- Version 3.2.15 (released 2014-05-30)
** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon. (CVE-2014-3466 / bnc#880730)
** libgnutls: Several memory leaks caused by error conditions were
fixed. The leaks were identified using valgrind and the Codenomicon
TLS test suite.
** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.
** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.
** gnutls-cli: if dane is requested but not PKIX verification, then
only do verify the end certificate.
** ocsptool: Include path in ocsp request. This resolves#108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.
- Version 3.2.14 (released 2014-05-06)
** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.
** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result to illegal memory access if a server hint was provided.
** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.
** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.
** libgnutls: Several small bug fixes found by coverity.
** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.
OBS-URL: https://build.opensuse.org/request/show/236129
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=74
- Upgraded to 3.2.11
** libgnutls: Tolerate servers that send the SUPPORTED ECC extension.
** libgnutls: Reduced the TLS and DTLS version requirements for all
ciphersuites that are not GCM.
** libgnutls: When two initial keywords are specified then treat the
second as having the '+' modifier.
** libgnutls: When using a PKCS #11 module for verification ensure that
it has been marked a trusted policy module in p11-kit. Moreover, when an
empty (i.e., "pkcs11:") URL is specified, then try all trusted modules
in the system for verification.
http://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html
** libgnutls: Fixed bug that prevented the rejection of v1 intermediate
CA certificates. Reported and investigated by Suman Jana.
CVE-2014-1959 / bnc#863989
** certtool: Added the --ask-pass option.
- gnutls-3.2.10-supported-ecc.patch: upstreamed
- gnutls-fix-missing-ipv6.patch: upstreamed
- Upgrade to 3.1.20 (released 2014-01-31)
** libgnutls: fixed null pointer derefence when printing a certificate
DN and an LDAP description isn't present.
** libgnutls: gnutls_db_check_entry_time will correctly report the time;
report and patch by Jonathan Roudiere.
- Upgrade to 3.2.9 (released 2014-01-24)
** libgnutls: The %DUMBFW option in priority string only
appends data to client hello if the expected size is in the
"black hole" range.
** libgnutls: %COMPAT implies %DUMBFW.
** libgnutls: gnutls_session_get_desc() returns a more compact
ciphersuite description.
OBS-URL: https://build.opensuse.org/request/show/222335
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=69
- Upgrade to 3.2.5
** libgnutls: Documentation and build-time fixes.
** libgnutls: Allow the generation of DH groups of less than 700 bits.
** libgnutls: Added several combinations of ciphersuites with SHA256 and
SHA384 as MAC, as well as Camellia with GCM.
** libdane: Added interfaces to allow initialization of dane_query_t
from external DNS resolutions, and to allow direct verification of a
certificate chain against a dane_query_t. Contributed by Christian Grothoff.
** libdane: Fixed a buffer overflow in dane_query_tlsa(). This could be
triggered by a DNS server supplying more than 4 DANE records. Report and
fix by Christian Grothoff.
** srptool: Fixed index command line option. Patch by Attila Molnar.
** gnutls-cli: Added support for inline commands, using the
--inline-commands-prefix and --inline-commands options. Patch by Raj Raman.
** certtool: pathlen constraint is now read correctly. Reported by
Christoph Seitz.
** API and ABI modifications:
gnutls_certificate_get_crt_raw: Added
dane_verify_crt_raw: Added
dane_raw_tlsa: Added
Add files: make-obs-happy-with-gnutls_3.2.5.patch, gnutls-3.2.5.tar.xz,
gnutls-3.2.5.tar.xz.sig, gnutls-3.2.5-noecc.patch
Delete files: gnutls-3.2.4.tar.xz, gnutls-3.2.4.tar.xz.sig,
make-obs-happy-with-gnutls_3.2.4.patch, gnutls-3.2.4-noecc.patch
OBS-URL: https://build.opensuse.org/request/show/205088
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=66
- Updated to 3.2.3
** libgnutls: Fixes in parsing of priority strings. Patch by Stefan
Buehler.
