diffstat of debian/ for gnutls28_3.6.4-2 gnutls28_3.6.4-2ubuntu1 changelog | 108 ++++++++++ control | 3 patches/0001-Skip-tests-tls13-prf.c-if-visibility-protected-doesn.patch | 65 ++++++ patches/add-openssl-test-link.patch | 14 + patches/disable_global_init_override_test.patch | 15 + patches/series | 3 6 files changed, 207 insertions(+), 1 deletion(-) diff -Nru gnutls28-3.6.4/debian/changelog gnutls28-3.6.4/debian/changelog --- gnutls28-3.6.4/debian/changelog 2018-09-29 05:05:20.000000000 +0000 +++ gnutls28-3.6.4/debian/changelog 2018-10-05 16:12:04.000000000 +0000 @@ -1,3 +1,15 @@ +gnutls28 (3.6.4-2ubuntu1) cosmic; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + * 0001-Skip-tests-tls13-prf.c-if-visibility-protected-doesn.patch: + cherrypick upstream patch to fix test-suite with symbolic-functions + * This upstream release includes TLS 1.3 support. + + -- Dimitri John Ledkov Fri, 05 Oct 2018 17:12:04 +0100 + gnutls28 (3.6.4-2) experimental; urgency=medium * Delete 50_fedora_gnutls-3.6.3-rollback-fix.patch. 
@@ -279,6 +291,36 @@ -- Andreas Metzler Sun, 12 Feb 2017 19:37:32 +0100 +gnutls28 (3.5.8-6ubuntu3) artful; urgency=medium + + * Cherry pick several fixes from Debian 3.5.8-5+deb9u3: + - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch + 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from + gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa + signatures. LP: #1714506 + - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from + upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and + decryption on aarch64. LP: #1707172 + + -- Julian Andres Klode Sat, 02 Sep 2017 16:12:49 +0200 + +gnutls28 (3.5.8-6ubuntu2) artful; urgency=medium + + * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler: + OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority, + which includes TLS1.2 support. (LP: #1709193) + + -- Simon Deziel Thu, 10 Aug 2017 00:34:06 +0000 + +gnutls28 (3.5.8-6ubuntu1) artful; urgency=medium + + * Merge with Debian. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Marc Deslauriers Tue, 13 Jun 2017 13:19:05 -0400 + gnutls28 (3.5.8-6) unstable; urgency=high * 36_CVE-2017-7507_*.patch: Pulled from 3.5.13, fix crash upon receiving @@ -287,6 +329,15 @@ -- Andreas Metzler Sun, 11 Jun 2017 10:44:33 +0200 +gnutls28 (3.5.8-5ubuntu1) artful; urgency=medium + + * Merge with Debian. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable + failing test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Marc Deslauriers Wed, 03 May 2017 10:00:32 -0400 + gnutls28 (3.5.8-5) unstable; urgency=medium * 35_01_z_opencdk-read-packet.c-corrected-typo-in-type-cast.patch: Fix typo 
@@ -435,6 +486,54 @@ -- Andreas Metzler Sun, 13 Nov 2016 19:09:55 +0100 +gnutls28 (3.5.6-4ubuntu4) zesty; urgency=medium + + * Fix FTBFS because of failing test (LP: #1679868) + - debian/patches/fix_tests_timezone.patch: address test suite failure + due to timezone differences in tests/cert-tests/pkcs7. + + -- Marc Deslauriers Wed, 05 Apr 2017 10:06:24 -0400 + +gnutls28 (3.5.6-4ubuntu3) zesty; urgency=medium + + * SECURITY UPDATE: double-free when reading proxy language + - debian/patches/CVE-2017-5334.patch: fix double-free in + lib/x509/x509_ext.c. + - CVE-2017-5334 + * SECURITY UPDATE: out of memory error in stream reading functions + - debian/patches/CVE-2017-5335.patch: add error checking to + lib/opencdk/read-packet.c. + - CVE-2017-5335 + * SECURITY UPDATE: stack overflow in cdk_pk_get_keyid + - debian/patches/CVE-2017-5336.patch: check return code in + lib/opencdk/pubkey.c. + - CVE-2017-5336 + * SECURITY UPDATE: heap read overflow when reading streams + - debian/patches/CVE-2017-5337.patch: add more precise checks to + lib/opencdk/read-packet.c. + - CVE-2017-5337 + + -- Marc Deslauriers Wed, 01 Feb 2017 14:21:40 -0500 + +gnutls28 (3.5.6-4ubuntu2) zesty; urgency=medium + + * d/p/dname-api-*.patch fix gnutls api breakage on dname order in + gnutls 3.5.6 (LP: #1641615) + - d/libgnutls30.symbols add new symbols added by the upstream fix + + -- Christian Ehrhardt Thu, 17 Nov 2016 08:39:43 +0100 + +gnutls28 (3.5.6-4ubuntu1) zesty; urgency=medium + + * Merge with Debian. Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable failing + test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + * New upstream version avoids getrandom() at initialization which caused + NetworkManager to hang at boot. (LP: #1622893) + + -- Martin Pitt Mon, 14 Nov 2016 12:47:23 +0100 + gnutls28 (3.5.6-4) unstable; urgency=medium * Pull 40_01_sockets-only-use-gnutls_bye-on-a-valid-socket-sessio.patch 
@@ -540,6 +639,15 @@ -- Andreas Metzler Sat, 10 Sep 2016 14:45:06 +0200 +gnutls28 (3.5.3-5ubuntu1) yakkety; urgency=medium + + * Merge with Debian (LP: #1624856). Remaining changes: + - debian/patches/disable_global_init_override_test.patch: disable failing + test. + - debian/patches/add-openssl-test-link.patch: add link for libssl + + -- Anders Kaseorg Sun, 18 Sep 2016 08:03:47 -0400 + gnutls28 (3.5.3-5) experimental; urgency=medium * Pull DTLS fixes from upstream GIT master. diff -Nru gnutls28-3.6.4/debian/control gnutls28-3.6.4/debian/control --- gnutls28-3.6.4/debian/control 2018-09-22 15:18:26.000000000 +0000 +++ gnutls28-3.6.4/debian/control 2018-10-05 16:11:05.000000000 +0000 @@ -1,7 +1,8 @@ Source: gnutls28 Section: libs Priority: optional -Maintainer: Debian GnuTLS Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GnuTLS Maintainers Uploaders: Andreas Metzler , Eric Dorland , James Westby , diff -Nru gnutls28-3.6.4/debian/patches/0001-Skip-tests-tls13-prf.c-if-visibility-protected-doesn.patch gnutls28-3.6.4/debian/patches/0001-Skip-tests-tls13-prf.c-if-visibility-protected-doesn.patch --- gnutls28-3.6.4/debian/patches/0001-Skip-tests-tls13-prf.c-if-visibility-protected-doesn.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.6.4/debian/patches/0001-Skip-tests-tls13-prf.c-if-visibility-protected-doesn.patch 2018-10-05 16:12:04.000000000 +0000 
@@ -0,0 +1,65 @@ +From 7095d5577ff25bb41ca3171903ac03809cea9f35 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Mon, 8 Oct 2018 11:25:23 +0200 +Subject: [PATCH] Skip tests/tls13/prf.c if visibility 'protected' doesn't work +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Overriding gnutls_rnd() with visibility 'protected' doesn't always work. +E.g. LDFLAGS="-Wl,-Bsymbolic-functions" seems to have priority on +Debian derived systems. + +Fixes #584 + +Signed-off-by: Tim Rühsen +--- + .gitlab-ci.yml | 2 +- + tests/tls13/prf.c | 9 +++++++++ + tests/utils.h | 5 ++++- + 3 files changed, 14 insertions(+), 2 deletions(-) + +--- a/tests/tls13/prf.c ++++ b/tests/tls13/prf.c +@@ -70,9 +70,13 @@ + static const + gnutls_datum_t hsrnd = {(void*)"\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 32}; + ++static int gnutls_rnd_works; ++ + int __attribute__ ((visibility ("protected"))) + gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len) + { ++ gnutls_rnd_works = 1; ++ + memset(data, 0xff, len); + + /* Flip the first byte to avoid infinite loop in the RSA +@@ -135,6 +139,11 @@ + unsigned char key_material[512]; + int ret; + ++ if (!gnutls_rnd_works) { ++ fprintf(stderr, "gnutls_rnd() could not be overridden, see #584\n"); ++ exit(77); ++ } ++ + TRY_OLD(13, "key expansion", 34, (uint8_t*)KEY_EXP_VALUE); + TRY_OLD(6, "hello", 31, (uint8_t*)HELLO_VALUE); + +--- a/tests/utils.h ++++ b/tests/utils.h +@@ -152,9 +152,12 @@ + if (WIFSIGNALED(status)) { + fail("Child died with signal %d\n", WTERMSIG(status)); + } else { +- if (!sigonly) ++ if (!sigonly) { ++ if (WEXITSTATUS(status) == 77) ++ exit(77); + fail("Child died with status %d\n", + WEXITSTATUS(status)); ++ } + } + } + #endif diff -Nru gnutls28-3.6.4/debian/patches/add-openssl-test-link.patch gnutls28-3.6.4/debian/patches/add-openssl-test-link.patch --- 
gnutls28-3.6.4/debian/patches/add-openssl-test-link.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.6.4/debian/patches/add-openssl-test-link.patch 2018-10-05 16:12:04.000000000 +0000 @@ -0,0 +1,14 @@ +Description: avoid link failure because of missing ssl +Author: Gianfranco Costamagna + +--- a/tests/slow/Makefile.am ++++ b/tests/slow/Makefile.am +@@ -53,7 +53,7 @@ + TESTS = $(ctests) test-ciphers.sh override-ciphers test-hash-large.sh crypto test-ciphers-api.sh + + if HAVE_LIBCRYPTO +-cipher_openssl_compat_LDFLAGS = $(LDADD) $(LIBCRYPTO) ++cipher_openssl_compat_LDADD = $(LDADD) $(LIBCRYPTO) + + dist_check_SCRIPTS += test-ciphers-openssl.sh + check_PROGRAMS += cipher-openssl-compat diff -Nru gnutls28-3.6.4/debian/patches/disable_global_init_override_test.patch gnutls28-3.6.4/debian/patches/disable_global_init_override_test.patch --- gnutls28-3.6.4/debian/patches/disable_global_init_override_test.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.6.4/debian/patches/disable_global_init_override_test.patch 2018-10-05 16:12:04.000000000 +0000 
@@ -0,0 +1,15 @@ +Description: disable failing test +Author: Marc Deslauriers +Forwarded: no + +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -172,7 +172,7 @@ + fallback-scsv pkcs8-key-decode urls dtls-rehandshake-cert \ + key-usage-rsa key-usage-ecdhe-rsa mini-session-verify-function auto-verify \ + record-timeouts mini-dtls-hello-verify-48 set-default-prio \ +- tls12-anon-upgrade global-init-override tlsext-decoding rsa-psk-cb \ ++ tls12-anon-upgrade tlsext-decoding rsa-psk-cb \ + rehandshake-switch-cert rehandshake-switch-cert-allow rehandshake-switch-cert-client \ + rehandshake-switch-cert-client-allow handshake-versions dtls-handshake-versions \ + dtls-max-record tls12-max-record alpn-server-prec ocsp-filename-memleak \ diff -Nru gnutls28-3.6.4/debian/patches/series gnutls28-3.6.4/debian/patches/series --- gnutls28-3.6.4/debian/patches/series 2018-09-29 05:04:55.000000000 +0000 +++ gnutls28-3.6.4/debian/patches/series 2018-10-05 16:12:04.000000000 +0000 @@ -1,3 +1,6 @@ 14_version_gettextcat.diff 30_guile-snarf.diff 40_add_missingm4.diff +add-openssl-test-link.patch +disable_global_init_override_test.patch +0001-Skip-tests-tls13-prf.c-if-visibility-protected-doesn.patch
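Review bot: The header of 0001-Skip-tests-tls13-prf.c-if-visibility-protected-doesn.patch lists `.gitlab-ci.yml | 2 +-` and "3 files changed", but the patch body only carries hunks for tests/tls13/prf.c and tests/utils.h. State in the header that the .gitlab-ci.yml change was dropped. The header's `Date: Mon, 8 Oct 2018` is also later than the `Fri, 05 Oct 2018` changelog entry that describes it as a cherry-pick, so add an Origin: field naming the upstream commit so the provenance can be checked.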
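Review bot: In tests/tls13/prf.c, the new `if (!gnutls_rnd_works)` check at @@ -135,6 +139,11 is only meaningful if the library has already called gnutls_rnd() before this function runs, because the flag is set solely as a side effect inside the override, and the hunk does not show that ordering. Add a comment at the check naming the earlier step that is expected to have drawn random data. The bare `exit(77)` should also carry a comment saying that 77 is the status the test harness treats as a skip, since the stderr message is the only hint in the code.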
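Review bot: In tests/utils.h at @@ -152,9 +152,12, the literal 77 is now hard-coded here and in tests/tls13/prf.c. Define it once in utils.h under a descriptive name and use that in both places. The propagation also sits inside `if (!sigonly)`, so a child that exits with 77 while the caller passed sigonly is not reported as skipped; if that is intended, a one-line comment would make it explicit.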
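Review bot: The header of add-openssl-test-link.patch has no Forwarded: field, although disable_global_init_override_test.patch has one. Moving `$(LDADD) $(LIBCRYPTO)` from `cipher_openssl_compat_LDFLAGS` to `cipher_openssl_compat_LDADD` in tests/slow/Makefile.am is not distribution-specific, so record whether it was sent upstream. The Description says "missing ssl" and the changelog says "add link for libssl", but the variable in the hunk is `$(LIBCRYPTO)`; reword both to name the library that is actually linked.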
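Review bot: disable_global_init_override_test.patch removes `global-init-override` from the test list in tests/Makefile.am with only "disable failing test" as the reason and no bug reference. Record in the patch header how the test fails and under which build configuration, so the next merge can tell whether the patch is still needed. The cherry-picked prf.c patch in this same upload exits with status 77 when its override does not take effect, which keeps the test visible as skipped. If global-init-override fails for a comparable reason, that approach is preferable to deleting it from the list, and it could be forwarded instead of staying at `Forwarded: no`.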