Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#8281 closed enhancement (fixed)

gnutls-3.5.4

Reported by: bdubbs@…
Owned by: Douglas R. Reno
Priority: high
Milestone: 8.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description (last modified by Douglas R. Reno)

Monthly releases:

gnutls-3.5.0.tar.xz	05/09/2016 	08:05:00 AM
gnutls-3.5.1.tar.xz 	06/14/2016 	04:43:00 PM
gnutls-3.5.2.tar.xz	07/06/2016 	09:10:00 AM
gnutls-3.5.3.tar.xz 	08/09/2016 	07:29:00 AM
gnutls-3.5.4.tar.xz 	09/08/2016 	07:33:00 AM
Hello, 
 I've just released gnutls 3.5.4. This is a minor enhancements and
bugfix release for the 3.5.x branch.

* Version 3.5.4 (released 2016-09-08)

** libgnutls: Corrected the comparison of the serial size in OCSP
   response. Previously the OCSP certificate check wouldn't verify the
   serial length and could succeed in cases it shouldn't 
   (GNUTLS-SA-2016-3). Reported by Stefan Buehler.

** libgnutls: Added support for IP name constraints. Patch by Martin
   Ukrop.

** libgnutls: Added support for PKCS#8 file decryption using
   DES-CBC-MD5. This is added to allow decryption of PKCS #8 private
   keys from openssl prior to 1.1.0.

** libgnutls: Added support for decrypting PKCS#8 files which use
   HMAC-SHA256 as PRF. This allows decrypting PKCS #8 private keys
   generated with openssl 1.1.0.

** libgnutls: Added support for internationalized passwords in PKCS#12
   files. Previous versions would only encrypt or decrypt using
   passwords from the ASCII set.

** libgnutls: Addressed issue with PKCS#11 signature generation on
   ECDSA keys. The signature is now written as unsigned integers into
   the DSASignatureValue structure. Previously signed integers could be
   written depending on what the underlying module would produce.
   Addresses #122.

** gnutls-cli: Fixed starttls regression from 3.5.3.

** API and ABI modifications:
GNUTLS_E_MALFORMED_CIDR: Added
gnutls_x509_cidr_to_rfc5280: Added
gnutls_oid_to_mac: Added

Stefan Bühler discovered an issue that affects validation of certificates using OCSP responses, which can falsely report a certificate as valid under certain circumstances. That issue affects gnutls 3.3.24, 3.4.14, 3.5.3 and previous versions. Write-up by Stefan Bühler

Recommendation: Upgrade to GnuTLS versions 3.4.15, 3.5.4 or apply the patch referenced in the mail above.

http://lists.gnutls.org/pipermail/gnutls-devel/2016-September/008146.html
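
The first libgnutls item above (GNUTLS-SA-2016-3) describes a serial comparison that did not verify the serial length. A simplified illustration of that failure mode beside a length-checked comparison, added here and not taken from GnuTLS source; `struct serial`, both function names and the sample bytes are assumptions constructed for the example:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the content bytes of a DER INTEGER serial. */
struct serial {
    const unsigned char *data;
    size_t size;
};

/* Flawed form: only the response's length drives the comparison, so a
 * response serial that is merely a prefix of the certificate serial is
 * reported as a match. (A longer response would also read past cert->data.) */
int serial_match_unchecked(const struct serial *resp, const struct serial *cert)
{
    return memcmp(resp->data, cert->data, resp->size) == 0;
}

/* Corrected form: lengths must be equal before any bytes are compared. */
int serial_match_checked(const struct serial *resp, const struct serial *cert)
{
    if (resp->size != cert->size)
        return 0;
    return memcmp(resp->data, cert->data, cert->size) == 0;
}

/* Constructed sample values, not taken from any real certificate. */
static const unsigned char CERT_BYTES[]   = { 0x01, 0x23, 0x45, 0x67 };
static const unsigned char PREFIX_BYTES[] = { 0x01, 0x23 };
static const unsigned char OTHER_BYTES[]  = { 0x01, 0x23, 0x45, 0x68 };

static const struct serial CERT   = { CERT_BYTES,   sizeof CERT_BYTES };
static const struct serial SAME   = { CERT_BYTES,   sizeof CERT_BYTES };
static const struct serial PREFIX = { PREFIX_BYTES, sizeof PREFIX_BYTES };
static const struct serial OTHER  = { OTHER_BYTES,  sizeof OTHER_BYTES };

int main(void)
{
    printf("prefix, unchecked: %d\n", serial_match_unchecked(&PREFIX, &CERT));
    printf("prefix, checked:   %d\n", serial_match_checked(&PREFIX, &CERT));
    printf("equal,  checked:   %d\n", serial_match_checked(&SAME, &CERT));
    printf("other,  checked:   %d\n", serial_match_checked(&OTHER, &CERT));
    return 0;
}
```
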

Change History (5)

comment:1 by Douglas R. Reno, 8 years ago

Description: modified (diff)
Priority: normal → high

comment:2 by Douglas R. Reno, 8 years ago

Owner: changed from blfs-book@… to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r17758

comment:4 by Douglas R. Reno, 8 years ago

Was given "CVE-2016-7444" by MITRE

comment:5 by bdubbs@…, 7 years ago

Milestone: 7.11 → 8.0

Milestone renamed
