https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html announces the release of gnutls-3.8.10, a bug fix, security and enhancement release on the 3.8.x branch, including fixes for:
** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395] ** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989] ** libgnutls: Fix double-free upon error when exporting otherName in SAN Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988] ** certtool: Fix 1-byte write buffer overrun when parsing template Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low] [CVE-2025-32990] https://www.gnutls.org/security-new.html provides a few more details: GNUTLS-SA-2025-07-08-1 CVE-2025-32989 Severity Medium; Heap read buffer overflow When an X.509 certificate contains an SCT (signed certificate timestamp) extension and its length field is malformed, the library could read the memory buffer past the boundary. The issue was reported in the issue tracker as <https://gitlab.com/gnutls/gnutls/-/issues/1695>. Recommendation: To address the issue found upgrade to GnuTLS 3.8.10 or later versions. The issue could be effectively avoided if you compile the library with -D_FORTIFY_SOURCE=2. ------------------------------------------------------------------------------ GNUTLS-SA-2025-07-08-2 CVE-2025-32988 Severity Low; Memory corruption on error path When any error occurs during exporting a certificate with an otherName in the SAN (subject alternative name) extension, the library could potentially double free the ASN.1 structure. The issue was reported in the issue tracker as <https://gitlab.com/gnutls/gnutls/-/issues/1694>. Recommendation: To address the issue found upgrade to GnuTLS 3.8.10 or later versions. ------------------------------------------------------------------------------ GNUTLS-SA-2025-07-08-3 CVE-2025-32990 Severity Low; Heap write buffer overflow When the certtool program is invoked with a template file with a number of string pairs for a single keyword, a NULL pointer could be written past the memory boundary. The issue was reported in the issue tracker as <https://gitlab.com/gnutls/gnutls/-/issues/1696>. Recommendation: To address the issue found upgrade to GnuTLS 3.8.10 or later versions. ------------------------------------------------------------------------------ GNUTLS-SA-2025-07-08-4 CVE-2025-6395 Severity Medium; Denial of service When a TLS 1.3 handshake involves a Hello Retry Request and the second Client Hello omits the PSK which was present in the first Client Hello, the GnuTLS server can dereference a NULL pointer. The issue was reported in the issue tracker as <https://gitlab.com/gnutls/gnutls/-/issues/1718>. Recommendation: To address the issue found upgrade to GnuTLS 3.8.10 or later versions. -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - https://blogs.oracle.com/solaris
