gnutls28 (3.4.10-4ubuntu1.8) xenial; urgency=medium

  * d/p/50_Update-session_ticket.c-to-add-support-for-zero-leng.patch:
    - add support for zero length session tickets returned from the server,
      thanks Rod for the backport and testing! (lp: #1876286)

 -- Sebastien Bacher <seb128@ubuntu.com>  Wed, 17 Jun 2020 23:06:13 +0200

gnutls28 (3.4.10-4ubuntu1.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Allow re-enabling SHA1 for certificate signing with a
    priority string (LP: #1860656)
    - debian/patches/allow_broken_priority_string.patch: introduce the
      %VERIFY_ALLOW_BROKEN priority string option.
    - debian/patches/allow_sha1_priority_string.patch: introduce the
      %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string option.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 23 Jan 2020 08:47:43 -0500

gnutls28 (3.4.10-4ubuntu1.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Mark SHA1 as insecure for certificate signing
    - debian/patches/insecuresha1-*.patch: backport upstream patches to
      allow marking SHA1 as insecure, but only for certificate signing.
    - debian/libgnutls30.symbols: added new symbol.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 08 Jan 2020 12:52:12 -0500

gnutls28 (3.4.10-4ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Lucky-13 issues
    - debian/patches/CVE-2018-1084x-1.patch: correctly account the length
      field in SHA384 HMAC in lib/algorithms/mac.c, lib/gnutls_cipher.c.
    - debian/patches/CVE-2018-1084x-2.patch: always hash the same amount of
      blocks that would have been on minimum pad in lib/gnutls_cipher.c.
    - debian/patches/CVE-2018-1084x-3.patch: require minimum padding under
      SSL3.0 in lib/gnutls_cipher.c.
    - debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256
      ciphersuites were removed from defaults in lib/gnutls_priority.c,
      tests/priorities.c.
    - debian/patches/CVE-2018-1084x-5.patch: fix test for SHA512 in
      tests/pkcs12_encode.c.
    - CVE-2018-10844
    - CVE-2018-10845
    - CVE-2018-10846

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 28 May 2019 13:32:56 -0400

gnutls28 (3.4.10-4ubuntu1.4) xenial; urgency=medium

  * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler:
    OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority,
    which includes TLS1.2 support. (LP: #1709193)

 -- Simon Deziel <simon.deziel@gmail.com>  Mon, 07 Aug 2017 23:04:43 +0000

gnutls28 (3.4.10-4ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference via status response TLS
    extension decoding
    - debian/patches/CVE-2017-7507-1.patch: ensure response IDs are
      properly deinitialized in lib/ext/status_request.c.
    - debian/patches/CVE-2017-7507-2.patch: remove parsing of responder IDs
      from client extension in lib/ext/status_request.c.
    - debian/patches/CVE-2017-7507-3.patch: documented requirements for
      parameters in lib/ext/status_request.c.
    - CVE-2017-7507
  * SECURITY UPDATE: DoS and possible code execution via OpenPGP
    certificate decoding
    - debian/patches/CVE-2017-7869.patch: enforce packet limits in
      lib/opencdk/read-packet.c.
    - CVE-2017-7869

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 12 Jun 2017 09:32:37 -0400

gnutls28 (3.4.10-4ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: OCSP validation issue
    - debian/patches/CVE-2016-7444.patch: correctly verify the serial
      length in lib/x509/ocsp.c.
    - CVE-2016-7444
  * SECURITY UPDATE: denial of service via warning alerts
    - debian/patches/CVE-2016-8610.patch: set a maximum number of warning
      messages in lib/gnutls_int.h, lib/gnutls_handshake.c,
      lib/gnutls_state.c.
    - CVE-2016-8610
  * SECURITY UPDATE: double-free when reading proxy language
    - debian/patches/CVE-2017-5334.patch: fix double-free in
      lib/x509/x509_ext.c.
    - CVE-2017-5334
  * SECURITY UPDATE: out of memory error in stream reading functions
    - debian/patches/CVE-2017-5335.patch: add error checking to
      lib/opencdk/read-packet.c.
    - CVE-2017-5335
  * SECURITY UPDATE: stack overflow in cdk_pk_get_keyid
    - debian/patches/CVE-2017-5336.patch: check return code in
      lib/opencdk/pubkey.c.
    - CVE-2017-5336
  * SECURITY UPDATE: heap read overflow when reading streams
    - debian/patches/CVE-2017-5337.patch: add more precise checks to
      lib/opencdk/read-packet.c.
    - CVE-2017-5337
  * debian/patches/fix_expired_certs.patch: use datefudge to fix test with
    expired certs.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 26 Jan 2017 10:14:03 -0500

gnutls28 (3.4.10-4ubuntu1.1) xenial-proposed; urgency=medium

  * SRU: LP: #1592693.
  * gnutls-doc: Don't install the sgml files, not building with gtk-doc-tools
    in xenial.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 15 Jun 2016 10:00:17 +0200

gnutls28 (3.4.10-4ubuntu1) xenial; urgency=medium

  * Merge with Debian; remaining changes:
    - Make gnutls28 default.
    - debian/patches/disable_global_init_override_test.patch: disable failing
      test.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 21 Mar 2016 14:53:18 +0100

gnutls28 (3.4.10-4) unstable; urgency=medium

  * 43_fix_cpucapoverride.diff by Nikos Mavrogiannopoulos: Fix
    GNUTLS_CPUID_OVERRIDE function, stopping it from enabling SSE3 when it is
    unavailable. Closes: #818341

 -- Andreas Metzler <ametzler@debian.org>  Thu, 17 Mar 2016 19:41:22 +0100

gnutls28 (3.4.10-3) unstable; urgency=medium

  * Upload to unstable.

 -- Andreas Metzler <ametzler@debian.org>  Mon, 14 Mar 2016 18:29:53 +0100

gnutls28 (3.4.10-2) experimental; urgency=medium

  * Simplify override_dh_auto_test target. (Thanks, Steven Chamberlain)
  * Add debian/patches/42_mini-loss-time-improved-timeout-detection.patch,
    another try for Closes: #813598

 -- Andreas Metzler <ametzler@debian.org>  Mon, 07 Mar 2016 19:22:57 +0100

gnutls28 (3.4.10-1) experimental; urgency=medium

  * Pull 40_src-added-systemkey-args-to-BUILT_SOURCES.patch from upstream GIT
    master to fix FTBFS with parallel builds. Closes: #816148
  * New upstream version.
  * Pull 41_tests-mini-loss-time-ensure-client-timeouts.diff from upstream
    master branch to fix occasional testsuite error. Closes: #813598

 -- Andreas Metzler <ametzler@debian.org>  Sat, 05 Mar 2016 08:45:52 +0100

gnutls28 (3.4.9-2ubuntu1) xenial; urgency=medium

  * Merge with Debian; remaining changes:
    - Make gnutls28 default.
    - debian/patches/disable_global_init_override_test.patch: disable failing
      test.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 17 Feb 2016 20:47:48 +0100

gnutls28 (3.4.9-2) unstable; urgency=medium

  * Upload to unstable.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 07 Feb 2016 15:18:46 +0100

gnutls28 (3.4.9-1) experimental; urgency=medium

  * New upstream version.
  * Drop 35_Revert-Fix-out-of-bounds-read-in-gnutls_x509_ext_exp.patch and
    36_Revert-tests-updated-to-account-for-cert-generation.patch.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 06 Feb 2016 15:57:24 +0100

gnutls28 (3.4.8-3) unstable; urgency=medium

  * Pull 35_Revert-Fix-out-of-bounds-read-in-gnutls_x509_ext_exp.patch and
    36_Revert-tests-updated-to-account-for-cert-generation.patch
    from upstream GIT. Closes: #813243

 -- Andreas Metzler <ametzler@debian.org>  Sun, 31 Jan 2016 17:28:05 +0100

gnutls28 (3.4.8-2) unstable; urgency=medium

  * Merge master branch into experimental.
    + Drop ancient Conflicts/Replaces: gnutls0, gnutls0.4.
    + libgnutls-deb0-28 temporarily Conflicts with libnettle4, libhogweed2.
      This is a kludge and technically wrong, but will prevent partial
      upgrades from stable. See: #788735
  * Upload to unstable.

 -- Andreas Metzler <ametzler@debian.org>  Thu, 21 Jan 2016 15:45:49 +0100

gnutls28 (3.4.8-1) experimental; urgency=medium

  * Migrate from libgnutls30-dbg to ddebs. dh_strip's --ddeb-migration
    option was added to debhelper/unstable with version 9.20150628, bump
    build-dependency accordingly.
  * autoreconf requires automake 1.12.2, add build-dependency.
  * New upstream version.
    + Update symbol file.
  * Move Vcs-* from git/http to https.

 -- Andreas Metzler <ametzler@debian.org>  Fri, 08 Jan 2016 19:30:07 +0100

gnutls28 (3.4.7-1) experimental; urgency=medium

  * New upstream version.
    + Update symbol file.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 22 Nov 2015 15:29:19 +0100

gnutls28 (3.4.6-1) experimental; urgency=medium

  * Make use of autogen's MAN_PAGE_DATE (available in version 5.18.6 and
    later) to improve reproducibility of build.
  * New upstream version.
    + Update symbol file.
  * Bump debhelper build-dependency to >= 9.20141010 and add b-d on dpkg-dev
    (>= 1.17.14). Both are required for build-profile support added in
    previous upload. (Thanks, lintian.)

