From 2a40a3d90df001c520ab5f25f97608f5eb3c489e Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 27 Mar 2019 07:21:31 +0100 Subject: released 3.6.7 Signed-off-by: Nikos Mavrogiannopoulos --- NEWS | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/NEWS b/NEWS index a2eec5b621..76764e8654 100644 --- a/NEWS +++ b/NEWS @@ -2,37 +2,44 @@ GnuTLS NEWS -- History of user-visible changes. -*- outline -*- Bug numbers referenced in this log correspond to bug numbers at our issue tracker, available at https://gitlab.com/gnutls/gnutls/issues Copyright (C) 2000-2016 Free Software Foundation, Inc. -Copyright (C) 2013-2017 Nikos Mavrogiannopoulos +Copyright (C) 2013-2019 Nikos Mavrogiannopoulos See the end for copying conditions. -* Version 3.6.7 (unreleased) +* Version 3.6.7 (released 2019-03-27) ** libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free(). +** libgnutls: Fixed a memory corruption (double free) vulnerability in the + certificate verification API. Reported by Tavis Ormandy; addressed with + the change above. [GNUTLS-SA-2019-03-27, #694] + +** libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; + Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] + ** libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690). -** libgnutls: fixed issue preventing sending and receiving from different - threads when false start was enabled (#713). +** libgnutls: the default number of tickets sent under TLS 1.3 was increased to + two. This makes it easier for clients which perform multiple connections + to the server to use the tickets sent by a default server. ** libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code. +** libgnutls: fixed issue preventing sending and receiving from different + threads when false start was enabled (#713). + ** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable session, as non-writeable security officer sessions are undefined in PKCS#11 (#721). -** libgnutls: the default number of tickets sent under TLS 1.3 was increased to - two. This makes it easier for clients which perform multiple connections - to the server to use the tickets sent by a default server. - ** libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded to early in version negotiation and was sent even on TLS 1.3. It is now sent only when -- cgit v1.2.1