changelog for 2.0.5

2024-06-11 08:18:10 +00:00 · 2024-06-11 08:18:10 +00:00 · a33eaaa925
parent a4f18acde3
commit a33eaaa925
2 changed files with 30 additions and 0 deletions
--- a/21
+++ b/21
@ -1,5 +1,26 @@
+2024-06-11  Omar Polo  <op@omarpolo.com>
+
+	* configure (VERSION): release 2.0.5
+
+2024-06-10  Omar Polo  <op@omarpolo.com>
+
+	* don't error on a '..' component at the start of the path
+	* reject NUL bytes embedded in the request
+
+2024-06-09  Omar Polo  <op@omarpolo.com>
+
+	* check for truncation various strlcpy calls.
+	* clean up of a few unused prototypes and externs.
+
+2024-06-08  Omar Polo  <op@omarpolo.com>
+
+	* configure: change how strnvis(3) is handled: on systems
+	with the broken interface gmid will just use its built-in
+	version.
+
 2024-06-06  Omar Polo  <op@omarpolo.com>

+	* parse.y: allow again empty lines at the start of the config
 	* configure (VERSION): release 2.0.4
 	* portability fix for system with a wrong strnvis(3)

--- a/site/changelog.gmi
+++ b/site/changelog.gmi
@ -1,5 +1,14 @@
 # change log

+## 2024/06/11 - 2.0.5 “Lady Stardust” security release
+
+This release fixes a logic error that can result in a DoS; therefore is a strongly reccomended update for all users.  It's safe to update to it from any version of the 2.0.x series.
+
+* allow again empty lines at the start of the configuration file
+* change how strnvis(3) is handled: on systems with the broken interface gmid will just use its own built-in version
+* reject requests with NUL bytes in them.
+* don't error on a '..' component at the start of the path.
+
 ## 2024/06/06 - 2.0.4 “Lady Stardust” bugfix release

 * add a nicer error message if the removed `cgi' option is still used.  Reported by freezr.