pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/gnutls Update to 2.8.3. Changes:



details:   https://anonhg.NetBSD.org/pkgsrc/rev/a8ecbb0526ec
branches:  trunk
changeset: 397475:a8ecbb0526ec
user:      snj <snj%pkgsrc.org@localhost>
date:      Thu Aug 13 18:56:32 2009 +0000

description:
Update to 2.8.3.  Changes:

* Version 2.8.3 (released 2009-08-13)

** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to an out-of-bounds read error in
some situations.  Reported by Tomas Hoger <thoger%redhat.com@localhost>.  A CVE
code has been allocated for the vulnerability: [CVE-2009-2730].

** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.

** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.

** tests: Made self-test mini-eagain take less time.

** doc: Typo fixes.

** API and ABI modifications:
No changes since last version.

* Version 2.8.2 (released 2009-08-10)

** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate.  Some CAs apparently have poor
checking of CN/SAN values and issue these (arguably invalid)
certificates.  Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions.  The problem is mitigated
since attackers need to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA.  It does not apply to client authenticated TLS
sessions.  Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09.  Thanks to Tomas Hoger <thoger%redhat.com@localhost>
for providing one part of the patch.  [GNUTLS-SA-2009-4].

** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false.  Reported by Peter Hendrickson
<pdh%wiredyne.com@localhost> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.

** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs.  Reported by Tim Kosse
<tim.kosse%filezilla-project.org@localhost> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.

** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits.  Before, the reported value was
overestimated.  Reported by Peter Hendrickson <pdh%wiredyne.com@localhost> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.

** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse%filezilla-project.org@localhost> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.

** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before, we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with.  Now we just check
that the runtime usage is above the minimum required.  Reported by
Marco d'Itri <md%linux.it@localhost> via Andreas Metzler
<ametzler%downhill.at.eu.org@localhost> in <http://bugs.debian.org/540449>.

** minitasn1: Internal copy updated to libtasn1 v2.3.

** tests: Fix failure in "chainverify" because a certificate has expired.

** API and ABI modifications:
No changes since last version.
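The NUL-in-CN/SAN problem described in the 2.8.2 entry above comes from treating a length-delimited DER string as a NUL-terminated C string. The following is an added example, not GnuTLS code and not part of this commit: it places a flawed matcher next to a length-aware one, using a constructed dNSName value with an embedded NUL. The function names and the sample name are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GnuTLS code.  `san` and `san_len` model the bytes and
 * the length that an ASN.1 decoder reports for one dNSName entry; `host`
 * is the NUL-terminated hostname the client is connecting to. */

/* Flawed: strcmp() stops at the first NUL, so a SAN of
 * "bank.example\0.other.example" compares equal to "bank.example".
 * The declared length is ignored, which is exactly the defect. */
int match_host_naive(const unsigned char *san, size_t san_len, const char *host)
{
    (void)san_len;
    return strcmp((const char *)san, host) == 0;
}

/* Hardened: a DNS name may not contain NUL, so any NUL inside the declared
 * length makes the entry invalid; otherwise compare the full declared
 * length, case-insensitively (DNS names are case-insensitive).
 * Returns 1 on match, 0 otherwise. */
int match_host_checked(const unsigned char *san, size_t san_len, const char *host)
{
    size_t host_len = strlen(host);
    size_t i;

    if (memchr(san, '\0', san_len) != NULL)
        return 0;                       /* embedded NUL: reject the name */
    if (san_len == 0 || san_len != host_len)
        return 0;                       /* length mismatch, cannot be equal */
    for (i = 0; i < san_len; i++) {
        if (tolower(san[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}

/* Constructed sample: a 27-byte dNSName value with a NUL at offset 12. */
static const unsigned char SAMPLE_SAN[] = "bank.example\0.other.example";
#define SAMPLE_SAN_LEN (sizeof(SAMPLE_SAN) - 1)

int main(void)
{
    printf("naive matcher accepts NUL name:   %d\n",
           match_host_naive(SAMPLE_SAN, SAMPLE_SAN_LEN, "bank.example"));
    printf("checked matcher accepts NUL name: %d\n",
           match_host_checked(SAMPLE_SAN, SAMPLE_SAN_LEN, "bank.example"));
    printf("checked matcher on clean name:    %d\n",
           match_host_checked((const unsigned char *)"Bank.Example", 12,
                              "bank.example"));
    return 0;
}
```

The same length-versus-strlen comparison is the cheapest way to detect such certificates when auditing a CA's output: if `strlen()` of a decoded name is shorter than the ASN.1 length, the entry contains a NUL and should be treated as invalid rather than matched.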

diffstat:

 security/gnutls/Makefile         |   5 ++---
 security/gnutls/distinfo         |  12 ++++++------
 security/gnutls/patches/patch-ak |  10 +++++-----
 security/gnutls/patches/patch-al |  10 +++++-----
 4 files changed, 18 insertions(+), 19 deletions(-)

diffs (75 lines):

diff -r cd3809fd365c -r a8ecbb0526ec security/gnutls/Makefile
--- a/security/gnutls/Makefile  Thu Aug 13 18:18:56 2009 +0000
+++ b/security/gnutls/Makefile  Thu Aug 13 18:56:32 2009 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.85 2009/07/22 16:50:07 drochner Exp $
+# $NetBSD: Makefile,v 1.86 2009/08/13 18:56:32 snj Exp $
 
-DISTNAME=      gnutls-2.8.1
-PKGREVISION=   1
+DISTNAME=      gnutls-2.8.3
 CATEGORIES=    security devel
 MASTER_SITES=  ftp://ftp.gnutls.org/pub/gnutls/ \
                ftp://ftp.gnupg.org/gcrypt/gnutls/ \
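Review bot: Dropping `PKGREVISION=   1` together with the `DISTNAME` bump is correct, since the revision restarts at zero on each new upstream version, so nothing in this hunk needs changing. The commit message cites CVE-2009-2730 and GNUTLS-SA-2009-4, though, and neither is recorded here; pair this update with the matching pkgsrc vulnerabilities-list entry for gnutls<2.8.3 so that installed 2.8.1 packages are flagged.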
diff -r cd3809fd365c -r a8ecbb0526ec security/gnutls/distinfo
--- a/security/gnutls/distinfo  Thu Aug 13 18:18:56 2009 +0000
+++ b/security/gnutls/distinfo  Thu Aug 13 18:56:32 2009 +0000
@@ -1,12 +1,12 @@
-$NetBSD: distinfo,v 1.59 2009/07/22 16:50:07 drochner Exp $
+$NetBSD: distinfo,v 1.60 2009/08/13 18:56:32 snj Exp $
 
-SHA1 (gnutls-2.8.1.tar.bz2) = b5fd364848709393d05def7e926caddd27169525
-RMD160 (gnutls-2.8.1.tar.bz2) = 3b0d7a80a60dfc3222357d2c83a7ec32bd2c8e33
-Size (gnutls-2.8.1.tar.bz2) = 6178662 bytes
+SHA1 (gnutls-2.8.3.tar.bz2) = c25fb354258777f9ee34b79b08eb87c024cada75
+RMD160 (gnutls-2.8.3.tar.bz2) = 01763fad93e4b76e18dcfb1881c5f09011804dca
+Size (gnutls-2.8.3.tar.bz2) = 6198273 bytes
 SHA1 (patch-ab) = 4b6801f6c8f00b8da8e78f7277450c6f53366fb4
 SHA1 (patch-ae) = f505476ce0477dc547e8698d205d6ba26fe85f48
 SHA1 (patch-af) = bd4701640dfef5bfdce87d620befd93098b0dff3
 SHA1 (patch-ai) = 2c5c181ec6de9622cac66c2d5fe2cc8f3f89fbe8
 SHA1 (patch-aj) = 55187c2a07d67f789678b1a404c6b119b311fc82
-SHA1 (patch-ak) = ba01d607e6fad2108aed0ba2ef4a7c1168b42048
-SHA1 (patch-al) = 5b2e6bab1bc91b6e508915b984dcfa4e6030a8a6
+SHA1 (patch-ak) = f2f4e6f1c6f937eca67235cb01aff1b32cbe4fd8
+SHA1 (patch-al) = f1c9def7d8150d93e14678b1acdbbc1534099452
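Review bot: The new `SHA1`/`RMD160`/`Size` triple for `gnutls-2.8.3.tar.bz2` pins whatever tarball was fetched, so the upstream signature of the archive should be verified before these values are committed; the hashes themselves cannot tell a tampered download from a good one. The changed `SHA1 (patch-ak)` and `SHA1 (patch-al)` lines are consistent with the regenerated patches in the following hunks.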
diff -r cd3809fd365c -r a8ecbb0526ec security/gnutls/patches/patch-ak
--- a/security/gnutls/patches/patch-ak  Thu Aug 13 18:18:56 2009 +0000
+++ b/security/gnutls/patches/patch-ak  Thu Aug 13 18:56:32 2009 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-ak,v 1.1 2009/07/22 16:50:07 drochner Exp $
+$NetBSD: patch-ak,v 1.2 2009/08/13 18:56:32 snj Exp $
 
---- configure.orig     2009-06-17 20:42:30.000000000 +0200
-+++ configure
-@@ -8587,7 +8587,7 @@ $as_echo "#define GNUTLS_POINTER_TO_INT_
+--- configure.orig     2009-08-13 02:54:16.000000000 -0700
++++ configure  2009-08-13 10:50:08.000000000 -0700
+@@ -8651,7 +8651,7 @@ done
  $as_echo_n "checking whether to disable OpenSSL compatibility layer... " >&6; }
    # Check whether --enable-openssl-compatibility was given.
- if test "${enable_openssl_compatibility+set}" = set; then
+ if test "${enable_openssl_compatibility+set}" = set; then :
 -  enableval=$enable_openssl_compatibility; enable_openssl=$withval
 +  enableval=$enable_openssl_compatibility; enable_openssl=$enableval
  else
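Review bot: The `$withval` to `$enableval` change on the `enableval=$enable_openssl_compatibility; enable_openssl=...` line corrects a genuine autoconf mistake (`$withval` is set by `--with-*` options, not by `--enable-*`), and the rebased header `+@@ -8651,7 +8651,7 @@ done` plus the new `then :` context line show the patch was regenerated against the 2.8.3 `configure` rather than carried over blindly. Since `configure` is generated, the fix belongs in the upstream source as well; send it upstream so this patch can be dropped at a later update, and add a one-line comment after the `$NetBSD$` line stating that purpose.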
diff -r cd3809fd365c -r a8ecbb0526ec security/gnutls/patches/patch-al
--- a/security/gnutls/patches/patch-al  Thu Aug 13 18:18:56 2009 +0000
+++ b/security/gnutls/patches/patch-al  Thu Aug 13 18:56:32 2009 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-al,v 1.1 2009/07/22 16:50:07 drochner Exp $
+$NetBSD: patch-al,v 1.2 2009/08/13 18:56:32 snj Exp $
 
---- libextra/configure.orig    2009-06-17 20:47:38.000000000 +0200
-+++ libextra/configure
-@@ -12996,7 +12996,7 @@ $as_echo "#define GNUTLS_POINTER_TO_INT_
+--- libextra/configure.orig    2009-08-13 02:54:00.000000000 -0700
++++ libextra/configure 2009-08-13 10:51:47.000000000 -0700
+@@ -13170,7 +13170,7 @@ done
  $as_echo_n "checking whether to disable OpenSSL compatibility layer... " >&6; }
    # Check whether --enable-openssl-compatibility was given.
- if test "${enable_openssl_compatibility+set}" = set; then
+ if test "${enable_openssl_compatibility+set}" = set; then :
 -  enableval=$enable_openssl_compatibility; enable_openssl=$withval
 +  enableval=$enable_openssl_compatibility; enable_openssl=$enableval
  else
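Review bot: This is the same `$withval` to `$enableval` correction as patch-ak, applied to `libextra/configure` with its own rebased offset (`+@@ -13170,7 +13170,7 @@ done`). The identical defect in both scripts suggests a shared macro is the real origin, so one upstream fix would cover both; as with patch-ak, a comment line explaining the patch after `$NetBSD: patch-al,v 1.2` would make the next rebase easier to review.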