SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for libgnutls-dane0-3.7.4-lp156.6.8.x86_64.rpm :

* Wed May 11 2022 Marcus Meissner - disable kcapi usage for now, as kernel-obs-build not adjusted to contain the algorithms. bsc#1189283
* Fri Mar 18 2022 Pedro Monreal - FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669]
* The IG 10.3.A and SP800-132 require some minimum parameters for the salt length, password length and iteration count. These parameters should be also used in the KAT.
* Add gnutls-FIPS-PBKDF2-KAT-requirements.patch- Enable to run the regression tests also in FIPS mode.
* Fri Mar 18 2022 Pedro Monreal - Update to 3.7.4:
* libgnutls: Added support for certificate compression as defined in RFC8879.
* certtool: Added option --compress-cert that allows user to specify compression methods for certificate compression.
* libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure option to enforce stricter certificate sanity checks that are compliant with RFC5280.
* libgnutls: Removed IA5String type from DirectoryString within issuer and subject name to make DirectoryString RFC5280 compliant.
* libgnutls: Added function to retrieve the name of current ciphersuite from session.
* Bump libgnutlsxx soname due to ABI break
* API and ABI modifications: - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member - gnutls_compress_certificate_get_selected_method: Added - gnutls_compress_certificate_set_methods: Added
* Update gnutls.keyring
* Sun Feb 27 2022 Dirk Müller - build with lto- build with -Wl,-z,now -Wl,-z,relro- build without -fanalyzer, which cuts build time in ~ half
* Tue Jan 18 2022 Pedro Monreal - Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added to the system-wide settings. In this mode, all the algorithms are initially marked as insecure or disabled, while the applications can re-enable them either through the [overrides] section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for generating command-line option handling, template file parsing in certtool, and documentation generation (#773, #774). This change also removes run-time or bundled dependency on the libopts library, and requires Python 3.6 or later to regenerate the distribution tarball. Note that this brings in known backward incompatibility in command-line tools, such as long options are now case sensitive, while previously they were treated in a case insensitive manner: for example --RSA is no longer a valid option of certtool. The existing scripts using GnuTLS tools may need adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and used as a gnutls_privkey_t (#594). The code was originally written for the OpenConnect VPN project by David Woodhouse. To generate such blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel TLS) when the feature is compiled in with --enable-ktls configuration option (#1113). If the KTLS initialization fails it automatically falls back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency (RFC 6962) SCT extension (#232). New API functions are also provided to access and manipulate the extension values.
* certtool: The certtool command can now generate, manipulate, and evaluate x25519 and x448 public keys, private keys, and certificates.
* libgnutls: Disabling a hashing algorithm through \"insecure-hash\" configuration directive now also disables TLS ciphersuites that use it as a PRF algorithm.
* libgnutls: PKCS#12 files are now created with modern algorithms by default (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the default PBKDF2 iteration count has been increased to 600000.
* libgnutls: PKCS#12 keys derived using GOST algorithm now uses HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to conform with the latest TC-26 requirements (#1225).
* libgnutls: The library now provides a means to report the status of approved cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this complements the existing mechanism to prohibit the use of unapproved algorithms by making the library unusable state.
* gnutls-cli: The gnutls-cli command now provides a --list-config option to print the library configuration (!1508).
* libgnutls: Fixed possible race condition in gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low]
* API and ABI modifications: GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags gnutls_ecc_curve_set_enabled: Added. gnutls_sign_set_secure: Added. gnutls_sign_set_secure_for_certs: Added. gnutls_digest_set_secure: Added. gnutls_protocol_set_enabled: Added. gnutls_fips140_context_init: New function gnutls_fips140_context_deinit: New function gnutls_fips140_push_context: New function gnutls_fips140_pop_context: New function gnutls_fips140_get_operation_state: New function gnutls_fips140_operation_state_t: New enum gnutls_transport_is_ktls_enabled: New function gnutls_get_library_configuration: New function
* Remove patches fixed in the update: - gnutls-FIPS-module-version.patch - gnutls-FIPS-service-indicator.patch - gnutls-FIPS-service-indicator-public-key.patch - gnutls-FIPS-service-indicator-symmetric-key.patch - gnutls-FIPS-RSA-PSS-flags.patch - gnutls-FIPS-RSA-mod-sizes.patch
* Tue Jan 18 2022 Pedro Monreal - FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468]
* Add gnutls-FIPS-disable-failing-tests.patch
* Remove patches: - gnutls-temporarily_disable_broken_guile_reauth_test.patch - disable-psk-file-test.patch
* Mon Jan 17 2022 Pedro Monreal - FIPS: Provide module identifier and version [bsc#1190796]
* Add configurable options to output the module name/identifier (--with-fips140-module-name) and the module version (--with-fips140-module-version).
