gnutls: Update to version 3.8.9

- Update from version 3.8.8 to 3.8.9
- Update of rootfile
- I found that gnutls was using its own bundled versions of libtasn1 and libunistring
   and that there had been some CVE's with libtasn1  which were then fixed later in the
   gnutls bundled version together with some fixes in the gnutls code. So this patch,
   as well updating the version has also removed the options to use the included
   versions of the libtasn1 and libunistring libraries. libtasn1 was already in IPFire
   and just needed to be moved to before gnutls. libunistring had to be added in.
- The disable-guile option was removed as the guile bindings were removed in
   gnutls-3.8.0 and the option is no longer recognised.
- Changelog
    3.8.9
	** libgnutls: leancrypto was added as an interim option for PQC
	   The library can now be built with leancrypto instead of liboqs for
	   post-quantum cryptography (PQC), when configured with
	   --with-leancrypto option instead of --with-liboqs.
	** libgnutls: Experimental support for ML-DSA signature algorithm
	   The library and certtool now support ML-DSA signature algorithm as
	   defined in FIPS 204 and based on
	   draft-ietf-lamps-dilithium-certificates-04. This feature is
	   currently marked as experimental and can only be enabled when
	   compiled with --with-leancrypto or --with-liboqs.
	   Contributed by David Dudas.
	** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
	   The support for ML-KEM post-quantum key encapsulation mechanisms
	   has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
	   MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
	   draft-kwiatkowski-tls-ecdhe-mlkem-03.
	** libgnutls: Fix potential DoS in handling certificates with numerous name
	   constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
	   bundled copy of libtasn1 has also been updated to the latest 4.20.0
	   release to complete the fix.  Reported by Bing Shi (#1553).
	   [GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]
	** API and ABI modifications:
	   GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
	   GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
	   GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
	   GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
	   GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
	   GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
index 4f496435f2b6ff174d8e65db1598b786750a9b68..824631734347ff5e784c66c036d3bf562e7c699e 100644 (file)
--- a/config/rootfiles/common/gnutls
+++ b/config/rootfiles/common/gnutls
@@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1
 #usr/lib/libgnutls.la
 #usr/lib/libgnutls.so
 usr/lib/libgnutls.so.30
-usr/lib/libgnutls.so.30.40.2
+usr/lib/libgnutls.so.30.40.3
 #usr/lib/libgnutlsxx.la
 #usr/lib/libgnutlsxx.so
 usr/lib/libgnutlsxx.so.30

diff --git a/lfs/gnutls b/lfs/gnutls
index ad82693382e4be5ef572aae0faf870fefd8bd6ef..cc5b255fb8b0038abbeedefa32f986ef8405e34b 100644 (file)
--- a/lfs/gnutls
+++ b/lfs/gnutls
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.8.8
+VER        = 3.8.9
 
 THISAPP    = gnutls-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = d1498b0b9f14789599fd5b984d5370b632611f2702e9f4fc504ddba2a3e0dd4137bec858eb6150d031f9f50e6b3a3a7d905864f0a9f50a1f01e5ea8f37a44ba8
+$(DL_FILE)_BLAKE2 = 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7
 
 install : $(TARGET)
 
@@ -73,8 +73,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        cd $(DIR_APP) && \
                ./configure \
                        --prefix=/usr \
-                       --with-included-libtasn1 \
-                       --with-included-unistring \
                        --without-p11-kit \
                        --disable-openssl-compatibility \
                        --disable-guile