SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for libcurl4-8.8.0-383.1.i586.rpm :

* Thu Jun 20 2024 Dirk Müller - add multibuild for minimal libcurl flavored build (useful for container environments)
* Thu Jun 20 2024 Dirk Müller - split zsh and fish completion into subpackages to have proper supplements
* Mon Jun 17 2024 Dirk Müller - remove mozilla-nss code (unsupported since 8.3.0)
* Fri May 24 2024 Pedro Monreal - Fix make install for curl-config.1
* docs/Makefile.am: make curl-config.1 install
* Fixed upstream in: github.com/curl/curl/pull/13741
* Add curl-make-install-curl-config.patch
* Wed May 22 2024 Pedro Monreal - Update to 8.8.0:
* Changes: - curl_version_info: provide librtmp version - file: add support for directory listings - lib: add curl_multi_waitfds - NTLM_WB: drop support - TLS: add support for ECH (Encrypted Client Hello) - urlapi: add CURLU_GET_EMPTY for empty queries and fragments
* Bugfixes: - build: prefer \"USE_IPV6\" macro internally (was: \"ENABLE_IPV6\") - cd2nroff/manage: use UTC when SOURCE_DATE_EPOCH is set - cf-socket: don\'t try getting local IP without socket - cf-socket: remove references to l_ip, l_port - configure: make --disable-docs imply --disable-manual - curl.h: change CURL_SSLVERSION_
* from enum to defines - curl_path: make Curl_get_pathname use dynbuf - curl_sha512_256: do not use workaround for NetBSD when not needed - curl_sha512_256: fix detection of OpenSSL 1.1.1 or later - curl_url_get.md: clarify queries and fragments and CURLU_GET_EMPTY - DEPRECATE.md: TLS libraries without 1.3 support - digest: replace strcpy for empty string with simple assignment - doc: pytest \"--repeat\" -> \"--count\" - docs/cmdline-opts: mention STARTTLS for --ssl and --ssl-reqd - dynbuf: fix returncode on memory error - ftp: add tracing support - ftp: fix socket leak on rare error - gnutls: lazy init the trust settings - hsts: explicitly skip blank lines - http2 + ngtcp2: pass CURLcode errors from callbacks - http2, http3: decouple stream state from easy handle - http2: emit RST when client write fails - http: HEAD response body tolerance - http: reject HTTP major version switch mid connection - http: with chunked POST forced, disable length check on read callback - idn: make Curl_idnconvert_hostname() use Curl_idn_decode() - if2ip: make the buf_size arg a size_t - krb5: use dynbuf - lib/cf-h1-proxy: silence compiler warnings (gcc 14) - lib: add trace support for client reads and writes - lib: bump hash sizes to \"size_t\" - lib: clear the easy handle\'s saved errno before transfer - lib: make protocol handlers store scheme name lowercase - lib: merge \"ENABLE_QUIC\" C macro into \"USE_HTTP3\" - libssh2: set length to 0 if strdup failed - openssl: do not set SSL_MODE_RELEASE_BUFFERS - openssl: revert keylog_callback support for LibreSSL - OS400: fix shellcheck warnings in scripts - quiche: expire all active transfers on connection close - quiche: trust its timeout handling - tls: use shared init code for TCP+QUIC - tool_cfgable: free {proxy_}cipher13_list on exit - url: do not URL decode proxy crendentials - url: fix use of an uninitialized variable - url: make parse_login_details use memdup0 - urlapi: allow setting port number zero - version: use msnprintf instead of strncpy - vtls: TLS session storage overhaul - wakeup_create: use FD_CLOEXEC/SOCK_CLOEXEC - websocket: avoid memory leak in error path
* Wed May 22 2024 Dominique Leuenberger - Add split-provides for libcurl-devel -> libcurl-devel-doc.
* Mon May 20 2024 Jan Engelhardt - Spin documentation off to libcurl-devel-doc, this saves buildroots 495 files and time (mandb is run in %posttrans).
