Hello, We have just released gnutls-3.8.10. This is a bug fix, security and enhancement release on the 3.8.x branch.
We would like to thank everyone who contributed in this release: Alexander Sosedkin, Andrew Hamilton, Angel Yankov, Daiki Ueno, Daniel P. Berrangé, David Dudas, Doekin, František Krenželok, Jiasheng Jiang, Richard Hughes, and Zoltan Fridrich. The detailed list of changes follows: * Version 3.8.10 (released 2025-07-08) ** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395] ** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989] ** libgnutls: Fix double-free upon error when exporting otherName in SAN Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988] ** certtool: Fix 1-byte write buffer overrun when parsing template Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low] [CVE-2025-32990] ** libgnutls: PKCS#11 modules can now be used to override the default cryptographic backend. Use the [provider] section in the system-wide config to specify path and pin to the module (see system-wide config Documentation). ** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update support. The library running on the aforementioned version now utilizes the kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted TLS session. The --enable-ktls configure option as well as the system-wide kTLS configuration(see GnuTLS Documentation) are still required to enable this feature. ** libgnutls: liboqs support for PQC has been removed For maintenance purposes, support for post-quantum cryptography (PQC) is now only provided through leancrypto. The experimental key exchange algorithm, X25519Kyber768Draft00, which is based on the round 3 candidate of Kyber and only supported through liboqs has also been removed altogether. ** libgnutls: TLS certificate compression methods can now be set with cert-compression-alg configuration option in the gnutls priority file. ** libgnutls: All variants of ML-DSA private key formats are supported While the previous implementation of ML-DSA was based on draft-ietf-lamps-dilithium-certificates-04, this updates it to draft-ietf-lamps-dilithium-certificates-12 with support for all 3 variants of private key formats: "seed", "expandedKey", and "both". ** libgnutls: ML-DSA signatures can now be used in TLS The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and ML-DSA-87, can now be used to digitally sign TLS handshake messages. ** API and ABI modifications: GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t Getting the Software ================ GnuTLS may be downloaded directly from https://www.gnupg.org/ftp/gcrypt/ A list of GnuTLS mirrors can be found at http://www.gnutls.org/download.html Here are the XZ compressed sources: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.10.tar.xz Here are OpenPGP detached signatures signed using key: 462225C3B46F34879FC8496CD605848ED7E69871 https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.10.tar.xz.sig Note that it has been signed with my openpgp key: pub rsa4096 2009-07-23 [SC] [expires: 2026-06-29] 462225C3B46F34879FC8496CD605848ED7E69871 uid [ultimate] Daiki Ueno <[email protected]> uid [ultimate] Daiki Ueno <[email protected]> sub rsa4096 2010-02-04 [E] Regards, -- Daiki Ueno
signature.asc
Description: PGP signature
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
