7.76.1
Bugfixes:
configure: disable min version set for Darwin
configure: include <time.h> unconditionally
configure: remove use of RETSIGTYPE
docs/HTTP3.md: update the build instruction using gnutls
examples/hiperfifo.c: check event_initialized before delete
file: support GETing directories again
github/workflow: add "security-extended" to codeql-analysis.yml
h2: allow 100 streams by default
hostip: fix builds that disable all asynchronous DNS
http_proxy: only loop on 407 + close if we have credentials
install: add instructions for Apple Darwin platforms
lib: remove unused HAVE_INET_NTOA_R* defines
libssh: get rid of PATH_MAX
ngtcp2+gnutls: clear credentials when freed
ngtcp2: Use ALPN h3-29 for now
ntlm: fix negotiated flags usage
ntlm: support version 2 on 32-bit platforms
openssl: fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
TLS: fix HTTP/2 selection
tool_progress: fix progress meter final update in parallel mode
typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
Changes:
7.76.0
======
This release includes the following changes:
o cookies: Support multiple -b parameters
o curl: add --fail-with-body
o doh: add options to disable ssl verification
o http: add support to read and store the referrer header
o sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
o vtls: initial implementation of rustls backend
This release includes the following bugfixes:
o CVE-2021-22876: strip credentials from the auto-referer header field
o CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
o asyn-ares: use consistent resolve error message
o BUG-BOUNTY: removed the cooperation mention
o build: delete unused feature guards
o build: fix --disable-dateparse
o build: fix --disable-http-auth
o build: remove all traces of USE_BLOCKING_SOCKETS
o c-hyper: Remove superfluous pointer check
o c-hyper: support automatic content-encoding
o CI/azure: disable test 433 on azure-ubuntu
o CI/azure: replace python-impacket with python3-impacket
o ci: stop building on freebsd-12-1
o cmake: fix import library name for non-MS compiler on Windows
o cmake: use CMAKE_INSTALL_INCLUDEDIR indirection
o cmake: support WinIDN
o config: fix building SMB with configure using Win32 Crypto
o config: fix detection of restricted Windows App environment
o configure: fail if --with-quiche is used and quiche isn't found
o configure: make AC_TRY_* into AC_*_IFELSE
o configure: make hyper opt-in, and fail if missing
o configure: only add OpenSSL paths if they are defined
o configure: provide Largefile feature for curl-config
o configure: remove use of deprecated macros
o configure: s/AC_HELP_STRING/AS_HELP_STRING
o cookies: Fix potential NULL pointer deref with PSL
o curl: set CURLOPT_NEW_FILE_PERMS if requested
o curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
o curl_multibyte: always return a heap-allocated copy of string
o curl_multibyte: fall back to local code page stat/access on Windows
o Curl_timeleft: check both timeouts during connect
o curl_url_set.3: mention CURLU_PATH_AS_IS
o CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent
o docs/HTTP2: remove the outdated remark about multiplexing for the tool
o docs/Makefile.inc: format to be update-friendly
o docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions
o docs: add missing Arg tag to --stderr
o docs: Add SSL backend names to CURL_SSL_BACKEND
o docs: clarify timeouts for queued transfers in multi API
o docs: Explain DOH transfers inherit some SSL settings
o docs: fix FILE example url in --metalink documentation
o docs: make gen.pl support *italic* and **bold**
o doh: Fix sharing user's resolve list with DOH handles
o doh: Inherit CURLOPT_STDERR from user's easy handle
o dynbuf: bump the max HTTP request to 1MB
o examples: Remove threaded-shared-conn.c due to bug
o file: Support unicode urls on windows
o ftp: add 'list_only' to the transfer state struct
o ftp: add 'prefer_ascii' to the transfer state struct
o FTP: allow SIZE to fail when doing (resumed) upload
o ftp: avoid SIZE when asking for a TYPE A file
o ftp: fix Codacy/cppcheck warning about null pointer arithmetic
o ftp: fix memory leak in ftp_done
o ftp: never set data->set.ftp_append outside setopt
o gen.pl: quote "bare" minuses in the nroff curl.1
o github: add torture-ftp for FTP-only torture testing
o gnutls: assume nettle crypto support
o gskit: correct the gskit_send() prototype
o hostip: fix build with sync resolver
o hostip: fix crash in sync resolver builds that use DOH
o hsts: remove unused defines
o http2: don't set KEEP_SEND when there's no more data to be sent
o http2: fail if connection terminated without END_STREAM
o http: cap body data amount during send speed limiting
o http: do not add a referrer header with empty value
o http: make 416 not fail with resume + CURLOPT_FAILONERRROR
o http: remove superfluous NULL assign
o http: strip default port from URL sent to proxy
o http: use credentials from transfer, not connection
o ldap: use correct memory free function
o lib1536: check ptr against NULL before dereferencing it
o lib1537: check ptr against NULL before dereferencing it
o lib: remove 'conn->data' completely
o libssh2: kdb_callback: get the right struct pointer
o libssh2:ssh_connect: clear session pointer after free
o memdebug: close debug logfile explicitly on exit
o mingw: enable using strcasecmp()
o multi: close the connection when h2=>h1 downgrading
o multi: do once-per-transfer inits in before_perform in DID state
o multi: rename the multi transfer states
o multi: update pending list when removing handle
o ngtcp2: adapt to the new recv_datagram callback
o ngtcp2: clarify calculation precedence
o ngtcp2: Fix build error due to change in ngtcp2_addr_init
o ngtcp2: sync with recent API updates
o openldap: avoid NULL pointer dereferences
o openssl: adapt to v3's new const for a few API calls
o openssl: ensure to check SSL_CTX_set_alpn_protos return values
o openssl: remove get_ssl_version_txt in favor of SSL_get_version
o openssl: set the transfer pointer for logging early
o OS400: update for CURLOPT_AWS_SIGV4
o parse_proxy: fix a memory leak in the OOM path
o pathhelp.pm: fix use of pwd -L in Msys environment
o projects: Update VS projects for OpenSSL 1.1.x
o quiche: fix build error: use 'int' for port number
o quiche: fix crash when failing to connect
o retry-all-errors.d: Explain curl errors versus HTTP response errors
o retry.d: Clarify transient 5xx HTTP response codes
o runtests.pl: add %TESTNUMBER variable to make copying tests more convenient
o runtests.pl: add a -P option to specify an external proxy
o runtests.pl: kill processes locking test log files
o setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
o test1188: change error to check for: --fail HTTP status
o test220/314: adjust to run with Hyper
o test304: header CRLF cleanup to work with Hyper
o test306: make it not run with Hyper
o tests: disable .curlrc in more environments
o tests: use %TESTNUMBER instead of fixed number
o tftp: remove the 3600 second default timeout
o time: enable 64-bit time_t in supported mingw environments
o tool_help: add missing argument for --create-file-mode
o tool_help: Increase space between option and description
o tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
o travis: add a rustls build
o travis: bump wolfssl to 4.7.0
o travis: only build wolfssl when needed
o travis: split "torture" into a separate "events" build
o travis: switch ngtcp2 build over to quictls
o travis: use ubuntu nghttp2 package instead of build our own
o url.c: use consistent error message for failed resolve
o url: fix memory leak if OOM in the HSTS handling
o url: fix possible use-after-free in default protocol
o urldata: don't touch data->set.httpversion at run-time
o urldata: fix build without HTTP and MQTT
o urldata: make 'actions[]' use unsigned char instead of int
o urldata: merge "struct DynamicStatic" into "struct UrlState"
o urldata: remove the 'rtspversion' field
o urldata: remove the _ORIG suffix from string names
o version.d: Add missing features to the features list
o wolfssl: don't store a NULL sessionid
Rather than letting openssl perform default validation, curl passes in
an explicit request to... use the certificates in the default
location. In cases where SSLCERTBUNDLE is defined (because the system
uses a bundle instead of the traditonal directory of trust anchors),
pass that to curl's configure.
As proposed on tech-pkg by Thomas Orgis, without objections.
Changes:
curl: add --create-file-mode [mode]
curl: add new variables to --write-out
dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
gopher: implement secure gopher protocol
http: add Hyper as new optional HTTP backend
http: introduce AWS HTTP v4 Signature support
Bugfixes:
badsymbols.pl: add verbose mode -v
badsymbols.pl: ignore stand-alone single hash lines
BUG-BOUNTY: minor language updates
build: fix djgpp builds
cleanup: fix empty expression statement has no effect
cmake: Add an option to disable libidn2
cmake: enable gophers correctly in curl-config
cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
cmdline-opts/gen.pl: return hard on errors
cmdline-opts/retry.d: mention response code 429 as well
configure: set -Wextra-semi-stmt for clang with --enable-debug
connect: defer port selection until connect() time
connect: mark intentional ignores of setsockopt return values
connect: on linux, enable reporting of all ICMP errors on UDP sockets
connect: zero variable on stack to silence valgrind complaint
cookie: avoid the C1001 internal compiler error with MSVC 14
curl.1: fix typo microsft -> microsoft
curl: fix handling of -q option
curl: include the file name in --xattr/--remote-time error msgs
curl: move fprintf outputs to warnf
Curl_chunker: shrink the struct
curl_easy_pause.3: add multiplexed pause effects
CURLINFO_PRETRANSFER_TIME.3: clarify
CURLOPT_URL.3: remove scheme specific details
digest_sspi: Show InitializeSecurityContext errors in verbose mode
docs/examples: adjust prototypes for CURLOPT_READFUNCTION
docs/URL-SYNTAX: the URL syntax curl accepts and works with
docs: enable syntax highlighting in several docs files
docs: fix line length bug in gen.pl
docs: fix typos in NEW-PROTOCOL.md
docs: fix wrong documentation in help.d
docs: remove redundant "better" in --fail help
doh: allocate state struct on demand
examples/libtest: add .checksrc to dist
examples: remove superfluous asterisk uses
failf: remove newline from formatting strings
file: don't provide content-length for directories
getinfo: build with disabled HTTP support
gitattributes: Set batch files to CRLF line endings on checkout
h2: do not wait for RECV on paused transfers
HISTORY: added dates to early history
http: empty reply connection are not left intact
http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
http: have CURLOPT_FAILONERROR fail after all headers
http: make providing Proxy-Connection header not cause duplicated headers
http: show the request as headers even when split-sending
http_chunks: correct and clarify a comment on hexnumber length
http_proxy: Fix CONNECT chunked encoding race condition
httpauth: make multi-request auth work with custom port
INSTALL: now at 85 operating systems
INSTALL: update the list known OSes and CPU archs curl has run on
lib/unit tests: add missing curl_global_cleanup() calls
lib1564/5: verify that curl_multi_wakeup returns OK
lib: pass in 'struct Curl_easy *' to most functions
lib: remove Curl_ prefix from many static functions
lib: save a bit of space with some structure packing
libssh2: fix "Value stored to 'readdir_len' is never read"
libssh2: move data from connection object to transfer object
libssh: avoid plain free() of libssh-memory
mime: make sure setting MIMEPOST to NULL resets properly
misc: assorted typo fixes
misc: fix "warning: empty expression statement has no effect"
misc: fix typos
mk-ca-bundle.pl: deterministic output when using -t
mqtt: deal with 0 byte reads correctly
mqtt: handle POST/PUBLISH without a set POSTFIELDSIZE
multi: set the PRETRANSFER time-stamp when we switch to PERFORM
multi: skip DONE state if there's no connection left for ftp wildcard
multi: when erroring in TOOFAST state, act as for PERFORM
multi_runsingle: bail out early on data->conn == NULL
ngtcp2: Fix http3 upload stall
ngtcp2: Fix stack buffer overflow
ngtcp2: make it build it current master again
nss: get the run-time version instead of build-time
openssl: lowercase the hostname before using it for SNI
OS400: update ccsidcurl.c
pretransfer: setup the User-Agent header here
quiche: remove fprintf() leftover
Revert "CI/github: work-around for brew breakage on macOS"
runtests: add 'wakeup' as a feature
runtests: add support for %if [feature] conditions
runtests: preprocess DISABLED to allow conditionals
schannel: plug a memory-leak
schannel_verify: fix safefree call typo
select: convert Curl_select() to private static function
socks: use the download buffer instead
speedcheck: exclude paused transfers
strerror: skip errnum >= 0 assertion on windows
test1522: add debug tracing
test1633: set appropriate name
test179: use consistent header line endings
test410: verify HTTPS GET with a 49K request header
tests/mqttd: extract the client id from the correct offset
tests: make --libcurl tests only test FTP options if ftp enabled
tool_doswin: Restore original console settings on CTRL signal
tool_operate: fix the suppression logic of some error messages
tool_operate: spellfix a comment
tooĺ_writeout: fix the -w time output units
transfer: fix GCC 10 warning with flag '-Wint-in-bool-context'
travis: build ngtcp2 --with-gnutls
travis: limit the tests with quiche builds to HTTPS and FTPS only
travis: restrict the openssl3 job to only run https and ftps tests
url: if IDNA conversion fails, fallback to Transitional
urldata: make magic be the first struct field
urldata: remove 'local_ip' from the connectdata struct
urldata: remove duplicate 'upkeep_interval_ms' from connectdata
urldata: remove duplicate port number storage
urldata: remove the duplicate 'ip_addr_str' field
urldata: store ip version in a single byte
vtls: remove md5sum
warnless: remove curlx_ultosi
wolfssl: add SECURE_RENEGOTIATION support
wolfssl: Support wolfSSL builds missing TLS 1.1
curl and libcurl 7.74.0
This release includes the following changes:
o hsts: add experimental support for Strict-Transport-Security
This release includes the following bugfixes:
o CVE-2020-8286: Inferior OCSP verification
o CVE-2020-8285: FTP wildcard stack overflow
o CVE-2020-8284: trusting FTP PASV responses
o acinclude: detect manually set minimum macos/ipod version
o alt-svc: enable (in the build) by default
o alt-svc: minimize variable scope and avoid "DEAD_STORE"
o asyn: use 'struct thread_data *' instead of 'void *'
