Version 7.42.1 (28 Apr 2015)
Daniel Stenberg (28 Apr 2015)
- RELEASE-NOTES: 7.42.1 ready
- CURLOPT_HEADEROPT: default to separate
Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.
Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
- RELEASE-NOTES: synced with a6e0270e
- sws: init http2 state properly
It would otherwise cause problems when running tests after 1801 etc.
- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
... as it was previouly undocumented what the pointer was.
- openssl: fix serial number output
The code extracting the cert serial number was broken and didn't display
it properly.
Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
- [Alessandro Ghedini brought this change]
curl.1: fix typo
- RELEASE-NOTES: toward 7.42.1, synced with 097460a
- [Kamil Dudka brought this change]
curl -z: do not write empty file on unmet condition
This commit fixes a regression introduced in curl-7_41_0-186-g261a0fe.
It also introduces a regression test 1424 based on tests 78 and 1423.
Reported-by: Viktor Szakats
Bug: https://github.com/bagder/curl/issues/237
- [Kamil Dudka brought this change]
docs: distribute the CURLOPT_PINNEDPUBLICKEY(3) man page, too
- connectionexists: follow-up to fd9d3a1ef1f
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.
Mistake-caught-by: Kamil Dudka
- connectionexists: fix build without NTLM
Do not access NTLM-specific struct fields when built without NTLM
enabled!
bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
- dist: include {src,lib}/checksrc.whitelist
This release includes the following changes:
o openssl: show the cipher selection to use in verbose text
o gtls: implement CURLOPT_CERTINFO
o add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
o curl: add --false-start option
o add CURLOPT_PATH_AS_IS
o curl: add --path-as-is option
o curl: create output file on successful download of an empty file
This release includes the following bugfixes:
o ConnectionExists: for NTLM re-use, require credentials to match
o cookie: cookie parser out of boundary memory access
o fix_hostname: zero length host name caused -1 index offset
o http_done: close Negotiate connections when done
o sws: timeout idle CONNECT connections
o nss: improve error handling in Curl_nss_random()
o nss: do not skip Curl_nss_seed() if data is NULL
o curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
o http2: move lots of verbose output to be debug-only
o dist: add extern-scan.pl to the tarball
o http2: return recv error on unexpected EOF
o build: Use default RandomizedBaseAddress directive in VC9+ project files
o build: Removed DataExecutionPrevention directive from VC9+ project files
o tool: Updated the warnf() function to use the GlobalConfig structure
o http2: Return error if stream was closed with other than NO_ERROR
o mprintf.h: remove #ifdef CURLDEBUG
o libtest: fixed linker errors on msvc
o tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
o curl.1: fix "The the" typo
o cmake: handle build definitions CURLDEBUG/DEBUGBUILD
o openssl: remove all uses of USE_SSLEAY
o multi: fix memory-leak on timeout (regression)
o curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
o metalink: add some error checks
o TLS: make it possible to enable ALPN/NPN without HTTP/2
o http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
o conncontrol: only log changes to the connection bit
o multi: fix *getsock() with CONNECT
o symbols.pl: handle '-' in the deprecated field
o MacOSX-Framework: use @rpath instead of @executable_path
o GnuTLS: add support for CURLOPT_CAPATH
o GnuTLS: print negotiated TLS version and full cipher suite name
o GnuTLS: don't print double newline after certificate dates
o memanalyze.pl: handle free(NULL)
o proxy: re-use proxy connections (regression)
o mk-ca-bundle: Don't report SHA1 numbers with "-q"
o http: always send Host: header as first header
o openssl: sort ciphers to use based on strength
o openssl: use colons properly in the ciphers list
o http2: detect premature close without data transfered
o hostip: Fix signal race in Curl_resolv_timeout
o closesocket: call multi socket cb on close even with custom close
o mksymbolsmanpage.pl: use std header and generate better nroff header
o connect: Fix happy eyeballs logic for IPv4-only builds
o curl_easy_perform.3: remove superfluous close brace from example
o HTTP: don't use Expect: headers when on HTTP/2
o Curl_sh_entry: remove unused 'timestamp'
o docs/libcurl: makefile portability fix
o mkhelp: Remove trailing carriage return from every line of input
o nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
o curl_easy_setopt.3: added a few missing options
o metalink: fix resource leak in OOM
o axtls: version 1.5.2 now requires that config.h be manually included
o HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
o cyassl: detect the library as renamed wolfssl
o CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
o CURLOPT_URL.3: Added "SECURITY CONCERNS
o openssl: try to avoid accessing OCSP structs when possible
o test938: added missing closing tags
o testcurl: Allow '=' in values given on command line
o tests/certs: added make target to rebuild certificates
o tests/certs: rebuild certificates with modified key usage bits
o gtls: avoid uninitialized variable
o gtls: dereferencing NULL pointer
o gtls: add check of return code
o test1513: eliminated race condition in test run
o dict: rename byte to avoid compiler shadowed declaration warning
o curl_easy_recv/send: make them work with the multi interface
o vtls: fix compile with --disable-crypto-auth but with SSL
o openssl: adapt to ASN1/X509 things gone opaque in 1.1
o openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
o curl_memory: make curl_memory.h the second-last header file loaded
o testcurl.pl: add the --notes option to supply more info about a build
o cyassl: If wolfSSL then identify as such in version string
o cyassl: Check for invalid length parameter in Curl_cyassl_random
o cyassl: default to highest possible TLS version
o Curl_ssl_md5sum: return CURLcode (fixes OOM)
o polarssl: remove dead code
o polarssl: called mbedTLS in 1.3.10 and later
o globbing: fix step parsing for character globbing ranges
o globbing: fix url number calculation when using range with step
o multi: on a request completion, check all CONNECT_PEND transfers
o build: link curl to openssl libraries when openssl support is enabled
o url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined
o vtls: Don't accept unknown CURLOPT_SSLVERSION values
o build: Fix libcurl.sln erroneous mixed configurations
o cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
o cyassl: add SSL context callback support for CyaSSL
o tool: only set SSL options if SSL is enabled
o multi: remove_handle: move pending connections
o configure: Use KRB5CONFIG for krb5-config
o axtls: add timeout within Curl_axtls_connect
o CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"
o cyassl: Fix library initialization return value
o cookie: handle spaces after the name in Set-Cookie
o http2: Fix missing nghttp2_session_send call in Curl_http2_switched
o cyassl: Fix certificate load check
o build-openssl.bat: Fix mixed line endings
o checksrc.bat: Check lib\vtls source
o DNS: fix refreshing of obsolete dns cache entries
o CURLOPT_RESOLVE: actually implement removals
o checksrc.bat: quotes to support an SRC_DIR with spaces
o cyassl: Remove 'Connecting to' message from cyassl_connect_step2
o cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
o lib/transfer.c: Remove factor of 8 from sleep time calculation
o lib/makefile.m32: add missing libs to build libcurl.dll
o build: Generate source prerequisites for Visual Studio in generate.bat
o cyassl: Include the CyaSSL build config
o firefox-db2pem: fix wildcard to find Firefox default profile
o BUGS: refer to the github issue tracker now as primary
o vtls_openssl: improve several certificate error messages
o cyassl: Add support for TLS extension SNI
o parsecfg: do not continue past a zero termination
o configure --with-nss=PATH: query pkg-config if available
o configure --with-nss: drop redundant if statement
o cyassl: Fix include order
o HTTP: fix PUT regression with Negotiate
o curl_version_info.3: fixed the 'protocols' variable type
Version 7.41.0 (25 Feb 2015)
Daniel Stenberg (25 Feb 2015)
- THANKS: added contributors from the 7.41.0 RELEASE-NOTES
- RELEASE-NOTES: sync with ffc2aeec6e (7.41.0 release time!)
Marc Hoersken (25 Feb 2015)
- Revert "telnet.c: fix handling of 0 being returned from custom read function"
This reverts commit 03fa576833643c67579ae216c4e7350fa9b5f2fe.
- telnet.c: fix invalid use of custom read function if not being set
obj_count can be 1 if the custom read function is set or the stdin
handle is a reference to a pipe. Since the pipe should be handled
using the PeekNamedPipe-check below, the custom read function should
only be used if it is actually enabled.
- telnet.c: fix handling of 0 being returned from custom read function
According to [1]: "Returning 0 will signal end-of-file to the library
and cause it to stop the current transfer."
This change makes the Windows telnet code handle this case accordingly.
[1] http://curl.haxx.se/libcurl/c/CURLOPT_READFUNCTION.html
Daniel Stenberg (24 Feb 2015)
- sws: stop logging about TPC_NODELAY nonsense
- lib530: make it less timing sensible
... by making sure the first request is completed before doing the
remainder.
Kamil Dudka (23 Feb 2015)
- connect: wait for IPv4 connection attempts
... even if the last IPv6 connection attempt has failed.
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c4
- connect: avoid skipping an IPv4 address
... in case the protocol versions are mixed in a DNS response
(IPv6 -> IPv4 -> IPv6).
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c3
Daniel Stenberg (23 Feb 2015)
- RELEASE-NOTES: synced with 5e4395eab839d
- ROADMAP: curl_easy_setopt.3 has already been split up
Remove cmake as marked for removal. It is in much better state now.
- ROADMAP: extend the HTTP/2 stuff, remove SPDY
- [Julian Ospald brought this change]
configure: allow both --with-ca-bundle and --with-ca-path
SSL_CTX_load_verify_locations by default (and if given non-Null
parameters) searches the CAfile first and falls back to CApath. This
allows for CAfile to be a basis (e.g. installed by the package manager)
and CApath to be a user configured directory.
This wasn't reflected by the previous configure constraint which this
patch fixes.
Bug: https://github.com/bagder/curl/pull/139
- [Ben Boeckel brought this change]
cmake: install the dll file to the correct directory
- [Alessandro Ghedini brought this change]
nss: fix NPN/ALPN protocol negotiation
Correctly check for memcmp() return value (it returns 0 if the strings match).
This is not really important, since curl is going to use http/1.1 anyway, but
it's still a bug I guess.
