LibreSSL 2.7.4, 2.6.5 Released


Brent Cook
We have released LibreSSL 2.7.4 and 2.6.5, security updates for the
current stable release branches. They contain the following changes:

  * Avoid a timing side-channel leak when generating DSA and ECDSA
    signatures. This is caused by an attempt to do fast modular
    arithmetic, which introduces branches that leak information
    regarding secret values. Issue identified and reported by Keegan
    Ryan of NCC Group, CVE-2018-0495.

  * Reject excessively large primes in DH key generation. Problem
    reported by Guido Vranken to OpenSSL
    (https://github.com/openssl/openssl/pull/6457) and based on his
    diff.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.
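
The first item's point about branches in fast modular arithmetic, as an added C illustration that is not LibreSSL's code: a modular addition with a conditional final subtraction beside a branch-free form. The function names and the 64-bit operands (standing in for bignums, with a, b < q < 2^63) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Branching form: the subtraction runs only when a + b >= q, so the
 * path taken (and the timing) depends on the operands, which are
 * secret-derived during signing. Assumes a, b < q < 2^63. */
uint64_t mod_add_branchy(uint64_t a, uint64_t b, uint64_t q)
{
    uint64_t r = a + b;
    if (r >= q)
        r -= q;
    return r;
}

/* Branch-free form: always subtract, then pick r or r - q with a mask
 * derived from the borrow bit of the subtraction. */
uint64_t mod_add_ct(uint64_t a, uint64_t b, uint64_t q)
{
    uint64_t r = a + b;
    uint64_t d = r - q;                               /* wraps when r < q */
    uint64_t borrow = ((~r & q) | ((~r | q) & d)) >> 63;
    uint64_t mask = 0 - borrow;                       /* all ones when r < q */
    return (r & mask) | (d & ~mask);
}

/* Returns 1 if both forms agree for every a, b < q (small q only). */
int mod_add_forms_agree(uint64_t q)
{
    for (uint64_t a = 0; a < q; a++)
        for (uint64_t b = 0; b < q; b++)
            if (mod_add_branchy(a, b, q) != mod_add_ct(a, b, q))
                return 0;
    return 1;
}

int main(void)
{
    uint64_t q = 23;  /* constructed toy modulus */
    printf("20 + 5 mod 23 = %llu\n", (unsigned long long)mod_add_ct(20, 5, q));
    printf("forms agree for q = 23: %d\n", mod_add_forms_agree(q));
    return 0;
}
```

A compiler is free to turn either form into the other, so the generated assembly has to be inspected before treating the second function as constant-time.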