[PATCH 1/6] gnutls: Update to version 3.8.9

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

* [PATCH 1/6] gnutls: Update to version 3.8.9
@ 2025-07-04 16:32 Adolf Belka
  2025-07-04 16:33 ` [PATCH 2/6] libtasn1: Update to version 4.20.0 & move before gnutls Adolf Belka
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Adolf Belka @ 2025-07-04 16:32 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

- Update from version 3.8.8 to 3.8.9
- Update of rootfile
- I found that gnutls was using its own bundled versions of libtasn1 and libunistring
   and that there had been some CVE's with libtasn1  which were then fixed later in the
   gnutls bundled version together with some fixes in the gnutls code. So this patch,
   as well updating the version has also removed the options to use the included
   versions of the libtasn1 and libunistring libraries. libtasn1 was already in IPFire
   and just needed to be moved to before gnutls. libunistring had to be added in.
- The disable-guile option was removed as the guile bindings were removed in
   gnutls-3.8.0 and the option is no longer recognised.
- Changelog
    3.8.9
	** libgnutls: leancrypto was added as an interim option for PQC
	   The library can now be built with leancrypto instead of liboqs for
	   post-quantum cryptography (PQC), when configured with
	   --with-leancrypto option instead of --with-liboqs.
	** libgnutls: Experimental support for ML-DSA signature algorithm
	   The library and certtool now support ML-DSA signature algorithm as
	   defined in FIPS 204 and based on
	   draft-ietf-lamps-dilithium-certificates-04. This feature is
	   currently marked as experimental and can only be enabled when
	   compiled with --with-leancrypto or --with-liboqs.
	   Contributed by David Dudas.
	** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
	   The support for ML-KEM post-quantum key encapsulation mechanisms
	   has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
	   MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
	   draft-kwiatkowski-tls-ecdhe-mlkem-03.
	** libgnutls: Fix potential DoS in handling certificates with numerous name
	   constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
	   bundled copy of libtasn1 has also been updated to the latest 4.20.0
	   release to complete the fix.  Reported by Bing Shi (#1553).
	   [GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]
	** API and ABI modifications:
	   GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
	   GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
	   GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
	   GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
	   GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
	   GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/gnutls | 2 +-
 lfs/gnutls                     | 8 +++-----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
index 4f496435f..824631734 100644
--- a/config/rootfiles/common/gnutls
+++ b/config/rootfiles/common/gnutls
@@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1
 #usr/lib/libgnutls.la
 #usr/lib/libgnutls.so
 usr/lib/libgnutls.so.30
-usr/lib/libgnutls.so.30.40.2
+usr/lib/libgnutls.so.30.40.3
 #usr/lib/libgnutlsxx.la
 #usr/lib/libgnutlsxx.so
 usr/lib/libgnutlsxx.so.30
diff --git a/lfs/gnutls b/lfs/gnutls
index ad8269338..cc5b255fb 100644
--- a/lfs/gnutls
+++ b/lfs/gnutls
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.8.8
+VER        = 3.8.9
 
 THISAPP    = gnutls-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = d1498b0b9f14789599fd5b984d5370b632611f2702e9f4fc504ddba2a3e0dd4137bec858eb6150d031f9f50e6b3a3a7d905864f0a9f50a1f01e5ea8f37a44ba8
+$(DL_FILE)_BLAKE2 = 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7
 
 install : $(TARGET)
 
@@ -73,8 +73,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && \
 		./configure \
 			--prefix=/usr \
-			--with-included-libtasn1 \
-			--with-included-unistring \
 			--without-p11-kit \
 			--disable-openssl-compatibility \
 			--disable-guile
-- 
2.50.0



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 2/6] libtasn1: Update to version 4.20.0 & move before gnutls
  2025-07-04 16:32 [PATCH 1/6] gnutls: Update to version 3.8.9 Adolf Belka
@ 2025-07-04 16:33 ` Adolf Belka
  2025-07-04 16:33 ` [PATCH 3/6] libunistring: New package to replace bundled version in gnutls Adolf Belka
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

