Hi, I think the chacha bug is a severe enough regression to warrant a bugfix release pretty soon. I'll aim to get it out in a week from now.

I think it should be fine to do a 3.7.1 release from the master branch, rather than cherry-picking selected bugfixes. I've looked through git history and ChangeLog since the release one and a half month ago, and I think this is a accurate summary for the NEWS file:

Bug fixes:

* Fix bug in chacha counter update logic. The problem affected ppc64 and ppc64el, with the new altivec assembly code enabled. Reported by Andreas Metzler, after breakage in GnuTLS tests on ppc64.

* Support for big-endian ARM platforms has been restored. Fixes contributed by Michael Weiser.

* Fix build problem on OpenBSD/powerpc64, reported by Jasper Lievisse Adriaanse.

* Fix corner case bug in ECDSA verify, it would produce incorrect result in the unlikely case of an all-zero message hash. Reported by Guido Vranken.

New features:

* Support for pbkdf2_hmac_sha384 and pbkdf2_hmac_sha512, contributed by Nicolas Mora.

Miscellaneous:

* Poorly performing ARM Neon code for doing single-block Salsa20 and Chacha has been deleted. The code to do two or three blocks in parallel, introduced in Nettle-3.7, is unchanged.

Sonames will be unchanged. libnettle.so should get an incremented minor number, for the addition of the new pbkdf2 function. I don't think libhogweed.so strictly needs an incremented minor number, but maybe it's less confusing to increment it anyway.

Anything I'm missing? Any easy in-progress changes that should also get into the release?

Regards, /Niels