pkgsrc changes:
- Add test dependency to Python and py-impacket for SMB and TELNET tests
Changes:
7.72.0
------
This release includes the following changes:
o content_encoding: add zstd decoding support
o CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
o CURLINFO_EFFECTIVE_METHOD: added
This release includes the following bugfixes:
o CVE-2020-8231: libcurl: wrong connect-only connection
o appveyor: collect libcurl.dll variants with prefix or suffix
o asyn-ares: correct some bad comments
o bearssl: fix build with disabled proxy support
o buildconf: avoid array concatenation in die()
o buildconf: retire ares buildconf invocation
o checksrc: ban gmtime/localtime
o checksrc: invoke script with -D to find .checksrc proper
o CI/azure: install libssh2 for use with msys2-based builds
o CI/azure: unconditionally enable warnings-as-errors with autotools
o CI/macos: enable warnings as errors for CMake builds
o CI/macos: set minimum macOS version
o CI/macos: unconditionally enable warnings-as-errors with autotools
o CI: Add muse CI analyzer
o cirrus-ci: upgrade 11-STABLE to 11.4
o CMake: don't complain about missing nroff
o CMake: fix test for warning suppressions
o cmake: fix windows xp build
o configure.ac: Sort features name in summary
o configure: allow disabling warnings
o configure: cleanup wolfssl + pkg-config conflicts when cross compiling.
o configure: show zstd "no" in summary when built without it
o connect: remove redundant message about connect failure
o curl-config: ignore REQUIRE_LIB_DEPS in --libs output
o curl.1: add a few missing valid exit codes
o curl: add %{method} to the -w variables
o curl: improve the existing file check with -J
o curl_multi_setopt: fix compiler warning "result is always false"
o curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
o CURLINFO_CERTINFO.3: fix typo
o CURLOPT_NOBODY.3: clarify what setting to 0 means
o docs: add date of 7.20 to CURLM_CALL_MULTI_PERFORM mentions
o docs: Add video link to docs/CONTRIBUTE.md
o docs: change "web site" to "website"
o docs: clarify MAX_SEND/RECV_SPEED functionality
o docs: Update a few leftover mentions of DarwinSSL
o doh: remove redundant cast
o file2memory: use a define instead of -1 unsigned value
o ftp: don't do ssl_shutdown instead of ssl_close
o ftpserver: don't verify SMTP MAIL FROM names
o getinfo: reset retry-after value in initinfo
o gnutls: repair the build with `CURL_DISABLE_PROXY`
o gtls: survive not being able to get name/issuer
o h2: repair trailer handling
o http2: close the http2 connection when no more requests may be sent
o http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
o libssh2: s/ssherr/sftperr/
o libtest/Makefile.am: add -no-undefined for libstubgss for Cygwin
o md(4|5): don't use deprecated macOS functions
o mprintf: Fix dollar string handling
o mprintf: Fix stack overflows
o multi: Condition 'extrawait' is always true
o multi: Remove 10-year old out-commented code
o multi: remove two checks always true
o multi: update comment to say easyp list is linear
o multi_remove_handle: close unused connect-only connections
o ngtcp2: adapt to error code rename
o ngtcp2: adjust to recent sockaddr updates
o ngtcp2: update to modified qlog callback prototype
o nss: fix build with disabled proxy support
o ntlm: free target_info before (re-)malloc
o openssl: fix build with LibreSSL < 2.9.1
o page-header: provide protocol details in the curl.1 man page
o quiche: handle calling disconnect twice
o runtests.pl: treat LibreSSL and BoringSSL as OpenSSL
o runtests: move the gnutls-serv tests to a dynamic port
o runtests: move the smbserver to use a dynamic port number
o runtests: move the TELNET server to a dynamic port
o runtests: run the DICT server on a random port number
o runtests: run the http2 tests on a random port number
o runtests: support dynamicly base64 encoded sections in tests
o setopt: unset NOBODY switches to GET if still HEAD
o smtp_parse_address: handle blank input string properly
o socks: use size_t for size variable
o strdup: remove the odd strlen check
o test1119: verify stdout in the test
o test1139: make it display the difference on test failures
o test1140: compare stdout
o test1908: treat file as text
o tests/FILEFORMAT.md: mention %HTTP2PORT
o tests/sshserver.pl: fix compatibility with OpenSSH for Windows
o TLS naming: fix more Winssl and Darwinssl leftovers
o tls-max.d: this option is only for TLS-using connections
o tlsv1.3.d. only for TLS-using connections
o tool_doswin: Simplify Windows version detection
o tool_getparam: make --krb option work again
o TrackMemory tests: ignore realloc and free in getenv.c
o transfer: fix data_pending for builds with both h2 and h3 enabled
o transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
o transfer: move retrycount from connect struct to easy handle
o travis/script.sh: fix use of `-n' with unquoted envvar
o travis: add ppc64le and s390x builds
o travis: update quiche builds for new boringssl layout
o url: fix CURLU and location following
o url: silence MSVC warning
o util: silence conversion warnings
o win32: Add Curl_verify_windows_version() to curlx
o WIN32: stop forcing narrow-character API
o windows: add unicode to feature list
o windows: disable Unix Sockets for old mingw
freeze ok: gdt, leot
curl and libcurl 7.71.0
Public curl releases: 192
Command line options: 232
curl_easy_setopt() options: 277
Public functions in libcurl: 82
Contributors: 2202
This release includes the following changes:
o CURLOPT_SSL_OPTIONS: optional use of Windows' CA store (with openssl) [10]
o setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency [31]
o setopt: support certificate options in memory with struct curl_blob [41]
o tool: Add option --retry-all-errors to retry on any error [27]
This release includes the following bugfixes:
o CVE-2020-8177: curl overwrite local file with -J [111]
o CVE-2020-8169: Partial password leak over DNS on HTTP redirect [48]
o *_sspi: fix bad uses of CURLE_NOT_BUILT_IN [21]
o all: fix codespell errors [75]
o altsvc: bump to h3-29 [114]
o altsvc: fix 'dsthost' may be used uninitialized in this function
o altsvc: fix parser for lines ending with CRLF [74]
o altsvc: remove the num field from the altsvc struct [109]
o appveyor: add non-debug plain autotools-based build [90]
o appveyor: disable flaky test 1501 and ignore broken 1056
o appveyor: disable test 1139 instead of ignoring it
o asyn-*: remove support for never-used NULL entry pointers [19]
o azure: use matrix strategy to avoid configuration redundancy [83]
o build: disable more code/data when built without proxy support [84]
o buildconf: remove -print from the find command that removes files
o checksrc: enhance the ASTERISKSPACE and update code accordingly [52]
o CI/macos: fix 'is already installed' errors by using bundle [94]
o cirrus: disable SFTP and SCP tests [7]
o CMake: add ENABLE_ALT_SVC option
o CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche) [34]
o CMake: add libssh build support [37]
o CMake: do not build test programs by default [30]
o CMake: fix runtests.pl with CMake, add new test targets [29]
o CMake: ignore INTERFACE_LIBRARY targets for pkg-config file [112]
o CMake: rebuild Makefile.inc.cmake when Makefile.inc changes [58]
o CODE_REVIEW.md: how to do code reviews in curl [108]
o configure: fix pthread check with static boringssl
o configure: for wolfSSL, check for the DES func needed for NTLM
o configure: only strip first -L from LDFLAGS [89]
o configure: repair the check if argv can be written to [47]
o configure: the wolfssh backend does not provide SCP [57]
o connect: improve happy eyeballs handling [118]
o connect: make happy eyeballs work for QUIC (again) [16]
o curl.1: Quote globbed URLs [51]
o curl: remove -J "informational" written on stdout [36]
o Curl_addrinfo: use one malloc instead of three [97]
o CURLINFO_ACTIVESOCKET.3: clarify the description [87]
o doc: add missing closing parenthesis in CURLINFO_SSL_VERIFYRESULT.3 [5]
o doc: Rename VERSIONS to VERSIONS.md as it already has Markdown syntax [20]
o docs/HTTP3: add qlog to the quiche build instruction
o docs/options-in-versions: which version added each cmdline option [53]
o docs: unify protocol lists [54]
o dynbuf: introduce internal generic dynamic buffer functions [17]
o easy: fix dangling pointer on easy_perform fail [26]
o examples/ephiperfifo: turn off interval when setting timerfd [79]
o examples/http2-down/upload: add error checks [78]
o examples: remove asiohiper.cpp [4]
o FILEFORMAT: add more features that tests can depend on
o FILEFORMAT: describe verify/stderr
o ftp: make domore_getsock() return the secondary socket properly
o ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void) [64]
o ftp: shut down the secondary connection properly when SSL is used [43]
o GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT [9]
o hostip: make Curl_printable_address not return anything [63]
o hostip: on macOS avoid DoH when given a numerical IP address [69]
o http2: keep trying to send pending frames after req.upload_done [40]
o http2: simplify and clean up trailer handling [6]
o HTTP3.md: clarify cargo build directory [77]
o http: move header storage to Curl_easy from connectdata [107]
o libcurl.pc: Merge Libs.private into Libs for static-only builds [28]
o libssh2: improved error output for wrong quote syntax [39]
o libssh2: keep sftp errors as 'unsigned long' [103]
o libssh2: set the expected total size in SCP upload init [2]
o libtest/cmake: Remove commented code [13]
o list-only.d: this option existed already in 4.0
o manpage: add three missing environment variables [121]
o multi: add defensive check on data->multi->num_alive [96]
o multi: implement wait using winsock events [120]
o ngtcp2: cleanup memory when failing to connect [70]
o ngtcp2: fix build with current ngtcp2 master implementing draft 28 [76]
o ngtcp2: fix happy eyeballs quic connect crash [118]
o ngtcp2: introduce qlog support [23]
o ngtcp2: never call fprintf() in lib code in release version
o ngtcp2: update with recent API changes [100]
o ntlm: enable NTLM support with wolfSSL [81]
o OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN [55]
o openssl: set FLAG_TRUSTED_FIRST unconditionally [105]
o projects: Add crypt32.lib to dependencies for all OpenSSL configs [93]
o quiche: clean up memory properly when failing to connect [71]
o quiche: enable qlog output [14]
o quiche: update SSLKEYLOGFILE support [98]
o Revert "buildconf: use find -execdir" [38]
o Revert "ssh: ignore timeouts during disconnect" [67]
o runtests: remove sleep calls [18]
o runtests: show elapsed test time with higher precision (ms)
o select: always use Sleep in Curl_wait_ms on Win32 [82]
o select: fix overflow protection in Curl_socket_check [22]
o sendf: make failf() use the mvsnprintf() return code [62]
o server/sws: fix asan warning on use of uninitialized variable
o server/util: fix logmsg format using curl_off_t argument [106]
o sha256: fixed potentially uninitialized variable [61]
o share: don't set the share flag it something fails [116]
o sockfilt: make select_ws stop waiting on exit signal event
o socks: detect connection close during handshake [95]
o socks: fix expected length of SOCKS5 reply [68]
o socks: remove unreachable breaks in socks.c and mime.c [101]
o source cleanup: remove all custom typedef structs [42]
o test1167: fixes in badsymbols.pl [73]
o test1177: look for curl.h in source directory [1]
o test1238: avoid tftpd being busy for tests shortly following [33]
o test613.pl: make tests 613 and 614 work with OpenSSH for Windows [8]
o test75: Remove precheck test
o tests: add https-proxy support to the test suite [49]
o tests: add support for SSH server variant specific transfer paths [24]
o tests: add two simple tests for --login-options [99]
o tests: make test 1248 + 1249 use %NOLISTENPORT [3]
o tests: pick a random port number for SSH [12]
o tests: run stunnel for HTTPS and FTPS on dynamic ports [11]
o timeouts: change millisecond timeouts to timediff_t from time_t [86]
o timeouts: move ms timeouts to timediff_t from int and long [104]
o tool: fixup a few --help descriptions [56]
o tool: support UTF-16 command line on Windows [46]
o tool_cfgable: free login_options at exit [102]
o tool_getparam: fix memory leak in parse_args
o tool_operate: fixed potentially uninitialized variables [60]
o tool_paramhlp: fixed potentially uninitialized strtol() variable [59]
o transfer: close connection after excess data has been read [66]
o travis: add "qlog" as feature in the quiche build
o travis: Add ngtcp2 and quiche tests for CMake
o travis: upgrade to bionic, clang-9, improve readability [35]
o typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *' [44]
o unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode' [88]
o url: accept "any length" credentials for proxy auth [72]
o url: alloc the download buffer at transfer start [85]
o url: reject too long input when parsing credentials [25]
o url: sort the protocol schemes in rough popularity order [32]
o urlapi: accept :: as a valid IPv6 address [15]
o urldata: leave the HTTP method untouched in the set.* struct [45]
o urlglob: treat literal IPv6 addresses with zone IDs as a host name [115]
o user-agent.d: spell out what happens given a blank argument [80]
o vauth/cleartext: fix theoretical integer overflow [50]
o version.d: expanded and alpha-sorted [110]
o vtls: Extract and simplify key log file handling from OpenSSL
o wolfssl: add SSLKEYLOGFILE support [65]
o wording: avoid blacklist/whitelist stereotypes [92]
o write-out.d: added "response_code"
This release includes the following changes:
o polarssl: removed
o smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
o wolfSSH: new SSH backend
This release includes the following bugfixes:
o altsvc: improved header parser
o altsvc: keep a copy of the file name to survive handle reset
o altsvc: make saving the cache an atomic operation
o altsvc: use h3-27
o azure: disable brotli on the macos debug-builds
o build: remove all HAVE_OPENSSL_ENGINE_H defines
o checksrc.bat: Fix not being able to run script from the main curl dir
o cleanup: fix several comment typos
o cleanup: fix typos and wording in docs and comments
o cmake: add support for CMAKE_LTO option
o cmake: clean up and improve build procedures
o cmake: enable SMB for Windows builds
o cmake: improve libssh2 check on Windows
o cmake: Show HTTPS-proxy in the features output
o cmake: support specifying the target Windows version
o cmake: use check_symbol_exists also for inet_pton
o configure.ac: fix comments about --with-quiche
o configure: disable metalink if mbedTLS is specified
o configure: disable metalink support for incompatible SSL/TLS
o conn: do not reuse connection if SOCKS proxy credentials differ
o conncache: removed unused Curl_conncache_bundle_size()
o connect: remove some spurious infof() calls
o connection reuse: respect the max_concurrent_streams limits
o contributors: also include people who contributed to curl-www
o contrithanks: use the most recent tag by default
o cookie: check __Secure- and __Host- case sensitively
o cookies: make saving atomic with a rename
o create-dirs.d: mention the mode
o curl: avoid using strlen for testing if a string is empty
o curl: error on --alt-svc use w/o support
o curl: let -D merge headers in one file again
o curl: make #0 not output the full URL
o curl: make the -# spaceship bar not wrap the line
o curl: remove 'config' field from OutStruct
o curl:progressbarinit: ignore column width from terminals < 20
o curl_escape.3: add a link to curl_free
o curl_getenv.3: fix the memory handling description
o curl_global_init: assume the EINTR bit by default
o curl_global_init: move the IPv6 works status bool to multi handle
o CURLINFO_COOKIELIST.3: Fix example
o CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording
o CURLOPT_PROXY_SSL_OPTIONS.3: Sync with CURLOPT_SSL_OPTIONS.3
o CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section
o data.d: remove "Multiple files can also be specified"
o digest: do not quote algorithm in HTTP authorisation
o docs/HTTP3: add --enable-alt-svc to curl's configure
o docs/HTTP3: update the OpenSSL branch to use for ngtcp2
o docs: fix typo on CURLINFO_RETRY_AFTER
o easy: remove dead code
o form.d: fix two minor typos
o ftp: convert 'sock_accepted' to a plain boolean
o ftp: remove superfluous checking for crlf in user or pwd
o ftp: shrink temp buffers used for PORT
o github action: add CIFuzz
o github: Instructions to post "uname -a" on Unix systems in issues
o GnuTLS: always send client cert
o gtls: fixed compilation when using GnuTLS < 3.5.0
o hostip: move code to resolve IP address literals to `Curl_resolv`
o HTTP-COOKIES: describe the cookie file format
o HTTP-COOKIES: mention that a trailing newline is required
o http2: make pausing/unpausing set/clear local stream window
o http2: now requires nghttp2 >= 1.12.0
o http: added 417 response treatment
o http: increase EXPECT_100_THRESHOLD to 1Mb
o http: mark POSTs with no body as "upload done" from the start
o http: move "oauth_bearer" from connectdata to Curl_easy
o include: remove non-curl prefixed defines
o KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header
o libssh2: add support for forcing a hostkey type
o libssh2: fix variable type
o libssh: improve known hosts handling
o llist: removed unused Curl_llist_move()
o location.d: the method change is from POST to GET only
o md4: fixed compilation issues when using GNU TLS gcrypt
o md4: use init/update/final functions in Secure Transport
o md5: added implementation for mbedTLS
o mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
o multi: change curl_multi_wait/poll to error on negative timeout
o multi: fix outdated comment
o multi: if Curl_readwrite sets 'comeback' use expire, not loop
o multi_done: if multiplexed, make conn->data point to another transfer
o multi_wait: stop loop when sread() returns zero
o ngtcp2: add error code for QUIC connection errors
o ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6
o ngtcp2: update to git master and its draft-25 support
o ntlm: move the winbind data into the NTLM data structure
o ntlm: pass the Curl_easy structure to the private winbind functions
o ntlm: removed the dependency on the TLS libaries when using MD5
o ntlm_wb: use Curl_socketpair() for greater portability
o oauth2-bearer.d: works for HTTP too
o openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
o openssl: remove redundant assignment
o os400: fixed the build
o pause: force-drain the transfer on unpause
o quiche: update to draft-25
o README: mention that the docs is in docs/
o RELEASE-PROCEDURE: feature win is closed post-release a few days
o runtests: make random seed fixed for a month
o runtests: restore the command log
o schannel: make CURLOPT_CAINFO work better on Windows 7
o schannel_verify: Fix alt names manual verify for UNICODE builds
o sha256: use crypto implementations when available
o singleuse.pl: support new API functions, fix curl_dbg_ handling
o smtp: support the SMTPUTF8 extension
o smtp: support UTF-8 based host names in MAIL FROM
o SOCKS: make the connect phase non-blocking
o strcase: turn Curl_raw_tolower into static
o strerror: increase STRERROR_LEN 128 -> 256
o test1323: added missing 'unit test' feature requirement
o tests: add a unit test for MD4 digest generation
o tests: add a unit test for SHA256 digest generation
o tests: add a unit test for the HMAC hash generation
o tests: deduce the tool name from the test case for unit tests
o tests: fix Python 3 compatibility of smbserver.py
o tool_dirhie: allow directory traversal during creation
o tool_homedir: change GetEnv() to use libcurl's curl_getenv()
o tool_util: improve Windows version of tvnow()
o travis: update non-OpenSSL Linux jobs to Bionic
o url: include the failure reason when curl_win32_idn_to_ascii() fails
o urlapi: guess scheme properly with credentials given
o urldata: do string enums without #ifdefs for build scripts
o vtls: refactor Curl_multissl_version to make the code clearer
o win32: USE_WIN32_CRYPTO to enable Win32 based MD4, MD5 and SHA256
pkgsrc changes:
- Removes patch-configure hunks applied upstream
Changes:
7.68.0
------
This release includes the following changes:
o TLS: add BearSSL vtls implementation
o XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
o curl: add --etag-compare and --etag-save
o curl: add --parallel-immediate
o multi: add curl_multi_wakeup()
o openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
This release includes the following bugfixes:
o CVE-2019-15601: file: on Windows, refuse paths that start with \\
o Azure Pipelines: add several builds
o CMake: add support for building with the NSS vtls backend
o CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
o CURLOPT_HEADERFUNCTION.3: Document that size is always 1
o CURLOPT_QUOTE.3: fix typos
o CURLOPT_READFUNCTION.3: fix the example
o CURLOPT_URL.3: "curl supports SMB version 1 (only)"
o CURLOPT_VERBOSE.3: see also ERRORBUFFER
o HISTORY: added cmake, HTTP/3 and parallel downloads with curl
o HISTORY: the SMB(S) support landed in 2014
o INSTALL.md: provide Android build instructions
o KNOWN_BUGS: Connection information when using TCP Fast Open
o KNOWN_BUGS: LDAP on Windows doesn't work correctly
o KNOWN_BUGS: TLS session cache doesn't work with TFO
o OPENSOCKETFUNCTION.3: correct the purpose description
o TrackMemory tests: always remove CR before LF
o altsvc: bump to h3-24
o altsvc: make the save function ignore NULL filenames
o build: Disable Visual Studio warning "conditional expression is constant"
o build: fix for CURL_DISABLE_DOH
o checksrc.bat: Add a check for vquic and vssh directories
o checksrc: repair the copyrightyear check
o cirrus-ci: enable clang sanitizers on freebsd 13
o cirrus: Drop the FreeBSD 10.4 build
o config-win32: cpu-machine-OS for Windows on ARM
o configure: avoid unportable `==' test(1) operator
o configure: enable IPv6 support without `getaddrinfo`
o configure: fix typo in help text
o conncache: CONNECT_ONLY connections assumed always in-use
o conncache: fix multi-thread use of shared connection cache
o copyrights: fix copyright year range
o create_conn: prefer multiplexing to using new connections
o curl -w: handle a blank input file correctly
o curl.h: add two missing defines for "pre ISO C" compilers
o curl/parseconfig: fix mem-leak
o curl/parseconfig: use curl_free() to free memory allocated by libcurl
o curl: cleanup multi handle on failure
o curl: fix --upload-file . hangs if delay in STDIN
o curl: fix -T globbing
o curl: improved cleanup in upload error path
o curl: make a few char pointers point to const char instead
o curl: properly free mimepost data
o curl: show better error message when no homedir is found
o curl: show error for --http3 if libcurl lacks support
o curl_setup_once: consistently use WHILE_FALSE in macros
o define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
o docs: Change 'experiemental' to 'experimental'
o docs: TLS SRP doesn't work with TLS 1.3
o docs: fix several typos
o docs: mention CURL_MAX_INPUT_LENGTH restrictions
o doh: improved both encoding and decoding
o doh: make it behave when built without proxy support
o examples/postinmemory.c: Call curl_global_cleanup always
o examples/url2file.c: corrected erroneous comment
o examples: add multi-poll.c
o global_init: undo the "intialized" bump in case of failure
o hostip: suppress compiler warning
o http_ntlm: Remove duplicate NSS initialisation
o lib: Move lib/ssh.h -> lib/vssh/ssh.h
o lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
o lib: fix warnings found when porting to NuttX
o lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
o lib: remove erroneous +x file permission on some c files
o libssh2: add support for ECDSA and ed25519 knownhost keys
o multi.h: remove INITIAL_MAX_CONCURRENT_STREAMS from public header
o multi: free sockhash on OOM
o multi_poll: avoid busy-loop when called without easy handles attached
o ngtcp2: Support the latest update key callback type
o ngtcp2: fix thread-safety bug in error-handling
o ngtcp2: free used resources on disconnect
o ngtcp2: handle key updates as ngtcp2 master branch tells us
o ngtcp2: increase QUIC window size when data is consumed
o ngtcp2: use overflow buffer for extra HTTP/3 data
o ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
o ntlm_wb: fix double-free in OOM
o openssl: Revert to less sensitivity for SYSCALL errors
o openssl: improve error message for SYSCALL during connect
o openssl: prevent recursive function calls from ctx callbacks
o openssl: retrieve reported LibreSSL version at runtime
o openssl: set X509_V_FLAG_PARTIAL_CHAIN by default
o parsedate: offer a getdate_capped() alternative
o pause: avoid updating socket if done was already called
o projects: Fix Visual Studio projects SSH builds
o projects: Fix Visual Studio wolfSSL configurations
o quiche: reject HTTP/3 headers in the wrong order
o remove_handle: clear expire timers after multi_done()
o runtests: --repeat=[num] to repeat tests
o runtests: introduce --shallow to reduce huge torture tests
o schannel: fix --tls-max for when min is --tlsv1 or default
o setopt: Fix ALPN / NPN user option when built without HTTP2
o strerror: Add Curl_winapi_strerror for Win API specific errors
o strerror: Fix an error looking up some Windows error strings
o strerror: Fix compiler warning "empty expression"
o system.h: fix for MCST lcc compiler
o test/sws: search for "Testno:" header unconditionally if no testno
o test1175: verify symbols-in-versions and libcurl-errors.3 in sync
o test1270: a basic -w redirect_url test
o test1456: remove the use of a fixed local port number
o test1558: use double slash after file:
o test1560: require IPv6 for IPv6 aware URL parsing
o tests/lib1557: fix mem-leak in OOM
o tests/lib1559: fix mem-leak in OOM
o tests/lib1591: free memory properly on OOM, in the trailers callback
o tests/unit1607: fix mem-leak in OOM
o tests/unit1609: fix mem-leak in OOM
o tests/unit1620: fix bad free in OOM
o tests: Change NTLM tests to require SSL
o tests: Fix bounce requests with truncated writes
