[gnutls-devel] gnutls 3.3.26

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jan 9 09:01:02 CET 2017

I've just released gnutls 3.3.26. This is a bug-fix release on
the previous stable branch which addresses GNUTLS-SA-2017-1 and
GNUTLS-SA-2017-2, while backporting some functionality to enable certain
PKCS#11 smart card use-cases.

* Version 3.3.26 (released 2016-01-09)

** libgnutls: Handle status request responses as optional (following
   RFC6066). This improves compatibility with implementations not sending
   these messages (including specific versions of the GnuTLS 3.5.x branch).

** libgnutls: Set limits on the maximum number of alerts handled. That is,
   applications using gnutls could be tricked into a busy loop if the
   peer continuously sends alert messages. Applications which set a maximum
   handshake time (via gnutls_handshake_set_timeout) will eventually recover,
   but others may remain in a busy loop indefinitely. This is related but
   not identical to CVE-2016-8610, due to the difference in alert handling
   between the libraries (gnutls delegates that handling to applications).
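An added example (mine, not code from GnuTLS or this announcement) of the application-side half of this item: a handshake-driving loop that caps both the number of warning alerts it tolerates and the wall-clock time spent, the bound that gnutls_handshake_set_timeout gives you and that the library now also applies to alerts. The gnutls_handshake() call is replaced by a constructed callback so the loop compiles without libgnutls; the GNUTLS_E_* names are gnutls's, redefined locally, and bounded_handshake, run_scenario and fake_session are hypothetical names.

```c
#include <time.h>
/* Local stand-ins for gnutls error codes (names and values as in gnutls.h). */
#define GNUTLS_E_SUCCESS                   0
#define GNUTLS_E_WARNING_ALERT_RECEIVED  -16
#define GNUTLS_E_AGAIN                   -28
#define GNUTLS_E_INTERRUPTED             -52
#define GNUTLS_E_TIMEDOUT               -319
/* One handshake step; in a real program this wraps gnutls_handshake(). */
typedef int (*handshake_step_fn)(void *session);
enum hs_result { HS_OK, HS_FATAL, HS_TOO_MANY_ALERTS, HS_TIMED_OUT };

/* Drive the handshake. EAGAIN/EINTR are retried as usual, but warning alerts
 * are counted and the loop gives up once more than max_alerts arrived or the
 * deadline passed, so a peer streaming alerts cannot pin us in a busy loop. */
enum hs_result bounded_handshake(handshake_step_fn step, void *session,
                                 unsigned max_alerts, time_t deadline) {
    unsigned alerts = 0;
    for (;;) {
        if (time(NULL) >= deadline) return HS_TIMED_OUT;
        int ret = step(session);
        if (ret == GNUTLS_E_SUCCESS) return HS_OK;
        if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED) {
            if (++alerts > max_alerts) return HS_TOO_MANY_ALERTS;
            continue;            /* a warning alert is not fatal by itself */
        }
        if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) continue;
        /* real code: gnutls_error_is_fatal(ret) decides between these two */
        return ret == GNUTLS_E_TIMEDOUT ? HS_TIMED_OUT : HS_FATAL;
    }
}

/* Constructed stand-in for a session whose peer answers each handshake step
 * with a warning alert `alerts_to_send` times (forever when negative). */
struct fake_session { int alerts_to_send; int calls; };
static int fake_step(void *s) {
    struct fake_session *fs = s;
    fs->calls++;
    if (fs->alerts_to_send == 0) return GNUTLS_E_SUCCESS;
    if (fs->alerts_to_send > 0) fs->alerts_to_send--;
    return GNUTLS_E_WARNING_ALERT_RECEIVED;
}

/* Run one scenario with a 60 s budget; `calls` receives how many handshake
 * steps were attempted before the loop stopped. */
enum hs_result run_scenario(int alerts_to_send, unsigned max_alerts, int *calls) {
    struct fake_session fs = { alerts_to_send, 0 };
    enum hs_result r = bounded_handshake(fake_step, &fs, max_alerts, time(NULL) + 60);
    *calls = fs.calls;
    return r;
}
```

run_scenario(-1, 16, &n) models a peer that never stops sending warning alerts; the loop returns HS_TOO_MANY_ALERTS after 17 steps instead of spinning.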

** libgnutls: Fixed issue in PKCS#12 password encoding, which truncated
   passwords over 32 characters. Reported by Mario Klebsch.

** libgnutls: Backported functionality allowing manipulation of the IDs
   of PKCS#11 objects.

** libgnutls: Link to trousers (TPM library) dynamically. Backported TPM
   key handling improvements from master branch.

** libgnutls: Backported several fixes in PKCS#8 decryption (related to
   gitlab issue #148).

** libgnutls: Fix double free in certificate information printing. If the PKIX
   proxy extension was set with a policy language but no policy specified,
   printing the certificate could lead to a double free. [GNUTLS-SA-2017-1]

** libgnutls: Addressed memory leak in server side error path
   (issue found using the oss-fuzz project).

** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
   parsing. Fixes by Alex Gaynor. (issues found using the oss-fuzz project)

** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
   (issues found using the oss-fuzz project) [GNUTLS-SA-2017-2]

** tpmtool: backported the --test-sign option.

** API and ABI modifications:
gnutls_pkcs11_obj_set_info: Added
gnutls_pkcs11_privkey_generate3: Added
gnutls_pkcs11_copy_x509_privkey2: Added
gnutls_pkcs11_copy_x509_crt2: Added

Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]