| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All patches automatically refreshed.
The most important changes are two "medium" CVEs fixed in GnuTLS 3.8.4:
- CVE-2024-28834 / GNUTLS-SA-2023-12-04
A vulnerability was found that the deterministic ECDSA code leaks
bit-length of random nonce which allows for full recovery of the
private key used after observing a few hundreds to a few thousands of
signatures on known messages, due to the application of lattice
techniques.
The issue was reported in the issue tracker as [#1516](https://gitlab.com/gnutls/gnutls/-/issues/1516).
- CVE-2024-28835 / GNUTLS-SA-2024-01-23
When validating a certificate chain with more then 16 certificates
GnuTLS applications crash with an assertion failure.
The issue was reported in the issue tracker as [#1527](https://gitlab.com/gnutls/gnutls/-/issues/1527) and [#1525](https://gitlab.com/gnutls/gnutls/-/issues/1525).
Augmented copy/extract from upstream's NEWS file since GnuTLS 3.8.3:
- Version 3.8.5 (released 2024-04-04)
- libgnutls: Due to majority of usages and implementations of
RSA decryption with PKCS#1 v1.5 padding being incorrect,
leaving them vulnerable to Marvin attack, the RSAES-PKCS1-v1_5
is being deprecated (encryption and decryption) and will be
disabled in the future. A new option `allow-rsa-pkcs1-encrypt`
has been added into the system-wide library configuration which
allows to enable/disable the RSAES-PKCS1-v1_5. Currently, the
RSAES-PKCS1-v1_5 is enabled by default.
- libgnutls: Added support for RIPEMD160 and PBES1-DES-SHA1 for
backward compatibility with GCR.
- libgnutls: A couple of memory related issues have been fixed in RSA PKCS#1
v1.5 decryption error handling and deterministic ECDSA with earlier
versions of GMP. These were a regression introduced in the 3.8.4
release. See [#1535](https://gitlab.com/gnutls/gnutls/-/issues/1535) and [!1827](https://gitlab.com/gnutls/gnutls/-/merge_requests/1827).
- build: Fixed a bug where building gnutls statically failed due
to a duplicate definition of `nettle_rsa_compute_root_tr()`.
- API and ABI modifications:
- `GNUTLS_PKCS_PBES1_DES_SHA1`: New enum member of `gnutls_pkcs_encrypt_flags_t`.
- Version 3.8.4 (released 2024-03-18)
- libgnutls: RSA-OAEP encryption scheme is now supported
To use it with an unrestricted RSA private key, one would need to
initialize a `gnutls_x509_spki_t` object with necessary parameters
for RSA-OAEP and attach it to the private key. It is also possible
to import restricted private keys if they are stored in PKCS#8
format.
- libgnutls: Fix side-channel in the deterministic ECDSA.
Reported by George Pantelakis ([#1516](https://gitlab.com/gnutls/gnutls/-/issues/1516)).
[GNUTLS-SA-2023-12-04, CVSS: medium] [CVE-2024-28834]
- libgnutls: Fixed a bug where certtool crashed when verifying a certificate
chain with more than 16 certificates. Reported by William Woodruff ([#1525](https://gitlab.com/gnutls/gnutls/-/issues/1525))
and yixiangzhike ([#1527](https://gitlab.com/gnutls/gnutls/-/issues/1527)).
[GNUTLS-SA-2024-01-23, CVSS: medium] [CVE-2024-28835]
- libgnutls: Compression libraries are now loaded dynamically as needed
instead of all being loaded during gnutls library initialization.
As a result, the library initialization should be faster.
- build: The gnutls library can now be linked with the static library
of GMP. Note that in order for this to work libgmp.a needs to be
compiled with -fPIC and libhogweed in Nettle also has to be linked
to the static library of GMP. This can be used to prevent custom
memory allocators from being overriden by other applications.
- API and ABI modifications:
- `gnutls_x509_spki_get_rsa_oaep_params`: New function.
- `gnutls_x509_spki_set_rsa_oaep_params`: New function.
- `GNUTLS_PK_RSA_OAEP`: New enum member of `gnutls_pk_algorithm_t`.
