NEWS: add an entry for CVE-2026-3833

author Alexander Sosedkin <asosedkin@redhat.com>

Wed, 29 Apr 2026 06:58:03 +0000 (08:58 +0200)

committer Alexander Sosedkin <asosedkin@redhat.com>

Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)
author Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 06:58:03 +0000 (08:58 +0200)
committer Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)
diff --git a/NEWS b/NEWS

index 55828ecafa05d55b45c6b73d3bec2b69ec195087..3258a38c4f05bb380eeb84f5fc14b47e125443eb 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -44,6 +44,17 @@ See the end for copying conditions.
     Reported by Joshua Rogers of AISLE Research Team.
     [GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010]
  
+** libgnutls: Fix case-sensitivity of domain name comparison in name constraints
+   Domain name comparison during name constraints processing
+   was case-sensitive, violating RFC 5280 section 7.2.
+   For excluded name constraints, this could lead to
+   incorrectly accepting domain names that should've been rejected.
+   DNS name comparison and the domain part of email names
+   now perform case-insensitive comparison.
+   Independently reported by Oleh Konko (1seal) and
+   Joshua Rogers of AISLE Research Team.
+   [GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833]
+
  ** build: Support building with Nettle 4.0
     Nettle 4.0 was released in Feburary 2026, with API incompatibile
     changes from 3.10. The library can now compile with it, while
author	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 06:58:03 +0000 (08:58 +0200)
committer	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)