version 1.17, 2016/02/03 15:00:51 |
version 1.18, 2016/02/03 16:40:02 |
|
|
<ul> |
<ul> |
<li>Qualys Security identified vulnerabilities in the |
<li>Qualys Security identified vulnerabilities in the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
client experimential support for resuming SSH-connections (roaming). |
client experimental support for resuming SSH-connections (roaming). |
In the default configuration, this could potentially leak client keys |
In the default configuration, this could potentially leak client keys |
to a hostile server. The authentication of the server host key |
to a hostile server. The authentication of the server host key |
prevents exploitation by a man-in-the-middle, so this information leak |
prevents exploitation by a man-in-the-middle, so this information leak |
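Review bot: "SSH-connections" in the roaming item is still hyphenated on the new side; "SSH connections" is the usual form, and since the line is already being touched for the "experimential" typo it could be corrected in the same pass.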
|
|
forwarding for cases when the X server disables the <tt>SECURITY</tt> |
forwarding for cases when the X server disables the <tt>SECURITY</tt> |
extension. |
extension. |
<li>Fix an out of-bound read access in the packet handling code. |
<li>Fix an out of-bound read access in the packet handling code. |
<li>Further use of explicit_bzero has been added in various buffer |
<li>Further use of |
handling code paths to guard against compilers aggressively doing |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bzero&sektion=3">explicit_bzero(3)</a> |
dead-store removal. |
has been added in various buffer handling code paths to guard against |
|
compilers aggressively doing dead-store removal. |
</ul> |
</ul> |
<li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
<ul> |
<ul> |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
add compatability workarounds for FuTTY. |
add compatibility workarounds for FuTTY. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
refine compatability workarounds for WinSCP. |
refine compatibility workarounds for WinSCP. |
<li>Fix a number of memory faults (double-free, free of uninitialised |
<li>Fix a number of memory faults (double-free, free of uninitialised |
memory, etc) in |
memory, etc) in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
and |
and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>. |
<li>Correctly interpret the 'first_kex_follows' option during the intial |
<li>Correctly interpret the <tt>first_kex_follows</tt> option during the |
key exchange. |
initial key exchange. |
</ul> |
</ul> |
</ul> |
</ul> |
<p> |
<p> |
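Review bot: The item "Fix an out of-bound read access in the packet handling code" is identical on both sides, so the hyphenation slip survives a commit that otherwise cleans up spelling ("compatability", "intial"); suggest "out-of-bounds read". Separately, the new explicit_bzero(3) link uses query=bzero, so link text and target name differ. If both functions are documented on the same manual page that is fine, but it is worth confirming the target before this goes out.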
|
|
<li>Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of |
<li>Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of |
<tt>sizeof(RC4_CHUNK)</tt>. |
<tt>sizeof(RC4_CHUNK)</tt>. |
<li>Added <tt>EVP_aead_chacha20_poly1305_ietf()</tt> which matches the |
<li>Added <tt>EVP_aead_chacha20_poly1305_ietf()</tt> which matches the |
AEAD construction introduced in RFC 7539, which is different than that |
<tt>AEAD</tt> construction introduced in RFC 7539, which is different |
already used in TLS with <tt>EVP_aead_chacha20_poly1305()</tt>. |
than that already used in TLS with |
<li>More man pages converted from pod to mdoc format. |
<tt>EVP_aead_chacha20_poly1305()</tt>. |
|
<li>More man pages converted from pod to |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mdoc&sektion=7">mdoc(7)</a> |
|
format. |
<li>Added <tt>COMODO RSA Certification Authority</tt> and |
<li>Added <tt>COMODO RSA Certification Authority</tt> and |
<tt>QuoVadis</tt> root certificates to <tt>cert.pem</tt>. |
<tt>QuoVadis</tt> root certificates to <tt>cert.pem</tt>. |
<li>Removed Remhve "<tt>C=US, O=VeriSign, Inc., OU=Class 3 Public Primary |
<li>Removed Remhve "<tt>C=US, O=VeriSign, Inc., OU=Class 3 Public Primary |
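Review bot: The cert.pem item still begins "Removed Remhve" on both sides; the second word looks like a leftover from an earlier edit and should be dropped so the line reads "Removed" followed by the quoted subject. Also, wrapping AEAD in <tt> in the RFC 7539 item marks an acronym as if it were an identifier, while the rest of the page reserves <tt> for function, file and macro names; plain text would be more consistent there.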
|
|
<li>SSLv3 is now permanently removed from the tree. |
<li>SSLv3 is now permanently removed from the tree. |
<li>The <tt>libtls</tt> API is changed from the 2.2.x series: |
<li>The <tt>libtls</tt> API is changed from the 2.2.x series: |
<ul> |
<ul> |
<li>The tls_read/write functions now work better with external event |
<li>The <tt>tls_read</tt>/<tt>write</tt> functions now work better |
libraries. |
with external event libraries. |
<li>Client-side verification is now supported, with the client |
<li>Client-side verification is now supported, with the client |
supplying the certificate to the server. |
supplying the certificate to the server. |
<li>Also, when using <tt>tls_connect_fds</tt>, |
<li>Also, when using <tt>tls_connect_fds</tt>, |
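Review bot: The new markup <tt>tls_read</tt>/<tt>write</tt> renders the second function as a bare "write", which a reader can take for the system call rather than the libtls function. Suggest spelling both names out, <tt>tls_read</tt>/<tt>tls_write</tt>, or keeping the shorthand inside a single <tt> element as the old text effectively did.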
|
|
<li>New interface <tt>OPENSSL_cpu_caps</tt> is provided that does not |
<li>New interface <tt>OPENSSL_cpu_caps</tt> is provided that does not |
allow software to inadvertently modify cpu capability flags. |
allow software to inadvertently modify cpu capability flags. |
<tt>OPENSSL_ia32cap</tt> and <tt>OPENSSL_ia32cap_loc</tt> are removed. |
<tt>OPENSSL_ia32cap</tt> and <tt>OPENSSL_ia32cap_loc</tt> are removed. |
<li>The <tt>out_len</tt> argument of AEAD changed from <tt>ssize_t</tt> |
<li>The <tt>out_len</tt> argument of <tt>AEAD</tt> changed from |
to <tt>size_t</tt>. |
<tt>ssize_t</tt> to <tt>size_t</tt>. |
<li>Deduplicated DTLS code, sharing bugfixes and improvements with TLS. |
<li>Deduplicated DTLS code, sharing bugfixes and improvements with TLS. |
<li>Converted |
<li>Converted |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1">nc(1)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1">nc(1)</a> |
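Review bot: In the out_len item, <tt>AEAD</tt> is now formatted like an identifier, but no function is named, so a caller cannot tell from this line which prototypes changed from ssize_t to size_t. Since this is a signedness change that affects callers' length checks, naming the affected function or functions would be more useful than tagging the acronym. Minor: "cpu capability flags" in the OPENSSL_cpu_caps item could be "CPU".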
|
|
<li>Added ability to check certificate validity times with |
<li>Added ability to check certificate validity times with |
<tt>libtls</tt>, <tt>tls_peer_cert_notbefore</tt> and |
<tt>libtls</tt>, <tt>tls_peer_cert_notbefore</tt> and |
<tt>tls_peer_cert_notafter</tt>. |
<tt>tls_peer_cert_notafter</tt>. |
<li>Changed tls_connect_servername to use the first address that |
<li>Changed <tt>tls_connect_servername</tt> to use the first address that |
resolves with getaddrinfo(). |
resolves with |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getaddrinfo&sektion=3">getaddrinfo(3)</a>. |
<li>Remove broken conditional <tt>EVP_CHECK_DES_KEY</tt> code |
<li>Remove broken conditional <tt>EVP_CHECK_DES_KEY</tt> code |
(non-functional since initial commit in 2004). |
(non-functional since initial commit in 2004). |
<li>Reject too small bits value in <tt>BN_generate_prime_ex()</tt>, |
<li>Reject too small bits value in <tt>BN_generate_prime_ex()</tt>, |
so that it does not risk becoming negative in |
so that it does not risk becoming negative in |
<tt>probable_prime_dh_safe()</tt>. |
<tt>probable_prime_dh_safe()</tt>. |
<li>Changed format of LIBRESSL_VERSION_NUMBER to match that of |
<li>Changed format of <tt>LIBRESSL_VERSION_NUMBER</tt> to match that of |
<tt>OPENSSL_VERSION_NUMBER</tt>. |
<tt>OPENSSL_VERSION_NUMBER</tt>. |
<li>Avoid a potential undefined C99+ behavior due to shift overflow in |
<li>Avoid a potential undefined C99+ behavior due to shift overflow in |
<tt>AES_decrypt</tt>. |
<tt>AES_decrypt</tt>. |
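Review bot: Function names in this block are now all in <tt>, but the parentheses are inconsistent: BN_generate_prime_ex() and probable_prime_dh_safe() carry them, while tls_connect_servername, tls_peer_cert_notbefore, tls_peer_cert_notafter and AES_decrypt do not. Since the commit is a markup consistency pass, pick one convention and apply it to every function name in the list.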