RELEASE-NOTES: synced with 70f71bb99f7ed9
Synced and prepared for 7.24.0 release. Two security problems, one bug fix,
two more contributors.
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index af4f2c4..62f12e5 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -7,6 +7,13 @@
Known libcurl bindings: 39
Contributors: 907
+This release includes the following security fixes:
+
+ o curl was vulnerable to a data injection attack for certain protocols
+ http://curl.haxx.se/docs/adv_20120124.html
+ o curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
+ http://curl.haxx.se/docs/adv_20120124B.html
+
This release includes the following changes:
o CURLOPT_QUOTE: SFTP supports the '*'-prefix now [24]
@@ -71,6 +78,7 @@
o polarssl: havege_rand is not present in version 1.1.0 WARNING, we still
use the old API which is said to be insecure. See
http://polarssl.org/trac/wiki/SecurityAdvisory201102
+ o gnutls: enforced use of SSLv3 [43]
This release includes the following known bugs:
@@ -86,7 +94,8 @@
Alessandro Ghedini, Cedric Deltheil, Toni Moreno, Bernhard Reutner-Fischer,
Sven Wegener, Alex Vinnik, Kamil Dudka, Mamoru Tasaka, Patrice Guerin,
Armel Asselin, Arthur Murray, Steve H Truong, Peter Sylvester,
- Johannes Bauer, Brandon Wang, Pierre Joye, Robert Schumann
+ Johannes Bauer, Brandon Wang, Pierre Joye, Robert Schumann,
+ Christian Grothoff, Nikos Mavrogiannopoulos
Thanks! (and sorry if I forgot to mention someone)
@@ -134,3 +143,4 @@
[40] = http://curl.haxx.se/mail/lib-2012-01/0096.html
[41] = http://curl.haxx.se/mail/lib-2012-01/0049.html
[42] = http://curl.haxx.se/bug/view.cgi?id=3474308
+ [43] = http://curl.haxx.se/mail/lib-2012-01/0225.html