o checksrc: warn on empty line before open brace
o CI/appveyor: disable test 571 in two cmake builds
o CI/azure: improve on flakiness by avoiding libtool wrappers
o CI/tests: enable test target on TravisCI for CMake builds
o CI/travis: add brotli and zstd to the libssh2 build
o cirrus: build with FreeBSD 12.2 in CirrusCI
o cmake: call the feature unixsockets without dash
o cmake: check for linux/tcp.h
o cmake: correctly handle linker flags for static libs
o cmake: don't pass -fvisibility=hidden to clang-cl on Windows
o cmake: don't use reserved target name 'test'
o cmake: make BUILD_TESTING dependent option
o cmake: make CURL_ZLIB a tri-state variable
o cmake: set the unicode feature in curl-config on Windows
o cmake: store IDN2 information in curl_config.h
o cmake: use libcurl.rc in all Windows builds
o configure: pass -pthread to Libs.private for pkg-config
o configure: use pkgconfig to find openSSL when cross-compiling
o connect: repair build without ipv6 availability
o curl.1: add an "OUTPUT" section at the top of the manpage
o curl.se: new home
o curl: add compatibility for Amiga and GCC 6.5
o curl: only warn not fail, if not finding the home dir
o curl_easy_escape: limit output string length to 3 * max input
o Curl_pgrsStartNow: init speed limit time stamps at start
o curl_setup: USE_RESOLVE_ON_IPS is for Apple native resolver use
o curl_url_set.3: fix typo in the RETURN VALUE section
o CURLOPT_DNS_USE_GLOBAL_CACHE.3: fix typo
o CURLOPT_HSTS.3: document the file format
o CURLOPT_NOBODY.3: fix typo
o CURLOPT_TCP_NODELAY.3: fix comment in example code
o CURLOPT_URL.3: clarify SCP/SFTP URLs are for uploads as well
o docs: document the 8MB input string limit
o docs: fix typos and markup in ETag manpage sections
o docs: Fix various typos in documentation
o examples/httpput: remove use of CURLOPT_PUT
o FAQ: refreshed
o file: avoid duplicated code sequence
o ftp: retry getpeername for FTP with TCP_FASTOPEN
o gnutls: fix memory leaks (certfields memory wasn't released)
o header.d: mention the "Transfer-Encoding: chunked" handling
o HISTORY: the new domain
o http3: fix two build errors, silence warnings
o http3: use the master branch of GnuTLS for testing
o http: pass correct header size to debug callback for chunked post
o http_proxy: use enum with state names for 'keepon'
o httpput-postfields.c: new example doing PUT with POSTFIELDS
o infof/failf calls: fix format specifiers
o libssh2: fix build with disabled proxy support
o libssh2: fix transport over HTTPS proxy
o libssh2: require version 1.0 or later
o Makefile.m32: add support for HTTP/3 via ngtcp2+nghttp3
o Makefile.m32: add support for UNICODE builds
o mqttd: fclose test file when done
o NEW-PROTOCOL: document what needs to be done to add one
o ngtcp2: adapt to recent nghttp3 updates
o ngtcp2: advertise h3 ALPN unconditionally
o ngtcp2: Fix build error due to symbol name change
o ngtcp2: use the minimal version of QUIC supported by ngtcp2
o ntlm: avoid malloc(0) on zero length user and domain
o openssl: acknowledge SRP disabling in configure properly
o openssl: free mem_buf in error path
o openssl: guard against OOM on context creation
o openssl: use OPENSSL_init_ssl() with >= 1.1.0
o os400: Sync libcurl API options
o packages/OS400: make the source code-style compliant
o quiche: close the connection
o quiche: remove 'static' from local buffer
o range.d: clarify that curl will not parse multipart responses
o range.d: fix typo
o Revert "multi: implement wait using winsock events"
o rtsp: error out on empty Session ID, unified the code
o rtsp: fixed Session ID comparison to refuse prefix
o rtsp: fixed the RTST Session ID mismatch in test 570
o runtests: return error if no tests ran
o runtests: revert the mistaken edit of $CURL
o runtests: show keywords when no tests ran
o scripts/completion.pl: parse all opts
o socks: check for DNS entries with the right port number
o src/tool_filetime: disable -Wformat on mingw for this file
o strerror: use 'const' as the string should never be modified
o test122[12]: remove these two tests
o test506: make it not run in c-ares builds
o tests/*server.py: close log file after each log line
o tests/server/tftpd.c: close upload file right after transfer
o tests/util.py: fix compatibility with Python 2
o tests: add missing global_init/cleanup calls
o tests: fix some http/2 tests for older versions of nghttpx
o tool_debug_cb: do not assume zero-terminated data
o tool_help: make "output" description less confusing
o tool_operate: --retry for HTTP 408 responses too
o tool_operate: bail out proper on errors during parallel transfers
o tool_operate: fix compiler warning when --libcurl is disabled
o tool_writeout: use off_t getinfo-types instead of doubles
o travis: use ninja-build for CMake builds
o travis: use valgrind when running tests for debug builds
o urlapi: don't accept blank port number field without scheme
o urlapi: URL encode a '+' in the query part
o urldata: remove 'void *protop' and create the union 'p'
o vquic/ngtcp2.h: define local_addr as sockaddr_storage
curl and libcurl 7.73.0
Public curl releases: 195
Command line options: 234
curl_easy_setopt() options: 278
Public functions in libcurl: 85
Contributors: 2270
This release includes the following changes:
o curl: add --output-dir [25]
o curl: support XDG_CONFIG_HOME to find .curlrc [3]
o curl: update --help with categories [77]
o curl_easy_option_*: new API for meta-data about easy options [40]
o CURLE_PROXY: new error code [7]
o mqtt: enable by default [28]
o sftp: add new quote commands 'atime' and 'mtime' [6]
o ssh: add the option CURLKHSTAT_FINE_REPLACE [27]
o tls: add CURLOPT_SSL_EC_CURVES and --curves [29]
This release includes the following bugfixes:
o altsvc: clone setting in curl_easy_duphandle [60]
o base64: also build for smtp, pop3 and imap [81]
o BUGS: convert document to markdown [107]
o build-wolfssl: fix build with Visual Studio 2019 [114]
o buildconf: invoke 'autoreconf -fi' instead [37]
o checksrc: detect // comments on column 0 [132]
o checksrc: verify do-while and spaces between the braces [2]
o checksrc: warn on space after exclamation mark [129]
o CI/azure: disable test 571 in the msys2 builds [93]
o CI/azure: MQTT is now enabled by default [64]
o CI/azure: no longer ignore results of test 1013 [43]
o CI/tests: fix invocation of tests for CMake builds [117]
o CI/travis: add a CI job with openssl3 (from git master) [51]
o cleanups: avoid curl_ on local variables [53]
o CMake: add option to enable Unicode on Windows [48]
o cmake: make HTTP_ONLY also disable MQTT [58]
o CMake: remove explicit `CMAKE_ANSI_CFLAGS` [45]
o cmake: remove scary warning [96]
o cmdline-opts/gen.pl: generate nicer "See Also" in curl.1 [66]
o configure: don't say HTTPS-proxy is enabled when disabled [120]
o configure: fix pkg-config detecting wolfssl [26]
o configure: let --enable-debug set -Wenum-conversion with gcc >= 10 [56]
o conn: check for connection being dead before reuse [39]
o connect.c: remove superfluous 'else' in Curl_getconnectinfo [42]
o curl.1: add see also no-progress-meter on two spots [67]
o curl.1: fix typo invokved -> invoked [36]
o curl: in retry output don't call all problems "transient" [74]
o curl: make --libcurl show binary posts correctly [130]
o curl: make checkpasswd use dynbuf [100]
o curl: make file2memory use dynbuf [102]
o curl: make file2string use dynbuf [103]
o curl: make glob_match_url use dynbuf [101]
o curl: make sure setopt CURLOPT_IPRESOLVE passes on a long [134]
o curl: retry delays in parallel mode no longer sleeps blocking [70]
o curl: use curlx_dynbuf for realloc when loading config files [73]
o curl:parallel_transfers: make sure retry readds the transfer [71]
o curl_get_line: build only if cookies or alt-svc are enabled [13]
o curl_mime_headers.3: fix the example's use of curl_slist_append [83]
o Curl_pgrsTime - return new time to avoid timeout integer overflow [32]
o Curl_send: return error when pre_receive_plain can't malloc [111]
o dist: add missing CMake Find modules to the distribution [14]
o docs/LICENSE-MIXING: remove [79]
o docs/opts: fix typos in two manual pages [119]
o docs/RESOURCES: remove [105]
o docs/TheArtOfHttpScripting: convert to markdown [106]
o docs: add description about CI platforms to CONTRIBUTE.md [44]
o docs: correct non-existing macros in man pages [35]
o doh: add error message for DOH_DNS_NAME_TOO_LONG [17]
o dynbuf: make sure Curl_dyn_tail() zero terminates [78]
o easy_reset: clear retry counter [82]
o easygetopt: pass a valid enum to avoid compiler warning [75]
o etag: save and use the full received contents [4]
o ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND [99]
o ftp: avoid risk of reading uninitialized integers [76]
o ftp: get rid of the PPSENDF macro [85]
o ftp: make a 552 response return CURLE_REMOTE_DISK_FULL [87]
o ftp: separate FTPS from FTP over "HTTPS proxy" [112]
o git: ignore libtests in 3XXX area [16]
o github: use new issue template feature [88]
o HISTORY: mention alt-svc added in 2019
o HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29 [41]
o http: consolidate nghttp2_session_mem_recv() call paths [80]
o http_proxy: do not count proxy headers in the header bytecount [90]
o http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set [50]
o imap: make imap_send use dynbuf for the send buffer management [110]
o imap: set cselect_bits to CURL_CSELECT_IN initially [104]
o ldap: reduce the amount of #ifdefs needed [124]
o lib/Makefile.am: bump VERSIONINFO due to new functions [65]
o lib1560: verify "redirect" to double-slash leading URL [20]
o lib583: fix enum mixup
o lib: fix -Wassign-enum warnings [84]
o lib: make Curl_gethostname accept a const pointer [38]
o libssh2: handle the SSH protocols done over HTTPS proxy [125]
o libssh2: pass on the error from ssh_force_knownhost_key_type [47]
o Makefile.m32: add ability to override zstd libs [ci skip] [10]
o man pages: switch to https://example.com URLs [86]
o MANUAL: update examples to resolve without redirects [122]
o mbedtls: add missing header when defining MBEDTLS_DEBUG [133]
o memdebug: remove 9 year old unused debug function [126]
o multi: expand pre-check for socket readiness [21]
o multi: handle connection state winsock events [31]
o multi: implement wait using winsock events [22]
o ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define [108]
o ngtcp2: adapt to the new pkt_info arguments [18]
o ntlm: fix condition for curl_ntlm_core usage [46]
o openssl: avoid error conditions when importing native CA [52]
o openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification [57]
o openssl: Fix wincrypt symbols conflict with BoringSSL [9]
o parsedate: tune the date to epoch conversion [95]
o pause: only trigger a reread if the unpause sticks [92]
o pingpong: use a dynbuf for the *_pp_sendf() function [113]
o READMEs: convert several to markdown [115]
o runtests: add %repeat[]% for test files [116]
o runtests: allow creating files without newlines [72]
o runtests: allow generating a binary sequence from hex
o runtests: clear pid variables when failing to start a server [12]
o runtests: make cleardir() erase dot files too [8]
o runtests: provide curl's version string as %VERSION for tests [127]
o schannel: fix memory leak when using get_cert_location [15]
o schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root [128]
o scripts: improve the "get latest curl release tag" logic
o sectransp: make it build with --disable-proxy [123]
o select.h: make socket validation macros test for INVALID_SOCKET [24]
o select: align poll emulation to return all relevant events [63]
o select: fix poll-based check not detecting connect failure
o select: reduce duplication of Curl_poll in Curl_socket_check [23]
o select: simplify return code handling for poll and select [49]
o setopt: if the buffer exists, refuse the new BUFFERSIZE [5]
o setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument [91]
o socketpair: allow CURL_DISABLE_SOCKETPAIR [11]
o sockfilt: handle FD_CLOSE winsock event on write socket [30]
o src: spell whitespace without whitespace [121]
o SSLCERTS: fix English syntax [34]
o strerror: honor Unicode API choice on Windows [109]
o symbian: drop support [118]
o telnet.c: depend on static requirement of WinSock version 2 [61]
o test1541: remove since it is a known bug [68]
o test163[12]: require http to be built-in to run [94]
o test434: test -K use in a single line without newline [59]
o test971: show test mismatches "inline"
o tests/data: Fix some mismatched XML tags in test cases
o tests/FILEFORMAT: document nonewline support for <file>
o tests/FILEFORMAT: document type=shell for <command>
o tests/server/util.c: fix support for Windows Unicode builds [131]
o tests: remove pipelining tests [69]
o tls: fix SRP detection by using the proper #ifdefs [33]
o tls: provide the CApath verbose log on its own line [1]
o tool_setopt: escape binary data to hex, not octal
o tool_writeout: add new writeout variable, %{num_headers} [97]
o travis: add a build using libressl (from git master) [55]
o url: use blank credentials when using proxy w/o username and password [54]
o urlapi: use more Curl_safefree [89]
o vtls: deduplicate client certificates in ssl_config_data [98]
o win32: drop support for WinSock version 1, require version 2 [62]
o winbuild: convert the instruction text to README.md [19]
pkgsrc changes:
- Add test dependency to Python and py-impacket for SMB and TELNET tests
Changes:
7.72.0
------
This release includes the following changes:
o content_encoding: add zstd decoding support
o CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
o CURLINFO_EFFECTIVE_METHOD: added
This release includes the following bugfixes:
o CVE-2020-8231: libcurl: wrong connect-only connection
o appveyor: collect libcurl.dll variants with prefix or suffix
o asyn-ares: correct some bad comments
o bearssl: fix build with disabled proxy support
o buildconf: avoid array concatenation in die()
o buildconf: retire ares buildconf invocation
o checksrc: ban gmtime/localtime
o checksrc: invoke script with -D to find .checksrc proper
o CI/azure: install libssh2 for use with msys2-based builds
o CI/azure: unconditionally enable warnings-as-errors with autotools
o CI/macos: enable warnings as errors for CMake builds
o CI/macos: set minimum macOS version
o CI/macos: unconditionally enable warnings-as-errors with autotools
o CI: Add muse CI analyzer
o cirrus-ci: upgrade 11-STABLE to 11.4
o CMake: don't complain about missing nroff
o CMake: fix test for warning suppressions
o cmake: fix windows xp build
o configure.ac: Sort features name in summary
o configure: allow disabling warnings
o configure: cleanup wolfssl + pkg-config conflicts when cross compiling.