o tests: fix build with `CURL_DISABLE_DOH`
o tests: fix permissions of ssh keys in WSL
o tests: make it possible to set executable extensions
o tests: make sure checksrc runs on header files too
o tests: set LC_ALL=en_US.UTF-8 instead of blank in several tests
o tests: use DoH feature for DoH tests
o tests: use \r\n for log messages in WSL
o tool_operate: fix mem leak when failed config parse
o travis: Fix error detection
o travis: abandon coveralls, it is not reliable
o travis: build ngtcp2 with --enable-lib-only
o travis: export the CC/CXX variables when set
o vtls: make BearSSL possible to set with CURL_SSL_BACKEND
o winbuild: Define CARES_STATICLIB when WITH_CARES=static
o winbuild: Document CURL_STATICLIB requirement for static libcurl
This release includes the following known bugs:
o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)
Changes:
7.67.0
------
This release includes the following changes:
o curl: added --no-progress-meter
o setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
o urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
This release includes the following bugfixes:
o BINDINGS: five new bindings addded
o CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
o CURLOPT_TIMEOUT.3: remove the mention of "minutes"
o ESNI: initial build/setup support
o FTP: FTPFILE_NOCWD: avoid redundant CWDs
o FTP: allow "rubbish" prepended to the SIZE response
o FTP: remove trailing slash from path for LIST/MLSD
o FTP: skip CWD to entry dir when target is absolute
o FTP: url-decode path before evaluation
o HTTP3.md: move -p for mkdir, remove -j for make
o HTTP3: fix invalid use of sendto for connected UDP socket
o HTTP3: fix ngtcp2 Windows build
o HTTP3: fix prefix parameter for ngtcp2 build
o HTTP3: fix typo somehere1 > somewhere1
o HTTP3: show an --alt-svc using example too
o INSTALL: add missing space for configure commands
o INSTALL: add vcpkg installation instructions
o README: minor grammar fix
o altsvc: accept quoted ma and persist values
o altsvc: both backends run h3-23 now
o appveyor: Add MSVC ARM64 build
o appveyor: Use two parallel compilation on appveyor with CMake
o appveyor: add --disable-proxy autotools build
o appveyor: add 32-bit MinGW-w64 build
o appveyor: add a winbuild
o appveyor: add a winbuild that uses VS2017
o appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017
o appveyor: publish artifacts on appveyor
o appveyor: upgrade VS2017 to VS2019
o asyn-thread: make use of Curl_socketpair() where available
o asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
o build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
o checksrc: fix uninitialized variable warning
o chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
o cirrus: Increase the git clone depth
o cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
o cirrus: switch off blackhole status on the freebsd CI machines
o cleanups: 21 various PVS-Studio warnings
o configure: only say ipv6 enabled when the variable is set
o configure: remove all cyassl references
o conn-reuse: requests wanting NTLM can reuse non-NTLM connections
o connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
o connect: silence sign-compare warning
o cookie: avoid harmless use after free
o cookie: pass in the correct cookie amount to qsort()
o cookies: change argument type for Curl_flush_cookies
o cookies: using a share with cookies shouldn't enable the cookie engine
o copyrights: update copyright notices to 2019
o curl: create easy handles on-demand and not ahead of time
o curl: ensure HTTP 429 triggers --retry
o curl: exit the create_transfers loop on errors
o curl: fix memory leaked by parse_metalink()
o curl: load large files with -d @ much faster
o docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
o docs: added multi-event.c example
o docs: disambiguate CURLUPART_HOST is for host name (ie no port)
o docs: note on failed handles not being counted by curl_multi_perform
o doh: allow only http and https in debug mode
o doh: avoid truncating DNS QTYPE to lower octet
o doh: clean up dangling DOH memory on easy close
o doh: fix (harmless) buffer overrun
o doh: fix undefined behaviour and open up for gcc and clang optimization
o doh: return early if there is no time left
o examples/sslbackend: fix -Wchar-subscripts warning
o examples: remove the "this exact code has not been verified"
o git: add tests/server/disabled to .gitignore
o gnutls: make gnutls_bye() not wait for response on shutdown
o http2: expire a timeout at end of stream
o http2: prevent dup'ed handles to send dummy PRIORITY frames
o http2: relax verification of :authority in push promise requests
o http2_recv: a closed stream trumps pause state
o http: lowercase headernames for HTTP/2 and HTTP/3
o ldap: Stop using wide char version of ldapp_err2string
o ldap: fix OOM error on missing query string
o mbedtls: add error message for cert validity starting in the future
o mime: when disabled, avoid C99 macro
o ngtcp2: adapt to API change
o ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
o ngtcp2: remove fprintf() calls
o openssl: close_notify on the FTP data connection doesn't mean closure
o openssl: fix compiler warning with LibreSSL
o openssl: use strerror on SSL_ERROR_SYSCALL
o os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
o parsedate: fix date parsing disabled builds
o quiche: don't close connection at end of stream
o quiche: persist connection details (fixes -I with --http3)
o quiche: set 'drain' when returning without having drained the queues
o quiche: update HTTP/3 config creation to new API
o redirect: handle redirects to absolute URLs containing spaces
o runtests: get textaware info from curl instead of perl
o schannel: reverse the order of certinfo insertions
o schannel_verify: Fix concurrent openings of CA file
o security: silence conversion warning
o setopt: handle ALTSVC set to NULL
o setopt: make it easier to add new enum values
o setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
o smb: check for full size message before reading message details
o smbserver: fix Python 3 compatibility
o socks: Fix destination host shown on SOCKS5 error
o test1162: disable MSYS2's POSIX path conversion
o test1591: fix spelling of http feature
o tests: add `connect to non-listen` keywords
o tests: fix narrowing conversion warnings
o tests: fix the test 3001 cert failures
o tests: makes tests succeed when using --disable-proxy
o tests: use %FILE_PWD for file:// URLs
o tests: use port 2 instead of 60000 for a safer non-listening port
o tool_operate: Fix retry sleep time shown to user when Retry-After
o travis: Add an ARM64 build
o url: Curl_free_request_state() should also free doh handles
o url: don't set appconnect time for non-ssl/non-ssh connections
o url: fix the NULL hostname compiler warning
o url: normalize CURLINFO_EFFECTIVE_URL
o url: only reuse TLS connections with matching pinning
o urlapi: avoid index underflow for short ipv6 hostnames
o urlapi: fix URL encoding when setting a full URL
o urlapi: fix unused variable warning
o urlapi: question mark within fragment is still fragment
o urldata: use 'bool' for the bit type on MSVC compilers
o vtls: Fix comment typo about macosx-version-min compiler flag
o vtls: fix narrowing conversion warnings
o winbuild/MakefileBuild.vc: Add vssh
o winbuild/MakefileBuild.vc: Fix line endings
o winbuild: Add manifest to curl.exe for proper OS version detection
o winbuild: add ENABLE_UNICODE option
Changes:
7.66.0
------
This release includes the following changes:
o CURLINFO_RETRY_AFTER: parse the Retry-After header value
o HTTP3: initial (experimental still not working) support
o curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
o curl: support parallel transfers with -Z
o curl_multi_poll: a sister to curl_multi_wait() that waits more
o sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
This release includes the following bugfixes:
o CVE-2019-5481: FTP-KRB double-free
o CVE-2019-5482: TFTP small blocksize heap buffer overflow
o CI: remove duplicate configure flag for LGTM.com
o CMake: remove needless newlines at end of gss variables
o CMake: use platform dependent name for dlopen() library
o CURLINFO docs: mention that in redirects times are added
o CURLOPT_ALTSVC.3: use a "" file name to not load from a file
o CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
o CURLOPT_HEADERFUNCTION.3: clarify
o CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
o CURLOPT_READFUNCTION.3: provide inline example
o CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
o Curl_addr2string: take an addrlen argument too
o Curl_fillreadbuffer: avoid double-free trailer buf on error
o HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
o alt-svc: add protocol version selection masking
o alt-svc: fix removal of expired cache entry
o alt-svc: make it use h3-22 with ngtcp2 as well
o alt-svc: more liberal ALPN name parsing
o alt-svc: send Alt-Used: in redirected requests
o alt-svc: with quiche, use the quiche h3 alpn string
o appveyor: pass on -k to make
o asyn-thread: create a socketpair to wait on
o build-openssl: fix build with Visual Studio 2019
o cleanup: move functions out of url.c and make them static
o cleanup: remove the 'numsocks' argument used in many places
o configure: avoid undefined check_for_ca_bundle
o curl.h: add CURL_HTTP_VERSION_3 to the version enum
o curl.h: fix outdated comment
o curl: cap the maximum allowed values for retry time arguments
o curl: handle a libcurl build without netrc support
o curl: make use of CURLINFO_RETRY_AFTER when retrying
o curl: remove outdated comment
o curl: use .curlrc (with a dot) on Windows
o curl: use CURLINFO_PROTOCOL to check for HTTP(s)
o curl_global_init_mem.3: mention it was added in 7.12.0
o curl_version: bump string buffer size to 250
o curl_version_info.3: mentioned ALTSVC and HTTP3
o curl_version_info: offer quic (and h3) library info
o curl_version_info: provide nghttp2 details
o defines: avoid underscore-prefixed defines
o docs/ALTSVC: remove what works and the experimental explanation
o docs/EXPERIMENTAL: explain what it means and what's experimental now
o docs/MANUAL.md: converted to markdown from plain text
o docs/examples/curlx: fix errors
o docs: s/curl_debug/curl_dbg_debug in comments and docs
o easy: resize receive buffer on easy handle reset
o examples: Avoid reserved names in hiperfifo examples
o examples: add http3.c, altsvc.c and http3-present.c
o getenv: support up to 4K environment variable contents on windows
o http09: disable HTTP/0.9 by default in both tool and library
o http2: when marked for closure and wanted to close == OK
o http2_recv: trigger another read when the last data is returned
o http: fix use of credentials from URL when using HTTP proxy
o http_negotiate: improve handling of gss_init_sec_context() failures
o md4: Use our own MD4 when no crypto libraries are available
o multi: call detach_connection before Curl_disconnect
o netrc: make the code try ".netrc" on Windows
o nss: use TLSv1.3 as default if supported
o openssl: build warning free with boringssl
o openssl: use SSL_CTX_set_<min|max>_proto_version() when available
o plan9: add support for running on Plan 9
o progress: reset download/uploaded counter between transfers
o readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
o scp: fix directory name length used in memcpy
o smb: init *msg to NULL in smb_send_and_recv()
o smtp: check for and bail out on too short EHLO response
o source: remove names from source comments
o spnego_sspi: add typecast to fix build warning
o src/makefile: fix uncompressed hugehelp.c generation
o ssh-libssh: do not specify O_APPEND when not in append mode
o ssh: move code into vssh for SSH backends
o sspi: fix memory leaks
o tests: Replace outdated test case numbering documentation
o tftp: return error when packet is too small for options
o timediff: make it 64 bit (if possible) even with 32 bit time_t
o travis: reduce number of torture tests in 'coverage'
o url: make use of new HTTP version if alt-svc has one
o urlapi: verify the IPv6 numerical address
o urldata: avoid 'generic', use dedicated pointers
o vauth: Use CURLE_AUTH_ERROR for auth function errors
pkgsrc changes:
- Remove patch-configure test(1) `==' -> `=' hunk applied upstream
Changes:
7.65.0
------
This release includes the following changes:
o CURLOPT_DNS_USE_GLOBAL_CACHE: removed
o CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
o pipelining: removed
This release includes the following bugfixes:
o CVE-2019-5435: Integer overflows in curl_url_set
o CVE-2019-5436: tftp: use the current blksize for recvfrom()
o --config: clarify that initial : and = might need quoting
o AppVeyor: enable testing for WinSSL build
o CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
o CURLOPT_ADDRESS_SCOPE: fix range check and more
o CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later
o CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
o CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
o CURL_MAX_INPUT_LENGTH: largest acceptable string input size
o Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
o INTERNALS: Add code highlighting
o OS400/ccsidcurl: replace use of Curl_vsetopt
o OpenSSL: Report -fips in version if OpenSSL is built with FIPS
o README.md: fix no-consecutive-blank-lines Codacy warning
o VC15 project: remove MinimalRebuild
o VS projects: use Unicode for VC10+
o WRITEFUNCTION: add missing set_in_callback around callback
o altsvc: Fix building with cookies disabled
o auth: Rename the various authentication clean up functions
o base64: build conditionally if there are users
o build-openssl.bat: Fixed support for OpenSSL v1.1.0+
o build: fix "clarify calculation precedence" warnings
o checksrc.bat: ignore snprintf warnings in docs/examples
o cirrus: Customize the disabled tests per FreeBSD version
o cleanup: remove FIXME and TODO comments
o cmake: avoid linking executable for some tests with cmake 3.6+
o cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
o cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
o cmake: set SSL_BACKENDS
o configure: avoid unportable `==' test(1) operator
o configure: error out if OpenSSL wasn't detected when asked for
o configure: fix default location for fish completions
o cookie: Guard against possible NULL ptr deref
o curl: make code work with protocol-disabled libcurl
o curl: report error for "--no-" on non-boolean options
o curl_easy_getinfo.3: fix minor formatting mistake
o curlver.h: use parenthesis in CURL_VERSION_BITS macro
o docs/BUG-BOUNTY: bug bounty time
o docs/INSTALL: fix broken link
o docs/RELEASE-PROCEDURE: link to live iCalendar
o documentation: Fix several typos
o doh: acknowledge CURL_DISABLE_DOH
o doh: disable DOH for the cases it doesn't work
o examples: remove unused variables
o ftplistparser: fix LGTM alert "Empty block without comment"
o hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
o http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
o http: acknowledge CURL_DISABLE_HTTP_AUTH
o http: mark bundle as not for multiuse on < HTTP/2 response
o http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
o http_negotiate: do not treat failure of gss_init_sec_context() as fatal
o http_ntlm: Corrected the name of the include guard
o http_ntlm_wb: Handle auth for only a single request
o http_ntlm_wb: Return the correct error on receiving an empty auth message
o lib509: add missing include for strdup
o lib557: initialize variables
o makedebug: Fix ERRORLEVEL detection after running where.exe
o mbedtls: enable use of EC keys
o mime: acknowledge CURL_DISABLE_MIME
o multi: improved HTTP_1_1_REQUIRED handling
o netrc: acknowledge CURL_DISABLE_NETRC
o nss: allow fifos and character devices for certificates
o nss: provide more specific error messages on failed init
o ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
o ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
o openssl: mark connection for close on TLS close_notify
o openvms: Remove pre-processor for SecureTransport
o openvms: Remove pre-processors for Windows
o parse_proxy: use the URL parser API
o parsedate: disabled on CURL_DISABLE_PARSEDATE
o pingpong: disable more when no pingpong protocols are enabled
o polarssl_threadlock: remove conditionally unused code
o progress: acknowledge CURL_DISABLE_PROGRESS_METER
o proxy: acknowledge DISABLE_PROXY more
o resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
o revert "multi: support verbose conncache closure handle"
o sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
o sasl: only enable if there's a protocol enabled using it
o scripts: fix typos
o singleipconnect: show port in the verbose "Trying ..." message
o smtp: fix compiler warning
o socks5: user name and passwords must be shorter than 256
o socks: fix error message
o socksd: new SOCKS 4+5 server for tests
o spnego_gssapi: fix return code on gss_init_sec_context() failure
o ssh-libssh: remove unused variable
o ssh: define USE_SSH if SSH is enabled (any backend)
o ssh: move variable declaration to where it's used
o test1002: correct the name
o test2100: Fix typos in test description
o tests/server/util: fix Windows Unicode build
o tests: Run global cleanup at end of tests
o tests: make Impacket (SMB server) Python 3 compatible
o tool_cb_wrt: fix bad-function-cast warning
o tool_formparse: remove redundant assignment
o tool_help: Warn if curl and libcurl versions do not match
o tool_help: include <strings.h> for strcasecmp
o transfer: fix LGTM alert "Comparison is always true"
o travis: add an osx http-only build
o travis: allow builds on branches named "ci"
o travis: install dependencies only when needed
o travis: update some builds do Xenial
o travis: updated mesalink builds
o url: always clone the CUROPT_CURLU handle
o url: convert the zone id from a IPv6 URL to correct scope id
o urlapi: add CURLUPART_ZONEID to set and get
o urlapi: increase supported scheme length to 40 bytes
o urlapi: require a non-zero host name length when parsing URL
o urlapi: stricter CURLUPART_PORT parsing
o urlapi: strip off zone id from numerical IPv6 addresses
o urlapi: urlencode characters above 0x7f correctly
o vauth/cleartext: update the PLAIN login to match RFC 4616
o vauth/oauth2: Fix OAUTHBEARER token generation
o vauth: Fix incorrect function description for Curl_auth_user_contains_domain
o vtls: fix potential ssl_buffer stack overflow
o wildcard: disable from build when FTP isn't present
o winbuild: Support MultiSSL builds
o xattr: skip unittest on unsupported platforms
pkgsrc changes:
- No longer install MANUAL, it is no longer available
- Remove patch-lib_hostcheck.c, <netinet/in.h> is already included few
lines before
- Take MAINTAINERSHIP
Changes:
7.64.1
======
This release includes the following changes:
o alt-svc: experiemental support added [74]
o configure: add --with-amissl [84]
This release includes the following bugfixes:
o AppVeyor: add MinGW-w64 and classic Mingw builds [55]
o AppVeyor: switch VS 2015 builds to VS 2017 image [49]
o CURLU: fix NULL dereference when used over proxy [73]
o Curl_easy: remove req.maxfd - never used! [58]
o Curl_now: figure out windows version in win32_init: [11]
o Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning [20]
o DoH: inherit some SSL options from user's easy handle [80]
o Secure Transport: no more "darwinssl" [56]
o Secure Transport: tvOS 11 is required for ALPN support [94]
o cirrus: Added FreeBSD builds using Cirrus CI
o cleanup: make local functions static [5]
o cli tool: do not use mime.h private structures [27]
o cmdline-opts/proxytunnel.d: the option tunnnels all protocols [83]
o configure: add additional libraries to check for LDAP support [45]
o configure: remove the unused fdopen macro [40]
o configure: show features as well in the final summary [15]
o conncache: use conn->data to know if a transfer owns it [95]
o connection: never reuse CONNECT_ONLY connections [35]
o connection_check: restore original conn->data after the check [14]
o connection_check: set ->data to the transfer doing the check [3]
o cookie: Add support for cookie prefixes [29]
o cookies: dotless names can set cookies again [81]
o cookies: fix NULL dereference if flushing cookies with no CookieInfo set [47]
o curl.1: --user and --proxy-user are hidden from ps output [86]
o curl.1: mark the argument to --cookie as <data|filename> [87]
o curl.h: use __has_declspec_attribute for shared builds [52]
o curl: display --version features sorted alphabetically [51]
o curl: fix FreeBSD compiler warning in the --xattr code [2]
o curl: remove MANUAL from -M output [38]
o curl_easy_duphandle.3: clarify that a duped handle has no shares [64]
o curl_multi_remove_handle.3: use at any time, just not from within callbacks
o curl_url.3: this API is not experimental anymore
o dns: release sharelock as soon as possible [1]
o docs: update max-redirs.d phrasing [59]
o easy: fix win32 init to work without CURL_GLOBAL_WIN32 [30]
o examples/10-at-a-time.c: improve readability and simplify
o examples/cacertinmem.c: use multiple certificates for loading CA-chain [54]
o examples/crawler: Fix the Accept-Encoding setting
o examples/ephiperfifo.c: various fixes [63]
o examples/externalsocket: add missing close socket calls [78]
o examples/http2-download: cleaned up
o examples/http2-serverpush: add some sensible error checks [31]
o examples/http2-upload: cleaned up
o examples/httpcustomheader: Value stored to 'res' is never read
o examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
o examples/sftpuploadresume: Value stored to 'result' is never read
o examples: only include <curl/curl.h> [70]
o examples: remove recursive calls to curl_multi_socket_action [42]
o examples: remove superfluous null-pointer checks
o file: fix "Checking if unsigned variable 'readcount' is less than zero." [90]
o fnmatch: disable if FTP is disabled [25]
o gnutls: remove call to deprecated gnutls_compression_get_name [66]
o gopher: remove check for path == NULL [69]
o gssapi: fix deprecated header warnings [16]
o hostip: make create_hostcache_id avoid alloc + free [4]
o http2: multi_connchanged() moved from multi.c, only used for h2 [21]
o http2: verify :athority in push promise requests [37]
o http: make adding a blank header thread-safe [33]
o http: send payload when (proxy) authentication is done [89]
o http: set state.infilesize when sending multipart formposts [57]
o makefile: make checksrc and hugefile commands "silent" [85]
o mbedtls: make it build even if MBEDTLS_VERSION_C isn't set [24]
o mbedtls: release sessionid resources on error [28]
o memdebug: log pointer before freeing its data [91]
o memdebug: make debug-specific functions use curl_dbg_ prefix [82]
o mime: put the boundary buffer into the curl_mime struct [18]
o multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME [43]
o multi: remove verbose "Expire in" ... messages [23]
o multi: removed unused code for request retries [79]
o multi: support verbose conncache closure handle [72]
o negotiate: fix for HTTP POST with Negotiate [88]
o openssl: add support for TLS ASYNC state [46]
o openssl: if cert type is ENG and no key specified, key is ENG too [93]
o pretransfer: don't strlen() POSTFIELDS set for GET requests [22]
o rand: Fix a mismatch between comments in source and header [32]
o runtests: detect "schannel" as an alias for "winssl" [50]
o schannel: be quiet - remove verbose output [19]
o schannel: close TLS before removing conn from cache [10]
o schannel: support CALG_ECDH_EPHEM algorithm [44]
o scripts/completion.pl: also generate fish completion file [67]
o singlesocket: fix the 'sincebefore' placement [36]
o source: fix two 'nread' may be used uninitialized warnings [68]
o ssh: fix Condition '!status' is always true [60]
o ssh: loop the state machine if not done and not blocking [71]
o strerror: make the strerror function use local buffers [48]
o system_win32: move win32_init here from easy.c [65]
o test578: make it read data from the correct test
o tests: Fixed XML validation errors in some test files
o tests: add stderr comparison to the test suite [26]
o tests: fix multiple may be used uninitialized warnings
o threaded-resolver: shutdown the resolver thread without error message [61]
o tool_cb_wrt: fix writing to Windows null device NUL [96]
o tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr [84]
o tool_operate: build on AmigaOS [84]
o tool_operate: fix typecheck warning [9]
o transfer.c: do not compute length of undefined hex buffer
o travis: add build using gnutls [75]
o travis: add scan-build [13]
o travis: bump the used wolfSSL version to 4.0.0 [92]
o travis: enable valgrind for the iconv tests [12]
o travis: use updated compiler versions: clang 7 and gcc 8 [77]
o unit1307: require FTP support [17]
o unit1651: survive curl_easy_init() fails
o url/idnconvert: remove scan for <= 32 ascii values [6]
o url: change conn shutdown order to ensure SOCKETFUNCTION callbacks [39]
o urlapi: reduce variable scope, remove unreachable 'break' [7]
o urldata: convert bools to bitfields and move to end [53]
o urldata: simplify bytecounters [62]
o urlglob: Argument with 'nonnull' attribute passed null
o version.c: silent scan-build even when librtmp is not enabled
o vtls: rename some of the SSL functions [84]
o wolfssl: stop custom-adding curves [41]
o x509asn1: "Dereference of null pointer"
o x509asn1: cleanup and unify code layout [34]
o zsh.pl: escape ':' character [8]
o zsh.pl: update regex to better match curl -h output [8]
curl and libcurl 7.64.0
This release includes the following changes:
* cookies: leave secure cookies alone
* hostip: support wildcard hosts
* http: Implement trailing headers for chunked transfers
* http: added options for allowing HTTP/0.9 responses
* timeval: Use high resolution timestamps on Windows
This release includes the following bugfixes:
* CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
* CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
* CVE-2019-3823: SMTP end-of-response out-of-bounds read
* FAQ: remove mention of sourceforge for github
* OS400: handle memory error in list conversion
* OS400: upgrade ILE/RPG binding.
* README: add codacy code quality badge
* Revert http_negotiate: do not close connection
* THANKS: added several missing names from year <= 2000
* build: make 'tidy' target work for metalink builds
* cmake: added checks for variadic macros
* cmake: updated check for HAVE_POLL_FINE to match autotools
* cmake: use lowercase for function name like the rest of the code
* configure: detect xlclang separately from clang
* configure: fix recv/send/select detection on Android
* configure: rewrite --enable-code-coverage
* conncache_unlock: avoid indirection by changing input argument type
* cookie: fix comment typo
* cookies: allow secure override when done over HTTPS
* cookies: extend domain checks to non psl builds
* cookies: skip custom cookies when redirecting cross-site
* curl --xattr: strip credentials from any URL that is stored
* curl -J: refuse to append to the destination file
* curl/urlapi.h: include "curl.h" first
* curl_multi_remove_handle() don't block terminating c-ares requests
* darwinssl: accept setting max-tls with default min-tls
* disconnect: separate connections and easy handles better
* disconnect: set conn->data for protocol disconnect
* docs/version.d: mention MultiSSL
* docs: fix the --tls-max description
* docs: use $(INSTALL_DATA) to install man page
* docs: use meaningless port number in CURLOPT_LOCALPORT example
* gopher: always include the entire gopher-path in request
* http2: clear pause stream id if it gets closed
* if2ip: remove unused function Curl_if_is_interface_name
* libssh: do not let libssh create socket
* libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
* libssh: free sftp_canonicalize_path() data correctly
* libtest/stub_gssapi: use "real" snprintf
* mbedtls: use VERIFYHOST
* multi: multiplexing improvements
* multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
* ntlm: fix NTMLv2 compliance
* ntlm_sspi: add support for channel binding
* openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
* openssl: fix the SSL_get_tlsext_status_ocsp_resp call
* openvms: fix OpenSSL discovery on VAX
* openvms: fix typos in documentation
* os400: add a missing closing bracket
* os400: fix extra parameter syntax error
* pingpong: change default response timeout to 120 seconds
* pingpong: ignore regular timeout in disconnect phase
* printf: fix format specifiers
* runtests.pl: Fix perl call to include srcdir
* schannel: fix compiler warning
* schannel: preserve original certificate path parameter
* schannel: stop calling it "winssl"
* sigpipe: if mbedTLS is used, ignore SIGPIPE
* smb: fix incorrect path in request if connection reused
* ssh: log the libssh2 error message when ssh session startup fails
* test1558: verify CURLINFO_PROTOCOL on file:// transfer
* test1561: improve test name
* test1653: make it survive torture tests
* tests: allow tests to pass by 2037-02-12
* tests: move objnames-* from lib into tests
* timediff: fix math for unsigned time_t
* timeval: Disable MSVC Analyzer GetTickCount warning
* tool_cb_prg: avoid integer overflow
* travis: added cmake build for osx
* urlapi: Fix port parsing of eol colon
* urlapi: distinguish possibly empty query
* urlapi: fix parsing ipv6 with zone index
* urldata: rename easy_conn to just conn
* winbuild: conditionally use /DZLIB_WINAPI
* wolfssl: fix memory-leak in threaded use
* spnego_sspi: add support for channel binding
pkgsrc changes:
- Remove no longer needed patch-lib_connect.c: imported upstream
Changes:
7.63.0
------
This release includes the following changes:
o curl: add %{stderr} and %{stdout} for --write-out
o curl: add undocumented option --dump-module-paths for win32
o setopt: add CURLOPT_CURLU
This release includes the following bugfixes:
o (lib)curl.rc: fixup for minor bugs
o CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
o CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description
o CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
o Curl_follow: accept non-supported schemes for "fake" redirects
o KNOWN_BUGS: add --proxy-any connection issue
o NTLM: Remove redundant ifdef USE_OPENSSL
o NTLM: force the connection to HTTP/1.1
o OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
o SECURITY-PROCESS: bountygraph shuts down again
o TODO: Have the URL API offer IDN decoding
o ares: remove fd from multi fd set when ares is about to close the fd
o axtls: removed
o checksrc: add COPYRIGHTYEAR check
o cmake: fix MIT/Heimdal Kerberos detection
o configure: include all libraries in ssl-libs fetch
o configure: show CFLAGS, LDFLAGS etc in summary
o connect: fix building for recent versions of Minix
o cookies: create the cookiejar even if no cookies to save
o cookies: expire "Max-Age=0" immediately
o curl: --local-port range was not "including"
o curl: fix --local-port integer overflow
o curl: fix memory leak reading --writeout from file
o curl: fixed UTF-8 in current console code page (Windows)
o curl_easy_perform: fix timeout handling
o curl_global_sslset(): id == -1 is not necessarily an error
o curl_multibyte: fix a malloc overcalculation
o curle: move deprecated error code to ifndef block
o docs: curl_formadd field and file names are now escaped
o docs: escape "\n" codes
o doh: fix memory leak in OOM situation
o doh: make it work for h2-disabled builds too
o examples/ephiperfifo: report error when epoll_ctl fails
o ftp: avoid two unsigned int overflows in FTP listing parser
o host names: allow trailing dot in name resolve, then strip it
o http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
o http: don't set CURLINFO_CONDITION_UNMET for http status code 204
o http: fix HTTP Digest auth to include query in URI
o http_negotiate: do not close connection until negotiation is completed
o impacket: add LICENSE
o infof: clearly indicate truncation
o ldap: fix LDAP URL parsing regressions
o libcurl: stop reading from paused transfers
o mprintf: avoid unsigned integer overflow warning
o netrc: don't ignore the login name specified with "--user"
o nss: Fall back to latest supported SSL version
o nss: Fix compatibility with nss versions 3.14 to 3.15
o nss: fix fallthrough comment to fix picky compiler warning
o nss: remove version selecting dead code
o nss: set default max-tls to 1.3/1.2
o openssl: Remove SSLEAY leftovers
o openssl: do not log excess "TLS app data" lines for TLS 1.3
o openssl: do not use file BIOs if not requested
o openssl: fix unused variable compiler warning with old openssl
o openssl: support session resume with TLS 1.3
o openvms: fix example name
o os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
o os400: add CURLOPT_CURLU to ILE/RPG binding
o os400: fix return type of curl_easy_pause() in ILE/RPG binding
o packages: remove old leftover files and dirs
o pop3: only do APOP with a valid timestamp
o runtests: use the local curl for verifying
o schannel: be consistent in Schannel capitalization
o schannel: better CURLOPT_CERTINFO support
o schannel: use Curl_ prefix for global private symbols
o snprintf: renamed and we now only use msnprintf()
o ssl: fix compilation with OpenSSL 0.9.7
o ssl: replace all internal uses of CURLE_SSL_CACERT
o symbols-in-versions: add missing CURLU_ symbols
o test328: verify Content-Encoding: none
o tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
o tests: drop http_pipe.py script no longer used
o tool_cb_wrt: Silence function cast compiler warning
o tool_doswin: Fix uninitialized field warning
o travis: build with clang sanitizers
o travis: remove curl before a normal build
o url: a short host name + port is not a scheme
o url: fix IPv6 numeral address parser
o urlapi: only skip encoding the first '=' with APPENDQUERY set
This release includes the following known bugs:
o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)
This release would not have looked like this without help, code, reports and
advice from friends like these:
Alessandro Ghedini, Alexey Melnichuk, Antoni Villalonga, Ben Greear,
bobmitchell1956 on github, Brad King, Brian Carpenter, daboul on github,
Daniel Gustafsson, Daniel Stenberg, Dave Reisner, David Benjamin,
Dheeraj Sangamkar, dtmsecurity on github, Elia Tufarolo, Frank Gevaerts,
Gergely Nagy, Gisle Vanem, Hagai Auro, Han Han, infinnovation-dev on github,
James Knight, Jérémy Rocher, Jeroen Ooms, Jim Fuller, Johannes Schindelin,
Kamil Dudka, Konstantin Kushnir, Marcel Raad, Marc Hörsken, Marcos Diazr,
Michael Kaufmann, NTMan on Github, Patrick Monnerat, Paul Howarth,
Pavel Pavlov, Peter Wu, Ray Satiro, Rod Widdowson, Romain Fliedel,
Samuel Surtees, Sevan Janiyan, Stefan Kanthak, Sven Blumenstein, Tim Rühsen,
Tobias Hintze, Tomas Hoger, tonystz on Github, tpaukrt on github,
Viktor Szakats, Yasuhiro Matsumoto,
(51 contributors)
Thanks! (and sorry if I forgot to mention someone)
Changes:
7.62.0
------
This release includes the following changes:
o multiplex: enable by default
o url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
o setopt: add CURLOPT_DOH_URL
o curl: --doh-url added
o setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
o imap: change from "FETCH" to "UID FETCH"
o configure: add option to disable automatic OpenSSL config loading
o upkeep: add a connection upkeep API: curl_easy_upkeep()
o URL-API: added five new functions
o vtls: MesaLink is a new TLS backend
This release includes the following bugfixes:
o CVE-2018-16839: SASL password overflow via integer overflow
o CVE-2018-16840: use-after-free in handle close
o CVE-2018-16842: warning message out-of-buffer read
o CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated
o Curl_dedotdotify(): always nul terminate returned string
o Curl_follow: Always free the passed new URL
o Curl_http2_done: fix memleak in error path
o Curl_retry_request: fix memory leak
o Curl_saferealloc: Fixed typo in docblock
o FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
o GnutTLS: TLS 1.3 support
o SECURITY-PROCESS: mention the bountygraph program
o VS projects: add USE_IPV6:
o Windows: fixes for MinGW targeting Windows Vista
o anyauthput: fix compiler warning on 64-bit Windows
o appveyor: add WinSSL builds
o appveyor: run test suite (on Windows!)
o certs: generate tests certs with sha256 digest algorithm
o checksrc: enable strict mode and warnings
o checksrc: handle zero scoped ignore commands
o cmake: Backport to work with CMake 3.0 again
o cmake: Improve config installation
o cmake: add support for transitive ZLIB target
o cmake: disable -Wpedantic-ms-format
o cmake: don't require OpenSSL if USE_OPENSSL=OFF
o cmake: fixed path used in generation of docs/tests
o cmake: remove unused *SOCKLEN_T variables
o cmake: suppress MSVC warning C4127 for libtest
o cmake: test and set missed defines during configuration
o comment: Fix multiple typos in function parameters
o config: Remove unused SIZEOF_VOIDP
o config_win32: enable LDAPS
o configure: force-use -lpthreads on HPUX
o configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
o configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
o cookies: Remove redundant expired check
o cookies: fix leak when writing cookies to file
o curl-config.in: remove dependency on bc
o curl.1: --ipv6 mutexes ipv4 (fixed typo)
o curl: enabled Windows VT Support and UTF-8 output
o curl: update the documentation of --tlsv1.0
o curl_multi_wait: call getsock before figuring out timeout
o curl_ntlm_wb: check aprintf() return codes
o curl_threads: fix classic MinGW compile break
o darwinssl: Fix realloc memleak
o darwinssl: more specific and unified error codes
o data-binary.d: clarify default content-type is x-www-form-urlencoded
o docs/BUG-BOUNTY: explain the bounty program
o docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers
o docs/CIPHERS: fix the TLS 1.3 cipher names
o docs/CIPHERS: mention the colon separation for OpenSSL
o docs/examples: URL updates
o docs: add "see also" links for SSL options
o example/asiohiper: insert warning comment about its status
o example/htmltidy: fix include paths of tidy libraries
o examples/Makefile.m32: sync with core
o examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
o examples/parseurl.c: show off the URL API
o examples: Fix memory leaks from realloc errors
o examples: do not wait when no transfers are running
o ftp: include command in Curl_ftpsend sendbuffer
o gskit: make sure to terminate version string
o gtls: Values stored to but never read
o hostip: fix check on Curl_shuffle_addr return value
o http2: fix memory leaks on error-path
o http: fix memleak in rewind error path
o krb5: fix memory leak in krb_auth
o ldap: show precise LDAP call in error message on Windows
o lib: fix gcc8 warning on Windows
o memory: add missing curl_printf header
o memory: ensure to check allocation results
o multi: Fix error handling in the SENDPROTOCONNECT state
o multi: fix memory leak in content encoding related error path
o multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
o netrc: free temporary strings if memory allocation fails
o nss: fix nssckbi module loading on Windows
o nss: try to connect even if libnssckbi.so fails to load
o ntlm_wb: Fix memory leaks in ntlm_wb_response
o ntlm_wb: bail out if the response gets overly large
o openssl: assume engine support in 0.9.8 or later
o openssl: enable TLS 1.3 post-handshake auth
o openssl: fix gcc8 warning
o openssl: load built-in engines too
o openssl: make 'done' a proper boolean
o openssl: output the correct cipher list on TLS 1.3 error
o openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
o openssl: show "proper" version number for libressl builds
o pipelining: deprecated
o rand: add comment to skip a clang-tidy false positive
o rtmp: fix for compiling with lwIP
o runtests: ignore disabled even when ranges are given
o runtests: skip ld_preload tests on macOS
o runtests: use Windows paths for Windows curl
o schannel: unified error code handling
o sendf: Fix whitespace in infof/failf concatenation
o ssh: free the session on init failures
o ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
o system.h: use proper setting with Sun C++ as well
o test1299: use single quotes around asterisk
o test1452: mark as flaky
o test1651: unit test Curl_extract_certinfo()
o test320: strip out more HTML when comparing
o tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
o tests: add unit tests for url.c
o timeval: fix use of weak symbol clock_gettime() on Apple platforms
o tool_cb_hdr: handle failure of rename()
o travis: add a "make tidy" build that runs clang-tidy
o travis: add build for "configure --disable-verbose"
o travis: bump the Secure Transport build to use xcode
o travis: make distcheck scan for BOM markers
o unit1300: fix stack-use-after-scope AddressSanitizer warning
o urldata: Fix "connecting" comment
o urlglob: improve error message on bad globs
o vtls: fix ssl version "or later" behavior change for many backends
o x509asn1: Fix SAN IP address verification
o x509asn1: always check return code from getASN1Element()
o x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
o x509asn1: suppress left shift on signed value
Curl and libcurl 7.61.0
This release includes the following changes:
* getinfo: add microsecond precise timers for seven intervals
* curl: show headers in bold, switch off with --no-styled-output
* httpauth: add support for Bearer tokens
* Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
* curl: --tls13-ciphers and --proxy-tls13-ciphers
* Add CURLOPT_DISALLOW_USERNAME_IN_URL
* curl: --disallow-username-in-url
This release includes the following bugfixes:
* CVE-2018-0500: smtp: fix SMTP send buffer overflow
* schannel: disable client cert option if APIs not available
* schannel: disable manual verify if APIs not available
* tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
* openssl: acknowledge --tls-max for default version too
* stub_gssapi: fix 'unused parameter' warnings
* examples/progressfunc: make it build on both new and old libcurls
* docs: mention it is HA Proxy protocol "version 1"
* curl_fnmatch: only allow two asterisks for matching
* docs: clarify CURLOPT_HTTPGET
* configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
* configure: do compile-time SIZEOF checks instead of run-time
* checksrc: make sure sizeof() is used *with* parentheses
* CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
* schannel: make CAinfo parsing resilient to CR/LF
* tftp: make sure error is zero terminated before printfing it
* http resume: skip body if http code 416 (range error) is ignored
* configure: add basic test of --with-ssl prefix
* cmake: set -d postfix for debug builds
* multi: provide a socket to wait for in Curl_protocol_getsock
* content_encoding: handle zlib versions too old for Z_BLOCK
* winbuild: only delete OUTFILE if it exists
* winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
* schannel: add failf calls for client certificate failures
* cmake: Fix the test for fsetxattr and strerror_r
* curl.1: Fix cmdline-opts reference errors
* cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
* cmake: check for getpwuid_r
* configure: fix ssh2 linking when built with a static mbedtls
* psl: use latest psl and refresh it periodically
* fnmatch: insist on escaped bracket to match
* KNOWN_BUGS: restore text regarding 2101
* INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
* configure: override AR_FLAGS to silence warning
* os400: implement mime api EBCDIC wrappers
* curl.rc: embed manifest for correct Windows version detection
* strictness: correct {infof, failf} format specifiers
* tests: update .gitignore for libtests
* configure: check for declaration of getpwuid_r
* fnmatch: use the system one if available
* CURLOPT_RESOLVE: always purge old entry first
* multi: remove a potentially bad DEBUGF()
* curl_addrinfo: use same #ifdef conditions in source as header
* build: remove the Borland specific makefiles
* axTLS: not considered fit for use
* cmdline-opts/cert-type.d: mention "p12" as a recognized type
* system.h: add support for IBM xlc C compiler
* tests/libtest: Add lib1521 to nodist_SOURCES
* mk-ca-bundle.pl: leave certificate name untouched
* boringssl + schannel: undef X509_NAME in lib/schannel.h
* openssl: assume engine support in 1.0.1 or later
* cppcheck: fix warnings
* test 46: make test pass after year 2025
* schannel: support selecting ciphers
* Curl_debug: remove dead printhost code
* test 1455: unflakified
* Curl_init_do: handle NULL connection pointer passed in
* progress: remove a set of unused defines
* mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
* GOVERNANCE.md: explains how this project is run
* configure: use pkg-config for c-ares detection
* configure: enhance ability to build with static openssl
* maketgz: fix sed issues on OSX
* multi: fix memory leak when stopped during name resolve
* CURLOPT_INTERFACE.3: interface names not supported on Windows
* url: fix dangling conn->data pointer
* cmake: allow multiple SSL backends
* system.h: fix for gcc on 32 bit OpenServer
* ConnectionExists: make sure conn->data is set when "taking" a connection
* multi: fix crash due to dangling entry in connect-pending list
* CURLOPT_SSL_VERIFYPEER.3: Add performance note
* netrc: use a larger buffer to support longer passwords
* url: check Curl_conncache_add_conn return code
* configure: Add dependent libraries after crypto
* easy_perform: faster local name resolves by using *multi_timeout()
* getnameinfo: not used, removed all configure checks
* travis: add a build using the synchronous name resolver
* CURLINFO_TLS_SSL_PTR.3: improve the example
* openssl: allow TLS 1.3 by default
* openssl: make the requested TLS version the *minimum* wanted
* openssl: Remove some dead code
* telnet: fix clang warnings
* DEPRECATE: new doc describing planned item removals
* example/crawler.c: simple crawler based on libxml2
* libssh: goto DISCONNECT state on error, not SESSION_FREE
* CMake: Remove unused functions
* darwinssl: allow High Sierra users to build the code using GCC
* scripts: include _curl as part of CLEANFILES
* examples: fix -Wformat warnings
* curl_setup: include <winerror.h> before <windows.h>
* schannel: make more cipher options conditional
* CMake: remove redundant and old end-of-block syntax
* post303.d: clarify that this is an RFC violation
Changes:
7.60.0
------
This release includes the following changes:
o Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
o Add --haproxy-protocol for the command line tool
o Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses
This release includes the following bugfixes:
o FTP: shutdown response buffer overflow CVE-2018-1000300
o RTSP: bad headers buffer over-read CVE-2018-1000301
o FTP: fix typo in recursive callback detection for seeking
o test1208: marked flaky
o HTTP: make header-less responses still count correct body size
o user-agent.d:: mention --proxy-header as well
o http2: fixes typo
o cleanup: misc typos in strings and comments
o rate-limit: use three second window to better handle high speeds
o examples/hiperfifo.c: improved
o pause: when changing pause state, update socket state
o multi: improved pending transfers handling => improved performance
o curl_version_info.3: fix ssl_version description
o add_handle/easy_perform: clear errorbuffer on start if set
o darwinssl: fix iOS build
o cmake: add support for brotli
o parsedate: support UT timezone
o vauth/ntlm.h: fix the #ifdef header guard
o lib/curl_path.h: added #ifdef header guard
o vauth/cleartext: fix integer overflow check
o CURLINFO_COOKIELIST.3: made the example not leak memory
o cookie.d: mention that "-" as filename means stdin
o CURLINFO_SSL_VERIFYRESULT.3: fixed the example
o http2: read pending frames (including GOAWAY) in connection-check
o timeval: remove compilation warning by casting
o cmake: avoid warn-as-error during config checks
o travis-ci: enable -Werror for CMake builds
o openldap: fix for NULL return from ldap_get_attribute_ber()
o threaded resolver: track resolver time and set suitable timeout values
o cmake: Add advapi32 as explicit link library for win32
o docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
o test1148: set a fixed locale for the test
o cookies: when reading from a file, only remove_expired once
o cookie: store cookies per top-level-domain-specific hash table
o openssl: fix build with LibreSSL 2.7
o tls: fix mbedTLS 2.7.0 build + handle sha256 failures
o openssl: RESTORED verify locations when verifypeer==0
o file: restore old behavior for file:////foo/bar URLs
o FTP: allow PASV on IPv6 connections when a proxy is being used
o build-openssl.bat: allow custom paths for VS and perl
o winbuild: make the clean target work without build-type
o build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
o curl: retry on FTP 4xx, ignore other protocols
o configure: detect (and use) sa_family_t
o examples/sftpuploadresume: Fix Windows large file seek
o build: cleanup to fix clang warnings/errors
o winbuild: updated the documentation
o lib: silence null-dereference warnings
o travis: bump to clang 6 and gcc 7
o travis: build libpsl and make builds use it
o proxy: show getenv proxy use in verbose output
o duphandle: make sure CURLOPT_RESOLVE is duplicated
o all: Refactor malloc+memset to use calloc
o checksrc: Fix typo
o system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
o vauth: Fix typo
o ssh: show libSSH2 error code when closing fails
o test1148: tolerate progress updates better
o urldata: make service names unconditional
o configure: keep LD_LIBRARY_PATH changes local
o ntlm_sspi: fix authentication using Credential Manager
o schannel: add client certificate authentication
o winbuild: Support custom devel paths for each dependency
o schannel: add support for CURLOPT_CAINFO
o http2: handle on_begin_headers() called more than once
o openssl: support OpenSSL 1.1.1 verbose-mode trace messages
o openssl: fix subjectAltName check on non-ASCII platforms
o http2: avoid strstr() on data not zero terminated
o http2: clear the "drain counter" when a stream is closed
o http2: handle GOAWAY properly
o tool_help: clarify --max-time unit of time is seconds
o curl.1: clarify that options and URLs can be mixed
o http2: convert an assert to run-time check
o curl_global_sslset: always provide available backends
o ftplistparser: keep state between invokes
o Curl_memchr: zero length input can't match
o examples/sftpuploadresume: typecast fseek argument to long
o examples/http2-upload: expand buffer to avoid silly warning
o ctype: restore character classification for non-ASCII platforms
o mime: avoid NULL pointer dereference risk
o cookies: ensure that we have cookies before writing jar
o os400.c: fix checksrc warnings
o configure: provide --with-wolfssl as an alias for --with-cyassl
o cyassl: adapt to libraries without TLS 1.0 support built-in
o http2: get rid of another strstr
o checksrc: force indentation of lines after an else
o cookies: remove unused macro
o CURLINFO_PROTOCOL.3: mention the existing defined names
o tests: provide 'manual' as a feature to optionally require
o travis: enable libssh2 on both macos and Linux
o CURLOPT_URL.3: added ENCODING section
o wolfssl: Fix non-blocking connect
o vtls: don't define MD5_DIGEST_LENGTH for wolfssl
o docs: remove extraneous commas in man pages
o URL: fix ASCII dependency in strcpy_url and strlen_url
o ssh-libssh.c: fix left shift compiler warning
o configure: only check for CA bundle for file-using SSL backends
o travis: add an mbedtls build
o http: don't set the "rewind" flag when not uploading anything
o configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
o transfer: don't unset writesockfd on setup of multiplexed conns
o vtls: use unified "supports" bitfield member in backends
o URLs: fix one more http url
o travis: add a build using WolfSSL
o openssl: change FILE ops to BIO ops
o travis: add build using NSS
o smb: reject negative file sizes
o cookies: accept parameter names as cookie name
o http2: getsock fix for uploads
o all over: fixed format specifiers
o http2: use the correct function pointer typedef
This release would not have looked like this without help, code, reports and
advice from friends like these:
Adam Brown, Alex Baines, Anders Bakken, Anders Roxell, anshnd on github,
Bas van Schaik, Bernard Spil, Chris Araman, Christian Schmitz, Cyril B,
Dagobert Michelsen, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg,
Dan McNulty, Dario Weisser, dasimx on github, David Garske, David L.,
Denis Ollier, Dmitry Mikhirev, Dongliang Mu, Don J Olmstead, Eric Gallager,
Ernst Sjöstrand, Frank Gevaerts, Gaurav Malhotra, Geeknik Labs, Howard Chu,
iz8mbw on github, Jakub Wilk, Jon DeVree, Kees Dekker, Kobi Gurkan,
Laurie Clark-Michalek, Lauri Kasanen, Lawrence Matthews, Luz Paz,
Marcel Raad, Max Dymond, Michael Kaufmann, Michael Kilburn,
Michał Janiszewski, Michal Trybus, Muz Dima, Nikos Tsipinakis, Ori Avtalion,
Oumph on github, patelvivekv1993 on github, Patrick Monnerat,
Philip Prindeville, Ray Satiro, Rick Deist, Rikard Falkeborn, Sergei Nikulov,
Stefan Agner, steini2000 on github, Stephan Mühlstrasser, Sunny Purushe,
Terry Wu, Vincas Razma, wncboy on github, Wyatt O'Day, 刘佩东,
(64 contributors)
Thanks! (and sorry if I forgot to mention someone)
Curl and libcurl 7.59.0
This release includes the following changes:
o curl: add --proxy-pinnedpubkey [10]
o added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T [13]
o CURLOPT_RESOLVE: Add support for multiple IP addresses per entry [37]
o Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS [37]
o Add new tool option --happy-eyeballs-timeout-ms [37]
o Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA [39]
This release includes the following bugfixes:
o openldap: check ldap_get_attribute_ber() results for NULL before using [50]
o FTP: reject path components with control codes [51]
o readwrite: make sure excess reads don't go beyond buffer end [52]
o lib555: drop text conversion and encode data as ascii codes [1]
o lib517: make variable static to avoid compiler warning
o lib544: sync ascii code data with textual data [1]
o GSKit: restore pinnedpubkey functionality [2]
o darwinssl: Don't import client certificates into Keychain on macOS [3]
o parsedate: fix date parsing for systems with 32 bit long [4]
o openssl: fix pinned public key build error in FIPS mode [5]
o SChannel/WinSSL: Implement public key pinning [6]
o cookies: remove verbose "cookie size:" output
o progress-bar: don't use stderr explicitly, use bar->out [7]
o Fixes for MSDOS
o build: open VC15 projects with VS 2017
o curl_ctype: private is*() type macros and functions [8]
o configure: set PATH_SEPARATOR to colon for PATH w/o separator [9]
o winbuild: make linker generate proper PDB [11]
o curl_easy_reset: clear digest auth state [12]
o curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6 [14]
o range: commonize FTP and FILE range handling [15]
o progress-bar docs: update to match implementation [16]
o fnmatch: do not match the empty string with a character set
o fnmatch: accept an alphanum to be followed by a non-alphanum in char set [17]
o build: fix termios issue on android cross-compile [18]
o getdate: return -1 for out of range [19]
o formdata: use the mime-content type function [20]
o time-cond: fix reading the file modification time on Windows [21]
o build-openssl.bat: Extend VC15 support to include Enterprise and Professional
o build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
o openssl: Don't add verify locations when verifypeer==0
o fnmatch: optimize processing of consecutive *s and ?s pattern characters [22]
o schannel: fix compiler warnings [23]
o content_encoding: Add "none" alias to "identity" [24]
o get_posix_time: only check for overflows if they can happen
o http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING [25]
o README: language fix [26]
o sha256: build with OpenSSL < 0.9.8 [27]
o smtp: fix processing of initial dot in data [28]
o --tlsauthtype: works only if libcurl is built with TLS-SRP support [29]
o tests: new tests for http raw mode [30]
o libcurl-security.3: man page discussion security concerns when using libcurl
o curl_gssapi: make sure this file too uses our *printf()
o BINDINGS: fix curb link (and remove ruby-curl-multi)
o nss: use PK11_CreateManagedGenericObject() if available [31]
o travis: add build with iconv enabled [32]
o ssh: add two missing state names [33]
o CURLOPT_HEADERFUNCTION.3: mention folded headers
o http: fix the max header length detection logic [34]
o header callback: don't chop headers into smaller pieces [35]
o CURLOPT_HEADER.3: clarify problems with different data sizes
o curl --version: show PSL if the run-time lib has it enabled
o examples/sftpuploadresume: resume upload via CURLOPT_APPEND [36]
o Return error if called recursively from within callbacks [38]
o sasl: prefer PLAIN mechanism over LOGIN
o winbuild: Use CALL to run batch scripts [40]
o curl_share_setopt.3: connection cache is shared within multi handles
o winbuild: Use macros for the names of some build utilities [41]
o projects/README: remove reference to dead IDN link/package [42]
o lib655: silence compiler warning [43]
o configure: Fix version check for OpenSSL 1.1.1
o docs/MANUAL: formfind.pl is not accessible on the site anymore [44]
o unit1309: fix warning on Windows x64 [45]
o unit1307: proper cleanup on OOM to fix torture tests
o curl_ctype: fix macro redefinition warnings
o build: get CFLAGS (including -werror) used for examples and tests [46]
o NO_PROXY: fix for IPv6 numericals in the URL [47]
o krb5: use nondeprecated functions [48]
o winbuild: prefer documented zlib library names [49]
o http2: mark the connection for close on GOAWAY [53]
o limit-rate: kick in even before "limit" data has been received [54]
o HTTP: allow "header;" to replace an internal header with a blank one [55]
o http2: verbose output new MAX_CONCURRENT_STREAMS values
o SECURITY: distros' max embargo time is 14 days
o curl tool: accept --compressed also if Brotli is enabled and zlib is not
o WolfSSL: adding TLSv1.3 [56]
o checksrc.pl: add -i and -m options
o CURLOPT_COOKIEFILE.3: "-" as file name means stdin
This release includes the following changes:
o new libssh-powered SSH SCP/SFTP back-end
o curl-config: add --ssl-backends [10]
This release includes the following bugfixes:
o http2: fix incorrect trailer buffer size [40]
o http: prevent custom Authorization headers in redirects [55]
o travis: add boringssl build [1]
o examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL [2]
o SSL: Avoid magic allocation of SSL backend specific data [3]
o lib: don't export all symbols, just everything curl_* [4]
o libssh2: send the correct CURLE error code on scp file not found
o libssh2: return CURLE_UPLOAD_FAILED on failure to upload
o openssl: enable pkcs12 in boringssl builds [5]
o libssh2: remove dead code from SSH_SFTP_QUOTE [6]
o sasl_getmesssage: make sure we have a long enough string to pass [7]
o conncache: fix several lock issues [8]
o threaded-shared-conn.c: new example
o conncache: only allow multiplexing within same multi handle [9]
o configure: check for netinet/in6.h [11]
o URL: tolerate backslash after drive letter for FILE: [12]
o openldap: add commented out debug possibilities [13]
o include: get netinet/in.h before linux/tcp.h [14]
o CONNECT: keep close connection flag in http_connect_state struct [15]
o BINDINGS: another PostgreSQL client
o curl: limit -# update frequency for unknown total size [16]
o configure: add AX_CODE_COVERAGE only if using gcc [17]
o curl.h: remove incorrect comment about ERRORBUFFER
o openssl: improve data-pending check for https proxy [18]
o curl: remove __EMX__ #ifdefs [19]
o CURLOPT_PRIVATE.3: fix grammar [20]
o sftp: allow quoted commands to use relative paths [21]
o CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
o RESOLVE: output verbose text when trying to set a duplicate name
o openssl: Disable file buffering for Win32 SSLKEYLOGFILE [22]
o multi_done: prune DNS cache [23]
o tests: update .gitignore for libtests
o tests: mark data files as non-executable in git
o CURLOPT_DNS_LOCAL_IP4.3: fixed the "SEE ALSO" to not self-reference
o curl.1: documented two missing valid exit codes
o curl.1: mention http:// and https:// as valid proxy prefixes
o vtls: replaced getenv() with curl_getenv() [24]
o setopt: less *or equal* than INT_MAX/1000 should be fine [25]
o examples/smtp-mail.c: use separate defines for options and mail
o curl: support >256 bytes warning messsages [26]
o conncache: fix a return code
o krb5: fix a potential access of uninitialized memory
o rand: add a clang-analyzer work-around
o CURLOPT_READFUNCTION.3: refer to argument with correct name [27]
o brotli: allow compiling with version 0.6.0
o content_encoding: rework zlib_inflate [28]
o curl_easy_reset: release mime-related data [29]
o examples/rtsp: fix error handling macros [30]
o build-openssl.bat: Added support for VC15
o build-wolfssl.bat: Added support for VC15
o build: Added Visual Studio 2017 project files
o winbuild: Added support for VC15
o curl: Support size modifiers for --max-filesize [32]
o examples/cacertinmem: ignore cert-already-exists error [33]
o brotli: data at the end of content can be lost [34]
o curl_version_info.3: call the argument 'age' [35]
o openssl: fix memory leak of SSLKEYLOGFILE filename
o build: remove HAVE_LIMITS_H check [36]
o --mail-rcpt: fix short-text description
o scripts: allow all perl scripts to be run directly [37]
o progress: calculate transfer speed on milliseconds if possible [38]
o system.h: check __LONG_MAX__ for defining curl_off_t [31]
o easy: fix connection ownership in curl_easy_pause [39]
o setopt: reintroduce non-static Curl_vsetopt() for OS400 support [41]
o setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values [42]
o configure.ac: append extra linker flags instead of prepending them [43]
o HTTP: bail out on negative Content-Length: values [44]
o docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
o mime: clone mime tree upon easy handle duplication [45]
o openssl: enable SSLKEYLOGFILE support by default [46]
o smtp/pop3/imap_get_message: decrease the data length too... [47]
o CURLOPT_TCP_NODELAY.3: fix typo [48]
o SMB: fix numeric constant suffix and variable types [49]
o ftp-wildcard: fix matching an empty string with "*[^a]" [50]
o curl_fnmatch: only allow 5 '*' sections in a single pattern
o openssl: fix potential memory leak in SSLKEYLOGFILE logic
o SSH: Fix state machine for ssh-agent authentication [51]
o examples/url2file.c: add missing curl_global_cleanup() call [52]
o http2: don't close connection when single transfer is stopped [53]
o libcurl-env.3: first version
o curl: progress bar refresh, get width using ioctl() [54]
o CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support [56]
Curl and libcurl 7.56.0
This release includes the following changes:
o curl: enable compression for SCP/SFTP with --compressed-ssh [11]
o libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION [11]
o vtls: added dynamic changing SSL backend with curl_global_sslset() [28]
o new MIME API, curl_mime_init() and friends [32]
o openssl: initial SSLKEYLOGFILE implementation [36]
This release includes the following bugfixes:
o FTP: zero terminate the entry path even on bad input [67]
o examples/ftpuploadresume.c: use portable code
o runtests: match keywords case insensitively
o travis: build the examples too [1]
o strtoofft: reduce integer overflow risks globally [2]
o zsh.pl: produce a working completion script again [3]
o cmake: remove dead code for CURL_DISABLE_RTMP [4]
o progress: Track total times following redirects [5]
o configure: fix --disable-threaded-resolver [6]
o cmake: remove dead code for DISABLED_THREADSAFE [7]
o configure: fix clang version detection
o darwinssi: fix error: variable length array used
o travis: add metalink to some osx builds [8]
o configure: check for __builtin_available() availability [9]
o http_proxy: fix build error for CURL_DOES_CONVERSIONS [10]
o examples/ftpuploadresume: checksrc compliance
o ftp: fix CWD when doing multicwd then nocwd on same connection [12]
o system.h: remove all CURL_SIZEOF_* defines [13]
o http: Don't wait on CONNECT when there is no proxy [14]
o system.h: check for __ppc__ as well [15]
o http2_recv: return error better on fatal h2 errors [16]
o scripts/contri*sh: use "git log --use-mailmap"
o tftp: fix memory leak on too long filename [17]
o system.h: fix build for hppa [18]
o cmake: enable picky compiler options with clang and gcc [19]
o makefile.m32: add support for libidn2 [20]
o curl: turn off MinGW CRT's globbing [21]
o request-target.d: mention added in 7.55.0
o curl: shorten and clean up CA cert verification error message [22]
o imap: support PREAUTH [23]
o CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
o examples/threaded-ssl: mention that this is for openssl before 1.1
o winbuild: fix embedded manifest option [24]
o tests: Make sure libtests & unittests call curl_global_cleanup()
o system.h: include sys/poll.h for AIX [25]
o darwinssl: handle long strings in TLS certs [26]
o strtooff: fix build for systems with long long but no strtoll [27]
o asyn-thread: Improved cleanup after OOM situations
o HELP-US.md: "How to get started helping out in the curl project" [29]
o curl.h: CURLSSLBACKEND_WOLFSSL used wrong value [30]
o unit1301: fix error message on first test
o ossfuzz: moving towards the ideal integration [31]
o http: fix a memory leakage in checkrtspprefix()
o examples/post-callback: stop returning one byte at a time
o schannel: return CURLE_SSL_CACERT on failed verification [33]
o MAIL-ETIQUETTE: added "1.9 Your emails are public"
o http-proxy: treat all 2xx as CONNECT success [34]
o openssl: use OpenSSL's default ciphers by default [35]
o runtests.pl: support attribute "nonewline" in part verify/upload
o configure: remove --enable-soname-bump and SONAME_BUMP [37]
o travis: add c-ares enabled builds linux + osx [38]
o vtls: fix WolfSSL 3.12 build problems [39]
o http-proxy: when not doing CONNECT, that phase is done immediately [40]
o configure: fix curl_off_t check's include order [41]
o configure: use -Wno-varargs on clang 3.9[.X] debug builds
o rtsp: do not call fwrite() with NULL pointer FILE * [42]
o mbedtls: enable CA path processing [43]
o travis: add build without HTTP/SMTP/IMAP
o checksrc: verify more code style rules [44]
o HTTP proxy: on connection re-use, still use the new remote port [45]
o tests: add initial gssapi test using stub implementation [46]
o rtsp: Segfault when using WRITEDATA [47]
o docs: clarify the CURLOPT_INTERLEAVE* options behavior
o non-ascii: use iconv() with 'char **' argument [48]
o server/getpart: provide dummy function to build conversion enabled
o conversions: fix several compiler warnings
o openssl: add missing includes [49]
o schannel: Support partial send for when data is too large [50]
o socks: fix incorrect port number in SOCKS4 error message [51]
o curl: fix integer overflow in timeout options [52]
o travis: on mac, don't install openssl or libidn [53]
o cookies: reject oversized cookies instead of truncating [54]
o cookies: use lock when using CURLINFO_COOKIELIST [55]
o curl: check fseek() return code and bail on error
o examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
o openssl: only verify RSA private key if supported [56]
o tests: make the imap server not verify user+password [57]
o imap: quote atoms properly when escaping characters [58]
o tests: fix a compiler warning in test 643
o file_range: avoid integer overflow when figuring out byte range [59]
o curl.h: include <sys/select.h> on cygwin too [60]
o reuse_conn: don't copy flags that are known to be equal [61]
o http: fix adding custom empty headers to repeated requests [62]
o docs: clarify the use of environment variables for proxy [63]
o docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS [64]
o connect: fix race condition with happy eyeballs timeout [65]
o cookie: fix memory leak if path was set twice in header [66]
o vtls: compare and clone ssl configs properly [68]
o proxy: read the "no_proxy" variable only if necessary [69]
This release includes the following bugfixes:
o build: fix 'make install' with configure, install docs/libcurl/* too
o make install: add 8 missing man pages to the installation
o curl: do bounds check using a double comparison [1]
o dist: Add dictserver.py/negtelnetserver.py to release [2]
o digest_sspi: Don't reuse context if the user/passwd has changed [3]
o gitignore: ignore top-level .vs folder [4]
o build: check out *.sln files with Windows line endings [5]
o travis: verify "make install" [6]
o dist: fix the cmake build by shipping cmake_uninstall.cmake.in too [7]
o metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
o configure: use the threaded resolver backend by default if possible [8]
o mkhelp.pl: allow executing this script directly [9]
o maketgz: remove old *.dist files before making the tarball [10]
o openssl: remove CONST_ASN1_BIT_STRING [11]
o openssl: fix "error: this statement may fall through"
o proxy: fix memory leak in case of invalid proxy server name [12]
o curl/system.h: support more architectures (OpenRISC, ARC) [13]
o docs: fix typos [14]
o curl/system.h: add Oracle Solaris Studio [15]
o CURLINFO_TOTAL_TIME: could wrongly return 4200 seconds [16]
o docs: --connect-to clarified
o cmake: allow user to override CMAKE_DEBUG_POSTFIX [17]
o travis: test cmake build on tarball too
o redirect: make it handle absolute redirects to IDN names [18]
o curl/system.h: fix for gcc on PowerPC [19]
o curl --interface: fixed for IPV6 unique local addresses [20]
o cmake: threads detection improvements [21]
Curl and libcurl 7.55.0
Public curl releases: 167
Command line options: 210
curl_easy_setopt() options: 247
Public functions in libcurl: 61
Contributors: 1571
This release includes the following changes:
o curl: allow --header and --proxy-header read from file [7]
o getinfo: provide sizes as curl_off_t [6]
o curl: prevent binary output spewed to terminal [16]
o curl: added --request-target [22]
o libcurl: added CURLOPT_REQUEST_TARGET [22]
o curl: added --socks5-{basic,gssapi}: control socks5 auth [30]
o libcurl: added CURLOPT_SOCKS5_AUTH [30]
This release includes the following bugfixes:
o glob: do not parse after a strtoul() overflow range (CVE-2017-1000101) [85]
o tftp: reject file name lengths that don't fit (CVE-2017-1000100) [84]
o file: output the correct buffer to the user (CVE-2017-1000099) [83]
o includes: remove curl/curlbuild.h and curl/curlrules.h [1]
o dist: make the hugehelp.c not get regenerated unnecessarily [2]
o timers: store internal time stamps as time_t instead of doubles [3]
o progress: let "current speed" be UL + DL speeds combined [4]
o http-proxy: do the HTTP CONNECT process entirely non-blocking [5]
o lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV [8]
o fuzz: bring oss-fuzz initial code converted to C89 [10]
o configure: disable nghttp2 too if HTTP has been disabled
o mk-ca-bundle.pl: Check curl's exit code after certdata download [11]
o test1148: verify the -# progressbar [12]
o tests: stabilize test 2032 and 2033 [13]
o HTTPS-Proxy: don't offer h2 for https proxy connections [14]
o http-proxy: only attempt FTP over HTTP proxy [9]
o curl-compilers.m4: enable vla warning for clang [15]
o curl-compilers.m4: enable double-promotion warning [15]
o curl-compilers.m4: enable missing-variable-declarations clang warning [15]
o curl-compilers.m4: enable comma clang warning [15]
o Makefile.m32: enable -W for MinGW32 build [15]
o CURLOPT_PREQUOTE: not supported for SFTP [17]
o http2: fix OOM crash
o PIPELINING_SERVER_BL: cleanup the internal list use [18]
o mkhelp.pl: fix script name in usage text
o lib1521: add curl_easy_getinfo calls to the test set
o travis: do the distcheck test build out-of-tree as well
o if2ip: fix compiler warning in ISO C90 mode
o lib: fix the djgpp build [19]
o typecheck-gcc: add support for CURLINFO_OFF_T [20]
o travis: enable typecheck-gcc warnings [21]
o maketgz: switch to xz instead of lzma [23]
o CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
o curl-compilers.m4: fix unknown-warning-option on Apple clang [24]
o winbuild: fix boringssl build [25]
o curl/system.h: add check for XTENSA for 32bit gcc [26]
o test1537: fixed memory leak on OOM
o test1521: fix compiler warnings [27]
o curl: fix memory leak on test 1147 OOM [28]
o libtest/make: generate lib1521.c dynamically at build-time [29]
o curl_strequal.3: fix typo in SYNOPSIS [31]
o progress: prevent resetting t_starttransfer [32]
o openssl: improve fallback seed of PRNG with a time based hash [33]
o http2: improved PING frame handling [34]
o test1450: add simple testing for DICT [35]
o make: build the docs subdir only from within src [36]
o cmake: Added compatibility options for older Windows versions [37]
o gtls: fix build when sizeof(long) < sizeof(void *) [38]
o url: make the original string get used on subsequent transfers [39]
o timeval.c: Use long long constant type for timeval assignment [40]
o tool_sleep: typecast to avoid macos compiler warning
o travis.yml: use --enable-werror on debug builds [41]
o test1451: add SMB support to the testbed [42]
o configure: remove checks for 5 functions never used [43]
o configure: try ldap/lber in reversed order first [44]
o smb: fix build for djgpp/MSDOS [45]
o travis: install nghttp2 on linux builds [46]
o smb: add support for CURLOPT_FILETIME [47]
o cmake: fix send/recv argument scanner for windows [48]
o inet_pton: fix include on windows to get prototype [49]
o select.h: avoid macro redefinition harder
o cmake: if inet_pton is used, bump _WIN32_WINNT
o asyn-thread.c: fix unused variable warnings on macOS
o runtests: support "threaded-resolver" as a feature
o test506: skip if threaded-resolver
o cmake: remove spurious "-l" from linker flags [50]
o cmake: add CURL_WERROR for enabling "warning as errors"
o memdebug: don't setbuf() if the file open failed [51]
o curl_easy_escape.3: mention the (lack of) encoding [52]
o test1452: add telnet negotiation [53]
o CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
o cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC [54]
o tests/valgrind.supp: supress OpenSSL false positive seen on travis [55]
o curl_setup_once: Remove ERRNO/SET_ERRNO macros [56]
o curl-compilers.m4: disable warning spam with Cygwin's clang [57]
o ldap: fix MinGW compiler warning [58]
o make: fix docs build on OpenBSD [59]
o curl_setup: always define WIN32_LEAN_AND_MEAN on Windows [60]
o system.h: include winsock2.h before windows.h
o winbuild: build with warning level 4 [61]
o rtspd: fix MSVC level 4 warning
o sockfilt: suppress conversion warning with explicit cast
o libtest: fix MSVC warning C4706
o darwinssl: fix pinnedpubkey build error [62]
o tests/server/resolve.c: fix deprecation warning [63]
o nss: fix a possible use-after-free in SelectClientCert() [64]
o checksrc: escape open brace in regex
o multi: mention integer overflow risk if using > 500 million sockets [65]
o darwinssl: fix --tlsv1.2 regression [66]
o timeval: struct curltime is a struct timeval replacement [67]
o curl_rtmp: fix a compiler warning [68]
o include.d: clarify that it concerns the response headers [69]
o cmake: support make uninstall [70]
o include.d: clarify --include is only for response headers [71]
o libcurl: Stop using error codes defined under CURL_NO_OLDIES [72]
o http: fix response code parser to avoid integer overflow [73]
o configure: fix the check for IdnToUnicode [74]
o multi: fix request timer management [75]
o curl_threads: fix MSVC compiler warning [76]
o travis: build on osx with openssl
o travis: build on osx with libressl
o CURLOPT_NETRC.3: mention the file name on windows
o cmake: set MSVC warning level to 4 [77]
o netrc: skip lines starting with '#' [78]
o darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
o BUILD.WINDOWS: mention buildconf.bat for builds off git
o darwinssl: silence compiler warnings [79]
o travis: build on osx with darwinssl
o FTP: skip unnecessary CWD when in nocwd mode [80]
o gssapi: fix memory leak of output token in multi round context [81]
o getparameter: avoid returning uninitialized 'usedarg' [82]
o curl (debug build) easy_events: make event data static
o curl: detect and bail out early on parameter integer overflows [86]
o configure: fix recv/send/select detection on Android [87]
Curl and libcurl 7.54.0
Public curl releases: 165
Command line options: 207
curl_easy_setopt() options: 245
Public functions in libcurl: 61
Contributors: 1538
This release includes the following changes:
o Add CURL_SSLVERSION_MAX_* constants to CURLOPT_SSLVERSION [19]
o Add --max-tls [19]
o Add CURLOPT_SUPPRESS_CONNECT_HEADERS [24]
o Add --suppress-connect-headers [24]
This release includes the following bugfixes:
o CVE-2017-7468: switch off SSL session id when client cert is used [68]
o cmake: Replace invalid UTF-8 byte sequence [1]
o tests: use consistent environment variables for setting charset
o proxy: fixed a memory leak on OOM
o ftp: removed an erroneous free in an OOM path
o docs: de-duplicate file lists in the Makefiles [2]
o ftp: fixed a NULL pointer dereference on OOM
o gopher: fixed detection of an error condition from Curl_urldecode
o url: fix unix-socket support for proxy-disabled builds [3]
o test1139: allow for the possibility that the man page is not rebuilt
o cyassl: get library version string at runtime
o digest_sspi: fix compilation warning
o tests: enable HTTP/2 tests to run with non-default port numbers
o warnless: suppress compiler warning
o darwinssl: Warn that disabling host verify also disables SNI [4]
o configure: fix for --enable-pthreads [5]
o checksrc.bat: Ignore curl_config.h.in, curl_config.h
o no-keepalive.d: fix typo [6]
o configure: fix --with-zlib when a path is specified [7]
o build: fix gcc7 implicit fallthrough warnings [8]
o fix potential use of uninitialized variables [9]
o CURLOPT_SSL_CTX_FUNCTION.3: Fix EXAMPLE formatting errors [10]
o CMake: Reorganize SSL support, separate WinSSL and SSPI [11]
o CMake: Add DarwinSSL support [12]
o CMake: Add mbedTLS support [13]
o ares: return error at once if timed out before name resolve starts [14]
o BINDINGS: added C++, perl, go and Scilab bindings
o URL: return error on malformed URLs with junk after port number
o KNOWN_BUGS: Add DarwinSSL won't import PKCS#12 without a password [15]
o http2: Fix assertion error on redirect with CL=0 [16]
o updatemanpages.pl: Update man pages to use current date and versions [17]
o --insecure: clarify that this option is for server connections [18]
o mkhelp: simplified the gzip code
o build: fixed making man page in out-of-tree tarball builds
o tests: disabled 1903 due to flakiness
o openssl: add two /* FALLTHROUGH */ to satisfy coverity
o cmdline-opts: fixed a few typos
o authneg: clear auth.multi flag at http_done [20]
o curl_easy_reset: Also reset the authentication state [21]
o proxy: skip SSL initialization for closed connections [22]
o http_proxy: ignore TE and CL in CONNECT 2xx responses [23]
o tool_writeout: fixed a buffer read overrun on --write-out
o make: regenerate docs/curl.1 by running make in docs [25]
o winbuild: add basic support for OpenSSL 1.1.x [26]
o build: removed redundant DEPENDENCIES from makefiles
o CURLINFO_LOCAL_PORT.3: added example
o curl: show HTTPS-Proxy options on CURLE_SSL_CACERT [27]
o tests: strip more options from non-HTTP --libcurl tests
o tests: fixed the documented test server port numbers
o runtests.pl: fixed display of the Gopher IPv6 port number
o multi: fix streamclose() crash in debug mode [28]
o cmake: build manual pages [29]
o cmake: add support for building HTML and PDF docs [30]
o mbedtls: add support for CURLOPT_SSL_CTX_FUNCTION [31]
o make: introduce 'test-nonflaky' target
o CURLINFO_PRIMARY_IP.3: add example
o tests/README: mention nroff for --manual tests [32]
o mkhelp: disable compression if the perl gzip module is unavailable
o openssl: fall back on SSL_ERROR_* string when no error detail [33]
o asiohiper: make sure socket is open in event_cb [34]
o tests/README: make "Run" section foolproof [35]
o curl: check for end of input in writeout backslash handling
o .gitattributes: turn off CRLF for *.am [36]
o multi: fix MinGW-w64 compiler warnings
o schannel: fix variable shadowing warning
o openssl: exclude DSA code when OPENSSL_NO_DSA is defined [37]
o http: Fix proxy connection reuse with basic-auth [38]
o pause: handle mixed types of data when paused [39]
o http: do not treat FTPS over CONNECT as HTTPS
o conncache: make hashkey avoid malloc [40]
o make: use the variable MAKE for recursive calls [41]
o curl: fix callback argument inconsistency [42]
o NTLM: check for features with #ifdef instead of #if [43]
o cmake: add several missing files to the dist
o select: use correct SIZEOF_ constant [44]
o connect: fix unreferenced parameter warning
o schannel: fix unused variable warning
o gcc7: fix ‘*’ in boolean context [45]
o http2: silence unused parameter warnings
o ssh: fix narrowing conversion warning
o telnet: (win32) fix read callback return variable [46]
o docs: Explain --fail-early does not imply --fail [47]
o docs: added examples for CURLINFO_FILETIME.3 and CURLOPT_FILETIME.3
o tests/server/util: remove in6addr_any for recent MinGW [48]
o multi: make curl_multi_wait avoid malloc in the typical case [49]
o include: curl/system.h is a run-time version of curlbuild.h [50]
o easy: silence compiler warning
o llist: replace Curl_llist_alloc with Curl_llist_init [51]
o hash: move key into hash struct to reduce mallocs [52]
o url: don't free postponed data on connection reuse [53]
o curl_sasl: declare mechtable static
o curl: fix Windows Unicode build
o multi: fix queueing of pending easy handles [54]
o tool_operate: fix MinGW compiler warning [55]
o low_speed_limit: improved function for longer time periods [56]
o gtls: fix compiler warning
o sspi: print out InitializeSecurityContext() error message [57]
o schannel: fix compiler warnings [58]
o vtls: fix unreferenced variable warnings
o INSTALL.md: fix secure transport configure arguments
o CURLINFO_SCHEME.3: fix variable type
o libcurl-thread.3: also mention threaded-resolver [59]
o nss: load CA certificates even with --insecure [60]
o openssl: fix this statement may fall through [61]
o poll: prefer <poll.h> over <sys/poll.h> [62]
o polarssl: unbreak build with versions < 1.3.8 [63]
o Curl_expire_latest: ignore already expired timers [64]
o configure: turn implicit function declarations into errors [65]
o mbedtls: fix memory leak in error path [66]
o http2: fix handle leak in error path [67]
o .gitattributes: force shell scripts to LF [69]
o configure.ac: ignore CR after version numbers [70]
o extern-scan.pl: strip trailing CR [71]
o openssl: make SSL_ERROR_to_str more future-proof [72]
o openssl: fix thread-safety bugs in error-handling [73]
o openssl: don't try to print nonexistant peer private keys [74]
o nss: fix MinGW compiler warnings [75]
Curl and libcurl 7.53.0
This release includes the following changes:
o unix_socket: added --abstract-unix-socket and CURLOPT_ABSTRACT_UNIX_SOCKET [25]
o CURLOPT_BUFFERSIZE: support enlarging receive buffer [29]
This release includes the following bugfixes:
o CVE-2017-2629: make SSL_VERIFYSTATUS work again [64]
o gnutls-random: check return code for failed random
o openssl-random: check return code when asking for random
o http: remove "Curl_http_done: called premature" message
o cyassl: use time_t instead of long for timeout
o build-wolfssl: Sync config with wolfSSL 3.10
o ftp-gss: check for init before use
o configure: accept --with-libidn2 instead [1]
o ftp: failure to resolve proxy should return that error code
o curl.1: add three more exit codes
o docs/ciphers: link to our own new page about ciphers
o vtls: s/SSLEAY/OPENSSL - fixes multi_socket timeouts with openssl [2]
o darwinssl: fix iOS build [3]
o darwinssl: fix CFArrayRef leak [4]
o cmake: use crypt32.lib when building with OpenSSL on windows [5]
o curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked [6]
o digest_sspi: copy terminating NUL as well [7]
o curl: fix --remote-time incorrect times on Windows [8]
o curl.1: several updates and corrections [11]
o content_encoding: change return code on a failure
o curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
o docs: TCP_KEEPALIVE start and interval default to 60 [9]
o darwinssl: --insecure overrides --cacert if both settings are in use [10]
o TheArtOfHttpScripting: grammar
o CIPHERS.md: document GSKit ciphers
o wolfssl: support setting cipher list
o wolfssl: display negotiated SSL version and cipher
o lib506: fix build for Open Watcom [12]
o asiohiper: improved socket handling [13]
o examples: make the C++ examples follow our code style too
o tests/sws: retry send() on EWOULDBLOCK [14]
o cmake: Fix passing _WINSOCKAPI_ macro to compiler [15]
o smtp: Fix STARTTLS denied error message
o imap/pop3: don't print response character in STARTTLS denied messages [16]
o rand: make it work without TLS backing [17]
o url: fix parsing for when 'file' is the default protocol [18]
o url: allow file://X:/path URLs on windows again [19]
o gnutls: check for alpn and ocsp in configure [20]
o IDN: Use TR46 'non-transitional' for toASCII translations [21]
o url: Fix NO_PROXY env var to work properly with --proxy option [22]
o CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char* [23]
o docs: Add note about libcurl copying strings to CURLOPT_* manpages [24]
o curl: reset the easy handle at --next
o --next docs: --trace and --trace-ascii are also global
o --write-out docs: 'time_total' is not always shown with ms precision
o http: print correct HTTP string in verbose output when using HTTP/2
o docs: improved language in README.md HISTORY.md CONTRIBUTE.md [26]
o http2: disable server push if not requested [27]
o nss: use the correct lock in nss_find_slot_by_name()
o usercertinmem.c: improve the short description
o CURLOPT_CONNECT_TO: Fix compile warnings
o docs: non-blocking SSL handshake is now supported with NSS
o *.rc: escape non-ASCII/non-UTF-8 character for clarity [28]
o mbedTLS: fix multi interface non-blocking handshake [30]
o PolarSSL: fix multi interface non-blocking handshake [31]
o VC: remove the makefile.vc6 build infra [32]
o telnet: fix windows compiler warnings [33]
o cookies: do not assume a valid domain has a dot
o polarssl: fix hangs
o gnutls: disable TLS session tickets [34]
o mbedtls: disable TLS session tickets [35]
o mbedtls: implement CTR-DRBG and HAVEGE random generators [36]
o openssl: Don't use certificate after transferring ownership [37]
o cmake: Support curl --xattr when built with cmake [38]
o OS400: Fix symbols [39]
o docs: Add more HTTPS proxy documentation [40]
o docs: use more HTTPS links [41]
o cmdline-opts: Fixed build and test in out of source tree builds
o CHANGES.0: removed
o schannel: Remove incorrect SNI disabled message [42]
o darwinssl: Avoid parsing certificates when not in verbose mode [43]
o test552: Fix typos [44]
o telnet: Fix typos [45]
o transfer: only retry nobody-requests for HTTP [46]
o http2: reset push header counter fixes crash [47]
o nss: make FTPS work with --proxytunnel [48]
o test1139: Added the --manual keyword since the manual is required
o polarssl, mbedtls: Fix detection of pending data [49]
o http_proxy: Fix tiny memory leak upon edge case connecting to proxy [50]
o URL: only accept ";options" in SMTP/POP3/IMAP URL schemes [51]
o curl.1: ftp.sunet.se is no longer an FTP mirror
o tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT [52]
o http2: fix memory-leak when denying push streams [53]
o configure: Allow disabling pthreads, fall back on Win32 threads [54]
o curl: fix typo in time condition warning message [55]
o axtls: adapt to API changes [56]
o tool_urlglob: Allow a glob range with the same start and stop [57]
o winbuild: add note on auto-detection of MACHINE in Makefile.vc [58]
o http: fix missing 'Content-Length: 0' while negotiating auth [59]
o proxy: fix hostname resolution and IDN conversion [60]
o docs: fix timeout handling in multi-uv example
o digest_sspi: Fix nonce-count generation in HTTP digest [61]
o sftp: improved checks for create dir failures [62]
o smb: use getpid replacement for windows UWP builds [63]
o digest_sspi: Handle 'stale=TRUE' directive in HTTP digest [65]
Version 7.52.0 (20 Dec 2016)
Changes:
nss: map CURL_SSLVERSION_DEFAULT to NSS default
vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
curl: introduce the --tlsv1.3 option to force TLS 1.3
curl: Add --retry-connrefused
proxy: Support HTTPS proxy and SOCKS+HTTP(s)
add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
curl: add --fail-early
Bugfixes:
CVE-2016-9586: printf floating point buffer overflow
CVE-2016-9952: Win CE schannel cert wildcard matches too much
CVE-2016-9953: Win CE schannel cert name out of buffer read
msvc: removed a straggling reference to strequal.c
winbuild: remove strcase.obj from curl build
examples: bugfixed multi-uv.c
configure: verify that compiler groks -Werror=partial-availability
mbedtls: fix build with mbedtls versions < 2.4.0
dist: add unit test CMakeLists.txt to the tarball
curl -w: added more decimal digits to timing counters
easy: Initialize info variables on easy init and duphandle
cmake: disable poll for macOS
http2: Don't send header fields prohibited by HTTP/2 spec
ssh: check md5 fingerprints case insensitively (regression)
openssl: initial TLS 1.3 adaptions
curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
printf: fix ".*f" handling
examples/fileupload.c: fclose the file as well
SPNEGO: Fix memory leak when authentication fails
realloc: use Curl_saferealloc to avoid common mistakes
openssl: make sure to fail in the unlikely event that PRNG seeding fails
URL-parser: for file://[host]/ URLs, the [host] must be localhost
timeval: prefer time_t to hold seconds instead of long
Curl_rand: fixed and moved to rand.c
glob: fix [a-c] globbing regression
darwinssl: fix SSL client certificate not found on MacOS Sierra
curl.1: Clarify --dump-header only writes received headers
http2: Fix address sanitizer memcpy warning
http2: Use huge HTTP/2 windows
connects: Don't mix unix domain sockets with regular ones
url: Fix conn reuse for local ports and interfaces
x509: Limit ASN.1 structure sizes to 256K
checksrc: add more checks
winbuild: add config option ENABLE_NGHTTP2
http2: check nghttp2_session_set_local_window_size exists
http2: Fix crashes when parent stream gets aborted
CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries
URL parser: reject non-numerical port numbers
CONNECT: reject TE or CL in 2xx responses
CONNECT: read responses one byte at a time
curl: support zero-length argument strings in config files
openssl: don't use OpenSSL's ERR_PACK
curl.1: generated with the new man page system
curl_easy_recv: Improve documentation and example program
Curl_getconnectinfo: avoid checking if the connection is closed
CIPHERS.md: attempt to document TLS cipher names
Curl and libcurl 7.51.0
Public curl releases: 160
Command line options: 185
curl_easy_setopt() options: 225
Public functions in libcurl: 61
Contributors: 1467
This release includes the following changes:
o nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST
o New option: CURLOPT_KEEP_SENDING_ON_ERROR [10]
This release includes the following bugfixes:
o CVE-2016-8615: cookie injection for other servers [28]
o CVE-2016-8616: case insensitive password comparison [29]
o CVE-2016-8617: OOB write via unchecked multiplication [30]
o CVE-2016-8618: double-free in curl_maprintf [31]
o CVE-2016-8619: double-free in krb5 code [32]
o CVE-2016-8620: glob parser write/read out of bounds [33]
o CVE-2016-8621: curl_getdate read out of bounds [34]
o CVE-2016-8622: URL unescape heap overflow via integer truncation [35]
o CVE-2016-8623: Use-after-free via shared cookies [36]
o CVE-2016-8624: invalid URL parsing with '#' [37]
o CVE-2016-8625: IDNA 2003 makes curl use wrong host [38]
o openssl: fix per-thread memory leak using 1.0.1 or 1.0.2 [1]
o http: accept "Transfer-Encoding: chunked" for HTTP/2 as well [2]
o LICENSE-MIXING.md: update with mbedTLS dual licensing [3]
o examples/imap-append: Set size of data to be uploaded [4]
o test2048: fix url
o darwinssl: disable RC4 cipher-suite support
o CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
o openssl: don’t call CRYTPO_cleanup_all_ex_data [5]
o libressl: fix version output [6]
o easy: Reset all statistical session info in curl_easy_reset [7]
o curl_global_cleanup.3: don't unload the lib with sub threads running [8]
o dist: add CurlSymbolHiding.cmake to the tarball
o docs: Remove that --proto is just used for initial retrieval [9]
o configure: Fixed builds with libssh2 in a custom location
o curl.1: --trace supports % for sending to stderr!
o cookies: same domain handling changed to match browser behavior [11]
o formpost: trying to attach a directory no longer crashes [12]
o CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning [13]
o formpost: avoid silent snprintf() truncation
o ftp: fix Curl_ftpsendf
o mprintf: return error on too many arguments
o smb: properly check incoming packet boundaries [14]
o GIT-INFO: remove the Mac 10.1-specific details [15]
o resolve: add error message when resolving using SIGALRM [16]
o cmake: add nghttp2 support [17]
o dist: remove PDF and HTML converted docs from the releases [18]
o configure: disable poll() in macOS builds [19]
o vtls: only re-use session-ids using the same scheme
o pipelining: skip to-be-closed connections when pipelining [20]
o win: fix Universal Windows Platform build [21]
o curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically [22]
o maketgz: make it support "only" generating version info
o Curl_socket_check: add extra check to avoid integer overflow
o gopher: properly return error for poll failures
o curl: set INTERLEAVEDATA too
o polarssl: clear thread array at init
o polarssl: fix unaligned SSL session-id lock
o polarssl: reduce #ifdef madness with a macro
o curl_multi_add_handle: set timeouts in closure handles [23]
o configure: set min version flags for builds on mac [24]
o INSTALL: converted to markdown => INSTALL.md
o curl_multi_remove_handle: fix a double-free [25]
o multi: fix inifinte loop in curl_multi_cleanup() [26]
o nss: fix tight loop in non-blocking TLS handhsake over proxy [27]
o mk-ca-bundle: Change URL retrieval to HTTPS-only by default [39]
o mbedtls: stop using deprecated include file [40]
o docs: fix req->data in multi-uv example [41]
o configure: Fix test syntax for monotonic clock_gettime
o CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2 [42]
This release includes the following known bugs:
o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)
This release would not have looked like this without help, code, reports and
advice from friends like these:
Akshay Vernekar, Alexander Sinditskiy, Anders Bakken, Andreas Streichardt,
Andrei Sedoi, Bernard Spil, Christian Heimes, Dan Fandrich,
Daniel Gustafsson, Daniel Stenberg, Darío Hereñú, David Woodhouse,
Fernando Muñoz, Gregory Szorc, Jeroen Ooms, Kamil Dudka, Luật Nguyễn,
lukaszgn on github, Marcel Raad, Martin Frodl, Martin Storsjö,
Michael Kaufmann, Michael Osipov, Miloš Ljumović, Nick Zitzmann,
nopjmp on github, Paul Joyce, Rainer Müller, Ray Satiro, Remo E,
Rider Linden, Sebastian Mundry, Sergei Kuzmin, Stephen Brokenshire,
Tobias Stoeckmann, Toby Peterson, Todd Short, Tony Kelman, Torben Dannhauer,
Valentin David,
(40 contributors)
Thanks! (and sorry if I forgot to mention someone)
References to bug reports and discussions on issues:
[1] = https://curl.haxx.se/bug/?i=964
[2] = https://curl.haxx.se/bug/?i=1013
[3] = https://curl.haxx.se/bug/?i=1019
[4] = https://curl.haxx.se/bug/?i=1011
[5] = https://curl.haxx.se/mail/lib-2016-09/0045.html
[6] = https://curl.haxx.se/bug/?i=1029
[7] = https://curl.haxx.se/bug/?i=1017
[8] = https://curl.haxx.se/bug/?i=997
[9] = https://curl.haxx.se/bug/?i=1031
[10] = https://curl.haxx.se/libcurl/c/CURLOPT_KEEP_SENDING_ON_ERROR.html
[11] = https://curl.haxx.se/bug/?i=1050
[12] = https://curl.haxx.se/bug/?i=1053
[13] = https://curl.haxx.se/bug/?i=1056
[14] = https://curl.haxx.se/bug/?i=1052
[15] = https://curl.haxx.se/bug/?i=1049
[16] = https://curl.haxx.se/bug/?i=1066
[17] = https://curl.haxx.se/bug/?i=922
[18] = https://curl.haxx.se/mail/lib-2016-10/0040.html
[19] = https://curl.haxx.se/bug/?i=1057
[20] = https://curl.haxx.se/bug/?i=1075
[21] = https://curl.haxx.se/bug/?i=1048
[22] = https://curl.haxx.se/bug/?i=1042
[23] = https://curl.haxx.se/bug/?i=739
[24] = https://curl.haxx.se/bug/?i=1069
[25] = https://curl.haxx.se/bug/?i=1083
[26] = https://curl.haxx.se/mail/lib-2016-10/0011.html
[27] = https://bugzilla.redhat.com/1388162
[28] = https://curl.haxx.se/docs/adv_20161102A.html
[29] = https://curl.haxx.se/docs/adv_20161102B.html
[30] = https://curl.haxx.se/docs/adv_20161102C.html
[31] = https://curl.haxx.se/docs/adv_20161102D.html
[32] = https://curl.haxx.se/docs/adv_20161102E.html
[33] = https://curl.haxx.se/docs/adv_20161102F.html
[34] = https://curl.haxx.se/docs/adv_20161102G.html
[35] = https://curl.haxx.se/docs/adv_20161102H.html
[36] = https://curl.haxx.se/docs/adv_20161102I.html
[37] = https://curl.haxx.se/docs/adv_20161102J.html
[38] = https://curl.haxx.se/docs/adv_20161102K.html
[39] = https://curl.haxx.se/bug/?i=1012
[40] = https://curl.haxx.se/bug/?i=1087
[41] = https://curl.haxx.se/bug/?i=1088
[42] = https://curl.haxx.se/bug/?i=1059
Bugfixes:
TLS: switch off SSL session id when client cert is used
TLS: only reuse connections with the same client cert
curl_multi_cleanup: clear connection pointer for easy handles
include the CURLINFO_HTTP_VERSION man page into the release tarball
include the http2-server.pl script in the release tarball
test558: fix test by stripping file paths from FD lines
spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
tests: Fix for http/2 feature
cmake: Fix for schannel support
curl.h: make public types void * again
win32: fix a potential memory leak in Curl_load_library
travis: fix OSX build by re-installing libtool
mbedtls: Fix debug function name
Fixed in 7.49.0 - May 18 2016
Changes:
schannel: Add ALPN support
SSH: support CURLINFO_FILETIME
SSH: new CURLOPT_QUOTE command "statvfs"
wolfssl: Add ALPN support
http2: added --http2-prior-knowledge
http2: added CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
libcurl: added CURLOPT_CONNECT_TO
curl: added --connect-to
libcurl: added CURLOPT_TCP_FASTOPEN
curl: added --tcp-fastopen
curl: remove support for --ftpport, -http-request and --socks
Bugfixes:
CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
checksrc.bat: Updated the help to be consistent with generate.bat
checksrc.bat: Added support for scanning the tests and examples
openssl: fix ERR_remove_thread_state() for boringssl/libressl
openssl: boringssl provides the same numbering as openssl
multi: fix "Operation timed out after" timer
url: don't use bad offset in tld_check_name to show error
sshserver.pl: use quotes for given options
Makefile.am: skip the scripts dir
curl: warn for --capath use if not supported by libcurl
http2: fix connection reuse
GSS: make Curl_gss_log_error more verbose
build-wolfssl: Allow a broader range of ciphers (Visual Studio)
wolfssl: Use ECC supported curves extension
openssl: Fix compilation warnings
Curl_add_buffer_send: avoid possible NULL dereference
SOCKS5_gssapi_negotiate: don't assume little-endian ints
strerror: don't bit shift a signed integer
url: Corrected get protocol family for FTP and LDAP
curl/mprintf.h: remove support for _MPRINTF_REPLACE
upload: missing rewind call could make libcurl hang
IMAP: check pointer before dereferencing it
build: Changed the Visual Studio projects warning level from 3 to 4
checksrc: now stricter, wider checks, code cleaned up
checksrc: added docs/CHECKSRC.md
curl_sasl: Fixed potential null pointer utilisation
krb5: Fixed missing client response when mutual authentication enabled
krb5: Only process challenge when present
krb5: Only generate a SPN when its not known
formdata: use appropriate fopen() macros
curl.1: -w filename_effective was introduced in 7.26.0
http2: make use of the nghttp2 error callback
http2: fix connection reuse when PING comes after last DATA
curl.1: change example for -F
HTTP2: Add a space character after the status code
curl.1: use example.com more
mbedtls.c: changed private prefix to mbed_
mbedtls: implement and provide *_data_pending() to avoid hang
mbedtls: fix MBEDTLS_DEBUG builds
ftp/imap/pop3/smtp: Allow the service name to be overridden
CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
build: include scripts/ in the dist
http2: Add handling stream level error
http2: Improve header parsing
makefile.vc6: use d suffix on debug object
configure: remove check for libresolve
scripts/make: use $(EXEEXT) for executables
checksrc: got rid of the whitelist files
sendf: added ability to call recv() before send() as workaround
NTLM: check for NULL pointer before dereferencing
openssl: builds with OpenSSL 1.1.0-pre5
configure: ac_cv_ -> curl_cv_ for all cached vars
winbuild: add mbedtls support
curl: make --ftp-create-dirs retry on failure
PolarSSL: implement public key pinning
multi: accidentally used resolved host name instead of proxy
CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
CONNECT_ONLY: don't close connection on GSS 401/407 reponses
opts: Fix some syntax errors in example code fragments
mbedtls: Fix session resume
test1139: verifies libcurl option man page presence
CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
curl: make --disable work as long form of -q
curl: use --telnet-option as documented
curl.1: document --ftp-ssl-reqd, --krb4 and --ntlm-wb
curl: -h output lacked --proxy-header and --ntlm-wb
curl -J: make it work even without http:// scheme on URL
lib: include curl_printf.h as one of the last headers
tests: handle path properly on Msys/Cygwin
curl.1: --mail-rcpt can be used multiple times
CURLOPT_ACCEPT_ENCODING.3: clarified
docs: fixed lots of broken man page references
tls: make setting pinnedkey option fail if not supported
test1140: run nroff-scan to verify man pages
http: make sure a blank header overrides accept_decoding
connections: do not reuse non-HTTP proxies on different ports
connect: fix invalid "Network is unreachable" errors
TLS: move the ALPN/NPN enable bits to the connection
TLS: SSL_peek is not a const operation
http2: Add space between colon and header value
darwinssl: fix certificate verification disable on OS X 10.8
mprintf: Fix processing of width and prec args
ftp wildcard: segfault due to init only in multi_perform
- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
- Revert "sshserver: remove use of AuthorizedKeysFile2"
It seems we may have some autobuild problems after this commit went
in. Trying to see if a revert helps to get them back.
- maketgz: add -j to make dist
... makes it a lot faster
- libcurl-thread.3: minor nroff format fix
- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
- CODE_STYLE: indend example code
... to make it look nicer in markdown outputa
Changes:
configure: build silently by default
cookies: Add support for Publix Suffix List with libpsl
vtls: added support for mbedTLS
Added CURLOPT_STREAM_DEPENDS
Added CURLOPT_STREAM_DEPENDS_E
Added CURLOPT_STREAM_WEIGHT
Added CURLFORM_CONTENTLEN
oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
Bugfixes:
des: Fix header conditional for Curl_des_set_odd_parity
ntlm: get rid of unconditional use of long long
CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
docs: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
http2: Fix http2_recv to return -1 if recv returned -1
curl_global_init_mem: set function pointers before doing init
ntlm: error out without 64bit support as the code needs it
openssl: Fix set up of pkcs12 certificate verification chain
acinclude: remove PKGCONFIG override
test1531: case the size to fix the test on non-largefile builds
fread_func: move callback pointer from set to state struct
test1601: fix compilation with --enable-debug and --disable-crypto-auth
http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
curlbuild.h: Fix non-configure compiling to mips and sh4 targets
tool: Generate easysrc with last cache linked-list
cmake: Fix for add_subdirectory(curl) use-case
vtls: fix compiler warning for TLS backends without sha256
build: fix for MSDOS/djgpp
checksrc: add crude // detection
http2: on_frame_recv: trust the conn/data input
ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
polarssl/mbedtls: fix name space pollution
build: Fix mingw ssl gdi32 order
build: Fix support for PKG_CONFIG
MacOSX-Framework: sdk regex fix for sdk 10.10 and later
socks: Fix incorrect port numbers in failed connect messages
curl.1: -E: s/private certificate/client certificate
curl.h: s/HTTPPOST_/CURL_HTTPOST_
curl_formadd: support >2GB files on windows
http redirects: %-encode bytes outside of ascii range
rawstr: Speed up Curl_raw_toupper by 40%
curl_ntlm_core: fix 2 curl_off_t constant overflows.
getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
tftp tests: verify sent options too
imap: Don't call imap_atom() when no mailbox specified in LIST command
imap: Fixed double quote in LIST command when mailbox contains spaces
imap: Don't check for continuation when executing a CUSTOMREQUEST
acinclude: Remove check for 16-bit curl_off_t
BoringSSL: Work with stricter BIO_get_mem_data()
cmake: Add missing feature macros in config header
sasl_sspi: fixed unicode build for digest authentication
sasl_sspi: fix identity memory leak in digest authentication
unit1602: Fixed failure in torture test
unit1603: Added unit tests for hash functions
vtls/openssl: remove unused traces of yassl ifdefs
openssl: remove #ifdefs for < 0.9.7 support
typecheck-gcc.h: add some missing options
curl: mark two more options strings for --libcurl output
openssl: Free modules on cleanup
CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
getconnectinfo: Don't call recv(2) if socket == -1
http2: http_done: don't free already-freed push headers
zsh completion: Preserve single quotes in output
os400: Provide options for libssh2 use in compile scripts.
build: Fix theoretical infinite loops
pop3: Differentiate between success and continuation responses
examples: Fixed compilation warnings
schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
CURLOPT_HEADERFUNCTION.3: fix typo
curl: expanded the -XHEAD warning text
done: make sure the final progress update is made
build: Install zsh completion
RTSP: do not add if-modified-since without timecondition
curl: Fixed display of URL index in password prompt for --next
nonblock: fix setting non-blocking mode for Amiga
http2 push: add missing inits of new stream
http2: convert some verbose output into debug-only output
Curl_read_plain: clean up ifdefs that break statements
Fixed in 7.45.0 - October 7 2015
Changes:
added CURLOPT_DEFAULT_PROTOCOL
added new tool option --proto-default
getinfo: added CURLINFO_ACTIVESOCKET
turned CURLINFO_* option docs as stand-alone man pages
curl: point out unnecessary uses of -X in verbose mode
Bugfixes:
curl_global_init_mem.3: Stronger thread safety warning
buildconf.bat: Fixed issues when ran in directories with special chars
cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
generate.bat: Fixed issues when ran in directories with special chars
generate.bat: Only call buildconf.bat if it exists
generate.bat: Added support for generating only the prerequisite files
curl.1: Document weaknesses in SSLv2 and SSLv3
CURLOPT_HTTP_VERSION.3: connection re-use goes before version
docs: Update the redirect protocols disabled by default
inet_pton.c: Fix MSVC run-time check failure
CURLMOPT_PUSHFUNCTION.3: fix argument types
rtsp: support basic/digest authentication
rtsp: stop reading empty DESCRIBE responses
travis: Upgrading to container based build
travis.yml: Add OS X testbot
FTP: make state machine not get stuck in state
openssl: handle lack of server cert when strict checking disabled
configure: change functions to detect openssl (clones)
configure: detect latest boringssl
runtests: Allow for spaces in server-verify curl custom path
http2: on_frame_recv: get a proper 'conn' for the debug logging
ntlm: mark deliberate switch case fall-through
http2: remove dead code
curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
curl: point out the conflicting HTTP methods if used
cmake: added Windows SSL support
curl_easy_{escape,setopt}.3: fix example
curl_easy_escape.3: escape '\n'
libcurl.m4: Put braces around empty if body
buildconf.bat: Fixed double blank line in 'curl manual' warning output
sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
inet_pton.c: Fix MSVC run-time check failure
CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
http2: don't pass on Connection: headers
nss: do not directly access SSL_ImplementedCiphers
docs: numerous cleanups and spelling fixes
FTP: do_more: add check for wait_data_conn in upload case
parse_proxy: reject illegal port numbers
cmake: IPv6 : disable Unix header check on Windows platform
winbuild: run buildconf.bat if necessary
buildconf.bat: fix syntax error
curl_sspi: fix possibly undefined CRYPT_E_REVOKED
nss: prevent NSS from incorrectly re-using a session
libcurl-errors.3: add two missing error codes
openssl: fix build with < 0.9.8
openssl: refactor certificate parsing to use OpenSSL memory BIO
openldap: only part of LDAP query results received
ssl: add server cert's "sha256//" hash to verbose
NTLM: Reset auth-done when using a fresh connection
curl: generate easysrc only on --libcurl
tests: disable 1801 until fixed
CURLINFO_TLS_SESSION: always return backend info
gnutls: Support CURLOPT_KEYPASSWD
gnutls: Report actual GnuTLS error message for certificate errors
tests: disable 1510 due to CI-problems on github
cmake: Put "winsock2.h" before "windows.h" during configure checks
cmake: Ensure discovered include dirs are considered
configure: Add missing ')' for CURL_CHECK_OPTION_RT
build: fix failures with -Wcast-align and -Werror
FTP: fix uploading ASCII with unknown size
readwrite_data: set a max number of loops
http2: avoid superfluous Curl_expire() calls
http2: set TCP_NODELAY unconditionally
docs: fix unescaped '\n' in man pages
openssl: Fix algorithm init to make (gost) engines work
win32: make recent Borland compilers use long long
runtests: Fix pid check in checkdied
gopher: don't send NUL byte
tool_setopt: fix c_escape truncated octal
hiperfifo: fix the pointer passed to WRITEDATA
getinfo: Fix return code for unknown CURLINFO options
Curl and libcurl 7.44.0
Public curl releases: 148
Command line options: 176
curl_easy_setopt() options: 219
Public functions in libcurl: 58
Contributors: 1291
This release includes the following changes:
o http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA [6]
o examples: added http2-serverpush.c [7]
o http2: added curl_pushheader_byname() and curl_pushheader_bynum()
o docs: added CODE_OF_CONDUCT.md [8]
o curl: Add --ssl-no-revoke to disable certificate revocation checks [5]
o libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS [9]
o makefile: Added support for VC14
o build: Added Visual Studio 2015 (VC14) project files
o build: Added wolfSSL configurations to VC10+ project files [18]
This release includes the following bugfixes:
o FTP: fix HTTP CONNECT logic regression [1]
o openssl: Fix build with openssl < ~ 0.9.8f
o openssl: fix build with BoringSSL
o curl_easy_setopt.3: option order doesn't matter
o openssl: fix use of uninitialized buffer [2]
o RTSP: removed dead code
o Makefile.m32: add support for CURL_LDFLAG_EXTRAS
o curl: always provide negotiate/kerberos options
o cookie: Fix bug in export if any-domain cookie is present
o curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
o INSTALL: Advise use of non-native SSL for Windows <= XP
o tool_help: fix --tlsv1 help text to use >= for TLSv1
o HTTP: POSTFIELDSIZE set after added to multi handle [3]
o SSL-PROBLEMS: mention WinSSL problems in WinXP
o setup-vms.h: Symbol case fixups
o SSL: Pinned public key hash support
o libtest: call PR_Cleanup() on exit if NSPR is used
o ntlm_wb: Fix theoretical memory leak
o runtests: Allow for spaces in curl custom path
o http2: add stream != NULL checks for reliability
o schannel: Replace deprecated GetVersion with VerifyVersionInfo
o http2: verify success of strchr() in http2_send()
o configure: add --disable-rt option
o openssl: work around MSVC warning
o HTTP: ignore "Content-Encoding: compress"
o configure: check if OpenSSL linking wants -ldl
o build-openssl.bat: Show syntax if required args are missing
o test1902: attempt to make the test more reliable
o libcurl-thread.3: Consolidate thread safety info
o maketgz: Fixed some VC makefiles missing from the release tarball
o libcurl-multi.3: mention curl_multi_wait [10]
o ABI doc: use secure URL
o http: move HTTP/2 cleanup code off http_disconnect() [11]
o libcurl-thread.3: Warn memory functions must be thread safe [12]
o curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs [13]
o docs: formpost needs the full size at start of upload [14]
o curl_gssapi: remove 'const' to fix compiler warnings
o SSH: three state machine fixups [15]
o libcurl.3: fix a single typo [16]
o generate.bat: Only clean prerequisite files when in ALL mode
o curl_slist_append.3: add error checking to the example
o buildconf.bat: Added support for file clean-up via -clean
o generate.bat: Use buildconf.bat for prerequisite file clean-up
o NTLM: handle auth for only a single request [17]
o curl_multi_remove_handle.3: fix formatting [19]
o checksrc.bat: Fixed error when [directory] isn't a curl source directory
o checksrc.bat: Fixed error when missing *.c and *.h files
o CURLOPT_RESOLVE.3: Note removal support was added in 7.42 [20]
o test46: update cookie expire time
o SFTP: fix range request off-by-one in size check [21]
o CMake: fix GSSAPI builds [22]
o build: refer to fixed libidn versions [4]
o http2: discard frames with no SessionHandle [23]
o curl_easy_recv.3: fix formatting
o libcurl-tutorial.3: fix formatting [24]
o curl_formget.3: correct return code [25]
Curl and libcurl 7.43.0
Public curl releases: 147
Command line options: 176
curl_easy_setopt() options: 219
Public functions in libcurl: 58
Contributors: 1291
This release includes the following changes:
o Added CURLOPT_PROXY_SERVICE_NAME[11]
o Added CURLOPT_SERVICE_NAME[12]
o New curl option: --proxy-service-name[13]
o Mew curl option: --service-name [14]
o New curl option: --data-raw [5]
o Added CURLOPT_PIPEWAIT [15]
o Added support for multiplexing transfers using HTTP/2, enable this
with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING [16]
o HTTP/2: requires nghttp2 1.0.0 or later
o scripts: add zsh.pl for generating zsh completion
o curl.h: add CURL_HTTP_VERSION_2
This release includes the following bugfixes:
o CVE-2015-3236: lingering HTTP credentials in connection re-use [30]
o CVE-2015-3237: SMB send off unrelated memory contents [31]
o nss: fix compilation failure with old versions of NSS [1]
o curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
o schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
o Curl_ossl_init: load builtin modules [2]
o configure: follow-up fix for krb5-config [3]
o sasl_sspi: Populate domain from the realm in the challenge [4]
o netrc: support 'default' token
o README: convert to UTF-8
o cyassl: Implement public key pinning
o nss: implement public key pinning for NSS backend
o mingw build: add arch -m32/-m64 to LDFLAGS
o schannel: Fix out of bounds array [6]
o configure: remove autogenerated files by autoconf
o configure: remove --automake from libtoolize call
o acinclude.m4: fix shell test for default CA cert bundle/path
o schannel: fix regression in schannel_recv [7]
o openssl: skip trace outputs for ssl_ver == 0 [8]
o gnutls: properly retrieve certificate status
o netrc: Read in text mode when cygwin [9]
o winbuild: Document the option used to statically link the CRT [10]
o FTP: Make EPSV use the control IP address rather than the original host
o FTP: fix dangling conn->ip_addr dereference on verbose EPSV
o conncache: keep bundles on host+port bases, not only host names
o runtests.pl: use 'h2c' now, no -14 anymore
o curlver: introducing new version number (checking) macros
o openssl: boringssl build brekage, use SSL_CTX_set_msg_callback [17]
o CURLOPT_POSTFIELDS.3: correct variable names [18]
o curl_easy_unescape.3: update RFC reference [19]
o gnutls: don't fail on non-fatal alerts during handshake
o testcurl.pl: allow source to be in an arbitrary directory
o CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
o SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description [20]
o parse_proxy: switch off tunneling if non-HTTP proxy [21]
o share_init: fix OOM crash
o perl: remove subdir, not touched in 9 years
o CURLOPT_COOKIELIST.3: Add example
o CURLOPT_COOKIE.3: Explain that the cookies won't be modified [22]
o CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain [23]
o FAQ: How do I port libcurl to my OS?
o openssl: Use TLS_client_method for OpenSSL 1.1.0+
o HTTP-NTLM: fail auth on connection close instead of looping [24]
o curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT [25]
o curl_getdate.3: update RFC reference
o curl_multi_info_read.3: added example
o curl_multi_perform.3: added example
o curl_multi_timeout.3: added example
o cookie: Stop exporting any-domain cookies [26]
o openssl: remove dummy callback use from SSL_CTX_set_verify()
o openssl: remove SSL_get_session()-using code
o openssl: removed USERDATA_IN_PWD_CALLBACK kludge
o openssl: removed error string #ifdef
o openssl: Fix verification of server-sent legacy intermediates [27]
o docs: man page indentation and syntax fixes
o docs: Spelling fixes
o fopen.c: fix a few compiler warnings
o CURLOPT_OPENSOCKETFUNCTION: return error at once [28]
o schannel: Add support for optional client certificates
o build: Properly detect OpenSSL 1.0.2 when using configure
o urldata: store POST size in state.infilesize too [29]
o security:choose_mech remove dead code
o rtsp_do: remove dead code
o docs: many HTTP URIs changed to HTTPS
o schannel: schannel_recv overhaul [32]
This release includes the following known bugs:
o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html)
This release would not have looked like this without help, code, reports and
advice from friends like these:
Alessandro Ghedini, Alexander Dyagilev, Anders Bakken, Anthony Avina,
Ashish Shukla, Bert Huijben, Brian Chrisman, Brian Prodoehl, Chris Araman,
Dagobert Michelsen, Dan Fandrich, Daniel Melani, Daniel Stenberg,
Dmitry Eremin-Solenikov, Drake Arconis, Egon Eckert, Frank Meier, Fred Stluka,
Gisle Vanem, Grant Pannell, Isaac Boukris, Jens Rantil, Joel Depooter,
Kamil Dudka, Linus Nielsen Feltzing, Linus Nielsen Feltzing Feltzing,
Liviu Chircu, Marc Hoersken, Michael Osipov, Oren Souroujon, Orgad Shaneh,
Patrick Monnerat, Patrick Rapin, Paul Howarth, Paul Oliver, Rafayel Mkrtchyan,
Ray Satiro, Sean Boudreau, Tatsuhiro Tsujikawa, Tomas Tomecek, Viktor Szakáts,
Ville Skyttä, Yehezkel Horowitz,
(43 contributors)
Thanks! (and sorry if I forgot to mention someone)
References to bug reports and discussions on issues:
[1] = http://curl.haxx.se/mail/lib-2015-04/0095.html
[2] = https://github.com/bagder/curl/pull/206
[3] = 5b66860652 (commitcomment-10473445)
[4] = https://github.com/bagder/curl/pull/141
[5] = https://github.com/bagder/curl/issues/198
[6] = http://curl.haxx.se/mail/lib-2015-04/0199.html
[7] = https://github.com/bagder/curl/issues/244
[8] = https://github.com/bagder/curl/issues/219
[9] = https://github.com/bagder/curl/pull/258
[10] = https://github.com/bagder/curl/issues/254
[11] = http://curl.haxx.se/libcurl/c/CURLOPT_PROXY_SERVICE_NAME.html
[12] = http://curl.haxx.se/libcurl/c/CURLOPT_SERVICE_NAME.html
[13] = http://curl.haxx.se/docs/manpage.html#--proxy-service-name
[14] = http://curl.haxx.se/docs/manpage.html#--service-name
[15] = http://curl.haxx.se/libcurl/c/CURLOPT_PIPEWAIT.html
[16] = http://curl.haxx.se/libcurl/c/CURLMOPT_PIPELINING.html
[17] = https://github.com/bagder/curl/issues/275
[18] = https://github.com/bagder/curl/issues/281
[19] = https://github.com/bagder/curl/issues/282
[20] = https://github.com/bagder/curl/issues/267
[21] = http://curl.haxx.se/mail/lib-2015-05/0056.html
[22] = http://curl.haxx.se/mail/lib-2015-05/0115.html
[23] = http://curl.haxx.se/mail/lib-2015-05/0137.html
[24] = https://github.com/bagder/curl/issues/256
[25] = https://github.com/bagder/curl/pull/258#issuecomment-107093055
[26] = https://github.com/bagder/curl/issues/292
[27] = https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
[28] = http://curl.haxx.se/mail/lib-2015-06/0047.html
[29] = http://curl.haxx.se/mail/lib-2015-06/0019.html
[30] = http://curl.haxx.se/docs/adv_20150617A.html
[31] = http://curl.haxx.se/docs/adv_20150617B.html
[32] = https://github.com/bagder/curl/issues/244
Version 7.42.1 (28 Apr 2015)
Daniel Stenberg (28 Apr 2015)
- RELEASE-NOTES: 7.42.1 ready
- CURLOPT_HEADEROPT: default to separate
Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.
Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
- RELEASE-NOTES: synced with a6e0270e
- sws: init http2 state properly
It would otherwise cause problems when running tests after 1801 etc.
- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
... as it was previouly undocumented what the pointer was.
- openssl: fix serial number output
The code extracting the cert serial number was broken and didn't display
it properly.
Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
- [Alessandro Ghedini brought this change]
curl.1: fix typo
- RELEASE-NOTES: toward 7.42.1, synced with 097460a
- [Kamil Dudka brought this change]
curl -z: do not write empty file on unmet condition
This commit fixes a regression introduced in curl-7_41_0-186-g261a0fe.
It also introduces a regression test 1424 based on tests 78 and 1423.
Reported-by: Viktor Szakats
Bug: https://github.com/bagder/curl/issues/237
- [Kamil Dudka brought this change]
docs: distribute the CURLOPT_PINNEDPUBLICKEY(3) man page, too
- connectionexists: follow-up to fd9d3a1ef1f
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.
Mistake-caught-by: Kamil Dudka
- connectionexists: fix build without NTLM
Do not access NTLM-specific struct fields when built without NTLM
enabled!
bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
- dist: include {src,lib}/checksrc.whitelist
This release includes the following changes:
o openssl: show the cipher selection to use in verbose text
o gtls: implement CURLOPT_CERTINFO
o add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
o curl: add --false-start option
o add CURLOPT_PATH_AS_IS
o curl: add --path-as-is option
o curl: create output file on successful download of an empty file
This release includes the following bugfixes:
o ConnectionExists: for NTLM re-use, require credentials to match
o cookie: cookie parser out of boundary memory access
o fix_hostname: zero length host name caused -1 index offset
o http_done: close Negotiate connections when done
o sws: timeout idle CONNECT connections
o nss: improve error handling in Curl_nss_random()
o nss: do not skip Curl_nss_seed() if data is NULL
o curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
o http2: move lots of verbose output to be debug-only
o dist: add extern-scan.pl to the tarball
o http2: return recv error on unexpected EOF
o build: Use default RandomizedBaseAddress directive in VC9+ project files
o build: Removed DataExecutionPrevention directive from VC9+ project files
o tool: Updated the warnf() function to use the GlobalConfig structure
o http2: Return error if stream was closed with other than NO_ERROR
o mprintf.h: remove #ifdef CURLDEBUG
o libtest: fixed linker errors on msvc
o tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
o curl.1: fix "The the" typo
o cmake: handle build definitions CURLDEBUG/DEBUGBUILD
o openssl: remove all uses of USE_SSLEAY
o multi: fix memory-leak on timeout (regression)
o curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
o metalink: add some error checks
o TLS: make it possible to enable ALPN/NPN without HTTP/2
o http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
o conncontrol: only log changes to the connection bit
o multi: fix *getsock() with CONNECT
o symbols.pl: handle '-' in the deprecated field
o MacOSX-Framework: use @rpath instead of @executable_path
o GnuTLS: add support for CURLOPT_CAPATH
o GnuTLS: print negotiated TLS version and full cipher suite name
o GnuTLS: don't print double newline after certificate dates
o memanalyze.pl: handle free(NULL)
o proxy: re-use proxy connections (regression)
o mk-ca-bundle: Don't report SHA1 numbers with "-q"
o http: always send Host: header as first header
o openssl: sort ciphers to use based on strength
o openssl: use colons properly in the ciphers list
o http2: detect premature close without data transfered
o hostip: Fix signal race in Curl_resolv_timeout
o closesocket: call multi socket cb on close even with custom close
o mksymbolsmanpage.pl: use std header and generate better nroff header
o connect: Fix happy eyeballs logic for IPv4-only builds
o curl_easy_perform.3: remove superfluous close brace from example
o HTTP: don't use Expect: headers when on HTTP/2
o Curl_sh_entry: remove unused 'timestamp'
o docs/libcurl: makefile portability fix
o mkhelp: Remove trailing carriage return from every line of input
o nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
o curl_easy_setopt.3: added a few missing options
o metalink: fix resource leak in OOM
o axtls: version 1.5.2 now requires that config.h be manually included
o HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
o cyassl: detect the library as renamed wolfssl
o CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
o CURLOPT_URL.3: Added "SECURITY CONCERNS
o openssl: try to avoid accessing OCSP structs when possible
o test938: added missing closing tags
o testcurl: Allow '=' in values given on command line
o tests/certs: added make target to rebuild certificates
o tests/certs: rebuild certificates with modified key usage bits
o gtls: avoid uninitialized variable
o gtls: dereferencing NULL pointer
o gtls: add check of return code
o test1513: eliminated race condition in test run
o dict: rename byte to avoid compiler shadowed declaration warning
o curl_easy_recv/send: make them work with the multi interface
o vtls: fix compile with --disable-crypto-auth but with SSL
o openssl: adapt to ASN1/X509 things gone opaque in 1.1
o openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
o curl_memory: make curl_memory.h the second-last header file loaded
o testcurl.pl: add the --notes option to supply more info about a build
o cyassl: If wolfSSL then identify as such in version string
o cyassl: Check for invalid length parameter in Curl_cyassl_random
o cyassl: default to highest possible TLS version
o Curl_ssl_md5sum: return CURLcode (fixes OOM)
o polarssl: remove dead code
o polarssl: called mbedTLS in 1.3.10 and later
o globbing: fix step parsing for character globbing ranges
o globbing: fix url number calculation when using range with step
o multi: on a request completion, check all CONNECT_PEND transfers
o build: link curl to openssl libraries when openssl support is enabled
o url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined
o vtls: Don't accept unknown CURLOPT_SSLVERSION values
o build: Fix libcurl.sln erroneous mixed configurations
o cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
o cyassl: add SSL context callback support for CyaSSL
o tool: only set SSL options if SSL is enabled
o multi: remove_handle: move pending connections
o configure: Use KRB5CONFIG for krb5-config
o axtls: add timeout within Curl_axtls_connect
o CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"
o cyassl: Fix library initialization return value
o cookie: handle spaces after the name in Set-Cookie
o http2: Fix missing nghttp2_session_send call in Curl_http2_switched
o cyassl: Fix certificate load check
o build-openssl.bat: Fix mixed line endings
o checksrc.bat: Check lib\vtls source
o DNS: fix refreshing of obsolete dns cache entries
o CURLOPT_RESOLVE: actually implement removals
o checksrc.bat: quotes to support an SRC_DIR with spaces
o cyassl: Remove 'Connecting to' message from cyassl_connect_step2
o cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
o lib/transfer.c: Remove factor of 8 from sleep time calculation
o lib/makefile.m32: add missing libs to build libcurl.dll
o build: Generate source prerequisites for Visual Studio in generate.bat
o cyassl: Include the CyaSSL build config
o firefox-db2pem: fix wildcard to find Firefox default profile
o BUGS: refer to the github issue tracker now as primary
o vtls_openssl: improve several certificate error messages
o cyassl: Add support for TLS extension SNI
o parsecfg: do not continue past a zero termination
o configure --with-nss=PATH: query pkg-config if available
o configure --with-nss: drop redundant if statement
o cyassl: Fix include order
o HTTP: fix PUT regression with Negotiate
o curl_version_info.3: fixed the 'protocols' variable type
Version 7.41.0 (25 Feb 2015)
Daniel Stenberg (25 Feb 2015)
- THANKS: added contributors from the 7.41.0 RELEASE-NOTES
- RELEASE-NOTES: sync with ffc2aeec6e (7.41.0 release time!)
Marc Hoersken (25 Feb 2015)
- Revert "telnet.c: fix handling of 0 being returned from custom read function"
This reverts commit 03fa576833643c67579ae216c4e7350fa9b5f2fe.
- telnet.c: fix invalid use of custom read function if not being set
obj_count can be 1 if the custom read function is set or the stdin
handle is a reference to a pipe. Since the pipe should be handled
using the PeekNamedPipe-check below, the custom read function should
only be used if it is actually enabled.
- telnet.c: fix handling of 0 being returned from custom read function
According to [1]: "Returning 0 will signal end-of-file to the library
and cause it to stop the current transfer."
This change makes the Windows telnet code handle this case accordingly.
[1] http://curl.haxx.se/libcurl/c/CURLOPT_READFUNCTION.html
Daniel Stenberg (24 Feb 2015)
- sws: stop logging about TPC_NODELAY nonsense
- lib530: make it less timing sensible
... by making sure the first request is completed before doing the
remainder.
Kamil Dudka (23 Feb 2015)
- connect: wait for IPv4 connection attempts
... even if the last IPv6 connection attempt has failed.
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c4
- connect: avoid skipping an IPv4 address
... in case the protocol versions are mixed in a DNS response
(IPv6 -> IPv4 -> IPv6).
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c3
Daniel Stenberg (23 Feb 2015)
- RELEASE-NOTES: synced with 5e4395eab839d
- ROADMAP: curl_easy_setopt.3 has already been split up
Remove cmake as marked for removal. It is in much better state now.
- ROADMAP: extend the HTTP/2 stuff, remove SPDY
- [Julian Ospald brought this change]
configure: allow both --with-ca-bundle and --with-ca-path
SSL_CTX_load_verify_locations by default (and if given non-Null
parameters) searches the CAfile first and falls back to CApath. This
allows for CAfile to be a basis (e.g. installed by the package manager)
and CApath to be a user configured directory.
This wasn't reflected by the previous configure constraint which this
patch fixes.
Bug: https://github.com/bagder/curl/pull/139
- [Ben Boeckel brought this change]
cmake: install the dll file to the correct directory
- [Alessandro Ghedini brought this change]
nss: fix NPN/ALPN protocol negotiation
Correctly check for memcmp() return value (it returns 0 if the strings match).
This is not really important, since curl is going to use http/1.1 anyway, but
it's still a bug I guess.
- [Alessandro Ghedini brought this change]
polarssl: fix ALPN protocol negotiation
Correctly check for strncmp() return value (it returns 0 if the strings
match).
- [Sergei Nikulov brought this change]
CMake: Fix generation of tool_hugehelp.c on windows
Use "cmake -E echo" instead of "echo".
Reviewed-by: Brad King <brad.king@kitware.com>
- [Sergei Nikulov brought this change]
CMake: fix winsock2 detection on windows
Set CMAKE_REQUIRED_DEFINITIONS to include definitions needed to get
the winsock2 API from windows.h. Simplify the order of checks to
avoid extra conditions.
Use check_include_file instead of check_include_file_concat to look
for OpenSSL headers. They do not need to participate in a sequence
of dependent system headers. Also they may cause winsock.h to be
included before ws2tcpip.h, causing the latter to not be detected
in the sequence.
Reviewed-by: Brad King <brad.king@kitware.com>
- [Alessandro Ghedini brought this change]
gtls: fix build with HTTP2
Steve Holme (16 Feb 2015)
- Makefile.vc6: Corrected typos in rename of darwinssl.obj
Nick Zitzmann (15 Feb 2015)
- By request, change the name of "curl_darwinssl.[ch]" to "darwinssl.[ch]"
Steve Holme (14 Feb 2015)
- RELEASE-NOTES: Synced with 6f89f86c3d
- tests/README: Updated to reflect email test ranges
- [Alessandro Ghedini brought this change]
curl.1: --cert-status is also supported by OpenSSL now
- build: Removed Visual Studio SuppressStartupBanner directive for VC8+
Visual Studio 2005 and above defaults to disabling the startup banner
for the Compiler, Linker and MIDL tools (with /NOLOGO). As such there
is no need to explicitly set the SuppressStartupBanner directive, as
this is a leftover from the VC7 and VC7.1 projects being upgraded to
VC8 and above.
Kamil Dudka (12 Feb 2015)
- openssl: fix a compile-time warning
lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive
Steve Holme (11 Feb 2015)
- openssl: Use OPENSSL_IS_BORINGSSL for BoringSSL detection
For consistency with other conditionally compiled code in openssl.c,
use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
not included.
Patrick Monnerat (11 Feb 2015)
- ftp: accept all 2xx responses to the PORT command
Steve Holme (9 Feb 2015)
- openssl: Disable OCSP in old versions of OpenSSL
Versions of OpenSSL prior to v0.9.8h do not support the necessary
functions for OCSP stapling.
Daniel Stenberg (9 Feb 2015)
- [Tatsuhiro Tsujikawa brought this change]
http2: Fix bug that associated stream canceled on PUSH_PROMISE
Previously we don't ignore PUSH_PROMISE header fields in on_header
callback. It makes header values mixed with following HEADERS,
resulting protocol error.
- [Jay Satiro brought this change]
polarssl: Fix exclusive SSL protocol version options
Prior to this change the options for exclusive SSL protocol versions did
not actually set the protocol exclusive.
http://curl.haxx.se/mail/lib-2015-01/0002.html
Reported-by: Dan Fandrich
- [Jay Satiro brought this change]
gskit: Fix exclusive SSLv3 option
- curl.1: clarify that -X is used for all requests
Reported-by: Jon Seymour
- curl.1: add warning when using -H and redirects
Steve Holme (7 Feb 2015)
- schannel: Removed curl_ prefix from source files
Removed the curl_ prefix from the schannel source files as discussed
with Marc and Daniel at FOSDEM.
Daniel Stenberg (6 Feb 2015)
- md5: use axTLS's own MD5 functions when available
- MD(4|5): make the MD4_* and MD5_* functions static
- axtls: fix conversion from size_t to int warning
Steve Holme (5 Feb 2015)
- ftp: Use 'CURLcode result' for curl result codes
Daniel Stenberg (5 Feb 2015)
- openssl: SSL_SESSION->ssl_version no longer exist
The struct went private in 1.0.2 so we cannot read the version number
from there anymore. Use SSL_version() instead!
Reported-by: Gisle Vanem
Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
Dan Fandrich (4 Feb 2015)
- unit1600: Fix compilation when NTLM is disabled
Daniel Stenberg (4 Feb 2015)
- MD5: fix compiler warnings and code style nits
- MD5: replace implementation
The previous one was "encumbered" by RSA Inc - to avoid the licensing
restrictions it has being replaced. This is the initial import,
inserting the md5.c and md5.h files from
http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5
Code-by: Alexander Peslyak
- MD4: fix compiler warnings and code style nits
- MD4: replace implementation
The previous one was "encumbered" by RSA Inc - to avoid the licensing
restrictions it has being replaced. This is the initial import,
inserting the md4.c and md4.h files from
http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4
Code-by: Alexander Peslyak
Steve Holme (4 Feb 2015)
- telnet: Prefer 'CURLcode result' for curl result codes
- hostasyn: Prefer 'CURLcode result' for curl result codes
- schannel: Prefer 'CURLcode result' for curl result codes
Daniel Stenberg (3 Feb 2015)
- unit1601: MD5 unit tests
- unit1600: unit test for Curl_ntlm_core_mk_nt_hash
- unit1600: NTLM unit test
- tests/README: add a new range, clean up some language
- [Jay Satiro brought this change]
opts: CURLOPT_CAINFO availability depends on SSL engine
- getpass: protect include with proper #ifdef
Reported-by: Tamir
- getpass_r: read from stdin, not stdout!
The file number used was wrong. This bug was introduced over 10 years
ago, proving this function isn't used much...
