===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/59.html,v
retrieving revision 1.16
retrieving revision 1.17
diff -c -r1.16 -r1.17
*** www/59.html 2016/02/03 14:58:49 1.16
--- www/59.html 2016/02/03 15:00:51 1.17
***************
*** 171,186 ****
!
!
LibreSSL
- User-visible features:
- Code improvements:
--- 171,280 ----
!
LibreSSL 2.3.2
- User-visible features:
! - This release corrects the handling of ClientHello messages
! that do not include TLS extensions, resulting in such handshakes being
! aborted.
!
- When loading a DSA key from an raw (without DH parameters) ASN.1
! serialization, perform some consistency checks on its `p' and `q'
! values, and return an error if the checks failed.
!
- Fixed a bug in ECDH_compute_key that can lead to silent
! truncation of the result key without error. A coding error could cause
! software to use much shorter keys than intended.
!
- Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations
! are no longer supported.
!
- The engine command and parameters are removed from
! openssl(1).
! Previous releases removed dynamic and builtin engine support already.
!
- SHA-0 is removed, which was withdrawn shortly after publication
! twenty years ago.
!
- Added Certplus CA root certificate to the default
! cert.pem file.
!
- Fixed a leak in SSL_new in the error path.
!
- Fixed a memory leak and out-of-bounds access in OBJ_obj2txt.
!
- Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
! sizeof(RC4_CHUNK).
!
- Added EVP_aead_chacha20_poly1305_ietf() which matches the
! AEAD construction introduced in RFC 7539, which is different than that
! already used in TLS with EVP_aead_chacha20_poly1305().
!
- More man pages converted from pod to mdoc format.
!
- Added COMODO RSA Certification Authority and
! QuoVadis root certificates to cert.pem.
!
- Removed Remhve "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
! Certification Authority"
! (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be)
! root certificate from cert.pem.
!
- Fixed incorrect TLS certificate loading by
! nc(1).
!
- The following CVEs had been fixed:
!
! - CVE-2015-3194—NULL pointer dereference in client
! side certificate validation.
!
- CVE-2015-3195—memory leak in PKCS7, not reachable
! from TLS/SSL.
!
! - Note: The following OpenSSL CVEs did not apply to LibreSSL:
!
! - CVE-2015-3193—carry propagating bug in the x86_64
! Montgomery squaring procedure.
!
- CVE-2015-3196—double free race condition of the
! identify hint data.
!
- Code improvements:
! - Added install target for cmake builds.
!
- Updated pkgconfig files to correctly report the release
! version number, not the individual library ABI version numbers.
!
- SSLv3 is now permanently removed from the tree.
!
- The libtls API is changed from the 2.2.x series:
!
! - The tls_read/write functions now work better with external event
! libraries.
!
- Client-side verification is now supported, with the client
! supplying the certificate to the server.
!
- Also, when using tls_connect_fds,
! tls_connect_socket or tls_accept_fds,
! libtls no longer implicitly closes the passed in sockets.
! The caller is responsible for closing them in this case.
!
! - New interface OPENSSL_cpu_caps is provided that does not
! allow software to inadvertently modify cpu capability flags.
! OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
!
- The out_len argument of AEAD changed from ssize_t
! to size_t.
!
- Deduplicated DTLS code, sharing bugfixes and improvements with TLS.
!
- Converted
! nc(1)
! to use libtls for client and server operations; it is
! included in the libressl-portable distribution as an example of how
! to use the libtls library. This is intended to be a simpler
! and more robust replacement for openssl s_client and
! openssl s_server for day-to-day operations.
!
- ASN.1 cleanups and RFC5280 compliance fixes.
!
- Time representations switched from unsigned long to
! time_t. LibreSSL now checks if the host OS supports 64-bit
! time_t.
!
- Support always extracting the peer cipher and version with
! libtls.
!
- Added ability to check certificate validity times with
! libtls, tls_peer_cert_notbefore and
! tls_peer_cert_notafter.
!
- Changed tls_connect_servername to use the first address that
! resolves with getaddrinfo().
!
- Remove broken conditional EVP_CHECK_DES_KEY code
! (non-functional since initial commit in 2004).
!
- Reject too small bits value in BN_generate_prime_ex(),
! so that it does not risk becoming negative in
! probable_prime_dh_safe().
!
- Changed format of LIBRESSL_VERSION_NUMBER to match that of
! OPENSSL_VERSION_NUMBER.
!
- Avoid a potential undefined C99+ behavior due to shift overflow in
! AES_decrypt.
!
- Deprecated the SSL_OP_SINGLE_DH_USE flag.
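Review bot: In the new 171,280 text the VeriSign entry reads 'Removed Remhve "C=US, O=VeriSign, Inc., ..."', where "Remhve" looks like a leftover from editing; drop it so the item starts with "Removed". Two smaller wording points in the same block: "from an raw (without DH parameters) ASN.1 serialization" should be "a raw", and "The following CVEs had been fixed" reads better as "have been fixed". The libtls item saying that tls_connect_fds, tls_connect_socket and tls_accept_fds no longer implicitly close the passed in sockets is a behaviour change that callers have to act on, since code relying on the old behaviour will now leave those descriptors open. Consider flagging it more prominently than as a sub-item under "Code improvements".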