deadsimple BSD Security Advisories and Announcements

LibreSSL 3.1.1 released

We have released LibreSSL 3.1.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This is the first stable release from the 3.1 series, which is included
with OpenBSD 6.7. It includes the following changes from 3.0:

 * New Features
   - Completed initial TLS 1.3 implementation with a completely new state
     machine and record layer. TLS 1.3 is now enabled by default for the client
     side, with the server side to be enabled in a future release. Note that
     the OpenSSL TLS 1.3 API is not yet visible/available.
   - Improved cipher suite handling to automatically include TLSv1.3 cipher
     suites when they are not explicitly referred to in the cipher string.
   - Provided TLSv1.3 cipher suite aliases to match the names used in RFC 8446.
   - Added cms subcommand to openssl(1).
   - Added -addext option to openssl(1) req subcommand.
   - Added -groups option to openssl(1) s_server subcommand.
   - Added TLSv1.3 extension types to openssl(1) -tlsextdebug.

 * API and Documentation Enhancements
   - Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
   - Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
     1.1.1 and enabled by default.

 * Compatibility Changes
   - Improved compatibility by backporting functionality and documentation from
     OpenSSL 1.1.1.
   - Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

 * Testing and Proactive Security:
   - Added many new additional crypto test vectors.
   - Fix to disallow setting the AES-GCM IV length to zero.

 * Internal Improvements
   - Many more code cleanups, fixes, and improvements to memory handling and
     protocol parsing.

 * Portable Improvements
   - Default CA bundle location is now configurable in portable builds.
   - Improved portable builds to support for use of static MSVC runtimes.
   - Fixed portable builds to avoid exporting a sleep() symbol.

 * Bug Fixes
   - Fixed printing the serialNumber with X509_print_ex() fall back to the
     colon separated hex bytes in case greater than int value.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.