BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 2.9.1 Released

We have released LibreSSL 2.9.1, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon. This is the first stable release
from the 2.9 series, which is also included with OpenBSD 6.5.

It includes the following changes and improvements from LibreSSL 2.8.x:

 * API and Documentation Enhancements
   - CRYPTO_LOCK is now automatically initialized, with the legacy
     callbacks stubbed for compatibility.
   - Added the SM3 hash function from the Chinese standard GB/T 32905-2016.
   - Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.
   - Added more OPENSSL_NO_* macros for compatibility with OpenSSL.
   - Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.
   - Implemented further missing OpenSSL 1.1 API.
   - Added support for XChaCha20 and XChaCha20-Poly1305.
   - Added support for AES key wrap constructions via the EVP interface.

 * Compatibility Changes
   - Added pbkdf2 key derivation support to openssl(1) enc.
   - Changed the default digest type of openssl(1) enc to sha256.
   - Changed the default digest type of openssl(1) dgst to sha256.
   - Changed the default digest type of openssl(1) x509 -fingerprint to sha256.
   - Changed the default digest type of openssl(1) crl -fingerprint to sha256.
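The enc(1) digest change above matters for interoperability: the digest is an input to the key derivation, so a file encrypted with one default cannot be decrypted with another unless -md is given explicitly. The following is an added example (not LibreSSL code) that reproduces the key/IV derivation of `openssl enc -aes-256-cbc` under the old md5 default, the new sha256 default, and -pbkdf2; it assumes the legacy KDF is EVP_BytesToKey with count 1, that -pbkdf2 is PBKDF2-HMAC over key+IV bytes, and a 10000 iteration count (OpenSSL's default, assumed here for LibreSSL); password and salt are constructed sample values.

```python
import hashlib

# Constructed sample inputs (not from the advisory): a password and the
# 8-byte salt that openssl(1) enc writes after its "Salted__" header.
PASSWORD = b"correct horse"
SALT = bytes.fromhex("0102030405060708")
AES256_CBC_KEY_LEN, AES256_CBC_IV_LEN = 32, 16


def evp_bytes_to_key(password, salt, digest, key_len, iv_len, count=1):
    """Legacy openssl(1) enc KDF (EVP_BytesToKey): D_i = H(D_{i-1} || pass || salt),
    concatenated until key_len + iv_len bytes are available."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = hashlib.new(digest, prev + password + salt).digest()
        for _ in range(count - 1):  # extra rounds only when count > 1
            d = hashlib.new(digest, d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password, salt, digest, key_len, iv_len, iterations=10000):
    """openssl(1) enc -pbkdf2: PBKDF2-HMAC producing key_len + iv_len bytes.
    10000 iterations is OpenSSL's -iter default; assumed here for LibreSSL too."""
    out = hashlib.pbkdf2_hmac(digest, password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]


def compare_defaults(password=PASSWORD, salt=SALT):
    """Key/IV that 'openssl enc -aes-256-cbc' derives under each default.
    Same password and salt, three different keys: decrypting with the wrong
    digest yields garbage or a padding error, not a clear warning."""
    lens = (AES256_CBC_KEY_LEN, AES256_CBC_IV_LEN)
    return {
        "md5 (pre-2.9 enc default)": evp_bytes_to_key(password, salt, "md5", *lens),
        "sha256 (2.9.1 enc default)": evp_bytes_to_key(password, salt, "sha256", *lens),
        "pbkdf2-sha256 (enc -pbkdf2)": pbkdf2_key_iv(password, salt, "sha256", *lens),
    }


if __name__ == "__main__":
    for name, (key, iv) in compare_defaults().items():
        print(f"{name:28s} key={key.hex()} iv={iv.hex()}")
```

Pinning `-md sha256 -pbkdf2` on both the encrypting and decrypting side removes the dependence on whichever version's default happens to apply.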

 * Testing and Proactive Security
   - Added extensive interoperability tests between LibreSSL and OpenSSL
     1.0 and 1.1.
   - Added additional Wycheproof tests and related bug fixes.

 * Internal Improvements
   - Simplified sigalgs option processing and handshake signing
     algorithm selection.
   - Added the ability to use the RSA PSS algorithm for handshake signatures.
   - Added bn_rand_interval() and use it in code needing ranges of
     random bn values.
   - Added functionality to derive early, handshake, and application
     secrets as per RFC8446.
   - Added handshake state machine from RFC8446.
   - Removed some ASN.1 related code from libcrypto that had not been
     used since around 2000.
   - Unexported internal symbols and internalized more record layer structs.
   - Removed SHA224 based handshake signatures from consideration for
     use in a TLS 1.2 handshake.

 * Portable Improvements
   - Added support for assembly optimizations on 32-bit ARM ELF targets.
   - Added support for assembly optimizations on Mingw-w64 targets.
   - Improved Android compatibility.

 * Bug Fixes
   - Improved protection against timing side channels in ECDSA signature
     generation.
   - Coordinate blinding was added to some elliptic curves. This is the
     last bit of the work by Brumley et al. to protect against the PortSmash
     vulnerability.
   - Ensure the handshake transcript is always freed with TLS 1.2.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.