summaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS38
1 files changed, 38 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 2bf0977..3fac146 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,43 @@
GNU Libtasn1 NEWS -*- outline -*-
+* Noteworthy changes in release 4.13 (released 2018-01-16) [stable]
+- On indefinite string decoding, set a maximum level of allowed recursions
+ (3) to protect the BER decoder from a stack exhaustion.
+
+* Noteworthy changes in release 4.12 (released 2017-05-29) [stable]
+- Corrected so-name version
+
+* Noteworthy changes in release 4.11 (released 2017-05-27) [stable]
+- Introduced the ASN1_TIME_ENCODING_ERROR error code to indicate
+ an invalid encoding in the DER time fields.
+- Introduced flag ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME. This flag
+ allows decoding errors in time fields even when in strict DER mode.
+ That is introduced in order to allow toleration of invalid times in
+ X.509 certificates (which are common) even though strict DER adherence
+ is enforced in other fields.
+- Added safety check in asn1_find_node(). That prevents a crash
+ when a very long variable name is provided by the developer.
+ Note that this to be exploited requires controlling the ASN.1
+ definitions used by the developer, i.e., the 'name' parameter of
+ asn1_write_value() or asn1_read_value(). The library is
+ not designed to protect against malicious manipulation of the
+ developer assigned variable names. Reported by Jakub Jirasek.
+
+* Noteworthy changes in release 4.10 (released 2017-01-16) [stable]
+- Updated gnulib
+- Removed -Werror from default compiler flags
+- Fixed undefined behavior when negating integers in _asn1_ltostr().
+ Issue found by oss-fuzz project (via gnutls):
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=388
+- Pass the correct length to _asn1_get_indefinite_length_string in
+ asn1_get_length_ber. This addresses reading 1-byte past the end
+ of data. Issue found by oss-fuzz project (via gnutls):
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=330
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=331
+
+* Noteworthy changes in release 4.9 (released 2016-07-25) [stable]
+- Fixes to OID encoding of OIDs which have elements which exceed 2^32
+
* Noteworthy changes in release 4.8 (released 2016-04-11) [stable]
- Fixes to avoid reliance on C undefined behavior.
- Fixes to avoid an infinite recursion when decoding without
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-24 09:46:49 +0000