RELEASE-NOTES: 7.62.0
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b86d92d..4cdab8d 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -4,7 +4,7 @@
  Command line options:         219
  curl_easy_setopt() options:   261
  Public functions in libcurl:  80
- Contributors:                 1787
+ Contributors:                 1808
 
 This release includes the following changes:
 
@@ -21,6 +21,9 @@
 
 This release includes the following bugfixes:
 
+ o CVE-2018-16839: SASL password overflow via integer overflow [107]
+ o CVE-2018-16840: use-after-free in handle close [108]
+ o CVE-2018-16842: warning message out-of-buffer read [114]
  o CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated [5]
  o Curl_dedotdotify(): always nul terminate returned string [46]
  o Curl_follow: Always free the passed new URL [87]
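Review bot: The three added CVE lines sit above CURLOPT_DNS_USE_GLOBAL_CACHE, outside the alphabetical ordering the rest of the bugfix list follows, and the CVE-2018-16840 and CVE-2018-16842 entries name no component ("handle close", "warning message") the way the neighbouring entries do with a prefix. If the top placement is deliberate for visibility, keep it, but consider adding the affected component to each description so that a reader triaging the release can tell which part of the code each advisory concerns without following [107], [108] and [114].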
@@ -40,6 +43,7 @@
  o checksrc: handle zero scoped ignore commands [62]
  o cmake: Backport to work with CMake 3.0 again [55]
  o cmake: Improve config installation [60]
+ o cmake: add support for transitive ZLIB target [113]
  o cmake: disable -Wpedantic-ms-format [84]
  o cmake: don't require OpenSSL if USE_OPENSSL=OFF [35]
  o cmake: fixed path used in generation of docs/tests [56]
@@ -88,6 +92,7 @@
  o lib: fix gcc8 warning on Windows [20]
  o memory: add missing curl_printf header [30]
  o memory: ensure to check allocation results [68]
+ o multi: Fix error handling in the SENDPROTOCONNECT state [112]
  o multi: fix memory leak in content encoding related error path [59]
  o multi: make the closure handle "inherit" CURLOPT_NOSIGNAL [90]
  o netrc: free temporary strings if memory allocation fails [103]
@@ -104,6 +109,7 @@
  o openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer [6]
  o openssl: show "proper" version number for libressl builds [28]
  o pipelining: deprecated [1]
+ o rand: add comment to skip a clang-tidy false positive
  o rtmp: fix for compiling with lwIP [100]
  o runtests: ignore disabled even when ranges are given [74]
  o runtests: skip ld_preload tests on macOS [80]
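Review bot: The added "rand: add comment to skip a clang-tidy false positive" entry carries no [N] reference, while the entries around it in this hunk (pipelining [1], rtmp [100], runtests [74] and [80]) all do. If an issue or pull request is behind it, add the reference number and the matching URL line at the bottom of the file; if it was a direct commit with no tracker entry, it can stay as is.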
@@ -112,21 +118,27 @@
  o sendf: Fix whitespace in infof/failf concatenation [26]
  o ssh: free the session on init failures [96]
  o ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code [6]
+ o system.h: use proper setting with Sun C++ as well [109]
  o test1299: use single quotes around asterisk [72]
  o test1452: mark as flaky [2]
+ o test1651: unit test Curl_extract_certinfo() [110]
  o test320: strip out more HTML when comparing [66]
  o tests/negtelnetserver.py: fix Python2-ism in neg TELNET server [67]
  o tests: add unit tests for url.c [3]
  o timeval: fix use of weak symbol clock_gettime() on Apple platforms [61]
  o tool_cb_hdr: handle failure of rename() [94]
+ o travis: add a "make tidy" build that runs clang-tidy [105]
  o travis: add build for "configure --disable-verbose" [93]
  o travis: bump the Secure Transport build to use xcode [58]
  o travis: make distcheck scan for BOM markers [86]
+ o unit1300: fix stack-use-after-scope AddressSanitizer warning [106]
  o urldata: Fix "connecting" comment
  o urlglob: improve error message on bad globs [22]
  o vtls: fix ssl version "or later" behavior change for many backends [38]
  o x509asn1: Fix SAN IP address verification [88]
+ o x509asn1: always check return code from getASN1Element() [110]
  o x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert [6]
+ o x509asn1: suppress left shift on signed value [111]
 
 This release includes the following known bugs:
 
@@ -135,18 +147,18 @@
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Alexey Eremikhin, Brad King, Christian Heimes, Colin Hogben,
+  Alexey Eremikhin, Brad King, Brian Carpenter, Christian Heimes, Colin Hogben,
   Daniel Gustafsson, Daniel Shahaf, Daniel Stenberg, Dario Weißer,
   Dave Reisner, Dima Pasechnik, Dmitry Kostjuchenko, Doron Behar,
-  Eason-Yu on github, Erik Minekus, Even Rouault, Gisle Vanem,
-  Github user @jakirkham, Han Han, Harry Sintonen, Jean Fabrice, Jim Fuller,
-  Kamil Dudka, Loganaden Velvindron, Marcel Raad, Marc Hörsken, Martin Ankerl,
+  Eason-Yu on github, Erik Minekus, Even Rouault, Gisle Vanem, Han Han,
+  Harry Sintonen, jakirkham on github, Jean Fabrice, Jim Fuller, Kamil Dudka,
+  Loganaden Velvindron, Marcel Raad, Marc Hörsken, Martin Ankerl,
   Matthew Whitehead, Max Dymond, Maxime Legros, Michael Kaufmann, Nate Prewitt,
-  Nicklas Avén, Nick Zitzmann, Philipp Waehnert, Rainer Jung, Ray Satiro,
-  Rich Turner, Rick Deist, Ricky-Tigg on github, Rikard Falkeborn,
-  Ruslan Baratov, Sergei Nikulov, Shaun Jackman, Thomas Glanzmann,
+  Nicklas Avén, Nick Zitzmann, Patrick Monnerat, Philipp Waehnert, Rainer Jung,
+  Ray Satiro, Rich Turner, Rick Deist, Ricky-Tigg on github, Rikard Falkeborn,
+  Ruslan Baratov, Sergei Nikulov, Shaun Jackman, Thomas Glanzmann, Tuomo Rinne,
   Viktor Szakats, Yiming Jing,
-  (46 contributors)
+  (49 contributors)
 
         Thanks! (and sorry if I forgot to mention someone)
 
@@ -256,3 +268,13 @@
  [102] = https://curl.haxx.se/bug/?i=3166
  [103] = https://curl.haxx.se/bug/?i=3122
  [104] = https://curl.haxx.se/bug/?i=3162
+ [105] = https://curl.haxx.se/bug/?i=3182
+ [106] = https://curl.haxx.se/bug/?i=3182
+ [107] = https://curl.haxx.se/docs/CVE-2018-16839.html
+ [108] = https://curl.haxx.se/docs/CVE-2018-16840.html
+ [109] = https://curl.haxx.se/bug/?i=3181
+ [110] = https://curl.haxx.se/bug/?i=3163
+ [111] = https://curl.haxx.se/bug/?i=3163
+ [112] = https://curl.haxx.se/bug/?i=3170
+ [113] = https://curl.haxx.se/bug/?i=3123
+ [114] = https://curl.haxx.se/docs/CVE-2018-16842.html
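Review bot: References [105] and [106] both resolve to ?i=3182, and [110] and [111] both resolve to ?i=3163, so two pairs of numbers point at the same page. Elsewhere in this patch a single number is reused for two entries ([110] on both the test1651 line and the x509asn1 return-code check), so the travis "make tidy" and unit1300 entries could share one number and the x509asn1 left-shift entry could use [110], which would drop two lines here. It is also worth confirming that 3182 is the intended target for both the clang-tidy build and the unit1300 AddressSanitizer fix, and not a copy of the line above.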