[gnutls-devel] gnutls 3.3.25
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Oct 9 20:38:57 CEST 2016
Hello,
I've just released gnutls 3.3.25. This is a bug-fix release on
the previous stable branch which addresses GNUTLS-SA-2016-3, and
backports some functionality used by recent samba versions.
* Version 3.3.25 (released 2016-10-9)
** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key()
failures due to key mismatch. This prevents leaks or double freeing
on such failures.
** libgnutls: Corrected the comparison of the serial size in OCSP response.
Previously the OCSP certificate check wouldn't verify the serial length
and could succeed in cases it shouldn't (GNUTLS-SA-2016-3).
Reported by Stefan Buehler.
** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was
ignoring flags if all certificates in the list fit within the
initially allocated memory.
** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the complete chain,
even when the extra_certs was non-null. Report and fix by Stefan Sørensen.
** libgnutls: Added support for decrypting PKCS#8 files which use the HMAC-SHA256
as PRF.
** libgnutls: Addressed issue with PKCS#11 signature generation on ECDSA
keys. The signature is now written as unsigned integers into the DSASignatureValue
structure. Previously signed integers could be written depending on what
the underlying module would produce. Addresses #122.
** libgnutls: backported X.509 unique ID functionality from later versions.
** libgnutls: Increased the maximum size of the handshake message hash.
This will allow the library to cope better with larger packets, as
the ones offered by current TLS 1.3 drafts.
** API and ABI modifications:
gnutls_x509_crt_set_issuer_unique_id: Added
gnutls_x509_crt_set_subject_unique_id: Added
Getting the Software
====================
GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.
Here are the XZ compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.25.tar.xz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.25.tar.xz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
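
The serial-length item above (GNUTLS-SA-2016-3), as an added illustration that is not GnuTLS source and not part of the original message: a comparison that ignores the serial length next to one that checks it. The `blob` type, the function names, the sample serials and the exact shape of the flawed check are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical length-tagged buffer; a stand-in, not the GnuTLS datum type. */
struct blob { const unsigned char *data; size_t size; };

/* Assumed flawed form: only resp.size bytes are compared, so a shorter
 * serial that is a prefix of the certificate's serial is accepted. */
static int serial_match_flawed(struct blob resp, struct blob cert)
{
    return memcmp(resp.data, cert.data, resp.size) == 0;
}

/* Corrected form: the lengths must agree before the bytes are compared. */
static int serial_match_checked(struct blob resp, struct blob cert)
{
    if (resp.size != cert.size)
        return 0;
    return memcmp(resp.data, cert.data, cert.size) == 0;
}

/* Constructed sample serials (big-endian), not from any real certificate. */
static const unsigned char CERT_SERIAL[]  = { 0x01, 0xA4, 0x7C, 0x10 };
static const unsigned char SHORT_SERIAL[] = { 0x01, 0xA4 };

static struct blob cert_serial(void)
{
    struct blob b = { CERT_SERIAL, sizeof CERT_SERIAL };
    return b;
}

static struct blob short_serial(void)
{
    struct blob b = { SHORT_SERIAL, sizeof SHORT_SERIAL };
    return b;
}

/* Verdicts for an OCSP response whose serial is only a prefix of the cert's. */
int prefix_flawed(void)  { return serial_match_flawed(short_serial(), cert_serial()); }
int prefix_checked(void) { return serial_match_checked(short_serial(), cert_serial()); }
int exact_checked(void)  { return serial_match_checked(cert_serial(), cert_serial()); }

int main(void)
{
    printf("prefix serial, length ignored: %d\n", prefix_flawed());
    printf("prefix serial, length checked: %d\n", prefix_checked());
    printf("equal serial,  length checked: %d\n", exact_checked());
    return 0;
}
```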