From 9c5b7534c42142ca5146d71e6df12734f25e4557 Mon Sep 17 00:00:00 2001
From: Tomáš Mráz
Date: Dec 04 2008 16:50:10 +0000
Subject: - upgrade to a new upstream version
---
diff --git a/.cvsignore b/.cvsignore
index 1a5c4fa..979e26b 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-gnutls-2.4.2-nosrp.tar.bz2
+gnutls-2.6.2-nosrp.tar.bz2
diff --git a/gnutls-1.4.1-cve-2008-4989.patch b/gnutls-1.4.1-cve-2008-4989.patch
deleted file mode 100644
index c7f5bc7..0000000
--- a/gnutls-1.4.1-cve-2008-4989.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up gnutls-1.4.1/lib/x509/verify.c.chain-verify gnutls-1.4.1/lib/x509/verify.c
---- gnutls-1.4.1/lib/x509/verify.c.chain-verify 2008-11-11 10:55:19.000000000 +0100
-+++ gnutls-1.4.1/lib/x509/verify.c 2008-11-11 10:58:54.000000000 +0100
-@@ -379,6 +379,17 @@ _gnutls_x509_verify_certificate (const g
- int i = 0, ret;
- unsigned int status = 0, output;
-
-+ /* Check if the last certificate in the path is self signed.
-+ * In that case ignore it (a certificate is trusted only if it
-+ * leads to a trusted party by us, not the server's).
-+ */
-+ if (clist_size > 1 &&
-+ gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
-+ certificate_list[clist_size - 1]) > 0)
-+ {
-+ clist_size--;
-+ }
-+
- /* Verify the last certificate in the certificate path
- * against the trusted CA certificate list.
- *
-@@ -417,17 +428,6 @@ _gnutls_x509_verify_certificate (const g
- }
- #endif
-
-- /* Check if the last certificate in the path is self signed.
-- * In that case ignore it (a certificate is trusted only if it
-- * leads to a trusted party by us, not the server's).
-- */
-- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
-- certificate_list[clist_size - 1]) > 0
-- && clist_size > 0)
-- {
-- clist_size--;
-- }
--
- /* Verify the certificate path (chain)
- */
- for (i = clist_size - 1; i > 0; i--)
diff --git a/gnutls-2.4.0-nosrp.patch b/gnutls-2.4.0-nosrp.patch
deleted file mode 100644
index ddfb9a5..0000000
--- a/gnutls-2.4.0-nosrp.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -up gnutls-2.4.0/lib/gnutlsxx.cpp.nosrp gnutls-2.4.0/lib/gnutlsxx.cpp
---- gnutls-2.4.0/lib/gnutlsxx.cpp.nosrp 2008-05-19 10:01:43.000000000 +0200
-+++ gnutls-2.4.0/lib/gnutlsxx.cpp 2008-06-23 20:11:26.000000000 +0200
-@@ -398,7 +398,11 @@ void session::set_credentials( credentia
-
- const char* server_session::get_srp_username() const
- {
-+#ifdef ENABLE_SRP
- return gnutls_srp_server_get_username( s);
-+#else
-+ return NULL;
-+#endif
- }
-
- const char* server_session::get_psk_username() const
-@@ -677,7 +681,7 @@ void certificate_client_credentials::set
- }
-
- // SRP
--
-+#ifdef ENABLE_SRP
- srp_server_credentials::srp_server_credentials() : credentials(GNUTLS_CRD_SRP)
- {
- RETWRAP(gnutls_srp_allocate_server_credentials( &cred));
-@@ -721,7 +725,7 @@ void srp_client_credentials::set_credent
- {
- gnutls_srp_set_client_credentials_function( cred, func);
- }
--
-+#endif
- // PSK
-
- psk_server_credentials::psk_server_credentials() : credentials(GNUTLS_CRD_PSK)
diff --git a/gnutls-2.6.2-chain-verify.patch b/gnutls-2.6.2-chain-verify.patch
new file mode 100644
index 0000000..529b160
--- /dev/null
+++ b/gnutls-2.6.2-chain-verify.patch
@@ -0,0 +1,21 @@
+diff -up gnutls-2.6.2/lib/x509/verify.c.chain-verify gnutls-2.6.2/lib/x509/verify.c
+--- gnutls-2.6.2/lib/x509/verify.c.chain-verify 2008-11-12 15:01:46.000000000 +0100
++++ gnutls-2.6.2/lib/x509/verify.c 2008-12-04 14:35:52.000000000 +0100
+@@ -374,6 +374,17 @@ _gnutls_x509_verify_certificate (const g
+ int i = 0, ret;
+ unsigned int status = 0, output;
+
++ /* Check if the last certificate in the path is self signed.
++ * In that case ignore it (a certificate is trusted only if it
++ * leads to a trusted party by us, not the server's).
++ */
++ if (clist_size > 1 &&
++ gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
++ certificate_list[clist_size - 1]) > 0)
++ {
++ clist_size--;
++ }
++
+ /* Verify the last certificate in the certificate path
+ * against the trusted CA certificate list.
+ *
diff --git a/gnutls-2.6.2-nosrp.patch b/gnutls-2.6.2-nosrp.patch
new file mode 100644
index 0000000..9bcdfeb
--- /dev/null
+++ b/gnutls-2.6.2-nosrp.patch
@@ -0,0 +1,20 @@
+diff -up gnutls-2.6.2/lib/gnutlsxx.cpp.nosrp gnutls-2.6.2/lib/gnutlsxx.cpp
+--- gnutls-2.6.2/lib/gnutlsxx.cpp.nosrp 2008-11-12 10:56:28.000000000 +0100
++++ gnutls-2.6.2/lib/gnutlsxx.cpp 2008-12-04 14:34:10.000000000 +0100
+@@ -396,12 +396,14 @@ void session::set_credentials( credentia
+ RETWRAP(gnutls_credentials_set( s, cred.get_type(), cred.ptr()));
+ }
+
+-#ifdef ENABLE_SRP
+ const char* server_session::get_srp_username() const
+ {
++#ifdef ENABLE_SRP
+ return gnutls_srp_server_get_username( s);
+-}
++#else
++ return NULL;
+ #endif
++}
+
+ const char* server_session::get_psk_username() const
+ {
diff --git a/gnutls.spec b/gnutls.spec
index 165ec62..112b6b6 100644
--- a/gnutls.spec
+++ b/gnutls.spec
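Review bot: The comment on the block added at the top of `_gnutls_x509_verify_certificate` (gnutls-2.6.2-chain-verify.patch) says "self signed", but the test is `gnutls_x509_crt_check_issuer` of the last certificate against itself, which compares issuer and subject fields rather than verifying a signature, so "self-issued" is the accurate word. The comment also leaves the `clist_size > 1` guard unexplained; a line such as `/* Keep a one-certificate chain intact so that certificate is still checked against the trusted list below. */` would record the reason (presumably this one; confirm against upstream). Unlike the deleted 1.4.1 patch, this one only adds the early check and removes nothing, so it is worth confirming that 2.6.2's verify.c has no second copy of the drop after the trusted-list check, which lies outside the hunk. The rename also drops CVE-2008-4989 from the patch file name; a comment above `Patch5:` in gnutls.spec naming the CVE would keep the fix traceable.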
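Review bot: With the `#ifdef ENABLE_SRP` moved inside the body in the gnutlsxx.cpp hunk (gnutls-2.6.2-nosrp.patch), `server_session::get_srp_username()` is always defined and returns `NULL` when SRP is compiled out, and nothing tells a caller that. A caller that builds a `std::string` from the result or passes it to a `%s` format without a null check would hit undefined behaviour on this no-SRP build. I would add a comment in the `#else` branch, e.g. `/* SRP is not compiled in: no username is available, callers must check for NULL */`. The deleted 2.4.0 patch also wrapped the SRP credential classes in `#ifdef ENABLE_SRP` and this one does not, presumably because upstream 2.6.2 already guards them; that code is outside the hunk and worth confirming.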
@@ -1,7 +1,7 @@ Summary: A TLS protocol implementation Name: gnutls -Version: 2.4.2 -Release: 3%{?dist} +Version: 2.6.2 +Release: 1%{?dist} # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+ License: GPLv3+ and LGPLv2+ Group: System Environment/Libraries @@ -15,8 +15,8 @@ URL: http://www.gnutls.org/ # XXX patent tainted SRP code removed. Source0: %{name}-%{version}-nosrp.tar.bz2 Source1: libgnutls-config -Patch1: gnutls-2.4.0-nosrp.patch -Patch5: gnutls-1.4.1-cve-2008-4989.patch +Patch1: gnutls-2.6.2-nosrp.patch +Patch5: gnutls-2.6.2-chain-verify.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: libgcrypt >= 1.2.2 @@ -150,6 +150,9 @@ fi %{_datadir}/guile/site/gnutls.scm %changelog +* Thu Dec 4 2008 Tomas Mraz 2.6.2-1 +- upgrade to a new upstream version + * Tue Nov 11 2008 Tomas Mraz 2.4.2-3 - fix chain verification issue CVE-2008-4989 (#470079) diff --git a/sources b/sources index 8be6413..9fd6cc3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -dcc09099518f4560a01d3b153bcafc5d gnutls-2.4.2-nosrp.tar.bz2 +b74cfcc8af6a81fa3a51fc798660af0b gnutls-2.6.2-nosrp.tar.bz2