deadsimple BSD Security Advisories and Announcements

LibreSSL 3.8.1 Released

We have released LibreSSL 3.8.1, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon. This is a development release for
the 3.8.x branch, so we appreciate early testing and feedback.

It includes the following changes:

  * Portable changes
    - Applications bundled as part of the LibreSSL package internally,
      nc(1) and openssl(1), now are linked statically if static libraries
      are built.
    - Internal compatibility function symbols are no longer exported from
      libcrypto. Instead, the libcompat library is linked to libcrypto,
      libssl, and libtls separately. This increases size a little, but
      ensures that the libraries are not exporting symbols to programs
    - Selective removal of CET implementation on platforms where it is
      not supported (macOS).
    - Integrated four more tests.
    - Added Windows ARM64 architecture to tested platforms.
    - Removed Solaris 10 support, fixed Solaris 11.
    - libtls no longer links statically to libcrypto / libssl unless
      '--enable-libtls-only' is specified at configure time.
    - Improved Windows compatibility library, namely handling of files vs
      sockets, correcting an exception when operating on a closed socket.
    - CMake builds no longer hardcode '-O2' into the compiler flags, instead
      using flags from the CMake build type instead.
    - Set the CMake default build type to 'Release'. This can be overridden
      during configuration.
    - Fixed broken ASM support with MinGW builds.
  * Internal improvements
    - Fixed alignment handling in SHA-512.
    - Moved the verified_chain to the correct internal struct.
    - Improved checks for commonName in libtls.
    - Fixed error check for X509_get_ext_d2i() failure in libtls.
    - Improved BIGNUM internals and performance.
    - Significantly improved Montgomery multiplication performance.
    - Initial cleanup passes for SHA-256 internals.
    - Converted more libcrypto internals API using CBB and CBS.
    - Removed code guarded by #ifdef ZLIB.
    - Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with
      Ed25519 and fixed a few bugs in there.
    - Fixed various issues with EVP_PKEY_CTX_{new,dup}().
    - Improved X.509 certificate version checks.
    - Cleaned up handling of elliptic curve cofactors.
    - Made BN_num_bits() independent of bn->top.
    - Rewrote and simplified bn_sqr().
    - Removed EC_GROUP precomp machinery.
    - Ensure no X.509v3 extensions appear more than once in certificates.
    - Cleaned up various ECDH, ECDSA and EC internals.
    - Replaced ASN1_bn_print with a cleaner internal implementation.
    - Simplified ASN1_item_sign_ctx().
    - Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
    - Various improvements in the 'simple' EC code.
    - Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
    - Reduced the dependency of hash implementations on many layers of
      macros. This results in significant speedups since modern compilers
      are now less confused.
    - Significantly simplified the BN_BLINDING internals used in RSA.
  * New features
  * Compatibility changes
    - X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain
      valid UTF-8 without embedded NUL.
    - Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
    - Removed support for ECDH_METHOD and ECDSA_METHOD.
    - BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than
      32 kbits for primality. This mitigates various DoS vectors.
    - Comp was removed.
    - Dynamic loading of conf modules is no longer supported.
    - DSO was removed and OPENSSL_NO_DSO is defined.
    - ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
      of this, some stub functions are provided to avoid patching some
      applications that do not honor OPENSSL_NO_ENGINE.
    - It is no longer possible to make the library use your own error
      stack or ex_data implementation.
  * Bug fixes
    - Fixed aliasing issue in BN_mod_inverse().
    - Made CRYPTO_get_ex_new_index() not return 0 to allow applications
      to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
      each other.
    - Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
    - Plugged leaks in BIO_chain_dup().
    - Fixed numerous leaks and other minor bugs in RSA, DH, DSA and EC
      ASN.1 methods. Unified the coding style.
    - On socket errors in the poll loop, netcat could issue system calls
      on invalidated file descriptors.
  * Documentation improvements
    - Made it very explicit that the verify callback should not be used.
    - Called out that the CRL lastUpdate is standardized as thisUpdate.
  * Testing and Proactive Security
    - As always, new test coverage is added as bugs are fixed and subsystems
      are cleaned up.
  * Security fixes
    - Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
      be selected for use.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.