GnuTLS 2.8.2

Jeff Cai Jeff.Cai at Sun.COM
Wed Aug 12 10:43:51 CEST 2009 

> What's New
> ==========
> 
> ** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
> By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
> into 1) not printing the entire CN/SAN field value when printing a
> certificate and 2) cause incorrect positive matches when matching a
> hostname against a certificate.  Some CAs apparently have poor
> checking of CN/SAN values and issue these (arguable invalid)
> certificates.  Combined, this can be used by attackers to become a
> MITM on server-authenticated TLS sessions.  The problem is mitigated
> since attackers needs to get one certificate per site they want to
> attack, and the attacker reveals his tracks by applying for a
> certificate at the CA.  It does not apply to client authenticated TLS
> sessions.  Research presented independently by Dan Kaminsky and Moxie
> Marlinspike at BlackHat09.  Thanks to Tomas Hoger <thoger at redhat.com>
> for providing one part of the patch.  [GNUTLS-SA-2009-4].

How is it affecting old versions of gnutls like 2.6 and 2.4? Do they
also need a patch applied if not upgrading them?

Jeff

> 
> ** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
> Before it always returned false.  Reported by Peter Hendrickson
> <pdh at wiredyne.com> in
> <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.
> 
> ** libgnutls: Fix off-by-one size computation error in unknown DN printing.
> The error resulted in truncated strings when printing unknown OIDs in
> X.509 certificate DNs.  Reported by Tim Kosse
> <tim.kosse at filezilla-project.org> in
> <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.
> 
> ** libgnutls: Return correct bit lengths of some MPIs.
> gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
> gnutls_dh_get_peers_public_bits.  Before the reported value was
> overestimated.  Reported by Peter Hendrickson <pdh at wiredyne.com> in
> <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.
> 
> ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
> Report and patch by Tim Kosse <tim.kosse at filezilla-project.org> in
> <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
> and
> <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.
> 
> ** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
> Before we required that the runtime library used the same (or more
> recent) libgcrypt/libtasn1 as it was compiled with.  Now we just check
> that the runtime usage is above the minimum required.  Reported by
> Marco d'Itri <md at linux.it> via Andreas Metzler
> <ametzler at downhill.at.eu.org> in <http://bugs.debian.org/540449>.
> 
> ** minitasn1: Internal copy updated to libtasn1 v2.3.
> 
> ** tests: Fix failure in "chainverify" because a certificate have expired.
> 
> ** API and ABI modifications:
> No changes since last version.
> 
> Getting the Software
> ====================
> 
> GnuTLS may be downloaded from one of the mirror sites or direct from
> <ftp://ftp.gnu.org/gnu/gnutls/>.  The list of mirrors can be found at
> <http://www.gnu.org/software/gnutls/download.html>.
> 
> Here are the BZIP2 compressed sources (6.0MB):
> 
>   ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.2.tar.bz2
>   http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.2.tar.bz2
> 
> Here are OpenPGP detached signatures signed using key 0xB565716F:
> 
>   ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.2.tar.bz2.sig
>   http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.2.tar.bz2.sig
> 
> Note, that we don't distribute gzip compressed tarballs.
> 
> In order to check that the version of GnuTLS which you are going to
> install is an original and unmodified one, you should verify the OpenPGP
> signature.  You can use the command
> 
>      gpg --verify gnutls-2.8.2.tar.bz2.sig
> 
> This checks whether the signature file matches the source file.  You
> should see a message indicating that the signature is good and made by
> that signing key.  Make sure that you have the right key, either by
> checking the fingerprint of that key with other sources or by checking
> that the key has been signed by a trustworthy other key.  The signing
> key can be identified with the following information:
> 
> pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
>       Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
> uid                  Simon Josefsson <simon at josefsson.org>
> uid                  Simon Josefsson <jas at extundo.com>
> sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]
> 
> The key is available from:
>   http://josefsson.org/key.txt
>   dns:b565716f.josefsson.org?TYPE=CERT
> 
> Alternatively, after successfully verifying the OpenPGP signature of
> this announcement, you could verify that the files match the following
> checksum values.  The values are for SHA-1 and SHA-224 respectively:
> 
> eea59fb972e7d566679645a564a56b58aeffe10b  gnutls-2.8.2.tar.bz2
> 
> 048bfb981a4a88d7040c1951614bd9d06cdd787e2242d6243391775a  gnutls-2.8.2.tar.bz2
> 
> Documentation
> =============
> 
> The manual is available online at:
> 
>   http://www.gnu.org/software/gnutls/documentation.html
> 
> In particular the following formats are available:
> 
>  HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
>  PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf
> 
> For developers there is a GnuTLS API reference manual formatted using
> the GTK-DOC tools:
> 
>   http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html
> 
> Community
> =========
> 
> If you need help to use GnuTLS, or want to help others, you are invited
> to join our help-gnutls mailing list, see:
> 
>   http://lists.gnu.org/mailman/listinfo/help-gnutls
> 
> If you wish to participate in the development of GnuTLS, you are invited
> to join our gnutls-dev mailing list, see:
> 
>   http://lists.gnu.org/mailman/listinfo/gnutls-devel
> 
> Windows installer
> =================
> 
> GnuTLS has been ported to the Windows operating system, and a binary
> installer is available.  The installer contains DLLs for application
> development, manuals, examples, and source code.  The installer includes
> libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.3, and GnuTLS v2.8.2.
> 
> For more information about GnuTLS for Windows:
>   http://josefsson.org/gnutls4win/
> 
> The Windows binary installer and PGP signature:
>   http://josefsson.org/gnutls4win/gnutls-2.8.2.exe (15MB)
>   http://josefsson.org/gnutls4win/gnutls-2.8.2.exe.sig
> 
> The checksum values for SHA-1 and SHA-224 are:
> 
> 18fc15825832606123284dd5d7a77d402bf14101  gnutls-2.8.2.exe
> 9e9b9e5c9c213743fcb070af5c0b9a552ddd3fb3a241f2e0dbb89fa3  gnutls-2.8.2.exe
> 
> A ZIP archive containing the Windows binaries:
>   http://josefsson.org/gnutls4win/gnutls-2.8.2.zip (5.3MB)
>   http://josefsson.org/gnutls4win/gnutls-2.8.2.zip.sig
> 
> The checksum values for SHA-1 and SHA-224 are:
> 
> af492d1c31ef4ecc27724839ce62f5a334731b26  gnutls-2.8.2.zip
> ca3306416ad63c22b281c30165c83d94d97b0e7a817303f2ca61d00c  gnutls-2.8.2.zip
> 
> A Debian mingw32 package is also available:
>   http://josefsson.org/gnutls4win/mingw32-gnutls_2.8.2-1_all.deb (4.8MB)
> 
> The checksum values for SHA-1 and SHA-224 are:
> 
> 4d591773c387be1409fb000ff1a9eae3c3c19756  mingw32-gnutls_2.8.2-1_all.deb
> fb742033dca3ccca3757d798dfa37fb718c2bac082e557bb7dfbfe57  mingw32-gnutls_2.8.2-1_all.deb
> 
> Internationalization
> ====================
> 
> The GnuTLS library messages have been translated into Czech, Dutch,
> French, German, Malay, Polish, Swedish, and Vietnamese.  We welcome the
> addition of more translations.
> 
> Support
> =======
> 
> Improving GnuTLS is costly, but you can help!  We are looking for
> organizations that find GnuTLS useful and wish to contribute back.  You
> can contribute by reporting bugs, improve the software, or donate money
> or equipment.
> 
> Commercial support contracts for GnuTLS are available, and they help
> finance continued maintenance.  Simon Josefsson Datakonsult AB, a
> Stockholm based privately held company, is currently funding GnuTLS
> maintenance.  We are always looking for interesting development
> projects.  See http://josefsson.org/ for more details.
> 
> The GnuTLS service directory is available at:
> 
>   http://www.gnu.org/software/gnutls/commercial.html
> 
> Happy Hacking,
> Simon
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
> http://lists.gnu.org/mailman/listinfo/gnutls-devel

More information about the Gnutls-devel mailing list