diff --git a/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch b/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch index 34ea17b..4746cac 100644 --- a/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch +++ b/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.6.5/tests/Makefile.am +Index: gnutls-3.6.7/tests/Makefile.am =================================================================== ---- gnutls-3.6.5.orig/tests/Makefile.am 2019-01-04 14:11:28.196622546 +0100 -+++ gnutls-3.6.5/tests/Makefile.am 2019-01-04 14:11:29.080627637 +0100 -@@ -445,7 +445,7 @@ if !WINDOWS +--- gnutls-3.6.7.orig/tests/Makefile.am ++++ gnutls-3.6.7/tests/Makefile.am +@@ -453,7 +453,7 @@ if !WINDOWS # List of tests not available/functional under windows # @@ -11,11 +11,11 @@ Index: gnutls-3.6.5/tests/Makefile.am indirect_tests += dtls-stress -Index: gnutls-3.6.5/tests/Makefile.in +Index: gnutls-3.6.7/tests/Makefile.in =================================================================== ---- gnutls-3.6.5.orig/tests/Makefile.in 2019-01-04 14:11:28.200622568 +0100 -+++ gnutls-3.6.5/tests/Makefile.in 2019-01-04 14:11:44.352715599 +0100 -@@ -164,7 +164,7 @@ host_triplet = @host@ +--- gnutls-3.6.7.orig/tests/Makefile.in ++++ gnutls-3.6.7/tests/Makefile.in +@@ -165,7 +165,7 @@ host_triplet = @host@ # # List of tests not available/functional under windows # 
@@ -23,13 +23,13 @@ Index: gnutls-3.6.5/tests/Makefile.in +@WINDOWS_FALSE@am__append_13 = dtls/dtls fastopen.sh \ @WINDOWS_FALSE@ pkgconfig.sh starttls.sh starttls-ftp.sh \ @WINDOWS_FALSE@ starttls-smtp.sh starttls-lmtp.sh \ - @WINDOWS_FALSE@ starttls-pop3.sh starttls-nntp.sh \ -@@ -2663,7 +2663,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM + @WINDOWS_FALSE@ starttls-pop3.sh starttls-xmpp.sh \ +@@ -2703,7 +2703,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM $(am__DEPENDENCIES_2) am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \ rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \ - dtls/dtls-resume fastopen.sh pkgconfig.sh starttls.sh \ + fastopen.sh pkgconfig.sh starttls.sh \ starttls-ftp.sh starttls-smtp.sh starttls-lmtp.sh \ - starttls-pop3.sh starttls-nntp.sh starttls-sieve.sh \ - ocsp-tests/ocsp-tls-connection \ + starttls-pop3.sh starttls-xmpp.sh starttls-nntp.sh \ + starttls-sieve.sh ocsp-tests/ocsp-tls-connection \ diff --git a/gnutls-3.6.6-set_guile_site_dir.patch b/gnutls-3.6.6-set_guile_site_dir.patch new file mode 100644 index 0000000..f6b07e1 --- /dev/null +++ b/gnutls-3.6.6-set_guile_site_dir.patch @@ -0,0 +1,13 @@ +Index: gnutls-3.6.6/configure +=================================================================== +--- gnutls-3.6.6.orig/configure ++++ gnutls-3.6.6/configure +@@ -62868,7 +62868,7 @@ + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5 + $as_echo_n "checking for Guile site directory... " >&6; } +- GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION` ++ GUILE_SITE=/usr/share/guile + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5 + $as_echo "$GUILE_SITE" >&6; } + if test "$GUILE_SITE" = ""; then diff --git a/gnutls-3.6.6.tar.xz b/gnutls-3.6.6.tar.xz deleted file mode 100644 index f5e0afd..0000000 --- a/gnutls-3.6.6.tar.xz +++ /dev/null 
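Review bot: The new line `+ GUILE_SITE=/usr/share/guile` hardcodes a distro path into the generated `configure` script, and the `if test "$GUILE_SITE" = ""` check that follows it can no longer trigger, so a missing or relocated Guile installation is never reported at configure time. The spec line this patch replaces used `%{_datadir}/guile`; a `sed` in `%prep`, e.g. `sed -i 's|^\(\s*GUILE_SITE=\).*|\1%{_datadir}/guile|' configure`, keeps the path tied to the macro instead of a literal that can drift from the spec. Because the spec lists `autogen` and `automake` in BuildRequires, confirm that `%build` does not regenerate `configure`; if it does, this edit to the generated file is silently lost and the pkg-config query comes back. The patch is also named for 3.6.6 while the package now builds 3.6.7, which nothing in the diff explains.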
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bb9acab8af2ac430edf45faaaa4ed2c51f86e57cb57689be6701aceef4732ca7
-size 8257612
diff --git a/gnutls-3.6.6.tar.xz.sig b/gnutls-3.6.6.tar.xz.sig
deleted file mode 100644
index 6d74eae..0000000
Binary files a/gnutls-3.6.6.tar.xz.sig and /dev/null differ
diff --git a/gnutls-3.6.7.tar.xz b/gnutls-3.6.7.tar.xz
new file mode 100644
index 0000000..b861f28
--- /dev/null
+++ b/gnutls-3.6.7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5b3409ad5aaf239808730d1ee12fdcd148c0be00262c7edf157af655a8a188e2
+size 8153728
diff --git a/gnutls-3.6.7.tar.xz.sig b/gnutls-3.6.7.tar.xz.sig
new file mode 100644
index 0000000..0b8b615
Binary files /dev/null and b/gnutls-3.6.7.tar.xz.sig differ
diff --git a/gnutls.changes b/gnutls.changes
index d69f7a3..11a557f 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,57 @@ +------------------------------------------------------------------- +Thu Apr 4 13:34:03 UTC 2019 - Jason Sikes + +- Update gnutls to 3.6.7 + ** libgnutls, gnutls tools: Every gnutls_free() will automatically set + the free'd pointer to NULL. This prevents possible use-after-free and + double free issues. Use-after-free will be turned into NULL dereference. + The counter-measure does not extend to applications using gnutls_free(). + + ** libgnutls: Fixed a memory corruption (double free) vulnerability in the + certificate verification API. Reported by Tavis Ormandy; addressed with + the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829) + + ** libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; + Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836) + + ** libgnutls: enforce key usage limitations on certificates more actively. + Previously we would enforce it for TLS1.2 protocol, now we enforce it + even when TLS1.3 is negotiated, or on client certificates as well. When + an inappropriate for TLS1.3 certificate is seen on the credentials structure + GnuTLS will disable TLS1.3 support for that session (#690). + + ** libgnutls: the default number of tickets sent under TLS 1.3 was increased to + two. This makes it easier for clients which perform multiple connections + to the server to use the tickets sent by a default server. + + ** libgnutls: enforce the equality of the two signature parameters fields in + a certificate. We were already enforcing the signature algorithm, but there + was a bug in parameter checking code. + + ** libgnutls: fixed issue preventing sending and receiving from different + threads when false start was enabled (#713). + + ** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable + session, as non-writeable security officer sessions are undefined in PKCS#11 + (#721). + + ** libgnutls: no longer send downgrade sentinel in TLS 1.3. 
+ Previously the sentinel value was embedded to early in version + negotiation and was sent even on TLS 1.3. It is now sent only when + TLS 1.2 or earlier is negotiated (#689). + + ** gnutls-cli: Added option --logfile to redirect informational messages output. + +- Disabled dane support in SLE since dane is not shipped there + +- Changed configure script to hardware guile site directory since command-line + option '--with-guile-site-dir=' was removed from the configure script. + + ** Added gnutls-3.6.6-set_guile_site_dir.patch + +- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix + compilation issues on PPC + ------------------------------------------------------------------- Mon Feb 4 12:41:43 UTC 2019 - Vítězslav Čížek diff --git a/gnutls.spec b/gnutls.spec index 22a6772..dd78ec8 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -20,8 +20,8 @@ %define gnutlsxx_sover 28 %define gnutls_dane_sover 0 -# unbound isn't in SLE12 (bsc#1086428) -%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500 +# unbound isn't in SLE (bsc#1086428) +%if 0%{?is_opensuse} %bcond_without dane %else %bcond_with dane @@ -29,7 +29,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.6.6 +Version: 3.6.7 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later @@ -42,6 +42,7 @@ Source3: baselibs.conf Patch1: gnutls-3.5.11-skip-trust-store-tests.patch Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch Patch3: disable-psk-file-test.patch +Patch4: gnutls-3.6.6-set_guile_site_dir.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -83,7 +84,7 @@ BuildRequires: guile-devel %description The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards -of the IETF's TLS working group. +of the IETFs TLS working group. %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library 
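Review bot: Dropping `|| 0%{?suse_version} >= 1500` from the `%if` means SLE 15 builds, which previously produced libgnutls-dane%{gnutls_dane_sover} and libgnutls-dane-devel, now silently stop shipping them, and the hunk adds no `Obsoletes`/`Provides` for systems that already have those packages installed, so such installs keep an old DANE library with no upgrade path. If the drop is intentional, say so in the comment, e.g. `# unbound isn't in SLE (bsc#1086428); DANE is therefore openSUSE-only`, and consider an explicit Obsoletes on a package that survives on SLE. The `%files` sections for the dane subpackages are outside this diff; check they carry the same `%if %{with dane}` guard, otherwise rpmbuild on SLE will reject a `%files` list for a package that is no longer declared.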
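Review bot: The replacement `+of the IETFs TLS working group.` drops a possessive apostrophe and is ungrammatical, and the parallel descriptions changed later in this spec read `IETFs` in one place and `IETF TLS working group` in another, so the three %description texts no longer agree. If the apostrophe was removed to work around a tooling problem (a quoting issue in a spec linter or the changelog pipeline, presumably), record that in a comment; otherwise `of the IETF TLS working group.` in all three places is the neutral, consistent wording. The original `IETF's` was correct English and nothing in the diff motivates the change.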
@@ -93,8 +94,9 @@ Group: System/Libraries %description -n libgnutls%{gnutls_sover} The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards -of the IETF's TLS working group. +of the IETFs TLS working group. +%if %{with dane} %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library License: LGPL-2.1-or-later @@ -104,6 +106,7 @@ Group: System/Libraries The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. This package contains the "DANE" part of gnutls. +%endif %package -n libgnutlsxx%{gnutlsxx_sover} Summary: C++ API for the GNU Transport Layer Security Library @@ -113,7 +116,7 @@ Group: System/Libraries %description -n libgnutlsxx%{gnutlsxx_sover} The GnuTLS library provides a secure layer over a reliable transport layer. -implements the proposed standards of the IETF's TLS working group. +implements the proposed standards of the IETF TLS working group. %package -n libgnutls-devel Summary: Development package for the GnuTLS C API @@ -127,6 +130,7 @@ Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. +%if %{with dane} %package -n libgnutls-dane-devel Summary: Development package for GnuTLS DANE component License: LGPL-2.1-or-later @@ -135,6 +139,7 @@ Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %description -n libgnutls-dane-devel Files needed for software development using gnutls. +%endif %package -n libgnutlsxx-devel Summary: Development package for the GnuTLS C++ API @@ -161,6 +166,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme. %setup -q %patch1 -p1 %patch3 -p1 +%patch4 -p1 # dtls-resume test fails on PPC %ifarch ppc64 ppc64le ppc %patch2 -p1 
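Review bot: `+%patch4 -p1` is applied without a comment, unlike `%patch2` directly below it, and the patch it applies rewrites a generated `configure` to a fixed path rather than fixing a bug; a one-line note such as `# hardcode the Guile site dir: --with-guile-site-dir was removed from configure (see gnutls.changes)` tells the next maintainer why it exists and when it can be dropped without reading the .patch. Since `%patch4` is applied on every architecture while `%patch2` is PPC-only, the comment should also make clear the guile change is intentionally unconditional.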
@@ -179,7 +185,6 @@ export CXXFLAGS="%{optflags} -fPIE"
 --disable-silent-rules \
 --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
 --with-sysroot=/%{?_sysroot} \
- --with-guile-site-dir=%{_datadir}/guile \
 %if %{without tpm}
 --without-tpm \
 %endif