Debian alert DLA-4492-1 (gnutls28)
| From: | Guilhem Moulin <guilhem@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 4492-1] gnutls28 security update |
| Date: | Wed, 25 Feb 2026 10:13:00 +0100 |
| Message-ID: | <aZ69HJugXyF6vnaD@debian.org> |

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4492-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
February 25, 2026                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : gnutls28
Version        : 3.7.1-5+deb11u9
CVE ID         : CVE-2025-9820 CVE-2025-14831
Debian Bug     : 1121146

Vulnerabilities were found in GnuTLS, a portable library which implements
the Transport Layer Security and Datagram Transport Layer Security
protocols, which may lead to Denial of Service.

CVE-2025-9820

    An out-of-bound write issue was discovered when a PKCS#11 token is
    initialized with the `gnutls_pkcs11_token_init()` function and it is
    passed a token label longer than 32 characters.

CVE-2025-14831

    Tim Scheckenbach discovered that verifying specially crafted
    malicious certificates containing a large number of name constraints
    and subject alternative names (SANs) could lead to resource
    exhaustion.

For Debian 11 bullseye, these problems have been fixed in version
3.7.1-5+deb11u9.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
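
A caller-side guard for the CVE-2025-9820 condition, as an added example that is not part of the advisory or of GnuTLS: it rejects labels longer than 32 characters before they would be passed to `gnutls_pkcs11_token_init()`. The helper `pkcs11_pad_label` and `struct token_field` are hypothetical names, the sample labels are constructed, and the code assumes the PKCS#11 convention of a fixed 32-byte, blank-padded token label.

```c
#include <stdio.h>
#include <string.h>

#define PKCS11_LABEL_LEN 32   /* assumed fixed width of the token label field */

/* Hypothetical layout: the canary stands in for memory next to the label. */
struct token_field {
    unsigned char label[PKCS11_LABEL_LEN];
    unsigned char canary[8];
};

/*
 * Hypothetical helper (not a GnuTLS function): copy `label` into a 32-byte,
 * blank-padded, non-NUL-terminated field.
 * Returns 0 on success, -1 if an argument is NULL or the label is too long.
 */
int pkcs11_pad_label(const char *label, unsigned char out[PKCS11_LABEL_LEN])
{
    size_t len = 0;

    if (label == NULL || out == NULL)
        return -1;

    /* Bounded scan: stop one past the limit instead of trusting strlen(). */
    while (len <= PKCS11_LABEL_LEN && label[len] != '\0')
        len++;
    if (len > PKCS11_LABEL_LEN)
        return -1;                        /* reject, never truncate silently */

    memset(out, ' ', PKCS11_LABEL_LEN);   /* blank padding */
    memcpy(out, label, len);              /* len <= 32, cannot overrun */
    return 0;
}

int main(void)
{
    /* Constructed sample labels: 10 characters and 34 characters. */
    const char *samples[] = { "backup-hsm", "this-label-is-longer-than-32-chars" };
    struct token_field f;

    for (size_t i = 0; i < 2; i++) {
        int rc = pkcs11_pad_label(samples[i], f.label);
        /* Only a label that passes here should reach
         * gnutls_pkcs11_token_init(token_url, so_pin, label). */
        printf("%-36s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The check is a stopgap for callers that cannot upgrade immediately; the fix named in the advisory is the upgrade to 3.7.1-5+deb11u9.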
