Comments

@cmorris afaik crypto-policies needs some update too, but the key format change doesn't affect the connecting scenarios (unless you are using client authentication), because it is only about private keys.

Infrastructure issue, maybe? I don't think this update has anything to do with that failure.

I'm afraid this liboqs package can only be used with openssl applications for now, as it has an implicit dependency on libcrypto functions:

nm -g /usr/lib/debug/usr/lib64/liboqs.so.0.12.0-0.12.0-1.fc40.x86_64.debug | grep '^[[:space:]]*U '
                 U __assert_fail@GLIBC_2.2.5
                 U CRYPTO_free

I guess we could use the native memory allocation functions by removing the defined(OQS_DLOPEN_OPENSSL) condition from the #if's in src/common/common.[ch].
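An added check, not code from the comment above or from the liboqs project: a small Python parser for `nm -g` output that groups a shared object's undefined symbols by the provider they imply, so an implicit libcrypto dependency like the one shown can be flagged automatically before a package is shipped. The sample output and the libcrypto prefix list are constructed assumptions, not captured from a real build.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `nm -g <lib> | grep ' U '` output, modelled on the
# comment above; not captured from an actual liboqs build.
SAMPLE_NM_OUTPUT = """\
                 U __assert_fail@GLIBC_2.2.5
                 U CRYPTO_free
                 U EVP_MD_fetch
                 U malloc@GLIBC_2.2.5
                 U memcpy@GLIBC_2.14
0000000000012340 T OQS_KEM_new
"""

# Assumption: common export prefixes of OpenSSL's libcrypto. Enough to flag
# the dependency, not an exhaustive list of the library's namespaces.
LIBCRYPTO_PREFIXES = ("CRYPTO_", "EVP_", "OPENSSL_", "RAND_", "ERR_", "BN_")

# Matches only undefined ("U") symbols; defined ones (T, D, ...) are skipped.
UNDEF_RE = re.compile(r"^\s*U\s+(\S+)$", re.MULTILINE)


def classify_undefined(nm_output):
    """Group undefined symbols by the library they imply (glibc/libcrypto/other)."""
    groups = defaultdict(list)
    for name in UNDEF_RE.findall(nm_output):
        # "memcpy@GLIBC_2.14" -> ("memcpy", "GLIBC_2.14"); unversioned -> ("CRYPTO_free",)
        parts = re.split(r"@+", name, maxsplit=1)
        base, version = parts[0], (parts[1] if len(parts) > 1 else "")
        if version.startswith("GLIBC"):
            groups["glibc"].append(base)
        elif base.startswith(LIBCRYPTO_PREFIXES):
            groups["libcrypto"].append(base)
        else:
            groups["other"].append(base)
    return dict(groups)


def needs_libcrypto(nm_output):
    """True if the object cannot be loaded without OpenSSL's libcrypto present."""
    return bool(classify_undefined(nm_output).get("libcrypto"))


def audit_library(path):
    """Run nm on a real shared object (requires binutils on the host)."""
    nm = subprocess.run(["nm", "-gD", path], capture_output=True, text=True, check=True)
    return classify_undefined(nm.stdout)
```

Run `audit_library("/usr/lib64/liboqs.so.0.12.0")` on a real system to check an installed build; a non-empty `libcrypto` group means the package is only usable alongside OpenSSL.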

@cmorris good catch, I can lower the liboqs requirement to enable PQC support in F41 as well, though it would also be ok to drop the gnutls build from this update, as it turned out that gnutls didn't use liboqs in F41 or earlier @dbelyavs.

BZ#2294905 CVE-2024-6387 openssh: Possible remote code execution due to a race condition in signal handling [fedora-39]
ueno commented & provided feedback on gnutls-3.8.2-1.fc38 a year ago

I wouldn't say https://gitlab.com/gnutls/gnutls/-/issues/1515 alone should be treated as a blocker, now that rawhide and F39 are updated to 3.8.2. We can include a fix in another iteration.

This update has been unpushed.

ueno commented & provided feedback on wine-7.9-1.fc35 3 years ago

This update fixes the CI issue in GnuTLS: https://gitlab.com/gnutls/gnutls/-/merge_requests/1594

BZ#2073650 wine-7.9 is available

@ckujau, if you are in doubt, try (temporarily) blacklisting the cross-signed "COMODO RSA Certification Authority" on the system and see if the connection fails as expected:

$ trust list # check the URL of the cross-signed certificate
$ trust dump --filter 'pkcs11:id=%BB%AF%7E%02%3D%FA%A6%F1%3C%84%8E%AD%EE%38%98%EC%D9%32%32%D4;type=cert' > comodo-rsa.p11-kit
$ sudo cp comodo-rsa.p11-kit /etc/pki/ca-trust/source/blacklist/
$ gnutls-cli host:443
[...]
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

@ckujau, no, the message is just misleading. The certificate is internally dropped from the input chain, and the cross-signed (non-expired) certificate is used from the system trust store. See the background of the fix: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352448705

I'll try to update the command output later.

Re-added ca-certificates with a versioned dependency on p11-kit.

@cmadams right, re-added ca-certificates with a versioned dependency on p11-kit. Thanks!

@cmadams, yes, that's why this update contains both ca-certificates and p11-kit. @pizzadude, that's interesting; maybe the flatpak runtime needs an updated p11-kit.

Anyway, I will drop ca-certificates from this update for now.

This seems to fix the false-positives we hit on the p11-kit CI: https://travis-ci.org/p11-glue/p11-kit/jobs/633789977#L1534

This update has been unpushed.

Given that the AVC denials are through rtkit, updating only nspr/nss packages shouldn't cause any new denials. So I am dropping firefox for now.