pkgsrc-Changes archive


CVS commit: pkgsrc/security/gnutls



Module Name:    pkgsrc
Committed By:   adam
Date:           Mon Feb  9 19:35:36 UTC 2026

Modified Files:
        pkgsrc/security/gnutls: Makefile buildlink3.mk distinfo options.mk

Log Message:
gnutls: updated to 3.8.12

Version 3.8.12 (released 2026-02-09)

** libgnutls: Fix NULL pointer dereference in PSK binder verification
   A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
   could lead to a denial of service attack via crashing the server.
   The updated code guards against the problematic dereference.
   Reported by Jaehun Lee.
   [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]

** libgnutls: Fix name constraint processing performance issue
   Verifying certificates with pathological amounts of name constraints
   could lead to a denial of service attack via resource exhaustion.
   Reworked processing algorithms exhibit better performance characteristics.
   Reported by Tim Scheckenbach.
   [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]

** libgnutls: Fix multiple unexploitable overflows

** libgnutls: Fall back to thread-unsafe module initialization
   Improve fallback handling for PKCS#11 modules that
   don't support thread-safe initialization.
   Also return filename from p11_kit_module_get_name() for unconfigured modules.

** libgnutls: Accept NULL as digest argument for gnutls_hash_output
   The accelerated implementation of gnutls_hash_output() now
   properly accepts NULL as the digest argument, matching the
   behavior of the reference implementation.

** srptool: Avoid a stack buffer overflow when processing large SRP groups.
   Reported and fixed by Mikhail Dmitrichenko.

** API and ABI modifications:
No changes since last version.


To generate a diff of this commit:
cvs rdiff -u -r1.273 -r1.274 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.59 -r1.60 pkgsrc/security/gnutls/buildlink3.mk
cvs rdiff -u -r1.170 -r1.171 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/security/gnutls/options.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/gnutls/Makefile
diff -u pkgsrc/security/gnutls/Makefile:1.273 pkgsrc/security/gnutls/Makefile:1.274
--- pkgsrc/security/gnutls/Makefile:1.273       Fri Feb  6 10:05:47 2026
+++ pkgsrc/security/gnutls/Makefile     Mon Feb  9 19:35:36 2026
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.273 2026/02/06 10:05:47 wiz Exp $
+# $NetBSD: Makefile,v 1.274 2026/02/09 19:35:36 adam Exp $
 
-DISTNAME=      gnutls-3.8.11
-PKGREVISION=   3
+DISTNAME=      gnutls-3.8.12
 CATEGORIES=    security devel
 MASTER_SITES=  ${MASTER_SITE_GNUPG:=gnutls/v${PKGVERSION_NOREV:R}/}
 EXTRACT_SUFX=  .tar.xz

Index: pkgsrc/security/gnutls/buildlink3.mk
diff -u pkgsrc/security/gnutls/buildlink3.mk:1.59 pkgsrc/security/gnutls/buildlink3.mk:1.60
--- pkgsrc/security/gnutls/buildlink3.mk:1.59   Fri Feb  6 10:05:47 2026
+++ pkgsrc/security/gnutls/buildlink3.mk        Mon Feb  9 19:35:36 2026
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.59 2026/02/06 10:05:47 wiz Exp $
+# $NetBSD: buildlink3.mk,v 1.60 2026/02/09 19:35:36 adam Exp $
 
 BUILDLINK_TREE+=       gnutls
 
@@ -23,6 +23,12 @@ pkgbase := gnutls
 .if ${PKG_BUILD_OPTIONS.gnutls:Mpkcs11}
 .include "../../security/p11-kit/buildlink3.mk"
 .endif
+.if ${PKG_BUILD_OPTIONS.gnutls:Mbrotli}
+.include "../../archivers/brotli/buildlink3.mk"
+.endif
+.if ${PKG_BUILD_OPTIONS.gnutls:Mzstd}
+.include "../../archivers/zstd/buildlink3.mk"
+.endif
 .endif # GNUTLS_BUILDLINK3_MK
 
 BUILDLINK_TREE+=       -gnutls

Index: pkgsrc/security/gnutls/distinfo
diff -u pkgsrc/security/gnutls/distinfo:1.170 pkgsrc/security/gnutls/distinfo:1.171
--- pkgsrc/security/gnutls/distinfo:1.170       Fri Nov 21 16:44:12 2025
+++ pkgsrc/security/gnutls/distinfo     Mon Feb  9 19:35:36 2026
@@ -1,8 +1,7 @@
-$NetBSD: distinfo,v 1.170 2025/11/21 16:44:12 manu Exp $
+$NetBSD: distinfo,v 1.171 2026/02/09 19:35:36 adam Exp $
 
-BLAKE2s (gnutls-3.8.11.tar.xz) = ef0cf4a456a747a3dd396d0fdcede21358bf7ef56e714d12464fd438123f2370
-SHA512 (gnutls-3.8.11.tar.xz) = 68f9e5bec3aa6686fd3319cc9c88a5cc44e2a75144049fc9de5fb55fef2241b4e16996af4be5dd48308abbee8cfaed6c862903f6bb89aff5dfa5410075bd7386
-Size (gnutls-3.8.11.tar.xz) = 6939944 bytes
+BLAKE2s (gnutls-3.8.12.tar.xz) = 9955320f8dff9824a2a33c46533b0d889a3d8336de4b6fb02f92a49187f2b072
+SHA512 (gnutls-3.8.12.tar.xz) = 332a8e5200461517c7f08515e3aaab0bec6222747422e33e9e7d25d35613e3d0695a803fce226bd6a83f723054f551328bd99dcf0573e142be777dcf358e1a3b
+Size (gnutls-3.8.12.tar.xz) = 6949604 bytes
 SHA1 (patch-configure) = 866d8a365b8338348230e47518788f494279b139
 SHA1 (patch-doc_examples_tlsproxy_tlsproxy.c) = 5062df3a73e69abca25710d016b949eef62af453
-SHA1 (patch-lib_crau_crau.h) = 02c36d3cbb638de0c8ec3662f9688dfdce596fed
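Review bot: the last line of this hunk drops the `SHA1 (patch-lib_crau_crau.h)` entry, but the Modified Files list for this commit names only Makefile, buildlink3.mk, distinfo and options.mk and shows no patch file being removed. Please confirm that the corresponding patch file is gone from the package's patches (in this commit or an earlier one) so that distinfo and the patch set stay in sync, and say in the log message why the patch is no longer needed with 3.8.12.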

Index: pkgsrc/security/gnutls/options.mk
diff -u pkgsrc/security/gnutls/options.mk:1.7 pkgsrc/security/gnutls/options.mk:1.8
--- pkgsrc/security/gnutls/options.mk:1.7       Wed May 15 08:13:25 2024
+++ pkgsrc/security/gnutls/options.mk   Mon Feb  9 19:35:36 2026
@@ -1,7 +1,7 @@
-# $NetBSD: options.mk,v 1.7 2024/05/15 08:13:25 nia Exp $
+# $NetBSD: options.mk,v 1.8 2026/02/09 19:35:36 adam Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.gnutls
-PKG_SUPPORTED_OPTIONS= dane pkcs11
+PKG_SUPPORTED_OPTIONS= brotli dane pkcs11 zstd
 PKG_SUGGESTED_OPTIONS= pkcs11
 
 .include "../../mk/bsd.options.mk"
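Review bot: the `PKG_SUPPORTED_OPTIONS= brotli dane pkcs11 zstd` line introduces two new package options, yet the log message only reproduces the upstream 3.8.12 notes and never mentions them. Add a line to the commit log (for example "Add brotli and zstd options, off by default") so that users reading pkgsrc-Changes can see the packaging change; `PKG_SUGGESTED_OPTIONS= pkcs11` is unchanged, so neither option is enabled unless requested.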
@@ -22,3 +22,17 @@ BUILDLINK_API_DEPENDS.p11-kit+=      p11-kit>
 .else
 CONFIGURE_ARGS+=       --without-p11-kit
 .endif
+
+.if !empty(PKG_OPTIONS:Mbrotli)
+CONFIGURE_ARGS+=       --with-brotli
+.include "../../archivers/brotli/buildlink3.mk"
+.else
+CONFIGURE_ARGS+=       --without-brotli
+.endif
+
+.if !empty(PKG_OPTIONS:Mzstd)
+CONFIGURE_ARGS+=       --with-zstd
+.include "../../archivers/zstd/buildlink3.mk"
+.else
+CONFIGURE_ARGS+=       --without-zstd
+.endif


