[gnutls-devel] gnutls 3.2.12 / GNUTLS-SA-2014-2

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Mar 3 07:22:41 CET 2014


Hello,
 I've just released gnutls 3.2.12. This is an important bug-fix release
on the current stable branch which addresses GNUTLS-SA-2014-2
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2

This fix is for an important (and at the same time embarrassing) bug
discovered during an audit for Red Hat. Everyone is urged to upgrade.
The git branches of older releases (e.g., 2.12.x) were also updated
with patches to the issue as they are also vulnerable. I'll provide more
information on the issue in the next few days.


* Version 3.2.12 (released 2014-03-03)

** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)

** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
when provided with invalid data. Reported by Dmitriy Anisimkov.

** libgnutls: Corrected timeout issue in DTLS handshakes subsequent
to the first.

** libgnutls: Removed unconditional not-trusted message in
gnutls_certificate_verification_status_print() when used with
OpenPGP certificates. Reported by Michel Briand.

** libgnutls: All ciphersuites that were available in TLS1.0 or
later are now made available in SSL3.0 or later to prevent
any incompatibilities with servers that negotiate them in SSL 3.0.

** ocsptool: When verifying a response and a signer isn't provided
assume that the signer is the issuer.

** ocsptool: When sending a nonce, verify that the nonce exists
in the OCSP response.

** gnutls-cli: Added --strict-tofu option; contributed by Jens
Lechtenboerger.

** API and ABI modifications:
No changes since last version.


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.lz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos
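An added example, not part of the announcement or of the GnuTLS project, of checking a downloaded tarball against the detached signature listed above: it uses the key ID from the announcement, treats the full fingerprint as a placeholder to be filled from a trusted source, and assumes the `.sig` naming used by the mirror URLs.

```shell
# Added example, not part of the announcement: verify a GnuTLS release
# tarball against its detached OpenPGP signature and confirm that the
# signature was made by the expected key. `gpg --verify` exits 0 for a
# good signature from ANY key in the local keyring, so the exit status
# alone does not prove the tarball came from the release signer; the
# VALIDSIG status line must be checked against the expected fingerprint.

# Key ID given in the announcement. The announcement does not list the
# full 40-hex fingerprint, so obtain it from a trusted source and put it
# here (the value below is an obvious placeholder, not the real one).
EXPECTED_KEYID="96865171"
EXPECTED_FPR="REPLACE_WITH_FULL_FINGERPRINT_ENDING_IN_${EXPECTED_KEYID}"

# check_status STATUS_FILE EXPECTED_FPR
# Reads `gpg --status-fd` output and returns 0 only if a VALIDSIG line
# reports the expected fingerprint, 1 when no signature validated, and
# 2 when a different key made the signature.
check_status() {
    status_file=$1
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    got=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }' \
          "$status_file" | tr 'a-f' 'A-F')
    if [ -z "$got" ]; then
        echo "no VALIDSIG: signature missing or bad" >&2
        return 1
    fi
    if [ "$got" != "$want" ]; then
        echo "signed by unexpected key $got" >&2
        return 2
    fi
    return 0
}

# verify_release TARBALL EXPECTED_FPR
# Runs gpg on TARBALL and TARBALL.sig (the naming used on the mirrors)
# and applies check_status to the machine-readable status output.
verify_release() {
    tarball=$1
    status_file=$(mktemp) || return 1
    # Signature file first, then the signed data, as gpg --verify expects.
    gpg --status-fd 1 --verify "$tarball.sig" "$tarball" >"$status_file" 2>/dev/null
    check_status "$status_file" "$2"
    rc=$?
    rm -f "$status_file"
    return $rc
}

# Usage, after `gpg --recv-keys 0x$EXPECTED_KEYID` and downloading both files:
#   verify_release gnutls-3.2.12.tar.xz "$EXPECTED_FPR" && echo "signature OK"
```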
