* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
@ 2019-04-03 6:14 Sørensen, Stefan
2019-04-03 8:01 ` Peter Korsgaard
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Sørensen, Stefan @ 2019-04-03 6:14 UTC (permalink / raw)
To: buildroot
Fixes the following security issues:
* CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
that there is an uninitialized pointer access in gnutls versions 3.6.3 or
later which can be triggered by certain post-handshake messages
* CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
before 3.6.7. A memory corruption (double free) vulnerability in the
certificate verification API. Any client or server application that
verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
---
package/gnutls/gnutls.hash | 4 ++--
package/gnutls/gnutls.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/gnutls/gnutls.hash b/package/gnutls/gnutls.hash
index 1af0e2d45d..e6bf7faaa9 100644
--- a/package/gnutls/gnutls.hash
+++ b/package/gnutls/gnutls.hash
@@ -1,6 +1,6 @@
# Locally calculated after checking pgp signature
-# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.6.tar.xz.sig
-sha256 bb9acab8af2ac430edf45faaaa4ed2c51f86e57cb57689be6701aceef4732ca7 gnutls-3.6.6.tar.xz
+# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.7.1.tar.xz.sig
+sha256 881b26409ecd8ea4c514fd3fbdb6fae5fab422ca7b71116260e263940a4bbbad gnutls-3.6.7.1.tar.xz
# Locally calculated
sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 doc/COPYING
sha256 6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3 doc/COPYING.LESSER
diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
index c6d2d72771..e7c5968204 100644
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -5,7 +5,7 @@
################################################################################
GNUTLS_VERSION_MAJOR = 3.6
-GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).6
+GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).7.1
GNUTLS_SOURCE = gnutls-$(GNUTLS_VERSION).tar.xz
GNUTLS_SITE = https://www.gnupg.org/ftp/gcrypt/gnutls/v$(GNUTLS_VERSION_MAJOR)
GNUTLS_LICENSE = LGPL-2.1+ (core library), GPL-3.0+ (gnutls-openssl library)
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
2019-04-03 6:14 [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1 Sørensen, Stefan
@ 2019-04-03 8:01 ` Peter Korsgaard
2019-04-03 8:11 ` Sørensen, Stefan
2019-04-07 20:54 ` Peter Korsgaard
2019-04-14 21:17 ` Peter Korsgaard
2 siblings, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2019-04-03 8:01 UTC (permalink / raw)
To: buildroot
>>>>> "S?rensen," == S?rensen, Stefan <Stefan.Sorensen@spectralink.com> writes:
> Fixes the following security issues:
> * CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
> that there is an uninitialized pointer access in gnutls versions 3.6.3 or
> later which can be triggered by certain post-handshake messages
> * CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
> before 3.6.7. A memory corruption (double free) vulnerability in the
> certificate verification API. Any client or server application that
> verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
These issues were fixed in 3.6.7, weren't they? I don't see 3.6.7.1
announced yet, what is the delta?
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
2019-04-03 8:01 ` Peter Korsgaard
@ 2019-04-03 8:11 ` Sørensen, Stefan
2019-04-03 19:56 ` Thomas Petazzoni
0 siblings, 1 reply; 6+ messages in thread
From: Sørensen, Stefan @ 2019-04-03 8:11 UTC (permalink / raw)
To: buildroot
On Wed, 2019-04-03 at 10:01 +0200, Peter Korsgaard wrote:
> These issues were fixed in 3.6.7, weren't they? I don't see 3.6.7.1
> announced yet, what is the delta?
Guess I might have jumped the gun a bit...
Only change is that a file was missing from the release tarball:
https://gitlab.com/gnutls/gnutls/issues/745
Stefan
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
2019-04-03 8:11 ` Sørensen, Stefan
@ 2019-04-03 19:56 ` Thomas Petazzoni
0 siblings, 0 replies; 6+ messages in thread
From: Thomas Petazzoni @ 2019-04-03 19:56 UTC (permalink / raw)
To: buildroot
Hello Stefan,
On Wed, 3 Apr 2019 08:11:35 +0000
"S?rensen, Stefan" <Stefan.Sorensen@spectralink.com> wrote:
> On Wed, 2019-04-03 at 10:01 +0200, Peter Korsgaard wrote:
>
> > These issues were fixed in 3.6.7, weren't they? I don't see 3.6.7.1
> > announced yet, what is the delta?
>
> Guess I might have jumped the gun a bit...
>
> Only change is that a file was missing from the release tarball:
> https://gitlab.com/gnutls/gnutls/issues/745
There is a 3.6.7.1 tarball: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/
However, your patch breaks legal-info for gnutls:
ERROR: doc/COPYING has wrong sha256 hash:
ERROR: expected: 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903
ERROR: got : e79e9c8a0c85d735ff98185918ec94ed7d175efc377012787aebcf3b80f0d90b
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
Note: don't do just a hash update: compare the COPYING file
before/after the bump, and document the change in the commit log to
explain why the hash has changed.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
2019-04-03 6:14 [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1 Sørensen, Stefan
2019-04-03 8:01 ` Peter Korsgaard
@ 2019-04-07 20:54 ` Peter Korsgaard
2019-04-14 21:17 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2019-04-07 20:54 UTC (permalink / raw)
To: buildroot
>>>>> "S?rensen," == S?rensen, Stefan <Stefan.Sorensen@spectralink.com> writes:
> Fixes the following security issues:
> * CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
> that there is an uninitialized pointer access in gnutls versions 3.6.3 or
> later which can be triggered by certain post-handshake messages
> * CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
> before 3.6.7. A memory corruption (double free) vulnerability in the
> certificate verification API. Any client or server application that
> verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
Committed after fixing the license file hash and adding a note that
3.6.7.1 fixes a tarball packaging issue, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1
2019-04-03 6:14 [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1 Sørensen, Stefan
2019-04-03 8:01 ` Peter Korsgaard
2019-04-07 20:54 ` Peter Korsgaard
@ 2019-04-14 21:17 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2019-04-14 21:17 UTC (permalink / raw)
To: buildroot
>>>>> "S?rensen," == S?rensen, Stefan <Stefan.Sorensen@spectralink.com> writes:
> Fixes the following security issues:
> * CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
> that there is an uninitialized pointer access in gnutls versions 3.6.3 or
> later which can be triggered by certain post-handshake messages
> * CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
> before 3.6.7. A memory corruption (double free) vulnerability in the
> certificate verification API. Any client or server application that
> verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
Committed to 2019.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-04-14 21:17 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-03 6:14 [Buildroot] [PATCH] gnutls: security bump to 3.6.7.1 Sørensen, Stefan
2019-04-03 8:01 ` Peter Korsgaard
2019-04-03 8:11 ` Sørensen, Stefan
2019-04-03 19:56 ` Thomas Petazzoni
2019-04-07 20:54 ` Peter Korsgaard
2019-04-14 21:17 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.