Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 12 |
1 files changed, 11 insertions, 1 deletions
@@ -21,7 +21,8 @@ Version 2.20 16882, 16885, 16888, 16890, 16912, 16915, 16916, 16917, 16918, 16922, 16927, 16928, 16932, 16943, 16958, 16965, 16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031, 17042, 17048, 17050, 17058, - 17061, 17062, 17069, 17075, 17079, 17084, 17086, 17092, 17097, 17125. + 17061, 17062, 17069, 17075, 17079, 17084, 17086, 17092, 17097, 17125, + 17137. * Optimized strchr implementation for AArch64. Contributed by ARM Ltd. @@ -70,6 +71,15 @@ Version 2.20 On configurations that support it (all Linux configurations), it's now used regardless of the --enable-add-ons switch to configure. It is no longer possible to build such configurations without pthreads support. + +* Locale names, including those obtained from environment variables (LANG + and the LC_* variables), are more tightly checked for proper syntax. + setlocale will now fail (with EINVAL) for locale names that are overly + long, contain slashes without starting with a slash, or contain ".." path + components. (CVE-2014-0475) Previously, some valid locale names were + silently replaced with the "C" locale when running in AT_SECURE mode + (e.g., in a SUID program). This is no longer necessary because of the + additional checks. Version 2.19 |
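Review bot: The new NEWS entry in the second hunk leaves two of its rejection rules underspecified. "Overly long" gives no limit, and "contain slashes without starting with a slash" implies that names starting with a slash are still accepted, yet the entry does not say how such names are handled in AT_SECURE mode now that the fallback to the "C" locale is described as no longer necessary. Suggest stating the length limit (or saying that it is an internal limit) and adding a sentence on how absolute-path locale names are treated in a SUID program. If 17137, which the first hunk adds to the fixed-bug list, is the bug for this change, cite it next to "(CVE-2014-0475)" so readers can connect the two.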