diff options
| -rw-r--r-- | ChangeLog | 40 |
1 files changed, 33 insertions, 7 deletions
| @@ -30,16 +30,15 @@ LibreSSL Portable Release Notes: | |||
| 30 | 30 | ||
| 31 | 2.1.4 - Security and feature updates | 31 | 2.1.4 - Security and feature updates |
| 32 | * Improvements to libtls: | 32 | * Improvements to libtls: |
| 33 | 33 | - a new API for loading CA chains directly from memory instead of a | |
| 34 | * a new API for loading CA chains directly from memory instead of a | ||
| 35 | file, allowing verification with privilege separation in a chroot | 34 | file, allowing verification with privilege separation in a chroot |
| 36 | without direct access to CA certificate files. | 35 | without direct access to CA certificate files. |
| 37 | 36 | ||
| 38 | * Ciphers default to TLSv1.2 with AEAD and PFS. | 37 | - Ciphers default to TLSv1.2 with AEAD and PFS. |
| 39 | 38 | ||
| 40 | * Improved error handling and message generation | 39 | - Improved error handling and message generation |
| 41 | 40 | ||
| 42 | * New APIs and improved documentation | 41 | - New APIs and improved documentation |
| 43 | 42 | ||
| 44 | * Added X509_STORE_load_mem API for loading certificates from memory. | 43 | * Added X509_STORE_load_mem API for loading certificates from memory. |
| 45 | This facilitates accessing certificates from a chrooted environment. | 44 | This facilitates accessing certificates from a chrooted environment. |
| @@ -62,11 +61,38 @@ LibreSSL Portable Release Notes: | |||
| 62 | 61 | ||
| 63 | * Support for building with OPENSSL_NO_DEPRECATED | 62 | * Support for building with OPENSSL_NO_DEPRECATED |
| 64 | 63 | ||
| 65 | * Dozens of issues found with the Coverity scanner fixed. | ||
| 66 | |||
| 67 | * Server-side support for TLS_FALLBACK_SCSV for compatibility with | 64 | * Server-side support for TLS_FALLBACK_SCSV for compatibility with |
| 68 | various auditor and vulnerability scanners. | 65 | various auditor and vulnerability scanners. |
| 69 | 66 | ||
| 67 | * Dozens of issues found with the Coverity scanner fixed. | ||
| 68 | |||
| 69 | * Security Updates: | ||
| 70 | |||
| 71 | - Fix a minor information leak that was introduced in t1_lib.c | ||
| 72 | r1.71, whereby an additional 28 bytes of .rodata (or .data) is | ||
| 73 | provided to the network. In most cases this is a non-issue since | ||
| 74 | the memory content is already public. Issue found and reported by | ||
| 75 | Felix Groebert of the Google Security Team. | ||
| 76 | |||
| 77 | - Fixes for the following low-severity issues were integrated into | ||
| 78 | LibreSSL from OpenSSL 1.0.1k: | ||
| 79 | |||
| 80 | CVE-2015-0205 - DH client certificates accepted without | ||
| 81 | verification | ||
| 82 | CVE-2014-3570 - Bignum squaring may produce incorrect results | ||
| 83 | CVE-2014-8275 - Certificate fingerprints can be modified | ||
| 84 | CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client] | ||
| 85 | Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA. | ||
| 86 | |||
| 87 | The following CVEs were fixed in earlier LibreSSL releases: | ||
| 88 | CVE-2015-0206 - Memory leak handling repeated DLTS records | ||
| 89 | CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites. | ||
| 90 | |||
| 91 | The following CVEs did not apply to LibreSSL: | ||
| 92 | CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record | ||
| 93 | CVE-2014-3569 - no-ssl3 configuration sets method to NULL | ||
| 94 | CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA | ||
| 95 | |||
| 70 | 2.1.3 - Security update and OS support improvements | 96 | 2.1.3 - Security update and OS support improvements |
| 71 | * Fixed various memory leaks in DTLS, including fixes for | 97 | * Fixed various memory leaks in DTLS, including fixes for |
| 72 | CVE-2015-0206. | 98 | CVE-2015-0206. |