BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 2.1.6 released

19 March, 2015 by busterb@gmail.com | openbsd 

We have released LibreSSL 2.1.6, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release primarily addresses a number of security issues in
coordination with the OpenSSL project.

  Fixes for the following issues are integrated into LibreSSL 2.1.6:

     * CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
     * CVE-2015-0287 - ASN.1 structure reuse memory corruption
     * CVE-2015-0289 - PKCS7 NULL pointer dereferences
     * CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
     * CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref

  The patch for this issue is integrated in LibreSSL 2.1.6:

     * CVE-2015-0207 - Segmentation fault in DTLSv1_listen
         LibreSSL is not vulnerable, but the fix was safe to merge.

  The following issues were addressed in earlier LibreSSL releases:

     * CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
	  Fixed in LibreSSL 2.1.2 - reclassifed from low to high,
     * CVE-2015-0292 - Fault processing Base64 decode
          Fixed in LibreSSL 2.0.0
     * CVE-2015-1787 - Empty CKE with client auth and DHE
          Fixed in LibreSSL 2.0.1

  The following issues did not apply to LibreSSL 2.1.6:

     * CVE-2015-0291 - OpenSSL 1.0.2 ClientHello sigalgs DoS
          Affected code is not present.
     * CVE-2015-0290 - Multiblock corrupted pointer
          Affected code is not present.
     * CVE-2015-0208 - Segmentation fault for invalid PSS parameters
          Affected code is not present.
     * CVE-2015-0293 - DoS via reachable assert in SSLv2 servers
          Affected code is not present.
     * CVE-2015-0285 - Handshake with unseeded PRNG
          Cannot happen by the design of the LibreSSL PRNG.

This release also enables the building of libtls by default, as the API
and ABI are declared stable within the LibreSSL 2.1.x series. Further
changes to libtls will resume with LibreSSL 2.2.x.

The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible.