BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 2.6.2 Released

We have released LibreSSL 2.6.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the third
development release from the 2.6 series, which will eventually be part of
OpenBSD 6.2. It includes the following fixes:

  * Provide a useful error with libtls if there are no OCSP URLs in a
    peer certificate.

  * Keep track of which keypair is in use by a TLS context, fixing a bug
    where a TLS server with SNI would only return the OCSP staple for the
    default keypair. Issue reported by William Graeber and confirmed by
    Andreas Bartelt.

  * Fixed various issues in the OCSP extension parsing code.
    The original code incorrectly passes the pointer allocated via
    CBS_stow() (using malloc()) to a d2i_*() function and then calls
    free() on the now incremented pointer, most likely resulting in a
    crash. This issue was reported by Robert Swiecki who found the issue
    using honggfuzz.

  * If tls_config_parse_protocols() is called with a NULL pointer,
    return the default protocols instead of crashing - this makes the
    behaviour more useful and mirrors what we already do in
    tls_config_set_ciphers() et al.
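The OCSP extension parsing fix above hinges on the d2i_*() calling convention: the function advances the caller's input pointer past the bytes it consumed, so a pointer that came straight from malloc() is no longer the allocation start by the time free() is called. The following is an added example, not LibreSSL code; it uses a hypothetical toy_d2i() with the same convention and a constructed DER sample, and it reports the bad offset instead of performing the invalid free().

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical d2i_*()-style parser (not LibreSSL code): advances *pp past the bytes consumed. */
typedef struct { uint8_t tag; } toy_obj;

static toy_obj *toy_d2i(const uint8_t **pp, size_t avail) {
	const uint8_t *p = *pp;
	toy_obj *o;
	/* short-form length only, and the whole element must be present */
	if (avail < 2 || p[1] > 127 || (size_t)p[1] + 2 > avail)
		return NULL;
	if ((o = malloc(sizeof(*o))) == NULL)
		return NULL;
	o->tag = p[0];
	*pp = p + 2 + p[1];	/* caller's pointer no longer points at the start */
	return o;
}

static const uint8_t sample[] = { 0x04, 0x03, 'a', 'b', 'c' }; /* constructed: DER OCTET STRING "abc" */

/* The pattern the advisory describes: the body is copied into a fresh malloc()
 * buffer (as CBS_stow() does), that same pointer variable is passed to the d2i
 * function, and free() then receives the advanced value. Rather than perform
 * the invalid free(), report the offset free() would have been given. */
static long buggy_free_offset(const uint8_t *der, size_t len) {
	uint8_t *data = malloc(len);
	const uint8_t *p = data;
	if (data == NULL) return -1;
	memcpy(data, der, len);
	free(toy_d2i(&p, len));
	long off = (long)(p - data);	/* the original code called free(p) here */
	free(data);			/* release via the pointer malloc() returned */
	return off;
}

/* Corrected pattern: keep the allocation pointer, let the d2i call advance a
 * separate cursor, and free() the original afterwards. Returns the tag or -1. */
static int fixed_parse(const uint8_t *der, size_t len) {
	uint8_t *data = malloc(len);
	const uint8_t *cursor = data;
	if (data == NULL) return -1;
	memcpy(data, der, len);
	toy_obj *o = toy_d2i(&cursor, len);
	free(data);
	if (o == NULL) return -1;
	int tag = o->tag;
	free(o);
	return tag;
}
```

With the five-byte sample, buggy_free_offset() reports an offset of 5, the distance between the pointer the original code freed and the one malloc() returned; a truncated input is rejected by both paths without any pointer movement.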

The LibreSSL project continues to improve the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.