From: Simon Josefsson Date: Mon, 10 Aug 2009 13:04:04 +0000 (+0200) Subject: Add 2.8.x news entries. X-Git-Tag: gnutls_2_9_2~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e8b0bb52763a28a02910bbff1e41fe9bec726532;p=thirdparty%2Fgnutls.git Add 2.8.x news entries. --- diff --git a/NEWS b/NEWS index d5e512b3b3..3f42f3587a 100644 --- a/NEWS +++ b/NEWS @@ -91,6 +91,75 @@ No changes since last version. ** API and ABI modifications: No changes since last version. +* Version 2.8.2 (released 2009-08-10) + +** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields. +By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS +into 1) not printing the entire CN/SAN field value when printing a +certificate and 2) cause incorrect positive matches when matching a +hostname against a certificate. Some CAs apparently have poor +checking of CN/SAN values and issue these (arguable invalid) +certificates. Combined, this can be used by attackers to become a +MITM on server-authenticated TLS sessions. The problem is mitigated +since attackers needs to get one certificate per site they want to +attack, and the attacker reveals his tracks by applying for a +certificate at the CA. It does not apply to client authenticated TLS +sessions. Research presented independently by Dan Kaminsky and Moxie +Marlinspike at BlackHat09. Thanks to Tomas Hoger +for providing one part of the patch. [GNUTLS-SA-2009-4]. + +** libgnutls: Fix return value of gnutls_certificate_client_get_request_status. +Before it always returned false. Reported by Peter Hendrickson + in +. + +** libgnutls: Fix off-by-one size computation error in unknown DN printing. +The error resulted in truncated strings when printing unknown OIDs in +X.509 certificate DNs. Reported by Tim Kosse + in +. + +** libgnutls: Return correct bit lengths of some MPIs. +gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and +gnutls_dh_get_peers_public_bits. Before the reported value was +overestimated. Reported by Peter Hendrickson in +. + +** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. +Report and patch by Tim Kosse in + +and +. + +** libgnutls: Relax checking of required libtasn1/libgcrypt versions. +Before we required that the runtime library used the same (or more +recent) libgcrypt/libtasn1 as it was compiled with. Now we just check +that the runtime usage is above the minimum required. Reported by +Marco d'Itri via Andreas Metzler + in . + +** minitasn1: Internal copy updated to libtasn1 v2.3. + +** tests: Fix failure in "chainverify" because a certificate have expired. + +** API and ABI modifications: +No changes since last version. + +* Version 2.8.1 (released 2009-06-10) + +** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle. +Forwarded by Martin von Gagern from +. + +** libgnutls: Fix PKCS#12 decryption from password. +The encryption key derived from the password was incorrect for (on +average) 1 in every 128 input for random inputs. Reported by "Kukosa, +Tomas" in +. + +** API and ABI modifications: +No changes since last version. + * Version 2.8.0 (released 2009-05-27) ** doc: Fix gnutls_dh_get_prime_bits. Fix error codes and algorithm lists.