cURL / Mailing Lists / curl-library / Single Mail

curl-library

An alert on the upcoming 7.51.0 release

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 19 Oct 2016 00:30:38 +0200 (CEST)

Hi friends,

In two weeks time, on Wednesday November 2nd, we will release curl and libcurl
7.51.0 unless something earth shattering happens.

This release will bundle no less than _eleven_ security advisories and their
associated fixes (unless we get more reported in the time we have left). Each
individual security issue will be documented in detail in their own advisories
as usual and sent out as separate emails and get documented on the curl web
site. Chances are big several of these affects your use of curl.

We have never before handled anywhere close to this many security problems in
a single release. We have notified both Apple and distros_at_openwall so the
major distributions should be aware of what's coming.

Merging eleven previously non-disclosed branches into master just before a
release is not ideal but done so to minimize the security impact on existing
users when the problems get known. My plan is to merge them all into master
and push around 48 hours before release, watch the autobuilds closesly, have a
few extra coverity scans done and then fix up what's found before the release.

I will also prepare to do a follow-up patch release within the following week
if we find serious enough problems in the shipped product.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-10-19