From 0a5979b6776c0a56d85d54b3f141713bbf7e81ae819230872d619da524c2e072 Mon Sep 17 00:00:00 2001 
From: Vítězslav Čížek
Date: Tue, 4 Feb 2020 10:06:09 +0000
Subject: [PATCH] Accepting request 769920 from home:mimi_vx:branches:security:tls

- gnutls 3.6.12
  * libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) to identify sessions that client request OCSP status request (#829).
  * libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 signature algorithm (RFC 8032) under TLS (#86).
  * libgnutls: Added the default-priority-string option to system configuration; it allows overriding the compiled-in default-priority-string.
  * libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by draft-smyshlyaev-tls12-gost-suites-07). By default this ciphersuite is disabled. It can be enabled by adding +GOST to priority string. In the future this priority string may enable other GOST ciphersuites as well. Note, that server will fail to negotiate GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers.
  * libgnutls: added priority shortcuts for different GOST categories like CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.
  * libgnutls: Reject certificates with invalid time fields. That is we reject certificates with invalid characters in Time fields, or invalid time formatting. To continue accepting the invalid form compile with --disable-strict-der-time.
  * libgnutls: Reject certificates which contain duplicate extensions. We were previously printing warnings when printing such a certificate, but that is not always sufficient to flag such certificates as invalid. Instead we now refuse to import them (#887).
  * libgnutls: If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level prior to accepting it.
This addresses the problem of accepting CAs which would have been marked as insecure otherwise (#877). * libgnutls: The min-verification-profile from system configuration applies for all certificate verifications, not only under TLS. The configuration can OBS-URL: https://build.opensuse.org/request/show/769920 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=30 --- gnutls-3.6.11.1.tar.xz | 3 --- gnutls-3.6.11.1.tar.xz.sig | Bin 310 -> 0 bytes gnutls-3.6.12.tar.xz | 3 +++ gnutls-3.6.12.tar.xz.sig | Bin 0 -> 310 bytes gnutls.changes | 46 +++++++++++++++++++++++++++++++++++++ gnutls.spec | 4 ++-- 6 files changed, 51 insertions(+), 5 deletions(-) delete mode 100644 gnutls-3.6.11.1.tar.xz delete mode 100644 gnutls-3.6.11.1.tar.xz.sig create mode 100644 gnutls-3.6.12.tar.xz create mode 100644 gnutls-3.6.12.tar.xz.sig diff --git a/gnutls-3.6.11.1.tar.xz b/gnutls-3.6.11.1.tar.xz deleted file mode 100644 index 7002adc..0000000 --- a/gnutls-3.6.11.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fbba12f3db9a55dbf027e14111755817ec44b57eabec3e8089aac8ac6f533cf8 -size 5902328 diff --git a/gnutls-3.6.11.1.tar.xz.sig b/gnutls-3.6.11.1.tar.xz.sig deleted file mode 100644 index c07fa78fb08c6a1529412fd8024cf66ebf0a2203f70833f5c4d561b844ea0e52..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$t@kN&pH85ZD|@ zhw*2cWoq09|5Fn0Uzx!JW@(@NeF)8!zO_$SYI3;nw8*>;k?aXys9SRmS$e5y)w$E#nU}ej{R}UjIV<5sKj5Nh@vsaGNKqYcu2oq7SKXv{~0e@^uN<{yVHL z^2aA-Kkne)(Z;bY4qY;u>Xj;Cd13``VSVyH3UOu~>a80@4e6{OnGP(zHtm`Opu}_C z!X&RY7R+Ubqt-qLlIDVUAR^M2n-vjVY=ypFLEi1Qf@4#ZahahYc!*2xrH}u?&JQXQ Ih9I1A?OVi;4gdfE diff --git a/gnutls-3.6.12.tar.xz b/gnutls-3.6.12.tar.xz new file mode 100644 index 0000000..84557d0 --- /dev/null +++ b/gnutls-3.6.12.tar.xz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bfacf16e342949ffd977a9232556092c47164bd26e166736cf3459a870506c4b +size 5942064 
diff --git a/gnutls-3.6.12.tar.xz.sig b/gnutls-3.6.12.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..f00331ed8f1546dbe258bbf3210a1f0121c8d8ae202807dfc7f81c790ba2fec2 GIT binary patch literal 310 zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$w%s-2e&+5ZD|@ zhw*2cWo;b@0F!@p=vfrY_ZIuQ92NcXBoZy?>&wp!z;a{HT;AFaee=GB zF?K}xq}s}Rfxpdpp*}{-v-vx9Zr%jC_1c&EP@jSiKa&{d + +- gnutls 3.6.12 + * libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) + to identify sessions that client request OCSP status request (#829). + * libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 + signature algorithm (RFC 8032) under TLS (#86). + * libgnutls: Added the default-priority-string option to system configuration; + it allows overriding the compiled-in default-priority-string. + * libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by + draft-smyshlyaev-tls12-gost-suites-07). + By default this ciphersuite is disabled. It can be enabled by adding + +GOST to priority string. In the future this priority string may enable + other GOST ciphersuites as well. Note, that server will fail to negotiate + GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It + is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites + are enabled on GnuTLS-based servers. + * libgnutls: added priority shortcuts for different GOST categories like + CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL. + * libgnutls: Reject certificates with invalid time fields. That is we reject + certificates with invalid characters in Time fields, or invalid time formatting + To continue accepting the invalid form compile with --disable-strict-der-time + * libgnutls: Reject certificates which contain duplicate extensions. We were + previously printing warnings when printing such a certificate, but that is + not always sufficient to flag such certificates as invalid. 
Instead we now + refuse to import them (#887). + * libgnutls: If a CA is found in the trusted list, check in addition to + time validity, whether the algorithms comply to the expected level prior + to accepting it. This addresses the problem of accepting CAs which would + have been marked as insecure otherwise (#877). + * libgnutls: The min-verification-profile from system configuration applies + for all certificate verifications, not only under TLS. The configuration can + be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable. + * libgnutls: The stapled OCSP certificate verification adheres to the convention + used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag. + * libgnutls: On client side only send OCSP staples if they have been requested + by the server, and on server side always advertise that we support OCSP stapling + * libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible + with gnutls_ocsp_req_t but const. + * certtool: Added the --verify-profile option to set a certificate + verification profile. Use '--verify-profile low' for certificate verification + to apply the 'NORMAL' verification profile. + * certtool: The add_extension template option is considered even when generating + a certificate from a certificate request. + ------------------------------------------------------------------- Tue Dec 3 19:34:20 UTC 2019 - Andreas Stieger diff --git a/gnutls.spec b/gnutls.spec index cdd7923..543f9c2 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -28,7 +28,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.6.11.1 +Version: 3.6.12 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later
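Review bot: the tarball and signature hunks (gnutls-3.6.12.tar.xz, gnutls-3.6.12.tar.xz.sig) replace the detached signature without any keyring change appearing in the diffstat, so before the new LFS pointer (`oid sha256:bfacf16e342949ffd977a9232556092c47164bd26e166736cf3459a870506c4b`, `size 5942064`) is accepted, the reviewer should verify the new .sig against the upstream signing key the package already uses for source validation (not part of this diff) and compare the sha256 with the checksum upstream published for 3.6.12. The oid only pins content; it carries no information about who produced the archive, and a mismatch here would be the first indication of a tampered download.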
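Review bot: "overriden" in the added gnutls.changes entry ("The configuration can be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable") should read "overridden". The same entry records three changes that reject input previously accepted (invalid characters or formatting in certificate Time fields, duplicate extensions, and min-verification-profile now applying to all certificate verifications rather than only TLS); since the gnutls.spec hunks pass no --disable-strict-der-time, all of these ship enabled, so it is worth stating plainly in the changelog that applications importing or verifying certificates outside TLS may see new rejections after this update, with the documented build option and environment variable as the escape hatches.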
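Review bot: the gnutls.spec hunks only update the copyright line to "SUSE LLC" and bump Version from 3.6.11.1 to 3.6.12, with Release left at 0 as expected for OBS. Nothing in the spec adjusts the build for the new default-priority-string option or the wider scope of min-verification-profile described in the changelog, so confirm that the system priority configuration the package installs (outside this diff) sets the profile the distribution intends, because from this release the library enforces it for every certificate verification, not only TLS sessions.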