author: Adam Weinberger <adamw@FreeBSD.org> 2020-09-04 02:20:42 +0000
committer: Adam Weinberger <adamw@FreeBSD.org> 2020-09-04 02:20:42 +0000
commit: 127f603f0c41ecbaa740533a5b4eaa80b31e4b67
tree: 73db6e78464b4cdb8f902140f6f112764e576bec
parent: f1362cbd80ea06493ff2efd4203cffde7e10c2d3
MFH: r541749 r546681 r547499

Approved by: portmgr (with hat)

gnupg: Update to 2.2.21

* gpg: Improve symmetric decryption speed by about 25%. See commit 144b95cc9d.
* gpg: Support decryption of AEAD encrypted data packets.
* gpg: Add option --no-include-key-block. [#4856]
* gpg: Allow for extra padding in ECDH. [#4908]
* gpg: Only a single pinentry is shown for symmetric encryption if the pinentry supports this. [#4971]
* gpg: Print a note if no keys are given to --delete-key. [#4959]
* gpg,gpgsm: The ridiculous passphrase quality bar is not anymore shown. [#2103]
* gpgsm: Certificates without a CRL distribution point are now considered valid without looking up a CRL. The new option --enable-issuer-based-crl-check can be used to revert to the former behaviour.
* gpgsm: Support rsaPSS signature verification. [#4538]
* gpgsm: Unless CRL checking is disabled lookup a missing issuer certificate using the certificate's authorityInfoAccess. [#4898]
* gpgsm: Print the certificate's serial number also in decimal notation.
* gpgsm: Fix possible NULL-deref in messages of --gen-key. [#4895]
* scd: Support the CardOS 5 based D-Trust Card 3.1.
* dirmngr: Allow http URLs with "LOOKUP --url".
* wkd: Take name of sendmail from configure. Fixes an OpenBSD specific bug. [#4886]

Release-info: https://dev.gnupg.org/T4897

security/gnupg: Update to 2.2.22

Also, sort plist. The new gpgsplit binary is getting installed as gpgsplit2 to avoid a conflict with security/gnupg1.

Noteworthy changes in version 2.2.22
====================================

* gpg: Change the default key algorithm to rsa3072.
* gpg: Add regular expression support for Trust Signatures on all platforms. [#4843]
* gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat option. [#4991]
* gpg: Ignore --personal-digest-prefs for ECDSA keys. [#5021]
* gpgsm: Make rsaPSS a de-vs compliant scheme.
* gpgsm: Show also the SHA256 fingerprint in key listings.
* gpgsm: Do not require a default keyring for --gpgconf-list. [#4867]
* gpg-agent: Default to extended key format and record the creation time of keys. Add new option --disable-extended-key-format.
* gpg-agent: Support the WAYLAND_DISPLAY envvar. [#5016]
* gpg-agent: Allow using --gpgconf-list even if HOME does not exist. [#4866]
* gpg-agent: Make the Pinentry work even if the envvar TERM is set to the empty string. [#4137]
* scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly incremented the error counter when using the "verify" command of "gpg --edit-key" with only the signature key being present.
* dirmngr: Better handle systems with disabled IPv6. [#4977]
* gpgsplit: Install tool. It was not installed in the past to avoid conflicts with the version installed by GnuPG 1.4. [#5023] (We're installing it as gpgsplit2 to avoid conflict with security/gnupg1)
* gpgtar: Handle Unicode file names on Windows correctly (requires libgpg-error 1.39). [#4083]
* gpgtar: Make --files-from and --null work as documented. [#5027]
* Build the Windows installer with the new Ntbtls 0.2.0 so that TLS connections succeed for servers demanding GCM.

Release-info: https://dev.gnupg.org/T5030

security/gnupg: Update to 2.2.23

Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker and thus trigger this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04.

Software distribution verification should not be affected by this bug because such a system uses a curated list of keys.

Security: CVE-2020-25125
Notes: svn path=/branches/2020Q3/; revision=547501
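The 2.2.23 advisory text in the commit message says the overflow is reached by importing a key that carries a preference list for AEAD algorithms, and that curated-key setups are safe only because they never import arbitrary keys. As an added example (not code from GnuPG or from the FreeBSD ports tree), here is a small pre-import triage script that walks an OpenPGP key block, decodes the packet and signature-subpacket framing of RFC 4880, and reports every signature carrying that preference list, so that keys from an untrusted source can be screened before they reach a GnuPG older than 2.2.23. Two things are assumptions, since the page gives neither: the subpacket type number for "Preferred AEAD Algorithms" (34, from the rfc4880bis draft that GnuPG 2.2 implements), and the sample key blocks, which are constructed by hand and are not real keys.

```python
"""Pre-import triage: flag Preferred-AEAD-Algorithms subpackets in an OpenPGP key block.

Added example; not GnuPG or FreeBSD ports code. Assumptions: subpacket type 34 is
"Preferred AEAD Algorithms" (rfc4880bis draft), and the sample key blocks are
constructed, not real. Framing follows RFC 4880 sections 4.2 and 5.2.3.1.
"""
import struct
import sys

SIG_PACKET = 2          # RFC 4880 packet tag: Signature
PREF_AEAD_SUBPKT = 34   # assumed: Preferred AEAD Algorithms subpacket type


def _body_len(buf, i, subpacket):
    """Decode a new-format packet length or a subpacket length at buf[i].

    Returns (length, offset_after_length). Subpackets use 255 for the 5-octet
    form; packets use 224..254 for partial bodies, which exported keys never have.
    """
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body length at offset %d not supported" % i)


def iter_packets(data):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header byte at offset %d" % i)
        if ctb & 0x40:                          # new format: tag in low 6 bits
            tag = ctb & 0x3F
            length, i = _body_len(data, i + 1, subpacket=False)
        else:                                   # old format: tag in bits 2..5
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + nbytes], "big")
            i += 1 + nbytes
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        i += length
        yield tag, body


def iter_subpackets(area):
    """Yield (type, body) for each subpacket of a hashed or unhashed area."""
    i = 0
    while i < len(area):
        length, i = _body_len(area, i, subpacket=True)
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        sub_type = area[i] & 0x7F               # high bit is the 'critical' flag
        yield sub_type, area[i + 1:i + length]
        i += length


def signature_subpackets(body):
    """Return all (type, body) subpackets of a v4 signature packet body."""
    if body[0] != 4:
        return []                               # v3 signatures carry no subpackets
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    off = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
    unhashed = body[off + 2:off + 2 + unhashed_len]
    return list(iter_subpackets(hashed)) + list(iter_subpackets(unhashed))


def find_aead_prefs(keyblock):
    """Return [(packet_index, [algo ids])] for every AEAD-preference subpacket."""
    hits = []
    for idx, (tag, body) in enumerate(iter_packets(keyblock)):
        if tag != SIG_PACKET:
            continue
        for sub_type, sub_body in signature_subpackets(body):
            if sub_type == PREF_AEAD_SUBPKT:
                hits.append((idx, list(sub_body)))
    return hits


# --- constructed sample key blocks (hand-built, not real keys) -----------------
def _subpkt(sub_type, body):
    return bytes([len(body) + 1, sub_type]) + body      # 1-octet length form

def _sig_packet(subpkts):
    hashed = b"".join(subpkts)
    body = (bytes([4, 0x13, 1, 8])                      # v4, positive cert, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0)                      # empty unhashed area
            + b"\x00\x00" + b"\x00\x01\x01")            # left16 + dummy 1-bit MPI
    return bytes([0x88, len(body)]) + body              # old-format header, tag 2

_PK_BODY = b"\x04" + struct.pack(">I", 1599184354) + b"\x01" + b"\x00\x09\x01\x00" + b"\x00\x11\x01\x00\x01"
_PUBKEY = bytes([0xC6, len(_PK_BODY)]) + _PK_BODY       # new-format header, tag 6
_UID_BODY = b"Alice <alice@example.org>"
_UID = bytes([0xCD, len(_UID_BODY)]) + _UID_BODY        # new-format header, tag 13
_CREATED = _subpkt(2, struct.pack(">I", 1599184354))
_PREF_SYM = _subpkt(11, bytes([9, 8, 7]))               # AES256, AES192, AES128
SAMPLE_KEY_CLEAN = _PUBKEY + _UID + _sig_packet([_CREATED, _PREF_SYM])
SAMPLE_KEY_WITH_AEAD = _PUBKEY + _UID + _sig_packet(
    [_CREATED, _PREF_SYM, _subpkt(PREF_AEAD_SUBPKT, bytes([2, 1]))])  # OCB, EAX

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEY_WITH_AEAD
    hits = find_aead_prefs(blob)
    for idx, algos in hits:
        print("packet %d: preferred AEAD algorithms %s" % (idx, algos))
    sys.exit(1 if hits else 0)
```

Feed it a binary key (run `gpg --dearmor` on armored input first); a non-zero exit means the key carries the subpacket and should not be imported into an unpatched gpg. The script deliberately masks the critical bit and never evaluates the MPIs or signature, so a malformed key can only raise a ValueError here rather than be interpreted.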
Diffstat (limited to 'security')
-rw-r--r--  security/gnupg/Makefile                     6
-rw-r--r--  security/gnupg/distinfo                     6
-rw-r--r--  security/gnupg/files/patch-doc_Makefile.in  16
-rw-r--r--  security/gnupg/pkg-plist                    11
4 files changed, 29 insertions, 10 deletions
diff --git a/security/gnupg/Makefile b/security/gnupg/Makefile
index c380fcc90884..b566f6c60ead 100644
--- a/security/gnupg/Makefile
+++ b/security/gnupg/Makefile
@@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= gnupg
-PORTVERSION= 2.2.20
+PORTVERSION= 2.2.23
CATEGORIES= security
MASTER_SITES= GNUPG
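Review bot: the PORTVERSION line jumps from 2.2.20 straight to 2.2.23, so this one MFH brings the 2020Q3 branch not only the CVE-2020-25125 fix but every behavioural change the merged messages list for 2.2.21 and 2.2.22 (default key algorithm now rsa3072, gpgsm accepting certificates that lack a CRL distribution point unless --enable-issuer-based-crl-check is given, gpgsplit appearing as gpgsplit2). Quarterly-branch users expect a security-only delta; state those user-visible changes in the MFH summary or in UPDATING instead of leaving them inside the pasted upstream NEWS.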
@@ -31,6 +31,7 @@ CONFIGURE_ARGS= --disable-ntbtls --enable-gpg-is-gpg2 --enable-symcryptrun
GNU_CONFIGURE= yes
INFO= gnupg
TEST_TARGET= check
+TEST_ARGS= TESTARGS=--parallel
SUB_FILES= pkg-message
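Review bot: the added TEST_ARGS= TESTARGS=--parallel is not mentioned in the commit message, which only covers the three upstream updates and the gpgsplit rename; add a line saying that `make test` now runs the upstream suite in parallel and that it passes that way, since TEST_TARGET= check hands the argument straight to the upstream test driver and a later updater will otherwise not know whether the flag is load-bearing or incidental.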
@@ -66,6 +67,7 @@ pre-build:
@${TOUCH} ${WRKSRC}/doc/*.texi
post-install:
- @${MV} ${STAGEDIR}${DATADIR}/help*.txt ${STAGEDIR}${DOCSDIR}
+ ${MV} ${STAGEDIR}${PREFIX}/bin/gpgsplit ${STAGEDIR}${PREFIX}/bin/gpgsplit2
+ ${MV} ${STAGEDIR}${DATADIR}/help*.txt ${STAGEDIR}${DOCSDIR}
.include <bsd.port.mk>
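Review bot: the two replacement ${MV} lines drop the leading @ that the removed line had, so both renames now echo into the build log; restore @${MV} if that was not intended. The gpgsplit -> gpgsplit2 rename also leaves the installed name different from upstream's and from the GnuPG documentation, and only pkg-plist records it; since SUB_FILES= pkg-message is already set, add a line to pkg-message telling users that gpgsplit is installed as gpgsplit2 to avoid the clash with security/gnupg1.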
diff --git a/security/gnupg/distinfo b/security/gnupg/distinfo
index bb8d171c4d5b..271c5cd064c8 100644
--- a/security/gnupg/distinfo
+++ b/security/gnupg/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1584729314
-SHA256 (gnupg-2.2.20.tar.bz2) = 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30
-SIZE (gnupg-2.2.20.tar.bz2) = 6786913
+TIMESTAMP = 1599184354
+SHA256 (gnupg-2.2.23.tar.bz2) = 10b55e49d78b3e49f1edb58d7541ecbdad92ddaeeb885b6f486ed23d1cd1da5c
+SIZE (gnupg-2.2.23.tar.bz2) = 7099806
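Review bot: TIMESTAMP, SHA256 and SIZE are updated together, which is correct, but the recorded hash only pins whichever gnupg-2.2.23.tar.bz2 the committer fetched; for a security update (CVE-2020-25125) the log should say that the upstream release signature was verified against the GnuPG release-signing keys before the new SHA256 line was written, so the checksum is anchored to upstream rather than to one download.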
diff --git a/security/gnupg/files/patch-doc_Makefile.in b/security/gnupg/files/patch-doc_Makefile.in
new file mode 100644
index 000000000000..5127e94d5ac1
--- /dev/null
+++ b/security/gnupg/files/patch-doc_Makefile.in
@@ -0,0 +1,16 @@
+This works around a breakage introduced in 2.2.21.
+Hopefully the patch can be removed for 2.2.22.
+
+--- doc/Makefile.in.orig 2020-07-09 13:22:35 UTC
++++ doc/Makefile.in
+@@ -1235,8 +1235,8 @@ defsincdate: $(gnupg_TEXINFOS)
+ if test -e $(top_srcdir)/.git; then \
+ (cd $(srcdir) && git log -1 --format='%ct' \
+ -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+- elif test x"$SOURCE_DATE_EPOCH" != x; then \
+- echo "$SOURCE_DATE_EPOCH" >>defsincdate ; \
++ elif test x"$$SOURCE_DATE_EPOCH" != x; then \
++ echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \
+ fi
+
+ defs.inc : defsincdate Makefile mkdefsinc
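Review bot: the header comment says "Hopefully the patch can be removed for 2.2.22", yet this commit adds the file while moving the port to 2.2.23, so either the comment is stale or the doc/Makefile.in breakage is still present upstream; update the comment to say which, and point at the upstream issue if one exists, so the next updater knows whether to drop the patch. The fix itself is right: inside a make recipe `$SOURCE_DATE_EPOCH` is expanded by make as the variable `$S` followed by the literal text OURCE_DATE_EPOCH, so the shell never sees the environment variable and defsincdate gets that literal string instead of a timestamp; `$$SOURCE_DATE_EPOCH` passes a single `$` through to the shell. Patching the generated Makefile.in rather than Makefile.am also avoids an autoreconf, which is the right choice for a port.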
diff --git a/security/gnupg/pkg-plist b/security/gnupg/pkg-plist
index 10f410b915e8..5c5407cd3401 100644
--- a/security/gnupg/pkg-plist
+++ b/security/gnupg/pkg-plist
@@ -1,17 +1,18 @@
bin/dirmngr
bin/dirmngr-client
-bin/gpg-connect-agent
bin/gpg-agent
-bin/gpgscm
-bin/gpgsm
-bin/gpgtar
+bin/gpg-connect-agent
%%WKS_SERVER%%bin/gpg-wks-server
-bin/kbxutil
%%SUID_GPG%%@(,,4555) bin/gpg2
%%NO_SUID_GPG%%bin/gpg2
bin/gpgconf
bin/gpgparsemail
+bin/gpgscm
+bin/gpgsm
+bin/gpgsplit2
+bin/gpgtar
bin/gpgv2
+bin/kbxutil
bin/symcryptrun
bin/watchgnupg
%%LDAP%%libexec/dirmngr_ldap
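Review bot: the hunk folds the one functional change (the new bin/gpgsplit2 entry) into a reorder of five existing lines, so the real addition is easy to miss; sorting the plist in its own commit would have left gpgsplit2 as the only diff here. The ordering is at least consistent: entries sort on the path after the %%WKS_SERVER%%, %%SUID_GPG%% and %%NO_SUID_GPG%% prefixes, which is why bin/gpg-wks-server lands before bin/gpg2 and bin/gpgsm before bin/gpgsplit2. Because gpgsplit2 is the only binary whose name the port changes, this entry and the Makefile ${MV} must stay in lockstep; if a future update drops or renames either one, check-plist will fail on the other.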