author Nikos Mavrogiannopoulos <nmav@redhat.com> 2016-11-02 16:11:19 +0100
committer Nikos Mavrogiannopoulos <nmav@redhat.com> 2016-11-02 16:11:19 +0100
commit 5f1c84a032bf67ee9ff9c6370965c3d776775da8
tree 28934883758685fd235b39e08009ce804de8594d
parent 02d95898f840e8ad383e198715af802a66d4b85a
doc update
-rw-r--r-- NEWS 8
1 files changed, 8 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 4b87aef49a..9669328441 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,14 @@ See the end for copying conditions.
** libgnutls: Handle status request responses as optional (following
RFC6066).
+** libgnutls: Set limits on the maximum number of alerts handled. That is,
+ applications using gnutls could be tricked into an busy loop if the
+ peer sends continuously alert messages. Applications which set a maximum
+ handshake time (via gnutls_handshake_set_timeout) will eventually recover
+ but others may remain in a busy loops indefinitely. This is related but
+ not identical to CVE-2016-8610, due to the difference in alert handling
+ of the libraries (gnutls delegates that handling to applications).
+
** API and ABI modifications:
No changes since last version.
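Review bot: The added NEWS entry has wording slips in its second and fifth lines: "an busy loop" should be "a busy loop", "a busy loops" should be "a busy loop" (or "busy loops"), and "sends continuously alert messages" reads better as "continuously sends alert messages". The opening "That is," follows a sentence about the fix rather than the problem, so the description of the old behaviour would be clearer starting with "Previously, applications using gnutls could be tricked into ...". The entry also says limits are set without giving the limit or how an application observes it being reached, which is what someone upgrading needs to know; a short clause stating both would make the entry self-sufficient.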