o configure: show zstd "no" in summary when built without it
o connect: remove redundant message about connect failure
o curl-config: ignore REQUIRE_LIB_DEPS in --libs output
o curl.1: add a few missing valid exit codes
o curl: add %{method} to the -w variables
o curl: improve the existing file check with -J
o curl_multi_setopt: fix compiler warning "result is always false"
o curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
o CURLINFO_CERTINFO.3: fix typo
o CURLOPT_NOBODY.3: clarify what setting to 0 means
o docs: add date of 7.20 to CURLM_CALL_MULTI_PERFORM mentions
o docs: Add video link to docs/CONTRIBUTE.md
o docs: change "web site" to "website"
o docs: clarify MAX_SEND/RECV_SPEED functionality
o docs: Update a few leftover mentions of DarwinSSL
o doh: remove redundant cast
o file2memory: use a define instead of -1 unsigned value
o ftp: don't do ssl_shutdown instead of ssl_close
o ftpserver: don't verify SMTP MAIL FROM names
o getinfo: reset retry-after value in initinfo
o gnutls: repair the build with `CURL_DISABLE_PROXY`
o gtls: survive not being able to get name/issuer
o h2: repair trailer handling
o http2: close the http2 connection when no more requests may be sent
o http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
o libssh2: s/ssherr/sftperr/
o libtest/Makefile.am: add -no-undefined for libstubgss for Cygwin
o md(4|5): don't use deprecated macOS functions
o mprintf: Fix dollar string handling
o mprintf: Fix stack overflows
o multi: Condition 'extrawait' is always true
o multi: Remove 10-year old out-commented code
o multi: remove two checks always true
o multi: update comment to say easyp list is linear
o multi_remove_handle: close unused connect-only connections
o ngtcp2: adapt to error code rename
o ngtcp2: adjust to recent sockaddr updates
o ngtcp2: update to modified qlog callback prototype
o nss: fix build with disabled proxy support
o ntlm: free target_info before (re-)malloc
o openssl: fix build with LibreSSL < 2.9.1
o page-header: provide protocol details in the curl.1 man page
o quiche: handle calling disconnect twice
o runtests.pl: treat LibreSSL and BoringSSL as OpenSSL
o runtests: move the gnutls-serv tests to a dynamic port
o runtests: move the smbserver to use a dynamic port number
o runtests: move the TELNET server to a dynamic port
o runtests: run the DICT server on a random port number
o runtests: run the http2 tests on a random port number
o runtests: support dynamicly base64 encoded sections in tests
o setopt: unset NOBODY switches to GET if still HEAD
o smtp_parse_address: handle blank input string properly
o socks: use size_t for size variable
o strdup: remove the odd strlen check
o test1119: verify stdout in the test
o test1139: make it display the difference on test failures
o test1140: compare stdout
o test1908: treat file as text
o tests/FILEFORMAT.md: mention %HTTP2PORT
o tests/sshserver.pl: fix compatibility with OpenSSH for Windows
o TLS naming: fix more Winssl and Darwinssl leftovers
o tls-max.d: this option is only for TLS-using connections
o tlsv1.3.d. only for TLS-using connections
o tool_doswin: Simplify Windows version detection
o tool_getparam: make --krb option work again
o TrackMemory tests: ignore realloc and free in getenv.c
o transfer: fix data_pending for builds with both h2 and h3 enabled
o transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
o transfer: move retrycount from connect struct to easy handle
o travis/script.sh: fix use of `-n' with unquoted envvar
o travis: add ppc64le and s390x builds
o travis: update quiche builds for new boringssl layout
o url: fix CURLU and location following
o url: silence MSVC warning
o util: silence conversion warnings
o win32: Add Curl_verify_windows_version() to curlx
o WIN32: stop forcing narrow-character API
o windows: add unicode to feature list
o windows: disable Unix Sockets for old mingw
Fixed in 7.71.1:
cirrus-ci: disable FreeBSD 13 (again)
Curl_inet_ntop: always check the return code
CURLOPT_READFUNCTION.3: provide the upload data size up front
DYNBUF.md: fix a typo: trail => tail
escape: make the URL decode able to reject only %00-bytes
escape: zero length input should return a zero length output
examples/multithread.c: call curl_global_cleanup()
http2: set the correct URL in pushed transfers
http: fix proxy auth with blank password
mbedtls: fix build with disabled proxy support
ngtcp2: sync with current master
openssl: Fix compilation on Windows when ngtcp2 is enabled
Revert "multi: implement wait using winsock events"
sendf: improve the message on client write errors
terminology: call them null-terminated strings
tool_cb_hdr: Fix etag warning output and return code
url: allow user + password to contain "control codes" for HTTP(S)
vtls: compare cert blob when finding a connection to reuse
freeze ok: gdt, leot
curl and libcurl 7.71.0
Public curl releases: 192
Command line options: 232
curl_easy_setopt() options: 277
Public functions in libcurl: 82
Contributors: 2202
This release includes the following changes:
o CURLOPT_SSL_OPTIONS: optional use of Windows' CA store (with openssl) [10]
o setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency [31]
o setopt: support certificate options in memory with struct curl_blob [41]
o tool: Add option --retry-all-errors to retry on any error [27]
This release includes the following bugfixes:
o CVE-2020-8177: curl overwrite local file with -J [111]
o CVE-2020-8169: Partial password leak over DNS on HTTP redirect [48]
o *_sspi: fix bad uses of CURLE_NOT_BUILT_IN [21]
o all: fix codespell errors [75]
o altsvc: bump to h3-29 [114]
o altsvc: fix 'dsthost' may be used uninitialized in this function
o altsvc: fix parser for lines ending with CRLF [74]
o altsvc: remove the num field from the altsvc struct [109]
o appveyor: add non-debug plain autotools-based build [90]
o appveyor: disable flaky test 1501 and ignore broken 1056
o appveyor: disable test 1139 instead of ignoring it
o asyn-*: remove support for never-used NULL entry pointers [19]
o azure: use matrix strategy to avoid configuration redundancy [83]
o build: disable more code/data when built without proxy support [84]
o buildconf: remove -print from the find command that removes files
o checksrc: enhance the ASTERISKSPACE and update code accordingly [52]
o CI/macos: fix 'is already installed' errors by using bundle [94]
o cirrus: disable SFTP and SCP tests [7]
o CMake: add ENABLE_ALT_SVC option
o CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche) [34]
o CMake: add libssh build support [37]
o CMake: do not build test programs by default [30]
o CMake: fix runtests.pl with CMake, add new test targets [29]
o CMake: ignore INTERFACE_LIBRARY targets for pkg-config file [112]
o CMake: rebuild Makefile.inc.cmake when Makefile.inc changes [58]
o CODE_REVIEW.md: how to do code reviews in curl [108]
o configure: fix pthread check with static boringssl
o configure: for wolfSSL, check for the DES func needed for NTLM
o configure: only strip first -L from LDFLAGS [89]
o configure: repair the check if argv can be written to [47]
o configure: the wolfssh backend does not provide SCP [57]
o connect: improve happy eyeballs handling [118]
o connect: make happy eyeballs work for QUIC (again) [16]
o curl.1: Quote globbed URLs [51]
o curl: remove -J "informational" written on stdout [36]
o Curl_addrinfo: use one malloc instead of three [97]
o CURLINFO_ACTIVESOCKET.3: clarify the description [87]
o doc: add missing closing parenthesis in CURLINFO_SSL_VERIFYRESULT.3 [5]
o doc: Rename VERSIONS to VERSIONS.md as it already has Markdown syntax [20]
o docs/HTTP3: add qlog to the quiche build instruction
o docs/options-in-versions: which version added each cmdline option [53]
o docs: unify protocol lists [54]
o dynbuf: introduce internal generic dynamic buffer functions [17]
o easy: fix dangling pointer on easy_perform fail [26]
o examples/ephiperfifo: turn off interval when setting timerfd [79]
o examples/http2-down/upload: add error checks [78]
o examples: remove asiohiper.cpp [4]
o FILEFORMAT: add more features that tests can depend on
o FILEFORMAT: describe verify/stderr
o ftp: make domore_getsock() return the secondary socket properly
o ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void) [64]
o ftp: shut down the secondary connection properly when SSL is used [43]
o GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT [9]
o hostip: make Curl_printable_address not return anything [63]
o hostip: on macOS avoid DoH when given a numerical IP address [69]
o http2: keep trying to send pending frames after req.upload_done [40]
o http2: simplify and clean up trailer handling [6]
o HTTP3.md: clarify cargo build directory [77]
o http: move header storage to Curl_easy from connectdata [107]
o libcurl.pc: Merge Libs.private into Libs for static-only builds [28]
o libssh2: improved error output for wrong quote syntax [39]
o libssh2: keep sftp errors as 'unsigned long' [103]
o libssh2: set the expected total size in SCP upload init [2]
o libtest/cmake: Remove commented code [13]
o list-only.d: this option existed already in 4.0
o manpage: add three missing environment variables [121]
o multi: add defensive check on data->multi->num_alive [96]
o multi: implement wait using winsock events [120]
o ngtcp2: cleanup memory when failing to connect [70]
o ngtcp2: fix build with current ngtcp2 master implementing draft 28 [76]
o ngtcp2: fix happy eyeballs quic connect crash [118]
o ngtcp2: introduce qlog support [23]
o ngtcp2: never call fprintf() in lib code in release version
o ngtcp2: update with recent API changes [100]
o ntlm: enable NTLM support with wolfSSL [81]
o OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN [55]
o openssl: set FLAG_TRUSTED_FIRST unconditionally [105]
o projects: Add crypt32.lib to dependencies for all OpenSSL configs [93]
o quiche: clean up memory properly when failing to connect [71]
o quiche: enable qlog output [14]
o quiche: update SSLKEYLOGFILE support [98]
o Revert "buildconf: use find -execdir" [38]
o Revert "ssh: ignore timeouts during disconnect" [67]
o runtests: remove sleep calls [18]
o runtests: show elapsed test time with higher precision (ms)
o select: always use Sleep in Curl_wait_ms on Win32 [82]
o select: fix overflow protection in Curl_socket_check [22]
o sendf: make failf() use the mvsnprintf() return code [62]
o server/sws: fix asan warning on use of uninitialized variable
o server/util: fix logmsg format using curl_off_t argument [106]
o sha256: fixed potentially uninitialized variable [61]
o share: don't set the share flag it something fails [116]
o sockfilt: make select_ws stop waiting on exit signal event
o socks: detect connection close during handshake [95]
o socks: fix expected length of SOCKS5 reply [68]
o socks: remove unreachable breaks in socks.c and mime.c [101]
o source cleanup: remove all custom typedef structs [42]
o test1167: fixes in badsymbols.pl [73]
o test1177: look for curl.h in source directory [1]
o test1238: avoid tftpd being busy for tests shortly following [33]
o test613.pl: make tests 613 and 614 work with OpenSSH for Windows [8]
o test75: Remove precheck test
o tests: add https-proxy support to the test suite [49]
o tests: add support for SSH server variant specific transfer paths [24]
o tests: add two simple tests for --login-options [99]
o tests: make test 1248 + 1249 use %NOLISTENPORT [3]
o tests: pick a random port number for SSH [12]
o tests: run stunnel for HTTPS and FTPS on dynamic ports [11]
o timeouts: change millisecond timeouts to timediff_t from time_t [86]
o timeouts: move ms timeouts to timediff_t from int and long [104]
o tool: fixup a few --help descriptions [56]
o tool: support UTF-16 command line on Windows [46]
o tool_cfgable: free login_options at exit [102]
o tool_getparam: fix memory leak in parse_args
o tool_operate: fixed potentially uninitialized variables [60]
o tool_paramhlp: fixed potentially uninitialized strtol() variable [59]
o transfer: close connection after excess data has been read [66]
o travis: add "qlog" as feature in the quiche build
o travis: Add ngtcp2 and quiche tests for CMake
o travis: upgrade to bionic, clang-9, improve readability [35]
o typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *' [44]
o unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode' [88]
o url: accept "any length" credentials for proxy auth [72]
o url: alloc the download buffer at transfer start [85]
o url: reject too long input when parsing credentials [25]
o url: sort the protocol schemes in rough popularity order [32]
o urlapi: accept :: as a valid IPv6 address [15]
o urldata: leave the HTTP method untouched in the set.* struct [45]
o urlglob: treat literal IPv6 addresses with zone IDs as a host name [115]
o user-agent.d: spell out what happens given a blank argument [80]
o vauth/cleartext: fix theoretical integer overflow [50]
o version.d: expanded and alpha-sorted [110]
o vtls: Extract and simplify key log file handling from OpenSSL
o wolfssl: add SSLKEYLOGFILE support [65]
o wording: avoid blacklist/whitelist stereotypes [92]
o write-out.d: added "response_code"
Changes:
7.70.0
------
This release includes the following changes:
o curl: add --ssl-revoke-best-effort to allow a "best effort" revocation check
o mqtt: add new experimental protocol
o schannel: add "best effort" revocation check option: CURLSSLOPT_REVOKE_BEST_EFFORT
o writeout: support to generate JSON output with '%{json}'
This release includes the following bugfixes:
o appveyor: add Unicode winbuild jobs
o appveyor: completely disable tests that fail to timeout early
o appveyor: show failed tests in log even if test is ignored
o appveyor: sort builds by type and add two new variants
o appveyor: turn disabled tests into ignored result tests
o appveyor: use random test server ports based upon APPVEYOR_API_URL
o build: fixed build for systems with select() in unistd.h
o buildconf: avoid using tempfile when removing files
o checksrc: warn on obvious conditional blocks on the same line as if()
o CI-fuzz: increase fuzz time to 40 minutes
o ci/tests: fix Azure Pipelines not running Windows containers
o CI: add build with ngtcp2 + gnutls on Travis CI
o CI: bring GitHub Actions fuzzing job in line with macOS jobs
o CI: migrate macOS jobs from Azure and Travis CI to GitHub Actions
o CI: remove default Ubuntu build from GitHub Actions
o cirrus: no longer ignore test 504 which is working again
o cirrus: re-enable the FreeBSD 13 CI builds
o cleanup: insert newline after if() conditions
o cmake: add aliases so exported target names are available in tree
o cmake: add CMAKE_MSVC_RUNTIME_LIBRARY
o cmake: add support for building with wolfSSL
o cmake: Avoid MSVC C4273 warnings in send/recv checks
o cmdline: fix handling of OperationConfig linked list (--next)
o compressed.d: stress that the headers are not modified
o config: remove all defines of HAVE_DES_H
o configure: convert -I to -isystem as a last step
o configure: document 'compiler_num' for gcc
o configure: don't check for Security.framework when cross-compiling
o configure: fix -pedantic-errors for GCC 5 and later
o configure: remove use of -vec-report0 from CFLAGS with icc
o connect: happy eyeballs cleanup
o connect: store connection info for QUIC connections
o copyright: fix out-of-date copyright ranges and missing headers
o curl-functions.m4: remove inappropriate AC_REQUIRE
o curl.h: remnove CURL_VERSION_ESNI. Never supported nor documented
o curl.h: update comment typo
o curl: allow both --etag-compare and --etag-save with same file name
o curl_setup: define _WIN32_WINNT_[OS] symbols
o CURLINFO_CONDITION_UNMET: return true for 304 http status code
o CURLINFO_NUM_CONNECTS: improve accuracy
o CURLOPT_WRITEFUNCTION.3: add inline example and new see-also
o dist: add mail-rcpt-allowfails.d to the tarball
o docs/make: generate curl.1 from listed files only
o docs: add warnings about FILE: URLs on Windows
o easy: fix curl_easy_duphandle for builds missing IPv6 that use c-ares
o examples/sessioninfo.c: add include to fix compiler warning
o github actions: run when pushed to master or */ci + PRs
o gnutls: bump lowest supported version to 3.1.10
o gnutls: Don't skip really long certificate fields
o gnutls: ensure TLS 1.3 when SRP isn't requested
o gopher: check remaining time left during write busy loop
o gskit: use our internal select wrapper for portability
o http2: Fix erroneous debug message that h2 connection closed
o http: don't consider upload done if the request isn't completely sent off
o http: free memory when Alt-Used header creation fails due to OOM
o lib/mk-ca-bundle: skip empty certs
o lib670: use the same Win32 API check as all other lib tests
o lib: fix typos in comments and errormessages
o lib: never define CURL_CA_BUNDLE with a getenv
o libcurl-multi.3: added missing full stop
o libssh: avoid options override by configuration files
o libssh: Use new ECDSA key types to check known hosts
o mailmap: fixup a few author names/fields
o Makefile.m32: Improve windres parameter compatibility
o Makefile: run the cd commands in a subshell
o memdebug: don't log free(NULL)
o mime: properly check Content-Type even if it has parameters
o multi-ssl: reset the SSL backend on `Curl_global_cleanup()`
o multi: improve parameter check for curl_multi_remove_handle
o nghttp2: 1.12.0 required
o ngtcp2: update to git master for the key installation API change
o nss: check for PK11_CreateDigestContext() returning NULL
o openssl: adapt to functions marked as deprecated since version 3
o OS400: update strings for ccsid-ifier (fixes the build)
o output.d: quote the URL when globbing
o packages: add OS400/chkstrings.c to the dist
o RELEASE-PROCEDURE.md: run the copyright.pl script!
