From 042cc1f69ec0878f542667cb684378869f859911 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 2 Mar 2009 23:05:31 +0000
Subject: - David Kierznowski notified us about a security flaw  
 (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in  
 which previous libcurl versions (by design) can be tricked to access an  
 arbitrary local/different file instead of a remote one when  
 CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release  
 together this the addition of two new setopt options for controlling this  
 new behavior:

  o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
  follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
  excludes the FILE and SCP protocols and thus you nee to explicitly allow
  them in your app if you really want that behavior.

  o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
  using the primary URL option. This is useful if you want to allow a user or
  other outsiders control what URL to pass to libcurl and yet not allow all
  protocols libcurl may have been built to support.
---
 RELEASE-NOTES | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'RELEASE-NOTES')

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 0027eebc5..71525341a 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -2,11 +2,16 @@ Curl and libcurl 7.19.4
 
  Public curl releases:         110
  Command line options:         132
- curl_easy_setopt() options:   161
+ curl_easy_setopt() options:   163
  Public functions in libcurl:  58
  Known libcurl bindings:       38
  Contributors:                 700
 
+This release includes the following security-related fix:
+
+ o CVE-2009-0037 with the curl advisory here:
+   http://curl.haxx.se/docs/adv_20090303.html
+
 This release includes the following changes:
 
  o Added CURLOPT_NOPROXY and the corresponding --noproxy
@@ -24,6 +29,7 @@ This release includes the following changes:
  o CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry the CWD even
    when MKD fails
  o GnuTLS initing moved to curl_global_init()
+ o Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS
 
 This release includes the following bugfixes:
 
@@ -59,6 +65,6 @@ advice from friends like these:
  Patrick Scott, Hidemoto Nakada, Jocelyn Jaubert, Andre Guibert de Bruet,
  Kamil Dudka, Patrik Thunstrom, Linus Nielsen Feltzing, Mark Incley,
  Daniel Johnson, James Cheng, Brian J. Murrell, Senthil Raja Velu,
- Markus Koetter
+ Markus Koetter, David Kierznowski, Michal Marek
 
         Thanks! (and sorry if I forgot to mention someone)
-- 
cgit v1.2.3