[mod_gnutls-devel] Security releases: mod_gnutls 0.13.0 and 0.12.3
Fiona Klute
fiona.klute at gmx.de
Fri Mar 20 13:36:21 CET 2026
Hi everyone,

I have just uploaded two new releases and matching signed tags
containing security fixes:

* 0.13.0 [1] fixes CVE-2026-33307 (stack-based buffer overflow caused by
  a long client certificate chain [2]) and CVE-2026-33308 (missing key
  purpose check in client certificate verification [4]). Use the new
  GnuTLSClientKeyPurpose option if you expect a Key Purpose other than
  id-kp-clientAuth. This release also switches the build system from
  Autotools to Meson, so the release tarball contains nothing the
  repository as tagged does not (no generated ./configure script, etc.).

* 0.12.3 [4] contains a minimal fix for CVE-2026-33307 only, for users
  of 0.12.x who cannot quickly upgrade to 0.13.0.

Please see the changelog on the release pages and the security
advisories for details. Thanks to Ireneusz Pastusiak from Tenable for
the detailed reports!

Regards,
Fiona

[1] https://github.com/airtower-luna/mod_gnutls/releases/tag/mod_gnutls%2F0.13.0
[2] https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-gjpm-55p4-c76r
[3] https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-hm2g-m958-8qgh
[4] https://github.com/airtower-luna/mod_gnutls/releases/tag/mod_gnutls%2F0.12.3