Accepting request 630992 from home:vitezslav_cizek:branches:security:tls

- Update to 3.6.3
  Fixes security issues:
  CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
  (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
  Other Changes:
  ** libgnutls: Introduced support for draft-ietf-tls-tls13-28
  ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
     earlier and TLS 1.3.
  ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
  ** Provide a uniform cipher list across supported TLS protocols
  ** The SSL 3.0 protocol is disabled on compile-time by default.
  ** libgnutls: Introduced function to switch the current FIPS140-2 operational
     mode
  ** libgnutls: Introduced low-level function to assist applications attempting client
     hello extension parsing, prior to GnuTLS' parsing of the message.
  ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
     modifications to the certificate.
  ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
     which are preferred by the server.
  ** Improved counter-measures for TLS CBC record padding.
     ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
     of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
  ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
     GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
  ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
     gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
     unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
     change for these functions which make them err towards safety.
  ** libgnutls: improved aarch64 cpu features detection by using getauxval().
  ** certtool: It is now possible to specify certificate and serial CRL numbers greater

OBS-URL: https://build.opensuse.org/request/show/630992
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=4

gnutls-3.6.2.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bcd5db7b234e02267f36b5d13cf5214baac232b7056a506252b7574ea7738d1f
-size 8093304

gnutls-3.6.3.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ed642b66a4ecf4851ab2d809cd1475c297b6201d8e8bd14b4d1c08b53ffca993
+size 8010284

gnutls.changes

@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com
+
+- Update to 3.6.3
+  Fixes security issues:
+  CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
+  (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
+  Other Changes:
+  ** libgnutls: Introduced support for draft-ietf-tls-tls13-28
+  ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
+     earlier and TLS 1.3.
+  ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
+  ** Provide a uniform cipher list across supported TLS protocols
+  ** The SSL 3.0 protocol is disabled on compile-time by default.
+  ** libgnutls: Introduced function to switch the current FIPS140-2 operational
+     mode
+  ** libgnutls: Introduced low-level function to assist applications attempting client
+     hello extension parsing, prior to GnuTLS' parsing of the message.
+  ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
+     modifications to the certificate.
+  ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
+     which are preferred by the server.
+  ** Improved counter-measures for TLS CBC record padding.
+     ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
+     of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
+  ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
+     GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
+  ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
+     gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
+     unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
+     change for these functions which make them err towards safety.
+  ** libgnutls: improved aarch64 cpu features detection by using getauxval().
+  ** certtool: It is now possible to specify certificate and serial CRL numbers greater
+     than 2**63-2 as a hex-encoded string both when prompted and in a template file.
+     Default certificate serial numbers are now fully random.
+- don't run autoreconf to avoid pulling in gtk-doc
+
 -------------------------------------------------------------------
 Tue Jul 31 10:04:17 UTC 2018 - schwab@suse.de
 

gnutls.spec

@@ -29,7 +29,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.6.2
+Version:        3.6.3
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -168,7 +168,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 export LDFLAGS="-pie"
 export CFLAGS="%{optflags} -fPIE"
 export CXXFLAGS="%{optflags} -fPIE"
-autoreconf -fiv
+#autoreconf -fiv
 %configure \
         gl_cv_func_printf_directive_n=yes \
         gl_cv_func_printf_infinite_long_double=yes \
@@ -177,7 +177,7 @@ autoreconf -fiv
         --disable-silent-rules \
 	--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
         --with-sysroot=/%{?_sysroot} \
-        --with-guile-site-dir=no \
+        --with-guile-site-dir=%{_datadir}/guile \
 %if %{without tpm}
         --without-tpm \
 %endif
@@ -307,7 +307,7 @@ make %{?_smp_mflags} check || {
 %if %{with guile}
 %files guile
 %{_libdir}/guile/*
-%{_datadir}/guile/site/gnutls*
+%{_datadir}/guile/gnutls*
 %endif
 
 %changelog