From zfridric at redhat.com Fri Feb 10 11:27:56 2023
From: zfridric at redhat.com (Zoltan Fridrich)
Date: Fri, 10 Feb 2023 11:27:56 +0100
Subject: [gnutls-help] gnutls 3.8.0
Message-ID: <189beafc-5fc7-daf7-8edb-f24a27714b62@redhat.com>

Hello,

We have just released gnutls-3.8.0. This is a bug fix and enhancement
release on the 3.8.x branch.

We would like to thank everyone who contributed in this release:
Hubert Kario, Alexander Sosedkin, xuraoqing, Nikolaos Chatzikonstantinou,
Stefan Kangas, Peter Leitmann, Samuel Thibault, Eric Blake, Simon Josefsson,
Tim Kosse, Stanislav Židek, František Krenželok, Daiki Ueno and
Zoltan Fridrich

The detailed list of changes follows:

* Version 3.8.0 (released 2023-02-09)

** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
   Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
   [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]

** libgnutls: C++ library is now header only. All definitions from
   gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++
   interface have two options:
   1. include gnutlsxx.h in their application and link against
      the C library. (default)
   2. include gnutlsxx.h in their application, compile with
      GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
      against the C++ library.

** libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
   priority modifier have been added to allow disabling of the
   status_request TLS extension in the client side.

** libgnutls: TLS heartbeat is disabled by default.
   The heartbeat extension in TLS (RFC 6520) is not widely used given
   other implementations dropped support for it. To enable back
   support for it, supply --enable-heartbeat-support to configure
   script.

** libgnutls: SRP authentication is now disabled by default.
   It is disabled because the SRP authentication in TLS is not up to
   date with the latest TLS standards and its ciphersuites are based
   on the CBC mode and SHA-1. To enable it back, supply
   --enable-srp-authentication option to configure script.

** libgnutls: All code has been indented using "indent -ppi1 -linux".
   CI/CD has been adjusted to catch regressions. This is implemented
   through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml's
   commit-check. You may run devel/indent-gnutls to fix any
   indentation issues if you make code modifications.

** guile: Guile-bindings removed.
   They have been extracted into a separate project to reduce complexity
   and to simplify maintenance, see .

** minitasn1: Upgraded to libtasn1 version 4.19.

** API and ABI modifications:
GNUTLS_NO_STATUS_REQUEST: New flag
GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member
GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member

Getting the Software
================

GnuTLS may be downloaded directly from
https://www.gnupg.org/ftp/gcrypt/

A list of GnuTLS mirrors can be found at
http://www.gnutls.org/download.html

Here are the XZ compressed sources:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.0.tar.xz

Here are OpenPGP detached signatures signed using keys:
5D46CB0F763405A7053556F47A75A648B3F9220C and
462225C3B46F34879FC8496CD605848ED7E69871

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.0.tar.xz.sig

Note that it has been signed with my openpgp key:

pub   ed25519 2021-12-23 [SC] [expires: 2023-12-23]
      5D46CB0F763405A7053556F47A75A648B3F9220C
uid           [ultimate] Zoltan Fridrich
sub   cv25519 2021-12-23 [E] [expires: 2023-12-23]

and Daiki Ueno's openpgp key:

pub   rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
      462225C3B46F34879FC8496CD605848ED7E69871
uid           [ultimate] Daiki Ueno
uid           [ultimate] Daiki Ueno
sub   rsa4096 2010-02-04 [E]

Regards,
Zoltan

From ametzler at bebt.de Fri Feb 10 15:04:44 2023
From: ametzler at bebt.de (Andreas Metzler)
Date: Fri, 10 Feb 2023 15:04:44 +0100
Subject: [gnutls-help] gnutls 3.8.0
In-Reply-To: <189beafc-5fc7-daf7-8edb-f24a27714b62@redhat.com>
References: <189beafc-5fc7-daf7-8edb-f24a27714b62@redhat.com>
Message-ID:

On 2023-02-10 Zoltan Fridrich wrote:
> Hello,

> We have just released gnutls-3.8.0. This is a bug fix and enhancement
> release on the 3.8.x branch.
[...]
> ** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
>    Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
>    [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]
[...]

Hello,

thank you.

I gather from the bug report that this probably affects at least all
supported versions, i.e. 3.6.x and 3.7.x (< 3.7.9) - Can you confirm?

TIA, cu Andreas

From asosedkin at redhat.com Fri Feb 10 15:19:47 2023
From: asosedkin at redhat.com (Alexander Sosedkin)
Date: Fri, 10 Feb 2023 15:19:47 +0100
Subject: [gnutls-help] gnutls 3.8.0
In-Reply-To:
References: <189beafc-5fc7-daf7-8edb-f24a27714b62@redhat.com>
Message-ID:

On Fri, Feb 10, 2023 at 3:05 PM Andreas Metzler wrote:
>
> On 2023-02-10 Zoltan Fridrich wrote:
> > Hello,
>
> > We have just released gnutls-3.8.0. This is a bug fix and enhancement
> > release on the 3.8.x branch.
> [...]
> > ** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
> >    Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
> >    [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]
> [...]
>
> Hello,
>
> thank you.
>
> I gather from the bug report that this probably affects at least all
> supported versions, i.e. 3.6.x and 3.7.x (< 3.7.9) - Can you confirm?
>
> TIA, cu Andreas

The problematic code is present in 3.6.5-3.6.16, 3.7.0-3.7.8.

From comms at dabrev.com Mon Feb 13 20:08:06 2023
From: comms at dabrev.com (Troy Hinckley)
Date: Mon, 13 Feb 2023 13:08:06 -0600
Subject: [gnutls-help] Gnutls version with with fix for CVE-2021-46848
References: <65e3e40c-37b9-415b-aae0-7a0a82ac6fcd@Spark>
Message-ID:

My company will not let us use gnutls due to CVE-2021-46848, which
impacts libtasn1 versions less than 4.19. Gnutls is using version 4.16,
and hence is subject to this vulnerability. We attempted to build with
4.19, but the build failed. What would it take for Gnutls to upgrade to
a security compliant version of libtasn1?

- Troy Hinckley

From ueno at gnu.org Tue Feb 14 07:37:14 2023
From: ueno at gnu.org (Daiki Ueno)
Date: Tue, 14 Feb 2023 15:37:14 +0900
Subject: [gnutls-help] Gnutls version with with fix for CVE-2021-46848
In-Reply-To: (Troy Hinckley's message of "Mon, 13 Feb 2023 13:08:06 -0600")
References: <65e3e40c-37b9-415b-aae0-7a0a82ac6fcd@Spark>
Message-ID: <874jro3g85.fsf-ueno@gnu.org>

Troy Hinckley writes:

> My company will not let us use gnutls due to CVE-2021-46848, which impacts libtasn1
> versions less than 4.19. Gnutls is using version 4.16, and hence is subject to this
> vulnerability. We attempted to build with 4.19, but the build failed. What would it take
> for Gnutls to upgrade to a security compliant version of libtasn1?

I think that depends on how you build GnuTLS. If it is configured to
link with libtasn1 installed on the system (default), you would anyway
need to update it; I suggest any build failure to the upstream issue
tracker:
https://gitlab.com/gnutls/libtasn1/-/issues

Otherwise, if it is configured to use libtasn1 bundled in GnuTLS release
(i.e., with --with-included-libtasn1), upgrading to GnuTLS 3.8.0 might
be an option, as it includes 4.19.

Regards,
-- 
Daiki Ueno
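
The two exposure questions answered in this thread can be turned into a per-build triage check. The following is an added example, not part of any message above and not GnuTLS project code. It assumes that releases after 3.8.0 do not bundle an older libtasn1, and the function names and host inventory are hypothetical.

```python
# Added example; ranges and thresholds are the ones quoted in the thread.
import re

# "The problematic code is present in 3.6.5-3.6.16, 3.7.0-3.7.8." (CVE-2023-0361)
GNUTLS_RSA_ORACLE_RANGES = [((3, 6, 5), (3, 6, 16)), ((3, 7, 0), (3, 7, 8))]
# CVE-2021-46848 "impacts libtasn1 versions less than 4.19".
LIBTASN1_FIXED = (4, 19, 0)
# GnuTLS 3.8.0 is the release stated to bundle libtasn1 4.19.
GNUTLS_BUNDLING_FIXED_TASN1 = (3, 8, 0)


def parse_version(text):
    """Turn '3.7.8' or '4.19' into a 3-tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups(default="0"))


def triage(gnutls, included_libtasn1, system_libtasn1=None):
    """Return a verdict per CVE for one build.

    included_libtasn1: True if built with --with-included-libtasn1.
    system_libtasn1: version of the system library, used only otherwise.
    """
    g = parse_version(gnutls)
    result = {}
    hit = any(lo <= g <= hi for lo, hi in GNUTLS_RSA_ORACLE_RANGES)
    result["CVE-2023-0361"] = "affected" if hit else "outside stated ranges"

    if included_libtasn1:
        # The thread only vouches for the copy shipped in 3.8.0 (assumed to
        # hold for later releases); older bundles must be checked in the tree.
        ok = g >= GNUTLS_BUNDLING_FIXED_TASN1
        result["CVE-2021-46848"] = "fixed" if ok else "check bundled copy"
    elif system_libtasn1 is None:
        result["CVE-2021-46848"] = "unknown: system libtasn1 version needed"
    else:
        t = parse_version(system_libtasn1)
        result["CVE-2021-46848"] = "fixed" if t >= LIBTASN1_FIXED else "affected"
    return result


# Constructed inventory (hypothetical hosts), not data from the mailing list.
INVENTORY = {
    "build-a": ("3.7.8", False, "4.16"),
    "build-b": ("3.8.0", True, None),
    "build-c": ("3.8.0", False, "4.16"),
}
REPORT = {host: triage(*args) for host, args in INVENTORY.items()}
```

The build-c entry shows the case from the last reply: upgrading GnuTLS to 3.8.0 does not change the libtasn1 verdict when the build links against an older system copy.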