 -- Andreas Metzler <ametzler@debian.org>  Tue, 20 Oct 2015 20:00:55 +0200

gnutls28 (3.4.5-1) experimental; urgency=medium

  [ Helmut Grohne ]
  * Turn Build-Depends: datefudge optional via <!nocheck> profile.
    Closes: #797544

  [ Andreas Metzler ]
  * New upstream version.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 26 Sep 2015 13:48:12 +0200

gnutls28 (3.4.4.1-1) experimental; urgency=medium

  * New upstream version.
    + GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY added to gnutls_pkcs11_obj_flags,
      bump dependency info for functions taking it as argument or returning it.
    + Bump dependency info on private symbols.
    + Update debian/copyright.
    + Fixes double free in DN decoding [GNUTLS-SA-2015-3]. Closes: #795068
      CVE-2015-6251

 -- Andreas Metzler <ametzler@debian.org>  Tue, 11 Aug 2015 20:12:46 +0200

gnutls28 (3.4.3-1) experimental; urgency=medium

  * Re-enable libidn-support, use versioned b-d on libidn11-dev >= 1.31.
  * New upstream version.
    + Bump dependency info on gnutls_pkcs11_token_get_info due to changed enum
      gnutls_pkcs11_token_info_t.
    + Add dependency info for new symbols, bump private symbol dependency.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 12 Jul 2015 20:01:09 +0200

gnutls28 (3.4.2-2) experimental; urgency=medium

  * Disable libidn support because CVE-2015-2059 is still not fixed. See
    <https://gitlab.com/gnutls/gnutls/issues/10>. This also disables building
    of crywrap.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 05 Jul 2015 14:18:06 +0200

gnutls28 (3.4.2-1) experimental; urgency=medium

  * New upstream version.
    + Drop 50_updated-sign-md5-rep-to-reduce-false-failures.patch.
    + Update libgnutls30.symbols. (Add new functions, bump private symbol
      version, bump gnutls_init() due to newly added GNUTLS_NO_SIGNAL flag.)

 -- Andreas Metzler <ametzler@debian.org>  Sat, 20 Jun 2015 08:45:14 +0200

gnutls28 (3.4.1-1) experimental; urgency=medium

  * New upstream version.
    + Bump (build)-depends on nettle and p11-kit.
    + Drop 20_debian_specific_soname.diff, 40_no_more_ssl3.diff and
      55_nettle3.patch.
    + Update 14_version_gettextcat.diff.
    + Soname bump, library package renamed from libgnutls-deb0-28 to
      libgnutls30.
    + OpenSSL compat layer is not built by default anymore, pass
      --enable-openssl-compatibility to ./configure.
    + Update symbol file.
    + libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are
      restricted to the corresponding protocols only, and the VERS-ALL
      string is introduced to catch all possible protocols. Closes: #773145
    + Since the pkg-config file gnutls.pc now lists libidn in Requires.private
      "pkg-config --exists gnutls" will fail if libidn.pc is not present. Add
      dependency on libidn11-dev to libgnutls28-dev.
  * Fix typo in debian/rules
    (s/-disable-silent-rules/--disable-silent-rules).

 -- Andreas Metzler <ametzler@debian.org>  Fri, 05 Jun 2015 11:39:19 +0200

gnutls28 (3.3.20-1ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - Make gnutls28 default.
  * debian/patches/disable_global_init_override_test.patch: disable failing
    test.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 21 Jan 2016 08:58:40 -0500

gnutls28 (3.3.20-1) unstable; urgency=medium

  * autoreconf requires automake 1.12.2, add build-dependency.
  * New upstream version.
  * Move Vcs-* from git/http to https.

 -- Andreas Metzler <ametzler@debian.org>  Fri, 08 Jan 2016 18:57:41 +0100

gnutls28 (3.3.19-1) unstable; urgency=medium

  * New upstream version.
   + Refresh 20_debian_specific_soname.diff.
   + Update symbol file.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 22 Nov 2015 17:48:27 +0100

gnutls28 (3.3.18-1ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - Make gnutls28 default.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 30 Oct 2015 08:32:53 -0400

gnutls28 (3.3.18-1) unstable; urgency=medium

  * New upstream version.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 30 Sep 2015 18:49:13 +0200

gnutls28 (3.3.17-1) unstable; urgency=medium

  * New upstream version.
   + Drop superfluous patches.
    (45_As-server-don-t-try-to-send-extensions-we-didn-t-rec.patch,
     46_safe-renegotiation-handle-case-where-client-didn-t-s.patch,
     47_safe-renegotiation-simulate-receiving-the-extension-.patch)
   + GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY added to gnutls_pkcs11_obj_flags,
     bump dependency info for functions taking it as argument or returning it.
   + Bump dependency info on private symbols.
   + Fixes double free in DN decoding [GNUTLS-SA-2015-3]. Closes: #795068
     CVE-2015-6251

 -- Andreas Metzler <ametzler@debian.org>  Mon, 10 Aug 2015 19:48:11 +0200

gnutls28 (3.3.16-2) unstable; urgency=medium

  * Refresh 40_no_more_ssl3.diff.
  * 45_As-server-don-t-try-to-send-extensions-we-didn-t-rec.patch
    46_safe-renegotiation-handle-case-where-client-didn-t-s.patch
    47_safe-renegotiation-simulate-receiving-the-extension-.patch
    Pull three patches from upstream GIT to fix issue with server side sending
    the status request extension even when not requested.
    <http://article.gmane.org/gmane.network.gnutls.general/3929>

 -- Andreas Metzler <ametzler@debian.org>  Sat, 01 Aug 2015 11:30:17 +0200

gnutls28 (3.3.16-1) unstable; urgency=medium

  * Limit watchfile to 3.3.x versions.
  * New upstream version.
    + Drop superfluous patches
      (50_updated-sign-md5-rep-to-reduce-false-failures.patch,
      55_nettle3.patch,
      56_Corrected-camellia256-set-key-in-nettle3-compat-mode.patch)
    + Bump private symbol versioning.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 12 Jul 2015 19:00:04 +0200

gnutls28 (3.3.15-7) unstable; urgency=medium

  * libgnutls-deb0-28 temporarily Conflicts with libnettle4, libhogweed2. This
    is a kludge and technically wrong, but will prevent partial upgrades from
    stable. Closes: #788735
  * Drop ancient Conflicts/Replaces: gnutls0, gnutls0.4.