- [Alessandro Ghedini brought this change]
polarssl: fix ALPN protocol negotiation
Correctly check for strncmp() return value (it returns 0 if the strings
match).
- [Sergei Nikulov brought this change]
CMake: Fix generation of tool_hugehelp.c on windows
Use "cmake -E echo" instead of "echo".
Reviewed-by: Brad King <brad.king@kitware.com>
- [Sergei Nikulov brought this change]
CMake: fix winsock2 detection on windows
Set CMAKE_REQUIRED_DEFINITIONS to include definitions needed to get
the winsock2 API from windows.h. Simplify the order of checks to
avoid extra conditions.
Use check_include_file instead of check_include_file_concat to look
for OpenSSL headers. They do not need to participate in a sequence
of dependent system headers. Also they may cause winsock.h to be
included before ws2tcpip.h, causing the latter to not be detected
in the sequence.
Reviewed-by: Brad King <brad.king@kitware.com>
- [Alessandro Ghedini brought this change]
gtls: fix build with HTTP2
Steve Holme (16 Feb 2015)
- Makefile.vc6: Corrected typos in rename of darwinssl.obj
Nick Zitzmann (15 Feb 2015)
- By request, change the name of "curl_darwinssl.[ch]" to "darwinssl.[ch]"
Steve Holme (14 Feb 2015)
- RELEASE-NOTES: Synced with 6f89f86c3d
- tests/README: Updated to reflect email test ranges
- [Alessandro Ghedini brought this change]
curl.1: --cert-status is also supported by OpenSSL now
- build: Removed Visual Studio SuppressStartupBanner directive for VC8+
Visual Studio 2005 and above defaults to disabling the startup banner
for the Compiler, Linker and MIDL tools (with /NOLOGO). As such there
is no need to explicitly set the SuppressStartupBanner directive, as
this is a leftover from the VC7 and VC7.1 projects being upgraded to
VC8 and above.
Kamil Dudka (12 Feb 2015)
- openssl: fix a compile-time warning
lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive
Steve Holme (11 Feb 2015)
- openssl: Use OPENSSL_IS_BORINGSSL for BoringSSL detection
For consistency with other conditionally compiled code in openssl.c,
use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
not included.
Patrick Monnerat (11 Feb 2015)
- ftp: accept all 2xx responses to the PORT command
Steve Holme (9 Feb 2015)
- openssl: Disable OCSP in old versions of OpenSSL
Versions of OpenSSL prior to v0.9.8h do not support the necessary
functions for OCSP stapling.
Daniel Stenberg (9 Feb 2015)
- [Tatsuhiro Tsujikawa brought this change]
http2: Fix bug that associated stream canceled on PUSH_PROMISE
Previously we don't ignore PUSH_PROMISE header fields in on_header
callback. It makes header values mixed with following HEADERS,
resulting protocol error.
- [Jay Satiro brought this change]
polarssl: Fix exclusive SSL protocol version options
Prior to this change the options for exclusive SSL protocol versions did
not actually set the protocol exclusive.
http://curl.haxx.se/mail/lib-2015-01/0002.html
Reported-by: Dan Fandrich
- [Jay Satiro brought this change]
gskit: Fix exclusive SSLv3 option
- curl.1: clarify that -X is used for all requests
Reported-by: Jon Seymour
- curl.1: add warning when using -H and redirects
Steve Holme (7 Feb 2015)
- schannel: Removed curl_ prefix from source files
Removed the curl_ prefix from the schannel source files as discussed
with Marc and Daniel at FOSDEM.
Daniel Stenberg (6 Feb 2015)
- md5: use axTLS's own MD5 functions when available
- MD(4|5): make the MD4_* and MD5_* functions static
- axtls: fix conversion from size_t to int warning
Steve Holme (5 Feb 2015)
- ftp: Use 'CURLcode result' for curl result codes
Daniel Stenberg (5 Feb 2015)
- openssl: SSL_SESSION->ssl_version no longer exist
The struct went private in 1.0.2 so we cannot read the version number
from there anymore. Use SSL_version() instead!
Reported-by: Gisle Vanem
Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
Dan Fandrich (4 Feb 2015)
- unit1600: Fix compilation when NTLM is disabled
Daniel Stenberg (4 Feb 2015)
- MD5: fix compiler warnings and code style nits
- MD5: replace implementation
The previous one was "encumbered" by RSA Inc - to avoid the licensing
restrictions it has being replaced. This is the initial import,
inserting the md5.c and md5.h files from
http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5
Code-by: Alexander Peslyak
- MD4: fix compiler warnings and code style nits
- MD4: replace implementation
The previous one was "encumbered" by RSA Inc - to avoid the licensing
restrictions it has being replaced. This is the initial import,
inserting the md4.c and md4.h files from
http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4
Code-by: Alexander Peslyak
Steve Holme (4 Feb 2015)
- telnet: Prefer 'CURLcode result' for curl result codes
- hostasyn: Prefer 'CURLcode result' for curl result codes
- schannel: Prefer 'CURLcode result' for curl result codes
Daniel Stenberg (3 Feb 2015)
- unit1601: MD5 unit tests
- unit1600: unit test for Curl_ntlm_core_mk_nt_hash
- unit1600: NTLM unit test
- tests/README: add a new range, clean up some language
- [Jay Satiro brought this change]
opts: CURLOPT_CAINFO availability depends on SSL engine
- getpass: protect include with proper #ifdef
Reported-by: Tamir
- getpass_r: read from stdin, not stdout!
The file number used was wrong. This bug was introduced over 10 years
ago, proving this function isn't used much...
Bug: http://curl.haxx.se/bug/view.cgi?id=1476
Reported-by: Tamir
- test1135: verify the CURL_EXTERN order in header files
- Makefile.am: fix 'make distcheck'
... by removing generated files from the *_DIST variable [*] and instead
generate them with a .dist suffix, since that is then handled and put
into the release archive by our generic dist-hook.
[*] = 'make distcheck' fails with non-existing files listed there
Steve Holme (2 Feb 2015)
- curl_sasl.c: More code policing
Better use of 80 character line limit, comment corrections and line
spacing preferences.
Daniel Stenberg (2 Feb 2015)
- libcurl-symbols: first basic shot for autogenerated docs
- FAQ: minor edit of 3.22
Steve Holme (2 Feb 2015)
- build: Added removal of Visual Studio project files
Added the removal of the locally generated project files so one
may revert to a clean repository.
- build: Renamed top level Visual Studio solution files
In preparation for adding the test suite and examples projects renamed
the top level "all" solution files to better describe what they are.
This will also enable us to use "curl" rather than "curlsrc" for the
command line tool solution and project files, which will simplify some
of the configuration.
- build: Enabled DEBUGBUILD in Visual Studio debug builds
Defined the DEBUGBUILD pre-processor variable to allow extra logging,
which is particularly useful in debug builds, as we use this and Visual
Studio typically uses _DEBUG.
We could define DEBUBBUILD, in curl_setup.h, when _MSC_VER and _DEBUG is
defined but that would also affect the makefile based builds which we
probably don't want to do.
- build: Removed unused Visual Studio bscmake settings
Daniel Stenberg (2 Feb 2015)
- CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
And modify the text to refer to HTTP 2 as it isn't called "2.0".
Reported-By: Michael Wallner
Marc Hoersken (31 Jan 2015)
- TODO: moved WinSSL/SChannel todo items into docs
Daniel Stenberg (29 Jan 2015)
- [Michael Kaufmann brought this change]
CURLOPT_SEEKFUNCTION.3: also when server closes a connection
Steve Holme (29 Jan 2015)
- curl_sasl.c: Fixed compilation warning when cryptography is disabled
curl_sasl.c:1506: warning: unused variable 'chlg'
- curl_sasl.c: Fixed compilation warning when verbose debug output disabled
curl_sasl.c:1317: warning: unused parameter 'conn'
- ntlm_core: Use own odd parity function when crypto engine doesn't have one
- ntlm_core: Prefer sizeof(key) rather than hard coded sizes
- ntlm_core: Added consistent comments to DES functions
- des: Added Curl_des_set_odd_parity()
Added Curl_des_set_odd_parity() for use when cryptography engines
don't include this functionality.
- tests: Grouped SMTP SASL EXTERNAL tests with other SMTP tests
- tests: Grouped POP3 SASL EXTERNAL tests with other POP3 tests
- tests: Grouped IMAP SASL EXTERNAL tests with other IMAP tests
- sasl: Minor code policing and grammar corrections
Daniel Stenberg (28 Jan 2015)
- [Gisle Vanem brought this change]
ldap: build with BoringSSL
- security: avoid compiler warning
Possible access to uninitialised memory '&nread' at line 140 of
lib/security.c in function 'ftp_send_command'.
Reported-by: Rich Burridge
- runtests: identify BoringSSL and libressl
Patrick Monnerat (27 Jan 2015)
- docs: cite SASL external authentication.
- sasl: remove XOAUTH2 from default enabled authentication mechanism.
- test: add test cases for sasl external authentication (imap/pop3/smtp).
- imap: remove automatic password setting: it breaks external sasl authentication
- sasl: implement EXTERNAL authentication mechanism.
Its use is only enabled by explicit requirement in URL (;AUTH=EXTERNAL) and
by not setting the password.
Steve Holme (27 Jan 2015)
- openssl: Fixed Curl_ossl_cert_status_request() not returning FALSE
Modified the Curl_ossl_cert_status_request() function to return FALSE
when built with BoringSSL or when OpenSSL is missing the necessary TLS
extensions.
- openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'
Fixed the build of openssl.c when OpenSSL is built without the necessary
TLS extensions for OCSP stapling.
Reported-by: John E. Malmberg
- [Brad Spencer brought this change]
curl_setup: Disable SMB/CIFS support when HTTP only
- RELEASE-NOTES: Synced with 37824498a3
Daniel Stenberg (22 Jan 2015)
- configure: remove detection of the old yassl emulation API
... as that is ancient history and not used.
- OCSP stapling: disabled when build with BoringSSL
- [Alessandro Ghedini brought this change]
openssl: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066
section 8.
Thanks-to: Joe Mason
- for the work-around for the OpenSSL bug.
