7.15.0 timecurl-7_15_0

2 files changed, 18 insertions, 1 deletions

diff --git a/CHANGES b/CHANGES
index 189df7fea..8d2017e5c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,22 @@
 
 
 
+Version 7.15.0 (13 October 2005)
+
+Daniel (12 October 2005)
+- Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM
+  code that would overflow a buffer if given a too long user name or domain
+  name. This would happen if you enable NTLM authentication and either
+
+  A - pass in a user name and domain name to libcurl that together are longer
+      than 192 bytes
+
+  B - allow (lib)curl to follow HTTP "redirects" (Location: and the
+      appropriate HTTP 30x response code) and the new URL contains a URL with
+      a user name and domain name that together are longer than 192 bytes
+
+  See http://curl.haxx.se/docs/security.html for further details and updates
+
 Daniel (5 October 2005)
 - Darryl House reported a problem with using -z to download files from FTP.
   It turned out that if the given time stamp was exact the same as the remote
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 1a3b9b8e2..5684bf3b4 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -5,7 +5,7 @@ Curl and libcurl 7.15.0
  Available command line options:           109
  Available curl_easy_setopt() options:     124
  Number of public functions in libcurl:    46
- Amount of public web site mirrors:        25
+ Amount of public web site mirrors:        24
  Number of known libcurl bindings:         32
  Number of contributors:                   451
 
@@ -16,6 +16,7 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
+ o user+domain name buffer overflow in the NTLM code (security flaw)
  o -z over FTP now considers equal timestamps "not modified since"
  o Weird characters removed from the configure script
  o Fixed time zone offsets for MEST and CEST for the time parser