Log message:
Packaged gnutls 3.2.20

* Version 3.2.20 (released 2014-11-10)

** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.

** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].

** API and ABI modifications:
No changes since last version.

Log message:
Packaged gnutls 3.2.19

* Version 3.2.19 (released 2014-10-13)

** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.

** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.

** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.

** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.

** guile: new 'set-session-server-name!' procedure; see the manual for
details.

** API and ABI modifications:
No changes since last version.

Log message:
Changes 3.2.18:

** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid.

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original.

Log message:
Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles.

Log message:
Changes 3.2.17:
** libgnutls: initialize parameters variable on PKCS 8 decryption.
** libgnutls: Explicitly set the exponent in PKCS 11 key generation.
That improves compatibility with certain PKCS 11 modules. Contributed by
Wolfgang Meyer zu Bergsten.
** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
algorithms.
** libgnutls: when checking the hostname of a certificate with multiple CNs
ensure that the "most specific" CN is being used.
** libgnutls: In DTLS ignore only errors that relate to unexpected packets
and decryption failures.
** API and ABI modifications:
No changes since last version.

Log message:
Update to 3.2.15:

* Version 3.2.15 (released 2014-05-30)

** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.

** libgnutls: Several memory leaks caused by error conditions were
fixed. The leaks were identified using valgrind and the Codenomicon
TLS test suite.

** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.

** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.

** gnutls-cli: if dane is requested but not PKIX verification, then
only do verify the end certificate.

** ocsptool: Include path in ocsp request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.

** API and ABI modifications:
No changes since last version.

* Version 3.2.14 (released 2014-05-06)

** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.

** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result to illegal memory access if a server hint was provided.

** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.

** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.

** libgnutls: Several small bug fixes found by coverity.

** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.

** configure: Added --with-nettle-mini option, which allows linking
with a libnettle that contains gmp.

** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.

** API and ABI modifications:
No changes since last version.

* Version 3.2.13 (released 2014-04-07)

** libgnutls: gnutls_openpgp_keyring_import will no longer fail silently
if there are no base64 data. Report and patch by Ramkumar Chinchani.

** libgnutls: gnutls_record_send is now safe to be called under DTLS when
in corked mode.

** libgnutls: Ciphersuites that use the SHA256 or SHA384 MACs are
only available in TLS 1.0 as SSL 3.0 doesn't specify parameters for
these algorithms.

** libgnutls: Changed the behaviour in wildcard acceptance in certificates.
Wildcards are only accepted when there are more than two domain components
after the wildcard. This drops support for the permissive RFC2818 wildcards
and adds more conservative support based on the suggestions in RFC6125. Suggested
by Jeffrey Walton.

** certtool: When no password is provided to export a PKCS #8 keys, do
not encrypt by default. This reverts to the certtool behavior of gnutls
3.0. The previous behavior of encrypting using an empty password can be
replicating using the new parameter --empty-password.

** p11tool: Avoid dual initialization of the PKCS #11 subsystem when
the --provider option is given.

** API and ABI modifications:
No changes since last version.

Log message:
Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.

Log message:
Changes 3.2.12:

** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)

** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
when provided with invalid data. Reported by Dmitriy Anisimkov.

** libgnutls: Corrected timeout issue in subsequent to the first
DTLS handshakes.

** libgnutls: Removed unconditional not-trusted message in
gnutls_certificate_verification_status_print() when used with
OpenPGP certificates. Reported by Michel Briand.

** libgnutls: All ciphersuites that were available in TLS1.0 or
later are now made available in SSL3.0 or later to prevent
any incompatibilities with servers that negotiate them in SSL 3.0.

** ocsptool: When verifying a response and a signer isn't provided
assume that the signer is the issuer.

** ocsptool: When sending a nonce, verify that the nonce exists
in the OCSP response.

** gnutls-cli: Added --strict-tofu option; contributed by Jens
Lechtenboerger.

** API and ABI modifications:
No changes since last version.

Log message:
update to 3.2.11
changes:
Fix bug that prevented the rejection of v1 intermediate CA certificates
(CVE-2014-1959)

Log message:
Add patch from GnuTLS repository to fix build of assembler routines
under Mac OS X. Crucial hint provided by Nikos Mavrogiannopoulos.