[gnutls-help] gnutls 3.8.12
Alexander Sosedkin
asosedkin at redhat.com
Mon Feb 9 17:25:10 CET 2026
Hello,
We have just released gnutls-3.8.12. This is a bug fix, security and
enhancement release on the 3.8.x branch.
We would like to thank everyone who contributed in this release:
Alexander Sosedkin, Daiki Ueno, Mikhail Dmitrichenko, František Krenželok,
Jan Palus, Julien Olivain, Markus Theil, Maxim Cournoyer, xinpeng wang.
The detailed list of changes follows:
* Version 3.8.12 (released 2026-02-09)
** libgnutls: Fix NULL pointer dereference in PSK binder verification
A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
could lead to a denial of service attack via crashing the server.
The updated code guards against the problematic dereference.
Reported by Jaehun Lee.
[Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
** libgnutls: Fix name constraint processing performance issue
Verifying certificates with pathological amounts of name constraints
could lead to a denial of service attack via resource exhaustion.
Reworked processing algorithms exhibit better performance characteristics.
Reported by Tim Scheckenbach.
[Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
** libgnutls: Fix multiple unexploitable overflows
Reported by Tim Rühsen (#1783, #1786).
** libgnutls: Fall back to thread-unsafe module initialization
Improve fallback handling for PKCS#11 modules that
don't support thread-safe initialization (#1774).
Also return filename from p11_kit_module_get_name() for unconfigured modules.
** libgnutls: Accept NULL as digest argument for gnutls_hash_output
The accelerated implementation of gnutls_hash_output() now
properly accepts NULL as the digest argument, matching the
behavior of the reference implementation (#1769).
** srptool: Avoid a stack buffer overflow when processing large SRP groups.
Reported and fixed by Mikhail Dmitrichenko (#1777).
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
https://www.gnupg.org/ftp/gcrypt/
A list of GnuTLS mirrors can be found at
http://www.gnutls.org/download.html
Here are the XZ compressed sources:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.12.tar.xz
Here are OpenPGP detached signatures signed using keys:
5D46CB0F763405A7053556F47A75A648B3F9220C
and
E987AB7F7E89667776D05B3BB0E9DD20B29F1432
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.12.tar.xz.sig
Note that it has been signed with the following openpgp keys:
pub ed25519 2021-12-23 [SC] [expires: 2027-01-01]
5D46CB0F763405A7053556F47A75A648B3F9220C
uid [ultimate] Zoltan Fridrich <zfridric at redhat.com>
sub cv25519 2021-12-23 [E] [expires: 2027-01-01]
pub rsa4096 2016-09-27 [SC]
E987AB7F7E89667776D05B3BB0E9DD20B29F1432
uid [ultimate] Alexander Sosedkin <monk at unboiled.info>
sub rsa4096 2021-08-21 [A]
sub rsa4096 2016-09-27 [E]
sub rsa4096 2016-09-27 [S]
Regards,
Alexander Sosedkin
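The announcement lists two primary-key fingerprints and a detached `.sig` file, but a plain `gpg --verify` only tells you that some key in your keyring made a valid signature. The script below is an added example, not part of the announcement or of the GnuTLS project: it parses gpg's machine-readable `--status-fd` output and accepts the tarball only when the `VALIDSIG` line's primary-key fingerprint is one of the two listed above. The status lines in the comments and in the usage path are constructed to illustrate the format; the real check runs `gpg` on a downloaded tarball and signature.

```shell
#!/bin/sh
# Verify a GnuTLS release tarball against the signing-key fingerprints
# published in the release announcement. Added example, not project code.

# Primary-key fingerprints from the announcement (Zoltan Fridrich's ed25519
# key and Alexander Sosedkin's rsa4096 key).
ALLOWED_FPRS="5D46CB0F763405A7053556F47A75A648B3F9220C E987AB7F7E89667776D05B3BB0E9DD20B29F1432"

# status_has_allowed_validsig STATUS_TEXT
# Succeeds (exit 0) only if STATUS_TEXT, the output of `gpg --status-fd 1`,
# contains a VALIDSIG line whose primary-key fingerprint is in ALLOWED_FPRS.
# VALIDSIG layout: "[GNUPG:] VALIDSIG <sig-key-fpr> <date> <sig-ts> <expire-ts>
# <version> <reserved> <pk-algo> <hash-algo> <sig-class> <primary-key-fpr>".
# The first fingerprint may be a signing subkey (Alexander's key has a separate
# [S] subkey), so the primary fingerprint in the last field is what we match;
# the signing-key field is accepted too for keys that sign with the primary.
status_has_allowed_validsig() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_FPRS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && (($12 in ok) || ($3 in ok)) {
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# verify_tarball TARBALL [SIGFILE]
# Runs gpg with machine-readable status output and applies the fingerprint
# check. Requires the two keys to be in the local keyring, e.g. via
# `gpg --recv-keys <fingerprint>` from a keyserver of your choice.
verify_tarball() {
    tarball="$1"
    sig="${2:-$1.sig}"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || true
    if status_has_allowed_validsig "$status"; then
        echo "OK: $tarball signed by a listed GnuTLS release key"
        return 0
    fi
    echo "FAIL: no valid signature from a listed release key on $tarball" >&2
    return 1
}

# Stand-alone usage: ./verify-gnutls.sh gnutls-3.8.12.tar.xz [gnutls-3.8.12.tar.xz.sig]
if [ "$#" -gt 0 ]; then
    verify_tarball "$@"
fi
```

Matching on the fingerprint rather than on the "Good signature" text is the point: a "Good signature" from any imported key, or from a key whose short ID collides with a listed one, would otherwise pass. Pin the expected fingerprints in the script, not the key IDs.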