From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <development+bounces-673-archive=lists.ipfire.org@lists.ipfire.org>
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4bYfMH3fLMz36Vr
	for <archive@lists.ipfire.org>; Fri,  4 Jul 2025 16:33:15 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4bYfMC6hhHz2yqG
	for <development@lists.ipfire.org>; Fri,  4 Jul 2025 16:33:11 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4bYfM975J2z27Z;
	Fri,  4 Jul 2025 16:33:09 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1751646790;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=SYyEvzkwgnC+kTnkGOdebH3iHbcnmF0Y9q8IR/Yiy5U=;
	b=LIrIWj/l79klGCqCzZz2jHOvERO3qR/4whptd/g9DukbzSfLke+RG2nsQjOw6D/F9mP2yJ
	Fj2UD+Dq7fwGePBQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa;
	t=1751646790;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=SYyEvzkwgnC+kTnkGOdebH3iHbcnmF0Y9q8IR/Yiy5U=;
	b=efAM5W1lQfRMXF6ktm2ed+KeDHVzH5d9HzXeFyp7b45OZyazitUfbtkuPspc0BEeEiQT8i
	3MVe3IQn/9UWzkmA+V63YjyHBYtasixZ9WOlZ8jm3m2kKwHUjPfux0SJsMnTR8tuP2v5Qn
	uBk8bIVgpWQ8oOJ1V5d/ey7D9k7tQ7tjpVxeLSckJG5F7KW+K9RizzL/2F9Yok03kkSzjw
	Vs/+IW3hi9WjqGxcsupTuFAwWP5/zpdkVS4jCtVsg/nTFAEg3ykHD9XNQiilrMXfYP6mer
	P6/Be1GnlxaOwp9Ia8MnF+cRhJI9tfHqpSpmcdM5e8kO2CXm6UxuvJ4ef2dBcQ==
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH 1/6] gnutls: Update to version 3.8.9
Date: Fri,  4 Jul 2025 18:32:59 +0200
Message-ID: <20250704163304.589703-1-adolf.belka@ipfire.org>
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

- Update from version 3.8.8 to 3.8.9
- Update of rootfile
- I found that gnutls was using its own bundled versions of libtasn1 and libunistring
   and that there had been some CVE's with libtasn1  which were then fixed later in the
   gnutls bundled version together with some fixes in the gnutls code. So this patch,
   as well updating the version has also removed the options to use the included
   versions of the libtasn1 and libunistring libraries. libtasn1 was already in IPFire
   and just needed to be moved to before gnutls. libunistring had to be added in.
- The disable-guile option was removed as the guile bindings were removed in
   gnutls-3.8.0 and the option is no longer recognised.
- Changelog
    3.8.9
	** libgnutls: leancrypto was added as an interim option for PQC
	   The library can now be built with leancrypto instead of liboqs for
	   post-quantum cryptography (PQC), when configured with
	   --with-leancrypto option instead of --with-liboqs.
	** libgnutls: Experimental support for ML-DSA signature algorithm
	   The library and certtool now support ML-DSA signature algorithm as
	   defined in FIPS 204 and based on
	   draft-ietf-lamps-dilithium-certificates-04. This feature is
	   currently marked as experimental and can only be enabled when
	   compiled with --with-leancrypto or --with-liboqs.
	   Contributed by David Dudas.
	** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
	   The support for ML-KEM post-quantum key encapsulation mechanisms
	   has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
	   MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
	   draft-kwiatkowski-tls-ecdhe-mlkem-03.
	** libgnutls: Fix potential DoS in handling certificates with numerous name
	   constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
	   bundled copy of libtasn1 has also been updated to the latest 4.20.0
	   release to complete the fix.  Reported by Bing Shi (#1553).
	   [GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]
	** API and ABI modifications:
	   GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
	   GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
	   GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
	   GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
	   GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
	   GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/gnutls | 2 +-
 lfs/gnutls                     | 8 +++-----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
index 4f496435f..824631734 100644
--- a/config/rootfiles/common/gnutls
+++ b/config/rootfiles/common/gnutls
@@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1
 #usr/lib/libgnutls.la
 #usr/lib/libgnutls.so
 usr/lib/libgnutls.so.30
-usr/lib/libgnutls.so.30.40.2
+usr/lib/libgnutls.so.30.40.3
 #usr/lib/libgnutlsxx.la
 #usr/lib/libgnutlsxx.so
 usr/lib/libgnutlsxx.so.30
diff --git a/lfs/gnutls b/lfs/gnutls
index ad8269338..cc5b255fb 100644
--- a/lfs/gnutls
+++ b/lfs/gnutls
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.8.8
+VER        = 3.8.9
 
 THISAPP    = gnutls-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = d1498b0b9f14789599fd5b984d5370b632611f2702e9f4fc504ddba2a3e0dd4137bec858eb6150d031f9f50e6b3a3a7d905864f0a9f50a1f01e5ea8f37a44ba8
+$(DL_FILE)_BLAKE2 = 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7
 
 install : $(TARGET)
 
@@ -73,8 +73,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && \
 		./configure \
 			--prefix=/usr \
-			--with-included-libtasn1 \
-			--with-included-unistring \
 			--without-p11-kit \
 			--disable-openssl-compatibility \
 			--disable-guile
-- 
2.50.0