Subject: CVS commit: [pkgsrc-2014Q1] pkgsrc/security/gnutls
From: Eric Schnoebelen
Date: 2014-06-04 18:15:38
Message id: 20140604161539.0897D96@cvs.netbsd.org

Log Message:
Pullup ticket #4430 - requested by tron
security/gnutls: security update

Revisions pulled up:
- security/gnutls/Makefile                                      1.146
- security/gnutls/distinfo                                      1.106

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Fri May 30 13:20:23 UTC 2014

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   Update to 3.2.15:

   * Version 3.2.15 (released 2014-05-30)

   ** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
   Issue reported by Joonas Kuorilehto of Codenomicon.

   ** libgnutls: Several memory leaks caused by error conditions were
   fixed. The leaks were identified using valgrind and the Codenomicon
   TLS test suite.

   ** libgnutls: Increased the maximum certificate size buffer
   in the PKCS #11 subsystem.

   ** libgnutls: Check the return code of getpwuid_r() instead of relying
   on the result value. That avoids an issue in certain systems, when using
   tofu authentication and the home path cannot be determined. Issue reported
   by Viktor Dukhovni.

   ** gnutls-cli: if dane is requested but not PKIX verification, then
   only verify the end certificate.

   ** ocsptool: Include path in ocsp request. This resolves #108582
   (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.

   ** API and ABI modifications:
   No changes since last version.

   * Version 3.2.14 (released 2014-05-06)

   ** libgnutls: Fixed issue with the check of incoming data when two
   different recv and send pointers have been specified. Reported and
   investigated by JMRecio.

   ** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
   result in illegal memory access if a server hint was provided.

   ** libgnutls: Fixed client memory leak in the PSK key exchange, if a
   server hint was provided.

   ** libgnutls: Several small bug fixes identified using valgrind and
   the Codenomicon TLS test suite.

   ** libgnutls: Several small bug fixes found by coverity.

   ** libgnutls-dane: Accept a certificate using DANE if there is at least one
   entry that matches the certificate. Patch by simon [at] arlott.org.

   ** configure: Added --with-nettle-mini option, which allows linking
   with a libnettle that contains gmp.

   ** certtool: The ECDSA keys generated by default use the SECP256R1 curve
   which is supported more widely than the previously used SECP224R1.

   ** API and ABI modifications:
   No changes since last version.

   * Version 3.2.13 (released 2014-04-07)

   ** libgnutls: gnutls_openpgp_keyring_import will no longer fail silently
   if there are no base64 data. Report and patch by Ramkumar Chinchani.

   ** libgnutls: gnutls_record_send is now safe to be called under DTLS when
   in corked mode.

   ** libgnutls: Ciphersuites that use the SHA256 or SHA384 MACs are
   only available in TLS 1.0 as SSL 3.0 doesn't specify parameters for
   these algorithms.

   ** libgnutls: Changed the behaviour in wildcard acceptance in certificates.
   Wildcards are only accepted when there are more than two domain components
   after the wildcard. This drops support for the permissive RFC2818 wildcards
   and adds more conservative support based on the suggestions in RFC6125. Suggested
   by Jeffrey Walton.

   ** certtool: When no password is provided to export a PKCS #8 key, do
   not encrypt by default. This reverts to the certtool behavior of gnutls
   3.0. The previous behavior of encrypting using an empty password can be
   replicated using the new parameter --empty-password.

   ** p11tool: Avoid dual initialization of the PKCS #11 subsystem when
   the --provider option is given.

   ** API and ABI modifications:
   No changes since last version.

Files:
Revision     Action   File
1.144.2.1    modify   pkgsrc/security/gnutls/Makefile
1.105.2.1    modify   pkgsrc/security/gnutls/distinfo