Hello, I've just released gnutls 3.5.8. This is a bug fix release, and is also the release in the 3.5.x marked as stable. As such the 3.5.x fully replaces the (ABI-compatible) 3.4.x branch which will no longer receive updates.

Several issues fixed at this release were found using the oss-fuzz project. I'd like to thank Alex Gaynor for bringing gnutls to OSS-FUZZ and fixing issues. The existing fuzzers for gnutls/ are available on the devel/fuzz directory in the master branch.

* Version 3.5.8 (released 2016-01-09)

** libgnutls: Ensure that multiple calls to the gnutls_set_priority_* functions will not leave the verification profiles field to an undefined state. The last call will take precedence.

** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned by PKCS#8 decryption functions when an invalid key is provided. This addresses regression on decrypting certain PKCS#8 keys.

** libgnutls: Introduced option to override the default priority string used by the library. The intention is to allow support of system-wide priority strings (as set with --with-system-priority-file). The configure option is --with-default-priority-string.

** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption. This prevents crashes when decrypting malformed PKCS#8 keys. (issue found using oss-fuzz project)

** libgnutls: Fix crash on the loading of malformed private keys with certain parameters set to zero. (issue found using oss-fuzz project)

** libgnutls: Fix double free in certificate information printing. If the PKIX extension proxy was set with a policy language set but no policy specified, that could lead to a double free. (issue found using oss-fuzz project)

** libgnutls: Addressed memory leaks in client and server side error paths (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks in X.509 certificate printing error paths (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)

** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing. (issues found using oss-fuzz project)

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from <ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.8.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.8.tar.xz.sig

Note that it has been signed with my openpgp key:

  pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
  uid   Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
  uid   Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>
  sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
  sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos
