NEWS: add an entry for #1818.1

author Alexander Sosedkin <asosedkin@redhat.com>

Wed, 29 Apr 2026 11:53:01 +0000 (13:53 +0200)

committer Alexander Sosedkin <asosedkin@redhat.com>

Wed, 29 Apr 2026 14:26:23 +0000 (16:26 +0200)
author Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 11:53:01 +0000 (13:53 +0200)
committer Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 14:26:23 +0000 (16:26 +0200)
diff --git a/NEWS b/NEWS

index ce3877678bd71d9efed785559f31538de06b6a1a..a5cd297f8a1cc406d6248c74b5b79a9bee7205d1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -136,6 +136,12 @@ See the end for copying conditions.
     It now returns GNUTLS_E_PK_INVALID_PRIVKEY in this case (#1818).
     Reported by Kamil Frankowicz.
  
+** libgnutls: Fix overread when parsing OpenSSL PEM private keys
+   Insufficient bounds checking on the PEM header length could lead
+   to short heap overreads on specially crafted inputs (#1854).
+   Independently reported by Kamil Frankowicz and
+   Joshua Rogers of AISLE Research Team.
+
  ** build: Support building with Nettle 4.0
     Nettle 4.0 was released in Feburary 2026, with API incompatibile
     changes from 3.10. The library can now compile with it, while
author	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 11:53:01 +0000 (13:53 +0200)
committer	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 14:26:23 +0000 (16:26 +0200)