Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2019-04-10 23:10:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and      /work/SRC/openSUSE:Factory/.gnutls.new.27019 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Wed Apr 10 23:10:32 2019 rev:117 rq:692241 version:3.6.7 Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2019-02-04 21:25:14.943597851 +0100 +++ /work/SRC/openSUSE:Factory/.gnutls.new.27019/gnutls.changes 2019-04-10 23:10:36.979934400 +0200 
@@ -1,0 +2,60 @@ +Thu Apr 4 20:31:19 UTC 2019 - Jan Engelhardt <[email protected]> + +- Trim useless %if..%endif guards that do not affect the build. +- Fix language errors in description again. + +------------------------------------------------------------------- +Thu Apr 4 13:34:03 UTC 2019 - Jason Sikes <[email protected]> + +- Update gnutls to 3.6.7 + ** libgnutls, gnutls tools: Every gnutls_free() will automatically set + the free'd pointer to NULL. This prevents possible use-after-free and + double free issues. Use-after-free will be turned into NULL dereference. + The counter-measure does not extend to applications using gnutls_free(). + + ** libgnutls: Fixed a memory corruption (double free) vulnerability in the + certificate verification API. Reported by Tavis Ormandy; addressed with + the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829) + + ** libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; + Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836) + + ** libgnutls: enforce key usage limitations on certificates more actively. + Previously we would enforce it for TLS1.2 protocol, now we enforce it + even when TLS1.3 is negotiated, or on client certificates as well. When + an inappropriate for TLS1.3 certificate is seen on the credentials structure + GnuTLS will disable TLS1.3 support for that session (#690). + + ** libgnutls: the default number of tickets sent under TLS 1.3 was increased to + two. This makes it easier for clients which perform multiple connections + to the server to use the tickets sent by a default server. + + ** libgnutls: enforce the equality of the two signature parameters fields in + a certificate. We were already enforcing the signature algorithm, but there + was a bug in parameter checking code. + + ** libgnutls: fixed issue preventing sending and receiving from different + threads when false start was enabled (#713). 
+ + ** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable + session, as non-writeable security officer sessions are undefined in PKCS#11 + (#721). + + ** libgnutls: no longer send downgrade sentinel in TLS 1.3. + Previously the sentinel value was embedded to early in version + negotiation and was sent even on TLS 1.3. It is now sent only when + TLS 1.2 or earlier is negotiated (#689). + + ** gnutls-cli: Added option --logfile to redirect informational messages output. + +- Disabled dane support in SLE since dane is not shipped there + +- Changed configure script to hardware guile site directory since command-line + option '--with-guile-site-dir=' was removed from the configure script. + + ** Added gnutls-3.6.6-set_guile_site_dir.patch + +- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix + compilation issues on PPC + +------------------------------------------------------------------- Old: ---- gnutls-3.6.6.tar.xz gnutls-3.6.6.tar.xz.sig New: ---- gnutls-3.6.6-set_guile_site_dir.patch gnutls-3.6.7.tar.xz gnutls-3.6.7.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.bMijxU/_old 2019-04-10 23:10:37.983935541 +0200 +++ /var/tmp/diff_new_pack.bMijxU/_new 2019-04-10 23:10:37.987935545 +0200 @@ -20,8 +20,8 @@ %define gnutlsxx_sover 28 %define gnutls_dane_sover 0 -# unbound isn't in SLE12 (bsc#1086428) -%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500 +# unbound isn't in SLE (bsc#1086428) +%if 0%{?is_opensuse} %bcond_without dane %else %bcond_with dane @@ -29,7 +29,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.6.6 +Version: 3.6.7 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later 
@@ -42,6 +42,7 @@ Patch1: gnutls-3.5.11-skip-trust-store-tests.patch Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch Patch3: disable-psk-file-test.patch +Patch4: gnutls-3.6.6-set_guile_site_dir.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -112,8 +113,8 @@ %description -n libgnutlsxx%{gnutlsxx_sover} The GnuTLS library provides a secure layer over a reliable transport -layer. -implements the proposed standards of the IETF's TLS working group. +layer. Currently the GnuTLS library implements the proposed standards +of the IETF's TLS working group. %package -n libgnutls-devel Summary: Development package for the GnuTLS C API @@ -161,6 +162,7 @@ %setup -q %patch1 -p1 %patch3 -p1 +%patch4 -p1 # dtls-resume test fails on PPC %ifarch ppc64 ppc64le ppc %patch2 -p1 @@ -179,7 +181,6 @@ --disable-silent-rules \ --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ --with-sysroot=/%{?_sysroot} \ - --with-guile-site-dir=%{_datadir}/guile \ %if %{without tpm} --without-tpm \ %endif ++++++ gnutls-3.6.0-disable-flaky-dtls_resume-test.patch ++++++ --- /var/tmp/diff_new_pack.bMijxU/_old 2019-04-10 23:10:38.015935577 +0200 +++ /var/tmp/diff_new_pack.bMijxU/_new 2019-04-10 23:10:38.015935577 +0200 @@ -1,8 +1,8 @@ -Index: gnutls-3.6.5/tests/Makefile.am +Index: gnutls-3.6.7/tests/Makefile.am =================================================================== ---- gnutls-3.6.5.orig/tests/Makefile.am 2019-01-04 14:11:28.196622546 +0100 -+++ gnutls-3.6.5/tests/Makefile.am 2019-01-04 14:11:29.080627637 +0100 -@@ -445,7 +445,7 @@ if !WINDOWS +--- gnutls-3.6.7.orig/tests/Makefile.am ++++ gnutls-3.6.7/tests/Makefile.am +@@ -453,7 +453,7 @@ if !WINDOWS # List of tests not available/functional under windows # 
@@ -11,11 +11,11 @@ indirect_tests += dtls-stress -Index: gnutls-3.6.5/tests/Makefile.in +Index: gnutls-3.6.7/tests/Makefile.in =================================================================== ---- gnutls-3.6.5.orig/tests/Makefile.in 2019-01-04 14:11:28.200622568 +0100 -+++ gnutls-3.6.5/tests/Makefile.in 2019-01-04 14:11:44.352715599 +0100 -@@ -164,7 +164,7 @@ host_triplet = @host@ +--- gnutls-3.6.7.orig/tests/Makefile.in ++++ gnutls-3.6.7/tests/Makefile.in +@@ -165,7 +165,7 @@ host_triplet = @host@ # # List of tests not available/functional under windows # @@ -23,13 +23,13 @@ +@WINDOWS_FALSE@am__append_13 = dtls/dtls fastopen.sh \ @WINDOWS_FALSE@ pkgconfig.sh starttls.sh starttls-ftp.sh \ @WINDOWS_FALSE@ starttls-smtp.sh starttls-lmtp.sh \ - @WINDOWS_FALSE@ starttls-pop3.sh starttls-nntp.sh \ -@@ -2663,7 +2663,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM + @WINDOWS_FALSE@ starttls-pop3.sh starttls-xmpp.sh \ +@@ -2703,7 +2703,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM $(am__DEPENDENCIES_2) am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \ rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \ - dtls/dtls-resume fastopen.sh pkgconfig.sh starttls.sh \ + fastopen.sh pkgconfig.sh starttls.sh \ starttls-ftp.sh starttls-smtp.sh starttls-lmtp.sh \ - starttls-pop3.sh starttls-nntp.sh starttls-sieve.sh \ - ocsp-tests/ocsp-tls-connection \ + starttls-pop3.sh starttls-xmpp.sh starttls-nntp.sh \ + starttls-sieve.sh ocsp-tests/ocsp-tls-connection \ ++++++ gnutls-3.6.6-set_guile_site_dir.patch ++++++ Index: gnutls-3.6.6/configure =================================================================== --- gnutls-3.6.6.orig/configure +++ gnutls-3.6.6/configure 
@@ -62868,7 +62868,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5 $as_echo_n "checking for Guile site directory... " >&6; } - GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION` + GUILE_SITE=/usr/share/guile { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5 $as_echo "$GUILE_SITE" >&6; } if test "$GUILE_SITE" = ""; then ++++++ gnutls-3.6.6.tar.xz -> gnutls-3.6.7.tar.xz ++++++ /work/SRC/openSUSE:Factory/gnutls/gnutls-3.6.6.tar.xz /work/SRC/openSUSE:Factory/.gnutls.new.27019/gnutls-3.6.7.tar.xz differ: char 26, line 1
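Review bot: In the gnutls.changes hunk, the packaging bullets at the end of the 3.6.7 entry need a wording pass. "Changed configure script to hardware guile site directory" presumably means "hardcode", and "** Added gnutls-3.6.6-set_guile_site_dir.patch" reuses the "**" marker that the rest of the entry reserves for upstream release notes, so a packaging change reads like an upstream one. The entry also says "dane is not shipped there" while the spec comment says unbound is what is missing from SLE; use the same wording in both places so the reason for disabling dane is unambiguous.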
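Review bot: In the gnutls.spec hunk at -20,8, the new condition '%if 0%{?is_opensuse}' drops the '0%{?suse_version} >= 1500' branch, so every non-openSUSE build, SLE 15 included, now takes '%bcond_with dane'. The comment still cites only bsc#1086428, which the old comment tied to SLE12. Please confirm that the bug also covers SLE 15 or add the reference that does, since this change silently removes the DANE build from a product that had it enabled by the previous condition.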
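Review bot: In gnutls-3.6.6-set_guile_site_dir.patch, the hunk at configure line 62868 replaces the pkg-config lookup with the literal 'GUILE_SITE=/usr/share/guile', which makes the following check 'if test "$GUILE_SITE" = ""' dead code and loses the '%{_datadir}' macro that the removed '--with-guile-site-dir=%{_datadir}/guile' option carried. The patch also targets the generated configure script at a five-digit line offset, so it will need refreshing on most upstream updates; if the build regenerates configure, patching the source macro would be more robust. The file name and its Index: lines still say 3.6.6 although the spec Version is now 3.6.7, which is worth aligning or dropping the version from the patch name.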
