[gnutls-devel] gnutls 3.5.10
nmav at gnutls.org
Mon Mar 6 08:05:39 CET 2017
I've just released gnutls 3.5.10. This is a bug fix release on the
* Version 3.5.10 (released 2017-03-06)
** gnutls.pc: do not include libidn2 in Requires.private. The libidn2 versions
available do not include libidn2.pc, thus the inclusion was causing pkg-config
issues. Instead we include -lidn2 in Libs.private when compile against libidn2.
** libgnutls: optimized access to subject alternative names (SANs) in parsed
certificates. The previous implementation assumed a small number of
SANs in a certificate, with repeated calls to ASN.1 decoding of the extension
without any intermediate caching. That caused delays in certificates with
a long list of names in functions such as gnutls_x509_crt_check_hostname().
With the current code, the SANs are parsed once on certificate import.
Resolves gitlab issue #165.
** libgnutls: Addressed integer overflow resulting to invalid memory write
in OpenPGP certificate parsing. Issue found using oss-fuzz project:
** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
certificate parsing. Issue found using oss-fuzz project:
** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
to private key parser. No longer allow OpenPGP certificates (public keys)
to contain private key sub-packets. Issue found using oss-fuzz project:
** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
could lead in out-of-memory condition. Issue found using oss-fuzz project,
and was fixed by Alex Gaynor:
** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
when printing certificate information.
** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
flags can be set from the gnutls_certificate_verify_flags enumeration.
This allows the functions to pass the same flags available for certificates
to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
** libgnutls: gnutls_store_commitment() can accept flag
GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
in applications which use SHA1 for example, after SHA1 is deprecated.
** certtool: No longer ignore the 'add_critical_extension' template option if
the 'add_extension' option is not present.
** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
starttls-proto command. Patch by Robert Scheck.
** API and ABI modifications:
No changes since last version.
Getting the Software
GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.
Here are the XZ compressed sources:
Here are OpenPGP detached signatures signed using key 0x96865171:
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
More information about the Gnutls-devel