Hello, We've just released gnutls 3.6.15. This is a security and bug fix release on the stable 3.6.x branch.
We'd like to thank everyone who contributed in this release: Alexander Sosedkin, Daniel Lenski, Fiona Klute, Frantisek Krenzelok, James Bottomley, Lei Maohui, Petr Pavlu, Steve Lhomme, and Vitezslav Cizek. The detailed list of changes follows: * Version 3.6.15 (releases 2020-09-04) ** libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing. The server sending a "no_renegotiation" alert in an unexpected timing, followed by an invalid second handshake was able to cause a TLS 1.3 client to crash via a null-pointer dereference. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure (#1071). [GNUTLS-SA-2020-09-04, CVSS: medium] ** libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now indicates that with a false return value (!1306). ** libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked accordingly to SP800-56A rev 3 (!1295, !1299). ** libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than the size of the internal base64 blob (#1025). The new behavior aligns to the existing documentation. ** libgnutls: Certificate verification failue due to OCSP must-stapling is not honered is now correctly marked with the GNUTLS_CERT_INVALID flag (!1317). The new behavior aligns to the existing documentation. ** libgnutls: The audit log message for weak hashes is no longer printed twice (!1301). ** libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is disabled in the priority string. Previously, even when TLS 1.2 is explicitly disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is enabled (#1054). ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from < ftp://ftp.gnutls.org/gcrypt/gnutls/>;. A list of GnuTLS mirrors can be found at < http://www.gnutls.org/download.html> Here are the XZ compressed sources: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.15.tar.xz Here are OpenPGP detached signatures signed using key 0x462225C3B46F34879FC8496CD605848ED7E69871: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.15.tar.xz.sig Note that it has been signed with my openpgp key: pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25] 462225C3B46F34879FC8496CD605848ED7E69871 uid [ultimate] Daiki Ueno <u...@unixuser.org> uid [ultimate] Daiki Ueno <u...@gnu.org> sub rsa4096 2010-02-04 [E] Regards, -- Daiki Ueno, on behalf of the GnuTLS development team
signature.asc
Description: PGP signature
_______________________________________________ Gnutls-help mailing list Gnutls-help@lists.gnutls.org http://lists.gnupg.org/mailman/listinfo/gnutls-help