From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: GnuTLS security update
Date: Sun, 11 Sep 2016 22:54:09 +0200
Message-ID: <87zinei2dq.fsf@gnu.org>
In-Reply-To: <20160911154108.GA13920@jasmine> (Leo Famulari's message of "Sun, 11 Sep 2016 11:41:08 -0400")
To: Leo Famulari
Cc: guix-devel@gnu.org

Hi,

Leo Famulari skribis:

> For master, the naive approach of cherry-picking the patch [1] did not
> work; the test 'system-prio-file' fails consistently with that change. I
> could instead try grafting the updated version.

These 3 GnuTLS commits appear to be related to this issue:

--8<---------------cut here---------------start------------->8---
commit 8469db9dbcdd6ec22094a4f095201d80d981b9f0
Author: Nikos Mavrogiannopoulos
Date:   Sun Aug 28 00:55:30 2016 +0200

    tests: added basic operational check of gnutls_ocsp_resp_get_single()

commit 8a0c9bbae25f75e30a913c6f4b29f468940398ca
Author: Nikos Mavrogiannopoulos
Date:   Sun Aug 28 00:40:49 2016 +0200

    gnutls_ocsp_resp_get_single: reorganized function to eliminate memory leaks

    Simplified and optimized the function operation, by removing unnecessary
    memory allocations, as well as eliminating memory leaks on certain error
    cases.

commit 964632f37dfdfb914ebc5e49db4fa29af35b1de9
Author: Nikos Mavrogiannopoulos
Date:   Sat Aug 27 17:00:22 2016 +0200

    ocsp: corrected the comparison of the serial size in OCSP response

    Previously the OCSP certificate check wouldn't verify the serial length
    and could succeed in cases it shouldn't.

    Reported by Stefan Buehler.
--8<---------------cut here---------------end--------------->8---

If applying these patches on top of our current GnuTLS version (and then
using it as a graft) works, we could do that.  If not, using the later
3.5.x release should be OK (API- and ABI-compatible).

Ludo’.
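The serial-size issue named in commit 964632f37 above belongs to a well-known class of comparison bug: matching a certificate against the single responses in an OCSP response by comparing serial-number bytes without first checking that both serials are the same length. The following is an added, constructed illustration of that class and is not GnuTLS code, not the text of the actual patch, and not part of the original message. The types, the `serial_matches_buggy` / `serial_matches_fixed` / `status_buggy` / `status_fixed` functions and the sample serials and statuses are all my assumptions; the "buggy" matcher compares only as many bytes as the shorter serial has, which is one plausible shape for a missing length check.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed, illustrative types. These are NOT GnuTLS's API. */
enum cert_status { STATUS_UNKNOWN = -1, STATUS_GOOD = 0, STATUS_REVOKED = 1 };

struct single_response {
    const unsigned char *serial;   /* DER INTEGER contents of the cert serial */
    size_t serial_len;
    enum cert_status status;
};

/* Hypothetical buggy matcher: compares only up to the shorter length and
 * never requires the two lengths to agree.  A response for serial
 * 01 02 03 therefore "matches" a certificate whose serial is 01 02 03 04. */
static int serial_matches_buggy(const unsigned char *a, size_t alen,
                                const unsigned char *b, size_t blen)
{
    size_t n = alen < blen ? alen : blen;
    return memcmp(a, b, n) == 0;
}

/* Corrected matcher: a length mismatch is a mismatch, before any bytes
 * are compared. */
static int serial_matches_fixed(const unsigned char *a, size_t alen,
                                const unsigned char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

typedef int (*serial_match_fn)(const unsigned char *, size_t,
                               const unsigned char *, size_t);

/* Walk the single responses in order and return the status of the first
 * one whose serial matches, or STATUS_UNKNOWN if none does. */
static enum cert_status lookup(const struct single_response *resps, size_t n,
                               const unsigned char *serial, size_t serial_len,
                               serial_match_fn match)
{
    for (size_t i = 0; i < n; i++)
        if (match(resps[i].serial, resps[i].serial_len, serial, serial_len))
            return resps[i].status;
    return STATUS_UNKNOWN;
}

/* Constructed sample data: a "good" cert whose serial is a prefix of a
 * revoked cert's serial. */
static const unsigned char SERIAL_SHORT[]  = {0x01, 0x02, 0x03};
static const unsigned char SERIAL_LONG[]   = {0x01, 0x02, 0x03, 0x04};
static const unsigned char SERIAL_PREFIX[] = {0x01};
static const unsigned char SERIAL_OTHER[]  = {0x09};

static const struct single_response SAMPLE_RESPONSES[] = {
    { SERIAL_SHORT, sizeof SERIAL_SHORT, STATUS_GOOD    },
    { SERIAL_LONG,  sizeof SERIAL_LONG,  STATUS_REVOKED },
};
#define N_RESPONSES (sizeof SAMPLE_RESPONSES / sizeof SAMPLE_RESPONSES[0])

enum cert_status status_buggy(const unsigned char *serial, size_t len)
{
    return lookup(SAMPLE_RESPONSES, N_RESPONSES, serial, len, serial_matches_buggy);
}

enum cert_status status_fixed(const unsigned char *serial, size_t len)
{
    return lookup(SAMPLE_RESPONSES, N_RESPONSES, serial, len, serial_matches_fixed);
}

static const char *name(enum cert_status s)
{
    return s == STATUS_GOOD ? "good" : s == STATUS_REVOKED ? "revoked" : "unknown";
}

int main(void)
{
    /* The revoked cert is reported "good" by the buggy matcher because the
     * earlier, shorter serial is a byte prefix of it. */
    printf("long serial:   buggy=%s fixed=%s\n",
           name(status_buggy(SERIAL_LONG, sizeof SERIAL_LONG)),
           name(status_fixed(SERIAL_LONG, sizeof SERIAL_LONG)));
    /* A one-byte serial that is a prefix of both gets a status it has no
     * right to from the buggy matcher. */
    printf("prefix serial: buggy=%s fixed=%s\n",
           name(status_buggy(SERIAL_PREFIX, sizeof SERIAL_PREFIX)),
           name(status_fixed(SERIAL_PREFIX, sizeof SERIAL_PREFIX)));
    printf("other serial:  buggy=%s fixed=%s\n",
           name(status_buggy(SERIAL_OTHER, sizeof SERIAL_OTHER)),
           name(status_fixed(SERIAL_OTHER, sizeof SERIAL_OTHER)));
    return 0;
}
```

The point of the ordering in `SAMPLE_RESPONSES` is that a prefix match is only dangerous when a shorter serial is encountered before the exact one, which is why such bugs can go unnoticed in tests that use a single response. Comparing raw serial bytes is only sound when both sides are canonical DER INTEGER contents; if either side may carry redundant leading zero bytes, normalize before comparing, and always compare lengths first.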