OpenBSD Journal

LibreSSL 2.1.5 Released

Contributed by pitrh on from the liberal yak shaving dept.

The LibreSSL team has released LibreSSL 2.1.5, which the team characterizes as

relatively small, focused on bug fixes before 2.2.x development begins along-side OpenBSD 5.8.

In what could be a useful test of the LibreSSL project's code cleanup operation, the team notes that

This or earlier LibreSSL releases may also address issues that are to be revealed by The OpenSSL Project Team on the 19th of March, 2015.

The LibreSSL team is not typically apprised of OpenSSL-related security issues in advance. We will address any previously-unknown issues that are found to affect LibreSSL in future releases.

You can read the full announcement here, and it also follows in full after the fold.

UPDATE 2015-03-17 16:20 CET: Bob Beck (beck@) now reports that the OpenSSL project has communicated details of the still-embargoed OpenSSL vulnerabilities to LibreSSL core developers.

From: Brent Cook 
To: announce@openbsd.org, tech@openbsd.org
Subject: LibreSSL 2.1.5 released

We have released LibreSSL 2.1.5, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release is relatively small, focused on bug fixes before 2.2.x
development begins along-side OpenBSD 5.8.

This or earlier LibreSSL releases may also address issues that are to be
revealed by The OpenSSL Project Team on the 19th of March, 2015.

The LibreSSL team is not typically apprised of OpenSSL-related security
issues in advance. We will address any previously-unknown issues that
are found to affect LibreSSL in future releases.

Issues addressed since 2.1.4:

* Fix incorrect comparison function in openssl(1) certhash command.
  Thanks to Christian Neukirchen / Void Linux.

* Windows port improvements and bug fixes.
  - Removed a dependency on libgcc in 32-bit dynamic libraries.
  - Correct a hang in openssl(1) reading from stdin on an connection.
  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
    any other network-related commands to function properly.

* Reject all server DH keys smaller than 1024 bits.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

(Comments are closed)


Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]