LibreSSL 2.5.0/2.4.3/2.3.8 Released

    From Brent Cook@21:1/5 to All on Wed Sep 28 05:50:02 2016
    Copy: libressl@openbsd.org

    LibreSSL portable versions 2.3.7 and 2.4.3 are now released, along with
    the newest development version 2.5.0, and will be available at a mirror
    near you.

    The following issues were fixed in all of the releases:

    * Avoid unbounded memory growth in libssl, which can be triggered by a
    TLS client repeatedly renegotiating and sending OCSP Status Request
    TLS extensions. (CVE-2016-6304)

    * Avoid falling back to a weak digest for (EC)DH when using SNI with
    libssl.

    * Issues related to the recent CVE-2016-6306, "Certificate message OOB reads",
    were fixed in the first LibreSSL releases two years ago; they were
    reported to us by David Ramos of Stanford using the UC-KLEE tool
    developed there.

    * Other recently-announced issues including recent CVE-2016-6305,
    CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 did not apply.

    LibreSSL 2.4.3 contains an additional fix:

    * Reverted change that cleans up the EVP cipher context in
    EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
    previous behaviour.

    LibreSSL 2.5.0 also contains the following improvements and fixes:

    * libtls now supports ALPN and SNI

    * libtls adds a new callback interface for integrating custom IO
    functions. Thanks to Tobias Pape.

    * libtls now handles 4 cipher suite groups:
        "secure"   (TLSv1.2+AEAD+PFS)
        "compat"   (HIGH:!aNULL)
        "legacy"   (HIGH:MEDIUM:!aNULL)
        "insecure" (ALL:!aNULL:!eNULL)

    This allows for flexibility and finer grained control, rather than
    having two extremes (an issue raised by Marko Kreen some time ago).

    * Tightened error handling for tls_config_set_ciphers().

    * libtls now always loads CA, key and certificate files at the time the
    configuration function is called. This simplifies code and results in
    a single memory based code path being used to provide data to libssl.

    * Add support for OCSP intermediate certificates.

    * Added functions used by stunnel and exim from BoringSSL - this
    brings in X509_check_host, X509_check_email, X509_check_ip, and
    X509_check_ip_asc.
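The X509_check_* functions exist because matching a peer's hostname against the names in its certificate has rules that ad hoc string comparison gets wrong. The following is an added illustration written for this page, not LibreSSL's or BoringSSL's code, of the core rules such a matcher has to enforce: DNS names compare case-insensitively, a wildcard is only honoured as the entire leftmost label, it matches exactly one label, and it needs at least two labels to its right (so "*.com" is rejected). These rule choices are the example's own and are stricter than the library's default flags.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges (DNS names ignore case). */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Number of dot-separated labels in a non-empty name. */
static size_t count_labels(const char *s) {
    size_t n = *s ? 1 : 0;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* True if `host` is matched by the certificate name `pattern`.
 * Rules (this example's own, see lead-in):
 *   - no wildcard: exact, case-insensitive match
 *   - wildcard only as the whole leftmost label ("*.example.com")
 *   - the wildcard covers exactly one non-empty label
 *   - at least two labels must follow the wildcard */
bool hostname_matches(const char *pattern, const char *host) {
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return false;

    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return label_eq(pattern, strlen(pattern), host, strlen(host));

    /* Wildcard must be the entire first label and the only '*' present. */
    if (star != pattern || pattern[1] != '.' || strchr(star + 1, '*') != NULL)
        return false;

    const char *suffix = pattern + 1;            /* ".example.com" */
    if (count_labels(suffix + 1) < 2)            /* reject "*.com" */
        return false;

    /* The wildcard stands in for host's leftmost label, which must be non-empty. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;

    /* Everything from the first dot onward must match the suffix exactly,
     * so "a.b.example.com" is NOT matched by "*.example.com". */
    return label_eq(suffix, strlen(suffix), dot, strlen(dot));
}

int main(void) {
    const char *cases[][2] = {                   /* constructed sample inputs */
        {"www.example.com", "WWW.Example.COM"},
        {"*.example.com",   "www.example.com"},
        {"*.example.com",   "a.b.example.com"},
        {"*.example.com",   "example.com"},
        {"*.com",           "x.com"},
        {"www.example.com", "www.example.com.evil"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-22s -> %s\n", cases[i][0], cases[i][1],
               hostname_matches(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```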

    * Added initial support for iOS, thanks to Jacob Berkman.

    * Improved behavior of arc4random on Windows when using memory leak
    analysis software.

    * Correctly handle an EOF that occurs prior to the TLS handshake
    completing. Reported by Vasily Kolobkov, based on a diff from Marko
    Kreen.

    * Limit the support of the "backward compatible" ssl2 handshake to
    only be used if TLS 1.0 is enabled.

    * Fix incorrect results returned by BN_mod_word() in certain cases on
    64-bit systems. BN_mod_word() can now return an error condition.
    Thanks to Brian Smith.
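The BN_mod_word() fix is about reducing a multi-limb number modulo a single machine word on a platform whose limbs are 64 bits wide. The following is an added example written for this page, not LibreSSL's code: it contrasts a half-word reduction, which is only correct while the modulus fits in 32 bits, with a full-width reduction using a 128-bit intermediate, and shows the silent wrong answer the narrow path gives for a modulus above 2^32. The little-endian limb layout and the all-ones MOD_WORD_ERROR sentinel are this example's assumptions.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A number stored little-endian as 64-bit limbs (example's own layout). */
typedef uint64_t limb_t;

/* Error sentinel, an assumption for this example: all-ones can never be a
 * valid remainder because a remainder is always smaller than the modulus. */
#define MOD_WORD_ERROR ((uint64_t)-1)

/* Half-word reduction: each limb is folded in as two 32-bit halves so that
 * (ret << 32) | half fits in 64 bits. That only holds while ret < w < 2^32.
 * For a larger w, ret itself can exceed 2^32 and the shift overflows
 * silently, returning a wrong remainder with no error indication. */
uint64_t mod_word_halfword(const limb_t *d, size_t n, uint64_t w) {
    uint64_t ret = 0;
    if (w == 0)
        return MOD_WORD_ERROR;           /* division by zero is an error */
    for (size_t i = n; i-- > 0;) {
        ret = ((ret << 32) | (d[i] >> 32)) % w;
        ret = ((ret << 32) | (d[i] & 0xffffffffULL)) % w;
    }
    return ret;
}

/* Full-width reduction: a 128-bit intermediate holds (ret << 64) | limb
 * exactly for any 64-bit w, so the result is correct for every modulus. */
uint64_t mod_word_wide(const limb_t *d, size_t n, uint64_t w) {
    unsigned __int128 ret = 0;
    if (w == 0)
        return MOD_WORD_ERROR;
    for (size_t i = n; i-- > 0;)
        ret = ((ret << 64) | d[i]) % w;
    return (uint64_t)ret;
}

/* 2^64, stored as limbs {0, 1}, reduced modulo w by each method. */
uint64_t two_pow_64_mod_halfword(uint64_t w) {
    limb_t d[2] = {0, 1};
    return mod_word_halfword(d, 2, w);
}

uint64_t two_pow_64_mod_wide(uint64_t w) {
    limb_t d[2] = {0, 1};
    return mod_word_wide(d, 2, w);
}

int main(void) {
    uint64_t small = 7;                   /* fits in 32 bits: both paths agree */
    uint64_t big = (1ULL << 32) + 1;      /* 2^32 + 1: half-word path overflows */

    /* 2^64 mod 7 = 2; 2^64 mod (2^32+1) = 1 because 2^32 = -1 (mod 2^32+1) */
    printf("2^64 mod %" PRIu64 ": halfword=%" PRIu64 " wide=%" PRIu64 "\n",
           small, two_pow_64_mod_halfword(small), two_pow_64_mod_wide(small));
    printf("2^64 mod %" PRIu64 ": halfword=%" PRIu64 " wide=%" PRIu64 "\n",
           big, two_pow_64_mod_halfword(big), two_pow_64_mod_wide(big));
    return 0;
}
```

The narrow path is the dangerous one precisely because it fails without signalling: a caller using the remainder for a primality sieve or a residue check gets a plausible-looking number. An explicit error return, as the release notes describe for BN_mod_word(), at least lets callers distinguish "unsupported input" from "valid result".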

    * Added constant-time updates to address CVE-2016-0702

    * Fixed undefined behavior in BN_GF2m_mod_arr()

    * Removed unused Cryptographic Message Support (CMS)

    * More conversions of long long idioms to time_t

    * Improved compatibility by avoiding printing NULL strings with
    printf.
