SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for mingw64-gnutls-debug-3.7.7-2.221.noarch.rpm :

* Wed Aug 03 2022 Ralf Habacker - Update to 3.7.7: [bsc#1202020, CVE-2022-2509]
* libgnutls: Fixed double free during verification of pkcs7 signatures. CVE-2022-2509
* libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument less than or equal to 255 times hash digest size, to comply with RFC 5869 2.3.
* libgnutls: Length limit for TLS PSK usernames has been increased from 128 to 65535 characters
* libgnutls: AES-GCM encryption function now limits plaintext length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
* libgnutls: New block cipher functions have been added to transparently handle padding. gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 can be used in combination of GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove padding if the length of the original plaintext is not a multiple of the block size.
* libgnutls: New function for manual FIPS self-testing.
* API and ABI modifications: - gnutls_fips140_run_self_tests: New function - gnutls_cipher_encrypt3: New function - gnutls_cipher_decrypt3: New function - gnutls_cipher_padding_flags_t: New enum
* guile: Guile 1.8 is no longer supported
* guile: Session record port treats premature termination as EOF Previously, a \'gnutls-error\' exception with the \'error/premature-termination\' value would be thrown while reading from a session record port when the underlying session was terminated prematurely. This was inconvenient since users of the port may not be prepared to handle such an exception. Reading from the session record port now returns the end-of-file object instead of throwing an exception, just like it would for a proper session termination.
* guile: Session record ports can have a \'close\' procedure. The \'session-record-port\' procedure now takes an optional second parameter, and a new \'set-session-record-port-close!\' procedure is provided to specify a \'close\' procedure for a session record port. This \'close\' procedure lets users specify cleanup operations for when the port is closed, such as closing the file descriptor or port that backs the underlying session.- Fixed several obsolete-not-provided warnings
* Thu May 05 2022 Ralf Habacker - Add gtk-doc as build requirement to fix build error \'Can\'t exec \"gtkdocize\"\' on Tumbleweed
* Mon Jul 12 2021 Ralf Habacker - Update to version 3.7.2
* Added Linux kernel AF_ALG based acceleration
* Fixed timing of early data exchange
* The priority string option DISABLE_TLS13_COMPAT_MODE was added to disable TLS 1.3 middlebox compatibility mode
* The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to GNUTLS_NO_IMPLICIT_INIT to reflect the purpose
* certtool:
* When signing a CSR, CRL distribution point (CDP) is no longer copied from the signing CA by default
* When producing certificates and certificate requests, subject DN components that are provided individually will now be ordered by assumed scale- Fixed warning related to obsolete packages- The update also fixes a bug where wine could not find ncrypt.dll.BCryptOpenAlgorithmProvider (boo#1188208)
* Tue Jul 06 2021 Ralf Habacker - Add patch to fix compiling 3.6.14 with mingw
* gnutls-3.6.14-compile-fix.patch
* Wed Jun 10 2020 Ralf Habacker - Update to Version 3.6.14
* libgnutls: Fixed insecure session ticket key construction, since 3.6.4. The TLS server would not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (#1011). [GNUTLS-SA-2020-06-03, CVSS: high]
* libgnutls: Fixed handling of certificate chain with cross-signed intermediate CA certificates (#1008).
* libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
* libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority Key Identifier (AKI) properly (#989, #991).
* certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
* libgnutls: Added several improvements on Windows Vista and later releases (!1257, !1254, !1256). Most notably the system random number generator now uses Windows BCrypt
* API if available (!1255).
* libgnutls: Use accelerated AES-XTS implementation if possible (!1244). Also both accelerated and non-accelerated implementations check key block according to FIPS-140-2 IG A.9 (!1233).
* libgnutls: Added support for AES-SIV ciphers (#463).
* libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
* libgnutls: No longer use internal symbols exported from Nettle (!1235)
* API and ABI modifications: GNUTLS_CIPHER_AES_128_SIV: Added GNUTLS_CIPHER_AES_256_SIV: Added GNUTLS_CIPHER_AES_192_GCM: Added gnutls_pkcs7_print_signature_info: Added- Disabled building documentation because of build failures in doc examples
* Thu Apr 02 2020 Vítězslav Čížek - Update to 3.6.13
* libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support) The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol (#960) [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345)
* libgnutls: Added new APIs to access KDF algorithms (#813).
* libgnutls: Added new callback gnutls_keylog_func that enables a custom logging functionality.
* libgnutls: Added support for non-null terminated usernames in PSK negotiation (#586).
* gnutls-cli-debug: Improved support for old servers that only support SSL 3.0.
* Tue Feb 04 2020 Ondřej Súkup - gnutls 3.6.12
* libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) to identify sessions that client request OCSP status request (#829).
* libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 signature algorithm (RFC 8032) under TLS (#86).
* libgnutls: Added the default-priority-string option to system configuration; it allows overriding the compiled-in default-priority-string.
* libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by draft-smyshlyaev-tls12-gost-suites-07). By default this ciphersuite is disabled. It can be enabled by adding +GOST to priority string. In the future this priority string may enable other GOST ciphersuites as well. Note, that server will fail to negotiate GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers.
* libgnutls: added priority shortcuts for different GOST categories like CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.
* libgnutls: Reject certificates with invalid time fields. That is we reject certificates with invalid characters in Time fields, or invalid time formatting To continue accepting the invalid form compile with --disable-strict-der-time
* libgnutls: Reject certificates which contain duplicate extensions. We were previously printing warnings when printing such a certificate, but that is not always sufficient to flag such certificates as invalid. Instead we now refuse to import them (#887).
* libgnutls: If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level prior to accepting it. This addresses the problem of accepting CAs which would have been marked as insecure otherwise (#877).
* libgnutls: The min-verification-profile from system configuration applies for all certificate verifications, not only under TLS. The configuration can be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
* libgnutls: The stapled OCSP certificate verification adheres to the convention used throughout the library of setting the \'GNUTLS_CERT_INVALID\' flag.
* libgnutls: On client side only send OCSP staples if they have been requested by the server, and on server side always advertise that we support OCSP stapling
* libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible with gnutls_ocsp_req_t but const.
* certtool: Added the --verify-profile option to set a certificate verification profile. Use \'--verify-profile low\' for certificate verification to apply the \'NORMAL\' verification profile.
* certtool: The add_extension template option is considered even when generating a certificate from a certificate request.
* Tue Dec 03 2019 Andreas Stieger - gnutls 3.6.11.1:
* libgnutls: Corrected issue with TLS 1.2 session ticket handling as client during resumption
* libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to the empty string. This is a behavioral change of the API but it conforms to the RFC4648 expectations
* libgnutls: Fixed AES-CFB8 implementation, when input is shorter than the block size. Fix backported from nettle.
* certtool: CRL distribution points will be set in CA certificates even when non self-signed
* gnutls-cli/serv: added raw public-key handling capabilities (RFC7250). Key material can be set via the --rawpkkeyfile and - -rawpkfile flags.
* Thu Oct 10 2019 Andreas Stieger - gnutls 3.6.10:
* Add support for deterministic ECDSA/DSA (RFC6979)
* Add functions for in-place encryption/decryption of data buffers
* server now selects the highest TLS protocol version, if TLS 1.3 is enabled and the client advertises an older protocol version first
* Add support for GOST 28147-89 cipher in CNT (GOST counter) mode and MAC generation based on GOST 28147-89 (IMIT)
* certtool: when outputting an encrypted private key do not insert the textual description of it
* Wed Jul 31 2019 Andreas Stieger - gnutls 3.6.9:
* add support for copying digest or MAC contexts
* Mark the crypto implementation override APIs as deprecated
* Add support for AES-GMAC, as a separate to GCM, MAC algorithm
* Add support for Generalname registeredID
* The priority configuration was enhanced to allow more elaborate system-wide configuration of the library- includes changes from 3.6.8:
* Add support for AES-XTS cipher
* Fix calculation of Streebog digests
* During Diffie-Hellman operations in TLS, verify that the peer\'s public key is on the right subgroup (y^q=1 mod p), when q is available (under TLS 1.3 and under earlier versions when RFC7919 parameters are used).
* Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain crafting via IDNA conversion
* certtool: allow the digital signature key usage flag in CA certificates
* gnutls-cli/serv: add the --keymatexport and --keymatexportsize options. These allow testing the RFC5705 using these tools
  
ICM