From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] gnutls: Update to 3.6.14
Date: Thu, 11 Jun 2020 13:15:17 +0100 [thread overview]
Message-ID: <D2DFB260-473F-46F5-9DB2-0950E08420D8@ipfire.org> (raw)
In-Reply-To: <cb75545d-28e5-b477-c7ed-0e5074e18ece@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 12533 bytes --]
Hi,
> On 11 Jun 2020, at 11:09, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> Hi,
>
> On 11.06.2020 10:44, Michael Tremer wrote:
>> Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>
>> Looks good.
>>
>> Did you check if there is a new version of gcrypt? That kind of is part of this group, too.
>
> Software is buggy => evil... *sigh* ;-)
>
> I did take a look.
>
> I found:
>
> libgcrypt => 1.8.5
> libgpg-error => 1.38
> libassuan => 2.5.3
> gnupg => 2.2.0
>
> Could you also please take a look at:
>
> https://patchwork.ipfire.org/patch/3196/
>
> or
>
> https://patchwork.ipfire.org/patch/3198/
>
> and
>
> https://patchwork.ipfire.org/patch/3199/
I have received them all. They are also on the list:
https://lists.ipfire.org/pipermail/development/2020-June/007914.html
https://lists.ipfire.org/pipermail/development/2020-June/007913.html
It is just that you might not have received a copy of them because t-online.de is bouncing emails to you all day long. I hope you will read this.
Maybe change to a mailbox hosted on our servers?
-Michael
>
> Somehow these patches (gmp => 6.2.0 + fix for lfs) didn't make it to the
> list. Blacklisted because of URL!?
>
> Best,
> Matthias
>
>> -Michael
>>
>>> On 10 Jun 2020, at 23:08, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>
>>> For details see:
>>> https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html
>>>
>>> "** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
>>> The TLS server would not bind the session ticket encryption key with a
>>> value supplied by the application until the initial key rotation, allowing
>>> attacker to bypass authentication in TLS 1.3 and recover previous
>>> conversations in TLS 1.2 (#1011).
>>> [GNUTLS-SA-2020-06-03, CVSS: high]
>>>
>>> ** libgnutls: Fixed handling of certificate chain with cross-signed
>>> intermediate CA certificates (#1008).
>>>
>>> ** libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
>>>
>>> ** libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
>>> (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
>>> Key Identifier (AKI) properly (#989, #991).
>>>
>>> ** certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
>>>
>>> ** libgnutls: Added several improvements on Windows Vista and later releases
>>> (!1257, !1254, !1256). Most notably the system random number generator now
>>> uses Windows BCrypt* API if available (!1255).
>>>
>>> ** libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
>>> Also both accelerated and non-accelerated implementations check key block
>>> according to FIPS-140-2 IG A.9 (!1233).
>>>
>>> ** libgnutls: Added support for AES-SIV ciphers (#463).
>>>
>>> ** libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
>>>
>>> ** libgnutls: No longer use internal symbols exported from Nettle (!1235)
>>>
>>> ** API and ABI modifications:
>>> GNUTLS_CIPHER_AES_128_SIV: Added
>>> GNUTLS_CIPHER_AES_256_SIV: Added
>>> GNUTLS_CIPHER_AES_192_GCM: Added
>>> gnutls_pkcs7_print_signature_info: Added"
>>>
>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>> ---
>>> config/rootfiles/common/gnutls | 25 ++++++++++++++++++++++++-
>>> lfs/gnutls | 9 ++++-----
>>> 2 files changed, 28 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
>>> index b8adaa9d9..cb7ecf8e5 100644
>>> --- a/config/rootfiles/common/gnutls
>>> +++ b/config/rootfiles/common/gnutls
>>> @@ -33,7 +33,7 @@ usr/lib/libgnutls-dane.so.0.4.1
>>> #usr/lib/libgnutls.la
>>> #usr/lib/libgnutls.so
>>> usr/lib/libgnutls.so.30
>>> -usr/lib/libgnutls.so.30.23.2
>>> +usr/lib/libgnutls.so.30.28.0
>>> #usr/lib/libgnutlsxx.la
>>> #usr/lib/libgnutlsxx.so
>>> usr/lib/libgnutlsxx.so.28
>>> @@ -113,9 +113,11 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/dane_verify_crt_raw.3
>>> #usr/share/man/man3/dane_verify_session_crt.3