o Revert "file: on Windows, refuse paths that start with \\"
o runtests: always put test number in servercmd file
o runtests: provide nicer errormsg when protocol "dump" file is empty
o schannel: Fix blocking timeout logic
o schannel: support .P12 or .PFX client certificates
o scripts/release-notes.pl: add helper script for RELEASE-NOTES maintenance
o select: make Curl_socket_check take timediff_t timeout
o select: move duplicate select preparation code into Curl_select
o select: remove typecast from SOCKET_WRITABLE/READABLE macros
o server/getpart: make the "XML-parser" stricter
o server/resolve: remove AI_CANONNAME to make macos tell the truth
o smtp: set auth correctly
o sockfilt: add logmsg output to select_ws_wait_thread on Windows
o sockfilt: fix broken pipe on Windows to be ready in select_ws
o sockfilt: fix handling of ready closed sockets on Windows
o sockfilt: fix race-condition of waiting threads and event handling
o socks: Fix blocking timeout logic
o src: Remove C99 constructs to ensure C89 compliance
o SSLCERTS.md: Fix example code for setting CA cert file
o test1148: tolerate progress updates better (again)
o test1154: set a proper name
o test1177: verify that all the CURL_VERSION_ bits are documented
o test1566: verify --etag-compare that gets a 304 back
o test1908: avoid using fixed port number in test data
o test2043: use revoked.badssl.com instead of revoked.grc.com
o test2100: fix static port instead of dynamic value being used
o tests/data: fix some XML formatting issues in test cases
o tests/FILEFORMAT: converted to markdown and extended
o tests/server/util.c: use curl_off_t instead of long for pid
o tests: add %NOLISTENPORT and use it
o tests: add Windows compatible pidwait like pidkill and pidterm
o tests: fix conflict between Cygwin/msys and Windows PIDs
o tests: introduce preprocessed test cases
o tests: make Python-based servers compatible with Python 2 and 3
o tests: make runtests check that disabled tests exists
o tests: move pingpong server to dynamic listening port
o tests: remove python_dependencies for smbserver from our tree
o tests: run the RTSP test server on a dynamic port number
o tests: run the SOCKS test server on a dynamic port number
o tests: run the sws server on "any port"
o tests: run the TFTP test server on a dynamic port number
o tests: use Cygwin/msys PIDs for stunnel and sshd on Windows
o tls: remove the BACKEND define kludge from most backends
o tool: do not declare functions with Curl_ prefix
o tool_operate: fix add_parallel_transfers when more are in queue
o transfer: cap retries of "dead connections" to 5
o transfer: Switch PUT to GET/HEAD on 303 redirect
o travis: bump the wolfssl CI build to use 4.4.0
o travis: update the ngtcp2 build to use the latest OpenSSL patch
o url: allow non-HTTPS altsvc-matching for debug builds
o version: add 'cainfo' and 'capath' to version info struct
o version: increase buffer space for ssl version output
o version: skip idn2_check_version() check and add precaution
o vquic: add support for GnuTLS backend of ngtcp2
o vtls: fix ssl_config memory-leak on out-of-memory
o warnless: remove code block for icc that didn't work
o windows: enable UnixSockets with all build toolchains
o windows: suppress UI in all CryptAcquireContext() calls
curl and libcurl 7.69.1
This release includes the following bugfixes:
* ares: store dns parameters for duphandle
* cirrus-ci: disable the FreeBSD 13 builds
* curl_share_setopt.3: Note sharing cookies doesn't enable the engine
* lib1564: reduce number of mid-wait wakeup calls
* libssh: Fix matching user-specified MD5 hex key
* MANUAL: update a dict-using command line
* mime: do not perform more than one read in a row
* mime: fix the binary encoder to handle large data properly
* mime: latch last read callback status
* multi: skip EINTR check on wakeup socket if it was closed
* pause: bail out on bad input
* pause: force a connection recheck after unpausing (take 2)
* pause: return early for calls that don't change pause state
* runtests.1: rephrase how to specify what tests to run
* runtests: fix missing use of exe_ext helper function
* seek: fix fall back for missing ftruncate on Windows
* sftp: fix segfault regression introduced in 7.69.0
* sha256: Added SecureTransport implementation
* sha256: Added WinCrypt implementation
* socks4: fix host resolve regression
* socks5: host name resolv regression fix
* tests/server: fix missing use of exe_ext helper function
* tests: fix static ip:port instead of dynamic values being used
* tests: make sleeping portable by avoiding select
* unit1612: fix the inclusion and compilation of the HMAC unit test
* urldata: remove the 'stream_was_rewound' connectdata struct member
* version: make curl_version* thread-safe without using global context
This release includes the following changes:
o polarssl: removed
o smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
o wolfSSH: new SSH backend
This release includes the following bugfixes:
o altsvc: improved header parser
o altsvc: keep a copy of the file name to survive handle reset
o altsvc: make saving the cache an atomic operation
o altsvc: use h3-27
o azure: disable brotli on the macos debug-builds
o build: remove all HAVE_OPENSSL_ENGINE_H defines
o checksrc.bat: Fix not being able to run script from the main curl dir
o cleanup: fix several comment typos
o cleanup: fix typos and wording in docs and comments
o cmake: add support for CMAKE_LTO option
o cmake: clean up and improve build procedures
o cmake: enable SMB for Windows builds
o cmake: improve libssh2 check on Windows
o cmake: Show HTTPS-proxy in the features output
o cmake: support specifying the target Windows version
o cmake: use check_symbol_exists also for inet_pton
o configure.ac: fix comments about --with-quiche
o configure: disable metalink if mbedTLS is specified
o configure: disable metalink support for incompatible SSL/TLS
o conn: do not reuse connection if SOCKS proxy credentials differ
o conncache: removed unused Curl_conncache_bundle_size()
o connect: remove some spurious infof() calls
o connection reuse: respect the max_concurrent_streams limits
o contributors: also include people who contributed to curl-www
o contrithanks: use the most recent tag by default
o cookie: check __Secure- and __Host- case sensitively
o cookies: make saving atomic with a rename
o create-dirs.d: mention the mode
o curl: avoid using strlen for testing if a string is empty
o curl: error on --alt-svc use w/o support
o curl: let -D merge headers in one file again
o curl: make #0 not output the full URL
o curl: make the -# spaceship bar not wrap the line
o curl: remove 'config' field from OutStruct
o curl:progressbarinit: ignore column width from terminals < 20
o curl_escape.3: add a link to curl_free
o curl_getenv.3: fix the memory handling description
o curl_global_init: assume the EINTR bit by default
o curl_global_init: move the IPv6 works status bool to multi handle
o CURLINFO_COOKIELIST.3: Fix example
o CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording
o CURLOPT_PROXY_SSL_OPTIONS.3: Sync with CURLOPT_SSL_OPTIONS.3
o CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section
o data.d: remove "Multiple files can also be specified"
o digest: do not quote algorithm in HTTP authorisation
o docs/HTTP3: add --enable-alt-svc to curl's configure
o docs/HTTP3: update the OpenSSL branch to use for ngtcp2
o docs: fix typo on CURLINFO_RETRY_AFTER
o easy: remove dead code
o form.d: fix two minor typos
o ftp: convert 'sock_accepted' to a plain boolean
o ftp: remove superfluous checking for crlf in user or pwd
o ftp: shrink temp buffers used for PORT
o github action: add CIFuzz
o github: Instructions to post "uname -a" on Unix systems in issues
o GnuTLS: always send client cert
o gtls: fixed compilation when using GnuTLS < 3.5.0
o hostip: move code to resolve IP address literals to `Curl_resolv`
o HTTP-COOKIES: describe the cookie file format
o HTTP-COOKIES: mention that a trailing newline is required
o http2: make pausing/unpausing set/clear local stream window
o http2: now requires nghttp2 >= 1.12.0
o http: added 417 response treatment
o http: increase EXPECT_100_THRESHOLD to 1Mb
o http: mark POSTs with no body as "upload done" from the start
o http: move "oauth_bearer" from connectdata to Curl_easy
o include: remove non-curl prefixed defines
o KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header
o libssh2: add support for forcing a hostkey type
o libssh2: fix variable type
o libssh: improve known hosts handling
o llist: removed unused Curl_llist_move()
o location.d: the method change is from POST to GET only
o md4: fixed compilation issues when using GNU TLS gcrypt
o md4: use init/update/final functions in Secure Transport
o md5: added implementation for mbedTLS
o mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
o multi: change curl_multi_wait/poll to error on negative timeout
o multi: fix outdated comment
o multi: if Curl_readwrite sets 'comeback' use expire, not loop
o multi_done: if multiplexed, make conn->data point to another transfer
o multi_wait: stop loop when sread() returns zero
o ngtcp2: add error code for QUIC connection errors
o ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6
o ngtcp2: update to git master and its draft-25 support
o ntlm: move the winbind data into the NTLM data structure
o ntlm: pass the Curl_easy structure to the private winbind functions
o ntlm: removed the dependency on the TLS libaries when using MD5
o ntlm_wb: use Curl_socketpair() for greater portability
o oauth2-bearer.d: works for HTTP too
o openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
o openssl: remove redundant assignment
o os400: fixed the build
o pause: force-drain the transfer on unpause
o quiche: update to draft-25
o README: mention that the docs is in docs/
o RELEASE-PROCEDURE: feature win is closed post-release a few days
o runtests: make random seed fixed for a month
o runtests: restore the command log
o schannel: make CURLOPT_CAINFO work better on Windows 7
o schannel_verify: Fix alt names manual verify for UNICODE builds
o sha256: use crypto implementations when available
o singleuse.pl: support new API functions, fix curl_dbg_ handling
o smtp: support the SMTPUTF8 extension
o smtp: support UTF-8 based host names in MAIL FROM
o SOCKS: make the connect phase non-blocking
o strcase: turn Curl_raw_tolower into static
o strerror: increase STRERROR_LEN 128 -> 256
o test1323: added missing 'unit test' feature requirement
o tests: add a unit test for MD4 digest generation
o tests: add a unit test for SHA256 digest generation
o tests: add a unit test for the HMAC hash generation
o tests: deduce the tool name from the test case for unit tests
o tests: fix Python 3 compatibility of smbserver.py
o tool_dirhie: allow directory traversal during creation
o tool_homedir: change GetEnv() to use libcurl's curl_getenv()
o tool_util: improve Windows version of tvnow()
o travis: update non-OpenSSL Linux jobs to Bionic
o url: include the failure reason when curl_win32_idn_to_ascii() fails
o urlapi: guess scheme properly with credentials given
o urldata: do string enums without #ifdefs for build scripts
o vtls: refactor Curl_multissl_version to make the code clearer
o win32: USE_WIN32_CRYPTO to enable Win32 based MD4, MD5 and SHA256
pkgsrc changes:
- Removes patch-configure hunks applied upstream
Changes:
7.68.0
------
This release includes the following changes:
o TLS: add BearSSL vtls implementation
o XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
o curl: add --etag-compare and --etag-save
o curl: add --parallel-immediate
o multi: add curl_multi_wakeup()
o openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
This release includes the following bugfixes:
o CVE-2019-15601: file: on Windows, refuse paths that start with \\
o Azure Pipelines: add several builds
o CMake: add support for building with the NSS vtls backend
o CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
o CURLOPT_HEADERFUNCTION.3: Document that size is always 1
o CURLOPT_QUOTE.3: fix typos
o CURLOPT_READFUNCTION.3: fix the example
o CURLOPT_URL.3: "curl supports SMB version 1 (only)"
o CURLOPT_VERBOSE.3: see also ERRORBUFFER
o HISTORY: added cmake, HTTP/3 and parallel downloads with curl
o HISTORY: the SMB(S) support landed in 2014
o INSTALL.md: provide Android build instructions
o KNOWN_BUGS: Connection information when using TCP Fast Open
o KNOWN_BUGS: LDAP on Windows doesn't work correctly
o KNOWN_BUGS: TLS session cache doesn't work with TFO
o OPENSOCKETFUNCTION.3: correct the purpose description
o TrackMemory tests: always remove CR before LF
o altsvc: bump to h3-24
o altsvc: make the save function ignore NULL filenames
o build: Disable Visual Studio warning "conditional expression is constant"
o build: fix for CURL_DISABLE_DOH
o checksrc.bat: Add a check for vquic and vssh directories
o checksrc: repair the copyrightyear check
o cirrus-ci: enable clang sanitizers on freebsd 13
o cirrus: Drop the FreeBSD 10.4 build
o config-win32: cpu-machine-OS for Windows on ARM
o configure: avoid unportable `==' test(1) operator
o configure: enable IPv6 support without `getaddrinfo`
o configure: fix typo in help text
o conncache: CONNECT_ONLY connections assumed always in-use
o conncache: fix multi-thread use of shared connection cache
o copyrights: fix copyright year range
o create_conn: prefer multiplexing to using new connections
o curl -w: handle a blank input file correctly
o curl.h: add two missing defines for "pre ISO C" compilers
o curl/parseconfig: fix mem-leak
o curl/parseconfig: use curl_free() to free memory allocated by libcurl
o curl: cleanup multi handle on failure
o curl: fix --upload-file . hangs if delay in STDIN
o curl: fix -T globbing
o curl: improved cleanup in upload error path
o curl: make a few char pointers point to const char instead
o curl: properly free mimepost data
o curl: show better error message when no homedir is found
o curl: show error for --http3 if libcurl lacks support
o curl_setup_once: consistently use WHILE_FALSE in macros
o define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
o docs: Change 'experiemental' to 'experimental'
o docs: TLS SRP doesn't work with TLS 1.3
o docs: fix several typos
o docs: mention CURL_MAX_INPUT_LENGTH restrictions
o doh: improved both encoding and decoding
o doh: make it behave when built without proxy support
o examples/postinmemory.c: Call curl_global_cleanup always
o examples/url2file.c: corrected erroneous comment
o examples: add multi-poll.c
o global_init: undo the "intialized" bump in case of failure
o hostip: suppress compiler warning
o http_ntlm: Remove duplicate NSS initialisation
o lib: Move lib/ssh.h -> lib/vssh/ssh.h
o lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
o lib: fix warnings found when porting to NuttX
o lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
o lib: remove erroneous +x file permission on some c files
o libssh2: add support for ECDSA and ed25519 knownhost keys
o multi.h: remove INITIAL_MAX_CONCURRENT_STREAMS from public header
o multi: free sockhash on OOM
o multi_poll: avoid busy-loop when called without easy handles attached
o ngtcp2: Support the latest update key callback type
o ngtcp2: fix thread-safety bug in error-handling
o ngtcp2: free used resources on disconnect
o ngtcp2: handle key updates as ngtcp2 master branch tells us
o ngtcp2: increase QUIC window size when data is consumed
o ngtcp2: use overflow buffer for extra HTTP/3 data
o ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
o ntlm_wb: fix double-free in OOM
o openssl: Revert to less sensitivity for SYSCALL errors
o openssl: improve error message for SYSCALL during connect
o openssl: prevent recursive function calls from ctx callbacks
o openssl: retrieve reported LibreSSL version at runtime
o openssl: set X509_V_FLAG_PARTIAL_CHAIN by default
o parsedate: offer a getdate_capped() alternative
o pause: avoid updating socket if done was already called
o projects: Fix Visual Studio projects SSH builds
o projects: Fix Visual Studio wolfSSL configurations
o quiche: reject HTTP/3 headers in the wrong order
o remove_handle: clear expire timers after multi_done()
o runtests: --repeat=[num] to repeat tests
o runtests: introduce --shallow to reduce huge torture tests
o schannel: fix --tls-max for when min is --tlsv1 or default
o setopt: Fix ALPN / NPN user option when built without HTTP2
o strerror: Add Curl_winapi_strerror for Win API specific errors
o strerror: Fix an error looking up some Windows error strings
o strerror: Fix compiler warning "empty expression"
o system.h: fix for MCST lcc compiler
o test/sws: search for "Testno:" header unconditionally if no testno
o test1175: verify symbols-in-versions and libcurl-errors.3 in sync
o test1270: a basic -w redirect_url test
o test1456: remove the use of a fixed local port number
o test1558: use double slash after file:
o test1560: require IPv6 for IPv6 aware URL parsing
o tests/lib1557: fix mem-leak in OOM
o tests/lib1559: fix mem-leak in OOM
o tests/lib1591: free memory properly on OOM, in the trailers callback
o tests/unit1607: fix mem-leak in OOM
o tests/unit1609: fix mem-leak in OOM
o tests/unit1620: fix bad free in OOM
o tests: Change NTLM tests to require SSL
o tests: Fix bounce requests with truncated writes
o tests: fix build with `CURL_DISABLE_DOH`
o tests: fix permissions of ssh keys in WSL
o tests: make it possible to set executable extensions
o tests: make sure checksrc runs on header files too
o tests: set LC_ALL=en_US.UTF-8 instead of blank in several tests
o tests: use DoH feature for DoH tests
o tests: use \r\n for log messages in WSL
o tool_operate: fix mem leak when failed config parse
o travis: Fix error detection
o travis: abandon coveralls, it is not reliable
o travis: build ngtcp2 with --enable-lib-only
o travis: export the CC/CXX variables when set
o vtls: make BearSSL possible to set with CURL_SSL_BACKEND
o winbuild: Define CARES_STATICLIB when WITH_CARES=static
o winbuild: Document CURL_STATICLIB requirement for static libcurl
This release includes the following known bugs:
o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)
Changes:
7.67.0
------
This release includes the following changes:
o curl: added --no-progress-meter
o setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
o urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
This release includes the following bugfixes:
o BINDINGS: five new bindings addded
o CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
o CURLOPT_TIMEOUT.3: remove the mention of "minutes"
o ESNI: initial build/setup support
o FTP: FTPFILE_NOCWD: avoid redundant CWDs
o FTP: allow "rubbish" prepended to the SIZE response
o FTP: remove trailing slash from path for LIST/MLSD
o FTP: skip CWD to entry dir when target is absolute
o FTP: url-decode path before evaluation
o HTTP3.md: move -p for mkdir, remove -j for make
o HTTP3: fix invalid use of sendto for connected UDP socket
o HTTP3: fix ngtcp2 Windows build
o HTTP3: fix prefix parameter for ngtcp2 build
o HTTP3: fix typo somehere1 > somewhere1
o HTTP3: show an --alt-svc using example too
o INSTALL: add missing space for configure commands
o INSTALL: add vcpkg installation instructions
o README: minor grammar fix
o altsvc: accept quoted ma and persist values
o altsvc: both backends run h3-23 now
o appveyor: Add MSVC ARM64 build
o appveyor: Use two parallel compilation on appveyor with CMake
o appveyor: add --disable-proxy autotools build
o appveyor: add 32-bit MinGW-w64 build
o appveyor: add a winbuild
o appveyor: add a winbuild that uses VS2017
o appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017
o appveyor: publish artifacts on appveyor
o appveyor: upgrade VS2017 to VS2019
o asyn-thread: make use of Curl_socketpair() where available
o asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
o build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
o checksrc: fix uninitialized variable warning
o chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
o cirrus: Increase the git clone depth
o cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
o cirrus: switch off blackhole status on the freebsd CI machines
o cleanups: 21 various PVS-Studio warnings
o configure: only say ipv6 enabled when the variable is set
o configure: remove all cyassl references
o conn-reuse: requests wanting NTLM can reuse non-NTLM connections
o connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
o connect: silence sign-compare warning
o cookie: avoid harmless use after free
o cookie: pass in the correct cookie amount to qsort()
o cookies: change argument type for Curl_flush_cookies
o cookies: using a share with cookies shouldn't enable the cookie engine
o copyrights: update copyright notices to 2019
o curl: create easy handles on-demand and not ahead of time
o curl: ensure HTTP 429 triggers --retry
o curl: exit the create_transfers loop on errors
o curl: fix memory leaked by parse_metalink()
o curl: load large files with -d @ much faster
o docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
o docs: added multi-event.c example
o docs: disambiguate CURLUPART_HOST is for host name (ie no port)
o docs: note on failed handles not being counted by curl_multi_perform
o doh: allow only http and https in debug mode
o doh: avoid truncating DNS QTYPE to lower octet
o doh: clean up dangling DOH memory on easy close
o doh: fix (harmless) buffer overrun
o doh: fix undefined behaviour and open up for gcc and clang optimization
o doh: return early if there is no time left
o examples/sslbackend: fix -Wchar-subscripts warning
o examples: remove the "this exact code has not been verified"
o git: add tests/server/disabled to .gitignore
o gnutls: make gnutls_bye() not wait for response on shutdown
o http2: expire a timeout at end of stream
o http2: prevent dup'ed handles to send dummy PRIORITY frames
o http2: relax verification of :authority in push promise requests
o http2_recv: a closed stream trumps pause state
o http: lowercase headernames for HTTP/2 and HTTP/3
o ldap: Stop using wide char version of ldapp_err2string
o ldap: fix OOM error on missing query string
o mbedtls: add error message for cert validity starting in the future
o mime: when disabled, avoid C99 macro
o ngtcp2: adapt to API change
o ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
o ngtcp2: remove fprintf() calls
o openssl: close_notify on the FTP data connection doesn't mean closure
o openssl: fix compiler warning with LibreSSL
o openssl: use strerror on SSL_ERROR_SYSCALL
o os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
o parsedate: fix date parsing disabled builds
o quiche: don't close connection at end of stream
o quiche: persist connection details (fixes -I with --http3)
o quiche: set 'drain' when returning without having drained the queues
o quiche: update HTTP/3 config creation to new API
o redirect: handle redirects to absolute URLs containing spaces
o runtests: get textaware info from curl instead of perl
o schannel: reverse the order of certinfo insertions
o schannel_verify: Fix concurrent openings of CA file
o security: silence conversion warning
o setopt: handle ALTSVC set to NULL
o setopt: make it easier to add new enum values
o setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
o smb: check for full size message before reading message details
o smbserver: fix Python 3 compatibility
o socks: Fix destination host shown on SOCKS5 error
o test1162: disable MSYS2's POSIX path conversion
o test1591: fix spelling of http feature
o tests: add `connect to non-listen` keywords
o tests: fix narrowing conversion warnings
o tests: fix the test 3001 cert failures
o tests: makes tests succeed when using --disable-proxy
o tests: use %FILE_PWD for file:// URLs
o tests: use port 2 instead of 60000 for a safer non-listening port
o tool_operate: Fix retry sleep time shown to user when Retry-After
o travis: Add an ARM64 build
o url: Curl_free_request_state() should also free doh handles
o url: don't set appconnect time for non-ssl/non-ssh connections
o url: fix the NULL hostname compiler warning
o url: normalize CURLINFO_EFFECTIVE_URL
o url: only reuse TLS connections with matching pinning
o urlapi: avoid index underflow for short ipv6 hostnames
o urlapi: fix URL encoding when setting a full URL
o urlapi: fix unused variable warning
o urlapi: question mark within fragment is still fragment
o urldata: use 'bool' for the bit type on MSVC compilers
o vtls: Fix comment typo about macosx-version-min compiler flag
o vtls: fix narrowing conversion warnings
o winbuild/MakefileBuild.vc: Add vssh
o winbuild/MakefileBuild.vc: Fix line endings
o winbuild: Add manifest to curl.exe for proper OS version detection
o winbuild: add ENABLE_UNICODE option
Changes:
7.66.0
------
This release includes the following changes:
o CURLINFO_RETRY_AFTER: parse the Retry-After header value
o HTTP3: initial (experimental still not working) support
o curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
o curl: support parallel transfers with -Z
o curl_multi_poll: a sister to curl_multi_wait() that waits more
o sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
This release includes the following bugfixes:
o CVE-2019-5481: FTP-KRB double-free
o CVE-2019-5482: TFTP small blocksize heap buffer overflow
o CI: remove duplicate configure flag for LGTM.com
o CMake: remove needless newlines at end of gss variables
o CMake: use platform dependent name for dlopen() library
o CURLINFO docs: mention that in redirects times are added
o CURLOPT_ALTSVC.3: use a "" file name to not load from a file
o CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
o CURLOPT_HEADERFUNCTION.3: clarify
o CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
o CURLOPT_READFUNCTION.3: provide inline example
o CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
o Curl_addr2string: take an addrlen argument too
o Curl_fillreadbuffer: avoid double-free trailer buf on error
o HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
o alt-svc: add protocol version selection masking
o alt-svc: fix removal of expired cache entry
o alt-svc: make it use h3-22 with ngtcp2 as well
o alt-svc: more liberal ALPN name parsing
o alt-svc: send Alt-Used: in redirected requests
o alt-svc: with quiche, use the quiche h3 alpn string
o appveyor: pass on -k to make
o asyn-thread: create a socketpair to wait on
o build-openssl: fix build with Visual Studio 2019
o cleanup: move functions out of url.c and make them static
o cleanup: remove the 'numsocks' argument used in many places
o configure: avoid undefined check_for_ca_bundle
o curl.h: add CURL_HTTP_VERSION_3 to the version enum
o curl.h: fix outdated comment
o curl: cap the maximum allowed values for retry time arguments
o curl: handle a libcurl build without netrc support
o curl: make use of CURLINFO_RETRY_AFTER when retrying
o curl: remove outdated comment
o curl: use .curlrc (with a dot) on Windows
o curl: use CURLINFO_PROTOCOL to check for HTTP(s)
o curl_global_init_mem.3: mention it was added in 7.12.0
o curl_version: bump string buffer size to 250
o curl_version_info.3: mentioned ALTSVC and HTTP3
o curl_version_info: offer quic (and h3) library info
o curl_version_info: provide nghttp2 details
o defines: avoid underscore-prefixed defines
o docs/ALTSVC: remove what works and the experimental explanation
o docs/EXPERIMENTAL: explain what it means and what's experimental now
o docs/MANUAL.md: converted to markdown from plain text
o docs/examples/curlx: fix errors
o docs: s/curl_debug/curl_dbg_debug in comments and docs
o easy: resize receive buffer on easy handle reset
o examples: Avoid reserved names in hiperfifo examples
o examples: add http3.c, altsvc.c and http3-present.c
o getenv: support up to 4K environment variable contents on windows
o http09: disable HTTP/0.9 by default in both tool and library
o http2: when marked for closure and wanted to close == OK
o http2_recv: trigger another read when the last data is returned
o http: fix use of credentials from URL when using HTTP proxy
o http_negotiate: improve handling of gss_init_sec_context() failures
o md4: Use our own MD4 when no crypto libraries are available
o multi: call detach_connection before Curl_disconnect
o netrc: make the code try ".netrc" on Windows
o nss: use TLSv1.3 as default if supported
o openssl: build warning free with boringssl
o openssl: use SSL_CTX_set_<min|max>_proto_version() when available
o plan9: add support for running on Plan 9
o progress: reset download/uploaded counter between transfers
o readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
o scp: fix directory name length used in memcpy
o smb: init *msg to NULL in smb_send_and_recv()
o smtp: check for and bail out on too short EHLO response
o source: remove names from source comments
o spnego_sspi: add typecast to fix build warning
o src/makefile: fix uncompressed hugehelp.c generation
o ssh-libssh: do not specify O_APPEND when not in append mode
o ssh: move code into vssh for SSH backends
o sspi: fix memory leaks
o tests: Replace outdated test case numbering documentation
o tftp: return error when packet is too small for options
o timediff: make it 64 bit (if possible) even with 32 bit time_t
o travis: reduce number of torture tests in 'coverage'
o url: make use of new HTTP version if alt-svc has one
o urlapi: verify the IPv6 numerical address
o urldata: avoid 'generic', use dedicated pointers
o vauth: Use CURLE_AUTH_ERROR for auth function errors
Changes:
7.65.2
------
This release includes the following bugfixes:
o CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
o CMake: Convert errant elseif() to else()
o CMake: Fix finding Brotli on case-sensitive file systems
