[gnutls-help] gnutls 3.8.0

Zoltan Fridrich zfridric at redhat.com
Fri Feb 10 11:27:56 CET 2023


We have just released gnutls-3.8.0. This is a bug fix and enhancement 
release on the 3.8.x branch.

We would like to thank everyone who contributed in this release:
Hubert Kario, Alexander Sosedkin, xuraoqing, Nikolaos 
Chatzikonstantinou, Stefan Kangas,
Peter Leitmann, Samuel Thibault, Eric Blake, Simon Josefsson, Tim Kosse, 
Stanislav Židek,
František Krenželok, Daiki Ueno and Zoltan Fridrich

The detailed list of changes follows:

* Version 3.8.0 (released 2023-02-09)

** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
[GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]

** libgnutls: C++ library is now header only. All definitions from
gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++
interface have two options:
1. include gnutlsxx.h in their application and link against
the C library. (default)
2. include gnutlsxx.h in their application, compile with
GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
against the C++ library.

priority modifier have been added to allow disabling of the
status_request TLS extension in the client side.

** libgnutls: TLS heartbeat is disabled by default.
The heartbeat extension in TLS (RFC 6520) is not widely used given
other implementations dropped support for it. To enable back
support for it, supply --enable-heartbeat-support to configure

** libgnutls: SRP authentication is now disabled by default.
It is disabled because the SRP authentication in TLS is not up to
date with the latest TLS standards and its ciphersuites are based
on the CBC mode and SHA-1. To enable it back, supply
--enable-srp-authentication option to configure script.

** libgnutls: All code has been indented using "indent -ppi1 -linux".
CI/CD has been adjusted to catch regressions. This is implemented
through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s
commit-check. You may run devel/indent-gnutls to fix any
indentation issues if you make code modifications.

** guile: Guile-bindings removed.
They have been extracted into a separate project to reduce complexity
and to simplify maintenance, see <https://gitlab.com/gnutls/guile/>.

** minitasn1: Upgraded to libtasn1 version 4.19.

** API and ABI modifications:
GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member
GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member

Getting the Software

GnuTLS may be downloaded directly from
https://www.gnupg.org/ftp/gcrypt/ <https://www.gnupg.org/ftp/gcrypt/>
A list of GnuTLS mirrors can be found at
http://www.gnutls.org/download.html <http://www.gnutls.org/download.html>

Here are the XZ compressed sources:

Here are OpenPGP detached signatures signed using keys:

Note that it has been signed with my openpgp key:
pub   ed25519 2021-12-23 [SC] [expires: 2023-12-23]
uid           [ultimate] Zoltan Fridrich <zfridric at redhat.com>
sub   cv25519 2021-12-23 [E] [expires: 2023-12-23]

and Daiki Uenos openpgp key:
pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
uid           [ultimate] Daiki Ueno <ueno at unixuser.org 
uid           [ultimate] Daiki Ueno <ueno at gnu.org 
sub rsa4096 2010-02-04 [E]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20230210/954a1663/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x7A75A648B3F9220C.asc
Type: application/pgp-keys
Size: 669 bytes
Desc: OpenPGP public key
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20230210/954a1663/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20230210/954a1663/attachment-0001.sig>

More information about the Gnutls-help mailing list