From a081367f850e8fcc5f7fcd5ef1b002bd559a9b0fc9a5b1cbf6d23de5286a9008 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Thu, 23 Aug 2018 07:10:46 +0000 Subject: [PATCH] Accepting request 630992 from home:vitezslav_cizek:branches:security:tls - Update to 3.6.3 Fixes security issues: CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790 (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002) Other Changes: ** libgnutls: Introduced support for draft-ietf-tls-tls13-28 ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or earlier and TLS 1.3. ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836. ** Provide a uniform cipher list across supported TLS protocols ** The SSL 3.0 protocol is disabled on compile-time by default. ** libgnutls: Introduced function to switch the current FIPS140-2 operational mode ** libgnutls: Introduced low-level function to assist applications attempting client hello extension parsing, prior to GnuTLS' parsing of the message. ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no modifications to the certificate. ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups which are preferred by the server. ** Improved counter-measures for TLS CBC record padding. ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation of legacy CBC ciphersuites unless encrypt-then-mac is negotiated. ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag. ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2, gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API change for these functions which make them err towards safety. ** libgnutls: improved aarch64 cpu features detection by using getauxval(). 
** certtool: It is now possible to specify certificate and serial CRL numbers greater
OBS-URL: https://build.opensuse.org/request/show/630992
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=4
---
 gnutls-3.6.2.tar.xz | 3 ---
 gnutls-3.6.2.tar.xz.sig | Bin 310 -> 0 bytes
 gnutls-3.6.3.tar.xz | 3 +++
 gnutls-3.6.3.tar.xz.sig | Bin 0 -> 310 bytes
 gnutls.changes | 37 +++++++++++++++++++++++++++++++++++++
 gnutls.spec | 8 ++++----
 6 files changed, 44 insertions(+), 7 deletions(-)
 delete mode 100644 gnutls-3.6.2.tar.xz
 delete mode 100644 gnutls-3.6.2.tar.xz.sig
 create mode 100644 gnutls-3.6.3.tar.xz
 create mode 100644 gnutls-3.6.3.tar.xz.sig
diff --git a/gnutls-3.6.2.tar.xz b/gnutls-3.6.2.tar.xz
deleted file mode 100644
index 25f7e8c..0000000
--- a/gnutls-3.6.2.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bcd5db7b234e02267f36b5d13cf5214baac232b7056a506252b7574ea7738d1f
-size 8093304
diff --git a/gnutls-3.6.2.tar.xz.sig b/gnutls-3.6.2.tar.xz.sig
deleted file mode 100644
index d892f76a37afab1a31fba8d9bfa215345f7c6a5dc8cc316b8307a9282ebd8218..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 310
zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$PTNxc~|Y5ZD|@ zhw*2cWhjRS`vl^hd7v#InYo}qkUuq|_DT!LaMqtDUmJ^((y=^_$IQ(vfHF0+}%nluFK zoQnE5bctt%SnXr<4-=C?mS~b`^Q~~}c#bC%+T+#xzguonw~l&H7uhQ9fyoUHHT=)d z)u&gqNi(){gyX4J|7nKsOfXI!ERW8z7)RPw_LFg z2P2qhW*VQBLa|nULu|oaN%}T=Iq8UoP$?foLOfi);(J(+s%BWxO;`{Zp#1P=ges;A I!vl4SrfzSLssI20

diff --git a/gnutls-3.6.3.tar.xz b/gnutls-3.6.3.tar.xz
new file mode 100644
index 0000000..1a9c38b
--- /dev/null
+++ b/gnutls-3.6.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ed642b66a4ecf4851ab2d809cd1475c297b6201d8e8bd14b4d1c08b53ffca993
+size 8010284
diff --git a/gnutls-3.6.3.tar.xz.sig b/gnutls-3.6.3.tar.xz.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..40737635f8ea03187e2c3da469f25dfc8a931e40795063e6dd216123ed365a98
GIT binary patch
literal 310
zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$WTzrT_{F5ZD|@ zhw*2cWx{O-|9DYQbf@FmLFKV++K+oBGCPrIXF>A-!)Ei6erqy({I?}u;f2yZJoeED z1&`*<2cj}9@AD~;&C&Y*9ELJ1{%CQ_xSNaiv-7OXE5t-9fr?Nltl1NO>?ta$(B3l#_miihz;dHCzDJWBj z2?;=GPk3U3%aU|=^-1+ODrDjNHQ;3?7k`Tfk~^#WD@QFyC)twOinlMtcLN*Svrt=O z%-Xh8b{fKyl7stId+WuNSn%J}3B09Z9-3b!1J$Glb+D`>eIlbK^)ODveM|ADvlRPe Ij*+beP$5>7NB{r;

literal 0
HcmV?d00001

diff --git a/gnutls.changes b/gnutls.changes
index 63bce13..2bc1754 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com
+
+- Update to 3.6.3
+ Fixes security issues:
+ CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
+ (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
+ Other Changes:
+ ** libgnutls: Introduced support for draft-ietf-tls-tls13-28
+ ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
+ earlier and TLS 1.3.
+ ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
+ ** Provide a uniform cipher list across supported TLS protocols
+ ** The SSL 3.0 protocol is disabled on compile-time by default.
+ ** libgnutls: Introduced function to switch the current FIPS140-2 operational
+ mode
+ ** libgnutls: Introduced low-level function to assist applications attempting client
+ hello extension parsing, prior to GnuTLS' parsing of the message.
+ ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
+ modifications to the certificate.
+ ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
+ which are preferred by the server.
+ ** Improved counter-measures for TLS CBC record padding.
+ ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
+ of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
+ ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
+ GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
+ ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
+ gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
+ unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
+ change for these functions which make them err towards safety.
+ ** libgnutls: improved aarch64 cpu features detection by using getauxval().
+ ** certtool: It is now possible to specify certificate and serial CRL numbers greater
+ than 2**63-2 as a hex-encoded string both when prompted and in a template file.
+ Default certificate serial numbers are now fully random.
+- don't run autoreconf to avoid pulling in gtk-doc
+
 -------------------------------------------------------------------
 Tue Jul 31 10:04:17 UTC 2018 - schwab@suse.de
diff --git a/gnutls.spec b/gnutls.spec
index e3f97f3..d971435 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -29,7 +29,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name: gnutls
-Version: 3.6.2
+Version: 3.6.3
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -168,7 +168,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 export LDFLAGS="-pie"
 export CFLAGS="%{optflags} -fPIE"
 export CXXFLAGS="%{optflags} -fPIE"
-autoreconf -fiv
+#autoreconf -fiv
 %configure \
 gl_cv_func_printf_directive_n=yes \
 gl_cv_func_printf_infinite_long_double=yes \
@@ -177,7 +177,7 @@ autoreconf -fiv
 --disable-silent-rules \
 --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
 --with-sysroot=/%{?_sysroot} \
- --with-guile-site-dir=no \
+ --with-guile-site-dir=%{_datadir}/guile \
 %if %{without tpm}
 --without-tpm \
 %endif
@@ -307,7 +307,7 @@ make %{?_smp_mflags} check || {
 %if %{with guile}
 %files guile
 %{_libdir}/guile/*
-%{_datadir}/guile/site/gnutls*
+%{_datadir}/guile/gnutls*
 %endif
 %changelog
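Review bot: `+#autoreconf -fiv` leaves a commented-out build step in %build with no explanation in the spec itself; the reason ("don't run autoreconf to avoid pulling in gtk-doc") is recorded only in the gnutls.changes entry of this commit. Replace the dead line with a comment that states the intent, e.g. `# autoreconf is deliberately not run: it would pull gtk-doc into the build (see gnutls.changes, 3.6.3)`, so the next updater does not simply uncomment it. If the spec carries patches that touch configure.ac or Makefile.am (none are visible in this hunk), they will no longer be regenerated into configure, which is worth stating in that comment as well.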
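Review bot: The switch from `--with-guile-site-dir=no` to `--with-guile-site-dir=%{_datadir}/guile` changes where the Guile bindings are installed, but the changelog entry added by this commit records only the version update and the autoreconf change. Add a line such as `- install the Guile bindings into %{_datadir}/guile (--with-guile-site-dir)` to the gnutls.changes entry so the packaging change is traceable. The matching `%files guile` update in the last hunk (`%{_datadir}/guile/gnutls*`) depends on this flag, so one changelog line covering both keeps that coupling visible.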