Bug 726886 - gnutls-2.12.23 is available
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: gnutls
Version: rawhide
Hardware: Unspecified
Priority: high; Severity: unspecified
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Whiteboard: RejectedBlocker
Keywords: FutureFeature, Triaged
Duplicates: 747396
Depends On: 837331
Blocks: FE-Legal
Reported: 2011-07-30 06:16 EDT by Upstream Release Monitoring
Modified: 2013-05-07 02:47 EDT

Doc Type: Enhancement
Last Closed: 2013-05-07 02:47:12 EDT
Description Upstream Release Monitoring 2011-07-30 06:16:06 EDT
Latest upstream release: 3.0.0
Current version in Fedora Rawhide: 2.12.7
URL: http://ftp.gnu.org/gnu/gnutls/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Comment 1 Tomas Mraz 2011-08-01 04:03:39 EDT
This will not be an easy update as:
1. it is ABI incompatible -> requires rebuilds of dependencies
2. it does not use libgcrypt as a crypto backend anymore - impacts the proliferation of crypto libraries in the distribution.
Comment 2 Upstream Release Monitoring 2011-08-21 06:16:19 EDT
Latest upstream release: 3.0.1
Current version in Fedora Rawhide: 2.12.8
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 3 Upstream Release Monitoring 2011-09-01 06:17:09 EDT
Latest upstream release: 3.0.2
Current version in Fedora Rawhide: 2.12.9
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 4 Upstream Release Monitoring 2011-09-19 06:19:13 EDT
Latest upstream release: 3.0.3
Current version in Fedora Rawhide: 2.12.9
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 5 Upstream Release Monitoring 2011-10-15 06:26:42 EDT
Latest upstream release: 3.0.4
Current version in Fedora Rawhide: 2.12.11
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 6 Tomas Mraz 2011-10-19 14:30:12 EDT
*** Bug 747396 has been marked as a duplicate of this bug. ***
Comment 7 Upstream Release Monitoring 2011-10-28 06:20:53 EDT
Latest upstream release: 3.0.5
Current version in Fedora Rawhide: 2.12.11
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 8 Upstream Release Monitoring 2011-11-08 06:20:50 EST
Latest upstream release: 3.0.7
Current version in Fedora Rawhide: 2.12.12
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 9 Upstream Release Monitoring 2011-11-14 06:20:05 EST
Latest upstream release: 3.0.8
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 10 Account closed by user 2011-12-09 14:43:36 EST
(In reply to comment #1)

> This will not be an easy update as:
> 1. it is ABI incompatible -> requires rebuilds of dependencies
> 2. it does not use libgcrypt as a crypto backend anymore - impacts the
> proliferation of crypto libraries in the distribution.

API changes/compatibility test results for the GnuTLS library

  http://upstream-tracker.org/versions/gnutls.html
Comment 11 Upstream Release Monitoring 2011-12-14 06:17:24 EST
Latest upstream release: 3.0.9
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 12 Upstream Release Monitoring 2012-01-13 06:20:16 EST
Latest upstream release: 3.0.11
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 13 Upstream Release Monitoring 2012-01-21 06:17:21 EST
Latest upstream release: 3.0.12
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 14 Upstream Release Monitoring 2012-02-19 08:06:19 EST
Latest upstream release: 3.0.13
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 15 Upstream Release Monitoring 2012-02-27 06:19:32 EST
Latest upstream release: 3.0.14
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 16 Upstream Release Monitoring 2012-03-13 15:00:33 EDT
Latest upstream release: 3.0.15
Current version in Fedora Rawhide: 2.12.17
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 17 Upstream Release Monitoring 2012-03-18 13:21:00 EDT
Latest upstream release: 3.0.17
Current version in Fedora Rawhide: 2.12.17
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 18 Upstream Release Monitoring 2012-04-03 06:21:37 EDT
Latest upstream release: 3.0.18
Current version in Fedora Rawhide: 2.12.18
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 19 Upstream Release Monitoring 2012-04-23 06:18:51 EDT
Latest upstream release: 3.0.19
Current version in Fedora Rawhide: 2.12.18
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 20 Upstream Release Monitoring 2012-06-05 16:32:34 EDT
Latest upstream release: 3.0.20
Current version in Fedora Rawhide: 2.12.19
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 21 David Woodhouse 2012-06-10 06:08:30 EDT
Eep, Fedora 17 shipped and is *still* stuck on GnuTLS 2.12. I've ported the OpenConnect VPN client to GnuTLS to solve KDE licensing issues with OpenSSL, and it requires DTLS support...

