Accepting request 324612 from Base:System

1

OBS-URL: https://build.opensuse.org/request/show/324612
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=87

gnutls.changes

@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Aug 18 22:40:28 UTC 2015 - astieger@suse.com
+
+- Update to 3.4.4
+  This update contains a fix for a denial of service vulnerability:
+  * Allow the parsing of very long DNs. Also fixes double free
+    in DN decoding [GNUTLS-SA-2015-3]. boo#941794 CVE-2015-6251
+  Other changes:
+  * Add high level API (gnutls_prf_rfc5705) to access the PRF as
+    specified by RFC5705.
+  * Link to trousers (TPM library) dynamically when this
+    functionality is requested. (disabled in SUSE package)
+  * Fix issue with server side sending the status request extension
+    even when not requested.
+  * Add support for RFC7507 by introducing the %FALLBACK_SCSV
+    priority string option.
+  * gnutls_pkcs11_privkey_generate2() will store the generated
+    public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY
+    flag is specified.
+  * Correct regression from 3.4.3 in loading PKCS #8 keys as fallback.
+  * API and ABI modifications:
+    gnutls_prf_rfc5705: Added
+    gnutls_hex_encode2: Added
+    gnutls_hex_decode2: Added
+- build with autogen for libopts compatibility
+- fix failures in test suite, add upstream commits
+  0001-certtool-lifted-limits-on-file-size-to-load.patch
+  0002-certtool-eliminated-memory-leaks-due-to-new-cert-loa.patch
+
+-------------------------------------------------------------------
+Thu Jul 30 15:39:34 UTC 2015 - vcizek@suse.com
+
+- update to 3.4.3
+  ** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for
+     dates prior to 2050.
+  ** libgnutls: Force 16-byte alignment to all input to ciphers (previously it
+     was done only when cryptodev was enabled).
+  ** libgnutls: Removed support for pthread_atfork() as it has undefined
+     semantics when used with dlopen(), and may lead to a crash.
+  ** libgnutls: corrected failure when importing plain files 
+     with gnutls_x509_privkey_import2(), and a password was provided.
+  ** libgnutls: Don't reject certificates if a CA has the URI or IP address
+     name constraints, and the end certificate doesn't have an IP address 
+     name or a URI set.
+  ** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites.
+  ** p11tool: Added --list-token-urls option, and print the token module name
+     in list-tokens.
+  ** libgnutls: DTLS blocking API is more robust against infinite blocking,
+     and will notify of more possible timeouts.
+  ** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported
+     by Manuel Pegourie-Gonnard.
+  ** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
+     allows to disable SIGPIPE for writes done within gnutls.
+  ** libgnutls: Enhanced the PKCS #7 API to allow signing and verification
+     of structures. API moved to gnutls/pkcs7.h header.
+  ** certtool: Added options to generate PKCS #7 bundles and signed
+     structures.
+- includes changes from 3.4.2:
+  * DTLS blocking API is more robust against infinite blocking,
+    and will notify of more possible timeouts.
+  * Correct regression with Camellia-256-GCM cipher.
+  * Introduce the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
+    allows to disable SIGPIPE for writes done within gnutls.
+  * Enhance the PKCS #7 API to allow signing and verification
+    of structures. Move API to gnutls/pkcs7.h header.
+  * certtool: Added options to generate PKCS #7 bundles and signed
+    structures.
+
 -------------------------------------------------------------------
 Tue May  5 19:06:29 UTC 2015 - dmueller@suse.com