Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2026-02-11 19:12:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new.1670 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls"
Wed Feb 11 19:12:07 2026 rev:166 rq:1332202 version:3.8.12
Changes:
--------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2025-11-25 15:53:19.367684684 +0100
+++ /work/SRC/openSUSE:Factory/.gnutls.new.1670/gnutls.changes 2026-02-11 19:12:09.964342655 +0100
@@ -1,0 +2,31 @@
+Tue Feb 10 08:50:55 UTC 2026 - Pedro Monreal <[email protected]>
+
+- Update to 3.8.12:
+ * Security fixes:
+ - CVE-2026-1584: NULL pointer dereference in PSK binder verification (bsc#1257978)
+ - CVE-2025-14831: Fix name constraint processing performance issue (bsc#1257960)
+ * libgnutls: Fix NULL pointer dereference in PSK binder verification
+ A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
+ could lead to a denial of service attack via crashing the server.
+ The updated code guards against the problematic dereference.
+ [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
+ * libgnutls: Fix name constraint processing performance issue
+ Verifying certificates with pathological amounts of name constraints
+ could lead to a denial of service attack via resource exhaustion.
+ Reworked processing algorithms exhibit better performance characteristics.
+ [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
+ * libgnutls: Fix multiple unexploitable overflows (#1783, #1786).
+ * libgnutls: Fall back to thread-unsafe module initialization
+ Improve fallback handling for PKCS#11 modules that
+ don't support thread-safe initialization (#1774).
+ Also return filename from p11_kit_module_get_name() for unconfigured modules.
+ * libgnutls: Accept NULL as digest argument for gnutls_hash_output
+ The accelerated implementation of gnutls_hash_output() now
+ properly accepts NULL as the digest argument, matching the
+ behavior of the reference implementation (#1769).
+ * srptool: Avoid a stack buffer overflow when processing large SRP groups (#1777).
+ * Rebase patches:
+ - gnutls-FIPS-jitterentropy.patch
+ - gnutls-FIPS-140-3-references.patch
+
+-------------------------------------------------------------------
Old:
----
gnutls-3.8.11.tar.xz
gnutls-3.8.11.tar.xz.sig
New:
----
gnutls-3.8.12.tar.xz
gnutls-3.8.12.tar.xz.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.n7ILMW/_old 2026-02-11 19:12:10.752375836 +0100
+++ /var/tmp/diff_new_pack.n7ILMW/_new 2026-02-11 19:12:10.752375836 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 # Copyright (c) 2025 Andreas Stieger <[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
@@ -42,7 +42,7 @@
 %bcond_with tpm
 %bcond_without leancrypto
 Name: gnutls
-Version: 3.8.11
+Version: 3.8.12
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: GPL-3.0-or-later AND LGPL-2.1-or-later
++++++ gnutls-3.8.11.tar.xz -> gnutls-3.8.12.tar.xz ++++++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.8.11.tar.xz /work/SRC/openSUSE:Factory/.gnutls.new.1670/gnutls-3.8.12.tar.xz differ: char 15, line 1
++++++ gnutls-FIPS-140-3-references.patch ++++++
++++ 682 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/gnutls/gnutls-FIPS-140-3-references.patch
++++ and /work/SRC/openSUSE:Factory/.gnutls.new.1670/gnutls-FIPS-140-3-references.patch
++++++ gnutls-FIPS-jitterentropy.patch ++++++
--- /var/tmp/diff_new_pack.n7ILMW/_old 2026-02-11 19:12:10.852380047 +0100
+++ /var/tmp/diff_new_pack.n7ILMW/_new 2026-02-11 19:12:10.860380384 +0100
