Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11]) by www.NetBSD.org (Postfix) with ESMTP id 3BC8263C131 for ; Sat, 2 May 2009 20:04:35 +0000 (UTC)
Received: by mail.netbsd.org (Postfix, from userid 0) id DA9D663B225; Sat, 2 May 2009 20:04:34 +0000 (UTC)
Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd]) by mail.netbsd.org (Postfix) with ESMTP id 3554D63B21F for ; Sat, 2 May 2009 20:04:33 +0000 (UTC)
Received: by cvs.netbsd.org (Postfix, from userid 500) id 209C9175D0; Sat, 2 May 2009 20:04:33 +0000 (UTC)
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Type: text/plain
Date: Sat, 2 May 2009 20:04:33 +0000
From: Tobias Nygren
Subject: CVS commit: pkgsrc/security/gnutls
To: pkgsrc-changes@NetBSD.org
Reply-To: tnn@netbsd.org
X-Mailer: log_accum
Message-Id: <20090502200433.209C9175D0@cvs.netbsd.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes
Precedence: list

Module Name:    pkgsrc
Committed By:   tnn
Date:           Sat May  2 20:04:33 UTC 2009

Modified Files:
        pkgsrc/security/gnutls: Makefile distinfo

Log Message:
Update to gnutls-2.6.6.

* Version 2.6.6 (released 2009-04-30)

** libgnutls: Corrected double free on signature verification failure.
Reported by Miroslav Kratochvil. See the advisory for more details.
[GNUTLS-SA-2009-1] [CVE-2009-1415]

** libgnutls: Fix DSA key generation.
Noticed when investigating the previous GNUTLS-SA-2009-1 problem. All DSA
keys generated using GnuTLS 2.6.x are corrupt. See the advisory for more
details. [GNUTLS-SA-2009-2] [CVE-2009-1416]

** libgnutls: Check expiration/activation time on untrusted certificates.
Reported by Romain Francoise. Before the library did not check
activation/expiration times on certificates, and was documented as not
doing so. We have realized that many applications that use libgnutls,
including gnutls-cli, fail to perform proper checks. Implementing similar
logic in all applications leads to code duplication. Hence, we decided to
check whether the current time (as reported by the time function) is
within the activation/expiration period of certificates when verifying
untrusted certificates. This changes the semantics of
gnutls_x509_crt_list_verify, which in turn is used by
gnutls_certificate_verify_peers and gnutls_certificate_verify_peers2. We
add two new gnutls_certificate_status_t codes for reporting the new error
condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also add
a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour.

** API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.

To generate a diff of this commit:
cvs rdiff -u -r1.79 -r1.80 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.53 -r1.54 pkgsrc/security/gnutls/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
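The semantics described in the 2.6.6 NEWS entry above, as an added, self-contained illustration that is not part of the commit, the mailing-list post, or GnuTLS itself: a chain of certificates is checked against the current time, a certificate whose activation time is still in the future adds a NOT_ACTIVATED bit, one whose expiration time has passed adds an EXPIRED bit, the bits are OR-ed across the whole list, and a DISABLE_TIME_CHECKS flag suppresses the check entirely. The enum values, the struct, and the sample validity windows are all constructed for this example; real code must use the GNUTLS_CERT_* and GNUTLS_VERIFY_* values from gnutls.h and the status returned by gnutls_certificate_verify_peers2. Where this goes beyond the text: it shows that one not-yet-valid intermediate is enough to fail an otherwise valid chain, which is why an application that used to inspect only the pre-2.6.6 status bits now has to reject the two new ones as well.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Local stand-ins for the status and flag bits named in the NEWS entry.
 * The numeric values are an assumption for this example only; the real
 * values live in gnutls.h as GNUTLS_CERT_NOT_ACTIVATED, GNUTLS_CERT_EXPIRED
 * and GNUTLS_VERIFY_DISABLE_TIME_CHECKS. */
enum {
    STATUS_OK            = 0,
    STATUS_NOT_ACTIVATED = 1u << 0,   /* stands in for GNUTLS_CERT_NOT_ACTIVATED */
    STATUS_EXPIRED       = 1u << 1    /* stands in for GNUTLS_CERT_EXPIRED */
};
enum {
    VERIFY_DISABLE_TIME_CHECKS = 1u << 0 /* stands in for GNUTLS_VERIFY_DISABLE_TIME_CHECKS */
};

/* Minimal model of the validity window of one certificate in a chain
 * (constructed for this example; a real chain comes from the peer). */
struct cert_window {
    const char *label;
    time_t not_before;   /* activation time */
    time_t not_after;    /* expiration time */
};

/* Check every certificate in the list against `now`, the behaviour the
 * 2.6.6 NEWS describes for untrusted certificates. Status bits are OR-ed
 * over the whole list, so a single bad intermediate fails the chain. With
 * VERIFY_DISABLE_TIME_CHECKS set the times are not examined at all. */
unsigned int check_chain_times(const struct cert_window *chain, size_t n,
                               unsigned int flags, time_t now)
{
    unsigned int status = STATUS_OK;

    if (flags & VERIFY_DISABLE_TIME_CHECKS)
        return status;

    for (size_t i = 0; i < n; i++) {
        if (now < chain[i].not_before)
            status |= STATUS_NOT_ACTIVATED;
        if (now > chain[i].not_after)
            status |= STATUS_EXPIRED;
    }
    return status;
}

/* Application-side decision after the API change: a caller that only
 * looked at the older status bits must now also refuse NOT_ACTIVATED and
 * EXPIRED, otherwise the new checks are silently ignored. Returns 1 to
 * accept the peer, 0 to abort the handshake. */
int accept_chain(unsigned int status)
{
    return (status & (STATUS_NOT_ACTIVATED | STATUS_EXPIRED)) == 0;
}

/* Constructed two-certificate chain: the leaf is valid from t=1000 to
 * t=2000, the intermediate that signs it only becomes valid at t=1500.
 * Returns the combined status for the given `now` and verify flags. */
unsigned int sample_status(time_t now, unsigned int flags)
{
    static const struct cert_window chain[] = {
        { "leaf",         1000, 2000 },
        { "intermediate", 1500, 3000 },
    };
    return check_chain_times(chain, sizeof chain / sizeof chain[0], flags, now);
}

int main(void)
{
    const time_t probes[] = { 500, 1200, 1700, 2500, 3500 };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned int st = sample_status(probes[i], 0);
        printf("now=%ld status=0x%x%s%s -> %s\n", (long)probes[i], st,
               (st & STATUS_NOT_ACTIVATED) ? " NOT_ACTIVATED" : "",
               (st & STATUS_EXPIRED)       ? " EXPIRED"       : "",
               accept_chain(st) ? "accept" : "reject");
    }
    /* Same chain at t=1200 with time checks disabled: accepted. */
    printf("now=1200 flags=DISABLE_TIME_CHECKS -> %s\n",
           accept_chain(sample_status(1200, VERIFY_DISABLE_TIME_CHECKS))
               ? "accept" : "reject");
    return 0;
}
```

At t=1200 the leaf itself is within its window, but the intermediate is not yet active, so the chain as a whole is reported NOT_ACTIVATED and rejected; only an explicit DISABLE_TIME_CHECKS makes the same chain pass, which is the opt-out the NEWS entry describes and which an application should use only when it performs an equivalent time check itself.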