deadsimple BSD Security Advisories and Announcements

LibreSSL 2.3.1 released

We have released LibreSSL 2.3.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release is the second snapshot based on the OpenBSD 5.9 development
branch. It is still likely to change more than the 2.2.x and
2.1.x branches. The ABI/API for the LibreSSL 2.3.x series will be
declared stable around March 2016. See for more details.

LibreSSL 2.3.1 has the following notable changes:

  * ASN.1 cleanups and RFC5280 compliance fixes.

  * Time representations switched from 'unsigned long' to 'time_t'.
    LibreSSL now checks if the host OS supports 64-bit time_t.

  * Fixed a leak in SSL_new in the error path.

  * Support always extracting the peer cipher and version with libtls.

  * Added ability to check certificate validity times with libtls,
    tls_peer_cert_notbefore and tls_peer_cert_notafter.

  * Changed tls_connect_servername to use the first address that
    resolves with getaddrinfo().

  * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional
    since initial commit in 2004).

  * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt,
    reported by Qualys Security.

  * Fixed an overflow of up to 7 bytes in RC4 when len is not a multiple of
    sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at>.

  * Reject too small bits value in BN_generate_prime_ex(), so that it
    does not risk becoming negative in probable_prime_dh_safe(),
    reported by Franck Denis.

  * Enable nc(1) builds on more platforms.
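
The RC4 item above concerns chunked processing when len is not a multiple
of the chunk size. The following is an added illustration of that bug
class, not LibreSSL's code or its fix: a word-at-a-time XOR routine that
handles the trailing bytes one at a time. The names chunk_t, xor_keystream
and check_tail_handling are hypothetical, and the 8-byte chunk is an
assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: an 8-byte chunk, matching the "up to 7 bytes" in the note. */
typedef uint64_t chunk_t;

/* XOR len bytes of keystream ks with in, writing to out. Whole chunks are
 * moved as words via memcpy; the tail (len % sizeof(chunk_t)) is handled
 * bytewise, so no byte at index >= len is ever read or written. */
void xor_keystream(const unsigned char *ks, const unsigned char *in,
    unsigned char *out, size_t len)
{
	size_t i = 0;

	for (; len - i >= sizeof(chunk_t); i += sizeof(chunk_t)) {
		chunk_t k, d;
		memcpy(&k, ks + i, sizeof(k));
		memcpy(&d, in + i, sizeof(d));
		d ^= k;
		memcpy(out + i, &d, sizeof(d));
	}
	for (; i < len; i++)	/* 0..7 trailing bytes */
		out[i] = in[i] ^ ks[i];
}

/* Self-check on constructed data: for every len in 0..24 the output must
 * match a bytewise reference and the 8 guard bytes that follow the output
 * must be untouched. Returns 1 on success, 0 on failure. */
int check_tail_handling(void)
{
	unsigned char ks[24], in[24], out[24 + 8];
	size_t len, i;

	for (i = 0; i < 24; i++) {
		ks[i] = (unsigned char)(i * 37 + 11);
		in[i] = (unsigned char)(i * 101 + 3);
	}
	for (len = 0; len <= 24; len++) {
		memset(out, 0xA5, sizeof(out));
		xor_keystream(ks, in, out, len);
		for (i = 0; i < len; i++)
			if (out[i] != (unsigned char)(in[i] ^ ks[i]))
				return 0;
		for (i = len; i < len + 8; i++)
			if (out[i] != 0xA5)
				return 0;
	}
	return 1;
}
int main(void) { return check_tail_handling() ? 0 : 1; }
```

The guard bytes catch stray writes only; an over-read of the input needs a
tool such as AddressSanitizer or Valgrind to show up.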

The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible.