From 87441bdbceeceb8eebc8d8b4d7211c890248c0c7 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 15 Apr 2022 18:03:35 +0200 Subject: LibreSSL 3.5.2 ChangeLog --- ChangeLog | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index b58f52d..486b6c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,49 @@ history is also available from Git. LibreSSL Portable Release Notes: +3.5.2 - Stable release + + * Bug fixes + - Fix NULL dereferences in openssl(1) cms option parsing. + - Do not zero the computed cofactor on ec_guess_cofactor() success. + - Bound cofactor in EC_GROUP_set_generator() to reduce the number of + bogus groups that can be described with nonsensical parameters. + - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low + memory conditions. Reported for HMAC by Masaru Masuda. + - Plug leak in ASN1_TIME_adj_internal(). + - Avoid infinite loop for custom curves of order 1. + Issue reported by Hanno Boeck, comments by David Benjamin. + - Avoid an infinite loop on parsing DSA private keys by validating + that the provided parameters conform to FIPS 186-4. + Issue reported by Hanno Boeck, comments by David Benjamin. + * Internal improvements + - Suppress various compiler warnings for old gcc versions. + - Rework ASN1_STRING_set(). + - Remove const from tls1_transcript_hash_value(). + - Clean up and simplify ssl3_renegotiate{,_check}(). + - Rewrite legacy TLS and DTLS unexpected handshake message handling. + - Simplify SSL_do_handshake(). + - Rewrite ASCII/text to ASN.1 object conversion. + - Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj(). + - Split armv7 and aarch64 code into separate locations. + - Rewrote openssl(1) ts to use the new option handling and cleaned + up the C code. + - Provide asn1_get_primitive(). + - Convert {c2i,d2i}_ASN1_OBJECT() to CBS. + - Remove the minimum record length checks from dtls1_read_bytes(). + - Clean up {dtls1,ssl3}_read_bytes(). + - Be more careful with embedded and terminating NULs in the new + name constraints code. + - Check EVP_Digest* return codes in openssl(1) ts + - Various minor code cleanup in openssl(1) pkcs12 + - Use calloc() in pkey_hmac_init(). + - Simplify priv_key handling in d2i_ECPrivateKey(). + * Documentation improvements + - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after + refactoring and bug fixes. + - Fixed numerous minor grammar, spelling, wording, and punctuation + issues. + 3.5.1 - Security release * A malicious certificate can cause an infinite loop. -- cgit v1.2.3-55-g6feb From ac053c8453d0ae1e16a15f435dbd4d3169ebbae8 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 15 Apr 2022 18:34:43 +0200 Subject: add a few more things --- ChangeLog | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 486b6c1..c739281 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,10 @@ LibreSSL Portable Release Notes: 3.5.2 - Stable release * Bug fixes + - Avoid single byte overread in asn1_parse2(). + - Allow name constraints with a leading dot. From Alex Wilson. + - Relax a check in x509_constraints_dirname() to allow prefixes. + From Alex Wilson. - Fix NULL dereferences in openssl(1) cms option parsing. - Do not zero the computed cofactor on ec_guess_cofactor() success. - Bound cofactor in EC_GROUP_set_generator() to reduce the number of @@ -43,8 +47,17 @@ LibreSSL Portable Release Notes: - Avoid an infinite loop on parsing DSA private keys by validating that the provided parameters conform to FIPS 186-4. Issue reported by Hanno Boeck, comments by David Benjamin. + * Compatibility improvements + - Allow non-standard name constraints of the form @domain.com. * Internal improvements + - Limit OID text conversion to 64 bits per arc. + - Clean up and simplify memory BIO code. + - Reduce number of memmove() calls in memory BIOs. + - Factor out alert handling code in the legacy stack. + - Add sanity checks on p and q in old_dsa_priv_decode() + - Cache the SHA-512 hash instead of the SHA-1 for CRLs. - Suppress various compiler warnings for old gcc versions. + - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i(). - Rework ASN1_STRING_set(). - Remove const from tls1_transcript_hash_value(). - Clean up and simplify ssl3_renegotiate{,_check}(). -- cgit v1.2.3-55-g6feb From 4458b705f4acf9265a346403f3da3cbd8afaa21a Mon Sep 17 00:00:00 2001 From: kinichiro Date: Sat, 16 Apr 2022 20:55:27 +0900 Subject: Update ChangeLog --- ChangeLog | 1 + 1 file changed, 1 insertion(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index c739281..e4dc7ad 100644 --- a/ChangeLog +++ b/ChangeLog @@ -58,6 +58,7 @@ LibreSSL Portable Release Notes: - Cache the SHA-512 hash instead of the SHA-1 for CRLs. - Suppress various compiler warnings for old gcc versions. - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i(). + - Rework ownership handling in x509_constraints_validate(). - Rework ASN1_STRING_set(). - Remove const from tls1_transcript_hash_value(). - Clean up and simplify ssl3_renegotiate{,_check}(). -- cgit v1.2.3-55-g6feb