GNU bug report logs - #66195
[PATCH] gnu: gnutls: Replace with 3.8.1.
Reported by: Christopher Baines <mail <at> cbaines.net>
Date: Mon, 25 Sep 2023 19:08:01 UTC
Severity: normal
Tags: patch
Done: Christopher Baines <mail <at> cbaines.net>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#66195; Package guix-patches. (Mon, 25 Sep 2023 19:08:01 GMT)
Acknowledgement sent to Christopher Baines <mail <at> cbaines.net>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 25 Sep 2023 19:08:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
upgrade to 3.8.0 or later.
* gnu/packages/tls.scm (gnutls-3.8.1): New variable.
(gnutls)[replacement]: Use it.
---
gnu/packages/tls.scm | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b669ac2e8d..99252464e6 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,6 +200,7 @@ (define-public gnutls
(package
(name "gnutls")
(version "3.7.7")
+ (replacement gnutls-3.8.1)
(source (origin
(method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
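Review bot: the `(replacement gnutls-3.8.1)` line added right after `(version "3.7.7")` grafts a library from a different release series onto packages that were built against 3.7.7, and the patch gives no evidence that the two are ABI-compatible. Grafting swaps the library under its dependents without rebuilding them, so a removed or changed symbol would only show up at run time. Please compare lib/libgnutls.so from both builds (for example with libabigail's abidiff) and state the result in the commit message.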
@@ -303,6 +304,20 @@ (define-public gnutls
(define-deprecated/public-alias gnutls-latest gnutls)
+(define-public gnutls-3.8.1
+ (package
+ (inherit gnutls)
+ (version "3.8.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (patches (search-patches "gnutls-skip-trust-store-test.patch"))
+ (sha256
+ (base32
+ "1742jiigwsfhx7nj5rz7dwqr8d46npsph6b68j7siar0mqarx2xs"))))))
+
(define-public gnutls/dane
;; GnuTLS with build libgnutls-dane, implementing DNS-based
;; Authentication of Named Entities. This is required for GNS functionality
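Review bot: `(define-public gnutls-3.8.1` is added with no comment saying why it exists, so someone reading tls.scm later cannot tell that it is a security graft or when it can be dropped. Put a comment above the definition naming the advisory and CVE from the commit message (GNUTLS-SA-2020-07-14 / CVE-2023-0361). The new `origin` also spells out its own `patches` list with `gnutls-skip-trust-store-test.patch`; please confirm that this matches what the inherited `gnutls` source applies, since that part of the base definition is outside the hunk.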
base-commit: fafd3caef0d51811a5da81d6061789e2908b0dac
--
2.41.0
Information forwarded to guix-patches <at> gnu.org: bug#66195; Package guix-patches. (Thu, 19 Oct 2023 20:19:02 GMT)
Message #8 received at 66195 <at> debbugs.gnu.org (full text, mbox):
Hi,
Christopher Baines <mail <at> cbaines.net> writes:
> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
> upgrade to 3.8.0 or later.
>
> * gnu/packages/tls.scm (gnutls-3.8.1): New variable.
> (gnutls)[replacement]: Use it.
Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with
3.7.7 as currently packaged.
> +(define-public gnutls-3.8.1
Maybe add a comment here with the SA and CVE references.
Then, assuming the ABIs are compatible (which can be checked with
libabigail’s abidiff), LGTM.
Thanks,
Ludo’.
Reply sent to Christopher Baines <mail <at> cbaines.net>: You have taken responsibility. (Fri, 20 Oct 2023 11:48:01 GMT)
Notification sent to Christopher Baines <mail <at> cbaines.net>: bug acknowledged by developer. (Fri, 20 Oct 2023 11:48:02 GMT)
Message #13 received at 66195-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hi,
>
> Christopher Baines <mail <at> cbaines.net> writes:
>
>> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
>> upgrade to 3.8.0 or later.
>>
>> * gnu/packages/tls.scm (gnutls-3.8.1): New variable.
>> (gnutls)[replacement]: Use it.
>
> Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with
> 3.7.7 as currently packaged.
>
>> +(define-public gnutls-3.8.1
>
> Maybe add a comment here with the SA and CVE references.
Done, and pushed to master as 501549137853455ca39afaf79d8a623ea4494c88.
> Then, assuming the ABIs are compatible (which can be checked with
> libabigail’s abidiff), LGTM.
→ abidiff /gnu/store/yr4lbvdyc4dgs76yij1dw2w2z8s84af8-gnutls-3.7.7/lib/libgnutls.so /gnu/store/92h0r4f0h2hz3vz9k31nfj62mv7sy1zc-gnutls-3.8.1/lib/libgnutls.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 8 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
8 Added function symbols not referenced by debug info:
[A] _gnutls_pathbuf_append@@GNUTLS_PRIVATE_3_4
[A] _gnutls_pathbuf_deinit@@GNUTLS_PRIVATE_3_4
[A] _gnutls_pathbuf_init@@GNUTLS_PRIVATE_3_4
[A] _gnutls_pathbuf_truncate@@GNUTLS_PRIVATE_3_4
[A] _gnutls_session_ticket_disable_server@@GNUTLS_PRIVATE_3_4
[A] gnutls_psk_format_imported_identity@@GNUTLS_3_8_1
[A] gnutls_psk_set_client_credentials_function3@@GNUTLS_3_8_1
[A] gnutls_psk_set_server_credentials_function3@@GNUTLS_3_8_1
Thanks for taking a look,
Chris
[signature.asc (application/pgp-signature, inline)]
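The ABI check discussed in this thread can be turned into a pass/fail gate. The script below is an added example, not part of the original messages or of Guix: it totals the summary lines of an abidiff report and decodes abidiff's exit status bit field. The verdict words and the policy (removed or changed entries block a graft, additions do not) are assumptions of this example, and the sample report is constructed from the summary lines quoted above.

```shell
#!/bin/sh
# Added example. Policy assumed here: a graft candidate may add symbols, but
# must not remove or change anything the old library exported.

# Constructed sample: the four summary lines of the report quoted above.
SAMPLE_REPORT='Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 8 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info'

# graft_verdict: read an abidiff report on stdin and print one verdict word.
graft_verdict() {
    awk '
        /changes summary:/ {
            seen = 1
            for (i = 1; i < NF; i++) {
                if ($i !~ /^[0-9]+$/) continue
                kind = $(i + 1)
                sub(/,$/, "", kind)        # "Removed," -> "Removed"
                if (kind == "Removed") removed += $i
                else if (kind == "Changed") changed += $i
                else if (kind == "Added") added += $i
            }
        }
        END {
            if (!seen) print "no-summary"
            else if (removed + changed > 0) print "incompatible"
            else if (added > 0) print "additions-only"
            else print "identical"
        }'
}

# status_verdict STATUS: decode the exit status of abidiff, a bit field in
# which 1 = error, 2 = usage error, 4 = ABI change, 8 = incompatible ABI change.
status_verdict() {
    if [ $(($1 & 3)) -ne 0 ]; then echo error
    elif [ $(($1 & 8)) -ne 0 ]; then echo incompatible
    elif [ $(($1 & 4)) -ne 0 ]; then echo changed
    else echo identical
    fi
}

# Verdict for the constructed sample.
printf '%s\n' "$SAMPLE_REPORT" | graft_verdict
```

The symbols in the report above are marked "not referenced by debug info", so the comparison covers exported symbol names only; type and layout changes need libraries built with debug information.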
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 17 Nov 2023 12:24:13 GMT)
This bug report was last modified 1 year and 197 days ago.