bug#66195: closed ([PATCH] gnu: gnutls: Replace with 3.8.1.)

emacs-bug-tracker

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#66195: closed ([PATCH] gnu: gnutls: Replace with 3.8.1.)

From:	GNU bug Tracking System
Subject:	bug#66195: closed ([PATCH] gnu: gnutls: Replace with 3.8.1.)
Date:	Fri, 20 Oct 2023 11:48:01 +0000

Your message dated Fri, 20 Oct 2023 12:42:41 +0100
with message-id <87h6ml4iub.fsf@cbaines.net>
and subject line Re: [bug#66195] [PATCH] gnu: gnutls: Replace with 3.8.1.
has caused the debbugs.gnu.org bug report #66195,
regarding [PATCH] gnu: gnutls: Replace with 3.8.1.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
66195: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66195
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

--- Begin Message --- Subject: [PATCH] gnu: gnutls: Replace with 3.8.1. Date: Mon, 25 Sep 2023 20:06:51 +0100

The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
upgrade to 3.8.0 or later.

* gnu/packages/tls.scm (gnutls-3.8.1): New variable.
(gnutls)[replacement]: Use it.
---
 gnu/packages/tls.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b669ac2e8d..99252464e6 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,6 +200,7 @@ (define-public gnutls
   (package
     (name "gnutls")
     (version "3.7.7")
+    (replacement gnutls-3.8.1)
     (source (origin
               (method url-fetch)
               ;; Note: Releases are no longer on ftp.gnu.org since the
@@ -303,6 +304,20 @@ (define-public gnutls
 
 (define-deprecated/public-alias gnutls-latest gnutls)
 
+(define-public gnutls-3.8.1
+  (package
+    (inherit gnutls)
+    (version "3.8.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnupg/gnutls/v"
+                                  (version-major+minor version)
+                                  "/gnutls-" version ".tar.xz"))
+              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
+              (sha256
+               (base32
+                "1742jiigwsfhx7nj5rz7dwqr8d46npsph6b68j7siar0mqarx2xs"))))))
+
 (define-public gnutls/dane
   ;; GnuTLS with build libgnutls-dane, implementing DNS-based
   ;; Authentication of Named Entities.  This is required for GNS functionality

base-commit: fafd3caef0d51811a5da81d6061789e2908b0dac
-- 
2.41.0

--- End Message ---

--- Begin Message --- Subject: Re: [bug#66195] [PATCH] gnu: gnutls: Replace with 3.8.1. Date: Fri, 20 Oct 2023 12:42:41 +0100 User-agent: mu4e 1.10.5; emacs 28.2

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Christopher Baines <mail@cbaines.net> skribis:
>
>> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
>> upgrade to 3.8.0 or later.
>>
>> * gnu/packages/tls.scm (gnutls-3.8.1): New variable.
>> (gnutls)[replacement]: Use it.
>
> Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with
> 3.7.7 as currently packaged.
>
>> +(define-public gnutls-3.8.1
>
> Maybe add a comment here with the SA and CVE references.

Done, and pushed to master as 501549137853455ca39afaf79d8a623ea4494c88.

> Then, assuming the ABIs are compatible (which can be checked with
> libabigail’s abidiff), LGTM.

→ abidiff 
/gnu/store/yr4lbvdyc4dgs76yij1dw2w2z8s84af8-gnutls-3.7.7/lib/libgnutls.so 
/gnu/store/92h0r4f0h2hz3vz9k31nfj62mv7sy1zc-gnutls-3.8.1/lib/libgnutls.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 8 Added function symbols not 
referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not 
referenced by debug info

8 Added function symbols not referenced by debug info:

  [A] _gnutls_pathbuf_append@@GNUTLS_PRIVATE_3_4
  [A] _gnutls_pathbuf_deinit@@GNUTLS_PRIVATE_3_4
  [A] _gnutls_pathbuf_init@@GNUTLS_PRIVATE_3_4
  [A] _gnutls_pathbuf_truncate@@GNUTLS_PRIVATE_3_4
  [A] _gnutls_session_ticket_disable_server@@GNUTLS_PRIVATE_3_4
  [A] gnutls_psk_format_imported_identity@@GNUTLS_3_8_1
  [A] gnutls_psk_set_client_credentials_function3@@GNUTLS_3_8_1
  [A] gnutls_psk_set_server_credentials_function3@@GNUTLS_3_8_1


Thanks for taking a look,

Chris

signature.asc
Description: PGP signature

--- End Message ---

[Prev in Thread]

Current Thread

[Next in Thread]

bug#66195: closed ([PATCH] gnu: gnutls: Replace with 3.8.1.), GNU bug Tracking System <=

Prev by Date: Processed (with 1 errors): control message for bug #14523
Next by Date: bug#66587: closed ([PATCH] gnu: emacs-disk-usage: Update to 1.3.3-0.b0d803f.)
Previous by thread: Processed (with 1 errors): control message for bug #14523
Next by thread: bug#66587: closed ([PATCH] gnu: emacs-disk-usage: Update to 1.3.3-0.b0d803f.)
Index(es):
- Date
- Thread