- BoringSSL: fix build for non-configure builds
HAVE_BORINGSSL gets defined now by configure and should be defined by
other build systems in case a BoringSSL build is desired.
- configure: fix BoringSSL detection and detect libresssl
Steve Holme (22 Jan 2015)
- curl_sasl: Reinstate the sasl_ prefix for locally scoped functions
Commit 7a8b2885e2 made some functions static and removed the public
Curl_ prefix. Unfortunately, it also removed the sasl_ prefix, which
is the naming convention we use in this source file.
- curl_sasl: Minor code policing following recent commits
Daniel Stenberg (22 Jan 2015)
- [John Malmberg brought this change]
openvms: Handle openssl/0.8.9zb version parsing
packages/vms/gnv_link_curl.com was assuming only a single letter suffix
in the openssl version. That assumption has been fixed for 7.40.
- BoringSSL: detected by configure, switches off NTLM
- BoringSSL: no PKCS12 support nor ERR_remove_state
- [Leith Bade brought this change]
BoringSSL: fix build
Steve Holme (20 Jan 2015)
- curl_sasl.c: chlglen is not used when cryptography is disabled
- curl_sasl.c: Fixed compilation warning when cyptography is disabled
curl_sasl.c:1453: warning C4101: 'serverdata' : unreferenced local
variable
- curl_sasl.c: Fixed compilation error when USE_WINDOWS_SSPI defined
curl_sasl.c:1221: error C2065: 'mechtable' : undeclared identifier
This error could also happen for non-SSPI builds when cryptography is
disabled (CURL_DISABLE_CRYPTO_AUTH is defined).
Patrick Monnerat (20 Jan 2015)
- SASL: make some procedures local-scoped
- SASL: common state engine for imap/pop3/smtp
- SASL: common URL option and auth capabilities decoders for all protocols
- IMAP/POP3/SMTP: use a per-connection sub-structure for SASL parameters.
Daniel Stenberg (20 Jan 2015)
- ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
Reported-by: Chris Young
- [Chris Young brought this change]
timeval: typecast for better type (on Amiga)
There is an issue with conflicting "struct timeval" definitions with
certain AmigaOS releases and C libraries, depending on what gets
included when. It's a minor difference - the OS one is unsigned,
whereas the common structure has signed elements. If the OS one ends up
getting defined, this causes a timing calculation error in curl.
It's easy enough to resolve this at the curl end, by casting the
potentially errorneous calculation to a signed long.
- openssl: do public key pinning check independently
... of the other cert verification checks so that you can set verifyhost
and verifypeer to FALSE and still check the public key.
Bug: http://curl.haxx.se/bug/view.cgi?id=1471
Reported-by: Kyle J. McKay
Patrick Monnerat (19 Jan 2015)
- OS400: CURLOPT_SSL_VERIFYSTATUS for ILE/RPG too.
Steve Holme (18 Jan 2015)
- ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
For consistency with other USE_WIN32_ defines as well as the
USE_OPENLDAP define.
- http_negotiate: Use dynamic buffer for SPN generation
Use a dynamicly allocated buffer for the temporary SPN variable similar
to how the SASL GSS-API code does, rather than using a fixed buffer of
2048 characters.
- sasl_gssapi: Make Curl_sasl_build_gssapi_spn() public
- sasl_gssapi: Fixed memory leak with local SPN variable
Daniel Stenberg (17 Jan 2015)
- http_negotiate.c: unused variable 'ret'
Steve Holme (17 Jan 2015)
- gskit.h: Code policing of function pointer arguments
- vtls: Removed unimplemented overrides of curlssl_close_all()
Carrying on from commit 037cd0d991, removed the following unimplemented
instances of curlssl_close_all():
Curl_axtls_close_all()
Curl_darwinssl_close_all()
Curl_cyassl_close_all()
Curl_gskit_close_all()
Curl_gtls_close_all()
Curl_nss_close_all()
Curl_polarssl_close_all()
- vtls: Separate the SSL backend definition from the API setup
Slight code cleanup as the SSL backend #define is mixed up with the API
function setup.
- vtls: Fixed compilation errors when SSL not used
Fixed the following warning and error from commit 3af90a6e19 when SSL
is not being used:
url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined;
assuming extern returning int
error LNK2019: unresolved external symbol Curl_ssl_cert_status_request
referenced in function Curl_setopt
- http_negotiate: Added empty decoded challenge message info text
- http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
- http_negotiate_sspi: Prefer use of 'attrs' for context attributes
Use the same variable name as other areas of SSPI code.
- http_negotiate_sspi: Use correct return type for QuerySecurityPackageInfo()
Use the SECURITY_STATUS typedef rather than a unsigned long for the
QuerySecurityPackageInfo() return and rename the variable as per other
areas of SSPI code.
- http_negotiate_sspi: Use 'CURLcode result' for CURL result code
- curl_endian: Fixed build when 64-bit integers are not supported (Part 2)
Missed Curl_read64_be() in commit bb12d44471 :(
Daniel Stenberg (16 Jan 2015)
- CURLOPT_SSL_VERIFYSTATUS.3: mention it is added in version 7.41.0
- curlver.h: next release is 7.41.0 due to the changes
- RELEASE-NOTES: mention the new OCSP stapling options, bump version
- opts: add CURLOPT_SSL_VERIFYSTATUS* to docs/Makefile
- help: add --cert-status to --help output
- copyright years: after OCSP stapling changes
- [Alessandro Ghedini brought this change]
curl: add --cert-status option
This enables the CURLOPT_SSL_VERIFYSTATUS functionality.
- [Alessandro Ghedini brought this change]
nss: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.
This requires NSS 3.15 or higher.
- [Alessandro Ghedini brought this change]
gtls: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.
This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use
at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP
response verfication to fail even on valid responses.
- [Alessandro Ghedini brought this change]
url: add CURLOPT_SSL_VERIFYSTATUS option
This option can be used to enable/disable certificate status verification using
the "Certificate Status Request" TLS extension defined in RFC6066 section 8.
This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
certificate status verification fails, and the Curl_ssl_cert_status_request()
function, used to check whether the SSL backend supports the status_request
extension.
- TheArtOfHttpScripting: skip the date at the top, we have git
- TheArtOfHttpScripting: phrase it TLS lib agnostic
Steve Holme (16 Jan 2015)
- TODO: Added some SMB ideas
- RELEASE-NOTES: Synced with 5f09947d28
- build-openssl.bat: Added check for Perl installation
- checksrc.bat: Better detection of Perl installation
- curl_endian: Fixed build when 64-bit integers are not supported
Bug: http://curl.haxx.se/mail/lib-2015-01/0094.html
Reported-by: John E. Malmberg
Daniel Stenberg (15 Jan 2015)
- [Yun SangHo brought this change]
curl.h: remove extra space
- Curl_pretransfer: reset expected transfer sizes
Reported-by: Mohammad AlSaleh
Bug: http://curl.haxx.se/mail/lib-2015-01/0065.html
Marc Hoersken (12 Jan 2015)
- curl_schannel.c: mark session as removed from cache if not freed
If the session is still used by active SSL/TLS connections, it
cannot be closed yet. Thus we mark the session as not being cached
any longer so that the reference counting mechanism in
Curl_schannel_shutdown is used to close and free the session.
Reported-by: Jean-Francois Durand
Steve Holme (9 Jan 2015)
- RELEASE-NOTES: Synced with d21b66835f
Guenter Knauf (9 Jan 2015)
- Merge pull request #134 from vszakats/mingw-m64
add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS
- Merge pull request #136 from vszakats/mingw-allow-custom-cflags
mingw build: allow to pass custom CFLAGS
Daniel Stenberg (9 Jan 2015)
- NSS: fix compiler error when built http2-enabled
Steve Holme (9 Jan 2015)
- gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
Better code reuse and consistency in calls to gss_import_name().
Viktor Szakats (9 Jan 2015)
- mingw build: allow to pass custom CFLAGS
Daniel Stenberg (8 Jan 2015)
- FTP: if EPSV fails on IPV6 connections, bail out
... instead of trying PASV, since PASV can't work with IPv6.
Reported-by: Vojtěch Král
- FTP: fix IPv6 host using link-local address
... and make sure we can connect the data connection to a host name that
is longer than 48 bytes.
Also simplifies the code somewhat by re-using the original host name
more, as it is likely still in the DNS cache.
Original-Patch-by: Vojtěch Král
Bug: http://curl.haxx.se/bug/view.cgi?id=1468
Steve Holme (8 Jan 2015)
- [Sam Schanken brought this change]
winbuild: Added option to build with c-ares
Added support for a WITH_CARES option to be used when invoking nmake
via Makefile.vc. This option enables linking against both the DLL and
static versions of the c-ares libraries, as well as the debug and
release varients, depending on the value of DEBUG. The USE_ARES
preprocessor symbol is also defined.
Guenter Knauf (8 Jan 2015)
- NetWare build: added TLS-SRP enabled build.
