Hi, > On 11 Jun 2020, at 11:09, Matthias Fischer wrote: > > Hi, > > On 11.06.2020 10:44, Michael Tremer wrote: >> Reviewed-by: Michael Tremer >> >> Looks good. >> >> Did you check if there is a new version of gcrypt? That kind of is part of this group, too. > > Software is buggy => evil... *sigh* ;-) > > I did take a look. > > I found: > > libgcrypt => 1.8.5 > libgpg-error => 1.38 > libassuan => 2.5.3 > gnupg => 2.2.0 > > Could you also please take a look at: > > https://patchwork.ipfire.org/patch/3196/ > > or > > https://patchwork.ipfire.org/patch/3198/ > > and > > https://patchwork.ipfire.org/patch/3199/ I have received them all. They are also on the list: https://lists.ipfire.org/pipermail/development/2020-June/007914.html https://lists.ipfire.org/pipermail/development/2020-June/007913.html It is just that you might not have received a copy of them because t-online.de is bouncing emails to you all day long. I hope you will read this. Maybe change to a mailbox hosted on our servers? -Michael > > Somehow these patches (gmp => 6.2.0 + fix for lfs) didn't make it to the > list. Blacklisted because of URL!? > > Best, > Matthias > >> -Michael >> >>> On 10 Jun 2020, at 23:08, Matthias Fischer wrote: >>> >>> For details see: >>> https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html >>> >>> "** libgnutls: Fixed insecure session ticket key construction, since 3.6.4. >>> The TLS server would not bind the session ticket encryption key with a >>> value supplied by the application until the initial key rotation, allowing >>> attacker to bypass authentication in TLS 1.3 and recover previous >>> conversations in TLS 1.2 (#1011). >>> [GNUTLS-SA-2020-06-03, CVSS: high] >>> >>> ** libgnutls: Fixed handling of certificate chain with cross-signed >>> intermediate CA certificates (#1008). >>> >>> ** libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997). >>> >>> ** libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName >>> (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority >>> Key Identifier (AKI) properly (#989, #991). >>> >>> ** certtool: PKCS #7 attributes are now printed with symbolic names (!1246). >>> >>> ** libgnutls: Added several improvements on Windows Vista and later releases >>> (!1257, !1254, !1256). Most notably the system random number generator now >>> uses Windows BCrypt* API if available (!1255). >>> >>> ** libgnutls: Use accelerated AES-XTS implementation if possible (!1244). >>> Also both accelerated and non-accelerated implementations check key block >>> according to FIPS-140-2 IG A.9 (!1233). >>> >>> ** libgnutls: Added support for AES-SIV ciphers (#463). >>> >>> ** libgnutls: Added support for 192-bit AES-GCM cipher (!1267). >>> >>> ** libgnutls: No longer use internal symbols exported from Nettle (!1235) >>> >>> ** API and ABI modifications: >>> GNUTLS_CIPHER_AES_128_SIV: Added >>> GNUTLS_CIPHER_AES_256_SIV: Added >>> GNUTLS_CIPHER_AES_192_GCM: Added >>> gnutls_pkcs7_print_signature_info: Added" >>> >>> Signed-off-by: Matthias Fischer >>> --- >>> config/rootfiles/common/gnutls | 25 ++++++++++++++++++++++++- >>> lfs/gnutls | 9 ++++----- >>> 2 files changed, 28 insertions(+), 6 deletions(-) >>> >>> diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls >>> index b8adaa9d9..cb7ecf8e5 100644 >>> --- a/config/rootfiles/common/gnutls >>> +++ b/config/rootfiles/common/gnutls >>> @@ -33,7 +33,7 @@ usr/lib/libgnutls-dane.so.0.4.1 >>> #usr/lib/libgnutls.la >>> #usr/lib/libgnutls.so >>> usr/lib/libgnutls.so.30 >>> -usr/lib/libgnutls.so.30.23.2 >>> +usr/lib/libgnutls.so.30.28.0 >>> #usr/lib/libgnutlsxx.la >>> #usr/lib/libgnutlsxx.so >>> usr/lib/libgnutlsxx.so.28 >>> @@ -113,9 +113,11 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/dane_verify_crt_raw.3 >>> #usr/share/man/man3/dane_verify_session_crt.3 >>> #usr/share/man/man3/gnutls_aead_cipher_decrypt.3 >>> +#usr/share/man/man3/gnutls_aead_cipher_decryptv2.3 >>> #usr/share/man/man3/gnutls_aead_cipher_deinit.3 >>> #usr/share/man/man3/gnutls_aead_cipher_encrypt.3 >>> #usr/share/man/man3/gnutls_aead_cipher_encryptv.3 >>> +#usr/share/man/man3/gnutls_aead_cipher_encryptv2.3 >>> #usr/share/man/man3/gnutls_aead_cipher_init.3 >>> #usr/share/man/man3/gnutls_alert_get.3 >>> #usr/share/man/man3/gnutls_alert_get_name.3 >>> @@ -206,6 +208,8 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_certificate_type_get_id.3 >>> #usr/share/man/man3/gnutls_certificate_type_get_name.3 >>> #usr/share/man/man3/gnutls_certificate_type_list.3 >>> +#usr/share/man/man3/gnutls_certificate_verification_profile_get_id.3 >>> +#usr/share/man/man3/gnutls_certificate_verification_profile_get_name.3 >>> #usr/share/man/man3/gnutls_certificate_verification_status_print.3 >>> #usr/share/man/man3/gnutls_certificate_verify_peers.3 >>> #usr/share/man/man3/gnutls_certificate_verify_peers2.3 >>> @@ -271,6 +275,7 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_dh_params_import_pkcs3.3 >>> #usr/share/man/man3/gnutls_dh_params_import_raw.3 >>> #usr/share/man/man3/gnutls_dh_params_import_raw2.3 >>> +#usr/share/man/man3/gnutls_dh_params_import_raw3.3 >>> #usr/share/man/man3/gnutls_dh_params_init.3 >>> #usr/share/man/man3/gnutls_dh_set_prime_bits.3 >>> #usr/share/man/man3/gnutls_digest_get_id.3 >>> @@ -302,12 +307,14 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_ext_get_current_msg.3 >>> #usr/share/man/man3/gnutls_ext_get_data.3 >>> #usr/share/man/man3/gnutls_ext_get_name.3 >>> +#usr/share/man/man3/gnutls_ext_get_name2.3 >>> #usr/share/man/man3/gnutls_ext_raw_parse.3 >>> #usr/share/man/man3/gnutls_ext_register.3 >>> #usr/share/man/man3/gnutls_ext_set_data.3 >>> #usr/share/man/man3/gnutls_fingerprint.3 >>> #usr/share/man/man3/gnutls_fips140_mode_enabled.3 >>> #usr/share/man/man3/gnutls_fips140_set_mode.3 >>> +#usr/share/man/man3/gnutls_get_system_config_file.3 >>> #usr/share/man/man3/gnutls_global_deinit.3 >>> #usr/share/man/man3/gnutls_global_init.3 >>> #usr/share/man/man3/gnutls_global_set_audit_log_function.3 >>> @@ -333,6 +340,7 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_handshake_set_random.3 >>> #usr/share/man/man3/gnutls_handshake_set_timeout.3 >>> #usr/share/man/man3/gnutls_hash.3 >>> +#usr/share/man/man3/gnutls_hash_copy.3 >>> #usr/share/man/man3/gnutls_hash_deinit.3 >>> #usr/share/man/man3/gnutls_hash_fast.3 >>> #usr/share/man/man3/gnutls_hash_get_len.3 >>> @@ -349,9 +357,13 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_hex_decode2.3 >>> #usr/share/man/man3/gnutls_hex_encode.3 >>> #usr/share/man/man3/gnutls_hex_encode2.3 >>> +#usr/share/man/man3/gnutls_hkdf_expand.3 >>> +#usr/share/man/man3/gnutls_hkdf_extract.3 >>> #usr/share/man/man3/gnutls_hmac.3 >>> +#usr/share/man/man3/gnutls_hmac_copy.3 >>> #usr/share/man/man3/gnutls_hmac_deinit.3 >>> #usr/share/man/man3/gnutls_hmac_fast.3 >>> +#usr/share/man/man3/gnutls_hmac_get_key_size.3 >>> #usr/share/man/man3/gnutls_hmac_get_len.3 >>> #usr/share/man/man3/gnutls_hmac_init.3 >>> #usr/share/man/man3/gnutls_hmac_output.3 >>> @@ -425,6 +437,7 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_openpgp_send_cert.3 >>> #usr/share/man/man3/gnutls_packet_deinit.3 >>> #usr/share/man/man3/gnutls_packet_get.3 >>> +#usr/share/man/man3/gnutls_pbkdf2.3 >>> #usr/share/man/man3/gnutls_pcert_deinit.3 >>> #usr/share/man/man3/gnutls_pcert_export_openpgp.3 >>> #usr/share/man/man3/gnutls_pcert_export_x509.3 >>> @@ -557,6 +570,7 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_pkcs7_import.3 >>> #usr/share/man/man3/gnutls_pkcs7_init.3 >>> #usr/share/man/man3/gnutls_pkcs7_print.3 >>> +#usr/share/man/man3/gnutls_pkcs7_print_signature_info.3 >>> #usr/share/man/man3/gnutls_pkcs7_set_crl.3 >>> #usr/share/man/man3/gnutls_pkcs7_set_crl_raw.3 >>> #usr/share/man/man3/gnutls_pkcs7_set_crt.3 >>> @@ -569,6 +583,8 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_pkcs_schema_get_name.3 >>> #usr/share/man/man3/gnutls_pkcs_schema_get_oid.3 >>> #usr/share/man/man3/gnutls_prf.3 >>> +#usr/share/man/man3/gnutls_prf_early.3 >>> +#usr/share/man/man3/gnutls_prf_hash_get.3 >>> #usr/share/man/man3/gnutls_prf_raw.3 >>> #usr/share/man/man3/gnutls_prf_rfc5705.3 >>> #usr/share/man/man3/gnutls_priority_certificate_type_list.3 >>> @@ -645,11 +661,15 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_psk_free_client_credentials.3 >>> #usr/share/man/man3/gnutls_psk_free_server_credentials.3 >>> #usr/share/man/man3/gnutls_psk_server_get_username.3 >>> +#usr/share/man/man3/gnutls_psk_server_get_username2.3 >>> #usr/share/man/man3/gnutls_psk_set_client_credentials.3 >>> +#usr/share/man/man3/gnutls_psk_set_client_credentials2.3 >>> #usr/share/man/man3/gnutls_psk_set_client_credentials_function.3 >>> +#usr/share/man/man3/gnutls_psk_set_client_credentials_function2.3 >>> #usr/share/man/man3/gnutls_psk_set_params_function.3 >>> #usr/share/man/man3/gnutls_psk_set_server_credentials_file.3 >>> #usr/share/man/man3/gnutls_psk_set_server_credentials_function.3 >>> +#usr/share/man/man3/gnutls_psk_set_server_credentials_function2.3 >>> #usr/share/man/man3/gnutls_psk_set_server_credentials_hint.3 >>> #usr/share/man/man3/gnutls_psk_set_server_dh_params.3 >>> #usr/share/man/man3/gnutls_psk_set_server_known_dh_params.3 >>> @@ -720,6 +740,7 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_record_send_early_data.3 >>> #usr/share/man/man3/gnutls_record_send_range.3 >>> #usr/share/man/man3/gnutls_record_set_max_early_data_size.3 >>> +#usr/share/man/man3/gnutls_record_set_max_recv_size.3 >>> #usr/share/man/man3/gnutls_record_set_max_size.3 >>> #usr/share/man/man3/gnutls_record_set_state.3 >>> #usr/share/man/man3/gnutls_record_set_timeout.3 >>> @@ -746,6 +767,7 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_session_get_flags.3 >>> #usr/share/man/man3/gnutls_session_get_id.3 >>> #usr/share/man/man3/gnutls_session_get_id2.3 >>> +#usr/share/man/man3/gnutls_session_get_keylog_function.3 >>> #usr/share/man/man3/gnutls_session_get_master_secret.3 >>> #usr/share/man/man3/gnutls_session_get_ptr.3 >>> #usr/share/man/man3/gnutls_session_get_random.3 >>> @@ -755,6 +777,7 @@ usr/lib/libgnutlsxx.so.28.1.0 >>> #usr/share/man/man3/gnutls_session_resumption_requested.3 >>> #usr/share/man/man3/gnutls_session_set_data.3 >>> #usr/share/man/man3/gnutls_session_set_id.3 >>> +#usr/share/man/man3/gnutls_session_set_keylog_function.3 >>> #usr/share/man/man3/gnutls_session_set_premaster.3 >>> #usr/share/man/man3/gnutls_session_set_ptr.3 >>> #usr/share/man/man3/gnutls_session_set_verify_cert.3 >>> diff --git a/lfs/gnutls b/lfs/gnutls >>> index 6d24800b8..07344a8c4 100644 >>> --- a/lfs/gnutls >>> +++ b/lfs/gnutls >>> @@ -1,7 +1,7 @@ >>> ############################################################################### >>> # # >>> # IPFire.org - A linux based firewall # >>> -# Copyright (C) 2007-2019 IPFire Team # >>> +# Copyright (C) 2007-2020 IPFire Team # >>> # # >>> # This program is free software: you can redistribute it and/or modify # >>> # it under the terms of the GNU General Public License as published by # >>> @@ -24,11 +24,10 @@ >>> >>> include Config >>> >>> -VER = 3.6.7 >>> -SUBVER = .1 >>> +VER = 3.6.14 >>> >>> THISAPP = gnutls-$(VER) >>> -DL_FILE = $(THISAPP)$(SUBVER).tar.xz >>> +DL_FILE = $(THISAPP).tar.xz >>> DL_FROM = $(URL_IPFIRE) >>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>> TARGET = $(DIR_INFO)/$(THISAPP) >>> @@ -41,7 +40,7 @@ objects = $(DL_FILE) >>> >>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>> >>> -$(DL_FILE)_MD5 = 92a8049e618afa60e2c852da1884c457 >>> +$(DL_FILE)_MD5 = bf70632d420e421baff482247f01dbfe >>> >>> install : $(TARGET) >>> >>> -- >>> 2.17.1 >>> >> >