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch [PATCH 1/5] gnutls_x509_trust_list_verify_crt2: remove length limit of input

Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
chain verification logic crashed with assertion failure. This patch
removes the restriction while keeping the maximum number of
retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.		 Daiki Ueno <ueno@gnu.org> no 2024-01-29
63_02-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch [PATCH 2/5] nettle: avoid normalization of mpz_t in deterministic ECDSA

This removes function calls that potentially leak bit-length of a
private key used to calculate a nonce in deterministic ECDSA. Namely:

- _gnutls_dsa_compute_k has been rewritten to work on always
zero-padded mp_limb_t arrays instead of mpz_t
- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
by a byte array instead of an mpz_t value		 Daiki Ueno <ueno@gnu.org> no 2024-01-12
63_03-serv-fix-memleak-when-a-connected-client-disappears.patch [PATCH 3/5] serv: fix memleak when a connected client disappears
Reported by Hubert Kario.		 Daiki Ueno <ueno@gnu.org> no 2024-01-27
63_04-lib-fix-a-segfault-in-_gnutls13_recv_end_of_early_da.patch [PATCH 4/5] lib: fix a segfault in _gnutls13_recv_end_of_early_data
A crash occur in my app that uses gnutls13 early data, stack trace:

#0 free (libc.so.6 + 0x97bf0)
#1 _gnutls_buffer_clear (libgnutls.so.30 + 0x77c8c)
#2 _gnutls13_recv_end_of_early_data (libgnutls.so.30 + 0xaf308)
#3 _gnutls13_handshake_server (libgnutls.so.30 + 0x42d6c)
#4 handshake_server (libgnutls.so.30 + 0x4ff6c)

The root cause is that _gnutls_buffer_clear() was trying to free
'buf' that is not initialized or set if GNUTLS_NO_END_OF_EARLY_DATA
flag is set on server side.

This patch fixes it by simply initializing buf at the begginning of
_gnutls13_recv_end_of_early_data().		 Xin Long <lucien.xin@gmail.com> no 2024-02-01
63_05-lib-fix-a-potential-segfault-in-_gnutls13_recv_finis.patch [PATCH 5/5] lib: fix a potential segfault in _gnutls13_recv_finished
In _gnutls13_recv_finished(), 'buf' is not initialized or set when
_gnutls13_compute_finished() returns an err, and goto cleanup may
cause a segfault crash as it frees the uninitialized buf.allocd in
_gnutls_buffer_clear().

So fix it by return if _gnutls13_compute_finished() returns an err
in _gnutls13_recv_finished().		 Xin Long <lucien.xin@gmail.com> no 2024-02-01
65-x509-optimize-name-constraints-processing.patch x509: optimize name constraints processing
This switches the representation name constraints from linked lists to
array lists to optimize the lookup performance from O(n) to O(1), also
enforces a limit of name constraint checks against subject alternative
names.		 Daiki Ueno <ueno@gnu.org> no 2024-11-18
67_lib-x509-x509_ext.c-Add-gnutls_free-to-avoid-memory-.patch lib/x509/x509_ext.c: Add gnutls_free() to avoid memory leak
Add gnutls_free() to free ooc if subject_alt_names_set() fails to avoid memory leak.		 Jiasheng Jiang <jian1000@purdue.edu> no 2025-07-05
68_lib-hello_ext.c-Add-gnutls_free-to-avoid-memory-leak.patch lib/hello_ext.c: Add gnutls_free() to avoid memory leak
Add gnutls_free() to free tmp_mod.name in the error handling to avoid memory leak.		 Jiasheng Jiang <jian1000@purdue.edu> no 2025-07-05
69_0001-x509-fix-read-buffer-overrun-in-SCT-timestamps.patch [PATCH 1/6] x509: fix read buffer overrun in SCT timestamps
Prevent reading beyond heap buffer in call to _gnutls_parse_ct_sct
when processing x509 Signed Certificate Timestamps with certain
malformed data. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42530513		 Andrew Hamilton <adhamilt@gmail.com> no 2025-07-07
69_0002-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch [PATCH 2/6] psk: fix read buffer overrun in the "pre_shared_key" extension

