2.1.7 security update

2015-06-11 09:00:29 -05:00 · 2015-06-11 09:00:29 -05:00 · ce063e4989
commit ce063e4989
parent 89c5dc6bcf
2 changed files with 17 additions and 1 deletions
--- a/16
+++ b/16
@ -31,6 +31,22 @@ LibreSSL Portable Release Notes:
 This release primarily addresses a number of security issues in coordination
 with the OpenSSL project.

+2.1.7 - Security Update
+
+	* Fixes for the following issues are integrated into LibreSSL 2.1.7:
+	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
+	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
+	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
+
+	* The following CVEs did not apply to LibreSSL or were fixed in
+	  earlier releases:
+	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
+	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
+	 - CVE-2014-8176 - Invalid free in DTLS
+
+	* Fixes for the following CVEs are still in review for LibreSSL
+	 - CVE-2015-1791 - Race condition handling NewSessionTicket
+
 2.1.6 - Security update

 	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
--- a/2
+++ b/2
@ -1 +1 @@
-2.1.6
+2.1.7
 @ -1 +1 @@
 .1.6
 .1.7