Hello, I've just released gnutls 3.5.10. This is a bug fix release on the 3.5.x branch.
* Version 3.5.10 (released 2017-03-06) ** gnutls.pc: do not include libidn2 in Requires.private. The libidn2 versions available do not include libidn2.pc, thus the inclusion was causing pkg-config issues. Instead we include -lidn2 in Libs.private when compile against libidn2. ** libgnutls: optimized access to subject alternative names (SANs) in parsed certificates. The previous implementation assumed a small number of SANs in a certificate, with repeated calls to ASN.1 decoding of the extension without any intermediate caching. That caused delays in certificates with a long list of names in functions such as gnutls_x509_crt_check_hostname(). With the current code, the SANs are parsed once on certificate import. Resolves gitlab issue #165. ** libgnutls: Addressed integer overflow resulting to invalid memory write in OpenPGP certificate parsing. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 [GNUTLS-SA-2017-3A] ** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP certificate parsing. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391 ** libgnutls: Addressed crashes in OpenPGP certificate parsing, related to private key parser. No longer allow OpenPGP certificates (public keys) to contain private key sub-packets. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B] ** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that could lead in out-of-memory condition. Issue found using oss-fuzz project, and was fixed by Alex Gaynor: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C] ** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469 when printing certificate information. ** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify() flags can be set from the gnutls_certificate_verify_flags enumeration. This allows the functions to pass the same flags available for certificates to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or GNUTLS_VERIFY_ALLOW_BROKEN). ** libgnutls: gnutls_store_commitment() can accept flag GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate in applications which use SHA1 for example, after SHA1 is deprecated. ** certtool: No longer ignore the 'add_critical_extension' template option if the 'add_extension' option is not present. ** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the starttls-proto command. Patch by Robert Scheck. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from <ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be found at <http://www.gnutls.org/download.html>. Here are the XZ compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.10.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.10.tar.xz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos <nmav <at> gnutls.org> uid Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos _______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
