pkgsrc-Changes archive


CVS commit: pkgsrc/security/gnutls



Module Name:    pkgsrc
Committed By:   adam
Date:           Wed Jul  9 11:55:37 UTC 2025

Modified Files:
        pkgsrc/security/gnutls: Makefile distinfo

Log Message:
gnutls: updated to 3.8.10

Version 3.8.10 (released 2025-07-08)

** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
   Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
   [CVE-2025-6395]

** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
   Spotted by oss-fuzz and reported by OpenAI Security Research Team,
   and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
   CVSS: medium] [CVE-2025-32989]

** libgnutls: Fix double-free upon error when exporting otherName in SAN
   Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
   CVSS: low] [CVE-2025-32988]

** certtool: Fix 1-byte write buffer overrun when parsing template
   Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
   CVSS: low] [CVE-2025-32990]

** libgnutls: PKCS#11 modules can now be used to override the default
   cryptographic backend. Use the [provider] section in the system-wide config
   to specify path and pin to the module (see system-wide config Documentation).

** libgnutls: Linux kernel version 6.14 brings Kernel TLS (kTLS) key update
   support. The library running on the aforementioned version now utilizes the
   kernel’s key update mechanism when kTLS is enabled, allowing an uninterrupted
   TLS session. The --enable-ktls configure option as well as the system-wide
   kTLS configuration (see GnuTLS Documentation) are still required to enable
   this feature.

** libgnutls: liboqs support for PQC has been removed
   For maintenance purposes, support for post-quantum cryptography
   (PQC) is now only provided through leancrypto. The experimental key
   exchange algorithm, X25519Kyber768Draft00, which is based on the
   round 3 candidate of Kyber and only supported through liboqs has
   also been removed altogether.

** libgnutls: TLS certificate compression methods can now be set with
   cert-compression-alg configuration option in the gnutls priority file.

** libgnutls: All variants of ML-DSA private key formats are supported
   While the previous implementation of ML-DSA was based on
   draft-ietf-lamps-dilithium-certificates-04, this updates it to
   draft-ietf-lamps-dilithium-certificates-12 with support for all 3
   variants of private key formats: "seed", "expandedKey", and "both".

** libgnutls: ML-DSA signatures can now be used in TLS
   The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
   ML-DSA-87, can now be used to digitally sign TLS handshake
   messages.

** API and ABI modifications:
GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t


To generate a diff of this commit:
cvs rdiff -u -r1.267 -r1.268 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.167 -r1.168 pkgsrc/security/gnutls/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/gnutls/Makefile
diff -u pkgsrc/security/gnutls/Makefile:1.267 pkgsrc/security/gnutls/Makefile:1.268
--- pkgsrc/security/gnutls/Makefile:1.267       Thu Apr 17 21:52:14 2025
+++ pkgsrc/security/gnutls/Makefile     Wed Jul  9 11:55:36 2025
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.267 2025/04/17 21:52:14 wiz Exp $
+# $NetBSD: Makefile,v 1.268 2025/07/09 11:55:36 adam Exp $
 
-DISTNAME=      gnutls-3.8.9
-PKGREVISION=   1
+DISTNAME=      gnutls-3.8.10
 CATEGORIES=    security devel
 MASTER_SITES=  ${MASTER_SITE_GNUPG:=gnutls/v${PKGVERSION_NOREV:R}/}
 EXTRACT_SUFX=  .tar.xz
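
Review bot: At the DISTNAME and PKGREVISION lines, the hunk changes only the version, while the log message says liboqs support was removed upstream and that kTLS still depends on the --enable-ktls configure option. Please confirm that nothing further down the Makefile (outside this hunk) still refers to liboqs, and say in the log whether this package builds with kTLS enabled. Dropping PKGREVISION together with the bump to gnutls-3.8.10 is correct.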

Index: pkgsrc/security/gnutls/distinfo
diff -u pkgsrc/security/gnutls/distinfo:1.167 pkgsrc/security/gnutls/distinfo:1.168
--- pkgsrc/security/gnutls/distinfo:1.167       Wed Feb 12 08:33:23 2025
+++ pkgsrc/security/gnutls/distinfo     Wed Jul  9 11:55:36 2025
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.167 2025/02/12 08:33:23 adam Exp $
+$NetBSD: distinfo,v 1.168 2025/07/09 11:55:36 adam Exp $
 
-BLAKE2s (gnutls-3.8.9.tar.xz) = 17ff18b116978c860a1b01cfa2f14ab35afa731b67c6cb3c7c28be000930d01e
-SHA512 (gnutls-3.8.9.tar.xz) = b3b201671bf4e75325610a0291d4cd36a669718e22b3685246b64bde97b5bd94f463ab376ed817869869714115f4ff11bdc53c32604bb04a8ff8e10daa6d1fc7
-Size (gnutls-3.8.9.tar.xz) = 6847364 bytes
+BLAKE2s (gnutls-3.8.10.tar.xz) = 33a7ef08a81bbecb5f66a5eb52a685bb018e8351e507bbd2fb03f0d25e001b21
+SHA512 (gnutls-3.8.10.tar.xz) = d453bd4527af95cb3905ce8753ceafd969e3f442ad1d148544a233ebf13285b999930553a805a0511293cc25390bb6a040260df5544a7c55019640f920ad3d92
+Size (gnutls-3.8.10.tar.xz) = 6909856 bytes
 SHA1 (patch-configure) = 866d8a365b8338348230e47518788f494279b139
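
Review bot: The `SHA1 (patch-configure)` context line is unchanged, so the local configure patch is carried over as-is onto 3.8.10; please confirm it still applies cleanly to the new release's configure script. The new BLAKE2s, SHA512 and Size lines only record the tarball that was fetched, so gnutls-3.8.10.tar.xz should be checked against the upstream release signature before these values are committed, all the more since this update carries the four CVE fixes listed in the log message.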