Bug: http://curl.haxx.se/bug/view.cgi?id=1476
Reported-by: Tamir
- test1135: verify the CURL_EXTERN order in header files
- Makefile.am: fix 'make distcheck'
... by removing generated files from the *_DIST variable [*] and instead
generate them with a .dist suffix, since that is then handled and put
into the release archive by our generic dist-hook.
[*] = 'make distcheck' fails with non-existing files listed there
Steve Holme (2 Feb 2015)
- curl_sasl.c: More code policing
Better use of 80 character line limit, comment corrections and line
spacing preferences.
Daniel Stenberg (2 Feb 2015)
- libcurl-symbols: first basic shot for autogenerated docs
- FAQ: minor edit of 3.22
Steve Holme (2 Feb 2015)
- build: Added removal of Visual Studio project files
Added the removal of the locally generated project files so one
may revert to a clean repository.
- build: Renamed top level Visual Studio solution files
In preparation for adding the test suite and examples projects renamed
the top level "all" solution files to better describe what they are.
This will also enable us to use "curl" rather than "curlsrc" for the
command line tool solution and project files, which will simplify some
of the configuration.
- build: Enabled DEBUGBUILD in Visual Studio debug builds
Defined the DEBUGBUILD pre-processor variable to allow extra logging,
which is particularly useful in debug builds, as we use this and Visual
Studio typically uses _DEBUG.
We could define DEBUBBUILD, in curl_setup.h, when _MSC_VER and _DEBUG is
defined but that would also affect the makefile based builds which we
probably don't want to do.
- build: Removed unused Visual Studio bscmake settings
Daniel Stenberg (2 Feb 2015)
- CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
And modify the text to refer to HTTP 2 as it isn't called "2.0".
Reported-By: Michael Wallner
Marc Hoersken (31 Jan 2015)
- TODO: moved WinSSL/SChannel todo items into docs
Daniel Stenberg (29 Jan 2015)
- [Michael Kaufmann brought this change]
CURLOPT_SEEKFUNCTION.3: also when server closes a connection
Steve Holme (29 Jan 2015)
- curl_sasl.c: Fixed compilation warning when cryptography is disabled
curl_sasl.c:1506: warning: unused variable 'chlg'
- curl_sasl.c: Fixed compilation warning when verbose debug output disabled
curl_sasl.c:1317: warning: unused parameter 'conn'
- ntlm_core: Use own odd parity function when crypto engine doesn't have one
- ntlm_core: Prefer sizeof(key) rather than hard coded sizes
- ntlm_core: Added consistent comments to DES functions
- des: Added Curl_des_set_odd_parity()
Added Curl_des_set_odd_parity() for use when cryptography engines
don't include this functionality.
- tests: Grouped SMTP SASL EXTERNAL tests with other SMTP tests
- tests: Grouped POP3 SASL EXTERNAL tests with other POP3 tests
- tests: Grouped IMAP SASL EXTERNAL tests with other IMAP tests
- sasl: Minor code policing and grammar corrections
Daniel Stenberg (28 Jan 2015)
- [Gisle Vanem brought this change]
ldap: build with BoringSSL
- security: avoid compiler warning
Possible access to uninitialised memory '&nread' at line 140 of
lib/security.c in function 'ftp_send_command'.
Reported-by: Rich Burridge
- runtests: identify BoringSSL and libressl
Patrick Monnerat (27 Jan 2015)
- docs: cite SASL external authentication.
- sasl: remove XOAUTH2 from default enabled authentication mechanism.
- test: add test cases for sasl external authentication (imap/pop3/smtp).
- imap: remove automatic password setting: it breaks external sasl authentication
- sasl: implement EXTERNAL authentication mechanism.
Its use is only enabled by explicit requirement in URL (;AUTH=EXTERNAL) and
by not setting the password.
Steve Holme (27 Jan 2015)
- openssl: Fixed Curl_ossl_cert_status_request() not returning FALSE
Modified the Curl_ossl_cert_status_request() function to return FALSE
when built with BoringSSL or when OpenSSL is missing the necessary TLS
extensions.
- openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'
Fixed the build of openssl.c when OpenSSL is built without the necessary
TLS extensions for OCSP stapling.
Reported-by: John E. Malmberg
- [Brad Spencer brought this change]
curl_setup: Disable SMB/CIFS support when HTTP only
- RELEASE-NOTES: Synced with 37824498a3
Daniel Stenberg (22 Jan 2015)
- configure: remove detection of the old yassl emulation API
... as that is ancient history and not used.
- OCSP stapling: disabled when build with BoringSSL
- [Alessandro Ghedini brought this change]
openssl: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066
section 8.
Thanks-to: Joe Mason
- for the work-around for the OpenSSL bug.
- BoringSSL: fix build for non-configure builds
HAVE_BORINGSSL gets defined now by configure and should be defined by
other build systems in case a BoringSSL build is desired.
- configure: fix BoringSSL detection and detect libresssl
Steve Holme (22 Jan 2015)
- curl_sasl: Reinstate the sasl_ prefix for locally scoped functions
Commit 7a8b2885e2 made some functions static and removed the public
Curl_ prefix. Unfortunately, it also removed the sasl_ prefix, which
is the naming convention we use in this source file.
- curl_sasl: Minor code policing following recent commits
Daniel Stenberg (22 Jan 2015)
- [John Malmberg brought this change]
openvms: Handle openssl/0.8.9zb version parsing
packages/vms/gnv_link_curl.com was assuming only a single letter suffix
in the openssl version. That assumption has been fixed for 7.40.
- BoringSSL: detected by configure, switches off NTLM
- BoringSSL: no PKCS12 support nor ERR_remove_state
- [Leith Bade brought this change]
BoringSSL: fix build
Steve Holme (20 Jan 2015)
- curl_sasl.c: chlglen is not used when cryptography is disabled
- curl_sasl.c: Fixed compilation warning when cyptography is disabled
curl_sasl.c:1453: warning C4101: 'serverdata' : unreferenced local
variable
- curl_sasl.c: Fixed compilation error when USE_WINDOWS_SSPI defined
curl_sasl.c:1221: error C2065: 'mechtable' : undeclared identifier
This error could also happen for non-SSPI builds when cryptography is
disabled (CURL_DISABLE_CRYPTO_AUTH is defined).
Patrick Monnerat (20 Jan 2015)
- SASL: make some procedures local-scoped
- SASL: common state engine for imap/pop3/smtp
- SASL: common URL option and auth capabilities decoders for all protocols
- IMAP/POP3/SMTP: use a per-connection sub-structure for SASL parameters.
Daniel Stenberg (20 Jan 2015)
- ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
Reported-by: Chris Young
- [Chris Young brought this change]
timeval: typecast for better type (on Amiga)
There is an issue with conflicting "struct timeval" definitions with
certain AmigaOS releases and C libraries, depending on what gets
included when. It's a minor difference - the OS one is unsigned,
whereas the common structure has signed elements. If the OS one ends up
getting defined, this causes a timing calculation error in curl.
It's easy enough to resolve this at the curl end, by casting the
potentially errorneous calculation to a signed long.
- openssl: do public key pinning check independently
... of the other cert verification checks so that you can set verifyhost
and verifypeer to FALSE and still check the public key.
Bug: http://curl.haxx.se/bug/view.cgi?id=1471
Reported-by: Kyle J. McKay
Patrick Monnerat (19 Jan 2015)
- OS400: CURLOPT_SSL_VERIFYSTATUS for ILE/RPG too.
Steve Holme (18 Jan 2015)
- ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
For consistency with other USE_WIN32_ defines as well as the
USE_OPENLDAP define.
- http_negotiate: Use dynamic buffer for SPN generation
Use a dynamicly allocated buffer for the temporary SPN variable similar
to how the SASL GSS-API code does, rather than using a fixed buffer of
2048 characters.
- sasl_gssapi: Make Curl_sasl_build_gssapi_spn() public
- sasl_gssapi: Fixed memory leak with local SPN variable
Daniel Stenberg (17 Jan 2015)
- http_negotiate.c: unused variable 'ret'
Steve Holme (17 Jan 2015)
- gskit.h: Code policing of function pointer arguments
- vtls: Removed unimplemented overrides of curlssl_close_all()
Carrying on from commit 037cd0d991, removed the following unimplemented
instances of curlssl_close_all():
Curl_axtls_close_all()
Curl_darwinssl_close_all()
Curl_cyassl_close_all()
Curl_gskit_close_all()
Curl_gtls_close_all()
Curl_nss_close_all()
Curl_polarssl_close_all()
- vtls: Separate the SSL backend definition from the API setup
Slight code cleanup as the SSL backend #define is mixed up with the API
function setup.
- vtls: Fixed compilation errors when SSL not used
Fixed the following warning and error from commit 3af90a6e19 when SSL
is not being used:
url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined;
assuming extern returning int
error LNK2019: unresolved external symbol Curl_ssl_cert_status_request
referenced in function Curl_setopt
- http_negotiate: Added empty decoded challenge message info text
- http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
- http_negotiate_sspi: Prefer use of 'attrs' for context attributes
Use the same variable name as other areas of SSPI code.
- http_negotiate_sspi: Use correct return type for QuerySecurityPackageInfo()
Use the SECURITY_STATUS typedef rather than a unsigned long for the
QuerySecurityPackageInfo() return and rename the variable as per other
areas of SSPI code.
- http_negotiate_sspi: Use 'CURLcode result' for CURL result code
- curl_endian: Fixed build when 64-bit integers are not supported (Part 2)
Missed Curl_read64_be() in commit bb12d44471 :(
Daniel Stenberg (16 Jan 2015)
- CURLOPT_SSL_VERIFYSTATUS.3: mention it is added in version 7.41.0
- curlver.h: next release is 7.41.0 due to the changes
- RELEASE-NOTES: mention the new OCSP stapling options, bump version
- opts: add CURLOPT_SSL_VERIFYSTATUS* to docs/Makefile
- help: add --cert-status to --help output
- copyright years: after OCSP stapling changes
- [Alessandro Ghedini brought this change]
curl: add --cert-status option
This enables the CURLOPT_SSL_VERIFYSTATUS functionality.
- [Alessandro Ghedini brought this change]
nss: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.
This requires NSS 3.15 or higher.
- [Alessandro Ghedini brought this change]
gtls: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.
This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use
at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP
response verfication to fail even on valid responses.
- [Alessandro Ghedini brought this change]
url: add CURLOPT_SSL_VERIFYSTATUS option
This option can be used to enable/disable certificate status verification using
the "Certificate Status Request" TLS extension defined in RFC6066 section 8.
This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
certificate status verification fails, and the Curl_ssl_cert_status_request()
function, used to check whether the SSL backend supports the status_request
extension.
- TheArtOfHttpScripting: skip the date at the top, we have git
- TheArtOfHttpScripting: phrase it TLS lib agnostic
Steve Holme (16 Jan 2015)
- TODO: Added some SMB ideas
- RELEASE-NOTES: Synced with 5f09947d28
- build-openssl.bat: Added check for Perl installation
- checksrc.bat: Better detection of Perl installation
- curl_endian: Fixed build when 64-bit integers are not supported
Bug: http://curl.haxx.se/mail/lib-2015-01/0094.html
Reported-by: John E. Malmberg
Daniel Stenberg (15 Jan 2015)
- [Yun SangHo brought this change]
curl.h: remove extra space
- Curl_pretransfer: reset expected transfer sizes
Reported-by: Mohammad AlSaleh
Bug: http://curl.haxx.se/mail/lib-2015-01/0065.html
Marc Hoersken (12 Jan 2015)
- curl_schannel.c: mark session as removed from cache if not freed
If the session is still used by active SSL/TLS connections, it
cannot be closed yet. Thus we mark the session as not being cached
any longer so that the reference counting mechanism in
Curl_schannel_shutdown is used to close and free the session.
Reported-by: Jean-Francois Durand
Steve Holme (9 Jan 2015)
- RELEASE-NOTES: Synced with d21b66835f
Guenter Knauf (9 Jan 2015)
- Merge pull request #134 from vszakats/mingw-m64
add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS
- Merge pull request #136 from vszakats/mingw-allow-custom-cflags
mingw build: allow to pass custom CFLAGS
Daniel Stenberg (9 Jan 2015)
- NSS: fix compiler error when built http2-enabled
Steve Holme (9 Jan 2015)
- gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
Better code reuse and consistency in calls to gss_import_name().
Viktor Szakats (9 Jan 2015)
- mingw build: allow to pass custom CFLAGS
Daniel Stenberg (8 Jan 2015)
- FTP: if EPSV fails on IPV6 connections, bail out
... instead of trying PASV, since PASV can't work with IPv6.
Reported-by: Vojtěch Král
- FTP: fix IPv6 host using link-local address
... and make sure we can connect the data connection to a host name that
is longer than 48 bytes.
Also simplifies the code somewhat by re-using the original host name
more, as it is likely still in the DNS cache.
Original-Patch-by: Vojtěch Král
Bug: http://curl.haxx.se/bug/view.cgi?id=1468
Steve Holme (8 Jan 2015)
- [Sam Schanken brought this change]
winbuild: Added option to build with c-ares
Added support for a WITH_CARES option to be used when invoking nmake
via Makefile.vc. This option enables linking against both the DLL and
static versions of the c-ares libraries, as well as the debug and
release varients, depending on the value of DEBUG. The USE_ARES
preprocessor symbol is also defined.
Guenter Knauf (8 Jan 2015)
- NetWare build: added TLS-SRP enabled build.
Steve Holme (8 Jan 2015)
- sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
Bug: http://curl.haxx.se/bug/view.cgi?id=1469
Reported-by: Thomas Klausner
Viktor Szakats (8 Jan 2015)
- add -m64 clags when targeting mingw64, add -m32/-m64 to LDFLAGS
Daniel Stenberg (8 Jan 2015)
- bump: start working towards 7.40.1
- THANKS: 14 new contributors from the 7.40.0 release notes
compile any longer, see
https://sourceforge.net/p/curl/bugs/1469/
Changes:
Curl and libcurl 7.40.0
Public curl releases: 143
Command line options: 162
curl_easy_setopt() options: 208
Public functions in libcurl: 58
Contributors: 1219
This release includes the following changes:
o http_digest: Added support for Windows SSPI based authentication
o version info: Added Kerberos V5 to the supported features
o Makefile: Added VC targets for WinIDN
o config-win32: Introduce build targets for VS2012+
o SSL: Add PEM format support for public key pinning
o smtp: Added support for the conversion of Unix newlines during mail send [8]
o smb: Added initial support for the SMB/CIFS protocol
o Added support for HTTP over unix domain sockets, via
CURLOPT_UNIX_SOCKET_PATH and --unix-socket
o sasl: Added support for GSS-API based Kerberos V5 authentication
This release includes the following bugfixes:
o darwinssl: fix session ID keys to only reuse identical sessions [18]
o url-parsing: reject CRLFs within URLs [19]
o OS400: Adjust specific support to last release
o THANKS: Remove duplicate names
o url.c: Fixed compilation warning
o ssh: Fixed build on platforms where R_OK is not defined [1]
o tool_strdup.c: include the tool strdup.h
o build: Fixed Visual Studio project file generation of strdup.[c|h]
o curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY [2]
o curl.1: show zone index use in a URL
o mk-ca-bundle.vbs: switch to new certdata.txt url
o Makefile.dist: Added some missing SSPI configurations
o build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
o SSH: use the port number as well for known_known checks [3]
o libssh2: detect features based on version, not configure checks
o http2: Deal with HTTP/2 data inside Upgrade response header buffer [4]
o multi: removed Curl_multi_set_easy_connection
o symbol-scan.pl: do not require autotools
o cmake: add ENABLE_THREADED_RESOLVER, rename ARES
o cmake: build libhostname for test suite
o cmake: fix HAVE_GETHOSTNAME definition
o tests: fix libhostname visibility
o tests: fix memleak in server/resolve.c
o vtls.h: Fixed compiler warning when compiled without SSL
o CMake: Restore order-dependent header checks
o CMake: Restore order-dependent library checks
o tool: Removed krb4 from the supported features
o http2: Don't send Upgrade headers when we already do HTTP/2
o examples: Don't call select() to sleep on windows [6]
o win32: Updated some legacy APIs to use the newer extended versions [5]
o easy.c: Fixed compilation warning when no verbose string support
o connect.c: Fixed compilation warning when no verbose string support
o build: in Makefile.m32 pass -F flag to windres
o build: in Makefile.m32 add -m32 flag for 32bit
o multi: when leaving for timeout, close accordingly
o CMake: Simplify if() conditions on check result variables
o build: in Makefile.m32 try to detect 64bit target
o multi: inform about closed sockets before they are closed
o multi-uv.c: close the file handle after download
o examples: Wait recommended 100ms when no file descriptors are ready
o ntlm: Split the SSPI based messaging code from the native messaging code
o cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
o cmake: add Kerberos to the supported feature
o CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
o http: Disable pipelining for HTTP/2 and upgraded connections
o ntlm: Fixed static'ness of local decode function
o sasl: Reduced the need for two sets of NTLM messaging functions
o multi.c: Fixed compilation warnings when no verbose string support
o select.c: fix compilation for VxWorks [7]
o multi-single.c: switch to use curl_multi_wait
o curl_multi_wait.3: clarify numfds being used if not NULL
o http.c: Fixed compilation warnings from features being disabled
o NSS: enable the CAPATH option [9]
o docs: Fix FAILONERROR typos
o HTTP: don't abort connections with pending Negotiate authentication
o HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
o http_perhapsrewind: don't abort CONNECT requests
o build: updated dependencies in makefiles
o multi.c: Fixed compilation warning
o ftp.c: Fixed compilation warnings when proxy support disabled
o get_url_file_name: Fixed crash on OOM on debug build
o cookie.c: Refactored cleanup code to simplify
o OS400: enable NTLM authentication
o ntlm: Use Windows Crypt API
o http2: avoid logging neg "failure" if h2 was not requested
o schannel_recv: return the correct code [10]
o VC build: added sspi define for winssl-zlib builds
o Curl_client_write(): chop long data, convert data only once
o openldap: do not ignore Curl_client_write() return code
o ldap: check Curl_client_write() return codes
o parsedate.c: Fixed compilation warning
o url.c: Fixed compilation warning when USE_NTLM is not defined
o ntlm_wb_response: fix "statement not reached" [11]
o telnet: fix "cast increases required alignment of target type"
o smtp: Fixed dot stuffing when EOL characters at end of input buffers [12]
o ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
o ntlm: Disable NTLM v2 when 64-bit integers are not supported
o ntlm: Use short integer when decoding 16-bit values
o ftp.c: Fixed compilation warning when no verbose string support
o synctime.c: fixed timeserver URLs
o mk-ca-bundle.pl: restored forced run again
o ntlm: Fixed return code for bad type-2 Target Info
o curl_schannel.c: Data may be available before connection shutdown
o curl_schannel: Improvements to memory re-allocation strategy [13]
o darwinssl: aprintf() to allocate the session key
o tool_util.c: Use GetTickCount64 if it is available
o lib: Fixed multiple code analysis warnings if SAL are available
o tool_binmode.c: Explicitly ignore the return code of setmode
o tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
o opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
o SFTP: work-around servers that return zero size on STAT [14]
o connect: singleipconnect(): properly try other address families after failure
o IPV6: address scope != scope id [15]
o parseurlandfillconn(): fix improper non-numeric scope_id stripping [16]
o secureserver.pl: make OpenSSL CApath and cert absolute path values
o secureserver.pl: update Windows detection and fix path conversion
o secureserver.pl: clean up formatting of config and fix verbose output
o tests: Added Windows support using Cygwin-based OpenSSH
o sockfilt.c: use non-Ex functions that are available before WinXP
o VMS: Updates for 0740-0D1220
o openssl: warn for SRP set if SSLv3 is used, not for TLS version
o openssl: make it compile against openssl 1.1.0-DEV master branch
o openssl: fix SSL/TLS versions in verbose output
o curl: show size of inhibited data when using -v
o build: Removed WIN32 definition from the Visual Studio projects
o build: Removed WIN64 definition from the libcurl Visual Studio projects
o vtls: Use bool for Curl_ssl_getsessionid() return type
o sockfilt.c: Replace 100ms sleep with thread throttle
o sockfilt.c: Reduce the number of individual memory allocations
o vtls: Don't set cert info count until memory allocation is successful
o nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
o nss: Don't ignore Curl_extract_certinfo() OOM failure
o vtls: Fixed compilation warning and an ignored return code
o sockfilt.c: Fixed compilation warnings
o darwinssl: Fixed compilation warning
o vtls: Use '(void) arg' for unused parameters
o sepheaders.c: Fixed resource leak on failure
o lib1900.c: Fixed cppcheck error [17]
o ldap: Fixed Unicode connection details in Win32 initialsation / bind calls
o ldap: Fixed Unicode DN, attributes and filter in Win32 search calls
* SSLv3 is disabled by default
* CURLOPT_COOKIELIST: Added "RELOAD" command [5]
* build: Added WinIDN build configuration options to Visual Studio projects
* ssh: improve key file search
* SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
* vtls: remove QsoSSL support, use gskit!
* mk-ca-bundle: added SHA-384 signature algorithm
* docs: added many examples for libcurl opts and other doc improvements
* build: Added VC ssh2 target to main Makefile
* MinGW: Added support to build with nghttp2
* NetWare: Added support to build with nghttp2
* build: added Watcom support to build with WinSSL
* build: Added optional specific version generation of VC project files
Bugfixes:
* curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds [9]
* openssl: build fix for versions < 0.9.8e [1]
* newlines: fix mixed newlines to LF-only [2]
* ntlm: Fixed HTTP proxy authentication when using Windows SSPI [3]
* sasl_sspi: Fixed Unicode build [4]
* file: reject paths using embedded %00
* threaded-resolver: revert Curl_expire_latest() switch [6]
* configure: allow --with-ca-path with PolarSSL too
* HTTP/2: Fix busy loop when EOF is encountered
* CURLOPT_CAPATH: return failure if set without backend support
* nss: do not fail if a CRL is already cached
* smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
* fixed 20+ nits/memory leaks identified by Coverity scans
* curl_schannel.c: Fixed possible memory or handle leak
* multi-uv.c: call curl_multi_info_read() better
* Cmake: Check for OpenSSL before OpenLDAP
* Cmake: Fix library list provided to cURL tests
* Cmake: Avoid cycle directory dependencies
* Cmake: Build with GSS-API libraries (MIT or Heimdal)
* vtls: provide backend defines for internal source code
* nss: fix a connection failure when FTPS handle is reused
* tests/http_pipe.py: Python 3 support
* cmake: build tool_hugehelp (ENABLE_MANUAL)
* cmake: enable IPv6 by default if available
* tests: move TESTCASES to Makefile.inc, add show for cmake
* ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
* ntlm: Fixed empty/bad base-64 decoded buffer return codes
* ntlm: Fixed empty type-2 decoded message info text
* cmake: add CMake/Macros.cmake to the release tarball
* cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
* cmake: use LIBCURL_VERSION from curlver.h
* cmake: generate pkg-config and curl-config
* fixed several superfluous variable assignements identified by cppcheck
* cleanup of 'CURLcode result' return code
* pipelining: only output "is not blacklisted" in debug builds
* SSL: Remove SSLv3 from SSL default due to POODLE attack
* gskit.c: remove SSLv3 from SSL default
* darwinssl: detect possible future removal of SSLv3 from the framework
* ntlm: Only define ntlm data structure when USE_NTLM is defined
* ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
* ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
* sspi: Only call CompleteAuthToken() when complete is needed
* http_negotiate: Fixed missing check for USE_SPNEGO
* HTTP: return larger than 3 digit response codes too [7]
* openssl: Check for NPN / ALPN via OpenSSL version number
* openssl: enable NPN separately from ALPN
* sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
* sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
* resume: consider a resume from [content-length] to be OK [8]
* sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
* build-openssl.bat: Fix x64 release build
* cmake: drop _BSD_SOURCE macro usage
* cmake: fix gethostby{addr,name}_r in CurlTests
* cmake: clean OtherTests, fixing -Werror
* cmake: fix struct sockaddr_storage check
* Curl_single_getsock: fix hold/pause sock handling
* SSL: PolarSSL default min SSL version TLS 1.0
* cmake: fix ZLIB_INCLUDE_DIRS use [10]
* buildconf: stop checking for libtool
Changes:
bits.close: introduce connection close tracking
darwinssl: Add support for --cacert
polarssl: add ALPN support
docs: Added new option man pages
Bugfixes:
build: Fixed incorrect reference to curl_setup.h in Visual Studio files
build: Use $(TargetDir) and $(TargetName) macros for .pdb and .lib output
curl.1: clarify that -u can't specify a user with colon
openssl: Fix uninitialized variable use in NPN callback
curl_easy_reset: reset the URL
curl_version_info.3: returns a pointer to a static struct
url-parser: only use if_nametoindex if detected by configure
select: with winsock, avoid passing unsupported arguments to select()
gnutls: don't use deprecated type names anymore
gnutls: allow building with nghttp2 but without ALPN support
tests: Fix portability issue with the tftpd server
curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN
curl_sasl: extended native DIGEST-MD5 cnonce to be a 32-byte hex string
random: use Curl_rand() for proper random data
Curl_ossl_init: call OPENSSL_config for initing engines
config-win32.h: Updated for VC12
winbuild: Don't USE_WINSSL when WITH_SSL is being used
getinfo: HTTP CONNECT code not reset between transfers
Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
http2: avoid segfault when using the plain-text http2
conncache: move the connection counter to the cache struct
http2: better return code error checking
curlbuild: fix GCC build on SPARC systems without configure script
tool_metalink: Support polarssl as digest provider
curl.h: reverse the enum/define setup for old symbols
curl.h: moved two really old deprecated symbols
curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
buildconf: do not search tools in current directory.
