[gnutls-help] gnutls 3.5.10

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Mar 6 08:05:39 CET 2017

I've just released gnutls 3.5.10. This is a bug fix release on the
3.5.x branch.

* Version 3.5.10 (released 2017-03-06)

** gnutls.pc: do not include libidn2 in Requires.private. The libidn2 versions
   available do not include libidn2.pc, thus the inclusion was causing pkg-config
   issues. Instead we include -lidn2 in Libs.private when compiled against libidn2.

** libgnutls: optimized access to subject alternative names (SANs) in parsed
   certificates. The previous implementation assumed a small number of
   SANs in a certificate, with repeated calls to ASN.1 decoding of the extension
   without any intermediate caching. That caused delays in certificates with
   a long list of names in functions such as gnutls_x509_crt_check_hostname().
   With the current code, the SANs are parsed once on certificate import.
   Resolves gitlab issue #165.

** libgnutls: Addressed integer overflow resulting in an invalid memory write
   in OpenPGP certificate parsing. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 [GNUTLS-SA-2017-3A]

** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
   certificate parsing. Issue found using oss-fuzz project:

** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
   to private key parser. No longer allow OpenPGP certificates (public keys)
   to contain private key sub-packets. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B]

** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
   could lead to an out-of-memory condition. Issue found using oss-fuzz project,
   and was fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C]
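The four OpenPGP fixes above are all variants of one problem: packet lengths
taken from attacker-controlled input and used before they are checked, plus a
packet type (secret-key material) that should never appear in a public
certificate. The following is an added example, not gnutls code, showing how a
defensive RFC 4880 packet-header walker handles those cases: every length is
compared against the remaining buffer rather than added to an offset (so it
cannot wrap), oversized lengths are rejected before any allocation, and
Secret-Key/Secret-Subkey packets (tags 5 and 7) are refused in a public-key
block. The MAX_PACKET_LEN cap and the helper that builds the sample packets are
assumptions made for the example.

```python
import struct

# RFC 4880 packet tags used here.
PUBLIC_KEY_TAGS = {6, 14}        # Public-Key, Public-Subkey
SECRET_KEY_TAGS = {5, 7}         # Secret-Key, Secret-Subkey
MAX_PACKET_LEN = 1 << 20         # assumed cap for this example (1 MiB)


class PacketError(ValueError):
    """Raised for any malformed or disallowed packet."""


def parse_header(buf: bytes, off: int):
    """Parse one packet header (old or new format) starting at buf[off].

    Returns (tag, body_start, body_len). Every read is bounds-checked and the
    declared length is validated against the remaining buffer before it is
    used, so a hostile length cannot cause an over-read or a huge allocation.
    """
    if off >= len(buf):
        raise PacketError("header at end of buffer")
    ctb = buf[off]
    if not ctb & 0x80:
        raise PacketError("bit 7 of the packet tag byte must be set")
    pos = off + 1
    if ctb & 0x40:  # new-format header
        tag = ctb & 0x3F
        if pos >= len(buf):
            raise PacketError("truncated new-format length")
        first = buf[pos]
        pos += 1
        if first < 192:
            length = first
        elif first < 224:
            if pos >= len(buf):
                raise PacketError("truncated two-octet length")
            length = ((first - 192) << 8) + buf[pos] + 192
            pos += 1
        elif first == 255:
            if pos + 4 > len(buf):
                raise PacketError("truncated five-octet length")
            length = struct.unpack(">I", buf[pos:pos + 4])[0]
            pos += 4
        else:
            raise PacketError("partial body lengths are not accepted in a key block")
    else:  # old-format header
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 3:
            raise PacketError("indeterminate length is not accepted")
        nbytes = 1 << ltype          # 1, 2 or 4 length octets
        if pos + nbytes > len(buf):
            raise PacketError("truncated old-format length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    # Validate before use: compare against what remains instead of computing
    # pos + length, which is where a fixed-width integer would wrap.
    if length > len(buf) - pos:
        raise PacketError("packet length exceeds buffer")
    if length > MAX_PACKET_LEN:
        raise PacketError("packet length exceeds cap")
    return tag, pos, length


def check_public_cert(buf: bytes):
    """Walk every packet of a public-key block and return the tag sequence.

    Secret-key packets are rejected outright: a public certificate has no
    business carrying them, and the private-key parser is not reachable from
    public-key input.
    """
    off, tags = 0, []
    while off < len(buf):
        tag, start, length = parse_header(buf, off)
        if tag in SECRET_KEY_TAGS:
            raise PacketError(f"secret-key packet (tag {tag}) in a public certificate")
        tags.append(tag)
        off = start + length
    return tags


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet (helper for the constructed sample data)."""
    n = len(body)
    if n < 192:
        ln = bytes([n])
    elif n < 8384:
        n2 = n - 192
        ln = bytes([(n2 >> 8) + 192, n2 & 0xFF])
    else:
        ln = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + ln + body


if __name__ == "__main__":
    # Constructed sample: a public key packet followed by a user ID packet.
    good = new_format_packet(6, b"\x04" + bytes(300)) + new_format_packet(13, b"test <t@example.com>")
    print(check_public_cert(good))
```

The same checks apply to the sub-packet lengths inside signature packets; the
pattern is always "validate against remaining input, then cap, then read".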

** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
   when printing certificate information.
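The RFC 7469 pin value is not a hash of the certificate or of the raw key: it is
the base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo, so it survives
certificate renewal as long as the key pair is reused. The following added
example, which is not gnutls or certtool code, walks the certificate DER with a
minimal TLV reader to locate the SPKI and computes the pin. The certificate it
operates on is constructed inline (an unsigned, structurally valid shell around
an Ed25519 SPKI with a made-up key), and the tiny DER encoder used to build it
is an assumption of the example.

```python
import base64
import hashlib


def der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, off: int):
    """Decode the tag and length at buf[off]; return (tag, content_start, content_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[off], buf[off + 1]
    pos = off + 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if length > len(buf) - pos:
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length


def children(buf: bytes, start: int, end: int):
    """List the elements directly inside [start, end) as (tag, elem_start, elem_end)."""
    out, off = [], start
    while off < end:
        tag, _, ce = read_tlv(buf, off)
        out.append((tag, off, ce))
        off = ce
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    tag, cs, ce = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_start, _ = children(cert_der, cs, ce)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, ts, te = read_tlv(cert_der, tbs_start)
    elems = children(cert_der, ts, te)
    if elems and elems[0][0] == 0xA0:   # optional EXPLICIT [0] version
        elems = elems[1:]
    # Remaining order: serial, signature AlgId, issuer, validity, subject, SPKI
    if len(elems) < 6:
        raise ValueError("tbsCertificate too short")
    _, s, e = elems[5]
    return cert_der[s:e]


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_pin(cert_der: bytes) -> str:
    return pin_sha256(extract_spki(cert_der))


# --- constructed sample data (not a real certificate) ---------------------

ED25519_ALG = tlv(0x30, tlv(0x06, bytes([0x2B, 0x65, 0x70])))   # OID 1.3.101.112


def ed25519_spki(pubkey32: bytes) -> bytes:
    return tlv(0x30, ED25519_ALG + tlv(0x03, b"\x00" + pubkey32))


def constructed_certificate(spki: bytes) -> bytes:
    """Structurally valid, unsigned certificate shell for the demo (dummy signature)."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    serial = tlv(0x02, b"\x01")
    empty_name = tlv(0x30, b"")
    utc = tlv(0x17, b"170306000000Z")
    validity = tlv(0x30, utc + utc)
    tbs = tlv(0x30, version + serial + ED25519_ALG + empty_name + validity + empty_name + spki)
    return tlv(0x30, tbs + ED25519_ALG + tlv(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    cert = constructed_certificate(ed25519_spki(bytes(range(32))))
    print("pin-sha256=\"%s\"" % hpkp_pin(cert))
```

When comparing against what a tool prints, make sure both sides hash the SPKI
and not the certificate: a pin computed over the whole DER changes on every
renewal and will never match.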

** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
   flags can be set from the gnutls_certificate_verify_flags enumeration.
   This allows the functions to pass the same flags available for certificates
   to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or

** libgnutls: gnutls_store_commitment() can accept flag
   GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
   in applications which use SHA1 for example, after SHA1 is deprecated.

** certtool: No longer ignore the 'add_critical_extension' template option if
   the 'add_extension' option is not present.

** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
   starttls-proto command. Patch by Robert Scheck.

** API and ABI modifications:
No changes since last version.

Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]