DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:date:message-id:from:subject:to
	:mime-version:content-type:content-transfer-encoding; q=dns; s=
	default; b=Itthd3NiL4/5wd7FDd+uAgCYkrhc7apnNnKoTYiUVUVwZHfRuIB2x
	v9OR6vDwxTZm3Dmzk9mZQYp3F756iHSOaAxvS5R7OPimu/LCP9RH0MqNhtFuo0jP
	Q+P7nm4OcseNKxP3g+jFRUBTCpmI/bKcpoer1DprzBKhAzeKuw0cnE=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Reply-To: cygwin AT cygwin DOT com
Date: Thu, 20 Nov 2014 12:07:51 +0100
Message-Id: <announce.87mw7mf7ug.fsf@leila.volkerzell.de>
From: "Dr. Volker Zell" <dr DOT volker DOT zell AT oracle DOT com>
Subject: [ANNOUNCEMENT] Updated: {gnutls/libgnutls28/gnutls-devel/gnutls-doc/gnutls-guile}-3.2.20-1: Library implementing TLS 1.0 and SSL 3.0 protocols
To: cygwin AT cygwin DOT com
MIME-version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Hi

New versions of 'gnutls/libgnutls28/gnutls-devel/gnutls-doc/gnutls-guile' have been uploaded to a server near you.

 o Update to latest upstream version
 o Build for cygwin 1.7.33 with gcc-4.8.3


gnutls NEWS:
============
  
* Version 3.2.20 (released 2014-11-10)

** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.

** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].

** API and ABI modifications:
No changes since last version.


* Version 3.2.19 (released 2014-10-13)

** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.

** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.

** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.

** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.

** guile: new 'set-session-server-name!' procedure; see the manual for
details.

** API and ABI modifications:
No changes since last version.


* Version 3.2.18 (released 2014-09-18)

** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid. Reported by Armin Burgmeier.

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from
Codenomicon.

** API and ABI modifications:
No changes since last version.


* Version 3.2.17 (released 2014-08-24)

** libgnutls: initialize parameters variable on PKCS #8 decryption.

** libgnutls: Explicitly set the exponent in PKCS #11 key generation.
That improves compatibility with certain PKCS #11 modules. Contributed by
Wolfgang Meyer zu Bergsten.

** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
algorithms.

** libgnutls: when checking the hostname of a certificate with multiple CNs
ensure that the "most specific" CN is being used.

** libgnutls: In DTLS ignore only errors that relate to unexpected packets
and decryption failures.

** API and ABI modifications:
No changes since last version.


* Version 3.2.16 (released 2014-07-23)

** libgnutls: Do not call the post client hello callback twice when resuming
using session tickets.

** libgnutls: When the decoding of a printable DN element fails, then treat
it as unknown and print its hex value rather than failing. That works around
an issue in a TURKTRST root certificate which improperly encodes the
X520countryName element.

** libgnutls: IP addresses are printed using inet_ntop() when available.

** libgnutls: gnutls_x509_crt_check_hostname will also check IP addresses
and match documented behavior. Reported by David Woodhouse.

** libgnutls: Fixed PKCS #11 ECDSA key generation.

** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set.

** p11tool: will not implicitly enable so-login for certain types of
objects. That avoids issues with tokens that require different login
types.

** API and ABI modifications:
No changes since last version.


* Version 3.2.15 (released 2014-05-30)

** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.

** libgnutls: Several memory leaks caused by error conditions were
fixed. The leaks were identified using valgrind and the Codenomicon
TLS test suite.

** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.

** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.

** gnutls-cli: if dane is requested but not PKIX verification, then
only do verify the end certificate.

** ocsptool: Include path in ocsp request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.

** API and ABI modifications:
No changes since last version.


* Version 3.2.14 (released 2014-05-06)

** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.

** libgnutls: Fixed issue in the RSA-PSK key exchange, which would 
result to illegal memory access if a server hint was provided.

** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.

** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.

** libgnutls: Several small bug fixes found by coverity.

** libgnutls-dane: Accept a certificate using DANE if there is at least one 
entry that matches the certificate. Patch by simon [at] arlott.org.

** configure: Added --with-nettle-mini option, which allows linking
with a libnettle that contains gmp.

** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.

** API and ABI modifications:
No changes since last version.


* Version 3.2.13 (released 2014-04-07)

** libgnutls: gnutls_openpgp_keyring_import will no longer fail silently
if there are no base64 data. Report and patch by Ramkumar Chinchani.

** libgnutls: gnutls_record_send is now safe to be called under DTLS when
in corked mode.

** libgnutls: Ciphersuites that use the SHA256 or SHA384 MACs are
only available in TLS 1.0 as SSL 3.0 doesn't specify parameters for
these algorithms.

** libgnutls: Changed the behaviour in wildcard acceptance in certificates.
Wildcards are only accepted when there are more than two domain components
after the wildcard. This drops support for the permissive RFC2818 wildcards
and adds more conservative support based on the suggestions in RFC6125. Suggested 
by Jeffrey Walton.

