NEWS: add an entry for #1808

author Alexander Sosedkin <asosedkin@redhat.com>

Wed, 29 Apr 2026 10:20:20 +0000 (12:20 +0200)

committer Alexander Sosedkin <asosedkin@redhat.com>

Wed, 29 Apr 2026 14:26:23 +0000 (16:26 +0200)
author Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 10:20:20 +0000 (12:20 +0200)
committer Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 14:26:23 +0000 (16:26 +0200)
diff --git a/NEWS b/NEWS

index 15957c9e1c220ca76292f90c9b26983a416d7903..3914eaaa35057664ddfae7bc512e672d2b0be1d9 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -114,6 +114,11 @@ See the end for copying conditions.
     Reported by Doria Tang of Stony Brook University.
     [GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419]
  
+** libgnutls: Fix PSK username comparison during rehandshake
+   Rehandshaking to a username with embedded NUL character could theoretically
+   allow bypassing the GNUTLS_ALLOW_ID_CHANGE protection (#1808).
+   Reported and fixed by Joshua Rogers of AISLE Research Team.
+
  ** build: Support building with Nettle 4.0
     Nettle 4.0 was released in Feburary 2026, with API incompatibile
     changes from 3.10. The library can now compile with it, while
author	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 10:20:20 +0000 (12:20 +0200)
committer	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 14:26:23 +0000 (16:26 +0200)