Accepting request 811391 from home:vitezslav_cizek:branches:security:tls

- Update to 3.6.14
  * libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
    The TLS server would not bind the session ticket encryption key with a
    value supplied by the application until the initial key rotation, allowing
    attacker to bypass authentication in TLS 1.3 and recover previous
    conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
    [GNUTLS-SA-2020-06-03, CVSS: high]
  * libgnutls: Fixed handling of certificate chain with cross-signed
    intermediate CA certificates (#1008). (bsc#1172461)
  * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
  * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
    (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
    Key Identifier (AKI) properly (#989, #991).
  * certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
  * libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
    Also both accelerated and non-accelerated implementations check key block
    according to FIPS-140-2 IG A.9 (!1233).
  * libgnutls: Added support for AES-SIV ciphers (#463).
  * libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
  * libgnutls: No longer use internal symbols exported from Nettle (!1235)
  * API and ABI modifications:
    GNUTLS_CIPHER_AES_128_SIV: Added
    GNUTLS_CIPHER_AES_256_SIV: Added
    GNUTLS_CIPHER_AES_192_GCM: Added
    gnutls_pkcs7_print_signature_info: Added
- Add key D605848ED7E69871: public key "Daiki Ueno <ueno@unixuser.org>" to
  the keyring
- Drop gnutls-fips_correct_nettle_soversion.patch (upstream)

OBS-URL: https://build.opensuse.org/request/show/811391
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=34

gnutls-3.6.13.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:32041df447d9f4644570cf573c9f60358e865637d69b7e59d1159b7240b52f38
-size 5958956

gnutls-3.6.14.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63
+size 6069088

gnutls-fips_correct_nettle_soversion.patch

@@ -1,13 +0,0 @@
-Index: gnutls-3.6.12/lib/fips.c
-===================================================================
---- gnutls-3.6.12.orig/lib/fips.c	2019-06-27 06:40:43.000000000 +0200
-+++ gnutls-3.6.12/lib/fips.c	2020-03-16 09:29:39.056332128 +0100
-@@ -136,7 +136,7 @@ void _gnutls_fips_mode_reset_zombie(void
- }
- 
- #define GNUTLS_LIBRARY_NAME "libgnutls.so.30"
--#define NETTLE_LIBRARY_NAME "libnettle.so.6"
-+#define NETTLE_LIBRARY_NAME "libnettle.so.7"
- #define HOGWEED_LIBRARY_NAME "libhogweed.so.4"
- #define GMP_LIBRARY_NAME "libgmp.so.10"
- 

gnutls.changes

@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Thu Jun  4 09:39:58 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 3.6.14
+  * libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
+    The TLS server would not bind the session ticket encryption key with a
+    value supplied by the application until the initial key rotation, allowing
+    attacker to bypass authentication in TLS 1.3 and recover previous
+    conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
+    [GNUTLS-SA-2020-06-03, CVSS: high]
+  * libgnutls: Fixed handling of certificate chain with cross-signed
+    intermediate CA certificates (#1008). (bsc#1172461)
+  * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
+  * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
+    (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
+    Key Identifier (AKI) properly (#989, #991).
+  * certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
+  * libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
+    Also both accelerated and non-accelerated implementations check key block
+    according to FIPS-140-2 IG A.9 (!1233).
+  * libgnutls: Added support for AES-SIV ciphers (#463).
+  * libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
+  * libgnutls: No longer use internal symbols exported from Nettle (!1235)
+  * API and ABI modifications:
+    GNUTLS_CIPHER_AES_128_SIV: Added
+    GNUTLS_CIPHER_AES_256_SIV: Added
+    GNUTLS_CIPHER_AES_192_GCM: Added
+    gnutls_pkcs7_print_signature_info: Added
+- Add key D605848ED7E69871: public key "Daiki Ueno <ueno@unixuser.org>" to
+  the keyring
+- Drop gnutls-fips_correct_nettle_soversion.patch (upstream)
+
 -------------------------------------------------------------------
 Thu Apr  2 09:32:01 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
 

gnutls.spec

@@ -28,7 +28,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.6.13
+Version:        3.6.14
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -39,7 +39,6 @@ Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.x
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
-Patch2:         gnutls-fips_correct_nettle_soversion.patch
 Patch4:         gnutls-3.6.6-set_guile_site_dir.patch
 BuildRequires:  autogen
 BuildRequires:  automake