deadsimple BSD Security Advisories and Announcements

LibreSSL 2.5.0/2.4.3/2.3.8 Released

LibreSSL portable versions 2.3.7 and 2.4.3 are now released, along with
the newest development version 2.5.0, and will be available at a mirror
near you.

The following issues were fixed in all of the releases:

  * Avoid unbounded memory growth in libssl, which can be triggered by a
    TLS client repeatedly renegotiating and sending OCSP Status Request
    TLS extensions. (CVE-2016-6304)

  * Avoid falling back to a weak digest for (EC)DH when using SNI with

  * Issues related to recent CVE-2016-6306, "Certificate message OOB reads",
    were fixed in the first LibreSSL releases two years ago, which were
    reported to us by David Ramos of Stanford using the UC-KLEE tool
    developed there.

  * Other recently-announced issues including recent CVE-2016-6305,
    CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 did not apply.

LibreSSL 2.4.3 contains an additional fix:

  * Reverted change that cleans up the EVP cipher context in
    EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
    previous behaviour.

LibreSSL 2.5.0 also contains the following improvements and fixes:

  * libtls now supports ALPN and SNI

  * libtls adds a new callback interface for integrating custom IO
    functions. Thanks to Tobias Pape.

  * libtls now handles 4 cipher suite groups:
      "secure" (TLSv1.2+AEAD+PFS)
      "compat" (HIGH:!aNULL)
      "legacy" (HIGH:MEDIUM:!aNULL)
      "insecure" (ALL:!aNULL:!eNULL)

      This allows for flexibility and finer grained control, rather than
      having two extremes (an issue raised by Marko Kreen some time ago).

  * Tightened error handling for tls_config_set_ciphers().

  * libtls now always loads CA, key and certificate files at the time the
    configuration function is called. This simplifies code and results in
    a single memory based code path being used to provide data to libssl.

  * Add support for OCSP intermediate certificates.

  * Added functions used by stunnel and exim from BoringSSL - this
    brings in X509_check_host, X509_check_email, X509_check_ip, and

  * Added initial support for iOS, thanks to Jacob Berkman.

  * Improved behavior of arc4random on Windows when using memory leak
    analysis software.

  * Correctly handle an EOF that occurs prior to the TLS handshake
    completing. Reported by Vasily Kolobkov, based on a diff from Marko

  * Limit the support of the "backward compatible" ssl2 handshake to
    only be used if TLS 1.0 is enabled.

  * Fix incorrect results in certain cases on 64-bit systems when
    BN_mod_word() can return incorrect results. BN_mod_word() now can
    return an error condition. Thanks to Brian Smith.

  * Added constant-time updates to address CVE-2016-0702

  * Fixed undefined behavior in BN_GF2m_mod_arr()

  * Removed unused Cryptographic Message Support (CMS)

  * More conversions of long long idioms to time_t

  * Improved compatibility by avoiding printing NULL strings with