BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 2.1.7 and 2.2.0 released

11 June, 2015 by busterb@gmail.com | openbsd 

We have released LibreSSL 2.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release is the first from the OpenBSD 5.8 development tree and
features mainly on build system improvements and new OS support.

We have also released LibreSSL 2.1.7, which contains additional security
fixes.

  * AIX Support - thanks to Michael Felt

  * Cygwin Support - thanks to Corinna Vinschen

  * Refactored build macros, support packaging libtls independently.
    There are more pieces required to support building and using OpenSSL
    with libtls, but this is an initial start at providing an
    independent package for people to start hacking on.

  * Removal of OPENSSL_issetugid and all library getenv calls.
    Applications can and should no longer rely on environment variables
    for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
    supported with the openssl(1) command.

  * libtls API and documentation additions

  * Various bug fixes and simplifications to libssl and libcrypto

  * Fixes for the following issues are integrated into LibreSSL 2.1.7
    and LibreSSL 2.2.0:
    - CVE-2015-1788 - Malformed ECParameters causes infinite loop
    - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
    - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
                      (this code is not enabled by default)

  * The following CVEs did not apply to LibreSSL or were fixed in earlier
    releases:
    - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
    - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
    - CVE-2014-8176 - Invalid free in DTLS

  * Fixes for the following CVEs are still in review for LibreSSL:
    - CVE-2015-1791 - Race condition handling NewSessionTicket

Note: This will likely be the last 2.2.x release with support for SSLv3,
as it will be removed entirely from the main LibreSSL tree.

Windows binaries are currently delayed, but they should be available
next week. You can build them fairly easily using the dist-win.sh
script available in the LibreSSL portable git repository.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.