pkgsrc-Changes archive


CVS commit: [pkgsrc-2025Q2] pkgsrc/security/gnutls



Module Name:    pkgsrc
Committed By:   maya
Date:           Thu Jul 17 01:37:36 UTC 2025

Modified Files:
        pkgsrc/security/gnutls [pkgsrc-2025Q2]: Makefile distinfo

Log Message:
Pullup ticket #6984 - requested by taca
security/gnutls: Security fix

Revisions pulled up:
- security/gnutls/Makefile                                      1.268
- security/gnutls/distinfo                                      1.168

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Wed Jul  9 11:55:37 UTC 2025

   Modified Files:
           pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   gnutls: updated to 3.8.10

   Version 3.8.10 (released 2025-07-08)

   ** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
      Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
      [CVE-2025-6395]

   ** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
      Spotted by oss-fuzz and reported by OpenAI Security Research Team,
      and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
      CVSS: medium] [CVE-2025-32989]

   ** libgnutls: Fix double-free upon error when exporting otherName in SAN
      Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
      CVSS: low] [CVE-2025-32988]

   ** certtool: Fix 1-byte write buffer overrun when parsing template
      Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
      CVSS: low] [CVE-2025-32990]

   ** libgnutls: PKCS#11 modules can now be used to override the default
      cryptographic backend. Use the [provider] section in the system-wide config
      to specify path and pin to the module (see system-wide config Documentation).

   ** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update
      support. The library running on the aforementioned version now utilizes the
      kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
      TLS session. The --enable-ktls configure option as well as the system-wide
      kTLS configuration (see GnuTLS Documentation) are still required to enable
      this feature.

   ** libgnutls: liboqs support for PQC has been removed
      For maintenance purposes, support for post-quantum cryptography
      (PQC) is now only provided through leancrypto. The experimental key
      exchange algorithm, X25519Kyber768Draft00, which is based on the
      round 3 candidate of Kyber and only supported through liboqs has
      also been removed altogether.

   ** libgnutls: TLS certificate compression methods can now be set with
      cert-compression-alg configuration option in the gnutls priority file.

   ** libgnutls: All variants of ML-DSA private key formats are supported
      While the previous implementation of ML-DSA was based on
      draft-ietf-lamps-dilithium-certificates-04, this updates it to
      draft-ietf-lamps-dilithium-certificates-12 with support for all 3
      variants of private key formats: "seed", "expandedKey", and "both".

   ** libgnutls: ML-DSA signatures can now be used in TLS
      The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
      ML-DSA-87, can now be used to digitally sign TLS handshake
      messages.

   ** API and ABI modifications:
   GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
   GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t


To generate a diff of this commit:
cvs rdiff -u -r1.267 -r1.267.2.1 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.167 -r1.167.4.1 pkgsrc/security/gnutls/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/gnutls/Makefile
diff -u pkgsrc/security/gnutls/Makefile:1.267 pkgsrc/security/gnutls/Makefile:1.267.2.1
--- pkgsrc/security/gnutls/Makefile:1.267       Thu Apr 17 21:52:14 2025
+++ pkgsrc/security/gnutls/Makefile     Thu Jul 17 01:37:36 2025
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.267 2025/04/17 21:52:14 wiz Exp $
+# $NetBSD: Makefile,v 1.267.2.1 2025/07/17 01:37:36 maya Exp $
 
-DISTNAME=      gnutls-3.8.9
-PKGREVISION=   1
+DISTNAME=      gnutls-3.8.10
 CATEGORIES=    security devel
 MASTER_SITES=  ${MASTER_SITE_GNUPG:=gnutls/v${PKGVERSION_NOREV:R}/}
 EXTRACT_SUFX=  .tar.xz
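
Review bot: only the `DISTNAME=` and `PKGREVISION=` lines change in this hunk, yet the 3.8.10 notes quoted in the log message say liboqs support was removed and PQC is now provided only through leancrypto. Please confirm that nothing further down the Makefile or in the package options still refers to liboqs, since that part of the file is not visible here. Dropping `PKGREVISION= 1` together with the version bump is correct.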

Index: pkgsrc/security/gnutls/distinfo
diff -u pkgsrc/security/gnutls/distinfo:1.167 pkgsrc/security/gnutls/distinfo:1.167.4.1
--- pkgsrc/security/gnutls/distinfo:1.167       Wed Feb 12 08:33:23 2025
+++ pkgsrc/security/gnutls/distinfo     Thu Jul 17 01:37:36 2025
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.167 2025/02/12 08:33:23 adam Exp $
+$NetBSD: distinfo,v 1.167.4.1 2025/07/17 01:37:36 maya Exp $
 
-BLAKE2s (gnutls-3.8.9.tar.xz) = 17ff18b116978c860a1b01cfa2f14ab35afa731b67c6cb3c7c28be000930d01e
-SHA512 (gnutls-3.8.9.tar.xz) = b3b201671bf4e75325610a0291d4cd36a669718e22b3685246b64bde97b5bd94f463ab376ed817869869714115f4ff11bdc53c32604bb04a8ff8e10daa6d1fc7
-Size (gnutls-3.8.9.tar.xz) = 6847364 bytes
+BLAKE2s (gnutls-3.8.10.tar.xz) = 33a7ef08a81bbecb5f66a5eb52a685bb018e8351e507bbd2fb03f0d25e001b21
+SHA512 (gnutls-3.8.10.tar.xz) = d453bd4527af95cb3905ce8753ceafd969e3f442ad1d148544a233ebf13285b999930553a805a0511293cc25390bb6a040260df5544a7c55019640f920ad3d92
+Size (gnutls-3.8.10.tar.xz) = 6909856 bytes
 SHA1 (patch-configure) = 866d8a365b8338348230e47518788f494279b139
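
Review bot: the `SHA1 (patch-configure)` context line is unchanged, so the existing configure patch is carried over as-is onto the 3.8.10 tarball; please confirm it still applies cleanly to the new release's configure script. The new BLAKE2s, SHA512 and Size values for gnutls-3.8.10.tar.xz only pin whatever file was fetched when distinfo was regenerated, so it is worth stating in the pull-up request that the tarball was checked against the upstream release signature before the hashes were recorded.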


