1 files changed, 17 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 15d925c23..45c6e5798 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -69,6 +69,17 @@ xine-lib (1.1.90) (Unreleased)
     colour controls, zooming, colour keying.
 
 xine-lib (1.1.16) 2008-??-??
+  * Security fixes:
+    - Heap overflow in Quicktime atom parsing.                 (CVE-2008-5234)
+    - Multiple buffer overflows.                               (CVE-2008-5236)
+    - Multiple integer overflows.                              (CVE-2008-5237)
+    - Unchecked or incompletely-checked read function results. (CVE-2008-5239)
+    - Unchecked malloc using untrusted values.                 (CVE-2008-5240)
+    - Buffer indexing using untrusted or unchecked values.     (CVE-2008-5243)
+    - Integer overflows in the ffmpeg audio decoder and the CDDA server.
+    - Heap buffer overflow in the ffmpeg video decoder.
+    - Avoid segfault on invalid track type in Matroska files.
+    - Avoid underflow (compressed atoms) in the Qt demuxer.
   * Fix reported compilation failures (with C++ programs).
   * Fix CDDB access in 64-bit builds.
   * Fix seeking FLV clips that don't specify the movie length in the headers.
@@ -97,10 +108,16 @@ xine-lib (1.1.15) 2008-08-14
       (CVE-2008-3231)
       This includes a libfaad update from the 1.2 branch.
     - Delay V4L video frame preallocation until we know how large they'll be.
+      (CVE-2008-5245)
     - Fix an exploitable ID3 heap buffer overflow.
+      (CVE-2008-5234, vector 2)
     - Check for possible buffer overflow attempts in the Real demuxer.
+      (CVE-2008-5235)
     - Use size_t for data length variables where there may be int overflows.
     - Add some checks for memory allocation failures.
+      (CVE-2008-5233)
+    - Fix crashes with MP3 files with metadata consisting only of separators.
+      (CVE-2008-5248)
   * Use external ffmpeg and libfaad by default.
   * V4L: Don't segfault if asked for an input that doesn't exist.
   * Recognise AMR audio (normally found in 3GP files).
@@ -110,7 +127,6 @@ xine-lib (1.1.15) 2008-08-14
     others, there would be no problem.
   * V4L: only try and set the tuner if we're going to use it. Setting the tuner
     when using baseband video (CVBS, S-Video) breaks the input.
-  * Fix crashes with MP3 files with metadata consisting only of separators.
 
 xine-lib (1.1.14) 2008-06-29
   * DVB changes: