author: Brent Cook <bcook@openbsd.org> 2015-03-02 20:47:26 -0600
committer: Brent Cook <bcook@openbsd.org> 2015-03-02 20:47:26 -0600
commit: 3b3a290b73547ae36649b088759b202cc0b698cd (patch)
tree: e7267dd04ee7393a6e6cc6c7f83d358e9ad235ba
parent: 3cb34ee99f9be3e866ca63110fec90bc104fe800 (diff)
download: portable-3b3a290b73547ae36649b088759b202cc0b698cd.tar.gz
portable-3b3a290b73547ae36649b088759b202cc0b698cd.tar.bz2
portable-3b3a290b73547ae36649b088759b202cc0b698cd.zip
update changelog with security updates
-rw-r--r--  ChangeLog  40
1 files changed, 33 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 268f074..bcb038b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,16 +30,15 @@ LibreSSL Portable Release Notes:
30 30
312.1.4 - Security and feature updates 312.1.4 - Security and feature updates
32 * Improvements to libtls: 32 * Improvements to libtls:
33 33 - a new API for loading CA chains directly from memory instead of a
34 * a new API for loading CA chains directly from memory instead of a
35 file, allowing verification with privilege separation in a chroot 34 file, allowing verification with privilege separation in a chroot
36 without direct access to CA certificate files. 35 without direct access to CA certificate files.
37 36
38 * Ciphers default to TLSv1.2 with AEAD and PFS. 37 - Ciphers default to TLSv1.2 with AEAD and PFS.
39 38
40 * Improved error handling and message generation 39 - Improved error handling and message generation
41 40
42 * New APIs and improved documentation 41 - New APIs and improved documentation
43 42
44 * Added X509_STORE_load_mem API for loading certificates from memory. 43 * Added X509_STORE_load_mem API for loading certificates from memory.
45 This facilitates accessing certificates from a chrooted environment. 44 This facilitates accessing certificates from a chrooted environment.
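Review bot: the spacing of the nested list under "Improvements to libtls:" is inconsistent after this change: the first "-" sub-item (new line 33) follows the heading directly, while the other three sub-items (new lines 37, 39, 41) are each separated by a blank line (new lines 36, 38, 40). Either drop those blank lines or add one after line 32 so the nested list reads uniformly. The switch from "*" to "-" for the sub-items itself is right, since it leaves "*" for top-level entries such as "Added X509_STORE_load_mem API" at line 43.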
@@ -62,11 +61,38 @@ LibreSSL Portable Release Notes:
62 61
63 * Support for building with OPENSSL_NO_DEPRECATED 62 * Support for building with OPENSSL_NO_DEPRECATED
64 63
65 * Dozens of issues found with the Coverity scanner fixed.
66
67 * Server-side support for TLS_FALLBACK_SCSV for compatibility with 64 * Server-side support for TLS_FALLBACK_SCSV for compatibility with
68 various auditor and vulnerability scanners. 65 various auditor and vulnerability scanners.
69 66
67 * Dozens of issues found with the Coverity scanner fixed.
68
69 * Security Updates:
70
71 - Fix a minor information leak that was introduced in t1_lib.c
72 r1.71, whereby an additional 28 bytes of .rodata (or .data) is
73 provided to the network. In most cases this is a non-issue since
74 the memory content is already public. Issue found and reported by
75 Felix Groebert of the Google Security Team.
76
77 - Fixes for the following low-severity issues were integrated into
78 LibreSSL from OpenSSL 1.0.1k:
79
80 CVE-2015-0205 - DH client certificates accepted without
81 verification
82 CVE-2014-3570 - Bignum squaring may produce incorrect results
83 CVE-2014-8275 - Certificate fingerprints can be modified
84 CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
85 Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
86
87 The following CVEs were fixed in earlier LibreSSL releases:
88 CVE-2015-0206 - Memory leak handling repeated DLTS records
89 CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
90
91 The following CVEs did not apply to LibreSSL:
92 CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
93 CVE-2014-3569 - no-ssl3 configuration sets method to NULL
94 CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
95
702.1.3 - Security update and OS support improvements 962.1.3 - Security update and OS support improvements
71 * Fixed various memory leaks in DTLS, including fixes for 97 * Fixed various memory leaks in DTLS, including fixes for
72 CVE-2015-0206. 98 CVE-2015-0206.
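Review bot: new line 88 has a typo: "Memory leak handling repeated DLTS records" should read "DTLS records", as the neighbouring entry at line 89 and the 2.1.3 note at lines 97-98 (which describes the same CVE-2015-0206 fix as DTLS memory leaks) confirm. Two smaller points in the same block: line 89 ends with a period while no other CVE entry in the list does, and the credit at line 85 ("Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.") sits directly beneath CVE-2014-3572, so it is unclear whether it applies to that entry only or to the whole group of four integrated fixes; indenting it under the entry, or stating which finding it credits, would remove the ambiguity. Moving the Coverity item from old lines 65-66 to new lines 67-68 is a pure reorder and reads fine.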