#11868: gnutls-3.6.7 (CVE-2019-3829 CVE-2019-3836)
-------------------------+-----------------------
 Reporter:  renodr       |      Owner:  blfs-book
     Type:  enhancement  |     Status:  new
 Priority:  high         |  Milestone:  8.5
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-----------------------
 New point version


 {{{
 Hello,
  I've just released gnutls 3.6.7. This is a bug fix and security
 release on the stable 3.6.x branch.

 I'd like to thank everyone who contributed in this release:
 Alon Bar-Lev, Anderson Toshiyuki Sasaki, Andreas Metzler, Bas van
 Schaik, Daiki Ueno, Dmitry Eremin-Solenikov, Hugo Beauzée-Luyssen,
 Ke Zhao, R. Andrew Bailey, Steve Lhomme, and Tim Rühsen.

 The applicable security advisory GNUTLS-SA-2019-03-27 will be made
 available at:
 https://www.gnutls.org/security-new.html

 The detailed list of changes follows; they can be seen in more detail
 in our milestone tracker:
 https://gitlab.com/gnutls/gnutls/milestones/19

 Changes
 =======

 * Version 3.6.7 (released 2019-03-27)

 ** libgnutls, gnutls tools: Every gnutls_free() will automatically set
    the free'd pointer to NULL. This prevents possible use-after-free and
    double free issues. Use-after-free will be turned into NULL dereference.
    The counter-measure does not extend to applications using gnutls_free().

 ** libgnutls: Fixed a memory corruption (double free) vulnerability in the
    certificate verification API. Reported by Tavis Ormandy; addressed with
    the change above. [GNUTLS-SA-2019-03-27, #694]

 ** libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async
    messages; found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]

 ** libgnutls: enforce key usage limitations on certificates more actively.
    Previously we would enforce it for TLS1.2 protocol, now we enforce it
    even when TLS1.3 is negotiated, or on client certificates as well. When
    a certificate inappropriate for TLS1.3 is seen on the credentials
    structure, GnuTLS will disable TLS1.3 support for that session (#690).

 ** libgnutls: the default number of tickets sent under TLS 1.3 was
    increased to two. This makes it easier for clients which perform
    multiple connections to the server to use the tickets sent by a
    default server.

 ** libgnutls: enforce the equality of the two signature parameters fields
    in a certificate. We were already enforcing the signature algorithm,
    but there was a bug in parameter checking code.

 ** libgnutls: fixed issue preventing sending and receiving from different
    threads when false start was enabled (#713).

 ** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a
    writable session, as non-writeable security officer sessions are
    undefined in PKCS#11 (#721).

 ** libgnutls: no longer send downgrade sentinel in TLS 1.3.
    Previously the sentinel value was embedded too early in version
    negotiation and was sent even on TLS 1.3. It is now sent only when
    TLS 1.2 or earlier is negotiated (#689).

 ** gnutls-cli: Added option --logfile to redirect informational messages
    output.

 ** API and ABI modifications:
 No changes since last version.

 }}}

 {{{
 It was found using the TLS fuzzer tools that decoding a malformed TLS1.3
 asynchronous message can cause a server crash via an invalid pointer
 access. The issue affects GnuTLS server applications since 3.6.4. The
 issue was reported in issue tracker as #704.
 Tavis Ormandy from Google Project Zero found a memory corruption (double
 free) vulnerability in the certificate verification API. Any client or
 server application that verifies X.509 certificates with GnuTLS 3.5.8 or
 later is affected. The issue was reported in issue tracker as #694.

 Recommendation: To address the issues found upgrade to GnuTLS 3.6.7 or
 later versions.
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/11868>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
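The free-and-clear pattern behind the first changelog entry (a double free becoming free(NULL), a use-after-free becoming a NULL check failure), as an added C example that is not GnuTLS code: the release() macro, the cert_buf struct and the fake DER byte are constructed stand-ins. It also shows the caveat that only the variable passed to the macro is cleared; a copied pointer still dangles.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example, not GnuTLS code: a release macro that frees and then clears
 * the caller's pointer, in the spirit of the 3.6.7 change described above.
 * It needs an lvalue so the caller's own variable, not a copy, is cleared. */
#define release(p) do { free(p); (p) = NULL; } while (0)

/* Constructed stand-in for a parsed certificate buffer. */
struct cert_buf {
    unsigned char *der;
};

/* Reads the first byte, or returns -1 if the buffer has been released.
 * With the clearing macro a stale access hits this check instead of
 * touching freed memory (use-after-free becomes a NULL check failure). */
static int first_byte(const struct cert_buf *c)
{
    return c->der == NULL ? -1 : c->der[0];
}

/* Error path and cleanup path both release the buffer: the double-free
 * shape from the advisory. Returns 1 if the pointer was cleared after the
 * first release (so the second call is free(NULL), a defined no-op) and the
 * later read was caught; 0 otherwise; -2 on allocation failure. */
int double_release_is_harmless(void)
{
    struct cert_buf c = { malloc(8) };
    if (c.der == NULL)
        return -2;
    c.der[0] = 0x30;                    /* fake DER SEQUENCE tag */
    int live = first_byte(&c);          /* 0x30 while live */
    release(c.der);                     /* error path */
    release(c.der);                     /* cleanup path: free(NULL) */
    int stale = first_byte(&c);         /* -1: caught */
    return (live == 0x30 && c.der == NULL && stale == -1) ? 1 : 0;
}

/* Caveat: only the variable passed to release() is cleared. A second copy
 * of the pointer still dangles, so aliases need their own handling.
 * Returns 1 when the original is NULL but the copy kept its old value. */
int alias_is_not_cleared(void)
{
    struct cert_buf c = { malloc(8) };
    if (c.der == NULL)
        return -2;
    uintptr_t copy = (uintptr_t)c.der;  /* saved as an integer, never used */
    release(c.der);
    return (c.der == NULL && copy != 0) ? 1 : 0;
}
```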