After this ticket had been closed, I discovered that it solved a
security vulnerability.

CVE-2015-2059

Thus, I decided to change the ticket.

'''Users are advised to update to this version or, preferably,
later.''' Book now is at version 1.32.

[https://ftp.gnu.org/gnu/libidn/libidn-1.31.tar.gz]

or

[ftp://ftp.gnu.org/gnu/libidn/libidn-1.31.tar.gz]

[https://ftp.gnu.org/gnu/libidn/libidn-1.31.tar.gz.sig]

[https://lists.gnu.org/archive/html/help-libidn/2015-07/msg00011.html]

or

[http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=blob_plain;f=NEWS;hb=HEAD]

SHA1 0bb34003a0fe05a91e60d346803401f16c82a1fb libidn-1.31.tar.gz
{{{
Libidn 1.31 released
From: Simon Josefsson
Subject: Libidn 1.31 released
Date: Wed, 08 Jul 2015 23:33:00 +0200
User-agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)

GNU Libidn is a fully documented implementation of the Stringprep,
Punycode and IDNA specifications. Libidn's purpose is to encode and
decode internationalized domain name strings. There are native C, C#
and Java libraries.

Noteworthy changes since the last release (from NEWS file):

* Version 1.31 (released 2015-07-08) [beta]

** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059
This function has always been documented to not validate that the
input UTF-8 string is actually valid UTF-8. Like the rest of the API,
when you call a function that works on UTF-8 data, you have to pass it
valid UTF-8 data. Application writers appear to have difficulties
using interfaces designed like that, as bugs triggered by invalid
UTF-8 have been identified in a number of projects (jabberd2, gnutls,
wget, and curl). While we could introduce a new API to perform UTF-8
validation, so that applications can easily implement the proper
checks, this appears error-prone because there is a risk that the check
will be forgotten. Instead, we took the more radical approach of
modifying the documentation and the implementation of the API. The
intention is that all functions that accept UTF-8 data should
validate it before use. This will solve the problem for applications,
without needing to change them. This change has the unfortunate
side-effect that Surrogate codes (see section 5.5 of RFC 3454) no
longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but
instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error
code, as the gnulib/libunistring-based code that we use to test
UTF-8 compliance rejects Surrogate codes. We hope that this is an
acceptable cost to live with in order to improve application security.
We welcome feedback on this solution, and we are marking this release
as beta rather than stable to signal that we may reconsider this
approach if people disagree. Reported by several people including
Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos
Mavrogiannopoulos.

** libidn: Added STRINGPREP_ICONV_ERROR error code.

** libidn: Workaround valgrind/gcc/glibc issue.
Valgrind reported an 'Invalid read of size 4' that was caused by
optimized strlen implementation. Reported and patch by Alessandro
Ghedini <address@hidden>.

** build: Use LOG_COMPILER instead of TESTS_ENVIRONMENT to fix valgrind use.
Errors caught by valgrind did not always trigger 'make check' failures
before.

** i18n: Updated Danish translation.
Thanks to Joe Hansen.

** API and ABI is backwards compatible with the previous version.

Happy hacking,
Simon
}}}
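The up-front validation the NEWS entry above describes, as an added example that is not libidn's code: a checked UTF-8 to UCS-4 decoder of the kind an application (or the 1.31 library itself, via gnulib/libunistring) applies before any stringprep processing, so that truncated, overlong and surrogate sequences are refused instead of being decoded. The function name `utf8_to_ucs4_checked` and the sample byte strings are my own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libidn's code: a strict UTF-8 -> UCS-4 decoder that
 * refuses malformed input up front, as libidn 1.31 makes
 * stringprep_utf8_to_ucs4 do (there via gnulib/libunistring).  Returns the
 * number of code points written to out, or -1 on: stray continuation byte,
 * truncated sequence, overlong form, UTF-16 surrogate, value above U+10FFFF.
 * So a surrogate fails here, before the stringprep prohibited tables. */
long utf8_to_ucs4_checked(const unsigned char *s, size_t len,
                          uint32_t *out, size_t outmax)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t seqlen;      /* bytes in this sequence, from the lead byte */
        uint32_t cp, min;   /* decoded value; smallest value for seqlen   */
        if (c < 0x80)                { seqlen = 1; cp = c;        min = 0; }
        else if ((c & 0xE0) == 0xC0) { seqlen = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { seqlen = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { seqlen = 4; cp = c & 0x07; min = 0x10000; }
        else return -1;     /* continuation byte as lead, or 0xF8..0xFF */
        if (len - i < seqlen) return -1;               /* truncated */
        for (size_t k = 1; k < seqlen; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return -1;  /* bad continuation */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return -1;                       /* overlong form */
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;   /* surrogate */
        if (cp > 0x10FFFF) return -1;                  /* beyond Unicode */
        if (n == outmax) return -1;                    /* caller buffer full */
        out[n++] = cp;
        i += seqlen;
    }
    return (long)n;
}

int main(void)
{
    /* Constructed samples: "é" (valid), lone surrogate U+D800, overlong '/' */
    static const unsigned char ok[]  = { 0xC3, 0xA9 };
    static const unsigned char sur[] = { 0xED, 0xA0, 0x80 };
    static const unsigned char ovl[] = { 0xC0, 0xAF };
    uint32_t buf[4];
    printf("valid:     %ld\n", utf8_to_ucs4_checked(ok,  sizeof ok,  buf, 4));
    printf("surrogate: %ld\n", utf8_to_ucs4_checked(sur, sizeof sur, buf, 4));
    printf("overlong:  %ld\n", utf8_to_ucs4_checked(ovl, sizeof ovl, buf, 4));
    return 0;
}
```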