- Update from version 4.19.0 to 4.20.0
- Update of rootfile
- Move earlier in make.sh so that the library can be used by gnutls in place of the
   gnutls bundled version.
- Fix for a CVE
- Changelog
    4.20.0
	- The release tarball is now reproducible.
	- We publish a minimal source-only tarball generated by 'git archive'.
	- Update gnulib files and various build/maintenance fixes.
	- Fix CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or
	  SET OF elements

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/libtasn1 |  2 +-
 lfs/libtasn1                     | 10 +++++-----
 make.sh                          |  2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/config/rootfiles/common/libtasn1 b/config/rootfiles/common/libtasn1
index 87fd4ce5f..fad23cf03 100644
--- a/config/rootfiles/common/libtasn1
+++ b/config/rootfiles/common/libtasn1
@@ -5,7 +5,7 @@
 #usr/lib/libtasn1.la
 #usr/lib/libtasn1.so
 usr/lib/libtasn1.so.6
-usr/lib/libtasn1.so.6.6.3
+usr/lib/libtasn1.so.6.6.4
 #usr/lib/pkgconfig/libtasn1.pc
 #usr/share/info/libtasn1.info
 #usr/share/man/man1/asn1Coding.1
diff --git a/lfs/libtasn1 b/lfs/libtasn1
index 86c436306..aeb3c8b87 100644
--- a/lfs/libtasn1
+++ b/lfs/libtasn1
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 4.19.0
+VER        = 4.20.0
 
 THISAPP    = libtasn1-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -42,7 +42,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 6e8232590cd87da3bfd9182ed44eccdfbdfcc85e88d8cf19fffdb3d600e04694b77079b95bbd822d2c3fff29458ddae0f0440f9c1c19c711923a2507bd19270f
+$(DL_FILE)_BLAKE2 = 3219b48e691abd7f6f4e32164ab708bc7c29832a2a7669aa03751d4a519dffb78d5a5f94530a3f35cd6516b39400da9e634d7f46245ab934465c305a1d387561
 
 install : $(TARGET)
 
@@ -74,8 +74,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 	$(UPDATE_AUTOMAKE)
 	cd $(DIR_APP) && ./configure \
-	                --prefix=/usr \
-	                --disable-static
+	                	--prefix=/usr \
+	                	--disable-static
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 	@rm -rf $(DIR_APP)
diff --git a/make.sh b/make.sh
index 486937997..8bf452c37 100755
--- a/make.sh
+++ b/make.sh
@@ -1535,6 +1535,7 @@ build_system() {
 	lfsmake2 apr
 	lfsmake2 aprutil
 	lfsmake2 unbound
+	lfsmake2 libtasn1
 	lfsmake2 gnutls
 	lfsmake2 libuv
 	lfsmake2 liburcu
@@ -1665,7 +1666,6 @@ build_system() {
 	lfsmake2 mandoc
 	lfsmake2 efivar
 	lfsmake2 efibootmgr
-	lfsmake2 libtasn1
 	lfsmake2 p11-kit
 	lfsmake2 ca-certificates
 	lfsmake2 fireinfo
-- 
2.50.0



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 3/6] libunistring: New package to replace bundled version in gnutls
  2025-07-04 16:32 [PATCH 1/6] gnutls: Update to version 3.8.9 Adolf Belka
  2025-07-04 16:33 ` [PATCH 2/6] libtasn1: Update to version 4.20.0 & move before gnutls Adolf Belka
@ 2025-07-04 16:33 ` Adolf Belka
  2025-07-04 16:33 ` [PATCH 4/6] core197: Ship gnutls Adolf Belka
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/libunistring | 53 ++++++++++++++++++
 lfs/libunistring                     | 82 ++++++++++++++++++++++++++++
 make.sh                              |  1 +
 3 files changed, 136 insertions(+)
 create mode 100644 config/rootfiles/common/libunistring
 create mode 100644 lfs/libunistring

