[gnutls-devel] gnutls 3.5.8

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jan 9 09:17:16 CET 2017


Hello, 
I've just released gnutls 3.5.8. This is a bug fix release, and is also
the release of the 3.5.x branch marked as stable. As such, 3.5.x fully replaces
the (ABI-compatible) 3.4.x branch, which will no longer receive updates.

Several issues fixed in this release were found using the oss-fuzz project.
I'd like to thank Alex Gaynor for bringing gnutls to OSS-FUZZ and fixing
issues. The existing fuzzers for gnutls are available in the devel/fuzz
directory of the master branch.


* Version 3.5.8 (released 2017-01-09)

** libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
   functions will not leave the verification profiles field in an
   undefined state. The last call will take precedence.

** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
   by PKCS#8 decryption functions when an invalid key is provided. This
   addresses a regression in decrypting certain PKCS#8 keys.

** libgnutls: Introduced option to override the default priority string
   used by the library. The intention is to allow support of system-wide
   priority strings (as set with --with-system-priority-file). The
   configure option is --with-default-priority-string.

** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
   This prevents crashes when decrypting malformed PKCS#8 keys.
   (issue found using oss-fuzz project)

** libgnutls: Fix crash on the loading of malformed private keys with certain
   parameters set to zero. (issue found using oss-fuzz project)

** libgnutls: Fix double free in certificate information printing. If the PKIX
   proxy extension was set with a policy language but no policy specified,
   that could lead to a double free. (issue found using oss-fuzz project)

** libgnutls: Addressed memory leaks in client and server side error paths
   (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks in X.509 certificate printing error paths
   (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
   parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)

** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
   (issues found using oss-fuzz project)

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.8.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.8.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos
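The announcement says the tarball is signed with key 0x96865171. A plain `gpg --verify` only tells you that some key in your keyring produced a valid signature; the check a practitioner wants is that the signer is the expected key. The script below is an added example, not part of the announcement or of the GnuTLS project: it runs gpg with `--status-fd`, extracts the signer's primary-key fingerprint from the VALIDSIG status line, and compares its tail against the pinned key ID. The only inputs it assumes are a local copy of the tarball and its .sig file and a gpg with the signing key already imported; the sample status output used for illustration is constructed.

```shell
#!/bin/sh
# Added example (not GnuTLS project code): verify a detached OpenPGP
# signature and pin the signer to the key ID named in the announcement.

EXPECTED_KEYID="96865171"   # key ID quoted in the announcement

# Read gpg --status-fd output on stdin and print the signer's primary-key
# fingerprint (the last field of the VALIDSIG line). Exits 1 when no
# VALIDSIG line is present, i.e. when the signature did not verify.
# VALIDSIG format (gpg doc/DETAILS):
#   [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <rsvd> <pk-algo> \
#            <hash-algo> <class> <primary-key-fpr>
signer_of_status() {
    awk '$2 == "VALIDSIG" { print $NF; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Succeeds when fingerprint $1 ends with key ID $2 (a v4 key ID is the low
# 64 bits of the fingerprint, so a suffix match is the right comparison).
# gpg prints fingerprints in upper-case hex, so the key ID is upper-cased.
matches_keyid() {
    fpr="$1"
    keyid=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case "$fpr" in
        *"$keyid") return 0 ;;
        *)         return 1 ;;
    esac
}

# verify_tarball TARBALL SIGFILE KEYID
# Returns 0 only if gpg reports a valid signature AND the signing key's
# fingerprint ends with KEYID. A valid signature from any other key fails.
verify_tarball() {
    tarball="$1"; sig="$2"; keyid="$3"
    status=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | signer_of_status) || return 1
    matches_keyid "$fpr" "$keyid"
}

# Usage: ./verify.sh gnutls-3.5.8.tar.xz gnutls-3.5.8.tar.xz.sig
if [ -n "${2:-}" ]; then
    if verify_tarball "$1" "$2" "$EXPECTED_KEYID"; then
        echo "OK: $1 signed by key $EXPECTED_KEYID"
    else
        echo "FAIL: signature missing, invalid, or from an unexpected key" >&2
        exit 1
    fi
fi
```

A 32-bit short key ID such as 96865171 is cheap to collide, so for anything beyond a quick check pass `matches_keyid` the full 40-hex-digit fingerprint obtained out of band (for example from a previously verified release or the key in a distribution's keyring) rather than the short ID printed in the mail.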
