Recent Releases

2.1.619 Mar 2015 21:05 major security bugfix: This release primarily addresses a number of security issues in coordination with the OpenSSL project. This release also enables the building of libtls by default, as the API and ABI are declared stable within the LibreSSL 2.1.x series. Further changes to libtls will resume with LibreSSL 2.2.x. Incorporated fixes: CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp. CVE-2015-0287 - ASN.1 structure reuse memory corruption. CVE-2015-0289 - PKCS7 NULL pointer dereferences. CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error. CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref. Additional patch for CVE-2015-0207 - Segmentation fault in DTLSv1_listen (LibreSSL is not vulnerable, but the fix was safe to merge). Fixes for CVE-2015-0204, CVE-2015-0292, CVE-2015-1787 were addressed in earlier LibreSSL releases: Issues CVE-2015-0291, CVE-2015-0290, CVE-2015-0208, CVE-2015-0293, CVE-2015-0285 did not apply to LibreSSL.
2.1.517 Mar 2015 14:45 : This release is relatively small, fixing a few bugs found in the last release before before opening development on 2.2.x. Fix incorrect comparison function in openssl(1) certhash command. Thanks to Christian Neukirchen / Void Linux. Windows port improvements and bug fixes. Removed a dynamic dependency on libgcc Correct a hang in openssl(1) reading from stdin after a connection. Correct a network initialization issue with the 'openssl ocsp' command. Reject server ephemeral DH keys smaller than 1024 bits. The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.
2.1.423 Feb 2015 04:45 documentation: Improvements to libtls: a new API for loading CA chains directly from memory instead of a file, allowing verification with privilege separation in a chroot without direct access to CA certificate files. Ciphers default to TLSv1.2 with AEAD and PFS. Improved error handling and message generation New APIs and improved documentation Added X509_STORE_load_mem API for loading certificates from memory. This facilitates accessing certificates from a chrooted environment. New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by using 'TLSv1.2+AEAD' as the cipher selection string. Dead and disabled code removal including MD5, Netscape workarounds, non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more. ASN1 macro maze expanded to aid reading and searching the code. NULL pointer asserts removed in favor of letting the OS/signal handler catch them. Refactored argument handling in openssl for consistency and maintainability. New openssl command 'certhash' replaces the c_rehash script. Support for building with OPENSSL_NO_DEPRECATED Dozens of issues found with the Coverity scanner fixed. Server-side support for TLS_FALLBACK_SCSV for compatibility with various auditor and vulnerability scanners.
2.1.322 Jan 2015 03:15 feature: Fixed various memory leaks in DTLS, including fixes for CVE-2015-0206. Added Application-Layer Protocol Negotiation support. Removed GOST R 34.10-94 signature authentication. Removed nonfunctional Netscape browser-hang workaround code. Simplfied and refactored SSL/DTLS handshake code. Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. Hide timing info about padding errors during handshakes. Improved libtls support for non-blocking sockets, added randomized session ID contexts. Work is ongoing with this library - feedback and potential use-cases are welcome. Support building Windows DLLs. Thanks to Jan Engelhard. Packaged config wrapper for better compatibility with OpenSSL-based build systems. Thanks to @technion from github Ensure the stack is marked non-executable for assembly sections. Thanks to Anthony G. Bastile. Enable extra compiler hardening flags by default, where applicable. The default set of hardening features can vary by OS to OS, so feedback is welcome on this. To disable the default hardening flags, specify '--disable-hardening' during configure. Thanks to Jim Barlow Initial HP-UX support, tested with HP-UX 11.31 ia64 Thanks to Kinichiro Inoguchi Initial NetBSD support, tested with NetBSD 6.1.5 x86_64 Imported from OpenNTPD, thanks to @gitisihara from github
2.1.205 Dec 2014 07:25 cleanup: Added reworked GOST cipher suite support thanks to Dmitry Eremin-Solenikov Enabled Camellia ciphers due to improved patent situation Use builtin arc4random implementation on OS X and FreeBSD addresses some deficiencies in the native implementations, see commit logs for more information. Added initial Windows mingw-w64 support thanks to Song Dongsheng for code and comments Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl Many cleanups
2.1.116 Oct 2014 22:32 security: Address POODLE attack by disabling SSLv3 by default. Fix Eliptical Curve cipher selection bug.
2.1.013 Oct 2014 15:52 major bugfix: When verifying whether an IP address is in the commonName of a certificate, do not perform wildcard matching. Allow "auto" to be specified as an ECDH curve name and make this the default. This enables automatic handling of ephemeral EC keys. Move cipher configuration handling to the shared SSL configuration function so that applies to both the ressl client and server. Add an option that allows the enabled SSL protocols to be explicitly configured. Add a new API function SSL_CTX_use_certificate_chain() that allows to read the PEM-encoded certificate chain from memory instead of a file. Implement ressl_accept_socket, which allocates a new server connection context (if necessary) and handles the TLS/SSL handshake over the given socket. Improve ressl_ read,write handling of non-blocking reads/writes. Man page fixes. Remove a few stray .Pp macros. Use preferred license form. Can't trust that doug guy with anything...
2.0.509 Aug 2014 13:45 security: This version forward-ports security fixes from OpenSSL 1.0.1i, including fixes for CVE-2014-3506, CVE-2014-3507, CVE-2014-3508 (partially vulnerable), CVE-2014-3509, CVE-2014-3510, CVE-2014-3511. LibreSSL 2.0.4 however wasn't found to be vulnerable to CVE-2014-5139, CVE-2014-3512 and CVE-2014-3505.
2.0.405 Aug 2014 22:32 minor bugfix: This version includes more portability changes, as well as other work. Most noticable may be the deletion of the of the SRP code (which has not been enabled in any LibreSSL release).
2.0.324 Jul 2014 02:12 minor bugfix: This release includes a number of portability fixes based on feedback from the BSD/Linux community. It also includes some improvements to the fork detection support.
2.0.216 Jul 2014 23:32 minor bugfix: An atfork hook handler addresses the PRNG bug for possibly wrapping PIDs after forking. And a build problem for absent getauxval(3) has been eschewed with an ifdef precompiler directive. An unneeded locking variable has been removed.
2.0.114 Jul 2014 05:28 minor bugfix: This release includes a number of portability fixes based on initial community feedback. Among other things new configure options to set OPENSSLDIR and ENGINESDIR. Some hardcoded compiler options like -Werror were disabled. There was also a baseline re-sync with the latest OpenBSD upstream changes, like pkg-config support.
2.0.012 Jul 2014 11:36 cleanup: First release of LibreSSL portable