Opened 7 months ago

Closed 7 months ago

#21834 closed enhancement (fixed)

gnutls-3.8.10

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.4
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (3)

comment:1 by Douglas R. Reno, 7 months ago

Owner: changed from blfs-book to Douglas R. Reno
Priority: normalelevated
Status: newassigned

comment:2 by Douglas R. Reno, 7 months ago 

* Version 3.8.10 (released 2025-07-08)

** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
   Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
   [CVE-2025-6395]

** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
   Spotted by oss-fuzz and reported by OpenAI Security Research Team,
   and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
   CVSS: medium] [CVE-2025-32989]

** libgnutls: Fix double-free upon error when exporting otherName in SAN
   Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
   CVSS: low] [CVE-2025-32988]

** certtool: Fix 1-byte write buffer overrun when parsing template
   Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
   CVSS: low] [CVE-2025-32990]

** libgnutls: PKCS#11 modules can now be used to override the default
   cryptographic backend. Use the [provider] section in the system-wide config
   to specify path and pin to the module (see system-wide config Documentation).

** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update
   support. The library running on the aforementioned version now utilizes the
   kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
   TLS session. The --enable-ktls configure option as well as the system-wide
   kTLS configuration(see GnuTLS Documentation) are still required to enable
   this feature.

** libgnutls: liboqs support for PQC has been removed
   For maintenance purposes, support for post-quantum cryptography
   (PQC) is now only provided through leancrypto. The experimental key
   exchange algorithm, X25519Kyber768Draft00, which is based on the
   round 3 candidate of Kyber and only supported through liboqs has
   also been removed altogether.

** libgnutls: TLS certificate compression methods can now be set with
   cert-compression-alg configuration option in the gnutls priority file.

** libgnutls: All variants of ML-DSA private key formats are supported
   While the previous implementation of ML-DSA was based on
   draft-ietf-lamps-dilithium-certificates-04, this updates it to
   draft-ietf-lamps-dilithium-certificates-12 with support for all 3
   variants of private key formats: "seed", "expandedKey", and "both".

** libgnutls: ML-DSA signatures can now be used in TLS
   The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
   ML-DSA-87, can now be used to digitally sign TLS handshake
   messages.

** API and ABI modifications:
GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t

comment:3 by Douglas R. Reno, 7 months ago

Resolution: fixed
Status: assignedclosed

Fixed at ce2af3e2f114decb8f0860bce3eb1de7c6bb823d

SA-12.3-070 issued. There wasn't a lot of information to go off of but this update is extremely new, so I will probably update it later once more details are available.

Note: See TracTickets for help on using tickets.