Hello,

We have just released gnutls-3.8.12. This is a bug fix, security and enhancement release on the 3.8.x branch.

We would like to thank everyone who contributed in this release: Alexander Sosedkin, Daiki Ueno, Mikhail Dmitrichenko, František Krenželok, Jan Palus, Julien Olivain, Markus Theil, Maxim Cournoyer, xinpeng wang.

The detailed list of changes follows:

* Version 3.8.12 (released 2026-02-09)

** libgnutls: Fix NULL pointer dereference in PSK binder verification
A TLS 1.3 resumption attempt with an invalid PSK binder value in
ClientHello could lead to a denial of service attack via crashing the
server. The updated code guards against the problematic dereference.
Reported by Jaehun Lee.
[Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]

** libgnutls: Fix name constraint processing performance issue
Verifying certificates with pathological amounts of name constraints
could lead to a denial of service attack via resource exhaustion.
Reworked processing algorithms exhibit better performance characteristics.
Reported by Tim Scheckenbach.
[Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]

** libgnutls: Fix multiple unexploitable overflows
Reported by Tim Rühsen (#1783, #1786).

** libgnutls: Fall back to thread-unsafe module initialization
Improve fallback handling for PKCS#11 modules that don't support
thread-safe initialization (#1774). Also return filename from
p11_kit_module_get_name() for unconfigured modules.

** libgnutls: Accept NULL as digest argument for gnutls_hash_output
The accelerated implementation of gnutls_hash_output() now properly
accepts NULL as the digest argument, matching the behavior of the
reference implementation (#1769).

** srptool: Avoid a stack buffer overflow when processing large SRP groups.
Reported and fixed by Mikhail Dmitrichenko (#1777).

** API and ABI modifications:
No changes since last version.
Getting the Software
====================

GnuTLS may be downloaded directly from https://www.gnupg.org/ftp/gcrypt/
A list of GnuTLS mirrors can be found at http://www.gnutls.org/download.html

Here are the XZ compressed sources:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.12.tar.xz

Here are OpenPGP detached signatures signed using keys:
5D46CB0F763405A7053556F47A75A648B3F9220C and E987AB7F7E89667776D05B3BB0E9DD20B29F1432

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.12.tar.xz.sig

Note that it has been signed with the following openpgp keys:

pub   ed25519 2021-12-23 [SC] [expires: 2027-01-01]
      5D46CB0F763405A7053556F47A75A648B3F9220C
uid           [ultimate] Zoltan Fridrich <[email protected]>
sub   cv25519 2021-12-23 [E] [expires: 2027-01-01]

pub   rsa4096 2016-09-27 [SC]
      E987AB7F7E89667776D05B3BB0E9DD20B29F1432
uid           [ultimate] Alexander Sosedkin <[email protected]>
sub   rsa4096 2021-08-21 [A]
sub   rsa4096 2016-09-27 [E]
sub   rsa4096 2016-09-27 [S]

Regards,
Alexander Sosedkin
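An added example, not part of the announcement: a POSIX shell check that goes one step beyond a bare `gpg --verify` by parsing the `--status-fd` output and accepting the tarball only if the signature's primary key fingerprint is one of the two announced above (the last VALIDSIG field is the primary key even when a signing subkey, such as the rsa4096 [S] subkey listed, made the signature). The sample status lines, the all-zero subkey fingerprint and the `1111…` key are constructed; the `gpg` wrapper assumes `gpg` is on PATH.

```shell
#!/bin/sh
# Fingerprints taken from the release announcement.
RELEASE_KEYS="5D46CB0F763405A7053556F47A75A648B3F9220C E987AB7F7E89667776D05B3BB0E9DD20B29F1432"

# Reads `gpg --status-fd 1 --verify` output on stdin. Returns 0 only when a
# VALIDSIG line is present and its last field (the primary key fingerprint,
# also when a signing subkey produced the signature) is an announced key.
# GOODSIG alone is not enough: it names a key, not that the key is trusted
# for this release.
verify_release_sig_status() {
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                primary=$(printf '%s\n' "$line" | awk '{print $NF}')
                for k in $RELEASE_KEYS; do
                    [ "$primary" = "$k" ] && ok=0
                done
                ;;
        esac
    done
    return $ok
}

# Real-world use: verify_release_tarball gnutls-3.8.12.tar.xz
# (expects gnutls-3.8.12.tar.xz.sig next to it, as downloaded above).
verify_release_tarball() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | verify_release_sig_status
}

# Constructed sample status streams (not real gpg output). The first mimics a
# signature from a subkey (placeholder all-zero fingerprint) whose primary key
# is one of the announced keys; the second is a valid signature by an
# unrelated (constructed) key and must be rejected.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alexander Sosedkin <placeholder>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2026-02-09 1770595200 0 4 0 1 8 00 E987AB7F7E89667776D05B3BB0E9DD20B29F1432'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <placeholder>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2026-02-09 1770595200 0 4 0 1 8 00 1111111111111111111111111111111111111111'

check_sample() { printf '%s\n' "$1" | verify_release_sig_status; }
```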