o CURLMOPT_SOCKETFUNCTION.3: clarified
o CURLMOPT_SOCKETFUNCTION.3: fix typo
o CURLOPT_CAINFO.3: polished wording
o CURLOPT_HEADEROPT.3: Fix example
o CURLOPT_RANGE.3: Caution against using it for HTTP PUT
o CURLOPT_SEEKDATA.3: fix variable name
o DEPRECATE: fixup versions and spelling
o bindlocal: detect and avoid IP version mismatches in bind()
o build: fix Codacy warnings
o buildconf.bat: fix header filename
o c-ares: honor port numbers in CURLOPT_DNS_SERVERS
o config-os400: add getpeername and getsockname defines
o configure: --disable-progress-meter
o configure: fix --disable-code-coverage
o configure: fix typo '--disable-http-uath'
o configure: more --disable switches to toggle off individual features
o configure: remove CURL_DISABLE_TLS_SRP
o conn_maxage: move the check to prune_dead_connections()
o curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
o curl_multi_wait.3: escape backslash in example
o docs: Explain behavior change in --tlsv1. options since 7.54
o docs: Fix links to OpenSSL docs
o docs: fix string suggesting HTTP/2 is not the default
o examples/fopen: fix comparison
o examples/htmltitle: use C++ casts between pointer types
o headers: Remove no longer exported functions
o http2: call done_sending on end of upload
o http2: don't call stream-close on already closed streams
o http2: remove CURL_DISABLE_TYPECHECK define
o http: allow overriding timecond with custom header
o http: clarify header buffer size calculation
o krb5: fix compiler warning
o lib: Use UTF-8 encoding in comments
o libcurl-tutorial.3: Fix small typo (mutipart -> multipart)
o libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
o multi: enable multiplexing by default (again)
o multi: fix the transfer hashes in the socket hash entries
o multi: make sure 'data' can present in several sockhash entries
o netrc: Return the correct error code when out of memory
o nss: don't set unused parameter
o nss: inspect returnvalue of token check
o nss: only cache valid CRL entries
o nss: support using libnss on macOS
o openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
o openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
o openssl: fix pubkey/signature algorithm detection in certinfo
o openssl: remove outdated comment
o os400: make vsetopt() non-static as Curl_vsetopt() for os400 support
o quote.d: asterisk prefix works for SFTP as well
o runtests: keep logfiles around by default
o runtests: report single test time + total duration
o smb: Use the correct error code for access denied on file open
o sws: remove unused variables
o system_win32: fix clang warning
o system_win32: fix typo
o test1165: verify that CURL_DISABLE_ symbols are in sync
o test1521: adapt to SLISTPOINT
o test1523: test CURLOPT_LOW_SPEED_LIMIT
o test153: fix content-length to avoid occasional hang
o test188/189: fix Content-Length
o tests: have runtests figure out disabled features
o tests: support non-localhost HOSTIP for dict/smb servers
o tests: update fixed IP for hostip/clientip split
o tool_cb_prg: Fix integer overflow in progress bar
o travis: disable threaded resolver for coverage build
o travis: enable alt-svc for coverage build
o travis: enable brotli for all xenial jobs
o travis: enable libssh2 for coverage build
o travis: enable warnings-as-errors for coverage build
o travis: update scan-build job to xenial
o typecheck: CURLOPT_CONNECT_TO takes an slist too
o typecheck: add 3 missing strings and a callback data pointer
o unit1654: cleanup on memory failure
o unpause: trigger a timeout for event-based transfers
o url: Fix CURLOPT_MAXAGE_CONN time comparison
o win32: make DLL loading a no-op for UWP
o winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG
o winbuild: use WITH_PREFIX if given
o wolfssl: refer to it as wolfSSL only
Changes:
7.65.1
------
This release includes the following bugfixes:
o CURLOPT_LOW_SPEED_* repaired
o NTLM: reset proxy "multipass" state when CONNECT request is done
o PolarSSL: deprecate support step 1. Removed from configure
o appveyor: add Visual Studio solution build
o cmake: check for if_nametoindex()
o cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
o config-win32: add support for if_nametoindex and getsockname
o conncache: Remove the DEBUGASSERT on length check
o conncache: make "bundles" per host name when doing proxy tunnels
o curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
o curl_share_setopt.3: improve wording
o dump-header.d: spell out that no headers == empty file
o example/http2-download: fix format specifier
o examples: cleanups and compiler warning fixes
o http2: Stop drain from being permanently set
o http: don't parse body-related headers in bodyless responses
o md4: build correctly with openssl without MD4
o md4: include the mbedtls config.h to get the MD4 info
o multi: track users of a socket better
o nss: allow to specify TLS 1.3 ciphers if supported by NSS
o parse_proxy: make sure portptr is initialized
o parse_proxy: use the IPv6 zone id if given
o sectransp: handle errSSLPeerAuthCompleted from SSLRead()
o singlesocket: use separate variable for inner loop
o ssl: Update outdated "openssl-only" comments for supported backends
o tests: add HAProxy keywords
o tests: add support to test against OpenSSH for Windows
o tests: make test 1420 and 1406 work with rtsp-disabled libcurl
o tls13-docs: mention it is only for OpenSSL >= 1.1.1
o tool_parse_cfg: Avoid 2 fopen() for WIN32
o tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
o url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
o url: fix bad feature-disable #ifdef
o url: use correct port in ConnectionExists()
o winbuild: Use two space indentation
pkgsrc changes:
- Remove patch-configure test(1) `==' -> `=' hunk applied upstream
Changes:
7.65.0
------
This release includes the following changes:
o CURLOPT_DNS_USE_GLOBAL_CACHE: removed
o CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
o pipelining: removed
This release includes the following bugfixes:
o CVE-2019-5435: Integer overflows in curl_url_set
o CVE-2019-5436: tftp: use the current blksize for recvfrom()
o --config: clarify that initial : and = might need quoting
o AppVeyor: enable testing for WinSSL build
o CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
o CURLOPT_ADDRESS_SCOPE: fix range check and more
o CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later
o CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
o CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
o CURL_MAX_INPUT_LENGTH: largest acceptable string input size
o Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
o INTERNALS: Add code highlighting
o OS400/ccsidcurl: replace use of Curl_vsetopt
o OpenSSL: Report -fips in version if OpenSSL is built with FIPS
o README.md: fix no-consecutive-blank-lines Codacy warning
o VC15 project: remove MinimalRebuild
o VS projects: use Unicode for VC10+
o WRITEFUNCTION: add missing set_in_callback around callback
o altsvc: Fix building with cookies disabled
o auth: Rename the various authentication clean up functions
o base64: build conditionally if there are users
o build-openssl.bat: Fixed support for OpenSSL v1.1.0+
o build: fix "clarify calculation precedence" warnings
o checksrc.bat: ignore snprintf warnings in docs/examples
o cirrus: Customize the disabled tests per FreeBSD version
o cleanup: remove FIXME and TODO comments
o cmake: avoid linking executable for some tests with cmake 3.6+
o cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
o cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
o cmake: set SSL_BACKENDS
o configure: avoid unportable `==' test(1) operator
o configure: error out if OpenSSL wasn't detected when asked for
o configure: fix default location for fish completions
o cookie: Guard against possible NULL ptr deref
o curl: make code work with protocol-disabled libcurl
o curl: report error for "--no-" on non-boolean options
o curl_easy_getinfo.3: fix minor formatting mistake
o curlver.h: use parenthesis in CURL_VERSION_BITS macro
o docs/BUG-BOUNTY: bug bounty time
o docs/INSTALL: fix broken link
o docs/RELEASE-PROCEDURE: link to live iCalendar
o documentation: Fix several typos
o doh: acknowledge CURL_DISABLE_DOH
o doh: disable DOH for the cases it doesn't work
o examples: remove unused variables
o ftplistparser: fix LGTM alert "Empty block without comment"
o hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
o http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
o http: acknowledge CURL_DISABLE_HTTP_AUTH
o http: mark bundle as not for multiuse on < HTTP/2 response
o http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
o http_negotiate: do not treat failure of gss_init_sec_context() as fatal
o http_ntlm: Corrected the name of the include guard
o http_ntlm_wb: Handle auth for only a single request
o http_ntlm_wb: Return the correct error on receiving an empty auth message
o lib509: add missing include for strdup
o lib557: initialize variables
o makedebug: Fix ERRORLEVEL detection after running where.exe
o mbedtls: enable use of EC keys
o mime: acknowledge CURL_DISABLE_MIME
o multi: improved HTTP_1_1_REQUIRED handling
o netrc: acknowledge CURL_DISABLE_NETRC
o nss: allow fifos and character devices for certificates
o nss: provide more specific error messages on failed init
o ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
o ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
o openssl: mark connection for close on TLS close_notify
o openvms: Remove pre-processor for SecureTransport
o openvms: Remove pre-processors for Windows
o parse_proxy: use the URL parser API
o parsedate: disabled on CURL_DISABLE_PARSEDATE
o pingpong: disable more when no pingpong protocols are enabled
o polarssl_threadlock: remove conditionally unused code
o progress: acknowledge CURL_DISABLE_PROGRESS_METER
o proxy: acknowledge DISABLE_PROXY more
o resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
o revert "multi: support verbose conncache closure handle"
o sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
o sasl: only enable if there's a protocol enabled using it
o scripts: fix typos
o singleipconnect: show port in the verbose "Trying ..." message
o smtp: fix compiler warning
o socks5: user name and passwords must be shorter than 256
o socks: fix error message
o socksd: new SOCKS 4+5 server for tests
o spnego_gssapi: fix return code on gss_init_sec_context() failure
o ssh-libssh: remove unused variable
o ssh: define USE_SSH if SSH is enabled (any backend)
o ssh: move variable declaration to where it's used
o test1002: correct the name
o test2100: Fix typos in test description
o tests/server/util: fix Windows Unicode build
o tests: Run global cleanup at end of tests
o tests: make Impacket (SMB server) Python 3 compatible
o tool_cb_wrt: fix bad-function-cast warning
o tool_formparse: remove redundant assignment
o tool_help: Warn if curl and libcurl versions do not match
o tool_help: include <strings.h> for strcasecmp
o transfer: fix LGTM alert "Comparison is always true"
o travis: add an osx http-only build
o travis: allow builds on branches named "ci"
o travis: install dependencies only when needed
o travis: update some builds do Xenial
o travis: updated mesalink builds
o url: always clone the CUROPT_CURLU handle
o url: convert the zone id from a IPv6 URL to correct scope id
o urlapi: add CURLUPART_ZONEID to set and get
o urlapi: increase supported scheme length to 40 bytes
o urlapi: require a non-zero host name length when parsing URL
o urlapi: stricter CURLUPART_PORT parsing
o urlapi: strip off zone id from numerical IPv6 addresses
o urlapi: urlencode characters above 0x7f correctly
o vauth/cleartext: update the PLAIN login to match RFC 4616
o vauth/oauth2: Fix OAUTHBEARER token generation
o vauth: Fix incorrect function description for Curl_auth_user_contains_domain
o vtls: fix potential ssl_buffer stack overflow
o wildcard: disable from build when FTP isn't present
o winbuild: Support MultiSSL builds
o xattr: skip unittest on unsupported platforms
pkgsrc changes:
- No longer install MANUAL, it is no longer available
- Remove patch-lib_hostcheck.c, <netinet/in.h> is already included few
lines before
- Take MAINTAINERSHIP
Changes:
7.64.1
======
This release includes the following changes:
o alt-svc: experiemental support added [74]
o configure: add --with-amissl [84]
This release includes the following bugfixes:
o AppVeyor: add MinGW-w64 and classic Mingw builds [55]
o AppVeyor: switch VS 2015 builds to VS 2017 image [49]
o CURLU: fix NULL dereference when used over proxy [73]
o Curl_easy: remove req.maxfd - never used! [58]
o Curl_now: figure out windows version in win32_init: [11]
o Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning [20]
o DoH: inherit some SSL options from user's easy handle [80]
o Secure Transport: no more "darwinssl" [56]
o Secure Transport: tvOS 11 is required for ALPN support [94]
o cirrus: Added FreeBSD builds using Cirrus CI
o cleanup: make local functions static [5]
o cli tool: do not use mime.h private structures [27]
o cmdline-opts/proxytunnel.d: the option tunnnels all protocols [83]
o configure: add additional libraries to check for LDAP support [45]
o configure: remove the unused fdopen macro [40]
o configure: show features as well in the final summary [15]
o conncache: use conn->data to know if a transfer owns it [95]
o connection: never reuse CONNECT_ONLY connections [35]
o connection_check: restore original conn->data after the check [14]
o connection_check: set ->data to the transfer doing the check [3]
o cookie: Add support for cookie prefixes [29]
o cookies: dotless names can set cookies again [81]
o cookies: fix NULL dereference if flushing cookies with no CookieInfo set [47]
o curl.1: --user and --proxy-user are hidden from ps output [86]
o curl.1: mark the argument to --cookie as <data|filename> [87]
o curl.h: use __has_declspec_attribute for shared builds [52]
o curl: display --version features sorted alphabetically [51]
o curl: fix FreeBSD compiler warning in the --xattr code [2]
o curl: remove MANUAL from -M output [38]
o curl_easy_duphandle.3: clarify that a duped handle has no shares [64]
o curl_multi_remove_handle.3: use at any time, just not from within callbacks
o curl_url.3: this API is not experimental anymore
o dns: release sharelock as soon as possible [1]
o docs: update max-redirs.d phrasing [59]
o easy: fix win32 init to work without CURL_GLOBAL_WIN32 [30]
o examples/10-at-a-time.c: improve readability and simplify
o examples/cacertinmem.c: use multiple certificates for loading CA-chain [54]
o examples/crawler: Fix the Accept-Encoding setting
o examples/ephiperfifo.c: various fixes [63]
o examples/externalsocket: add missing close socket calls [78]
o examples/http2-download: cleaned up
o examples/http2-serverpush: add some sensible error checks [31]
o examples/http2-upload: cleaned up
o examples/httpcustomheader: Value stored to 'res' is never read
o examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
o examples/sftpuploadresume: Value stored to 'result' is never read
o examples: only include <curl/curl.h> [70]
o examples: remove recursive calls to curl_multi_socket_action [42]
o examples: remove superfluous null-pointer checks
o file: fix "Checking if unsigned variable 'readcount' is less than zero." [90]
o fnmatch: disable if FTP is disabled [25]
o gnutls: remove call to deprecated gnutls_compression_get_name [66]
o gopher: remove check for path == NULL [69]
o gssapi: fix deprecated header warnings [16]
o hostip: make create_hostcache_id avoid alloc + free [4]
o http2: multi_connchanged() moved from multi.c, only used for h2 [21]
o http2: verify :athority in push promise requests [37]
o http: make adding a blank header thread-safe [33]
o http: send payload when (proxy) authentication is done [89]
o http: set state.infilesize when sending multipart formposts [57]
o makefile: make checksrc and hugefile commands "silent" [85]
o mbedtls: make it build even if MBEDTLS_VERSION_C isn't set [24]
o mbedtls: release sessionid resources on error [28]
o memdebug: log pointer before freeing its data [91]
o memdebug: make debug-specific functions use curl_dbg_ prefix [82]
o mime: put the boundary buffer into the curl_mime struct [18]
o multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME [43]
o multi: remove verbose "Expire in" ... messages [23]
o multi: removed unused code for request retries [79]
o multi: support verbose conncache closure handle [72]
o negotiate: fix for HTTP POST with Negotiate [88]
o openssl: add support for TLS ASYNC state [46]
o openssl: if cert type is ENG and no key specified, key is ENG too [93]
o pretransfer: don't strlen() POSTFIELDS set for GET requests [22]
o rand: Fix a mismatch between comments in source and header [32]
o runtests: detect "schannel" as an alias for "winssl" [50]
o schannel: be quiet - remove verbose output [19]
o schannel: close TLS before removing conn from cache [10]
o schannel: support CALG_ECDH_EPHEM algorithm [44]
o scripts/completion.pl: also generate fish completion file [67]
o singlesocket: fix the 'sincebefore' placement [36]
o source: fix two 'nread' may be used uninitialized warnings [68]
o ssh: fix Condition '!status' is always true [60]
o ssh: loop the state machine if not done and not blocking [71]
o strerror: make the strerror function use local buffers [48]
o system_win32: move win32_init here from easy.c [65]
o test578: make it read data from the correct test
o tests: Fixed XML validation errors in some test files
o tests: add stderr comparison to the test suite [26]
o tests: fix multiple may be used uninitialized warnings
o threaded-resolver: shutdown the resolver thread without error message [61]
o tool_cb_wrt: fix writing to Windows null device NUL [96]
o tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr [84]
o tool_operate: build on AmigaOS [84]
o tool_operate: fix typecheck warning [9]
o transfer.c: do not compute length of undefined hex buffer
o travis: add build using gnutls [75]
o travis: add scan-build [13]
o travis: bump the used wolfSSL version to 4.0.0 [92]
o travis: enable valgrind for the iconv tests [12]
o travis: use updated compiler versions: clang 7 and gcc 8 [77]
o unit1307: require FTP support [17]
o unit1651: survive curl_easy_init() fails
o url/idnconvert: remove scan for <= 32 ascii values [6]
o url: change conn shutdown order to ensure SOCKETFUNCTION callbacks [39]
o urlapi: reduce variable scope, remove unreachable 'break' [7]
o urldata: convert bools to bitfields and move to end [53]
o urldata: simplify bytecounters [62]
o urlglob: Argument with 'nonnull' attribute passed null
o version.c: silent scan-build even when librtmp is not enabled
o vtls: rename some of the SSL functions [84]
o wolfssl: stop custom-adding curves [41]
o x509asn1: "Dereference of null pointer"
o x509asn1: cleanup and unify code layout [34]
o zsh.pl: escape ':' character [8]
o zsh.pl: update regex to better match curl -h output [8]
curl and libcurl 7.64.0
This release includes the following changes:
* cookies: leave secure cookies alone
* hostip: support wildcard hosts
* http: Implement trailing headers for chunked transfers
* http: added options for allowing HTTP/0.9 responses
* timeval: Use high resolution timestamps on Windows
This release includes the following bugfixes:
* CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
* CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
* CVE-2019-3823: SMTP end-of-response out-of-bounds read
* FAQ: remove mention of sourceforge for github
* OS400: handle memory error in list conversion
* OS400: upgrade ILE/RPG binding.
* README: add codacy code quality badge
* Revert http_negotiate: do not close connection
* THANKS: added several missing names from year <= 2000
* build: make 'tidy' target work for metalink builds
* cmake: added checks for variadic macros
* cmake: updated check for HAVE_POLL_FINE to match autotools
* cmake: use lowercase for function name like the rest of the code
* configure: detect xlclang separately from clang
* configure: fix recv/send/select detection on Android
* configure: rewrite --enable-code-coverage
* conncache_unlock: avoid indirection by changing input argument type
* cookie: fix comment typo
* cookies: allow secure override when done over HTTPS
* cookies: extend domain checks to non psl builds
* cookies: skip custom cookies when redirecting cross-site
* curl --xattr: strip credentials from any URL that is stored
* curl -J: refuse to append to the destination file
* curl/urlapi.h: include "curl.h" first
* curl_multi_remove_handle() don't block terminating c-ares requests
* darwinssl: accept setting max-tls with default min-tls
* disconnect: separate connections and easy handles better
* disconnect: set conn->data for protocol disconnect
* docs/version.d: mention MultiSSL
* docs: fix the --tls-max description
* docs: use $(INSTALL_DATA) to install man page
* docs: use meaningless port number in CURLOPT_LOCALPORT example
* gopher: always include the entire gopher-path in request
* http2: clear pause stream id if it gets closed
* if2ip: remove unused function Curl_if_is_interface_name
* libssh: do not let libssh create socket
* libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
* libssh: free sftp_canonicalize_path() data correctly
* libtest/stub_gssapi: use "real" snprintf
* mbedtls: use VERIFYHOST
* multi: multiplexing improvements
* multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
* ntlm: fix NTMLv2 compliance
* ntlm_sspi: add support for channel binding
* openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
* openssl: fix the SSL_get_tlsext_status_ocsp_resp call
* openvms: fix OpenSSL discovery on VAX
* openvms: fix typos in documentation
* os400: add a missing closing bracket
* os400: fix extra parameter syntax error
* pingpong: change default response timeout to 120 seconds
* pingpong: ignore regular timeout in disconnect phase
* printf: fix format specifiers
* runtests.pl: Fix perl call to include srcdir
* schannel: fix compiler warning
* schannel: preserve original certificate path parameter
* schannel: stop calling it "winssl"
* sigpipe: if mbedTLS is used, ignore SIGPIPE
* smb: fix incorrect path in request if connection reused
* ssh: log the libssh2 error message when ssh session startup fails
* test1558: verify CURLINFO_PROTOCOL on file:// transfer
* test1561: improve test name
* test1653: make it survive torture tests
* tests: allow tests to pass by 2037-02-12
* tests: move objnames-* from lib into tests
* timediff: fix math for unsigned time_t
* timeval: Disable MSVC Analyzer GetTickCount warning
* tool_cb_prg: avoid integer overflow
* travis: added cmake build for osx
* urlapi: Fix port parsing of eol colon
* urlapi: distinguish possibly empty query
* urlapi: fix parsing ipv6 with zone index
* urldata: rename easy_conn to just conn
* winbuild: conditionally use /DZLIB_WINAPI
* wolfssl: fix memory-leak in threaded use
* spnego_sspi: add support for channel binding
pkgsrc changes:
- Remove no longer needed patch-lib_connect.c: imported upstream
Changes:
7.63.0
------
This release includes the following changes:
o curl: add %{stderr} and %{stdout} for --write-out
o curl: add undocumented option --dump-module-paths for win32
o setopt: add CURLOPT_CURLU
This release includes the following bugfixes:
o (lib)curl.rc: fixup for minor bugs
o CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
o CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description
o CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
o Curl_follow: accept non-supported schemes for "fake" redirects
o KNOWN_BUGS: add --proxy-any connection issue
o NTLM: Remove redundant ifdef USE_OPENSSL
o NTLM: force the connection to HTTP/1.1
o OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
o SECURITY-PROCESS: bountygraph shuts down again
o TODO: Have the URL API offer IDN decoding
o ares: remove fd from multi fd set when ares is about to close the fd
o axtls: removed
o checksrc: add COPYRIGHTYEAR check
o cmake: fix MIT/Heimdal Kerberos detection
o configure: include all libraries in ssl-libs fetch
o configure: show CFLAGS, LDFLAGS etc in summary
o connect: fix building for recent versions of Minix
o cookies: create the cookiejar even if no cookies to save
o cookies: expire "Max-Age=0" immediately
o curl: --local-port range was not "including"
o curl: fix --local-port integer overflow
o curl: fix memory leak reading --writeout from file
o curl: fixed UTF-8 in current console code page (Windows)
o curl_easy_perform: fix timeout handling
o curl_global_sslset(): id == -1 is not necessarily an error
o curl_multibyte: fix a malloc overcalculation
o curle: move deprecated error code to ifndef block
o docs: curl_formadd field and file names are now escaped
o docs: escape "\n" codes
o doh: fix memory leak in OOM situation
o doh: make it work for h2-disabled builds too
o examples/ephiperfifo: report error when epoll_ctl fails
o ftp: avoid two unsigned int overflows in FTP listing parser
o host names: allow trailing dot in name resolve, then strip it
o http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
o http: don't set CURLINFO_CONDITION_UNMET for http status code 204
o http: fix HTTP Digest auth to include query in URI
o http_negotiate: do not close connection until negotiation is completed
o impacket: add LICENSE
o infof: clearly indicate truncation
o ldap: fix LDAP URL parsing regressions
o libcurl: stop reading from paused transfers
o mprintf: avoid unsigned integer overflow warning
o netrc: don't ignore the login name specified with "--user"
o nss: Fall back to latest supported SSL version
o nss: Fix compatibility with nss versions 3.14 to 3.15
o nss: fix fallthrough comment to fix picky compiler warning
o nss: remove version selecting dead code
o nss: set default max-tls to 1.3/1.2
o openssl: Remove SSLEAY leftovers
o openssl: do not log excess "TLS app data" lines for TLS 1.3
o openssl: do not use file BIOs if not requested
o openssl: fix unused variable compiler warning with old openssl
o openssl: support session resume with TLS 1.3
o openvms: fix example name
o os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
o os400: add CURLOPT_CURLU to ILE/RPG binding
o os400: fix return type of curl_easy_pause() in ILE/RPG binding
o packages: remove old leftover files and dirs
o pop3: only do APOP with a valid timestamp
o runtests: use the local curl for verifying
o schannel: be consistent in Schannel capitalization
o schannel: better CURLOPT_CERTINFO support
o schannel: use Curl_ prefix for global private symbols
o snprintf: renamed and we now only use msnprintf()
o ssl: fix compilation with OpenSSL 0.9.7
o ssl: replace all internal uses of CURLE_SSL_CACERT
o symbols-in-versions: add missing CURLU_ symbols
o test328: verify Content-Encoding: none
o tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
o tests: drop http_pipe.py script no longer used
o tool_cb_wrt: Silence function cast compiler warning
o tool_doswin: Fix uninitialized field warning
o travis: build with clang sanitizers
o travis: remove curl before a normal build
o url: a short host name + port is not a scheme
o url: fix IPv6 numeral address parser
o urlapi: only skip encoding the first '=' with APPENDQUERY set
This release includes the following known bugs:
o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)
This release would not have looked like this without help, code, reports and
advice from friends like these:
Alessandro Ghedini, Alexey Melnichuk, Antoni Villalonga, Ben Greear,
bobmitchell1956 on github, Brad King, Brian Carpenter, daboul on github,
Daniel Gustafsson, Daniel Stenberg, Dave Reisner, David Benjamin,
Dheeraj Sangamkar, dtmsecurity on github, Elia Tufarolo, Frank Gevaerts,
Gergely Nagy, Gisle Vanem, Hagai Auro, Han Han, infinnovation-dev on github,
James Knight, Jérémy Rocher, Jeroen Ooms, Jim Fuller, Johannes Schindelin,
Kamil Dudka, Konstantin Kushnir, Marcel Raad, Marc Hörsken, Marcos Diazr,
Michael Kaufmann, NTMan on Github, Patrick Monnerat, Paul Howarth,
Pavel Pavlov, Peter Wu, Ray Satiro, Rod Widdowson, Romain Fliedel,
Samuel Surtees, Sevan Janiyan, Stefan Kanthak, Sven Blumenstein, Tim Rühsen,
Tobias Hintze, Tomas Hoger, tonystz on Github, tpaukrt on github,
Viktor Szakats, Yasuhiro Matsumoto,
(51 contributors)
Thanks! (and sorry if I forgot to mention someone)
Changes:
7.62.0
------
This release includes the following changes:
o multiplex: enable by default
o url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
o setopt: add CURLOPT_DOH_URL
o curl: --doh-url added
o setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
o imap: change from "FETCH" to "UID FETCH"
o configure: add option to disable automatic OpenSSL config loading
o upkeep: add a connection upkeep API: curl_easy_upkeep()
o URL-API: added five new functions
o vtls: MesaLink is a new TLS backend
This release includes the following bugfixes:
o CVE-2018-16839: SASL password overflow via integer overflow
o CVE-2018-16840: use-after-free in handle close
o CVE-2018-16842: warning message out-of-buffer read
o CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated
o Curl_dedotdotify(): always nul terminate returned string
o Curl_follow: Always free the passed new URL
o Curl_http2_done: fix memleak in error path
o Curl_retry_request: fix memory leak
o Curl_saferealloc: Fixed typo in docblock
o FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
o GnutTLS: TLS 1.3 support
o SECURITY-PROCESS: mention the bountygraph program
o VS projects: add USE_IPV6:
o Windows: fixes for MinGW targeting Windows Vista
o anyauthput: fix compiler warning on 64-bit Windows
o appveyor: add WinSSL builds
o appveyor: run test suite (on Windows!)