While processing the "pre_shared_key" extension in TLS 1.3, if there
are certain malformed data in the extension headers, then the code may
read uninitialized memory (2 bytes) beyond the received TLS extension
buffer. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42513990		 Andrew Hamilton <adhamilt@gmail.com> no 2025-07-07
69_0003-x509-reject-zero-length-version-in-certificate-reque.patch [PATCH 3/6] x509: reject zero-length version in certificate request
Ensure zero size asn1 values are considered invalid in
gnutls_x509_crq_get_version, this ensures crq version is not used
uninitialized. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42536706		 Andrew Hamilton <adhamilt@gmail.com> no 2025-07-07
69_0004-x509-avoid-double-free-when-exporting-othernames-in-.patch [PATCH 4/6] x509: avoid double free when exporting othernames in SAN
Previously, the _gnutls_write_new_othername function, called by
gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
certificate's SAN extension, freed the caller allocated ASN.1
structure upon error, resulting in a potential double-free.

Reported by OpenAI Security Research Team.		 Daiki Ueno <ueno@gnu.org> no 2025-07-07
69_0005-certtool-avoid-1-byte-write-buffer-overrun-when-pars.patch [PATCH 5/6] certtool: avoid 1-byte write buffer overrun when parsing template

Previously, when parsing a template file with a number of key value
pairs, certtool could write a NUL byte after the heap buffer, causing
a memory corruption. This fixes the issue by allocating the NUL byte.
Reported by David Aitel.		 Daiki Ueno <ueno@gnu.org> no 2025-07-07
69_0006-handshake-clear-HSK_PSK_SELECTED-is-when-resetting-b.patch [PATCH 6/6] handshake: clear HSK_PSK_SELECTED is when resetting binders

When a TLS 1.3 handshake involves HRR and resumption or PSK, and the
second Client Hello omits PSK, the server would result in a NULL
pointer dereference as the PSK binder information is cleared while the
HSK_PSK_SELECTED flag is still set. This makes sure that
HSK_PSK_SELECTED flag is always cleared when the PSK binders are
reset. This also makes it clear the HSK_PSK_SELECTED flag is valid
only during a handshake; after that, whether PSK is used can be
checked with gnutls_auth_client_get_type.

Reported by Stefan Bühler.		 Daiki Ueno <ueno@gnu.org> no 2025-07-07
70_0001-pkcs11-try-to-initialize-modules-in-thread-safe-mode.patch pkcs11: try to initialize modules in thread-safe mode
When modules are initialized without CKF_OS_LOCKING_OK nor custom
locking functions, they may skip their internal locking assuming that
the applications will take care of thread-safety, which is costly and
GnuTLS currently doesn't do that.

