* [Buildroot] [PATCH 1/1] package/gnutls: security bump to 3.6.13
@ 2020-04-07  7:36 Stefan Sørensen
  2020-04-08 20:51 ` Thomas Petazzoni
  2020-04-09  6:09 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Stefan Sørensen @ 2020-04-07  7:36 UTC (permalink / raw)
  To: buildroot

Fixes the following security issue:

 * CVE-2020-11501: It was found that GnuTLS 3.6.3 introduced a
   regression in the DTLS protocol implementation. This caused the DTLS
   client to not contribute any randomness to the DTLS negotiation
   breaking the security guarantees of the DTLS protocol.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
 package/gnutls/gnutls.hash | 4 ++--
 package/gnutls/gnutls.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/gnutls/gnutls.hash b/package/gnutls/gnutls.hash
index c8a1e1cbca..99279bfb6b 100644
--- a/package/gnutls/gnutls.hash
+++ b/package/gnutls/gnutls.hash
@@ -1,6 +1,6 @@
 # Locally calculated after checking pgp signature
-# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.10.tar.xz.sig
-sha256 b1f3ca67673b05b746a961acf2243eaae0ffe658b6a6494265c648e7c7812293        gnutls-3.6.10.tar.xz
+# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.13.tar.xz.sig
+sha256 32041df447d9f4644570cf573c9f60358e865637d69b7e59d1159b7240b52f38        gnutls-3.6.13.tar.xz
 # Locally calculated
 sha256 e79e9c8a0c85d735ff98185918ec94ed7d175efc377012787aebcf3b80f0d90b        doc/COPYING
 sha256 6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3        doc/COPYING.LESSER
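Review bot: The header comment "Locally calculated after checking pgp signature" is carried over unchanged from the 3.6.10 entry, so the diff alone cannot show that gnutls-3.6.13.tar.xz.sig was actually verified before the new sha256 was computed. Please confirm in the commit message that the signature was checked for this tarball, ideally naming the signing key used. The doc/COPYING and doc/COPYING.LESSER hashes are left as they were; a line noting that the license files are unchanged across the 3.6.10 to 3.6.13 jump would help.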
diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
index efdcd21d9d..a1dfce62a2 100644
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -5,7 +5,7 @@
 ################################################################################

 GNUTLS_VERSION_MAJOR = 3.6
-GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).10
+GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).13
 GNUTLS_SOURCE = gnutls-$(GNUTLS_VERSION).tar.xz
 GNUTLS_SITE = https://www.gnupg.org/ftp/gcrypt/gnutls/v$(GNUTLS_VERSION_MAJOR)
 GNUTLS_LICENSE = LGPL-2.1+ (core library)
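Review bot: The GNUTLS_VERSION change goes from .10 straight to .13, skipping two upstream releases, but the commit message only describes CVE-2020-11501. Please state whether the intermediate releases carry other security fixes or changes that affect the rest of gnutls.mk (new dependencies or configure options), since only the version line is touched here. It would also help the stable-branch maintainers to say explicitly that the previously packaged 3.6.10 is inside the affected range, given that the regression is stated to start at 3.6.3.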
--
2.25.1




* [Buildroot] [PATCH 1/1] package/gnutls: security bump to 3.6.13
  2020-04-07  7:36 [Buildroot] [PATCH 1/1] package/gnutls: security bump to 3.6.13 Stefan Sørensen
@ 2020-04-08 20:51 ` Thomas Petazzoni
  2020-04-09  6:09 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2020-04-08 20:51 UTC (permalink / raw)
  To: buildroot

On Tue,  7 Apr 2020 09:36:44 +0200
Stefan Sørensen <stefan.sorensen@spectralink.com> wrote:

> Fixes the following security issue:
> 
>  * CVE-2020-11501: It was found that GnuTLS 3.6.3 introduced a
>    regression in the DTLS protocol implementation. This caused the DTLS
>    client to not contribute any randomness to the DTLS negotiation
>    breaking the security guarantees of the DTLS protocol.
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
>  package/gnutls/gnutls.hash | 4 ++--
>  package/gnutls/gnutls.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)

Your patch didn't apply cleanly for some reason, perhaps your SMTP
server screws it up when adding the confidentiality footer or something
like that. I fixed that up and applied. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/1] package/gnutls: security bump to 3.6.13
  2020-04-07  7:36 [Buildroot] [PATCH 1/1] package/gnutls: security bump to 3.6.13 Stefan Sørensen
  2020-04-08 20:51 ` Thomas Petazzoni
@ 2020-04-09  6:09 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-04-09  6:09 UTC (permalink / raw)
  To: buildroot

>>>>> "Stefan" == Stefan Sørensen <stefan.sorensen@spectralink.com> writes:

 > Fixes the following security issue:
 >  * CVE-2020-11501: It was found that GnuTLS 3.6.3 introduced a
 >    regression in the DTLS protocol implementation. This caused the DTLS
 >    client to not contribute any randomness to the DTLS negotiation
 >    breaking the security guarantees of the DTLS protocol.

Committed to 2019.02.x, 2019.11.x and 2020.02.x, thanks.

-- 
Bye, Peter Korsgaard
