Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20131204043554.GX24286@brightrain.aerifal.cx>
Date: Tue, 3 Dec 2013 23:35:54 -0500
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: draft release notes for 0.9.15

On Wed, Dec 04, 2013 at 03:42:06AM +0100, Szabolcs Nagy wrote:
> * Rich Felker <dalias@...ifal.cx> [2013-12-03 20:33:20 -0500]:
> > See draft below. Comments welcome, especially on what's the most
> > important to go in the short release blurb since there's so much..
> 
> my list would be:
> 
> new features:
> v4 and v6 nameserver in resolv.conf
> multicast structures in netinet/in.h
> shadow password api
> libc.so can print musl version info
> 
> bug fixes:
> mbsrtowcs buffer overflow
> group file handling
> execle environ passing
> setenv crash
> timezone
> ip address parsing
> faccessat
> fnmatch
> fd leaks

That's a big list. Of these, I think setenv is probably not worth
mentioning. It's rare (and probably buggy) to be calling setenv many
times; most sane usage just calls it a finite number of times at
startup, where memory exhaustion is really unlikely.

Based on this, here's a proposed draft blurb:

    Major bug fixes include a buffer overflow in mbsrtowcs, various
    group file handling errors, failure of execle to pass on the new
    environment, and timezone-parsing crashes on 64-bit systems. Also
    fixed are several file descriptor leak (close-on-exec) issues,
    handling of invalid IP address strings, several fnmatch corner
    cases possibly leading to out-of-bound access, and failure of
    faccessat with the AT_EACCESS flag. This release also adds support
    for mixing IPv4 and v6 nameservers in resolv.conf, expanded shadow
    password API, IPv6 multicast structures, and the ability for
    libc.so to report the version installed.

That might still need to be trimmed down a bit to freecode's (formerly
freshmeat) release blurb limit but it works for all our other uses.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.