author Olav Morken <olav.morken@uninett.no> 2014-12-18 09:59:02 (GMT)
committer Olav Morken <olav.morken@uninett.no> 2014-12-18 09:59:16 (GMT)
commit 03db9ccf91c2986d420e392e777318383038c92a
tree 0f429a9fbfc764ed4e2005b53063ce776c2b0b53
parent 3dd7c01926a64db08bdea3695efd7ff343789b66
Include version 0.8.1 in the NEWS-file.
This release was branched from the 0.8.0-release, and was therefore not included in the NEWS-file for the master-branch.
-rw-r--r-- NEWS 17
1 files changed, 17 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 0d99640..b116c88 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,23 @@ Version 0.9.0
* Fix looking up sessions by NameID, which is used during logout.
+
+Version 0.8.1
+---------------------------------------------------------------------------
+
+This is a security release with fixes backported from version 0.9.1.
+
+It turned out that session overflow bugs fixes in version 0.9.0 and
+0.9.1 can lead to information disclosure, where data from one session
+is leaked to another session. Depending on how this data is used by the
+web application, this may lead to data from one session being disclosed
+to an user in a different session. (CVE-2014-8566)
+
+In addition to the information disclosure, this release contains some
+fixes for logout processing, where logout requests would crash the
+Apache web server. (CVE-2014-8567)
+
+
Version 0.8.0
---------------------------------------------------------------------------
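Review bot: In the first paragraph of the new 0.8.1 entry, "session overflow bugs fixes in version 0.9.0 and 0.9.1 can lead to information disclosure" reads as if the fixes themselves cause the disclosure. Suggest "the session overflow bugs fixed in version 0.9.0 and 0.9.1 can lead to information disclosure", and change "to an user" to "to a user". The entry's opening line says the fixes are backported from 0.9.1, while this paragraph names both 0.9.0 and 0.9.1; stating in one place which versions the backported fixes come from would let anyone still on 0.8.x tell what this release covers for CVE-2014-8566 and CVE-2014-8567.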