To mitigate this, this patch changes the module initialization code to
tell the modules to guarantee thread-safety by themselves. If they are
unable to do that, this falls back to the normal initialization
without C_Initialize parameters. This also omits the custom_init flag,
which indicated whether the module is initialized with
p11_kit_module_initialize or a direct call to C_Initialize, now that
modules are always initialized with C_Initialize.		 Daiki Ueno <ueno@gnu.org> no 2025-09-02
70_0002-pkcs11-avoid-stack-overwrite-when-initializing-a-tok.patch pkcs11: avoid stack overwrite when initializing a token
If gnutls_pkcs11_token_init is called with label longer than 32
characters, the internal storage used to blank-fill it would
overflow. This adds a guard to prevent that.		 Daiki Ueno <ueno@gnu.org> no 2025-11-18
71_0001-x509-name_constraints-use-actual-zeroes-in-universal.patch [PATCH 1/9] x509/name_constraints: use actual zeroes in universal exclude IP NC Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
71_0002-tests-name-constraints-ip-stop-swallowing-errors.patch [PATCH 2/9] tests/name-constraints-ip: stop swallowing errors...
... now when it started to pass		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
71_0003-x509-name_constraints-reject-some-malformed-domain-n.patch [PATCH 3/9] x509/name_constraints: reject some malformed domain names Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
71_0004-x509-name_constraints-name_constraints_node_add_-new.patch [PATCH 4/9] x509/name_constraints: name_constraints_node_add_{new,copy} Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-05
71_0005-x509-name_constraints-introduce-a-rich-comparator.patch [PATCH 5/9] x509/name_constraints: introduce a rich comparator
These are preparatory changes before implementing N * log N intersection
over sorted lists of constraints.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
71_0006-x509-name_constraints-add-sorted_view-in-preparation.patch [PATCH 6/9] x509/name_constraints: add sorted_view in preparation...
... for actually using it later for performance gains.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
71_0007-x509-name_constraints-implement-name_constraints_nod.patch [PATCH 7/9] x509/name_constraints: implement name_constraints_node_list_union Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
71_0008-x509-name_constraints-make-types_with_empty_intersec.patch [PATCH 8/9] x509/name_constraints: make types_with_empty_intersection a bitmask Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
71_0009-x509-name_constraints-name_constraints_node_list_int.patch [PATCH 9/9] x509/name_constraints: name_constraints_node_list_intersect over sorted Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
72_0001_gnutls-3.6.16-CVE-2026-33846-dtls-len.00.patch [PATCH 1/8] tests/mini-dtls-fragments: implement a basic DTLS test Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-20
72_0001_gnutls-3.6.16-CVE-2026-33846-dtls-len.01.patch [PATCH 2/8] buffers: reformat ssmerge_handshake_packet Alexander Sosedkin <asosedkin@redhat.com> no 2026-05-04
72_0001_gnutls-3.6.16-CVE-2026-33846-dtls-len.02.patch [PATCH 3/8] buffers: shorten merge_handshake_packet using recv_buf
I had vague concerns about thread-safety of this,
but then this pattern already exists within the file.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-17
72_0001_gnutls-3.6.16-CVE-2026-33846-dtls-len.03.patch [PATCH 4/8] buffers: add more checks to DTLS reassembly
Previously, gnutls didn't check that DTLS fragments claimed
a consistent message_length value.
Additionally, a crucial array size check was missing,
enabling an attacker to cause a heap overwrite.
The updated version rejects fragments with mismatching length
and adds a missing boundary check.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-17
72_0001_gnutls-3.6.16-CVE-2026-33846-dtls-len.04.patch [PATCH 5/8] tests/mini-dtls-fragments: extend with a #1816 reproducer Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-01
72_0001_gnutls-3.6.16-CVE-2026-33846-dtls-len.05.patch [PATCH 6/8] tests/mini-dtls-fragments: extend with fragmenting ClientHello Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-20
72_0001_gnutls-3.6.16-CVE-2026-33846-dtls-len.06.patch [PATCH 7/8] buffers: match DTLS datagrams by sequence number
DTLS handshake fragment reassembly previously matched incoming fragments
by handshake type only, without checking the sequence number.
This allowed fragments from different handshake messages
to be merged into the same reassembly buffer.

Now sequence number is accounted for during reassembly,
ensuring fragments are only merged when they belong
to the same handshake message.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-20
72_0001_gnutls-3.6.16-CVE-2026-33846-dtls-len.07.patch [PATCH 8/8] tests/mini-dtls-fragments: #1839 mismatching message_seq Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-20
72_0002_gnutls-3.6.16-CVE-2026-42009-dtls-qsort.00.patch [PATCH 1/2] lib/buffers: ensure packets have differing sequence numbers

There should normally be no packets with same sequence number and
differing handshake type, unless an adversary crafts them.
Discarding them allows to get rid of packets
with duplicate sequence ID in the buffer,
relieving us from the question of how to sort them later.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-21
72_0002_gnutls-3.6.16-CVE-2026-42009-dtls-qsort.01.patch [PATCH 2/2] buffers: fix handshake_compare when sequence numbers match

The comparator function used for ordering DTLS packets
by sequence numbers did not follow qsort comparator contracts
in case of packets with duplicate sequence numbers,
which could lead to unstable ordering or undefined behaviour.
Returning 0 in such cases makes the sorting stable.		 Joshua Rogers <joshua@joshua.hu> no 2026-04-21
72_0003_gnutls-3.6.16-CVE-2026-33845-dtls-uflow.00.patch [PATCH 1/5] buffers: rename a variable in parse_handshake_header Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-22
72_0003_gnutls-3.6.16-CVE-2026-33845-dtls-uflow.01.patch [PATCH 2/5] buffers: switch from end_offset over to frag_length
Instead of maintaining an inclusive [start_offset, end_offset] range
when reassembling DTLS handshake,
track start_offset and a relative frag_length instead.

