From patchwork Mon Dec 1 16:11:07 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9345
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] gnutls: Update to version 3.8.11
Date: Mon, 1 Dec 2025 17:11:07 +0100
Message-ID: <20251201161107.23245-2-adolf.belka@ipfire.org>
In-Reply-To: <20251201161107.23245-1-adolf.belka@ipfire.org>
References: <20251201161107.23245-1-adolf.belka@ipfire.org>
Precedence: list

- Update from version 3.8.10 to 3.8.11
- Update of rootfile
- One CVE fix
- Changelog
    3.8.11
      libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
        Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18,
        CVSS: low] [CVE-2025-9820]
      libgnutls: MAC algorithms for PSK binders is now configurable
        The previous implementation assumed HMAC-SHA256 to calculate the PSK
        binders. With the new gnutls_psk_allocate_client_credentials2() and
        gnutls_psk_allocate_server_credentials2() functions, the application
        can use other MAC algorithms such as HMAC-SHA384.
      libgnutls: Expose a new function to provide the maximum record send size
        A new function gnutls_record_get_max_send_size() has been added to
        determine the maximum size of a TLS record to be sent to the peer.
      libgnutls: Expose a new function to update keys without sending a
       KeyUpdate to the peer.
        A new function gnutls_handshake_update_receiving_key() has been added
        to allow updating the local receiving key without sending any KeyUpdate
        messages.
      libgnutls: PKCS#11 cryptographic provider configuration takes a token URI
       instead of a module path.
        To allow using a PKCS#11 module exposing multiple tokens, the "path"
        configuration keyword was replaced with the "url" keyword.
      libgnutls: Support crypto-auditing probe points
        crypto-auditing is a project to monitor which cryptographic operations
        are taking place in the library at run time, through eBPF. This adds
        necessary probe points for that, in public key cryptography and the TLS
        use-case. To enable this, run configure with --enable-crypto-auditing.
      build: The minimum version of Nettle has been updated to 3.10
        Given Nettle 3.10 is ABI compatible with 3.6 and includes several
        security relevant fixes, the library's minimum requirement of Nettle is
        updated to 3.10.
      build: The default priority file path is now constructed from sysconfdir
        Previously, the location of the default priority file was hard-coded to
        be /etc/gnutls/config. Now it takes into account the --sysconfdir
        option given to the configure script.
      API and ABI modifications:
        gnutls_psk_allocate_client_credentials2: New function
        gnutls_psk_allocate_server_credentials2: New function
        gnutls_record_get_max_send_size: New function
        gnutls_handshake_update_receiving_key: New function
        gnutls_audit_push_context: New function
        gnutls_audit_pop_context: New function
        gnutls_audit_current_context: New function

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/gnutls | 9 ++++++++-
 lfs/gnutls | 4 ++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls index e86384325..52c3b6764 100644 --- a/config/rootfiles/common/gnutls +++ b/config/rootfiles/common/gnutls @@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1 #usr/lib/libgnutls.la #usr/lib/libgnutls.so usr/lib/libgnutls.so.30 -usr/lib/libgnutls.so.30.40.4 +usr/lib/libgnutls.so.30.41.0 #usr/lib/libgnutlsxx.la #usr/lib/libgnutlsxx.so usr/lib/libgnutlsxx.so.30 @@ -143,6 +143,9 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/man/man3/gnutls_anti_replay_set_add_function.3 #usr/share/man/man3/gnutls_anti_replay_set_ptr.3 #usr/share/man/man3/gnutls_anti_replay_set_window.3 +#usr/share/man/man3/gnutls_audit_current_context.3 +#usr/share/man/man3/gnutls_audit_pop_context.3 +#usr/share/man/man3/gnutls_audit_push_context.3 #usr/share/man/man3/gnutls_auth_client_get_type.3 #usr/share/man/man3/gnutls_auth_get_type.3 #usr/share/man/man3/gnutls_auth_server_get_type.3
@@ -360,6 +363,7 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/man/man3/gnutls_handshake_set_read_function.3 #usr/share/man/man3/gnutls_handshake_set_secret_function.3 #usr/share/man/man3/gnutls_handshake_set_timeout.3 +#usr/share/man/man3/gnutls_handshake_update_receiving_key.3 #usr/share/man/man3/gnutls_handshake_write.3 #usr/share/man/man3/gnutls_hash.3 #usr/share/man/man3/gnutls_hash_copy.3 @@ -684,7 +688,9 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/man/man3/gnutls_protocol_list.3 #usr/share/man/man3/gnutls_protocol_set_enabled.3 #usr/share/man/man3/gnutls_psk_allocate_client_credentials.3 +#usr/share/man/man3/gnutls_psk_allocate_client_credentials2.3 #usr/share/man/man3/gnutls_psk_allocate_server_credentials.3 +#usr/share/man/man3/gnutls_psk_allocate_server_credentials2.3 #usr/share/man/man3/gnutls_psk_client_get_hint.3 #usr/share/man/man3/gnutls_psk_format_imported_identity.3 #usr/share/man/man3/gnutls_psk_free_client_credentials.3 @@ -761,6 +767,7 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/man/man3/gnutls_record_get_direction.3 #usr/share/man/man3/gnutls_record_get_discarded.3 #usr/share/man/man3/gnutls_record_get_max_early_data_size.3 +#usr/share/man/man3/gnutls_record_get_max_send_size.3 #usr/share/man/man3/gnutls_record_get_max_size.3 #usr/share/man/man3/gnutls_record_get_state.3 #usr/share/man/man3/gnutls_record_overhead_size.3 diff --git a/lfs/gnutls b/lfs/gnutls index 25920dfe7..15d0362dd 100644 --- a/lfs/gnutls +++ b/lfs/gnutls @@ -24,7 +24,7 @@ include Config -VER = 3.8.10 +VER = 3.8.11 THISAPP = gnutls-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 0b62e93b2818d2265ca11e561724547fa3c24d08986eb77ea743b4af52773db975c1859164c7d405d9a9bedfa981af58f10f85100b6c0e3542a38c49af407a4d +$(DL_FILE)_BLAKE2 = 54ec3fb396187294ae59c65fa92a515175d8ab19d9f5656569b372b5764b3090724aaa8cedd9467b530f2c74e86a6bfd956d3bd9439a7b69656dcc24e303cbe6 install : $(TARGET)
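
Review bot: In the first config/rootfiles/common/gnutls hunk the versioned library file changes from usr/lib/libgnutls.so.30.40.4 to usr/lib/libgnutls.so.30.41.0 while the libgnutls.so.30 entry stays the same, so an upgraded system keeps the old 30.40.4 file unless something deletes it. That file still carries the gnutls_pkcs11_token_init stack overwrite the commit message cites as CVE-2025-9820, so please confirm that the update shipping this package removes usr/lib/libgnutls.so.30.40.4 and mention that in the commit message.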
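
Review bot: The lfs/gnutls hunk at VER = 3.8.11 bumps only the version, yet the changelog quoted in the commit message lists three build and configuration changes the patch does not address: the minimum Nettle is now 3.10, the default priority file path is built from --sysconfdir instead of the hard-coded /etc/gnutls/config, and the PKCS#11 provider configuration takes "url" in place of "path". Please state in the commit message that the Nettle in the tree is at least 3.10, that the configure call in this file still resolves the priority file to /etc/gnutls/config, and that no shipped configuration relies on the old "path" keyword.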
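
Review bot: The $(DL_FILE)_BLAKE2 replacement in the last lfs/gnutls hunk is the only integrity pin on the new tarball, and neither the patch nor the commit message says how the new value was obtained. Suggest noting that gnutls-3.8.11.tar.xz was checked against the upstream release signature before the digest was computed, so the pinned hash is tied to a verified download.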