I understand why it was non-trivial to update in an existing release, but we really ought to have worked it out by now, surely?

Has the feedback in comment #1 been given to the GnuTLS maintainers, and has anything been done to attempt to resolve the issue?
Comment 22 Account closed by user 2012-06-10 07:25:27 EDT
Version 2.12.20 (released 2012-06-10)

** libgnutls: Fixed memory leak in PKCS #8 key import.

** libgnutls: Check key identifiers when checking for an issuer.

** API and ABI modifications:
No changes since last version.
Comment 23 David Woodhouse 2012-06-10 21:19:13 EDT
With GnuTLS we can't even
Comment 24 Tomas Mraz 2012-06-11 02:30:58 EDT
I'm sorry David, but I do not plan to update to 3.0.20 any time soon. Definitely not earlier than after F18 branching. The problem with 3.0.20 is the drop of the libgcrypt backend and the basically unconditional inclusion of Elliptic Curve support, which we cannot ship due to ECC being a patent minefield.
Comment 25 David Woodhouse 2012-06-11 06:13:33 EDT
GnuTLS 3.0 has been out for almost a year now. Can you point me to any discussion that has been had with the upstream maintainers about these issues?

I note that in duplicate bug #747396, last October, the response was 'not before F17'. Now the response, even this early in the cycle, is 'not before F18'.

If we check back in another 6 months, will it have changed to 'not before F19'?
Comment 26 David Woodhouse 2012-06-12 03:26:46 EDT
I asked the maintainer about this, and received the following response:

> I think their policy on elliptic curves is outdated. IETF has
> published the ecc fundamental parts that are not known to be covered
> by patents in [0] and these are the parts we use in gnutls. In any
> case it is their policy. It is doable though to isolate the elliptic
> curves  parts but it is not trivial work and I have no plans to do it
> unless there is a real reason.
> 
> regards,
> Nikos
> 
> [0]. http://www.rfc-editor.org/rfc/rfc6090.txt

Has this been referred to the legal team for an opinion?
Comment 27 David Woodhouse 2012-06-18 06:25:28 EDT
For now I've managed to work around most of the limitations of GnuTLS 2.12, and even enable PKCS#11 and TPM support in the OpenConnect VPN client in Fedora. It's not pretty, but it builds and is *almost* fully functional.

The one thing that's still broken with our ancient version of GnuTLS is filed as bug 832729. Because the get_issuer() function returns incorrect results, we sometimes fail to authenticate against the server.

Valgrind also shows some memory leaks which don't exist with GnuTLS 3.0.
Comment 28 David Woodhouse 2012-06-18 12:18:56 EDT
There's an updated specfile for nettle 2.4 at http://david.woodhou.se/nettle.spec which I'm now using for my local OpenConnect builds with GnuTLS 3.0
Comment 29 David Woodhouse 2012-06-19 19:15:48 EDT
And a gnutls specfile based on the current Fedora master at 2.12.19-1 (commit a201b9b4): http://david.woodhou.se/gnutls.spec

I didn't bother to rip out SRP; it really does look like the noise about SRP patents was just FUD, and it doesn't seem to have been repeated in the last few years. If we were going to rip stuff out based on such dubious rumours of patents, then we should take Ogg out too because of the nonsense the MPEG-LA are spouting about it infringing MP3 patents.
Comment 30 Upstream Release Monitoring 2012-07-03 06:12:54 EDT
Latest upstream release: 3.0.21
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 31 David Woodhouse 2012-07-03 10:06:00 EDT
(In reply to comment #26)
> I asked the maintainer about this, and received the following response:
> 
> > I think their policy on elliptic curves is outdated. IETF has
> > published the ecc fundamental parts that are not known to be covered
> > by patents in [0] and these are the parts we use in gnutls. In any
> > case it is their policy. It is doable though to isolate the elliptic
> > curves  parts but it is not trivial work and I have no plans to do it
> > unless there is a real reason.
> > 
> > regards,
> > Nikos
> > 
> > [0]. http://www.rfc-editor.org/rfc/rfc6090.txt
> 
> Has this been referred to the legal team for an opinion?

