LibreSSL 2.3.9 and 2.4.4 released

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

LibreSSL 2.3.9 and 2.4.4 released

Brent Cook
We have released LibreSSL 2.3.9 and 2.4.4, which are availeble in the
LibreSSL directory of your local OpenBSD mirror. Both include the following
reliability change:

    * Avoid continual processing of an unlimited number of TLS records,
      which can cause a denial-of-service condition. CVE-2016-8610

LibreSSL 2.4.4 also includes these reliability improvements:

    * In X509_cmp_time(), pass asn1_time_parse() the tag of the field
      being parsed so that a malformed GeneralizedTime field is recognized as
      an error instead of potentially being interpreted as if it was a valid
      UTCTime.

    * Improve ticket validity checking when tlsext_ticket_key_cb()
      callback chooses a different HMAC algorithm.

    * Check for packets with a truncated DTLS cookie.

    * Detect zero-length encrypted session data early, instead of when
      malloc(0) fails or the HMAC check fails.

    * Check for and handle failure of HMAC_{Update,Final} or
      EVP_DecryptUpdate()

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

Loading...