git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
NEWS: add an entry for CVE-2026-42009
author    Alexander Sosedkin <asosedkin@redhat.com>
          Fri, 24 Apr 2026 08:06:14 +0000 (10:06 +0200)
committer Alexander Sosedkin <asosedkin@redhat.com>
          Wed, 29 Apr 2026 13:35:02 +0000 (15:35 +0200)
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
NEWS

diff --git a/NEWS b/NEWS
index a6f363400b5d5ebfefcfa70cf69a66ea383b0c4d..8c5ddc8ba0130c6f20b3aed0bd3450e730372e66 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,18 @@ See the end for copying conditions.
    Haruto Kimura (Stella), Oscar Reparaz and Zou Dikai.
    [GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846]
 
+** libgnutls: Fix qsort comparator in DTLS reassembly
+   The comparator function used for ordering DTLS packets
+   by sequence numbers did not follow qsort comparator contracts
+   in case of packets with duplicate sequence numbers,
+   which could lead to unstable ordering or undefined behaviour.
+   Return 0 in such cases makes the sorting stable.
+   Additionally, discard packets with same sequence numbers
+   and differing handshake type,
+   so that they don't end up being sorted in the first place.
+   Reported by Joshua Rogers of AISLE Research Team.
+   [GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009]
+
 ** build: Support building with Nettle 4.0
    Nettle 4.0 was released in Feburary 2026, with API incompatibile
    changes from 3.10. The library can now compile with it, while
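Review bot: the sentence "Return 0 in such cases makes the sorting stable." in the added entry overstates what the fix provides and should be reworded before this lands. qsort(3) gives no stability guarantee for elements that compare equal; returning 0 for two packets with the same sequence number only brings the comparator into line with the contract (a consistent, antisymmetric result for every pair of inputs) and removes the undefined behaviour the entry mentions two lines earlier. The relative order of equal-keyed packets after sorting stays unspecified, which is exactly why the second measure described in the entry, discarding packets with the same sequence number but a differing handshake type, is needed rather than optional. Suggested wording: "Returning 0 in such cases satisfies the qsort comparator contract and avoids the undefined behaviour." Two smaller points on the same hunk: "Return 0" should read "Returning 0", and since the entry carries a "CVSS: high" rating, it would help packagers if it also stated the user-visible consequence of the bug rather than only the internal mechanism, as the neighbouring entries do. Unrelated to this change but visible in the trailing context, the Nettle 4.0 entry still has "Feburary" and "incompatibile"; worth a separate typo-fix commit.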