Commit Graph

102 Commits

Author SHA256 Message Date
Tomáš Chvátal
60b4dea541 - Version update to 3.6.4:
** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.
  ** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
     gnutls_certificate_set_retrieve_function() which could not handle the case where
     no certificates were returned, or the callbacks were set to NULL (see #528).
  ** libgnutls: gnutls_handshake() on server returns early on handshake when no
     certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
     is specified.
  ** libgnutls: Added session ticket key rotation on server side with TOTP.
     The key set with gnutls_session_ticket_enable_server() is used as a
     master key to generate time-based keys for tickets. The rotation
     relates to the gnutls_db_set_cache_expiration() period.
  ** libgnutls: The 'record size limit' extension is added and preferred to the
     'max record size' extension when possible.
  ** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
     This addresses the problem where the CA certificate doesn't have a subject key
     identifier whereas the end certificates have an authority key identifier (#569)
  ** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
     gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
     and export GOST parameters in the "native" little endian format used for these
     curves. This is an intentional incompatible change with 3.6.3.
  ** libgnutls: Added support for separately negotiating client and server certificate types
     as defined in RFC7250. This mechanism must be explicitly enabled via the
     GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=10
2018-10-15 08:27:49 +00:00
Tomáš Chvátal
65aedfc27d Accepting request 636362 from home:Andreas_Schwab:Factory
- gnutls-3.6.0-disable-flaky-dtls_resume-test.patch: refresh to also patch
  test/Makefile.in as autoreconf does not work

OBS-URL: https://build.opensuse.org/request/show/636362
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=8
2018-09-18 10:23:08 +00:00
Tomáš Chvátal
8fcb49658a * gnutls-3.6.3-backport-upstream-fixes.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=7
2018-09-14 13:37:02 +00:00
Tomáš Chvátal
3036ffa05f Accepting request 635768 from home:henrix:branches:security:tls
- Backport of upstream fixes (boo#1108450)
  Fixes taken from upstream commits:
  ** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
  ** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
  ** 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")
  The patch was taken from https://github.com/weechat/weechat/issues/1231

OBS-URL: https://build.opensuse.org/request/show/635768
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=6
2018-09-14 13:30:28 +00:00
Tomáš Chvátal
a081367f85 Accepting request 630992 from home:vitezslav_cizek:branches:security:tls
- Update to 3.6.3
  Fixes security issues:
  CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
  (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
  Other Changes:
  ** libgnutls: Introduced support for draft-ietf-tls-tls13-28
  ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
     earlier and TLS 1.3.
  ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
  ** Provide a uniform cipher list across supported TLS protocols
  ** The SSL 3.0 protocol is disabled on compile-time by default.
  ** libgnutls: Introduced function to switch the current FIPS140-2 operational
     mode
  ** libgnutls: Introduced low-level function to assist applications attempting client
     hello extension parsing, prior to GnuTLS' parsing of the message.
  ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
     modifications to the certificate.
  ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
     which are preferred by the server.
  ** Improved counter-measures for TLS CBC record padding.
  ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
     of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
  ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
     GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
  ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
     gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
     unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
     change for these functions which make them err towards safety.
  ** libgnutls: improved aarch64 cpu features detection by using getauxval().
  ** certtool: It is now possible to specify certificate and serial CRL numbers greater

OBS-URL: https://build.opensuse.org/request/show/630992
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=4
2018-08-23 07:10:46 +00:00
Dominique Leuenberger
31a755e11b Accepting request 626682 from security:tls
OBS-URL: https://build.opensuse.org/request/show/626682
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=111
2018-08-03 10:30:07 +00:00
Yuchen Lin
f1d38dc060 Accepting request 593004 from Base:System
OBS-URL: https://build.opensuse.org/request/show/593004
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=110
2018-04-10 07:48:38 +00:00
Dominique Leuenberger
a4e4513bc5 Accepting request 591143 from Base:System
OBS-URL: https://build.opensuse.org/request/show/591143
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=109
2018-03-30 09:56:05 +00:00
Dominique Leuenberger
bb22a0a779 Accepting request 587401 from Base:System
- gnutls.keyring: Nikos key refreshed to be unexpired

