GnuTLS 2.3.10
Simon Josefsson
simon at josefsson.org
Mon May 19 19:12:47 CEST 2008
The GnuTLS 2.3.x branch is NOT what you want for your stable system. It
is intended for developers and experienced users.
The goals for the 2.3.x branch are tracked at:
http://trac.gnutls.org/cgi-bin/trac.cgi/milestone/gnutls-2.4
More ideas are welcome, just create a new ticket.
Here are the compressed sources:
http://alpha.gnu.org/gnu/gnutls/gnutls-2.3.10.tar.bz2
ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.3.10.tar.bz2
Here is the Windows binaries:
http://josefsson.org/gnutls4win/gnutls-2.3.10.exe
http://josefsson.org/gnutls4win/gnutls-2.3.10.zip
Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, or donate
money or equipment.
Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.
News in this release:
* Version 2.3.10 (released 2008-05-19)
** Added wide wildcard hostname matching.
Tiny patch by Jean-Philippe Garcia Ballester.
** Fix three security vulnerabilities. [GNUTLS-SA-2008-1]
Thanks to CERT-FI for finding the bugs and providing detailed reports,
which allowed the bugs to be reproduced and fixed easily. Patches
developed by Simon Josefsson and Nikos Mavrogiannopoulos. Any updates
with more details about these vulnerabilities will be added to
<http://www.gnu.org/software/gnutls/security.html>
*** [GNUTLS-SA-2008-1-1]
*** libgnutls: Fix crash when sending invalid server name.
The crash can be triggered remotely before authentication, which can
lead to a Daniel of Service attack to disable the server. The bug
cause gnutls to store more session resumption data than what was
allocated for, thus overwriting unallocated memory.
*** [GNUTLS-SA-2008-1-2]
*** libgnutls: Fix crash when sending repeated client hellos.
The crash can be triggered remotely before authentication, which can
lead to a Daniel of Service attack to disable the server. The bug
triggers a null-pointer dereference.
*** [GNUTLS-SA-2008-1-3]
*** libgnutls: Fix crash in cipher padding decoding for invalid record lengths.
The crash can be triggered remotely before authentication, which can
lead to a Daniel of Service attack to disable the server. The bug
cause gnutls to read memory beyond the end of the received record.
** libgnutlsxx: Updated API according to patches from Eduardo
Villanueva Che (discussion at
<http://lists.gnu.org/archive/html/gnutls-devel/2007-02/msg00017.html>)
** Use umask to restrict permissions to owner before creating a file.
/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20080519/f08c8af2/attachment.pgp>
More information about the Gnutls-devel
mailing list