gnutls: Update to version 3.8.10
Commit Message
- Update from version 3.8.9 to 3.8.10
- Update of rootfile
- 4 CVE fixes in this version
- Changelog
3.8.10
** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
[CVE-2025-6395]
** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
Spotted by oss-fuzz and reported by OpenAI Security Research Team,
and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
CVSS: medium] [CVE-2025-32989]
** libgnutls: Fix double-free upon error when exporting otherName in SAN
Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
CVSS: low] [CVE-2025-32988]
** certtool: Fix 1-byte write buffer overrun when parsing template
Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
CVSS: low] [CVE-2025-32990]
** libgnutls: PKCS#11 modules can now be used to override the default
cryptographic backend. Use the [provider] section in the system-wide config
to specify path and pin to the module (see system-wide config Documentation).
** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update
support. The library running on the aforementioned version now utilizes the
kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
TLS session. The --enable-ktls configure option as well as the system-wide
kTLS configuration(see GnuTLS Documentation) are still required to enable
this feature.
** libgnutls: liboqs support for PQC has been removed
For maintenance purposes, support for post-quantum cryptography
(PQC) is now only provided through leancrypto. The experimental key
exchange algorithm, X25519Kyber768Draft00, which is based on the
round 3 candidate of Kyber and only supported through liboqs has
also been removed altogether.
** libgnutls: TLS certificate compression methods can now be set with
cert-compression-alg configuration option in the gnutls priority file.
** libgnutls: All variants of ML-DSA private key formats are supported
While the previous implementation of ML-DSA was based on
draft-ietf-lamps-dilithium-certificates-04, this updates it to
draft-ietf-lamps-dilithium-certificates-12 with support for all 3
variants of private key formats: "seed", "expandedKey", and "both".
** libgnutls: ML-DSA signatures can now be used in TLS
The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
ML-DSA-87, can now be used to digitally sign TLS handshake
messages.
** API and ABI modifications:
GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/gnutls | 2 +-
lfs/gnutls | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
@@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1
#usr/lib/libgnutls.la
#usr/lib/libgnutls.so
usr/lib/libgnutls.so.30
-usr/lib/libgnutls.so.30.40.3
+usr/lib/libgnutls.so.30.40.4
#usr/lib/libgnutlsxx.la
#usr/lib/libgnutlsxx.so
usr/lib/libgnutlsxx.so.30
@@ -24,7 +24,7 @@
include Config
-VER = 3.8.9
+VER = 3.8.10
THISAPP = gnutls-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7
+$(DL_FILE)_BLAKE2 = 0b62e93b2818d2265ca11e561724547fa3c24d08986eb77ea743b4af52773db975c1859164c7d405d9a9bedfa981af58f10f85100b6c0e3542a38c49af407a4d
install : $(TARGET)