From c5df560fd3762c0dbe99562f52223c73d445e597 Mon Sep 17 00:00:00 2001
From: Marius Bakke <marius@gnu.org>
Date: Thu, 3 Dec 2020 16:59:10 +0100
Subject: gnu: GnuTLS: Update replacement to 3.6.15 [fixes CVE-2020-24659].

* gnu/packages/tls.scm (gnutls-3.6.14): Rename to ...
(gnutls/fixed): ... this.  Update to 3.6.15.
(gnutls): Adjust for renamed replacement.
* gnu/packages/package-management.scm (guix)[propagated-inputs]: Likewise.
* gnu/packages/vpn.scm (openconnect)[propagated-inputs]: Likewise.
---
 gnu/packages/package-management.scm | 2 +-
 gnu/packages/tls.scm                | 9 +++++----
 gnu/packages/vpn.scm                | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)

(limited to 'gnu')

diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 2cb9350bbd..906c04c7ff 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -405,7 +405,7 @@ (define code
 
          ("glibc-utf8-locales" ,glibc-utf8-locales)))
       (propagated-inputs
-       `(("gnutls" ,(if (%current-target-system) gnutls-3.6.14 gnutls))
+       `(("gnutls" ,(if (%current-target-system) gnutls/fixed gnutls))
          ;; Avahi requires "glib" which doesn't cross-compile yet.
          ,@(if (%current-target-system)
                '()
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 00b0bf6ddb..3b681426ad 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -165,7 +165,7 @@ (define-public gnutls
   (package
     (name "gnutls")
     ;; XXX Unversion openconnect's "gnutls" input when ungrafting.
-    (replacement gnutls-3.6.14)
+    (replacement gnutls/fixed)
     (version "3.6.12")
     (source (origin
              (method url-fetch)
@@ -254,10 +254,11 @@ (define-public gnutls
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-(define-public gnutls-3.6.14
+;; Replacement package to fix multiple security vulnerabilities.
+(define-public gnutls/fixed
   (package
     (inherit gnutls)
-    (version "3.6.14")
+    (version "3.6.15")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnupg/gnutls/v"
@@ -267,7 +268,7 @@ (define-public gnutls-3.6.14
                                        "gnutls-cross.patch"))
               (sha256
                (base32
-                "0qwxsfizynly0ns537vnhnlm5lh03la4vbsmz675n0n7vqd7ac2n"))))
+                "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
     (native-inputs
      `(,@(if (%current-target-system)             ;for cross-build
              `(("guile" ,guile-3.0))              ;to create .go files
diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm
index 39a9825893..04c34c3d4d 100644
--- a/gnu/packages/vpn.scm
+++ b/gnu/packages/vpn.scm
@@ -265,7 +265,7 @@ (define-public openconnect
     `(("libxml2" ,libxml2)
       ;; XXX ‘DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.’
       ;; See <https://gitlab.com/gnutls/gnutls/-/issues/960>.
-      ("gnutls" ,gnutls-3.6.14)
+      ("gnutls" ,gnutls/fixed)
       ("zlib" ,zlib)))
    (inputs
     `(("lz4" ,lz4)
-- 
cgit v1.2.3