Package "gnutls28"

| Name: | gnutls28 |
| Description: | This package is just an umbrella for a group of other packages; it has no description. Description samples from packages in group: GNU TLS library - documentation and examples; GNU TLS library - DANE security support; GNU TLS library - OpenSSL wrapper; GNU TLS library - development files |
| Latest version: | 3.8.12-2ubuntu1.1 |
| Release: | resolute (26.04) |
| Level: | security |
| Repository: | main |
Changelog
gnutls28 (3.8.12-2ubuntu1.1) resolute-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in DTLS handshake fragment reassembly
    - debian/patches/CVE-2026-33846-pre1.patch: buffers: shorten
      merge_handshake_packet using recv_buf in lib/buffers.c.
    - debian/patches/CVE-2026-33846.patch: buffers: add more checks to DTLS
      reassembly in lib/buffers.c.
    - CVE-2026-33846
  * SECURITY UPDATE: DTLS packets sequence number ordering issue
    - debian/patches/CVE-2026-42009-pre1.patch: buffers: match DTLS datagrams by
      sequence number in lib/buffers.c.
    - debian/patches/CVE-2026-42009-1.patch: lib/buffers: ensure packets have
      differing sequence numbers in lib/buffers.c.
    - debian/patches/CVE-2026-42009-2.patch: buffers: fix handshake_compare when
      sequence numbers match in lib/buffers.c.
    - CVE-2026-42009
  * SECURITY UPDATE: OOB read via malformed fragments with zero length and
    non-zero offset
    - debian/patches/CVE-2026-33845-pre1.patch: buffers: rename a variable in
      parse_handshake_header in lib/buffers.c.
    - debian/patches/CVE-2026-33845.patch: buffers: switch from end_offset over
      to frag_length in lib/buffers.c, lib/gnutls_int.h.
    - debian/patches/CVE-2026-33845-2.patch: buffers: simplify and tighten
      parse_handshake_header checks in lib/buffers.c.
    - CVE-2026-33845
  * SECURITY UPDATE: malformed OCSP response issue
    - debian/patches/CVE-2026-3832.patch: cert-session: fix multi-entry OCSP
      revocation bypass in lib/cert-session.c.
    - CVE-2026-3832
  * SECURITY UPDATE: policy bypass via x509 case-sensitive comparisons
    - debian/patches/CVE-2026-3833.patch: x509/name-constraints: compare domain
      names case-insensitive in lib/x509/name_constraints.c.
    - CVE-2026-3833
  * SECURITY UPDATE: permitted name constraints were incorrectly ignored
    - debian/patches/CVE-2026-42011.patch: x509/name_constraints: fix
      intersecting empty constraints in lib/x509/name_constraints.c.
    - CVE-2026-42011
  * SECURITY UPDATE:
    - debian/patches/CVE-2026-42010.patch: lib/auth/rsa_psk: fix binary PSK
      identity lookup in lib/auth/rsa_psk.c.
    - CVE-2026-42010
  * SECURITY UPDATE: incorrect username parsing with NUL characters
    - debian/patches/CVE-2026-5260-1.patch: lib/auth/rsa: check that ciphertext
      matches the modulus size in lib/auth/rsa.c, lib/auth/rsa_psk.c.
    - debian/patches/CVE-2026-5260-2.patch: lib/pkcs11_privkey: guard against
      overreading on short ciphertexts in lib/pkcs11_privkey.c.
    - CVE-2026-5260
  * SECURITY UPDATE:
    - debian/patches/CVE-2026-42012-pre1.patch: x509/hostname-verify: refactor
      and simplify CN fallback logic in lib/x509/hostname-verify.c.
    - debian/patches/CVE-2026-42012-pre2.patch: x509: add bare-bones awareness
      of SRV virtual SAN in lib/includes/gnutls/gnutls.h.in, lib/x509/common.h,
      lib/x509/name_constraints.c, lib/x509/output.c, lib/x509/virt-san.c,
      lib/x509/x509.c.
    - debian/patches/CVE-2026-42012.patch: x509/hostname-verify: make URI/SRV
      SAN preclude CN fallback in lib/x509/hostname-verify.c.
    - CVE-2026-42012
  * SECURITY UPDATE: incorrect URI or SRV Subject Alternative Names checking
    - debian/patches/CVE-2026-42013-pre1.patch: x509/email-verify: call
      fallback DN fallback in lib/x509/email-verify.c.
    - debian/patches/CVE-2026-42013.patch: x509: prevent fallback on oversized
      SAN in lib/x509/email-verify.c, lib/x509/hostname-verify.c.
    - CVE-2026-42013
  * SECURITY UPDATE: UaF when changing the Security Officer PIN
    - debian/patches/CVE-2026-42014.patch: pkcs11_write: fix UAF and leak in
      gnutls_pkcs11_token_set_pin in lib/pkcs11_write.c.
    - CVE-2026-42014
  * SECURITY UPDATE: buffer overflow when appending to a PKCS#12 bag
    - debian/patches/CVE-2026-42015.patch: x509/pkcs12_bag: fix off-by-one in
      bag element bounds check in lib/x509/pkcs12_bag.c.
    - CVE-2026-42015
  * SECURITY UPDATE: non constant-time PKCS#7 padding check
    - debian/patches/CVE-2026-5419.patch: gnutls_cipher_decrypt3: make PKCS#7
      unpadding branch free in lib/crypto-api.c, lib/libgnutls.map,
      tests/Makefile.am, tests/pkcs7-pad.c.
    - debian/patches/CVE-2026-5419-2.patch: _gnutls_pkcs7_unpad: add missing
      declaration in lib/crypto-api.c.
    - CVE-2026-5419

 -- Marc Deslauriers <email address hidden>  Fri, 08 May 2026 10:11:31 -0400
| CVE-2026-33846 | A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() w |
| CVE-2026-42009 | A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The com |
| CVE-2026-33845 | A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reass |
| CVE-2026-3832 | A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol ( |
| CVE-2026-3833 | A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically fo |
| CVE-2026-42011 | A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authoriti |
| CVE-2026-42010 | A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL ch |