From 63b80068976fbc5460c284aef0e6560abcf13e68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sat, 12 Jan 2019 17:38:40 +0100 Subject: New upstream version 0.9.1 --- ChangeLog | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 3a05e7e..420320d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -2,16 +2,41 @@ NOTE: uriparser is looking for help with a few things: https://github.com/uriparser/uriparser/labels/help%20wanted If you can help, please get in touch. Thanks! +2019-01-02 -- 0.9.1 + +>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * Fixed: + Out-of-bounds read in uriParse*Ex* for incomplete URIs with IPv6 + addresses with embedded IPv4 address, e.g. "//[::44.1"; + mitigated if passed parameter points to readable memory + containing a '\0' byte. + Thanks to Joergen Ibsen for the report! +>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * Fixed: When parsing a malformed URI with an IPvFuture address + (e.g. "http://[vA.123456" missing "]"), errorPos would point to the first + character after "v" than the actual position of the error (here: the end + of the string) + * Fixed: uriToStringCharsRequired* reported 1 more byte than actually needed + for IPv4 address URIs (GitHub #41); Thanks to @gyh007 for the patch! + * Fixed: Compilation with MinGW + Thanks to Sandro Mani for the patch! + * Fixed: Drop use of asprintf from the test suite for MinGW (GitHub #40) + * Improved: For parse errors, waterproof errorPos <= afterLast + * Soname: 1:24:0 + 2018-10-27 -- 0.9.0 >>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - * Fixed: Out-of-bounds write in uriComposeQuery* and uriComposeQueryEx* + * Fixed: [CVE-2018-19198] + Out-of-bounds write in uriComposeQuery* and uriComposeQueryEx* Commit 864f5d4c127def386dd5cc926ad96934b297f04e Thanks to Google Autofuzz team for the report! - * Fixed: Detect integer overflow in uriComposeQuery* and uriComposeQueryEx* + * Fixed: [CVE-2018-19199] + Detect integer overflow in uriComposeQuery* and uriComposeQueryEx* Commit f76275d4a91b28d687250525d3a0c5509bbd666f Thanks to Google Autofuzz team for the report! 
- * Fixed: Protect uriResetUri* against acting on NULL input + * Fixed: [CVE-2018-19200] + Protect uriResetUri* against acting on NULL input Commit f58c25069cf4a986fe17a80c5b38687e31feb539 >>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> * Fixed: Be fully compliant to C89 (Gitub #28) and C++98 in test code -- cgit v1.2.3
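Review bot: The new 0.9.1 SECURITY entry (out-of-bounds read in uriParse*Ex* for incomplete URIs such as "//[::44.1") carries neither a fix commit reference nor a CVE tag, while the 0.9.0 entries that this same hunk touches have a "Commit ..." line and gain "[CVE-2018-19198]", "[CVE-2018-19199]" and "[CVE-2018-19200]". Suggest adding a "Commit <hash>" line to the new entry, plus a CVE tag if one has been assigned, so that packagers can map the advisory to a change they can backport. The clause "mitigated if passed parameter points to readable memory containing a '\0' byte" would also be clearer if it named which parameter is meant and what the mitigation amounts to for callers that use the length-delimited Ex variants. Two wording nits in the non-security items: "would point to the first character after "v" than the actual position" needs "rather than", and "waterproof errorPos <= afterLast" would read better as a plain statement that errorPos <= afterLast is now guaranteed for parse errors.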