diff --git a/gnutls-3.8.2.tar.xz b/gnutls-3.8.2.tar.xz
deleted file mode 100644
index 6705100..0000000
--- a/gnutls-3.8.2.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e765e5016ffa9b9dd243e363a0460d577074444ee2491267db2e96c9c2adef77
-size 6456540
diff --git a/gnutls-3.8.2.tar.xz.sig b/gnutls-3.8.2.tar.xz.sig
deleted file mode 100644
index 43978a0..0000000
Binary files a/gnutls-3.8.2.tar.xz.sig and /dev/null differ
diff --git a/gnutls-3.8.3.tar.xz b/gnutls-3.8.3.tar.xz
new file mode 100644
index 0000000..e8cb6d8
--- /dev/null
+++ b/gnutls-3.8.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f74fc5954b27d4ec6dfbb11dea987888b5b124289a3703afcada0ee520f4173e
+size 6463720
diff --git a/gnutls-3.8.3.tar.xz.sig b/gnutls-3.8.3.tar.xz.sig
new file mode 100644
index 0000000..0531c45
Binary files /dev/null and b/gnutls-3.8.3.tar.xz.sig differ
diff --git a/gnutls-FIPS-140-3-references.patch b/gnutls-FIPS-140-3-references.patch
index 7d12ce0..526e342 100644
--- a/gnutls-FIPS-140-3-references.patch
+++ b/gnutls-FIPS-140-3-references.patch
@@ -1,7 +1,7 @@
-Index: gnutls-3.8.2/configure.ac
+Index: gnutls-3.8.3/configure.ac
 ===================================================================
---- gnutls-3.8.2.orig/configure.ac
-+++ gnutls-3.8.2/configure.ac
+--- gnutls-3.8.3.orig/configure.ac
++++ gnutls-3.8.3/configure.ac
 @@ -623,19 +623,19 @@ LT_INIT([disable-static,win32-dll,shared
 AC_LIB_HAVE_LINKFLAGS(dl,, [#include ], [dladdr (0, 0);]) 
@@ -25,10 +25,10 @@ Index: gnutls-3.8.2/configure.ac AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name], [specify the FIPS140 module name]), -Index: gnutls-3.8.2/doc/cha-gtls-app.texi +Index: gnutls-3.8.3/doc/cha-gtls-app.texi =================================================================== ---- gnutls-3.8.2.orig/doc/cha-gtls-app.texi -+++ gnutls-3.8.2/doc/cha-gtls-app.texi +--- gnutls-3.8.3.orig/doc/cha-gtls-app.texi ++++ gnutls-3.8.3/doc/cha-gtls-app.texi @@ -222,7 +222,7 @@ CPU. The currently available options are @end itemize @@ -38,10 +38,10 @@ Index: gnutls-3.8.2/doc/cha-gtls-app.texi if set to one it will force the FIPS mode enablement. @end multitable -Index: gnutls-3.8.2/doc/cha-internals.texi +Index: gnutls-3.8.3/doc/cha-internals.texi =================================================================== ---- gnutls-3.8.2.orig/doc/cha-internals.texi -+++ gnutls-3.8.2/doc/cha-internals.texi +--- gnutls-3.8.3.orig/doc/cha-internals.texi ++++ gnutls-3.8.3/doc/cha-internals.texi @@ -14,7 +14,7 @@ happens inside the black box. * TLS Hello Extension Handling:: * Cryptographic Backend:: @@ -162,10 +162,10 @@ Index: gnutls-3.8.2/doc/cha-internals.texi operation. It can be attached to the current execution thread with @funcref{gnutls_fips140_push_context} and its internal state will be updated until it is detached with -Index: gnutls-3.8.2/doc/enums.texi +Index: gnutls-3.8.3/doc/enums.texi =================================================================== ---- gnutls-3.8.2.orig/doc/enums.texi -+++ gnutls-3.8.2/doc/enums.texi +--- gnutls-3.8.3.orig/doc/enums.texi ++++ gnutls-3.8.3/doc/enums.texi @@ -1188,7 +1188,7 @@ application traffic secret is installed @c gnutls_fips_mode_t @table @code 
@@ -186,10 +186,10 @@ Index: gnutls-3.8.2/doc/enums.texi application is aware of the followed security policy, and needs to utilize disallowed operations for other reasons (e.g., compatibility). @item GNUTLS_@-FIPS140_@-LOG -Index: gnutls-3.8.2/doc/functions/gnutls_fips140_set_mode +Index: gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode =================================================================== ---- gnutls-3.8.2.orig/doc/functions/gnutls_fips140_set_mode -+++ gnutls-3.8.2/doc/functions/gnutls_fips140_set_mode +--- gnutls-3.8.3.orig/doc/functions/gnutls_fips140_set_mode ++++ gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode @@ -3,7 +3,7 @@ @@ -215,10 +215,10 @@ Index: gnutls-3.8.2/doc/functions/gnutls_fips140_set_mode values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library switches to @code{GNUTLS_FIPS140_STRICT} mode. -Index: gnutls-3.8.2/doc/gnutls.html +Index: gnutls-3.8.3/doc/gnutls.html =================================================================== ---- gnutls-3.8.2.orig/doc/gnutls.html -+++ gnutls-3.8.2/doc/gnutls.html +--- gnutls-3.8.3.orig/doc/gnutls.html ++++ gnutls-3.8.3/doc/gnutls.html @@ -484,7 +484,7 @@ Documentation License”.
  • 11.4 TLS Extension Handling
  • 11.5 Cryptographic Backend
  • @@ -430,7 +430,7 @@ Index: gnutls-3.8.2/doc/gnutls.html values for mode or to GNUTLS_FIPS140_SELFTESTS mode, the library switches to GNUTLS_FIPS140_STRICT mode.

    -@@ -46924,7 +46924,7 @@ Next: gnutls_fingerprintCore TLS API gnutls_fips140_context_deinitCore TLS API gnutls_fips140_context_initCore TLS API @@ -439,11 +439,11 @@ Index: gnutls-3.8.2/doc/gnutls.html gnutls_fips140_get_operation_stateCore TLS API gnutls_fips140_mode_enabledCore TLS API gnutls_fips140_pop_contextCore TLS API -Index: gnutls-3.8.2/doc/gnutls.info-3 +Index: gnutls-3.8.3/doc/gnutls.info-3 =================================================================== ---- gnutls-3.8.2.orig/doc/gnutls.info-3 -+++ gnutls-3.8.2/doc/gnutls.info-3 -@@ -2248,7 +2248,7 @@ to ‘more’. Both will exit with a st +--- gnutls-3.8.3.orig/doc/gnutls.info-3 ++++ gnutls-3.8.3/doc/gnutls.info-3 +@@ -2247,7 +2247,7 @@ to ‘more’. Both will exit with a st --inline-commands-prefix=str Change the default delimiter for inline commands --provider=file Specify the PKCS #11 provider library - file must pre-exist @@ -452,7 +452,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3 --list-config Reports the configuration of the library --logfile=str Redirect informational messages to a specific file --keymatexport=str Label used for exporting keying material -@@ -3401,7 +3401,7 @@ to know what happens inside the black bo +@@ -3400,7 +3400,7 @@ to know what happens inside the black bo * TLS Hello Extension Handling:: * Cryptographic Backend:: * Random Number Generators-internals:: @@ -461,7 +461,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3  File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS -@@ -3933,7 +3933,7 @@ and abstract key types::. +@@ -3932,7 +3932,7 @@ and abstract key types::. kernel implementation of ‘/dev/crypto’.  
@@ -470,7 +470,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3 11.6 Random Number Generators ============================= -@@ -3943,7 +3943,7 @@ About the generators +@@ -3942,7 +3942,7 @@ About the generators GnuTLS provides two random generators. The default, and the AES-DRBG random generator which is only used when the library is compiled with @@ -479,7 +479,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3 The default generator - inner workings -------------------------------------- -@@ -4175,7 +4175,7 @@ in *note Figure 11.5: gnutls_fips_mode_t +@@ -4174,7 +4174,7 @@ in *note Figure 11.5: gnutls_fips_mode_t Figure 11.5: The ‘gnutls_fips_mode_t’ enumeration. The intention of this API is to be used by applications which may run in @@ -488,7 +488,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3 set, e.g., for non-security related purposes. In these cases applications should wrap the non-compliant code within blocks like the following. -@@ -4199,10 +4199,10 @@ are macros to simplify the following seq +@@ -4198,10 +4198,10 @@ are macros to simplify the following seq The reason of the ‘GNUTLS_FIPS140_SET_MODE_THREAD’ flag in the previous calls is to localize the change in the mode. Note also, that such a @@ -501,7 +501,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3 gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); Service indicator -@@ -4684,8 +4684,8 @@ There are certifications from national o +@@ -4683,8 +4683,8 @@ There are certifications from national o practices, such as unit testing and reliance on well known crypto primitives. @@ -512,7 +512,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3  File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top -@@ -9152,7 +9152,7 @@ gnutls_fips140_set_mode +@@ -9151,7 +9151,7 @@ gnutls_fips140_set_mode -- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE, unsigned FLAGS) 
@@ -521,10 +521,10 @@ Index: gnutls-3.8.2/doc/gnutls.info-3 FLAGS: should be zero or ‘GNUTLS_FIPS140_SET_MODE_THREAD’ -Index: gnutls-3.8.2/doc/invoke-gnutls-cli.texi +Index: gnutls-3.8.3/doc/invoke-gnutls-cli.texi =================================================================== ---- gnutls-3.8.2.orig/doc/invoke-gnutls-cli.texi -+++ gnutls-3.8.2/doc/invoke-gnutls-cli.texi +--- gnutls-3.8.3.orig/doc/invoke-gnutls-cli.texi ++++ gnutls-3.8.3/doc/invoke-gnutls-cli.texi @@ -102,7 +102,7 @@ None: --inline-commands-prefix=str Change the default delimiter for inline commands --provider=file Specify the PKCS #11 provider library @@ -534,10 +534,10 @@ Index: gnutls-3.8.2/doc/invoke-gnutls-cli.texi --list-config Reports the configuration of the library --logfile=str Redirect informational messages to a specific file --keymatexport=str Label used for exporting keying material -Index: gnutls-3.8.2/doc/manpages/gnutls-cli.1 +Index: gnutls-3.8.3/doc/manpages/gnutls-cli.1 =================================================================== ---- gnutls-3.8.2.orig/doc/manpages/gnutls-cli.1 -+++ gnutls-3.8.2/doc/manpages/gnutls-cli.1 +--- gnutls-3.8.3.orig/doc/manpages/gnutls-cli.1 ++++ gnutls-3.8.3/doc/manpages/gnutls-cli.1 @@ -398,7 +398,7 @@ Specify the PKCS #11 provider library. This will override the default options in /etc/gnutls/pkcs11.conf .TP @@ -547,10 +547,10 @@ Index: gnutls-3.8.2/doc/manpages/gnutls-cli.1 .sp .TP .NOP \f\*[B-Font]\-\-list\-config\f[] -Index: gnutls-3.8.2/doc/reference/html/gnutls-gnutls.html +Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html =================================================================== ---- gnutls-3.8.2.orig/doc/reference/html/gnutls-gnutls.html -+++ gnutls-3.8.2/doc/reference/html/gnutls-gnutls.html +--- gnutls-3.8.3.orig/doc/reference/html/gnutls-gnutls.html ++++ gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html 
@@ -20866,12 +20866,12 @@ gnutls_fips140_set_mode ( +
+- Update to 3.8.3:
+ * libgnutls: Fix more timing side-channel inside RSA-PSK key
+ exchange. [GNUTLS-SA-2024-01-14, CVSS: medium]
+ [bsc#1218865, CVE-2024-0553]
+ * libgnutls: Fix assertion failure when verifying a certificate
+ chain with a cycle of cross signatures.
+ [GNUTLS-SA-2024-01-09, CVSS: medium] [bsc#1218862, CVE-2024-0567]
+ * libgnutls: Fix regression in handling Ed25519 keys stored in
+ PKCS#11 token certtool was unable to handle Ed25519 keys
+ generated on PKCS#11 with pkcs11-tool (OpenSC).
+ This is a regression introduced in 3.8.2.
+ * Rebase gnutls-FIPS-140-3-references.patch
+ * Updated upstream gnutls.keyring
+
 -------------------------------------------------------------------
 Fri Nov 17 10:17:02 UTC 2023 - Pedro Monreal
diff --git a/gnutls.keyring b/gnutls.keyring
index 25b14b4..ec5c623 100644
Binary files a/gnutls.keyring and b/gnutls.keyring differ
diff --git a/gnutls.spec b/gnutls.spec
index 0403417..977e6c2 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -40,7 +40,7 @@
 %endif
 %bcond_with tpm
 Name: gnutls
-Version: 3.8.2
+Version: 3.8.3
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: GPL-3.0-or-later AND LGPL-2.1-or-later
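Review bot: The new changes entry records only `  * Updated upstream gnutls.keyring` while the same commit also swaps in gnutls-3.8.3.tar.xz and its .sig, so the trust anchor and the artifact it validates change together with no record of which key the replaced keyring adds or rotates, nor of how that key was cross-checked; this applies to the changes hunk at the start of this line and to the binary gnutls.keyring change that follows it. From the diff alone a reviewer cannot confirm that the 3.8.3 signature was validated against a key whose fingerprint was obtained independently of this update rather than against whatever the new keyring happens to contain. I would extend the entry so the provenance is auditable later, e.g. `  * Updated upstream gnutls.keyring: added signing key <FINGERPRINT-PLACEHOLDER>, cross-checked against <OUT-OF-BAND-SOURCE-PLACEHOLDER>`. The file header for the changes hunk is not visible in this span, so the hunk begins outside what is shown here.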