From zfridric at redhat.com  Thu Apr  4 13:20:07 2024
From: zfridric at redhat.com (Zoltan Fridrich)
Date: Thu, 4 Apr 2024 13:20:07 +0200
Subject: [gnutls-help] gnutls 3.8.5
Message-ID: <1a13d10e-a0ff-4b0f-b617-5a5c12f3f5df@redhat.com>

Hello,

We have just released gnutls-3.8.5. This is a bug fix and enhancement 
release on the 3.8.x branch.

We would like to thank everyone who contributed in this release:
Alyssa Ross, Daiki Ueno and Zoltan Fridrich


The detailed list of changes follows:

* Version 3.8.5 (released 2024-04-04)

** libgnutls: Due to majority of usages and implementations of RSA 
decryption with PKCS#1 v1.5 padding being incorrect, leaving them 
vulnerable to Marvin attack, the RSAES-PKCS1-v1_5 is being deprecated 
(encryption and decryption) and will be disabled in the future. A new 
option `allow-rsa-pkcs1-encrypt` has been added into the system-wide 
library configuration which allows to enable/disable the 
RSAES-PKCS1-v1_5. Currently, the RSAES-PKCS1-v1_5 is enabled by default.

** libgnutls: Added support for RIPEMD160 and PBES1-DES-SHA1 for 
backward compatibility with GCR.

** libgnutls: A couple of memory related issues have been fixed in RSA 
PKCS#1 v1.5 decryption error handling and deterministic ECDSA with 
earlier versions of GMP. These were a regression introduced in the 3.8.4 
release. See #1535 and !1827.

** build: Fixed a bug where building gnutls statically failed due to a 
duplicate definition of nettle_rsa_compute_root_tr().

** API and ABI modifications:
GNUTLS_PKCS_PBES1_DES_SHA1: New enum member of gnutls_pkcs_encrypt_flags_t


Getting the Software
================
GnuTLS may be downloaded directly from
https://www.gnupg.org/ftp/gcrypt/ <https://www.gnupg.org/ftp/gcrypt/>
A list of GnuTLS mirrors can be found at
http://www.gnutls.org/download.html <http://www.gnutls.org/download.html>

Here are the XZ compressed sources:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.5.tar.xz 
<https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.5.tar.xz>

Here are OpenPGP detached signatures signed using key:
5D46CB0F763405A7053556F47A75A648B3F9220C
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.5.tar.xz.sig 
<https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.5.tar.xz.sig>

Note that it has been signed with my openpgp key:
pub ? ed25519 2021-12-23 [SC] [expires: 2027-01-01]
 ? ? ? 5D46CB0F763405A7053556F47A75A648B3F9220C
uid ? ? ? ? ? [ultimate] Zoltan Fridrich <zfridric at redhat.com>
sub ? cv25519 2021-12-23 [E] [expires: 2027-01-01]

Regards,
Zoltan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20240404/75fd7208/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x7A75A648B3F9220C.asc
Type: application/pgp-keys
Size: 1054 bytes
Desc: OpenPGP public key
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20240404/75fd7208/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20240404/75fd7208/attachment.sig>