Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2014-02-19 09:09:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and      /work/SRC/openSUSE:Factory/.gnutls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2013-12-23 12:33:47.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2014-02-19 09:09:50.000000000 +0100 
@@ -1,0 +2,75 @@ +Thu Feb 13 20:12:06 UTC 2014 - meiss...@suse.com + +- Upgraded to 3.2.11 + + ** libgnutls: Tolerate servers that send the SUPPORTED ECC extension. + + ** libgnutls: Reduced the TLS and DTLS version requirements for all + ciphersuites that are not GCM. + + ** libgnutls: When two initial keywords are specified then treat the + second as having the '+' modifier. + + ** libgnutls: When using a PKCS #11 module for verification ensure that + it has been marked a trusted policy module in p11-kit. Moreover, when an + empty (i.e., "pkcs11:") URL is specified, then try all trusted modules + in the system for verification. + http://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html + + ** libgnutls: Fixed bug that prevented the rejection of v1 intermediate + CA certificates. Reported and investigated by Suman Jana. + CVE-2014-1959 / bnc#863989 + + ** certtool: Added the --ask-pass option. +- gnutls-3.2.10-supported-ecc.patch: upstreamed +- gnutls-fix-missing-ipv6.patch: upstreamed + +------------------------------------------------------------------- +Tue Feb 11 12:16:48 UTC 2014 - meiss...@suse.com + +- Upgrade to 3.1.20 (released 2014-01-31) + ** libgnutls: fixed null pointer derefence when printing a certificate + DN and an LDAP description isn't present. + ** libgnutls: gnutls_db_check_entry_time will correctly report the time; + report and patch by Jonathan Roudiere. + +- Upgrade to 3.2.9 (released 2014-01-24) + + ** libgnutls: The %DUMBFW option in priority string only + appends data to client hello if the expected size is in the + "black hole" range. + + ** libgnutls: %COMPAT implies %DUMBFW. + + ** libgnutls: gnutls_session_get_desc() returns a more compact + ciphersuite description. + + * libgnutls: In PKCS #11 allow deleting multiple non-certificate data. + + ** libgnutls: When a PKCS #11 trust store is specified (e.g. 
using the + configure option --with-default-trust-store-pkcs11), then the PKCS #11 + token is used on demand to obtain the trusted anchors, rather than + preloading all trusted certificates. That delegates CA certificate + management and blacklist checking to the PKCS #11 module. + + ** libgnutls: When a PKCS #11 trust store is specified in configure + option or in gnutls_x509_trust_list_add_trust_file(), then the module is + used to obtain the verification anchors and any required blacklists as + in + http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html + + ** libgnutls: Fix in OCSP certificate status extension handling + in non-blocking servers. Patch by Nils Maier. + + ** p11tool: Added --so-login option to force login as security + officer (admin). + +- reenable ECDHE after review of modern cryptographic practices. + +- gnutls-fix-missing-ipv6.patch: handle getaddrinfo/socket availability + issues in gnutls-serv + +- gnutls-3.2.10-supported-ecc.patch: do not abort gnutls-cli on sites + sending the client only ECC extension (www.bsi.de) + +------------------------------------------------------------------- Old: ---- gnutls-3.2.8-noecc.patch gnutls-3.2.8.tar.xz gnutls-3.2.8.tar.xz.sig New: ---- gnutls-3.2.11.tar.xz gnutls-3.2.11.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.Nlhpt8/_old 2014-02-19 09:09:51.000000000 +0100 +++ /var/tmp/diff_new_pack.Nlhpt8/_new 2014-02-19 09:09:51.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -21,7 +21,7 @@ %define gnutls_ossl_sover 27 Name: gnutls -Version: 3.2.8 +Version: 3.2.11 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ and GPL-3.0+ @@ -36,8 +36,6 @@ # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stie...@gmx.de -- skip a failing test Patch3: gnutls-3.0.26-skip-test-fwrite.patch -# Disable elliptic curves for reasons. - meissner&cfarrell -Patch5: gnutls-3.2.8-noecc.patch Patch6: gnutls-implement-trust-store-dir-3.2.8.diff BuildRequires: automake @@ -138,21 +136,19 @@ %prep %setup -q %patch3 -%patch5 -p1 %patch6 -p1 %build autoreconf -if -# echde explicitly disabled - meissner&cfarrell %configure \ gl_cv_func_printf_directive_n=yes \ gl_cv_func_printf_infinite_long_double=yes \ --disable-static \ --with-pic \ --disable-rpath \ + --disable-srp \ --disable-silent-rules \ --with-default-trust-store-dir=/var/lib/ca-certificates/pem \ - --disable-ecdhe \ --with-sysroot=/%{?_sysroot} %__make %{?_smp_mflags} ++++++ gnutls-3.2.8.tar.xz -> gnutls-3.2.11.tar.xz ++++++ ++++ 119581 lines of diff (skipped) ++++++ gnutls-implement-trust-store-dir-3.2.8.diff ++++++ --- /var/tmp/diff_new_pack.Nlhpt8/_old 2014-02-19 09:09:54.000000000 +0100 +++ /var/tmp/diff_new_pack.Nlhpt8/_new 2014-02-19 09:09:54.000000000 +0100 @@ -1,8 +1,8 @@ -Index: gnutls-3.2.8/configure.ac +Index: gnutls-3.2.10/configure.ac =================================================================== ---- gnutls-3.2.8.orig/configure.ac -+++ gnutls-3.2.8/configure.ac -@@ -457,6 +457,25 @@ if test "$with_default_trust_store_file" +--- gnutls-3.2.10.orig/configure.ac ++++ gnutls-3.2.10/configure.ac +@@ -466,6 +466,25 @@ if test "$with_default_trust_store_file" with_default_trust_store_file="" fi 
@@ -28,7 +28,7 @@ AC_ARG_WITH([default-crl-file], [AS_HELP_STRING([--with-default-crl-file=FILE], [use the given CRL file as default])]) -@@ -470,6 +489,11 @@ if test "x$with_default_trust_store_file +@@ -479,6 +498,11 @@ if test "x$with_default_trust_store_file ["$with_default_trust_store_file"], [use the given file default trust store]) fi @@ -40,19 +40,19 @@ if test "x$with_default_crl_file" != x; then AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE], ["$with_default_crl_file"], [use the given CRL file]) -@@ -761,6 +785,7 @@ AC_MSG_NOTICE([System files: +@@ -770,6 +794,7 @@ AC_MSG_NOTICE([System files: - Trust store pkcs: $with_default_trust_store_pkcs11 + Trust store pkcs11: $with_default_trust_store_pkcs11 Trust store file: $with_default_trust_store_file + Trust store dir: $with_default_trust_store_dir Blacklist file: $with_default_blacklist_file CRL file: $with_default_crl_file DNSSEC root key file: $unbound_root_key_file -Index: gnutls-3.2.8/lib/system.c +Index: gnutls-3.2.10/lib/system.c =================================================================== ---- gnutls-3.2.8.orig/lib/system.c -+++ gnutls-3.2.8/lib/system.c -@@ -357,7 +357,45 @@ int _gnutls_find_config_path(char *path, +--- gnutls-3.2.10.orig/lib/system.c ++++ gnutls-3.2.10/lib/system.c +@@ -364,7 +364,45 @@ int _gnutls_find_config_path(char *path, return 0; } @@ -99,7 +99,7 @@ static int add_system_trust(gnutls_x509_trust_list_t list, -@@ -393,6 +431,12 @@ add_system_trust(gnutls_x509_trust_list_ +@@ -400,6 +438,12 @@ add_system_trust(gnutls_x509_trust_list_ r += ret; #endif 
@@ -112,7 +112,7 @@ #ifdef DEFAULT_BLACKLIST_FILE ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM); if (ret < 0) { -@@ -467,41 +511,6 @@ int add_system_trust(gnutls_x509_trust_l +@@ -474,41 +518,6 @@ int add_system_trust(gnutls_x509_trust_l return r; } #elif defined(ANDROID) || defined(__ANDROID__)
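Review bot: `--disable-srp` is added to the %configure call in the gnutls.spec %build hunk, but neither gnutls.changes entry mentions it. The changelog documents the ECDHE re-enable and the removal of gnutls-3.2.8-noecc.patch, so a line saying that SRP is now compiled out, and why, belongs next to those; as written, a feature is dropped from the build with no record for packagers or for users of SRP key exchange.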
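Review bot: gnutls-implement-trust-store-dir-3.2.8.diff keeps its 3.2.8 file name although its contents are rebased to `Index: gnutls-3.2.10/configure.ac` and `Index: gnutls-3.2.10/lib/system.c`, and the spec now builds Version 3.2.11. Suggest renaming the patch without a version (and updating `Patch6:`), and refreshing it against the 3.2.11 tree. The patch touches add_system_trust(), so the name and index paths should make clear which tree it was last checked against.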
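Review bot: the gnutls.changes hunk has no entry for 3.2.10, although gnutls-3.2.10-supported-ecc.patch is named after that release and the package moves from 3.2.8 to 3.2.11. The Feb 11 entry instead lists "Upgrade to 3.1.20", which is a different release series from the one the spec builds. Suggest replacing the 3.1.20 block with the 3.2.10 notes, or stating that those fixes are also in 3.2.x, so the CVE-2014-1959 / bnc#863989 entry sits in a changelog that traces each intermediate version.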