git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
NEWS: add an entry for CVE-2026-42010
author Alexander Sosedkin <asosedkin@redhat.com>
Fri, 24 Apr 2026 09:17:26 +0000 (11:17 +0200)
committer Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
NEWS

diff --git a/NEWS b/NEWS
index db1ac0722273233e871a20f8207cd458d8f4ffb9..55828ecafa05d55b45c6b73d3bec2b69ec195087 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -36,6 +36,14 @@ See the end for copying conditions.
    Reported by Joshua Rogers of AISLE Research Team.
    [GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845]
 
+** libgnutls: Fix RSA-PSK identity truncation
+   Servers configured with RSA-PSK have wrongfully matched usernames with NUL
+   character in them to ones truncated to NUL character,
+   which could lead to an authentication bypass.
+   Fix the check to perform comparison up to the full username length.
+   Reported by Joshua Rogers of AISLE Research Team.
+   [GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010]
+
 ** build: Support building with Nettle 4.0
    Nettle 4.0 was released in Feburary 2026, with API incompatibile
    changes from 3.10. The library can now compile with it, while
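Review bot: The description in the added RSA-PSK entry ("have wrongfully matched usernames with NUL character in them to ones truncated to NUL character,") is hard to parse, and a server operator reading NEWS has to work out which username is the one being truncated. Consider rewording along the lines of "Servers configured with RSA-PSK wrongly matched a username containing a NUL character against the username obtained by truncating it at that NUL character, which could lead to an authentication bypass", and rewrapping so the line ending in "NUL character," is not left short. It would also help to say whether the other PSK key exchanges are unaffected, since the entry names only RSA-PSK. Separately, the unchanged context below the new entry carries two typos ("Feburary", "incompatibile") that could be fixed in a follow-up commit.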