heap buffer overflow while trying to emit access log (CVE-2018-0608)

[kazuho]

H2O up to version 2.2.4 has a bug that would allow an remote attacker to trigger a heap buffer overflow while the server attempts to emit an access log line.

Users should update to 2.2.5 as soon as possible, or disable access logging.

We would like to thank Marlies Ruck, ForAllSecure for finding the issue.

[proyb6]

The v2.2.5 archive contains the old mruby-iijson dependency in contrast with the master branch.

[kazuho]

@proyb6 This is a bug fix release. Change of the JSON implementation was not a result of a bug.