- GnuTLS 3.6.2:
  * libgnutls: When verifying against a self signed certificate ignore issuer.
    That is, ignore issuer when checking the issuer's parameters strength,
    resolving issue #347 which caused self signed certificates to be
    additionally marked as of insufficient security level.
  * libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
    MTU calculation now, it correctly accounts for the fixed overhead due to
    padding (as 1 byte), while at the same time considers the rest of the
    padding as part of data MTU.
  * libgnutls: Address issue of loading of all PKCS#11 modules on startup
    on systems with a PKCS#11 trust store (as opposed to a file trust store).
    Introduced a multi-stage initialization which loads the trust modules, and
    other modules are deferred for the first pure PKCS#11 request.
  * libgnutls: The SRP authentication will reject any parameters outside
    RFC5054. This protects any client from potential MitM due to insecure
    parameters. That also brings SRP on par with the RFC7919 changes to
    Diffie-Hellman.
  * libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
    for SRP authentication.
  * libgnutls: Addressed issue in the accelerated code affecting
    interoperability with versions of nettle >= 3.4.
  * libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.
  * libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
    Vitezslav Cizek).
  * srptool: the --create-conf option no longer includes 1024-bit parameters.
  * p11tool: Fixed the deletion of objects in batch mode.
- Dropped gnutls-check_aes_keysize.patch as it is included upstream now.

OBS-URL: https://build.opensuse.org/request/show/587401
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=108
2018-03-16 09:33:36 +00:00
Dominique Leuenberger
e8abc4150e Accepting request 580155 from Base:System
OBS-URL: https://build.opensuse.org/request/show/580155
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=107
2018-02-28 18:55:27 +00:00
Dominique Leuenberger
5886f877a6 Accepting request 574115 from Base:System
OBS-URL: https://build.opensuse.org/request/show/574115
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=106
2018-02-12 09:09:02 +00:00
Dominique Leuenberger
4d1ca43878 Accepting request 539293 from Base:System
OBS-URL: https://build.opensuse.org/request/show/539293
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=105
2017-11-10 13:40:23 +00:00
Dominique Leuenberger
ca879abd51 Accepting request 528289 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/528289
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=104
2017-09-25 11:50:29 +00:00
Dominique Leuenberger
47b12d2a8f Accepting request 523074 from Base:System
- Buildrequire iproute2: the test suite calls /usr/bin/ss and as
  such we have to ensure to pull it in. (forwarded request 523062 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/523074
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=103
2017-09-12 17:38:08 +00:00
Dominique Leuenberger
8d07de9229 Accepting request 518750 from Base:System
GnuTLS 3.5.15 (forwarded request 518746 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/518750
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=102
2017-08-29 09:40:38 +00:00
Dominique Leuenberger
11af4ad0f5 Accepting request 502802 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/502802
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=101
2017-06-16 08:48:11 +00:00
Dominique Leuenberger
74bc5eea8e Accepting request 496936 from Base:System
- skip trust-store tests to avoid build cycle with
  ca-certificates-mozilla, add gnutls-3.5.11-skip-trust-store-tests.patch (forwarded request 495815 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/496936
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=100
2017-05-20 12:31:57 +00:00
Dominique Leuenberger
071ff154dc Accepting request 493998 from Base:System
GnuTLS 3.5.11
bsc#1038337
CVE-2017-7869 bsc#1034173
bsc#901857 (forwarded request 493933 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/493998
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=99
2017-05-20 12:28:31 +00:00
Dominique Leuenberger
15d5bd65c7 Accepting request 492632 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/492632
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=98
2017-05-06 16:25:05 +00:00
Dominique Leuenberger
ffec47260a Accepting request 459188 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/459188
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=97
2017-02-22 12:50:20 +00:00
Dominique Leuenberger
556f692995 Accepting request 449317 from Base:System
- Version 3.5.8 (released 2016-01-09)
  * libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
    functions will not leave the verification profiles field to an
    undefined state. The last call will take precedence.
  * libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
    by PKCS#8 decryption functions when an invalid key is provided. This
    addresses regression on decrypting certain PKCS#8 keys.
  * libgnutls: Introduced option to override the default priority string
    used by the library. The intention is to allow support of system-wide
    priority strings (as set with --with-system-priority-file). The
    configure option is --with-default-priority-string.
  * libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
    This prevents crashes when decrypting malformed PKCS#8 keys.
  * libgnutls: Fix crash on the loading of malformed private keys with certain
    parameters set to zero.
  * libgnutls: Fix double free in certificate information printing. If the PKIX
    extension proxy was set with a policy language set but no policy specified,
    that could lead to a double free.
  * libgnutls: Addressed memory leaks in client and server side error paths
    (issues found using oss-fuzz project)
  * libgnutls: Addressed memory leaks in X.509 certificate printing error paths
    (issues found using oss-fuzz project)
  * libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
    parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)
  * libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
    (issues found using oss-fuzz project)
- security issues fixed: GNUTLS-SA-2017-1 GNUTLS-SA-2017-2

OBS-URL: https://build.opensuse.org/request/show/449317
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=96
2017-01-11 10:57:36 +00:00
Ludwig Nussel
9d4c48404b Accepting request 447177 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/447177
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=95
2016-12-29 21:41:21 +00:00
Dominique Leuenberger
342e0cae5e Accepting request 433003 from Base:System
update to 3.4.15 (forwarded request 432668 from ecsos)

OBS-URL: https://build.opensuse.org/request/show/433003
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=94
2016-10-10 14:16:31 +00:00
Dominique Leuenberger
65cd0f52fa Accepting request 407873 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/407873
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=93
2016-07-18 19:19:48 +00:00
Dominique Leuenberger
1683bf17ea Accepting request 405821 from Base:System
- Fix a problem with expired test certificate by using datefudge
  (boo#987139)
  * add 0001-tests-use-datefudge-in-name-constraints-test.patch (forwarded request 405618 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/405821
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=92
2016-07-09 07:21:14 +00:00
Dominique Leuenberger
58772c3a5d Accepting request 391813 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/391813
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=91
2016-05-04 06:17:29 +00:00
Dominique Leuenberger
f317abc1db Accepting request 387555 from Base:System
- Updated to 3.4.11
  * Version 3.4.11 (released 2016-04-11)
  ** libgnutls: Fixes in gnutls_record_get/set_state() with DTLS. 
     Reported by Fridolin Pokorny.
  ** libgnutls: Fixes in DSA key generation under PKCS #11. Report and
     patches by Jan Vcelak.
  ** libgnutls: Corrected behavior of ALPN extension parsing during
     session resumption. Report and patches by Yuriy M. Kaminskiy.
  ** libgnutls: Corrected regression (since 3.4.0) in 
     gnutls_server_name_set() which caused it not to accept non-null-
     terminated hostnames. Reported by Tim Ruehsen.
  ** libgnutls: Corrected printing of the IP Address name constraints.
  ** ocsptool: use HTTP/1.0 for requests. This avoids issue with servers
     serving chunk encoding which ocsptool doesn't support. Reported by
     Thomas Klute.
  ** certtool: do not require a CA for OCSP signing tag. This follows the
     recommendations in RFC6960 in 4.2.2.2 which allow a CA to delegate
     OCSP signing to another certificate without requiring it to be a CA.
     Reported by Thomas Klute.
  * Version 3.4.10 (released 2016-03-03)
  ** libgnutls: Eliminated issues preventing buffers more than 2^32 bytes
     to be used with hashing functions.
  ** libgnutls: Corrected leaks and other issues in
     gnutls_x509_crt_list_import().
  ** libgnutls: Fixes in DSA key handling for PKCS #11. Report and 
     patches by Jan Vcelak.
  ** libgnutls: Several fixes to prevent relying on undefined behavior
     of C (found with libubsan).
  * Version 3.4.9 (released 2016-02-03)
  ** libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would

OBS-URL: https://build.opensuse.org/request/show/387555
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=90
2016-04-16 20:06:59 +00:00
Dominique Leuenberger
3480fdb8cf Accepting request 360180 from Base:System
- follow the work in the unbound package and use the
  libunbound-devel symbol for the buildrequires. we override it for
  the distro build with libunbound-devel-mini to avoid build loops. (forwarded request 360179 from darix)

