From 0043dc94110c92df2509a357bc71ce34676a464c0a5f7b9e0850cf47df26ebf1 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Tue, 25 Aug 2015 05:17:02 +0000 Subject: [PATCH] Accepting request 324612 from Base:System 1 OBS-URL: https://build.opensuse.org/request/show/324612 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=87 --- gnutls-3.4.1.tar.xz | 3 -- gnutls-3.4.1.tar.xz.sig | Bin 287 -> 0 bytes gnutls-3.4.4.tar.xz | 3 ++ gnutls-3.4.4.tar.xz.sig | Bin 0 -> 287 bytes gnutls.changes | 68 ++++++++++++++++++++++++++++++++++++++++ gnutls.spec | 7 +++-- 6 files changed, 76 insertions(+), 5 deletions(-) delete mode 100644 gnutls-3.4.1.tar.xz delete mode 100644 gnutls-3.4.1.tar.xz.sig create mode 100644 gnutls-3.4.4.tar.xz create mode 100644 gnutls-3.4.4.tar.xz.sig diff --git a/gnutls-3.4.1.tar.xz b/gnutls-3.4.1.tar.xz deleted file mode 100644 index cbe1c30..0000000 --- a/gnutls-3.4.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e9b5f58becf34756464216056cd5abbf04315eda80a374d02699dee83f80b12e -size 6469756 diff --git a/gnutls-3.4.1.tar.xz.sig b/gnutls-3.4.1.tar.xz.sig deleted file mode 100644 index a744a7ca81a5b9c552b235376625d2b2c12e91b60a72dbea533b1b5296f51a18..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 287 zcmV+)0pR|L0UQJX0RjL91p-w@T$un02@suLs`ii*xI$Be2me)TxV5qFW9eA*34u&@ zW9YFO4q$o`<mrh&z} zNa@p0lq4is+u@O&CHdX+dEt9NYqio`>3R{ZW{FnY zM38-KP>gtsaFy1YX`&F$yafXHBkx$e1}7$+ttzcBN*f8=@xB)R@D-^h{Y#~_FpsOf l_{_C(WMYlP90BOkN`=CjA^&v>r>bt0f-CY#{i4LkS7#RNjpYCU diff --git a/gnutls-3.4.4.tar.xz b/gnutls-3.4.4.tar.xz new file mode 100644 index 0000000..b7a69f3 --- /dev/null +++ b/gnutls-3.4.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:06dacb1352792b9f05200eff33c9a9093ba3c706f4f88cb29ecbfb784b24b34a +size 6567656 
diff --git a/gnutls-3.4.4.tar.xz.sig b/gnutls-3.4.4.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..5a69487f9f500472831ccbdb173471a2e890a11cd5f58a80450a5b6ddc546aee GIT binary patch literal 287 zcmV+)0pR|L0UQJX0SEvF1p-ybO@9Ci2@suLs`ii*xIzU|2meS7k;ISPN9TP06jlEI zxlK+Yk}QrQ@aMV_YmGIjZ-!H{f4N|m^vQyRfTRvd6o{tH(}XKc&K+>@z(9>~rOZxN z#vmsyd4L{!Ux5Cf4T+w&v5sTn*~KpjiT0g|xI2bHNnji-bi9WSEIo7om5mk6-Px>S zp*_{D`?E_D?-eM+~IKzAqOPjQsDN zth3c+gFND-C&pz~x{=(vBt)zEkOas(+pLFB>gD*8zjBi@;B#gVIe^F!cE%uctzT=K lW`g2_0=GVn1jf-k{M$b+(ufGbT>Lb`+>aw%0E;JIduWR5itPXZ literal 0 HcmV?d00001 diff --git a/gnutls.changes b/gnutls.changes index 13c7b36..8f999d1 100644 --- a/gnutls.changes +++ b/gnutls.changes 
@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Aug 18 22:40:28 UTC 2015 - astieger@suse.com
+
+- Update to 3.4.4
+ This update contains a fix for a denial of service vulnerability:
+ * Allow the parsing of very long DNs. Also fixes double free
+ in DN decoding [GNUTLS-SA-2015-3]. boo#941794 CVE-2015-6251
+ Other changes:
+ * Add high level API (gnutls_prf_rfc5705) to access the PRF as
+ specified by RFC5705.
+ * Link to trousers (TPM library) dynamically when this
+ functionality is requested. (disabled in SUSE package)
+ * Fix issue with server side sending the status request extension
+ even when not requested.
+ * Add support for RFC7507 by introducing the %FALLBACK_SCSV
+ priority string option.
+ * gnutls_pkcs11_privkey_generate2() will store the generated
+ public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY
+ flag is specified.
+ * Correct regression from 3.4.3 in loading PKCS #8 keys as fallback.
+ * API and ABI modifications:
+ gnutls_prf_rfc5705: Added
+ gnutls_hex_encode2: Added
+ gnutls_hex_decode2: Added
+- build with autogen for libopts compatibility
+- fix failures in test suite, add upstream commits
+ 0001-certtool-lifted-limits-on-file-size-to-load.patch
+ 0002-certtool-eliminated-memory-leaks-due-to-new-cert-loa.patch
+
+-------------------------------------------------------------------
+Thu Jul 30 15:39:34 UTC 2015 - vcizek@suse.com
+
+- update to 3.4.3
+ ** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for
+ dates prior to 2050.
+ ** libgnutls: Force 16-byte alignment to all input to ciphers (previously it
+ was done only when cryptodev was enabled).
+ ** libgnutls: Removed support for pthread_atfork() as it has undefined
+ semantics when used with dlopen(), and may lead to a crash.
+ ** libgnutls: corrected failure when importing plain files
+ with gnutls_x509_privkey_import2(), and a password was provided.
+ ** libgnutls: Don't reject certificates if a CA has the URI or IP address
+ name constraints, and the end certificate doesn't have an IP address
+ name or a URI set.
+ ** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites.
+ ** p11tool: Added --list-token-urls option, and print the token module name
+ in list-tokens.
+ ** libgnutls: DTLS blocking API is more robust against infinite blocking,
+ and will notify of more possible timeouts.
+ ** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported
+ by Manuel Pegourie-Gonnard.
+ ** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
+ allows to disable SIGPIPE for writes done within gnutls.
+ ** libgnutls: Enhanced the PKCS #7 API to allow signing and verification
+ of structures. API moved to gnutls/pkcs7.h header.
+ ** certtool: Added options to generate PKCS #7 bundles and signed
+ structures.
+- includes changes from 3.4.2:
+ * DTLS blocking API is more robust against infinite blocking,
+ and will notify of more possible timeouts.
+ * Correct regression with Camellia-256-GCM cipher.
+ * Introduce the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
+ allows to disable SIGPIPE for writes done within gnutls.
+ * Enhance the PKCS #7 API to allow signing and verification
+ of structures. Move API to gnutls/pkcs7.h header.
+ * certtool: Added options to generate PKCS #7 bundles and signed
+ structures.
+
 -------------------------------------------------------------------
 Tue May 5 19:06:29 UTC 2015 - dmueller@suse.com
 
diff --git a/gnutls.spec b/gnutls.spec
index 8716029..e21822f 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -29,7 +29,7 @@ %bcond_with tpm
 Name: gnutls
-Version: 3.4.1
+Version: 3.4.4
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: LGPL-2.1+ and GPL-3.0+
@@ -41,6 +41,7 @@ Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.x
 Source2: %name.keyring
 Source3: baselibs.conf
+BuildRequires: autogen
 BuildRequires: automake
 BuildRequires: gcc-c++
 BuildRequires: libidn-devel
@@ -58,7 +59,8 @@ Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
 # disabled armv7l - valgrind appears to mishandle some insns
 # disabled aarch64 - valgrind mishandles exclusive load/store causing deadlocks
 %ifarch %ix86 x86_64 ppc64 s390x ppc64le
-BuildRequires: valgrind
+# disabled all, valgrind breaks tests in 3.4.4
+#BuildRequires: valgrind
 %endif
 %if %suse_version >= 1230
 BuildRequires: makeinfo
@@ -295,6 +297,7 @@ rm -f %{buildroot}%{_libdir}/*.la
 %{_includedir}/%{name}/gnutls.h
 %{_includedir}/%{name}/openpgp.h
 %{_includedir}/%{name}/ocsp.h
+%{_includedir}/%{name}/pkcs7.h
 %{_includedir}/%{name}/pkcs11.h
 %{_includedir}/%{name}/pkcs12.h
 %{_includedir}/%{name}/self-test.h
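Review bot: The changelog entry in this commit lists `0001-certtool-lifted-limits-on-file-size-to-load.patch` and `0002-certtool-eliminated-memory-leaks-due-to-new-cert-loa.patch` as added, but no `Patch` tag follows `Source3: baselibs.conf` in the `@@ -41,6 +41,7 @@` hunk, none of the spec's five added lines declares one, and the diffstat lists no patch files. Either the two patches should be shipped and declared here (tags of the form `Patch0: 0001-certtool-lifted-limits-on-file-size-to-load.patch`, applied in `%prep`), or the two lines should be dropped from gnutls.changes so the changelog does not claim fixes the package does not carry. The added `BuildRequires: autogen` only makes the tool available; whether the build actually regenerates the libopts sources is not visible in this diff.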
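Review bot: Commenting out `BuildRequires: valgrind` in the `@@ -58,7 +59,8 @@` hunk leaves the `%ifarch %ix86 x86_64 ppc64 s390x ppc64le` … `%endif` block holding only comments, and the two older comments about armv7l and aarch64 now describe exclusions that no longer have any effect. Judging by the new comment, the test suite apparently ran under valgrind before, so a TLS library loses its memory-error checking in the same update whose changelog cites a double-free fix (CVE-2015-6251), with nothing recorded about what must happen before it is re-enabled. I would name the failing tests or a tracking bug in the comment, e.g. `# valgrind disabled on all arches: breaks tests in 3.4.4, re-enable once <BUG-ID> is resolved`. The empty conditional could then be removed, or placed behind a `%bcond_with valgrind` switch like the existing `%bcond_with tpm`, so it can be turned back on per build.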