mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-02-17 14:59:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

mention today's fixes

Browse Source
This commit is contained in:
Daniel Stenberg 2006-03-20 22:25:14 +00:00
parent 97181b5c0d
commit 18081e30e1
2 changed files with 31 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
CHANGES
View File

@ -6,8 +6,35 @@
Changelog
Daniel (20 March 2006)
- Dan Fandrich fixed two TFTP problems: Fixed a bug whereby a received file
whose length was a multiple of 512 bytes could have random garbage
appended. Also, stop processing TFTP packets which are too short to be
legal.
- Ilja van Sprundel reported a possible crash in the curl tool when using
"curl hostwithoutslash -d data -G"
Version 7.15.3 (20 March 2006)
Daniel (20 March 2006)
- VULNERABILITY reported to us by Ulf Harnhammar.
libcurl uses the given file part of a TFTP URL in a manner that allows a
malicious user to overflow a heap-based memory buffer due to the lack of
boundary check.
This overflow happens if you pass in a URL with a TFTP protocol prefix
("tftp://"), using a valid host and a path part that is longer than 512
bytes.
The affected flaw can be triggered by a redirect, if curl/libcurl is told to
follow redirects and an HTTP server points the client to a tftp URL with the
characteristics described above.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2006-1061 to this issue.
Daniel (16 March 2006)
- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included
in the release archive.

7
RELEASE-NOTES
View File

@ -7,7 +7,7 @@ Curl and libcurl 7.15.4
Number of public functions in libcurl: 46
Amount of public web site mirrors: 31
Number of known libcurl bindings: 32
Number of contributors: 487
Number of contributors: 492
This release includes the following changes:
@ -15,7 +15,8 @@ This release includes the following changes:
This release includes the following bugfixes:
o
o TFTP transfers could trash data
o -d + -G combo crash
Other curl-related news since the previous public release:
@ -24,6 +25,6 @@ Other curl-related news since the previous public release:
This release would not have looked like this without help, code, reports and
advice from friends like these:
Dan Fandrich, Ilja van Sprundel
Thanks! (and sorry if I forgot to mention someone)