OS400: make it compilable again. Make RPG binding up to date
nss: do not abort on connection failure (failing tests 305 and 404)
nss: make the fallback to SSLv3 work again
tool: prevent valgrind from reporting possibly lost memory (nss only)
progress callback: skip last callback update on errors
nss: fix a memory leak when CURLOPT_CRLFILE is used
compiler warnings: potentially uninitialized variables
url.c: Fixed memory leak on OOM
gnutls: ignore invalid certificate dates with VERIFYPEER disabled
gnutls: fix SRP support with versions of GnuTLS from 2.99.0
gnutls: fixed a couple of uninitialized variable references
gnutls: fixed compilation against versions < 2.12.0
build: Fixed overridden compiler PDB settings in VC7 to VC12
ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
netrc: don't abort if home dir cannot be found
netrc: fixed thread safety problem by using getpwuid_r if available
cookie: avoid mutex deadlock
configure: respect host tool prefix for krb5-config
gnutls: handle IP address in cert name check
SSL: protocol version can be specified more precisely
imap/pop3/smtp: Added graceful cancellation of SASL authentication
Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
base64: Added validation of base64 input strings when decoding
curl_easy_setopt: Added the ability to set the login options separately
smtp: Added support for additional SMTP commands
curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
nss: allow to use TLS > 1.0 if built against recent NSS
SECURITY: added this document to describe our security processes
parseconfig: warn if unquoted white spaces are detected
Bugfixes:
SECURITY VULNERABILITY: libcurl cert name check ignore with GnuTLS
darwinssl: un-break iOS build after PKCS/12 feature added
tool: use XFERFUNCTION to save some casts
usercertinmem: fix memory leaks
ssh: Handle successful SSH_USERAUTH_NONE
NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
test906: Fixed failing test on some platforms
sasl: initialize NSS before using NTLM crypto
sasl: Fixed memory leak in OAUTH2 message creation
imap/pop3/smtp: Fixed QUIT / LOGOUT being sent when SSL connect fails
cmake: unbreak for non-Windows platforms
ssh: initialize per-handle data in ssh_connect()
glob: fix broken URLs
configure: check for long long when building with cyassl
CURLOPT_RESOLVE: mention they don't time-out
docs/examples/httpput.c: fix build for MSVC
FTP: make the data connection work when going through proxy
NSS: support for CERTINFO feature
curl_multi_wait: accept 0 from multi_timeout() as valid timeout
glob_range: pass the closing bracket for a-z ranges
tool_help: Updated --list-only description to include POP3
Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string
cmake: fix Windows build with IPv6 support
ares: Fixed compilation under Visual Studio 2012
curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation
curl.1: mention that -O does no URL decoding
darwinssl: PKCS/12 import feature now requires Lion or later
darwinssl: check for SSLSetSessionOption() presence when toggling BEAST
configure: Fix test with -Werror=implicit-function-declaration
sigpipe: factor out sigpipe_reset from easy.c
curl_multi_cleanup: ignore SIGPIPE
globbing: curl glob counter mismatch with {} list use
parseconfig: dash options can't specified with colon or equals
digest: fix CURLAUTH_DIGEST_IE
curl.h: for OpenBSD
darwinssl: Fix #if 10.6.0 for SecKeychainSearch
TFTP: fix return codes for connect timeout
login options: remove the ;[options] support from CURLOPT_USERPWD
imap: Fixed incorrect fallback to clear text authentication
parsedate: avoid integer overflow
curl.1: document -J doesn't %-decode
multi: add timer inaccuracy margin to timeout/connecttimeout
* test code for testing the event based API
* CURLM_ADDED_ALREADY: new error code
* test TFTP server: support "writedelay" within
* krb4 support has been removed
* imap/pop3/smtp: added basic SASL XOAUTH2 support
* darwinssl: add support for PKCS12 files for client authentication
* darwinssl: enable BEAST workaround on iOS 7 & later
* Pass password to OpenSSL engine by user interface
* c-ares: Add support for various DNS binding options
* cookies: add expiration
* curl: added --oauth2-bearer option
curl: allow timeouts to accept decimal values
OS400: add slist and certinfo EBCDIC support
OS400: new SSL backend GSKit
CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
LIBCURL-STRUCTS: new document
Bugfixes:
dotdot: introducing dot file path cleanup
docs: fix typo in curl_easy_getinfo manpage
test1230: avoid using hard-wired port number
test1396: invoke the correct test tool
SIGPIPE: ignored while inside the library
darwinssl: fix crash that started happening in Lion
OpenSSL: check for read errors, don't assume
c-ares: improve error message on failed resolve
printf: make sure %x are treated unsigned
formpost: better random boundaries
url: restore the functionality of 'curl -u :'
curl.1: fix typo in --xattr description
digest: improve nonce generation
configure: automake 1.14 compatibility tweak
curl.1: document the --post303 option in the man page
curl.1: document the --sasl-ir option in the man page
setup-vms.h: sk_pop symbol tweak
tool_paramhlp: try harder to catch negatives
cmake: Fix for MSVC2010 project generation
asyn-ares: Don't blank ares servers if none configured
curl_multi_wait: set revents for extra fds
Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup()
ftp_do_more: consider DO_MORE complete when server connects back
curl_easy_perform: gradually increase the delay time
curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
curl: fix upload of a zip file in OpenVMS
build: fix linking on Solaris 10
curl_formadd: CURLFORM_FILECONTENT wrongly rejected some option combos
curl_formadd: fix file upload on VMS
curl_easy_pause: on unpause, trigger mulit-socket handling
md5 & metalink: use better build macros on Apple operating systems
darwinssl: fix build error in crypto authentication under Snow Leopard
curl: make --progress-bar update the line less frequently
configure: don't error out on variable confusions (CFLAGS, LDFLAGS etc)
mk-ca-bundle: skip more untrusted certificates
formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
FTP: when EPSV gets a 229 but fails to connect, retry with PASV
mk-ca-bundle.1: don't install on make install
VMS: lots of updates and fixes of the build procedure
global dns cache: didn't work (regression)
global dns cache: fix memory leak
Changes:
--------
darwinssl: add TLS session resumption
darwinssl: add TLS crypto authentication
imap/pop3/smtp: Added support for ;auth= in the URL
imap/pop3/smtp: Added support for ;auth= to CURLOPT_USERPWD
usercertinmem.c: add example showing user cert in memory
url: Added smtp and pop3 hostnames to the protocol detection list
imap/pop3/smtp: Added support for enabling the SASL initial response
curl -E: allow to use ':' in certificate nicknames
Bugfixes:
---------
SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond
the end of the input buffer [26]
FTP: access files in root dir correctly
configure: try pthread_create without -lpthread
FTP: handle a 230 welcome response
curl-config: don't output static libs when they are disabled
CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
Various documentation updates
getinfo.c: reset timecond when clearing session-info variables
FILE: prevent an artificial timeout event due to stale speed-check data
ftp_state_pasv_resp: connect through proxy also when set by env
sshserver: disable StrictHostKeyChecking
ftpserver: Fixed imap logout confirmation data
curl_easy_init: use less mallocs
smtp: Fixed unknown percentage complete in progress bar
smtp: Fixed sending of double CRLF caused by first in EOB
bindlocal: move brace out of #ifdef
winssl: Fixed invalid memory access during SSL shutdown
OS X framework: fix invalid symbolic link
OpenSSL: allow empty server certificate subject
axtls: prevent memleaks on SSL handshake failures
cookies: only consider full path matches
Revert win32 MemoryTracking: wcsdup() _wcsdup() and _tcsdup()
Curl_cookie_add: handle IPv6 hosts
ossl_send: SSL_write() returning 0 is an error too
ossl_recv: SSL_read() returning 0 is an error too
Digest auth: escape user names with backslash or " in them
curl_formadd.3: fixed wrong "end-marker" syntax
libcurl-tutorial.3: fix incorrect backslash
curl_multi_wait: reduce timeout if the multi handle wants to
tests/Makefile: typo in the perlcheck target
axtls: honor disabled VERIFYHOST
OpenSSL: avoid double free in the PKCS12 certificate code
multi_socket: reduce timeout inaccuracy margin
digest: support auth-int for empty entity body
axtls: now done non-blocking
lib1900: use tutil_tvnow instead of gettimeofday
curl_easy_perform: avoid busy-looping
CURLOPT_COOKIELIST: take cookie share lock
multi_socket: react on socket close immediately
Fixed in 7.30.0 - April 12 2013
Release contains security-related bug fix
Changes:
imap: Changed response tag generation to be completely unique
imap: Added support for SASL-IR extension
imap: Added support for the list command
imap: Added support for the append command
imap: Added custom request parsing
imap: Added support to the fetch command for UID and SECTION properties
imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
darwinssl: Make certificate errors less techy
imap/pop3/smtp: Added support for the STARTTLS capability
checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling
Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control
Bugfixes:
SECURITY ADVISORY: cookie tailmatching to avoid cross-domain leakage
darwinssl: Fix build under Leopard
DONE: consider callback-aborted transfers premature
ntlm: Fixed memory leaks
smtp: Fixed an issue when processing EHLO failure responses
pop3: Fixed incorrect return value from pop3_endofresp()
pop3: Fixed SASL authentication capability detection
pop3: Fixed blocking SSL connect when connecting via POP3S
imap: Fixed memory leak when performing multiple selects
nss: fix misplaced code enabling non-blocking socket mode
AddFormData: prevent only directories from being posted
darwinssl: fix infinite loop if server disconnected abruptly
metalink: fix improbable crash parsing metalink filename
show proper host name on failed resolve
MacOSX-Framework: Make script work in Xcode 4.0 and later
strlcat: remove function
darwinssl: Fix send glitchiness with data > 32 or so KB
polarssl: better 1.1.x and 1.2.x support
various documentation improvements
multi: NULL pointer reference when closing an unused multi handle
SOCKS: fix socks proxy when noproxy matched
install-sh: updated to support multiple source files as arguments
PolarSSL: added human readable error strings
resolver_error: remove wrong error message output
docs: updates HTML index and general improvements
curlbuild.h.dist: enhance non-configure GCC ABI detection logic
sasl: Fixed null pointer reference when decoding empty digest challenge
easy: do not ignore poll() failures other than EINTR
darwinssl: disable ECC ciphers under Mountain Lion by default
CONNECT: count received headers
build: fixes for VMS
CONNECT: clear 'rewindaftersend' on success
HTTP proxy: insert slash in URL if missing
hiperfifo: updated to use current libevent API
getinmemory.c: abort the transfer nicely if not enough memory
improved win32 memorytracking
corrected proxy header response headers count
FTP quote operations on re-used connection
tcpkeepalive on win32
tcpkeepalive on Mac OS X
easy: acknowledge the CURLOPT_MAXCONNECTS option properly
easy interface: restore default MAXCONNECTS to 5
win32: don't set SO_SNDBUF for windows vista or later versions
HTTP: made cookie sort function more deterministic
winssl: Fixed memory leak if connection was not successful
FTP: wait on both connections during active STOR state
connect: treat a failed local bind of an interface as a non-fatal error
darwinssl: disable insecure ciphers by default
FTP: handle "rubbish" in front of directory name in 257 responses
mk-ca-bundle: Fixed lost OpenSSL output with "-t"
This release includes the following changes:
o metalink/md5: Use CommonCrypto on Apple operating systems
o href_extractor: new example code extracting href elements
o NSS can be used for metalink hashing [13]
This release includes the following bugfixes:
o Fix broken libmetalink-aware OpenSSL build
o gnutls: fix the error is fatal logic [1]
o darwinssl: un-broke iOS build, fix error on server disconnect
o asyn-ares: restore functionality with c-ares < 1.6.1 [2]
o tlsauthtype: deal with the string case insensitively [3]
o Fixed MSVC libssh2 static build
o evhiperfifo: fix the pointer passed to WRITEDATA [6]
o BUGS: fix the bug tracker URL [4]
o winbuild: Use machine type of development environment
o FTP: prevent the multi interface from blocking [5]
o uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES
o httpcustomheader.c: free the headers after use
o fix >2000 bytes POST over NTLM-using proxy [7]
o redirects to URLs with fragments [8]
o don't send '#' fragments when using proxy [9]
o OpenSSL: show full issuer string [10]
o fix HTTP auth regression [11]
o CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value [12]
o ftp: EPSV-disable fix over SOCKS [14]
o Digest: Add microseconds into nounce calculation [15]
o SCP/SFTP: improve error code used for send failures
o SSL: Several SSL-backend related fixes
o removed the notorious "additional stuff not fine" debug output
o OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack
o FILE: Make upload-writes unbuffered
o custom memory callbacks failure with HTTP proxy (and more) [16]
o TFTP: handle resends
o autoconf: don't force-disable compiler debug option
o winbuild: Fix PDB file output [17]
o test2032: spurious failure caused by premature termination [18]
o memory leak: CURLOPT_RESOLVE with multi interface [19]
SSH: added agent based authentication
ftp: active conn, allow application to set sockopt after accept() call with CURLSOCKTYPE_ACCEPT
multi: add curl_multi_wait()
metalink: Added support for Microsoft Windows CryptoAPI
md5: Added support for Microsoft Windows CryptoAPI
parse_proxy: treat "socks://x" as a socks4 proxy
socks: Added support for IPv6 connections through SOCKSv5 proxy
Bugfixes:
WSAPoll disabled on Windows builds due to its bugs
segfault on request retries
curl-config: parentheses fix
VC build: add define for openssl
globbing: fix segfault when >9 globs were used
fixed a few clang-analyzer warnings
metalink: change code order to build with gnutls-nettle
gtls: fix build failure by including nettle-specific headers
change preferred HTTP auth on a handle previously used for another auth
file: use fdopen() to avoid race condition
Added DWANT_IDN_PROTOTYPES define for MSVC too
verbose: fixed (nil) output of hostnames in re-used connections
metalink: Un-broke the build when building --with-darwinssl
curl man page cleanup
Avoid leak of local device string when reusing connection
Curl_socket_check: fix return code for timeout
nss: do not print misleading NSS error codes
configure: remove the --enable/disable-nonblocking options
darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions
NTLM: re-use existing connection better
schannel crash on multi and easy handle cleanup
SOCKS: truly disable it if CURL_DISABLE_PROXY is defined
mk-ca-bundle: detect start of trust section better
gnutls: do not fail on non-fatal handshake errors
SMTP: only send SIZE if supported
ftpserver: respond with a 250 to SMTP EHLO
ssh: do not crash if MD5 fingerprint is not provided by libssh2
winbuild: Added support for building with SPNEGO enabled
metalink: Fixed validation of binary files containing EOF
setup.h: fixed for MS VC10 build
cmake: use standard findxxx modules for cmake v2.8+
HTTP_ONLY: disable more protocols
Curl_reconnect_request: clear pointer on failure
https.c example: remember to call curl_global_init()
metalink: Filter resource URLs by type
multi interface: CURLOPT_LOW_SPEED_* fix during rate limitation
curl_schannel: Removed buffer limit and optimized buffer strategy
This release includes the following changes:
o nss: the minimal supported version of NSS bumped to 3.12.x
o nss: human-readable names are now provided for NSS errors if available
o add a manual page for mk-ca-bundle
o added --post303 and the CURL_REDIR_POST_303 option for CURLOPT_POSTREDIR
o smtp: Add support for DIGEST-MD5 authentication
o pop3: Added support for additional pop3 commands
This release includes the following bugfixes:
o nss: libcurl now uses NSS_InitContext() to prevent collisions if available [1]
o URL parse: reject numerical IPv6 addresses outside brackets [4]
o MD5: fix OOM memory leak [5]
o OpenSSL cert: provide more details when cert check fails
o HTTP: empty chunked POST ended up in two zero size chunks [6]
o fixed a regression when curl resolved to multiple addresses and the first
isn't supported [7]
o -# progress meter: avoid superfluous updates and duplicate lines [8]
o headers: surround GCC attribute names with double underscores [9]
o PolarSSL: correct return code for CRL matches
o PolarSSL: include version number in version string
o PolarSSL: add support for asynchronous connect
o mk-ca-bundle: revert the LWP usage [12]
o IPv6 cookie domain: get rid of the first bracket before the second
o connect.c: return changed to CURLE_COULDNT_CONNECT when opensocket fails
o OpenSSL: Made cert hostname check conform to RFC 6125 [10]
o HTTP: reset expected DL/UL sizes on redirects [11]
o CMake: fix Windows LDAP/LDAPS option handling [2]
o CMake: fix MS Visual Studio x64 unsigned long long literal suffix [3]
o configure: update detection logic of getaddrinfo() thread-safeness
o configure: check for gethostbyname in the watt lib
o curl-config.1: fix curl-config usage in example [13]
o smtp: Fixed non-escaping of dot character at beginning of line
o MakefileBuild.vc: use the correct IDN variable
o autoconf: improve handling of versioned symbols
o curl.1: clarify -x usage
o curl: shorten user-agent
o smtp: issue with the multi-interface always sending postdata [14]
o compile error with GnuTLS+Nettle fixed
o winbuild: fix IPv6 enabled build
Fixed in 7.24.0 - January 24 2012
Release contains security-related bug fix
Changes:
* CURLOPT_QUOTE: SFTP supports the '*'-prefix now
* CURLOPT_DNS_SERVERS: set name servers if possible
* Add support for using nettle instead of gcrypt as gnutls backend
* CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes
* Added CURLOPT_ACCEPTTIMEOUT_MS
* configure: add symbols versioning option --enable-versioned-symbols
Bugfixes:
* curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036
* curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
* SSL session share: move the age counter to the share object
* -J -O: use -O name if no Content-Disposition header comes!
* protocol_connect: show verbose connect and set connect time
* query-part: ignore the URI part for given protocols
* gnutls: only translate winsock errors for old versions
* POP3: fix end of body detection
* POP3: detect when LIST returns no mails
* TELNET: improved treatment of options
* configure: add support for pkg-config detection of libidn
* CyaSSL 2.0+ library initialization adjustment
* multi interface: only use non-NULL socker function pointer
* call opensocket callback properly for active FTP
* don't call close socket callback for sockets created with accept()
* differentiate better between host/proxy errors
* SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5
* multi: handle timeouts on DNS servers by checking for new sockets
* CURLOPT_DNS_SERVERS: fix return code
* POP3: fixed escaped dot not being stripped out
* OpenSSL: check for the SSLv2 function in configure
* MakefileBuild: fix the static build
* create_conn: don't switch to HTTP protocol if tunneling is enabled
* multi interface: fix block when CONNECT_ONLY option is used
* Fix connection reuse for TLS upgraded connections
* multiple file upload with -F and custom type
* multi interface: active FTP connections are no longer blocking
* Android build fix
* timer: restore PRETRANSFER timing
* libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM
* appconnect time fixed for non-blocking connect ssl backends
* do not include SSL handshake into time spent waiting for 100-continue
* handle dns cache case insensitive
* use new host name casing for subsequent HTTP requests
* CURLOPT_RESOLVE: avoid adding already present host names
* SFTP mkdir: use correct permission
* resolve: don't leak pre-populated dns entries
* --retry: Retry transfers on timeout and DNS errors
* negotiate with SSPI backend: use the correct buffer for input
* SFTP dir: increase buffer size counter to avoid cut off file names
* TFTP: fix resending (again)
* c-ares: don't include getaddrinfo-using code
* FTP: CURLE_PARTIAL_FILE will not close the control channel
* win32-threaded-resolver: stop using a dummy socket
* OpenSSL: remove reference to openssl internal struct
* OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled
* OpenSSL: fix PKCS#12 certificate parsing related memory leak
* OpenLDAP: fix LDAP connection phase memory leak
* Telnet: Use correct file descriptor for telnet upload
* Telnet: Remove bogus optimisation of telnet upload
* URL parse: user name with ipv6 numerical address
* polarssl: show cipher suite name correctly with 1.1.0
* polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be
insecure
* gnutls: enforced use of SSLv3
Fixed in 7.23.1 - November 17 2011
Bugfixes:
Windows: curl would fail if it found no CA cert, unless -k was used. Even if a non-SSL protocol URL was used
Fixed in 7.23.0 - November 15 2011
Changes:
Empty headers can be sent in HTTP requests by terminating with a semicolon
SSL session sharing support added to curl_share_setopt()
Added support to MAIL FROM for the optional SIZE parameter
smtp: Added support for NTLM authentication
curl tool: code split into tool_*.[ch] files
Bugfixes:
handle HTTP redirects to "//hostname/path"
SMTP without --mail-from caused segfault
prevent extra progress meter headers between multiple files
allow Content-Length to be replaced when sending HTTP requests
curl now always sets postfieldsize to allow --data-binary and --data to be mixed in the same command line
curl_multi_fdset: avoid FD_SET out of bounds
lots of MinGW build tweaks
Curl_gethostname: return un-qualified machine name
fixed the openssl version number configure check
nss: certificates from files are no longer looked up by file base names
returning abort from the progress function when using the multi interface would not properly cancel the transfer and close the connection
fix libcurl.m4 to not fail with modern gcc versions
ftp: improved the failed PORT host name resolved error message
TFTP timeout and unexpected block adjustments
HTTP and GOPHER test server-side connection closing adjustments
fix endless loop upon transport connection timeout
don't clobber errno on failed connect
typecheck: allow NULL to unset CURLOPT_ERRORBUFFER
formdata: ack read callback abort
make --show-error properly position independent
set the ipv6-connection boolean correctly on connect
SMTP: fix end-of-body string escaping
gtls: only call gnutls_transport_set_lowat with HTTP: handle multiple auths in a single WWW-Authenticate line
curl_multi_fdset: correct fdset with FTP PORT use
windbuild: fix the static build
fix builds with GnuTLS version 3
fix calling of OpenSSL's ERR_remove_state(0)
HTTP auth: fix proxy Negotiate bug when Negotiate not requested
ftp PORT: don't hang if bind() fails
-# would crash on terminals wider than 256 columns
Fixed in 7.22.0 - September 13 2011
Changes:
Added CURLOPT_GSSAPI_DELEGATION
Added support for NTLM delegation to Samba's winbind daemon helper ntlm_auth
Display notes from setup file in testcurl.pl
BSD-style lwIP TCP/IP stack experimental support on Windows
OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available
--delegation was added to set CURLOPT_GSSAPI_DELEGATION
nss: start with no database if the selected database is broken
telnet: allow programatic use on Windows
Bugfixes:
curl_getdate: detect some illegal dates better
when sending a request and an error is received before the (entire) request body is sent, stop sending the request and close the connection after having received the entire response. This is equally true if an Expect: 100-continue header was used.
When using both -J and a single -O with multiple URLs, a missing init could cause a segfault
-J fixed for escaped quotes
-J fixed for file names with semicolons
progress: reset flags at transfer start to avoid wrong CURLINFO_CONTENT_LENGTH_DOWNLOAD
curl_gssapi: Guard files with HAVE_GSSAPI and rename private header
silence picky compilers: mark unused parameters
help output: more gnu like output
libtests: stop checking for CURLM_CALL_MULTI_PERFORM
setting a non-HTTP proxy with an environment variable or with CURLOPT_PROXY / --proxy (without specifying CURLOPT_PROXYTYPE) would still make it do proxy-like HTTP requests
CURLFORM_BUFFER: insert filename as documented (regression)
SOCKS: fix the connect timeout
ftp_doing: bail out on error properly while multi interfacing
improved Content-Encoded decoding error message
asyn-thread: check for dotted addresses before thread starts
cmake: find winsock when building on windows
Curl_retry_request: check return code
cookies: handle 'secure=' as if it was 'secure'
tests: break busy loops in tests 502, 555, and 573
FTP: fix proxy connect race condition with multi interface and SOCKS proxy
RTSP: GET_PARAMETER requests have a body
fixed several memory leaks in OOM situations
bad expire(0) caused multi_socket API to hang
Avoid ftruncate() static define with mingw64
mk-ca-bundle.pl: ignore untrusted certs
builds with PolarSSL 1.0.0
This release includes the following changes:
o recognize the [protocol]:// prefix in proxy hosts where the protocol is one
of socks4, socks4a, socks5 or socks5h.
o Added CURLOPT_CLOSESOCKETFUNCTION and CURLOPT_CLOSESOCKETDATA
This release includes the following bugfixes:
o SECURITY ADVISORY: inappropriate GSSAPI delegation. Full details at
http://curl.haxx.se/docs/adv_20110623.html
o NTLM: work with unicode
o fix connect with SOCKS proxy when using the multi interface
o anyauthput.c: stdint.h must not be included unconditionally
o CMake: improved build
o SCP/SFTP enable non-blocking earlier
o GnuTLS handshake: fix timeout
o cyassl: build without filesystem
o HTTPS over HTTP proxy using the multi interface
o speedcheck: invalid timeout event on a reused handle
o Force connection close for HTTP 200 OK when time condition matched
o curl_formget: fix FILE * leak
o configure: improved OpenSSL detection
o Android build: support gingerbread
o CURLFORM_STREAM: acknowledge CURLFORM_FILENAME
o windows build: use correct MS CRT
o pop3: remove extra space in LIST command
This release includes the following changes:
o CURLINFO_FTP_ENTRY_PATH now supports SFTP
o introduced new framework for unit-testing
o IDN: use win32 API if told to
o ares: ask for both IPv4 and IPv6 addresses
o HTTP: do Negotiate authentication using SSPI on windows
o Windows build: alternative makefile
o TLS-SRP: support added when using GnuTLS
This release includes the following bugfixes:
o SMTP: add brackets for MAIL FROM
o ossl_seed: no more RAND_screen (on Windows)
o multi: connect fail => use next IP address
o use the timeout when using multiple IP addresses similar to how
the easy interface does it
o cookies: tricked dotcounter fixed
o pubkey_show: allocate buffer to fit any-size result
o Curl_nss_connect: avoid PATH_MAX
o Curl_do: avoid using stale conn pointer
o tftpd test server: avoid buffer overflow report from glibc
o nss: avoid CURLE_OUT_OF_MEMORY given a file name without any slash
o nss: fix a bug in handling of CURLOPT_CAPATH
o CMake: Use upstream CheckTypeSize module
o OpenSSL get_cert_chain: support larger data sets
o SCP/SFTP transfers: acknowledge speedcheck
o GnuTLS builds: fix memory leak
o connect problem: use UDP correctly
o Borland C++ makefile tweaks
o OpenSSL: improved error message on SSL_CTX_new failures
o HTTP: memory leak on multiple Location:
o ares_query_completed_cb: don't touch invalid data
o ares: memory leak fix
o mk-ca-bundle: use new cacert url
o Curl_gmtime: added a portable gmtime and check for NULL
o curl.1: typo in -v description
o CURLOPT_SOCKOPTFUNCTION: return proper error code
o --keepalive-time: warn if not supported properly
o file: add support for CURLOPT_TIMECONDITION
o nss: avoid memory leaks and failure of NSS shutdown
o multi: fix CURLM_STATE_TOOFAST for multi_socket
leot
wiz
adam
maya
prlw1
spz
jperkin
obache
asau