===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/57.html,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -r1.72 -r1.73
--- www/57.html	2015/03/17 22:57:32	1.72
+++ www/57.html	2015/03/18 15:23:30	1.73
@@ -457,12 +457,57 @@
 
 <li>LibreSSL
     <ul>
-    <li>Fix a Bleichenbacher style timing oracle with bad PKCS padding.
-    <li>Reluctantly add server-side support for TLS_FALLBACK_SCSV.
-    <li>Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.
-    <li>Jettison DTLS over SCTP.
-    <li>Fix memory leaks.
-    <li>Move <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/openssl.1??query=openssl&sec=1">openssl(1)</a> from /usr/sbin/openssl to /usr/bin/openssl
+    <li>User-visible features:
+      <ul>
+      <li>Reluctantly add server-side support for <tt>TLS_FALLBACK_SCSV</tt>.
+      <li>Import <i>BoringSSL</i>'s crypto bytestring and crypto bytebuilder
+        APIs.
+      <li>Jettison DTLS over SCTP.
+      <li>Move
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&amp;sektion=1">openssl(1)</a>
+        from <tt>/usr/sbin/openssl</tt> to <tt>/usr/bin/openssl</tt>.
+      <li>Two important cipher suites, GOST and Camellia, have been reworked
+        or reenabled, providing better interoperability with systems around
+        the world.
+      <li>libtls: New API for loading CA chains directly from memory instead
+        of a file, allowing verification with privilege separation in a
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&amp;sektion=8">chroot(8)</a>
+        without direct access to CA certificate files.
+      <li>libtls: Ciphers default to TLSv1.2 with AEAD and PFS.
+      <li>libtls: Improved error handling and message generation.
+      <li>Added <tt>X509_STORE_load_mem</tt> API for loading certificates from
+        memory.  This facilitates accessing certificates from a chrooted
+        environment.
+      <li>New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
+        using 'TLSv1.2+AEAD' as the cipher selection string.
+      <li>New
+        <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&amp;sektion=1">openssl(1)</a>
+        command '<tt>certhash</tt>' replaces the <tt>c_rehash</tt> script.
+      <li><i>Application-Layer Protocol Negotiation</i> (ALPN) support.
+      </ul>
+    <li>Code improvements:
+      <ul>
+      <li>Dead and disabled code removal including MD5, Netscape workarounds,
+        non-POSIX IO, SCTP, RFC 3779 support, "#if 0" sections, and more.
+      <li>The ASN1 macros are expanded to aid readability and maintainability.
+      <li>Various NULL pointer asserts removed in favor of letting the
+        OS/signal handler catch them.
+      <li>Dozens of issues found with the <i>Coverity scanner</i> fixed.
+      </ul>
+    <li>Security updates:
+      <ul>
+      <li>Fix a Bleichenbacher style timing oracle with bad PKCS padding.
+      <li>Fix memory leaks.
+      <li>Address POODLE attack by disabling SSLv3 by default.
+      <li>SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
+      <li>Earlier libtls support for non-blocking sockets and randomized
+        session ID contexts.
+      <li>Ensure the stack is marked non-executable for assembly sections.
+      <li>Multiple CVEs fixed including CVE-2014-3506, CVE-2014-3507,
+        CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511,
+        CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0205
+        and CVE-2015-0206.
+      </ul>
     </ul>
 <p>
 <li>mandoc 1.13.3: