GnuTLS 1.2.10 - Security release
John Gilmore
gnu at toad.com
Fri Feb 10 12:15:26 EST 2006
From: Simon Josefsson <jas at extundo.com>
To: gnutls-dev at gnupg.org, help-gnutls at gnu.org, info-gnu at gnu.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:21:060209:gnutls-dev at gnupg.org::zaOuZtWmJFhp9CnX:7K5h
X-Hashcash: 1:21:060209:help-gnutls at gnu.org::jeAkm4ig/gb/UmeB:9RnD
X-Hashcash: 1:21:060209:info-gnu at gnu.org::Ii3w27rTBUk11ps6:Qt4B
Date: Thu, 09 Feb 2006 16:46:28 +0100
MIME-Version: 1.0
Subject: GnuTLS 1.2.10 - Security release
Content-Type: multipart/mixed; boundary="===============1374029283=="
--===============1374029283==
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha1; protocol="application/pgp-signature"
--=-=-=
Content-Transfer-Encoding: quoted-printable
We are pleased to announce the availability of GnuTLS version 1.2.10,
a security bug-fix release on the stable 1.2.x branch.
This release fixes several serious bugs that would make the DER
decoder in libtasn1 crash on invalid input. The problems were
reported by Evgeny Legerov on the 31th of January.
We invite more detailed analysis of the problem, following our general
security advisory approach explained on:
http://www.gnu.org/software/gnutls/security.html
Particularly, it would be useful to answer the question of whether
these bugs are possible to exploit remotely. It is certainly possible
to cause the server to crash. We don't have resources to investigate
this problem more ourselves currently.
To make it easier for you to review this problem, I have prepared a
self test that trigger three bugs in the old libtasn1. It will be
part of GnuTLS 1.3.4, in tests/certder.c. A diff between libtasn1
0.2.17 and libtasn1 0.2.18 is also available, for those wishing to
analyze the changes made to address the problems. It contains a few
unrelated fixes too, but it is not too large. It is available from:
http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.18-from-0.2.17.p=
atch
Please send your analysis to gnutls-dev at gnupg.org and I'll update the
security advisory web page pointing to it.
GnuTLS is a modern C library that implement the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.
Noteworthy changes since version 1.2.9:
=2D Fix read out bounds bug in DER parser. Reported by Evgeny Legerov
<admin at gleg.net>, and debugging help from Protover SSL.
=2D Libtasn1 0.2.18 is now required (contains the previous bug fix).
The included version has been updated too.
=2D Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to
Otto Maddox <ottomaddox at fastmail.fm> and Nozomu Ando <nand at mac.com>.
=2D Corrected a bug in certtool for 64 bit machines. Reported
by Max Kellermann <max at duempel.org>.
=2D Corrected bugs in gnutls_certificate_set_x509_crl() and
gnutls_certificate_set_x509_trust(), that caused memory corruption if
more than one certificates were added. Report and patch by Max Kellermann.
=2D Fixed bug in non-blocking gnutls_bye(). gnutls_record_send() will no=20
longer invalidate a session if the underlying send fails, but it will=20
prevent future writes. That is to allow reading the already received data.
Patches and bug reports by Yoann Vandoorselaere <yoann at prelude-ids.org>
Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, or donate
money or equipment.
Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects.
If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see:
<http://lists.gnu.org/mailman/listinfo/help-gnutls>.
The project page of the library is available at:
http://www.gnutls.org/
http://www.gnu.org/software/gnutls/
http://josefsson.org/gnutls/ (updated fastest)
Here are the compressed sources:
http://josefsson.org/gnutls/releases/gnutls-1.2.10.tar.bz2 (2.7MB)
ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.2.10.tar.bz2
Here are GPG detached signatures signed using key 0xB565716F:
http://josefsson.org/gnutls/releases/gnutls-1.2.10.tar.bz2.sig
ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.2.10.tar.bz2.sig
The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:
1280R/B565716F 2002-05-05 [expires: 2006-02-28]
Key fingerprint =3D 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
The key is available from:
http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=3DCERT
Here are the build reports for various platforms:
http://josefsson.org/autobuild-logs/gnutls.html
Here are the SHA-1 checksums:
18140bebae006e019deb77962836bcd775256aab gnutls-1.2.10.tar.bz2
19d200ce04dc54b55d609a091500d1a2aee6e368 gnutls-1.2.10.tar.bz2.sig
Enjoy,
Nikos and Simon
--=-=-=
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3-cvs (GNU/Linux)
iOoEAAECADQFAkPrY9QtFIAAAAAAFQAPcGthLWFkZHJlc3NAZ251cGcub3JnamFz
QGV4dHVuZG8uY29tAAoJEO2iHpS1ZXFv/SAE/00ygiTi6krotf6NOJPzY9vxqKMv
9tWG298wAmLqAOHbyaTaKqacSNUfKmotgWMW3fPi/O98cUVFQ2MePFK8xt4Rvw7j
D9tV13yxRAOKTR9Twj6s91CRti20i5FIV/7ZmmmFIu8eGRUwwND1QA1VA4YEpeAP
Mb/MkaqlMxtZG9arE7f4MH5yWJ5crTdsyGHrtI4H58qswxkMoZcX+paNOvE=
=gKC2
-----END PGP SIGNATURE-----
--=-=-=--
--===============1374029283==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
GNU Announcement mailing list <info-gnu at gnu.org>
http://lists.gnu.org/mailman/listinfo/info-gnu
--===============1374029283==--
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list