===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/57.html,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -r1.72 -r1.73
--- www/57.html 2015/03/17 22:57:32 1.72
+++ www/57.html 2015/03/18 15:23:30 1.73
@@ -457,12 +457,57 @@
LibreSSL
- - Fix a Bleichenbacher style timing oracle with bad PKCS padding.
-
- Reluctantly add server-side support for TLS_FALLBACK_SCSV.
-
- Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.
-
- Jettison DTLS over SCTP.
-
- Fix memory leaks.
-
- Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl
+
- User-visible features:
+
+ - Reluctantly add server-side support for TLS_FALLBACK_SCSV.
+
- Import BoringSSL's crypto bytestring and crypto bytebuilder
+ APIs.
+
- Jettison DTLS over SCTP.
+
- Move
+ openssl(1)
+ from /usr/sbin/openssl to /usr/bin/openssl.
+
- Two important cipher suites, GOST and Camellia, have been reworked
+ or reenabled, providing better interoperability with systems around
+ the world.
+
- libtls: New API for loading CA chains directly from memory instead
+ of a file, allowing verification with privilege separation in a
+ chroot(8)
+ without direct access to CA certificate files.
+
- libtls: Ciphers default to TLSv1.2 with AEAD and PFS.
+
- libtls: Improved error handling and message generation.
+
- Added X509_STORE_load_mem API for loading certificates from
+ memory. This facilitates accessing certificates from a chrooted
+ environment.
+
- New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
+ using 'TLSv1.2+AEAD' as the cipher selection string.
+
- New
+ openssl(1)
+ command 'certhash' replaces the c_rehash script.
+
- Application-Layer Protocol Negotiation (ALPN) support.
+
+ - Code improvements:
+
+ - Dead and disabled code removal including MD5, Netscape workarounds,
+ non-POSIX IO, SCTP, RFC 3779 support, "#if 0" sections, and more.
+
- The ASN1 macros are expanded to aid readability and maintainability.
+
- Various NULL pointer asserts removed in favor of letting the
+ OS/signal handler catch them.
+
- Dozens of issues found with the Coverity scanner fixed.
+
+ - Security updates:
+
+ - Fix a Bleichenbacher style timing oracle with bad PKCS padding.
+
- Fix memory leaks.
+
- Address POODLE attack by disabling SSLv3 by default.
+
- SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
+
- Earlier libtls support for non-blocking sockets and randomized
+ session ID contexts.
+
- Ensure the stack is marked non-executable for assembly sections.
+
- Multiple CVEs fixed including CVE-2014-3506, CVE-2014-3507,
+ CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511,
+ CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0205
+ and CVE-2015-0206.
+
mandoc 1.13.3:
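Review bot: Two entries in the new "Security updates" list, "SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932" and "Earlier libtls support for non-blocking sockets and randomized session ID contexts", describe added functionality rather than fixes. Either move them under "User-visible features" or say which weakness each one addresses, so the security list stays limited to items a reader should act on (the Bleichenbacher timing oracle fix, SSLv3 disabled by default for POODLE, the non-executable stack marking, and the CVE list). The word "Earlier" in the second entry is also unclear and should be reworded. In "User-visible features", the "libtls: New API for loading CA chains directly from memory" entry and the "Added X509_STORE_load_mem API" entry both give the chroot use case as their rationale; consider merging them or stating how the two relate. In "Code improvements", "Dead and disabled code removal including MD5" does not say which MD5 code was removed, and a short qualifier would keep readers from assuming more than is meant.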