| version 1.72, 2015/03/17 22:57:32 |
version 1.73, 2015/03/18 15:23:30 |
|
|
| |
|
| <li>LibreSSL |
<li>LibreSSL |
| <ul> |
<ul> |
| <li>Fix a Bleichenbacher style timing oracle with bad PKCS padding. |
<li>User-visible features: |
| <li>Reluctantly add server-side support for TLS_FALLBACK_SCSV. |
<ul> |
| <li>Import BoringSSL's crypto bytestring and crypto bytebuilder APIs. |
<li>Reluctantly add server-side support for <tt>TLS_FALLBACK_SCSV</tt>. |
| <li>Jettison DTLS over SCTP. |
<li>Import <i>BoringSSL</i>'s crypto bytestring and crypto bytebuilder |
| <li>Fix memory leaks. |
APIs. |
| <li>Move <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/openssl.1??query=openssl&sec=1">openssl(1)</a> from /usr/sbin/openssl to /usr/bin/openssl |
<li>Jettison DTLS over SCTP. |
| |
<li>Move |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a> |
| |
from <tt>/usr/sbin/openssl</tt> to <tt>/usr/bin/openssl</tt>. |
| |
<li>Two important cipher suites, GOST and Camellia, have been reworked |
| |
or reenabled, providing better interoperability with systems around |
| |
the world. |
| |
<li>libtls: New API for loading CA chains directly from memory instead |
| |
of a file, allowing verification with privilege separation in a |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&sektion=8">chroot(8)</a> |
| |
without direct access to CA certificate files. |
| |
<li>libtls: Ciphers default to TLSv1.2 with AEAD and PFS. |
| |
<li>libtls: Improved error handling and message generation. |
| |
<li>Added <tt>X509_STORE_load_mem</tt> API for loading certificates from |
| |
memory. This facilitates accessing certificates from a chrooted |
| |
environment. |
| |
<li>New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by |
| |
using 'TLSv1.2+AEAD' as the cipher selection string. |
| |
<li>New |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a> |
| |
command '<tt>certhash</tt>' replaces the <tt>c_rehash</tt> script. |
| |
<li><i>Application-Layer Protocol Negotiation</i> (ALPN) support. |
| |
</ul> |
| |
<li>Code improvements: |
| |
<ul> |
| |
<li>Dead and disabled code removal including MD5, Netscape workarounds, |
| |
non-POSIX IO, SCTP, RFC 3779 support, "#if 0" sections, and more. |
| |
<li>The ASN1 macros are expanded to aid readability and maintainability. |
| |
<li>Various NULL pointer asserts removed in favor of letting the |
| |
OS/signal handler catch them. |
| |
<li>Dozens of issues found with the <i>Coverity scanner</i> fixed. |
| |
</ul> |
| |
<li>Security updates: |
| |
<ul> |
| |
<li>Fix a Bleichenbacher style timing oracle with bad PKCS padding. |
| |
<li>Fix memory leaks. |
| |
<li>Address POODLE attack by disabling SSLv3 by default. |
| |
<li>SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. |
| |
<li>Earlier libtls support for non-blocking sockets and randomized |
| |
session ID contexts. |
| |
<li>Ensure the stack is marked non-executable for assembly sections. |
| |
<li>Multiple CVEs fixed including CVE-2014-3506, CVE-2014-3507, |
| |
CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, |
| |
CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0205 |
| |
and CVE-2015-0206. |
| |
</ul> |
| </ul> |
</ul> |
| <p> |
<p> |
| <li>mandoc 1.13.3: |
<li>mandoc 1.13.3: |
![[BACK]](/icons/back.gif){kind=icon}
Return to 57.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www