Wed Apr 10 19:09:14 UTC 202420240410190914

a/cryptsetup-2.7.2-x86_64-1.txz:  Upgraded.
a/kernel-firmware-20240410_53438f8-noarch-1.txz:  Upgraded.
a/kernel-generic-6.6.26-x86_64-1.txz:  Upgraded.
a/kernel-huge-6.6.26-x86_64-1.txz:  Upgraded.
a/kernel-modules-6.6.26-x86_64-1.txz:  Upgraded.
a/openssl-solibs-3.3.0-x86_64-1.txz:  Upgraded.
a/pam-1.6.1-x86_64-1.txz:  Upgraded.
d/kernel-headers-6.6.26-x86-1.txz:  Upgraded.
d/rust-1.77.2-x86_64-1.txz:  Upgraded.
  [PATCH] compiler: Use wasm-ld for wasm targets.
  Thanks to Heinz Wiesinger.
k/kernel-source-6.6.26-noarch-1.txz:  Upgraded.
  +SPECTRE_BHI_AUTO n
  +SPECTRE_BHI_OFF n
  +SPECTRE_BHI_ON y
l/gst-plugins-bad-free-1.24.2-x86_64-1.txz:  Upgraded.
l/gst-plugins-base-1.24.2-x86_64-1.txz:  Upgraded.
l/gst-plugins-good-1.24.2-x86_64-1.txz:  Upgraded.
l/gst-plugins-libav-1.24.2-x86_64-1.txz:  Upgraded.
l/gstreamer-1.24.2-x86_64-1.txz:  Upgraded.
l/libcap-ng-0.8.5-x86_64-1.txz:  Upgraded.
l/nodejs-20.12.2-x86_64-1.txz:  Upgraded.
l/python-trove-classifiers-2024.4.10-x86_64-1.txz:  Upgraded.
n/gnutls-3.8.5-x86_64-2.txz:  Rebuilt.
  [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration.
  Thanks to bortolotto.
n/openssl-3.3.0-x86_64-1.txz:  Upgraded.
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.

2 files changed, 101 insertions, 2 deletions

diff --git a/source/n/gnutls/1830.patch b/source/n/gnutls/1830.patch
new file mode 100644
index 000000000..d3271fb1d
--- /dev/null
+++ b/source/n/gnutls/1830.patch
@@ -0,0 +1,96 @@
+From 6eec2a3854f90bfb30492d59db59c675bfb0f6f9 Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 10 Apr 2024 12:51:33 +0200
+Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ lib/priority.c                                | 12 ++++++----
+ ...system-override-allow-rsa-pkcs1-encrypt.sh | 22 +++++++++++++++++--
+ 2 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/lib/priority.c b/lib/priority.c
+index 8abe00d1ff..342f71471d 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -1423,9 +1423,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
+ 		_gnutls_default_priority_string = cfg->default_priority_string;
+ 	}
+ 
+-	/* enable RSA-PKCS1-V1_5 by default */
+-	cfg->allow_rsa_pkcs1_encrypt = true;
+-
+ 	if (cfg->allowlisting) {
+ 		/* also updates `flags` of global `hash_algorithms[]` */
+ 		ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
+@@ -2231,6 +2228,9 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ 	}
+ 
+ 	if (stat(system_priority_file, &sb) < 0) {
++		/* if there is no config enable RSA-PKCS1-V1_5 by default */
++		system_wide_config.allow_rsa_pkcs1_encrypt = true;
++
+ 		_gnutls_debug_log("cfg: unable to access: %s: %d\n",
+ 				  system_priority_file, errno);
+ 		goto out;
+@@ -2272,12 +2272,16 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ 					  system_priority_file, errno);
+ 			goto out;
+ 		}
++
++		memset(&ctx, 0, sizeof(ctx));
++		/* enable RSA-PKCS1-V1_5 by default */
++		ctx.cfg.allow_rsa_pkcs1_encrypt = true;
++
+ 		/* Parsing the configuration file needs to be done in 2 phases:
+ 		 * first parsing the [global] section
+ 		 * and then the other sections,
+ 		 * because the [global] section modifies the parsing behavior.
+ 		 */
+-		memset(&ctx, 0, sizeof(ctx));
+ 		err = ini_parse_file(fp, global_ini_handler, &ctx);
+ 		if (!err) {
+ 			if (fseek(fp, 0L, SEEK_SET) < 0) {
+diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+index b7d477c96e..014088bd2f 100755
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
++++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -38,15 +38,33 @@ cat <<_EOF_ > ${CONF}
+ allow-rsa-pkcs1-encrypt = true
+ _EOF_
+ 
+-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
++${TEST}
++if [ $? != 0 ]; then
++	echo "${TEST} expected to succeed"
++	exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled"
+ 
+ cat <<_EOF_ > ${CONF}
+ [overrides]
+ allow-rsa-pkcs1-encrypt = false
+ _EOF_
+ 
+-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
++${TEST}
++if [ $? = 0 ]; then
++	echo "${TEST} expected to fail"
++	exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully disabled"
+ 
+ unset GNUTLS_SYSTEM_PRIORITY_FILE
+ unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
++
++${TEST}
++if [ $? != 0 ]; then
++	echo "${TEST} expected to succeed by default"
++	exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled by default"
++
+ exit 0
+-- 
+GitLab
+
diff --git a/source/n/gnutls/gnutls.SlackBuild b/source/n/gnutls/gnutls.SlackBuild
index 157f01aae..154b283fa 100755
--- a/source/n/gnutls/gnutls.SlackBuild
+++ b/source/n/gnutls/gnutls.SlackBuild
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2007, 2008, 2009, 2010, 2016, 2017, 2018, 2020  Patrick Volkerding, Sebeka, MN, USA
+# Copyright 2007, 2008, 2009, 2010, 2016, 2017, 2018, 2020, 2024  Patrick Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=gnutls
 VERSION=${VERSION:-$(echo gnutls-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
@@ -81,6 +81,9 @@ find . \
   \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
   -exec chmod 644 {} \+
 
+# [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration:
+cat $CWD/1830.patch | patch -p1 --verbose || exit 1
+
 # Need to reconf to find guile-3.0.x:
 autoreconf -vif