LibreSSL 2.9.1 Available

The LibreSSL project is focused on high-quality support for the SSL/TLS protocols with the removal of unnecessary functionality.
22 April 2019

The OpenBSD project developers have released the portable edition of LibreSSL 2.9.1, the OpenSSL fork developed with the aim of providing a higher level of security. The LibreSSL project focuses on high-quality support for the SSL/TLS protocols, removing unnecessary functionality, adding security features, and extensively cleaning up and reworking the code base. LibreSSL 2.9.1 is considered an experimental release in which the capabilities that will be included in OpenBSD 6.5 are being developed.

These are some of the updates and new features:

  • Added SM3 hash function (Chinese standard GB/T 32905-2016);
  • Added block cipher SM4 (Chinese standard GB/T 32907-2016);
  • Added OPENSSL_NO_* macros to improve compatibility with OpenSSL;
  • The EC_KEY_METHOD method is partially ported from OpenSSL;
  • Implemented missing OpenSSL 1.1 API calls;
  • Added support for XChaCha20 and XChaCha20-Poly1305.

More information is available in the copy of the announcement email.

Two Vulnerabilities Found in SDL

Two of six serious vulnerabilities in this cross-platform multimedia library create conditions for remote code execution.
04 July 2019

Six vulnerabilities have been found in the SDL (Simple DirectMedia Layer) set of libraries, which provides tools for hardware-accelerated 2D and 3D graphics rendering, input processing, audio playback, 3D output via OpenGL / OpenGL ES, and many other related operations. Among them, two problems discovered in the SDL2_image library allow remote code execution on the system. Applications that use SDL to load images are exposed to attack.

Both vulnerabilities (CVE-2019-5051, CVE-2019-5051) are present in the IMG_LoadPCX_RW function and are caused by a missing error handler and an integer overflow that can be exploited through a specially crafted PCX file. The issues have already been fixed in the SDL_image 2.0.5 release. Information about the remaining 4 vulnerabilities has not yet been disclosed.

The vulnerabilities were found by Talos; more information is available on their website.
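
The bug class named above (size arithmetic on attacker-controlled PCX header fields with no error path) can be closed off by validating the header before any buffer is allocated. The following is an added illustration, not SDL_image's code and not a reconstruction of the specific flaws, which this article does not detail; the function names and the `PCX_MAX_BYTES` cap are assumptions, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCX_HEADER_LEN 128
#define PCX_MAX_BYTES (256u * 1024u * 1024u) /* assumed policy cap, not an SDL value */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate a PCX header and compute the decoded buffer size.
 * Returns 0 and sets *out on success, -1 on any rejected field. */
int pcx_decoded_size(const uint8_t *hdr, size_t len, size_t *out)
{
    if (!hdr || !out || len < PCX_HEADER_LEN) return -1;
    if (hdr[0] != 0x0A) return -1;                       /* manufacturer byte */
    uint8_t bpp = hdr[3], planes = hdr[65];
    if (bpp != 1 && bpp != 2 && bpp != 4 && bpp != 8) return -1;
    if (planes < 1 || planes > 4) return -1;
    uint16_t xmin = le16(hdr + 4), ymin = le16(hdr + 6);
    uint16_t xmax = le16(hdr + 8), ymax = le16(hdr + 10);
    if (xmax < xmin || ymax < ymin) return -1;           /* would wrap width/height */
    uint32_t width = (uint32_t)(xmax - xmin) + 1;
    uint32_t height = (uint32_t)(ymax - ymin) + 1;
    uint32_t bpl = le16(hdr + 66);                       /* bytes per line, per plane */
    if (bpl < (width * bpp + 7) / 8) return -1;          /* line too short for width */
    uint64_t total = (uint64_t)bpl * planes * height;    /* 64-bit: cannot wrap */
    if (total > PCX_MAX_BYTES) return -1;
    *out = (size_t)total;
    return 0;
}

/* Constructed sample header (not a real file): only the fields checked above. */
void pcx_sample(uint8_t *h, uint16_t xmax, uint16_t ymax, uint8_t bpp, uint8_t planes, uint16_t bpl)
{
    memset(h, 0, PCX_HEADER_LEN);
    h[0] = 0x0A; h[3] = bpp; h[65] = planes;
    h[8] = xmax & 0xFF; h[9] = xmax >> 8; h[10] = ymax & 0xFF; h[11] = ymax >> 8;
    h[66] = bpl & 0xFF; h[67] = bpl >> 8;
}

int main(void)
{
    uint8_t h[PCX_HEADER_LEN]; size_t n = 0;
    pcx_sample(h, 639, 479, 8, 1, 640);
    printf("640x480: rc=%d size=%zu\n", pcx_decoded_size(h, sizeof h, &n), n);
    pcx_sample(h, 65535, 65535, 1, 4, 65535);
    printf("oversized: rc=%d\n", pcx_decoded_size(h, sizeof h, &n));
    return 0;
}
```

Every rejected field returns an error to the caller, so the decoder never reaches allocation or copying with an unchecked size.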