OBS-URL: https://build.opensuse.org/request/show/360180
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=89
2016-02-24 13:25:15 +00:00
Dominique Leuenberger
89b81992fd Accepting request 354655 from Base:System
- Update to 3.4.8
  All changes since 3.4.4:
  * libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey()
    when used with PKCS #11 keys.
  * libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import
    their public keys from either a public key object or a certificate.
    That is, because private keys do not contain all the required
    parameters for a direct import.
  * libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11
    tokens.
  * libgnutls: Fixed out-of-bounds read in 
    gnutls_x509_ext_export_key_usage()
  * libgnutls: The CHACHA20-POLY1305 ciphersuites were updated to 
    conform to draft-ietf-tls-chacha20-poly1305-02.
  * libgnutls: Several fixes in PKCS #7 signing which improve 
    compatibility with the MacOSX tools.
  * libgnutls: The max-record extension not negotiated on DTLS. This
    resolves issue with the max-record being negotiated but ignored.
  * certtool: Added the --p7-include-cert and --p7-show-data options.
  * libgnutls: Properly require TLS 1.2 in all CBC-SHA256 and CBC-SHA384
    ciphersuites. This solves an interoperability issue with openssl.
  * libgnutls: Corrected the setting of salt size in 
    gnutls_pkcs12_mac_info().
  * libgnutls: On a rehandshake allow switching from anonymous to ECDHE 
    and DHE ciphersuites.
  * libgnutls: Corrected regression from 3.3.x which prevented 
    ARCFOUR128 from using arbitrary key sizes.
  * libgnutls: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow programs
    skipping the implicit global initialization.
  * gnutls.pc: Don't include libtool specific options to link flags. (forwarded request 354652 from namtrac)

OBS-URL: https://build.opensuse.org/request/show/354655
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=88
2016-01-23 00:03:23 +00:00
Stephan Kulow
0043dc9411 Accepting request 324612 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/324612
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=87
2015-08-25 05:17:02 +00:00
Stephan Kulow
a9c2e27421 Accepting request 306733 from Base:System
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/306733
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=86
2015-05-16 05:12:25 +00:00
Dominique Leuenberger
62fa285feb Accepting request 305469 from Base:System
- Updated to 3.4.1 (released 2015-05-03)
  ** libgnutls: gnutls_certificate_get_ours: will return the certificate even
  if a callback was used to send it.
  ** libgnutls: Check for invalid length in the X.509 version field. Without
  the check certificates with invalid length would be detected as having an
  arbitrary version. Reported by Hanno Böck.
  ** libgnutls: Handle DNS name constraints with a leading dot. Patch by
  Fotis Loukos.
  ** libgnutls: Updated system-keys support for windows to compile in more
  versions of mingw. Patch by Tim Kosse.
  ** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by
  Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. bsc#929690
  ** libgnutls: Reverted: The gnutls_handshake() process will enforce a timeout
  by default. That caused issues with non-blocking programs.
  ** certtool: It can generate SHA256 key IDs.
  ** gnutls-cli: fixed crash in --benchmark-ciphers. Reported by James Cloos.
  ** API and ABI modifications: gnutls_x509_crt_get_pk_ecc_raw: Added
- gnutls-fix-double-mans.patch: fixed upstream

OBS-URL: https://build.opensuse.org/request/show/305469
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=85
2015-05-06 09:18:34 +00:00
Stephan Kulow
03f6e10195 Accepting request 304179 from Base:System
- Disable buggy valgrind on armv7l (forwarded request 304053 from AndreasSchwab)

OBS-URL: https://build.opensuse.org/request/show/304179
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=84
2015-04-28 18:42:20 +00:00
Dominique Leuenberger
10f4b520f9 Accepting request 295655 from Base:System
- updated to 3.4.0 (released 2015-04-08)
  ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
  ciphersuites. The former are enabled by default, the latter need to be
  explicitly enabled, since they reduce the overall security level.
  ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
  draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
  That is currently provided as technology preview and is not enabled by
  default, since there are no assigned ciphersuite points by IETF and there 
  is no guarantee of compatibility between draft versions. The ciphersuite
  priority string to enable it is "+CHACHA20-POLY1305".
  ** libgnutls: Added support for encrypt-then-authenticate in CBC
  ciphersuites (RFC7366 -taking into account its errata text). This is
  enabled by default and can be disabled using the %NO_ETM priority
  string.
  ** libgnutls: Added support for the extended master secret
  (triple-handshake fix) following draft-ietf-tls-session-hash-02.
  ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
  ** libgnutls: SSL 3.0 is no longer included in the default priorities
  list. It has to be explicitly enabled, e.g., with a string like
  "NORMAL:+VERS-SSL3.0".
  ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
  list. It has to be explicitly enabled, e.g., with a string like
  "NORMAL:+ARCFOUR-128".
  ** libgnutls: DSA signatures and DHE-DSS are no longer included in the
  default priorities list. They have to be explicitly enabled, e.g., with
  a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
  DSA ciphersuites were dropped because they had no deployment at all
  on the internet, to justify their inclusion.
  ** libgnutls: The priority string EXPORT was completely removed. The string

