Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 523190

Summary: =net-libs/gnutls-3.2.18 and -3.3.8 version bump
Product: Gentoo Linux Reporter: Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c>
Component: [OLD] LibraryAssignee: Crypto team [DISABLED] <crypto+disabled>
Status: RESOLVED FIXED    
Severity: enhancement CC: alonbl
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.gnutls.org/news.html#2014-09-18
Whiteboard:
Package list:
Runtime testing required: ---

Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-09-19 06:30:39 UTC 
* Version 3.2.18 (released 2014-09-18)

** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid. Reported by Armin Burgmeier.

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from
Codenomicon.

** API and ABI modifications:
No changes since last version.



* Version 3.3.8 (released 2014-09-18)

** libgnutls: Updates in the name constraints checks. No name constraints
will be checked for intermediate certificates. As our support for name
constraints is limited to e-mail addresses in DNS names, it is pointless
to check them on intermediate certificates.

** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple
object listing would fail completely if a single object could not be exported.

** libgnutls: Improved the performance of PKCS #11 object listing/retrieving,
by retrieving them in large batches. Report and suggestion by David
Woodhouse.

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from
Codenomicon.

** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: when comparing a CA certificate with the trusted list compare
the name and key only instead of the whole certificate. That is to handle
cases where a CA certificate was superceded by a different one with the same
name and the same key.

** libgnutls: when verifying a certificate against a p11-kit trusted
module, use the attached extensions in the module to override the CA's
extensions (that requires p11-kit 0.20.7).

** libgnutls: In DTLS prevent sending zero-size fragments in certain cases
of MTU split. Reported by Manuel Pégourié-Gonnard.

** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows
verifying using a hostname and a purpose (extended key usage). That
enhances PKCS #11 trust module verification, as it can now check the purpose
when this function is used.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid. Reported by Armin Burgmeier.

** libgnutls: added option --disable-padlock to allow disabling the padlock
CPU acceleration.

** p11tool: when listing tokens, list their type as well.

** p11tool: when listing objects from a trust module print any attached
extensions on certificates.

** API and ABI modifications:
gnutls_x509_crq_get_extension_by_oid2: Added
gnutls_x509_crt_get_extension_by_oid2: Added
gnutls_x509_trust_list_verify_crt2: Added
gnutls_x509_ext_print: Added
gnutls_x509_ext_deinit: Added
gnutls_x509_othername_to_virtual: Added
gnutls_pkcs11_obj_get_exts: Added
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2014-09-19 08:47:10 UTC 
thanks! added.