From: "Havard Eidnes"
Subject: CVS commit: pkgsrc/security/gnutls
To: pkgsrc-changes@NetBSD.org
Reply-To: he@netbsd.org
Message-Id: <20170518075426.5F5DCFBE4@cvs.NetBSD.org>

Module Name:	pkgsrc
Committed By:	he
Date:		Thu May 18 07:54:26 UTC 2017

Modified Files:
	pkgsrc/security/gnutls: Makefile PLIST distinfo

Log Message:
Update to GnuTLS 3.5.12.

Pkgsrc changes:
 * Adapt PLIST.

Upstream changes:

* Version 3.5.12 (released 2017-05-11)

** libgnutls: enabled TCP Fast Open for MacOSX. Patch by Tim Ruehsen.

** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP
   addresses against DNS fields of the certificate (CN or DNSname). The
   previous behavior was to tolerate some misconfigured servers, but that
   was non-standard and skipped any IP constraints present in higher-level
   certificates.

** libgnutls: when converting to IDNA2008, fall back to IDNA2003 (i.e.,
   transitional encoding) if the domain cannot be converted. That provides
   maximum compatibility with browsers like Firefox that perform the same
   conversion.

** libgnutls: fix issue in RSA-PSK client callback which resulted in no
   username being sent to the peer. Patch by Nicolas Dufresne.

** libgnutls: fix regression causing stapled extensions in trust modules
   not to be considered.

** certtool: introduced the email_protection_key option. This option was
   introduced in the documentation for certtool without an implementation
   of it. It is a shortcut for the option
   'key_purpose_oid = 1.3.6.1.5.5.7.3.4'.

** certtool: made printing of key ID and key PIN consistent between
   certificates, public keys, and private keys. That is, the private key
   printing now uses the same format as the rest.

** gnutls-cli: introduced the --sni-hostname option. This allows
   overriding the hostname advertised to the peer.

** API and ABI modifications:
No changes since last version.

* Version 3.5.11 (released 2017-04-07)

** gnutls.pc: do not include libtool options into Libs.private.

** libgnutls: Fixed issue when rehandshaking without a client certificate
   in a session which initially used one. Reported by Frantisek Sumsal.

** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
   certificate parsing. Issues found using the oss-fuzz project and fixed
   by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824

** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure
   access. That allows PKCS#11 operations such as signing to be performed
   with the same object from multiple threads.

** libgnutls: Added support for the MacOSX key chain for obtaining the
   trust store's root CA certificates. That is,
   gnutls_x509_trust_list_add_system_trust() and
   gnutls_certificate_set_x509_system_trust() will load the certificates
   from the key chain. That also means that we no longer check for a
   default trust store file in configure when building on MacOSX (unless
   explicitly asked to). Patch by David Caldwell.

** libgnutls: when disabling OpenPGP authentication, the resulting
   library is ABI compatible (with OpenPGP-related functions being stubs
   that fail on invocation).

** API and ABI modifications:
No changes since last version.

* Version 3.5.10 (released 2017-03-06)

** gnutls.pc: do not include libidn2 in Requires.private. The libidn2
   versions available do not include libidn2.pc, thus the inclusion was
   causing pkg-config issues. Instead we include -lidn2 in Libs.private
   when compiling against libidn2.

** libgnutls: optimized access to subject alternative names (SANs) in
   parsed certificates. The previous implementation assumed a small
   number of SANs in a certificate, with repeated calls to ASN.1 decoding
   of the extension without any intermediate caching. That caused delays
   in certificates with a long list of names in functions such as
   gnutls_x509_crt_check_hostname(). With the current code, the SANs are
   parsed once on certificate import. Resolves gitlab issue #165.

** libgnutls: Addressed integer overflow resulting in an invalid memory
   write in OpenPGP certificate parsing. Issue found using the oss-fuzz
   project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
   [GNUTLS-SA-2017-3A]

** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
   certificate parsing. Issue found using the oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391

** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
   to the private key parser. No longer allow OpenPGP certificates
   (public keys) to contain private key sub-packets. Issue found using
   the oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
   [GNUTLS-SA-2017-3B]

** libgnutls: Addressed large allocation in OpenPGP certificate parsing
   that could lead to an out-of-memory condition. Issue found using the
   oss-fuzz project, and fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392
   [GNUTLS-SA-2017-3C]

** libgnutls: Print the key PIN value used by the HPKP protocol as per
   RFC7469 when printing certificate information.

** libgnutls: gnutls_ocsp_resp_verify_direct() and
   gnutls_ocsp_resp_verify() flags can be set from the
   gnutls_certificate_verify_flags enumeration. This allows the functions
   to pass the same flags available for certificates to the verification
   function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
   GNUTLS_VERIFY_ALLOW_BROKEN).

** libgnutls: gnutls_store_commitment() can accept the flag
   GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN.
   This is to allow the function to operate in applications which use
   SHA1, for example, after SHA1 is deprecated.

** certtool: No longer ignore the 'add_critical_extension' template
   option if the 'add_extension' option is not present.

** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to
   the starttls-proto command. Patch by Robert Scheck.

** API and ABI modifications:
No changes since last version.


To generate a diff of this commit:
cvs rdiff -u -r1.170 -r1.171 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.55 -r1.56 pkgsrc/security/gnutls/PLIST
cvs rdiff -u -r1.124 -r1.125 pkgsrc/security/gnutls/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/gnutls/Makefile diff -u pkgsrc/security/gnutls/Makefile:1.170 pkgsrc/security/gnutls/Makefile:1.171 --- pkgsrc/security/gnutls/Makefile:1.170 Sun Feb 26 09:19:56 2017 +++ pkgsrc/security/gnutls/Makefile Thu May 18 07:54:26 2017 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.170 2017/02/26 09:19:56 adam Exp $ +# $NetBSD: Makefile,v 1.171 2017/05/18 07:54:26 he Exp $ -DISTNAME= gnutls-3.5.9 +DISTNAME= gnutls-3.5.12 CATEGORIES= security devel MASTER_SITES= ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/ EXTRACT_SUFX= .tar.xz Index: pkgsrc/security/gnutls/PLIST diff -u pkgsrc/security/gnutls/PLIST:1.55 pkgsrc/security/gnutls/PLIST:1.56 --- pkgsrc/security/gnutls/PLIST:1.55 Sun Feb 26 09:19:56 2017 +++ pkgsrc/security/gnutls/PLIST Thu May 18 07:54:26 2017 @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.55 2017/02/26 09:19:56 adam Exp $ +@comment $NetBSD: PLIST,v 1.56 2017/05/18 07:54:26 he Exp $ bin/certtool bin/gnutls-cli bin/gnutls-cli-debug
@@ -1079,6 +1079,15 @@ man/man3/gnutls_x509_trust_list_remove_t man/man3/gnutls_x509_trust_list_verify_crt.3 man/man3/gnutls_x509_trust_list_verify_crt2.3 man/man3/gnutls_x509_trust_list_verify_named_crt.3 +share/doc/gnutls/gnutls-client-server-use-case.png +share/doc/gnutls/gnutls-handshake-sequence.png +share/doc/gnutls/gnutls-handshake-state.png +share/doc/gnutls/gnutls-internals.png +share/doc/gnutls/gnutls-layers.png +share/doc/gnutls/gnutls-logo.png +share/doc/gnutls/gnutls-modauth.png +share/doc/gnutls/gnutls-x509.png +share/doc/gnutls/pkcs11-vision.png share/examples/gnutls/ex-alert.c share/examples/gnutls/ex-cert-select-pkcs11.c share/examples/gnutls/ex-cert-select.c @@ -1121,3 +1130,4 @@ share/locale/sv/LC_MESSAGES/gnutls.mo share/locale/uk/LC_MESSAGES/gnutls.mo share/locale/vi/LC_MESSAGES/gnutls.mo share/locale/zh_CN/LC_MESSAGES/gnutls.mo + Index: pkgsrc/security/gnutls/distinfo diff -u pkgsrc/security/gnutls/distinfo:1.124 pkgsrc/security/gnutls/distinfo:1.125 --- pkgsrc/security/gnutls/distinfo:1.124 Mon Apr 10 10:43:49 2017 +++ pkgsrc/security/gnutls/distinfo Thu May 18 07:54:26 2017 
@@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.124 2017/04/10 10:43:49 jperkin Exp $ +$NetBSD: distinfo,v 1.125 2017/05/18 07:54:26 he Exp $ -SHA1 (gnutls-3.5.9.tar.xz) = f3f184a92f128af1c2fb29b29a4d325af65694a5 -RMD160 (gnutls-3.5.9.tar.xz) = a200b078cf9204f70dfaae7c045fc2f762a22809 -SHA512 (gnutls-3.5.9.tar.xz) = 17a05143eaa70ee61b149a5f09ae7a688cb3f314ad1e67ce41a778e5960717e276cc780f3db9b6923c14c4d998e17563c134cab5297502181cd2dabb47da3515 -Size (gnutls-3.5.9.tar.xz) = 7166932 bytes +SHA1 (gnutls-3.5.12.tar.xz) = 9f453686bc6b1e6ebc04197158a2bc123c0272df +RMD160 (gnutls-3.5.12.tar.xz) = ffdd1b7af9376cee94e81fefd929ee6a41cd8fcb +SHA512 (gnutls-3.5.12.tar.xz) = 8fec23e7e494a2e15e0f938115cae1ba3fee952d634db387f983b01096f68ca4313b23bc4c439d3c7fdd07c861eac4913a7c2343c8704961588ae195886ec90c +Size (gnutls-3.5.12.tar.xz) = 7212652 bytes SHA1 (patch-ae) = 5e020483ac14ef6ccc45a53e351242ab16c860f1 SHA1 (patch-lib_Makefile.in) = d0e292e632a91a9f19e39bd2c2d205a086ba5588 SHA1 (patch-lib_accelerated_x86_x86-common.c) = 7a46ef6892b3a06ff4c949a965073c720a2491a4 --_----------=_1495094066274820--
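Review bot: the Makefile hunk bumps DISTNAME from gnutls-3.5.9 to gnutls-3.5.12 while MASTER_SITES stays at ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/, an unauthenticated transport, so the distinfo checksums recorded in this same commit are the only integrity control on the new distfile; the log message does not say how the new tarball was validated against upstream before its SHA1/RMD160/SHA512 values were taken, and one sentence recording that would make the provenance of the hashes auditable later.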
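Review bot: the second PLIST hunk (@@ -1121,3 +1130,4 @@) appends a single empty line after share/locale/zh_CN/LC_MESSAGES/gnutls.mo; a blank line names no installed file and looks like an artifact of regenerating the packing list, so the trailing "+" line should be dropped before the next PLIST edit picks it up as context.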
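Review bot: the distinfo hunk replaces the SHA1, RMD160, SHA512 and Size lines for gnutls-3.5.12.tar.xz but leaves the checksums of patch-ae, patch-lib_Makefile.in and patch-lib_accelerated_x86_x86-common.c untouched, which is only correct if all three still apply unchanged to the new source; the log message does not mention re-checking the local patches against 3.5.12, so a note confirming that (or a separate commit dropping any patch upstream has absorbed) would close that gap.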
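The 3.5.12 entry for gnutls_x509_crt_check_hostname2() in the log message above says an IP-address target is no longer compared with the CN or dNSName strings, because that tolerance skipped IP name constraints carried by issuing certificates. The following Python is an added illustration of that rule and is not GnuTLS code: the Cert class, the sample certificates and the 10.0.0.0/8 excluded subtree are constructed for the example, and the "lenient" mode models the old behaviour only as far as the NEWS entry describes it, not the library's actual implementation.

```python
"""RFC 6125-style hostname matching that keeps IP literals and DNS names apart.

Added example (not GnuTLS code). It models the rule behind the 3.5.12 change to
gnutls_x509_crt_check_hostname2(): an IP-address target may only match an
iPAddress SAN, never the CN or a dNSName string. The lenient mode reproduces
the old, tolerant behaviour only as far as the NEWS entry describes it.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Constructed stand-in for a parsed leaf certificate (no real X.509 parsing)."""
    common_name: str
    dns_names: list = field(default_factory=list)  # dNSName SAN entries
    ip_names: list = field(default_factory=list)   # iPAddress SAN entries, as text


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS comparison; a leading '*.' matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def _parse_ip(text: str):
    """Return an ipaddress object for an IPv4/IPv6 literal, or None for a DNS name."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_hostname(cert: Cert, target: str, tolerate_ip_in_dns: bool = False) -> bool:
    """Does `target` name `cert`?

    tolerate_ip_in_dns=False: strict rule (what GnuTLS 3.5.12 enforces):
        an IP literal is compared only with iPAddress SANs.
    tolerate_ip_in_dns=True: the old lenient rule, which also compared the
        IP literal's text with the CN and dNSName strings.
    """
    ip = _parse_ip(target)
    if ip is not None:
        if any(_parse_ip(s) == ip for s in cert.ip_names):
            return True
        if not tolerate_ip_in_dns:
            return False
        # Lenient mode falls through and treats the IP text like a DNS name.
    # dNSName SANs take precedence; the CN is consulted only when none exist.
    if cert.dns_names:
        return any(_dns_match(p, target) for p in cert.dns_names)
    return _dns_match(cert.common_name, target)


def violates_ip_constraint(cert: Cert, excluded_subtrees) -> bool:
    """True if an iPAddress SAN lies inside an issuer's excluded IP subtree.

    Name constraints are applied per name form, so a CA's iPAddress
    constraint is only ever checked against iPAddress SANs of the leaf:
    an IP hidden in the CN is never seen by it.
    """
    nets = [ipaddress.ip_network(n) for n in excluded_subtrees]
    return any(ip in net for ip in map(_parse_ip, cert.ip_names) for net in nets)


def verify(cert: Cert, target: str, excluded_ip_subtrees=(),
           tolerate_ip_in_dns: bool = False) -> bool:
    """Issuer name-constraint check followed by hostname matching."""
    if violates_ip_constraint(cert, excluded_ip_subtrees):
        return False
    return check_hostname(cert, target, tolerate_ip_in_dns)


# Constructed sample data (not real certificates).
GOOD = Cert("example.test",
            dns_names=["example.test", "*.example.test"],
            ip_names=["192.0.2.10", "2001:db8::10"])
# Misconfigured server: the IP lives in the CN, no iPAddress SAN at all.
CN_ONLY = Cert("10.0.0.5")
# Properly issued for the same address.
WITH_IP_SAN = Cert("10.0.0.5", ip_names=["10.0.0.5"])
# Hypothetical issuing CA that excludes the whole 10/8 range via nameConstraints.
CA_EXCLUDED = ["10.0.0.0/8"]


def demo() -> dict:
    """Return the outcomes a practitioner would compare, keyed by scenario."""
    return {
        "dns wildcard one label": check_hostname(GOOD, "www.example.test"),
        "dns wildcard two labels": check_hostname(GOOD, "a.b.example.test"),
        "ip matches iPAddress SAN": check_hostname(GOOD, "2001:db8::10"),
        "ip only in CN, strict": verify(CN_ONLY, "10.0.0.5", CA_EXCLUDED),
        "ip only in CN, lenient": verify(CN_ONLY, "10.0.0.5", CA_EXCLUDED,
                                         tolerate_ip_in_dns=True),
        "ip in SAN, constraint enforced": verify(WITH_IP_SAN, "10.0.0.5", CA_EXCLUDED),
        "ip in SAN, no constraint": verify(WITH_IP_SAN, "10.0.0.5"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} -> {'accept' if ok else 'reject'}")
```

The pair of CN_ONLY results is the point of the NEWS entry: in lenient mode the CN text "10.0.0.5" satisfies the hostname check while the CA's excluded 10.0.0.0/8 subtree is never consulted, because the constraint only applies to iPAddress SANs and the certificate has none; in strict mode the same certificate is rejected, and a certificate that does carry the address as an iPAddress SAN is rejected by the constraint itself.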