From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] gnutls: Update to 3.6.16 Date: Thu, 03 Jun 2021 14:20:27 +0200 Message-ID: <20210603122027.683629-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4830504431332513316==" List-Id: --===============4830504431332513316== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable - Update from 3.6.14 to 3.6.16 - Update rootfile - Changelog * Version 3.6.16 (released 2021-05-24) ** libgnutls: Fixed potential miscalculation of ECDSA/EdDSA code backpor= ted from Nettle. In GnuTLS, as long as it is built and linked against the fix= ed version of Nettle, this only affects GOST curves. [CVE-2021-20305] ** libgnutls: Fixed potential use-after-free in sending "key_share" and "pre_shared_key" extensions. When sending those extensions, the client may dereference a pointer no longer valid after realloc. This happens only when the client sends a large Client Hello message, e.g., when HRR is sent in a resumed session previously negotiated large FFDHE parameters, because the initial allocation of the buffer is large enough without having to call realloc (#1151). [GNUTLS-SA-2021-03-10, CVSS: low] * Version 3.6.15 (released 2020-09-04) ** libgnutls: Fixed "no_renegotiation" alert handling at incorrect timin= g. The server sending a "no_renegotiation" alert in an unexpected timing, followed by an invalid second handshake was able to cause a TLS 1.3 c= lient to crash via a null-pointer dereference. The crash happens in the applic= ation's error handling path, where the gnutls_deinit function is called after detecting a handshake failure (#1071). [GNUTLS-SA-2020-09-04, CVSS: = medium] ** libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled= () now indicates that with a false return value (!1306). ** libgnutls: Under FIPS mode, the generated ECDH/DH public keys are che= cked accordingly to SP800-56A rev 3 (!1295, !1299). ** libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rath= er than the size of the internal base64 blob (#1025). The new behavior aligns= to the existing documentation. ** libgnutls: Certificate verification failue due to OCSP must-stapling = is not honered is now correctly marked with the GNUTLS_CERT_INVALID flag (!1317). The new behavior aligns to the existing documentation. ** libgnutls: The audit log message for weak hashes is no longer printed= twice (!1301). ** libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS = 1.2 is disabled in the priority string. Previously, even when TLS 1.2 is exp= licitly disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS= 1.3 is enabled (#1054). Signed-off-by: Adolf Belka --- config/rootfiles/common/gnutls | 2 +- lfs/gnutls | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls index cb7ecf8e5..e59c1a84f 100644 --- a/config/rootfiles/common/gnutls +++ b/config/rootfiles/common/gnutls @@ -33,7 +33,7 @@ usr/lib/libgnutls-dane.so.0.4.1 #usr/lib/libgnutls.la #usr/lib/libgnutls.so usr/lib/libgnutls.so.30 -usr/lib/libgnutls.so.30.28.0 +usr/lib/libgnutls.so.30.28.2 #usr/lib/libgnutlsxx.la #usr/lib/libgnutlsxx.so usr/lib/libgnutlsxx.so.28 diff --git a/lfs/gnutls b/lfs/gnutls index 07344a8c4..65db67b0c 100644 --- a/lfs/gnutls +++ b/lfs/gnutls @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 3.6.14 +VER =3D 3.6.16 =20 THISAPP =3D gnutls-$(VER) DL_FILE =3D $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D bf70632d420e421baff482247f01dbfe +$(DL_FILE)_MD5 =3D 5db1678931fa6bbd40beed235c6a0a37 =20 install : $(TARGET) =20 --=20 2.31.1 --===============4830504431332513316==--