GnuTLS 2.8.2

Jeff Cai Jeff.Cai at Sun.COM
Thu Aug 13 04:36:39 CEST 2009 

Simon,

Could you provide a patch for 2.6.6 or release 2.6.8 to fix this issue?

Thanks

Jeff

On Wed, 2009-08-12 at 16:43 +0800, Jeff Cai wrote:
> > What's New
> > ==========
> > 
> > ** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
> > By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
> > into 1) not printing the entire CN/SAN field value when printing a
> > certificate and 2) cause incorrect positive matches when matching a
> > hostname against a certificate.  Some CAs apparently have poor
> > checking of CN/SAN values and issue these (arguable invalid)
> > certificates.  Combined, this can be used by attackers to become a
> > MITM on server-authenticated TLS sessions.  The problem is mitigated
> > since attackers needs to get one certificate per site they want to
> > attack, and the attacker reveals his tracks by applying for a
> > certificate at the CA.  It does not apply to client authenticated TLS
> > sessions.  Research presented independently by Dan Kaminsky and Moxie
> > Marlinspike at BlackHat09.  Thanks to Tomas Hoger <thoger at redhat.com>
> > for providing one part of the patch.  [GNUTLS-SA-2009-4].
> 
> How is it affecting old versions of gnutls like 2.6 and 2.4? Do they
> also need a patch applied if not upgrading them?
> 
> Jeff
> 
> > 
> > ** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
> > Before it always returned false.  Reported by Peter Hendrickson
> > <pdh at wiredyne.com> in
> > <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.
> > 
> > ** libgnutls: Fix off-by-one size computation error in unknown DN printing.
> > The error resulted in truncated strings when printing unknown OIDs in
> > X.509 certificate DNs.  Reported by Tim Kosse
> > <tim.kosse at filezilla-project.org> in
> > <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.
> > 
> > ** libgnutls: Return correct bit lengths of some MPIs.
> > gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
> > gnutls_dh_get_peers_public_bits.  Before the reported value was
> > overestimated.  Reported by Peter Hendrickson <pdh at wiredyne.com> in
> > <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.
> > 
> > ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
> > Report and patch by Tim Kosse <tim.kosse at filezilla-project.org> in
> > <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
> > and
> > <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.
> > 
> > ** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
> > Before we required that the runtime library used the same (or more
> > recent) libgcrypt/libtasn1 as it was compiled with.  Now we just check
> > that the runtime usage is above the minimum required.  Reported by
> > Marco d'Itri <md at linux.it> via Andreas Metzler
> > <ametzler at downhill.at.eu.org> in <http://bugs.debian.org/540449>.
> > 
> > ** minitasn1: Internal copy updated to libtasn1 v2.3.
> > 
> > ** tests: Fix failure in "chainverify" because a certificate have expired.
> > 
> > ** API and ABI modifications:
> > No changes since last version.
> > 
> > Getting the Software
> > ====================
> > 
> > GnuTLS may be downloaded from one of the mirror sites or direct from
> > <ftp://ftp.gnu.org/gnu/gnutls/>.  The list of mirrors can be found at
> > <http://www.gnu.org/software/gnutls/download.html>.
> > 
> > Here are the BZIP2 compressed sources (6.0MB):
> > 
> >   ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.2.tar.bz2
> >   http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.2.tar.bz2
> > 
> > Here are OpenPGP detached signatures signed using key 0xB565716F:
> > 
> >   ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.2.tar.bz2.sig
> >   http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.2.tar.bz2.sig
> > 
> > Note, that we don't distribute gzip compressed tarballs.
> > 
> > In order to check that the version of GnuTLS which you are going to
> > install is an original and unmodified one, you should verify the OpenPGP
> > signature.  You can use the command
> > 
> >      gpg --verify gnutls-2.8.2.tar.bz2.sig
> > 
> > This checks whether the signature file matches the source file.  You
> > should see a message indicating that the signature is good and made by
> > that signing key.  Make sure that you have the right key, either by
> > checking the fingerprint of that key with other sources or by checking
> > that the key has been signed by a trustworthy other key.  The signing
> > key can be identified with the following information:
> > 
> > pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