** libgnutls: Solve issue with received TLS packets that exceed 2^14.
(this fixes a bug that was accidentally introduced in 3.2.2)
** libgnutls: Removed gnulib modules under LGPLv3 that could possibly
be used by the library.
** libgnutls: Fixes in gnutls_record_send_range(). Report and initial
fix by Alfredo Pironti.
- Updated to 3.2.2
** libgnutls: Several optimizations in the related to packet processing
subsystems.
** libgnutls: DTLS replay detection can now be disabled (to be used
in certain transport layers like SCTP).
** libgnutls: Fixes in SRTP extension generation when MKI is being used.
** libgnutls: Added ability to set hooks before or
after sending or receiving any handshake message with
gnutls_handshake_set_hook_function().
- gnutls-3.2.3-noecc.patch: updated to disable ECC.
- automake-1.12.patch: upstream, dropped
- gnutls-32bit.patch: upstream, dropped
- gnutls-3.2.1-pkcs11.diff: upstream, dropped
OBS-URL: https://build.opensuse.org/request/show/185475
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=62
- Disable all ECC algorithms.
- gnutls-32bit.patch: upstream patch to make test
work with 32bit time_t.
- gnutls-implement-trust-store-dir.diff
currently not yet forward ported.
- Updated to GnuTLS 3.2.1
** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain
openssl versions.
** libgnutls: Fixes in interrupted function resumption. Report
and patch by Tim Kosse.
** libgnutls: Corrected issue when receiving client hello verify
requests in DTLS.
** libgnutls: Fixes in DTLS record overhead size calculations.
** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported by
Mann Ern Kang.
- Updated to GnuTLS 3.2.0
** libgnutls: Use nettle's elliptic curve implementation.
** libgnutls: Added Salsa20 cipher
** libgnutls: Added UMAC-96 and UMAC-128
** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96.
As they are not standardized they are defined using private ciphersuite numbers.
** libgnutls: Added support for DTLS 1.2.
** libgnutls: Added support for the Application Layer Protocol
Negotiation (ALPN) extension.
** libgnutls: Removed support for the RSA-EXPORT ciphersuites.
** libgnutls: Avoid linking to librt (that also avoids unnecessary
linking to pthreads if p11-kit isn't used).
- Updated to GnuTLS 3.1.10 (released 2013-03-22)
** certtool: When generating PKCS #12 files use by default the
ARCFOUR (RC4) cipher to be compatible with devices that don't
OBS-URL: https://build.opensuse.org/request/show/181378
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=58
- Updated to GnuTLS 3.0.28
- libgnutls: Fixes in server side of DTLS-0.9.
- libgnutls: Corrected gnutls_cipher_decrypt2() when used with AEAD
ciphers (i.e., AES-GCM).
- libgnutls: Fixes in record padding parsing to prevent a timing
attack. Issue reported by Kenny Patterson and Nadhem Alfardan.
bnc#802184
- libgnutls: DN variable 'T' was expanded to 'title'.
- Updated to GnuTLS 3.0.27
- libgnutls: Fixed record padding parsing issue.
- libgnutls: Stricter RSA PKCS #1 1.5 encoding.
- libgnutls-guile: Fixed parallel compilation issue.
- API and ABI modifications: No changes since last version.
OBS-URL: https://build.opensuse.org/request/show/151314
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=56
- include LGPL-3.0+ text in COPYING.LESSER
- run regression tests, but move "make check" to %check section
- add gnutls-3.0.26-skip-test-fwrite.patch to skip a failing test
- no longer manipulate doc/examples tree in %install section, the
deletion of Makefiles breaks "make check" in %check
- install documentation, reference and examples in %install section
to fetch them for the package without unneccessary files (forwarded request 142825 from AndreasStieger)
OBS-URL: https://build.opensuse.org/request/show/142850
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=53
- update to latest stable version 3.0.21:
libgnutls: fixed bug in gnutls_x509_privkey_import()
that prevented the loading of EC private keys when DER
encoded. Reported by David Woodhouse.
libgnutls: In DTLS larger to mtu records result to
GNUTLS_E_LARGE_PACKET instead of being truncated.
libgnutls: gnutls_dtls_get_data_mtu() is more precise. Based
on patch by David Woodhouse.
libgnutls: Fixed memory leak in PKCS #8 key import.
libgnutls: Added support for an old version of the DTLS protocol
used by openconnect vpn client for compatibility with Cisco's AnyConnect
SSL VPN. It is marked as GNUTLS_DTLS0_9. Do not use it for newer protocols
as it has issues.
libgnutls: Corrected bug that prevented resolving PKCS #11 URLs
if only the label is specified. Patch by David Woodhouse.
libgnutls: When EMSGSIZE errno is seen then GNUTLS_E_LARGE_PACKET
is returned.
API and ABI modifications:
gnutls_dtls_set_data_mtu: Added
gnutls_session_set_premaster: Added
OBS-URL: https://build.opensuse.org/request/show/136172
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=52
- Updated to version 3.0.20:
libgnutls: Corrected bug which prevented the parsing of
handshake packets spanning multiple records.
libgnutls: Check key identifiers when checking for an issuer.
libgnutls: Added gnutls_pubkey_verify_hash2()
libgnutls: Added gnutls_certificate_set_x509_system_trust()
that loads the trusted CA certificates from system locations
(e.g. trusted storage in windows and CA bundle files in other systems).
certtool: Added support for the URI subject alternative
name type in certtool.
certtool: Increase to 128 the maximum number of distinct options
(e.g. dns_names) allowed.
gnutls-cli: If --print-cert is given, print the certificate,
even on verification failure.
** API and ABI modifications:
gnutls_pk_to_sign: Added
gnutls_pubkey_verify_hash2: Added
gnutls_certificate_set_x509_system_trust: Added
OBS-URL: https://build.opensuse.org/request/show/125757
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=50
- Update to version 3.0.19:
+ libgnutls:
- When decoding a PKCS #11 URL the pin-source field
is assumed to be a file that stores the pin. Based on patch
by David Smith.
- gnutls_record_check_pending() no longer
returns unprocessed data, and thus ensure the non-blocking
of the next call to gnutls_record_recv().
- Added strict tests in Diffie-Hellman and
SRP key exchange public keys.
- in ECDSA and DSA TLS 1.2 authentication be less
strict in hash selection, and allow a stronger hash to
be used than the appropriate, to improve interoperability
with openssl.
+ tests:
- Disabled floating point test, and corrections
in pkcs12 decoding tests.
+ API and ABI modifications:
- No changes since last version.
- Changes from version 3.0.18:
+ certtool:
- Avoid a Y2K38 bug when generating certificates.
Patch by Robert Millan.
+ libgnutls:
- Make sure that GNUTLS_E_PREMATURE_TERMINATION
- is returned on premature termination (and added unit test).
- Fixes for W64 API. Patch by B. Scott Michel.
- Corrected VIA padlock detection for old
VIA processors. Reported by Kris Karas.
- Updated assembler files.
OBS-URL: https://build.opensuse.org/request/show/121255
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=44
- Update to version 3.0.0. many fixes see NEWS for details This
changelog only describes important package changes or features.
* Main reason for update is to support Intel AES-NI CPU extensions.
* Bump sonames in the library package accordingly
* C++ apps must now buildrequire libgnutls++-devel
* Software using the openssl emulation must buildrequire
libgnutls-openssl-devel or better use openssl directly.
* Upstream no longer uses libgcrypt but libnettle.
* Upstream now requires the use of p11-kit
* Add post-release upstream patches critical for improving AES-NI
support. (forwarded request 79252 from elvigia)
OBS-URL: https://build.opensuse.org/request/show/79281
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=31