o certs: generate tests certs with sha256 digest algorithm
o checksrc: enable strict mode and warnings
o checksrc: handle zero scoped ignore commands
o cmake: Backport to work with CMake 3.0 again
o cmake: Improve config installation
o cmake: add support for transitive ZLIB target
o cmake: disable -Wpedantic-ms-format
o cmake: don't require OpenSSL if USE_OPENSSL=OFF
o cmake: fixed path used in generation of docs/tests
o cmake: remove unused *SOCKLEN_T variables
o cmake: suppress MSVC warning C4127 for libtest
o cmake: test and set missed defines during configuration
o comment: Fix multiple typos in function parameters
o config: Remove unused SIZEOF_VOIDP
o config_win32: enable LDAPS
o configure: force-use -lpthreads on HPUX
o configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
o configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
o cookies: Remove redundant expired check
o cookies: fix leak when writing cookies to file
o curl-config.in: remove dependency on bc
o curl.1: --ipv6 mutexes ipv4 (fixed typo)
o curl: enabled Windows VT Support and UTF-8 output
o curl: update the documentation of --tlsv1.0
o curl_multi_wait: call getsock before figuring out timeout
o curl_ntlm_wb: check aprintf() return codes
o curl_threads: fix classic MinGW compile break
o darwinssl: Fix realloc memleak
o darwinssl: more specific and unified error codes
o data-binary.d: clarify default content-type is x-www-form-urlencoded
o docs/BUG-BOUNTY: explain the bounty program
o docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers
o docs/CIPHERS: fix the TLS 1.3 cipher names
o docs/CIPHERS: mention the colon separation for OpenSSL
o docs/examples: URL updates
o docs: add "see also" links for SSL options
o example/asiohiper: insert warning comment about its status
o example/htmltidy: fix include paths of tidy libraries
o examples/Makefile.m32: sync with core
o examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
o examples/parseurl.c: show off the URL API
o examples: Fix memory leaks from realloc errors
o examples: do not wait when no transfers are running
o ftp: include command in Curl_ftpsend sendbuffer
o gskit: make sure to terminate version string
o gtls: Values stored to but never read
o hostip: fix check on Curl_shuffle_addr return value
o http2: fix memory leaks on error-path
o http: fix memleak in rewind error path
o krb5: fix memory leak in krb_auth
o ldap: show precise LDAP call in error message on Windows
o lib: fix gcc8 warning on Windows
o memory: add missing curl_printf header
o memory: ensure to check allocation results
o multi: Fix error handling in the SENDPROTOCONNECT state
o multi: fix memory leak in content encoding related error path
o multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
o netrc: free temporary strings if memory allocation fails
o nss: fix nssckbi module loading on Windows
o nss: try to connect even if libnssckbi.so fails to load
o ntlm_wb: Fix memory leaks in ntlm_wb_response
o ntlm_wb: bail out if the response gets overly large
o openssl: assume engine support in 0.9.8 or later
o openssl: enable TLS 1.3 post-handshake auth
o openssl: fix gcc8 warning
o openssl: load built-in engines too
o openssl: make 'done' a proper boolean
o openssl: output the correct cipher list on TLS 1.3 error
o openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
o openssl: show "proper" version number for libressl builds
o pipelining: deprecated
o rand: add comment to skip a clang-tidy false positive
o rtmp: fix for compiling with lwIP
o runtests: ignore disabled even when ranges are given
o runtests: skip ld_preload tests on macOS
o runtests: use Windows paths for Windows curl
o schannel: unified error code handling
o sendf: Fix whitespace in infof/failf concatenation
o ssh: free the session on init failures
o ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
o system.h: use proper setting with Sun C++ as well
o test1299: use single quotes around asterisk
o test1452: mark as flaky
o test1651: unit test Curl_extract_certinfo()
o test320: strip out more HTML when comparing
o tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
o tests: add unit tests for url.c
o timeval: fix use of weak symbol clock_gettime() on Apple platforms
o tool_cb_hdr: handle failure of rename()
o travis: add a "make tidy" build that runs clang-tidy
o travis: add build for "configure --disable-verbose"
o travis: bump the Secure Transport build to use xcode
o travis: make distcheck scan for BOM markers
o unit1300: fix stack-use-after-scope AddressSanitizer warning
o urldata: Fix "connecting" comment
o urlglob: improve error message on bad globs
o vtls: fix ssl version "or later" behavior change for many backends
o x509asn1: Fix SAN IP address verification
o x509asn1: always check return code from getASN1Element()
o x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
o x509asn1: suppress left shift on signed value
This release includes the following bugfixes:
o security advisory (CVE-2018-14618): NTLM password overflow via integer overflow [73]
o CURLINFO_SIZE_UPLOAD: fix missing counter update [46]
o CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
o CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse [72]
o Curl_getoff_all_pipelines: improved for multiplexed [3]
o DEPRECATE: remove release date from 7.62.0
o HTTP: Don't attempt to needlessly decompress redirect body [30]
o INTERNALS: require GnuTLS >= 2.11.3 [62]
o README.md: add LGTM.com code quality grade for C/C++ [42]
o SSLCERTS: improve the openssl command line
o Silence GCC 8 cast-function-type warnings [47]
o ares: check for NULL in completed-callback [3]
o asyn-thread: Remove unused macro [40]
o auth: only pick CURLAUTH_BEARER if we *have* a Bearer token [15]
o auth: pick Bearer authentication whenever a token is available [15]
o cmake: CMake config files are defining CURL_STATICLIB for static builds [54]
o cmake: Respect BUILD_SHARED_LIBS [35]
o cmake: Update scripts to use consistent style [9]
o cmake: bumped minimum version to 3.4 [34]
o cmake: link curl to the OpenSSL targets instead of lib absolute paths [34]
o configure: conditionally enable pedantic-errors [64]
o configure: fix for -lpthread detection with OpenSSL and pkg-config [38]
o conn: remove the boolean 'inuse' field [3]
o content_encoding: accept up to 4 unknown trailer bytes after raw deflate data [5]
o cookie tests: treat files as text
o cookies: support creation-time attribute for cookies [75]
o curl: Fix segfault when -H @headerfile is empty [23]
o curl: add http code 408 to transient list for --retry [78]
o curl: fix time-of-check, time-of-use race in dir creation [71]
o curl: use Content-Disposition before the "URL end" for -OJ [29]
o curl: warn the user if a given file name looks like an option [56]
o curl_threads: silence bad-function-cast warning [69]
o darwinssl: add support for ALPN negotiation [7]
o docs/CURLOPT_URL: fix indentation [20]
o docs/CURLOPT_WRITEFUNCTION: size is always 1 [19]
o docs/SECURITY-PROCESS: mention bounty, drop pre-notify
o docs/examples: add hiperfifo example using linux epoll/timerfd [21]
o docs: add disallow-username-in-url.d and haproxy-protocol.d to dist [50]
o docs: clarify NO_PROXY env variable functionality [70]
o docs: improved the manual pages of some callbacks [48]
o docs: mention NULL is fine input to several functions [43]
o formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT [40]
o gopher: Do not translate `?' to `%09' [67]
o header output: switch off all styles, not just unbold [8]
o hostip: fix unused variable warning
o http2: Use correct format identifier for stream_id [77]
o http2: abort the send_callback if not setup yet [63]
o http2: avoid set_stream_user_data() before stream is assigned [61]
o http2: check nghttp2_session_set_stream_user_data return code [55]
o http2: clear the drain counter in Curl_http2_done [27]
o http2: make sure to send after RST_STREAM [58]
o http2: separate easy handle from connections better [12]
o http: fix for tiny "HTTP/0.9" response [51]
o http_proxy: Remove unused macro SELECT_TIMEOUT [40]
o lib/Makefile: only do symbol hiding if told to [32]
o lib1502: fix memory leak in torture test [44]
o lib1522: fix curl_easy_setopt argument type
o libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation [66]
o mime: check Curl_rand_hex's return code [22]
o multi: always do the COMPLETED procedure/state [3]
o openssl: assume engine support in 1.0.0 or later [2]
o openssl: fix debug messages [39]
o projects: Improve Windows perl detection in batch scripts [49]
o retry: return error if rewind was necessary but didn't happen [28]
o reuse_conn(): memory leak - free old_conn->options [17]
o schannel: client certificate store opening fix [68]
o schannel: enable CALG_TLS1PRF for w32api >= 5.1
o schannel: fix MinGW compile break [1]
o sftp: don't send post-qoute sequence when retrying a connection [79]
o smb: fix memory leak on early failure [26]
o smb: fix memory-leak in URL parse error path [4]
o smb_getsock: always wait for write socket too [11]
o ssh-libssh: fix infinite connect loop on invalid private key [53]
o ssh-libssh: reduce excessive verbose output about pubkey auth [53]
o ssh-libssh: use FALLTHROUGH to silence gcc8 [76]
o ssl: set engine implicitly when a PKCS#11 URI is provided [36]
o sws: handle EINTR when calling select() [24]
o system_win32: fix version checking [16]
o telnet: Remove unused macros TELOPTS and TELCMDS [40]
o test1143: disable MSYS2's POSIX path conversion [10]
o test1148: disable if decimal separator is not point [65]
o test1307: (fnmatch testing) disabled [31]
o test1422: add required file feature [6]
o test1531: Add timeout [41]
o test1540: Remove unused macro TEST_HANG_TIMEOUT [40]
o test214: disable MSYS2's POSIX path conversion for URL
o test320: treat curl320.out file as binary [14]
o tests/http_pipe.py: Use /usr/bin/env to find python
o tests: Don't use Windows path %PWD for SSH tests [74]
o tests: fixes for Windows line endlings [13]
o tool_operate: Fix setting proxy TLS 1.3 ciphers
o travis: build darwinssl on macos 10.12 to fix linker errors [33]
o travis: execute "set -eo pipefail" for coverage build [45]
o travis: run a 'make checksrc' too [25]
o travis: update to GCC-8 [52]
o travis: verify that man pages can be regenerated [50]
o upload: allocate upload buffer on-demand [60]
o upload: change default UPLOAD_BUFSIZE to 64KB [60]
o urldata: remove unused pipe_broke struct field [57]
o vtls: reinstantiate engine on duplicated handles [59]
o windows: implement send buffer tuning [37]
o wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random [18]
Curl and libcurl 7.61.0
This release includes the following changes:
* getinfo: add microsecond precise timers for seven intervals
* curl: show headers in bold, switch off with --no-styled-output
* httpauth: add support for Bearer tokens
* Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
* curl: --tls13-ciphers and --proxy-tls13-ciphers
* Add CURLOPT_DISALLOW_USERNAME_IN_URL
* curl: --disallow-username-in-url
This release includes the following bugfixes:
* CVE-2018-0500: smtp: fix SMTP send buffer overflow
* schannel: disable client cert option if APIs not available
* schannel: disable manual verify if APIs not available
* tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
* openssl: acknowledge --tls-max for default version too
* stub_gssapi: fix 'unused parameter' warnings
* examples/progressfunc: make it build on both new and old libcurls
* docs: mention it is HA Proxy protocol "version 1"
* curl_fnmatch: only allow two asterisks for matching
* docs: clarify CURLOPT_HTTPGET
* configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
* configure: do compile-time SIZEOF checks instead of run-time
* checksrc: make sure sizeof() is used *with* parentheses
* CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
* schannel: make CAinfo parsing resilient to CR/LF
* tftp: make sure error is zero terminated before printfing it
* http resume: skip body if http code 416 (range error) is ignored
* configure: add basic test of --with-ssl prefix
* cmake: set -d postfix for debug builds
* multi: provide a socket to wait for in Curl_protocol_getsock
* content_encoding: handle zlib versions too old for Z_BLOCK
* winbuild: only delete OUTFILE if it exists
* winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
* schannel: add failf calls for client certificate failures
* cmake: Fix the test for fsetxattr and strerror_r
* curl.1: Fix cmdline-opts reference errors
* cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
* cmake: check for getpwuid_r
* configure: fix ssh2 linking when built with a static mbedtls
* psl: use latest psl and refresh it periodically
* fnmatch: insist on escaped bracket to match
* KNOWN_BUGS: restore text regarding 2101
* INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
* configure: override AR_FLAGS to silence warning
* os400: implement mime api EBCDIC wrappers
* curl.rc: embed manifest for correct Windows version detection
* strictness: correct {infof, failf} format specifiers
* tests: update .gitignore for libtests
* configure: check for declaration of getpwuid_r
* fnmatch: use the system one if available
* CURLOPT_RESOLVE: always purge old entry first
* multi: remove a potentially bad DEBUGF()
* curl_addrinfo: use same #ifdef conditions in source as header
* build: remove the Borland specific makefiles
* axTLS: not considered fit for use
* cmdline-opts/cert-type.d: mention "p12" as a recognized type
* system.h: add support for IBM xlc C compiler
* tests/libtest: Add lib1521 to nodist_SOURCES
* mk-ca-bundle.pl: leave certificate name untouched
* boringssl + schannel: undef X509_NAME in lib/schannel.h
* openssl: assume engine support in 1.0.1 or later
* cppcheck: fix warnings
* test 46: make test pass after year 2025
* schannel: support selecting ciphers
* Curl_debug: remove dead printhost code
* test 1455: unflakified
* Curl_init_do: handle NULL connection pointer passed in
* progress: remove a set of unused defines
* mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
* GOVERNANCE.md: explains how this project is run
* configure: use pkg-config for c-ares detection
* configure: enhance ability to build with static openssl
* maketgz: fix sed issues on OSX
* multi: fix memory leak when stopped during name resolve
* CURLOPT_INTERFACE.3: interface names not supported on Windows
* url: fix dangling conn->data pointer
* cmake: allow multiple SSL backends
* system.h: fix for gcc on 32 bit OpenServer
* ConnectionExists: make sure conn->data is set when "taking" a connection
* multi: fix crash due to dangling entry in connect-pending list
* CURLOPT_SSL_VERIFYPEER.3: Add performance note
* netrc: use a larger buffer to support longer passwords
* url: check Curl_conncache_add_conn return code
* configure: Add dependent libraries after crypto
* easy_perform: faster local name resolves by using *multi_timeout()
* getnameinfo: not used, removed all configure checks
* travis: add a build using the synchronous name resolver
* CURLINFO_TLS_SSL_PTR.3: improve the example
* openssl: allow TLS 1.3 by default
* openssl: make the requested TLS version the *minimum* wanted
* openssl: Remove some dead code
* telnet: fix clang warnings
* DEPRECATE: new doc describing planned item removals
* example/crawler.c: simple crawler based on libxml2
* libssh: goto DISCONNECT state on error, not SESSION_FREE
* CMake: Remove unused functions
* darwinssl: allow High Sierra users to build the code using GCC
* scripts: include _curl as part of CLEANFILES
* examples: fix -Wformat warnings
* curl_setup: include <winerror.h> before <windows.h>
* schannel: make more cipher options conditional
* CMake: remove redundant and old end-of-block syntax
* post303.d: clarify that this is an RFC violation
adam
leot
gdt
nia
wiz
jperkin
ryoon
sevan