 -- Andreas Metzler <ametzler@debian.org>  Tue, 16 Jun 2015 19:06:09 +0200

gnutls28 (3.3.15-6) unstable; urgency=high

  * Pull 56_Corrected-camellia256-set-key-in-nettle3-compat-mode.patch
    Closes: #788011

 -- Andreas Metzler <ametzler@debian.org>  Fri, 12 Jun 2015 19:10:33 +0200

gnutls28 (3.3.15-5ubuntu2) wily; urgency=medium

  * SECURITY UPDATE: Double free in certificate DN decoding
    - debian/patches/CVE-2015-6251.patch: Reset the output value on error
      in lib/x509/common.c.
    - CVE-2015-6251

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 31 Aug 2015 14:45:42 -0400

gnutls28 (3.3.15-5ubuntu1) wily; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - Make gnutls28 default.

 -- Adam Conrad <adconrad@ubuntu.com>  Thu, 11 Jun 2015 14:47:40 -0600

gnutls28 (3.3.15-5) unstable; urgency=medium

  * Upload to unstable.
  * Downgrade nettle-dev b-d to 2.7, this upload should build correctly
    against both 2.7 and 3.x.

 -- Andreas Metzler <ametzler@debian.org>  Tue, 02 Jun 2015 19:21:57 +0200

gnutls28 (3.3.15-4) experimental; urgency=medium

  * 55_nettle3.patch: Use version from GnuTLS GIT gnutls_3_3_x branch, it
    allows compilation against both nettle 2.7 and 3.x.
  * Drop >= version requirements of libgnutls28-dev dependencies on nettle-dev
    and libtasn1-6-dev, the =${binary:Version} dependency of the development
    packages on the respective library packages should make this superfluous.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 16 May 2015 12:45:19 +0200

gnutls28 (3.3.15-3) experimental; urgency=medium

  * Add 55_nettle3.patch from
    http://pkgs.fedoraproject.org/cgit/compat-gnutls28.git/ to allow building
    against nettle3.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 13 May 2015 19:20:07 +0200

gnutls28 (3.3.15-2ubuntu1) wily; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - Make gnutls28 default.
  * Dropped patches included in new version:
    - debian/patches/CVE-2015-0294.patch
    - debian/patches/CVE-2014-8564.patch

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 21 May 2015 08:47:19 -0400

gnutls28 (3.3.15-2) unstable; urgency=medium

  * 50_updated-sign-md5-rep-to-reduce-false-failures.patch from upstream GIT,
    fixing a testsuite error on kfreebsd-*.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 06 May 2015 19:06:03 +0200

gnutls28 (3.3.15-1) unstable; urgency=medium

  * New upstream stable release.
    + Fix for MD5 downgrade in TLS 1.2 signatures. [GNUTLS-SA-2015-2].

 -- Andreas Metzler <ametzler@debian.org>  Mon, 04 May 2015 19:24:42 +0200

gnutls28 (3.3.14-3) experimental; urgency=medium

  * 50_nettle3_*.patch: Update to head of upstream gnutls_3_3_x branch.
  * (Build-)depend on nettle-dev >= 3.0.

 -- Andreas Metzler <ametzler@debian.org>  Fri, 01 May 2015 11:49:04 +0200

gnutls28 (3.3.14-2) unstable; urgency=medium

  * Upload to unstable.
  * Sync version of Depends and Build-Depends on libtasn1-6-dev.

 -- Andreas Metzler <ametzler@debian.org>  Mon, 27 Apr 2015 09:27:50 +0200

gnutls28 (3.3.14-1) experimental; urgency=medium

  * New upstream version.
    + Bump libtasn b-d to >= 4.3.

 -- Andreas Metzler <ametzler@debian.org>  Tue, 31 Mar 2015 18:29:42 +0200

gnutls28 (3.3.13-1) experimental; urgency=medium

  * New upstream version.
    + Includes fix for CVE-2015-0294, a certificate algorithm consistency
      checking issue.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 28 Feb 2015 08:27:10 +0100

gnutls28 (3.3.12-1) experimental; urgency=medium

  * New upstream version.
    + gnutls-cli-debug STARTTLS is working. Closes: #467022

 -- Andreas Metzler <ametzler@debian.org>  Sat, 17 Jan 2015 12:42:06 +0100

gnutls28 (3.3.11-1) experimental; urgency=medium

  * New upstream version.
    + Includes fix for OCSP response parsing issue. Closes: #772055

