From 8fb8ecdf7e78afc6c22818e082bd236ec62a4bef Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 13 Jun 2018 11:40:32 -0500 Subject: update changelog --- ChangeLog | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index f853e4a..06e5999 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,18 +28,33 @@ history is also available from Git. LibreSSL Portable Release Notes: +2.7.4 - Security fixes + + * Avoid a timing side-channel leak when generating DSA and ECDSA + signatures. This is caused by an attempt to do fast modular + arithmetic, which introduces branches that leak information + regarding secret values. Issue identified and reported by Keegan + Ryan of NCC Group. + + * Reject excessively large primes in DH key generation. Problem + reported by Guido Vranken to OpenSSL + (https://github.com/openssl/openssl/pull/6457) and based on his + diff. + 2.7.3 - Bug fixes - * Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej Sury + * Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej + Sury * Fixed an issue normalizing CPU architecture in the configure script, which disabled assembly optimizations on platforms that get detected as 'amd64', opposed to 'x86_64' * Limited tls_config_clear_keys() to only clear private keys. - This was inadvertently clearing the keypair, which includes the OCSP staple - and pubkey hash - if an application called tls_configure() followed by - tls_config_clear_keys(), this would prevent OCSP staples from working. + This was inadvertently clearing the keypair, which includes the OCSP + staple and pubkey hash - if an application called tls_configure() + followed by tls_config_clear_keys(), this would prevent OCSP staples + from working. 2.7.2 - Stable release -- cgit v1.2.3-55-g6feb
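Review bot: The second bullet of the new 2.7.4 entry, "Reject excessively large primes in DH key generation", states neither the size limit now enforced nor what an oversized prime did before the fix, so a reader cannot tell from the release notes whether their use of DH is affected. Suggest adding the bound and the impact in one clause, the way the first bullet explains the cause of the DSA/ECDSA timing leak. The same hunk also re-wraps two 2.7.3 bullets (the DH_set0_key() and tls_config_clear_keys() items) without changing their wording, all under the subject "update changelog". Consider moving the reflow to its own commit, or naming the 2.7.4 security notes in the subject, so the security-relevant addition is easy to find in the log.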