rpm/gnutls
SHA256
1
0
Fork 0
forked from pool/gnutls
Code Pull Requests Activity

Accepting request 630992 from home:vitezslav_cizek:branches:security:tls

Browse Source 
- Update to 3.6.3
  Fixes security issues:
  CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
  (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
  Other Changes:
  ** libgnutls: Introduced support for draft-ietf-tls-tls13-28
  ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
     earlier and TLS 1.3.
  ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
  ** Provide a uniform cipher list across supported TLS protocols
  ** The SSL 3.0 protocol is disabled on compile-time by default.
  ** libgnutls: Introduced function to switch the current FIPS140-2 operational
     mode
  ** libgnutls: Introduced low-level function to assist applications attempting client
     hello extension parsing, prior to GnuTLS' parsing of the message.
  ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
     modifications to the certificate.
  ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
     which are preferred by the server.
  ** Improved counter-measures for TLS CBC record padding.
     ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
     of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
  ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
     GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
  ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
     gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
     unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
     change for these functions which make them err towards safety.
  ** libgnutls: improved aarch64 cpu features detection by using getauxval().
  ** certtool: It is now possible to specify certificate and serial CRL numbers greater

OBS-URL: https://build.opensuse.org/request/show/630992
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=4
This commit is contained in:
Tomáš Chvátal
2018-08-23 07:10:46 +00:00
committed by Git OBS Bridge
parent 31a755e11b
commit a081367f85
6 changed files with 44 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
gnutls.changes
View File

@@ -1,3 +1,40 @@
-------------------------------------------------------------------
Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com
- Update to 3.6.3
Fixes security issues:
CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
(bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
Other Changes:
** libgnutls: Introduced support for draft-ietf-tls-tls13-28
** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
earlier and TLS 1.3.
** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
** Provide a uniform cipher list across supported TLS protocols
** The SSL 3.0 protocol is disabled on compile-time by default.
** libgnutls: Introduced function to switch the current FIPS140-2 operational
mode
** libgnutls: Introduced low-level function to assist applications attempting client
hello extension parsing, prior to GnuTLS' parsing of the message.
** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
modifications to the certificate.
** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
which are preferred by the server.
** Improved counter-measures for TLS CBC record padding.
** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
change for these functions which make them err towards safety.
** libgnutls: improved aarch64 cpu features detection by using getauxval().
** certtool: It is now possible to specify certificate and serial CRL numbers greater
than 2**63-2 as a hex-encoded string both when prompted and in a template file.
Default certificate serial numbers are now fully random.
- don't run autoreconf to avoid pulling in gtk-doc
-------------------------------------------------------------------
Tue Jul 31 10:04:17 UTC 2018 - schwab@suse.de