rpm/gnutls
SHA256
1
0
Fork 0
forked from pool/gnutls
Code Pull Requests Activity

Accepting request 493998 from Base:System

Browse Source 
GnuTLS 3.5.11
bsc#1038337
CVE-2017-7869 bsc#1034173
bsc#901857 (forwarded request 493933 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/493998
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=99
This commit is contained in:
Dominique Leuenberger 2017-05-20 12:28:31 +00:00 committed by Git OBS Bridge
parent 15d5bd65c7
commit 071ff154dc
8 changed files with 95 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnutls-3.5.11.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:51765cc5579e250da77fbd7871507c517d01b15353cc40af7b67e9ec7b6fe28f
size 7208068

BIN
gnutls-3.5.11.tar.xz.sig Normal file
View File

Binary file not shown.

53
gnutls-3.5.9-pkgconfig.patch
View File

@ -1,53 +0,0 @@
From 35c6a78f3b24bf4192e3f01ee6322b42b6fc27fb Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Wed, 15 Feb 2017 18:42:22 +0100
Subject: [PATCH] gnutls.pc: do not include libidn2 in Requires.private
The libidn2 versions available do not include libidn2.pc,
thus the inclusion was causing problems when using pkg-config.
Instead we include -lidn2 in Libs.private.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
configure.ac | 12 +++++++-----
lib/gnutls.pc.in | 2 +-
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6907b215f..4cad4fa3a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -492,11 +492,13 @@ if test "$try_libidn" = yes;then
idna_support="IDNA 2008 (libidn2)"
AC_DEFINE([HAVE_LIBIDN2], 1, [Define if IDNA 2008 support is enabled.])
AC_SUBST([LIBIDN_LIBS], [-lidn2])
- if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then
- GNUTLS_REQUIRES_PRIVATE="Requires.private: libidn2"
- else
- GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libidn2"
- fi
+ AC_SUBST([LIBIDN2_LIBS], [-lidn2]) dnl used in gnutls.pc.in
+dnl enable once libidn2.pc is widespread; and remove LIBIDN2_LIBS from gnutls.pc.in (Libs.private)
+dnl if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then
+dnl GNUTLS_REQUIRES_PRIVATE="Requires.private: libidn2"
+dnl else
+dnl GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libidn2"
+dnl fi
],[
with_libidn2=no;
AC_MSG_WARN(*** LIBIDN2 was not found. You will not be able to use IDN2008 support)
diff --git a/lib/gnutls.pc.in b/lib/gnutls.pc.in
index 441b45db0..c03757928 100644
--- a/lib/gnutls.pc.in
+++ b/lib/gnutls.pc.in
@@ -19,6 +19,6 @@ Description: Transport Security Layer implementation for the GNU system
URL: http://www.gnutls.org/
Version: @VERSION@
Libs: -L${libdir} -lgnutls
-Libs.private: @LTLIBZ@ @LTLIBINTL@ @LIBSOCKET@ @LTLIBNSL@ @LTLIBPTHREAD@ @P11_KIT_LIBS@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LTLIBUNISTRING@
+Libs.private: @LTLIBZ@ @LTLIBINTL@ @LIBSOCKET@ @LTLIBNSL@ @LTLIBPTHREAD@ @P11_KIT_LIBS@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LTLIBUNISTRING@ @LIBIDN2_LIBS@
@GNUTLS_REQUIRES_PRIVATE@
Cflags: -I${includedir}
--
2.11.1

3
gnutls-3.5.9.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:82b10f0c4ef18f4e64ad8cef5dbaf14be732f5095a41cf366b4ecb4050382951
size 7166932

BIN
gnutls-3.5.9.tar.xz.sig
View File

Binary file not shown.

39
gnutls-broken-openpgp-tests.patch Normal file
View File

@ -0,0 +1,39 @@
Index: gnutls-3.5.11/tests/Makefile.am
===================================================================
--- gnutls-3.5.11.orig/tests/Makefile.am
+++ gnutls-3.5.11/tests/Makefile.am
@@ -19,7 +19,7 @@
# along with this file; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-SUBDIRS = . cert-tests ocsp-tests key-tests slow dtls windows
+SUBDIRS = . cert-tests ocsp-tests key-tests slow windows
if WANT_TEST_SUITE
SUBDIRS += suite
@@ -91,7 +91,7 @@ ctests = mini-record-2 simple gc set_pkc
crlverify mini-dtls-discard init_fds mini-record-failure \
tls-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \
mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
- mini-dtls-record-asym openpgp-callback key-import-export \
+ mini-dtls-record-asym key-import-export \
mini-dtls-fork mini-dtls-pthread mini-key-material x509cert-invalid \
strict-der tls-ext-register tls-supplemental mini-dtls0-9 \
mini-record-retvals mini-server-name tls-etm x509-cert-callback \
@@ -236,6 +236,7 @@ endif
endif
if ENABLE_OPENPGP
+SUBDIRS += dtls
ctests += openpgp-auth openpgp-auth2 openpgp-keyring pgps2kgnu
endif
@@ -244,7 +245,7 @@ ctests += x509self x509dn anonself pskse
setcredcrash resume-x509 resume-psk resume-anon
if ENABLE_OPENPGP
-ctests += openpgpself
+ctests += openpgpself openpgp-callback
endif
endif

48
gnutls.changes
View File

@ -1,8 +1,56 @@
-------------------------------------------------------------------
Tue May 9 19:55:33 UTC 2017 - astieger@suse.com
- GnuTLS 3.5.11:
* gnutls.pc: do not include libtool options into Libs.private.
* libgnutls: Fixed issue when rehandshaking without a client certificate in
a session which initially used one
* libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
certificate parsing (bsc#1038337)
* libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
That allows PKCS#11 operations such as signing to be performed with the
same object from multiple threads.
* libgnutls: when disabling OpenPGP authentication, the resulting library
is ABI compatible (will openpgp related functions being stubs that fail
on invocation).
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Apr 29 20:03:38 UTC 2017 - bwiedemann@suse.com Sat Apr 29 20:03:38 UTC 2017 - bwiedemann@suse.com
- call gzip -n to make build fully reproducible - call gzip -n to make build fully reproducible
-------------------------------------------------------------------
Wed Apr 26 14:53:45 UTC 2017 - vcizek@suse.com
- update to 3.5.10
* addresses GNUTLS-SA-2017-3 CVE-2017-7869 bsc#1034173
* gnutls.pc: do not include libidn2 in Requires.private
* libgnutls: optimized access to subject alternative names (SANs) in parsed
certificates
* libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
when printing certificate information.
* libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
flags can be set from the gnutls_certificate_verify_flags enumeration.
This allows the functions to pass the same flags available for certificates
to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
GNUTLS_VERIFY_ALLOW_BROKEN).
* libgnutls: gnutls_store_commitment() can accept flag
GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
in applications which use SHA1 for example, after SHA1 is deprecated.
* certtool: No longer ignore the 'add_critical_extension' template option if
the 'add_extension' option is not present.
* gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
starttls-proto command- drop gnutls-3.5.9-pkgconfig.patch (upstream)
- drop gnutls-3.5.9-pkgconfig.patch (upstream)
- remove unknown --disable-srp flag (bsc#901857)
-------------------------------------------------------------------
Wed Apr 26 14:53:06 UTC 2017 - vcizek@suse.com
- disable the deprecated OpenPGP authentication support
* see https://gitlab.com/gnutls/gnutls/issues/102
- add gnutls-broken-openpgp-tests.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Feb 20 09:52:38 UTC 2017 - astieger@suse.com Mon Feb 20 09:52:38 UTC 2017 - astieger@suse.com

8
gnutls.spec
View File

@ -29,7 +29,7 @@
%define gnutls_dane_sover 0 %define gnutls_dane_sover 0
%endif %endif
Name: gnutls Name: gnutls
Version: 3.5.9 Version: 3.5.11
Release: 0 Release: 0
Summary: The GNU Transport Layer Security Library Summary: The GNU Transport Layer Security Library
License: LGPL-2.1+ and GPL-3.0+ License: LGPL-2.1+ and GPL-3.0+
@ -40,9 +40,10 @@ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.x
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz.sig Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz.sig
Source2: %{name}.keyring Source2: %{name}.keyring
Source3: baselibs.conf Source3: baselibs.conf
Patch0: gnutls-3.5.9-pkgconfig.patch Patch0: gnutls-broken-openpgp-tests.patch
BuildRequires: autogen BuildRequires: autogen
BuildRequires: automake BuildRequires: automake
BuildRequires: ca-certificates-mozilla
BuildRequires: datefudge BuildRequires: datefudge
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -211,11 +212,11 @@ autoreconf -if
--disable-static \ --disable-static \
--with-pic \ --with-pic \
--disable-rpath \ --disable-rpath \
--disable-srp \
--disable-silent-rules \ --disable-silent-rules \
--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
--with-sysroot=/%{?_sysroot} \ --with-sysroot=/%{?_sysroot} \
--with-guile-site-dir=no \ --with-guile-site-dir=no \
--disable-openpgp-authentication \
%if %{without tpm} %if %{without tpm}
--without-tpm \ --without-tpm \
%endif %endif
@ -247,6 +248,7 @@ cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
# PNG files are replaced with the compressed files and that breaks # PNG files are replaced with the compressed files and that breaks
# deduplication, this is workaround # deduplication, this is workaround
find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} + find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} +
rm -rf %{buildroot}/usr/share/doc/gnutls
%fdupes -s %{buildroot}%{_datadir} %fdupes -s %{buildroot}%{_datadir}
%find_lang libgnutls --all-name %find_lang libgnutls --all-name