BSDSec

LibreSSL 2.3.9 and 2.4.4 released

7 November, 2016 by busterb@gmail.com | openbsd

We have released LibreSSL 2.3.9 and 2.4.4, which are availeble in the
LibreSSL directory of your local OpenBSD mirror. Both include the following
reliability change:

    * Avoid continual processing of an unlimited number of TLS records,
      which can cause a denial-of-service condition. CVE-2016-8610

LibreSSL 2.4.4 also includes these reliability improvements:

    * In X509_cmp_time(), pass asn1_time_parse() the tag of the field
      being parsed so that a malformed GeneralizedTime field is recognized as
      an error instead of potentially being interpreted as if it was a valid
      UTCTime.

    * Improve ticket validity checking when tlsext_ticket_key_cb()
      callback chooses a different HMAC algorithm.

    * Check for packets with a truncated DTLS cookie.

    * Detect zero-length encrypted session data early, instead of when
      malloc(0) fails or the HMAC check fails.

    * Check for and handle failure of HMAC_{Update,Final} or
      EVP_DecryptUpdate()

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.