Hello, I've just released gnutls 3.2.12. This is an important bug-fix release on the current stable branch which addresses GNUTLS-SA-2014-2:
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2

This fixes an important (and at the same time embarrassing) bug discovered during an audit for Red Hat. Everyone is urged to upgrade. The git branches of older releases (e.g., 2.12.x) were also updated with patches for the issue, as they are also vulnerable. I'll provide more information on the issue in the next few days.

* Version 3.2.12 (released 2014-03-03)

** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)

** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw when provided with invalid data. Reported by Dmitriy Anisimkov.

** libgnutls: Corrected timeout issue in DTLS handshakes subsequent to the first.

** libgnutls: Removed unconditional not-trusted message in gnutls_certificate_verification_status_print() when used with OpenPGP certificates. Reported by Michel Briand.

** libgnutls: All ciphersuites that were available in TLS1.0 or later are now made available in SSL3.0 or later to prevent any incompatibilities with servers that negotiate them in SSL 3.0.

** ocsptool: When verifying a response and a signer isn't provided, assume that the signer is the issuer.

** ocsptool: When sending a nonce, verify that the nonce exists in the OCSP response.

** gnutls-cli: Added --strict-tofu option; contributed by Jens Lechtenboerger.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from <ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.lz.sig

Note that it has been signed with my openpgp key:

pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid   Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid   Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
http://lists.gnupg.org/mailman/listinfo/gnutls-help
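Acting on the detached signatures the announcement points to, here is an added example (not part of the announcement or of GnuTLS) of checking a download against the announced signing key: it runs gpg with --status-fd and accepts a tarball only when gpg reports GOODSIG plus VALIDSIG from a primary key ending in the short ID 0x96865171. EXPECTED_FINGERPRINT is an assumption you fill in after confirming the full fingerprint out of band, and the sample status lines and their fingerprint are constructed placeholders, not the real key.

```python
import subprocess
from collections import namedtuple

# Short key ID from the announcement. A 32-bit short ID is not collision
# resistant, so pin the full 40-hex fingerprint once confirmed out of band.
EXPECTED_SHORT_ID = "96865171"
EXPECTED_FINGERPRINT = None  # assumption: fill in the verified fingerprint
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

SigResult = namedtuple("SigResult", "valid reason primary_fpr", defaults=("",))

def check_gpg_status(status_lines, short_id=EXPECTED_SHORT_ID,
                     fingerprint=EXPECTED_FINGERPRINT):
    """Accept only GOODSIG+VALIDSIG issued by the expected primary key."""
    goodsig, primary_fpr = False, None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL:           # bad signature, or missing/expired/revoked key
            return SigResult(False, keyword)
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG":    # last field is the primary key fingerprint
            primary_fpr = fields[-1].upper()
    if not (goodsig and primary_fpr):
        return SigResult(False, "no GOODSIG/VALIDSIG")
    if fingerprint and primary_fpr != fingerprint.upper():
        return SigResult(False, "fingerprint mismatch", primary_fpr)
    if not primary_fpr.endswith(short_id.upper()):
        return SigResult(False, "unexpected signing key", primary_fpr)
    return SigResult(True, "ok", primary_fpr)

def verify_tarball(tarball, sig):
    """Run gpg on a downloaded tarball and its .sig (the key must be imported)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig, tarball],
                          capture_output=True, text=True)
    return check_gpg_status(proc.stdout.splitlines())

# Constructed sample status output; the fingerprint is a placeholder, not the real key.
SAMPLE_FPR = "0" * 32 + "96865171"
SAMPLE_GOOD = [
    "[GNUPG:] GOODSIG 0000000096865171 Nikos Mavrogiannopoulos <nmav@gnutls.org>",
    "[GNUPG:] VALIDSIG %s 2014-03-03 1393804800 0 4 0 1 2 00 %s" % (SAMPLE_FPR, SAMPLE_FPR),
]
SAMPLE_BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 0000000096865171 Nikos Mavrogiannopoulos"]
```

verify_tarball("gnutls-3.2.12.tar.xz", "gnutls-3.2.12.tar.xz.sig") returns a SigResult; treat anything but valid=True as a failed download.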
