gnutls: Update to version 3.8.13

- Update from version 3.8.11 to 3.8.13
- Update of rootfile
- 13 CVE Fixes in 3.8.13
- 2 CVE Fixes in 3.8.12
- Changelog
3.8.13
** libgnutls: Add more checks to DTLS reassembly
   Previously, gnutls didn't check that DTLS fragments claimed
   a consistent message_length value.
   Additionally, a crucial array size check was missing,
   enabling an attacker to cause a heap overwrite.
   Reject fragments with mismatching length and add a missing boundary check.
   Independently reported by
   Haruto Kimura (Stella), Oscar Reparaz and Zou Dikai.
   [GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846]
** libgnutls: Fix qsort comparator in DTLS reassembly
   The comparator function used for ordering DTLS packets
   by sequence numbers did not follow qsort comparator contracts
   in case of packets with duplicate sequence numbers,
   which could lead to unstable ordering or undefined behaviour.
   Return 0 in such cases makes the sorting stable.
   Additionally, discard packets with same sequence numbers
   and differing handshake type,
   so that they don't end up being sorted in the first place.
   Reported by Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009]
** libgnutls: Fix crashing on an underflow with a DTLS datagram
   A remotely triggerable underflow in the DTLS reassembly code led to
   a heap overrun.
   Prevent the underflow from happening.
   Reported by Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845]
** libgnutls: Fix RSA-PSK identity truncation
   Servers configured with RSA-PSK have wrongfully matched usernames with NUL
   character in them to ones truncated to NUL character,
   which could lead to an authentication bypass.
   Fix the check to perform comparison up to the full username length.
   Reported by Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010]
** libgnutls: Fix case-sensitivity of domain name comparison in name constraints
   Domain name comparison during name constraints processing
   was case-sensitive, violating RFC 5280 section 7.2.
   For excluded name constraints, this could lead to
   incorrectly accepting domain names that should've been rejected.
   DNS name comparison and the domain part of email names
   now perform case-insensitive comparison.
   Independently reported by Oleh Konko (1seal) and
   Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833]
** libgnutls: Fix intersecting empty constraints
   Permitted name constraints were wrongfully ignored
   when prior CAs only had excluded name constraints,
   resulting in a name constraint bypass.
   Reported by Haruto Kimura (Stella).
   [GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011]
** libgnutls: Suppress CN fallback in presence of URI and SRV SAN
   Certificates containing URI or SRV Subject Alternative Names
   no longer fall back to checking DNS hostnames against Common Name
   to avoid potential misuse of such certificates
   beyond their original purpose.
   Reported by Oleh Konko (1seal).
   [GNUTLS-SA-2026-04-27-7, CVSS: medium] [CVE-2026-42012]
** libgnutls: Suppress CN fallback for oversized SAN
   Validation of certificates with oversized Subject Alternative Names
   no longer falls back to checking DNS hostnames against Common Name.
   Independently reported by Haruto Kimura (Stella) and
   Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-27-8, CVSS: medium] [CVE-2026-42013]
** libgnutls: Fix use-after-free in gnutls_pkcs11_token_set_pin
   Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin()
   with oldpin == NULL for a token lacking a protected authentication path
   led to a use-after-free.
   Reported by Luigino Camastra and Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014]
** libgnutls: Fix overread in RSA key exchange with PKCS#11 keys
   For a server using an RSA key backed by a PKCS#11 token,
   a client sending an extremely short premaster secret
   during an RSA key exchange could trigger a short heap overread.
   Reported by Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260]
** libgnutls: Fix off-by-one in PKCS#12 bag element bounds check
   Appending to a PKCS#12 bag that already contained 32 elements
   could write past the bag's internal array.
   Reported by Zou Dikai.
   [GNUTLS-SA-2026-04-29-11, CVSS: low] [CVE-2026-42015]
** libgnutls: Fix multi-entry OCSP response revocation bypass
   When validating a certificate against a multi-entry OCSP response,
   the revocation status was always checked for the first entry
   instead of the entry matching the certificate,
   which could lead to accepting revoked certificates.
   Independently reported by Oleh Konko (1seal) and
   Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-12, CVSS: low] [CVE-2026-3832]
** libgnutls: Fix timing side-channel in PKCS#7 padding removal
   The PKCS#7 padding check performed during decryption was not constant-time,
   potentially leaking information about the padding bytes
   through timing differences.
   Rewritten to remove padding in a branch-free manner.
   Reported by Doria Tang of Stony Brook University.
   [GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419]
** libgnutls: Fix PSK username comparison during rehandshake
   Rehandshaking to a username with embedded NUL character could theoretically
   allow bypassing the GNUTLS_ALLOW_ID_CHANGE protection (#1808).
   Reported and fixed by Joshua Rogers of AISLE Research Team.
** libgnutls: Fix OID length check for OCSP delegated signer EKU
   The OCSP signing EKU OID was compared without verifying its length,
   allowing a shorter OID that shares the same prefix to match.
   The check now verifies the length as well (#1810).
   Reported by Joshua Rogers of AISLE Research Team.
** libgnutls: Fix AES keys persisting with pkcs11-provider
   When using the pkcs11-provider, AES keys used for cipher operations
   were created as persistent objects and accumulating.
   They are now ephemeral (#1813).
** libgnutls: Fix missing RSA key coprimality check in verify_params
   gnutls_privkey_verify_params overlooked the scenario of p and q
   not being co-prime.
   It now returns GNUTLS_E_PK_INVALID_PRIVKEY in this case (#1818).
   Reported by Kamil Frankowicz.
** libgnutls: Fix overread when parsing OpenSSL PEM private keys
   Insufficient bounds checking on the PEM header length could lead
   to short heap overreads on specially crafted inputs (#1854).
   Independently reported by Kamil Frankowicz and
   Joshua Rogers of AISLE Research Team.
** libgnutls: Fix a theoretical double-free during certificate import
   If gnutls_x509_crt_list_import_pkcs11 failed partway through,
   the trust list cleanup code would try to free already-deinitialized
   certificate entries, leading to a double-free (#1819).
   Reported by Joshua Rogers of AISLE Research Team.
** libgnutls: Fix heap overread in SCT extension parser
   The list-length validation didn't account for the 2-byte length field,
   allowing a specially crafted SCT extension to cause
   a 2-byte overread past the buffer (#1822).
   Reported by Joshua Rogers of AISLE Research Team.
** libgnutls: Zeroize shared secret derived during hybrid key exchange
   The derived shared secret was not zeroized before being freed (#1841).
   Reported by liyue.
** build: Support building with Nettle 4.0
   Nettle 4.0 was released in Feburary 2026, with API incompatibile
   changes from 3.10. The library can now compile with it, while
   Nettle 3.10 is still supported (#1791).
** libgnutls: Support deriving ML-DSA public key from an expanded private key
   RFC 9881 defines 3 private key formats for ML-DSA: "seed",
   "expandedKey" and both. It is now possible to derive a public key
   from a private key in the "expandedKey" format (#1723).
** libgnutls: Fix loading BIT STRING encoded EdDSA key from PKCS#11
   For compatibility reasons, the library supports two formats for
   EdDSA private keys: either ASN.1 BIT STRING (raw) or OCTET STRING
   (DER). Previously, loading a private key in the former format
   resulted in a failure, which is now fixed (#1749).
** libgnutls: HPKE (RFC 9180) is now supported as a technology preview
   The Hybrid Public Key Encryption (HPKE) is a flexible cryptographic
   protocol which enables to encrypt arbitrary data to a recipient, by
   combining key encapsulation mechanism (KEM) and authenticated
   encryption with additional data (AEAD). GnuTLS now includes the
   implementation contributed by David Dudas. Given this is a
   technology preview, the implementation and the API might suffer
   modification in the following period. Use --enable-hpke to turn on
   this feature (#1506).
** libgnutls: Fix TLS 1.3 client certificate selection
   For servers that send a signature_algorithms extension in CertificateRequest
   with new rsa_pss_rsae_* algorithms and without the legacy rsa_pkcs1_* ones,
   the client now properly considers RSA when selecting a certificate to send.
   This fixes TLS 1.3 interoperability with newer Java servers
   when using client certificates.
   Contributed by Romain Tartière (#1842).
** libgnutls: Fix kTLS ChaCha20-Poly1305 IV for TLS 1.2
   When using kTLS with ChaCha20-Poly1305 under TLS 1.2,
   an incorrect value was passed as the IV to the kernel,
   causing connections to fail early.
** libgnutls: Allow fetching object type metadata for PKCS#11 keys
   A new library function, gnutls_pkcs11_obj_get_pk_algorithm,
   has been added to check the public key algorithms of PKCS#11 key objects.
   Object types other than CKO_PRIVATE_KEY are currently not supported.
   Contributed by Ghadi Elie Rahme (!2074).
** API and ABI modifications:
	gnutls_hpke_kem_t: New enum
	gnutls_hpke_kdf_t: New enum
	gnutls_hpke_aead_t: New enum
	gnutls_hpke_mode_t: New enum
	gnutls_hpke_role_t: New enum
	gnutls_hpke_context_st: New context structure
	gnutls_hpke_init: New function
	gnutls_hpke_deinit: New function
	gnutls_hpke_encap: New function
	gnutls_hpke_seal: New function
	gnutls_hpke_decap: New function
	gnutls_hpke_open: New function
	gnutls_hpke_derive_keypair: New function
	gnutls_hpke_export: New function
	gnutls_pkcs11_obj_get_pk_algorithm: New function
3.8.12
** libgnutls: Fix NULL pointer dereference in PSK binder verification
   A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
   could lead to a denial of service attack via crashing the server.
   The updated code guards against the problematic dereference.
   Reported by Jaehun Lee.
   [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
** libgnutls: Fix name constraint processing performance issue
   Verifying certificates with pathological amounts of name constraints
   could lead to a denial of service attack via resource exhaustion.
   Reworked processing algorithms exhibit better performance characteristics.
   Reported by Tim Scheckenbach.
   [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
** libgnutls: Fix multiple unexploitable overflows
   Reported by Tim Rühsen (#1783, #1786).
** libgnutls: Fall back to thread-unsafe module initialization
   Improve fallback handling for PKCS#11 modules that
   don't support thread-safe initialization (#1774).
   Also return filename from p11_kit_module_get_name() for unconfigured modules.
** libgnutls: Accept NULL as digest argument for gnutls_hash_output
   The accelerated implementation of gnutls_hash_output() now
   properly accepts NULL as the digest argument, matching the
   behavior of the reference implementation (#1769).
** srptool: Avoid a stack buffer overflow when processing large SRP groups.
   Reported and fixed by Mikhail Dmitrichenko (#1777).
** API and ABI modifications:
	No changes since last version.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/gnutls | 12 +++++++++++-
 lfs/gnutls                     | 13 ++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)