===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/64.html,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -r1.85 -r1.86
--- www/64.html 2018/10/17 07:48:17 1.85
+++ www/64.html 2018/10/17 10:42:19 1.86
@@ -91,7 +91,7 @@
New acpipci(4/arm64)
driver providing support for PCI host bridges
based on information provided by ACPI.
- New
+ New
mvclock(4),
mvgpio(4),
mvicu(4),
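Review bot: The removed and added "New" lines in this hunk read the same as shown, so this looks like a whitespace-only change, and the same is true of the PCID, ospfd(8), disklabel(8), fuse(4), update-plist(1) and package-count hunks in this revision. Suggest committing the whitespace cleanup separately from the LibreSSL 2.8.2 rewrite so the content change can be reviewed on its own.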
@@ -248,7 +248,7 @@
and in assembly files on amd64 and i386.
Added SpectreRSB mitigation on amd64.
Added Intel L1 Terminal Fault mitigation on amd64.
- When available, PCIDs are used on amd64 to separate user
+ When available, PCIDs are used on amd64 to separate user
and kernel thread TLB entries.
Meltdown mitigation was added to i386.
amd64 now uses eager-FPU switching to prevent FPU state
@@ -277,8 +277,8 @@
bound into an alternate routing domain.
ospf6d(8) is
now pledged.
- Prevent ospfd(8) and
- ospf6d(8) from being
+ Prevent ospfd(8) and
+ ospf6d(8) from being
started more than once (in the same routing domain).
slaacd(8) is now fully
pledged.
@@ -423,7 +423,7 @@
improved the rounding of partition offsets and
sizes to cylinder boundaries.
disklabel(8)
- now range checks all user input.
+ now range checks all user input.
disklabel(8)
no longer allows FS_RAID partitions to be given a mount point.
disklabel(8)
@@ -436,7 +436,7 @@
now handles terminfo colors greater than 256 correctly.
httpd(8)
now supports client certificate authentication.
- Numerous improvements to the
+ Numerous improvements to the
fuse(4) subsystem.
Improvements to the way the kernel searches for available
memory to satisfy anonymous
@@ -506,7 +506,7 @@
authentication log messages.
Non-exhaustive list of bug fixes:
-
+
- ssh(1):
ssh-keygen(1):
avoid spurious "invalid format" errors when attempting to load
@@ -536,19 +536,101 @@
from OpenSSH <7.8.
-
+
LibreSSL 2.8.2
-
- - X509 verification was made more strict so
- X509_VERIFY_PARAM
- host, ip or email failure will cause future
- X509_verify_cert
- calls to fail.
-
- Support for single DES cipher suites has been removed.
-
- Support for RSASSA-PKCS1-v1_5 (RFC 8017) was added to
- RSA_sign(3)
+
+ - API and Documentation Enhancements
+
+ - X509 verification is now more strict so
+ X509_VERIFY_PARAM
+ host, ip or email failure will cause future
+ X509_verify_cert
+ calls to fail.
+
- Support for single DES cipher suites is removed.
+
- Support for RSASSA-PKCS1-v1_5 (RFC 8017) is added to
+ RSA_sign(3)
+
- Modified signature of CRYPTO_mem_leaks_* to return -1. This function
+ is a no-op in LibreSSL, so this function returns an error to not
+ indicate the (non-)existence of memory leaks.
+
- SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
+ X509_OBJECT_up_ref_count now return an int for error handling,
+ matching OpenSSL.
+
- Converted a number of #defines into proper functions, matching
+ OpenSSL's ABI.
+
- Added X509_get0_serialNumber from OpenSSL.
+
- Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
+ PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
+ OpenSSL.
+
- Removed broken pkcs8 formats from openssl(1).
+
- Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL.
+
- Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
+ retrieved and set with appropriate validation.
+
- Extensive documentation updates and additional API history.
+
- Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.
+
- Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers
+ and matching OpenSSL behavior, rewrote ENGINE_* documentation.
+
- Added const annotations to many existing APIs from OpenSSL, making
+ interoperability easier for downstream applications.
+
- Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
+ operation of BN_* functions.
+
+ - Testing and Proactive Security
+
+ - Added Wycheproof test support for ECDH, RSASSA-PSS, AES-GCM,
+ AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
+ X25519 test vectors. Applied appropriate fixes for errors uncovered by
+ tests.
+
- Added more cipher tests, including all TLSv1.2 ciphers.
+
- Added a blinding value when generating DSA and ECDSA signatures, in
+ order to reduce the possibility of a side-channel attack leaking the
+ private key.
+
- Added timing-safe compares for checking results of signature
+ verification.
+
- Added ECC constant time scalar multiplication support.
+ From Billy Brumley and his team at Tampere University of Technology.
+
+
+ - Internal Improvements
+
+ - Simplified key exchange signature generation and verification.
+
- Converted more code paths to use CBB/CBS. All handshake messages are
+ now created by CBB. RSA key exchange is simplified and uses dedicated
+ buffers for secrets.
+
- Simplified session ticket parsing and handling, inspired by
+ BoringSSL.
+
- Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the
+ EVP_AEAD interface.
+
- Stopped using composite EVP_CIPHER AEADs.
+
- Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
+ SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.
+
- Updated BN_clear to use explicit_bzero.
+
- Cleaned up BN_* implementations following changes made in OpenSSL by
+ Davide Galassi and others.
+
- Revised the implementation of RSASSA-PKCS1-v1_5 to match the
+ specification in RFC 8017. Based on an OpenSSL commit by David
+ Benjamin.
+
+
+ - Bug Fixes
+
+ - Fixed a one-byte buffer overrun in callers of EVP_read_pw_string
+
- Fixed various memory leaks found by Coverity.
+
- Converted more functions in public API to use const arguments.
+
- Correctly clear the current cipher state, when changing cipher state.
+ This fixed an issue where renegotion of cipher suites would fail
+ when switched from AEAD to non-AEAD or vice-versa.
+ Issue reported by Bernard Spil.
+
- Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry
+
- Fixed a potential memory leak on failure in ASN1_item_digest
+
- Fixed a potential memory alignment crash in asn1_item_combine_free
+
- Fixed small timing side-channels in ecdsa_sign_setup and
+ dsa_sign_setup.
+
- Added a missing bounds check in c2i_ASN1_BIT_STRING.
+
- Fixed a potential leak/incorrect return value in DSA signature
+ generation.
+
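Review bot: Three wording errors in the added LibreSSL 2.8.2 text need fixing: "renegotion" in the cipher-state entry under Bug Fixes should be "renegotiation", "Stopped handing AES-GCM" under Internal Improvements should be "handling", and "Added RSA_meth_get_finish() RSA_meth_set1_name()" is missing an "and". The entry "Converted more functions in public API to use const arguments" is filed under Bug Fixes but restates the const-annotation entry already listed under API and Documentation Enhancements; suggest dropping it or merging the two. The CRYPTO_mem_leaks_* entry says the "signature" was modified to return -1 and then explains it with "returns an error to not indicate the (non-)existence of memory leaks", which is hard to parse; suggest stating directly what changed and what a caller should conclude from the -1. The ENGINE_finish/ENGINE_free entry ("succeed on NULL and simplify callers and matching OpenSSL behavior") also mixes tenses and would read better split into two sentences.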
@@ -576,8 +658,8 @@
- update-plist(1)
has been entirely rewritten and now figures out MULTI_PACKAGES and
variable substitution almost 100%.
-
- New packages now run maintenance database tools like
- update-desktop-database just once instead of after
+
- New packages now run maintenance database tools like
+ update-desktop-database just once instead of after
every package addition/removal.
@@ -590,13 +672,13 @@
- aarch64: 8319
- amd64: 10304
-
- arm:
+
- arm:
- i386: 10230
-
- mips64:
-
- mips64el:
+
- mips64:
+
- mips64el:
|
- - powerpc:
+
- powerpc:
- sparc64:
|
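Review bot: The arm, mips64, mips64el and powerpc lines touched in this hunk still have nothing after the colon, while aarch64, amd64 and i386 carry package counts (sparc64 in the trailing context is empty as well). If the counts are not yet known, suggest leaving these lines untouched until they can be filled in, or marking them as pending, so the release page does not ship with blank entries.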