deadsimple BSD Security Advisories and Announcements

LibreSSL 2.4.0/2.3.5/2.2.8 Released

We have released a first development snapshot of LibreSSL 2.4.0 along
with two stable builds, 2.3.5 and 2.2.8. These should be arriving in
the LibreSSL directory of your local OpenBSD mirror soon.

The 2.3.5 and 2.2.8 releases contain a reliability fix, correcting an
error when parsing certain ASN.1 elements over 16k in size.

The 2.4.0 release contains the following additional changes:

    * Implemented the IETF ChaCha20-Poly1305 cipher suites.

    * Changed default EVP_aead_chacha20_poly1305() implementation to the
      IETF version, which is now the default.

    * Many improvements to the CMake build infrastructure, including
      Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
      Inoguchi for this work.

    * Reworked error handling in libtls so that configuration errors are
      more visible.

    * Added missing error handling around bn_wexpand() calls.

    * Added explicit_bzero calls for freed ASN.1 objects.

    * Fixed X509_*set_object functions to return 0 on allocation failure.

    * Fixed password prompts from openssl(1) to properly handle ^C.

    * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.