CVS commit: wip/libressl

To: pkgsrc-wip-cvs%lists.sourceforge.net@localhost
Subject: CVS commit: wip/libressl
From: "Greg Troxel" <lexort%users.sourceforge.net@localhost>
Date: Tue, 24 Mar 2015 22:42:33 +0000
Module name:	wip
Committed by:	lexort
Date:		Tue Mar 24 22:42:18 UTC 2015

Modified Files:
	wip/libressl: Makefile PLIST distinfo

Log Message:
Update to 2.1.6, from Iain Morgan.

Updated PLIST to what is produced on NetBSD 6, in the absence of any
strong reason to believe the old PLIST was ok.


2.1.6 - Security update

	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences

	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
	  is integrated for safety, but LibreSSL is not vulnerable.

	* Libtls is now built by default. The --enable-libtls
	  configuration option is no longer required.
	  The libtls API is now stable for the 2.1.x series.

2.1.5 - Bug fixes and a security update
	* Fix incorrect comparison function in openssl(1) certhash command.
	  Thanks to Christian Neukirchen / Void Linux.

	* Windows port improvements and bug fixes.
	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
	  - Correct a hang in openssl(1) reading from stdin on an connection.
	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
	    any other network-related commands to function properly.

	* Reject all server DH keys smaller than 1024 bits.

2.1.4 - Security and feature updates
	* Improvements to libtls:
	  - a new API for loading CA chains directly from memory instead of a
	    file, allowing verification with privilege separation in a chroot
	    without direct access to CA certificate files.

	  - Ciphers default to TLSv1.2 with AEAD and PFS.

	  - Improved error handling and message generation

	  - New APIs and improved documentation

	* Added X509_STORE_load_mem API for loading certificates from memory.
	  This facilitates accessing certificates from a chrooted environment.

	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
	  using 'TLSv1.2+AEAD' as the cipher selection string.

	* Dead and disabled code removal including MD5, Netscape workarounds,
	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.

	* ASN1 macro maze expanded to aid reading and searching the code.

	* NULL pointer asserts removed in favor of letting the OS/signal
	  handler catch them.

	* Refactored argument handling in openssl(1) for consistency and
	  maintainability.

	* New openssl(1) command 'certhash' replaces the c_rehash script.

	* Support for building with OPENSSL_NO_DEPRECATED

	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
	  various auditor and vulnerability scanners.

	* Dozens of issues found with the Coverity scanner fixed.

	* Security Updates:

	  - Fix a minor information leak that was introduced in t1_lib.c
	    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
	    provided to the network. In most cases this is a non-issue since
	    the memory content is already public. Issue found and reported by
	    Felix Groebert of the Google Security Team.

	  - Fixes for the following low-severity issues were integrated into
	    LibreSSL from OpenSSL 1.0.1k:

	     CVE-2015-0205 - DH client certificates accepted without
	                     verification
	     CVE-2014-3570 - Bignum squaring may produce incorrect results
	     CVE-2014-8275 - Certificate fingerprints can be modified
	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.

	    The following CVEs were fixed in earlier LibreSSL releases:
	     CVE-2015-0206 - Memory leak handling repeated DLTS records
	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

	    The following CVEs did not apply to LibreSSL:
	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

2.1.3 - Security update and OS support improvements
	* Fixed various memory leaks in DTLS, including fixes for
	  CVE-2015-0206.

	* Added Application-Layer Protocol Negotiation (ALPN) support.

	* Removed GOST R 34.10-94 signature authentication.

	* Removed nonfunctional Netscape browser-hang workaround code.

	* Simplfied and refactored SSL/DTLS handshake code.

	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

	* Hide timing info about padding errors during handshakes.

	* Improved libtls support for non-blocking sockets, added randomized
	  session ID contexts. Work is ongoing with this library - feedback
	  and potential use-cases are welcome.

	* Support building Windows DLLs.
	  Thanks to Jan Engelhard.

	* Packaged config wrapper for better compatibility with OpenSSL-based
	  build systems.
	  Thanks to @technion from github

	* Ensure the stack is marked non-executable for assembly sections.
	  Thanks to Anthony G. Bastile.

	* Enable extra compiler hardening flags by default, where applicable.
	  The default set of hardening features can vary by OS to OS, so
	  feedback is welcome on this. To disable the default hardening flags,
	  specify '--disable-hardening' during configure.
	  Thanks to Jim Barlow

	* Initial HP-UX support, tested with HP-UX 11.31 ia64
	  Thanks to Kinichiro Inoguchi

	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
	  Imported from OpenNTPD, thanks to @gitisihara from github



To generate a diff of this commit:
cvs -z3 rdiff -u -r1.3 -r1.4 wip/libressl/PLIST
cvs -z3 rdiff -u -r1.7 -r1.8 wip/libressl/distinfo
cvs -z3 rdiff -u -r1.8 -r1.9 wip/libressl/Makefile

To view a diff of this commit:
http://pkgsrc-wip.cvs.sourceforge.net/pkgsrc-wip/wip/libressl/PLIST?r1=1.3&r2=1.4
http://pkgsrc-wip.cvs.sourceforge.net/pkgsrc-wip/wip/libressl/distinfo?r1=1.7&r2=1.8
http://pkgsrc-wip.cvs.sourceforge.net/pkgsrc-wip/wip/libressl/Makefile?r1=1.8&r2=1.9

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
pkgsrc-wip-cvs mailing list
pkgsrc-wip-cvs%lists.sourceforge.net@localhost
https://lists.sourceforge.net/lists/listinfo/pkgsrc-wip-cvs
Prev by Date: CVS commit: wip/dcc
Next by Date: CVS commit: wip/livestreamer
Previous by Thread: CVS commit: wip/libressl
Next by Thread: CVS commit: wip/libressl
Indexes:
Home | Main Index | Thread Index | Old Index