version 1.3, 2023/03/15 16:50:03 |
version 1.4, 2023/03/16 08:49:53 |
|
|
<li>... |
<li>... |
</ul> |
</ul> |
|
|
<li>LibreSSL version 3.6.0 |
<li>LibreSSL version 3.7.2 |
<ul> |
<ul> |
<li>New features |
<li>New features |
<ul> |
<ul> |
<li>... |
<li>Added Ed25519 support both as a primitive and via OpenSSL's EVP interfaces. |
|
<li>X25519 is now also supported via EVP. |
|
<li>The OpenSSL 1.1 raw public and private key API is available with support for |
|
EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519. Poly1305 is not |
|
currently supported via this interface. |
|
<li>Added EVP_CIPHER_meth_*() setter API. |
|
<li>Added various X.509 accessor functions. |
</ul> |
</ul> |
|
|
<li>Compatibility changes |
<li>Compatibility changes |
<ul> |
<ul> |
<li>... |
<li>BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in |
|
various corner cases. |
</ul> |
</ul> |
|
|
<li>Bug fixes |
<li>Bug fixes |
<ul> |
<ul> |
<li>... |
<li>Added EVP_chacha20_poly1305() to the list of all ciphers. |
|
<li>Fixed potential leaks of EVP_PKEY in various printing functions |
|
<li>Fixed potential leak in OBJ_NAME_add(). |
|
<li>Avoid signed overflow in i2c_ASN1_BIT_STRING(). |
|
<li>Cleaned up EVP_PKEY_ASN1_METHOD related tables and code. |
|
<li>Fixed long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod(). |
|
<li>Fixed segfaults in BN_{dec,hex}2bn(). |
|
<li>Fixed NULL dereference in x509_constraints_uri_host() reachable only |
|
in the process of generating certificates. |
|
<li>Fixed a variety of memory corruption issues in BIO chains coming |
|
from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next(). |
|
<li>Avoid potential divide by zero in BIO_dump_indent_cb() |
|
<li>Fixed a memory leak, a double free and various other issues in |
|
BIO_new_NDEF(). |
|
<li>Fixed various crashes in the openssl(1) testing utility. |
|
<li>Do not check policies by default in the new X.509 verifier. |
|
<li>Avoid crash with ASN.1 BOOLEANS in openssl(1) asn1parse. |
|
<li>Added missing error checking in PKCS7. |
|
<li>Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup(). |
</ul> |
</ul> |
|
|
|
<li>Documentation improvements |
|
<ul> |
|
<li>Numerous improvements and additions for ASN.1, BIO, BN, and X.509. |
|
<li>The BN documentation is now considered to be complete. |
|
<li>Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3), |
|
BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented. |
|
<li>Documented various BIO_* interfaces. |
|
<li>Documented ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3). |
|
<li>Documented EVP_PKEY raw private/public key interfaces. |
|
<li>Documented ASN1_buf_print(3). |
|
<li>Documented DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_* and RSA_get0_*. |
|
<li>Merged documentation of UI_null() from OpenSSL 1.1 |
|
<li>Various spelling and other documentation improvements. |
|
</ul> |
|
|
<li>Internal improvements |
<li>Internal improvements |
<ul> |
<ul> |
<li>... |
<li>Remove dependency on system timegm() and gmtime() by replacing |
|
traditional Julian date conversion with POSIX epoch-seconds date |
|
conversion from BoringSSL. |
|
<li>Removed old and unused BN code dealing with primes. |
|
<li>Started rewriting name constraints code using CBS. |
|
<li>Removed support for the HMAC PRIVATE KEY. |
|
<li>Reworked DSA signing and verifying internals. |
|
<li>Rewrote the TLSv1.2 key exporter. |
|
<li>Cleaned up and refactored various aspects of the legacy TLS stack. |
|
<li>Initial overhaul of the BIGNUM code: |
|
<li>Added a new framework that allows architecture-dependent |
|
replacement implementations for bignum primitives. |
|
<li>Imported various s2n-bignum's constant time assembly primitives |
|
and switched amd64 to them. |
|
<li>Lots of cleanup, simplification and bug fixes. |
|
<li>Changed Perl assembly generators to move constants into .rodata, |
|
allowing code to run with execute-only permissions. |
|
<li>Capped the number of iterations in DSA and ECDSA signing (avoiding |
|
infinite loops), added additional sanity checks to DSA. |
|
<li>ASN.1 parsing improvements. |
|
<li>Cleanup and improvements in EC code, including always clearing EC |
|
groups and points on free. |
|
<li>Various openssl(1) improvements. |
|
<li>Various nc(1) improvements. |
</ul> |
</ul> |
|
|
|
<li>Security fixes |
|
<ul> |
|
<li>A malicious certificate revocation list or timestamp response token |
|
would allow an attacker to read arbitrary memory. |
|
</ul> |
</ul> |
</ul> |
|
|
<li>OpenSSH XXX.YYY |
<li>OpenSSH XXX.YYY |
|
|
</ul> |
</ul> |
|
|
<p>Some highlights: |
<p>Some highlights: |
<ul style="column-count: 3"><!--- XXX all need to be checked/updated 2023-03-04 ---> |
<ul style="column-count: 3"><!-- XXX all need to be checked/updated 2023-03-04 --> |
<li>Asterisk 16.28.0, 18.14.0 and 19.6.0 |
<li>Asterisk 16.28.0, 18.14.0 and 19.6.0 |
<li>Audacity 2.4.2 |
<li>Audacity 2.4.2 |
<li>CMake 3.24.2 |
<li>CMake 3.24.2 |
|
|
<li>As usual, steady improvements in manual pages and other documentation. |
<li>As usual, steady improvements in manual pages and other documentation. |
|
|
<li>The system includes the following major components from outside suppliers: |
<li>The system includes the following major components from outside suppliers: |
<ul><!--- XXX all need to be checked/updated 2023-03-04 ---> |
<ul><!-- XXX all need to be checked/updated 2023-03-04 --> |
<li>Xenocara (based on X.Org 7.7 with xserver 21.1.4 + patches, |
<li>Xenocara (based on X.Org 7.7 with xserver 21.1.4 + patches, |
freetype 2.12.1, fontconfig 2.13.94, Mesa 22.1.7, xterm 372, |
freetype 2.12.1, fontconfig 2.13.94, Mesa 22.1.7, xterm 372, |
xkeyboard-config 2.20, fonttosfnt 1.2.2 and more) |
xkeyboard-config 2.20, fonttosfnt 1.2.2 and more) |