* Wed Mar 27 2024 Pedro Monreal - Update to 8.7.1:
* Fixed empty tool_hugehelp.c file- Update to 8.7.0:
* Security fixes: - [bsc#1221665, CVE-2024-2004] Usage of disabled protocol - [bsc#1221667, CVE-2024-2398] HTTP/2 push headers memory-leak - [bsc#1221666, CVE-2024-2379] QUIC certificate check bypass with wolfSSL - [bsc#1221668, CVE-2024-2466] TLS certificate check bypass with mbedTLS
* Changes: - configure: add --disable-docs flag - CURLINFO_USED_PROXY: return bool whether the proxy was used - digest: support SHA-512/256
* Bugfixes: - asyn-thread: use wakeup_close to close the read descriptor - bufq: writing into a softlimit queue cannot be partial - cmake: add USE_OPENSSL_QUIC support - cookie: if psl fails, reject the cookie - curl: exit on config file parser errors - digest: add check for hashing error - docs/libcurl: add TLS backend info for all TLS options - file: use xfer buf for file:// transfers - ftp: do lineend conversions in client writer - ftp: fix socket wait activity in ftp_domore_getsock - http2: memory errors in the push callbacks are fatal - http2: push headers better cleanup - libssh/libssh2: return error on too big range - OpenSSL QUIC: adapt to v3.3.x - setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value - setopt: fix disabling all protocols - sha512_256: add support for GnuTLS and OpenSSL - smtp: fix STARTTLS - strtoofft: fix the overflow check - TIMER_STARTTRANSFER: set the same for everyone - TLS: start shutdown only when peer did not already close - tool_getparam: accept a blank -w \"\" - tool_getparam: handle non-existing (out of range) short-options - tool_operate: change precedence of server Retry-After time - transfer.c: break receive loop in speed limited transfers - version: allow building with ancient libpsl - vquic-tls: fix the error code returned for bad CA file - vtls: fix tls proxy peer verification - vtls: revert \"receive max buffer\" + add test case - VULN-DISCLOSURE-POLICY.md: update detail about CVE requests - websocket: fix curl_ws_recv()
* Remove patch upstream: - 0001-vtls-revert-receive-max-buffer-add-test-case.patch
* Tue Mar 12 2024 Pedro Monreal - Remove the nghttp2 version requirement as a version guard around the nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation function was added in curl 8.0.1.
* Upstream commit: https://github.com/curl/curl/commit/744dcf22
* Thu Feb 08 2024 Fabian Vogt - Add patch to fix various TLS related issues including FTP over SSL transmission timeouts:
* 0001-vtls-revert-receive-max-buffer-add-test-case.patch- Switch to %autosetup
* Wed Jan 31 2024 Pedro Monreal - Update to 8.6.0: [bsc#1219149, CVE-2024-0853]
* Security fixes: - CVE-2024-0853: OCSP verification bypass with TLS session reuse
* Changes: - add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T
* Bugfixes: - altsvc: free \'as\' when returning error - asyn-ares: with modern c-ares, use its default timeout - cf-socket: show errno in tcpkeepalive error messages - cmdline-opts: update availability for the
*-ca-native options - configure: when enabling QUIC, check that TLS supports QUIC - content_encoding: change return code to typedef\'ed enum - curl: show ipfs and ipns as supported \"protocols\" - CURLINFO_REFERER.3: clarify that it is the
*request
* header - dist: add tests/errorcodes.pl to the tarball - gen.pl: support ## for doing .IP in table-like lists - GHA: bump ngtcp2, gnutls, mod_h2, quiche - hostip: return error immediately when Curl_ip2addr() fails - http3/quiche: fix result code on a stream reset - http3: initial support for OpenSSL 3.2 QUIC stack - http: check for \"Host:\" case insensitively - http: fix off-by-one error in request method length check - http: only act on 101 responses when they are HTTP/1.1 - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT - lib: error out on multissl + http3 - lib: fix variable undeclared error caused by `infof` changes - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding - lib: strndup/memdup instead of malloc, memcpy and null-terminate - libssh2: use `libssh2_session_callback_set2()` with v1.11.1 - ngtcp2: put h3 at the front of alpn - openldap: fix an LDAP crash - openldap: fix STARTTLS - openssl: re-match LibreSSL deinit with init - rtsp: deal with borked server responses - sasl: make login option string override http auth - tool: prepend output_dir in header callback - tool_getparam: stop supporting `AATTfilename` style for --cookie - transfer: fix upload rate limiting, add test cases - url: don\'t set default CA paths for Secure Transport backend - url: for disabled protocols, mention if found in redirect - vquic: extract TLS setup into own source - websockets: check for negative payload lengths
* Remove patches fixed upstream: - curl-adjust-pollset-fix.patch - curl-tests-errorcodes.patch
* Rebase dont-mess-with-rpmoptflags.patch
* Fri Jan 05 2024 Michael Pujos - Added curl-adjust-pollset-fix.patch to fix broken MPD http streaming: https://github.com/curl/curl/issues/12632
* Wed Dec 06 2023 Pedro Monreal - Update to 8.5.0:
* Security fixes: - [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass - [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents
* Changes: - gnutls: support CURLSSLOPT_NATIVE_CA - HTTP3: ngtcp2 builds are no longer experimental
* Bugfixes: - asyn-thread: use pipe instead of socketpair for IPC when available - cmake: fix OpenSSL quic detection in quiche builds - conncache: use the closure handle when disconnecting surplus connections - content_encoding: make Curl_all_content_encodings allocless - cookie: lowercase the domain names before PSL checks - Curl_http_body: cleanup properly when Curl_getformdata errors - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range - doh: provide better return code for responses w/o addresses - doh: use PIPEWAIT when HTTP/2 is attempted - duphandle: also free \'outcurl->cookies\' in error path - duphandle: make dupset() not return with pointers to old alloced data - duphandle: use strdup to clone
*COPYPOSTFIELDS if size is not set - easy: in duphandle, init the cookies for the new handle - easy_lock: add a pthread_mutex_t fallback - fopen: create new file using old file\'s mode - fopen: create short(er) temporary file name - getenv: PlayStation doesn\'t have getenv() - hostip: show the list of IPs when resolving is done - hsts: skip single-dot hostname - HTTP/2, HTTP/3: handle detach of onoing transfers - http: allow longer HTTP/2 request method names - hyper: temporarily remove HTTP/2 support - IPFS: fix IPFS_PATH and file parsing - multi: during ratelimit multi_getsock should return no sockets - multi: use pipe instead of socketpair to
*wakeup() - ngtcp2: fix races in stream handling - ntlm_wb: use pipe instead of socketpair when possible - openssl: avoid BN_num_bits() NULL pointer derefs - openssl: fix building with v3 `no-deprecated` + add CI test - openssl: fix infof() to avoid compiler warning for %s with null - openssl: identify the \"quictls\" backend correctly - openssl: include SIG and KEM algorithms in verbose - openssl: two multi pointer checks should probably rather be asserts - openssl: when a session-ID is reused, skip OCSP stapling - quic: make eyeballers connect retries stop at weird replies - quic: manage connection idle timeouts - setopt: check CURLOPT_TFTP_BLKSIZE range on set - socks: better buffer size checks for socks4a user and hostname - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice - tool: fix --capath when proxy support is disabled - tool_getparam: limit --rate to be smaller than number of ms - transfer: abort pause send when connection is marked for closing - transfer: avoid calling the read callback again after EOF - transfer: only reset the FTP wildcard engine in CLEAR state - url: don\'t touch the multi handle when closing internal handles - urlapi: avoid null deref if setting blank host to url encode - urlapi: skip appending NULL pointer query - urlapi: when URL encoding the fragment, pass in the right length - vtls: cleanup SSL config management - vtls: consistently use typedef names for OpenSSL structs - vtls: late clone of connection ssl config - vtls: use ALPN \"http/1.1\" for HTTP/1.x, including HTTP/1.0
* Rebase curl-secure-getenv.patch
* Add curl-tests-errorcodes.patch
* Wed Oct 11 2023 Pedro Monreal - Update to 8.4.0:
* Security fixes: - SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545] - cookie injection with none file [bsc#1215889, CVE-2023-38546]
* Changes: - curl: add support for the IPFS protocols via HTTP gateway - curl_multi_get_handles: get easy handles from a multi handle - mingw: delete support for legacy mingw.org toolchain
* Bugfixes: - base64: also build for curl - cf-socket: simulate slow/blocked receives in debug - configure: check for the capath by default - connect: expire the timeout when trying next - connect: only start the happy eyeballs timer when needed - cookie: do not store the expire or max-age strings - cookie: remove unnecessary struct fields - cookie: set ->running in cookie_init even if data is NULL - create-dirs.d: clarify it also uses --output-dirs - http2: refused stream handling for retry - http: h1/h2 proxy unification - http: use per-request counter to check too large headers - idn: if idn2_check_version returns NULL, return error - lib: enable hmac for digest as well - lib: let the max filesize option stop too big transfers too - lib: move handling of \'data->req.writer_stack\' into Curl_client_write() - lib: provide and use Curl_hexencode - lib: use wrapper for curl_mime_data fseek callback - libssh2: fix error message on failed pubkey-from-file - libssh: cap SFTP packet size sent - MQTT: improve receive of ACKs - multi: do CURLM_CALL_MULTI_PERFORM at two more places - multi: round the timeout up to prevent early wakeups - openssl: improve ssl shutdown handling - openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR - pytest: exclude test_03_goaway in CI runs due to timing dependency - quic: set ciphers/curves the same way regular TLS does - quiche: fix build error with --with-ca-fallback - socks: return error if hostname too long for remote resolve - tftpd: always use curl\'s own tftp.h - tool_getparam: accept variable expansion on file names too - upload-file.d: describe the file name slash/backslash handling - url: fall back to http/https proxy env-variable if ws/wss not set - url: fix netrc info message - wolfssh: do cleanup in Curl_ssh_cleanup - wolfssl: allow capath with CURLOPT_CAINFO_BLOB - wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files - wolfssl: ignore errors in CA path
