From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 1/6] gnutls: Update to version 3.8.9
Date: Fri, 4 Jul 2025 18:32:59 +0200
Message-ID: <20250704163304.589703-1-adolf.belka@ipfire.org>

- Update from version 3.8.8 to 3.8.9
- Update of rootfile
- I found that gnutls was using its own bundled versions of libtasn1 and libunistring and that there had been some CVEs with libtasn1 which were then fixed later in the gnutls bundled version together with some fixes in the gnutls code. So this patch, as well as updating the version, has also removed the options to use the included versions of the libtasn1 and libunistring libraries. libtasn1 was already in IPFire and just needed to be moved to before gnutls. libunistring had to be added in.
- The disable-guile option was removed as the guile bindings were removed in gnutls-3.8.0 and the option is no longer recognised.
- Changelog 3.8.9

** libgnutls: leancrypto was added as an interim option for PQC
   The library can now be built with leancrypto instead of liboqs for post-quantum cryptography (PQC), when configured with --with-leancrypto option instead of --with-liboqs.

** libgnutls: Experimental support for ML-DSA signature algorithm
   The library and certtool now support ML-DSA signature algorithm as defined in FIPS 204 and based on draft-ietf-lamps-dilithium-certificates-04. This feature is currently marked as experimental and can only be enabled when compiled with --with-leancrypto or --with-liboqs. Contributed by David Dudas.

** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
   The support for ML-KEM post-quantum key encapsulation mechanisms has been extended to cover ML-KEM-1024, in addition to ML-KEM-768. MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per draft-kwiatkowski-tls-ecdhe-mlkem-03.
** libgnutls: Fix potential DoS in handling certificates with numerous name constraints, as a follow-up of CVE-2024-12133 in libtasn1. The bundled copy of libtasn1 has also been updated to the latest 4.20.0 release to complete the fix. Reported by Bing Shi (#1553). [GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]

** API and ABI modifications:
GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/gnutls | 2 +-
 lfs/gnutls | 8 +++-----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls index 4f496435f..824631734 100644 --- a/config/rootfiles/common/gnutls +++ b/config/rootfiles/common/gnutls @@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1 #usr/lib/libgnutls.la #usr/lib/libgnutls.so usr/lib/libgnutls.so.30 -usr/lib/libgnutls.so.30.40.2 +usr/lib/libgnutls.so.30.40.3 #usr/lib/libgnutlsxx.la #usr/lib/libgnutlsxx.so usr/lib/libgnutlsxx.so.30 diff --git a/lfs/gnutls b/lfs/gnutls index ad8269338..cc5b255fb 100644 --- a/lfs/gnutls +++ b/lfs/gnutls @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2024 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 3.8.8 +VER = 3.8.9 THISAPP = gnutls-$(VER) DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = d1498b0b9f14789599fd5b984d5370b632611f2702e9f4fc504ddba2a3e0dd4137bec858eb6150d031f9f50e6b3a3a7d905864f0a9f50a1f01e5ea8f37a44ba8 +$(DL_FILE)_BLAKE2 = 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7 install : $(TARGET) @@ -73,8 +73,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && \ ./configure \ --prefix=/usr \ - --with-included-libtasn1 \ - --with-included-unistring \ --without-p11-kit \ --disable-openssl-compatibility \ --disable-guile -- 2.50.0
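Review bot: the rootfile hunk (usr/lib/libgnutls.so.30.40.2 to .30.40.3) is the only install-side change, yet once the bundled copies are dropped in the configure hunk the new libgnutls.so.30 resolves libtasn1 and libunistring at run time instead of carrying them inside the object. The commit message says libunistring is new to IPFire, and no rootfile for it is part of this patch, so the series patch that adds it must land before this one, or the updated libgnutls.so.30 will fail to load on installed systems.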
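Review bot: the replaced $(DL_FILE)_BLAKE2 value in the @@ -40,7 +40,7 @@ hunk is the only integrity anchor for the new tarball, and the commit message does not say how it was derived. Please confirm the checksum was computed (b2sum) over a gnutls-3.8.9.tar.xz whose upstream detached signature verified, not over a download taken on trust, and consider recording that in the commit message.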
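Review bot: the commit message says the --disable-guile option was removed because it is no longer recognised, but in the @@ -73,8 +73,6 @@ hunk --disable-guile is unchanged trailing context (8 lines become 6, and only `- --with-included-libtasn1 \` and `- --with-included-unistring \` carry a minus), so either the message is stale or a `-` line is missing; please reconcile the two. Dropping the two --with-included-* options also makes configure depend on the system libtasn1 and libunistring having been built earlier, which the message says happens elsewhere in the series (the build-order move of libtasn1 and the new libunistring package); since this is PATCH 1/6, applying it alone breaks the build, so either order the series so those land first or state the ordering in the cover letter.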
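The reason given in the commit message for dropping the bundled copies is that a libtasn1 fix (CVE-2024-12133) had to be re-shipped inside gnutls rather than arriving through the system package. The check a packager wants after the rebuild is that libgnutls now really links the system libtasn1 and libunistring. The script below is an added example, not part of this patch or of IPFire's build system; it assumes GNU binutils readelf is on PATH and takes the path to the built libgnutls.so.30 as its only argument.

```shell
#!/bin/sh
# Added example, not part of the IPFire patch or of gnutls: check that a built
# libgnutls resolves libtasn1 and libunistring from the system at run time
# instead of carrying bundled copies. Assumes GNU binutils readelf is on PATH
# and that the caller passes the path to the built libgnutls.so.30.
set -eu

# needed_libs: read `readelf -d` output on stdin and print each NEEDED SONAME,
# one per line.
needed_libs() {
    sed -n 's/.*(NEEDED)[^[]*\[\([^]]*\)].*/\1/p'
}

# check_unbundled: read `readelf -d` output on stdin and succeed only when both
# libtasn1 and libunistring are dynamic dependencies. A libgnutls configured
# with --with-included-libtasn1 / --with-included-unistring has that code
# linked in statically, shows no such NEEDED entry, and keeps whatever
# version was bundled no matter what the system packages ship.
check_unbundled() {
    libs=$(needed_libs)
    status=0
    for want in libtasn1.so libunistring.so; do
        case "$libs" in
            *"$want"*) echo "ok: NEEDED $want" ;;
            *) echo "MISSING: no NEEDED entry for $want (bundled copy still linked in?)"
               status=1 ;;
        esac
    done
    return "$status"
}

# Entry point: with a library path given, run the check against it.
if [ "$#" -eq 1 ]; then
    readelf -d "$1" | check_unbundled
fi
```

Run it on the build host as `sh check_unbundled.sh /usr/lib/libgnutls.so.30`; a non-zero exit means at least one of the two libraries is still being satisfied from inside libgnutls. The NEEDED entries are the decisive signal: looking for asn1_* symbols with nm is not a substitute, because libgnutls exports only its own gnutls_* symbols through its version script and a bundled libtasn1 stays hidden from `nm -D`.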