commit gnutls for openSUSE:Factory
Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked
in at 2019-04-10 23:10:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
and /work/SRC/openSUSE:Factory/.gnutls.new.27019 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gnutls"

Wed Apr 10 23:10:32 2019 rev:117 rq:692241 version:3.6.7

Changes:
--------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2019-02-04
21:25:14.943597851 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.27019/gnutls.changes 2019-04-10
23:10:36.979934400 +0200
@@ -1,0 +2,60 @@
+Thu Apr 4 20:31:19 UTC 2019 - Jan Engelhardt <jengelh@xxxxxxx>
+
+- Trim useless %if..%endif guards that do not affect the build.
+- Fix language errors in description again.
+
+-------------------------------------------------------------------
+Thu Apr 4 13:34:03 UTC 2019 - Jason Sikes <jsikes@xxxxxxx>
+
+- Update gnutls to 3.6.7
+ ** libgnutls, gnutls tools: Every gnutls_free() will automatically set
+ the free'd pointer to NULL. This prevents possible use-after-free and
+ double free issues. Use-after-free will be turned into NULL dereference.
+ The counter-measure does not extend to applications using gnutls_free().
+
+ ** libgnutls: Fixed a memory corruption (double free) vulnerability in the
+ certificate verification API. Reported by Tavis Ormandy; addressed with
+ the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681]
(CVE-2019-3829)
+
+ ** libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async
messages;
+ Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682]
(CVE-2019-3836)
+
+ ** libgnutls: enforce key usage limitations on certificates more actively.
+ Previously we would enforce it for TLS1.2 protocol, now we enforce it
+ even when TLS1.3 is negotiated, or on client certificates as well. When
+ an inappropriate for TLS1.3 certificate is seen on the credentials
structure
+ GnuTLS will disable TLS1.3 support for that session (#690).
+
+ ** libgnutls: the default number of tickets sent under TLS 1.3 was increased
to
+ two. This makes it easier for clients which perform multiple connections
+ to the server to use the tickets sent by a default server.
+
+ ** libgnutls: enforce the equality of the two signature parameters fields in
+ a certificate. We were already enforcing the signature algorithm, but
there
+ was a bug in parameter checking code.
+
+ ** libgnutls: fixed issue preventing sending and receiving from different
+ threads when false start was enabled (#713).
+
+ ** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
+ session, as non-writeable security officer sessions are undefined in
PKCS#11
+ (#721).
+
+ ** libgnutls: no longer send downgrade sentinel in TLS 1.3.
+ Previously the sentinel value was embedded to early in version
+ negotiation and was sent even on TLS 1.3. It is now sent only when
+ TLS 1.2 or earlier is negotiated (#689).
+
+ ** gnutls-cli: Added option --logfile to redirect informational messages
output.
+
+- Disabled dane support in SLE since dane is not shipped there
+
+- Changed configure script to hardware guile site directory since command-line
+ option '--with-guile-site-dir=' was removed from the configure script.
+
+ ** Added gnutls-3.6.6-set_guile_site_dir.patch
+
+- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix
+ compilation issues on PPC
+
+-------------------------------------------------------------------
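Review bot: In the 3.6.7 entry, "Changed configure script to hardware guile site directory" should read "hardcode", and the "** Added gnutls-3.6.6-set_guile_site_dir.patch" line reuses the "**" marker that the rest of the entry uses for upstream release notes, so it reads like an upstream item rather than a packaging change. The "Disabled dane support in SLE" line should carry the bug reference that the spec comment uses (bsc#1086428), the same way the two security fixes above carry bsc#1130681 and bsc#1130682 next to their CVE ids.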

Old:
----
gnutls-3.6.6.tar.xz
gnutls-3.6.6.tar.xz.sig

New:
----
gnutls-3.6.6-set_guile_site_dir.patch
gnutls-3.6.7.tar.xz
gnutls-3.6.7.tar.xz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.bMijxU/_old 2019-04-10 23:10:37.983935541 +0200
+++ /var/tmp/diff_new_pack.bMijxU/_new 2019-04-10 23:10:37.987935545 +0200
@@ -20,8 +20,8 @@
%define gnutlsxx_sover 28
%define gnutls_dane_sover 0

-# unbound isn't in SLE12 (bsc#1086428)
-%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500
+# unbound isn't in SLE (bsc#1086428)
+%if 0%{?is_opensuse}
%bcond_without dane
%else
%bcond_with dane
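Review bot: Dropping "|| 0%{?suse_version} >= 1500" from the %if turns DANE off for every non-openSUSE build with suse_version 1500 or later, where the old condition enabled it, so this is a behaviour change for those targets and not only a comment cleanup. The new comment "unbound isn't in SLE (bsc#1086428)" gives the reason; it would help to say there that the version test was removed on purpose, and to confirm that nothing built for those targets still requires the dane subpackage.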
@@ -29,7 +29,7 @@
%bcond_with tpm
%bcond_without guile
Name: gnutls
-Version: 3.6.6
+Version: 3.6.7
Release: 0
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -42,6 +42,7 @@
Patch1: gnutls-3.5.11-skip-trust-store-tests.patch
Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
Patch3: disable-psk-file-test.patch
+Patch4: gnutls-3.6.6-set_guile_site_dir.patch
BuildRequires: autogen
BuildRequires: automake
BuildRequires: datefudge
@@ -112,8 +113,8 @@

%description -n libgnutlsxx%{gnutlsxx_sover}
The GnuTLS library provides a secure layer over a reliable transport
-layer.
-implements the proposed standards of the IETF's TLS working group.
+layer. Currently the GnuTLS library implements the proposed standards
+of the IETF's TLS working group.

%package -n libgnutls-devel
Summary: Development package for the GnuTLS C API
@@ -161,6 +162,7 @@
%setup -q
%patch1 -p1
%patch3 -p1
+%patch4 -p1
# dtls-resume test fails on PPC
%ifarch ppc64 ppc64le ppc
%patch2 -p1
@@ -179,7 +181,6 @@
--disable-silent-rules \

--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
--with-sysroot=/%{?_sysroot} \
- --with-guile-site-dir=%{_datadir}/guile \
%if %{without tpm}
--without-tpm \
%endif

++++++ gnutls-3.6.0-disable-flaky-dtls_resume-test.patch ++++++
--- /var/tmp/diff_new_pack.bMijxU/_old 2019-04-10 23:10:38.015935577 +0200
+++ /var/tmp/diff_new_pack.bMijxU/_new 2019-04-10 23:10:38.015935577 +0200
@@ -1,8 +1,8 @@
-Index: gnutls-3.6.5/tests/Makefile.am
+Index: gnutls-3.6.7/tests/Makefile.am
===================================================================
---- gnutls-3.6.5.orig/tests/Makefile.am 2019-01-04 14:11:28.196622546
+0100
-+++ gnutls-3.6.5/tests/Makefile.am 2019-01-04 14:11:29.080627637 +0100
-@@ -445,7 +445,7 @@ if !WINDOWS
+--- gnutls-3.6.7.orig/tests/Makefile.am
++++ gnutls-3.6.7/tests/Makefile.am
+@@ -453,7 +453,7 @@ if !WINDOWS
# List of tests not available/functional under windows
#

@@ -11,11 +11,11 @@

indirect_tests += dtls-stress

-Index: gnutls-3.6.5/tests/Makefile.in
+Index: gnutls-3.6.7/tests/Makefile.in
===================================================================
---- gnutls-3.6.5.orig/tests/Makefile.in 2019-01-04 14:11:28.200622568
+0100
-+++ gnutls-3.6.5/tests/Makefile.in 2019-01-04 14:11:44.352715599 +0100
-@@ -164,7 +164,7 @@ host_triplet = @host@
+--- gnutls-3.6.7.orig/tests/Makefile.in
++++ gnutls-3.6.7/tests/Makefile.in
+@@ -165,7 +165,7 @@ host_triplet = @host@
#
# List of tests not available/functional under windows
#
@@ -23,13 +23,13 @@
+@WINDOWS_FALSE@am__append_13 = dtls/dtls fastopen.sh \
@WINDOWS_FALSE@ pkgconfig.sh starttls.sh starttls-ftp.sh \
@WINDOWS_FALSE@ starttls-smtp.sh starttls-lmtp.sh \
- @WINDOWS_FALSE@ starttls-pop3.sh starttls-nntp.sh \
-@@ -2663,7 +2663,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM
+ @WINDOWS_FALSE@ starttls-pop3.sh starttls-xmpp.sh \
+@@ -2703,7 +2703,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM
$(am__DEPENDENCIES_2)
am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \
rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \
- dtls/dtls-resume fastopen.sh pkgconfig.sh starttls.sh \
+ fastopen.sh pkgconfig.sh starttls.sh \
starttls-ftp.sh starttls-smtp.sh starttls-lmtp.sh \
- starttls-pop3.sh starttls-nntp.sh starttls-sieve.sh \
- ocsp-tests/ocsp-tls-connection \
+ starttls-pop3.sh starttls-xmpp.sh starttls-nntp.sh \
+ starttls-sieve.sh ocsp-tests/ocsp-tls-connection \
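Review bot: The refreshed patch still edits the generated tests/Makefile.in alongside tests/Makefile.am, and the Makefile.in hunks depend on offsets (@@ -165, @@ -2703) and on context such as the new starttls-xmpp.sh entries that moved between 3.6.5 and 3.6.7, so it has to be refreshed by hand on every upstream release. Restricting the patch to Makefile.am and regenerating Makefile.in would remove that maintenance step. Since the patch takes dtls/dtls-resume out of the test run, a short header in the patch stating why and pointing at the tracking bug would make it easier to tell when it can be dropped.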

++++++ gnutls-3.6.6-set_guile_site_dir.patch ++++++
Index: gnutls-3.6.6/configure
===================================================================
--- gnutls-3.6.6.orig/configure
+++ gnutls-3.6.6/configure
@@ -62868,7 +62868,7 @@

{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory"
&5
$as_echo_n "checking for Guile site directory... " >&6; }
- GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir
guile-$GUILE_EFFECTIVE_VERSION`
+ GUILE_SITE=/usr/share/guile
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5
$as_echo "$GUILE_SITE" >&6; }
if test "$GUILE_SITE" = ""; then
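Review bot: "GUILE_SITE=/usr/share/guile" at configure line 62868 hardcodes a literal path where the spec previously passed %{_datadir}/guile, and it does so in the generated configure script, so the hunk offset must be re-checked on every release and the change is lost if configure is regenerated. With a constant assigned, the following test "$GUILE_SITE" = "" branch can no longer trigger. The Index: and path lines still name gnutls-3.6.6 although the package is now 3.6.7; refresh or rename the patch, and add a header explaining why it exists.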
++++++ gnutls-3.6.6.tar.xz -> gnutls-3.6.7.tar.xz ++++++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.6.6.tar.xz
/work/SRC/openSUSE:Factory/.gnutls.new.27019/gnutls-3.6.7.tar.xz differ: char
26, line 1