I've just had another look at RFC6090. It seems to have been published with the *express* intention of documenting the fundamental parts of ECC, using normative references published no later than 1994 (i.e. which cannot possibly be covered by non-expired patents). It even goes so far as to define MAY/SHOULD/MUST/etc. for itself rather than referring to RFC2119 for their definitions, because RFC2119 was published after 1994 ☺

The concern about patents on elliptic curve cryptography, at least as implemented in GnuTLS, definitely seems to be unfounded.
Comment 32 David Woodhouse 2012-07-03 10:23:21 EDT
Tomas, I'm happy to comaintain this package and push a v3 update for Fedora 18 if you are willing.
Comment 33 David Woodhouse 2012-07-03 11:33:24 EDT
http://david.woodhou.se/gnutls.spec updated to 3.0.21.
Comment 34 David Woodhouse 2012-07-06 03:14:00 EDT
Scratch build (now that nettle is back in the distro) at http://koji.fedoraproject.org/koji/taskinfo?taskID=4222205
Comment 35 Tomas Mraz 2012-07-09 04:37:59 EDT
I am sorry, but I really do not want this update before Fedora 18 release. And the inclusion of the ECC code in Fedora must be acked by Fedora legal. Even the scratch build is not OK in this regard.
Comment 36 Kalev Lember 2012-07-28 06:55:46 EDT
It might make sense to create parallel installable gnutls 3 / gnutls 2 packages to avoid requiring a rebuild of all the gnutls packages. Though this could lead to hard-to-diagnose problems when both gnutls 3 and gnutls 2 somehow get pulled into the same process.

However, there's still the issue with ECC code requiring Fedora Legal approval.
Comment 37 Adam Williamson 2012-08-03 19:40:51 EDT
Discussed at the blocker bug review meeting of 2012-08-03: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-08-03/f18-alpha-blocker-review-1.2012-08-03-17.01.log.html .

Rejected as a blocker on the grounds that it does not appear to violate any release criteria, this is merely an engineering/packaging issue. Just because you _want_ something to be sorted out by a given deadline doesn't mean it _must_ be sorted out by that point. We don't violate any of our Alpha criteria by shipping Alpha with an older gnutls.

Please re-propose if there are genuine grounds for this blocking Alpha release that we missed, with reference to the criteria: https://fedoraproject.org/wiki/Fedora_18_Alpha_Release_Criteria
Comment 38 Upstream Release Monitoring 2012-08-05 05:28:43 EDT
Latest upstream release: 3.0.22
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 39 Upstream Release Monitoring 2012-08-16 07:23:50 EDT
Latest upstream release: 3.1.0
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 40 Upstream Release Monitoring 2012-09-02 15:18:19 EDT
Latest upstream release: 3.1.1
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 41 Upstream Release Monitoring 2012-09-27 03:10:09 EDT
Latest upstream release: 3.1.2
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 42 Upstream Release Monitoring 2012-10-12 13:23:32 EDT
Latest upstream release: 3.1.3
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 43 Upstream Release Monitoring 2012-11-12 09:46:03 EST
Latest upstream release: 3.1.4
Current version in Fedora Rawhide: 2.12.21
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 44 Upstream Release Monitoring 2012-11-25 12:10:18 EST
Latest upstream release: 3.1.5
Current version in Fedora Rawhide: 2.12.21
URL: http://ftp.gnu.org/gnu/gnutls/

Comment 45 Account closed by user 2012-12-07 12:05:18 EST
ping! Fedora 19 is open.
Comment 46 Dan Winship 2013-02-04 08:01:29 EST
gnutls 2.12 is being end-of-lifed, so soon there won't be any more security fixes to it...

http://lists.gnupg.org/pipermail/gnutls-devel/2013-February/006086.html
Comment 47 Tomas Mraz 2013-02-04 08:12:54 EST
I'm currently working on gnutls-3.1 for Fedora 19. I hope to complete it before the mass rebuild.
Comment 48 Account closed by user 2013-02-04 08:15:25 EST
Latest upstream release: 2.12.23
Current version in Fedora Rawhide: 2.12.22
URL: ftp://ftp.gnutls.org/gcrypt/gnutls/v2.12/



Version 2.12.23 (released 2012-02-04)

** libgnutls: Eliminated memory leak in PKCS #11 initialization.
Report and fix by Sam Varshavchik.

** libgnutls: Fixes in record padding parsing to prevent a timing attack. 
Issue reported by Kenny Patterson and Nadhem Alfardan.

** libgnutls: DN variable 'T' was expanded to 'title'.

** API and ABI modifications:
No changes since last version.
Comment 49 Upstream Release Monitoring 2013-02-05 04:40:05 EST
Latest upstream release: 2.12.23
Current version in Fedora Rawhide: 2.12.22
URL: ftp://ftp.gnutls.org/gcrypt/gnutls/v2.12/

Comment 50 Tomas Mraz 2013-05-07 02:47:12 EDT
Rawhide now contains 3.1.10.
