author | spz <spz> | 2009-08-29 09:49:13 +0000 |
---|---|---|
committer | spz <spz> | 2009-08-29 09:49:13 +0000 |
commit | 764b5cd970795579caaab5a2d9d7734cf15dceb0 (patch) | |
tree | 2220a7e9de290e9a43763f904cb417de6d4e57ba /security | |
parent | a6b7486ea160c3e5a50dbcf20416eaf439eefa6e (diff) | |
Pullup ticket 2874 - requested by tron
security update
Revisions pulled up:
- pkgsrc/security/gnutls/Makefile 1.86
- pkgsrc/security/gnutls/PLIST 1.36
- pkgsrc/security/gnutls/distinfo 1.60
Files added:
pkgsrc/security/gnutls/patches/patch-ak 1.2
pkgsrc/security/gnutls/patches/patch-al 1.2
Module Name: pkgsrc
Committed By: wiz
Date: Sat Jul 18 10:32:32 UTC 2009
Modified Files:
pkgsrc/security/gnutls: Makefile distinfo
Log Message:
Update to 2.8.1:
* Version 2.8.1 (released 2009-06-10)
** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from
<http://bugs.gentoo.org/272388>.
** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on
average) 1 in every 128 input for random inputs. Reported by "Kukosa,
Tomas" <tomas.kukosa@siemens-enterprise.com> in
<http://permalink.gmane.org/gmane.network.gnutls.general/1663>.
** API and ABI modifications:
No changes since last version.
To generate a diff of this commit:
cvs rdiff -u -r1.83 -r1.84 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.57 -r1.58 pkgsrc/security/gnutls/distinfo
----------------------------------------------------------------------
Module Name: pkgsrc
Committed By: drochner
Date: Wed Jul 22 16:50:07 UTC 2009
Modified Files:
pkgsrc/security/gnutls: Makefile PLIST distinfo
Added Files:
pkgsrc/security/gnutls/patches: patch-ak patch-al
Log Message:
disable the openssl compatibility library -- no pkg I know of needs
it, and it only has a potential to conflict with the real openssl
(bad things will happen if a program links or dlopen()s both)
bump PKGREVISION
(the bug fixed in the added patches is already fixed upstream, will
be in the next release)
To generate a diff of this commit:
cvs rdiff -u -r1.84 -r1.85 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.35 -r1.36 pkgsrc/security/gnutls/PLIST
cvs rdiff -u -r1.58 -r1.59 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnutls/patches/patch-ak \
pkgsrc/security/gnutls/patches/patch-al
----------------------------------------------------------------------
Module Name: pkgsrc
Committed By: snj
Date: Thu Aug 13 18:56:32 UTC 2009
Modified Files:
pkgsrc/security/gnutls: Makefile distinfo
pkgsrc/security/gnutls/patches: patch-ak patch-al
Log Message:
Update to 2.8.3. Changes:
* Version 2.8.3 (released 2009-08-13)
** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to a read-out-bound error in
some situations. Reported by Tomas Hoger <thoger@redhat.com>. A CVE
code has been allocated for the vulnerability: [CVE-2009-2730].
** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.
** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.
** tests: Made self-test mini-eagain take less time.
** doc: Typo fixes.
** API and ABI modifications:
No changes since last version.
* Version 2.8.2 (released 2009-08-10)
** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate. Some CAs apparently have poor
checking of CN/SAN values and issue these (arguably invalid)
certificates. Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions. The problem is mitigated
since attackers need to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA. It does not apply to client authenticated TLS
sessions. Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch. [GNUTLS-SA-2009-4].
** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false. Reported by Peter Hendrickson
<pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.
** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs. Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.
** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits. Before the reported value was
overestimated. Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.
** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.
** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with. Now we just check
that the runtime usage is above the minimum required. Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.
** minitasn1: Internal copy updated to libtasn1 v2.3.
** tests: Fix failure in "chainverify" because a certificate has expired.
** API and ABI modifications:
No changes since last version.
To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.59 -r1.60 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/gnutls/patches/patch-ak \
pkgsrc/security/gnutls/patches/patch-al
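
The incorrect hostname match described in the 2.8.2 entry above, reduced to its core as an added example; this is not GnuTLS or pkgsrc code. The struct, the function names and the sample names are hypothetical and constructed for illustration: a name compared as a C string matches on the part before the NUL byte, while a length-aware check rejects it.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A name field as decoded from the certificate: bytes plus explicit length. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed pattern: the field is handled as a C string, so the comparison
 * stops at the first NUL byte and never sees what follows it. */
static int match_cstring(const struct cert_name *n, const char *host)
{
    return strcasecmp((const char *)n->data, host) == 0;
}

/* Length-aware check: a name containing a NUL byte is rejected outright,
 * and the comparison covers exactly n->len bytes. */
static int match_checked(const struct cert_name *n, const char *host)
{
    if (memchr(n->data, '\0', n->len) != NULL)
        return 0;
    if (strlen(host) != n->len)
        return 0;
    return strncasecmp((const char *)n->data, host, n->len) == 0;
}

/* Constructed sample names using reserved example domains. */
static const unsigned char NUL_CN[] = "www.example.com\0.example.net";
static const unsigned char PLAIN_CN[] = "www.example.com";
static const struct cert_name WITH_NUL = { NUL_CN, sizeof NUL_CN - 1 };
static const struct cert_name PLAIN = { PLAIN_CN, sizeof PLAIN_CN - 1 };

int main(void)
{
    const char *host = "www.example.com";
    printf("C-string match, NUL name:     %d\n", match_cstring(&WITH_NUL, host));
    printf("length-aware match, NUL name: %d\n", match_checked(&WITH_NUL, host));
    printf("length-aware match, plain:    %d\n", match_checked(&PLAIN, host));
    return 0;
}
```
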
Diffstat (limited to 'security')
-rw-r--r-- | security/gnutls/Makefile | 9 |
-rw-r--r-- | security/gnutls/PLIST | 4 |
-rw-r--r-- | security/gnutls/distinfo | 10 |
-rw-r--r-- | security/gnutls/patches/patch-ak | 13 |
-rw-r--r-- | security/gnutls/patches/patch-al | 13 |
5 files changed, 39 insertions, 10 deletions
diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile index 32d47024fa6..29e603a23ac 100644 --- a/security/gnutls/Makefile +++ b/security/gnutls/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.83 2009/06/09 18:56:37 wiz Exp $ +# $NetBSD: Makefile,v 1.83.2.1 2009/08/29 09:49:13 spz Exp $ -DISTNAME= gnutls-2.8.0 +DISTNAME= gnutls-2.8.3 CATEGORIES= security devel MASTER_SITES= ftp://ftp.gnutls.org/pub/gnutls/ \ ftp://ftp.gnupg.org/gcrypt/gnutls/ \ @@ -10,7 +10,7 @@ EXTRACT_SUFX= .tar.bz2 MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://www.gnutls.org/ COMMENT= GNU Transport Layer Security library -#LICENSE= gnu-gpl-v3 AND gnu-lgpl-v2.1 +LICENSE= gnu-gpl-v3 AND gnu-lgpl-v2.1 PKG_INSTALLATION_TYPES= overwrite pkgviews PKG_DESTDIR_SUPPORT= user-destdir @@ -23,6 +23,9 @@ GNU_CONFIGURE= yes TEST_TARGET= check INFO_FILES= yes +# this library duplicates (and conflicts with) openssl +CONFIGURE_ARGS+= --disable-openssl-compatibility + PKGCONFIG_OVERRIDE= lib/gnutls.pc.in PKGCONFIG_OVERRIDE+= libextra/gnutls-extra.pc.in diff --git a/security/gnutls/PLIST b/security/gnutls/PLIST index 743c41af0d2..b7aaa864cf6 100644 --- a/security/gnutls/PLIST +++ b/security/gnutls/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.35 2009/06/14 18:13:29 joerg Exp $ +@comment $NetBSD: PLIST,v 1.35.2.1 2009/08/29 09:49:14 spz Exp $ bin/certtool bin/gnutls-cli bin/gnutls-cli-debug @@ -11,7 +11,6 @@ include/gnutls/extra.h include/gnutls/gnutls.h include/gnutls/gnutlsxx.h include/gnutls/openpgp.h -include/gnutls/openssl.h include/gnutls/pkcs12.h include/gnutls/x509.h info/gnutls-certificate-user-use-case.png @@ -28,7 +27,6 @@ info/gnutls-pgp.png info/gnutls-x509.png info/gnutls.info lib/libgnutls-extra.la -lib/libgnutls-openssl.la lib/libgnutls.la lib/libgnutlsxx.la lib/pkgconfig/gnutls-extra.pc diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo index bdf52ef2ee1..f32aceab7be 100644 --- a/security/gnutls/distinfo +++ b/security/gnutls/distinfo 
@@ -1,10 +1,12 @@ -$NetBSD: distinfo,v 1.57 2009/06/18 10:19:47 drochner Exp $ +$NetBSD: distinfo,v 1.57.2.1 2009/08/29 09:49:14 spz Exp $ -SHA1 (gnutls-2.8.0.tar.bz2) = 7c102253bb4e817f393b9979a62c647010312eac -RMD160 (gnutls-2.8.0.tar.bz2) = ad9d356ab55567ffc65c7fa4f48d8594a1cd5981 -Size (gnutls-2.8.0.tar.bz2) = 6177498 bytes +SHA1 (gnutls-2.8.3.tar.bz2) = c25fb354258777f9ee34b79b08eb87c024cada75 +RMD160 (gnutls-2.8.3.tar.bz2) = 01763fad93e4b76e18dcfb1881c5f09011804dca +Size (gnutls-2.8.3.tar.bz2) = 6198273 bytes SHA1 (patch-ab) = 4b6801f6c8f00b8da8e78f7277450c6f53366fb4 SHA1 (patch-ae) = f505476ce0477dc547e8698d205d6ba26fe85f48 SHA1 (patch-af) = bd4701640dfef5bfdce87d620befd93098b0dff3 SHA1 (patch-ai) = 2c5c181ec6de9622cac66c2d5fe2cc8f3f89fbe8 SHA1 (patch-aj) = 55187c2a07d67f789678b1a404c6b119b311fc82 +SHA1 (patch-ak) = f2f4e6f1c6f937eca67235cb01aff1b32cbe4fd8 +SHA1 (patch-al) = f1c9def7d8150d93e14678b1acdbbc1534099452 diff --git a/security/gnutls/patches/patch-ak b/security/gnutls/patches/patch-ak new file mode 100644 index 00000000000..5c897618a40 --- /dev/null +++ b/security/gnutls/patches/patch-ak @@ -0,0 +1,13 @@ +$NetBSD: patch-ak,v 1.2.2.2 2009/08/29 09:49:14 spz Exp $ + +--- configure.orig 2009-08-13 02:54:16.000000000 -0700 ++++ configure 2009-08-13 10:50:08.000000000 -0700 +@@ -8651,7 +8651,7 @@ done + $as_echo_n "checking whether to disable OpenSSL compatibility layer... " >&6; } + # Check whether --enable-openssl-compatibility was given. + if test "${enable_openssl_compatibility+set}" = set; then : +- enableval=$enable_openssl_compatibility; enable_openssl=$withval ++ enableval=$enable_openssl_compatibility; enable_openssl=$enableval + else + enable_openssl=yes + fi diff --git a/security/gnutls/patches/patch-al b/security/gnutls/patches/patch-al new file mode 100644 index 00000000000..1271c51c7f4 --- /dev/null +++ b/security/gnutls/patches/patch-al 
@@ -0,0 +1,13 @@ +$NetBSD: patch-al,v 1.2.2.2 2009/08/29 09:49:14 spz Exp $ + +--- libextra/configure.orig 2009-08-13 02:54:00.000000000 -0700 ++++ libextra/configure 2009-08-13 10:51:47.000000000 -0700 +@@ -13170,7 +13170,7 @@ done + $as_echo_n "checking whether to disable OpenSSL compatibility layer... " >&6; } + # Check whether --enable-openssl-compatibility was given. + if test "${enable_openssl_compatibility+set}" = set; then : +- enableval=$enable_openssl_compatibility; enable_openssl=$withval ++ enableval=$enable_openssl_compatibility; enable_openssl=$enableval + else + enable_openssl=yes + fi |
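
Review bot: In the Makefile hunk at `@@ -10,7 +10,7 @@`, the `LICENSE= gnu-gpl-v3 AND gnu-lgpl-v2.1` line is uncommented, but none of the three pulled-up log messages mentions a licensing change. Since this is a security pullup to a stable branch, state the change in the pullup message, or leave the line commented if it is not meant to be part of this ticket.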
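
Review bot: In the Makefile hunk at `@@ -23,6 +23,9 @@`, the comment `# this library duplicates (and conflicts with) openssl` reads as if it describes gnutls itself; name the component being disabled (the PLIST hunks show it is `lib/libgnutls-openssl.la` and `include/gnutls/openssl.h`). The flag also only takes effect because patch-ak and patch-al make configure read `$enableval`, so note that dependency here so the flag and the patches are revisited together when the upstream fix arrives.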
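
Review bot: The PLIST hunks drop `include/gnutls/openssl.h` and `lib/libgnutls-openssl.la` with no replacement, and the only stated justification in the log is "no pkg I know of needs it". Before this lands on the stable branch, check the packages that depend on gnutls for includes of `gnutls/openssl.h` or linkage against `libgnutls-openssl`, and record the result in the pullup message.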
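
Review bot: patch-ak carries only the `$NetBSD$` tag ahead of its hunk, with no description of the defect it fixes: configure assigns `enable_openssl=$withval` for an `--enable-...` option, whose value is in `$enableval`. Add a one-line explanation and the upstream status to the patch header; the log says the fix is already upstream, and stating that in the file tells the next updater the patch can be dropped. The hunk also edits the generated `configure` at line 8651, so it will need regenerating for any release that shifts the script.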
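
Review bot: In patch-al the same one-line fix is applied to `libextra/configure`, but the `else` branch still sets `enable_openssl=yes`, so the library is built whenever the option does not reach this script. The PLIST change assumes it is never built; confirm that `--disable-openssl-compatibility` from `CONFIGURE_ARGS` is passed through to the libextra configure run, otherwise the build installs files that PLIST no longer lists.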