You'd think it'd be a no-op, but it fixes:

* 0-length fragments triggering completion if message was 1 byte long
* a remotely triggerable underflow and an ensuing heap overrun		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-23
72_0003_gnutls-3.6.16-CVE-2026-33845-dtls-uflow.02.patch [PATCH 3/5] buffers: simplify and tighten parse_handshake_header checks

* frag_size > data_size is now rejected even when length == 0
* length == 0 && frag_size > 0 is now rejected even when start_offset == 0
* start_offset > length is now rejected even when frag_size == 0		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-23
72_0003_gnutls-3.6.16-CVE-2026-33845-dtls-uflow.03.patch [PATCH 4/5] tests/mini-dtls-fragments: test injecting 0-length ones Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-20
72_0003_gnutls-3.6.16-CVE-2026-33845-dtls-uflow.04.patch [PATCH 5/5] tests/mini-dtls-fragments: test #1811 crashing datagram Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-23
72_0004_gnutls-3.6.16-CVE-2026-42010-psk-nul.00.patch [PATCH 1/6] tests/pskself2: reformat Alexander Sosedkin <asosedkin@redhat.com> no 2026-05-04
72_0004_gnutls-3.6.16-CVE-2026-42010-psk-nul.01.patch [PATCH 2/6] tests/pskself2: extend with RSA-PSK support Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-21
72_0004_gnutls-3.6.16-CVE-2026-42010-psk-nul.02.patch [PATCH 3/6] lib/auth/rsa_psk: fix binary PSK identity lookup
A server looking up PSK username with a NUL-character in it
was wrongfully matching username truncated at a NUL-character.
Fix the check to compare up to the full username length.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-21
72_0004_gnutls-3.6.16-CVE-2026-42010-psk-nul.03.patch [PATCH 4/6] tests/pskself2: test username with NUL in the middle (#1850) Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-21
72_0004_gnutls-3.6.16-CVE-2026-42010-psk-nul.04.patch [PATCH 5/6] tests/pskself2: sprinkle NUL into key for good measure Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-21
72_0004_gnutls-3.6.16-CVE-2026-42010-psk-nul.05.patch [PATCH 6/6] lib/auth/psk_passwd: limit the length of the comparison
Comparing a long username from a password file
to a short username from the wire
could lead to a heap overread up to the difference in their lengths.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-27
72_0005_gnutls-3.6.16-CVE-2026-3833-nc-case.00.patch [PATCH 1/2] x509/name-constraints: compare domain names case-insensitive

RFC 5280 7.2:
> When comparing DNS names for equality, conforming implementations
> MUST perform a case-insensitive exact match on the entire DNS name.
> When evaluating name constraints, conforming implementations MUST
> perform a case-insensitive exact match on a label-by-label basis.

Domain name comparison during name constraints processing
was case-sensitive. For excluded name constraints, this could lead to
incorrectly accepting domain names that should've been rejected.
The code for comparing domain names and domain name parts of emails
has been modified to perform case-insensitive comparison instead.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-16
72_0005_gnutls-3.6.16-CVE-2026-3833-nc-case.01.patch [PATCH 2/2] tests/name-constraints: add case-sensitivity check Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-16
72_0006_gnutls-3.6.16-CVE-2026-42011-nc-intersect.00.patch [PATCH 1/2] x509/name_constraints: fix intersecting empty constraints
Permitted name constraints were wrongfully ignored
when prior CAs only had excluded name constraints,
resulting in a name constraint bypass.

With this change, they are taken into account and propagate.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-14
72_0006_gnutls-3.6.16-CVE-2026-42011-nc-intersect.01.patch [PATCH 2/2] tests/name-constraints-merge: extend to cover #1824 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-14
72_0007_gnutls-3.6.16-CVE-2026-42012-url-san-cn.00.patch [PATCH 1/6] x509/virt-san: a small OOM-correctness fix Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-28
72_0007_gnutls-3.6.16-CVE-2026-42012-url-san-cn.01.patch [PATCH 2/6] x509: add bare-bones awareness of SRV virtual SAN
There's no support for constraints, no certtool support, no nothing.
Just added what's easy to add because I needed a virtual SAN for them.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-13
72_0007_gnutls-3.6.16-CVE-2026-42012-url-san-cn.02.patch [PATCH 3/6] x509/hostname-verify: use memchr for embedded-null check
_gnutls_has_embedded_null uses strlen, which reads past the buffer if
there is no NUL within the first size bytes. memchr(p, '\0', size) is
the bounded equivalent.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-05-04
72_0007_gnutls-3.6.16-CVE-2026-42012-url-san-cn.03.patch [PATCH 3/6] x509/hostname-verify: refactor and simplify CN fallback logic Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-13
72_0007_gnutls-3.6.16-CVE-2026-42012-url-san-cn.04.patch [PATCH 5/6] x509/hostname-verify: make URI/SRV SAN preclude CN fallback

