diff --git a/user/gnutls/APKBUILD b/user/gnutls/APKBUILD
index 616793f57ea64e173dd849d27236b175683901fd..e75b1d5523d0b17c2c90a72b8b1ae4f38174bbf8 100644
--- a/user/gnutls/APKBUILD
+++ b/user/gnutls/APKBUILD
@@ -2,12 +2,11 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer:
pkgname=gnutls
-pkgver=3.6.11.1
+pkgver=3.6.14
pkgrel=0
pkgdesc="A TLS protocol implementation"
-url="http://www.gnutls.org/"
+url="https://www.gnutls.org/"
arch="all"
-options="!check" # https://gitlab.com/gnutls/gnutls/issues/560
license="LGPL-2.1+"
makedepends="libtasn1-dev libunistring-dev nettle-dev p11-kit-dev texinfo
unbound-dev cmd:which zlib-dev"
@@ -23,11 +22,16 @@ case $pkgver in
;;
esac
source="https://www.gnupg.org/ftp/gcrypt/gnutls/v${_v}/$pkgname-$pkgver.tar.xz
- gnulib-tests-dont-require-gpg-passphrase.patch"
+ gnulib-tests-dont-require-gpg-passphrase.patch
+ disable-certtool-test.patch
+ "
# secfixes:
# 3.5.13-r0:
# - CVE-2017-7507
+# 3.6.14-r0:
+# - CVE-2020-11501
+# - CVE-2020-13777
build() {
LIBS="-lgmp" ./configure \
@@ -79,5 +83,6 @@ xx() {
mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="55fbbf0ebc824fbc91ccd08d1708452c5b1c12af75e332f29414540eb2f81337fa605a693ce9f34319a927e9d71177e6e7ffea5c6747792d341fb740f68c9489 gnutls-3.6.11.1.tar.xz
-abc24ee59cc67805fe953535b0bae33080fc8b0bf788304377f6d10ec8c162c4cf203a69c98a4ba3483b4c60ed7a204433cc7db9b8190eddb0d68f6fb6dad52d gnulib-tests-dont-require-gpg-passphrase.patch"
+sha512sums="b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 gnutls-3.6.14.tar.xz
+abc24ee59cc67805fe953535b0bae33080fc8b0bf788304377f6d10ec8c162c4cf203a69c98a4ba3483b4c60ed7a204433cc7db9b8190eddb0d68f6fb6dad52d gnulib-tests-dont-require-gpg-passphrase.patch
+25400be364c1f27b88451002a471cbf841b9738dd93c42dcbeaf7644c3deea6afc85300b40d5ae32d29dc4d441237e8b311f3e07f0af2fb4788701ee4e240c0f disable-certtool-test.patch"
diff --git a/user/gnutls/disable-certtool-test.patch b/user/gnutls/disable-certtool-test.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ae16a38e4bab02ea55d0a1d2439937c255aaa2d
--- /dev/null
+++ b/user/gnutls/disable-certtool-test.patch
@@ -0,0 +1,33 @@
+If GNUTLS_PIN is not available in the environment, the test will fail
+because it cannot ask for the password:
+
+Generating a self signed certificate...
+No PIN given.
+note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables
+cert generation failed
+FAIL certtool (exit status: 1)
+
+The comment above this line says "some CI runners need GNUTLS_PIN
+(GNUTLS_PIN=${PASS})" (i.e. GNUTLS_PIN=1234). When this is passed
+instead, the test fails again because "No password was asked" (it greps
+for "Enter password" in the output, but this won't happen because
+GNUTLS_PIN is set).
+
+The folks at Nix believe this is an incompatibility due to musl's
+getpass not falling back to stdin/stderr if it cannot connect to a tty,
+as glibc does.
+
+https://gitlab.com/gnutls/gnutls/-/issues/945
+
+--- gnutls-3.6.13/tests/cert-tests/certtool 2020-01-01 14:10:19.000000000 -0600
++++ gnutls-3.6.13/tests/cert-tests/certtool 2020-06-02 20:36:20.380039844 -0500
+@@ -20,6 +20,9 @@
+
+ #set -e
+
++echo 'this test is not compatible with musl'
++exit 77
++
+ srcdir="${srcdir:-.}"
+ CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+ DIFF="${DIFF:-diff -b -B}"