>>> #usr/share/man/man3/gnutls_aead_cipher_decrypt.3
>>> +#usr/share/man/man3/gnutls_aead_cipher_decryptv2.3
>>> #usr/share/man/man3/gnutls_aead_cipher_deinit.3
>>> #usr/share/man/man3/gnutls_aead_cipher_encrypt.3
>>> #usr/share/man/man3/gnutls_aead_cipher_encryptv.3
>>> +#usr/share/man/man3/gnutls_aead_cipher_encryptv2.3
>>> #usr/share/man/man3/gnutls_aead_cipher_init.3
>>> #usr/share/man/man3/gnutls_alert_get.3
>>> #usr/share/man/man3/gnutls_alert_get_name.3
>>> @@ -206,6 +208,8 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_certificate_type_get_id.3
>>> #usr/share/man/man3/gnutls_certificate_type_get_name.3
>>> #usr/share/man/man3/gnutls_certificate_type_list.3
>>> +#usr/share/man/man3/gnutls_certificate_verification_profile_get_id.3
>>> +#usr/share/man/man3/gnutls_certificate_verification_profile_get_name.3
>>> #usr/share/man/man3/gnutls_certificate_verification_status_print.3
>>> #usr/share/man/man3/gnutls_certificate_verify_peers.3
>>> #usr/share/man/man3/gnutls_certificate_verify_peers2.3
>>> @@ -271,6 +275,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_dh_params_import_pkcs3.3
>>> #usr/share/man/man3/gnutls_dh_params_import_raw.3
>>> #usr/share/man/man3/gnutls_dh_params_import_raw2.3
>>> +#usr/share/man/man3/gnutls_dh_params_import_raw3.3
>>> #usr/share/man/man3/gnutls_dh_params_init.3
>>> #usr/share/man/man3/gnutls_dh_set_prime_bits.3
>>> #usr/share/man/man3/gnutls_digest_get_id.3
>>> @@ -302,12 +307,14 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_ext_get_current_msg.3
>>> #usr/share/man/man3/gnutls_ext_get_data.3
>>> #usr/share/man/man3/gnutls_ext_get_name.3
>>> +#usr/share/man/man3/gnutls_ext_get_name2.3
>>> #usr/share/man/man3/gnutls_ext_raw_parse.3
>>> #usr/share/man/man3/gnutls_ext_register.3
>>> #usr/share/man/man3/gnutls_ext_set_data.3
>>> #usr/share/man/man3/gnutls_fingerprint.3
>>> #usr/share/man/man3/gnutls_fips140_mode_enabled.3
>>> #usr/share/man/man3/gnutls_fips140_set_mode.3
>>> +#usr/share/man/man3/gnutls_get_system_config_file.3
>>> #usr/share/man/man3/gnutls_global_deinit.3
>>> #usr/share/man/man3/gnutls_global_init.3
>>> #usr/share/man/man3/gnutls_global_set_audit_log_function.3
>>> @@ -333,6 +340,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_handshake_set_random.3
>>> #usr/share/man/man3/gnutls_handshake_set_timeout.3
>>> #usr/share/man/man3/gnutls_hash.3
>>> +#usr/share/man/man3/gnutls_hash_copy.3
>>> #usr/share/man/man3/gnutls_hash_deinit.3
>>> #usr/share/man/man3/gnutls_hash_fast.3
>>> #usr/share/man/man3/gnutls_hash_get_len.3
>>> @@ -349,9 +357,13 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_hex_decode2.3
>>> #usr/share/man/man3/gnutls_hex_encode.3
>>> #usr/share/man/man3/gnutls_hex_encode2.3
>>> +#usr/share/man/man3/gnutls_hkdf_expand.3
>>> +#usr/share/man/man3/gnutls_hkdf_extract.3
>>> #usr/share/man/man3/gnutls_hmac.3
>>> +#usr/share/man/man3/gnutls_hmac_copy.3
>>> #usr/share/man/man3/gnutls_hmac_deinit.3
>>> #usr/share/man/man3/gnutls_hmac_fast.3
>>> +#usr/share/man/man3/gnutls_hmac_get_key_size.3
>>> #usr/share/man/man3/gnutls_hmac_get_len.3
>>> #usr/share/man/man3/gnutls_hmac_init.3
>>> #usr/share/man/man3/gnutls_hmac_output.3
>>> @@ -425,6 +437,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_openpgp_send_cert.3
>>> #usr/share/man/man3/gnutls_packet_deinit.3
>>> #usr/share/man/man3/gnutls_packet_get.3
>>> +#usr/share/man/man3/gnutls_pbkdf2.3
>>> #usr/share/man/man3/gnutls_pcert_deinit.3
>>> #usr/share/man/man3/gnutls_pcert_export_openpgp.3
>>> #usr/share/man/man3/gnutls_pcert_export_x509.3
>>> @@ -557,6 +570,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_pkcs7_import.3
>>> #usr/share/man/man3/gnutls_pkcs7_init.3
>>> #usr/share/man/man3/gnutls_pkcs7_print.3
>>> +#usr/share/man/man3/gnutls_pkcs7_print_signature_info.3
>>> #usr/share/man/man3/gnutls_pkcs7_set_crl.3
>>> #usr/share/man/man3/gnutls_pkcs7_set_crl_raw.3
>>> #usr/share/man/man3/gnutls_pkcs7_set_crt.3
>>> @@ -569,6 +583,8 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_pkcs_schema_get_name.3
>>> #usr/share/man/man3/gnutls_pkcs_schema_get_oid.3
>>> #usr/share/man/man3/gnutls_prf.3
>>> +#usr/share/man/man3/gnutls_prf_early.3
