Opened 2 years ago
Closed 2 years ago
#17633 closed enhancement (fixed)
gnutls-3.8.0
| Reported by: | Bruce Dubbs | Owned by: | |
|---|---|---|---|
| Priority: | elevated | Milestone: | 11.3 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
New minor version.
Change History (3)
comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Priority: | normal → elevated |
comment:2 by , 2 years ago
Noting the comment about API and ABI modifications, I looked at a previously installed qpdf. That links to libgnutls.so.30 which previously symlinked to libgnutls.so.30.34.2 and now symlinks to libgnutls.so.35.0. It appears to still work.
Fixed in b1c55f0042ae7d133ccd87c3252fccf3403ff03d 11.2-1162 Security Advisory to follow on Tuesday.
comment:3 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Security Advisory SA 11.2-089 issued.
Note:
See TracTickets
for help on using tickets.
We have just released gnutls-3.8.0. This is a bug fix and enhancement release on the 3.8.x branch.
We would like to thank everyone who contributed in this release: Hubert Kario, Alexander Sosedkin, xuraoqing, Nikolaos Chatzikonstantinou, Stefan Kangas, Peter Leitmann, Samuel Thibault, Eric Blake, Simon Josefsson, Tim Kosse, Stanislav Židek, František Krenželok, Daiki Ueno and Zoltan Fridrich
The detailed list of changes follows:
libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]
libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options:
the C library. (default)
GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library.
libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side.
libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script.
libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any indentation issues if you make code modifications.
guile: Guile-bindings removed. They have been extracted into a separate project to reduce complexity and to simplify maintenance, see <https://gitlab.com/gnutls/guile/>.
minitasn1: Upgraded to libtasn1 version 4.19.
API and ABI modifications: GNUTLS_NO_STATUS_REQUEST: New flag GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member
In addition, upstream added the GNUTLS-SA-2020-07-14 security advisory. https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-07-14 CVE-2023-0361
Severity Medium; timing sidechannel in RSA decryption: A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is affected. The issue was reported in the issue tracker as #1050. Recommendation: To address the issue found upgrade to GnuTLS 3.8.0 or later versions.