Hi friends,

In two weeks time, on Wednesday November 2nd, we will release curl and libcurl 7.51.0 unless something earth shattering happens.

This release will bundle no less than _eleven_ security advisories and their associated fixes (unless we get more reported in the time we have left). Each individual security issue will be documented in detail in their own advisories as usual and sent out as separate emails and get documented on the curl web site. Chances are big several of these affects your use of curl.

We have never before handled anywhere close to this many security problems in a single release. We have notified both Apple and distros@openwall so the major distributions should be aware of what's coming.

Merging eleven previously non-disclosed branches into master just before a release is not ideal but done so to minimize the security impact on existing users when the problems get known. My plan is to merge them all into master and push around 48 hours before release, watch the autobuilds closesly, have a few extra coverity scans done and then fix up what's found before the release.

I will also prepare to do a follow-up patch release within the following week if we find serious enough problems in the shipped product.


 / daniel.haxx.se
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html

Reply via email to