aboutsummaryrefslogtreecommitdiff
path: root/CHANGES
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2005-10-13 08:19:09 +0000
committerDaniel Stenberg <daniel@haxx.se>2005-10-13 08:19:09 +0000
commit96cec4dfd7daa3ff87bad2140f28745d8417581e (patch)
tree90ee322914c9fd4c7fc983236928a323e44a8e10 /CHANGES
parent943aea62679fb9f2d6d7abe59b5edcba21490c52 (diff)
7.15.0 time
Diffstat (limited to 'CHANGES')
-rw-r--r--CHANGES16
1 files changed, 16 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 189df7fea..8d2017e5c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,22 @@
+Version 7.15.0 (13 October 2005)
+
+Daniel (12 October 2005)
+- Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM
+ code that would overflow a buffer if given a too long user name or domain
+ name. This would happen if you enable NTLM authentication and either
+
+ A - pass in a user name and domain name to libcurl that together are longer
+ than 192 bytes
+
+ B - allow (lib)curl to follow HTTP "redirects" (Location: and the
+ appropriate HTTP 30x response code) and the new URL contains a URL with
+ a user name and domain name that together are longer than 192 bytes
+
+ See http://curl.haxx.se/docs/security.html for further details and updates
+
Daniel (5 October 2005)
- Darryl House reported a problem with using -z to download files from FTP.
It turned out that if the given time stamp was exact the same as the remote