From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <development+bounces-742-archive=lists.ipfire.org@lists.ipfire.org>
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4bmD3X1MCFz37FQ
	for <archive@lists.ipfire.org>; Mon, 21 Jul 2025 21:26:16 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature RSA-PSS (4096 bits))
	(Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4bmD3S4RRQz34Kb
	for <development@lists.ipfire.org>; Mon, 21 Jul 2025 21:26:12 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4bmD3P4LM0z5H4;
	Mon, 21 Jul 2025 21:26:09 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1753133169;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=2+8/08yh6JIkfc4zLxnIu1e8A1bnVaUXY1chyilmAN8=;
	b=YRGSRHRFx0Nyu0ts4Xqi1D+76YRk2ryHPBxt/PP3i3fzSBptSOFwrkSeHDKvCXTTXJkhys
	3j9M3ESJ9nwWQCDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa;
	t=1753133169;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=2+8/08yh6JIkfc4zLxnIu1e8A1bnVaUXY1chyilmAN8=;
	b=YER2CodpSnA1IUGSD1TvQhWCVhTculBU+XmQOeenXG1dKX0QCWUM5EDU80HseW9EG3cL0k
	YfNV2KGy9oeYcncU2YHxCUXPimyanNqSWUrVcmxCPHo8fkYdzy76jWVFlhEFlOiFEl/ViV
	khBx8vb71E5FTQf6bS7PcmGQjeD0d4DkIEoU9z0qsp7jHvPZ0o2RkwfNtybAHUv15Xe77t
	6IwC4lz3ayQc5S3b5ynIqA5mX/oVR9n7ZgrmIEziiSDMUjpvAF3eaZBg+mPhpXm2hacfZy
	NjlKT4utoe6YQWYOcS1+J7QUiFXIUML8BAb3ngaqQGd9Z00lNVx86W272KYh7Q==
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH] gnutls: Update to version 3.8.10
Date: Mon, 21 Jul 2025 23:25:59 +0200
Message-ID: <20250721212601.3400729-11-adolf.belka@ipfire.org>
In-Reply-To: <20250721212601.3400729-1-adolf.belka@ipfire.org>
References: <20250721212601.3400729-1-adolf.belka@ipfire.org>
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update from version 3.8.9 to 3.8.10
- Update of rootfile
- 4 CVE fixes in this version
- Changelog
    3.8.10
	** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
	   Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
	   [CVE-2025-6395]
	** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
	   Spotted by oss-fuzz and reported by OpenAI Security Research Team,
	   and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
	   CVSS: medium] [CVE-2025-32989]
	** libgnutls: Fix double-free upon error when exporting otherName in SAN
	   Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
	   CVSS: low] [CVE-2025-32988]
	** certtool: Fix 1-byte write buffer overrun when parsing template
	   Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
	   CVSS: low] [CVE-2025-32990]
	** libgnutls: PKCS#11 modules can now be used to override the default
	   cryptographic backend. Use the [provider] section in the system-wide config
	   to specify path and pin to the module (see system-wide config Documentation).
	** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update
	   support. The library running on the aforementioned version now utilizes the
	   kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
	   TLS session. The --enable-ktls configure option as well as the system-wide
	   kTLS configuration(see GnuTLS Documentation) are still required to enable
	   this feature.
	** libgnutls: liboqs support for PQC has been removed
	   For maintenance purposes, support for post-quantum cryptography
	   (PQC) is now only provided through leancrypto. The experimental key
	   exchange algorithm, X25519Kyber768Draft00, which is based on the
	   round 3 candidate of Kyber and only supported through liboqs has
	   also been removed altogether.
	** libgnutls: TLS certificate compression methods can now be set with
	   cert-compression-alg configuration option in the gnutls priority file.
	** libgnutls: All variants of ML-DSA private key formats are supported
	   While the previous implementation of ML-DSA was based on
	   draft-ietf-lamps-dilithium-certificates-04, this updates it to
	   draft-ietf-lamps-dilithium-certificates-12 with support for all 3
	   variants of private key formats: "seed", "expandedKey", and "both".
	** libgnutls: ML-DSA signatures can now be used in TLS
	   The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
	   ML-DSA-87, can now be used to digitally sign TLS handshake
	   messages.
	** API and ABI modifications:
	   GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
	   GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/gnutls | 2 +-
 lfs/gnutls                     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
index 824631734..e86384325 100644
--- a/config/rootfiles/common/gnutls
+++ b/config/rootfiles/common/gnutls
@@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1
 #usr/lib/libgnutls.la
 #usr/lib/libgnutls.so
 usr/lib/libgnutls.so.30
-usr/lib/libgnutls.so.30.40.3
+usr/lib/libgnutls.so.30.40.4
 #usr/lib/libgnutlsxx.la
 #usr/lib/libgnutlsxx.so
 usr/lib/libgnutlsxx.so.30
diff --git a/lfs/gnutls b/lfs/gnutls
index cc5b255fb..25920dfe7 100644
--- a/lfs/gnutls
+++ b/lfs/gnutls
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.8.9
+VER        = 3.8.10
 
 THISAPP    = gnutls-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7
+$(DL_FILE)_BLAKE2 = 0b62e93b2818d2265ca11e561724547fa3c24d08986eb77ea743b4af52773db975c1859164c7d405d9a9bedfa981af58f10f85100b6c0e3542a38c49af407a4d
 
 install : $(TARGET)
 
-- 
2.50.1