Accepting request 691550 from home:jsikes:branches:security:tls

Forgot changelog entry.

OBS-URL: https://build.opensuse.org/request/show/691550
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=19

gnutls-3.6.0-disable-flaky-dtls_resume-test.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.6.5/tests/Makefile.am
+Index: gnutls-3.6.7/tests/Makefile.am
 ===================================================================
---- gnutls-3.6.5.orig/tests/Makefile.am	2019-01-04 14:11:28.196622546 +0100
-+++ gnutls-3.6.5/tests/Makefile.am	2019-01-04 14:11:29.080627637 +0100
-@@ -445,7 +445,7 @@ if !WINDOWS
+--- gnutls-3.6.7.orig/tests/Makefile.am
++++ gnutls-3.6.7/tests/Makefile.am
+@@ -453,7 +453,7 @@ if !WINDOWS
  # List of tests not available/functional under windows
  #
  
@@ -11,11 +11,11 @@ Index: gnutls-3.6.5/tests/Makefile.am
  
  indirect_tests += dtls-stress
  
-Index: gnutls-3.6.5/tests/Makefile.in
+Index: gnutls-3.6.7/tests/Makefile.in
 ===================================================================
---- gnutls-3.6.5.orig/tests/Makefile.in	2019-01-04 14:11:28.200622568 +0100
-+++ gnutls-3.6.5/tests/Makefile.in	2019-01-04 14:11:44.352715599 +0100
-@@ -164,7 +164,7 @@ host_triplet = @host@
+--- gnutls-3.6.7.orig/tests/Makefile.in
++++ gnutls-3.6.7/tests/Makefile.in
+@@ -165,7 +165,7 @@ host_triplet = @host@
  #
  # List of tests not available/functional under windows
  #
@@ -23,13 +23,13 @@ Index: gnutls-3.6.5/tests/Makefile.in
 +@WINDOWS_FALSE@am__append_13 = dtls/dtls fastopen.sh \
  @WINDOWS_FALSE@	pkgconfig.sh starttls.sh starttls-ftp.sh \
  @WINDOWS_FALSE@	starttls-smtp.sh starttls-lmtp.sh \
- @WINDOWS_FALSE@	starttls-pop3.sh starttls-nntp.sh \
-@@ -2663,7 +2663,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM
+ @WINDOWS_FALSE@	starttls-pop3.sh starttls-xmpp.sh \
+@@ -2703,7 +2703,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM
  	$(am__DEPENDENCIES_2)
  am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \
  	rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \
 -	dtls/dtls-resume fastopen.sh pkgconfig.sh starttls.sh \
 +	fastopen.sh pkgconfig.sh starttls.sh \
  	starttls-ftp.sh starttls-smtp.sh starttls-lmtp.sh \
- 	starttls-pop3.sh starttls-nntp.sh starttls-sieve.sh \
- 	ocsp-tests/ocsp-tls-connection \
+ 	starttls-pop3.sh starttls-xmpp.sh starttls-nntp.sh \
+ 	starttls-sieve.sh ocsp-tests/ocsp-tls-connection \

gnutls-3.6.6-set_guile_site_dir.patch

@@ -0,0 +1,13 @@
+Index: gnutls-3.6.6/configure
+===================================================================
+--- gnutls-3.6.6.orig/configure
++++ gnutls-3.6.6/configure
+@@ -62868,7 +62868,7 @@
+ 
+   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5
+ $as_echo_n "checking for Guile site directory... " >&6; }
+-  GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION`
++  GUILE_SITE=/usr/share/guile
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5
+ $as_echo "$GUILE_SITE" >&6; }
+   if test "$GUILE_SITE" = ""; then

gnutls-3.6.6.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bb9acab8af2ac430edf45faaaa4ed2c51f86e57cb57689be6701aceef4732ca7
-size 8257612

gnutls-3.6.7.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5b3409ad5aaf239808730d1ee12fdcd148c0be00262c7edf157af655a8a188e2
+size 8153728

