git.ipfire.org Git - ipfire-2.x.git/commitdiff
gnutls: Update to version 3.8.11
author Adolf Belka <adolf.belka@ipfire.org>
Mon, 1 Dec 2025 16:11:07 +0000 (17:11 +0100)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 2 Dec 2025 14:22:52 +0000 (14:22 +0000)
- Update from version 3.8.10 to 3.8.11
- Update of rootfile
- One CVE fix
- Changelog
    3.8.11
libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
   Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18,
   CVSS: low] [CVE-2025-9820]
libgnutls: MAC algorithms for PSK binders are now configurable
   The previous implementation assumed HMAC-SHA256 to calculate the
   PSK binders. With the new gnutls_psk_allocate_client_credentials2()
   and gnutls_psk_allocate_server_credentials2() functions, the
   application can use other MAC algorithms such as HMAC-SHA384.
libgnutls: Expose a new function to provide the maximum record send size
   A new function gnutls_record_get_max_send_size() has been added to
   determine the maximum size of a TLS record to be sent to the peer.
libgnutls: Expose a new function to update keys without sending a KeyUpdate
   to the peer. A new function gnutls_handshake_update_receiving_key()
   has been added to allow updating the local receiving key without
   sending any KeyUpdate messages.
libgnutls: PKCS#11 cryptographic provider configuration takes a token URI
   instead of a module path. To allow using a PKCS#11 module exposing
   multiple tokens, the "path" configuration keyword was replaced with
   the "url" keyword.
libgnutls: Support crypto-auditing probe points
   crypto-auditing is a project to monitor which cryptographic
   operations are taking place in the library at run time, through
   eBPF. This adds necessary probe points for that, in public key
   cryptography and the TLS use-case. To enable this, run configure
   with --enable-crypto-auditing.
build: The minimum version of Nettle has been updated to 3.10
   Given Nettle 3.10 is ABI compatible with 3.6 and includes several
   security relevant fixes, the library's minimum requirement of
   Nettle is updated to 3.10.
build: The default priority file path is now constructed from sysconfdir
   Previously, the location of the default priority file was
   hard-coded to be /etc/gnutls/config. Now it takes into account
   the --sysconfdir option given to the configure script.
API and ABI modifications:
   gnutls_psk_allocate_client_credentials2: New function
   gnutls_psk_allocate_server_credentials2: New function
   gnutls_record_get_max_send_size: New function
   gnutls_handshake_update_receiving_key: New function
   gnutls_audit_push_context: New function
   gnutls_audit_pop_context: New function
   gnutls_audit_current_context: New function

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/common/gnutls
lfs/gnutls

index e863843258d1d7b1d194b74ff3028d6188147aac..52c3b676476cacf8a5fda42a06012c0a4eaf8e68 100644 (file)
@@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1
 #usr/lib/libgnutls.la
 #usr/lib/libgnutls.so
 usr/lib/libgnutls.so.30
-usr/lib/libgnutls.so.30.40.4
+usr/lib/libgnutls.so.30.41.0
 #usr/lib/libgnutlsxx.la
 #usr/lib/libgnutlsxx.so
 usr/lib/libgnutlsxx.so.30
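Review bot: Dropping usr/lib/libgnutls.so.30.40.4 from the rootfile does not by itself say what happens to that file on systems that are upgraded rather than freshly installed. Since 3.8.10 is the version carrying the gnutls_pkcs11_token_init stack overwrite (CVE-2025-9820), please confirm that the update shipping this change removes the old versioned library, so that only libgnutls.so.30.41.0 remains behind the unchanged usr/lib/libgnutls.so.30 name.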
@@ -143,6 +143,9 @@ usr/lib/libgnutlsxx.so.30.0.0
 #usr/share/man/man3/gnutls_anti_replay_set_add_function.3
 #usr/share/man/man3/gnutls_anti_replay_set_ptr.3
 #usr/share/man/man3/gnutls_anti_replay_set_window.3
+#usr/share/man/man3/gnutls_audit_current_context.3
+#usr/share/man/man3/gnutls_audit_pop_context.3
+#usr/share/man/man3/gnutls_audit_push_context.3
 #usr/share/man/man3/gnutls_auth_client_get_type.3
 #usr/share/man/man3/gnutls_auth_get_type.3
 #usr/share/man/man3/gnutls_auth_server_get_type.3
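Review bot: The three gnutls_audit_* man page entries are the only trace of the crypto-auditing feature in this diff, and the commit message says the probe points need --enable-crypto-auditing at configure time. The lfs/gnutls hunks change only VER and the BLAKE2 digest, so it would help to state in the commit message whether the feature is intentionally left disabled, since the new gnutls_audit_push_context, gnutls_audit_pop_context and gnutls_audit_current_context symbols are exported either way.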
@@ -360,6 +363,7 @@ usr/lib/libgnutlsxx.so.30.0.0
 #usr/share/man/man3/gnutls_handshake_set_read_function.3
 #usr/share/man/man3/gnutls_handshake_set_secret_function.3
 #usr/share/man/man3/gnutls_handshake_set_timeout.3
+#usr/share/man/man3/gnutls_handshake_update_receiving_key.3
 #usr/share/man/man3/gnutls_handshake_write.3
 #usr/share/man/man3/gnutls_hash.3
 #usr/share/man/man3/gnutls_hash_copy.3
@@ -684,7 +688,9 @@ usr/lib/libgnutlsxx.so.30.0.0
 #usr/share/man/man3/gnutls_protocol_list.3
 #usr/share/man/man3/gnutls_protocol_set_enabled.3
 #usr/share/man/man3/gnutls_psk_allocate_client_credentials.3
+#usr/share/man/man3/gnutls_psk_allocate_client_credentials2.3
 #usr/share/man/man3/gnutls_psk_allocate_server_credentials.3
+#usr/share/man/man3/gnutls_psk_allocate_server_credentials2.3
 #usr/share/man/man3/gnutls_psk_client_get_hint.3
 #usr/share/man/man3/gnutls_psk_format_imported_identity.3
 #usr/share/man/man3/gnutls_psk_free_client_credentials.3
@@ -761,6 +767,7 @@ usr/lib/libgnutlsxx.so.30.0.0
 #usr/share/man/man3/gnutls_record_get_direction.3
 #usr/share/man/man3/gnutls_record_get_discarded.3
 #usr/share/man/man3/gnutls_record_get_max_early_data_size.3
+#usr/share/man/man3/gnutls_record_get_max_send_size.3
 #usr/share/man/man3/gnutls_record_get_max_size.3
 #usr/share/man/man3/gnutls_record_get_state.3
 #usr/share/man/man3/gnutls_record_overhead_size.3
index 25920dfe7754cae83d2eefba5c0f56ae15298b0f..15d0362dd66ac24e9ad350b4938195be61ef4063 100644 (file)
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.8.10
+VER        = 3.8.11
 
 THISAPP    = gnutls-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
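Review bot: The bump at VER = 3.8.11 brings in two build-affecting changes from the quoted changelog that nothing in this diff addresses: the minimum Nettle version is now 3.10, and the default priority file path is derived from --sysconfdir instead of being hard-coded to /etc/gnutls/config. Please confirm that the tree's Nettle is at least 3.10 and that the configure call in lfs/gnutls sets sysconfdir so the priority file is still read from /etc/gnutls/config. The PKCS#11 provider keyword change from "path" to "url" is also worth a line if any shipped configuration uses it.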
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 0b62e93b2818d2265ca11e561724547fa3c24d08986eb77ea743b4af52773db975c1859164c7d405d9a9bedfa981af58f10f85100b6c0e3542a38c49af407a4d
+$(DL_FILE)_BLAKE2 = 54ec3fb396187294ae59c65fa92a515175d8ab19d9f5656569b372b5764b3090724aaa8cedd9467b530f2c74e86a6bfd956d3bd9439a7b69656dcc24e303cbe6
 
 install : $(TARGET)
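Review bot: The new $(DL_FILE)_BLAKE2 value is the only integrity anchor for the 3.8.11 tarball, and neither this hunk nor the commit message says how it was obtained. Please record in the commit message that the downloaded $(THISAPP).tar.xz was checked against upstream's published signature or checksum before this digest was computed, so the pinned value is known to match the upstream release and not just the copy that was fetched.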