diff --git a/config/rootfiles/common/libunistring b/config/rootfiles/common/libunistring
new file mode 100644
index 000000000..0811a695d
--- /dev/null
+++ b/config/rootfiles/common/libunistring
@@ -0,0 +1,53 @@
+#usr/include/unicase.h
+#usr/include/uniconv.h
+#usr/include/unictype.h
+#usr/include/unigbrk.h
+#usr/include/unilbrk.h
+#usr/include/unimetadata.h
+#usr/include/uniname.h
+#usr/include/uninorm.h
+#usr/include/unistdio.h
+#usr/include/unistr.h
+#usr/include/unistring
+#usr/include/unistring/cdefs.h
+#usr/include/unistring/iconveh.h
+#usr/include/unistring/inline.h
+#usr/include/unistring/localcharset.h
+#usr/include/unistring/stdint.h
+#usr/include/unistring/version.h
+#usr/include/unistring/woe32dll.h
+#usr/include/unitypes.h
+#usr/include/uniwbrk.h
+#usr/include/uniwidth.h
+#usr/lib/libunistring.la
+#usr/lib/libunistring.so
+usr/lib/libunistring.so.5
+usr/lib/libunistring.so.5.2.0
+#usr/share/doc/libunistring
+#usr/share/doc/libunistring/libunistring_1.html
+#usr/share/doc/libunistring/libunistring_10.html
+#usr/share/doc/libunistring/libunistring_11.html
+#usr/share/doc/libunistring/libunistring_12.html
+#usr/share/doc/libunistring/libunistring_13.html
+#usr/share/doc/libunistring/libunistring_14.html
+#usr/share/doc/libunistring/libunistring_15.html
+#usr/share/doc/libunistring/libunistring_16.html
+#usr/share/doc/libunistring/libunistring_17.html
+#usr/share/doc/libunistring/libunistring_18.html
+#usr/share/doc/libunistring/libunistring_19.html
+#usr/share/doc/libunistring/libunistring_2.html
+#usr/share/doc/libunistring/libunistring_20.html
+#usr/share/doc/libunistring/libunistring_21.html
+#usr/share/doc/libunistring/libunistring_22.html
+#usr/share/doc/libunistring/libunistring_23.html
+#usr/share/doc/libunistring/libunistring_3.html
+#usr/share/doc/libunistring/libunistring_4.html
+#usr/share/doc/libunistring/libunistring_5.html
+#usr/share/doc/libunistring/libunistring_6.html
+#usr/share/doc/libunistring/libunistring_7.html
+#usr/share/doc/libunistring/libunistring_8.html
+#usr/share/doc/libunistring/libunistring_9.html
+#usr/share/doc/libunistring/libunistring_abt.html
+#usr/share/doc/libunistring/libunistring_fot.html
+#usr/share/doc/libunistring/libunistring_toc.html
+#usr/share/info/libunistring.info
diff --git a/lfs/libunistring b/lfs/libunistring
new file mode 100644
index 000000000..1ea398d39
--- /dev/null
+++ b/lfs/libunistring
@@ -0,0 +1,82 @@
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER        = 1.3
+
+THISAPP    = libunistring-$(VER)
+DL_FILE    = $(THISAPP).tar.xz
+DL_FROM    = $(URL_IPFIRE)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
+TARGET     = $(DIR_INFO)/$(THISAPP)
+
+CFLAGS    += -fcommon
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_BLAKE2 = 213d24ea4ba5e960a030bd83fc1b6c9d9a5e33d63ade8874e2a15d1b7a0acbe4b2d03df18065f6c17f01bfed94f7e70ef474e713f5c5ad2375cf2438457b0379
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+b2 : $(subst %,%_BLAKE2,$(objects))
+
+###############################################################################
+# Downloading, checking, b2sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+	@$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+	@$(LOAD)
+
+$(subst %,%_BLAKE2,$(objects)) :
+	@$(B2SUM)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+	@$(PREBUILD)
+	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+	$(UPDATE_AUTOMAKE)
+	cd $(DIR_APP) && ./configure \
+	                	--prefix=/usr \
+	                	--disable-static
+	cd $(DIR_APP) && make $(MAKETUNING)
+	cd $(DIR_APP) && make install
+	@rm -rf $(DIR_APP)
+	@$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 8bf452c37..1bcb4f42c 100755
--- a/make.sh
+++ b/make.sh
@@ -1536,6 +1536,7 @@ build_system() {
 	lfsmake2 aprutil
 	lfsmake2 unbound
 	lfsmake2 libtasn1
+	lfsmake2 libunistring
 	lfsmake2 gnutls
 	lfsmake2 libuv
 	lfsmake2 liburcu
-- 
2.50.0



