LibreSSL 2.4.2 and 2.3.7 released

Mon, 01 Aug 2016 19:49:09 -0700 

We have released LibreSSL 2.4.2 and 2.3.7, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

LibreSSL 2.4.2 is based on the new OpenBSD 6.0 release branch, and is
now the current stable version. LibreSSL 2.3.7 is based on the previous
OpenBSD 5.9 release, and will be supported for one more release cycle.
LibreSSL 2.2.x support has now ended.

LibreSSL 2.4.2 and 2.3.7 contain the following changes:

    * Fixed several issues in the OCSP code that could result in the
      incorrect generation and parsing of OCSP requests. This remediates
      a lack of error checking on time parsing in these functions, and
      ensures that only GENERALIZEDTIME formats are accepted for OCSP,
      as per RFC 6960.

      Issues reported, and fixes provided by Kazuki Yamaguchi <k...@rhe.jp>
      and Kinichiro Inoguchi <kinichiro.inogu...@gmail.com>

LibreSSL 2.4.2 contains additional changes:

    * Fixed loading default certificate locations with openssl s_client.

    * Improved behavior of arc4random on Windows to not appear to leak
      memory in debug tools, reduced privileges of allocated memory.

    * Fixed incorrect results from BN_mod_word() when the modulus is too
      large, thanks to Brian Smith from BoringSSL.

    * Correctly handle an EOF prior to completing the TLS handshake in
      libtls.

    * Improved libtls ceritificate loading and cipher string validation.

    * Updated libtls cipher group suites into four categories:
        "secure"   (TLSv1.2+AEAD+PFS)
        "compat"   (HIGH:!aNULL)
        "legacy"   (HIGH:MEDIUM:!aNULL)
        "insecure" (ALL:!aNULL:!eNULL)
      This allows for flexibility and finer grained control, rather than
      having two extremes.

    * Limited support for 'backward compatible' SSLv2 handshake packets to
      when TLS 1.0 is enabled, providing more restricted compatibility
      with TLS 1.0 clients.

    * openssl(1) and other documentation improvements.

    * Removed flags for disabling constant-time operations.
      This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
      DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
      all of these operations unconditionally constant-time.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

Reply via email to