===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/59.html,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- www/59.html 2016/02/03 14:58:49 1.16
+++ www/59.html 2016/02/03 15:00:51 1.17
@@ -171,16 +171,110 @@
-
-
LibreSSL
+LibreSSL 2.3.2
- User-visible features:
- - ...
+
- This release corrects the handling of ClientHello messages
+ that do not include TLS extensions, resulting in such handshakes being
+ aborted.
+
- When loading a DSA key from an raw (without DH parameters) ASN.1
+ serialization, perform some consistency checks on its `p' and `q'
+ values, and return an error if the checks failed.
+
- Fixed a bug in ECDH_compute_key that can lead to silent
+ truncation of the result key without error. A coding error could cause
+ software to use much shorter keys than intended.
+
- Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations
+ are no longer supported.
+
- The engine command and parameters are removed from
+ openssl(1).
+ Previous releases removed dynamic and builtin engine support already.
+
- SHA-0 is removed, which was withdrawn shortly after publication
+ twenty years ago.
+
- Added Certplus CA root certificate to the default
+ cert.pem file.
+
- Fixed a leak in SSL_new in the error path.
+
- Fixed a memory leak and out-of-bounds access in OBJ_obj2txt.
+
- Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
+ sizeof(RC4_CHUNK).
+
- Added EVP_aead_chacha20_poly1305_ietf() which matches the
+ AEAD construction introduced in RFC 7539, which is different than that
+ already used in TLS with EVP_aead_chacha20_poly1305().
+
- More man pages converted from pod to mdoc format.
+
- Added COMODO RSA Certification Authority and
+ QuoVadis root certificates to cert.pem.
+
- Removed Remhve "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
+ Certification Authority"
+ (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be)
+ root certificate from cert.pem.
+
- Fixed incorrect TLS certificate loading by
+ nc(1).
+
- The following CVEs had been fixed:
+
+ - CVE-2015-3194—NULL pointer dereference in client
+ side certificate validation.
+
- CVE-2015-3195—memory leak in PKCS7, not reachable
+ from TLS/SSL.
+
+ - Note: The following OpenSSL CVEs did not apply to LibreSSL:
+
+ - CVE-2015-3193—carry propagating bug in the x86_64
+ Montgomery squaring procedure.
+
- CVE-2015-3196—double free race condition of the
+ identify hint data.
+
- Code improvements:
- - ...
+
- Added install target for cmake builds.
+
- Updated pkgconfig files to correctly report the release
+ version number, not the individual library ABI version numbers.
+
- SSLv3 is now permanently removed from the tree.
+
- The libtls API is changed from the 2.2.x series:
+
+ - The tls_read/write functions now work better with external event
+ libraries.
+
- Client-side verification is now supported, with the client
+ supplying the certificate to the server.
+
- Also, when using tls_connect_fds,
+ tls_connect_socket or tls_accept_fds,
+ libtls no longer implicitly closes the passed in sockets.
+ The caller is responsible for closing them in this case.
+
+ - New interface OPENSSL_cpu_caps is provided that does not
+ allow software to inadvertently modify cpu capability flags.
+ OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
+
- The out_len argument of AEAD changed from ssize_t
+ to size_t.
+
- Deduplicated DTLS code, sharing bugfixes and improvements with TLS.
+
- Converted
+ nc(1)
+ to use libtls for client and server operations; it is
+ included in the libressl-portable distribution as an example of how
+ to use the libtls library. This is intended to be a simpler
+ and more robust replacement for openssl s_client and
+ openssl s_server for day-to-day operations.
+
- ASN.1 cleanups and RFC5280 compliance fixes.
+
- Time representations switched from unsigned long to
+ time_t. LibreSSL now checks if the host OS supports 64-bit
+ time_t.
+
- Support always extracting the peer cipher and version with
+ libtls.
+
- Added ability to check certificate validity times with
+ libtls, tls_peer_cert_notbefore and
+ tls_peer_cert_notafter.
+
- Changed tls_connect_servername to use the first address that
+ resolves with getaddrinfo().
+
- Remove broken conditional EVP_CHECK_DES_KEY code
+ (non-functional since initial commit in 2004).
+
- Reject too small bits value in BN_generate_prime_ex(),
+ so that it does not risk becoming negative in
+ probable_prime_dh_safe().
+
- Changed format of LIBRESSL_VERSION_NUMBER to match that of
+ OPENSSL_VERSION_NUMBER.
+
- Avoid a potential undefined C99+ behavior due to shift overflow in
+ AES_decrypt.
+
- Deprecated the SSL_OP_SINGLE_DH_USE flag.
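Review bot: the root-certificate removal entry in this hunk reads `Removed Remhve "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary`, which duplicates the verb with a garbled second copy; it should read `Removed "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary`. Two smaller wording fixes in the same hunk: the DSA entry says `from an raw (without DH parameters) ASN.1` and should be `from a raw (without DH parameters) ASN.1`, and the CVE list is introduced with `The following CVEs had been fixed:` where `have been fixed` is the intended tense for release notes describing the current release. The rest of the added list (the libtls socket-ownership change, the size_t out_len change and the CVE-2015-3194/3195 fixes versus the not-applicable 3193/3196 note) is consistent with the surrounding entries.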