===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/59.html,v
retrieving revision 1.16
retrieving revision 1.17
diff -c -r1.16 -r1.17
*** www/59.html	2016/02/03 14:58:49	1.16
--- www/59.html	2016/02/03 15:00:51	1.17
***************
*** 171,186 ****
        </ul>
      </ul>
  <p>
! 
! <li>LibreSSL
      <ul>
      <li>User-visible features:
        <ul>
!       <li>...
        </ul>
      <li>Code improvements:
        <ul>
!       <li>...
        </ul>
      </ul>
  <p>
--- 171,280 ----
        </ul>
      </ul>
  <p>
! <li>LibreSSL 2.3.2
      <ul>
      <li>User-visible features:
        <ul>
!       <li>This release corrects the handling of <tt>ClientHello</tt> messages
!         that do not include TLS extensions, resulting in such handshakes being
!         aborted.
!       <li>When loading a DSA key from an raw (without DH parameters) ASN.1
!         serialization, perform some consistency checks on its `p' and `q'
!         values, and return an error if the checks failed.
!       <li>Fixed a bug in <tt>ECDH_compute_key</tt> that can lead to silent
!         truncation of the result key without error. A coding error could cause
!         software to use much shorter keys than intended.
!       <li>Removed support for <tt>DTLS_BAD_VER</tt>. Pre-DTLSv1 implementations
!         are no longer supported.
!       <li>The engine command and parameters are removed from
! 	<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&amp;sektion=1">openssl(1)</a>.
!         Previous releases removed dynamic and builtin engine support already.
!       <li>SHA-0 is removed, which was withdrawn shortly after publication
!         twenty years ago.
!       <li>Added <tt>Certplus CA</tt> root certificate to the default
!         <tt>cert.pem</tt> file.
!       <li>Fixed a leak in <tt>SSL_new</tt> in the error path.
!       <li>Fixed a memory leak and out-of-bounds access in <tt>OBJ_obj2txt</tt>.
!       <li>Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
!         <tt>sizeof(RC4_CHUNK)</tt>.
!       <li>Added <tt>EVP_aead_chacha20_poly1305_ietf()</tt> which matches the
!         AEAD construction introduced in RFC 7539, which is different than that
!         already used in TLS with <tt>EVP_aead_chacha20_poly1305()</tt>.
!       <li>More man pages converted from pod to mdoc format.
!       <li>Added <tt>COMODO RSA Certification Authority</tt> and
!         <tt>QuoVadis</tt> root certificates to <tt>cert.pem</tt>.
!       <li>Removed Remhve "<tt>C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
!         Certification Authority</tt>"
!         (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be)
!         root certificate from <tt>cert.pem</tt>.
!       <li>Fixed incorrect TLS certificate loading by
! 	<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&amp;sektion=1">nc(1)</a>.
!       <li>The following CVEs had been fixed:
!         <ul>
!           <li><tt>CVE-2015-3194</tt>&#8212;NULL pointer dereference in client
!             side certificate validation.
!           <li><tt>CVE-2015-3195</tt>&#8212;memory leak in PKCS7, not reachable
!             from TLS/SSL.
!         </ul>
!       <li>Note: The following OpenSSL CVEs did not apply to LibreSSL:
!         <ul>
!           <li><tt>CVE-2015-3193</tt>&#8212;carry propagating bug in the x86_64
!             Montgomery squaring procedure.
!           <li><tt>CVE-2015-3196</tt>&#8212;double free race condition of the
!             identify hint data.
!         </ul>
        </ul>
      <li>Code improvements:
        <ul>
!       <li>Added install target for <tt>cmake</tt> builds.
!       <li>Updated <tt>pkgconfig</tt> files to correctly report the release
!         version number, not the individual library ABI version numbers.
!       <li>SSLv3 is now permanently removed from the tree.
!       <li>The <tt>libtls</tt> API is changed from the 2.2.x series:
!         <ul>
!           <li>The tls_read/write functions now work better with external event
!             libraries.
!           <li>Client-side verification is now supported, with the client
!             supplying the certificate to the server.
!           <li>Also, when using <tt>tls_connect_fds</tt>,
!             <tt>tls_connect_socket</tt> or <tt>tls_accept_fds</tt>,
!             <tt>libtls</tt> no longer implicitly closes the passed in sockets.
!             The caller is responsible for closing them in this case.
!         </ul>
!       <li>New interface <tt>OPENSSL_cpu_caps</tt> is provided that does not
!         allow software to inadvertently modify cpu capability flags.
!         <tt>OPENSSL_ia32cap</tt> and <tt>OPENSSL_ia32cap_loc</tt> are removed.
!       <li>The <tt>out_len</tt> argument of AEAD changed from <tt>ssize_t</tt>
!         to <tt>size_t</tt>.
!       <li>Deduplicated DTLS code, sharing bugfixes and improvements with TLS.
!       <li>Converted
! 	<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&amp;sektion=1">nc(1)</a>
!         to use <tt>libtls</tt> for client and server operations; it is
!         included in the libressl-portable distribution as an example of how
!         to use the <tt>libtls</tt> library.  This is intended to be a simpler
!         and more robust replacement for <tt>openssl s_client</tt> and
!         <tt>openssl s_server</tt> for day-to-day operations.
!       <li>ASN.1 cleanups and RFC5280 compliance fixes.
!       <li>Time representations switched from <tt>unsigned long</tt> to
!         <tt>time_t</tt>.  LibreSSL now checks if the host OS supports 64-bit
!         <tt>time_t</tt>.
!       <li>Support always extracting the peer cipher and version with
!         <tt>libtls</tt>.
!       <li>Added ability to check certificate validity times with
!         <tt>libtls</tt>, <tt>tls_peer_cert_notbefore</tt> and
!         <tt>tls_peer_cert_notafter</tt>.
!       <li>Changed tls_connect_servername to use the first address that
!         resolves with getaddrinfo().
!       <li>Remove broken conditional <tt>EVP_CHECK_DES_KEY</tt> code
!         (non-functional since initial commit in 2004).
!       <li>Reject too small bits value in <tt>BN_generate_prime_ex()</tt>,
!         so that it does not risk becoming negative in
!         <tt>probable_prime_dh_safe()</tt>.
!       <li>Changed format of LIBRESSL_VERSION_NUMBER to match that of
!         <tt>OPENSSL_VERSION_NUMBER</tt>.
!       <li>Avoid a potential undefined C99+ behavior due to shift overflow in
!         <tt>AES_decrypt</tt>.
!       <li>Deprecated the <tt>SSL_OP_SINGLE_DH_USE</tt> flag.
        </ul>
      </ul>
  <p>