BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 3.0.1 Released

We have released LibreSSL 3.0.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This is the second development release from the 3.0 series, which will
eventually be part of OpenBSD 6.6. It includes the following changes:

 * Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
   or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
   it using Hasse's bound. This works as long as the cofactor is small
   enough.

 * Fixed a memory leak in error paths for eckey_type2param().

 * Initial work on supporting Cryptographic Message Syntax (CMS) in
   libcrypto (not enabled).

 * Various manual page improvements and additions.

 * Added a CMake check for an existing uninstall target, facilitating
   embedding LibreSSL in larger CMake projects, from Matthew Albrecht.
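
The cofactor recovery described in the first item above, as an added Python
sketch (not LibreSSL or OpenSSL source). It is restricted to prime fields, the
function names are hypothetical, and the size guard is an assumption modelled
on the OpenSSL 1.1.1 fix; the curve constants are the published P-256 and
Curve25519 parameters.

```python
# Added illustration: recover a missing cofactor from Hasse's bound.
# With #E = h * n and |#E - (q + 1)| <= 2*sqrt(q), h is the nearest integer
# to (q + 1) / n, provided n is large enough that only one h can fit.

def recover_cofactor(q: int, n: int) -> int:
    """Return cofactor h for a curve over GF(q) with generator order n,
    or 0 when n is too small for the bound to determine h uniquely."""
    if q < 3 or n < 1:
        raise ValueError("field size and order must be positive")
    # Guard (assumption, modelled on the upstream fix): the order needs
    # a few more bits than sqrt(q), otherwise several h values are possible.
    if n.bit_length() <= (q.bit_length() + 1) // 2 + 3:
        return 0
    # Round to nearest: floor((q + 1 + n/2) / n)
    return (q + 1 + n // 2) // n

def hasse_consistent(q: int, n: int, h: int) -> bool:
    """Check |h*n - (q + 1)| <= 2*sqrt(q) without floating point."""
    t = h * n - (q + 1)
    return t * t <= 4 * q

# NIST P-256: prime field, cofactor 1.
P256_Q = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Curve25519: prime field, cofactor 8 (n is the prime subgroup order).
C25519_Q = 2**255 - 19
C25519_N = 2**252 + 27742317777372353535851937790883648493

# Constructed input: a 101-bit order on a 256-bit field. The cofactor
# would be huge, so the bound cannot pin it down and 0 is returned.
SMALL_N = 2**100 + 277

if __name__ == "__main__":
    for name, q, n in [("P-256", P256_Q, P256_N),
                       ("Curve25519", C25519_Q, C25519_N),
                       ("constructed small order", P256_Q, SMALL_N)]:
        h = recover_cofactor(q, n)
        status = "unknown" if h == 0 else f"h={h}"
        print(f"{name}: {status}")
```

A result of 0 is the "cofactor not small enough" case: the caller has to treat
the cofactor as unknown rather than guess.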

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.