---
- branch: MAIN
  date: Fri Jul  6 16:15:28 UTC 2018
  files:
  - new: '1.183'
    old: '1.182'
    path: pkgsrc/security/gnutls/Makefile
    pathrev: pkgsrc/security/gnutls/Makefile@1.183
    type: modified
  - new: '1.129'
    old: '1.128'
    path: pkgsrc/security/gnutls/distinfo
    pathrev: pkgsrc/security/gnutls/distinfo@1.129
    type: modified
  - new: '0'
    old: '1.1'
    path: pkgsrc/security/gnutls/patches/patch-fuzz_Makefile.in
    pathrev: pkgsrc/security/gnutls/patches/patch-fuzz_Makefile.in@0
    type: deleted
  - new: '0'
    old: '1.1'
    path: pkgsrc/security/gnutls/patches/patch-lib_atomic.h
    pathrev: pkgsrc/security/gnutls/patches/patch-lib_atomic.h@0
    type: deleted
  - new: '0'
    old: '1.1'
    path: pkgsrc/security/gnutls/patches/patch-tests_suite_Makefile.in
    pathrev: pkgsrc/security/gnutls/patches/patch-tests_suite_Makefile.in@0
    type: deleted
  - new: '1.9'
    old: '1.8'
    path: pkgsrc/security/gnutls/patches/patch-lib_Makefile.in
    pathrev: pkgsrc/security/gnutls/patches/patch-lib_Makefile.in@1.9
    type: modified
  - new: '1.2'
    old: '1.1'
    path: pkgsrc/security/gnutls/patches/patch-lib_accelerated_x86_x86-common.c
    pathrev: pkgsrc/security/gnutls/patches/patch-lib_accelerated_x86_x86-common.c@1.2
    type: modified
  id: 20180706T161528Z.3f0ecead2cfb592428ed243a3b5d7f724537f514
  log: |
    Update gnutls to 3.6.2

    * Version 3.6.2 (released 2018-02-16)

    ** libgnutls: When verifying against a self signed certificate ignore issuer.
       That is, ignore issuer when checking the issuer's parameters strength, resolving
       issue #347 which caused self signed certificates to be additionally marked as of
       insufficient security level.

    ** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
       MTU calculation now, it correctly accounts for the fixed overhead due to
       padding (as 1 byte), while at the same time considers the rest of the
       padding as part of data MTU.

    ** libgnutls: Address issue of loading of all PKCS#11 modules on startup
       on systems with a PKCS#11 trust store (as opposed to a file trust store).
       Introduced a multi-stage initialization which loads the trust modules, and
       other modules are deferred for the first pure PKCS#11 request.

    ** libgnutls: The SRP authentication will reject any parameters outside
       RFC5054. This protects any client from potential MitM due to insecure
       parameters. That also brings SRP in par with the RFC7919 changes to
       Diffie-Hellman.

    ** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
       for SRP authentication.

    ** libgnutls: Addressed issue in the accelerated code affecting interoperability
       with versions of nettle >= 3.4.

    ** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

    ** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
       Vitezslav Cizek).

    ** srptool: the --create-conf option no longer includes 1024-bit parameters.

    ** p11tool: Fixed the deletion of objects in batch mode.

    ** API and ABI modifications:
    gnutls_srp_8192_group_generator: Added
    gnutls_srp_8192_group_prime: Added

    * Version 3.6.1 (released 2017-10-21)

    ** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
       used. Resolves gitlab issue #259.

    ** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
       gnutls_x509_crq_sign, were modified to sign with a better algorithm than
       SHA1. They will now sign with an algorithm that corresponds to the security
       level of the signer's key.

    ** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
       accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
       the function to auto-detect an appropriate hash algorithm to use.

    ** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
       TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
       in TLS 1.2. As such, no reason to keep supporting it.

    ** libgnutls: Refuse to use client certificates containing disallowed
       algorithms for a session. That reverts a change on 3.5.5, which allowed
       a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
       to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
       The previous approach was to allow a smooth move for client infrastructure
       after the DSA algorithm became disabled by default, and is no longer necessary
       as DSA is now being universally deprecated.

    ** libgnutls: Refuse to resume a session which had a different SNI advertised. That
       improves RFC6066 support in server side. Reported by Thomas Klute.

    ** p11tool: Mark all generated objects as sensitive by default.

    ** p11tool: added options --sign-params and --hash. This allows testing
       signature with multiple algorithms, including RSA-PSS.

    ** API and ABI modifications:
    No changes since last version.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/gnutls'
  unixtime: '1530893728'
  user: prlw1