Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 27 19:53:13 2026 +0200

    Release 3.8.13
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 27 19:26:19 2026 +0200

    NEWS: add a couple more 3.8.13 entries
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 13 13:42:52 2026 +0200

    lib/pkcs11: do not silently pass on unimplemented functionality
    
    When the relevant PKCS#11 header macros were not defined,
    several functions for the FIPS PKCS#11 provider wrongfully reported success.
    They have been modified to return GNUTLS_E_UNIMPLEMENTED_FEATURE instead.
    
    Fixes: #1820
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Co-authored-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 7 10:16:03 2026 +0200

    session_pack: validate session_id_size on unpacking
    
    A check for session_id_size not exceeding GNUTLS_MAX_SESSION_ID_SIZE
    on loading persisted TLS session data was overlooked,
    leading to a heap overflow
    were the data corrupted in a malicious manner.
    
    Reported-by: Haruto Kimura (Stella)
    Fixes: #1817
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 14 18:25:13 2026 +0200

    src/cfg: avoid a data leak in clear_options, on the error path
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 14 18:21:19 2026 +0200

    src/cfg: fix iterating in clear_options, on the error path
    
    Calling testing tools bundled with GnuTLS with malformed arguments
    could lead to crashing them.
    This change makes the error path of option parsing more robust.
    
    Fixes: #1823
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Co-authored-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 14:20:11 2026 +0200

    NEWS: add an entry for #1841
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Apr 15 21:21:46 2026 +0900

    key_share: zeroize derived shared secret after compositing
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 14:12:23 2026 +0200

    NEWS: add an entry for #1822
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 13 18:42:56 2026 +0200

    lib/x509/x509_ext: avoid a heap overread in SCT extension parser
    
    Parsing a specially crafted SCT extension could previously lead to
    a short heap overread.
    The list-length validation didn't account for the 2-byte length field.
    
    The fix now accounts for the header field length,
    ensuring the parsing stays within the buffer.
    
    Fixes: #1822
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 14:04:28 2026 +0200

    NEWS: add an entry for #1819
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Apr 10 20:34:41 2026 +0200

    tests/pkcs11/trust-list-fault: test #1819 with libpkcs11mock5
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Apr 10 20:30:27 2026 +0200

    lib/x509: fix cleanup when gnutls_x509_crt_list_import_pkcs11 fails
    
    Previously gnutls_x509_trust_list_remove_trust_file tried to free
    the entire xcrt_list, even though one source of failures is
    gnutls_pkcs11_obj_list_import_url2 that deinits it up to the correct
    position.
    
    With this change, both functions zero unused entries.
    
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1819
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Apr 9 11:49:25 2026 +0200

    tests/pkcs11/pkcs11-mock5: add a generic fault injector
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 13:53:01 2026 +0200

    NEWS: add an entry for #1818.1
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 7 20:31:49 2026 +0200

    tests/key-openssl: add a test for #1818.4 OpenSSL PEM parsing
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 7 20:23:29 2026 +0200

    lib/x509/privkey_openssl: mind header size more carefully
    
    When parsing private keys in OpenSSL PEM format, GnuTLS did not perform
    sufficient bounds checking for the length of the PEM header being parsed.
    For specially crafted inputs, this could lead to heap overreads.
    There was no confidentiality risk and
    the crash potential was limited to instrumented builds in practice.
    This change instates the overlooked bounds checking.
    
    Reported-by: Kamil Frankowicz <kamil.frankowicz@cert.pl>
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Related: #1818
    Fixes: #1854
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 13:51:54 2026 +0200

    NEWS: add an entry for #1818.3
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 7 20:18:40 2026 +0200

    nettle/pk: check RSA key coprimality in verify_params
    
    Previously, gnutls_privkey_verify_params had overlooked
    the scenario of p and q not being co-prime,
    and proceeded with undefined behaviour that was extremely likely
    to error out in practice anyway.
    Now it returns GNUTLS_E_PK_INVALID_PRIVKEY in this case.
    
    Reported-by: Kamil Frankowicz <kamil.frankowicz@cert.pl>
    Related: #1818
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 13:43:28 2026 +0200

    NEWS: add an entry for #1813
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Mar 25 19:42:19 2026 +0100

    tests/pkcs11-provider: check for lingering token objects
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Wed Mar 25 19:43:33 2026 +0100

    pkcs11/p11_cipher: make AES keys ephemeral objects
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 12:27:48 2026 +0200

    NEWS: add an entry for #1810
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Apr 23 20:00:17 2026 +0200

    tests/ocsp: do not exit(1), fail does that
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Mar 19 20:12:19 2026 +0100

    tests/ocsp: test against a truncated EKU OID
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Mar 19 19:33:02 2026 +0100

    x509/ocsp: check OCSP delegated signer EKU OID to full length
    
    The retrieved certificate purpose OID was compared against the expected
    1.3.6.1.5.5.7.3.9 value without checking if the lengths were identical,
    allowing a value that constitutes a prefix to match.
    The check now compares the length as well.
    
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Co-authored-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 12:20:20 2026 +0200

    NEWS: add an entry for #1808
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Mar 18 16:47:43 2026 +0100

    tests/rehandshake-switch-psk-id: test usernames of varied length
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Mar 18 16:08:51 2026 +0100

    tests/rehandshake-switch-psk-id: refactor a bit
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Joshua Rogers <joshua@joshua.hu>
Date:   Wed Mar 18 17:08:03 2026 +0100

    handshake-checks: fix username comparison during rehandshake
    
    This is definitely a security issue
    subverting the GNUTLS_ALLOW_ID_CHANGE protection,
    but its real-life exploitability is under question.
    
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1808
    Signed-off-by: Joshua Rogers <joshua@joshua.hu>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 11:49:54 2026 +0200

    NEWS: add an entry for CVE-2026-5419
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Apr 1 19:01:50 2026 +0900

    tests/cipher-padding: exercise invalid padding case
    
    This adds a negative test case, where a PKCS#7 padding is manipulated.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Apr 1 18:57:21 2026 +0900

    gnutls_cipher_decrypt3: make PKCS#7 unpadding branch free
    
    This tries to make the logic of PKCS#7 padding removal constant-time,
    by removing potential branching operations.
    
    Reported-by: Doria Tang of Stony Brook University
    Fixes: #1815
    Fixes: CVE-2026-5419
    Fixes: GNUTLS-SA-2026-04-29-13
    CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
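The branch-free PKCS#7 unpadding described in the commit above, as an added illustration that is not GnuTLS's gnutls_cipher_decrypt3 code: every decision about the padding bytes is computed as a mask, so control flow does not depend on which byte is wrong. The helper names (ct_is_zero, ct_eq, ct_lt, pkcs7_unpad_ct) and the sample blocks are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 0xFFFFFFFF when x == 0, else 0. */
static uint32_t ct_is_zero(uint32_t x)
{
    return (uint32_t)(((uint64_t)x - 1) >> 32);
}

/* 0xFFFFFFFF when a == b, else 0. */
static uint32_t ct_eq(uint32_t a, uint32_t b)
{
    return ct_is_zero(a ^ b);
}

/* 0xFFFFFFFF when a < b, else 0. */
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    return (uint32_t)(((uint64_t)a - (uint64_t)b) >> 32);
}

/*
 * Strip PKCS#7 padding from buf[0..len) without branching on the padding
 * bytes.  Returns 1 and sets *out_len when the padding is valid, otherwise
 * returns 0 and sets *out_len to 0.  Only public quantities (len and the
 * block size) are branched on.
 */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t block_size,
                   size_t *out_len)
{
    if (block_size == 0 || block_size > 255 || len == 0 ||
        len % block_size != 0) {
        *out_len = 0;
        return 0;
    }

    uint32_t pad = buf[len - 1];
    /* 1 <= pad <= block_size, as a mask. */
    uint32_t pad_ok = ct_lt(pad, (uint32_t)block_size + 1) & ~ct_is_zero(pad);

    /* Scan the entire last block every time; a byte only has to equal pad
       when it lies within the claimed padding. */
    uint32_t bad = 0;
    for (size_t i = 1; i <= block_size; i++) {
        uint32_t in_pad = ct_lt((uint32_t)i, pad + 1);   /* i <= pad */
        uint32_t mismatch = ~ct_eq(buf[len - i], pad);
        bad |= in_pad & mismatch;
    }

    uint32_t ok = pad_ok & ~bad;                   /* all ones or all zeros */
    size_t ok_mask = (size_t)0 - (size_t)(ok & 1u);
    size_t stripped = len - (size_t)(pad & ok);    /* pad masked to 0 if invalid */
    *out_len = stripped & ok_mask;
    return (int)(ok & 1u);
}

/* Wrapper: plaintext length, or -1 when the padding is invalid. */
long pkcs7_unpad_len(const uint8_t *buf, size_t len, size_t block_size)
{
    size_t n;
    return pkcs7_unpad_ct(buf, len, block_size, &n) ? (long)n : -1L;
}

/* Constructed 8-byte sample blocks. */
const uint8_t sample_valid[8]    = { 'A', 'B', 'C', 5, 5, 5, 5, 5 };
const uint8_t sample_full_pad[8] = { 8, 8, 8, 8, 8, 8, 8, 8 };
const uint8_t sample_tampered[8] = { 'A', 'B', 'C', 5, 5, 5, 5, 6 };
const uint8_t sample_zero_pad[8] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 0 };
const uint8_t sample_over_pad[8] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 9 };

int main(void)
{
    printf("valid:    %ld\n", pkcs7_unpad_len(sample_valid, 8, 8));
    printf("full pad: %ld\n", pkcs7_unpad_len(sample_full_pad, 8, 8));
    printf("tampered: %ld\n", pkcs7_unpad_len(sample_tampered, 8, 8));
    printf("zero pad: %ld\n", pkcs7_unpad_len(sample_zero_pad, 8, 8));
    printf("over pad: %ld\n", pkcs7_unpad_len(sample_over_pad, 8, 8));
    return 0;
}
```

Whether the compiler keeps the generated code branch-free has to be confirmed in the assembly; the source shows the technique, not a guarantee.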

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 11:36:08 2026 +0200

    NEWS: add an entry for CVE-2026-3832
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Mar 12 10:57:14 2026 +0100

    tests/ocsp-tests/ocsp-must-staple-connection: no response case
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Mar 12 10:25:41 2026 +0100

    cert-session: log "no responses" case separately
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Mar 12 10:42:49 2026 +0100

    tests/ocsp-tests/ocsp-must-staple-connection: grep for specific...
    
    ... error message: 'Got OCSP response with an unrelated certificate'.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Mar 12 15:25:24 2026 +0100

    tests/ocsp-tests/ocsp-must-staple-connection: test CVE-2026-3832
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Mar 12 09:48:57 2026 +0100

    cert-session: fix multi-entry OCSP revocation bypass
    
    In check_ocsp_response(), the code first searched
    for the SingleResponse that matches the certificate being validated.
    But later, the status was retrieved from entry 0 unconditionally,
    rather than from the matched resp_indx.
    As a result, if entry 0 corresponded to a different certificate and was good,
    while the matched entry for the peer certificate was revoked,
    the revocation check could've mistakenly accepted the certificate.
    
    Reported-by: Oleh Konko (1seal) <security@1seal.org>
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1801
    Fixes: #1812
    Fixes: CVE-2026-3832
    Fixes: GNUTLS-SA-2026-04-29-12
    CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
    Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 11:23:47 2026 +0200

    NEWS: add an entry for CVE-2026-42015
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 20 22:42:20 2026 +0200

    x509/pkcs12_bag: fix off-by-one in bag element bounds check
    
    Appending elements to a PKCS#12 bag had a bounds check that
    prevented adding the 32nd element.
    On the other hand, it is possible to import one that already has 32.
    Subsequent appending then led to writing past the 32-element array,
    smashing its length.
    
    Tighten the check to reject any bag with 32 or more elements.
    
    We'll treat this vulnerability as a Low due to how contrived
    the requirements are: for the code to be vulnerable,
    it needs to append to an imported untrusted unencrypted PKCS#12 structure.
    
    Reported-by: Zou Dikai
    Fixes: #1840
    Fixes: CVE-2026-42015
    Fixes: GNUTLS-SA-2026-04-29-11
    CVSS: 6.1 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
    Severity: Low
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 11:02:58 2026 +0200

    NEWS: add an entry for CVE-2026-5260
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Mar 30 17:46:40 2026 +0200

    lib/pkcs11_privkey: guard against overreading on short ciphertexts
    
    This is an alternative fix for the callee side.
    
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1814
    Fixes: CVE-2026-5260
    Fixes: GNUTLS-SA-2026-04-29-10
    CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Mar 30 17:31:07 2026 +0200

    lib/auth/rsa: check that ciphertext matches the modulus size
    
    A client sending an extremely short premaster secret as part of an
    RSA key exchange could've theoretically triggered a short heap overread
    to nowhere when the RSA key was backed with a PKCS#11 token.
    With this fix, the internal decryption function will not be called
    with a mismatching plaintext length specified, avoiding the overread.
    
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1814
    Fixes: CVE-2026-5260
    Fixes: GNUTLS-SA-2026-04-29-10
    CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 10:52:10 2026 +0200

    NEWS: add an entry for CVE-2026-42014
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Mar 18 18:19:06 2026 +0100

    pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin
    
    Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with
    oldpin == NULL for a token that lacks a protected authentication path
    led to a use-after-free.
    
    Reported-by: Luigino Camastra and Joshua Rogers of AISLE Research Team
    Fixes: #1766
    Fixes: #1809
    Fixes: CVE-2026-42014
    Fixes: GNUTLS-SA-2026-04-29-9
    CVSS: 4.0 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 10:30:37 2026 +0200

    NEWS: add an entry for CVE-2026-42013
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 15 18:02:31 2026 +0200

    tests/cert-tests: add tests for #1825
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 15 16:02:19 2026 +0200

    x509: prevent fallback on oversized SAN
    
    Passing oversized SAN did not preclude CN (or DN email) fallback
    during verification, which is an RFC 6125 6.4.4 violation.
    
    Now oversized SAN are skipped over,
    but prevent the fallback from happening.
    
    Reported-by: Haruto Kimura (Stella)
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1825
    Fixes: #1849
    Fixes: CVE-2026-42013
    Fixes: GNUTLS-SA-2026-04-27-8
    CVSS: 6.5 Moderate CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 15 15:35:59 2026 +0200

    x509/email-verify: call fallback DN fallback
    
    A comment was inaccurately referring to DN email field fallback
    as CN fallback.
    Rename a few things as well to match x509/hostname-verify more closely.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 27 13:31:36 2026 +0200

    NEWS: add an entry for CVE-2026-42012
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Mar 13 17:54:56 2026 +0100

    tests/hostname-check: extend to exercise no-CN-fallback
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Mar 13 17:02:07 2026 +0100

    x509/hostname-verify: make URI/SRV SAN preclude CN fallback
    
    URI/SRV SAN did not suppress CN fallback as required by RFC 6125 6.4.4:
    > a client MUST NOT seek a match for a reference identifier of CN-ID
    > if the presented identifiers include a DNS-ID, *SRV-ID*, *URI-ID*,
    > or any application-specific identifier types supported by the client.
    
    With this change, certificates containing URI or SRV SAN
    no longer pass DNS hostname checks via CN fallback
    to avoid potential misuse of such certificates
    beyond their original purpose.
    
    Reported-by: Oleh Konko <security@1seal.org>
    Fixes: #1802
    Fixes: CVE-2026-42012
    Fixes: GNUTLS-SA-2026-04-29-7
    CVSS: 6.5 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Mar 13 17:00:03 2026 +0100

    x509/hostname-verify: refactor and simplify CN fallback logic
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Mar 13 17:41:33 2026 +0100

    x509: add bare-bones awareness of SRV virtual SAN
    
    There's no support for constraints, no certtool support, no nothing.
    Just added what's easy to add because I needed a virtual SAN for them.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 28 15:26:32 2026 +0200

    x509/virt-san: a small OOM-correctness fix
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 08:42:38 2026 +0200

    NEWS: add an entry for CVE-2026-42011
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 14 17:49:50 2026 +0200

    tests/name-constraints-merge: extend to cover #1824
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 14 17:41:30 2026 +0200

    x509/name_constraints: fix intersecting empty constraints
    
    Permitted name constraints were wrongfully ignored
    when prior CAs only had excluded name constraints,
    resulting in a name constraint bypass.
    
    With this change, they are taken into account and propagate.
    
    Reported-by: Haruto Kimura (Stella)
    Fixes: #1824
    Fixes: CVE-2026-42011
    Fixes: GNUTLS-SA-2026-04-29-6
    CVSS: 4.8 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 29 08:58:03 2026 +0200

    NEWS: add an entry for CVE-2026-3833
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Mar 16 15:48:57 2026 +0100

    tests/name-constraints: add case-sensitivity check
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Mar 16 15:29:40 2026 +0100

    x509/name-constraints: compare domain names case-insensitive
    
    RFC 5280 7.2:
    > When comparing DNS names for equality, conforming implementations
    > MUST perform a case-insensitive exact match on the entire DNS name.
    > When evaluating name constraints, conforming implementations MUST
    > perform a case-insensitive exact match on a label-by-label basis.
    
    Domain name comparison during name constraints processing
    was case-sensitive. For excluded name constraints, this could lead to
    incorrectly accepting domain names that should've been rejected.
    The code for comparing domain names and domain name parts of emails
    has been modified to perform case-insensitive comparison instead.
    
    Reported-by: Oleh Konko <security@1seal.org>
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1223
    Fixes: #1803
    Fixes: #1852
    Fixes: CVE-2026-3833
    Fixes: GNUTLS-SA-2026-04-29-5
    CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Apr 24 11:17:26 2026 +0200

    NEWS: add an entry for CVE-2026-42010
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 27 17:16:25 2026 +0200

    lib/auth/psk_passwd: limit the length of the comparison
    
    Comparing a long username from a password file
    to a short username from the wire
    could lead to a heap overread up to the difference in their lengths.
    
    Fixes: #1864
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 21 19:49:47 2026 +0200

    tests/pskself2: sprinkle NUL into key for good measure
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 21 19:19:42 2026 +0200

    tests/pskself2: test username with NUL in the middle (#1850)
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 21 19:26:10 2026 +0200

    lib/auth/rsa_psk: fix binary PSK identity lookup
    
    A server looking up a PSK username with a NUL character in it
    was wrongfully matching a username truncated at the NUL character.
    Fix the check to compare up to the full username length.
    
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1850
    Fixes: CVE-2026-42010
    Fixes: GNUTLS-SA-2026-04-29-4
    CVSS: 7.1 High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
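The three length-handling mistakes named in the commits above (the OCSP EKU OID prefix match, the NUL-truncated PSK username lookup in rsa_psk, and the overread from comparing over the stored username's length in psk_passwd) beside one correct comparison, as an added example that is not GnuTLS code. The function names and sample inputs are constructed; the OID value is the one quoted in the OCSP commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Flaw 1 (OCSP EKU commit): only the bytes of the retrieved value are
 * compared, so a retrieved OID that is a prefix of the expected one passes.
 * The got_len <= strlen(expected) guard only keeps this demo from overreading.
 */
bool flawed_prefix_match(const char *got, size_t got_len, const char *expected)
{
    return got_len <= strlen(expected) && memcmp(got, expected, got_len) == 0;
}

/*
 * Flaw 2 (rsa_psk commit): a C-string comparison stops at the first NUL,
 * so the explicit wire length is ignored and "user\0admin" matches "user".
 */
bool flawed_nul_match(const uint8_t *wire, size_t wire_len, const char *stored)
{
    (void)wire_len;   /* the bug: the length is never consulted */
    return strcmp((const char *)wire, stored) == 0;
}

/*
 * Flaw 3 (psk_passwd commit) is memcmp(wire, stored, strlen(stored)) with a
 * wire value shorter than stored: it reads past the end of the wire buffer
 * by the difference in lengths.  Not executed here, since it is an
 * out-of-bounds read.
 */

/* Correct for all three: require equal lengths first, then compare every byte. */
bool identity_equal(const uint8_t *a, size_t a_len, const uint8_t *b, size_t b_len)
{
    return a_len == b_len && memcmp(a, b, a_len) == 0;
}

/* Constructed inputs. */
static const char OID_EXPECTED[]  = "1.3.6.1.5.5.7.3.9";  /* value quoted in the OCSP commit */
static const char OID_TRUNCATED[] = "1.3.6.1.5.5.7.3";
static const uint8_t WIRE_USER[]  = { 'u', 's', 'e', 'r', 0, 'a', 'd', 'm', 'i', 'n', 0 };
#define WIRE_USER_LEN 10          /* bytes the client actually sent */
static const char STORED_USER[]   = "user";

/* 1 when the flawed comparison accepts and the correct one rejects. */
int demo_oid_prefix(void)
{
    bool flawed = flawed_prefix_match(OID_TRUNCATED, strlen(OID_TRUNCATED), OID_EXPECTED);
    bool fixed  = identity_equal((const uint8_t *)OID_TRUNCATED, strlen(OID_TRUNCATED),
                                 (const uint8_t *)OID_EXPECTED, strlen(OID_EXPECTED));
    return flawed && !fixed;
}

int demo_nul_username(void)
{
    bool flawed = flawed_nul_match(WIRE_USER, WIRE_USER_LEN, STORED_USER);
    bool fixed  = identity_equal(WIRE_USER, WIRE_USER_LEN,
                                 (const uint8_t *)STORED_USER, strlen(STORED_USER));
    return flawed && !fixed;
}

int main(void)
{
    printf("truncated OID accepted only by the flawed check: %d\n", demo_oid_prefix());
    printf("NUL username accepted only by the flawed check: %d\n", demo_nul_username());
    return 0;
}
```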

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 21 19:02:43 2026 +0200

    tests/pskself2: extend with RSA-PSK support
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Apr 24 10:15:01 2026 +0200

    NEWS: add an entry for CVE-2026-33845
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Mar 23 20:24:26 2026 +0100

    tests/mini-dtls-fragments: test #1811 crashing datagram
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Mar 20 16:55:10 2026 +0100

    tests/mini-dtls-fragments: test injecting 0-length ones
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Mar 23 15:57:39 2026 +0100

    buffers: simplify and tighten parse_handshake_header checks
    
    * frag_size > data_size is now rejected even when length == 0
    * length == 0 && frag_size > 0 is now rejected even when start_offset == 0
    * start_offset > length is now rejected even when frag_size == 0
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Mar 23 15:09:43 2026 +0100

    buffers: switch from end_offset over to frag_length
    
    Instead of maintaining an inclusive [start_offset, end_offset] range
    when reassembling DTLS handshake,
    track start_offset and a relative frag_length instead.
    
    You'd think it'd be a no-op, but it fixes:
    
    * 0-length fragments triggering completion if message was 1 byte long
    * a remotely triggerable underflow and an ensuing heap overrun
    
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1811
    Fixes: CVE-2026-33845
    Fixes: GNUTLS-SA-2026-04-29-3
    CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 22 14:19:57 2026 +0200

    buffers: rename a variable in parse_handshake_header
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Apr 24 10:06:14 2026 +0200

    NEWS: add an entry for CVE-2026-42009
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Joshua Rogers <joshua@joshua.hu>
Date:   Tue Apr 21 18:11:39 2026 +0200

    buffers: fix handshake_compare when sequence numbers match
    
    The comparator function used for ordering DTLS packets
    by sequence numbers did not follow qsort comparator contracts
    in case of packets with duplicate sequence numbers,
    which could lead to unstable ordering or undefined behaviour.
    Returning 0 in such cases makes the sorting stable.
    
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1848
    Fixes: CVE-2026-42009
    Fixes: GNUTLS-SA-2026-04-29-2
    CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Signed-off-by: Joshua Rogers <joshua@joshua.hu>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Apr 21 16:52:48 2026 +0200

    lib/buffers: ensure packets have differing sequence numbers
    
    There should normally be no packets with the same sequence number and
    differing handshake type, unless an adversary crafts them.
    Discarding them allows us to get rid of packets
    with duplicate sequence ID in the buffer,
    relieving us from the question of how to sort them later.
    
    Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
    Fixes: #1848
    Fixes: CVE-2026-42009
    Fixes: GNUTLS-SA-2026-04-29-2
    CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Apr 24 09:53:07 2026 +0200

    NEWS: add an entry for CVE-2026-33846
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 20 16:36:08 2026 +0200

    tests/mini-dtls-fragments: #1839 mismatching message_seq
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 20 16:32:02 2026 +0200

    buffers: match DTLS datagrams by sequence number
    
    DTLS handshake fragment reassembly previously matched incoming fragments
    by handshake type only, without checking the sequence number.
    This allowed fragments from different handshake messages
    to be merged into the same reassembly buffer.
    
    Now sequence number is accounted for during reassembly,
    ensuring fragments are only merged when they belong
    to the same handshake message.
    
    Reported-by: Zou Dikai
    Fixes: #1839
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Mon Apr 20 16:08:11 2026 +0200

    tests/mini-dtls-fragments: extend with fragmenting ClientHello
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Apr 1 19:51:45 2026 +0200

    tests/mini-dtls-fragments: extend with a #1816 reproducer
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Apr 17 18:21:36 2026 +0200

    buffers: add more checks to DTLS reassembly
    
    Previously, gnutls didn't check that DTLS fragments claimed
    a consistent message_length value.
    Additionally, a crucial array size check was missing,
    enabling an attacker to cause a heap overwrite.
    The updated version rejects fragments with mismatching length
    and adds a missing boundary check.
    
    Reported-by: Haruto Kimura (Stella)
    Reported-by: Oscar Reparaz
    Reported-by: Zou Dikai
    Fixes: #1816
    Fixes: #1838
    Fixes: #1839
    Fixes: CVE-2026-33846
    Fixes: GNUTLS-SA-2026-04-29-1
    CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
    CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
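The fragment checks spelled out across the DTLS reassembly commits above (the parse_handshake_header tightening, the switch from end_offset to frag_length, matching by sequence number, and the message_length consistency and boundary checks), as one added example that is not GnuTLS's buffers code: header fields are validated against the datagram before any buffer is touched, and completion is decided by byte coverage rather than an inclusive end offset. The names (dtls_frag_hdr, hs_reasm, reasm_add, the demo_* scenarios) and all scenario inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HS_MSG 4096   /* cap for this example; a real stack uses its configured limit */

/* Fragment header fields from RFC 6347 section 4.2.2 (widths relaxed for clarity). */
typedef struct {
    uint16_t message_seq;
    uint32_t message_length;
    uint32_t fragment_offset;
    uint32_t fragment_length;
} dtls_frag_hdr;

typedef struct {
    bool     active;
    uint16_t message_seq;
    uint32_t message_length;
    uint8_t  data[MAX_HS_MSG];
    uint8_t  have[MAX_HS_MSG];   /* 1 once the byte at that offset has arrived */
} hs_reasm;

enum { REASM_REJECT = -1, REASM_PARTIAL = 0, REASM_COMPLETE = 1 };

/* Header sanity checks using only the header and the payload bytes that are
   actually present in the datagram; reassembly state is not consulted. */
static bool frag_header_ok(const dtls_frag_hdr *h, size_t payload_avail)
{
    return h->message_length <= MAX_HS_MSG &&
           h->fragment_length <= payload_avail &&                 /* no claiming bytes the datagram lacks */
           !(h->message_length == 0 && h->fragment_length > 0) &&
           h->fragment_offset <= h->message_length &&
           h->fragment_length <= h->message_length - h->fragment_offset;  /* offset+length fits, no overflow */
}

int reasm_add(hs_reasm *r, const dtls_frag_hdr *h, const uint8_t *payload,
              size_t payload_avail)
{
    if (!frag_header_ok(h, payload_avail))
        return REASM_REJECT;
    if (!r->active) {
        memset(r, 0, sizeof(*r));
        r->active = true;
        r->message_seq = h->message_seq;
        r->message_length = h->message_length;
    } else if (h->message_seq != r->message_seq ||
               h->message_length != r->message_length) {
        /* A fragment of a different message, or one disagreeing about the
           total size, must not be merged into this buffer. */
        return REASM_REJECT;
    }
    memcpy(r->data + h->fragment_offset, payload, h->fragment_length);
    memset(r->have + h->fragment_offset, 1, h->fragment_length);

    /* Completion is decided by byte coverage, so an empty fragment completes
       only an empty message, never a 1-byte one. */
    for (uint32_t i = 0; i < r->message_length; i++)
        if (!r->have[i])
            return REASM_PARTIAL;
    return REASM_COMPLETE;
}

/* Constructed scenarios; each returns the status of the last fragment fed. */
static hs_reasm g;
#define FRESH() memset(&g, 0, sizeof g)

static int feed(uint16_t seq, uint32_t mlen, uint32_t off, uint32_t flen,
                const char *payload, size_t avail)
{
    dtls_frag_hdr h = { seq, mlen, off, flen };
    return reasm_add(&g, &h, (const uint8_t *)payload, avail);
}

int demo_split_in_two(void)       /* 4-byte message delivered as two halves */
{ FRESH(); feed(1, 4, 0, 2, "ab", 2); return feed(1, 4, 2, 2, "cd", 2); }
int demo_empty_message(void)      /* 0-byte message: one empty fragment completes it */
{ FRESH(); return feed(1, 0, 0, 0, "", 0); }
int demo_empty_fragment(void)     /* 1-byte message: an empty fragment must not complete it */
{ FRESH(); return feed(1, 1, 0, 0, "", 0); }
int demo_claims_too_much(void)    /* fragment_length exceeds what the datagram carries */
{ FRESH(); return feed(1, 4, 0, 4, "ab", 2); }
int demo_offset_past_end(void)    /* fragment_offset beyond message_length */
{ FRESH(); return feed(1, 4, 5, 0, "", 0); }
int demo_length_disagrees(void)   /* second fragment claims a different message_length */
{ FRESH(); feed(1, 4, 0, 2, "ab", 2); return feed(1, 8, 2, 2, "cd", 2); }
int demo_seq_disagrees(void)      /* second fragment belongs to another message_seq */
{ FRESH(); feed(1, 4, 0, 2, "ab", 2); return feed(2, 4, 2, 2, "cd", 2); }

int main(void)
{
    printf("split in two: %d, empty message: %d, empty fragment: %d\n",
           demo_split_in_two(), demo_empty_message(), demo_empty_fragment());
    printf("too much: %d, offset past end: %d, length disagrees: %d, seq disagrees: %d\n",
           demo_claims_too_much(), demo_offset_past_end(),
           demo_length_disagrees(), demo_seq_disagrees());
    return 0;
}
```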

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Apr 17 17:49:31 2026 +0200

    buffers: shorten merge_handshake_packet using recv_buf
    
    I had vague concerns about thread-safety of this,
    but then this pattern already exists within the file.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Mar 20 16:09:40 2026 +0100

    tests/mini-dtls-fragments: implement a basic DTLS test
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Sam James <sam@gentoo.org>
Date:   Mon Apr 27 18:51:19 2026 +0100

    tests: fix typo in skip message
    
    Otherwise we try to execute the skip message which results in noise
    in the log. Copy the other places we skip and echo to stderr.
    
    Signed-off-by: Sam James <sam@gentoo.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Apr 27 14:25:28 2026 +0900

    nettle: support truncated authentication tag in Nettle 4 build
    
    Reported by Joshua Rogers.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Apr 27 11:10:08 2026 +0900

    tests: exercise client cert selection for RSA-PSS-RSAE algorithms
    
    This adds a test case for 8366cd25ff81ddf27a7a5d885f64a3fdcc0c5125, by
    extending the send-client-cert test so that only RSA-PSS-* signature
    algorithms are indicated by the server.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Apr 26 21:58:28 2026 +0900

    NEWS: mention gnutls_pkcs11_obj_get_pk_algorithm as a new function
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Feb 18 19:58:42 2026 +0100

    doc/Makefile: add stamp_error_codes to EXTRA_DIST
    
    This also moves stamp_* to MAINTAINERCLEANFILES from DISTCLEANFILES,
    which should not include what's in the tarball.
    
    Fixes: #1797
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
    Modified-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Apr 26 11:13:33 2026 +0900

    tests: match automake variables for pkcs11-obj-get-pk-algorithm
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Apr 26 11:10:10 2026 +0900

    build: switch to using static_assert instead of verify
    
    Gnulib now emulates static_assert in C23; prefer it over verify.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Apr 26 10:15:34 2026 +0900

    .gitlab-ci.yml: enable HPKE in Fedora builds
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Apr 24 10:44:16 2026 +0200

    hpke/hpke-builders: use a relative include
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 21 17:10:12 2026 +0900

    hpke-key-management: use memcmp instead of manual comparison
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 21 16:53:11 2026 +0900

    hpke-key-management: fix the license header
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 21 16:38:34 2026 +0900

    hpke: rework public key serialization logic with existing facilities
    
    Instead of manually serializing or deserializing KEM public keys, use
    _gnutls_ecc_ansi_x962_{import,export} for NIST curves and copy
    raw_pub from gnutls_pk_params_st for Edwards curves.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 21 12:42:21 2026 +0900

    hpke: use _gnutls_set_datum as possible
