[Bug 1326779] Re: libgnutls28 appears to not have been updated for CVE-2014-3466 in Trusty
Tyler Hicks
tyhicks at canonical.com
Thu Jun 11 16:08:28 UTC 2015
Hi LocutusOfBorg - Thank you for the debdiff. I've made some adjustments
to it in order to follow our security update packaging guidelines
(https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging):
- Pocket should be trusty-security instead of trusty
- Version should be 3.2.11-2ubuntu1.1 instead of 3.2.11-2ubuntu2
- Patch was missing the DEP3 origin patch tag
- Changelog did not follow the "SECURITY UPDATE:" style
Additionally, I folded in upstream's test patch
(https://www.gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf7ce52b36474c157f782d9ca977).
Build tests are always a nice thing to add.
Thanks!
** Changed in: gnutls28 (Ubuntu)
Status: Triaged => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1326779
Title:
libgnutls28 appears to not have been updated for CVE-2014-3466 in
Trusty
Status in gnutls28 package in Ubuntu:
Confirmed
Bug description:
Hi,
Although you've pushed out a patch for CVE-2014-3466 to libgnutls26 in
the current stable LTS Ubuntu release (Trusty) you've not pushed out a
corresponding patch for libgnutls28 (which is used by some packages).
Looking at the apt-cache policy output:
  $ apt-cache policy libgnutls28
  libgnutls28:
    Installed: 3.2.11-2ubuntu1
    Candidate: 3.2.11-2ubuntu1
    Version table:
   *** 3.2.11-2ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
          100 /var/lib/dpkg/status
This would look like a vulnerable version according to the CVE report
(also launchpad shows this package as not having been updated since
the 5th of March).
http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-3466
Can you please push out this patch asap, especially given that the
vulnerability has been widely publicised in the media as of yesterday?
Thanks,
Dr Owain Kenway