* Rebase libcurl-ocloexec.patch
* Wed Sep 13 2023 Pedro Monreal - Update to 8.3.0: [bsc#1215026, CVE-2023-38039]
* Changes: - curl: make %output{} in -w specify a file to write to - gskit: remove - lib: --disable-bindlocal builds curl without local binding support - nss: remove support for this TLS library - tool: add \"variable\" support - trace: make tracing available in non-debug builds - url: change default value for CURLOPT_MAXREDIRS to 30 - urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
* Bugfixes: - altsvc: accept and parse IPv6 addresses in response headers - asyn-ares: reduce timeout to 2000ms - aws-sigv4: canonicalize the query - aws-sigv4: fix having date header twice in some cases - aws-sigv4: handle no-value user header entries - c-hyper: adjust the hyper to curlcode conversion - c-hyper: fix memory leaks in `Curl_http` - cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the
*source
* IP - cf-socket: log successful interface bind - cmake: add GnuTLS option - cmake: add support for `CURL_DEFAULT_SSL_BACKEND` - cmake: detect `SSL_set0_wbio` in OpenSSL - configure: trust pkg-config when it\'s used for zlib - configure: use the pkg-config --libs-only-l flag for libssh2 - connect: stop halving the remaining timeout when less than 600 ms left - crypto: ensure crypto initialization works - digest: Use hostname to generate spn instead of realm - ftp: fix temp write of ipv6 address - headers: accept leading whitespaces on first response header - http2: fix in h2 proxy tunnel: progress in ingress on sending - http3/ngtcp2: shorten handshake, trace cleanup - http3: quiche, handshake optimization, trace cleanup - http: close the connection after a late 417 is received - http: fix sending of large requests - http: return error when receiving too large header set - lib: fix null ptr derefs and uninitialized vars (h2/h3) - lib: move mimepost data from ->req.p.http to ->state - list-only.d: mention SFTP as supported protocol - ngtcp2: fix handling of large requests - openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED` - openssl: clear error queue after SSL_shutdown - openssl: make aws-lc version support OCSP - openssl: Support async cert verify callback - openssl: switch to modern init for LibreSSL 2.7.0+ - openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before - quic: don\'t set SNI if hostname is an IP address - quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s - quiche: enable quiche to handle timeout events - resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set - schannel: verify hostname independent of verify cert - tool_filetime: make -z work with file dates before 1970 - tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR - tool_operate: make aws-sigv4 not require TLS to be used - transfer: also stop the sending on closed connection - urlapi: fix heap buffer overflow - urlapi: setting a blank URL (\"\") is not an ok URL
* Fri Jul 28 2023 Pedro Monreal - Update to 8.2.1:
* Bugfixes: - cfilters: rename close/connect functions to avoid clashes - ciphers.d: put URL in first column - cmake: add \'libcurlu\'/\'libcurltool\' for unit tests - cmake: update ngtcp2 detection - configure: check for nghttp2_session_get_stream_local_window_size - docs: mark two TLS options for TLS, not SSL - docs: provide more see also for cipher options - hostip: return IPv6 first for localhost resolves - http2: fix regression on upload EOF handling - http: VLH, very large header test and fixes - libcurl-errors.3: add CURLUE_OK - os400: correct EXPECTED_STRING_LASTZEROTERMINATED - quiche: fix lookup of transfer at multi - quiche: fix segfault and other things - rustls: update rustls-ffi 0.10.0 - socks: print ipv6 address within brackets - src/mkhelp: strip off escape sequences - tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T - transfer: do not clear the credentials on redirect to absolute URL - unittest: remove unneeded
*_LDADD - websocket: rename arguments/variables to match docs
* Wed Jul 19 2023 Pedro Monreal - Update to 8.2.0 [bsc#1213237, CVE-2023-32001]
* Security fix: - CVE-2023-32001: fopen race condition
* Changes: - curl: add --ca-native and --proxy-ca-native - curl: add --trace-ids - CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS - haproxy: add --haproxy-clientip flag to set client IPs - lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID
* Bugfixes: - cf-socket: don\'t bypass fclosesocket callback if cancelled before connect - cf-socket: skip getpeername()/getsockname for TFTP - curl: count uploaded data to stop at the originally given size - curl: return error when asked to use an unsupported HTTP version - http2: fix crash in handling stream weights - http2: send HEADER & DATA together if possible - http3/ngtcp2: upload EAGAIN handling - http: rectify the outgoing Cookie: header field size check - hyper: fix EOF handling on input - imap: Provide method to disable SASL if it is advertised - libssh2: provide error message when setting host key type fails - libssh2: use custom memory functions - ngtcp2: assigning timeout, but value is overwritten before used - quiche: avoid NULL deref in debug logging - sectransp: fix EOF handling - system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles - timeval: use CLOCK_MONOTONIC_RAW if available - tls13-ciphers.d: include Schannel - tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION` - tool_operate: allow cookie lines up to 8200 bytes - tool_parsecfg: accept line lengths up to 10M - tool_writeout_json: fix encoding of control characters - transfer: clear credentials when redirecting to absolute URL - urlapi: have
*set(PATH) prepend a slash if one is missing - urlapi: scheme must start with alpha - vtls: avoid memory leak if sha256 call fails - websocket-cb: example doing WebSocket download using callback - ws: make the curl_ws_meta() return pointer a const
* Tue May 30 2023 Pedro Monreal - Update to 8.1.2:
* Bugfixes: - configure: quote the assignments for run-compiler - configure: without pkg-config and no custom path, use -lnghttp2 - curl: cache the --trace-time value for a second - http2: fix EOF handling on uploads with auth negotiation - http3: send EOF indicator early as possible - lib1560: verify more scheme guessing - lib: remove unused functions, make single-use static - libcurl.m4: remove trailing \'dnl\' that causes this to break autoconf - libssh: when keyboard-interactive auth fails, try password - misc: fix spelling mistakes - page-header: mention curl version and how to figure out current release - page-header: minor wording polish in the URL segment - scripts/singleuse.pl: add more API calls - urlapi: remove superfluous host name check
* Tue May 23 2023 Pedro Monreal - Update to 8.1.1:
* Bugfixes: - cf-socket: completely remove the disabled USE_RECV_BEFORE_SEND_WORKAROUND - checksrc: disallow spaces before labels - curl_easy_getinfo: clarify on return data types - docs: document that curl_url_cleanup(NULL) is a safe no-op - hostip: move easy_lock.h include above curl_memory.h - http2: double http request parser max line length - http2: increase stream window size to 10 MB - lib: rename struct \'http_req\' to \'httpreq\' - ngtcp2: proper handling of uint64_t when adjusting send buffer - sectransp.c: make the code c89 compatible - select: avoid returning an error on EINTR from select() or poll() - url: provide better error message when URLs fail to parse - urlapi: allow numerical parts in the host name
* Wed May 17 2023 David Anes - Update to 8.1.0:
* Security fixes: - UAF in SSH sha256 fingerprint [bsc#1211230, CVE-2023-28319] - siglongjmp race condition [bsc#1211231, CVE-2023-28320] - IDN wildcard match [bsc#1211232, CVE-2023-28321] - POST-after-PUT confusion [bsc#1211233, CVE-2023-28322] - See also: https://curl.se/docs/security.html
* Changes: - curl: add --proxy-http2 - CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2 - hostip: refuse to resolve the .onion TLD - tool_writeout: add URL component variables
* Bugfixes: - See full changelog here: https://curl.se/changes.html#8_1_0
* Tue Mar 21 2023 Pedro Monreal - Update to 8.0.1:
* Bugfixes: - fix crash in curl_easy_cleanup
* Mon Mar 20 2023 Pedro Monreal - Update to 8.0.0:
* Security fixes: - TELNET option IAC injection [bsc#1209209, CVE-2023-27533] - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534] - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535] - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536] - HSTS double-free [bsc#1209213, CVE-2023-27537] - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
* Changes: - build: remove support for curl_off_t < 8 bytes
* Bugfixes: - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3 - BINDINGS: add Fortran binding - cf-socket: use port 80 when resolving name for local bind - cookie: don\'t load cookies again when flushing - curl_path: create the new path with dynbuf - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe - DYNBUF.md: note Curl_dyn_add
* calls Curl_dyn_free on failure - ftp: active mode with SSL, add the filter - hostip: avoid sscanf and extra buffer copies - http2: fix for http2-prior-knowledge when reusing connections - http2: fix handling of RST and GOAWAY to recognize partial transfers - http: don\'t send 100-continue for short PUT requests - http: fix unix domain socket use in https connects - libssh: use dynbuf instead of realloc - ngtcp2-gnutls.yml: bump to gnutls 3.8.0 - sectransp: make read_cert() use a dynbuf when loading - telnet: only accept option arguments in ascii - telnet: parse telnet options without sscanf - url: fix the SSH connection reuse check - url: only reuse connections with same GSS delegation - urlapi: \'%\' is illegal in host names - ws: keep the socket non-blocking
* Rebase libcurl-ocloexec.patch
* Mon Feb 20 2023 Guillaume GARDET - Update to 7.88.1:
* Bugfix release- Drop upstreamed patch:
* curl-fix-uninitialized-value-in-tests.patch
* Wed Feb 15 2023 Pedro Monreal - Update to 7.88.0: [bsc#1207990, CVE-2023-23914] [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