@@ -1,7 +1,7 @@ -Index: gnutls-3.8.11/lib/nettle/sysrng-linux.c +Index: gnutls-3.8.12/lib/nettle/sysrng-linux.c =================================================================== ---- gnutls-3.8.11.orig/lib/nettle/sysrng-linux.c -+++ gnutls-3.8.11/lib/nettle/sysrng-linux.c +--- gnutls-3.8.12.orig/lib/nettle/sysrng-linux.c ++++ gnutls-3.8.12/lib/nettle/sysrng-linux.c @@ -49,6 +49,15 @@ get_entropy_func _rnd_get_system_entropy = NULL; @@ -158,10 +158,10 @@ +#endif return; } -Index: gnutls-3.8.11/lib/nettle/Makefile.in +Index: gnutls-3.8.12/lib/nettle/Makefile.in =================================================================== ---- gnutls-3.8.11.orig/lib/nettle/Makefile.in -+++ gnutls-3.8.11/lib/nettle/Makefile.in +--- gnutls-3.8.12.orig/lib/nettle/Makefile.in ++++ gnutls-3.8.12/lib/nettle/Makefile.in @@ -522,7 +522,7 @@ am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -171,10 +171,10 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; -Index: gnutls-3.8.11/lib/nettle/Makefile.am +Index: gnutls-3.8.12/lib/nettle/Makefile.am =================================================================== ---- gnutls-3.8.11.orig/lib/nettle/Makefile.am -+++ gnutls-3.8.11/lib/nettle/Makefile.am +--- gnutls-3.8.12.orig/lib/nettle/Makefile.am ++++ gnutls-3.8.12/lib/nettle/Makefile.am @@ -20,7 +20,7 @@ include $(top_srcdir)/lib/common.mk @@ -184,10 +184,10 @@ AM_CPPFLAGS += \ -I$(srcdir)/int \ -Index: gnutls-3.8.11/lib/nettle/rnd-fips.c +Index: gnutls-3.8.12/lib/nettle/rnd-fips.c =================================================================== ---- gnutls-3.8.11.orig/lib/nettle/rnd-fips.c -+++ gnutls-3.8.11/lib/nettle/rnd-fips.c +--- gnutls-3.8.12.orig/lib/nettle/rnd-fips.c ++++ gnutls-3.8.12/lib/nettle/rnd-fips.c @@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc uint8_t buffer[DRBG_AES_SEED_SIZE]; int ret; 
@@ -210,10 +210,10 @@ ret = get_entropy(fctx, buffer, sizeof(buffer)); if (ret < 0) { _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -Index: gnutls-3.8.11/tests/Makefile.am +Index: gnutls-3.8.12/tests/Makefile.am =================================================================== ---- gnutls-3.8.11.orig/tests/Makefile.am -+++ gnutls-3.8.11/tests/Makefile.am +--- gnutls-3.8.12.orig/tests/Makefile.am ++++ gnutls-3.8.12/tests/Makefile.am @@ -214,7 +214,7 @@ ctests += mini-record-2 simple gnutls_hm dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \ keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \ @@ -223,10 +223,10 @@ safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \ safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \ rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \ -Index: gnutls-3.8.11/lib/state.c +Index: gnutls-3.8.12/lib/state.c =================================================================== ---- gnutls-3.8.11.orig/lib/state.c -+++ gnutls-3.8.11/lib/state.c +--- gnutls-3.8.12.orig/lib/state.c ++++ gnutls-3.8.12/lib/state.c @@ -834,6 +834,12 @@ void gnutls_deinit(gnutls_session_t sess gnutls_mutex_deinit(&session->internals.post_negotiation_lock); gnutls_mutex_deinit(&session->internals.epoch_lock); @@ -240,11 +240,11 @@ gnutls_free(session); } -Index: gnutls-3.8.11/lib/nettle/rnd.c +Index: gnutls-3.8.12/lib/nettle/rnd.c =================================================================== ---- gnutls-3.8.11.orig/lib/nettle/rnd.c -+++ gnutls-3.8.11/lib/nettle/rnd.c -@@ -79,6 +79,12 @@ struct generators_ctx_st { +--- gnutls-3.8.12.orig/lib/nettle/rnd.c ++++ gnutls-3.8.12/lib/nettle/rnd.c +@@ -79,6 +79,11 @@ struct generators_ctx_st { static void wrap_nettle_rnd_deinit(void *_ctx) { 
@@ -253,8 +253,7 @@ + _rnd_system_entropy_deinit(); +# endif +#endif -+ + zeroize_key(_ctx, sizeof(struct generators_ctx_st)); gnutls_free(_ctx); } -
