Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2022-08-04 13:22:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new.1521 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Thu Aug 4 13:22:41 2022 rev:140 rq:991995 version:3.7.7 Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2022-05-31 15:47:12.039980985 +0200 +++ /work/SRC/openSUSE:Factory/.gnutls.new.1521/gnutls.changes 2022-08-04 13:22:47.260383625 +0200 
@@ -1,0 +2,49 @@ +Fri Jul 29 14:29:17 UTC 2022 - Pedro Monreal <pmonr...@suse.com> + +- Update to 3.7.7: [bsc#1202020, CVE-2022-2509] + * libgnutls: Fixed double free during verification of pkcs7 + signatures. CVE-2022-2509 + * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument + less than or equal to 255 times hash digest size, to comply with + RFC 5869 2.3. + * libgnutls: Length limit for TLS PSK usernames has been increased + from 128 to 65535 characters + * libgnutls: AES-GCM encryption function now limits plaintext + length to 2^39-256 bits, according to SP800-38D 5.2.1.1. + * libgnutls: New block cipher functions have been added to + transparently handle padding. gnutls_cipher_encrypt3 and + gnutls_cipher_decrypt3 can be used in combination of + GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove + padding if the length of the original plaintext is not a multiple + of the block size. + * libgnutls: New function for manual FIPS self-testing. + * API and ABI modifications: + - gnutls_fips140_run_self_tests: New function + - gnutls_cipher_encrypt3: New function + - gnutls_cipher_decrypt3: New function + - gnutls_cipher_padding_flags_t: New enum + * guile: Guile 1.8 is no longer supported + * guile: Session record port treats premature termination as EOF Previously, + a 'gnutls-error' exception with the 'error/premature-termination' value + would be thrown while reading from a session record port when the + underlying session was terminated prematurely. This was inconvenient + since users of the port may not be prepared to handle such an exception. + Reading from the session record port now returns the end-of-file object + instead of throwing an exception, just like it would for a proper + session termination. + * guile: Session record ports can have a 'close' procedure. The + 'session-record-port' procedure now takes an optional second parameter, + and a new 'set-session-record-port-close!' 
procedure is provided to + specify a 'close' procedure for a session record port. This 'close' + procedure lets users specify cleanup operations for when the port is + closed, such as closing the file descriptor or port that backs the + underlying session. + * Rebase patches: + - gnutls-3.6.6-set_guile_site_dir.patch + - gnutls-FIPS-TLS_KDF_selftest.patch + - gnutls-FIPS-disable-failing-tests.patch + * Remove patch merged upstream: + - gnutls-FIPS-PBKDF2-KAT-requirements.patch + - https://gitlab.com/gnutls/gnutls/merge_requests/1561 + +------------------------------------------------------------------- Old: ---- gnutls-3.7.6.tar.xz gnutls-3.7.6.tar.xz.sig gnutls-FIPS-PBKDF2-KAT-requirements.patch New: ---- gnutls-3.7.7.tar.xz gnutls-3.7.7.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.YHbOBq/_old 2022-08-04 13:22:48.152386155 +0200 +++ /var/tmp/diff_new_pack.YHbOBq/_new 2022-08-04 13:22:48.156386167 +0200 @@ -36,7 +36,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.7.6 +Version: 3.7.7 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later @@ -50,8 +50,6 @@ Patch1: gnutls-3.6.6-set_guile_site_dir.patch Patch2: gnutls-FIPS-TLS_KDF_selftest.patch Patch3: gnutls-FIPS-disable-failing-tests.patch -#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT -Patch4: gnutls-FIPS-PBKDF2-KAT-requirements.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -91,7 +89,7 @@ %endif %endif %if %{with guile} -BuildRequires: guile-devel +BuildRequires: guile-devel > 1.8 %endif %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 BuildRequires: crypto-policies 
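Review bot: The new `BuildRequires: guile-devel > 1.8` inside the `%if %{with guile}` block does not exclude the Guile 1.8 series, because RPM orders a version such as 1.8.8 above 1.8, so a 1.8.x package still satisfies the constraint. If the intent is to mirror the changelog entry "Guile 1.8 is no longer supported", a lower bound on the next series says so exactly, e.g. `BuildRequires: guile-devel >= 2.0` (assuming 2.0 is the oldest series upstream still supports). The same applies to `Requires: guile > 1.8` in the later `@@ -194,7 +192,7 @@` hunk for the guile subpackage, which would become `Requires: guile >= 2.0`.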
@@ -194,7 +192,7 @@ Summary: Guile wrappers for gnutls License: LGPL-2.1-or-later Group: Development/Libraries/Other -Requires: guile +Requires: guile > 1.8 %description guile GnuTLS Wrappers for GNU Guile, a dialect of Scheme. ++++++ gnutls-3.6.6-set_guile_site_dir.patch ++++++ --- /var/tmp/diff_new_pack.YHbOBq/_old 2022-08-04 13:22:48.192386269 +0200 +++ /var/tmp/diff_new_pack.YHbOBq/_new 2022-08-04 13:22:48.196386280 +0200 @@ -1,14 +1,14 @@ -Index: gnutls-3.6.15/configure +Index: gnutls-3.7.7/configure =================================================================== ---- gnutls-3.6.15.orig/configure 2020-09-08 10:24:22.362083215 +0200 -+++ gnutls-3.6.15/configure 2020-09-08 10:24:28.510124171 +0200 -@@ -69365,7 +69365,7 @@ fi +--- gnutls-3.7.7.orig/configure ++++ gnutls-3.7.7/configure +@@ -74223,7 +74223,7 @@ fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5 - $as_echo_n "checking for Guile site directory... " >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5 + printf %s "checking for Guile site directory... " >&6; } - GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION` + GUILE_SITE=/usr/share/guile - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5 - $as_echo "$GUILE_SITE" >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5 + printf "%s\n" "$GUILE_SITE" >&6; } if test "$GUILE_SITE" = ""; then ++++++ gnutls-3.7.6.tar.xz -> gnutls-3.7.7.tar.xz ++++++ /work/SRC/openSUSE:Factory/gnutls/gnutls-3.7.6.tar.xz /work/SRC/openSUSE:Factory/.gnutls.new.1521/gnutls-3.7.7.tar.xz differ: char 26, line 1 ++++++ gnutls-FIPS-TLS_KDF_selftest.patch ++++++ --- /var/tmp/diff_new_pack.YHbOBq/_old 2022-08-04 13:22:48.232386382 +0200 +++ /var/tmp/diff_new_pack.YHbOBq/_new 2022-08-04 13:22:48.236386394 +0200 
@@ -1,9 +1,9 @@ -Index: gnutls-3.6.15/lib/fips.c +Index: gnutls-3.7.7/lib/fips.c =================================================================== ---- gnutls-3.6.15.orig/lib/fips.c 2020-09-03 16:59:05.000000000 +0200 -+++ gnutls-3.6.15/lib/fips.c 2020-11-10 12:51:40.420071675 +0100 -@@ -398,6 +398,28 @@ int _gnutls_fips_perform_self_checks2(vo - goto error; +--- gnutls-3.7.7.orig/lib/fips.c ++++ gnutls-3.7.7/lib/fips.c +@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo + return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); } + /* KDF */ @@ -18,14 +18,12 @@ + ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data, + label.size, (char*)label.data, seed.size, seed.data, expected.size, derived); + if (ret < 0) { -+ gnutls_assert(); -+ goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + + ret = memcmp(derived, expected.data, expected.size); + if (ret != 0) { -+ gnutls_assert(); -+ goto error; ++ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); + } + /* PK */ ++++++ gnutls-FIPS-disable-failing-tests.patch ++++++ --- /var/tmp/diff_new_pack.YHbOBq/_old 2022-08-04 13:22:48.248386428 +0200 +++ /var/tmp/diff_new_pack.YHbOBq/_new 2022-08-04 13:22:48.248386428 +0200 @@ -1,8 +1,8 @@ -Index: gnutls-3.7.3/guile/Makefile.am +Index: gnutls-3.7.7/guile/Makefile.am =================================================================== ---- gnutls-3.7.3.orig/guile/Makefile.am -+++ gnutls-3.7.3/guile/Makefile.am -@@ -102,8 +102,6 @@ endif HAVE_GUILD +--- gnutls-3.7.7.orig/guile/Makefile.am ++++ gnutls-3.7.7/guile/Makefile.am +@@ -102,14 +102,11 @@ endif HAVE_GUILD # TESTS = \ 
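Review bot: The `/* KDF */` block in the rebased self-test asks `_gnutls_prf_raw` to write `expected.size` bytes into `derived`, but the declaration of `derived` lies outside the lines shown, so nothing visible ties the buffer size to the length of the test vector. If `derived` is a fixed-size array, a guard before the call such as `if (expected.size > sizeof(derived)) return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);` keeps a later change of the vector from overrunning it. The bare `/* KDF */` comment could also name what is under test and where the known-answer vector comes from, for example `/* KDF: TLS PRF (SHA-256) known-answer test; vector source: <reference> */`. The enclosing function `_gnutls_fips_perform_self_checks2` starts and ends outside the hunk.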
@@ -11,11 +11,17 @@ tests/pkcs-import-export.scm \ tests/errors.scm \ tests/x509-certificates.scm \ -Index: gnutls-3.7.3/guile/Makefile.in + tests/x509-auth.scm \ + tests/reauth.scm \ +- tests/premature-termination.scm \ + tests/priorities.scm + + if ENABLE_SRP +Index: gnutls-3.7.7/guile/Makefile.in =================================================================== ---- gnutls-3.7.3.orig/guile/Makefile.in -+++ gnutls-3.7.3/guile/Makefile.in -@@ -2320,8 +2320,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap +--- gnutls-3.7.7.orig/guile/Makefile.in ++++ gnutls-3.7.7/guile/Makefile.in +@@ -2335,10 +2335,9 @@ CLEANFILES = modules/gnutls.scm $(am__ap # # Tests. # @@ -23,6 +29,9 @@ - tests/pkcs-import-export.scm tests/errors.scm \ +TESTS = tests/pkcs-import-export.scm tests/errors.scm \ tests/x509-certificates.scm tests/x509-auth.scm \ - tests/reauth.scm tests/priorities.scm $(am__append_2) +- tests/reauth.scm tests/premature-termination.scm \ ++ tests/reauth.scm \ + tests/priorities.scm $(am__append_2) TESTS_ENVIRONMENT = \ + GUILE_AUTO_COMPILE=0 \
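Review bot: The rebased patch now also drops `tests/premature-termination.scm` from `TESTS` in guile/Makefile.am (and, in the following hunk, in guile/Makefile.in), yet neither the patch nor the changelog, which lists it only under "Rebase patches", records why. The same update changes how a session record port reports premature termination, so this test appears to cover exactly the behaviour that changed, and disabling it silently removes that coverage from a TLS library build. A header line in the patch would make the exclusion reviewable, e.g. `# PATCH-FIX-SUSE <bug reference>: premature-termination.scm disabled because <reason>; re-enable once fixed`. Editing the generated Makefile.in next to Makefile.am also means both lists must be kept in sync by hand on every rebase, which deserves a short comment in the patch header.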