From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH] gnutls: Update to version 3.8.11
Date: Mon, 1 Dec 2025 17:11:07 +0100 [thread overview]
Message-ID: <20251201161107.23245-2-adolf.belka@ipfire.org> (raw)
In-Reply-To: <20251201161107.23245-1-adolf.belka@ipfire.org>
- Update from version 3.8.10 to 3.8.11
- Update of rootfile
- One CVE fix
- Changelog
3.8.11
libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18,
CVSS: low] [CVE-2025-9820]
libgnutls: MAC algorithms for PSK binders are now configurable
The previous implementation assumed HMAC-SHA256 to calculate the
PSK binders. With the new gnutls_psk_allocate_client_credentials2()
and gnutls_psk_allocate_server_credentials2() functions, the
application can use other MAC algorithms such as HMAC-SHA384.
libgnutls: Expose a new function to provide the maximum record send size
A new function gnutls_record_get_max_send_size() has been added to
determine the maximum size of a TLS record to be sent to the peer.
libgnutls: Expose a new function to update keys without sending a KeyUpdate
to the peer. A new function gnutls_handshake_update_receiving_key()
has been added to allow updating the local receiving key without
sending any KeyUpdate messages.
libgnutls: PKCS#11 cryptographic provider configuration takes a token URI
instead of a module path. To allow using a PKCS#11 module exposing
multiple tokens, the "path" configuration keyword was replaced with
the "url" keyword.
libgnutls: Support crypto-auditing probe points
crypto-auditing is a project to monitor which cryptographic
operations are taking place in the library at run time, through
eBPF. This adds necessary probe points for that, in public key
cryptography and the TLS use-case. To enable this, run configure
with --enable-crypto-auditing.
build: The minimum version of Nettle has been updated to 3.10
Given Nettle 3.10 is ABI compatible with 3.6 and includes several
security relevant fixes, the library's minimum requirement of
Nettle is updated to 3.10.
build: The default priority file path is now constructed from sysconfdir
Previously, the location of the default priority file was
hard-coded to be /etc/gnutls/config. Now it takes into account
the --sysconfdir option given to the configure script.
API and ABI modifications:
gnutls_psk_allocate_client_credentials2: New function
gnutls_psk_allocate_server_credentials2: New function
gnutls_record_get_max_send_size: New function
gnutls_handshake_update_receiving_key: New function
gnutls_audit_push_context: New function
gnutls_audit_pop_context: New function
gnutls_audit_current_context: New function
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/gnutls | 9 ++++++++-
lfs/gnutls | 4 ++--
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
index e86384325..52c3b6764 100644
--- a/config/rootfiles/common/gnutls
+++ b/config/rootfiles/common/gnutls
@@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1
#usr/lib/libgnutls.la
#usr/lib/libgnutls.so
usr/lib/libgnutls.so.30
-usr/lib/libgnutls.so.30.40.4
+usr/lib/libgnutls.so.30.41.0
#usr/lib/libgnutlsxx.la
#usr/lib/libgnutlsxx.so
usr/lib/libgnutlsxx.so.30
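Review bot: the libtool version bump from libgnutls.so.30.40.4 to libgnutls.so.30.41.0 is consistent with an API-adding minor release (seven new functions are listed in the commit message) while the soname libgnutls.so.30 stays unchanged, so packages linked against the soname keep working without a rebuild; the one thing left to confirm is that the old libgnutls.so.30.40.4 file is actually removed from the image rather than left behind next to the new one.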
@@ -143,6 +143,9 @@ usr/lib/libgnutlsxx.so.30.0.0
#usr/share/man/man3/gnutls_anti_replay_set_add_function.3
#usr/share/man/man3/gnutls_anti_replay_set_ptr.3
#usr/share/man/man3/gnutls_anti_replay_set_window.3
+#usr/share/man/man3/gnutls_audit_current_context.3
+#usr/share/man/man3/gnutls_audit_pop_context.3
+#usr/share/man/man3/gnutls_audit_push_context.3
#usr/share/man/man3/gnutls_auth_client_get_type.3
#usr/share/man/man3/gnutls_auth_get_type.3
#usr/share/man/man3/gnutls_auth_server_get_type.3
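Review bot: the three gnutls_audit_*_context man pages added here belong to the crypto-auditing feature, which the changelog says is only enabled by running configure with --enable-crypto-auditing; the entries are commented out, so nothing is shipped, but if lfs/gnutls does not pass that flag it is worth confirming the build still generates these man pages, otherwise the rootfile will list files that do not exist.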
@@ -360,6 +363,7 @@ usr/lib/libgnutlsxx.so.30.0.0
#usr/share/man/man3/gnutls_handshake_set_read_function.3
#usr/share/man/man3/gnutls_handshake_set_secret_function.3
#usr/share/man/man3/gnutls_handshake_set_timeout.3
+#usr/share/man/man3/gnutls_handshake_update_receiving_key.3
#usr/share/man/man3/gnutls_handshake_write.3
#usr/share/man/man3/gnutls_hash.3
#usr/share/man/man3/gnutls_hash_copy.3
@@ -684,7 +688,9 @@ usr/lib/libgnutlsxx.so.30.0.0
#usr/share/man/man3/gnutls_protocol_list.3
#usr/share/man/man3/gnutls_protocol_set_enabled.3
#usr/share/man/man3/gnutls_psk_allocate_client_credentials.3
+#usr/share/man/man3/gnutls_psk_allocate_client_credentials2.3
#usr/share/man/man3/gnutls_psk_allocate_server_credentials.3
+#usr/share/man/man3/gnutls_psk_allocate_server_credentials2.3
#usr/share/man/man3/gnutls_psk_client_get_hint.3
#usr/share/man/man3/gnutls_psk_format_imported_identity.3
#usr/share/man/man3/gnutls_psk_free_client_credentials.3
@@ -761,6 +767,7 @@ usr/lib/libgnutlsxx.so.30.0.0
#usr/share/man/man3/gnutls_record_get_direction.3
#usr/share/man/man3/gnutls_record_get_discarded.3
#usr/share/man/man3/gnutls_record_get_max_early_data_size.3
+#usr/share/man/man3/gnutls_record_get_max_send_size.3
#usr/share/man/man3/gnutls_record_get_max_size.3
#usr/share/man/man3/gnutls_record_get_state.3
#usr/share/man/man3/gnutls_record_overhead_size.3
diff --git a/lfs/gnutls b/lfs/gnutls
index 25920dfe7..15d0362dd 100644
--- a/lfs/gnutls
+++ b/lfs/gnutls
@@ -24,7 +24,7 @@
include Config
-VER = 3.8.10
+VER = 3.8.11
THISAPP = gnutls-$(VER)
DL_FILE = $(THISAPP).tar.xz
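Review bot: the VER bump to 3.8.11 matches the subject and the changelog, but the changelog also raises the minimum Nettle requirement to 3.10; the commit message would be more complete if it stated which Nettle version the tree currently ships, or that the build was tested against it, so the new dependency floor is visibly satisfied.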
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 0b62e93b2818d2265ca11e561724547fa3c24d08986eb77ea743b4af52773db975c1859164c7d405d9a9bedfa981af58f10f85100b6c0e3542a38c49af407a4d
+$(DL_FILE)_BLAKE2 = 54ec3fb396187294ae59c65fa92a515175d8ab19d9f5656569b372b5764b3090724aaa8cedd9467b530f2c74e86a6bfd956d3bd9439a7b69656dcc24e303cbe6
install : $(TARGET)
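Review bot: the BLAKE2 digest changes together with the tarball as expected, but the commit message does not say how the new value was obtained; a short note that the 3.8.11 tarball was verified against the upstream GnuTLS signature before the digest was taken would let a reviewer trust the hash without refetching and recomputing it.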
--
2.52.0
Thread overview: 2+ messages
2025-12-01 16:11 [PATCH] core200: Ship gnutls Adolf Belka
2025-12-01 16:11 ` Adolf Belka [this message]