Hello, We've just released gnutls 3.6.16. This is a security and bug fix release on the stable 3.6.x branch.
We'd like to thank everyone who contributed in this release: Daiki Ueno, Fiona Klute, and Stefan Berger. The detailed list of changes follows: * Version 3.6.16 (released 2021-05-24) ** libgnutls: Fixed potential miscalculation of ECDSA/EdDSA code backported from Nettle. In GnuTLS, as long as it is built and linked against the fixed version of Nettle, this only affects GOST curves. [CVE-2021-20305] ** libgnutls: Fixed potential use-after-free in sending "key_share" and "pre_shared_key" extensions. When sending those extensions, the client may dereference a pointer no longer valid after realloc. This happens only when the client sends a large Client Hello message, e.g., when HRR is sent in a resumed session previously negotiated large FFDHE parameters, because the initial allocation of the buffer is large enough without having to call realloc (#1151). [GNUTLS-SA-2021-03-10, CVSS: low] ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from < ftp://ftp.gnutls.org/gcrypt/gnutls/>;. A list of GnuTLS mirrors can be found at < http://www.gnutls.org/download.html> Here are the XZ compressed sources: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.16.tar.xz Here are OpenPGP detached signatures signed using key 0x462225C3B46F34879FC8496CD605848ED7E69871: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.16.tar.xz.sig Note that it has been signed with my openpgp key: pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25] 462225C3B46F34879FC8496CD605848ED7E69871 uid [ultimate] Daiki Ueno <[email protected]> uid [ultimate] Daiki Ueno <[email protected]> sub rsa4096 2010-02-04 [E] Regards, -- Daiki Ueno, on behalf of the GnuTLS development team
signature.asc
Description: PGP signature
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