URI/SRV SAN did not suppress CN fallback as required by RFC 6125 6.4.4:
> a client MUST NOT seek a match for a reference identifier of CN-ID
> if the presented identifiers include a DNS-ID, *SRV-ID*, *URI-ID*,
> or any application-specific identifier types supported by the client.

With this change, certificates containing URI or SRV SAN
no longer pass DNS hostname checks via CN fallback
to avoid potential misuse of such certificates
beyond their original purpose.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-13
72_0007_gnutls-3.6.16-CVE-2026-42012-url-san-cn.05.patch [PATCH 6/6] tests/hostname-check: extend to exercise no-CN-fallback Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-13
72_0008_gnutls-3.6.16-CVE-2026-42013-oversized-san.00.patch [PATCH 1/3] x509/email-verify: call fallback DN fallback
A comment was inaccurately referring to DN email field fallback
as CN fallback.
Rename a few things as well to match x509/hostname-verify more closely.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-15
72_0008_gnutls-3.6.16-CVE-2026-42013-oversized-san.01.patch [PATCH 2/3] x509: prevent fallback on oversized SAN
Passing oversized SAN did not preclude CN (or DN email) fallback
during verification, which is an RFC 6125 6.4.4 violation.

Now oversized SAN are skipped over,
but prevent the fallback from happening.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-15
72_0008_gnutls-3.6.16-CVE-2026-42013-oversized-san.02.patch [PATCH 3/3] tests/cert-tests: add tests for #1825 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-15
72_0009_gnutls-3.6.16-CVE-2026-42014-so-pin-uaf.00.patch pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin
Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with
oldpin == NULL for a token that lacks a protected authentication path
led to a use-after-free.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-18
72_0010_gnutls-3.6.16-CVE-2026-5260-p11-rsa-overread.00.patch [PATCH 1/2] lib/auth/rsa: check that ciphertext matches the modulus size

A client sending extremely short premaster secret as part of an
RSA key exchange could've theoretically triggered a short heap overread
to nowhere when the RSA key was backed with a PKCS#11 token.
With this fix, the internal decryption function will not be called
with an mismatching plaintext length specified, avoiding the overread.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-30
72_0010_gnutls-3.6.16-CVE-2026-5260-p11-rsa-overread.01.patch [PATCH 2/2] lib/pkcs11_privkey: guard against overreading on short ciphertexts

This is an alternative fix for the callee side.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-30
72_0011_gnutls-3.6.16-CVE-2026-42015-p12-bag32.00.patch x509/pkcs12_bag: fix off-by-one in bag element bounds check
Appending elements to a PKCS#12 bag had a bounds check that
prevented adding the 32nd element.
On the other hand, it is possible to import one that already has 32.
Subsequent appending then led to writing past the 32-element array,
smashing its length.

Tighten the check to reject any bag with 32 or more elements.

We'll treat this vulnerability as a Low due to how contrived
the requirements are: for the code to be vulnerable,
it needs to append to an imported untrusted unencrypted PKCS#12 structure.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-20
72_0014_gnutls-3.6.16-1808-psk-rehandshake.00.patch [PATCH 1/3] handshake-checks: fix username comparison during rehandshake

This is definitely a security issue
subverting the GNUTLS_ALLOW_ID_CHANGE protection,
but its real-life exploitability is under question.		 Joshua Rogers <joshua@joshua.hu> no 2026-03-18
72_0014_gnutls-3.6.16-1808-psk-rehandshake.01.patch [PATCH 2/3] tests/rehandshake-switch-psk-id: refactor a bit Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-18
72_0014_gnutls-3.6.16-1808-psk-rehandshake.02.patch [PATCH 3/3] tests/rehandshake-switch-psk-id: test usernames of varied length Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-18
72_0015_gnutls-3.6.16-1810-ocsp-truncated-eku.00.patch [PATCH 1/3] x509/ocsp: check OCSP delegated signer EKU OID to full length

The retrieved certificate purpose OID was compared against the expected
1.3.6.1.5.5.7.3.9 value without checking if the lengths were identical,
allowing a value that constitutes a prefix to match.
The check now compares the length as well.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-19
72_0015_gnutls-3.6.16-1810-ocsp-truncated-eku.01.patch [PATCH 2/3] tests/ocsp: test against a truncated EKU OID Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-19
72_0015_gnutls-3.6.16-1810-ocsp-truncated-eku.02.patch [PATCH 3/3] tests/ocsp: do not exit(1), fail does that Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-23
72_0015_gnutls-3.6.16-1810-ocsp-truncated-eku.10.patch Adapt backported (from 3.8 to 3.6) for 3.7 Andreas Metzler <ametzler@debian.org> not-needed backport 2026-05-10
72_0017_gnutls-3.6.16-1818-rsa-coprime.00.patch nettle/pk: check RSA key coprimality in verify_params
Previously, gnutls_privkey_verify_params has overlooked
the scenario of p and q not being co-prime,
and proceeded with undefined behaviour that was extremely likely
to error out in practice anyway.
Now it returns GNUTLS_E_PK_INVALID_PRIVKEY in this case.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-07
72_0018_gnutls-3.6.16-1818-pem-parsing.00.patch [PATCH 1/2] lib/x509/privkey_openssl: mind header size more carefully
When parsing private keys in OpenSSL PEM format, GnuTLS did not perform
sufficient bounds checking for the length of the PEM header being parsed.
For specially crafted inputs, this could lead to heap overreads.
There was no confidentiality risk and
the crash potential was limited to instrumented builds in practice.
This change instates the overlooked bounds checking.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-07
72_0018_gnutls-3.6.16-1818-pem-parsing.01.patch [PATCH 2/2] tests/key-openssl: add a test for #1818.4 OpenSSL PEM parsing Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-07
72_0019_gnutls-3.6.16-1819-dblfree-mid-import.00.patch lib/x509: fix cleanup when gnutls_x509_crt_list_import_pkcs11 fails

Previously gnutls_x509_trust_list_remove_trust_file tried to free
the entire xcrt_list, even though one source of failures is
gnutls_pkcs11_obj_list_import_url2 that deinits it up to the correct
position.

With this change, both functions zero unused entries.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-10
72_0022_gnutls-3.6.16-1817-security-parameters.00.patch session_pack: validate session_id_size on unpacking
A check for session_id_size not exceeding GNUTLS_MAX_SESSION_ID_SIZE
on loading persisted TLS session data was overlooked,
leading to a heap overflow
were the data corrupted in a malicious manner.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-07
72_0025_gnutls-3.8.10-CVE-2026-5419-p7-constant-time00.patch [PATCH 1/2] gnutls_cipher_decrypt3: make PKCS#7 unpadding branch free
This tries to make the logic of PKCS#7 padding removal constant-time,
by removing potential branching operations.		 Daiki Ueno <ueno@gnu.org> no 2026-04-01
72_0025_gnutls-3.8.10-CVE-2026-5419-p7-constant-time01.patch [PATCH 2/2] tests/cipher-padding: exercise invalid padding case
This adds a negative test case, where a PKCS#7 padding is manipulated.		 Daiki Ueno <ueno@gnu.org> no 2026-04-01
72_0026_gnutls-3.8.10-1822-sct-overread.patch lib/x509/x509_ext: avoid a heap overread in SCT extension parser

Parsing a specially crafted SCT extension could previously lead to
a short heap overread.
The list-length validation didn't account for the 2-byte length field.

The fix now accounts for the header field length,
ensuring the parsing stays within the buffer.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-13
72_0027_gnutls-3.8.10-1823-cfg-clear-options00.patch [PATCH 1/2] src/cfg: fix iterating in clear_options, on the error path

Calling testing tools bundled with GnuTLS with malformed arguments
could lead to crashing them.
This change makes the error path of option parsing more robust.		 Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-14
72_0027_gnutls-3.8.10-1823-cfg-clear-options01.patch [PATCH 2/2] src/cfg: avoid a data leak in clear_options, on the error path Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-14

All known versions for source package 'gnutls28'

Links