> >       Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
> > uid                  Simon Josefsson <simon at josefsson.org>
> > uid                  Simon Josefsson <jas at extundo.com>
> > sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]
> > 
> > The key is available from:
> >   http://josefsson.org/key.txt
> >   dns:b565716f.josefsson.org?TYPE=CERT
> > 
> > Alternatively, after successfully verifying the OpenPGP signature of
> > this announcement, you could verify that the files match the following
> > checksum values.  The values are for SHA-1 and SHA-224 respectively:
> > 
> > eea59fb972e7d566679645a564a56b58aeffe10b  gnutls-2.8.2.tar.bz2
> > 
> > 048bfb981a4a88d7040c1951614bd9d06cdd787e2242d6243391775a  gnutls-2.8.2.tar.bz2
> > 
> > Documentation
> > =============
> > 
> > The manual is available online at:
> > 
> >   http://www.gnu.org/software/gnutls/documentation.html
> > 
> > In particular the following formats are available:
> > 
> >  HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
> >  PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf
> > 
> > For developers there is a GnuTLS API reference manual formatted using
> > the GTK-DOC tools:
> > 
> >   http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html
> > 
> > Community
> > =========
> > 
> > If you need help to use GnuTLS, or want to help others, you are invited
> > to join our help-gnutls mailing list, see:
> > 
> >   http://lists.gnu.org/mailman/listinfo/help-gnutls
> > 
> > If you wish to participate in the development of GnuTLS, you are invited
> > to join our gnutls-dev mailing list, see:
> > 
> >   http://lists.gnu.org/mailman/listinfo/gnutls-devel
> > 
> > Windows installer
> > =================
> > 
> > GnuTLS has been ported to the Windows operating system, and a binary
> > installer is available.  The installer contains DLLs for application
> > development, manuals, examples, and source code.  The installer includes
> > libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.3, and GnuTLS v2.8.2.
> > 
> > For more information about GnuTLS for Windows:
> >   http://josefsson.org/gnutls4win/
> > 
> > The Windows binary installer and PGP signature:
> >   http://josefsson.org/gnutls4win/gnutls-2.8.2.exe (15MB)
> >   http://josefsson.org/gnutls4win/gnutls-2.8.2.exe.sig
> > 
> > The checksum values for SHA-1 and SHA-224 are:
> > 
> > 18fc15825832606123284dd5d7a77d402bf14101  gnutls-2.8.2.exe
> > 9e9b9e5c9c213743fcb070af5c0b9a552ddd3fb3a241f2e0dbb89fa3  gnutls-2.8.2.exe
> > 
> > A ZIP archive containing the Windows binaries:
> >   http://josefsson.org/gnutls4win/gnutls-2.8.2.zip (5.3MB)
> >   http://josefsson.org/gnutls4win/gnutls-2.8.2.zip.sig
> > 
> > The checksum values for SHA-1 and SHA-224 are:
> > 
> > af492d1c31ef4ecc27724839ce62f5a334731b26  gnutls-2.8.2.zip
> > ca3306416ad63c22b281c30165c83d94d97b0e7a817303f2ca61d00c  gnutls-2.8.2.zip
> > 
> > A Debian mingw32 package is also available:
> >   http://josefsson.org/gnutls4win/mingw32-gnutls_2.8.2-1_all.deb (4.8MB)
> > 
> > The checksum values for SHA-1 and SHA-224 are:
> > 
> > 4d591773c387be1409fb000ff1a9eae3c3c19756  mingw32-gnutls_2.8.2-1_all.deb
> > fb742033dca3ccca3757d798dfa37fb718c2bac082e557bb7dfbfe57  mingw32-gnutls_2.8.2-1_all.deb
> > 
> > Internationalization
> > ====================
> > 
> > The GnuTLS library messages have been translated into Czech, Dutch,
> > French, German, Malay, Polish, Swedish, and Vietnamese.  We welcome the
> > addition of more translations.
> > 
> > Support
> > =======
> > 
> > Improving GnuTLS is costly, but you can help!  We are looking for
> > organizations that find GnuTLS useful and wish to contribute back.  You
> > can contribute by reporting bugs, improve the software, or donate money
> > or equipment.
> > 
> > Commercial support contracts for GnuTLS are available, and they help
> > finance continued maintenance.  Simon Josefsson Datakonsult AB, a
> > Stockholm based privately held company, is currently funding GnuTLS
> > maintenance.  We are always looking for interesting development
> > projects.  See http://josefsson.org/ for more details.
> > 
> > The GnuTLS service directory is available at:
> > 
> >   http://www.gnu.org/software/gnutls/commercial.html
> > 
> > Happy Hacking,
> > Simon
> > _______________________________________________
> > Gnutls-devel mailing list
> > Gnutls-devel at gnu.org
> > http://lists.gnu.org/mailman/listinfo/gnutls-devel
> 
> 
> 
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
> http://lists.gnu.org/mailman/listinfo/gnutls-devel

More information about the Gnutls-devel mailing list