Steve Holme (8 Jan 2015)
- sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
Bug: http://curl.haxx.se/bug/view.cgi?id=1469
Reported-by: Thomas Klausner
Viktor Szakats (8 Jan 2015)
- add -m64 clags when targeting mingw64, add -m32/-m64 to LDFLAGS
Daniel Stenberg (8 Jan 2015)
- bump: start working towards 7.40.1
- THANKS: 14 new contributors from the 7.40.0 release notes
compile any longer, see
https://sourceforge.net/p/curl/bugs/1469/
Changes:
Curl and libcurl 7.40.0
Public curl releases: 143
Command line options: 162
curl_easy_setopt() options: 208
Public functions in libcurl: 58
Contributors: 1219
This release includes the following changes:
o http_digest: Added support for Windows SSPI based authentication
o version info: Added Kerberos V5 to the supported features
o Makefile: Added VC targets for WinIDN
o config-win32: Introduce build targets for VS2012+
o SSL: Add PEM format support for public key pinning
o smtp: Added support for the conversion of Unix newlines during mail send [8]
o smb: Added initial support for the SMB/CIFS protocol
o Added support for HTTP over unix domain sockets, via
CURLOPT_UNIX_SOCKET_PATH and --unix-socket
o sasl: Added support for GSS-API based Kerberos V5 authentication
This release includes the following bugfixes:
o darwinssl: fix session ID keys to only reuse identical sessions [18]
o url-parsing: reject CRLFs within URLs [19]
o OS400: Adjust specific support to last release
o THANKS: Remove duplicate names
o url.c: Fixed compilation warning
o ssh: Fixed build on platforms where R_OK is not defined [1]
o tool_strdup.c: include the tool strdup.h
o build: Fixed Visual Studio project file generation of strdup.[c|h]
o curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY [2]
o curl.1: show zone index use in a URL
o mk-ca-bundle.vbs: switch to new certdata.txt url
o Makefile.dist: Added some missing SSPI configurations
o build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
o SSH: use the port number as well for known_known checks [3]
o libssh2: detect features based on version, not configure checks
o http2: Deal with HTTP/2 data inside Upgrade response header buffer [4]
o multi: removed Curl_multi_set_easy_connection
o symbol-scan.pl: do not require autotools
o cmake: add ENABLE_THREADED_RESOLVER, rename ARES
o cmake: build libhostname for test suite
o cmake: fix HAVE_GETHOSTNAME definition
o tests: fix libhostname visibility
o tests: fix memleak in server/resolve.c
o vtls.h: Fixed compiler warning when compiled without SSL
o CMake: Restore order-dependent header checks
o CMake: Restore order-dependent library checks
o tool: Removed krb4 from the supported features
o http2: Don't send Upgrade headers when we already do HTTP/2
o examples: Don't call select() to sleep on windows [6]
o win32: Updated some legacy APIs to use the newer extended versions [5]
o easy.c: Fixed compilation warning when no verbose string support
o connect.c: Fixed compilation warning when no verbose string support
o build: in Makefile.m32 pass -F flag to windres
o build: in Makefile.m32 add -m32 flag for 32bit
o multi: when leaving for timeout, close accordingly
o CMake: Simplify if() conditions on check result variables
o build: in Makefile.m32 try to detect 64bit target
o multi: inform about closed sockets before they are closed
o multi-uv.c: close the file handle after download
o examples: Wait recommended 100ms when no file descriptors are ready
o ntlm: Split the SSPI based messaging code from the native messaging code
o cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
o cmake: add Kerberos to the supported feature
o CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
o http: Disable pipelining for HTTP/2 and upgraded connections
o ntlm: Fixed static'ness of local decode function
o sasl: Reduced the need for two sets of NTLM messaging functions
o multi.c: Fixed compilation warnings when no verbose string support
o select.c: fix compilation for VxWorks [7]
o multi-single.c: switch to use curl_multi_wait
o curl_multi_wait.3: clarify numfds being used if not NULL
o http.c: Fixed compilation warnings from features being disabled
o NSS: enable the CAPATH option [9]
o docs: Fix FAILONERROR typos
o HTTP: don't abort connections with pending Negotiate authentication
o HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
o http_perhapsrewind: don't abort CONNECT requests
o build: updated dependencies in makefiles
o multi.c: Fixed compilation warning
o ftp.c: Fixed compilation warnings when proxy support disabled
o get_url_file_name: Fixed crash on OOM on debug build
o cookie.c: Refactored cleanup code to simplify
o OS400: enable NTLM authentication
o ntlm: Use Windows Crypt API
o http2: avoid logging neg "failure" if h2 was not requested
o schannel_recv: return the correct code [10]
o VC build: added sspi define for winssl-zlib builds
o Curl_client_write(): chop long data, convert data only once
o openldap: do not ignore Curl_client_write() return code
o ldap: check Curl_client_write() return codes
o parsedate.c: Fixed compilation warning
o url.c: Fixed compilation warning when USE_NTLM is not defined
o ntlm_wb_response: fix "statement not reached" [11]
o telnet: fix "cast increases required alignment of target type"
o smtp: Fixed dot stuffing when EOL characters at end of input buffers [12]
o ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
o ntlm: Disable NTLM v2 when 64-bit integers are not supported
o ntlm: Use short integer when decoding 16-bit values
o ftp.c: Fixed compilation warning when no verbose string support
o synctime.c: fixed timeserver URLs
o mk-ca-bundle.pl: restored forced run again
o ntlm: Fixed return code for bad type-2 Target Info
o curl_schannel.c: Data may be available before connection shutdown
o curl_schannel: Improvements to memory re-allocation strategy [13]
o darwinssl: aprintf() to allocate the session key
o tool_util.c: Use GetTickCount64 if it is available
o lib: Fixed multiple code analysis warnings if SAL are available
o tool_binmode.c: Explicitly ignore the return code of setmode
o tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
o opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
o SFTP: work-around servers that return zero size on STAT [14]
o connect: singleipconnect(): properly try other address families after failure
o IPV6: address scope != scope id [15]
o parseurlandfillconn(): fix improper non-numeric scope_id stripping [16]
o secureserver.pl: make OpenSSL CApath and cert absolute path values
o secureserver.pl: update Windows detection and fix path conversion
o secureserver.pl: clean up formatting of config and fix verbose output
o tests: Added Windows support using Cygwin-based OpenSSH
o sockfilt.c: use non-Ex functions that are available before WinXP
o VMS: Updates for 0740-0D1220
o openssl: warn for SRP set if SSLv3 is used, not for TLS version
o openssl: make it compile against openssl 1.1.0-DEV master branch
o openssl: fix SSL/TLS versions in verbose output
o curl: show size of inhibited data when using -v
o build: Removed WIN32 definition from the Visual Studio projects
o build: Removed WIN64 definition from the libcurl Visual Studio projects
o vtls: Use bool for Curl_ssl_getsessionid() return type
o sockfilt.c: Replace 100ms sleep with thread throttle
o sockfilt.c: Reduce the number of individual memory allocations
o vtls: Don't set cert info count until memory allocation is successful
o nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
o nss: Don't ignore Curl_extract_certinfo() OOM failure
o vtls: Fixed compilation warning and an ignored return code
o sockfilt.c: Fixed compilation warnings
o darwinssl: Fixed compilation warning
o vtls: Use '(void) arg' for unused parameters
o sepheaders.c: Fixed resource leak on failure
o lib1900.c: Fixed cppcheck error [17]
o ldap: Fixed Unicode connection details in Win32 initialsation / bind calls
o ldap: Fixed Unicode DN, attributes and filter in Win32 search calls
* SSLv3 is disabled by default
* CURLOPT_COOKIELIST: Added "RELOAD" command [5]
* build: Added WinIDN build configuration options to Visual Studio projects
* ssh: improve key file search
* SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
* vtls: remove QsoSSL support, use gskit!
* mk-ca-bundle: added SHA-384 signature algorithm
* docs: added many examples for libcurl opts and other doc improvements
* build: Added VC ssh2 target to main Makefile
* MinGW: Added support to build with nghttp2
* NetWare: Added support to build with nghttp2
* build: added Watcom support to build with WinSSL
* build: Added optional specific version generation of VC project files
Bugfixes:
* curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds [9]
* openssl: build fix for versions < 0.9.8e [1]
* newlines: fix mixed newlines to LF-only [2]
* ntlm: Fixed HTTP proxy authentication when using Windows SSPI [3]
* sasl_sspi: Fixed Unicode build [4]
* file: reject paths using embedded %00
* threaded-resolver: revert Curl_expire_latest() switch [6]
* configure: allow --with-ca-path with PolarSSL too
* HTTP/2: Fix busy loop when EOF is encountered
* CURLOPT_CAPATH: return failure if set without backend support
* nss: do not fail if a CRL is already cached
* smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
* fixed 20+ nits/memory leaks identified by Coverity scans
* curl_schannel.c: Fixed possible memory or handle leak
* multi-uv.c: call curl_multi_info_read() better
* Cmake: Check for OpenSSL before OpenLDAP
* Cmake: Fix library list provided to cURL tests
* Cmake: Avoid cycle directory dependencies
* Cmake: Build with GSS-API libraries (MIT or Heimdal)
* vtls: provide backend defines for internal source code
* nss: fix a connection failure when FTPS handle is reused
* tests/http_pipe.py: Python 3 support
* cmake: build tool_hugehelp (ENABLE_MANUAL)
* cmake: enable IPv6 by default if available
* tests: move TESTCASES to Makefile.inc, add show for cmake
* ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
* ntlm: Fixed empty/bad base-64 decoded buffer return codes
* ntlm: Fixed empty type-2 decoded message info text
* cmake: add CMake/Macros.cmake to the release tarball
* cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
* cmake: use LIBCURL_VERSION from curlver.h
* cmake: generate pkg-config and curl-config
* fixed several superfluous variable assignements identified by cppcheck
* cleanup of 'CURLcode result' return code
* pipelining: only output "is not blacklisted" in debug builds
* SSL: Remove SSLv3 from SSL default due to POODLE attack
* gskit.c: remove SSLv3 from SSL default
* darwinssl: detect possible future removal of SSLv3 from the framework
* ntlm: Only define ntlm data structure when USE_NTLM is defined
* ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
* ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
* sspi: Only call CompleteAuthToken() when complete is needed
* http_negotiate: Fixed missing check for USE_SPNEGO
* HTTP: return larger than 3 digit response codes too [7]
* openssl: Check for NPN / ALPN via OpenSSL version number
* openssl: enable NPN separately from ALPN
* sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
* sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
* resume: consider a resume from [content-length] to be OK [8]
* sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
* build-openssl.bat: Fix x64 release build
* cmake: drop _BSD_SOURCE macro usage
* cmake: fix gethostby{addr,name}_r in CurlTests
* cmake: clean OtherTests, fixing -Werror
* cmake: fix struct sockaddr_storage check
* Curl_single_getsock: fix hold/pause sock handling
* SSL: PolarSSL default min SSL version TLS 1.0
* cmake: fix ZLIB_INCLUDE_DIRS use [10]
* buildconf: stop checking for libtool
Changes:
supports HTTP/2 draft-14
CURLE_HTTP2 is a new error code
CURLAUTH_NEGOTIATE is a new auth define
CURL_VERSION_GSSAPI is a new capability bit
no longer use fbopenssl for anything
schannel: use CryptGenRandom for random numbers
axtls: define curlssl_random using axTLS's PRNG
cyassl: use RNG_GenerateBlock to generate a good random number
findprotocol: show unsupported protocol within quotes
version: detect and show LibreSSL
version: detect and show BoringSSL
imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
http2: requires nghttp2 0.6.0 or later
Bugfixes:
SECURITY ADVISORY: cookie leak with IP address as domain
SECURITY ADVISORY: cookie leak for TLDs
fix a build failure on Debian when NSS support is enabled
HTTP/2: fixed compiler warnings when built disabled
cyassl: return the correct error code on no CA cert
http: Deprecate GSS-Negotiate macros due to bad naming
http: Fixed Negotiate: authentication
multi: Improve proxy CONNECT performance (regression)
ntlm_wb: Avoid invoking ntlm_auth helper with empty username
ntlm_wb: Fix hard-coded limit on NTLM auth packet size
url.c: use the preferred symbol name: *READDATA
smtp: fixed a segfault during test 1320 torture test
cyassl: made it compile with version 2.0.6 again
nss: do not check the version of NSS at run time
c-ares: fix build without IPv6 support
HTTP/2: use base64url encoding
SSPI Negotiate: Fix 3 memory leaks
libtest: fixed duplicated line in Makefile
conncache: fix compiler warning
openssl: make ossl_send return CURLE_OK better
HTTP/2: Support expect: 100-continue
HTTP/2: Fix infinite loop in readwrite_data()
parsedate: fix the return code for an overflow edge condition
darwinssl: don't use strtok()
http_negotiate_sspi: Fixed specific username and password not working
openssl: replace call to OPENSSL_config
http2: show the received header for better debugging
HTTP/2: Move :authority before non-pseudo header fields
HTTP/2: Reset promised stream, not its associated stream
HTTP/2: added some more logging for debugging stream problems
ntlm: Added support for SSPI package info query
ntlm: Fixed hard coded buffer for SSPI based auth packet generation
sasl_sspi: Fixed memory leak with not releasing Package Info struct
sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
sasl: Use a dynamic buffer for DIGEST-MD5 SPN generation
http_negotiate_sspi: Use a dynamic buffer for SPN generation
sasl_sspi: Fixed missing free of challenge buffer on SPN failure
sasl_sspi: Fixed hard coded buffer for response generation
Curl_poll + Curl_wait_ms: fix timeout return value
docs/SSLCERTS: update the section about NSS database
create_conn: prune dead connections
openssl: fix version report for the 0.9.8 branch
mk-ca-bundle.pl: switched to using hg.mozilla.org
http: fix the Content-Range: parser
Curl_disconnect: don't free the URL
win32: Fixed WinSock 2 #if
NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
curl.1: clarify --limit-rate's effect on both directions
disconnect: don't touch easy-related state on disconnects
Cmake: big cleanup and numerous fixes
HTTP/2: supports draft-14 - moved :headers before the non-psuedo headers
HTTP/2: Reset promised stream, not its associated stream
configure.ac: Add support for recent GSS-API implementations for HP-UX
CONNECT: close proxy connections that fail
CURLOPT_NOBODY.3: clarify this option is for downloads
darwinssl: fix CA certificate checking using PEM format
resolve: cache lookup for async resolvers
low-speed-limit: avoid timeout flood
polarssl: implement CURLOPT_SSLVERSION
multi: convert CURLM_STATE_CONNECT_PEND handling to a list
curl_multi_cleanup: remove superfluous NULL assigns
polarssl: support CURLOPT_CAPATH / --capath
progress: size_dl/size_ul are always >= 0, and clear "KNOWN" properly
Changes:
bits.close: introduce connection close tracking
darwinssl: Add support for --cacert
polarssl: add ALPN support
docs: Added new option man pages
Bugfixes:
build: Fixed incorrect reference to curl_setup.h in Visual Studio files
build: Use $(TargetDir) and $(TargetName) macros for .pdb and .lib output
curl.1: clarify that -u can't specify a user with colon
openssl: Fix uninitialized variable use in NPN callback
curl_easy_reset: reset the URL
curl_version_info.3: returns a pointer to a static struct
url-parser: only use if_nametoindex if detected by configure
select: with winsock, avoid passing unsupported arguments to select()
gnutls: don't use deprecated type names anymore
gnutls: allow building with nghttp2 but without ALPN support
tests: Fix portability issue with the tftpd server
curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN
curl_sasl: extended native DIGEST-MD5 cnonce to be a 32-byte hex string
random: use Curl_rand() for proper random data
Curl_ossl_init: call OPENSSL_config for initing engines
config-win32.h: Updated for VC12
winbuild: Don't USE_WINSSL when WITH_SSL is being used
getinfo: HTTP CONNECT code not reset between transfers
Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
http2: avoid segfault when using the plain-text http2
conncache: move the connection counter to the cache struct
http2: better return code error checking
curlbuild: fix GCC build on SPARC systems without configure script
tool_metalink: Support polarssl as digest provider
curl.h: reverse the enum/define setup for old symbols
curl.h: moved two really old deprecated symbols
curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
buildconf: do not search tools in current directory.
OS400: make it compilable again. Make RPG binding up to date
nss: do not abort on connection failure (failing tests 305 and 404)
nss: make the fallback to SSLv3 work again
tool: prevent valgrind from reporting possibly lost memory (nss only)
progress callback: skip last callback update on errors
nss: fix a memory leak when CURLOPT_CRLFILE is used
compiler warnings: potentially uninitialized variables
url.c: Fixed memory leak on OOM
gnutls: ignore invalid certificate dates with VERIFYPEER disabled
gnutls: fix SRP support with versions of GnuTLS from 2.99.0
gnutls: fixed a couple of uninitialized variable references
gnutls: fixed compilation against versions < 2.12.0
build: Fixed overridden compiler PDB settings in VC7 to VC12
ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
netrc: don't abort if home dir cannot be found
netrc: fixed thread safety problem by using getpwuid_r if available
cookie: avoid mutex deadlock
configure: respect host tool prefix for krb5-config
gnutls: handle IP address in cert name check
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
URL parser: IPv6 zone identifiers are now supported
CURLOPT_PROXYHEADER: set headers for proxy-only
CURLOPT_HEADEROPT: added
curl: add --proxy-header
sasl: Added support for DIGEST-MD5 via Windows SSPI
sasl: Added DIGEST-MD5 qop-option validation in native challange handling
imap: Expanded mailbox SEARCH support to use URL query strings
imap: Extended FETCH support to include PARTIAL URL specifier
nss: implement non-blocking SSL handshake
build: Reworked Visual Studio project files
poll: enable poll on darwin13
mk-ca-bundle: added -p
libtests: add a wait_ms() function
Fixed in 7.36.0 - March 26 2014
Release contains security-related bug fixes
Changes:
ntlm: Added support for NTLMv2
tool: Added support for URL specific options
openssl: add ALPN support
gtls: add ALPN support
nss: add ALPN and NPN support
added CURLOPT_EXPECT_100_TIMEOUT_MS
tool: add --no-alpn and --no-npn
added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN
winssl: enable TLSv1.1 and TLSv1.2 by default
winssl: TLSv1.2 disables certificate signatures using MD5 hash
winssl: enable hostname verification of IP address using SAN or CN
darwinssl: Don't omit CN verification when an IP address is used
http2: build with current nghttp2 version
polarssl: dropped support for PolarSSL < 1.3.0
openssl: info message with SSL version used
Bugfixes:
SECURITY ADVISORY: wrong re-use of connections
SECURITY ADVISORY: IP address wildcard certificate validation
SECURITY ADVISORY: not verifying certs for TLS to IP address / Darwinssl
SECURITY ADVISORY: not verifying certs for TLS to IP address / Winssl
nss: allow to use ECC ciphers if NSS implements them
netrc: Fixed a memory leak in an OOM condition
ftp: fixed a memory leak on wildcard error path
pipeline: Fixed a NULL pointer dereference on OOM
nss: prefer highest available TLS version
100-continue: fix timeout condition
ssh: Fixed a NULL pointer dereference on OOM condition
formpost: use semicolon in multipart/mixaed
--help: add missing --tlsv1.x options
formdata: Fixed memory leak on OOM condition
ConnectionExists: reusing possible HTTP+NTLM connections better
mingw32: fix compilation
chunked decoder: track overflows correctly
curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0
dict: fix memory leak in OOM exit path
valgrind: added suppression on optimized code
curl: output protocol headers using binary mode
tool: Added URL index to password prompt for multiple operations
ConnectionExists: re-use non-NTLM connections better
axtls: call ssl_read repeatedly
multi: make MAXCONNECTS default 4 x number of easy handles function
configure: Fix the --disable-crypto-auth option
multi: ignore SIGPIPE internally
curl.1: update the description of --tlsv1
SFTP: skip reading the dir when NOBODY=1
easy: Fixed a memory leak on OOM condition
tool: Fixed incorrect return code when setting HTTP request fails
configure: Tiny fix to honor POSIX
tool: Do not output libcurl source for the information only parameters
Rework Open Watcom make files to use standard Wmake features
x509asn: moved out Curl_verifyhost from NSS builds
configure: call it GSS-API
hostcheck: Curl_cert_hostcheck is not used by NSS builds
multi_runsingle: move timestamp into INIT
remote_port: allow connect to port 0
parse_remote_port: error out on illegal port numbers better
