I believe applying the proposed patch is becoming increasingly urgent. It is obviously in the 2.6.4 and 2.4.3 releases of GnuTLS and AFAIK, it didn't break anything.
Pinning down on 2.0.4-1 of libgnutls13 is not a long-term solution, especially not for an LTS system. The patch has been verified as working in staging environments, and I believe we have to come to a decision.
Maintaining my own version of gnutls for the next 4 years doesn't really appeal to me either.
Also, in my experience it is not uncommon to use home-brewed root certificates without the basicConstraints extension, i.e. for authentication of the directory service. This configuration fails with the current Ubuntu version.