From: Mike Brady Date: Thu, 23 Nov 2017 15:47:10 +0000 (+0000) Subject: Update RELEASENOTES.md X-Git-Tag: 3.1.5~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83907d6135c033a287fdbc32c1689082043aace4;p=thirdparty%2Fshairport-sync.git Update RELEASENOTES.md --- diff --git a/RELEASENOTES.md b/RELEASENOTES.md index ab435750..9f98b448 100644 --- a/RELEASENOTES.md +++ b/RELEASENOTES.md @@ -3,13 +3,12 @@ Version 3.1.4 **Security Update** -* The version of `tinysvcmdns` bundled in Shairport Sync has a buffer overflow bug: *"An exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker controlled values. An attacker needs send a dns packet to trigger this vulnerability."* The vulnerability is addressed by additional checking on packet sizes. See also [Vulnerability in tinysvcmdns](https://bugs.launchpad.net/ubuntu/+source/shairport-sync/+bug/1729668). CVE-2017-12087. +* The version of `tinysvcmdns` bundled in Shairport Sync has a buffer overflow bug: *"An exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker controlled values. An attacker needs send a dns packet to trigger this vulnerability."* The vulnerability is addressed by additional checking on packet sizes. See also [CVE-2017-12087](https://bugs.launchpad.net/bugs/cve/2017-12087) and [Vulnerability in tinysvcmdns](https://bugs.launchpad.net/ubuntu/+source/shairport-sync/+bug/1729668). Thanks and [Chris Boot](https://github.com/bootc) for fixing this bug. **Bug Fix** -* Somewhere in version 3.x, the `softvol` plugin got broken as the volume change is not applied anymore. Turned out for the `softvol` plugin no `volume()` and `parameters()` are defined. Thanks to [Jörg Krause](https://github.com/joerg-krause) for locating and fixing this bug. - +* Somewhere in version 3.x, the `softvol` plugin got broken as the volume change is not applied anymore. Turned out that, for the `softvol` plugin, no `volume()` and `parameters()` are defined. Thanks to [Jörg Krause](https://github.com/joerg-krause) for locating and fixing this bug. Version 3.1.3 ====