This release includes the following changes:
o curl: add --ca-native and --proxy-ca-native [24]
o curl: add --trace-ids [53]
o CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS [5]
o haproxy: add --haproxy-clientip flag to set client IPs [23]
o lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID [54]
This release includes the following bugfixes:
o bufq: make write/pass methods more robust [21]
o build: drop unused/redundant `HAVE_WINLDAP_H` [25]
o cf-socket: don't bypass fclosesocket callback if cancelled before connect [114]
o cf-socket: move ctx declaration under HAVE_GETPEERNAME [91]
o cf-socket: skip getpeername()/getsockname for TFTP [65]
o checksrc: modernise perl file open [87]
o checksrc: quote the file name to work with "funny" letters [93]
o CI: brew fix for openssl in default path [116]
o CI: don't install impacket if tests are not run
o CI: enable parallel make in more builds
o circleci: install impacket & wolfssl 5.6.0 [1]
o cmake: add support for "unity" builds [13]
o cmake: make use of snprintf [102]
o cmake: stop CMake from quietly ignoring missing Brotli [81]
o configure: add check for ldap_init_fd [80]
o configure: fix run-compiler for old /bin/sh [4]
o configure: the --without forms of the options are also gone [79]
o connect-timeout.d: mention that the DNS lookup is included [85]
o curl.h: include <sys/select.h> for vxworks [78]
o curl: count uploaded data to stop at the originally given size [14]
o curl: return error when asked to use an unsupported HTTP version [113]
o curl_easy_nextheader.3: add missing open parenthesis examples [74]
o curl_log: evaluate log statement only when transfer is verbose [8]
o curl_mprintf.3: minor fix of the example
o curl_pushheader_byname/bynum.3: document in their own man pages [37]
o curl_url_set: enforce the max string length check for all parts [38]
o CURLOPT_AWS_SIGV4.3: remove unused variable from example [11]
o CURLOPT_INFILESIZE.3: mention -1 triggers chunked [55]
o CURLOPT_MIMEPOST.3: clarify what setting to NULL means [95]
o CURLOPT_SSH_PRIVATE_KEYFILE.3: expand on the file search [31]
o docs/libcurl/libcurl.3: cleanups and improvements [46]
o docs: add more .IP after .RE to fix indentation of generated paragraphs [82]
o docs: fix missing parameter names in examples [41]
o docs: update CURLOPT_UPLOAD.3 [63]
o docs: update HTTP3.md for newer ngtcp2 and nghttp3 [28]
o docs: use a space after RFC when spelling out RFC numbers [105]
o example/connect-to: show CURLOPT_CONNECT_TO [47]
o example/crawler: also set CURLOPT_AUTOREFERER [35]
o example/crawler: make it use a few more options
o example/default-scheme: set the default scheme for schemeless URLs [67]
o example/hsts-preload: show one way to HSTS preload [68]
o example/http2-download: set CURLOPT_BUFFERSIZE [34]
o example/ipv6: feature CURLOPT_ADDRESS_SCOPE in use [27]
o example/maxconnects: set maxconnect example [98]
o example/opensslthreadlock: remove [59]
o examples/ftpuploadresume.c: add use of CURLOPT_ACCEPTTIMEOUT_MS [39]
o examples/http-options: show how to send "OPTIONS *" [69]
o examples/https.c: use CURLOPT_CA_CACHE_TIMEOUT [19]
o examples/multi-debugcallback.c: avoid the bool typedef [29]
o examples/smtp-mime: use CURLOPT_MAIL_RCPT_ALLOWFAILS [71]
o examples/unixsocket.c: example using CURLOPT_UNIX_SOCKET_PATH [40]
o examples/websocket.c: websocket example using CONNECT_ONLY [17]
o examples: make use of CURLOPT_(REDIR_|)PROTOCOLS_STR [70]
o fopen: fix conversion warning on 32-bit Android [49]
o fopen: optimize [101]
o hostip.c: Move macOS-specific calls into global init call [104]
o HTTP/2: upload handling fixes [56]
o http2: better support for --limit-rate [7]
o http2: error stream resets with code CURLE_HTTP2_STREAM [84]
o http2: fix crash in handling stream weights [76]
o http2: fix variable type [50]
o http2: h2 and h2-PROXY connection alive check fixes [83]
o http2: raise header limitations above and beyond [73]
o http2: send HEADER & DATA together if possible [99]
o http2: treat initial SETTINGS as a WINDOW_UPDATE [100]
o HTTP3.md: update openssl version [57]
o http3/ngtcp2: upload EAGAIN handling [108]
o http: rectify the outgoing Cookie: header field size check [72]
o hyper: fix EOF handling on input [66]
o hyper: unslow [51]
o imap-append.c: update to make it more likely to work [106]
o imap: Provide method to disable SASL if it is advertised [75]
o krb5: add typecast to please Coverity
o libcurl-url.3: also mention CURLUPART_ZONEID
o libcurl-ws.3: WebSocket API overview [48]
o libssh2: provide error message when setting host key type fails [9]
o libssh2: use custom memory functions [12]
o ngtcp2: assigning timeout, but value is overwritten before used [103]
o ngtcp2: build with 0.17.0 and nghttp3 0.13.0 [96]
o ngtcp2: use ever increasing timestamp in io [32]
o quiche: avoid NULL deref in debug logging [97]
o quiche: fix defects found in latest coverity report [94]
o quote.d: fix indentation of generated paragraphs [86]
o runtests: abort test run after failure without -a [3]
o runtests: better handle ^C during slow tests
o runtests: consistently write the test check summary block
o runtests: create multiple test runners when requested [20]
o runtests: include missing valgrind package [89]
o runtests: make test file directories in log/N [44]
o runtests: rename server command file
o runtests: use more consistent failure lines
o runtests: work around a perl without SIGUSR1 [88]
o runtests: give each server a unique log lock file [43]
o scripts: Fix GHA matrix job detection in cijobs.pl
o sectransp: fix EOF handling [92]
o system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles [10]
o test2600: fix the description [90]
o test427: verify sending more cookies than fit in a 8190 bytes line [61]
o tests/http: Add mod_h2 directive `H2ProxyRequests` [77]
o tests/servers.pm: pick unused port number with a server socket [16]
o tests/servers: generate temp names in /tmp for unix domain sockets [6]
o tests: fix error messages & handling around sockets [30]
o tests: improve reliability of TFTP tests
o testutil: allow multiple %-operators on the same line [62]
o timeval: use CLOCK_MONOTONIC_RAW if available [52]
o tls13-ciphers.d: include Schannel [36]
o tool: remove exclamation marks from error/warning messages
o tool: remove newlines from all helpf/notef/warnf/errorf calls [15]
o tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION` [109]
o tool_getparam: fix comment [22]
o tool_operate: allow cookie lines up to 8200 bytes [60]
o tool_parsecfg: accept line lengths up to 10M [115]
o tool_urlglob: use curl_off_t instead of longs [2]
o tool_writeout_json: fix encoding of control characters [107]
o transfer: clear credentials when redirecting to absolute URL [64]
o urlapi: have *set(PATH) prepend a slash if one is missing [42]
o urlapi: scheme must start with alpha [26]
o vtls: avoid memory leak if sha256 call fails [58]
o websocket-cb: example doing WebSocket download using callback [18]
o wolfssl: detect when TLS 1.2 support is not built into wolfssl [111]
o wolfssl: support setting CA certificates as blob [110]
o ws: make the curl_ws_meta() return pointer a const [45]
Changelog:
115.0.2:
Fixed
* Fixed a startup crash experienced by some Windows 10 and 11 users by
blocking instances of a malicious injected DLL (bug 1841751)
* Fixed a bug with displaying a caret in the text editor on some websites
(bug 1840804)
* Fixed a bug with broken audio rendering on some websites (bug 1841982)
* Fixed a bug with patternTransform translate using the wrong units (bug
1840746)
* A security fix.
* Fixed a crash affecting Windows 7 users related to the DLL blocklist.
Security fix:
#CVE-2023-3600: Use-after-free in workers
115.0.1:
Fixed
* Fixed a startup crash for Windows users with Kingsoft Antivirus software
installed (bug 1837242)
0.115.{3, 2, 1}: bugfixes.
0.115.0
The notable new feature in this release is that you can now have permalink
configuration also for section and taxonomy pages.
0.114.0
The main new thing in this release is that we now support both major versions
of the Dart Sass Embedded protocol, which means that you now can use the
regular Dart Sass binary.
We have also moved to a new log library and added some new math functions and
also revised the existing set to work better with a mix of scalars and slices.
Nghttp2 v1.55.1
Security Advisory
CVE-2023-35945: HTTP/2 memory leak in nghttp2 codec
For more information, read the security advisory.
This CVE was filed by the envoyproxy/envoy project and has already been made public, and we did not follow the usual security procedure. See below why.
lib
This release fixes a memory leak that happens when a PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if a GOAWAY frame has been received, a HEADERS frame that opens a new stream cannot be sent.
This issue has already been made public via CVE-2023-35945, issued by the envoyproxy/envoy project. During the embargo period, the patch to fix this bug was accidentally submitted to the nghttp2/nghttp2 repository, and they decided to disclose the CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.
The PoC described in the CVE is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening a new stream, and nghttp2 enters the error handling branch, in order to cause the memory leak, the nghttp2_session_close_stream function must return a fatal error. nghttp2 defines 2 fatal error codes:
NGHTTP2_ERR_NOMEM
NGHTTP2_ERR_CALLBACK_FAILURE
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process runs short of memory with this simple PoC scenario unless the application does some memory-heavy processing.
NGHTTP2_ERR_CALLBACK_FAILURE is returned from an application-defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates that something fatal happened inside a callback, and the connection must be closed immediately without any further action. As the nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as a fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE were returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or another error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE.
1.130.0 (2023-07-13)
* Feature - S3 Inventory now supports Object Access Control List and Object
Owner as available object metadata fields in inventory reports.
* Feature - Allow Object multipart copy API to work when requiring a
checksum algorithm.
* Feature - Allow Object multipart copy API to optionally copy parts as they
exist on the source object if it has parts, instead of generating new part
ranges, when specifying use_source_parts: true.
1.129.0 (2023-07-11)
* Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's
CHANGELOG.md for details.
3.178.0 (2023-07-11)
* Feature - Updated Aws::STS::Client with the latest API changes.
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
* Feature - Updated Aws::SSO::Client with the latest API changes.
* Feature - Add support for configuring the endpoint URL in the shared
configuration file or via an environment variable for a specific AWS
service or all AWS services.
Seaward is a crawler used to discover every link on a web page and its linked
pages without duplicates or to search for a word starting from the given URL.
If you want to save the links inside a file, you can run
'seaward <URL> --silent > file.txt', and if you experience many timeout errors
try using a higher timeout with '-t'.
With the '-d 0' option you crawl only the web page passed in the URL parameter,
with '-d 1' also the pages linked to it (always within the same web site) and
so on.
Nghttp2 v1.55.0
build
The following dependencies have been updated:
ngtcp2
nghttp3
BoringSSL
This release fixes build error without libev.
third-party
llhttp has been updated.
Cross-compiling mruby is now supported.
nghttpx
UDP_GRO is enabled for QUIC socket.
The initial QUIC packet number is now randomized.
h2load
UDP_GRO is enabled for QUIC socket.
v0.8.0 (Fri Jul 07 2023)
🎉 This release contains work from a new contributor! 🎉
Thank you, Enoumy (@Enoumy), for all your work!
Release Notes
Correctly handle non-existent pages (#186)
When you try to open a link leading to a page that doesn't exist yet, a
warning will now pop up informing you about the missing page.
Vim movements (ctrl+d, ctrl+u, gg, G) (#180)
The Vim keybindings ctrl+d, ctrl+u, gg, and G have been implemented!
Exciting New Features 🎉
- Correctly handle non-existent pages #186 (@Builditluc)
- Vim movements (ctrl+d, ctrl+u, gg, G) #180 (@Enoumy)
Bug Fixes 🐛
- Fix url encoded links #181 (@Builditluc)
CI Pipeline and Dependency Updates
- Bump select to v0.6 #189 (@Builditluc)
Documentation Changes
- Update and Improve the Documentation #188 (@Builditluc)
Structure and Style Changes
- Change default keybindings to vim #185 (@Builditluc)
This was written for squid-2, and we now only ship squid-4 and squid-5.
It also tries to do numerous silly 2004-era things like compile amd64
code optimized for a 586 CPU which means it is broken in many places.
Active Support
* Fix EncryptedConfiguration returning incorrect values for some Hash
methods. (Hartley McGuire)
* Fix arguments being destructed in Enumerable#many? with block. (Andrew
Novoselac)
* Fix humanize for strings ending with id. (fatkodima)
Active Model
* No changes.
Active Record
* Fix autosave associations with validations added on :base of the
associated objects. (fatkodima)
* Fix result with anonymous PostgreSQL columns of different type from json.
(Oleksandr Avoiants)
* Preserve timestamp when setting an ActiveSupport::TimeWithZone value to
timestamptz attribute. (fatkodima)
* Fix where on association with has_one/has_many polymorphic relations.
Before:
Treasure.where(price_estimates: PriceEstimate.all)
#=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates")
Later:
Treasure.where(price_estimates: PriceEstimate.all)
#=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates" WHERE "price_estimates"."estimate_of_type" = 'Treasure')
(Lázaro Nixon)
* Fix decrementing counter caches on optimistically locked record deletion.
(fatkodima)
* Ensure binary-destined values have binary encoding during type cast.
(Matthew Draper)
* Preserve existing column default functions when altering table in SQLite.
(fatkodima)
* Remove table alias added when using where.missing or where.associated.
(fatkodima)
* Fix Enumerable#in_order_of to only flatten first level to preserve
nesting. (Miha Rekar)
Action View
* No changes.
Action Pack
* No changes.
Active Job
* Fix error when Active Job is passed a class with permitted?. (Alex Baldwin)
Action Mailer
* No changes.
Action Cable
* Fix Action Cable Redis configuration with sentinels. (Dmitriy Ivliev)
Active Storage
* Fix retrieving rotation value from FFmpeg on version 5.0+.
In FFmpeg version 5.0+ the rotation value has been removed from tags.
Instead the value can be found in side_data_list. Along with this update
it's possible to have values of -90, -270 to denote the video has been
rotated.
(Haroon Ahmed)
Action Mailbox
* No changes.
Action Text
* No changes.
Railties
* Avoid escaping paths when editing credentials. (Jonathan Hefner)
2.7.7 (2023-06-20)
What's Changed
* Fix implementation of Faraday::Error helpers. by @iMacTia in #1510
2.7.8 (2023-06-28)
What's Changed
* Failing test: Logging headers & errors fails when ConnectionFailed is
raised by @eikes in #1512
New Contributors
* @eikes made their first contribution in #1512
2.7.9 (2023-06-30)
What's Changed
* Raise Error: Add Faraday::RequestTimeoutError by @tisba in #1513
* Include env[:headers] in Stubs::NotFound by @yykamei in #1514
New Contributors
* @tisba made their first contribution in #1513
2.7.10 (2023-07-06)
What's Changed
* Fix some logging inefficiencies by @semaperepelitsa in #1515
New Contributors
* @semaperepelitsa made their first contribution in #1515
pkgsrc change: update dependency.
1.128.0 (2023-07-06)
* Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's
CHANGELOG.md for details.
1.127.0 (2023-06-28)
* Feature - The S3 ListObjects, ListObjectsV2 and ListObjectVersions APIs now
support a new optional header x-amz-optional-object-attributes. If the
header contains RestoreStatus as the value, then S3 will include the Glacier
restore status, i.e. isRestoreInProgress and RestoreExpiryDate, in the List
response.
* Feature - Select minimum expiration time for presigned urls between the
expiration time option and the credential expiration time.
pkgsrc change: update dependency.
1.70.0 (2023-07-06)
* Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's
CHANGELOG.md for details.
1.69.0 (2023-07-05)
* Feature - Added Dry Run Feature to cryptographic and cross-account
mutating KMS APIs (14 in all). This feature allows users to test their
permissions and parameters before making the actual API call.
1.68.0 (2023-06-28)
* Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's
CHANGELOG.md for details.
pkgsrc change: update dependency (in comment).
3.177.0 (2023-07-06)
* Feature - Updated Aws::STS::Client with the latest API changes.
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
* Feature - Updated Aws::SSO::Client with the latest API changes.
* Feature - Add support for Request Compression.
3.176.1 (2023-06-29)
* Issue - Fix signing for S3/S3 Control and aws-crt gem for certain object
keys (#2849).
* Issue - Ensure SSOCredentials #expiration is a Time (#2874)
3.176.0 (2023-06-28)
* Feature - Add :expiration accessor to CredentialProvider and do not
refresh credentials when checking expiration (#2872).
pkgsrc change: update dependency.
1.6.0 (2023-06-28)
* Feature - Select the minimum expiration time for presigned urls between
the expiration time option and the credential expiration time.
1.785.0 (2023-07-07)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.784.0 (2023-07-06)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.783.0 (2023-07-03)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.782.0 (2023-06-27)
* Feature - Added support for enumerating regions for Aws::AppFabric.
1.781.0 (2023-06-20)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
Version 1.3
===========
Breaking changes
----------------
* To prevent malicious web servers from reading arbitrary files from the
  client, files must now be opened explicitly by the user in order to
  upload their contents in form submission. For example, instead of::

      browser["upload"] = "/path/to/file"

  you would now use::

      browser["upload"] = open("/path/to/file", "rb")

  This remediates
  `CVE-2023-34457 <https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4>`__.
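As an added illustration (not MechanicalSoup's own code), a simplified stand-in for the upload-field handling shows why the 1.3 change matters: when a plain string is accepted as an upload value, whatever value the fetched HTML supplies for that field becomes a path read from the client, whereas requiring an already-open file object leaves the choice of file with the user. The function names, the outright TypeError for strings, and the temp-file input are assumptions for the demo.

```python
import os
import tempfile

def upload_bytes_pre_1_3(field_value):
    """Simplified pre-1.3 behaviour (illustration, not MechanicalSoup's code):
    a plain string is treated as a client-side path and opened for reading,
    so a value planted in the page's HTML selects which local file is sent."""
    if isinstance(field_value, str):
        with open(field_value, "rb") as fh:
            return fh.read()
    return field_value.read()

def upload_bytes_1_3(field_value):
    """1.3 semantics (illustration): only a file object the user has already
    opened is accepted. Strings and paths are rejected here (assumption for
    the demo), so no server-controlled value can name a file to read."""
    if isinstance(field_value, (str, bytes, os.PathLike)):
        raise TypeError("upload fields need a file object opened by the user, not a path")
    if not hasattr(field_value, "read"):
        raise TypeError("upload value must be a readable file-like object")
    return field_value.read()

def demo():
    """Run both behaviours against a constructed file standing in for a
    client-side file named by the page. Returns (old_result, new_error, explicit)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"client-side secret")  # constructed content
        path = tmp.name
    try:
        # Old behaviour: the bare path string is enough to read the file.
        old_result = upload_bytes_pre_1_3(path)
        # New behaviour: the same string is refused.
        try:
            upload_bytes_1_3(path)
            new_error = None
        except TypeError as exc:
            new_error = str(exc)
        # New behaviour: a file the user opened explicitly is accepted.
        with open(path, "rb") as fh:
            explicit = upload_bytes_1_3(fh)
    finally:
        os.unlink(path)
    return old_result, new_error, explicit

if __name__ == "__main__":
    print(demo())
```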
Main changes
------------
* Added support for Python 3.11.
* Allow submitting a form with no submit element. This can be achieved by
passing ``submit=False`` to ``StatefulBrowser.submit_selected``.
Changelog:
New
* Migrating from another browser? Now you can bring over payment methods
you've saved in Chrome-based browsers to Firefox.
* Hardware video decoding is now enabled for Intel GPUs on Linux.
* The Tab Manager dropdown now features close buttons, so you can close tabs
more quickly.
* We've refreshed and streamlined the user interface for importing data
from other browsers.
* Users without platform support for H264 video decoding can now fall back to
Cisco's OpenH264 plugin for playback.
Fixed
* Windows Magnifier now follows the text cursor correctly when the Firefox
title bar is visible.
* Windows users on low-end/USB wifi drivers and with OS geolocation disabled
can now approve geolocation on a case by case basis without causing
system-wide network instability.
* Various security fixes.
Changed
* Undo and redo are now available in Password fields.
* On Linux, middle clicks on the new tab button will now open the xclipboard
contents in the new tab. If the xclipboard content is a URL then that URL
is opened, any other text is opened with your default search provider.
* For users with a Firefox Colorways built-in theme, the theme will be
automatically migrated to the same theme hosted on addons.mozilla.org for
Firefox profiles that have disabled add-ons auto-updates. This will allow
users to keep their Colorways theme when they are later removed from
Firefox installer files.
* Certain Firefox users may come across a message in the extensions panel
indicating that their add-ons are not allowed on the site currently open.
We have introduced a new back-end feature to only allow some extensions
monitored by Mozilla to run on specific websites for various reasons,
including security concerns.
Security fixes:
#CVE-2023-3482: Block all cookies bypass for localstorage
#CVE-2023-37201: Use-after-free in WebRTC certificate generation
#CVE-2023-37202: Potential use-after-free from compartment mismatch in
SpiderMonkey
#CVE-2023-37203: Drag and Drop API may provide access to local system files
#CVE-2023-37204: Fullscreen notification obscured via option element
#CVE-2023-37205: URL spoofing in address bar using RTL characters
#CVE-2023-37206: Insufficient validation of symlinks in the FileSystem API
#CVE-2023-37207: Fullscreen notification obscured
#CVE-2023-37208: Lack of warning when opening Diagcab files
#CVE-2023-37209: Use-after-free in `NotifyOnHistoryReload`
#CVE-2023-37210: Full-screen mode exit prevention
#CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
and Thunderbird 102.13
#CVE-2023-37212: Memory safety bugs fixed in Firefox 115