From zfridric at redhat.com Fri May 13 09:12:34 2022 From: zfridric at redhat.com (Zoltan Fridrich) Date: Fri, 13 May 2022 09:12:34 +0200 Subject: [gnutls-help] gnutls 3.7.5 Message-ID: Hello, We have just released gnutls-3.7.5. This is a bug fix and enhancement release on the 3.7.x branch. We would like to thank everyone who contributed in this release: Tim Kosse, Tatsuhiro Tsujikawa, Brian Wickman, Franti?ek Kren?elok, Andreas Metzler, Benjamin Herrenschmidt, Pedro Monreal, Tobias Heider, Sam James, Daiki Ueno and Zoltan Fridrich The detailed list of changes follows: * Version 3.7.5 (released 2022-05-15) ** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority ??? modifier have been added to disable session ticket usage in TLS 1.2 because ??? it does not provide forward secrecy (#477). On the other hand, since session ??? tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now ??? only disables session tickets in TLS 1.2. Future backward incompatibility: ??? in the next major release of GnuTLS, we plan to remove those flag and ??? modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2. ** gnutls-cli, gnutls-serv: Channel binding for printing information ??? has been changed from tls-unique to tls-exporter as tls-unique is ??? not supported in TLS 1.3. ** libgnutls: Certificate sanity checks has been enhanced to make ??? gnutls more RFC 5280 compliant (!1583). ??? Following changes were included: - critical extensions are parsed when loading x509 ????? certificate to prohibit any random octet strings. ????? Requires strict-x509 configure option to be enabled ??? - garbage bits in Key Usage extension are prohibited - empty DirectoryStrings in Distinguished name structures ????? of Issuer and Subject name are prohibited ** libgnutls: Removed 3DES from FIPS approved algorithms (#1353). ??? According to the section 2 of SP800-131A Rev.2, 3DES algorithm ??? will be disallowed for encryption after December 31, 2023: ??? https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final ** libgnutls: Optimized support for AES-SIV-CMAC algorithms (#1217, #1312). ??? The existing AEAD API that works in a scatter-gather fashion ??? (gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC. ??? For further optimization, new function (gnutls_aead_cipher_set_key) has been ??? added to set key on the existing AEAD handle without re-allocation. ** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode ??? when used in TLS (#1311). ** The configure arguments for Brotli and Zstandard (zstd) support ??? have changed to reflect the previous help text: they are now ??? --with-brotli/--with-zstd respectively (#1342). ** Detecting the Zstandard (zstd) library in configure has been ??? fixed (#1343). ** API and ABI modifications: GNUTLS_NO_TICKETS_TLS12: New flag gnutls_aead_cipher_set_key: New function Getting the Software ================ GnuTLS may be downloaded directly from https://www.gnupg.org/ftp/gcrypt/ A list of GnuTLS mirrors can be found at http://www.gnutls.org/download.html Here are the XZ compressed sources: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz Here are OpenPGP detached signatures signed using keys: 5D46CB0F763405A7053556F47A75A648B3F9220C and 462225C3B46F34879FC8496CD605848ED7E69871 https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz.sig Note that it has been signed with my openpgp key: pub ? ed25519 2021-12-23 [SC] [expires: 2023-12-23] ? ? ? 5D46CB0F763405A7053556F47A75A648B3F9220C uid ? ? ? ? ? [ultimate] Zoltan Fridrich sub ? cv25519 2021-12-23 [E] [expires: 2023-12-23] and Daiki Uenos openpgp key: pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25] ????? 462225C3B46F34879FC8496CD605848ED7E69871 uid ?? ? ???? [ultimate] Daiki Ueno > uid?? ??? ??? [ultimate] Daiki Ueno > sub rsa4096 2010-02-04 [E] Regards, Zoltan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x7A75A648B3F9220C.asc Type: application/pgp-keys Size: 669 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 236 bytes Desc: OpenPGP digital signature URL: From zfridric at redhat.com Fri May 27 13:43:27 2022 From: zfridric at redhat.com (Zoltan Fridrich) Date: Fri, 27 May 2022 13:43:27 +0200 Subject: [gnutls-help] gnutls 3.7.6 Message-ID: Hello, We have just released gnutls-3.7.6. This is a bug fix release on the 3.7.x branch. We would like to thank everyone who contributed in this release: Zoltan Fridrich, Daiki Ueno, Tobias Heider and Asad Mehmood The detailed list of changes follows: ** libgnutls: Fixed invalid write when gnutls_realloc_zero() is called with new_size < old_size. This bug caused heap corruption when gnutls_realloc_zero() has been set as gmp reallocfunc (!1592, #1367, #1368, #1369). ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from https://www.gnupg.org/ftp/gcrypt/ A list of GnuTLS mirrors can be found at http://www.gnutls.org/download.html Here are the XZ compressed sources: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.6.tar.xz Here are OpenPGP detached signatures signed using keys: 5D46CB0F763405A7053556F47A75A648B3F9220C and 462225C3B46F34879FC8496CD605848ED7E69871 https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.6.tar.xz.sig Note that it has been signed with my openpgp key: pub ed25519 2021-12-23 [SC] [expires: 2023-12-23] 5D46CB0F763405A7053556F47A75A648B3F9220C uid [ultimate] Zoltan Fridrich sub cv25519 2021-12-23 [E] [expires: 2023-12-23] and Daiki Uenos openpgp key: pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25] 462225C3B46F34879FC8496CD605848ED7E69871 uid [ultimate] Daiki Ueno > uid [ultimate] Daiki Ueno > sub rsa4096 2010-02-04 [E] Regards, Zoltan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x7A75A648B3F9220C.asc Type: application/pgp-keys Size: 669 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 236 bytes Desc: OpenPGP digital signature URL: