* [PATCH 1/6] gnutls: Update to version 3.8.9
@ 2025-07-04 16:32 Adolf Belka
2025-07-04 16:33 ` [PATCH 2/6] libtasn1: Update to version 4.20.0 & move before gnutls Adolf Belka
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Adolf Belka @ 2025-07-04 16:32 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- Update from version 3.8.8 to 3.8.9
- Update of rootfile
- I found that gnutls was using its own bundled versions of libtasn1 and libunistring
and that there had been some CVEs with libtasn1 which were then fixed later in the
gnutls bundled version together with some fixes in the gnutls code. So this patch,
as well as updating the version, has also removed the options to use the included
versions of the libtasn1 and libunistring libraries. libtasn1 was already in IPFire
and just needed to be moved to before gnutls. libunistring had to be added in.
- The disable-guile option was removed as the guile bindings were removed in
gnutls-3.8.0 and the option is no longer recognised.
- Changelog
3.8.9
** libgnutls: leancrypto was added as an interim option for PQC
The library can now be built with leancrypto instead of liboqs for
post-quantum cryptography (PQC), when configured with
--with-leancrypto option instead of --with-liboqs.
** libgnutls: Experimental support for ML-DSA signature algorithm
The library and certtool now support ML-DSA signature algorithm as
defined in FIPS 204 and based on
draft-ietf-lamps-dilithium-certificates-04. This feature is
currently marked as experimental and can only be enabled when
compiled with --with-leancrypto or --with-liboqs.
Contributed by David Dudas.
** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
The support for ML-KEM post-quantum key encapsulation mechanisms
has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
draft-kwiatkowski-tls-ecdhe-mlkem-03.
** libgnutls: Fix potential DoS in handling certificates with numerous name
constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
bundled copy of libtasn1 has also been updated to the latest 4.20.0
release to complete the fix. Reported by Bing Shi (#1553).
[GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]
** API and ABI modifications:
GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/gnutls | 2 +-
lfs/gnutls | 8 +++-----
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
index 4f496435f..824631734 100644
--- a/config/rootfiles/common/gnutls
+++ b/config/rootfiles/common/gnutls
@@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1
#usr/lib/libgnutls.la
#usr/lib/libgnutls.so
usr/lib/libgnutls.so.30
-usr/lib/libgnutls.so.30.40.2
+usr/lib/libgnutls.so.30.40.3
#usr/lib/libgnutlsxx.la
#usr/lib/libgnutlsxx.so
usr/lib/libgnutlsxx.so.30
diff --git a/lfs/gnutls b/lfs/gnutls
index ad8269338..cc5b255fb 100644
--- a/lfs/gnutls
+++ b/lfs/gnutls
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 3.8.8
+VER = 3.8.9
THISAPP = gnutls-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = d1498b0b9f14789599fd5b984d5370b632611f2702e9f4fc504ddba2a3e0dd4137bec858eb6150d031f9f50e6b3a3a7d905864f0a9f50a1f01e5ea8f37a44ba8
+$(DL_FILE)_BLAKE2 = 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7
install : $(TARGET)
@@ -73,8 +73,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && \
./configure \
--prefix=/usr \
- --with-included-libtasn1 \
- --with-included-unistring \
--without-p11-kit \
--disable-openssl-compatibility \
--disable-guile
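Review bot: `--disable-guile` is still the last configure argument in this hunk, as an unchanged context line, although the commit message says the option was removed because it is no longer recognised since gnutls-3.8.0. Either delete that line (together with the trailing backslash on `--disable-openssl-compatibility \`) or drop the sentence from the commit message. Separately, removing `--with-included-libtasn1` and `--with-included-unistring` here depends on the make.sh changes in 2/6 and 3/6 that build libtasn1 and libunistring before gnutls; with only 1/6 applied, make.sh still builds libtasn1 after gnutls, so reordering the series to put those two patches first would keep it bisectable.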
--
2.50.0
* [PATCH 2/6] libtasn1: Update to version 4.20.0 & move before gnutls
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- Update from version 4.19.0 to 4.20.0
- Update of rootfile
- Move earlier in make.sh so that the library can be used by gnutls in place of the
gnutls bundled version.
- Fix for a CVE
- Changelog
4.20.0
- The release tarball is now reproducible.
- We publish a minimal source-only tarball generated by 'git archive'.
- Update gnulib files and various build/maintenance fixes.
- Fix CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or
SET OF elements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/libtasn1 | 2 +-
lfs/libtasn1 | 10 +++++-----
make.sh | 2 +-
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/config/rootfiles/common/libtasn1 b/config/rootfiles/common/libtasn1
index 87fd4ce5f..fad23cf03 100644
--- a/config/rootfiles/common/libtasn1
+++ b/config/rootfiles/common/libtasn1
@@ -5,7 +5,7 @@
#usr/lib/libtasn1.la
#usr/lib/libtasn1.so
usr/lib/libtasn1.so.6
-usr/lib/libtasn1.so.6.6.3
+usr/lib/libtasn1.so.6.6.4
#usr/lib/pkgconfig/libtasn1.pc
#usr/share/info/libtasn1.info
#usr/share/man/man1/asn1Coding.1
diff --git a/lfs/libtasn1 b/lfs/libtasn1
index 86c436306..aeb3c8b87 100644
--- a/lfs/libtasn1
+++ b/lfs/libtasn1
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
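Review bot: the new copyright line reads `2007-2024`, but this series is dated 2025 and the other lfs files it touches (lfs/gnutls and the new lfs/libunistring) use `2007-2025`. Bump the end year to 2025 here as well so the three files are consistent.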
@@ -24,7 +24,7 @@
include Config
-VER = 4.19.0
+VER = 4.20.0
THISAPP = libtasn1-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 6e8232590cd87da3bfd9182ed44eccdfbdfcc85e88d8cf19fffdb3d600e04694b77079b95bbd822d2c3fff29458ddae0f0440f9c1c19c711923a2507bd19270f
+$(DL_FILE)_BLAKE2 = 3219b48e691abd7f6f4e32164ab708bc7c29832a2a7669aa03751d4a519dffb78d5a5f94530a3f35cd6516b39400da9e634d7f46245ab934465c305a1d387561
install : $(TARGET)
@@ -74,8 +74,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && ./configure \
- --prefix=/usr \
- --disable-static
+ --prefix=/usr \
+ --disable-static
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
@rm -rf $(DIR_APP)
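Review bot: the removed and re-added configure arguments (`--prefix=/usr \` and `--disable-static`) carry the same text on both sides, so this hunk appears to be an indentation-only change that the commit message does not mention. For a patch whose purpose is a CVE fix, either note the whitespace cleanup in the commit message or leave these lines alone so the diff shows only the version, checksum and build-order changes.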
diff --git a/make.sh b/make.sh
index 486937997..8bf452c37 100755
--- a/make.sh
+++ b/make.sh
@@ -1535,6 +1535,7 @@ build_system() {
lfsmake2 apr
lfsmake2 aprutil
lfsmake2 unbound
+ lfsmake2 libtasn1
lfsmake2 gnutls
lfsmake2 libuv
lfsmake2 liburcu
@@ -1665,7 +1666,6 @@ build_system() {
lfsmake2 mandoc
lfsmake2 efivar
lfsmake2 efibootmgr
- lfsmake2 libtasn1
lfsmake2 p11-kit
lfsmake2 ca-certificates
lfsmake2 fireinfo
--
2.50.0
* [PATCH 3/6] libunistring: New package to replace bundled version in gnutls
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/libunistring | 53 ++++++++++++++++++
lfs/libunistring | 82 ++++++++++++++++++++++++++++
make.sh | 1 +
3 files changed, 136 insertions(+)
create mode 100644 config/rootfiles/common/libunistring
create mode 100644 lfs/libunistring
diff --git a/config/rootfiles/common/libunistring b/config/rootfiles/common/libunistring
new file mode 100644
index 000000000..0811a695d
--- /dev/null
+++ b/config/rootfiles/common/libunistring
@@ -0,0 +1,53 @@
+#usr/include/unicase.h
+#usr/include/uniconv.h
+#usr/include/unictype.h
+#usr/include/unigbrk.h
+#usr/include/unilbrk.h
+#usr/include/unimetadata.h
+#usr/include/uniname.h
+#usr/include/uninorm.h
+#usr/include/unistdio.h
+#usr/include/unistr.h
+#usr/include/unistring
+#usr/include/unistring/cdefs.h
+#usr/include/unistring/iconveh.h
+#usr/include/unistring/inline.h
+#usr/include/unistring/localcharset.h
+#usr/include/unistring/stdint.h
+#usr/include/unistring/version.h
+#usr/include/unistring/woe32dll.h
+#usr/include/unitypes.h
+#usr/include/uniwbrk.h
+#usr/include/uniwidth.h
+#usr/lib/libunistring.la
+#usr/lib/libunistring.so
+usr/lib/libunistring.so.5
+usr/lib/libunistring.so.5.2.0
+#usr/share/doc/libunistring
+#usr/share/doc/libunistring/libunistring_1.html
+#usr/share/doc/libunistring/libunistring_10.html
+#usr/share/doc/libunistring/libunistring_11.html
+#usr/share/doc/libunistring/libunistring_12.html
+#usr/share/doc/libunistring/libunistring_13.html
+#usr/share/doc/libunistring/libunistring_14.html
+#usr/share/doc/libunistring/libunistring_15.html
+#usr/share/doc/libunistring/libunistring_16.html
+#usr/share/doc/libunistring/libunistring_17.html
+#usr/share/doc/libunistring/libunistring_18.html
+#usr/share/doc/libunistring/libunistring_19.html
+#usr/share/doc/libunistring/libunistring_2.html
+#usr/share/doc/libunistring/libunistring_20.html
+#usr/share/doc/libunistring/libunistring_21.html
+#usr/share/doc/libunistring/libunistring_22.html
+#usr/share/doc/libunistring/libunistring_23.html
+#usr/share/doc/libunistring/libunistring_3.html
+#usr/share/doc/libunistring/libunistring_4.html
+#usr/share/doc/libunistring/libunistring_5.html
+#usr/share/doc/libunistring/libunistring_6.html
+#usr/share/doc/libunistring/libunistring_7.html
+#usr/share/doc/libunistring/libunistring_8.html
+#usr/share/doc/libunistring/libunistring_9.html
+#usr/share/doc/libunistring/libunistring_abt.html
+#usr/share/doc/libunistring/libunistring_fot.html
+#usr/share/doc/libunistring/libunistring_toc.html
+#usr/share/info/libunistring.info
diff --git a/lfs/libunistring b/lfs/libunistring
new file mode 100644
index 000000000..1ea398d39
--- /dev/null
+++ b/lfs/libunistring
@@ -0,0 +1,82 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 1.3
+
+THISAPP = libunistring-$(VER)
+DL_FILE = $(THISAPP).tar.xz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+CFLAGS += -fcommon
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_BLAKE2 = 213d24ea4ba5e960a030bd83fc1b6c9d9a5e33d63ade8874e2a15d1b7a0acbe4b2d03df18065f6c17f01bfed94f7e70ef474e713f5c5ad2375cf2438457b0379
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+b2 : $(subst %,%_BLAKE2,$(objects))
+
+###############################################################################
+# Downloading, checking, b2sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_BLAKE2,$(objects)) :
+ @$(B2SUM)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ $(UPDATE_AUTOMAKE)
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --disable-static
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
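Review bot: `CFLAGS += -fcommon` in the Definitions section has no comment, and the commit message for this patch has no body at all, so there is nothing that says why the flag is needed. If libunistring 1.3 builds without it, drop the line; otherwise add a one-line comment giving the reason. A short commit message stating the version being added (1.3) and that the package replaces the copy previously bundled in gnutls would also help anyone auditing where this library came from.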
diff --git a/make.sh b/make.sh
index 8bf452c37..1bcb4f42c 100755
--- a/make.sh
+++ b/make.sh
@@ -1536,6 +1536,7 @@ build_system() {
lfsmake2 aprutil
lfsmake2 unbound
lfsmake2 libtasn1
+ lfsmake2 libunistring
lfsmake2 gnutls
lfsmake2 libuv
lfsmake2 liburcu
--
2.50.0
* [PATCH 4/6] core197: Ship gnutls
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/core/197/filelists/gnutls | 1 +
1 file changed, 1 insertion(+)
create mode 120000 config/rootfiles/core/197/filelists/gnutls
diff --git a/config/rootfiles/core/197/filelists/gnutls b/config/rootfiles/core/197/filelists/gnutls
new file mode 120000
index 000000000..8dbe60bc3
--- /dev/null
+++ b/config/rootfiles/core/197/filelists/gnutls
@@ -0,0 +1 @@
+../../../common/gnutls
\ No newline at end of file
--
2.50.0
* [PATCH 5/6] core197: Ship libtasn1
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/core/197/filelists/libtasn1 | 1 +
1 file changed, 1 insertion(+)
create mode 120000 config/rootfiles/core/197/filelists/libtasn1
diff --git a/config/rootfiles/core/197/filelists/libtasn1 b/config/rootfiles/core/197/filelists/libtasn1
new file mode 120000
index 000000000..b6297f1fe
--- /dev/null
+++ b/config/rootfiles/core/197/filelists/libtasn1
@@ -0,0 +1 @@
+../../../common/libtasn1
\ No newline at end of file
--
2.50.0
* [PATCH 6/6] core197: Ship libunistring
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/core/197/filelists/libunistring | 1 +
1 file changed, 1 insertion(+)
create mode 120000 config/rootfiles/core/197/filelists/libunistring
diff --git a/config/rootfiles/core/197/filelists/libunistring b/config/rootfiles/core/197/filelists/libunistring
new file mode 120000
index 000000000..9a892f438
--- /dev/null
+++ b/config/rootfiles/core/197/filelists/libunistring
@@ -0,0 +1 @@
+../../../common/libunistring
\ No newline at end of file
--
2.50.0