pkgsrc-Changes archive


CVS commit: pkgsrc/security/gnutls



Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Nov 20 20:55:29 UTC 2025

Modified Files:
        pkgsrc/security/gnutls: Makefile PLIST distinfo

Log Message:
gnutls: update to 3.8.11.

* Version 3.8.11 (released 2025-11-18)

** libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
   Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18,
   CVSS: low] [CVE-2025-9820]

** libgnutls: MAC algorithms for PSK binders are now configurable
   The previous implementation assumed HMAC-SHA256 to calculate the
   PSK binders. With the new gnutls_psk_allocate_client_credentials2()
   and gnutls_psk_allocate_server_credentials2() functions, the
   application can use other MAC algorithms such as HMAC-SHA384.

** libgnutls: Expose a new function to provide the maximum record send size
   A new function gnutls_record_get_max_send_size() has been added to
   determine the maximum size of a TLS record to be sent to the peer.

** libgnutls: Expose a new function to update keys without sending a KeyUpdate
   to the peer. A new function gnutls_handshake_update_receiving_key()
   has been added to allow updating the local receiving key without
   sending any KeyUpdate messages.

** libgnutls: PKCS#11 cryptographic provider configuration takes a token URI
   instead of a module path. To allow using a PKCS#11 module exposing
   multiple tokens, the "path" configuration keyword was replaced with
   the "url" keyword.

** libgnutls: Support crypto-auditing probe points
   crypto-auditing is a project to monitor which cryptographic
   operations are taking place in the library at run time, through
   eBPF. This adds necessary probe points for that, in public key
   cryptography and the TLS use-case. To enable this, run configure
   with --enable-crypto-auditing.

** build: The minimum version of Nettle has been updated to 3.10
   Given Nettle 3.10 is ABI compatible with 3.6 and includes several
   security relevant fixes, the library's minimum requirement of
   Nettle is updated to 3.10.

** build: The default priority file path is now constructed from sysconfdir
   Previously, the location of the default priority file was
   hard-coded to be /etc/gnutls/config. Now it takes into account
   the --sysconfdir option given to the configure script.


To generate a diff of this commit:
cvs rdiff -u -r1.268 -r1.269 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.83 -r1.84 pkgsrc/security/gnutls/PLIST
cvs rdiff -u -r1.168 -r1.169 pkgsrc/security/gnutls/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/gnutls/Makefile
diff -u pkgsrc/security/gnutls/Makefile:1.268 pkgsrc/security/gnutls/Makefile:1.269
--- pkgsrc/security/gnutls/Makefile:1.268       Wed Jul  9 11:55:36 2025
+++ pkgsrc/security/gnutls/Makefile     Thu Nov 20 20:55:29 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.268 2025/07/09 11:55:36 adam Exp $
+# $NetBSD: Makefile,v 1.269 2025/11/20 20:55:29 wiz Exp $
 
-DISTNAME=      gnutls-3.8.10
+DISTNAME=      gnutls-3.8.11
 CATEGORIES=    security devel
 MASTER_SITES=  ${MASTER_SITE_GNUPG:=gnutls/v${PKGVERSION_NOREV:R}/}
 EXTRACT_SUFX=  .tar.xz
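Review bot: the DISTNAME bump to gnutls-3.8.11 brings in the upstream change, described in the log message, that builds the default priority file path from --sysconfdir instead of the hard-coded /etc/gnutls/config, and none of the visible Makefile hunks pins or documents the resulting path. If the package is configured with a sysconfdir other than /etc, an existing /etc/gnutls/config would no longer be read after the upgrade, so a system-wide priority policy could silently stop applying. Suggest stating the effective path in the commit message or a MESSAGE file, or setting it explicitly in the Makefile.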
@@ -36,8 +36,8 @@ CONFIGURE_ARGS.FreeBSD+=      ac_cv_type_max_
 
 .include "options.mk"
 
-# Four failures on NetBSD 9.4_STABLE as of 3.8.8:
-# simple, crq_apis, gnutls-strcodes, system-override-allow-rsa-pkcs1-encrypt.sh
+# Failures on NetBSD 11 as of 3.8.11:
+# test-parse-datetime, test-realloc-posix
 TEST_TARGET=           check
 
 INFO_FILES=            yes
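Review bot: the rewritten comment above TEST_TARGET drops the four failures recorded for NetBSD 9.4_STABLE (simple, crq_apis, gnutls-strcodes, system-override-allow-rsa-pkcs1-encrypt.sh) without saying whether they were re-run and now pass on 3.8.11 or were simply not tested on that platform. Suggest either keeping the older entry alongside the new NetBSD 11 one or noting that those four are resolved, so a later failure in one of them is recognisable as a regression rather than a known issue.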
@@ -105,7 +105,7 @@ CHECK_BUILTIN.zlib:=yes
 .include "../../devel/zlib/buildlink3.mk"
 BUILDLINK_API_DEPENDS.libtasn1+=       libtasn1>=4.9
 .include "../../security/libtasn1/buildlink3.mk"
-BUILDLINK_API_DEPENDS.nettle+=         nettle>=3.6
+BUILDLINK_API_DEPENDS.nettle+=         nettle>=3.10
 .include "../../security/nettle/buildlink3.mk"
 .include "../../textproc/libunistring/buildlink3.mk"
 .include "../../mk/readline.buildlink3.mk"
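Review bot: the BUILDLINK_API_DEPENDS.nettle change from nettle>=3.6 to nettle>=3.10 carries no comment in the Makefile, although the log message gives two reasons for it (upstream's new minimum, and security-relevant fixes in Nettle 3.10). Suggest a one-line comment above the assignment recording that 3.10 is the upstream minimum as of 3.8.11, so the floor is not lowered again by someone who sees that 3.10 is ABI compatible with 3.6.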

Index: pkgsrc/security/gnutls/PLIST
diff -u pkgsrc/security/gnutls/PLIST:1.83 pkgsrc/security/gnutls/PLIST:1.84
--- pkgsrc/security/gnutls/PLIST:1.83   Thu Jul  4 10:02:09 2024
+++ pkgsrc/security/gnutls/PLIST        Thu Nov 20 20:55:29 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.83 2024/07/04 10:02:09 adam Exp $
+@comment $NetBSD: PLIST,v 1.84 2025/11/20 20:55:29 wiz Exp $
 bin/certtool
 bin/gnutls-cli
 bin/gnutls-cli-debug
@@ -94,6 +94,9 @@ man/man3/gnutls_anti_replay_init.3
 man/man3/gnutls_anti_replay_set_add_function.3
 man/man3/gnutls_anti_replay_set_ptr.3
 man/man3/gnutls_anti_replay_set_window.3
+man/man3/gnutls_audit_current_context.3
+man/man3/gnutls_audit_pop_context.3
+man/man3/gnutls_audit_push_context.3
 man/man3/gnutls_auth_client_get_type.3
 man/man3/gnutls_auth_get_type.3
 man/man3/gnutls_auth_server_get_type.3
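Review bot: the three gnutls_audit_*_context.3 entries are added to PLIST unconditionally, while the log message says crypto-auditing support is enabled only by running configure with --enable-crypto-auditing, and no visible Makefile hunk adds that argument. Please confirm these man pages are installed in the default build; if they depend on the option, they need a PLIST variable guard tied to it rather than a plain entry.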
@@ -311,6 +314,7 @@ man/man3/gnutls_handshake_set_random.3
 man/man3/gnutls_handshake_set_read_function.3
 man/man3/gnutls_handshake_set_secret_function.3
 man/man3/gnutls_handshake_set_timeout.3
+man/man3/gnutls_handshake_update_receiving_key.3
 man/man3/gnutls_handshake_write.3
 man/man3/gnutls_hash.3
 man/man3/gnutls_hash_copy.3
@@ -635,7 +639,9 @@ man/man3/gnutls_protocol_get_version.3
 man/man3/gnutls_protocol_list.3
 man/man3/gnutls_protocol_set_enabled.3
 man/man3/gnutls_psk_allocate_client_credentials.3
+man/man3/gnutls_psk_allocate_client_credentials2.3
 man/man3/gnutls_psk_allocate_server_credentials.3
+man/man3/gnutls_psk_allocate_server_credentials2.3
 man/man3/gnutls_psk_client_get_hint.3
 man/man3/gnutls_psk_format_imported_identity.3
 man/man3/gnutls_psk_free_client_credentials.3
@@ -712,6 +718,7 @@ man/man3/gnutls_record_discard_queued.3
 man/man3/gnutls_record_get_direction.3
 man/man3/gnutls_record_get_discarded.3
 man/man3/gnutls_record_get_max_early_data_size.3
+man/man3/gnutls_record_get_max_send_size.3
 man/man3/gnutls_record_get_max_size.3
 man/man3/gnutls_record_get_state.3
 man/man3/gnutls_record_overhead_size.3

Index: pkgsrc/security/gnutls/distinfo
diff -u pkgsrc/security/gnutls/distinfo:1.168 pkgsrc/security/gnutls/distinfo:1.169
--- pkgsrc/security/gnutls/distinfo:1.168       Wed Jul  9 11:55:36 2025
+++ pkgsrc/security/gnutls/distinfo     Thu Nov 20 20:55:29 2025
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.168 2025/07/09 11:55:36 adam Exp $
+$NetBSD: distinfo,v 1.169 2025/11/20 20:55:29 wiz Exp $
 
-BLAKE2s (gnutls-3.8.10.tar.xz) = 33a7ef08a81bbecb5f66a5eb52a685bb018e8351e507bbd2fb03f0d25e001b21
-SHA512 (gnutls-3.8.10.tar.xz) = d453bd4527af95cb3905ce8753ceafd969e3f442ad1d148544a233ebf13285b999930553a805a0511293cc25390bb6a040260df5544a7c55019640f920ad3d92
-Size (gnutls-3.8.10.tar.xz) = 6909856 bytes
+BLAKE2s (gnutls-3.8.11.tar.xz) = ef0cf4a456a747a3dd396d0fdcede21358bf7ef56e714d12464fd438123f2370
+SHA512 (gnutls-3.8.11.tar.xz) = 68f9e5bec3aa6686fd3319cc9c88a5cc44e2a75144049fc9de5fb55fef2241b4e16996af4be5dd48308abbee8cfaed6c862903f6bb89aff5dfa5410075bd7386
+Size (gnutls-3.8.11.tar.xz) = 6939944 bytes
 SHA1 (patch-configure) = 866d8a365b8338348230e47518788f494279b139
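Review bot: the SHA1 (patch-configure) line is unchanged context, so the same local patch is carried over to 3.8.11, yet the log message lists two changes that touch configure (the sysconfdir-derived priority file path and the new --enable-crypto-auditing option). Please confirm patch-configure still applies cleanly and without offsets against the 3.8.11 configure script, and regenerate it if not.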


