head 1.3; access; symbols pkgsrc-2013Q2:1.3.0.8 pkgsrc-2013Q2-base:1.3 pkgsrc-2012Q4:1.3.0.6 pkgsrc-2012Q4-base:1.3 pkgsrc-2011Q4:1.3.0.4 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q2:1.3.0.2 pkgsrc-2011Q2-base:1.3 pkgsrc-2010Q2:1.2.0.10 pkgsrc-2010Q2-base:1.2 pkgsrc-2010Q1:1.2.0.8 pkgsrc-2010Q1-base:1.2 pkgsrc-2009Q4:1.2.0.6 pkgsrc-2009Q4-base:1.2 pkgsrc-2009Q3:1.2.0.4 pkgsrc-2009Q3-base:1.2 pkgsrc-2009Q2:1.2.0.2; locks; strict; comment @# @; 1.3 date 2010.09.01.16.32.17; author drochner; state dead; branches; next 1.2; 1.2 date 2009.08.13.18.56.32; author snj; state Exp; branches 1.2.2.1; next 1.1; 1.1 date 2009.07.22.16.50.07; author drochner; state Exp; branches; next ; 1.2.2.1 date 2009.08.13.18.56.32; author spz; state dead; branches; next 1.2.2.2; 1.2.2.2 date 2009.08.29.09.49.14; author spz; state Exp; branches; next ; desc @@ 1.3 log @update to 2.10.1 many fixes and API extensions, but still binary compatible afaict @ text @$NetBSD: patch-ak,v 1.2 2009/08/13 18:56:32 snj Exp $ --- configure.orig 2009-08-13 02:54:16.000000000 -0700 +++ configure 2009-08-13 10:50:08.000000000 -0700 @@@@ -8651,7 +8651,7 @@@@ done $as_echo_n "checking whether to disable OpenSSL compatibility layer... " >&6; } # Check whether --enable-openssl-compatibility was given. if test "${enable_openssl_compatibility+set}" = set; then : - enableval=$enable_openssl_compatibility; enable_openssl=$withval + enableval=$enable_openssl_compatibility; enable_openssl=$enableval else enable_openssl=yes fi @ 1.2 log @Update to 2.8.3. Changes: * Version 2.8.3 (released 2009-08-13) ** libgnutls: Fix patch for NUL in CN/SAN in last release. Code intended to be removed would lead to an read-out-bound error in some situations. Reported by Tomas Hoger . A CVE code have been allocated for the vulnerability: [CVE-2009-2730]. ** libgnutls: Fix rare failure in gnutls_x509_crt_import. The function may fail incorrectly when an earlier certificate was imported to the same gnutls_x509_crt_t structure. 
** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build error. ** tests: Made self-test mini-eagain take less time. ** doc: Typo fixes. ** API and ABI modifications: No changes since last version. * Version 2.8.2 (released 2009-08-10) ** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields. By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into 1) not printing the entire CN/SAN field value when printing a certificate and 2) cause incorrect positive matches when matching a hostname against a certificate. Some CAs apparently have poor checking of CN/SAN values and issue these (arguable invalid) certificates. Combined, this can be used by attackers to become a MITM on server-authenticated TLS sessions. The problem is mitigated since attackers needs to get one certificate per site they want to attack, and the attacker reveals his tracks by applying for a certificate at the CA. It does not apply to client authenticated TLS sessions. Research presented independently by Dan Kaminsky and Moxie Marlinspike at BlackHat09. Thanks to Tomas Hoger for providing one part of the patch. [GNUTLS-SA-2009-4]. ** libgnutls: Fix return value of gnutls_certificate_client_get_request_status. Before it always returned false. Reported by Peter Hendrickson in . ** libgnutls: Fix off-by-one size computation error in unknown DN printing. The error resulted in truncated strings when printing unknown OIDs in X.509 certificate DNs. Reported by Tim Kosse in . ** libgnutls: Return correct bit lengths of some MPIs. gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and gnutls_dh_get_peers_public_bits. Before the reported value was overestimated. Reported by Peter Hendrickson in . ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. Report and patch by Tim Kosse in and . ** libgnutls: Relax checking of required libtasn1/libgcrypt versions. 
Before we required that the runtime library used the same (or more recent) libgcrypt/libtasn1 as it was compiled with. Now we just check that the runtime usage is above the minimum required. Reported by Marco d'Itri via Andreas Metzler in . ** minitasn1: Internal copy updated to libtasn1 v2.3. ** tests: Fix failure in "chainverify" because a certificate have expired. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD$ @ 1.2.2.1 log @file patch-ak was added on branch pkgsrc-2009Q2 on 2009-08-29 09:49:14 +0000 @ text @d1 13 @ 1.2.2.2 log @Pullup ticket 2874 - requested by tron security update Revisions pulled up: - pkgsrc/security/gnutls/Makefile 1.86 - pkgsrc/security/gnutls/PLIST 1.36 - pkgsrc/security/gnutls/distinfo 1.60 Files added: pkgsrc/security/gnutls/patches/patch-ak 1.2 pkgsrc/security/gnutls/patches/patch-al 1.2 Module Name: pkgsrc Committed By: wiz Date: Sat Jul 18 10:32:32 UTC 2009 Modified Files: pkgsrc/security/gnutls: Makefile distinfo Log Message: Update to 2.8.1: * Version 2.8.1 (released 2009-06-10) ** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle. Forwarded by Martin von Gagern from . ** libgnutls: Fix PKCS#12 decryption from password. The encryption key derived from the password was incorrect for (on average) 1 in every 128 input for random inputs. Reported by "Kukosa, Tomas" in . ** API and ABI modifications: No changes since last version. 
To generate a diff of this commit: cvs rdiff -u -r1.83 -r1.84 pkgsrc/security/gnutls/Makefile cvs rdiff -u -r1.57 -r1.58 pkgsrc/security/gnutls/distinfo ---------------------------------------------------------------------- Module Name: pkgsrc Committed By: drochner Date: Wed Jul 22 16:50:07 UTC 2009 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Added Files: pkgsrc/security/gnutls/patches: patch-ak patch-al Log Message: disable the openssl compatibility library -- no pkg I know of needs it, and it only has a potential to conflict with the real openssl (bad things will happen if a program links or dlopen()s both) bump PKGREVISION (the bug fixed in the added patches is already fixed upstream, will be in the next release) To generate a diff of this commit: cvs rdiff -u -r1.84 -r1.85 pkgsrc/security/gnutls/Makefile cvs rdiff -u -r1.35 -r1.36 pkgsrc/security/gnutls/PLIST cvs rdiff -u -r1.58 -r1.59 pkgsrc/security/gnutls/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnutls/patches/patch-ak \ pkgsrc/security/gnutls/patches/patch-al ---------------------------------------------------------------------- Module Name: pkgsrc Committed By: snj Date: Thu Aug 13 18:56:32 UTC 2009 Modified Files: pkgsrc/security/gnutls: Makefile distinfo pkgsrc/security/gnutls/patches: patch-ak patch-al Log Message: Update to 2.8.3. Changes: * Version 2.8.3 (released 2009-08-13) ** libgnutls: Fix patch for NUL in CN/SAN in last release. Code intended to be removed would lead to an read-out-bound error in some situations. Reported by Tomas Hoger . A CVE code have been allocated for the vulnerability: [CVE-2009-2730]. ** libgnutls: Fix rare failure in gnutls_x509_crt_import. The function may fail incorrectly when an earlier certificate was imported to the same gnutls_x509_crt_t structure. ** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build error. ** tests: Made self-test mini-eagain take less time. ** doc: Typo fixes. 
** API and ABI modifications: No changes since last version. * Version 2.8.2 (released 2009-08-10) ** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields. By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into 1) not printing the entire CN/SAN field value when printing a certificate and 2) cause incorrect positive matches when matching a hostname against a certificate. Some CAs apparently have poor checking of CN/SAN values and issue these (arguable invalid) certificates. Combined, this can be used by attackers to become a MITM on server-authenticated TLS sessions. The problem is mitigated since attackers needs to get one certificate per site they want to attack, and the attacker reveals his tracks by applying for a certificate at the CA. It does not apply to client authenticated TLS sessions. Research presented independently by Dan Kaminsky and Moxie Marlinspike at BlackHat09. Thanks to Tomas Hoger for providing one part of the patch. [GNUTLS-SA-2009-4]. ** libgnutls: Fix return value of gnutls_certificate_client_get_request_status. Before it always returned false. Reported by Peter Hendrickson in . ** libgnutls: Fix off-by-one size computation error in unknown DN printing. The error resulted in truncated strings when printing unknown OIDs in X.509 certificate DNs. Reported by Tim Kosse in . ** libgnutls: Return correct bit lengths of some MPIs. gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and gnutls_dh_get_peers_public_bits. Before the reported value was overestimated. Reported by Peter Hendrickson in . ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. Report and patch by Tim Kosse in and . ** libgnutls: Relax checking of required libtasn1/libgcrypt versions. Before we required that the runtime library used the same (or more recent) libgcrypt/libtasn1 as it was compiled with. Now we just check that the runtime usage is above the minimum required. 
Reported by Marco d'Itri via Andreas Metzler in . ** minitasn1: Internal copy updated to libtasn1 v2.3. ** tests: Fix failure in "chainverify" because a certificate have expired. ** API and ABI modifications: No changes since last version. To generate a diff of this commit: cvs rdiff -u -r1.85 -r1.86 pkgsrc/security/gnutls/Makefile cvs rdiff -u -r1.59 -r1.60 pkgsrc/security/gnutls/distinfo cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/gnutls/patches/patch-ak \ pkgsrc/security/gnutls/patches/patch-al @ text @a0 13 $NetBSD: patch-ak,v 1.2 2009/08/13 18:56:32 snj Exp $ --- configure.orig 2009-08-13 02:54:16.000000000 -0700 +++ configure 2009-08-13 10:50:08.000000000 -0700 @@@@ -8651,7 +8651,7 @@@@ done $as_echo_n "checking whether to disable OpenSSL compatibility layer... " >&6; } # Check whether --enable-openssl-compatibility was given. if test "${enable_openssl_compatibility+set}" = set; then : - enableval=$enable_openssl_compatibility; enable_openssl=$withval + enableval=$enable_openssl_compatibility; enable_openssl=$enableval else enable_openssl=yes fi @ 1.1 log @disable the openssl compatibility library -- no pkg I know of needs it, and it only has a potential to conflict with the real openssl (bad things will happen if a program links or dlopen()s both) bump PKGREVISION (the bug fixed in the added patches is already fixed upstream, will be in the next release) @ text @d3 3 a5 3 --- configure.orig 2009-06-17 20:42:30.000000000 +0200 +++ configure @@@@ -8587,7 +8587,7 @@@@ $as_echo "#define GNUTLS_POINTER_TO_INT_ d8 1 a8 1 if test "${enable_openssl_compatibility+set}" = set; then @
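Review bot: The patch file has no description between the $NetBSD id line and "--- configure.orig", so nothing in patch-ak itself says why the --enable-openssl-compatibility branch is touched or when the patch can be dropped. Add a short comment there stating that the branch assigned enable_openssl from $withval, which an --enable-* option does not set (it sets $enableval), so the user's --disable-openssl-compatibility choice was not reliably honoured, and that per the 1.1 log the fix is already upstream. Also note that the hunk edits the generated configure at a fixed offset: the 1.1 delta shows it anchored at line 8587 and the 1.2 text at 8651, so the same one-line change had to be regenerated for the 2.8.3 update and will need the same care on each update until the patch is removed.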