- Update to 3.6.3
Fixes security issues:
CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
(bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
Other Changes:
** libgnutls: Introduced support for draft-ietf-tls-tls13-28
** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
earlier and TLS 1.3.
** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
** Provide a uniform cipher list across supported TLS protocols
** The SSL 3.0 protocol is disabled on compile-time by default.
** libgnutls: Introduced function to switch the current FIPS140-2 operational
mode
** libgnutls: Introduced low-level function to assist applications attempting client
hello extension parsing, prior to GnuTLS' parsing of the message.
** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
modifications to the certificate.
** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
which are preferred by the server.
** Improved counter-measures for TLS CBC record padding.
** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
change for these functions which make them err towards safety.
** libgnutls: improved aarch64 cpu features detection by using getauxval().
** certtool: It is now possible to specify certificate and serial CRL numbers greater
OBS-URL: https://build.opensuse.org/request/show/630992
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=4
