[gnutls-dev] GnuTLS 1.2.3 and 1.0.25

Simon Josefsson jas at extundo.com
Thu Apr 28 13:06:48 CEST 2005


We are pleased to announce the availability of two new GnuTLS
releases; GnuTLS 1.2.3 and GnuTLS 1.0.25!

These releases were prompted by the discovery of a denial of service
problem.

We recommend 1.0 users to move to 1.2.  We will continue to make
releases on the old branch when security problems are discovered, for
those who feel unable to upgrade.

We do not have the resources to analyze and write an explanation of
this security problem.  Volunteers who want to read the bug reports
and the CVS changes, and write up an explanation in plain English, are
most welcome!  Having a detailed track record of security problems can
be a useful reference when discussing security in free software
packages in general.  Naturally, if you wish to sponsor us to do this
work for you, please contact me.

PS.  The ftp.gnutls.org server appears down at the moment, but the
files below will be available as soon as possible.

If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see:
<http://lists.gnu.org/mailman/listinfo/help-gnutls>.

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources:
  http://josefsson.org/gnutls/releases/gnutls-1.0.25.tar.gz (1.5MB)
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.0.25.tar.gz (1.5MB)
  http://josefsson.org/gnutls/releases/gnutls-1.2.3.tar.bz2 (2.4MB)
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.2.3.tar.bz2 (2.4MB)

Here are GPG detached signatures signed using key 0xB565716F:
  http://josefsson.org/gnutls/releases/gnutls-1.0.25.tar.gz.sig
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.0.25.tar.gz.sig
  http://josefsson.org/gnutls/releases/gnutls-1.2.3.tar.bz2.sig
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.2.3.tar.bz2.sig

Here are the build reports for various platforms:
  http://josefsson.org/autobuild-logs/gnutls.html

Here are the MD5/SHA1 checksums:

Noteworthy changes since version 1.0.24/1.2.3:

- Corrected bug in record packet parsing that could lead
  to a denial of service attack.
- Corrected bug in RSA key export. Previously exported keys
  can be fixed using certtool. Use certtool -k <infile >outfile
- API and ABI modifications:
    gnutls_x509_privkey_fix(): Add.

Enjoy,
Nikos and Simon


