git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
NEWS: add an entry for CVE-2026-5260
author Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 09:02:58 +0000 (11:02 +0200)
committer Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
NEWS

diff --git a/NEWS b/NEWS
index 0e20b7fcb5459ded400cce1e4aea566a69d40c2f..2efefde6905cf8832bfd4727204a6eb38d260c75 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -84,6 +84,13 @@ See the end for copying conditions.
    Reported by Luigino Camastra and Joshua Rogers of AISLE Research Team.
    [GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014]
 
+** libgnutls: Fix overread in RSA key exchange with PKCS#11 keys
+   For a server using an RSA key backed by a PKCS#11 token,
+   a client sending an extremely short premaster secret
+   during an RSA key exchange could trigger a short heap overread.
+   Reported by Joshua Rogers of AISLE Research Team.
+   [GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260]
+
 ** build: Support building with Nettle 4.0
    Nettle 4.0 was released in Feburary 2026, with API incompatibile
    changes from 3.10. The library can now compile with it, while
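Review bot: The added entry's wording "extremely short premaster secret" and "short heap overread" leaves both the trigger length and the consequence unstated, so an operator running a server with a PKCS#11-backed RSA key cannot tell from NEWS whether the exposure is a crash, a read of adjacent heap bytes that reaches the peer, or both. Consider stating the bound (how short the premaster secret has to be, or how many bytes can be read past the buffer) and the observable effect. It would also help to say outright that only servers offering RSA key exchange with a token-backed key are affected, which "during an RSA key exchange" implies but does not state.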