ssh: Pass errors from libssh2_sftp_read up the stack
docs: remove documentation on setting up krb4 support
polarssl: build fixes to work with PolarSSL 1.3.x
polarssl: fix possible handshake timeout issue in multi
nss: allow to enable/disable cipher-suites better
ssh: prevent a logic error that could result in an infinite loop
http2: free resources on disconnect
polarssl: avoid extra newlines in debug messages
rtsp: parse "Session:" header properly
trynextip: don't store 'ai' on failed connects
Curl_cert_hostcheck: strip trailing dots in host name and wildcard
imap/pop3/smtp: Added support for SASL authentication downgrades
imap/pop3/smtp: Extended the login options to support multiple auth mechanisms
TheArtOfHttpScripting: major update, converted layout and more
mprintf: Added support for I, I32 and I64 size specifiers
makefile: Added support for VC7, VC11 and VC12
Bugfixes:
SECURITY ADVISORY: re-use of wrong HTTP NTLM connection
curl_easy_setopt: Fixed OAuth 2.0 Bearer option name
pop3: Fixed APOP being determined by CAPA response rather than by timestamp
Curl_pp_readresp: zero terminate line
FILE: don't wait due to CURLOPT_MAX_RECV_SPEED_LARGE
docs: mention CURLOPT_MAX_RECV/SEND_SPEED_LARGE don't work for FILE://
pop3: Fixed auth preference not being honored when CAPA not supported
imap: Fixed auth preference not being honored when CAPABILITY not supported
threaded resolver: Use pthread_t * for curl_thread_t
FILE: we don't support paused transfers using this protocol
connect: Try all addresses in first connection attempt
curl_easy_setopt.3: Added SMTP information to CURLOPT_INFILESIZE_LARGE
OpenSSL: Fix forcing SSLv3 connections
openssl: allow explicit sslv2 selection
FTP parselist: fix "total" parser
conncache: fix possible dereference of null pointer
multi.c: fix possible dereference of null pointer
mk-ca-bundle: introduces -d and warns about using this script
ConnectionExists: fix NTLM check for new connection
trynextip: fix build for non-IPV6 capable systems
Curl_updateconninfo: don't do anything for UDP "connections"
darwinssl: un-break Leopard build after PKCS-12 change
threaded-resolver: never use NULL hints with getaddrinf
multi_socket: remind app if timeout didn't run
OpenSSL: deselect weak ciphers by default
error message: Sensible message on timeout when transfer size unknown
curl_easy_setopt.3: mention how to unset CURLOPT_INFILESIZE*
win32: Fixed use of deprecated function 'GetVersionInfoEx' for VC12
configure: fix gssapi linking on HP-UX
chunked-parser: abort on overflows, allow 64 bit chunks
chunked parsing: relax the CR strictness
cookie: max-age fixes
progress bar: always update when at 100%
progress bar: increase update frequency to 10Hz
tool: Fixed incorrect return code if command line parser runs out of memory
tool: Fixed incorrect return code if password prompting runs out of memory
HTTP POST: omit Content-Length if data size is unknown
GnuTLS: disable insecure ciphers
GnuTLS: honor --slv2 and the --tlsv1[.N] switches
multi: Fixed a memory leak on OOM condition
netrc: Fixed a memory and file descriptor leak on OOM
getpass: fix password parsing from console
TFTP: fix crash on time-out
hostip: don't remove DNS entries that are in use
tests: lots of tests fixed to pass the OOM torture tests
SSL: protocol version can be specified more precisely
imap/pop3/smtp: Added graceful cancellation of SASL authentication
Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
base64: Added validation of base64 input strings when decoding
curl_easy_setopt: Added the ability to set the login options separately
smtp: Added support for additional SMTP commands
curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
nss: allow to use TLS > 1.0 if built against recent NSS
SECURITY: added this document to describe our security processes
parseconfig: warn if unquoted white spaces are detected
Bugfixes:
SECURITY VULNERABILITY: libcurl cert name check ignore with GnuTLS
darwinssl: un-break iOS build after PKCS/12 feature added
tool: use XFERFUNCTION to save some casts
usercertinmem: fix memory leaks
ssh: Handle successful SSH_USERAUTH_NONE
NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
test906: Fixed failing test on some platforms
sasl: initialize NSS before using NTLM crypto
sasl: Fixed memory leak in OAUTH2 message creation
imap/pop3/smtp: Fixed QUIT / LOGOUT being sent when SSL connect fails
cmake: unbreak for non-Windows platforms
ssh: initialize per-handle data in ssh_connect()
glob: fix broken URLs
configure: check for long long when building with cyassl
CURLOPT_RESOLVE: mention they don't time-out
docs/examples/httpput.c: fix build for MSVC
FTP: make the data connection work when going through proxy
NSS: support for CERTINFO feature
curl_multi_wait: accept 0 from multi_timeout() as valid timeout
glob_range: pass the closing bracket for a-z ranges
tool_help: Updated --list-only description to include POP3
Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string
cmake: fix Windows build with IPv6 support
ares: Fixed compilation under Visual Studio 2012
curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation
curl.1: mention that -O does no URL decoding
darwinssl: PKCS/12 import feature now requires Lion or later
darwinssl: check for SSLSetSessionOption() presence when toggling BEAST
configure: Fix test with -Werror=implicit-function-declaration
sigpipe: factor out sigpipe_reset from easy.c
curl_multi_cleanup: ignore SIGPIPE
globbing: curl glob counter mismatch with {} list use
parseconfig: dash options can't specified with colon or equals
digest: fix CURLAUTH_DIGEST_IE
curl.h: for OpenBSD
darwinssl: Fix #if 10.6.0 for SecKeychainSearch
TFTP: fix return codes for connect timeout
login options: remove the ;[options] support from CURLOPT_USERPWD
imap: Fixed incorrect fallback to clear text authentication
parsedate: avoid integer overflow
curl.1: document -J doesn't %-decode
multi: add timer inaccuracy margin to timeout/connecttimeout
* test code for testing the event based API
* CURLM_ADDED_ALREADY: new error code
* test TFTP server: support "writedelay" within
* krb4 support has been removed
* imap/pop3/smtp: added basic SASL XOAUTH2 support
* darwinssl: add support for PKCS12 files for client authentication
* darwinssl: enable BEAST workaround on iOS 7 & later
* Pass password to OpenSSL engine by user interface
* c-ares: Add support for various DNS binding options
* cookies: add expiration
* curl: added --oauth2-bearer option
curl: allow timeouts to accept decimal values
OS400: add slist and certinfo EBCDIC support
OS400: new SSL backend GSKit
CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
LIBCURL-STRUCTS: new document
Bugfixes:
dotdot: introducing dot file path cleanup
docs: fix typo in curl_easy_getinfo manpage
test1230: avoid using hard-wired port number
test1396: invoke the correct test tool
SIGPIPE: ignored while inside the library
darwinssl: fix crash that started happening in Lion
OpenSSL: check for read errors, don't assume
c-ares: improve error message on failed resolve
printf: make sure %x are treated unsigned
formpost: better random boundaries
url: restore the functionality of 'curl -u :'
curl.1: fix typo in --xattr description
digest: improve nonce generation
configure: automake 1.14 compatibility tweak
curl.1: document the --post303 option in the man page
curl.1: document the --sasl-ir option in the man page
setup-vms.h: sk_pop symbol tweak
tool_paramhlp: try harder to catch negatives
cmake: Fix for MSVC2010 project generation
asyn-ares: Don't blank ares servers if none configured
curl_multi_wait: set revents for extra fds
Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup()
ftp_do_more: consider DO_MORE complete when server connects back
curl_easy_perform: gradually increase the delay time
curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
curl: fix upload of a zip file in OpenVMS
build: fix linking on Solaris 10
curl_formadd: CURLFORM_FILECONTENT wrongly rejected some option combos
curl_formadd: fix file upload on VMS
curl_easy_pause: on unpause, trigger mulit-socket handling
md5 & metalink: use better build macros on Apple operating systems
darwinssl: fix build error in crypto authentication under Snow Leopard
curl: make --progress-bar update the line less frequently
configure: don't error out on variable confusions (CFLAGS, LDFLAGS etc)
mk-ca-bundle: skip more untrusted certificates
formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
FTP: when EPSV gets a 229 but fails to connect, retry with PASV
mk-ca-bundle.1: don't install on make install
VMS: lots of updates and fixes of the build procedure
global dns cache: didn't work (regression)
global dns cache: fix memory leak
Changes:
--------
darwinssl: add TLS session resumption
darwinssl: add TLS crypto authentication
imap/pop3/smtp: Added support for ;auth= in the URL
imap/pop3/smtp: Added support for ;auth= to CURLOPT_USERPWD
usercertinmem.c: add example showing user cert in memory
url: Added smtp and pop3 hostnames to the protocol detection list
imap/pop3/smtp: Added support for enabling the SASL initial response
curl -E: allow to use ':' in certificate nicknames
Bugfixes:
---------
SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond
the end of the input buffer [26]
FTP: access files in root dir correctly
configure: try pthread_create without -lpthread
FTP: handle a 230 welcome response
curl-config: don't output static libs when they are disabled
CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
Various documentation updates
getinfo.c: reset timecond when clearing session-info variables
FILE: prevent an artificial timeout event due to stale speed-check data
ftp_state_pasv_resp: connect through proxy also when set by env
sshserver: disable StrictHostKeyChecking
ftpserver: Fixed imap logout confirmation data
curl_easy_init: use less mallocs
smtp: Fixed unknown percentage complete in progress bar
smtp: Fixed sending of double CRLF caused by first in EOB
bindlocal: move brace out of #ifdef
winssl: Fixed invalid memory access during SSL shutdown
OS X framework: fix invalid symbolic link
OpenSSL: allow empty server certificate subject
axtls: prevent memleaks on SSL handshake failures
cookies: only consider full path matches
Revert win32 MemoryTracking: wcsdup() _wcsdup() and _tcsdup()
Curl_cookie_add: handle IPv6 hosts
ossl_send: SSL_write() returning 0 is an error too
ossl_recv: SSL_read() returning 0 is an error too
Digest auth: escape user names with backslash or " in them
curl_formadd.3: fixed wrong "end-marker" syntax
libcurl-tutorial.3: fix incorrect backslash
curl_multi_wait: reduce timeout if the multi handle wants to
tests/Makefile: typo in the perlcheck target
axtls: honor disabled VERIFYHOST
OpenSSL: avoid double free in the PKCS12 certificate code
