[gnutls-devel] gnutls 3.5.13

[gnutls-devel] gnutls 3.5.13

Nikos Mavrogiannopoulos
Hello, 
 I've just released gnutls 3.5.13. This is a bug fix release on the
3.5.x branch.

* Version 3.5.13 (released 2017-06-07)

** libgnutls: fixed issue with AES-GCM in-place encryption and decryption in
   aarch64. Resolves gitlab issue #204.

** libgnutls: no longer parse the ResponseID field of the status response
   TLS extension. The field is not used by GnuTLS nor is made available to
   calling applications. That addresses a null pointer dereference on server
   side caused by packets containing the ResponseID field. Reported
   by Hubert Kario. [GNUTLS-SA-2017-4]

** libgnutls: tolerate certificates which do not have strict DER time encoding.
   It is possible using 3rd party tools to generate certificates with time fields
   that do not conform to DER requirements. Since 3.4.x these certificates were rejected
   and cannot be used with GnuTLS, however that caused problems with existing private
   certificate infrastructures, which were relying on such certificates (see gitlab
   issue #196). Tolerate reading and using these certificates.

** minitasn1: updated to libtasn1 4.11.

** certtool: allow multiple certificates to be used in --p7-sign with
   the --load-certificate option. Patch by Karl Tarbe.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.13.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.13.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
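The status_request extension body (RFC 6066) that the GNUTLS-SA-2017-4 entry refers to, as an added example that is not GnuTLS code: a bounds-checked Python parser that only verifies the framing of the responder_id_list (the ResponseID field) and never decodes its entries, run over constructed sample bodies.

```python
STATUS_TYPE_OCSP = 1


class MalformedExtension(ValueError):
    """Raised when the body does not match RFC 6066 framing."""


def _take_vector(buf, pos, len_bytes):
    """Read a length-prefixed opaque vector at pos; return (data, new_pos)."""
    if pos + len_bytes > len(buf):
        raise MalformedExtension("truncated length field at offset %d" % pos)
    length = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + length > len(buf):
        raise MalformedExtension("vector of %d bytes overruns body" % length)
    return buf[pos:pos + length], pos + length


def parse_status_request(body):
    """Parse a CertificateStatusRequest (RFC 6066) extension body.

    responder_id_list entries are length-checked but never decoded: a
    server that does not use them only needs to step over them safely.
    """
    if not body:
        raise MalformedExtension("empty extension body")
    status_type = body[0]
    if status_type != STATUS_TYPE_OCSP:
        raise MalformedExtension("unsupported status_type %d" % status_type)
    responder_list, pos = _take_vector(body, 1, 2)
    count, inner = 0, 0
    while inner < len(responder_list):
        rid, inner = _take_vector(responder_list, inner, 2)
        if not rid:  # opaque ResponderID<1..2^16-1> forbids empty entries
            raise MalformedExtension("zero-length ResponderID")
        count += 1
    request_exts, pos = _take_vector(body, pos, 2)
    if pos != len(body):
        raise MalformedExtension("%d trailing bytes" % (len(body) - pos))
    return {"status_type": status_type, "responder_id_count": count,
            "request_extensions": request_exts}


# Constructed sample bodies, not captured traffic; the 3-byte ResponderID
# is a placeholder blob, not real DER.
CLIENT_NO_RESPONDERS = bytes([1, 0, 0, 0, 0])
CLIENT_WITH_RESPONDER = bytes([1, 0, 5, 0, 3, 0xAA, 0xBB, 0xCC, 0, 0])
TRUNCATED = bytes([1, 0, 5, 0, 3, 0xAA])
```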
[gnutls-devel] GNUTLS-SA-2017-4 (was: gnutls 3.5.13)

Andreas Metzler-3
On 2017-06-07 Nikos Mavrogiannopoulos <[hidden email]> wrote:
> Hello, 
>  I've just released gnutls 3.5.13. This is a bug fix release on the
> 3.5.x branch.
[...]
> ** libgnutls: no longer parse the ResponseID field of the status response
>    TLS extension. The field is not used by GnuTLS nor is made available to
>    calling applications. That addresses a null pointer dereference on server
>    side caused by packets containing the ResponseID field. Reported
>    by Hubert Kario. [GNUTLS-SA-2017-4]
[...]

Hello,

Do you know to which versions of GnuTLS this applies? Afaict it seems to
apply to 3.3.8, too.

TIA cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Re: [gnutls-devel] GNUTLS-SA-2017-4 (was: gnutls 3.5.13)

Nikos Mavrogiannopoulos
On Sun, 2017-06-11 at 11:43 +0200, Andreas Metzler wrote:

> On 2017-06-07 Nikos Mavrogiannopoulos <[hidden email]> wrote:
> > Hello, 
> >  I've just released gnutls 3.5.13. This is a bug fix release on the
> > 3.5.x branch.
>
> [...]
> > ** libgnutls: no longer parse the ResponseID field of the status response
> >    TLS extension. The field is not used by GnuTLS nor is made available to
> >    calling applications. That addresses a null pointer dereference on server
> >    side caused by packets containing the ResponseID field. Reported
> >    by Hubert Kario. [GNUTLS-SA-2017-4]
>
> [...]
>
> Hello,
>
> do you know to which versions of GnuTLS this applies? Afaict it seems
> to apply to 3.3.8, too.

Hi,
 It certainly applies to the 3.3.x branch; I have not investigated other
versions (though 2.12.x is not vulnerable as this extension is not
supported). There is a patch on the 3.3.x branch for it.

regards,
Nikos