gnutls.changes

@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Thu Apr  4 13:34:03 UTC 2019 - Jason Sikes <jsikes@suse.de>
+
+- Update gnutls to 3.6.7
+  ** libgnutls, gnutls tools: Every gnutls_free() will automatically set
+     the free'd pointer to NULL. This prevents possible use-after-free and
+     double free issues. Use-after-free will be turned into NULL dereference.
+     The counter-measure does not extend to applications using gnutls_free().
+
+  ** libgnutls: Fixed a memory corruption (double free) vulnerability in the
+     certificate verification API. Reported by Tavis Ormandy; addressed with
+     the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829)
+
+  ** libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages;
+     Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836)
+
+  ** libgnutls: enforce key usage limitations on certificates more actively.
+     Previously we would enforce it for TLS1.2 protocol, now we enforce it
+     even when TLS1.3 is negotiated, or on client certificates as well. When
+     an inappropriate for TLS1.3 certificate is seen on the credentials structure
+     GnuTLS will disable TLS1.3 support for that session (#690).
+
+  ** libgnutls: the default number of tickets sent under TLS 1.3 was increased to
+     two. This makes it easier for clients which perform multiple connections
+     to the server to use the tickets sent by a default server.
+
+  ** libgnutls: enforce the equality of the two signature parameters fields in
+     a certificate. We were already enforcing the signature algorithm, but there
+     was a bug in parameter checking code.
+
+  ** libgnutls: fixed issue preventing sending and receiving from different
+     threads when false start was enabled (#713).
+
+  ** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
+     session, as non-writeable security officer sessions are undefined in PKCS#11
+     (#721).
+
+  ** libgnutls: no longer send downgrade sentinel in TLS 1.3.
+     Previously the sentinel value was embedded to early in version
+     negotiation and was sent even on TLS 1.3. It is now sent only when
+     TLS 1.2 or earlier is negotiated (#689).
+
+  ** gnutls-cli: Added option --logfile to redirect informational messages output.
+
+- Disabled dane support in SLE since dane is not shipped there
+
+- Changed configure script to hardware guile site directory since command-line
+  option '--with-guile-site-dir=' was removed from the configure script.
+
+  ** Added gnutls-3.6.6-set_guile_site_dir.patch
+
+- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix
+  compilation issues on PPC
+
 -------------------------------------------------------------------
 Mon Feb  4 12:41:43 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
 

gnutls.spec

@@ -20,8 +20,8 @@
 %define gnutlsxx_sover 28
 %define gnutls_dane_sover 0
 
-# unbound isn't in SLE12 (bsc#1086428)
-%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500
+# unbound isn't in SLE (bsc#1086428)
+%if 0%{?is_opensuse}
 %bcond_without dane
 %else
 %bcond_with dane
@@ -29,7 +29,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.6.6
+Version:        3.6.7
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -42,6 +42,7 @@ Source3:        baselibs.conf
 Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch2:         gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
 Patch3:         disable-psk-file-test.patch
+Patch4:         gnutls-3.6.6-set_guile_site_dir.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -83,7 +84,7 @@ BuildRequires:  guile-devel
 %description
 The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
-of the IETF's TLS working group.
+of the IETFs TLS working group.
 
 %package -n libgnutls%{gnutls_sover}
 Summary:        The GNU Transport Layer Security Library
@@ -93,8 +94,9 @@ Group:          System/Libraries
 %description -n libgnutls%{gnutls_sover}
 The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
-of the IETF's TLS working group.
+of the IETFs TLS working group.
 
+%if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:        DANE support for the GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later
@@ -104,6 +106,7 @@ Group:          System/Libraries
 The GnuTLS project aims to develop a library that provides a secure
 layer over a reliable transport layer.
 This package contains the "DANE" part of gnutls.
+%endif
 
 %package -n libgnutlsxx%{gnutlsxx_sover}
 Summary:        C++ API for the GNU Transport Layer Security Library
@@ -113,7 +116,7 @@ Group:          System/Libraries
 %description -n libgnutlsxx%{gnutlsxx_sover}
 The GnuTLS library provides a secure layer over a reliable transport
 layer.
-implements the proposed standards of the IETF's TLS working group.
+implements the proposed standards of the IETF TLS working group.
 
 %package -n libgnutls-devel
 Summary:        Development package for the GnuTLS C API
@@ -127,6 +130,7 @@ Provides:       gnutls-devel = %{version}-%{release}
 %description -n libgnutls-devel
 Files needed for software development using gnutls.
 
+%if %{with dane}
 %package -n libgnutls-dane-devel
 Summary:        Development package for GnuTLS DANE component
 License:        LGPL-2.1-or-later
@@ -135,6 +139,7 @@ Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}
 
 %description -n libgnutls-dane-devel
 Files needed for software development using gnutls.
+%endif
 
 %package -n libgnutlsxx-devel
 Summary:        Development package for the GnuTLS C++ API
@@ -161,6 +166,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 %setup -q
 %patch1 -p1
 %patch3 -p1
+%patch4 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1
@@ -179,7 +185,6 @@ export CXXFLAGS="%{optflags} -fPIE"
         --disable-silent-rules \
 	--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
         --with-sysroot=/%{?_sysroot} \
-        --with-guile-site-dir=%{_datadir}/guile \
 %if %{without tpm}
         --without-tpm \
 %endif