multi_socket: reduce timeout inaccuracy margin
digest: support auth-int for empty entity body
axtls: now done non-blocking
lib1900: use tutil_tvnow instead of gettimeofday
curl_easy_perform: avoid busy-looping
CURLOPT_COOKIELIST: take cookie share lock
multi_socket: react on socket close immediately
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
Fixed in 7.30.0 - April 12 2013
Release contains security-related bug fix
Changes:
imap: Changed response tag generation to be completely unique
imap: Added support for SASL-IR extension
imap: Added support for the list command
imap: Added support for the append command
imap: Added custom request parsing
imap: Added support to the fetch command for UID and SECTION properties
imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
darwinssl: Make certificate errors less techy
imap/pop3/smtp: Added support for the STARTTLS capability
checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling
Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control
Bugfixes:
SECURITY ADVISORY: cookie tailmatching to avoid cross-domain leakage
darwinssl: Fix build under Leopard
DONE: consider callback-aborted transfers premature
ntlm: Fixed memory leaks
smtp: Fixed an issue when processing EHLO failure responses
pop3: Fixed incorrect return value from pop3_endofresp()
pop3: Fixed SASL authentication capability detection
pop3: Fixed blocking SSL connect when connecting via POP3S
imap: Fixed memory leak when performing multiple selects
nss: fix misplaced code enabling non-blocking socket mode
AddFormData: prevent only directories from being posted
darwinssl: fix infinite loop if server disconnected abruptly
metalink: fix improbable crash parsing metalink filename
show proper host name on failed resolve
MacOSX-Framework: Make script work in Xcode 4.0 and later
strlcat: remove function
darwinssl: Fix send glitchiness with data > 32 or so KB
polarssl: better 1.1.x and 1.2.x support
various documentation improvements
multi: NULL pointer reference when closing an unused multi handle
SOCKS: fix socks proxy when noproxy matched
install-sh: updated to support multiple source files as arguments
PolarSSL: added human readable error strings
resolver_error: remove wrong error message output
docs: updates HTML index and general improvements
curlbuild.h.dist: enhance non-configure GCC ABI detection logic
sasl: Fixed null pointer reference when decoding empty digest challenge
easy: do not ignore poll() failures other than EINTR
darwinssl: disable ECC ciphers under Mountain Lion by default
CONNECT: count received headers
build: fixes for VMS
CONNECT: clear 'rewindaftersend' on success
HTTP proxy: insert slash in URL if missing
hiperfifo: updated to use current libevent API
getinmemory.c: abort the transfer nicely if not enough memory
improved win32 memorytracking
corrected proxy header response headers count
FTP quote operations on re-used connection
tcpkeepalive on win32
tcpkeepalive on Mac OS X
easy: acknowledge the CURLOPT_MAXCONNECTS option properly
easy interface: restore default MAXCONNECTS to 5
win32: don't set SO_SNDBUF for windows vista or later versions
HTTP: made cookie sort function more deterministic
winssl: Fixed memory leak if connection was not successful
FTP: wait on both connections during active STOR state
connect: treat a failed local bind of an interface as a non-fatal error
darwinssl: disable insecure ciphers by default
FTP: handle "rubbish" in front of directory name in 257 responses
mk-ca-bundle: Fixed lost OpenSSL output with "-t"
After curl 7.25.0 update (imported to pkgsrc at 20120417),
"curl-config --libs" no longer returns "-Wl,-R/usr/pkg/lib"
while "curl-config --static-libs" still returns it.
Fixes the root cause of libcurl part of PR pkg/46567, and this is
also required to fix openoffice3 issue as mentioned in PR pkg/46983.
The problem is tracked and reported by Yasushi Oshima.
Bump PKGREVISION.
Fixed in 7.29.0 - February 6 2013
Release contains security-related bug fix
(already fixed in pkgsrc)
Changes:
test: offer "automake" output and check for perl better
always-multi: always use non-blocking internals
imap: Added support for sasl digest-md5 authentication
imap: Added support for sasl cram-md5 authentication
imap: Added support for sasl ntlm authentication
imap: Added support for sasl login authentication
imap: Added support for sasl plain text authentication
imap: Added support for login disabled server capability
mk-ca-bundle: add -f, support passing to stdout and more
writeout: -w now supports remote_ip/port and local_ip/port
Bugfixes:
SECURITY ADVISORY: SASL buffer overflow vulnerability
nss: prevent NSS from crashing on client auth hook failure
darwinssl: Fixed inability to disable peer verification on Snow Leopard and Lion
curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE
SCP: relative path didn't work as documented
setup_once.h: HP-UX issue workaround
configure: fix cross pkg-config detection
runtests: Do not add undefined values to @INC
build: fix compilation with CURL_DISABLE_CRYPTO_AUTH flag
multi: fix re-sending request on early connection close
HTTP: remove stray CRLF in chunk-encoded content-free request bodies
build: fix AIX compilation and usage of events/revents
VC Makefiles: add missing hostcheck
nss: clear session cache if a client certificate from file is used
nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
fix HTTP CONNECT tunnel establishment upon delayed response
--libcurl: fix for non-zero default options
FTP: reject illegal port numbers in EPSV 229 responses
build: use per-target '_CPPFLAGS' for those currently using default
configure: fix automake 1.13 compatibility
curl: ignore SIGPIPE
pop3: Added support for non-blocking SSL upgrade
pop3: Fixed default authentication detection
imap: Fixed usernames and passwords that contain escape characters
packages/DOS/common.dj: remove COFF debug info generation
imap/pop3/smtp: Fixed failure detection during TLS upgrade
pop3: Fixed no known authentication mechanism when fallback is required
formadd: reject trying to read a directory where a file is expected
formpost: support quotes, commas and semicolon in file names
docs: update the comments about loading CA certs with NSS
docs: fix typos in man pages
darwinssl: Fix bug where packets were sometimes transmitted twice
winbuild: include version info for .dll .exe
schannel: Removed extended error connection setup flag
VMS: fix and generate the VMS build config
turned off in www/curl.
Modify the curl package to be aware of the libidn option. Ensure default
is on.
No functional change, so no version number bump.
This release includes the following changes:
o metalink/md5: Use CommonCrypto on Apple operating systems
o href_extractor: new example code extracting href elements
o NSS can be used for metalink hashing [13]
This release includes the following bugfixes:
o Fix broken libmetalink-aware OpenSSL build
o gnutls: fix the error is fatal logic [1]
o darwinssl: un-broke iOS build, fix error on server disconnect
o asyn-ares: restore functionality with c-ares < 1.6.1 [2]
o tlsauthtype: deal with the string case insensitively [3]
o Fixed MSVC libssh2 static build
o evhiperfifo: fix the pointer passed to WRITEDATA [6]
o BUGS: fix the bug tracker URL [4]
o winbuild: Use machine type of development environment
o FTP: prevent the multi interface from blocking [5]
o uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES
o httpcustomheader.c: free the headers after use
o fix >2000 bytes POST over NTLM-using proxy [7]
o redirects to URLs with fragments [8]
o don't send '#' fragments when using proxy [9]
o OpenSSL: show full issuer string [10]
o fix HTTP auth regression [11]
o CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value [12]
o ftp: EPSV-disable fix over SOCKS [14]
o Digest: Add microseconds into nounce calculation [15]
o SCP/SFTP: improve error code used for send failures
o SSL: Several SSL-backend related fixes
o removed the notorious "additional stuff not fine" debug output
o OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack
o FILE: Make upload-writes unbuffered
o custom memory callbacks failure with HTTP proxy (and more) [16]
o TFTP: handle resends
o autoconf: don't force-disable compiler debug option
o winbuild: Fix PDB file output [17]
o test2032: spurious failure caused by premature termination [18]
o memory leak: CURLOPT_RESOLVE with multi interface [19]
SSH: added agent based authentication
ftp: active conn, allow application to set sockopt after accept() call with CURLSOCKTYPE_ACCEPT
multi: add curl_multi_wait()
metalink: Added support for Microsoft Windows CryptoAPI
md5: Added support for Microsoft Windows CryptoAPI
parse_proxy: treat "socks://x" as a socks4 proxy
socks: Added support for IPv6 connections through SOCKSv5 proxy
Bugfixes:
WSAPoll disabled on Windows builds due to its bugs
segfault on request retries
curl-config: parentheses fix
VC build: add define for openssl
globbing: fix segfault when >9 globs were used
fixed a few clang-analyzer warnings
metalink: change code order to build with gnutls-nettle
gtls: fix build failure by including nettle-specific headers
change preferred HTTP auth on a handle previously used for another auth
file: use fdopen() to avoid race condition
Added DWANT_IDN_PROTOTYPES define for MSVC too
verbose: fixed (nil) output of hostnames in re-used connections
metalink: Un-broke the build when building --with-darwinssl
curl man page cleanup
Avoid leak of local device string when reusing connection
Curl_socket_check: fix return code for timeout
nss: do not print misleading NSS error codes
configure: remove the --enable/disable-nonblocking options
darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions
NTLM: re-use existing connection better
schannel crash on multi and easy handle cleanup
SOCKS: truly disable it if CURL_DISABLE_PROXY is defined
mk-ca-bundle: detect start of trust section better
gnutls: do not fail on non-fatal handshake errors
SMTP: only send SIZE if supported
ftpserver: respond with a 250 to SMTP EHLO
ssh: do not crash if MD5 fingerprint is not provided by libssh2
winbuild: Added support for building with SPNEGO enabled
metalink: Fixed validation of binary files containing EOF
setup.h: fixed for MS VC10 build
cmake: use standard findxxx modules for cmake v2.8+
HTTP_ONLY: disable more protocols
Curl_reconnect_request: clear pointer on failure
https.c example: remember to call curl_global_init()
metalink: Filter resource URLs by type
multi interface: CURLOPT_LOW_SPEED_* fix during rate limitation
curl_schannel: Removed buffer limit and optimized buffer strategy
DragonFly uses millisecond rather than second as the unit of TCP_KEEPIDLE.
Patch multiples obtained value by 1000 on DragonFly.
Patch will be submitted to curl at SourceForge.
This release includes the following changes:
o nss: the minimal supported version of NSS bumped to 3.12.x
o nss: human-readable names are now provided for NSS errors if available
o add a manual page for mk-ca-bundle
o added --post303 and the CURL_REDIR_POST_303 option for CURLOPT_POSTREDIR
o smtp: Add support for DIGEST-MD5 authentication
o pop3: Added support for additional pop3 commands
This release includes the following bugfixes:
o nss: libcurl now uses NSS_InitContext() to prevent collisions if available [1]
o URL parse: reject numerical IPv6 addresses outside brackets [4]
o MD5: fix OOM memory leak [5]
o OpenSSL cert: provide more details when cert check fails
o HTTP: empty chunked POST ended up in two zero size chunks [6]
o fixed a regression when curl resolved to multiple addresses and the first
isn't supported [7]
o -# progress meter: avoid superfluous updates and duplicate lines [8]
o headers: surround GCC attribute names with double underscores [9]
o PolarSSL: correct return code for CRL matches
o PolarSSL: include version number in version string
o PolarSSL: add support for asynchronous connect
o mk-ca-bundle: revert the LWP usage [12]
o IPv6 cookie domain: get rid of the first bracket before the second
o connect.c: return changed to CURLE_COULDNT_CONNECT when opensocket fails
o OpenSSL: Made cert hostname check conform to RFC 6125 [10]
o HTTP: reset expected DL/UL sizes on redirects [11]
o CMake: fix Windows LDAP/LDAPS option handling [2]
o CMake: fix MS Visual Studio x64 unsigned long long literal suffix [3]
o configure: update detection logic of getaddrinfo() thread-safeness
o configure: check for gethostbyname in the watt lib
o curl-config.1: fix curl-config usage in example [13]
o smtp: Fixed non-escaping of dot character at beginning of line
o MakefileBuild.vc: use the correct IDN variable
o autoconf: improve handling of versioned symbols
o curl.1: clarify -x usage
o curl: shorten user-agent
o smtp: issue with the multi-interface always sending postdata [14]
o compile error with GnuTLS+Nettle fixed
o winbuild: fix IPv6 enabled build
Fixed in 7.24.0 - January 24 2012
Release contains security-related bug fix
Changes:
* CURLOPT_QUOTE: SFTP supports the '*'-prefix now
* CURLOPT_DNS_SERVERS: set name servers if possible
* Add support for using nettle instead of gcrypt as gnutls backend
* CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes
* Added CURLOPT_ACCEPTTIMEOUT_MS
* configure: add symbols versioning option --enable-versioned-symbols
Bugfixes:
* curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036
* curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
* SSL session share: move the age counter to the share object
* -J -O: use -O name if no Content-Disposition header comes!
* protocol_connect: show verbose connect and set connect time
* query-part: ignore the URI part for given protocols
* gnutls: only translate winsock errors for old versions
* POP3: fix end of body detection
* POP3: detect when LIST returns no mails
* TELNET: improved treatment of options
* configure: add support for pkg-config detection of libidn
* CyaSSL 2.0+ library initialization adjustment
* multi interface: only use non-NULL socker function pointer
* call opensocket callback properly for active FTP
* don't call close socket callback for sockets created with accept()
* differentiate better between host/proxy errors
* SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5
* multi: handle timeouts on DNS servers by checking for new sockets
* CURLOPT_DNS_SERVERS: fix return code
* POP3: fixed escaped dot not being stripped out
* OpenSSL: check for the SSLv2 function in configure
* MakefileBuild: fix the static build
* create_conn: don't switch to HTTP protocol if tunneling is enabled
* multi interface: fix block when CONNECT_ONLY option is used
* Fix connection reuse for TLS upgraded connections
* multiple file upload with -F and custom type
* multi interface: active FTP connections are no longer blocking
* Android build fix
* timer: restore PRETRANSFER timing
* libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM
* appconnect time fixed for non-blocking connect ssl backends
* do not include SSL handshake into time spent waiting for 100-continue
* handle dns cache case insensitive
* use new host name casing for subsequent HTTP requests
* CURLOPT_RESOLVE: avoid adding already present host names
* SFTP mkdir: use correct permission
* resolve: don't leak pre-populated dns entries
* --retry: Retry transfers on timeout and DNS errors
* negotiate with SSPI backend: use the correct buffer for input
* SFTP dir: increase buffer size counter to avoid cut off file names
* TFTP: fix resending (again)
* c-ares: don't include getaddrinfo-using code
* FTP: CURLE_PARTIAL_FILE will not close the control channel
* win32-threaded-resolver: stop using a dummy socket
* OpenSSL: remove reference to openssl internal struct
* OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled
* OpenSSL: fix PKCS#12 certificate parsing related memory leak
* OpenLDAP: fix LDAP connection phase memory leak
* Telnet: Use correct file descriptor for telnet upload
* Telnet: Remove bogus optimisation of telnet upload
* URL parse: user name with ipv6 numerical address
* polarssl: show cipher suite name correctly with 1.1.0
* polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be
insecure
* gnutls: enforced use of SSLv3
Fixed in 7.23.1 - November 17 2011
Bugfixes:
Windows: curl would fail if it found no CA cert, unless -k was used. Even if a non-SSL protocol URL was used
Fixed in 7.23.0 - November 15 2011
Changes:
Empty headers can be sent in HTTP requests by terminating with a semicolon
SSL session sharing support added to curl_share_setopt()
Added support to MAIL FROM for the optional SIZE parameter
smtp: Added support for NTLM authentication
curl tool: code split into tool_*.[ch] files
Bugfixes:
handle HTTP redirects to "//hostname/path"
SMTP without --mail-from caused segfault
prevent extra progress meter headers between multiple files
allow Content-Length to be replaced when sending HTTP requests
curl now always sets postfieldsize to allow --data-binary and --data to be mixed in the same command line
curl_multi_fdset: avoid FD_SET out of bounds
lots of MinGW build tweaks
Curl_gethostname: return un-qualified machine name
fixed the openssl version number configure check
nss: certificates from files are no longer looked up by file base names
returning abort from the progress function when using the multi interface would not properly cancel the transfer and close the connection
fix libcurl.m4 to not fail with modern gcc versions
ftp: improved the failed PORT host name resolved error message
TFTP timeout and unexpected block adjustments
HTTP and GOPHER test server-side connection closing adjustments
fix endless loop upon transport connection timeout
don't clobber errno on failed connect
typecheck: allow NULL to unset CURLOPT_ERRORBUFFER
formdata: ack read callback abort
make --show-error properly position independent
set the ipv6-connection boolean correctly on connect
SMTP: fix end-of-body string escaping
gtls: only call gnutls_transport_set_lowat with HTTP: handle multiple auths in a single WWW-Authenticate line
curl_multi_fdset: correct fdset with FTP PORT use
windbuild: fix the static build
fix builds with GnuTLS version 3
fix calling of OpenSSL's ERR_remove_state(0)
HTTP auth: fix proxy Negotiate bug when Negotiate not requested
ftp PORT: don't hang if bind() fails
-# would crash on terminals wider than 256 columns
Fixed in 7.22.0 - September 13 2011
Changes:
Added CURLOPT_GSSAPI_DELEGATION
Added support for NTLM delegation to Samba's winbind daemon helper ntlm_auth
Display notes from setup file in testcurl.pl
BSD-style lwIP TCP/IP stack experimental support on Windows
OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available
--delegation was added to set CURLOPT_GSSAPI_DELEGATION
nss: start with no database if the selected database is broken
telnet: allow programatic use on Windows
Bugfixes:
curl_getdate: detect some illegal dates better
when sending a request and an error is received before the (entire) request body is sent, stop sending the request and close the connection after having received the entire response. This is equally true if an Expect: 100-continue header was used.
When using both -J and a single -O with multiple URLs, a missing init could cause a segfault
-J fixed for escaped quotes
-J fixed for file names with semicolons
progress: reset flags at transfer start to avoid wrong CURLINFO_CONTENT_LENGTH_DOWNLOAD
curl_gssapi: Guard files with HAVE_GSSAPI and rename private header
silence picky compilers: mark unused parameters
help output: more gnu like output
libtests: stop checking for CURLM_CALL_MULTI_PERFORM
setting a non-HTTP proxy with an environment variable or with CURLOPT_PROXY / --proxy (without specifying CURLOPT_PROXYTYPE) would still make it do proxy-like HTTP requests
CURLFORM_BUFFER: insert filename as documented (regression)
SOCKS: fix the connect timeout
ftp_doing: bail out on error properly while multi interfacing
improved Content-Encoded decoding error message
asyn-thread: check for dotted addresses before thread starts
cmake: find winsock when building on windows
Curl_retry_request: check return code
cookies: handle 'secure=' as if it was 'secure'
tests: break busy loops in tests 502, 555, and 573
FTP: fix proxy connect race condition with multi interface and SOCKS proxy
RTSP: GET_PARAMETER requests have a body
fixed several memory leaks in OOM situations
bad expire(0) caused multi_socket API to hang
Avoid ftruncate() static define with mingw64
mk-ca-bundle.pl: ignore untrusted certs
builds with PolarSSL 1.0.0
This release includes the following changes:
o recognize the [protocol]:// prefix in proxy hosts where the protocol is one
of socks4, socks4a, socks5 or socks5h.
o Added CURLOPT_CLOSESOCKETFUNCTION and CURLOPT_CLOSESOCKETDATA
This release includes the following bugfixes:
o SECURITY ADVISORY: inappropriate GSSAPI delegation. Full details at
http://curl.haxx.se/docs/adv_20110623.html
o NTLM: work with unicode
o fix connect with SOCKS proxy when using the multi interface
o anyauthput.c: stdint.h must not be included unconditionally
o CMake: improved build
o SCP/SFTP enable non-blocking earlier
o GnuTLS handshake: fix timeout
o cyassl: build without filesystem
o HTTPS over HTTP proxy using the multi interface
o speedcheck: invalid timeout event on a reused handle
o Force connection close for HTTP 200 OK when time condition matched
o curl_formget: fix FILE * leak
o configure: improved OpenSSL detection
o Android build: support gingerbread
o CURLFORM_STREAM: acknowledge CURLFORM_FILENAME
o windows build: use correct MS CRT
o pop3: remove extra space in LIST command
