We are pleased to announce the availability of two new GnuTLS releases: GnuTLS 1.2.3 and GnuTLS 1.0.25!

These releases were prompted by the discovery of a denial of service problem. We recommend that 1.0 users move to 1.2. We will continue to make releases on the old branch when security problems are discovered, for those who feel unable to upgrade.

We do not have the resources to analyze and write an explanation of this security problem. Volunteers who want to read the bug reports and the CVS changes, and write up an explanation in plain English, are most welcome! Having a detailed track record of security problems can be a useful reference when discussing security in free software packages in general. Naturally, if you wish to sponsor us to do this work for you, please contact me.

PS. The ftp.gnutls.org server appears to be down at the moment, but the files below will be available as soon as possible.

If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: <http://lists.gnu.org/mailman/listinfo/help-gnutls>.

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources:
  http://josefsson.org/gnutls/releases/gnutls-1.0.25.tar.gz (1.5MB)
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.0.25.tar.gz (1.5MB)
  http://josefsson.org/gnutls/releases/gnutls-1.2.3.tar.bz2 (2.4MB)
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.2.3.tar.bz2 (2.4MB)

Here are GPG detached signatures signed using key 0xB565716F:
  http://josefsson.org/gnutls/releases/gnutls-1.0.25.tar.gz.sig
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.0.25.tar.gz.sig
  http://josefsson.org/gnutls/releases/gnutls-1.2.3.tar.bz2.sig
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.2.3.tar.bz2.sig

Here are the build reports for various platforms:
  http://josefsson.org/autobuild-logs/gnutls.html

Here are the MD5/SHA1 checksums:

Noteworthy changes since version 1.0.24/1.2.3:
- Corrected bug in record packet parsing that could lead to a denial of service attack.
- Corrected bug in RSA key export. Previously exported keys can be fixed using certtool. Use certtool -k <infile >outfile
- API and ABI modifications:
  gnutls_x509_privkey_fix(): Add.

Enjoy,
Nikos and Simon

_______________________________________________
GNU Announcement mailing list <info-gnu@gnu.org>
http://lists.gnu.org/mailman/listinfo/info-gnu