[gnutls-devel] gnutls 3.5.10

[gnutls-devel] gnutls 3.5.10

Nikos Mavrogiannopoulos
Hello, 
 I've just released gnutls 3.5.10. This is a bug fix release on the
3.5.x branch.

* Version 3.5.10 (released 2017-03-06)

** gnutls.pc: do not include libidn2 in Requires.private. The libidn2 versions
   available do not include libidn2.pc, thus the inclusion was causing pkg-config
   issues. Instead we include -lidn2 in Libs.private when compiling against libidn2.

** libgnutls: optimized access to subject alternative names (SANs) in parsed
   certificates. The previous implementation assumed a small number of
   SANs in a certificate, with repeated calls to ASN.1 decoding of the extension
   without any intermediate caching. That caused delays in certificates with
   a long list of names in functions such as gnutls_x509_crt_check_hostname().
   With the current code, the SANs are parsed once on certificate import.
   Resolves gitlab issue #165.

** libgnutls: Addressed integer overflow resulting in an invalid memory write
   in OpenPGP certificate parsing. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 [GNUTLS-SA-2017-3A]

** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
   certificate parsing. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391

** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
   to private key parser. No longer allow OpenPGP certificates (public keys)
   to contain private key sub-packets. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B]

** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
   could lead to an out-of-memory condition. Issue found using oss-fuzz project,
   and was fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C]

** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
   when printing certificate information.

** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
   flags can be set from the gnutls_certificate_verify_flags enumeration.
   This allows the functions to pass the same flags available for certificates
   to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
   GNUTLS_VERIFY_ALLOW_BROKEN).

** libgnutls: gnutls_store_commitment() can accept flag
   GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
   in applications which use SHA1 for example, after SHA1 is deprecated.

** certtool: No longer ignore the 'add_critical_extension' template option if
   the 'add_extension' option is not present.

** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
   starttls-proto command. Patch by Robert Scheck.

** API and ABI modifications:
No changes since last version.


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.10.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.10.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel

Re: [gnutls-devel] gnutls 3.5.10

Filipp Gunbin
Thanks for the release!

I've got a problem building; it's something with guile.  I have
guile-2.0.14 built & installed.

File guile/src/guile-gnutls-v-2.la is present.

Thanks!
Filipp

...
  GUILEC   modules/gnutls.go
Backtrace:
In ice-9/eval.scm:
 432: 19 [eval # #]
In /usr/local/bin/guild:
  72: 18 [main #]
In srfi/srfi-1.scm:
 616: 17 [for-each #<procedure 10e765a00 at scripts/compile.scm:187:14 (file)> #]
In scripts/compile.scm:
 190: 16 [#<procedure 10e765a00 at scripts/compile.scm:187:14 (file)> "modules/gnutls.scm"]
In system/base/target.scm:
  59: 15 [with-target "x86_64-apple-darwin16.4.0" ...]
In system/base/compile.scm:
 152: 14 [compile-file "modules/gnutls.scm" #:output-file ...]
  43: 13 [call-once #<procedure 10e7ebc80 at system/base/compile.scm:56:5 ()>]
In ice-9/boot-9.scm:
 174: 12 [with-throw-handler #t ...]
In system/base/compile.scm:
  59: 11 [#<procedure 10e7ebc40 at system/base/compile.scm:58:9 ()>]
 155: 10 [#<procedure 10e7ebcc0 at system/base/compile.scm:153:8 (port)> #<closed: file 0>]
 218: 9 [read-and-compile #<input: modules/gnutls.scm 10> #:from ...]
 234: 8 [lp (#<tree-il #> #<tree-il #>) #<directory (gnutls) 10eb2aa00> ...]
 182: 7 [lp (#<procedure compile-tree-il (x e opts)>) (eval-when # # ...) ...]
In ice-9/boot-9.scm:
2412: 6 [save-module-excursion #<procedure 10eb6f3f0 at language/scheme/compile-tree-il.scm:29:3 ()>]
In language/scheme/compile-tree-il.scm:
  31: 5 [#<procedure 10eb6f3f0 at language/scheme/compile-tree-il.scm:29:3 ()>]
In ice-9/psyntax.scm:
1107: 4 [expand-top-sequence ((eval-when # # #)) () ((top)) ...]
 990: 3 [scan ((eval-when (expand load eval) (define %libdir #) ...)) () ...]
 279: 2 [scan ((load-extension # "scm_init_gnutls")) () ((top)) ...]
In unknown file:
   ?: 1 [load-extension "/Users/fgunbin/src/gnutls-3.5.10/guile/src/guile-gnutls-v-2" ...]
In ice-9/boot-9.scm:
 109: 0 [#<procedure 10e7ebc00 at ice-9/boot-9.scm:100:6 (thrown-k . args)> misc-error ...]

ice-9/boot-9.scm:109:20: In procedure #<procedure 10e7ebc00 at ice-9/boot-9.scm:100:6 (thrown-k . args)>:
ice-9/boot-9.scm:109:20: In procedure dynamic-link: file: "/Users/fgunbin/src/gnutls-3.5.10/guile/src/guile-gnutls-v-2", message: "file not found"
make[3]: *** [modules/gnutls.go] Error 1


Re: [gnutls-devel] gnutls 3.5.10

Martin Storsjö
In reply to this post by Nikos Mavrogiannopoulos
On Mon, 6 Mar 2017, Nikos Mavrogiannopoulos wrote:

> GnuTLS may be downloaded directly from
> <ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
> found at <http://www.gnutls.org/download.html>.
>
> Here are the XZ compressed sources:
>
>   ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.10.tar.xz

I can't find this release in any of the mirrors, only on the main FTP. Is
this expected?

// Martin

Re: [gnutls-devel] gnutls 3.5.10

Nikos Mavrogiannopoulos
On Fri, 2017-03-17 at 23:46 +0200, Martin Storsjö wrote:

> On Mon, 6 Mar 2017, Nikos Mavrogiannopoulos wrote:
>
> > GnuTLS may be downloaded directly from
> > <ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors
> can be
> > found at <http://www.gnutls.org/download.html>.
> >
> > Here are the XZ compressed sources:
> >
> >   ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.10.tar.xz
>
> I can't find this release in any of the mirrors, only on the main
> FTP. Is this expected?

No (adding Werner). I did a quick scan of the mirrors and got the
following results.

The following did not respond:
ftp://mirror.tje.me.uk/pub/mirrors/ftp.gnupg.org
ftp://ftp.iasi.roedu.net/pub/mirrors/ftp.gnupg.org/
ftp://ftp.gnupg.ca/

The following did not update (gnutls) since last month's release:
https://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/
http://artfiles.org/gnupg.org
http://gd.tuwien.ac.at/privacy/gnupg/

The following did not mirror gnutls at all:
ftp://ftp.surfnet.nl/pub/security/gnupg/
ftp://ftp.bit.nl/mirror/gnupg/

The rest of the servers look ok.

regards,
Nikos



Re: [gnutls-devel] gnutls 3.5.10

Martin Storsjö
On Sat, 18 Mar 2017, Nikos Mavrogiannopoulos wrote:

> On Fri, 2017-03-17 at 23:46 +0200, Martin Storsjö wrote:
>> On Mon, 6 Mar 2017, Nikos Mavrogiannopoulos wrote:
>>
>>> GnuTLS may be downloaded directly from
>>> <ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors
>> can be
>>> found at <http://www.gnutls.org/download.html>.
>>>
>>> Here are the XZ compressed sources:
>>>
>>>   ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.10.tar.xz
>>
>> I can't find this release in any of the mirrors, only on the main
>> FTP. Is this expected?
>
> No (adding Werner). I did a quick scan of the mirrors and got the
> following results.
>
> The following did not respond:
> ftp://mirror.tje.me.uk/pub/mirrors/ftp.gnupg.org
> ftp://ftp.iasi.roedu.net/pub/mirrors/ftp.gnupg.org/
> ftp://ftp.gnupg.ca/
>
> The following did not update (gnutls) since last month's release:
> https://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/
> http://artfiles.org/gnupg.org
> http://gd.tuwien.ac.at/privacy/gnupg/
>
> The following did not mirror gnutls at all:
> ftp://ftp.surfnet.nl/pub/security/gnupg/
> ftp://ftp.bit.nl/mirror/gnupg/
>
> The rest of the servers look ok.
I can't find it in the listing here either:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.5/

Despite that, it does seem to exist on disk at that path though, so it
just seems like the listing isn't refreshed after the last release was
added.

// Martin

Re: [gnutls-devel] gnutls 3.5.10

Werner Koch
On Sat, 18 Mar 2017 21:22, [hidden email] said:

> Despite that, it does seem to exist on disk at that path though, so it
> just seems like the listing isn't refreshed after the last release was

Hmmm, the cron job re-creates the index every 3 hours:

# Create HTML index files for the FTP server
20  20/3 * * *   root    /etc/mk-ftp-index.html.sh

it seems that it did not work this time.  I just kicked it and the
index is now updated.  I attach the script in case someone wants to
check it for a bug.


Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

#!/bin/sh

# The script is a bit complicated because we need to make sure that
# the directory entries do not change while processing them.  A changed
# dir entry will lead to a different index.html file and thus they will
# always be re-created.

set -e
top=/home/ftp
scratch=/home/ftp/.scratch
cd "$top"

# Locate the boa indexer, preferring the local install.
INDEXER=/usr/local/lib/boa/boa_indexer
if [ ! -x $INDEXER ]; then
  INDEXER=/usr/lib/boa/boa_indexer
fi
if [ ! -x $INDEXER ]; then
  echo "mk-ftp-index.html.sh: Index tool $INDEXER not found - aborting" >&2
  exit 1
fi

# Drop the table row the indexer emits for index.html itself, so the
# listing does not advertise its own output file.
skip_index() {
  awk '/href="index.html"/ {skip=1}; !skip {print;next}; /<\/tr>/ {skip=0}'
}

# Walk every directory below $top (hidden directories and dev excluded),
# finishing with the top directory itself.
(find . -type d ! -name '\.*' ! -name dev ! -name index.html; echo .) |\
 while read dir rest; do
  dir=${dir##./}
  if cd "$dir"; then
    if [ "$dir" = "." ]; then
      desc="ftp.gnupg.org"
    else
      desc="ftp.gnupg.org/$dir"
    fi

    # Keep a copy of the current index so it can be compared with the new one.
    [ -f $scratch/index.html ] && rm $scratch/index.html
    [ -f index.html ] && cat index.html >$scratch/index.html
    # Generate the new listing; if a README exists, splice it in after the table.
    if [ -f README ]; then
      $INDEXER . "$desc" |\
        sed '\!</table>! { a \
<h2>README</h2>\
<pre>
 r README
a \
</pre>
}' | sed 's/^\.[ ]*$//' | skip_index >$scratch/index.html.new
    else
      $INDEXER . "$desc" | skip_index >$scratch/index.html.new
    fi
    if [ -f $scratch/index.html ]; then
      # Compare old and new with the volatile "Index generated" stamp removed
      # and replace index.html only when the listing itself changed.
      # grep -v exits 1 when it selects no line (e.g. an index consisting of
      # nothing but the stamp); without the '|| true' guard, 'set -e' would
      # abort the whole run at that directory and leave later ones stale.
      grep -v '^Index generated' $scratch/index.html     >$scratch/index.html.x || true
      grep -v '^Index generated' $scratch/index.html.new >$scratch/index.html.new.x || true
      if ! cmp -s $scratch/index.html.x $scratch/index.html.new.x ; then
         mv $scratch/index.html.new index.html
      fi
      rm $scratch/index.html
      [ -f $scratch/index.html.new ] && rm $scratch/index.html.new
    else
      mv $scratch/index.html.new index.html
    fi
  fi
  cd "$top"
done
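An added example, not part of Werner's mk-ftp-index.html.sh: the "did the listing change?" step of that script on its own, written so that a grep -v selecting no line cannot abort a 'set -e' run, with constructed sample listings (including a stamp-only index, the case that trips the original) to exercise it.

```shell
#!/bin/sh
# Added example (not Werner's script): the compare step of mk-ftp-index.html.sh
# made safe under 'set -e'.  Sample listings below are constructed for the demo.
set -e

# Remove the volatile "Index generated ..." stamp so two generations of the
# same listing compare equal.  grep -v exits 1 when nothing is selected
# (empty file, or a file holding only the stamp); '|| true' keeps that from
# being treated as a failure under 'set -e'.
strip_stamp() {
  grep -v '^Index generated' "$1" || true
}

# Exit 0 when $2 differs from $1 apart from the stamp (or $1 is missing),
# 1 when they are the same listing.  A temp file is used instead of the
# bash-only <(...) so this stays POSIX sh like the original.
index_changed() {
  old=$1 new=$2
  [ -f "$old" ] || return 0
  tmp=$(mktemp)
  strip_stamp "$old" >"$tmp"
  if strip_stamp "$new" | cmp -s "$tmp" -; then
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"; return 0
}

# Drive index_changed over constructed listings; prints one word per case.
run_demo() {
  d=$(mktemp -d)
  printf '<tr><td>gnutls-3.5.9.tar.xz</td></tr>\nIndex generated Mon\n' >"$d/old"
  printf '<tr><td>gnutls-3.5.9.tar.xz</td></tr>\nIndex generated Sat\n' >"$d/same"
  printf '<tr><td>gnutls-3.5.9.tar.xz</td></tr>\n<tr><td>gnutls-3.5.10.tar.xz</td></tr>\nIndex generated Sat\n' >"$d/newer"
  printf 'Index generated Mon\n' >"$d/stamp"   # stamp-only index: the case that trips set -e
  out=
  for pair in "old same" "old newer" "stamp newer" "missing newer"; do
    set -- $pair
    if index_changed "$d/$1" "$d/$2"; then out="$out changed"; else out="$out same"; fi
  done
  rm -rf "$d"
  echo "${out# }"
}

run_demo    # prints: same changed changed changed
```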


Re: [gnutls-devel] gnutls 3.5.10

Martin Storsjö
Hi Werner,

On Sun, 19 Mar 2017, Werner Koch wrote:

> On Sat, 18 Mar 2017 21:22, [hidden email] said:
>
>> Despite that, it does seem to exist on disk at that path though, so it
>> just seems like the listing isn't refreshed after the last release was
>
> Hmmm, the cron job re-creates the index every 3 hours:
>
> # Create HTML index files for the FTP server
> 20  20/3 * * *   root    /etc/mk-ftp-index.html.sh
>
> it seems that it did not work this time.  I just kicked it and the
> index is now updated.  I attach the script in case someone wants to
> check it for a bug.

Thanks - when you manually ran it last time, it did work properly, but the
newly released 3.5.11 still doesn't show up at
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.5/. Is there perhaps some perms
issue/difference between when running from cron versus when run manually?

// Martin
