version 1.3, 2016/07/21 09:57:48 |
version 1.4, 2016/07/21 10:40:51 |
|
|
</ul> |
</ul> |
</ul> |
</ul> |
<p> |
<p> |
<li>LibreSSL X.X.X |
<li>LibreSSL 2.4.2 |
<ul> |
<ul> |
<li>User-visible features: |
<li>User-visible features: |
<ul> |
<ul> |
<li>... |
<li>Fixed some broken manpage links in the install target. |
|
<li><tt>cert.pem</tt> has been reorganized and synced with Mozilla's |
|
certificate store. |
|
<li>Reliability fix, correcting an error when parsing certain ASN.1 |
|
elements over 16k in size. |
|
<li>Implemented the IETF <i>ChaCha20-Poly1305</i> cipher suites. |
|
<li>Fixed password prompts from |
|
<a href="http://man.openbsd.org/?query=openssl">openssl(1)</a> |
|
to properly handle ^C. |
</ul> |
</ul> |
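Review bot: The <tt>cert.pem</tt> entry in the user-visible list says the bundle was "reorganized and synced with Mozilla's certificate store" but gives no snapshot date and does not say whether roots were added or removed. A sync can change which CAs are trusted by default, so the note should state the source revision or date so operators can audit the difference. The "Reliability fix" entry for ASN.1 elements over 16k would likewise be more useful if it said what the parsing error caused (for example, rejection of valid input versus incorrect parsing).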
<li>Code improvements: |
<li>Code improvements: |
<ul> |
<ul> |
<li>... |
<li>Fixed an <i>nginx</i> compatibility issue by adding an |
|
'<tt>install_sw</tt>' build target. |
|
<li>Changed default |
|
<a href="http://man.openbsd.org/?query=EVP_AEAD_CTX_init">EVP_aead_chacha20_poly1305(3)</a> |
|
implementation to the IETF version, which is now the default. |
|
<li>Reworked error handling in <tt>libtls</tt> so that configuration |
|
errors are more visible. |
|
<li>Added missing error handling around |
|
<a href="http://man.openbsd.org/?query=bn_dump">bn_wexpand(3)</a> |
|
calls. |
|
<li>Added |
|
<a href="http://man.openbsd.org/?query=bzero">explicit_bzero(3)</a> |
|
calls for freed ASN.1 objects. |
|
<li>Fixed <tt>X509_*set_object</tt> functions to return 0 on allocation |
|
failure. |
|
<li>Deprecated internal use of |
|
<a href="http://man.openbsd.org/?query=EVP_EncryptInit">EVP_[Cipher|Encrypt|Decrypt]_Final</a>. |
|
<li>Fixed a problem that prevents the DSA signing algorithm from running |
|
in constant time even if the flag <tt>BN_FLG_CONSTTIME</tt> is set. |
|
<li>Fixed several issues in the OCSP code that could result in the |
|
incorrect generation and parsing of OCSP requests. This remediates |
|
a lack of error checking on time parsing in these functions, and |
|
ensures that only <tt>GENERALIZEDTIME</tt> formats are accepted for |
|
OCSP, as per <i>RFC 6960</i>. |
|
</ul> |
|
<li>The following CVEs had been fixed: |
|
<ul> |
|
<li><tt>CVE-2016-2105</tt>—EVP_EncodeUpdate overflow. |
|
<li><tt>CVE-2016-2106</tt>—EVP_EncryptUpdate overflow. |
|
<li><tt>CVE-2016-2107</tt>—padding oracle in AES-NI CBC MAC check. |
|
<li><tt>CVE-2016-2108</tt>—memory corruption in the ASN.1 encoder. |
|
<li><tt>CVE-2016-2109</tt>—ASN.1 BIO excessive memory allocation. |
</ul> |
</ul> |
</ul> |
</ul> |
<p> |
<p> |
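Review bot: Two entries under "Code improvements" read as security fixes and are easy to miss there. The DSA entry describes signing that did not run in constant time even with <tt>BN_FLG_CONSTTIME</tt> set, and the OCSP entry describes missing error checking on time parsing. Consider moving both next to the CVE list or marking them as security-relevant. Wording in the same block: "prevents" in the DSA entry should be "prevented", "Changed default ... implementation to the IETF version, which is now the default" states the default twice, and "The following CVEs had been fixed" should read "have been fixed".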