 -- Andreas Metzler <ametzler@debian.org>  Thu, 11 Dec 2014 19:07:23 +0100

gnutls28 (3.3.10-2) experimental; urgency=medium

  * Remove SSL 3.0 from default priorities list.
    Closes: #769904

 -- Andreas Metzler <ametzler@debian.org>  Wed, 19 Nov 2014 19:33:23 +0100

gnutls28 (3.3.10-1) experimental; urgency=medium

  * debian/rules: fix pattern for removal (and re-generation) of autogen-ed
    manpages.
  * New upstream version.
    + Includes fix for a denial of service issue CVE-2014-8564 /
      GNUTLS-SA-2014-5.
    + When gnutls_global_init() is called for a second time, it will check
      whether the /dev/urandom fd kept is still open and matches the original
      one. That behavior works around issues with servers that close all file
      descriptors. This should take care of #760476.

 -- Andreas Metzler <ametzler@debian.org>  Mon, 10 Nov 2014 19:29:30 +0100

gnutls28 (3.3.9-1) experimental; urgency=medium

  * New upstream version.
    + Unfuzz 20_debian_specific_soname.diff.
    + Drop 31_fallback_to_RUSAGE_SELF.diff.
    + Bump private symbol dependency info.
    + Bump dependency version of gnutls_certificate_get_issuer() and
      gnutls_x509_trust_list_get_issuer() because of newly added
      GNUTLS_TL_GET_COPY flag.

 -- Andreas Metzler <ametzler@debian.org>  Mon, 13 Oct 2014 20:08:58 +0200

gnutls28 (3.3.8-7) unstable; urgency=medium

  * 45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff:
    Pull two patches from upstream to fix a use-after-free flaw in
    gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308
    Closes: #782776

 -- Andreas Metzler <ametzler@debian.org>  Sat, 18 Apr 2015 19:11:01 +0200

gnutls28 (3.3.8-6) unstable; urgency=medium

  * 39_check-whether-the-two-signatur.patch: Pull and unfuzz
    6e76e9b9fa845b76b0b9a45f05f4b54a052578ff from upstream GIT: On
    certificate import check whether the two signature algorithms match.
    CVE-2015-0294. Closes: #779428

 -- Andreas Metzler <ametzler@debian.org>  Sat, 28 Feb 2015 14:17:21 +0100

gnutls28 (3.3.8-5) unstable; urgency=medium

  * Remove SSL 3.0 from default priorities list.
    Closes: #769904

 -- Andreas Metzler <ametzler@debian.org>  Thu, 20 Nov 2014 19:25:20 +0100

gnutls28 (3.3.8-4) unstable; urgency=high

  * Drop 31_fallback_to_RUSAGE_SELF.diff.
  * 35_recheck_urandom_fd.diff:  When gnutls_global_init() is called manually
    from the application check the urandom fd for validity. Closes: #768841
    and takes care of #760476.
  * 36_less_refresh-rnd-state.diff: do not explicitly refresh rnd state on
    session deinit. It is already being refreshed during the session lifetime.
  * 37_X9.63_sanity_check.diff: when exporting curve coordinates to X9.63
    format, perform additional sanity checks on input.
    CVE-2014-8564 / GNUTLS-SA-2014-5. Closes: #769154
  * 38_testforsanitycheck.diff adds a test for CVE-2014-8564. (As the test
    uses a cert in binary der-format which is not representable in a quilt
    patch and we want to limit debian.tar.xz to modify stuff in debian/ we
    have some special handling in debian/rules.)

 -- Andreas Metzler <ametzler@debian.org>  Wed, 12 Nov 2014 19:31:07 +0100

gnutls28 (3.3.8-3ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: certificate algorithm consistency issue
    - debian/patches/CVE-2015-0294.patch: make sure the two signature
      algorithms match on cert import in lib/x509/x509.c.
    - CVE-2015-0294

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 20 Mar 2015 08:16:02 -0400

gnutls28 (3.3.8-3ubuntu2) vivid; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    elliptic curves parameter printing
    - debian/patches/CVE-2014-8564.patch: add more sanity checks in
      lib/gnutls_ecc.c.
    - CVE-2014-8564

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 10 Nov 2014 15:18:59 -0500

gnutls28 (3.3.8-3ubuntu1) vivid; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Make gnutls28 default.

 -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 30 Oct 2014 15:21:33 +0100

gnutls28 (3.3.8-3) unstable; urgency=high

  [ Daniel Kahn Gillmor ]
  * Add list of executables to gnutls-bin package description.
    Closes: #763671

  [ Andreas Metzler ]
  * 31_fallback_to_RUSAGE_SELF.diff from upstream GIT: if RUSAGE_THREAD fails
    try RUSAGE_SELF, which should fix a crash in cups. (Thanks, Nikos
    Mavrogiannopoulos!) Closes: #760476

 -- Andreas Metzler <ametzler@debian.org>  Sat, 11 Oct 2014 16:16:00 +0200

gnutls28 (3.3.8-2) unstable; urgency=medium

  * Correct libtasn1-6-dev (build-)dependency version requirement, GnuTLS
    3.3.8 requires libtasn1 >= 3.9.
  * Upload to unstable.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 21 Sep 2014 11:52:40 +0200

gnutls28 (3.3.8-1) experimental; urgency=medium

  * New upstream version.
    + Refresh 20_debian_specific_soname.diff.
    + Bump libp11-kit-dev b-d to >= 0.20.7, add (temporary) build-conflicts
      with old experimental upload 0.21.2-1
    + Add newly added symbols to libgnutls-deb0-28.symbols, bump version of
      some functions in the gnutls_pkcs11_* family due to new members in enums
      gnutls_pkcs11_obj_type_t and gnutls_pkcs11_obj_flags, bump private
      symbol dependency info, and bump shlibs.
  * Drop version from libgnutls28-dev's dependency on libp11-kit-dev.
    The GnuTLS library package automatically gets a dependency on libp11-kit0
    (>= the-version-in-build-depends). OTOH libp11-kit-dev depends on
    libp11-kit0 (= ${binary:Version}). Therefore these dependencies already
    enforce a version on libp11-kit-dev and we do not need to duplicate the
    info.
  * Add explicit build-dependency on libopts25-dev. Closes: #761618

 -- Andreas Metzler <ametzler@debian.org>  Sat, 20 Sep 2014 12:11:01 +0200

gnutls28 (3.3.7-2) unstable; urgency=medium

  * Upload to unstable.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 30 Aug 2014 08:01:51 +0200

gnutls28 (3.3.7-1) experimental; urgency=medium

  * New upstream release.
    + Refresh 20_debian_specific_soname.diff.
    + Add newly added symbols to libgnutls-deb0-28.symbols, bump private
      symbol dependency info, and bump shlibs.
    + New member in gnutls_pkcs11_obj_attr_t, bump version of
      gnutls_pkcs11_obj_list_import_url*.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 24 Aug 2014 13:35:44 +0200

gnutls28 (3.3.6-2) unstable; urgency=medium

  * Upload to unstable. We want 3.3 in jessie, as it is (going to be) GnuTLS
    latest stable at freeze time.
  * 30_guile-snarf.diff: Work around #759096 (guile-snarf hard-codes the
    at-build-time-default-compiler) by exporting @CPP@.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 24 Aug 2014 09:32:36 +0200

gnutls28 (3.3.6-1) experimental; urgency=medium

  * [debian/copyright]: Replace reference to GPLv2.1 (which does not exist)
    with one to GPLv2. (Thanks, Jakub Wilk) Closes: #754160
  * New upstream release.
    + Refresh 20_debian_specific_soname.diff.
    + Add newly added symbols to libgnutls-deb0-28.symbols and bump private
      symbol dependency info.

 -- Andreas Metzler <ametzler@debian.org>  Thu, 24 Jul 2014 08:50:01 +0200

gnutls28 (3.3.5-1) experimental; urgency=medium

  * New upstream version.
  * Refresh patches/20_debian_specific_soname.diff.
  * Drop 30_Updated-asm-sources.patch.
  * Add new public symbols to symbol file, bump shlibs.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 28 Jun 2014 13:53:06 +0200

gnutls28 (3.3.3-1) experimental; urgency=medium

  * New upstream version, including a fix for GNUTLS-SA-2014-3
    CVE-2014-3466.
  * Refresh 20_debian_specific_soname.diff.
  * 30_Updated-asm-sources.patch: Updated asm code pulled from upstream git.
  * New symbol gnutls_credentials_get, update symbol file and bump shlibs.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 31 May 2014 07:58:37 +0200

gnutls28 (3.3.2-2) experimental; urgency=high

  * Fix crashes due to symbol clashes when a binary ends up being linked
    against GnuTLS v2 and v3 by bumping library symbol-versioning (and
    therefore also the soname) in a Debian specific way, to make sure there is
    no conflict with future:
    + 20_debian_specific_soname.diff
      - Symbol versions: GNUTLS_* -> GNUTLS_DEBIAN_0_*
      - Add "-release deb0" to libtool link command.
    + Rename libgnutls28 to libgnutls-deb0-28, matching the new soname.
    + Adapt symbol file accordingly.
    + Change 14_version_gettextcat.diff, too.
      Closes: #748742
  * Drop libgnutls28-dbg Conflicts with libgnutls13-dbg, libgnutls26-dbg.
    These have been unnecessary since we started using dh compat v9, where
    debugging symbols are installed to /usr/lib/debug/.build-id.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 24 May 2014 19:27:01 +0200

gnutls28 (3.3.2-1) experimental; urgency=medium

  * Do not build-depend on guile-2.0 on m68k. Closes: #745461
  * Manually version libgnutls28's dependency on libgmp10 as (>= 2:6), to
    enforce a dual-licensed (GPLv2+/LGPLv2.1+) version of GMP. Also add a
    corresponding versioned build-dependency, to prevent building of
    uninstallable packages.
  * New upstream version. Drop 20_guile_no_override_allocation.diff and
    21_Treat-othername-as-printable.diff.

 -- Andreas Metzler <ametzler@debian.org>  Thu, 08 May 2014 19:47:09 +0200

gnutls28 (3.3.1-1) experimental; urgency=medium

  * New upstream version.
    + Drop 20_sparc_chainverify_buserror.diff.
    + Pull 20_guile_no_override_allocation.diff and
      21_Treat-othername-as-printable.diff from upstream GIT.
    + Drop gnutls_secure_calloc@GNUTLS_1_4 from symbol file. It was dropped
      upstream since it was never exported in a public header and is not
      used according to codesearch.d.o.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 19 Apr 2014 19:25:11 +0200

gnutls28 (3.3.0-2) experimental; urgency=medium

  * Drop last remains of -xssl from debian/.
  * Add debian/libgnutls28.symbols.
  * 20_sparc_chainverify_buserror.diff from upstream GIT: In chainverify test
    increase the space available for certificates to fix sparc testsuite
    error.
  * Build OpenSSL wrapper from gnutls28, provide libgnutls-openssl-dev from
    libgnutls28-dev.

 -- Andreas Metzler <ametzler@debian.org>  Thu, 17 Apr 2014 19:53:30 +0200

gnutls28 (3.3.0-1) experimental; urgency=medium

  * New upstream version.
    + Bump shlibs.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 12 Apr 2014 07:49:11 +0200

gnutls28 (3.3.0~pre0-1) experimental; urgency=medium

  * Also version the p11-kit dependency.
  * New upstream version.
    + Set --enable-static, as only shared libs are built by default.
    + libgnutls-xssl is no more.
    + Bump shlibs.
  * Upload to experimental.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 29 Mar 2014 19:19:37 +0100

gnutls28 (3.2.16-1ubuntu2) utopic; urgency=medium

  * No-change rebuild to get debug symbols on all architectures.

 -- Brian Murray <brian@ubuntu.com>  Tue, 21 Oct 2014 14:15:57 -0700

gnutls28 (3.2.16-1ubuntu1) utopic; urgency=medium

  * Make gnutls28 default.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 08 Aug 2014 08:24:17 +0100

gnutls28 (3.2.16-1) unstable; urgency=medium

  * New upstream version.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 23 Jul 2014 12:36:32 +0200

gnutls28 (3.2.15-3) unstable; urgency=medium

  * [debian/copyright]: Replace reference to GPLv2.1 (which does not exist)
    with one to GPLv2. (Thanks, Jakub Wilk) Closes: #754160
  * Stop shipping libgnutls-xssl0, it has been removed in upstream's 3.3
    series.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 12 Jul 2014 13:55:48 +0200

gnutls28 (3.2.15-2) unstable; urgency=high

  * Fix crashes due to symbol clashes when a binary ends up being linked
    against GnuTLS v2 and v3 by bumping library symbol-versioning (and
    therefore also the soname) in a Debian specific way, to make sure there is
    no conflict with future:
    + 20_debian_specific_soname.diff
      - Symbol versions: GNUTLS_* -> GNUTLS_DEBIAN_0_*
      - Add "-release deb0" to libtool link command.
    + Rename libgnutls28 to libgnutls-deb0-28, matching the new soname.
    + Change 14_version_gettextcat.diff, too.
    Closes: #74874
  * Drop libgnutls28-dbg Conflicts with libgnutls13-dbg, libgnutls26-dbg.
    These have been unnecessary since we started using dh compat v9, where
    debugging symbols are installed to /usr/lib/debug/.build-id.
  * debian/copyright: Add info about GPLv2 compatibility.

 -- Andreas Metzler <ametzler@debian.org>  Thu, 05 Jun 2014 18:56:03 +0200

gnutls28 (3.2.15-1) unstable; urgency=high

  * New upstream version.
    + Includes a fix for GNUTLS-SA-2014-3 / CVE-2014-3466.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 31 May 2014 08:37:00 +0200

gnutls28 (3.2.14-1) unstable; urgency=medium

  * Do not build-depend on guile-2.0 on m68k. Closes: #745461
  * New upstream version.
  * Manually version libgnutls28's dependency on libgmp10 as (>= 2:6), to
    enforce a dual-licensed (GPLv2+/LGPLv2.1+) version of GMP. Also add a
    corresponding versioned build-dependency, to prevent building of
    uninstallable packages.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 07 May 2014 19:29:26 +0200

gnutls28 (3.2.13-2) unstable; urgency=medium

  * Build OpenSSL wrapper from gnutls28, provide libgnutls-openssl-dev from
    libgnutls28-dev.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 16 Apr 2014 19:24:25 +0200

gnutls28 (3.2.13-1) unstable; urgency=medium

  * Also version the p11-kit dependency.
  * New upstream version.

