Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2017-05-20 14:28:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Sat May 20 14:28:31 2017 rev:99 rq:493998 version:3.5.11 Changes: --------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2017-05-06 18:25:06.473694459 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2017-05-20 14:28:37.958448893 +0200
@@ -1,0 +2,16 @@
+Tue May 9 19:55:33 UTC 2017 - astie...@suse.com
+
+- GnuTLS 3.5.11:
+ * gnutls.pc: do not include libtool options into Libs.private.
+ * libgnutls: Fixed issue when rehandshaking without a client certificate in
+ a session which initially used one
+ * libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
+ certificate parsing (bsc#1038337)
+ * libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
+ That allows PKCS#11 operations such as signing to be performed with the
+ same object from multiple threads.
+ * libgnutls: when disabling OpenPGP authentication, the resulting library
+ is ABI compatible (will openpgp related functions being stubs that fail
+ on invocation).
+
+-------------------------------------------------------------------
@@ -4,0 +21,32 @@
+
+-------------------------------------------------------------------
+Wed Apr 26 14:53:45 UTC 2017 - vci...@suse.com
+
+- update to 3.5.10
+ * addresses GNUTLS-SA-2017-3 CVE-2017-7869 bsc#1034173
+ * gnutls.pc: do not include libidn2 in Requires.private
+ * libgnutls: optimized access to subject alternative names (SANs) in parsed
+ certificates
+ * libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
+ when printing certificate information.
+ * libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
+ flags can be set from the gnutls_certificate_verify_flags enumeration.
+ This allows the functions to pass the same flags available for certificates
+ to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
+ GNUTLS_VERIFY_ALLOW_BROKEN).
+ * libgnutls: gnutls_store_commitment() can accept flag
+ GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
+ in applications which use SHA1 for example, after SHA1 is deprecated.
+ * certtool: No longer ignore the 'add_critical_extension' template option if
+ the 'add_extension' option is not present.
+ * gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
+ starttls-proto command- drop gnutls-3.5.9-pkgconfig.patch (upstream)
+- drop gnutls-3.5.9-pkgconfig.patch (upstream)
+- remove unknown --disable-srp flag (bsc#901857)
+
+-------------------------------------------------------------------
+Wed Apr 26 14:53:06 UTC 2017 - vci...@suse.com
+
+- disable the deprecated OpenPGP authentication support
+ * see https://gitlab.com/gnutls/gnutls/issues/102
+- add gnutls-broken-openpgp-tests.patch
Old: ---- gnutls-3.5.9-pkgconfig.patch gnutls-3.5.9.tar.xz gnutls-3.5.9.tar.xz.sig New: ---- gnutls-3.5.11.tar.xz gnutls-3.5.11.tar.xz.sig gnutls-broken-openpgp-tests.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.cQYRPt/_old 2017-05-20 14:28:39.034296677 +0200 +++ /var/tmp/diff_new_pack.cQYRPt/_new 2017-05-20 14:28:39.038296111 +0200 @@ -29,7 +29,7 @@ %define gnutls_dane_sover 0 %endif Name: gnutls -Version: 3.5.9 +Version: 3.5.11 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ and GPL-3.0+ @@ -40,9 +40,10 @@ Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz.sig Source2: %{name}.keyring Source3: baselibs.conf -Patch0: gnutls-3.5.9-pkgconfig.patch +Patch0: gnutls-broken-openpgp-tests.patch BuildRequires: autogen BuildRequires: automake +BuildRequires: ca-certificates-mozilla BuildRequires: datefudge BuildRequires: fdupes BuildRequires: gcc-c++ @@ -211,11 +212,11 @@ --disable-static \ --with-pic \ --disable-rpath \ - --disable-srp \ --disable-silent-rules \ --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ --with-sysroot=/%{?_sysroot} \ --with-guile-site-dir=no \ + --disable-openpgp-authentication \ %if %{without tpm} --without-tpm \ %endif
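Review bot: `Patch0: gnutls-broken-openpgp-tests.patch` in the hunk at -40 is added without a comment saying what the patch does or whether it is meant to go upstream, and the new `BuildRequires: ca-certificates-mozilla` is equally unexplained. A line such as `# PATCH-FIX-OPENSUSE gnutls-broken-openpgp-tests.patch -- skip tests that require OpenPGP when it is disabled` above Patch0 would cover the first. For the second, a short comment naming the consumer would help whoever later trims build dependencies; presumably the test suite needs a system trust store, but that is not visible here.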
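Review bot: SRP key exchange stays compiled in after the hunk at -211 drops `--disable-srp` with no replacement. The changelog calls the flag unknown, so configure presumably ignored it and earlier builds likely shipped SRP as well. If the original intent was to disable SRP, the recognised spelling is `--disable-srp-authentication \`, parallel to the `--disable-openpgp-authentication \` line added here. If SRP is meant to stay enabled, a spec comment recording that decision would keep the next reader from assuming it is off. The configure invocation starts and ends outside the hunk.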
@@ -247,6 +248,7 @@ # PNG files are replaced with the compressed files and that breaks # deduplication, this is workaround find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} + +rm -rf %{buildroot}/usr/share/doc/gnutls %fdupes -s %{buildroot}%{_datadir} %find_lang libgnutls --all-name ++++++ gnutls-3.5.9.tar.xz -> gnutls-3.5.11.tar.xz ++++++ /work/SRC/openSUSE:Factory/gnutls/gnutls-3.5.9.tar.xz /work/SRC/openSUSE:Factory/.gnutls.new/gnutls-3.5.11.tar.xz differ: char 26, line 1 ++++++ gnutls-broken-openpgp-tests.patch ++++++ Index: gnutls-3.5.11/tests/Makefile.am =================================================================== --- gnutls-3.5.11.orig/tests/Makefile.am +++ gnutls-3.5.11/tests/Makefile.am @@ -19,7 +19,7 @@ # along with this file; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -SUBDIRS = . cert-tests ocsp-tests key-tests slow dtls windows +SUBDIRS = . cert-tests ocsp-tests key-tests slow windows if WANT_TEST_SUITE SUBDIRS += suite @@ -91,7 +91,7 @@ ctests = mini-record-2 simple gc set_pkc crlverify mini-dtls-discard init_fds mini-record-failure \ tls-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \ mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \ - mini-dtls-record-asym openpgp-callback key-import-export \ + mini-dtls-record-asym key-import-export \ mini-dtls-fork mini-dtls-pthread mini-key-material x509cert-invalid \ strict-der tls-ext-register tls-supplemental mini-dtls0-9 \ mini-record-retvals mini-server-name tls-etm x509-cert-callback \ @@ -236,6 +236,7 @@ endif endif if ENABLE_OPENPGP +SUBDIRS += dtls ctests += openpgp-auth openpgp-auth2 openpgp-keyring pgps2kgnu endif @@ -244,7 +245,7 @@ ctests += x509self x509dn anonself pskse setcredcrash resume-x509 resume-psk resume-anon if ENABLE_OPENPGP -ctests += openpgpself +ctests += openpgpself openpgp-callback endif endif
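Review bot: The added `rm -rf %{buildroot}/usr/share/doc/gnutls` in the hunk at -247 hard-codes the path, while the lines on either side use `%{buildroot}%{_datadir}`. Writing it as `rm -rf %{buildroot}%{_datadir}/doc/gnutls` would be consistent and would follow the macro if the data directory ever differs. A one-line comment saying why the upstream-installed doc directory is removed would also help. The %install section starts and ends outside the hunk.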
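Review bot: A build configured with `--disable-openpgp-authentication` now skips the entire DTLS test subdirectory, because `dtls` is dropped from the unconditional `SUBDIRS` line (hunk at -19) and re-added only under `if ENABLE_OPENPGP` (hunk at -236). For a TLS library that is a real loss of regression coverage in the package's test run, and the patch name suggests only OpenPGP tests were meant to be dropped. If only some cases under `dtls` need OpenPGP, it would be safer to gate those inside that directory and keep `SUBDIRS = . cert-tests ocsp-tests key-tests slow dtls windows`; which cases those are cannot be told from this patch. Moving `openpgp-callback` under `ENABLE_OPENPGP` in the other two hunks is appropriately narrow.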