I've just released gnutls 3.3.26. This is a bug-fix release on
the previous stable branch which addresses GNUTLS-SA-2017-1, and
GNUTLS-SA-2017-2, while backports some functionality to enable certain
PKCS#11 smart card use-cases.
* Version 3.3.26 (released 2016-01-09)
** libgnutls: Handle status request responses as optional (following
RFC6066). This improves compatibility with implementations not sending
these messages (including specific versions of the GnuTLS 3.5.x branch).
** libgnutls: Set limits on the maximum number of alerts handled. That is,
applications using gnutls could be tricked into an busy loop if the
peer sends continuously alert messages. Applications which set a maximum
handshake time (via gnutls_handshake_set_timeout) will eventually recover
but others may remain in a busy loops indefinitely. This is related but
not identical to CVE-2016-8610, due to the difference in alert handling
of the libraries (gnutls delegates that handling to applications).
** libgnutls: Fixed issue in PKCS#12 password encoding, which truncated
passwords over 32-characters. Reported by Mario Klebsch.
** libgnutls: Backported functionality allowing to manipulate the IDs
of PKCS#11 objects.
** libgnutls: Link to trousers (TPM library) dynamically. Backported TPM
key handling improvements from master branch.
** libgnutls: Backported several fixes in PKCS#8 decryption (related to
gitlab issue #148).
** libgnutls: Fix double free in certificate information printing. If the PKIX
extension proxy was set with a policy language set but no policy specified,
that could lead to a double free. [GNUTLS-SA-2017-1]
** libgnutls: Addressed memory leak in server side error path
(issue found using oss-fuzz project)
** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)
** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
(issues found using oss-fuzz project) [GNUTLS-SA-2017-2]
** tpmtool: backported the --test-sign option.
** API and ABI modifications:
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]