pkgsrc-Changes archive
CVS commit: pkgsrc/security/gnutls
Module Name: pkgsrc
Committed By: tnn
Date: Sat May 2 20:04:33 UTC 2009
Modified Files:
pkgsrc/security/gnutls: Makefile distinfo
Log Message:
Update to gnutls-2.6.6.
* Version 2.6.6 (released 2009-04-30)
libgnutls: Corrected double free on signature verification failure.
Reported by Miroslav Kratochvil. See the advisory
for more details. [GNUTLS-SA-2009-1] [CVE-2009-1415]
libgnutls: Fix DSA key generation.
Noticed when investigating the previous GNUTLS-SA-2009-1 problem. All
DSA keys generated using GnuTLS 2.6.x are corrupt. See the advisory
for more details. [GNUTLS-SA-2009-2] [CVE-2009-1416]
libgnutls: Check expiration/activation time on untrusted certificates.
Reported by Romain Francoise. Before the
library did not check activation/expiration times on certificates, and
was documented as not doing so. We have realized that many
applications that use libgnutls, including gnutls-cli, fail to perform
proper checks. Implementing similar logic in all applications leads
to code duplication. Hence, we decided to check whether the current
time (as reported by the time function) is within the
activation/expiration period of certificates when verifying untrusted
certificates.
This changes the semantics of gnutls_x509_crt_list_verify, which in
turn is used by gnutls_certificate_verify_peers and
gnutls_certificate_verify_peers2. We add two new
gnutls_certificate_status_t codes for reporting the new error
condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also
add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour.
API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
To generate a diff of this commit:
cvs rdiff -u -r1.79 -r1.80 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.53 -r1.54 pkgsrc/security/gnutls/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
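The time check described in the log message, modelled as an added example (not code from GnuTLS or pkgsrc): each certificate's activation/expiration window is compared against the current time, and the result is reported as status bits unless the caller opts out. The `EX_`/`ex_` names, the bit values, the boundary handling and the sample chain are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Stand-ins for the two status codes and the flag named in the log message.
   The EX_ names and bit values are assumptions of this model, not GnuTLS's. */
enum { EX_CERT_NOT_ACTIVATED = 1, EX_CERT_EXPIRED = 2 };
enum { EX_VERIFY_DISABLE_TIME_CHECKS = 1 };

struct ex_cert { const char *name; time_t not_before, not_after; };

/* Constructed sample chain; times are seconds since the epoch. */
static const struct ex_cert ex_chain[] = {
    { "leaf",         1000, 2000 },
    { "intermediate",  500, 5000 },
};

/* Status bits for one certificate's validity window at time `now`. */
static unsigned ex_window_status(const struct ex_cert *c, time_t now)
{
    unsigned status = 0;
    if (now < c->not_before) status |= EX_CERT_NOT_ACTIVATED;
    if (now > c->not_after)  status |= EX_CERT_EXPIRED;
    return status;
}

/* OR the window status of every certificate in the chain, unless the
   caller passed the opt-out flag, in which case times are ignored. */
unsigned ex_chain_time_status(const struct ex_cert *chain, size_t n,
                              time_t now, unsigned flags)
{
    unsigned status = 0;
    if (flags & EX_VERIFY_DISABLE_TIME_CHECKS)
        return 0;
    for (size_t i = 0; i < n; i++)
        status |= ex_window_status(&chain[i], now);
    return status;
}

int main(void)
{
    const time_t probes[] = { 100, 1500, 2500 };
    for (size_t i = 0; i < 3; i++) {
        unsigned s = ex_chain_time_status(ex_chain, 2, probes[i], 0);
        printf("now=%ld not_activated=%d expired=%d\n", (long)probes[i],
               !!(s & EX_CERT_NOT_ACTIVATED), !!(s & EX_CERT_EXPIRED));
    }
    return 0;
}
```

An application that previously accepted a zero verification status has to be prepared for these two additional failure bits after the update.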