===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/75.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -c -r1.2 -r1.3
*** www/75.html 2024/03/03 20:55:54 1.2
--- www/75.html 2024/03/09 17:50:13 1.3
***************
*** 230,268 ****
...
! LibreSSL version 3.8.x
! - Security fixes
!
- Portable changes
!
- New features
!
- Compatibility changes
!
- Internal improvements
- Bug fixes
!
- Documentation improvements
!
!
- Testing and Proactive Security
!
--- 230,337 ----
...
! LibreSSL version 3.9.0
! - Portable changes
! - libcrypto no longer exports compat symbols in cmake builds.
!
- Most compatibility symbols are prefixed with
libressl_
! to avoid symbol clashes in static links.
! - Fixed various warnings on Windows.
!
- Removed assert pop-ups with Windows debug builds.
!
- Fixed crashes and hangs in Windows ARM64 builds.
!
- Improved control-flow enforcement (CET) support.
! - Internal improvements
! - Converted uses of
OBJ_bsearch_()
to standard
! bsearch(3).
! - Greatly simplified
by_file_ctrl()
.
! - Simplified and cleaned up the OBJ_ API.
!
- Cleaned up the EVP_Cipher{Init,Update,Final}(3) implementations.
!
- Removed unused function pointers from X.509 stores and contexts.
!
- A lot of cleanup and reorganization in EVP.
!
- Removed all remaining
ENGINE
tentacles.
! - Simplified internals of
X509_TRUST
handling.
! - Made deletion from a lhash
! doall callback safe.
!
- Rewrote BIO_dump*(3) internals
! to be less bad.
! - Documentation improvements
! ENGINE
documentation was updated to reflect reality.
! - Made EVP API documentation more accurate and less incoherent.
!
- Call out some shortcomings of the
EC_KEY_set_*
API explicitly.
! - Testing and proactive security
! - Bug fixes and simplifications in the Wycheproof tests.
! - Compatibility changes
! - Added ChaCha20 and chacha20 aliases for ChaCha.
!
- SSL_library_init(3)
! now has the same effect as OPENSSL_init_ssl().
!
EVP_add_{cipher,digest}()
were removed. From the OBJ_NAME
API,
! only OBJ_NAME_do_all*() remain.
! In particular, it is no longer possible to add aliases for ciphers and digests.
! - The thread unsafe global tables are no longer supported. It is no
! longer possible to add aliases for ciphers and digests, custom ASN.1
! strings table entries, ASN.1 methods, PKEY methods, digest methods,
! CRL methods, purpose and trust identifiers, or X.509 extensions.
!
- Removed the _cb() and _fp() versions of
! BIO_dump{,_indent}().
!
BIO_set()
was removed.
! BIO_{sn,v,vsn}printf()
were removed.
! - Turn the long dysfunctional
! openssl(1)
!
s_client -pause
into a noop.
! - openssl(1)
x509
! now supports -new
, -force_pubkey
, -multivalue-rdn
,
! -set_issuer
-set_subject
, and -utf8
.
! - Support ECDSA with SHA-3 signature algorithms.
!
- Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
!
- GOST and STREEBOG support was removed.
!
CRYPTO_THREADID
, _LHASH
, _STACK
and
! X509_PURPOSE
are now opaque, X509_CERT_AUX
and
! X509_TRUST
were removed from the public API.
! - ASN1_STRING_TABLE_get(3)
! and X509_PURPOSE_get0*(3) now
! return const pointers.
!
EVP_{CIPHER,MD}_CTX_init()
's signatures and semantics now match
! OpenSSL's behavior.
! sk_find_ex()
and OBJ_bsearch_()
were removed.
! - CRYPTO_malloc(3) was fixed to use
!
size_t
argument. CRYPTO_malloc()
! and CRYPTO_free()
now accept file and line arguments.
! - A lot of decrepit CRYPTO memory API was removed.
- Bug fixes
! - Fixed aliasing issues in
BN_mod_exp_simple()
and BN_mod_exp_recp()
.
! - Fixed numerous misuses of
! X509_ALGOR_set0(3)
! resulting in leaks and potentially incorrect encodings.
!
- Fixed potential double free in
! X509v3_asid_add_id_or_range(3).
!
- Stopped using
ASN1_time_parse()
outside of libcrypto.
! - Prepared OPENSSL_gmtime(3) and
! OPENSSL_timegm(3) as public API
! wrappers of internal functions compatible with BoringSSL API.
!
- Removed
print_bin()
to avoid overwriting the stack with 5 bytes
! of " "
when ECPK parameters are printed with large
! indentation.
! - Avoid a
NULL
dereference after memory allocation failure during TLS
! version downgrade.
! - Fixed various bugs in CMAC internals.
!
- Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
!
- Fixed various NULL dereferences in PKCS #12 code due to mishandling
! of OPTIONAL content in PKCS #7 ContentInfo.
!
- Aligned SSL_shutdown(3)
! behavior in TLSv1.3 with the legacy stack.
!
- Fixed the new X.509 verifier to find trust anchors in the trusted
! stack.