Subject: [bug#66195] [PATCH] gnu: gnutls: Replace with 3.8.1.
To: 66195@debbugs.gnu.org
From: Christopher Baines
Date: Mon, 25 Sep 2023 20:06:51 +0100
Message-ID: <4f21f3a5aba2851c7b943c283f5f6a21b93444eb.1695668811.git.mail@cbaines.net>

The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to upgrade to 3.8.0 or later.

* gnu/packages/tls.scm (gnutls-3.8.1): New variable.
(gnutls)[replacement]: Use it.
--- gnu/packages/tls.scm | 15 +++++++++++++++ 1 file changed, 15 insertions(+) base-commit: fafd3caef0d51811a5da81d6061789e2908b0dac diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index b669ac2e8d..99252464e6 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -200,6 +200,7 @@ (define-public gnutls (package (name "gnutls") (version "3.7.7") + (replacement gnutls-3.8.1) (source (origin (method url-fetch) ;; Note: Releases are no longer on ftp.gnu.org since the 
@@ -303,6 +304,20 @@ (define-public gnutls (define-deprecated/public-alias gnutls-latest gnutls) +(define-public gnutls-3.8.1 + (package + (inherit gnutls) + (version "3.8.1") + (source (origin + (method url-fetch) + (uri (string-append "mirror://gnupg/gnutls/v" + (version-major+minor version) + "/gnutls-" version ".tar.xz")) + (patches (search-patches "gnutls-skip-trust-store-test.patch")) + (sha256 + (base32 + "1742jiigwsfhx7nj5rz7dwqr8d46npsph6b68j7siar0mqarx2xs")))))) + (define-public gnutls/dane ;; GnuTLS with build libgnutls-dane, implementing DNS-based ;; Authentication of Named Entities. This is required for GNS functionality
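Review bot: The `(replacement gnutls-3.8.1)` line added under `(version "3.7.7")` in the first hunk grafts across a minor-version bump (3.7.7 to 3.8.1), and a graft only rewrites references in already-built dependents, so it is sound only if 3.8.1 is binary-compatible with 3.7.7. Neither the hunk nor the commit message says this was checked; consider stating in the commit message how compatibility was confirmed, for example that the library soname is unchanged and that a dependent's test suite passes against the grafted package.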
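Review bot: The new `gnutls-3.8.1` definition in the second hunk has no comment saying it exists only as the graft target for the security fix named in the commit message. A short comment above `(define-public gnutls-3.8.1` naming the advisory would tell whoever next upgrades `gnutls` that this variable and the `replacement` field can be dropped together. The origin also reuses `gnutls-skip-trust-store-test.patch` on the 3.8.1 tarball, so it is worth confirming in the submission that the patch still applies cleanly to that release.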