LibreSSL 2.1.6 released
19 March, 2015 by busterb@gmail.com | openbsd
We have released LibreSSL 2.1.6, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This release primarily addresses a number of security issues in coordination with the OpenSSL project. Fixes for the following issues are integrated into LibreSSL 2.1.6: * CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp * CVE-2015-0287 - ASN.1 structure reuse memory corruption * CVE-2015-0289 - PKCS7 NULL pointer dereferences * CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error * CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref The patch for this issue is integrated in LibreSSL 2.1.6: * CVE-2015-0207 - Segmentation fault in DTLSv1_listen LibreSSL is not vulnerable, but the fix was safe to merge. The following issues were addressed in earlier LibreSSL releases: * CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA Fixed in LibreSSL 2.1.2 - reclassifed from low to high, * CVE-2015-0292 - Fault processing Base64 decode Fixed in LibreSSL 2.0.0 * CVE-2015-1787 - Empty CKE with client auth and DHE Fixed in LibreSSL 2.0.1 The following issues did not apply to LibreSSL 2.1.6: * CVE-2015-0291 - OpenSSL 1.0.2 ClientHello sigalgs DoS Affected code is not present. * CVE-2015-0290 - Multiblock corrupted pointer Affected code is not present. * CVE-2015-0208 - Segmentation fault for invalid PSS parameters Affected code is not present. * CVE-2015-0293 - DoS via reachable assert in SSLv2 servers Affected code is not present. * CVE-2015-0285 - Handshake with unseeded PRNG Cannot happen by the design of the LibreSSL PRNG. This release also enables the building of libtls by default, as the API and ABI are declared stable within the LibreSSL 2.1.x series. Further changes to libtls will resume with LibreSSL 2.2.x. The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.