GNU bug report logs - #66195
[PATCH] gnu: gnutls: Replace with 3.8.1.

Previous Next

Package: guix-patches;

Reported by: Christopher Baines <mail <at> cbaines.net>

Date: Mon, 25 Sep 2023 19:08:01 UTC

Severity: normal

Tags: patch

Done: Christopher Baines <mail <at> cbaines.net>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 66195 in the body.
You can then email your comments to 66195 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to guix-patches <at> gnu.org:
bug#66195; Package guix-patches. (Mon, 25 Sep 2023 19:08:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christopher Baines <mail <at> cbaines.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 25 Sep 2023 19:08:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: gnutls: Replace with 3.8.1.
Date: Mon, 25 Sep 2023 20:06:51 +0100
The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
upgrade to 3.8.0 or later.

* gnu/packages/tls.scm (gnutls-3.8.1): New variable.
(gnutls)[replacement]: Use it.
---
 gnu/packages/tls.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b669ac2e8d..99252464e6 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,6 +200,7 @@ (define-public gnutls
   (package
     (name "gnutls")
     (version "3.7.7")
+    (replacement gnutls-3.8.1)
     (source (origin
               (method url-fetch)
               ;; Note: Releases are no longer on ftp.gnu.org since the
@@ -303,6 +304,20 @@ (define-public gnutls
 
 (define-deprecated/public-alias gnutls-latest gnutls)
 
+(define-public gnutls-3.8.1
+  (package
+    (inherit gnutls)
+    (version "3.8.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnupg/gnutls/v"
+                                  (version-major+minor version)
+                                  "/gnutls-" version ".tar.xz"))
+              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
+              (sha256
+               (base32
+                "1742jiigwsfhx7nj5rz7dwqr8d46npsph6b68j7siar0mqarx2xs"))))))
+
 (define-public gnutls/dane
   ;; GnuTLS with build libgnutls-dane, implementing DNS-based
   ;; Authentication of Named Entities.  This is required for GNS functionality

base-commit: fafd3caef0d51811a5da81d6061789e2908b0dac
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#66195; Package guix-patches. (Thu, 19 Oct 2023 20:19:02 GMT) Full text and rfc822 format available.

Message #8 received at 66195 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 66195 <at> debbugs.gnu.org
Subject: Re: [bug#66195] [PATCH] gnu: gnutls: Replace with 3.8.1.
Date: Thu, 19 Oct 2023 22:17:41 +0200
Hi,

Christopher Baines <mail <at> cbaines.net> skribis:

> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
> upgrade to 3.8.0 or later.
>
> * gnu/packages/tls.scm (gnutls-3.8.1): New variable.
> (gnutls)[replacement]: Use it.

Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with
3.7.7 as currently packaged.

> +(define-public gnutls-3.8.1

Maybe add a comment here with the SA and CVE references.

Then, assuming the ABIs are compatible (which can be checked with
libabigail’s abidiff), LGTM.

Thanks,
Ludo’.




Reply sent to Christopher Baines <mail <at> cbaines.net>:
You have taken responsibility. (Fri, 20 Oct 2023 11:48:01 GMT) Full text and rfc822 format available.

Notification sent to Christopher Baines <mail <at> cbaines.net>:
bug acknowledged by developer. (Fri, 20 Oct 2023 11:48:02 GMT) Full text and rfc822 format available.

Message #13 received at 66195-done <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 66195-done <at> debbugs.gnu.org
Subject: Re: [bug#66195] [PATCH] gnu: gnutls: Replace with 3.8.1.
Date: Fri, 20 Oct 2023 12:42:41 +0100
[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi,
>
> Christopher Baines <mail <at> cbaines.net> skribis:
>
>> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
>> upgrade to 3.8.0 or later.
>>
>> * gnu/packages/tls.scm (gnutls-3.8.1): New variable.
>> (gnutls)[replacement]: Use it.
>
> Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with
> 3.7.7 as currently packaged.
>
>> +(define-public gnutls-3.8.1
>
> Maybe add a comment here with the SA and CVE references.

Done, and pushed to master as 501549137853455ca39afaf79d8a623ea4494c88.

> Then, assuming the ABIs are compatible (which can be checked with
> libabigail’s abidiff), LGTM.

→ abidiff /gnu/store/yr4lbvdyc4dgs76yij1dw2w2z8s84af8-gnutls-3.7.7/lib/libgnutls.so /gnu/store/92h0r4f0h2hz3vz9k31nfj62mv7sy1zc-gnutls-3.8.1/lib/libgnutls.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 8 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

8 Added function symbols not referenced by debug info:

  [A] _gnutls_pathbuf_append@@GNUTLS_PRIVATE_3_4
  [A] _gnutls_pathbuf_deinit@@GNUTLS_PRIVATE_3_4
  [A] _gnutls_pathbuf_init@@GNUTLS_PRIVATE_3_4
  [A] _gnutls_pathbuf_truncate@@GNUTLS_PRIVATE_3_4
  [A] _gnutls_session_ticket_disable_server@@GNUTLS_PRIVATE_3_4
  [A] gnutls_psk_format_imported_identity@@GNUTLS_3_8_1
  [A] gnutls_psk_set_client_credentials_function3@@GNUTLS_3_8_1
  [A] gnutls_psk_set_server_credentials_function3@@GNUTLS_3_8_1


Thanks for taking a look,

Chris
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 17 Nov 2023 12:24:13 GMT) Full text and rfc822 format available.

This bug report was last modified 1 year and 197 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.