* Security fixes: - CVE-2023-23914: HSTS ignored on multiple requests - CVE-2023-23915: HSTS amnesia with --parallel - CVE-2023-23916: HTTP multi-header compression denial of service
* Changes: - curl.h: add CURL_HTTP_VERSION_3ONLY - share: add sharing of HSTS cache among handles - src: add --http3-only - tool_operate: share HSTS between handles - urlapi: add CURLU_PUNYCODE - writeout: add %{certs} and %{num_certs}
* Bugfixes: - cf-socket: keep sockaddr local in the socket filters - cfilters:Curl_conn_get_select_socks: use the first non-connected filter - curl.h: allow up to 10M buffer size - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated - curl/websockets.h: extend the websocket frame struct - curl: output warning at --verbose output for debug-enabled version - curl_free.3: fix return type of `curl_free` - curl_log: for failf/infof and debug logging implementations - dict: URL decode the entire path always - docs/DEPRECATE.md: deprecate gskit - easyoptions: fix header printing in generation script - haxproxy: send before TLS handhshake - hsts.d: explain hsts more - hsts: handle adding the same host name again - HTTP/[23]: continue upload when state.drain is set - http: decode transfer encoding first - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro - http_proxy: do not assign data->req.p.http use local copy - lib: connect/h2/h3 refactor - libssh2: try sha2 algos for hostkey methods - md4: fix build with GnuTLS + OpenSSL v1 - ngtcp2: replace removed define and stop using removed function - noproxy: support for space-separated names is deprecated - nss: implement data_pending method - openldap: fix missing sasl symbols at build in specific configs - openssl: adapt to boringssl\'s error code type - openssl: don\'t ignore CA paths when using Windows CA store (redux) - openssl: don\'t log raw record headers - openssl: make the BIO_METHOD a local variable in the connection filter - openssl: only use CA_BLOB if verifying peer - openssl: remove attached easy handles from SSL instances - openssl: store the CA after first send (ClientHello) - setopt: use >, not >=, when checking if uarg is larger than uint-max - smb: return error on upload without size - socketpair: allow localhost MITM sniffers - strdup: name it Curl_strdup - tool_getparam: fix hiding of command line secrets - tool_operate: fix error codes on bad URL & OOM - tool_operate: repair --rate - transfer: break the read loop when RECV is cleared - typecheck: accept expressions for option/info parameters - urlapi: avoid Curl_dyn_addf() for hex outputs - urlapi: skip path checks if path is just \"/\" - urlapi: skip the extra dedotdot alloc if no dot in path - urldata: cease storing TLS auth type - urldata: make \'ftp_create_missing_dirs\' depend on FTP || SFTP - urldata: make set.http200aliases conditional on HTTP being present - urldata: move the cookefilelist to the \'set\' struct - urldata: remove unused struct fields, made more conditional - vquic: stabilization and improvements - vtls: fix hostname handling in filters - vtls: manage current easy handle in nested cfilter calls - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
* Rebase libcurl-ocloexec.patch
* Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091 - runtests: fix \"uninitialized value $port\" - Add curl-fix-uninitialized-value-in-tests.patch
* Wed Dec 21 2022 David Anes - Update to 7.87.0:
* Security fixes: - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
* Changes - curl: add --url-query - CURLOPT_QUICK_EXIT: don\'t wait for DNS thread on exit - lib: add CURL_WRITEFUNC_ERROR to signal write callback error - openssl: reduce CA certificate bundle reparsing by caching - version: add a feature names array to curl_version_info_data
* Bugfixes - altsvc: fix rejection of negative port numbers - aws_sigv4: consult x-%s-content-sha256 for payload hash - aws_sigv4: fix typos in aws_sigv4.c - base64: better alloc size - base64: encode without using snprintf - base64: faster base64 decoding - build: assume assert.h is always available - build: assume errno.h is always available - c-hyper: CONNECT respones are not server responses - c-hyper: fix multi-request mechanism - CI: Change FreeBSD image from 12.3 to 12.4 - CI: LGTM.com will be shut down in December 2022 - ci: Remove zuul fuzzing job as it\'s superseded by CIFuzz - cmake: check for cross-compile, not for toolchain - CMake: fix build with `CURL_USE_GSSAPI` - cmake: really enable warnings with clang - cmake: set the soname on the shared library - cmdline-opts/gen.pl: fix the linkifier - cmdline-opts/page-footer: remove long option nroff formatting - config-mac: define HAVE_SYS_IOCTL_H - config-mac: fix typo: size_T -> size_t - config-mac: remove HAVE_SYS_SELECT_H - config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW - configure: require fork for NTLM-WB - contributors.sh: actually use $CURLWWW instead of just setting it - cookie: compare cookie prefixes case insensitively - cookie: expire cookies at once when max-age is negative - cookie: open cookie jar as a binary file - curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS - curl-rustls.m4: on macOS, rustls also needs the Security framework - curl.h: include on SerenityOS - curl.h: name all public function parameters - curl.h: reword comment to not use deprecated option - curl: override the numeric locale and set \"C\" by force - curl: timeout in the read callback - curl_endian: remove Curl_write64_le from header - curl_get_line: allow last line without newline char - curl_path: do not add \'/\' if homedir ends with one - curl_url_get.3: remove spurious backtick - curl_url_set.3: document CURLU_DISALLOW_USER - curl_url_set.3: fix typo - CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE - CURLOPT_COOKIEFILE.3: advice => advise - CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example - CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is \"raw\" - CURLOPT_POST.3: Explain setting to 0 changes request type - docs/curl_ws_send: Fixed typo in websocket docs - docs/EARLY-RELEASE.md: how to determine an early release - docs/examples: spell correction (\'Retrieve\') - docs/INSTALL.md: expand on static builds - docs/WEBSOCKET.md: explain the URL use - docs: add missing parameters for --retry flag - docs: add more \"SEE ALSO\" links to CA related pages - docs: explain the noproxy CIDR notation support - docs: extend the dump-header documentation - docs: remove performance note in CURLOPT_SSL_VERIFYPEER - examples/10-at-a-time: fix possible skipped final transfers - examples: update descriptions - ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH - gen.pl: do not generate CURLHELP bitmask lines > 79 characters - GHA: clarify workflows permissions, set least possible privilege - GHA: NSS use clang instead of clang-9 - gnutls: use common gnutls init and verify code for ngtcp2 - headers: add endif comments - HTTP-COOKIES.md: mention that http://localhost is a secure context - HTTP-COOKIES.md: update the 6265bis link to draft-11 - http: do not send PROXY more than once - http: fix the ::1 comparison for IPv6 localhost for cookies - http: set \'this_is_a_follow\' in the Location: logic - http: use the IDN decoded name in HSTS checks - hyper: classify headers as CONNECT and 1XX - hyper: fix handling of hyper_task\'s when reusing the same address - idn: remove Curl_win32_ascii_to_idn - INSTALL: update operating systems and CPU archs - KNOWN_BUGS: remove eight entries - lib1560: add some basic IDN host name tests - lib: connection filters (cfilter) addition to curl: - lib: feature deprecation warnings in gcc >= 4.3 - lib: fix some type mismatches and remove unneeded typecasts - lib: parse numbers with fixed known base 10 - lib: remove bad set.opt_no_body assignments - lib: rewind BEFORE request instead of AFTER previous - lib: sync guard for Curl_getaddrinfo_ex() definition and use - lib: use size_t or int etc instead of longs - libcurl-errors.3: remove duplicate word - libssh2: return error when ssh_hostkeyfunc returns error - limit-rate.d: see also --rate - log2changes.pl: wrap long lines at 80 columns - Makefile.mk: address minor issues - Makefile.mk: improve a GNU Make hack - Makefile.mk: portable Makefile.m32 - maketgz: set the right version in lib/libcurl.plist - mime: relax easy/mime structures binding - misc: Fix incorrect spelling - misc: remove duplicated include files - misc: typo and grammar fixes - negtelnetserver.py: have it call its close() method - netrc.d: provide mutext info - netware: remove leftover traces - noproxy: also match with adjacent comma - noproxy: guard against empty hostnames in noproxy check - noproxy: tailmatch like in 7.85.0 and earlier - nroff-scan.pl: detect double highlights - ntlm: improve comment for encrypt_des - ntlm: silence ubsan warning about copying from null target_info pointer - openssl/mbedtls: use %d for outputing port with failf (int) - openssl: prefix errors with \'[lib]/[version]: \' - os400: use platform socklen_t in Curl_getnameinfo_a - page-header: grammar improvement (display transfer rate) - proxy: refactor haproxy protocol handling as connection filter - README.md: remove badges and xmas-tree garnish - rtsp: fix RTSP auth - runtests: --no-debuginfod now disables DEBUGINFOD_URLS - runtests: do CRLF replacements per section only - scripts/checksrc.pl: detect duplicated include files - sendf: change Curl_read_plain to wrap Curl_recv_plain - sendf: remove unnecessary if condition - setup: do not require __MRC__ defined for Mac OS 9 builds - smb/telnet: do not free the protocol struct in
