Thu Apr 30 2026 Alexander Sosedkin <asosedkin@redhat.com> - 3.8.10-4
- Fix CVE-2026-33846 (DTLS fragment reassembly, High, heap overwrite)
- Fix CVE-2026-42009 (DTLS fragment reassembly, High, undefined behaviour)
- Fix CVE-2026-33845 (DTLS fragment reassembly, High, heap overread)
- Fix CVE-2026-42010 (PSK authentication, High, authentication bypass)
- Fix CVE-2026-3833 (Name constraints, Medium, name constraint bypass)
- Fix CVE-2026-42011 (Name constraints, Medium, name constraint bypass)
- Fix CVE-2026-42012 (CN fallback, Medium, certificate misuse)
- Fix CVE-2026-42013 (CN fallback, Medium, certificate misuse)
- Fix CVE-2026-42014 (PKCS#11 PIN change, Medium, use-after-free)
- Fix CVE-2026-5260 (PKCS#11 RSA, Medium, heap overread)
- Fix CVE-2026-42015 (PKCS#12 appending, Low, heap overwrite)
- Fix CVE-2026-3832 (OCSP, Low, revocation bypass)
- Fix CVE-2026-5419 (PKCS#7, Low, timing side-channel)
- Fix upstream security issue #1808 (PSK rehandshake)
- Fix upstream security issue #1810 (EKU OID prefix match)
- Fix upstream security issue #1813 (pkcs11-provider persistent keys)
- Fix upstream security issue #1818 (RSA correctness, OpenSSL format import)
- Fix upstream security issue #1819 (PKCS#11 trust removal error path)
- Fix upstream security issue #1822 (SCT extension parser OOB read)
- Fix upstream security issue #1841 (key zeroization in hybrid kex)
- Fix upstream security issue #1823 (malformed certtool template)
- Fix upstream security issue #1817 (session parameter loading robustness)
- Fix upstream security issue #1820 (PKCS#11 KDF succeeding w/o deriving)
- gnutls-3.8.10-CVE-2025-9820.patch: update Makefile.in