diff options
author | he <he@pkgsrc.org> | 2017-05-18 07:54:26 +0000 |
---|---|---|
committer | he <he@pkgsrc.org> | 2017-05-18 07:54:26 +0000 |
commit | 2791f4ac3955bc34af21f9502d658b639568a126 (patch) | |
tree | 8b34b72aa7678d57d591dc5361e4e290a9fd2fba | |
parent | b02cbffe1a1c47d2568ade916ba2bbefe0c093d3 (diff) | |
download | pkgsrc-2791f4ac3955bc34af21f9502d658b639568a126.tar.gz |
Update to GnuTLS 3.5.12.
Pkgsrc changes:
Adapt PLIST.
Upstream changes:
* Version 3.5.12 (released 2017-05-11)
** libgnutls: enabled TCP Fast open for MacOSX. Patch by Tim Ruehsen.
** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
against DNS fields of certificate (CN or DNSname). The previous behavior
was to tolerate some misconfigured servers, but that was non-standard
and skipped any IP constraints present in higher level certificates.
** libgnutls: when converting to IDNA2008, fallback to IDNA2003
(i.e., transitional encoding) if the domain cannot be converted.
That provides maximum compatibility with browsers like firefox
that perform the same conversion.
** libgnutls: fix issue in RSA-PSK client callback which resulted
in no username being sent to the peer. Patch by Nicolas Dufresne.
** libgnutls: fix regression causing stapled extensions in trust modules not
to be considered.
** certtool: introduced the email_protection_key option. This
option was introduced in documentation for certtool without an
implementation of it. It is a shortcut for option 'key_purpose_oid
= 1.3.6.1.5.5.7.3.4'.
** certtool: made printing of key ID and key PIN consistent between
certificates, public keys, and private keys. That is the private
key printing now uses the same format as the rest.
** gnutls-cli: introduced the --sni-hostname option. This allows overriding the
hostname advertised to the peer.
** API and ABI modifications:
No changes since last version.
* Version 3.5.11 (released 2017-04-07)
** gnutls.pc: do not include libtool options into Libs.private.
** libgnutls: Fixed issue when rehandshaking without a client certificate in
a session which initially used one. Reported by Frantisek Sumsal.
** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
certificate parsing. Issues found using oss-fuzz project and were fixed
by Alex Gaynor:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824
** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
That allows PKCS#11 operations such as signing to be performed with the
same object from multiple threads.
** libgnutls: Added support for MacOSX key chain for obtaining
trust store's root CA certificates. That is,
gnutls_x509_trust_list_add_system_trust() and
gnutls_certificate_set_x509_system_trust() will load the certificates
from the key chain. That also means that we no longer check for a
default trust store file in configure when building on MacOSX (unless
explicitly asked to). Patch by David Caldwell.
** libgnutls: when disabling OpenPGP authentication, the resulting library
is ABI compatible (with openpgp related functions being stubs that fail
on invocation).
** API and ABI modifications:
No changes since last version.
* Version 3.5.10 (released 2017-03-06)
** gnutls.pc: do not include libidn2 in Requires.private. The
libidn2 versions available do not include libidn2.pc, thus the
inclusion was causing pkg-config issues. Instead we include
-lidn2 in Libs.private when compile against libidn2.
** libgnutls: optimized access to subject alternative names (SANs)
in parsed certificates. The previous implementation assumed a
small number of SANs in a certificate, with repeated calls to
ASN.1 decoding of the extension without any intermediate caching.
That caused delays in certificates with a long list of names in
functions such as gnutls_x509_crt_check_hostname(). With the
current code, the SANs are parsed once on certificate import.
Resolves gitlab issue #165.
** libgnutls: Addressed integer overflow resulting to invalid memory
write in OpenPGP certificate parsing. Issue found using oss-fuzz
project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
[GNUTLS-SA-2017-3A]
** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
certificate parsing. Issue found using oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
to private key parser. No longer allow OpenPGP certificates (public keys)
to contain private key sub-packets. Issue found using oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B]
** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
could lead in out-of-memory condition. Issue found using oss-fuzz project,
and was fixed by Alex Gaynor:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C]
** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
when printing certificate information.
** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
flags can be set from the gnutls_certificate_verify_flags enumeration.
This allows the functions to pass the same flags available for certificates
to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
GNUTLS_VERIFY_ALLOW_BROKEN).
** libgnutls: gnutls_store_commitment() can accept flag
GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
in applications which use SHA1 for example, after SHA1 is deprecated.
** certtool: No longer ignore the 'add_critical_extension' template option if
the 'add_extension' option is not present.
** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
starttls-proto command. Patch by Robert Scheck.
** API and ABI modifications:
No changes since last version.
-rw-r--r-- | security/gnutls/Makefile | 4 | ||||
-rw-r--r-- | security/gnutls/PLIST | 12 | ||||
-rw-r--r-- | security/gnutls/distinfo | 10 |
3 files changed, 18 insertions, 8 deletions
diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile index ce35a17c28f..9e413b3f3bb 100644 --- a/security/gnutls/Makefile +++ b/security/gnutls/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.170 2017/02/26 09:19:56 adam Exp $ +# $NetBSD: Makefile,v 1.171 2017/05/18 07:54:26 he Exp $ -DISTNAME= gnutls-3.5.9 +DISTNAME= gnutls-3.5.12 CATEGORIES= security devel MASTER_SITES= ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/ EXTRACT_SUFX= .tar.xz diff --git a/security/gnutls/PLIST b/security/gnutls/PLIST index b521e8c2c19..f734836dfb8 100644 --- a/security/gnutls/PLIST +++ b/security/gnutls/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.55 2017/02/26 09:19:56 adam Exp $ +@comment $NetBSD: PLIST,v 1.56 2017/05/18 07:54:26 he Exp $ bin/certtool bin/gnutls-cli bin/gnutls-cli-debug @@ -1079,6 +1079,15 @@ man/man3/gnutls_x509_trust_list_remove_trust_mem.3 man/man3/gnutls_x509_trust_list_verify_crt.3 man/man3/gnutls_x509_trust_list_verify_crt2.3 man/man3/gnutls_x509_trust_list_verify_named_crt.3 +share/doc/gnutls/gnutls-client-server-use-case.png +share/doc/gnutls/gnutls-handshake-sequence.png +share/doc/gnutls/gnutls-handshake-state.png +share/doc/gnutls/gnutls-internals.png +share/doc/gnutls/gnutls-layers.png +share/doc/gnutls/gnutls-logo.png +share/doc/gnutls/gnutls-modauth.png +share/doc/gnutls/gnutls-x509.png +share/doc/gnutls/pkcs11-vision.png share/examples/gnutls/ex-alert.c share/examples/gnutls/ex-cert-select-pkcs11.c share/examples/gnutls/ex-cert-select.c @@ -1121,3 +1130,4 @@ share/locale/sv/LC_MESSAGES/gnutls.mo share/locale/uk/LC_MESSAGES/gnutls.mo share/locale/vi/LC_MESSAGES/gnutls.mo share/locale/zh_CN/LC_MESSAGES/gnutls.mo + diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo index d49394e736b..eadced15e20 100644 --- a/security/gnutls/distinfo +++ b/security/gnutls/distinfo @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.124 2017/04/10 10:43:49 jperkin Exp $ +$NetBSD: distinfo,v 1.125 2017/05/18 07:54:26 he Exp $ -SHA1 (gnutls-3.5.9.tar.xz) = f3f184a92f128af1c2fb29b29a4d325af65694a5 -RMD160 (gnutls-3.5.9.tar.xz) = a200b078cf9204f70dfaae7c045fc2f762a22809 -SHA512 (gnutls-3.5.9.tar.xz) = 17a05143eaa70ee61b149a5f09ae7a688cb3f314ad1e67ce41a778e5960717e276cc780f3db9b6923c14c4d998e17563c134cab5297502181cd2dabb47da3515 -Size (gnutls-3.5.9.tar.xz) = 7166932 bytes +SHA1 (gnutls-3.5.12.tar.xz) = 9f453686bc6b1e6ebc04197158a2bc123c0272df +RMD160 (gnutls-3.5.12.tar.xz) = ffdd1b7af9376cee94e81fefd929ee6a41cd8fcb +SHA512 (gnutls-3.5.12.tar.xz) = 8fec23e7e494a2e15e0f938115cae1ba3fee952d634db387f983b01096f68ca4313b23bc4c439d3c7fdd07c861eac4913a7c2343c8704961588ae195886ec90c +Size (gnutls-3.5.12.tar.xz) = 7212652 bytes SHA1 (patch-ae) = 5e020483ac14ef6ccc45a53e351242ab16c860f1 SHA1 (patch-lib_Makefile.in) = d0e292e632a91a9f19e39bd2c2d205a086ba5588 SHA1 (patch-lib_accelerated_x86_x86-common.c) = 7a46ef6892b3a06ff4c949a965073c720a2491a4 |