690750 – net-libs/gnutls-3.6.9 version bump

Bug 690750 - net-libs/gnutls-3.6.9 version bump

Summary: net-libs/gnutls-3.6.9 version bump

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Crypto team [DISABLED]

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2019-07-26 09:02 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified:	2019-08-19 11:30 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2019-07-26 09:02:22 UTC

* Version 3.6.9 (released 2019-07-25)

** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
   of digest or MAC context. Copying contexts for externally-registered digest and MAC
   contexts is unupported (#787).

** Marked the crypto implementation override APIs as deprecated. These APIs are rarely
   used, are for a niche use case, but have significant side effects, such as preventing
   any internal re-organization and extension of the internal cipher API. The APIs remain
   functional though a compiler warning will be issued, and a future minor version update
   may transform them to a no-op while keeping ABI compatibility (#789).

** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781).

** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
   flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash().

** libgnutls: Added support for Generalname registeredID.

** The priority configuration was enhanced to allow more elaborate
   system-wide configuration of the library (#587).
   The following changes were included:
    - The file is read as an ini file with '#' indicating a comment.
    - The section "[priorities]" or global follows the existing semantics of
      the configuration file, and allows to specify system-wide priority strings
      which are accessed with the '@' prefix.
    - The section "[overrides]" is added with the parameters "insecure-hash",
      "insecure-sig", "insecure-sig-for-cert", "disabled-curve",
      "disabled-version", "min-verification-profile", "tls-disabled-cipher",
      "tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit
      specific algorithms or options globally. Existing algorithms in the
      library can be marked as disabled and insecure, but no hard-coded
      insecure algorithm can be marked as secure (so that the configuration
      cannot be abused to make the system vulnerable).
    - Unknown sections or options are skipped with a debug message, unless
      the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is
      set to 1.

** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE
    - 0x20: Enable SHA_NI instruction set

** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added


* Version 3.6.8 (released 2019-05-28)

** libgnutls: Added gnutls_prf_early() function to retrieve early keying
   material (#329)

** libgnutls: Added support for AES-XTS cipher (#354)

** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in
   512 bit addition)

** libgnutls: During Diffie-Hellman operations in TLS, verify that the peer's
   public key is on the right subgroup (y^q=1 mod p), when q is available (under
   TLS 1.3 and under earlier versions when RFC7919 parameters are used).

** libgnutls: the gnutls_srp_set_server_credentials_function can now be used
   with the 8192 parameters as well (#995).

** libgnutls: Fixed bug preventing the use of gnutls_pubkey_verify_data2() and
   gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag (#754)

** libgnutls: The priority string option %ALLOW_SMALL_RECORDS was added to allow
   clients to communicate with the server advertising smaller limits than 512

** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent
   hostname/domain crafting via IDNA conversion (#720)

** certtool: allow the digital signature key usage flag in CA certificates.
   Previously certtool would ignore this flag for CA certificates even if
   specified (#767)

** gnutls-cli/serv: added the --keymatexport and --keymatexportsize options.
   These allow testing the RFC5705 using these tools.

** API and ABI modifications:
gnutls_prf_early: Added
gnutls_record_set_max_recv_size: Added
gnutls_dh_params_import_raw3: Added
gnutls_ffdhe_2048_group_q: Added
gnutls_ffdhe_3072_group_q: Added
gnutls_ffdhe_4096_group_q: Added
gnutls_ffdhe_6144_group_q: Added
gnutls_ffdhe_8192_group_q: Added

Comment 1 Larry the Git Cow gentoo-dev

2019-08-19 11:30:42 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11a8fe91186ee139b677d8891f7309086262b323

commit 11a8fe91186ee139b677d8891f7309086262b323
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-08-19 11:13:43 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-08-19 11:13:43 +0000

    net-libs/gnutls: Bump to version 3.6.9
    
    with kind permission from K_F
    
    Closes: https://bugs.gentoo.org/690750
    Package-Manager: Portage-2.3.72, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/gnutls/Manifest            |   1 +
 net-libs/gnutls/gnutls-3.6.9.ebuild | 127 ++++++++++++++++++++++++++++++++++++
 2 files changed, 128 insertions(+)