* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
@ 2019-04-03  6:14 Sørensen, Stefan
  2019-04-03  8:01 ` Peter Korsgaard
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Sørensen, Stefan @ 2019-04-03  6:14 UTC (permalink / raw)
  To: buildroot

Fixes the following security issues:

 * CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
   that there is an uninitialized pointer access in gnutls versions 3.6.3 or
   later which can be triggered by certain post-handshake messages.

 * CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
   before 3.6.7. A memory corruption (double free) vulnerability in the
   certificate verification API. Any client or server application that
   verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
 package/gnutls/gnutls.hash | 4 ++--
 package/gnutls/gnutls.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/gnutls/gnutls.hash b/package/gnutls/gnutls.hash
index 1af0e2d45d..e6bf7faaa9 100644
--- a/package/gnutls/gnutls.hash
+++ b/package/gnutls/gnutls.hash
@@ -1,6 +1,6 @@
 # Locally calculated after checking pgp signature
-# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.6.tar.xz.sig
-sha256	bb9acab8af2ac430edf45faaaa4ed2c51f86e57cb57689be6701aceef4732ca7	gnutls-3.6.6.tar.xz
+# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.7.1.tar.xz.sig
+sha256	881b26409ecd8ea4c514fd3fbdb6fae5fab422ca7b71116260e263940a4bbbad	gnutls-3.6.7.1.tar.xz
 # Locally calculated
 sha256	8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903	doc/COPYING
 sha256	6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3	doc/COPYING.LESSER
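Review bot: the doc/COPYING and doc/COPYING.LESSER entries are carried over unchanged from the 3.6.6 hash file, so this hunk re-verifies only the tarball and not the license texts shipped inside it; a version bump should recompute those two hashes against the new tarball (Thomas's reply in this thread reports that doc/COPYING's sha256 does change in 3.6.7.1 and legal-info fails), and where the file differs, diff the old and new COPYING and record the reason in the commit log instead of silently updating the hash.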
diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
index c6d2d72771..e7c5968204 100644
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 GNUTLS_VERSION_MAJOR = 3.6
-GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).6
+GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).7.1
 GNUTLS_SOURCE = gnutls-$(GNUTLS_VERSION).tar.xz
 GNUTLS_SITE = https://www.gnupg.org/ftp/gcrypt/gnutls/v$(GNUTLS_VERSION_MAJOR)
 GNUTLS_LICENSE = LGPL-2.1+ (core library), GPL-3.0+ (gnutls-openssl library)
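Review bot: the commit log lists CVE-2019-3836 and CVE-2019-3829, both of which the quoted advisories say are fixed in 3.6.7, yet this hunk sets GNUTLS_VERSION to 3.6.7.1 without saying what the extra ".1" changes; state the delta in the log (per the thread, a file missing from the 3.6.7 release tarball, https://gitlab.com/gnutls/gnutls/issues/745) so a reader does not assume 3.6.7.1 carries an additional security fix.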
-- 
2.20.1


* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
  2019-04-03  6:14 [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1 Sørensen, Stefan
@ 2019-04-03  8:01 ` Peter Korsgaard
  2019-04-03  8:11   ` Sørensen, Stefan
  2019-04-07 20:54 ` Peter Korsgaard
  2019-04-14 21:17 ` Peter Korsgaard
  2 siblings, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2019-04-03  8:01 UTC (permalink / raw)
  To: buildroot

>>>>> "Sørensen," == Sørensen, Stefan <Stefan.Sorensen@spectralink.com> writes:

 > Fixes the following security issues:
 >  * CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
 >    that there is an uninitialized pointer access in gnutls versions 3.6.3 or
 >    later which can be triggered by certain post-handshake messages

 >  * CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
 >    before 3.6.7. A memory corruption (double free) vulnerability in the
 >    certificate verification API. Any client or server application that
 >    verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.

These issues were fixed in 3.6.7, weren't they? I don't see 3.6.7.1
announced yet, what is the delta?

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
  2019-04-03  8:01 ` Peter Korsgaard
@ 2019-04-03  8:11   ` Sørensen, Stefan
  2019-04-03 19:56     ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Sørensen, Stefan @ 2019-04-03  8:11 UTC (permalink / raw)
  To: buildroot

On Wed, 2019-04-03 at 10:01 +0200, Peter Korsgaard wrote:

> These issues were fixed in 3.6.7, weren't they? I don't see 3.6.7.1
> announced yet, what is the delta?

Guess I might have jumped the gun a bit...

Only change is that a file was missing from the release tarball:
https://gitlab.com/gnutls/gnutls/issues/745

Stefan


* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
  2019-04-03  8:11   ` Sørensen, Stefan
@ 2019-04-03 19:56     ` Thomas Petazzoni
  0 siblings, 0 replies; 6+ messages in thread
From: Thomas Petazzoni @ 2019-04-03 19:56 UTC (permalink / raw)
  To: buildroot

Hello Stefan,

On Wed, 3 Apr 2019 08:11:35 +0000
"Sørensen, Stefan" <Stefan.Sorensen@spectralink.com> wrote:

> On Wed, 2019-04-03 at 10:01 +0200, Peter Korsgaard wrote:
> 
> > These issues were fixed in 3.6.7, weren't they? I don't see 3.6.7.1
> > announced yet, what is the delta?
> 
> Guess I might have jumped the gun a bit...
> 
> Only change is that a file was missing from the release tarball:
> https://gitlab.com/gnutls/gnutls/issues/745

There is a 3.6.7.1 tarball: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/

However, your patch breaks legal-info for gnutls:

ERROR: doc/COPYING has wrong sha256 hash:
ERROR: expected: 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903
ERROR: got     : e79e9c8a0c85d735ff98185918ec94ed7d175efc377012787aebcf3b80f0d90b
ERROR: Incomplete download, or man-in-the-middle (MITM) attack

Note: don't do just a hash update: compare the COPYING file
before/after the bump, and document the change in the commit log to
explain why the hash has changed.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
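The integrity check behind the legal-info error Thomas quotes, as an added shell example that is not Buildroot's own support/download code: it assumes a .hash file in the tab-separated form used by package/gnutls/gnutls.hash and verifies each sha256 entry against a directory, using a constructed sample tree rather than a real gnutls tarball.

```shell
#!/bin/sh
# Added example, not Buildroot's own support/download code: verify the
# entries of a Buildroot-style .hash file (one "<algo>\t<hash>\t<path>"
# per line, '#' comments) against files under a directory, reporting a
# mismatch the way the legal-info error quoted above does.
sha256_of() {
    # Prefer coreutils sha256sum, fall back to openssl on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# check_hash_file HASHFILE DIR: 0 if every sha256 entry matches, 1 otherwise.
check_hash_file() {
    hashfile=$1; dir=$2; rc=0
    while IFS="$(printf '\t')" read -r algo expected path; do
        case "$algo" in ''|'#'*) continue ;; esac   # blank or comment line
        if [ "$algo" != sha256 ]; then
            echo "ERROR: $path: unsupported algorithm $algo" >&2; rc=1; continue
        fi
        if [ ! -f "$dir/$path" ]; then
            echo "ERROR: $path is missing from $dir" >&2; rc=1; continue
        fi
        got=$(sha256_of "$dir/$path" </dev/null)
        if [ "$got" != "$expected" ]; then
            echo "ERROR: $path has wrong sha256 hash:" >&2
            echo "ERROR: expected: $expected" >&2
            echo "ERROR: got     : $got" >&2
            rc=1
        fi
    done < "$hashfile"
    return $rc
}

# Constructed demo tree: a fake doc/COPYING plus one correct and one stale hash file.
setup_demo() {
    DEMO=$(mktemp -d)
    mkdir -p "$DEMO/src/doc"
    printf 'Constructed sample license text, not a real COPYING file.\n' > "$DEMO/src/doc/COPYING"
    h=$(sha256_of "$DEMO/src/doc/COPYING")
    printf '# Locally calculated\nsha256\t%s\tdoc/COPYING\n' "$h" > "$DEMO/good.hash"
    # Stale entry: the hash recorded before the bump no longer matches the file.
    printf 'sha256\t%s\tdoc/COPYING\n' 0000000000000000000000000000000000000000000000000000000000000000 > "$DEMO/bad.hash"
}

setup_demo
check_hash_file "$DEMO/good.hash" "$DEMO/src" && echo "good.hash: all entries match"
check_hash_file "$DEMO/bad.hash" "$DEMO/src" || echo "bad.hash: mismatch detected (exit 1)"
```

A stale entry is reported with the expected and actual digests so the reviewer can diff the old and new file, which is the comparison Thomas asks for before any hash is updated.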


* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
  2019-04-03  6:14 [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1 Sørensen, Stefan
  2019-04-03  8:01 ` Peter Korsgaard
@ 2019-04-07 20:54 ` Peter Korsgaard
  2019-04-14 21:17 ` Peter Korsgaard
  2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2019-04-07 20:54 UTC (permalink / raw)
  To: buildroot

>>>>> "Sørensen," == Sørensen, Stefan <Stefan.Sorensen@spectralink.com> writes:

 > Fixes the following security issues:
 >  * CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
 >    that there is an uninitialized pointer access in gnutls versions 3.6.3 or
 >    later which can be triggered by certain post-handshake messages

 >  * CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
 >    before 3.6.7. A memory corruption (double free) vulnerability in the
 >    certificate verification API. Any client or server application that
 >    verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.

 > Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

Committed after fixing the license file hash and adding a note that
3.6.7.1 fixes a tarball packaging issue, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
  2019-04-03  6:14 [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1 Sørensen, Stefan
  2019-04-03  8:01 ` Peter Korsgaard
  2019-04-07 20:54 ` Peter Korsgaard
@ 2019-04-14 21:17 ` Peter Korsgaard
  2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2019-04-14 21:17 UTC (permalink / raw)
  To: buildroot

>>>>> "Sørensen," == Sørensen, Stefan <Stefan.Sorensen@spectralink.com> writes:

 > Fixes the following security issues:
 >  * CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
 >    that there is an uninitialized pointer access in gnutls versions 3.6.3 or
 >    later which can be triggered by certain post-handshake messages

 >  * CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
 >    before 3.6.7. A memory corruption (double free) vulnerability in the
 >    certificate verification API. Any client or server application that
 >    verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.

 > Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

Committed to 2019.02.x, thanks.

-- 
Bye, Peter Korsgaard

