From 81109c4f0efa7f860668dbe0ba343eff764e6385 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 30 2020 16:25:43 +0000 Subject: import gnutls-3.6.8-10.el8_2 --- diff --git a/SOURCES/gnutls-3.6.12-dtls-random.patch b/SOURCES/gnutls-3.6.12-dtls-random.patch new file mode 100644 index 0000000..b308af7 --- /dev/null +++ b/SOURCES/gnutls-3.6.12-dtls-random.patch @@ -0,0 +1,29 @@ +From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stefan=20B=C3=BChler?= +Date: Fri, 27 Mar 2020 17:17:57 +0100 +Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This broke with bcf4de03 "handshake: treat reply to HRR as a reply to +hello verify request", which failed to "De Morgan" properly. + +Signed-off-by: Stefan Bühler +--- + lib/handshake.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: gnutls-3.6.8/lib/handshake.c +=================================================================== +--- gnutls-3.6.8.orig/lib/handshake.c ++++ gnutls-3.6.8/lib/handshake.c +@@ -2164,7 +2164,7 @@ static int send_client_hello(gnutls_sess + /* Generate random data + */ + if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) && +- !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) { ++ !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) { + ret = _gnutls_gen_client_random(session); + if (ret < 0) { + gnutls_assert(); diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec index 007d302..ea01f2b 100644 --- a/SPECS/gnutls.spec +++ b/SPECS/gnutls.spec @@ -1,5 +1,5 @@ Version: 3.6.8 -Release: 9%{?dist} +Release: 10%{?dist} Patch1: gnutls-3.2.7-rpath.patch Patch2: gnutls-3.6.4-no-now-guile.patch Patch3: gnutls-3.6.5-fix-fips-signature-post.patch @@ -14,6 +14,7 @@ Patch11: gnutls-3.6.8-fips-rsa-random-selftests.patch Patch12: gnutls-3.6.8-decr-len.patch Patch13: gnutls-3.6.8-fix-aead-cipher-encryptv2.patch Patch14: gnutls-3.6.8-fix-cfb8-decrypt.patch +Patch15: gnutls-3.6.12-dtls-random.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -297,6 +298,9 @@ fi %endif %changelog +* Tue Apr 21 2020 Daiki Ueno - 3.6.8-10 +- Fix CVE-2020-11501 (#1826176) + * Wed Nov 6 2019 Daiki Ueno - 3.6.8-9 - Fix CFB8 decryption when repeatedly called (#1757848) - Fix gnutls_aead_cipher_{en,de}cryptv2 with input not multiple of block size (#1757856)