This update for libressl to version 2.5.1 fixes the following issues:
These security issues were fixed:
- CVE-2016-0702: Prevent side channel attack on modular exponentiation (boo#968050).
- CVE-2016-7056: Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing (boo#1019334).
These non-security issues were fixed:
- Detect zero-length encrypted session data early
- Curve25519 Key Exchange support.
- Support for alternate chains for certificate verification.
- Added EVP interface for MD5+SHA1 hashes
- Fixed DTLS client failures when the server sends a certificate request.
- Corrected handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection.
- Allowed protocols and ciphers to be set on a TLS config object in libtls.
- Submitted by Jan Engelhardt (jengelh)