Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id B88A563C284
	for <mhonarc+pkgsrc-changes@mail-index.netbsd.org>; Thu, 13 Aug 2009 18:56:35 +0000 (UTC)
Received: by mail.netbsd.org (Postfix, from userid 0)
	id 5783F63B16B; Thu, 13 Aug 2009 18:56:35 +0000 (UTC)
Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd])
	by mail.netbsd.org (Postfix) with ESMTP id 6759763B131
	for <pkgsrc-changes@NetBSD.org>; Thu, 13 Aug 2009 18:56:33 +0000 (UTC)
Received: by cvs.netbsd.org (Postfix, from userid 500)
	id 056FD175D0; Thu, 13 Aug 2009 18:56:32 +0000 (UTC)
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Type: text/plain
Date: Thu, 13 Aug 2009 18:56:32 +0000
From: Soren Jacobsen <snj@netbsd.org>
Subject: CVS commit: pkgsrc/security/gnutls
To: pkgsrc-changes@NetBSD.org
Reply-To: snj@netbsd.org
X-Mailer: log_accum
Message-Id: <20090813185633.056FD175D0@cvs.netbsd.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes
Precedence: list

Module Name:	pkgsrc
Committed By:	snj
Date:		Thu Aug 13 18:56:32 UTC 2009

Modified Files:
	pkgsrc/security/gnutls: Makefile distinfo
	pkgsrc/security/gnutls/patches: patch-ak patch-al

Log Message:
Update to 2.8.3.  Changes:

* Version 2.8.3 (released 2009-08-13)

** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to an read-out-bound error in
some situations.  Reported by Tomas Hoger <thoger@redhat.com>.  A CVE
code have been allocated for the vulnerability: [CVE-2009-2730].

** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.

** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.

** tests: Made self-test mini-eagain take less time.

** doc: Typo fixes.

** API and ABI modifications:
No changes since last version.

* Version 2.8.2 (released 2009-08-10)

** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate.  Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates.  Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions.  The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA.  It does not apply to client authenticated TLS
sessions.  Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09.  Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch.  [GNUTLS-SA-2009-4].

** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false.  Reported by Peter Hendrickson
<pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.

** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs.  Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.

** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits.  Before the reported value was
overestimated.  Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.

** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.

** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with.  Now we just check
that the runtime usage is above the minimum required.  Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.

** minitasn1: Internal copy updated to libtasn1 v2.3.

** tests: Fix failure in "chainverify" because a certificate have expired.

** API and ABI modifications:
No changes since last version.


To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.59 -r1.60 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/gnutls/patches/patch-ak \
    pkgsrc/security/gnutls/patches/patch-al

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.