NEWS: Add CVE numbers close their release notes

Some bug fixes did not happen to have a CVE number in the NEWS file. Added also NEWS-security.md to aggregate the security fixes in Evince across branches. For example, CVE-2017-1000083 affected only until version 3.24, which was already branched. Therefore, it does not appear in the NEWS file from master. Sometimes, people want to have a quick look if CVE are fixed in a product. By adding this file, we hope we can cope with that need. Fixes #864
2024-06-28 13:44:46 +00:00 · 2018-08-01 16:03:51 -04:00 · 2018-08-01 16:03:51 -04:00 · db2697e978
commit db2697e978
parent 76c3920aa1
2 changed files with 34 additions and 5 deletions
--- a/16
+++ b/16
@ -380,11 +380,14 @@ Bug fixes:
    * Fix several memory leaks (#770070 and #770069, Eric R. Schulz)
    * Fix scaling calculation in PostScript backend (#755776, Jason
      Crain)
-    * Fix a crash when processing button events in EvView (#769700,
-      Marek Kasik)
    * Fix a crash when opening a copy of a document with annotation
      popup windows (#760299, Jose Aliste)

+Security Fixes:
+
+    * Fix a crash when processing button events in EvView (#769700)
+      CVE-2013-3718. (Marek Kasik)
+
 Translation updates:

    * David Medina (ca)
@ -2975,11 +2978,14 @@ New Features and UI Improvements:
 Bug fixes:

    * Fix return value in g_return_val_if_fail() macro (Daniel Garcia)
-    * Fix several security issues in dvi backend: CVE-2010-2640,
-      CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643 (José Aliste)
    * Do not use deprecated API: GdkCursor, GtkStyle, size-request
      (Carlos Garcia Campos)

+Security Fixes:
+
+    * Fix several security issues in dvi backend: CVE-2010-2640,
+      CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643 (José Aliste)
+
 Translation updates:

    * Khaled Hosny (ar)
@ -5214,7 +5220,7 @@ Bug Fixes:

 Security Fixes:

-    * Buffer overflow in PS backend. CVE-2006-5864. (Carlos Garcia Campos)
+    * Buffer overflow in PS backend (#380191). CVE-2006-5864. (Carlos Garcia Campos)

 Translations:

--- a/NEWS-security.md
+++ b/NEWS-security.md
@ -0,0 +1,23 @@
+Security fixes
+==============
+
+* Evince 3.24.1
+
+    * Remove support for tar and tar-like commands in commics backend
+      (#784630). CVE-2017-1000083. (Bastien Nocera)
+
+* Evince 3.21.92
+
+    * Fix a crash when processing button events in EvView (#769700)
+      CVE-2013-3718. (Marek Kasik)
+
+* Evince 2.91.5
+
+    * Fix several security issues in dvi backend.
+      CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643.
+      (José Aliste)
+
+* Evince 0.7.0
+
+    * Buffer overflow in PS backend (#380191).
+      CVE-2006-5864. (Carlos Garcia Campos)