aboutsummaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS12
1 files changed, 11 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 3ef9162..a6617a1 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,8 @@ Version 2.20
16882, 16885, 16888, 16890, 16912, 16915, 16916, 16917, 16918, 16922,
16927, 16928, 16932, 16943, 16958, 16965, 16966, 16967, 16977, 16978,
16984, 16990, 16996, 17009, 17022, 17031, 17042, 17048, 17050, 17058,
- 17061, 17062, 17069, 17075, 17079, 17084, 17086, 17092, 17097, 17125.
+ 17061, 17062, 17069, 17075, 17079, 17084, 17086, 17092, 17097, 17125,
+ 17137.
* Optimized strchr implementation for AArch64. Contributed by ARM Ltd.
@@ -70,6 +71,15 @@ Version 2.20
On configurations that support it (all Linux configurations), it's now
used regardless of the --enable-add-ons switch to configure. It is no
longer possible to build such configurations without pthreads support.
+
+* Locale names, including those obtained from environment variables (LANG
+ and the LC_* variables), are more tightly checked for proper syntax.
+ setlocale will now fail (with EINVAL) for locale names that are overly
+ long, contain slashes without starting with a slash, or contain ".." path
+ components. (CVE-2014-0475) Previously, some valid locale names were
+ silently replaced with the "C" locale when running in AT_SECURE mode
+ (e.g., in a SUID program). This is no longer necessary because of the
+ additional checks.
Version 2.19