Navigation:
Browse pkgsrc
(this page)
security gnutls
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ]| 2025-04-17 23:53:13 by Thomas Klausner | Files touched by this commit (2449) |
Log message: *: recursive bump for icu 77 and libxml2 2.14 |
| 2025-03-03 22:32:28 by Nia Alarie | Files touched by this commit (12) |
Log message: mk: Introduce and use MASTER_SITE_GNUPG Various packages around the tree use a different variant of MASTER_SITES to access various GnuPG mirrors, let's just centralize them in one locaiton. While here, fix some lint warnings. |
2025-02-12 09:33:23 by Adam Ciarcinski | Files touched by this commit (3) |  |
Log message: gnutls: updated to 3.8.9 Version 3.8.9 (released 2025-02-07) ** libgnutls: leancrypto was added as an interim option for PQC The library can now be built with leancrypto instead of liboqs for post-quantum cryptography (PQC), when configured with --with-leancrypto option instead of --with-liboqs. ** libgnutls: Experimental support for ML-DSA signature algorithm The library and certtool now support ML-DSA signature algorithm as defined in FIPS 204 and based on draft-ietf-lamps-dilithium-certificates-04. This feature is currently marked as experimental and can only be enabled when compiled with --with-leancrypto or --with-liboqs. Contributed by David Dudas. ** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism The support for ML-KEM post-quantum key encapsulation mechanisms has been extended to cover ML-KEM-1024, in addition to ML-KEM-768. MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per draft-kwiatkowski-tls-ecdhe-mlkem-03. ** libgnutls: Fix potential DoS in handling certificates with numerous name constraints, as a follow-up of CVE-2024-12133 in libtasn1. The bundled copy of libtasn1 has also been updated to the latest 4.20.0 release to complete the fix. [GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243] ** API and ABI modifications: GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t |
| 2025-01-07 21:12:53 by Taylor R Campbell | Files touched by this commit (1) |
Log message: Revert "security/gnutls: Use system TLS trust anchors." This requires review of how SmartOS and macOS, at least, are supposed to handle TLS trust anchors for pkgsrc, which I didn't do -- it's practically guaranteed that referring to share/mozilla-rootcerts/cacert.pem is wrong on those platforms like it is on NetBSD, but I don't know offhand what the right alternative is and this can hold off until we determine that. |
| 2025-01-07 20:19:34 by Taylor R Campbell | Files touched by this commit (1) |
Log message:
security/gnutls: Use system TLS trust anchors.
Until 2018, gnutls would search at _build-time_ for one of various
files /etc/ssl/ca-bundle.pem, /etc/ssl/certs/ca-certificates.crt,
/etc/pki/tls/cert.pem, &c., for trust anchors, and bake that path
into the build product -- or, if none of those existed at build-time,
it would bake _nothing_ into the build product and require programs
doing TLS to specify trust anchors explicitly; the gnutls function
gnutls_x509_trust_list_add_system_trust would fail with
GNUTLS_E_UNIMPLEMENTED_FEATURE.
In 2018, gnutls was changed to depend on mozilla-rootcerts and use
${PREFIX}/share/mozilla-rootcerts/cacert.pem. This was expedient for
NetBSD which (a) had no trust anchors shipped out of the box until
10.0 but (b) would usually be configured with mozilla-rootcerts
anyway, but wrong, because:
1. The system may manage TLS trust anchors differently, e.g. on
Fedora they're somewhere in /etc/pki/tls, or even if you install
trust anchors from pkgsrc you might use security/ca-certificates
instead of security/mozilla-rootcerts.
2. Even if the system uses Mozilla's trust anchors, there is no way
for an operator to safely selectively override individual CA
certificates, like nixing Digi-Notar after their compromise --
${PREFIX}/share/mozilla-rootcerts/cacert.pem is a static file that
is not allowed to change, not an editable configuration file.
With this change, on platforms where mk/ssl.mk defines SSLCERTBUNDLE,
gnutls will look there; on platforms without it, gnutls will revert
to its original default of checking various paths at build-time. For
systems where the binary packages are built without trust anchors at
build-time, but where there is a fixed path known at build-time where
the trust anchors will be at run-time, mk/ssl.mk should be adapted to
set SSLCERTBUNDLE.
PR pkg/58143: security/gnutls uses wrong trust anchors
|
| 2024-11-14 23:22:33 by Thomas Klausner | Files touched by this commit (2428) |
Log message: *: recursive bump for icu 76 shlib major version bump |
| 2024-11-11 13:17:56 by Nia Alarie | Files touched by this commit (1) |
Log message: gnutls: gnu99 isn't valid for USE_CC_FEATURES |
| 2024-11-11 03:06:05 by David H. Gutteridge | Files touched by this commit (1) | |
Log message: gnutls: update test results comment |
New packages: