GNU C Library NEWS -- history of user-visible changes.
-Copyright (C) 1992-2014 Free Software Foundation, Inc.
+Copyright (C) 1992-2015 Free Software Foundation, Inc.
See the end for copying conditions.
Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
using `glibc' in the "product" field.
\f
+Version 2.21
+
+* The following bugs are resolved with this release:
+
+ 6652, 10672, 12847, 12926, 13862, 14132, 14138, 14171, 14498, 15215,
+ 15884, 16469, 16617, 16619, 16657, 16740, 16857, 17192, 17266, 17344,
+ 17363, 17370, 17371, 17411, 17460, 17475, 17485, 17501, 17506, 17508,
+ 17522, 17555, 17570, 17571, 17572, 17573, 17574, 17581, 17582, 17583,
+ 17584, 17585, 17589, 17594, 17601, 17608, 17616, 17625, 17630, 17633,
+ 17634, 17647, 17653, 17657, 17664, 17665, 17668, 17682, 17717, 17719,
+ 17722, 17723, 17724, 17725, 17732, 17733, 17744, 17745, 17746, 17747,
+ 17775, 17780, 17781
+
+* i386 memcpy functions optimized with SSE2 unaligned load/store.
+
+* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
+ under certain input conditions resulting in the execution of a shell for
+ command substitution when the applicaiton did not request it. The
+ implementation now checks WRDE_NOCMD immediately before executing the
+ shell and returns the error WRDE_CMDSUB as expected.
+
+* CVE-2012-3406 printf-style functions could run into a stack overflow when
+ processing format strings with a large number of format specifiers.
+
+* CVE-2014-9402 The nss_dns implementation of getnetbyname could run into an
+ infinite loop if the DNS response contained a PTR record of an unexpected
+ format.
+
+* The minimum GCC version that can be used to build this version of the GNU
+ C Library is GCC 4.6. Older GCC versions, and non-GNU compilers, can
+ still be used to compile programs using the GNU C Library.
+
+* The GNU C Library is now built with -Werror by default. This can be
+ disabled by configuring with --disable-werror.
+
+* New locales: tu_IN, bh_IN, raj_IN, ce_RU.
+
+* The obsolete sigvec function has been removed. This was the original
+ 4.2BSD interface that inspired the POSIX.1 sigaction interface, which
+ programs have been using instead for about 25 years. Of course, ABI
+ compatibility for old binaries using sigvec remains intact.
+
+* Merged gettext 0.19.3 into the intl subdirectory. This fixes building
+ with newer versions of bison.
+\f
Version 2.20
* The following bugs are resolved with this release:
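Review bot: The wordexp entry is filed under "CVE-2104-7817"; the year 2104 looks like a transposition of 2014, and a mistyped identifier will not match when someone searches NEWS for the CVE, so please check it against the assignment and correct it. The same entry misspells "application" as "applicaiton". The CVE-2012-3406 and CVE-2014-9402 entries describe the defect but, unlike the wordexp entry, do not say what the library does now; a closing sentence on the fixed behaviour would tell a packager what changed.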
16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031,
17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079,
17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153,
- 17187, 17213, 17259, 17261, 17262, 17263.
+ 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354.
+
+* Optimized strchrnul implementation for AArch64. Contributed by ARM Ltd.
* Reverted change of ABI data structures for s390 and s390x:
On s390 and s390x the size of struct ucontext and jmp_buf was increased in
2.19. This change is reverted in 2.20. The introduced 2.19 symbol versions
of getcontext, setjmp, _setjmp, __sigsetjmp, longjmp, _longjmp, siglongjmp
are preserved pointing straight to the same implementation as the old ones.
- Given that, new callers wil simply provide a too-big buffer to these
+ Given that, new callers will simply provide a too-big buffer to these
functions. Any applications/libraries out there that embed jmp_buf or
ucontext_t in an ABI-relevant data structure that have already been rebuilt
against 2.19 headers will have to rebuilt again. This is necessary in any
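Review bot: The s390 paragraph still reads "will have to rebuilt again" a few lines below the "wil" to "will" correction. Since this change already touches the paragraph for a typo, make it "will have to be rebuilt again" in the same pass.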
over a decade, and the removal is prompted by security defects. The
normal gconv conversion modules are still supported. Transliteration
with //TRANSLIT is still possible, and the //IGNORE specifier
- continues to be supported. (CVE-2014-5519)
+ continues to be supported. (CVE-2014-5119)
+
+* Decoding a crafted input sequence in the character sets IBM933, IBM935,
+ IBM937, IBM939, IBM1364 could result in an out-of-bounds array read,
+ resulting a denial-of-service security vulnerability in applications which
+ use functions related to iconv. (CVE-2014-6040)
\f
Version 2.19
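Review bot: The new IBM933/IBM935/IBM937/IBM939/IBM1364 entry states the impact (an out-of-bounds array read leading to denial of service) but never says that this release fixes it, so a reader cannot tell from NEWS alone whether 2.20 is the affected or the fixed version; add a sentence saying so. The phrase "resulting a denial-of-service security vulnerability" is missing "in". Given that the gconv entry's identifier was already mistyped once (5519 corrected to 5119 here), it is worth checking both CVE numbers in this hunk against their bug tracker entries before merging.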
----------------------------------------------------------------------
Copyright information:
-Copyright (C) 1992-2014 Free Software Foundation, Inc.
+Copyright (C) 1992-2015 Free Software Foundation, Inc.
Permission is granted to anyone to make or distribute verbatim copies
of this document as received, in any medium, provided that the