===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.6
retrieving revision 1.7
diff -c -r1.6 -r1.7
*** www/74.html 2023/10/04 05:51:39 1.6
--- www/74.html 2023/10/04 08:42:20 1.7
***************
*** 174,200 ****
...
! LibreSSL version X.X.X
- New features
-
- Compatibility changes
!
- Bug fixes
!
!
- Internal improvements
OpenSSH XXX.YYY
--- 174,342 ----
...
! LibreSSL version 3.8.2
+ - Security fixes
+
+ - Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
+ be selected for use.
+
- BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than
+ 32 kbits for primality. This mitigates various DoS vectors.
+
- Restricted the RFC 3779 code to IPv4 and IPv6. It was not written
+ to be able to deal with anything else.
+
+ - Portable changes
+
+ - Extended the endian.h compat header with hto* and *toh macros.
+
- Adapted more tests to the portable framework.
+
- Internal tools are now statically linked.
+
- Applications bundled as part of the LibreSSL package internally,
+ nc(1) and openssl(1), now are linked statically if static libraries
+ are built.
+
- Internal compatibility function symbols are no longer exported from
+ libcrypto. Instead, the libcompat library is linked to libcrypto,
+ libssl, and libtls separately. This increases size a little, but
+ ensures that the libraries are not exporting symbols to programs
+ unintentionally.
+
- Selective removal of CET implementation on platforms where it is
+ not supported (macOS).
+
- Integrated four more tests.
+
- Added Windows ARM64 architecture to tested platforms.
+
- Removed Solaris 10 support, fixed Solaris 11.
+
- libtls no longer links statically to libcrypto / libssl unless
+
--enable-libtls-only
is specified at configure time.
+ - Improved Windows compatibility library, namely handling of files vs
+ sockets, correcting an exception when operating on a closed socket.
+
- CMake builds no longer hardcode
-O2
into the compiler flags,
+ instead using flags from the CMake build type instead.
+ - Set the CMake default build type to
Release
. This can be overridden
+ during configuration.
+ - Fixed broken ASM support with MinGW builds.
+
- New features
! - Added support for truncated SHA-2 and for SHA-3.
!
- The BPSW primality test performs additional Miller-Rabin rounds
! with random bases to reduce the likelihood of composites passing.
!
- Allow testing of ciphers and digests using badly aligned buffers
! in openssl speed using -unalign.
!
- Ed25519 certificates are now supported in openssl(1) ca and req.
! Prepared Ed25519 support in libssl.
!
- Add branch target information (BTI) support to amd64 and arm64
! assembly.
- Compatibility changes
! - Added a workaround for a poorly thought-out change in OpenSSL 3 that
! broke privilege separation support in libtls.
!
- Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
!
- Removed GF2m support: BIGNUM no longer supports binary extension
! field arithmetic and all binary elliptic builtin curves were removed.
!
- Removed dangerous, "fast" NIST prime and elliptic curve implementations.
! In particular, EC_GFp_nist_method() is no longer available.
!
- Removed most public symbols that were deprecated in OpenSSL 0.9.8.
!
- Removed the public X9.31 API (RSA_X931_PADDING is still available).
!
- Removed Cipher Text Stealing mode.
! openssl(1) nseq command.
!
- Removed ENGINE support, including ECDH_METHOD and ECDSA_METHOD.
!
- Removed COMP, DSO, dynamic loading of conf modules and support for
! custom ex_data and error stacks.
!
- Removed proxy certificate (RFC 3820) support.
!
- Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the
!
- ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
! of this, some stub functions are provided to avoid patching some
! applications that do not honor OPENSSL_NO_ENGINE.
!
- The POLICY_TREE and its related structures and API were removed.
!
- In X509_VERIFY_PARAM_inherit() copy hostflags independently of the
! host list.
!
- Made CRYPTO_get_ex_new_index() not return 0 to allow applications
! to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
! each other.
!
- X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain
! valid UTF-8 without embedded NUL.
!
- The explicitText user notice uses UTF8String instead of VisibleString
! to reduce the risk of emitting certificates with invalid DER-encoding.
!
- Initial fixes for RSA-PSS support to make the TLSv1.3 stack more
! compliant with RFC 8446.
!
- Fixed EVP_CIPHER_CTX_iv_length() to return what was set with
! EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
! - Internal improvements
!
! - Improved sieve of Eratosthenes script used for generating a table
! of small primes.
!
- Removed incomplete and dangerous BN_RECURSION code.
!
- Imported RFC 5280 policy checking code from BoringSSL and used it
! to replace the old exponential time code.
!
- Converted more of libcrypto to use CBB/CBS.
!
- Started cleaning up and rewriting SHA internals.
!
- Reduced the dependency of hash implementations on many layers of
! macros. This results in significant speedups since modern compilers
! are now less confused.
!
- Improved BIGNUM internals and performance.
!
- Significantly simplified the BN_BLINDING internals used in RSA.
!
- Made BN_num_bits() independent of bn->top.
!
- Rewrote and simplified bn_sqr().
!
- Significantly improved Montgomery multiplication performance.
!
- Rewrote and improved BN_exp() and BN_copy().
!
- Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with
! Ed25519 and fixed a few bugs in there.
!
- Lots of cleanup for DH, DSA, EC, RSA internals. Plugged numerous
! memory leaks, fixed logic errors and inconsistencies.
!
- Cleaned up and simplified various ECDH and ECDSA internals.
!
- Removed EC_GROUP precomp machinery.
!
- Fixed various issues with EVP_PKEY_CTX_{new,dup}().
!
- Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
!
- Improved X.509 certificate version checks.
!
- Ensure no X.509v3 extensions appear more than once in certificates.
!
- Replaced ASN1_bn_print with a cleaner internal implementation.
!
- Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
!
- Improved checks for commonName in libtls.
!
- Fixed error check for X509_get_ext_d2i() failure in libtls.
!
- Removed code guarded by #ifdef ZLIB.
!
- Plug a potential memory leak in ASN1_TIME_normalize().
!
- Fixed a use of uninitialized in i2r_IPAddrBlocks().
!
- Rewrote CMS_SignerInfo_{sign,verify}().
!
- Bug fixes
! - Correctly handle negative input to various BIGNUM functions.
!
- Ensure ERR_load_ERR_strings() does not set errno unexpectedly.
!
- Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
!
- Fixed aliasing issue in BN_mod_inverse().
!
- Fixed detection of extended operations (XOP) on AMD hardware.
!
- Ensure Montgomery exponentiation is used for the initial RSA blinding.
!
- Policy is always checked in X509 validation. Critical policy extensions
! are no longer silently ignored.
!
- Fixed error handling in tls_check_common_name().
!
- Add missing pointer invalidation in SSL_free().
!
- Fixed X509err() and X509V3err() and their internal versions.
!
- Ensure that OBJ_obj2txt() always returns a C string again.
!
- Fixed aliasing issue in BN_mod_inverse().
!
- Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
!
- On socket errors in the poll loop, netcat could issue system calls
! on invalidated file descriptors.
!
- Allow IP addresses to be specified in a URI.
!
- Fixed a copy-paste error in ASN1_TIME_compare() that could lead
! to two UTCTimes or two GeneralizedTimes incorrectly being compared
! as equal.
! - Documentation improvements
! - Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3),
! BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3).
!
- Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally
! undocumented.
!
- Made it very explicit that the verify callback should not be used.
!
- Called out that the CRL lastUpdate is standardized as thisUpdate.
!
- Documented the RFC 3779 API and its shortcomings.
+ - Testing and Proactive Security
+
+ - Significantly improved test coverage of BN_mod_sqrt() and GCD.
+
- As always, new test coverage is added as bugs are fixed and subsystems
+ are cleaned up.
+
OpenSSH XXX.YYY
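Review bot: the new Bug fixes list carries "Fixed aliasing issue in BN_mod_inverse()." twice, once after the i2d_ECDSA_SIG() item and again after the OBJ_obj2txt() item; drop the second copy. Under Compatibility changes, ENGINE removal is likewise described by two separate items ("Removed ENGINE support, including ECDH_METHOD and ECDSA_METHOD." and "ENGINE support was removed and OPENSSL_NO_ENGINE is set."), which would read better merged into one entry that also mentions the stub functions. In the same list the SXNET and NETSCAPE_CERT_SEQUENCE item ends at "including the" while "openssl(1) nseq command." appears under the Cipher Text Stealing item, so check that the nseq text lands in the intended list item in the rendered page. Two wording nits: the CMake item says "instead using flags from the CMake build type instead" (one "instead" too many), and "Fixed a use of uninitialized in i2r_IPAddrBlocks()" is missing its noun.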
***************
*** 234,240 ****
Some highlights:
!
- Asterisk 16.30.1, 18.19.0 and 20.4.0
- Audacity 3.3.3
- CMake 3.27.5
--- 376,382 ----
Some highlights:
!
- Asterisk 16.30.1, 18.19.0 and 20.4.0
- Audacity 3.3.3
- CMake 3.27.5
***************
*** 282,288 ****
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
!
- Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches,
freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378,
xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
--- 424,430 ----
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
!
- Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches,
freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378,
xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)