[gnutls-help] gnutls 3.8.13
Alexander Sosedkin
asosedkin at redhat.com
Thu Apr 30 15:10:00 CEST 2026
Quoting Alexander Sosedkin (2026-04-29 19:36:47)
> We have just released gnutls-3.8.13...
> * Version 3.8.13 (released 2026-04-29)
> ...
> ** libgnutls: Fix case-sensitivity of domain name comparison in name constraints
> Domain name comparison during name constraints processing
> was case-sensitive, violating RFC 5280 section 7.2.
> For excluded name constraints, this could lead to
> incorrectly accepting domain names that should've been rejected.
> DNS name comparison and the domain part of email names
> now perform case-insensitive comparison.
> Independently reported by Oleh Konko (1seal) and
> Joshua Rogers of AISLE Research Team.
> [GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833]
I would like to apologize for the confusion and issue a correction
regarding the severity of CVE-2026-3833. As discussed in
https://gitlab.com/gnutls/gnutls/-/issues/1803,
it was decided to treat it as Medium,
but I failed to reflect that in the NEWS file and the release announcement.
The line above should state:
> [GNUTLS-SA-2026-04-29-5, CVSS: medium] [CVE-2026-3833]
Regarding other post-release fixes: if you encounter failures linking
`tests/mini-dtls-fragments`, you might want to consider
https://gitlab.com/gnutls/gnutls/-/merge_requests/2105.
Regards,
Alexander Sosedkin
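
The name constraints comparison rule described in the quoted release note, as an added C example that is not GnuTLS code and not part of the original message. The function names, the `ci` flag and the test names are constructed for illustration, and only dNSName subtrees and the host form of an rfc822Name constraint are handled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* ASCII-only folding: DNS comparison must not depend on the process locale. */
static char ascii_lower(char ch) { return (ch >= 'A' && ch <= 'Z') ? (char)(ch - 'A' + 'a') : ch; }

/* Compare n bytes; fold case only when ci is true (ci=false models the old behaviour). */
static bool bytes_equal(const char *a, const char *b, size_t n, bool ci)
{
    for (size_t i = 0; i < n; i++)
        if ((ci ? ascii_lower(a[i]) : a[i]) != (ci ? ascii_lower(b[i]) : b[i]))
            return false;
    return true;
}

/* dNSName subtree test (RFC 5280 4.2.1.10): the name matches when it equals
 * the constraint or extends it with whole labels on the left. */
bool dns_in_subtree(const char *name, const char *constraint, bool ci)
{
    size_t n = strlen(name), c = strlen(constraint);
    if (c == 0)
        return true;  /* an empty dNSName constraint covers every name */
    if (n < c || !bytes_equal(name + n - c, constraint, c, ci))
        return false;
    return n == c || name[n - c - 1] == '.';  /* match must start on a label boundary */
}

/* rfc822Name against a host-form constraint: only the domain after the last
 * '@' is compared; the local part is never case-folded. */
bool email_on_host(const char *email, const char *host, bool ci)
{
    const char *at = strrchr(email, '@');
    if (at == NULL)
        return false;
    size_t d = strlen(at + 1), h = strlen(host);
    return d == h && bytes_equal(at + 1, host, h, ci);
}

/* A name must be rejected when it falls inside any excluded subtree. */
bool dns_rejected(const char *name, const char *const *excluded, size_t count, bool ci)
{
    for (size_t i = 0; i < count; i++)
        if (dns_in_subtree(name, excluded[i], ci))
            return true;
    return false;
}
```

A regression test for a validator can pin this behaviour by checking that a mixed-case name under an excluded subtree is rejected exactly like its lowercase form.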