* Add the CLI option list-config that reports the configuration of the library.
* Add gnutls-FIPS-module-version.patch
* Wed Dec 22 2021 Pedro Monreal - FIPS: Provide a service-level indicator [bsc#1190698]
* Add support for a \"service indicator\" as required in the FIPS140-3 Implementation Guidance in section 2.4.C
* Add patches: - gnutls-FIPS-service-indicator.patch - gnutls-FIPS-service-indicator-public-key.patch - gnutls-FIPS-service-indicator-symmetric-key.patch - gnutls-FIPS-RSA-PSS-flags.patch
* Thu Dec 16 2021 Pedro Monreal - FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008]
* fips: allow more RSA modulus sizes
* Add gnutls-FIPS-RSA-mod-sizes.patch
* Delete gnutls-3.6.7-fips-rsa-4096.patch
* Fri Nov 26 2021 Dominique Leuenberger - Drop bogus condition \"> 1550\": that would mean \'more recent than Tumbleweed\' which is technically impossible, as Tumbleweed is the leading project (and the condition causes issues as Tumbleweed needs to move away from 1550 due to CODE 15 SP5 plans).
* Fri Oct 15 2021 Pedro Monreal - Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287]- Add DANE guards
* Wed Jul 21 2021 Pedro Monreal - Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch since its already working.
* Tue Jun 01 2021 Ferdinand Thiessen - Update to version 3.7.2
* Added Linux kernel AF_ALG based acceleration
* Fixed timing of early data exchange
* The priority string option DISABLE_TLS13_COMPAT_MODE was added to disable TLS 1.3 middlebox compatibility mode
* The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to GNUTLS_NO_IMPLICIT_INIT to reflect the purpose
* certtool:
* When signing a CSR, CRL distribution point (CDP) is no longer copied from the signing CA by default
* When producing certificates and certificate requests, subject DN components that are provided individually will now be ordered by assumed scale
* Wed May 26 2021 Pedro Monreal - Rework the crypto-policies dependencies in libraries [bsc#1186385]
* Thu May 13 2021 Pedro Monreal - Compute the FIPS hmac file without re-defining the __os_install_post macro, use the brp-50-generate-fips-hmac script instead. [bsc#1184555]
* Thu Mar 18 2021 Pedro Monreal - Require the main package in devel and lib packages as the default priorities are now set via crypto-policies. [bsc#1183082]
* Fri Mar 12 2021 Pedro Monreal - Update to 3.7.1: [bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231]
* Fixed potential use-after-free in sending \"key_share\" and \"pre_shared_key\" extensions.
* Fixed a regression in handling duplicated certs in a chain.
* Fixed sending of session ID in TLS 1.3 middlebox compatibility mode. In that mode the client shall always send a non-zero session ID to make the handshake resemble the TLS 1.2 resumption; this was not true in the previous versions.
* Removed dependency on the external \'fipscheck\' package, when compiled with --enable-fips140-mode.
* Added padlock acceleration for AES-192-CBC.- Remove patches upstream:
* gnutls-gnutls-cli-debug.patch
* gnutls-ignore-duplicate-certificates.patch
* gnutls-test-fixes.patch
* Wed Feb 10 2021 Pedro Monreal - Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
* Don\'t unset system priority settings in gnutls-cli-debug.sh
* Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387- Add gnutls-gnutls-cli-debug.patch
* Wed Feb 10 2021 Pedro Monreal - Fix: Test certificates in tests/testpkcs11-certs have expired
* Upstream bug: gitlab.com/gnutls/gnutls/issues/1135- Add gnutls-test-fixes.patch
* Mon Feb 08 2021 Pedro Monreal - gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
* Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131- Add gnutls-ignore-duplicate-certificates.patch
* Wed Jan 27 2021 Pedro Monreal - Update to 3.7.0
* Depend on nettle 3.6
* Added a new API that provides a callback function to retrieve missing certificates from incomplete certificate chains
* Added a new API that provides a callback function to output the complete path to the trusted root during certificate chain verification
* OIDs exposed as gnutls_datum_t no longer account for the terminating null bytes, while the data field is null terminated. The affected API functions are: gnutls_ocsp_req_get_extension, gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
* Added a new set of API to enable QUIC implementation
* The crypto implementation override APIs deprecated in 3.6.9 are now no-op
* Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
* Support for padlock has been fixed to make it work with Zhaoxin CPU
* The maximum PIN length for PKCS #11 has been increased from 31 bytes to 255 bytes- Remove patch fixed upstream:
* gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch- Add version guards for the crypto-policies package- Fix threading bug in libgnutls [bsc#1173434]
* Upstream bug: gitlab.com/gnutls/gnutls/issues/1044
  
ICM