author Jack Lloyd <[email protected]> 2016-08-24 12:26:29 -0400
committer Jack Lloyd <[email protected]> 2016-08-24 12:26:29 -0400
commit bc647fd495eba07dd893f0247d9912852aa499d7 (patch)
tree f2e3c7fef57ffb62430a3cc89da2064735c7c4f6 /doc/news.rst
parent 91474f60d72937ad3c21d8aa53c14f7a0cceb9ca (diff)
Add release notes for 1.8.15 which escaped news.rst
[ci skip]
Diffstat (limited to 'doc/news.rst')
-rw-r--r-- doc/news.rst 13
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 6e9b88479..5b4cef681 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -296,6 +296,19 @@ Version 1.11.29, 2016-03-20
* Support for locking allocator on Windows using VirtualLock. GH #450
+Version 1.18.15, 2016-02-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* NOTE WELL: Botan 1.8 is not supported for security issues anymore.
+ Moving to 1.10 or 1.11 is certainly recommended.
+* Fix CVE-2014-9742: Insufficient randomness in Miller-Rabin primality check
+* Fix CVE-2016-2194: Infinite loop in modulur square root algorithm
+* Fix CVE-2015-5726: Crash in BER decoder
+* Fix CVE-2015-5727: Excess memory allocation in BER decoder
+ Note: Unlike the fix in 1.10 which checks that the source actually
+ contains enough data to satisfy the read before allocating the
+ memory, 1.8.15 simply rejects all ASN.1 blocks larger than 1 MiB.
+ This simpler check avoids the problem without breaking ABI.
+
Version 1.10.12, 2016-02-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
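Review bot: the added section heading reads "Version 1.18.15, 2016-02-13", but the commit message and the CVE-2015-5727 note further down the same hunk both refer to 1.8.15, so the heading should be "Version 1.8.15, 2016-02-13". As written, anyone searching news.rst for the 1.8.15 entry to confirm which CVEs that release fixed will not find it by its heading. In the CVE-2016-2194 line, "modulur" should be "modular". The CVE-2015-5727 note says 1.8.15 "simply rejects all ASN.1 blocks larger than 1 MiB"; it would help users still on 1.8 if the note also said outright that any input above that size now fails to decode, since that is a behaviour change and not only a fix.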