OBS-URL: https://build.opensuse.org/request/show/295655
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=83
2015-04-18 08:38:18 +00:00
Dominique Leuenberger
368ef4383b Accepting request 294011 from Base:System
- updated to 3.3.13 (released 2015-03-30)
  ** libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo
  structures use BER to decode them (requires libtasn1 4.3). That allows
  to decode some more complex structures.
  ** libgnutls: When an end-certificate with no name is present and there
  are CA name constraints, don't reject the certificate. This follows RFC5280
  advice closely. Reported by Fotis Loukos.
  ** libgnutls: Fixed handling of supplemental data with types > 255.
  Patch by Thierry Quemerais.
  ** libgnutls: Fixed double free in the parsing of CRL distribution points certificate
  extension. Reported by Robert Święcki.
  ** libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That
  protocol is not enabled by default (used by openconnect VPN).
  ** libgnutls: The maximum user data send size is set to be the same for
  block and non-block ciphersuites. This addresses a regression with wine:
  https://bugs.winehq.org/show_bug.cgi?id=37500
  ** libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN,
  and CKA_DECRYPT when needed.
  ** libgnutls: Allow names with zero size to be set using
  gnutls_server_name_set(). That will disable the Server Name Indication.
  Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2

OBS-URL: https://build.opensuse.org/request/show/294011
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=82
2015-04-07 07:28:38 +00:00
Dominique Leuenberger
b8f9fbb1e2 Accepting request 293173 from Base:System
some tweaks for your perusal (forwarded request 293171 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/293173
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=81
2015-03-30 17:32:11 +00:00
Dominique Leuenberger
a06553bba5 Accepting request 266910 from Base:System
- build with PIE for commandline tools

- Updated to 3.2.21 (released 2014-12-11)
  - libgnutls: Corrected regression introduced in 3.2.19 related to
    session renegotiation. Reported by Dan Winship.
  - libgnutls: Corrected parsing issue with OCSP responses. (forwarded request 266909 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/266910
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=80
2015-01-03 21:03:04 +00:00
Dominique Leuenberger
1827cfd454 Accepting request 262808 from Base:System
- Updated to 3.2.20 (released 2014-11-10)
  ** libgnutls: Removed superfluous random generator refresh on every
     call of gnutls_deinit(). That reduces load and usage of /dev/urandom.
  ** libgnutls: Corrected issue in export of ECC parameters to X9.63
     format.  Reported by Sean Burford [GNUTLS-SA-2014-5].
  (CVE-2014-8564 bnc#904603)
- Updated to 3.2.19 (released 2014-10-13)
  ** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
     Reported by Joseph Peruski.
  ** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
     handshake's hash buffer, in applications using the heartbeat extension
     or DTLS. Reported by Joeri de Ruiter.
  ** libgnutls: fix issue in DTLS retransmission when session tickets were
     in use; reported by Manuel Pégourié-Gonnard.
  ** libgnutls: Prevent abort() in library if getrusage() fails. Try to
     detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.
  ** guile: new 'set-session-server-name!' procedure; see the manual
     for details.