** certtool: When no password is provided to export a PKCS #8 keys, do
not encrypt by default. This reverts to the certtool behavior of gnutls
3.0. The previous behavior of encrypting using an empty password can be
replicating using the new parameter --empty-password.

** p11tool: Avoid dual initialization of the PKCS #11 subsystem when
the --provider option is given.

** API and ABI modifications:
No changes since last version.


* Version 3.2.12.1 (released 2014-03-04)

** libgnutls: Reverted change that broke ABI. Reported by Andreas Metzler.

** API and ABI modifications:
No changes since last version.


* Version 3.2.12 (released 2014-03-03)

** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)

** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
when provided with invalid data. Reported by Dmitriy Anisimkov.

** libgnutls: Corrected timeout issue in subsequent to the first
DTLS handshakes.

** libgnutls: Removed unconditional not-trusted message in 
gnutls_certificate_verification_status_print() when used with
OpenPGP certificates. Reported by Michel Briand.

** libgnutls: All ciphersuites that were available in TLS1.0 or
later are now made available in SSL3.0 or later to prevent
any incompatibilities with servers that negotiate them in SSL 3.0.

** ocsptool: When verifying a response and a signer isn't provided
assume that the signer is the issuer.

** ocsptool: When sending a nonce, verify that the nonce exists
in the OCSP response.

** gnutls-cli: Added --strict-tofu option; contributed by Jens
Lechtenboerger.

** API and ABI modifications:
No changes since last version.


* Version 3.2.11 (released 2014-02-13)

** libgnutls: Tolerate servers that send the SUPPORTED ECC extension.

** libgnutls: Reduced the TLS and DTLS version requirements for all
ciphersuites that are not GCM.

** libgnutls: When two initial keywords are specified then treat the
second as having the '+' modifier.

** libgnutls:  When using a PKCS #11 module for verification ensure that
it has been marked a trusted policy module in p11-kit. Moreover, when an
empty (i.e., "pkcs11:") URL is specified, then try all trusted modules
in the system for verification.
http://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html

** libgnutls: Fixed bug that prevented the rejection of v1 intermediate
CA certificates. Reported and investigated by Suman Jana.

** certtool: Added the --ask-pass option.

** API and ABI modifications:
GNUTLS_PKCS11_TOKEN_TRUSTED: Added
GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE: Added


* Version 3.2.10 (released 2014-01-31)

** libgnutls: fixed null pointer derefence when printing a certificate
DN and an LDAP description isn't present.

** libgnutls: When obtaining usage statistics for the random generator
use system calls outside the mutex locks to prevent them from becoming bottleneck.

** libgnutls: gnutls_db_check_entry_time will correctly report the time;
report and patch by Jonathan Roudiere.

** API and ABI modifications:
gnutls_x509_policy_release: Exported
gnutls_pubkey_set_key_usage: Exported
gnutls_x509_privkey_import_rsa_raw2: Exported
gnutls_pkcs11_token_get_flags: Exported
gnutls_pubkey_get_pk_ecc_x962: Exported
gnutls_pubkey_import_ecc_x962: Exported
gnutls_rnd_refresh: Exported
gnutls_mac_get_nonce_size: Exported
gnutls_x509_crl_get_raw_issuer_dn: Exported
gnutls_certificate_get_crt_raw: Exported
gnutls_db_get_default_cache_expiration: Added


* Version 3.2.9 (released 2014-01-24)

** libgnutls: The %DUMBFW option in priority string only
appends data to client hello if the expected size is in the
"black hole" range.

** libgnutls: %COMPAT implies %DUMBFW.

** libgnutls: gnutls_session_get_desc() returns a more compact
ciphersuite description.

* libgnutls: In PKCS #11 allow deleting multiple non-certificate data.

** libgnutls: When a PKCS #11 trust store is specified (e.g. using the
configure option --with-default-trust-store-pkcs11), then the PKCS #11
token is used on demand to obtain the trusted anchors, rather than
preloading all trusted certificates. That delegates CA certificate management
and blacklist checking to the PKCS #11 module.

** libgnutls: When a PKCS #11 trust store is specified in configure option
or in gnutls_x509_trust_list_add_trust_file(), then the module is used
to obtain the verification anchors and any required blacklists as in
http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html

** libgnutls: Fix in OCSP certificate status extension handling
in non-blocking servers. Patch by Nils Maier.

** p11tool: Added --so-login option to force login as security
officer (admin).

** API and ABI modifications:
No changes since last version.


* Version 3.2.8 (released 2013-12-20)

** libgnutls: Updated code for AES-NI. That prevents an uninitialized
variable complaint from valgrind.

** libgnutls: Enforce a maximum size for DH primes.

** libgnutls: Added SSSE3 optimized SHA1, and SHA256, using Andy Polyakov's 
code.

** libgnutls: Added SSSE3 optimized AES using Mike Hamburg's code.

** libgnutls: It only links to librt if the required functions are
not present in libc. This also prevents an indirect linking to libpthread.

** libgnutls: Fixed issue with gnulib strerror replacement by adding
the strerror gnulib module.

** libgnutls: The time provided in the TLS random values is only precise
on its first 3 bytes. That prevents leakage of the precise system
time (at least on the client side when only few connections are
done on a single server).

