NEWS: add an entry for CVE-2026-33846

author Alexander Sosedkin <asosedkin@redhat.com>

Fri, 24 Apr 2026 07:53:07 +0000 (09:53 +0200)

committer Alexander Sosedkin <asosedkin@redhat.com>

Wed, 29 Apr 2026 13:35:02 +0000 (15:35 +0200)
author Alexander Sosedkin <asosedkin@redhat.com>
Fri, 24 Apr 2026 07:53:07 +0000 (09:53 +0200)
committer Alexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 13:35:02 +0000 (15:35 +0200)
diff --git a/NEWS b/NEWS

index 7c4527d402072f5c69af41432068ac1d7225e78c..a6f363400b5d5ebfefcfa70cf69a66ea383b0c4d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,16 @@ See the end for copying conditions.
  
  * Version 3.8.13 (unreleased)
  
+** libgnutls: Add more checks to DTLS reassembly
+   Previously, gnutls didn't check that DTLS fragments claimed
+   a consistent message_length value.
+   Additionally, a crucial array size check was missing,
+   enabling an attacker to cause a heap overwrite.
+   Reject fragments with mismatching length and add a missing boundary check.
+   Independently reported by
+   Haruto Kimura (Stella), Oscar Reparaz and Zou Dikai.
+   [GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846]
+
  ** build: Support building with Nettle 4.0
     Nettle 4.0 was released in Feburary 2026, with API incompatibile
     changes from 3.10. The library can now compile with it, while
author	Alexander Sosedkin <asosedkin@redhat.com>
	Fri, 24 Apr 2026 07:53:07 +0000 (09:53 +0200)
committer	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 13:35:02 +0000 (15:35 +0200)