I'm happy to announce a new release of GNU Nettle, a low-level cryptographics library. This release includes a few bug fixes and portability improvements. See NEWS entries below.

Users of powerpc64 are adviced to upgrade; the bugs in the powerpc64 sha256 assembly of nettle-3.10 has the potential to cause crashes due to invalid memory read accesses. It's unclear if it could be exploitable, but it seems unlikely that any exploit could do worse than denial of service.

The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html.

The release can be downloaded from

https://ftp.gnu.org/gnu/nettle/nettle-3.10.1.tar.gz https://www.lysator.liu.se/~nisse/archive/nettle-3.10.1.tar.gz

Happy hacking, /Niels Möller

NEWS for the Nettle 3.10.1 release

This is a maintenance release, with only a few bugfixes and portability improvements.

The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.10 and libhogweed.so.6.10, with sonames libnettle.so.8 and libhogweed.so.6.

Bug fixes:

* Fix buffer overread in the new sha256 assembly for powerpc64, as well as a stack alignment issue.

* Added missing nettle_mac structs for hmac-gosthash.

* Fix configure test for valgrind, to not attempt to run valgrind on executables built using memory sanitizers.

Optimizations:

* Improved runtime detection of cpu features for OpenBSD and FreeBSD, using elf_aux_info when available. This also adds runtime detection for FreeBSD on arm64. Contributed by Brad Smith.