|
* Version 3.3.30 (released 2018-07-16)
** libgnutls: Corrected infinite loop when an incorrect PIN was provided
via pin-value or pin-source.
** gnutls-cli: backported the --sni-hostname option. This allows overriding the
hostname advertised to the peer.
** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen
and Adi Shamir reported that the existing counter-measures had certain issues and
were insufficient when the attacker has additional access to the CPU cache and
performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium]
** The ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the default
priority strings. They are not necessary for compatibility or any other purpose and
provide no advantage over their SHA1 counterparts, as they all depend on the legacy
TLS CBC block mode.
** API and ABI modifications:
No changes since last version.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|