libpng-1.6.28 has been released to fix a bug exposed when attempting to build with zlib-1.2.9 or 1.2.10
New versions released to fix CVE-2016-10087
Libpng-1.5.26, 1.4.19, 1.2.56, and 1.0.66 fix an out-of-range read in png_check_keyword(), CVE-2015-8540.
The bugfix of CVE-2015-8126 in the previous versions was incomplete; it defended against malevolent PNG files that are read via png_handle_PLTE but did not detect applications that use png_set_PLTE to set an over-length palette. This set of releases completes the bugfix, fixing CVE-2015-8472.
libpng-1.6.19, libpng-1.5.24, libpng-1.2.54, libpng-1.4.17, and libpng-1.0.64 have been released to fix a potential out-of-bounds read in png_set_tIME/png_convert_to_rfc1123 (CVE-2014-9425) and a potential out-of-bounds write in png_get_PLTE/png_set_PLTE (CVE-2015-8126).
libpng-1.6.18 and 1.5.23 were released last week. Due to the outage, they aren't available yet in the SourceForge File Release System. They are, however, available from the glennrp/libpng-releases repository at github. This is a cleanup release that fixes some harmless Coverity defects and removes some unused code.
libpng-1.6.17 and 1.5.22 have been released. They "harden" the library against attacks using very wide images by imposing a default limit of 1 million columns. Users who truly need to process wider images can override this limit.
libpng-1.7.0beta49 has been released, to test some changes to the filter-selection procedure to use a single "try_row" buffer instead of separate "sub_row, up_row, avg_row, and paeth_row" buffers. Please try it out and report back; if all goes well I'll port it back to libpng15 and libpng16 soon.
libpng-1.6.16 has been released to fix two potential overflows while reading very wide images.
libpng-1.6.14 has been released. This is mostly a code cleanup, with a minor bugfix to the iTXt chunk handler.
libpng-1.6.13 and libpng-1.5.19 have been released. These are simple code-cleanup releases without any security issues or new features.
libpng-1.6.12 has been released to relocate an out-of-order statement introduced in libpng-1.6.11.
libpng-1.6.10 avoids an infinite loop while reading a datastream whose first IDAT chunk is of zero-length. This fixes CERT VU#684412 and CVE-2014-0333.
libpng-1.6.9 is a simple cleanup release.
Libpng-1.6.8 has been released. This fixes a potential NULL pointer dereference and is otherwise a simple cleanup release.
Libpng-1.6.7 adds ARMv8 support and improves/simplifies the unknown chunk handling, and has been made compatible with automake-1.14.
libpng-1.6.5 did not correct the error it was supposed to fix (two stray lines in arm/arm_init.c). The bad lines are removed from 1.6.6.
libpng-1.6.5 has been released, to remove two stray lines in arm/arm_init.c that caused libpng to fail to compile when ARM support is enabled.
libpng-1.6.4 has been released. It has some minor speed and footprint optimizations.
libpng-1.6.3 has been released. It has improved support for ARM platforms.
libpng-1.5.17 has been released. There are minor changes, mainly in the ARM support.
libpng public releases 1.2.50, 1.4.12, 1.5.16, and 1.6.2 now have PGP signatures signed by Glenn Randers-Pehrson. In the frs they are in libpngNN/libpng.x.y.z/Gnupg, and in the GIT repository there are signed tags libpng-1.2.50-signed, libpng-1.4.12-signed, libpng-1.5.16-signed, and libpng-1.6.2-signed. Future public releases (but not beta releases or intermediate GIT checkins) will be similarly signed. To verify a release you have downloaded, follow the instructions in Gnupg/libpng-x.y.z-gnupg-README.txt
libpng-1.6.2 fixes a bug in which libpng-1.6.0 and 1.6.1 would write uncompressed iTXt chunks with the wrong length. An application for fixing such PNGs is supplied in contrib/tools/fixitxt.c.
libpng-1.6.1 has been released. It is a minor cleanup release. For legacy applications, libpng-1.5.15 has also been released.
libpng-1.6.0 has been released. This version adds a "simplified API" for reading and writing PNG images.