• LibreSSL 3.0.2 Released

    From Brent Cook@21:1/5 to All on Sat Oct 19 04:50:01 2019
    Copy: libressl@openbsd.org

    We have released LibreSSL 3.0.2, which will be arriving in the
    LibreSSL directory of your local OpenBSD mirror soon.

    This is the first stable release from the 3.0 series, which is included
    with OpenBSD 6.6. It includes the following changes:

    * Use a valid curve when constructing an EC_KEY that looks like X25519.
      The recent EC group cofactor change results in stricter validation,
      which causes the EC_GROUP_set_generator() call to fail.
      Issue reported and fix tested by rsadowski@

    * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
      (Note that the CMS code is currently disabled)
      Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)

    * Avoid a path traversal bug in s_server on Windows when run with the -WWW
      or -HTTP options, due to incomplete path check logic.
      Issue reported and fix tested by Jobert Abma

    It includes the following changes and improvements from LibreSSL 2.9.x:

    * API and Documentation Enhancements
      - Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.
      - Documented undescribed options and removed descriptions of
        nonfunctional options in the openssl(1) manual.

    * Testing and Proactive Security
      - A plethora of small fixes due to regular oss-fuzz testing.
      - Various side channels in DSA and ECDSA were addressed. These are
        some of the many issues found in an extensive systematic analysis of
        bignum usage by Samuel Weiser, David Schrammel et al.
      - Try to compute the cofactor if a nonsensical value was provided for
        ECC parameters. Fix from Billy Brumley.

    * Portable Improvements
      - Enabled performance optimizations when building with Visual Studio
        on Windows.
      - Enabled openssl(1) speed subcommand on Windows platform.

    * Bug Fixes
      - Fixed issue where SRTP extension would not be sent by server.
      - Fixed incorrect carry operation in 512 addition for Streebog.
      - Fixed -modulus option with openssl(1) dsa subcommand.
      - Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.
      - Fixed a padding oracle attack in PKCS7_dataDecode() and
        CMS_decrypt_set1_pkey() (CMS is currently disabled). From Bernd Edlinger.

    The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.
