GNU bug report logs - #68516
[PATCH] gnu: gnutls: Update to 3.8.3 [security-fixes]

Previous Next

Package: guix-patches;

Reported by: Jack Hill <jackhill <at> jackhill.us>

Date: Tue, 16 Jan 2024 19:07:02 UTC

Severity: normal

Tags: patch

Done: John Kehayias <john.kehayias <at> protonmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: John Kehayias <john.kehayias <at> protonmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#68516: closed ([PATCH] gnu: gnutls: Update to 3.8.3
 [security-fixes])
Date: Sat, 20 Jan 2024 22:18:02 +0000

[Message part 1 (text/plain, inline)]
Your message dated Sat, 20 Jan 2024 22:17:28 +0000
with message-id <87cytvd4zw.fsf <at> protonmail.com>
and subject line Re: [bug#68516] [PATCH v3] gnu: gnutls: Update to 3.8.3 [security-fixes]
has caused the debbugs.gnu.org bug report #68516,
regarding [PATCH] gnu: gnutls: Update to 3.8.3 [security-fixes]
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
68516: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=68516
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Jack Hill <jackhill <at> jackhill.us>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: gnutls: Update to 3.8.3 [security-fixes]
Date: Tue, 16 Jan 2024 14:05:53 -0500

Fixes CVE-2024-0553 and CVE-2024-0567.

gnu/packages/tls.scm (gnutls): Update grafted version to 3.8.3.

Change-Id: Ic44b3b0481ffd51cdc42a2d71a598f001b43c6f7
---
 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 6441b8ed43..0af60c652e 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -309,7 +309,7 @@ (define-deprecated/public-alias gnutls-latest gnutls)
 (define gnutls-3.8.2
   (package
     (inherit gnutls)
-    (version "3.8.2")
+    (version "3.8.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnupg/gnutls/v"
@@ -318,7 +318,7 @@ (define gnutls-3.8.2
               (patches (search-patches "gnutls-skip-trust-store-test.patch"))
               (sha256
                (base32
-                "0xzgmp1ck5ifvdki4jg29r278w2p1m3a0qz38g99v6zsdw0yarg7"))))))
+                "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))))
 
 (define-public gnutls/dane
   ;; GnuTLS with build libgnutls-dane, implementing DNS-based

base-commit: 20606ca9af1ac019073f4ed872a9ad9960ff0725
-- 
2.41.0




[Message part 3 (message/rfc822, inline)]
From: John Kehayias <john.kehayias <at> protonmail.com>
To: Jack Hill <jackhill <at> jackhill.us>
Cc: 68516-done <at> debbugs.gnu.org, guix-security <at> gnu.org
Subject: Re: [bug#68516] [PATCH v3] gnu: gnutls: Update to 3.8.3
 [security-fixes]
Date: Sat, 20 Jan 2024 22:17:28 +0000

(apologies if this went through twice, wrong email used)

Hi Jack,

On Tue, Jan 16, 2024 at 02:58 PM, Jack Hill wrote:

> Fixes CVE-2024-0553 and CVE-2024-0567.
>
> gnu/packages/tls.scm (gnutls): Update grafted version to 3.8.3.
>

Thanks! I applied as 856b4a603ac5100be03d9c9bbd8f00dce030a79e where I
changed the replacement name to gnutls/fixed rather than using the
version number. I think that is a bit easier to maintain and pretty
common with our grafts.

And thank you for emailing the security list for this. Something we
should probably mention directly in the manual for patch
submission/teams.

John

> Change-Id: Ic44b3b0481ffd51cdc42a2d71a598f001b43c6f7
> ---
>
> Version 3 updates the code comment for the new CVEs
>
>  gnu/packages/tls.scm | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 6441b8ed43..207763bdc2 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -200,7 +200,7 @@ (define-public gnutls
>    (package
>      (name "gnutls")
>      (version "3.7.7")
> -    (replacement gnutls-3.8.2)
> +    (replacement gnutls-3.8.3)
>      (source (origin
>                (method url-fetch)
>                ;; Note: Releases are no longer on ftp.gnu.org since the
> @@ -305,11 +305,12 @@ (define-public gnutls
>  (define-deprecated/public-alias gnutls-latest gnutls)
>
>  ;; Replacement for gnutls <at> 3.7.7 to address GNUTLS-SA-2020-07-14 /
> -;; CVE-2023-0361 and GNUTLS-SA-2023-10-23 / CVE-2023-5981.
> -(define gnutls-3.8.2
> +;; CVE-2023-0361, GNUTLS-SA-2023-10-23 / CVE-2023-5981,
> +;; GNUTLS-SA-2024-01-14 / CVE-2024-0553, and GNUTLS-SA-2024-01-09 / CVE-2024-0567
> +(define gnutls-3.8.3
>    (package
>      (inherit gnutls)
> -    (version "3.8.2")
> +    (version "3.8.3")
>      (source (origin
>                (method url-fetch)
>                (uri (string-append "mirror://gnupg/gnutls/v"
> @@ -318,7 +319,7 @@ (define gnutls-3.8.2
>                (patches (search-patches "gnutls-skip-trust-store-test.patch"))
>                (sha256
>                 (base32
> -                "0xzgmp1ck5ifvdki4jg29r278w2p1m3a0qz38g99v6zsdw0yarg7"))))))
> +                "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))))
>
>  (define-public gnutls/dane
>    ;; GnuTLS with build libgnutls-dane, implementing DNS-based
>
> base-commit: 20606ca9af1ac019073f4ed872a9ad9960ff0725
This bug report was last modified 1 year and 122 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.