released 3.4.1

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

diff --git a/NEWS b/NEWS
index e0f31df0e06041805943af6bb5cc2bce3df692b0..a0848ff33afc8adf09beeaa78b53e6a588bc3d6a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,10 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
 Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
 See the end for copying conditions.
 
-* Version 3.6.5 (unreleased)
+* Version 3.6.5 (released 2018-12-01)
 
 ** libgnutls: Provide the option of transparent re-handshake/reauthentication
-   when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init().
+   when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
 
 ** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
 
@@ -18,9 +18,21 @@ See the end for copying conditions.
    servers which do not support TLS1.3 will negotiate TLS1.2 which will be
    rejected by the client as disabled (#621).
 
+** libgnutls: Change RSA decryption to use a new side-channel silent function.
+   This addresses a security issue where memory access patterns as well as timing
+   on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
+   attacks. Side-channel resistant code is slower due to the need to mask
+   access and timings. When used in TLS the new functions cause RSA based
+   handshakes to be between 13% and 28% slower on average (Numbers are indicative,
+   the tests where performed on a relatively modern Intel CPU, results vary
+   depending on the CPU and architecture used). This change makes nettle 3.4.1
+   the minimum requirement of gnutls (#630). [CVSS: medium]
+
 ** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
    in the priority string. It is only accepted as legacy option and is ignored.
 
+** libgnutls: Added support for EdDSA under PKCS#11 (#417)
+
 ** libgnutls: Added support for AES-CFB8 cipher (#357)
 
 ** libgnutls: Added support for AES-CMAC MAC (#351)
@@ -41,15 +53,6 @@ See the end for copying conditions.
 ** certtool: Add parameter --no-text that prevents certtool from outputting
    text before PEM-encoded private key, public key, certificate, CRL or CSR.
 
-** libgnutls: Change RSA decryption to use a new side-channel silent function.
-   This addresses a security issue where memory access patterns as well as timing
-   on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
-   attacks. Side-channel resistant code is slower due to the need to mask
-   access and timings. When used in TLS the new functions cause RSA based
-   handshakes to be between 13% and 28% slower on average (Numbers are indicative,
-   the tests where performed on a relatively modern Intel CPU, results vary
-   depending on the CPU and architecture used).
-
 ** API and ABI modifications:
 GNUTLS_AUTO_REAUTH: Added
 GNUTLS_CIPHER_AES_128_CFB8: Added

diff --git a/m4/hooks.m4 b/m4/hooks.m4
index ebb538ec92c6975292a5a509ec62b708d494f34f..aebc58214a77894ba5a73a996928d7634d980070 100644 (file)
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -68,13 +68,13 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
   DLL_SSL_VERSION=`expr ${LT_SSL_CURRENT} - ${LT_SSL_AGE}`
   AC_SUBST(DLL_SSL_VERSION)
 
-  PKG_CHECK_MODULES(NETTLE, [nettle >= 3.4], [cryptolib="nettle"], [
+  PKG_CHECK_MODULES(NETTLE, [nettle >= 3.4.1], [cryptolib="nettle"], [
 AC_MSG_ERROR([[
   *** 
   *** Libnettle 3.4 was not found.
 ]])
   ])
-  PKG_CHECK_MODULES(HOGWEED, [hogweed >= 3.4], [], [
+  PKG_CHECK_MODULES(HOGWEED, [hogweed >= 3.4.1], [], [
 AC_MSG_ERROR([[
   *** 
   *** Libhogweed (nettle's companion library) was not found. Note that you must compile nettle with gmp support.