BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 2.5.4 Released

We have released LibreSSL 2.5.4, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. It includes the
following changes:

  * Reverted a previous change that forced consistency between return
    value and error code when specifing a certificate verification
    callback, since this breaks the documented API. When a user supplied
    callback always returns 1, and later code checks the error code to
    potentially abort post verification, this will result in incorrect
    successul certificate verification.

  * Switched Linux getrandom() usage to non-blocking mode, continuing to
    use fallback mechanims if unsuccessful. This works around a design
    flaw in Linux getrandom(2) where early boot usage in a library makes
    it impossible to recover if getrandom(2) is not yet initialized.

  * Fixed a bug caused by the return value being set early to signal
    successful DTLS cookie validation. This can mask a later failure and
    result in a positive return value being returned from
    ssl3_get_client_hello(), when it should return a negative value to
    propagate the error.

  * Fixed a build error on non-x86/x86_64 systems running Solaris.

This is the first stable fix release for the LibreSSL 2.5.x branch. The
next development release will be 2.6.0.