 -- Andreas Metzler <ametzler@debian.org>  Thu, 10 Apr 2014 19:08:40 +0200

gnutls28 (3.2.12.1-2) unstable; urgency=medium

  * Upload to unstable.
  * Sync from Ubuntu (Colin Watson):
    + Add arm64 and ppc64el to the list of non-ia64 architectures on which
      guile-gnutls is built.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 12 Mar 2014 17:50:43 +0100

gnutls28 (3.2.12.1-1) experimental; urgency=medium

  * New upstream version.
    + Drop superfluous patches: 
      20_bug-in-gnutls_pcert_list_import_x509_raw.patch
      20_CVE-2014-0092.diff

 -- Andreas Metzler <ametzler@debian.org>  Wed, 05 Mar 2014 19:40:42 +0100

gnutls28 (3.2.11-2) unstable; urgency=high

  * Bump version of Build-Depends on libp11-kit-dev, as required by 3.2.11.
  * 20_CVE-2014-0092.diff by Nikos Mavrogiannopoulos: Fix certificate
    validation issue. CVE-2014-0092

 -- Andreas Metzler <ametzler@debian.org>  Sat, 01 Mar 2014 08:48:21 +0100

gnutls28 (3.2.11-1) unstable; urgency=high

  * New upstream version. (Closes CVE-2014-1959 / GNUTLS-SA-2014-1)
  * Pull 20_bug-in-gnutls_pcert_list_import_x509_raw.patch from upstream git.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 15 Feb 2014 14:38:52 +0100

gnutls28 (3.2.10-2) unstable; urgency=high

  * Upload to unstable.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 02 Feb 2014 12:10:16 +0100

gnutls28 (3.2.10-1) experimental; urgency=high

  * New upstream version.
  * New symbols exported, bump shlibs.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 01 Feb 2014 09:22:36 +0100

gnutls28 (3.2.9-2) unstable; urgency=medium

  * Upload to unstable.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 29 Jan 2014 19:05:05 +0100

gnutls28 (3.2.9-1) experimental; urgency=medium

  * New upstream version.
    + %COMPAT implies %DUMBFW. (See #733039)
  * Drop 40_guilenoparallel.diff, which did not have any effect after enabling
    dh_autoreconf.
  * Stop dh_clean from removing *.bak, upstream tarball actually contains
    files named such in src/ subdirectory.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 25 Jan 2014 19:00:11 +0100

gnutls28 (3.2.8.1-3) unstable; urgency=medium

  * Correct c'n'p error in Vcs-Git field.
  * Update debian/copyright from upstream's README. (Thanks, Kurt Roeckx)

 -- Andreas Metzler <ametzler@debian.org>  Sun, 19 Jan 2014 13:23:46 +0100

gnutls28 (3.2.8.1-2) unstable; urgency=low

  * Upload to unstable, without libgnutls-openssl27.

 -- Andreas Metzler <ametzler@debian.org>  Fri, 27 Dec 2013 15:45:39 +0100

gnutls28 (3.2.8.1-1) experimental; urgency=low

  * New upstream version.
    + Drop debian/patches/45_add_strerror-module.patch, which was pulled from
      upstream.
    + Bump shlibs.
  * Add debian/upstream-signing-key.pgp (listed in
    debian/source/include-binaries) and update watchfile to check
    upstream signature.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 21 Dec 2013 16:59:19 +0100

gnutls28 (3.2.7-4) experimental; urgency=low

  * Upload to experimental, with libgnutls-openssl27.
  * Version libgnutls-openssl27 shlibs. (Mainly to identify rebuilt packages.)

 -- Andreas Metzler <ametzler@debian.org>  Sun, 08 Dec 2013 18:43:16 +0100

gnutls28 (3.2.7-3) unstable; urgency=low

  * Point vcs* to git.
  * Upload to unstable, without libgnutls-openssl27.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 08 Dec 2013 18:15:43 +0100

gnutls28 (3.2.7-2) experimental; urgency=low

  * Fix kfreebsd FTBFS.
    + 45_add_strerror-module.patch add gnulib strerror module.
    + Use dh_autoreconf.

 -- Andreas Metzler <ametzler@debian.org>  Fri, 29 Nov 2013 19:10:39 +0100

gnutls28 (3.2.7-1) experimental; urgency=low

  * New upstream version.
    + Add b-d on bison.
    + Bump shlibs.
    + Drop 30_forcesystemlibopts.diff 50_Ignore-SIGPIPE.patch.
    + Simplify debian/rules, stop removing autogened files.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 27 Nov 2013 19:30:00 +0100

gnutls28 (3.2.6-2) experimental; urgency=low

  * Print out test-suite.log on test-suite-error. (Thanks, Steven Chamberlain
    for the hint.)
  * 50_Ignore-SIGPIPE.patch - fix spurious FTBFS due to race condition.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 10 Nov 2013 13:54:49 +0100

gnutls28 (3.2.6-1) experimental; urgency=low

  * New upstream version.
    + Bump shlibs.

 -- Andreas Metzler <ametzler@debian.org>  Tue, 05 Nov 2013 19:25:51 +0100

gnutls28 (3.2.5-1) experimental; urgency=low

  * New upstream version.
    + Bump shlibs.
  * Ship examples/examples.h which is needed for building examples/*.c. Also
    add ex-cxx.cpp, while we are at it. (Thanks, Daniel Kahn Gillmor)
    Closes: #726971

 -- Andreas Metzler <ametzler@debian.org>  Sat, 26 Oct 2013 14:40:05 +0200

gnutls28 (3.2.4-5) experimental; urgency=low