From fiona.klute at gmx.de Fri Mar 20 13:36:21 2026
From: fiona.klute at gmx.de (Fiona Klute)
Date: Fri, 20 Mar 2026 14:36:21 +0200
Subject: [mod_gnutls-devel] Security releases: mod_gnutls 0.13.0 and 0.12.3

Hi everyone,

I have just uploaded two new releases and matching signed tags containing security fixes:

* 0.13.0 [1] fixes CVE-2026-33307 (stack-based buffer overflow caused by a long client certificate chain [2]) and CVE-2026-33308 (missing key purpose check in client certificate verification [3]). Use the new GnuTLSClientKeyPurpose option if you expect a Key Purpose other than id-kp-clientAuth. This release also switches the build system from Autotools to Meson, so the release tarball contains nothing the repository as tagged does not (no generated ./configure script, etc.).

* 0.12.3 [4] contains a minimal fix for CVE-2026-33307 only, for users of 0.12.x who cannot quickly upgrade to 0.13.0.

Please see the changelog on the release pages and the security advisories for details.

Thanks to Ireneusz Pastusiak from Tenable for the detailed reports!

Regards,
Fiona

[1] https://github.com/airtower-luna/mod_gnutls/releases/tag/mod_gnutls%2F0.13.0
[2] https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-gjpm-55p4-c76r
[3] https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-hm2g-m958-8qgh
[4] https://github.com/airtower-luna/mod_gnutls/releases/tag/mod_gnutls%2F0.12.3
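The second fix in 0.13.0 concerns the key purpose (Extended Key Usage) of a client certificate: a server that verifies the chain but never asks whether the certificate was issued for id-kp-clientAuth will accept, for example, a server-only certificate from the same CA as a client identity. The following is an added illustration of that check, not mod_gnutls code and not the implementation behind GnuTLSClientKeyPurpose. It uses the Python `cryptography` package (assumed to be installed), builds throwaway self-signed certificates in memory as constructed input, and applies the RFC 5280 rule: no EKU extension means unrestricted, otherwise the expected purpose or anyExtendedKeyUsage must be listed. The `expected` parameter plays the role that a configured key purpose does in the server: it defaults to id-kp-clientAuth and can be set to another OID.

```python
"""Key-purpose (Extended Key Usage) check for a client certificate.

Added example: constructs self-signed certificates in memory with
different EKU lists and applies the check a TLS server should make
before accepting a verified client certificate as a client identity.
Requires the `cryptography` package (assumption).
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# id-kp-clientAuth (1.3.6.1.5.5.7.3.2), the default purpose for a client cert.
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH
SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH
ANY_EKU = ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE


def make_self_signed(common_name, purposes):
    """Build a self-signed certificate with the given EKU OIDs.

    purposes=None omits the EKU extension entirely, which is the
    "unrestricted" case under RFC 5280. Constructed test data only.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if purposes is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(purposes), critical=False)
    return builder.sign(key, hashes.SHA256())


def key_purpose_ok(cert, expected=CLIENT_AUTH, allow_missing_eku=True):
    """Return True if `cert` may be used for the `expected` key purpose.

    This is the check that chain validation alone does not perform:
    - EKU extension absent: the certificate is unrestricted; accept only
      if the deployment chooses to (allow_missing_eku).
    - EKU extension present: `expected` or anyExtendedKeyUsage must be
      listed, otherwise the certificate was issued for something else.
    """
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return allow_missing_eku
    return expected in eku or ANY_EKU in eku


def demo():
    """Run the check over constructed certificates; returns a result map."""
    certs = {
        "client-auth": make_self_signed("client", [CLIENT_AUTH]),
        "server-only": make_self_signed("server", [SERVER_AUTH]),
        "any-eku": make_self_signed("any", [ANY_EKU]),
        "no-eku": make_self_signed("plain", None),
    }
    return {label: key_purpose_ok(cert) for label, cert in certs.items()}


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label:12s} accepted as client identity: {accepted}")
```

The point of the `expected` parameter is the same as a configurable key purpose option on the server: deployments that issue client certificates with a non-standard purpose need to name it explicitly, because a check that silently accepts any EKU would reintroduce the original problem.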