[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
libidn security update
From: |
Leo Famulari |
Subject: |
libidn security update |
Date: |
Fri, 2 Sep 2016 02:40:33 -0400 |
User-agent: |
Mutt/1.7.0 (2016-08-17) |
The last release of libidn, 1.33, fixed this bugs:
https://security-tracker.debian.org/tracker/CVE-2015-8948
https://security-tracker.debian.org/tracker/CVE-2016-6261
https://security-tracker.debian.org/tracker/CVE-2016-6263
We already have libidn 1.33 on core-updates.
Quoted from the release announcment [0]:
** libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
See tests/tst_toascii64oob.c for regression check (and the comment in
it how to use it). Reported by Hanno Böck <address@hidden>.
** idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline. Reported by Hanno Böck <address@hidden>.
** libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8.
It was always documented to only accept UTF-8 data, but now it doesn't
crash when presented with such data. Reported by Hanno Böck.
** Dropped valgrind suppressions file, should no longer be needed.
** API and ABI is backwards compatible with the previous version.
[0]
https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html
signature.asc
Description: PGP signature
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- libidn security update,
Leo Famulari <=