author | Daniel Stenberg <daniel@haxx.se> | 2009-03-02 23:05:31 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2009-03-02 23:05:31 +0000 |
commit | 042cc1f69ec0878f542667cb684378869f859911 (patch) | |
tree | c906f85632eb6018fadb153a4c5cdd2fe48072a5 /RELEASE-NOTES | |
parent | 90b804d3fa74e9d4fe260c889e9ccebdb7aaa3b1 (diff) |
- David Kierznowski notified us about a security flaw
(http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
which previous libcurl versions (by design) can be tricked to access an
arbitrary local/different file instead of a remote one when
CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
together with the addition of two new setopt options for controlling this
new behavior:
o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
excludes the FILE and SCP protocols and thus you need to explicitly allow
them in your app if you really want that behavior.
o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
using the primary URL option. This is useful if you want to allow a user or
other outsiders control what URL to pass to libcurl and yet not allow all
protocols libcurl may have been built to support.
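The allow-list that the two options express, as an added example rather than libcurl's own code: a constructed bitmask model using the defaults the message states, so that the same Location: value passes the primary-URL list but is refused by the redirect list. The PROTO_* bits, DEFAULT_* macros and function names are assumptions made here for illustration.

```c
/* Added example: a stand-alone model of the allow-list check that
 * CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS express. The PROTO_*
 * bits and function names are constructed here; they are not libcurl's. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* One bit per protocol, in the spirit of a CURLPROTO_* style bitmask. */
enum {
    PROTO_HTTP = 1 << 0, PROTO_HTTPS = 1 << 1, PROTO_FTP = 1 << 2,
    PROTO_SCP  = 1 << 3, PROTO_FILE  = 1 << 4,
    PROTO_ALL  = PROTO_HTTP | PROTO_HTTPS | PROTO_FTP | PROTO_SCP | PROTO_FILE
};

/* Defaults as the commit message describes them: the primary URL may use any
 * supported protocol, but redirects exclude FILE and SCP unless re-enabled. */
#define DEFAULT_PROTOCOLS       PROTO_ALL
#define DEFAULT_REDIR_PROTOCOLS (PROTO_ALL & ~(PROTO_FILE | PROTO_SCP))

/* Case-insensitive "url starts with scheme" (scheme given in lowercase). */
static bool has_scheme(const char *url, const char *scheme)
{
    for (; *scheme; url++, scheme++)
        if (!*url || tolower((unsigned char)*url) != *scheme)
            return false;
    return true;
}

/* Map a URL's scheme to its protocol bit; 0 means unknown scheme. */
unsigned scheme_bit(const char *url)
{
    static const struct { const char *scheme; unsigned bit; } table[] = {
        { "http://", PROTO_HTTP }, { "https://", PROTO_HTTPS },
        { "ftp://",  PROTO_FTP },  { "scp://",   PROTO_SCP },
        { "file://", PROTO_FILE },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (has_scheme(url, table[i].scheme))
            return table[i].bit;
    return 0;
}

/* True if the URL's protocol is in the allow-list. An unknown scheme is
 * refused rather than passed through, so the list can only shrink access. */
bool protocol_allowed(const char *url, unsigned allowed)
{
    unsigned bit = scheme_bit(url);
    return bit != 0 && (allowed & bit) != 0;
}
```

A redirect target is checked against DEFAULT_REDIR_PROTOCOLS, never against the primary list, which is what makes a file:// or scp:// Location: value fail by default while the same URL given directly as the primary URL is still accepted.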
Diffstat (limited to 'RELEASE-NOTES')
-rw-r--r-- | RELEASE-NOTES | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 0027eebc5..71525341a 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -2,11 +2,16 @@ Curl and libcurl 7.19.4 Public curl releases: 110 Command line options: 132 - curl_easy_setopt() options: 161 + curl_easy_setopt() options: 163 Public functions in libcurl: 58 Known libcurl bindings: 38 Contributors: 700 +This release includes the following security-related fix: + + o CVE-2009-0037 with the curl advisory here: + http://curl.haxx.se/docs/adv_20090303.html + This release includes the following changes: o Added CURLOPT_NOPROXY and the corresponding --noproxy @@ -24,6 +29,7 @@ This release includes the following changes: o CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry the CWD even when MKD fails o GnuTLS initing moved to curl_global_init() + o Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS This release includes the following bugfixes: @@ -59,6 +65,6 @@ advice from friends like these: Patrick Scott, Hidemoto Nakada, Jocelyn Jaubert, Andre Guibert de Bruet, Kamil Dudka, Patrik Thunstrom, Linus Nielsen Feltzing, Mark Incley, Daniel Johnson, James Cheng, Brian J. Murrell, Senthil Raja Velu, - Markus Koetter + Markus Koetter, David Kierznowski, Michal Marek Thanks! (and sorry if I forgot to mention someone) |
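Review bot: in the first hunk, the new "security-related fix" entry names only the CVE and the advisory URL; a one-line summary of the flaw, taken from the commit message, would let RELEASE-NOTES readers judge their exposure without following the link, e.g. `o CVE-2009-0037: with CURLOPT_FOLLOWLOCATION enabled, a redirect could make libcurl read an arbitrary local or different file`. The curl_easy_setopt() count bump from 161 to 163 does match the two options added in this change.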
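Review bot: in the second hunk, `o Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS` presents a default-behaviour change as a plain addition; since redirects to FILE and SCP are now refused unless the application allows them, the entry should say so, e.g. `o Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS; redirects to FILE and SCP URLs now require explicit opt-in`, so applications relying on the old behaviour know they must re-enable those protocols.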