Commit cdca72a
committed
Pullup ticket #6984 - requested by taca
security/gnutls: Security fix
Revisions pulled up:
- security/gnutls/Makefile 1.268
- security/gnutls/distinfo 1.168
---
Module Name: pkgsrc
Committed By: adam
Date: Wed Jul 9 11:55:37 UTC 2025
Modified Files:
pkgsrc/security/gnutls: Makefile distinfo
Log Message:
gnutls: updated to 3.8.10
Version 3.8.10 (released 2025-07-08)
** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
[CVE-2025-6395]
** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
Spotted by oss-fuzz and reported by OpenAI Security Research Team,
and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
CVSS: medium] [CVE-2025-32989]
** libgnutls: Fix double-free upon error when exporting otherName in SAN
Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
CVSS: low] [CVE-2025-32988]
** certtool: Fix 1-byte write buffer overrun when parsing template
Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
CVSS: low] [CVE-2025-32990]
** libgnutls: PKCS#11 modules can now be used to override the default
cryptographic backend. Use the [provider] section in the system-wide config
to specify path and pin to the module (see system-wide config Documentation).
** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update
support. The library running on the aforementioned version now utilizes the
kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
TLS session. The --enable-ktls configure option as well as the system-wide
kTLS configuration(see GnuTLS Documentation) are still required to enable
this feature.
** libgnutls: liboqs support for PQC has been removed
For maintenance purposes, support for post-quantum cryptography
(PQC) is now only provided through leancrypto. The experimental key
exchange algorithm, X25519Kyber768Draft00, which is based on the
round 3 candidate of Kyber and only supported through liboqs has
also been removed altogether.
** libgnutls: TLS certificate compression methods can now be set with
cert-compression-alg configuration option in the gnutls priority file.
** libgnutls: All variants of ML-DSA private key formats are supported
While the previous implementation of ML-DSA was based on
draft-ietf-lamps-dilithium-certificates-04, this updates it to
draft-ietf-lamps-dilithium-certificates-12 with support for all 3
variants of private key formats: "seed", "expandedKey", and "both".
** libgnutls: ML-DSA signatures can now be used in TLS
The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
ML-DSA-87, can now be used to digitally sign TLS handshake
messages.
** API and ABI modifications:
GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t1 parent 2cab9c1 commit cdca72a
2 files changed
Lines changed: 6 additions & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | | - | |
| 1 | + | |
2 | 2 | | |
3 | | - | |
4 | | - | |
| 3 | + | |
5 | 4 | | |
6 | 5 | | |
7 | 6 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | | - | |
| 1 | + | |
2 | 2 | | |
3 | | - | |
4 | | - | |
5 | | - | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
6 | 6 | | |
0 commit comments