From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Feb 4 14:20:05 2013
Delivered-To: freebsd-ports-bugs@smarthost.ysv.freebsd.org
Resent-Date: Mon, 4 Feb 2013 14:20:03 GMT
Resent-Message-Id: <201302041420.r14EK3od068298@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Phil Pennock
Message-Id: <201302041412.r14ECVgL067202@red.freebsd.org>
Date: Mon, 4 Feb 2013 14:12:31 GMT
From: Phil Pennock
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: ports/175831: [SECURITY] security/gnutls security update (2.12.23)
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Ports bug reports
X-List-Received-Date: Mon, 04 Feb 2013 14:20:05 -0000

>Number: 175831
>Category: ports
>Synopsis: [SECURITY] security/gnutls security update (2.12.23)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Feb 04 14:20:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Phil Pennock
>Release: n/a
>Organization: Apcera, Inc.
>Environment:
n/a
>Description:
Announcements on the GnuTLS mailing-lists for releases 2.12.23, 3.0.28 and
3.1.7 of GnuTLS include this item in the list of changes:

  ** libgnutls: Fixes in record padding parsing to prevent a timing attack.
  Issue reported by Kenny Patterson and Nadhem Alfardan.

The change diff shows that it's an attack against CBC modes.

The patches in Ports adjust the library version numbers, which suggest that
it's unsafe to just override Ports current version and install anyway, as
we'll end up with library .so version discrepancies, so this one needs an
update from the Port maintainer.
>How-To-Repeat:
Subscribe to GnuTLS mailing-lists, see announcements, pay attention when
reading them.
>Fix:
Upgrade to latest release on branch.

Also: gnutls-devel is "2.99.4" which is ... rather dated. That should
probably be on either the 3.0 or 3.1 branch.
>Release-Note:
>Audit-Trail:
>Unformatted: