Ludovic Courtès writes: > Hi, > > Christopher Baines skribis: > >> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to >> upgrade to 3.8.0 or later. >> >> * gnu/packages/tls.scm (gnutls-3.8.1): New variable. >> (gnutls)[replacement]: Use it. > > Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with > 3.7.7 as currently packaged. > >> +(define-public gnutls-3.8.1 > > Maybe add a comment here with the SA and CVE references. Done, and pushed to master as 501549137853455ca39afaf79d8a623ea4494c88. > Then, assuming the ABIs are compatible (which can be checked with > libabigail’s abidiff), LGTM. → abidiff /gnu/store/yr4lbvdyc4dgs76yij1dw2w2z8s84af8-gnutls-3.7.7/lib/libgnutls.so /gnu/store/92h0r4f0h2hz3vz9k31nfj62mv7sy1zc-gnutls-3.8.1/lib/libgnutls.so Functions changes summary: 0 Removed, 0 Changed, 0 Added function Variables changes summary: 0 Removed, 0 Changed, 0 Added variable Function symbols changes summary: 0 Removed, 8 Added function symbols not referenced by debug info Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 8 Added function symbols not referenced by debug info: [A] _gnutls_pathbuf_append@@GNUTLS_PRIVATE_3_4 [A] _gnutls_pathbuf_deinit@@GNUTLS_PRIVATE_3_4 [A] _gnutls_pathbuf_init@@GNUTLS_PRIVATE_3_4 [A] _gnutls_pathbuf_truncate@@GNUTLS_PRIVATE_3_4 [A] _gnutls_session_ticket_disable_server@@GNUTLS_PRIVATE_3_4 [A] gnutls_psk_format_imported_identity@@GNUTLS_3_8_1 [A] gnutls_psk_set_client_credentials_function3@@GNUTLS_3_8_1 [A] gnutls_psk_set_server_credentials_function3@@GNUTLS_3_8_1 Thanks for taking a look, Chris