RELEASE-NOTES: 7.62.0

RELEASE-NOTES

@@ -4,7 +4,7 @@ Curl and libcurl 7.62.0
  Command line options:         219
  curl_easy_setopt() options:   261
  Public functions in libcurl:  80
- Contributors:                 1787
+ Contributors:                 1808
 
 This release includes the following changes:
 
@@ -21,6 +21,9 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
+ o CVE-2018-16839: SASL password overflow via integer overflow [107]
+ o CVE-2018-16840: use-after-free in handle close [108]
+ o CVE-2018-16842: warning message out-of-buffer read [114]
  o CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated [5]
  o Curl_dedotdotify(): always nul terminate returned string [46]
  o Curl_follow: Always free the passed new URL [87]
@@ -40,6 +43,7 @@ This release includes the following bugfixes:
  o checksrc: handle zero scoped ignore commands [62]
  o cmake: Backport to work with CMake 3.0 again [55]
  o cmake: Improve config installation [60]
+ o cmake: add support for transitive ZLIB target [113]
  o cmake: disable -Wpedantic-ms-format [84]
  o cmake: don't require OpenSSL if USE_OPENSSL=OFF [35]
  o cmake: fixed path used in generation of docs/tests [56]
@@ -88,6 +92,7 @@ This release includes the following bugfixes:
  o lib: fix gcc8 warning on Windows [20]
  o memory: add missing curl_printf header [30]
  o memory: ensure to check allocation results [68]
+ o multi: Fix error handling in the SENDPROTOCONNECT state [112]
  o multi: fix memory leak in content encoding related error path [59]
  o multi: make the closure handle "inherit" CURLOPT_NOSIGNAL [90]
  o netrc: free temporary strings if memory allocation fails [103]
@@ -104,6 +109,7 @@ This release includes the following bugfixes:
  o openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer [6]
  o openssl: show "proper" version number for libressl builds [28]
  o pipelining: deprecated [1]
+ o rand: add comment to skip a clang-tidy false positive
  o rtmp: fix for compiling with lwIP [100]
  o runtests: ignore disabled even when ranges are given [74]
  o runtests: skip ld_preload tests on macOS [80]
@@ -112,21 +118,27 @@ This release includes the following bugfixes:
  o sendf: Fix whitespace in infof/failf concatenation [26]
  o ssh: free the session on init failures [96]
  o ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code [6]
+ o system.h: use proper setting with Sun C++ as well [109]
  o test1299: use single quotes around asterisk [72]
  o test1452: mark as flaky [2]
+ o test1651: unit test Curl_extract_certinfo() [110]
  o test320: strip out more HTML when comparing [66]
  o tests/negtelnetserver.py: fix Python2-ism in neg TELNET server [67]
  o tests: add unit tests for url.c [3]
  o timeval: fix use of weak symbol clock_gettime() on Apple platforms [61]
  o tool_cb_hdr: handle failure of rename() [94]
+ o travis: add a "make tidy" build that runs clang-tidy [105]
  o travis: add build for "configure --disable-verbose" [93]
  o travis: bump the Secure Transport build to use xcode [58]
  o travis: make distcheck scan for BOM markers [86]
+ o unit1300: fix stack-use-after-scope AddressSanitizer warning [106]
  o urldata: Fix "connecting" comment
  o urlglob: improve error message on bad globs [22]
  o vtls: fix ssl version "or later" behavior change for many backends [38]
  o x509asn1: Fix SAN IP address verification [88]
+ o x509asn1: always check return code from getASN1Element() [110]
  o x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert [6]
+ o x509asn1: suppress left shift on signed value [111]
 
 This release includes the following known bugs:
 
@@ -135,18 +147,18 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Alexey Eremikhin, Brad King, Christian Heimes, Colin Hogben,
+  Alexey Eremikhin, Brad King, Brian Carpenter, Christian Heimes, Colin Hogben,
   Daniel Gustafsson, Daniel Shahaf, Daniel Stenberg, Dario Weißer,
   Dave Reisner, Dima Pasechnik, Dmitry Kostjuchenko, Doron Behar,
-  Eason-Yu on github, Erik Minekus, Even Rouault, Gisle Vanem,
-  Github user @jakirkham, Han Han, Harry Sintonen, Jean Fabrice, Jim Fuller,
-  Kamil Dudka, Loganaden Velvindron, Marcel Raad, Marc Hörsken, Martin Ankerl,
+  Eason-Yu on github, Erik Minekus, Even Rouault, Gisle Vanem, Han Han,
+  Harry Sintonen, jakirkham on github, Jean Fabrice, Jim Fuller, Kamil Dudka,
+  Loganaden Velvindron, Marcel Raad, Marc Hörsken, Martin Ankerl,
   Matthew Whitehead, Max Dymond, Maxime Legros, Michael Kaufmann, Nate Prewitt,
-  Nicklas Avén, Nick Zitzmann, Philipp Waehnert, Rainer Jung, Ray Satiro,
-  Rich Turner, Rick Deist, Ricky-Tigg on github, Rikard Falkeborn,
-  Ruslan Baratov, Sergei Nikulov, Shaun Jackman, Thomas Glanzmann,
+  Nicklas Avén, Nick Zitzmann, Patrick Monnerat, Philipp Waehnert, Rainer Jung,
+  Ray Satiro, Rich Turner, Rick Deist, Ricky-Tigg on github, Rikard Falkeborn,
+  Ruslan Baratov, Sergei Nikulov, Shaun Jackman, Thomas Glanzmann, Tuomo Rinne,
   Viktor Szakats, Yiming Jing,
-  (46 contributors)
+  (49 contributors)
 
         Thanks! (and sorry if I forgot to mention someone)
 
@@ -256,3 +268,13 @@ References to bug reports and discussions on issues:
  [102] = https://curl.haxx.se/bug/?i=3166
  [103] = https://curl.haxx.se/bug/?i=3122
  [104] = https://curl.haxx.se/bug/?i=3162
+ [105] = https://curl.haxx.se/bug/?i=3182
+ [106] = https://curl.haxx.se/bug/?i=3182
+ [107] = https://curl.haxx.se/docs/CVE-2018-16839.html
+ [108] = https://curl.haxx.se/docs/CVE-2018-16840.html
+ [109] = https://curl.haxx.se/bug/?i=3181
+ [110] = https://curl.haxx.se/bug/?i=3163
+ [111] = https://curl.haxx.se/bug/?i=3163
+ [112] = https://curl.haxx.se/bug/?i=3170
+ [113] = https://curl.haxx.se/bug/?i=3123
+ [114] = https://curl.haxx.se/docs/CVE-2018-16842.html