>>> +#usr/share/man/man3/gnutls_prf_hash_get.3
>>> #usr/share/man/man3/gnutls_prf_raw.3
>>> #usr/share/man/man3/gnutls_prf_rfc5705.3
>>> #usr/share/man/man3/gnutls_priority_certificate_type_list.3
>>> @@ -645,11 +661,15 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_psk_free_client_credentials.3
>>> #usr/share/man/man3/gnutls_psk_free_server_credentials.3
>>> #usr/share/man/man3/gnutls_psk_server_get_username.3
>>> +#usr/share/man/man3/gnutls_psk_server_get_username2.3
>>> #usr/share/man/man3/gnutls_psk_set_client_credentials.3
>>> +#usr/share/man/man3/gnutls_psk_set_client_credentials2.3
>>> #usr/share/man/man3/gnutls_psk_set_client_credentials_function.3
>>> +#usr/share/man/man3/gnutls_psk_set_client_credentials_function2.3
>>> #usr/share/man/man3/gnutls_psk_set_params_function.3
>>> #usr/share/man/man3/gnutls_psk_set_server_credentials_file.3
>>> #usr/share/man/man3/gnutls_psk_set_server_credentials_function.3
>>> +#usr/share/man/man3/gnutls_psk_set_server_credentials_function2.3
>>> #usr/share/man/man3/gnutls_psk_set_server_credentials_hint.3
>>> #usr/share/man/man3/gnutls_psk_set_server_dh_params.3
>>> #usr/share/man/man3/gnutls_psk_set_server_known_dh_params.3
>>> @@ -720,6 +740,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_record_send_early_data.3
>>> #usr/share/man/man3/gnutls_record_send_range.3
>>> #usr/share/man/man3/gnutls_record_set_max_early_data_size.3
>>> +#usr/share/man/man3/gnutls_record_set_max_recv_size.3
>>> #usr/share/man/man3/gnutls_record_set_max_size.3
>>> #usr/share/man/man3/gnutls_record_set_state.3
>>> #usr/share/man/man3/gnutls_record_set_timeout.3
>>> @@ -746,6 +767,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_session_get_flags.3
>>> #usr/share/man/man3/gnutls_session_get_id.3
>>> #usr/share/man/man3/gnutls_session_get_id2.3
>>> +#usr/share/man/man3/gnutls_session_get_keylog_function.3
>>> #usr/share/man/man3/gnutls_session_get_master_secret.3
>>> #usr/share/man/man3/gnutls_session_get_ptr.3
>>> #usr/share/man/man3/gnutls_session_get_random.3
>>> @@ -755,6 +777,7 @@ usr/lib/libgnutlsxx.so.28.1.0
>>> #usr/share/man/man3/gnutls_session_resumption_requested.3
>>> #usr/share/man/man3/gnutls_session_set_data.3
>>> #usr/share/man/man3/gnutls_session_set_id.3
>>> +#usr/share/man/man3/gnutls_session_set_keylog_function.3
>>> #usr/share/man/man3/gnutls_session_set_premaster.3
>>> #usr/share/man/man3/gnutls_session_set_ptr.3
>>> #usr/share/man/man3/gnutls_session_set_verify_cert.3
>>> diff --git a/lfs/gnutls b/lfs/gnutls
>>> index 6d24800b8..07344a8c4 100644
>>> --- a/lfs/gnutls
>>> +++ b/lfs/gnutls
>>> @@ -1,7 +1,7 @@
>>> ###############################################################################
>>> # #
>>> # IPFire.org - A linux based firewall #
>>> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
>>> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
>>> # #
>>> # This program is free software: you can redistribute it and/or modify #
>>> # it under the terms of the GNU General Public License as published by #
>>> @@ -24,11 +24,10 @@
>>>
>>> include Config
>>>
>>> -VER = 3.6.7
>>> -SUBVER = .1
>>> +VER = 3.6.14
>>>
>>> THISAPP = gnutls-$(VER)
>>> -DL_FILE = $(THISAPP)$(SUBVER).tar.xz
>>> +DL_FILE = $(THISAPP).tar.xz
>>> DL_FROM = $(URL_IPFIRE)
>>> DIR_APP = $(DIR_SRC)/$(THISAPP)
>>> TARGET = $(DIR_INFO)/$(THISAPP)
>>> @@ -41,7 +40,7 @@ objects = $(DL_FILE)
>>>
>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>
>>> -$(DL_FILE)_MD5 = 92a8049e618afa60e2c852da1884c457
>>> +$(DL_FILE)_MD5 = bf70632d420e421baff482247f01dbfe
>>>
>>> install : $(TARGET)
>>>
>>> --
>>> 2.17.1
>>>
>>
>
prev parent reply other threads:[~2020-06-11 12:15 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-10 22:08 Matthias Fischer
2020-06-10 22:08 ` [PATCH 2/2] gmp: Update to 6.2.0 Matthias Fischer
2020-06-11 8:44 ` Michael Tremer
2020-06-11 8:44 ` [PATCH 1/2] gnutls: Update to 3.6.14 Michael Tremer
2020-06-11 10:09 ` Matthias Fischer
2020-06-11 12:15 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D2DFB260-473F-46F5-9DB2-0950E08420D8@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox