From release notes of 3.7.1:
** libgnutls: Fixed potential use-after-free in sending "key_share" and "pre_shared_key" extensions. When sending those extensions, the client may dereference a pointer no longer valid after realloc. This happens only when the client sends a large Client Hello message, e.g., when HRR is sent in a resumed session that previously negotiated large FFDHE parameters, because the initial allocation of the buffer is large enough without having to call realloc (#1151). [GNUTLS-SA-2021-03-10, CVSS: low]
Only 3.7.x is affected, which isn't stable.
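As an added illustration of the bug class named in the release note (this is constructed example code, not GnuTLS's own buffer or extension code): a pointer taken into a growable buffer goes stale as soon as an append reallocates the block, while an offset re-derived from the current base does not. The `buf_t` type, `write_extension` and `demo_large_extension` are invented for the example; the key_share extension type 0x0033 is the real IANA value.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed growable byte buffer for this example (not gnutls_buffer_st). */
typedef struct { uint8_t *data; size_t len, cap; } buf_t;
static int buf_append(buf_t *b, const uint8_t *src, size_t n)
{
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap : 16;
        while (ncap < b->len + n) ncap *= 2;
        uint8_t *p = realloc(b->data, ncap);  /* may move the whole block */
        if (p == NULL) return -1;
        b->data = p; b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}
/* Emit a TLS-style extension: 2-byte type, 2-byte length, body. The buggy shape
 * saves  uint8_t *len_ptr = b->data + b->len + 2;  before appending the body; if
 * that append reallocs, len_ptr dangles and the length write is a use-after-free.
 * The fix keeps an offset and re-derives the pointer after the last append. */
static int write_extension(buf_t *b, uint16_t type, const uint8_t *body, size_t body_len)
{
    if (body_len > 0xffff) return -1;
    uint8_t hdr[4] = { (uint8_t)(type >> 8), (uint8_t)type, 0, 0 };
    size_t len_off = b->len + 2;                  /* offset survives realloc */
    if (buf_append(b, hdr, sizeof hdr) < 0 || buf_append(b, body, body_len) < 0)
        return -1;
    b->data[len_off] = (uint8_t)(body_len >> 8);  /* b->data re-read after realloc */
    b->data[len_off + 1] = (uint8_t)body_len;
    return 0;
}

/* Start with a capacity too small for the body so the append must realloc (the
 * "large Client Hello" case), then read the patched length back; -1 on error. */
int demo_large_extension(size_t body_len)
{
    buf_t b = { malloc(8), 0, 8 };
    uint8_t *body = malloc(body_len ? body_len : 1);
    int result = -1;
    if (b.data && body) {
        memset(body, 0xAB, body_len);
        if (write_extension(&b, 0x0033 /* key_share */, body, body_len) == 0 && b.len == 4 + body_len)
            result = (b.data[2] << 8) | b.data[3];
    }
    free(body); free(b.data);
    return result;
}
```

Running the small-body case (fits the initial 8 bytes) alongside the large-body case (forces realloc) shows why the defect only surfaced with large Client Hello messages: the stale pointer is harmless as long as the block never moves.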
The bug has been referenced in the following commit(s):
Author: Thomas Deutschmann <email@example.com>
AuthorDate: 2021-03-28 06:07:24 +0000
Commit: Thomas Deutschmann <firstname.lastname@example.org>
CommitDate: 2021-03-28 06:08:22 +0000
net-libs/gnutls: drop vulnerable version
Package-Manager: Portage-3.0.17, Repoman-3.0.2
Signed-off-by: Thomas Deutschmann <email@example.com>
net-libs/gnutls/Manifest | 1 -
...nutls-3.7.0-ignore-duplicate-certificates.patch | 403 ---------------------
net-libs/gnutls/gnutls-3.7.0-r1.ebuild | 139 -------
3 files changed, 543 deletions(-)
Repository is clean, all done.