OBS-URL: https://build.opensuse.org/request/show/262808
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=79
2014-11-28 07:46:04 +00:00
Stephan Kulow
cb95dcfd35 Accepting request 251823 from Base:System
Upgrade to GnuTLS 3.2.18; Delete files: gnutls-3.2.17.tar.xz, gnutls-3.2.17.tar.xz.sig; Add files: gnutls-3.2.18.tar.xz, gnutls-3.2.18.tar.xz.sig (forwarded request 251822 from citypw)

OBS-URL: https://build.opensuse.org/request/show/251823
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=78
2014-09-26 08:51:25 +00:00
Stephan Kulow
da0f97d0a3 Accepting request 247074 from Base:System
Upgrade to Version 3.2.17 (released 2014-08-24); Delete files: gnutls-3.2.16.tar.xz, gnutls-3.2.16.tar.xz.sig; Add files: gnutls-3.2.17.tar.xz, gnutls-3.2.17.tar.xz.sig (forwarded request 246980 from citypw)

OBS-URL: https://build.opensuse.org/request/show/247074
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=77
2014-09-03 16:21:27 +00:00
53d426ba00 Accepting request 244206 from Base:System
Upgrade to Version 3.2.16 (released 2014-07-23); delete files: gnutls-3.2.15.tar.xz, gnutls-3.2.15.tar.xz.sig, audit-improve.patch( already in upstream); Add files: gnutls-3.2.16.tar.xz, gnutls-3.2.16.tar.xz.sig (forwarded request 243536 from citypw)

OBS-URL: https://build.opensuse.org/request/show/244206
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=75
2014-08-13 15:19:55 +00:00
Stephan Kulow
b0904801b3 Accepting request 236129 from Base:System
- Version 3.2.15 (released 2014-05-30)
  
  ** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
  Issue reported by Joonas Kuorilehto of Codenomicon. (CVE-2014-3466 / bnc#880730)
  ** libgnutls: Several memory leaks caused by error conditions were
  fixed. The leaks were identified using valgrind and the Codenomicon
  TLS test suite.
  ** libgnutls: Increased the maximum certificate size buffer
  in the PKCS #11 subsystem.
  ** libgnutls: Check the return code of getpwuid_r() instead of relying
  on the result value. That avoids issue in certain systems, when using
  tofu authentication and the home path cannot be determined. Issue reported
  by Viktor Dukhovni.
  ** gnutls-cli: if dane is requested but not PKIX verification, then
  only do verify the end certificate.
  ** ocsptool: Include path in ocsp request. This resolves #108582
  (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.
- Version 3.2.14 (released 2014-05-06)
  ** libgnutls: Fixed issue with the check of incoming data when two
  different recv and send pointers have been specified. Reported and
  investigated by JMRecio.
  ** libgnutls: Fixed issue in the RSA-PSK key exchange, which would 
  result to illegal memory access if a server hint was provided.
  ** libgnutls: Fixed client memory leak in the PSK key exchange, if a
  server hint was provided.
  ** libgnutls: Several small bug fixes identified using valgrind and
  the Codenomicon TLS test suite.
  ** libgnutls: Several small bug fixes found by coverity.
  ** libgnutls-dane: Accept a certificate using DANE if there is at least one 
  entry that matches the certificate. Patch by simon [at] arlott.org.

OBS-URL: https://build.opensuse.org/request/show/236129
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=74
2014-06-06 12:36:14 +00:00
Stephan Kulow
46f6ba47ef Accepting request 233678 from Base:System
- Improvement after code audit (audit-improve.patch)
  * Use unsigned type for encode()
  * tolerate NULL in strdup()
  Modify files: lib/gnutls_mem.c, lib/auth/srp_sb64.c

OBS-URL: https://build.opensuse.org/request/show/233678
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=73
2014-05-14 08:50:25 +00:00
Stephan Kulow
6327ee3b7e Accepting request 229559 from Base:System
Upgrade to 3.2.13; Add files: gnutls-3.2.13.tar.xz, gnutls-3.2.13.tar.xz.sig; Delete files: gnutls-3.2.12.1.tar.xz, gnutls-3.2.12.1.tar.xz.sig (forwarded request 229542 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/229559
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=72
2014-04-12 19:28:46 +00:00
Stephan Kulow
e0a2fbfd43 Accepting request 224736 from Base:System
Upgrade to 3.2.12.1; Delete files: CVE-2014-0092.patch( upstreamed), gnutls-3.2.11.tar.xz.sig, gnutls-3.2.11.tar.xz; Add files: gnutls-3.2.12.1.tar.xz, gnutls-3.2.12.1.tar.xz.sig (forwarded request 224729 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/224736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=71
2014-03-06 18:18:08 +00:00
Stephan Kulow
71f2bb57a3 Accepting request 224392 from Base:System
Fix bug [ bnc#865804] gnutls: CVE-2014-0092, insufficient X.509 certificate verification; Add patch file: CVE-2014-0092.patch (forwarded request 224391 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/224392
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=70
2014-03-04 12:14:12 +00:00
Stephan Kulow
b35c84d979 Accepting request 222335 from Base:System
- Upgraded to 3.2.11
  ** libgnutls: Tolerate servers that send the SUPPORTED ECC extension.
  ** libgnutls: Reduced the TLS and DTLS version requirements for all
     ciphersuites that are not GCM.
  ** libgnutls: When two initial keywords are specified then treat the
     second as having the '+' modifier.
  ** libgnutls:  When using a PKCS #11 module for verification ensure that
     it has been marked a trusted policy module in p11-kit. Moreover, when an
     empty (i.e., "pkcs11:") URL is specified, then try all trusted modules
     in the system for verification.
     http://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html
  ** libgnutls: Fixed bug that prevented the rejection of v1 intermediate
     CA certificates. Reported and investigated by Suman Jana.
     CVE-2014-1959 / bnc#863989
  ** certtool: Added the --ask-pass option.
- gnutls-3.2.10-supported-ecc.patch: upstreamed
- gnutls-fix-missing-ipv6.patch: upstreamed

- Upgrade to 3.1.20 (released 2014-01-31)
  ** libgnutls: fixed null pointer dereference when printing a certificate
     DN and an LDAP description isn't present.
  ** libgnutls: gnutls_db_check_entry_time will correctly report the time;
     report and patch by Jonathan Roudiere.
- Upgrade to 3.2.9 (released 2014-01-24)
  ** libgnutls: The %DUMBFW option in priority string only
     appends data to client hello if the expected size is in the
     "black hole" range.
  ** libgnutls: %COMPAT implies %DUMBFW.
  ** libgnutls: gnutls_session_get_desc() returns a more compact
     ciphersuite description.

OBS-URL: https://build.opensuse.org/request/show/222335
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=69
2014-02-19 08:09:49 +00:00
Tomáš Chvátal
f088877e49 Accepting request 211992 from Base:System
Upgrade to GNUTLS-3.2.8 (forwarded request 211991 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/211992
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=68
2013-12-23 11:33:44 +00:00
Stephan Kulow
fbbe0b4946 Accepting request 205686 from Base:System
Upgrade to 3.2.6 (forwarded request 205591 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/205686
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=67
2013-11-04 13:58:23 +00:00
Stephan Kulow
ee8692fe69 Accepting request 205088 from Base:System
- Upgrade to 3.2.5
** libgnutls: Documentation and build-time fixes.
** libgnutls: Allow the generation of DH groups of less than 700 bits.
** libgnutls: Added several combinations of ciphersuites with SHA256 and
SHA384 as MAC, as well as Camellia with GCM.
** libdane: Added interfaces to allow initialization of dane_query_t
from external DNS resolutions, and to allow direct verification of a
certificate chain against a dane_query_t. Contributed by Christian Grothoff.
** libdane: Fixed a buffer overflow in dane_query_tlsa(). This could be
triggered by a DNS server supplying more than 4 DANE records. Report and
fix by Christian Grothoff.
** srptool: Fixed index command line option. Patch by Attila Molnar.
** gnutls-cli: Added support for inline commands, using the
--inline-commands-prefix and --inline-commands options. Patch by Raj Raman.	
** certtool: pathlen constraint is now read correctly. Reported by
Christoph Seitz.
** API and ABI modifications:
gnutls_certificate_get_crt_raw: Added
dane_verify_crt_raw: Added
dane_raw_tlsa: Added 
Add files: make-obs-happy-with-gnutls_3.2.5.patch, gnutls-3.2.5.tar.xz,
gnutls-3.2.5.tar.xz.sig, gnutls-3.2.5-noecc.patch
Delete files: gnutls-3.2.4.tar.xz, gnutls-3.2.4.tar.xz.sig, 
make-obs-happy-with-gnutls_3.2.4.patch, gnutls-3.2.4-noecc.patch

OBS-URL: https://build.opensuse.org/request/show/205088
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=66
2013-10-29 12:52:00 +00:00