===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/59.html,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- www/59.html 2016/02/18 01:55:02 1.27
+++ www/59.html 2016/02/18 11:39:14 1.28
@@ -76,7 +76,7 @@
Generic network stack improvements:
- - Remove support for obsolete IPv6 socket options
+
- Remove support for obsolete IPv6 socket options.
- ...
@@ -120,9 +120,11 @@
Assorted improvements:
- - doas is a little friendlier to use
-
- Updated flex
-
- Updated and improved less
+
- doas is a little friendlier to use.
+
- Updated
+ flex(1).
+
- Updated and improved
+ less(1).
- pdisk(8) was largely rewritten and pledged.
- Renaming files in the root directory of a MSDOS filesystem was fixed.
- Many obsolete disktab(5) attributes and entries were removed.
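Review bot: The doas entry is the only updated item in this hunk without a manual reference, and it does not say what changed. flex(1) and less(1) now carry section numbers, so write doas(1) the same way and name the actual improvement instead of "a little friendlier to use".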
@@ -225,19 +227,20 @@
- Added Certplus CA root certificate to the default
cert.pem file.
- Fixed a leak in
- SSL_new(3)
+ SSL_new(3)
in the error path.
-
- Fixed a memory leak and out-of-bounds access in OBJ_obj2txt.
+
- Fixed a memory leak and out-of-bounds access in
+ OBJ_obj2txt(3).
- Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
sizeof(RC4_CHUNK).
- Added
- EVP_aead_chacha20_poly1305(3)
+ EVP_aead_chacha20_poly1305(3)
which matches the
AEAD construction introduced in RFC 7539, which is different
than that already used in TLS with
- EVP_aead_chacha20_poly1305(3).
+ EVP_aead_chacha20_poly1305(3).
- More man pages converted from pod to
- mdoc(7)
+ mdoc(7)
format.
- Added COMODO RSA Certification Authority and
QuoVadis root certificates to cert.pem.
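Review bot: In the RFC 7539 entry, the added function and the one it is contrasted with are both written as EVP_aead_chacha20_poly1305(3), so the sentence says the function differs from itself. The first reference should carry the name of the newly added RFC 7539 variant, keeping the existing name only for the construction already used in TLS. While touching this entry, "different than" reads better as "different from".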
@@ -246,20 +249,20 @@
(serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be)
root certificate from cert.pem.
- Fixed incorrect TLS certificate loading by
- nc(1).
+ nc(1).
- The following CVEs had been fixed:
- - CVE-2015-3194—NULL pointer dereference in client
- side certificate validation.
-
- CVE-2015-3195—memory leak in PKCS7, not reachable
- from TLS/SSL.
+
- CVE-2015-3194—NULL pointer dereference in client
+ side certificate validation.
+
- CVE-2015-3195—memory leak in PKCS7, not reachable
+ from TLS/SSL.
- Note: The following OpenSSL CVEs did not apply to LibreSSL:
- - CVE-2015-3193—carry propagating bug in the x86_64
- Montgomery squaring procedure.
-
- CVE-2015-3196—double free race condition of the
- identify hint data.
+
- CVE-2015-3193—carry propagating bug in the x86_64
+ Montgomery squaring procedure.
+
- CVE-2015-3196—double free race condition of the
+ identify hint data.
Code improvements:
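Review bot: The re-added CVE-2015-3196 line still reads "identify hint data", which looks like a typo for "identity hint data"; fix it while these lines are being rewritten. The list intro "The following CVEs had been fixed:" would also read better as "were fixed", matching the past tense of the neighbouring entries.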
@@ -270,20 +273,20 @@
SSLv3 is now permanently removed from the tree.
The libtls API is changed from the 2.2.x series:
- - The
- tls_read(3)
- and
- tls_write(3)
- functions now work better with external event libraries.
-
- Client-side verification is now supported, with the client
- supplying the certificate to the server.
-
- Also, when using
- tls_connect_fds(3),
- tls_connect_socket(3)
- or
- tls_accept_fds(3),
- libtls no longer implicitly closes the passed in sockets.
- The caller is responsible for closing them in this case.
+
- The
+ tls_read(3)
+ and
+ tls_write(3)
+ functions now work better with external event libraries.
+
- Client-side verification is now supported, with the client
+ supplying the certificate to the server.
+
- Also, when using
+ tls_connect_fds(3),
+ tls_connect_socket(3)
+ or
+ tls_accept_fds(3),
+ libtls no longer implicitly closes the passed in sockets.
+ The caller is responsible for closing them in this case.
New interface OPENSSL_cpu_caps is provided that does not
allow software to inadvertently modify cpu capability flags.
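Review bot: The third libtls item describes a behaviour change that callers written against 2.2.x must act on, but it is phrased as an afterthought ("Also, ...") and leaves "in this case" undefined. Drop "Also,", hyphenate "passed-in", and state directly that code using tls_connect_fds(3), tls_connect_socket(3) or tls_accept_fds(3) must now close its own sockets, since anything that relied on the implicit close will otherwise leave them open.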
@@ -292,7 +295,7 @@
ssize_t to size_t.
Deduplicated DTLS code, sharing bugfixes and improvements with TLS.
Converted
- nc(1)
+ nc(1)
to use libtls for client and server operations; it is
included in the libressl-portable distribution as an example of how
to use the libtls library. This is intended to be a simpler
@@ -306,17 +309,17 @@
libtls.
Added ability to check certificate validity times with
libtls,
- tls_peer_cert_notbefore(3)
+ tls_peer_cert_notbefore(3)
and
- tls_peer_cert_notafter(3).
+ tls_peer_cert_notafter(3).
Changed
- tls_connect_servername(3)
+ tls_connect_servername(3)
to use the first address that resolves with
- getaddrinfo(3).
+ getaddrinfo(3).
Remove broken conditional EVP_CHECK_DES_KEY code
(non-functional since initial commit in 2004).
Reject too small bits value in
- BN_generate_prime_ex(3),
+ BN_generate_prime_ex(3),
so that it does not risk becoming negative in
probable_prime_dh_safe().
Changed format of LIBRESSL_VERSION_NUMBER to match that of
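Review bot: In the BN_generate_prime_ex(3) entry, "so that it does not risk becoming negative" has no clear antecedent; say explicitly which value can go negative in probable_prime_dh_safe() (the bits value, as the sentence stands). The entries in this hunk also mix past tense ("Added", "Changed") with imperative ("Remove", "Reject"); pick one form for the list.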