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 4/6] core197: Ship gnutls
  2025-07-04 16:32 [PATCH 1/6] gnutls: Update to version 3.8.9 Adolf Belka
  2025-07-04 16:33 ` [PATCH 2/6] libtasn1: Update to version 4.20.0 & move before gnutls Adolf Belka
  2025-07-04 16:33 ` [PATCH 3/6] libunistring: New package to replace bundled version in gnutls Adolf Belka
@ 2025-07-04 16:33 ` Adolf Belka
  2025-07-04 16:33 ` [PATCH 5/6] core197: Ship libtasn1 Adolf Belka
  2025-07-04 16:33 ` [PATCH 6/6] core197: Ship libunistring Adolf Belka
  4 siblings, 0 replies; 6+ messages in thread
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/core/197/filelists/gnutls | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/197/filelists/gnutls

diff --git a/config/rootfiles/core/197/filelists/gnutls b/config/rootfiles/core/197/filelists/gnutls
new file mode 120000
index 000000000..8dbe60bc3
--- /dev/null
+++ b/config/rootfiles/core/197/filelists/gnutls
@@ -0,0 +1 @@
+../../../common/gnutls
\ No newline at end of file
-- 
2.50.0



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 5/6] core197: Ship libtasn1
  2025-07-04 16:32 [PATCH 1/6] gnutls: Update to version 3.8.9 Adolf Belka
                   ` (2 preceding siblings ...)
  2025-07-04 16:33 ` [PATCH 4/6] core197: Ship gnutls Adolf Belka
@ 2025-07-04 16:33 ` Adolf Belka
  2025-07-04 16:33 ` [PATCH 6/6] core197: Ship libunistring Adolf Belka
  4 siblings, 0 replies; 6+ messages in thread
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/core/197/filelists/libtasn1 | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/197/filelists/libtasn1

diff --git a/config/rootfiles/core/197/filelists/libtasn1 b/config/rootfiles/core/197/filelists/libtasn1
new file mode 120000
index 000000000..b6297f1fe
--- /dev/null
+++ b/config/rootfiles/core/197/filelists/libtasn1
@@ -0,0 +1 @@
+../../../common/libtasn1
\ No newline at end of file
-- 
2.50.0



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 6/6] core197: Ship libunistring
  2025-07-04 16:32 [PATCH 1/6] gnutls: Update to version 3.8.9 Adolf Belka
                   ` (3 preceding siblings ...)
  2025-07-04 16:33 ` [PATCH 5/6] core197: Ship libtasn1 Adolf Belka
@ 2025-07-04 16:33 ` Adolf Belka
  4 siblings, 0 replies; 6+ messages in thread
From: Adolf Belka @ 2025-07-04 16:33 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/core/197/filelists/libunistring | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/197/filelists/libunistring

diff --git a/config/rootfiles/core/197/filelists/libunistring b/config/rootfiles/core/197/filelists/libunistring
new file mode 120000
index 000000000..9a892f438
--- /dev/null
+++ b/config/rootfiles/core/197/filelists/libunistring
@@ -0,0 +1 @@
+../../../common/libunistring
\ No newline at end of file
-- 
2.50.0



^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2025-07-04 16:33 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-07-04 16:32 [PATCH 1/6] gnutls: Update to version 3.8.9 Adolf Belka
2025-07-04 16:33 ` [PATCH 2/6] libtasn1: Update to version 4.20.0 & move before gnutls Adolf Belka
2025-07-04 16:33 ` [PATCH 3/6] libunistring: New package to replace bundled version in gnutls Adolf Belka
2025-07-04 16:33 ` [PATCH 4/6] core197: Ship gnutls Adolf Belka
2025-07-04 16:33 ` [PATCH 5/6] core197: Ship libtasn1 Adolf Belka
2025-07-04 16:33 ` [PATCH 6/6] core197: Ship libunistring Adolf Belka

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox