Changelog for mingw64-gnutls-3.7.7-1.63.noarch.rpm :

* Wed Aug 03 2022 Ralf Habacker - Update to 3.7.7: [bsc#1202020, CVE-2022-2509]
* libgnutls: Fixed double free during verification of pkcs7 signatures. CVE-2022-2509
* libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument less than or equal to 255 times hash digest size, to comply with RFC 5869 2.3.
* libgnutls: Length limit for TLS PSK usernames has been increased from 128 to 65535 characters
* libgnutls: AES-GCM encryption function now limits plaintext length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
* libgnutls: New block cipher functions have been added to transparently handle padding. gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 can be used in combination with the GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove padding if the length of the original plaintext is not a multiple of the block size.
* libgnutls: New function for manual FIPS self-testing.
* API and ABI modifications:
  - gnutls_fips140_run_self_tests: New function
  - gnutls_cipher_encrypt3: New function
  - gnutls_cipher_decrypt3: New function
  - gnutls_cipher_padding_flags_t: New enum
* guile: Guile 1.8 is no longer supported
* guile: Session record port treats premature termination as EOF. Previously, a 'gnutls-error' exception with the 'error/premature-termination' value would be thrown while reading from a session record port when the underlying session was terminated prematurely. This was inconvenient since users of the port may not be prepared to handle such an exception. Reading from the session record port now returns the end-of-file object instead of throwing an exception, just like it would for a proper session termination.
* guile: Session record ports can have a 'close' procedure. The 'session-record-port' procedure now takes an optional second parameter, and a new 'set-session-record-port-close!' procedure is provided to specify a 'close' procedure for a session record port. This 'close' procedure lets users specify cleanup operations for when the port is closed, such as closing the file descriptor or port that backs the underlying session.
- Fixed several obsolete-not-provided warnings
* Thu May 05 2022 Ralf Habacker - Add gtk-doc as build requirement to fix build error 'Can't exec "gtkdocize"' on Tumbleweed
* Mon Jul 12 2021 Ralf Habacker - Update to version 3.7.2
* Added Linux kernel AF_ALG based acceleration
* Fixed timing of early data exchange
* The priority string option DISABLE_TLS13_COMPAT_MODE was added to disable TLS 1.3 middlebox compatibility mode
* The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to GNUTLS_NO_IMPLICIT_INIT to reflect the purpose
* certtool:
* When signing a CSR, CRL distribution point (CDP) is no longer copied from the signing CA by default
* When producing certificates and certificate requests, subject DN components that are provided individually will now be ordered by assumed scale
- Fixed warning related to obsolete packages
- The update also fixes a bug where wine could not find ncrypt.dll.BCryptOpenAlgorithmProvider (boo#1188208)
* Tue Jul 06 2021 Ralf Habacker - Add patch to fix compiling 3.6.14 with mingw
* gnutls-3.6.14-compile-fix.patch
* Wed Jun 10 2020 Ralf Habacker - Update to Version 3.6.14
* libgnutls: Fixed insecure session ticket key construction, since 3.6.4. The TLS server would not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (#1011). [GNUTLS-SA-2020-06-03, CVSS: high]
* libgnutls: Fixed handling of certificate chain with cross-signed intermediate CA certificates (#1008).
* libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
* libgnutls: gnutls_x509_crt_print() is enhanced to recognize commonName (2.5.4.3), decode certificate policy OIDs (!1245), and print Authority Key Identifier (AKI) properly (#989, #991).
* certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
* libgnutls: Added several improvements on Windows Vista and later releases (!1257, !1254, !1256). Most notably the system random number generator now uses Windows BCrypt API if available (!1255).
* libgnutls: Use accelerated AES-XTS implementation if possible (!1244). Also both accelerated and non-accelerated implementations check key block according to FIPS-140-2 IG A.9 (!1233).
* libgnutls: Added support for AES-SIV ciphers (#463).
* libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
* libgnutls: No longer use internal symbols exported from Nettle (!1235)
* API and ABI modifications:
  - GNUTLS_CIPHER_AES_128_SIV: Added
  - GNUTLS_CIPHER_AES_256_SIV: Added
  - GNUTLS_CIPHER_AES_192_GCM: Added
  - gnutls_pkcs7_print_signature_info: Added
- Disabled building documentation because of build failures in doc examples
* Thu Apr 02 2020 Vítězslav Čížek - Update to 3.6.13
* libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support). The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol (#960) [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345)
* libgnutls: Added new APIs to access KDF algorithms (#813).
* libgnutls: Added new callback gnutls_keylog_func that enables a custom logging functionality.
* libgnutls: Added support for non-null terminated usernames in PSK negotiation (#586).
* gnutls-cli-debug: Improved support for old servers that only support SSL 3.0.
* Tue Feb 04 2020 Ondřej Súkup - gnutls 3.6.12
* libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) to identify sessions in which the client sends an OCSP status request (#829).
* libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 signature algorithm (RFC 8032) under TLS (#86).
* libgnutls: Added the default-priority-string option to system configuration; it allows overriding the compiled-in default-priority-string.
* libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by draft-smyshlyaev-tls12-gost-suites-07). By default this ciphersuite is disabled. It can be enabled by adding +GOST to priority string. In the future this priority string may enable other GOST ciphersuites as well. Note, that server will fail to negotiate GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers.
* libgnutls: added priority shortcuts for different GOST categories like CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.
* libgnutls: Reject certificates with invalid time fields. That is, we reject certificates with invalid characters in Time fields, or invalid time formatting. To continue accepting the invalid form compile with --disable-strict-der-time
* libgnutls: Reject certificates which contain duplicate extensions. We were previously printing warnings when printing such a certificate, but that is not always sufficient to flag such certificates as invalid. Instead we now refuse to import them (#887).
* libgnutls: If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level prior to accepting it. This addresses the problem of accepting CAs which would have been marked as insecure otherwise (#877).
* libgnutls: The min-verification-profile from system configuration applies for all certificate verifications, not only under TLS. The configuration can be overridden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
* libgnutls: The stapled OCSP certificate verification adheres to the convention used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.
* libgnutls: On client side only send OCSP staples if they have been requested by the server, and on server side always advertise that we support OCSP stapling
* libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible with gnutls_ocsp_req_t but const.
* certtool: Added the --verify-profile option to set a certificate verification profile. Use '--verify-profile low' for certificate verification to apply the 'NORMAL' verification profile.
* certtool: The add_extension template option is considered even when generating a certificate from a certificate request.
* Tue Dec 03 2019 Andreas Stieger - gnutls 3.6.11.1:
* libgnutls: Corrected issue with TLS 1.2 session ticket handling as client during resumption
* libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to the empty string. This is a behavioral change of the API but it conforms to the RFC4648 expectations
* libgnutls: Fixed AES-CFB8 implementation, when input is shorter than the block size. Fix backported from nettle.
* certtool: CRL distribution points will be set in CA certificates even when non self-signed
* gnutls-cli/serv: added raw public-key handling capabilities (RFC7250). Key material can be set via the --rawpkkeyfile and --rawpkfile flags.
* Thu Oct 10 2019 Andreas Stieger - gnutls 3.6.10:
* Add support for deterministic ECDSA/DSA (RFC6979)
* Add functions for in-place encryption/decryption of data buffers
* server now selects the highest TLS protocol version, if TLS 1.3 is enabled and the client advertises an older protocol version first
* Add support for GOST 28147-89 cipher in CNT (GOST counter) mode and MAC generation based on GOST 28147-89 (IMIT)
* certtool: when outputting an encrypted private key do not insert the textual description of it
* Wed Jul 31 2019 Andreas Stieger - gnutls 3.6.9:
* add support for copying digest or MAC contexts
* Mark the crypto implementation override APIs as deprecated
* Add support for AES-GMAC as a MAC algorithm separate from GCM
* Add support for Generalname registeredID
* The priority configuration was enhanced to allow more elaborate system-wide configuration of the library
- includes changes from 3.6.8:
* Add support for AES-XTS cipher
* Fix calculation of Streebog digests
* During Diffie-Hellman operations in TLS, verify that the peer's public key is on the right subgroup (y^q=1 mod p), when q is available (under TLS 1.3 and under earlier versions when RFC7919 parameters are used).
* Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain crafting via IDNA conversion
* certtool: allow the digital signature key usage flag in CA certificates
* gnutls-cli/serv: add the --keymatexport and --keymatexportsize options. These allow testing the RFC5705 using these tools
* Thu Apr 04 2019 Jason Sikes - Update gnutls to 3.6.7
* libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free().
* libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829)
* libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836)
* libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690).
* libgnutls: the default number of tickets sent under TLS 1.3 was increased to two. This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server.
* libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.
* libgnutls: fixed issue preventing sending and receiving from different threads when false start was enabled (#713).
* libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable session, as non-writeable security officer sessions are undefined in PKCS#11 (#721).
* libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded too early in version negotiation and was sent even on TLS 1.3. It is now sent only when TLS 1.2 or earlier is negotiated (#689).
* gnutls-cli: Added option --logfile to redirect informational messages output.
* Mon Feb 04 2019 Vítězslav Čížek - Update to 3.6.6
* libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits on the public key (#640).
* libgnutls: Added support for raw public-key authentication as defined in RFC7250. Raw public-keys can be negotiated by enabling the corresponding certificate types via the priority strings. The raw public-key mechanism must be explicitly enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280).
* libgnutls: When on server or client side we are sending no extensions we do not set an empty extensions field but we rather remove that field completely. This solves a regression since 3.5.x and improves compatibility of the server side with certain clients.
* libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if the CKA_SIGN is not set (#667).
* libgnutls: The priority string option %NO_EXTENSIONS was improved to completely disable extensions at all cases, while providing a functional session. This also implies that when specified, TLS1.3 is disabled.
* libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous definition was non-functional (#609).
- drop no longer needed gnutls-enbale-guile-2.2.patch
* Wed Jan 02 2019 Vítězslav Čížek - Update to 3.6.5
* libgnutls: Provide the option of transparent re-handshake/reauthentication when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
* libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
* libgnutls: The priority functions will ignore and not enable TLS1.3 if requested with legacy TLS versions enabled but not TLS1.2. That is because if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled) servers which do not support TLS1.3 will negotiate TLS1.2 which will be rejected by the client as disabled (#621).
* libgnutls: Change RSA decryption to use a new side-channel silent function. This addresses a security issue where memory access patterns as well as timing on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher attacks. Side-channel resistant code is slower due to the need to mask access and timings. When used in TLS the new functions cause RSA based handshakes to be between 13% and 28% slower on average (Numbers are indicative, the tests were performed on a relatively modern Intel CPU, results vary depending on the CPU and architecture used). This change makes nettle 3.4.1 the minimum requirement of gnutls (#630). [CVSS: medium]
* libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword in the priority string. It is only accepted as legacy option and is ignored.
* libgnutls: Added support for EdDSA under PKCS#11 (#417)
* libgnutls: Added support for AES-CFB8 cipher (#357)
* libgnutls: Added support for AES-CMAC MAC (#351)
* libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D S-BOXes). They are fixed now.
* libgnutls: Added support for GOST key unmasking and unwrapped GOST private keys parsing, as specified in R 50.1.112-2016.
* gnutls-serv: It applies the default settings when no --priority option is given, using gnutls_set_default_priority().
* p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin option (#561)
* certtool: Add parameter --no-text that prevents certtool from outputting text before PEM-encoded private key, public key, certificate, CRL or CSR.
- minimum required libnettle is now 3.4.1
 