Signed-off-by: Pascal Ernster <git@hardfalcon.net>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Zabbix verifies the version of gnutls by search in the header gnutls.h.
This is done with 'cat' and 'egrep'. The problem here is now that the
preprocess definition did changed in gnutls.h, so the regex does not
match anymore.
The following error message acourse in the log:
> configure: error: GnuTLS library version requirement not met (>= 3.1.18)
To fix this backport an upstream patch to let the regex work again.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since a few days staging_dir/host/share/aclocal/ contains new m4 files
(libunistring-base.m4, libunistring-optional.m4, libunistring.m4 etc.)
that get applied during autoreconf. This changes the libunistring setup
enough that we run into problem (builds fail).
Load the libunistring-optional gnulib module in configure.ac to be able
to add/use the new configure switch "--with-included-libunistring".
This is at most a workaround. This should be followed up with gnutls
upstream to clean this up.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes: https://github.com/openwrt/openwrt/issues/12542
The detailed list of changes follows:
* Version 3.8.0 (released 2023-02-09)
** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
[GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]
** libgnutls: C++ library is now header only. All definitions from
gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++
interface have two options:
1. include gnutlsxx.h in their application and link against
the C library. (default)
2. include gnutlsxx.h in their application, compile with
GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
against the C++ library.
** libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
priority modifier have been added to allow disabling of the
status_request TLS extension in the client side.
** libgnutls: TLS heartbeat is disabled by default.
The heartbeat extension in TLS (RFC 6520) is not widely used given
other implementations dropped support for it. To enable back
support for it, supply --enable-heartbeat-support to configure
script.
** libgnutls: SRP authentication is now disabled by default.
It is disabled because the SRP authentication in TLS is not up to
date with the latest TLS standards and its ciphersuites are based
on the CBC mode and SHA-1. To enable it back, supply
--enable-srp-authentication option to configure script.
** libgnutls: All code has been indented using "indent -ppi1 -linux".
CI/CD has been adjusted to catch regressions. This is implemented
through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s
commit-check. You may run devel/indent-gnutls to fix any
indentation issues if you make code modifications.
** guile: Guile-bindings removed.
They have been extracted into a separate project to reduce complexity
and to simplify maintenance, see <https://gitlab.com/gnutls/guile/>.
** minitasn1: Upgraded to libtasn1 version 4.19.
** API and ABI modifications:
GNUTLS_NO_STATUS_REQUEST: New flag
GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member
GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member
Signed-off-by: Antonio Flores <antflores627@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bump to latest upstream release. Rebased existing patches.
This version introduces certificate compression support, and with that,
optional dependencies on zlib and zstd. When configure picks them up,
build will fail due to missing dependencies:
Package libgnutls is missing dependencies for the following libraries:
libz.so.1
libzstd.so.1
Disable zlib and zstd support to avoid that.
Signed-off-by: John Audia <graysky@archlinux.us>
[disable zlib and zstd]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
| |
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the --install parameter when running aclocal. The --install
argument is used to copy third-party files to the first -I directory.
gnutls has -I m4 first, which would copy files to its local build
directory. However, openwrt prepends the staging dir m4 directory,
causing aclocal --install to copy an old definition of
ax_code_coverage.m4 into the staging dir.
If strace is built after gnutls, compilation will fail:
Makefile:9303: *** missing separator. Stop.
The version of ax_code_coverage.m4 that gets installed does not define
@CODE_COVERAGE_RULES@.
Removing the --install parameter in gnutls solves the issue.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
| |
|
|
|
|
| |
Fixes #16083
This reverts commit 59a39d4c6fbe9c0179b16a714bf1a0c3afcbef5e.
|
| |
|
|
| |
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
|
| |
Fixes
CVE-2021-20231
CVE-2021-20232
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
|
| |
|
|
|
|
|
|
| |
Added autoreconf to fix bad linking under Arch Linux.
Added patch to fix compilation with autoreconf.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
| |
It was causing regressions in systems without some particular
development tools (see #8129)
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
| |
Resolves #640
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|