** certtool: The --verify option will use the system CAs if the
load-ca-certificate option is not provided.

** configure: Added option --with-default-blacklist-file to allow
specifying a certificate blacklist file.

** configure: Added --disable-non-suiteb-curves option. This option
restricts the supported curves to SuiteB curves.

** API and ABI modifications:
gnutls_record_check_corked: Added


* Version 3.2.7 (released 2013-11-23)

** libgnutls: gnutls_cipher_get_iv_size() now returns the correct IV size in
GCM ciphers (previously it returned the implicit IV used in TLS).

** libgnutls: gnutls_certificate_set_x509_key_file() et al when provided
with a PKCS #11 URL pointing to a certificate, will attempt to load the whole 
chain.

** libgnutls: When traversing PKCS #11 tokens looking for an object, avoid
looking in unrelated to the object tokens.

** libgnutls: Added an experimental %DUMBFW option in priority strings. This 
avoids a black hole behavior in some firewalls by sending a large client hello. 
See http://www.ietf.org/mail-archive/web/tls/current/msg10423.html

** libgnutls: The GNUTLS_DEBUG_LEVEL variable if set to a log level number
will force output of debug messages to stderr.

** libgnutls: Fixed the setting of the ciphersuite when gnutls_premaster_set() 
is used with another protocol than the GNUTLS_DTLS0_9 protocol.

** libgnutls: gnutls_x509_crt_set_expiration_time() will set the no well defined
expiration date when (time_t)-1 is specified as date.

** libgnutls: Session tickets are encrypted using AES-GCM.

** libgnutls: Corrected issue in record decompression. Issue pinpointed
by Frank Zschockel.

** libgnutls: Forbid all compression methods in DTLS.

** gnutls-serv: Fixed issue with IPv6 address in UDP mode.

** certtool: When exporting an encrypted PEM private key do not output the key
parameters.

** certtool: Expiration days template option allows for a -1 value which
will set to the no well defined expiration date (RFC5280), and no longer
chokes on integer overflows. Suggested by Stefan Buehler.

** certtool: Added new template options: 'activation_date', and
'expiration_date'.

** tools: The environment variable GNUTLS_PIN can be used to read any PIN
requested from tokens.

** tools: The installed version of libopts is used if the autogen tool is
present.

** API and ABI modifications:
gnutls_pkcs11_obj_export3: Added
gnutls_pkcs11_get_raw_issuer: Added
gnutls_est_record_overhead_size: Exported


* Version 3.2.6 (released 2013-10-31)

** libgnutls: Support for TPM via trousers is now enabled by default.

** libgnutls: Camellia in GCM mode has been added in default priorities, and
GCM mode is prioritized over CBC in all of the default priority strings.

** libgnutls: Added ciphersuite GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384.

** libgnutls: Fixed ciphersuites GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384,
GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 and GNUTLS_PSK_CAMELLIA_128_GCM_SHA256. 
Reported by Stefan Buehler.

** libgnutls: Added support for ISO OID for RSA-SHA1 signatures.

** libgnutls: Minimum acceptable DH group parameters were increased to 767
bits from 727.

** libgnutls: Added function to obtain random data from PKCS #11 tokens.
Contributed by Wolfgang Meyer zu Bergsten.

** gnulib: updated.

** libdane: Fixed a one-off bug in dane_query_tlsa() introduced by the
previous fix. Reported by Tomas Mraz.

** p11tool: Added option generate-random.

** API and ABI modifications:
gnutls_pkcs11_token_get_random: Added


* Version 3.2.5 (released 2013-10-23)

** libgnutls: Documentation and build-time fixes.

** libgnutls: Allow the generation of DH groups of less than 700 bits.

** libgnutls: Added several combinations of ciphersuites with SHA256 and SHA384 as MAC,
as well as Camellia with GCM.

** libdane: Added interfaces to allow initialization of dane_query_t from
external DNS resolutions, and to allow direct verification of a certificate
chain against a dane_query_t. Contributed by Christian Grothoff.

** libdane: Fixed a buffer overflow in dane_query_tlsa(). This could be
triggered by a DNS server supplying more than 4 DANE records. Report and fix
by Christian Grothoff.

** srptool: Fixed index command line option. Patch by Attila Molnar.

** gnutls-cli: Added support for inline commands, using the
--inline-commands-prefix and --inline-commands options. Patch by Raj Raman.	

** certtool: pathlen constraint is now read correctly. Reported by
Christoph Seitz.

** API and ABI modifications:
gnutls_certificate_get_crt_raw: Added
dane_verify_crt_raw: Added
dane_raw_tlsa: Added


CYGWIN-ANNOUNCE UNSUBSCRIBE INFO
================================


If you want to unsubscribe from the cygwin-announce mailing list, please
use the automated form at:


http://cygwin.com/lists.html#subscribe-unsubscribe

If this does not work, then look at the "List-Unsubscribe: " tag in the
email header of this message.  Send email to the address specified
there.  It will be in the format:


cygwin-announce-unsubscribe-you=yourdomain.com <at> cygwin.com

If you need more information on unsubscribing, start reading here:

http://sourceware.org/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at this URL.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple