- Johan van Selst found and fixed a OpenSSL session ref count leak:

  ossl_connect_step3() increments an SSL session handle reference counter on
  each call. When sessions are re-used this reference counter may be
  incremented many times, but it will be decremented only once when done (by
  Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
  if this reference count remains positive. When a session is re-used the
  reference counter should be corrected by explicitly calling
  SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
  introducing a memory leak.

  (http://curl.haxx.se/bug/view.cgi?id=2926284)

1 files changed, 3 insertions, 1 deletions

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index f2ed8c060..eab8e4216 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -42,6 +42,7 @@ This release includes the following bugfixes:
  o header include fix for FreeBSD versions before v8
  o fragment part of URLs are no longer sent to the server
  o progress callback called repeatedly with c-ares for resolving
+ o OpenSSL session id ref count leak
 
 This release includes the following known bugs:
 
@@ -54,6 +55,7 @@ advice from friends like these:
  Marco Maggi, Camille Moncelier, Claes Jakobsson, Kevin Baughman,
  Marc Kleine-Budde, Jad Chamcham, Bjorn Augustsson, David Byron,
  Markus Koetter, Chad Monroe, Martin Storsjo, Siegfried Gyuricsko,
- Jon Nelson, Julien Chaffraix, Renato Botelho, Peter Pentchev, Ingmar Runge
+ Jon Nelson, Julien Chaffraix, Renato Botelho, Peter Pentchev, Ingmar Runge,
+ Johan van Selst
 
         Thanks! (and sorry if I forgot to mention someone)