NEWS: add an entry for CVE-2026-42011

author Alexander Sosedkin <asosedkin@redhat.com>

Wed, 29 Apr 2026 06:42:38 +0000 (08:42 +0200)

committer Alexander Sosedkin <asosedkin@redhat.com>

Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)
author Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 06:42:38 +0000 (08:42 +0200)
committer Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)
diff --git a/NEWS b/NEWS

index 3258a38c4f05bb380eeb84f5fc14b47e125443eb..7eb199ade5596de83f1e3ebb43cbba6e5e64cc73 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -55,6 +55,13 @@ See the end for copying conditions.
     Joshua Rogers of AISLE Research Team.
     [GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833]
  
+** libgnutls: Fix intersecting empty constraints
+   Permitted name constraints were wrongfully ignored
+   when prior CAs only had excluded name constraints,
+   resulting in a name constraint bypass.
+   Reported by Haruto Kimura (Stella).
+   [GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011]
+
  ** build: Support building with Nettle 4.0
     Nettle 4.0 was released in Feburary 2026, with API incompatibile
     changes from 3.10. The library can now compile with it, while
author	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 06:42:38 +0000 (08:42 +0200)
committer	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)