Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Pkgsrc changes: Adapt PLIST. Upstream changes: * Version 3.5.12 (released 2017-05-11) ** libgnutls: enabled TCP Fast open for MacOSX. Patch by Tim Ruehsen. ** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses against DNS fields of certificate (CN or DNSname). The previous behavior was to tolerate some misconfigured servers, but that was non-standard and skipped any IP constraints present in higher level certificates. ** libgnutls: when converting to IDNA2008, fallback to IDNA2003 (i.e., transitional encoding) if the domain cannot be converted. That provides maximum compatibility with browsers like firefox that perform the same conversion. ** libgnutls: fix issue in RSA-PSK client callback which resulted in no username being sent to the peer. Patch by Nicolas Dufresne. ** libgnutls: fix regression causing stapled extensions in trust modules not to be considered. ** certtool: introduced the email_protection_key option. This option was introduced in documentation for certtool without an implementation of it. It is a shortcut for option 'key_purpose_oid = 1.3.6.1.5.5.7.3.4'. ** certtool: made printing of key ID and key PIN consistent between certificates, public keys, and private keys. That is the private key printing now uses the same format as the rest. ** gnutls-cli: introduced the --sni-hostname option. This allows overriding the hostname advertised to the peer. ** API and ABI modifications: No changes since last version. * Version 3.5.11 (released 2017-04-07) ** gnutls.pc: do not include libtool options into Libs.private. ** libgnutls: Fixed issue when rehandshaking without a client certificate in a session which initially used one. Reported by Frantisek Sumsal. ** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP certificate parsing. Issues found using oss-fuzz project and were fixed by Alex Gaynor: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824 ** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access. That allows PKCS#11 operations such as signing to be performed with the same object from multiple threads. ** libgnutls: Added support for MacOSX key chain for obtaining trust store's root CA certificates. That is, gnutls_x509_trust_list_add_system_trust() and gnutls_certificate_set_x509_system_trust() will load the certificates from the key chain. That also means that we no longer check for a default trust store file in configure when building on MacOSX (unless explicitly asked to). Patch by David Caldwell. ** libgnutls: when disabling OpenPGP authentication, the resulting library is ABI compatible (with openpgp related functions being stubs that fail on invocation). ** API and ABI modifications: No changes since last version. * Version 3.5.10 (released 2017-03-06) ** gnutls.pc: do not include libidn2 in Requires.private. The libidn2 versions available do not include libidn2.pc, thus the inclusion was causing pkg-config issues. Instead we include -lidn2 in Libs.private when compile against libidn2. ** libgnutls: optimized access to subject alternative names (SANs) in parsed certificates. The previous implementation assumed a small number of SANs in a certificate, with repeated calls to ASN.1 decoding of the extension without any intermediate caching. That caused delays in certificates with a long list of names in functions such as gnutls_x509_crt_check_hostname(). With the current code, the SANs are parsed once on certificate import. Resolves gitlab issue #165. ** libgnutls: Addressed integer overflow resulting to invalid memory write in OpenPGP certificate parsing. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 [GNUTLS-SA-2017-3A] ** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP certificate parsing. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391 ** libgnutls: Addressed crashes in OpenPGP certificate parsing, related to private key parser. No longer allow OpenPGP certificates (public keys) to contain private key sub-packets. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B] ** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that could lead in out-of-memory condition. Issue found using oss-fuzz project, and was fixed by Alex Gaynor: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C] ** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469 when printing certificate information. ** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify() flags can be set from the gnutls_certificate_verify_flags enumeration. This allows the functions to pass the same flags available for certificates to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or GNUTLS_VERIFY_ALLOW_BROKEN). ** libgnutls: gnutls_store_commitment() can accept flag GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate in applications which use SHA1 for example, after SHA1 is deprecated. ** certtool: No longer ignore the 'add_critical_extension' template option if the 'add_extension' option is not present. ** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the starttls-proto command. Patch by Robert Scheck. ** API and ABI modifications: No changes since last version.
- Loading branch information