[gnutls-devel] gnutls 3.5.8

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[gnutls-devel] gnutls 3.5.8

Nikos Mavrogiannopoulos
Hello, 
 I've just released gnutls 3.5.8. This is a bug fix release, and is also
the release in the 3.5.x marked as stable. As such the 3.5.x fully replaces
the (ABI-compatible) 3.4.x branch which will no longer receive updates.

Several issues fixed at this release were found using the oss-fuzz project.
I'd like to thank Alex Gaynor for bringing gnutls to OSS-FUZZ and fixing
issues. The existing fuzzers for gnutls/ are available on the devel/fuzz
directory in the master branch.


* Version 3.5.8 (released 2016-01-09)

** libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
   functions will not leave the verification profiles field to an
   undefined state. The last call will take precedence.

** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
   by PKCS#8 decryption functions when an invalid key is provided. This
   addresses regression on decrypting certain PKCS#8 keys.

** libgnutls: Introduced option to override the default priority string
   used by the library. The intention is to allow support of system-wide
   priority strings (as set with --with-system-priority-file). The
   configure option is --with-default-priority-string.

** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
   This prevents crashes when decrypting malformed PKCS#8 keys.
   (issue found using oss-fuzz project)

** libgnutls: Fix crash on the loading of malformed private keys with certain
   parameters set to zero. (issue found using oss-fuzz project)

** libgnutls: Fix double free in certificate information printing. If the PKIX
   extension proxy was set with a policy language set but no policy specified,
   that could lead to a double free. (issue found using oss-fuzz project)

** libgnutls: Addressed memory leaks in client and server side error paths
   (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks in X.509 certificate printing error paths
   (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
   parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)

** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
   (issues found using oss-fuzz project)

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.8.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.8.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [gnutls-devel] gnutls 3.5.8

Nikos Mavrogiannopoulos
On Mon, Jan 9, 2017 at 9:17 AM, Nikos Mavrogiannopoulos <[hidden email]> wrote:

> ** libgnutls: Fix double free in certificate information printing. If the PKIX
>    extension proxy was set with a policy language set but no policy specified,
>    that could lead to a double free. (issue found using oss-fuzz project)
>
> ** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
>    (issues found using oss-fuzz project)

Note that I forgot to refer to GNUTLS-SA-2017-1 and GNUTLS-SA-2017-2 for these
two issues.

regards,
Nikos

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [gnutls-devel] gnutls 3.5.8

Derek Schrock
On Mon, Jan 09, 2017 at 03:25:10AM EST, Nikos Mavrogiannopoulos wrote:

> On Mon, Jan 9, 2017 at 9:17 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>
> > ** libgnutls: Fix double free in certificate information printing. If the PKIX
> >    extension proxy was set with a policy language set but no policy specified,
> >    that could lead to a double free. (issue found using oss-fuzz project)
> >
> > ** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
> >    (issues found using oss-fuzz project)
>
> Note that I forgot to refer to GNUTLS-SA-2017-1 and GNUTLS-SA-2017-2 for these
> two issues.
>
> regards,
> Nikos
>

Was there a 3.4.x release for SA 2017-1/2?  I see 3.3.x and 3.5.x
however no 3.4.x.  Is 3.4.x not effected by the two SAs?

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [gnutls-devel] gnutls 3.5.8

Nikos Mavrogiannopoulos
On Sun, 2017-01-22 at 20:13 -0500, Derek Schrock wrote:

> On Mon, Jan 09, 2017 at 03:25:10AM EST, Nikos Mavrogiannopoulos
> wrote:
> > On Mon, Jan 9, 2017 at 9:17 AM, Nikos Mavrogiannopoulos <nmav at
> > gnutls.org> wrote:
> >
> > > ** libgnutls: Fix double free in certificate information
> > > printing. If the PKIX
> > >    extension proxy was set with a policy language set but no
> > > policy specified,
> > >    that could lead to a double free. (issue found using oss-fuzz
> > > project)
> > >
> > > ** libgnutls: Addressed invalid memory accesses in OpenPGP
> > > certificate parsing.
> > >    (issues found using oss-fuzz project)
> >
> > Note that I forgot to refer to GNUTLS-SA-2017-1 and GNUTLS-SA-2017-
> > 2 for these
> > two issues.
> >
> > regards,
> > Nikos
> >
>
> Was there a 3.4.x release for SA 2017-1/2?  I see 3.3.x and 3.5.x
> however no 3.4.x.  Is 3.4.x not effected by the two SAs?

Hi,
 The 3.4.x releases are indeed affected, however 3.5.8 is a drop in
replacement and you can use that release instead. My goal with that is
to reduce the cost of maintaining overlapping/fully compatible release
branches.

regards,
Nikos


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Loading...