Opened 10 years ago
Closed 10 years ago
#6802 closed enhancement (fixed)
gnutls-3.4.4.1
Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
---|---|---|---|
Priority: | high | Milestone: | 7.8 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.4.1.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.4.1.tar.xz.sig
http://www.gnutls.org/security.html
Notice that I recommend upgrading to 3.4.4.1; below, the recommendation is for the previous 2.4.4.
Tag: GNUTLS-SA-2015-3
Severity: Double free in certificate DN decoding
Information: Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to double free, which may result to a denial of service. Since the DN decoding occurs in almost all applications using certificates it is recommended to upgrade the latest GnuTLS version fixing the issue. Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17.
No announcement for gnutls-3.4.4.1. Giving, further below, the announcement for gnutls-3.4.4. Apparently, the date was wrong in the News and the modification, over gnutls-3.4.4:
https://gitlab.com/gnutls/gnutls/commit/50244178cd47f01aa9f3b65c082a992166d140ca.diff
diff --git a/Makefile.am b/Makefile.am index 1bbb7f4..19fcb90 100644 --- a/Makefile.am +++ b/Makefile.am @@ -85,4 +85,9 @@ dist-hook: cd $(distdir)/src/ && for i in *-args.c *-args.h;do \ mv $$i $$i.bak; \ done + @echo "*****************************************************************" + @echo "Checking whether included libopts matches the system's. If the" + @echo "check fails upgrade the included libopts." + @echo "*****************************************************************" + test "`autoopts-config libsrc|cut -d '-' -f 2|sed 's/.tar.gz//'`" = "`cat src/libopts/autoopts/options.h |grep OPTIONS_VERSION_STRING|cut -d '"' -f 2|sed 's/:/./g'`" touch $(distdir)/doc/*.html $(distdir)/doc/*.pdf $(distdir)/doc/*.info
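Review bot: In the added `test` line of the dist-hook, the header is read as `src/libopts/autoopts/options.h` relative to the current directory, so a `make dist` run from a separate build directory would fail the check for the wrong reason; prefix the path with `$(srcdir)/`. On the same line, `sed 's/.tar.gz//'` leaves the dots unescaped and the pattern unanchored (`sed 's/\.tar\.gz$//'` is tighter), and `cut -d '-' -f 2` picks the wrong field if the path printed by `autoopts-config libsrc` contains an earlier hyphen. The banner is echoed on every run, and when the comparison fails neither version string is shown, so consider printing both values on mismatch. `grep OPTIONS_VERSION_STRING` can also read the file directly without the extra `cat`.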
https://lists.gnupg.org/pipermail/gnutls-devel/2015-August/007707.html
[gnutls-devel] gnutls 3.4.4
Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Aug 10 09:08:36 CEST 2015

Hello,
I've just released gnutls 3.4.4. This version fixes bugs and adds minor features to the next stable branch.

* Version 3.4.4 (released 2015-08-10)

** libgnutls: added high level API (gnutls_prf_rfc5705) to access the PRF as specified by RFC5705. Suggestion and original patch by Rick van Rein.

** libgnutls: Link to trousers (TPM library) dynamically when this functionality is requested.

** libgnutls: Fix issue with server side sending the status request extension even when not requested. Reported by Jeremy Harris.

** libgnutls: Added support for RFC7507 by introducing the %FALLBACK_SCSV priority string option. Patch by Alessandro Ghedini.

** libgnutls: gnutls_pkcs11_privkey_generate2() will store the generated public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag is specified.

** libgnutls: Corrected regression from 3.4.3 in loading PKCS #8 keys as fallback. Reported by Daniel Berrange.

** libgnutls: Allow the parsing of very long DNs. Also fixes double free in DN decoding [GNUTLS-SA-2015-3].

** API and ABI modifications:
gnutls_prf_rfc5705: Added
gnutls_hex_encode2: Added
gnutls_hex_decode2: Added
Change History (2)
comment:1 by , 10 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at r16341.