GNU bug report logs - #68516
[PATCH] gnu: gnutls: Update to 3.8.3 [security-fixes]


Package: guix-patches;

Reported by: Jack Hill <jackhill <at> jackhill.us>

Date: Tue, 16 Jan 2024 19:07:02 UTC

Severity: normal

Tags: patch

Done: John Kehayias <john.kehayias <at> protonmail.com>

Bug is archived. No further changes may be made.



Report forwarded to guix-security <at> gnu.org, guix-patches <at> gnu.org:
bug#68516; Package guix-patches. (Tue, 16 Jan 2024 19:07:02 GMT)

Acknowledgement sent to Jack Hill <jackhill <at> jackhill.us>:
New bug report received and forwarded. Copy sent to guix-security <at> gnu.org, guix-patches <at> gnu.org. (Tue, 16 Jan 2024 19:07:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jack Hill <jackhill <at> jackhill.us>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: gnutls: Update to 3.8.3 [security-fixes]
Date: Tue, 16 Jan 2024 14:05:53 -0500
Fixes CVE-2024-0553 and CVE-2024-0567.

gnu/packages/tls.scm (gnutls): Update grafted version to 3.8.3.

Change-Id: Ic44b3b0481ffd51cdc42a2d71a598f001b43c6f7
---
 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 6441b8ed43..0af60c652e 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -309,7 +309,7 @@ (define-deprecated/public-alias gnutls-latest gnutls)
 (define gnutls-3.8.2
   (package
     (inherit gnutls)
-    (version "3.8.2")
+    (version "3.8.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnupg/gnutls/v"
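Review bot: the variable on the `(define gnutls-3.8.2` line keeps its 3.8.2 name while the `version` field inside it now reads "3.8.3", so the identifier no longer describes what it builds and will mislead the next person bumping it; rename it together with the `(replacement gnutls-3.8.2)` reference in the `gnutls` definition, or better, give it a version-neutral name such as gnutls/fixed so future security bumps only touch the version and hash lines.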
@@ -318,7 +318,7 @@ (define gnutls-3.8.2
               (patches (search-patches "gnutls-skip-trust-store-test.patch"))
               (sha256
                (base32
-                "0xzgmp1ck5ifvdki4jg29r278w2p1m3a0qz38g99v6zsdw0yarg7"))))))
+                "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))))
 
 (define-public gnutls/dane
   ;; GnuTLS with build libgnutls-dane, implementing DNS-based
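Review bot: the new base32 string is the only thing pinning this graft to the upstream 3.8.3 tarball, and nothing in the commit message says how it was obtained; recompute it with `guix download` on the recipe's mirror://gnupg URI and verify the release's detached OpenPGP signature before trusting the value, since a mirror rather than the canonical GNU host serves the file. Also confirm that `gnutls-skip-trust-store-test.patch`, carried over unchanged in the `patches` line, still applies to 3.8.3.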

base-commit: 20606ca9af1ac019073f4ed872a9ad9960ff0725
-- 
2.41.0

Information forwarded to guix-security <at> gnu.org, guix-patches <at> gnu.org:
bug#68516; Package guix-patches. (Tue, 16 Jan 2024 19:47:02 GMT)

Message #8 received at 68516 <at> debbugs.gnu.org:

From: Jack Hill <jackhill <at> jackhill.us>
To: 68516 <at> debbugs.gnu.org
Subject: [PATCH v2] gnu: gnutls: Update to 3.8.3 [security-fixes]
Date: Tue, 16 Jan 2024 14:45:43 -0500
Fixes CVE-2024-0553 and CVE-2024-0567.

gnu/packages/tls.scm (gnutls): Update grafted version to 3.8.3.

Change-Id: Ic44b3b0481ffd51cdc42a2d71a598f001b43c6f7
---

Version 2 updates the variable name to match the software version.

 gnu/packages/tls.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 6441b8ed43..7be74a26b9 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,7 +200,7 @@ (define-public gnutls
   (package
     (name "gnutls")
     (version "3.7.7")
-    (replacement gnutls-3.8.2)
+    (replacement gnutls-3.8.3)
     (source (origin
               (method url-fetch)
               ;; Note: Releases are no longer on ftp.gnu.org since the
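Review bot: `(replacement gnutls-3.8.3)` grafts a 3.8-series build onto a package that still declares `(version "3.7.7")`; a graft only rewrites store references in dependents, so the replacement must stay binary-compatible with 3.7.7 (same libgnutls soname, no removed or changed exported symbols) or every grafted consumer fails at load time. The previous 3.8.2 graft already crossed that boundary, so the remaining check is that nothing between 3.8.2 and 3.8.3 changed the ABI, which running a grafted dependent or an abidiff of the two libgnutls.so files will show.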
@@ -306,10 +306,10 @@ (define-deprecated/public-alias gnutls-latest gnutls)
 
 ;; Replacement for gnutls <at> 3.7.7 to address GNUTLS-SA-2020-07-14 /
 ;; CVE-2023-0361 and GNUTLS-SA-2023-10-23 / CVE-2023-5981.
-(define gnutls-3.8.2
+(define gnutls-3.8.3
   (package
     (inherit gnutls)
-    (version "3.8.2")
+    (version "3.8.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnupg/gnutls/v"
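Review bot: the unchanged comment above `(define gnutls-3.8.3` still says the replacement exists for GNUTLS-SA-2020-07-14 / CVE-2023-0361 and GNUTLS-SA-2023-10-23 / CVE-2023-5981, while the commit message says this bump is for CVE-2024-0553 and CVE-2024-0567; extend the comment in this hunk so the reason for the graft is recorded next to the code rather than only in git history.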
@@ -318,7 +318,7 @@ (define gnutls-3.8.2
               (patches (search-patches "gnutls-skip-trust-store-test.patch"))
               (sha256
                (base32
-                "0xzgmp1ck5ifvdki4jg29r278w2p1m3a0qz38g99v6zsdw0yarg7"))))))
+                "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))))
 
 (define-public gnutls/dane
   ;; GnuTLS with build libgnutls-dane, implementing DNS-based

base-commit: 20606ca9af1ac019073f4ed872a9ad9960ff0725
-- 
2.41.0

Information forwarded to guix-security <at> gnu.org, guix-patches <at> gnu.org:
bug#68516; Package guix-patches. (Tue, 16 Jan 2024 20:00:02 GMT)

Message #11 received at 68516 <at> debbugs.gnu.org:

From: Jack Hill <jackhill <at> jackhill.us>
To: 68516 <at> debbugs.gnu.org
Subject: [PATCH v3] gnu: gnutls: Update to 3.8.3 [security-fixes]
Date: Tue, 16 Jan 2024 14:58:43 -0500
Fixes CVE-2024-0553 and CVE-2024-0567.

gnu/packages/tls.scm (gnutls): Update grafted version to 3.8.3.

Change-Id: Ic44b3b0481ffd51cdc42a2d71a598f001b43c6f7
---

Version 3 updates the code comment for the new CVEs.

 gnu/packages/tls.scm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 6441b8ed43..207763bdc2 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,7 +200,7 @@ (define-public gnutls
   (package
     (name "gnutls")
     (version "3.7.7")
-    (replacement gnutls-3.8.2)
+    (replacement gnutls-3.8.3)
     (source (origin
               (method url-fetch)
               ;; Note: Releases are no longer on ftp.gnu.org since the
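Review bot: this is the second time in the series that the `replacement` line here and the `define` below have had to be edited in lockstep just to rename gnutls-3.8.2 to gnutls-3.8.3; a version-neutral name such as gnutls/fixed, as is common for grafts in Guix, would leave only the `version` and `sha256` lines to change on the next security bump.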
@@ -305,11 +305,12 @@ (define-public gnutls
 (define-deprecated/public-alias gnutls-latest gnutls)
 
 ;; Replacement for gnutls <at> 3.7.7 to address GNUTLS-SA-2020-07-14 /
-;; CVE-2023-0361 and GNUTLS-SA-2023-10-23 / CVE-2023-5981.
-(define gnutls-3.8.2
+;; CVE-2023-0361, GNUTLS-SA-2023-10-23 / CVE-2023-5981,
+;; GNUTLS-SA-2024-01-14 / CVE-2024-0553, and GNUTLS-SA-2024-01-09 / CVE-2024-0567
+(define gnutls-3.8.3
   (package
     (inherit gnutls)
-    (version "3.8.2")
+    (version "3.8.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnupg/gnutls/v"
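Review bot: the second new comment line, `;; GNUTLS-SA-2024-01-14 / CVE-2024-0553, and GNUTLS-SA-2024-01-09 / CVE-2024-0567`, is 81 columns wide and drops the period that ended the original sentence; rewrap so the second advisory starts a new line and finish with `CVE-2024-0567.` to stay within the usual 80-column limit.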
@@ -318,7 +319,7 @@ (define gnutls-3.8.2
               (patches (search-patches "gnutls-skip-trust-store-test.patch"))
               (sha256
                (base32
-                "0xzgmp1ck5ifvdki4jg29r278w2p1m3a0qz38g99v6zsdw0yarg7"))))))
+                "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))))
 
 (define-public gnutls/dane
   ;; GnuTLS with build libgnutls-dane, implementing DNS-based

base-commit: 20606ca9af1ac019073f4ed872a9ad9960ff0725
-- 
2.41.0
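The only thing in the hunks above that binds the recipe to a specific upstream artefact is the `sha256` line, and Guix writes that value in nix-base32 rather than the hex that `sha256sum` or an upstream checksum file prints. The following is an added example, not code from this report or from Guix itself, that implements the nix-base32 encoding in Python so a reviewer can recompute the value from a locally downloaded and signature-verified tarball and compare it with the string in the patch. The tarball path and the sample bytes are constructed for the illustration; only `RECIPE_HASH_3_8_3` is taken from the patch.

```python
"""Recompute a Guix recipe's sha256 from a tarball on disk.

Added example (not Guix's code). Guix prints hashes in "nix-base32", the
encoding `guix hash` and `guix download` emit, so checking a recipe's
(base32 "...") line against an independently fetched tarball needs the
same encoding. The tarball path and sample bytes are constructed.
"""
import hashlib
from pathlib import Path

# Alphabet shared by Guix and Nix: digits plus lowercase letters minus e, o, t, u.
NIX_BASE32_CHARS = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_len(size: int) -> int:
    """Number of characters for a `size`-byte digest (52 for SHA-256)."""
    return (size * 8 - 1) // 5 + 1


def nix_base32_encode(digest: bytes) -> str:
    """Encode a raw digest exactly as `guix hash` prints it.

    Characters come out from the most significant 5-bit group down; each
    group is read little-endian across byte boundaries (Nix's printHash32).
    """
    n = len(digest)
    out = []
    for k in range(nix_base32_len(n) - 1, -1, -1):
        i, j = divmod(k * 5, 8)          # byte index, bit offset within it
        c = digest[i] >> j
        if i + 1 < n:
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32_CHARS[c & 0x1F])
    return "".join(out)


def nix_base32_decode(text: str, size: int = 32) -> bytes:
    """Inverse of nix_base32_encode; raises ValueError on a malformed string."""
    if len(text) != nix_base32_len(size):
        raise ValueError(f"expected {nix_base32_len(size)} characters, got {len(text)}")
    digest = bytearray(size)
    for k, ch in enumerate(reversed(text)):
        v = NIX_BASE32_CHARS.find(ch)
        if v < 0:
            raise ValueError(f"invalid nix-base32 character {ch!r}")
        i, j = divmod(k * 5, 8)
        digest[i] |= (v << j) & 0xFF
        if i + 1 < size:
            digest[i + 1] |= v >> (8 - j)
        elif v >> (8 - j):
            raise ValueError("high bits set beyond the digest length")
    return bytes(digest)


def sha256_nix_base32(data: bytes) -> str:
    """nix-base32 SHA-256 of in-memory bytes (what `guix hash` gives for a file)."""
    return nix_base32_encode(hashlib.sha256(data).digest())


def hex_to_nix_base32(hex_digest: str) -> str:
    """Convert a `sha256sum`-style hex digest into the recipe's base32 form."""
    return nix_base32_encode(bytes.fromhex(hex_digest))


def recipe_hash_matches(tarball: Path, recipe_base32: str) -> bool:
    """True when the tarball's SHA-256 equals the recipe's (base32 "...") value.

    Compare only after `gpg --verify` of the upstream detached signature has
    passed: the hash proves the recipe points at the file you checked, not
    that the file is genuine.
    """
    return sha256_nix_base32(tarball.read_bytes()) == recipe_base32


# Value from the patch under review (the only non-constructed input here).
RECIPE_HASH_3_8_3 = "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for a downloaded tarball; a real check would point
    # at gnutls-3.8.3.tar.xz fetched from the recipe's mirror://gnupg URI.
    with tempfile.NamedTemporaryFile(suffix=".tar.xz", delete=False) as f:
        f.write(b"not the real tarball\n")
        fake = Path(f.name)
    print("recipe hash  :", RECIPE_HASH_3_8_3)
    print("computed hash:", sha256_nix_base32(fake.read_bytes()))
    print("match        :", recipe_hash_matches(fake, RECIPE_HASH_3_8_3))
    fake.unlink()
```

A recipe string that does not decode (wrong length, a character outside the alphabet, or a value whose top bits overflow the 32-byte digest) is rejected before any comparison, so a typo in the hash line shows up as an error rather than a silent mismatch.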

Reply sent to John Kehayias <john.kehayias <at> protonmail.com>:
You have taken responsibility. (Sat, 20 Jan 2024 22:18:02 GMT)

Notification sent to Jack Hill <jackhill <at> jackhill.us>:
bug acknowledged by developer. (Sat, 20 Jan 2024 22:18:02 GMT)

Message #16 received at 68516-done <at> debbugs.gnu.org:

From: John Kehayias <john.kehayias <at> protonmail.com>
To: Jack Hill <jackhill <at> jackhill.us>
Cc: 68516-done <at> debbugs.gnu.org, guix-security <at> gnu.org
Subject: Re: [bug#68516] [PATCH v3] gnu: gnutls: Update to 3.8.3 [security-fixes]
Date: Sat, 20 Jan 2024 22:17:28 +0000
(apologies if this went through twice, wrong email used)

Hi Jack,

On Tue, Jan 16, 2024 at 02:58 PM, Jack Hill wrote:

> Fixes CVE-2024-0553 and CVE-2024-0567.
>
> gnu/packages/tls.scm (gnutls): Update grafted version to 3.8.3.
>

Thanks! I applied as 856b4a603ac5100be03d9c9bbd8f00dce030a79e where I
changed the replacement name to gnutls/fixed rather than using the
version number. I think that is a bit easier to maintain and pretty
common with our grafts.

And thank you for emailing the security list for this. Something we
should probably mention directly in the manual for patch
submission/teams.

John

> Change-Id: Ic44b3b0481ffd51cdc42a2d71a598f001b43c6f7
> ---
>
> Version 3 updates the code comment for the new CVEs
>
>  gnu/packages/tls.scm | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 6441b8ed43..207763bdc2 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -200,7 +200,7 @@ (define-public gnutls
>    (package
>      (name "gnutls")
>      (version "3.7.7")
> -    (replacement gnutls-3.8.2)
> +    (replacement gnutls-3.8.3)
>      (source (origin
>                (method url-fetch)
>                ;; Note: Releases are no longer on ftp.gnu.org since the
> @@ -305,11 +305,12 @@ (define-public gnutls
>  (define-deprecated/public-alias gnutls-latest gnutls)
>
>  ;; Replacement for gnutls <at> 3.7.7 to address GNUTLS-SA-2020-07-14 /
> -;; CVE-2023-0361 and GNUTLS-SA-2023-10-23 / CVE-2023-5981.
> -(define gnutls-3.8.2
> +;; CVE-2023-0361, GNUTLS-SA-2023-10-23 / CVE-2023-5981,
> +;; GNUTLS-SA-2024-01-14 / CVE-2024-0553, and GNUTLS-SA-2024-01-09 / CVE-2024-0567
> +(define gnutls-3.8.3
>    (package
>      (inherit gnutls)
> -    (version "3.8.2")
> +    (version "3.8.3")
>      (source (origin
>                (method url-fetch)
>                (uri (string-append "mirror://gnupg/gnutls/v"
> @@ -318,7 +319,7 @@ (define gnutls-3.8.2
>                (patches (search-patches "gnutls-skip-trust-store-test.patch"))
>                (sha256
>                 (base32
> -                "0xzgmp1ck5ifvdki4jg29r278w2p1m3a0qz38g99v6zsdw0yarg7"))))))
> +                "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))))
>
>  (define-public gnutls/dane
>    ;; GnuTLS with build libgnutls-dane, implementing DNS-based
>
> base-commit: 20606ca9af1ac019073f4ed872a9ad9960ff0725

Information forwarded to guix-patches <at> gnu.org:
bug#68516; Package guix-patches. (Mon, 22 Jan 2024 01:25:01 GMT)

Message #19 received at 68516-done <at> debbugs.gnu.org:

From: Jack Hill <jackhill <at> jackhill.us>
To: John Kehayias <john.kehayias <at> protonmail.com>
Cc: 68516-done <at> debbugs.gnu.org, guix-security <at> gnu.org
Subject: Re: [bug#68516] [PATCH v3] gnu: gnutls: Update to 3.8.3 [security-fixes]
Date: Sun, 21 Jan 2024 20:23:54 -0500 (EST)
On Sat, 20 Jan 2024, John Kehayias wrote:

> (apologies if this went through twice, wrong email used)
>
> Hi Jack,
>
> On Tue, Jan 16, 2024 at 02:58 PM, Jack Hill wrote:
>
>> Fixes CVE-2024-0553 and CVE-2024-0567.
>>
>> gnu/packages/tls.scm (gnutls): Update grafted version to 3.8.3.
>>
>
> Thanks! I applied as 856b4a603ac5100be03d9c9bbd8f00dce030a79e where I
> changed the replacement name to gnutls/fixed rather than using the
> version number. I think that is a bit easier to maintain and pretty
> common with our grafts.
>
> And thank you for emailing the security list for this. Something we
> should probably mention directly in the manual for patch
> submission/teams.
>
> John

Awesome, thank you!

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 19 Feb 2024 12:24:07 GMT)




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.