=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v retrieving revision 1.6 retrieving revision 1.7 diff -c -r1.6 -r1.7 *** www/74.html 2023/10/04 05:51:39 1.6 --- www/74.html 2023/10/04 08:42:20 1.7 *************** *** 174,200 ****

... !

LibreSSL version X.X.X

New features
- ...
-
Compatibility changes
- ...
!
Bug fixes
- ...
! !
Internal improvements
- ...

OpenSSH XXX.YYY --- 174,342 ----

... !

LibreSSL version 3.8.2

Security fixes +
- Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer + be selected for use. +
- BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than + 32 kbits for primality. This mitigates various DoS vectors. +
- Restricted the RFC 3779 code to IPv4 and IPv6. It was not written + to be able to deal with anything else. +
+
Portable changes +
- Extended the endian.h compat header with hto* and *toh macros. +
- Adapted more tests to the portable framework. +
- Internal tools are now statically linked. +
- Applications bundled as part of the LibreSSL package internally, + nc(1) and openssl(1), now are linked statically if static libraries + are built. +
- Internal compatibility function symbols are no longer exported from + libcrypto. Instead, the libcompat library is linked to libcrypto, + libssl, and libtls separately. This increases size a little, but + ensures that the libraries are not exporting symbols to programs + unintentionally. +
- Selective removal of CET implementation on platforms where it is + not supported (macOS). +
- Integrated four more tests. +
- Added Windows ARM64 architecture to tested platforms. +
- Removed Solaris 10 support, fixed Solaris 11. +
- libtls no longer links statically to libcrypto / libssl unless + --enable-libtls-only is specified at configure time. +
- Improved Windows compatibility library, namely handling of files vs + sockets, correcting an exception when operating on a closed socket. +
- CMake builds no longer hardcode -O2 into the compiler flags, + instead using flags from the CMake build type instead. +
- Set the CMake default build type to Release. This can be overridden + during configuration. +
- Fixed broken ASM support with MinGW builds. +
New features
- Added support for truncated SHA-2 and for SHA-3. !
- The BPSW primality test performs additional Miller-Rabin rounds ! with random bases to reduce the likelihood of composites passing. !
- Allow testing of ciphers and digests using badly aligned buffers ! in openssl speed using -unalign. !
- Ed25519 certificates are now supported in openssl(1) ca and req. ! Prepared Ed25519 support in libssl. !
- Add branch target information (BTI) support to amd64 and arm64 ! assembly.
Compatibility changes
- Added a workaround for a poorly thought-out change in OpenSSL 3 that ! broke privilege separation support in libtls. !
- Moved libtls from ECDSA_METHOD to EC_KEY_METHOD. !
- Removed GF2m support: BIGNUM no longer supports binary extension ! field arithmetic and all binary elliptic builtin curves were removed. !
- Removed dangerous, "fast" NIST prime and elliptic curve implementations. ! In particular, EC_GFp_nist_method() is no longer available. !
- Removed most public symbols that were deprecated in OpenSSL 0.9.8. !
- Removed the public X9.31 API (RSA_X931_PADDING is still available). !
- Removed Cipher Text Stealing mode. ! openssl(1) nseq command. !
- Removed ENGINE support, including ECDH_METHOD and ECDSA_METHOD. !
- Removed COMP, DSO, dynamic loading of conf modules and support for ! custom ex_data and error stacks. !
- Removed proxy certificate (RFC 3820) support. !
- Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the !
- ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite ! of this, some stub functions are provided to avoid patching some ! applications that do not honor OPENSSL_NO_ENGINE. !
- The POLICY_TREE and its related structures and API were removed. !
- In X509_VERIFY_PARAM_inherit() copy hostflags independently of the ! host list. !
- Made CRYPTO_get_ex_new_index() not return 0 to allow applications ! to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside ! each other. !
- X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain ! valid UTF-8 without embedded NUL. !
- The explicitText user notice uses UTF8String instead of VisibleString ! to reduce the risk of emitting certificates with invalid DER-encoding. !
- Initial fixes for RSA-PSS support to make the TLSv1.3 stack more ! compliant with RFC 8446. !
- Fixed EVP_CIPHER_CTX_iv_length() to return what was set with ! EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
