Update release notes with CVE numbers (#1971)

mozilla · Dec 20, 2021 · a69d99e · a69d99e
1 parent 0ac0f37
commit a69d99e
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -6,12 +6,23 @@ All notable changes to this program are documented in this file.
 0.30.0  (2021-09-16, `d372710b98a6`)
 ------------------------------------
 
+### Security Fixes
+
+- CVE-2021-4138
+
+  Fixed a DNS rebinding issues by enforcing a stricter `Host` header check.
+
+  Reported by Gabriel Corona.
+
+  - Improved `Host` header checks to reject requests not sent to a well-known
+    local hostname or IP, or the server-specified hostname.
+
 ### Known problems
 
 - geckodriver restricts connections to local IP addresses. This can interfere
   with deployments in which geckodriver is running on a different network node
   to the tests e.g. some container or virtual-machine based setups.
-  
+
 - _macOS 10.15 (Catalina) and later:_
 
   Due to the requirement from Apple that all programs must be
@@ -50,9 +61,6 @@ All notable changes to this program are documented in this file.
 
 ### Fixed
 
-- Improved Host header checks to reject requests not sent to a well-known
-  local hostname or IP, or the server-specified hostname.
-
 - Added validation that the `--host` argument resolves to a local IP address.
 
 - Limit the `--foreground` argument of Firefox to MacOS only.
@@ -225,6 +233,11 @@ All notable changes to this program are documented in this file.
 
 - CVE-2020-15660
 
+  Improved validation of incoming requests to prevent remote
+  requests being treated as local.
+
+  Reported by Gabriel Corona.
+
   - Added additional checks on the `Content-Type` header for `POST`
     requests to disallow `application/x-www-form-urlencoded`,
     `multipart/form-data` and `text/plain`.