deadsimple BSD Security Advisories and Announcements

LibreSSL 3.0.2 Released

We have released LibreSSL 3.0.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This is the first stable release from the 3.0 series, which is included
with OpenBSD 6.6. It includes the following changes:

 * Use a valid curve when constructing an EC_KEY that looks like X25519.
   The recent EC group cofactor change results in stricter validation,
   which causes the EC_GROUP_set_generator() call to fail.
   Issue reported and fix tested by rsadowski@

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   (Note that the CMS code is currently disabled)
   Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)

 * Avoid a path traversal bug in s_server on Windows when run with the -WWW
   or -HTTP options, due to incomplete path check logic.
   Issue reported and fix tested by Jobert Abma

It includes the following changes and improvements from LibreSSL 2.9.x:

 *  API and Documentation Enhancements
  - Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.
  - Documented undescribed options and removed unfunctional options
	description in openssl(1) manual.

 * Testing and Proactive Security
  - A plethora of small fixes due to regular oss-fuzz testing.
  - Various side channels in DSA and ECDSA were addressed. These are
	some of the many issues found in an extensive systematic analysis of
	bignum usage by Samuel Weiser, David Schrammel et al.
  - Try to compute the cofactor if a nonsensical value was provided for
	ECC parameters. Fix from Billy Brumley.

 * Portable Improvements
  - Enabled performance optimizations when building with Visual Studio
	on Windows.
  - Enabled openssl(1) speed subcommand on Windows platform.

 * Bug Fixes
  - Fixed issue where SRTP extension would not be sent by server.
  - Fixed incorrect carry operation in 512 addition for Streebog.
  - Fixed -modulus option with openssl(1) dsa subcommand.
  - Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.
  - Fixed a padding oracle attack in PKCS7_dataDecode() and
	CMS_decrypt_set1_pkey() (CMS is currently disabled). From Bernd Edlinger.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.