!
Internal improvements !
- Improved sieve of Eratosthenes script used for generating a table ! of small primes. !
- Removed incomplete and dangerous BN_RECURSION code. !
- Imported RFC 5280 policy checking code from BoringSSL and used it ! to replace the old exponential time code. !
- Converted more of libcrypto to use CBB/CBS. !
- Started cleaning up and rewriting SHA internals. !
- Reduced the dependency of hash implementations on many layers of ! macros. This results in significant speedups since modern compilers ! are now less confused. !
- Improved BIGNUM internals and performance. !
- Significantly simplified the BN_BLINDING internals used in RSA. !
- Made BN_num_bits() independent of bn->top. !
- Rewrote and simplified bn_sqr(). !
- Significantly improved Montgomery multiplication performance. !
- Rewrote and improved BN_exp() and BN_copy(). !
- Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with ! Ed25519 and fixed a few bugs in there. !
- Lots of cleanup for DH, DSA, EC, RSA internals. Plugged numerous ! memory leaks, fixed logic errors and inconsistencies. !
- Cleaned up and simplified various ECDH and ECDSA internals. !
- Removed EC_GROUP precomp machinery. !
- Fixed various issues with EVP_PKEY_CTX_{new,dup}(). !
- Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs(). !
- Improved X.509 certificate version checks. !
- Ensure no X.509v3 extensions appear more than once in certificates. !
- Replaced ASN1_bn_print with a cleaner internal implementation. !
- Fix OPENSSL_cpuid_setup() invocations on arm/aarch64. !
- Improved checks for commonName in libtls. !
- Fixed error check for X509_get_ext_d2i() failure in libtls. !
- Removed code guarded by #ifdef ZLIB. !
- Plug a potential memory leak in ASN1_TIME_normalize(). !
- Fixed a use of uninitialized in i2r_IPAddrBlocks(). !
- Rewrote CMS_SignerInfo_{sign,verify}(). !
Bug fixes
- Correctly handle negative input to various BIGNUM functions. !
- Ensure ERR_load_ERR_strings() does not set errno unexpectedly. !
- Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign(). !
- Fixed aliasing issue in BN_mod_inverse(). !
- Fixed detection of extended operations (XOP) on AMD hardware. !
- Ensure Montgomery exponentiation is used for the initial RSA blinding. !
- Policy is always checked in X509 validation. Critical policy extensions ! are no longer silently ignored. !
- Fixed error handling in tls_check_common_name(). !
- Add missing pointer invalidation in SSL_free(). !
- Fixed X509err() and X509V3err() and their internal versions. !
- Ensure that OBJ_obj2txt() always returns a C string again. !
- Fixed aliasing issue in BN_mod_inverse(). !
- Made EVP_PKEY_set1_hkdf_key() fail on a NULL key. !
- On socket errors in the poll loop, netcat could issue system calls ! on invalidated file descriptors. !
- Allow IP addresses to be specified in a URI. !
- Fixed a copy-paste error in ASN1_TIME_compare() that could lead ! to two UTCTimes or two GeneralizedTimes incorrectly being compared ! as equal.
!
Documentation improvements
- Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3), ! BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3). !
- Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally ! undocumented. !
- Made it very explicit that the verify callback should not be used. !
- Called out that the CRL lastUpdate is standardized as thisUpdate. !
- Documented the RFC 3779 API and its shortcomings.
+
Testing and Proactive Security +
- Significantly improved test coverage of BN_mod_sqrt() and GCD. +
- As always, new test coverage is added as bugs are fixed and subsystems + are cleaned up. +

OpenSSH XXX.YYY *************** *** 234,240 ****

Some highlights: !

Asterisk 16.30.1, 18.19.0 and 20.4.0
Audacity 3.3.3
CMake 3.27.5 --- 376,382 ----

Some highlights: !

Asterisk 16.30.1, 18.19.0 and 20.4.0
Audacity 3.3.3
CMake 3.27.5 *************** *** 282,288 ****
As usual, steady improvements in manual pages and other documentation.
The system includes the following major components from outside suppliers: !
- Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches, freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378, xkeyboard-config 2.20, fonttosfnt 1.2.2 and more) --- 424,430 ----
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers: !
  - Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches, freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378, xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)