From 196677150f711a96c38ed123e621f1d4e995b2e5 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 29 Oct 2018 08:35:51 +0100 Subject: RELEASE-NOTES: 7.62.0 --- RELEASE-NOTES | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index b86d92d66..4cdab8d13 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -4,7 +4,7 @@ Curl and libcurl 7.62.0 Command line options: 219 curl_easy_setopt() options: 261 Public functions in libcurl: 80 - Contributors: 1787 + Contributors: 1808 This release includes the following changes: @@ -21,6 +21,9 @@ This release includes the following changes: This release includes the following bugfixes: + o CVE-2018-16839: SASL password overflow via integer overflow [107] + o CVE-2018-16840: use-after-free in handle close [108] + o CVE-2018-16842: warning message out-of-buffer read [114] o CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated [5] o Curl_dedotdotify(): always nul terminate returned string [46] o Curl_follow: Always free the passed new URL [87] @@ -40,6 +43,7 @@ This release includes the following bugfixes: o checksrc: handle zero scoped ignore commands [62] o cmake: Backport to work with CMake 3.0 again [55] o cmake: Improve config installation [60] + o cmake: add support for transitive ZLIB target [113] o cmake: disable -Wpedantic-ms-format [84] o cmake: don't require OpenSSL if USE_OPENSSL=OFF [35] o cmake: fixed path used in generation of docs/tests [56] @@ -88,6 +92,7 @@ This release includes the following bugfixes: o lib: fix gcc8 warning on Windows [20] o memory: add missing curl_printf header [30] o memory: ensure to check allocation results [68] + o multi: Fix error handling in the SENDPROTOCONNECT state [112] o multi: fix memory leak in content encoding related error path [59] o multi: make the closure handle "inherit" CURLOPT_NOSIGNAL [90] o netrc: free temporary strings if memory allocation fails [103] 
@@ -104,6 +109,7 @@ This release includes the following bugfixes: o openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer [6] o openssl: show "proper" version number for libressl builds [28] o pipelining: deprecated [1] + o rand: add comment to skip a clang-tidy false positive o rtmp: fix for compiling with lwIP [100] o runtests: ignore disabled even when ranges are given [74] o runtests: skip ld_preload tests on macOS [80] @@ -112,21 +118,27 @@ This release includes the following bugfixes: o sendf: Fix whitespace in infof/failf concatenation [26] o ssh: free the session on init failures [96] o ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code [6] + o system.h: use proper setting with Sun C++ as well [109] o test1299: use single quotes around asterisk [72] o test1452: mark as flaky [2] + o test1651: unit test Curl_extract_certinfo() [110] o test320: strip out more HTML when comparing [66] o tests/negtelnetserver.py: fix Python2-ism in neg TELNET server [67] o tests: add unit tests for url.c [3] o timeval: fix use of weak symbol clock_gettime() on Apple platforms [61] o tool_cb_hdr: handle failure of rename() [94] + o travis: add a "make tidy" build that runs clang-tidy [105] o travis: add build for "configure --disable-verbose" [93] o travis: bump the Secure Transport build to use xcode [58] o travis: make distcheck scan for BOM markers [86] + o unit1300: fix stack-use-after-scope AddressSanitizer warning [106] o urldata: Fix "connecting" comment o urlglob: improve error message on bad globs [22] o vtls: fix ssl version "or later" behavior change for many backends [38] o x509asn1: Fix SAN IP address verification [88] + o x509asn1: always check return code from getASN1Element() [110] o x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert [6] + o x509asn1: suppress left shift on signed value [111] This release includes the following known bugs: 
@@ -135,18 +147,18 @@ This release includes the following known bugs: This release would not have looked like this without help, code, reports and advice from friends like these: - Alexey Eremikhin, Brad King, Christian Heimes, Colin Hogben, + Alexey Eremikhin, Brad King, Brian Carpenter, Christian Heimes, Colin Hogben, Daniel Gustafsson, Daniel Shahaf, Daniel Stenberg, Dario Weißer, Dave Reisner, Dima Pasechnik, Dmitry Kostjuchenko, Doron Behar, - Eason-Yu on github, Erik Minekus, Even Rouault, Gisle Vanem, - Github user @jakirkham, Han Han, Harry Sintonen, Jean Fabrice, Jim Fuller, - Kamil Dudka, Loganaden Velvindron, Marcel Raad, Marc Hörsken, Martin Ankerl, + Eason-Yu on github, Erik Minekus, Even Rouault, Gisle Vanem, Han Han, + Harry Sintonen, jakirkham on github, Jean Fabrice, Jim Fuller, Kamil Dudka, + Loganaden Velvindron, Marcel Raad, Marc Hörsken, Martin Ankerl, Matthew Whitehead, Max Dymond, Maxime Legros, Michael Kaufmann, Nate Prewitt, - Nicklas Avén, Nick Zitzmann, Philipp Waehnert, Rainer Jung, Ray Satiro, - Rich Turner, Rick Deist, Ricky-Tigg on github, Rikard Falkeborn, - Ruslan Baratov, Sergei Nikulov, Shaun Jackman, Thomas Glanzmann, + Nicklas Avén, Nick Zitzmann, Patrick Monnerat, Philipp Waehnert, Rainer Jung, + Ray Satiro, Rich Turner, Rick Deist, Ricky-Tigg on github, Rikard Falkeborn, + Ruslan Baratov, Sergei Nikulov, Shaun Jackman, Thomas Glanzmann, Tuomo Rinne, Viktor Szakats, Yiming Jing, - (46 contributors) + (49 contributors) Thanks! (and sorry if I forgot to mention someone) 
@@ -256,3 +268,13 @@ References to bug reports and discussions on issues: [102] = https://curl.haxx.se/bug/?i=3166 [103] = https://curl.haxx.se/bug/?i=3122 [104] = https://curl.haxx.se/bug/?i=3162 + [105] = https://curl.haxx.se/bug/?i=3182 + [106] = https://curl.haxx.se/bug/?i=3182 + [107] = https://curl.haxx.se/docs/CVE-2018-16839.html + [108] = https://curl.haxx.se/docs/CVE-2018-16840.html + [109] = https://curl.haxx.se/bug/?i=3181 + [110] = https://curl.haxx.se/bug/?i=3163 + [111] = https://curl.haxx.se/bug/?i=3163 + [112] = https://curl.haxx.se/bug/?i=3170 + [113] = https://curl.haxx.se/bug/?i=3123 + [114] = https://curl.haxx.se/docs/CVE-2018-16842.html -- cgit v1.2.3
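Review bot: In the hunk at @@ -21,6 +21,9 @@, the three CVE entries do not name the affected component, unlike the neighbouring bugfix entries, which lead with one (`Curl_dedotdotify():`, `cmake:`, `multi:`). Suggest adding a component prefix after each CVE id, so a reader scanning the list can tell which part of curl or libcurl each security fix touches without following [107], [108] and [114].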
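Review bot: In the hunk at @@ -104,6 +109,7 @@, the added entry `rand: add comment to skip a clang-tidy false positive` carries no reference number, while every other entry added by this patch cites one. If an issue or pull request exists for that change, add its number here and a matching line in the references list; otherwise the entry cannot be traced back to a discussion.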
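Review bot: In the references hunk at @@ -256,3 +268,13 @@, [105] and [106] both point to https://curl.haxx.se/bug/?i=3182, and [110] and [111] both point to https://curl.haxx.se/bug/?i=3163. The patch already reuses [110] for two entries (test1651 and the x509asn1 return-code check), so the travis and unit1300 entries could share one number and the x509asn1 left-shift entry could cite [110] as well, which keeps the list free of duplicate URLs and the numbering style consistent.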