*_done() - socks: fix username max size is 255 (0xFF) - spellcheck.words: remove \'github\' as an accepted word - ssl-reqd.d: clarify that this is for upgrading connections only - strcase: use curl_str(n)equal for case insensitive matches - styled-output.d: this option does not work on Windows - system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS - system.h: support 64-bit curl_off_t for NonStop 32-bit - test1421: fix typo - test3026: reduce runtime in legacy mingw builds - tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+ - tests: add authorityInfoAccess to generated certs - tests: add HTTP/3 test case, custom location for proper nghttpx - tls: backends use connection filters for IO, enabling HTTPS-proxy - tool: determine the correct fopen option for -D - tool_cfgable: free the ssl_ec_curves on exit - tool_cfgable: make socks5_gssapi_nec a boolean - tool_formparse: avoid clobbering on function params - tool_getparam: make --no-get work as the opposite of --get - tool_operate: provide better errmsg for -G with bad URL - tool_operate: when aborting, make sure there is a non-NULL error buffer - tool_paramhlp: free the proto strings on exit - url: move back the IDN conversion of proxy names - urlapi: reject more bad letters from the host name: &+() - urldata: change port num storage to int and unsigned short - vms: remove SIZEOF_SHORT - vtls: fix build without proxy support - vtls: localization of state data in filters - WEBSOCKET.md: fix broken link - Websocket: fixes for partial frames and buffer updates - websockets: fix handling of partial frames - windows: fail early with a missing windres in autotools - windows: fix linking .rc to shared curl with autotools - winidn: drop WANT_IDN_PROTOTYPES - ws: if no connection is around, return error - ws: return CURLE_NOT_BUILT_IN when websockets not built in - x509asn1: avoid freeing unallocated pointers
* Wed Nov 16 2022 Luciano Santos - Add 1.50.0 as the minimum libnghttp2 build requirement version as a bandaid. Curl\'s 7.86.0 release introduces the use of nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, introduced by nghttp2 1.50.0 release, without introducing a check for the function/right version in their build scripts. This will make Zypper/cURL unusable in some corner cases where users installing something that requires libcurl4 before doing full system upgrade, thus updating the cURL stack, but not libnghttp2\'s. Background: boo#1204983, Factory mailing list threadd: \"? broken dependency in curl and/or
*zyp
* ?\", and forums thread: Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.
* Wed Oct 26 2022 Pedro Monreal - Update to 7.86.0:
* Security fixes: - POST following PUT confusion [bsc#1204383, CVE-2022-32221] - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260] - HTTP proxy double-free [bsc#1204385, CVE-2022-42915] - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
* Changes: - NPN: remove support for and use of - Websockets: initial support
* Bugfixes: - altsvc: reject bad port numbers - autotools: reduce brute-force when detecting recv/send arg list - aws_sigv4: fix header computation - cli tool: do not use disabled protocols - connect: change verbose IPv6 address:port to [address]:port - connect: fix builds without AF_INET6 - connect: fix Curl_updateconninfo for TRNSPRT_UNIX - connect: fix the wrong error message on connect failures - content_encoding: use writer struct subclasses for different encodings - cookie: reject cookie names or content with TAB characters - curl/add_file_name_to_url: use the libcurl URL parser - curl/get_url_file_name: use libcurl URL parser - curl: warn for --ssl use, considered insecure - docs/libcurl/symbols-in-versions: add several missing symbols - ftp: ignore a 550 response to MDTM - functypes: provide the recv and send arg and return types - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled - header: define public API functions as extern c - headers: reset the requests counter at transfer start - hostip: guard PF_INET6 use - hostip: lazily wait to figure out if IPv6 works until needed - http, vauth: always provide Curl_allow_auth_to_host() functionality - http2: make nghttp2 less picky about field whitespace - http: try parsing Retry-After: as a number first - http_proxy: restore the protocol pointer on error - lib: add missing limits.h includes - lib: prepare the incoming of additional protocols - lib: sanitize conditional exclusion around MIME - libssh: if sftp_init fails, don\'t get the sftp error code - mprintf: reject two kinds of precision for the same argument - mqtt: return error for too long topic - netrc: compare user name case sensitively - netrc: replace fgets with Curl_get_line - netrc: use the URL-decoded user - ngtcp2: fix build errors due to changes in ngtcp2 library - noproxy: support proxies specified using cidr notation - openssl: make certinfo available for QUIC - resolve: make forced IPv4 resolve only use A queries - schannel: ban server ALPN change during recv renegotiation - schannel: don\'t reset recv/send function pointers on renegotiation - schannel: when importing PFX, disable key persistence - setopt: use the handler table for protocol name to number conversions - setopt: when POST is set, reset the \'upload\' field - single_transfer: use the libcurl URL parser when appending query parts - smb: replace CURL_WIN32 with WIN32 - tool: avoid generating ambiguous escaped characters in --libcurl - tool_main: exit at once if out of file descriptors - tool_operate: more transfer cleanup after parallel transfer fail - tool_operate: prevent over-queuing in parallel mode - tool_paramhelp: asserts verify maximum sizes for string loading - tool_xattr: save the original URL, not the final redirected one - url: a zero-length userinfo part in the URL is still a (blank) user - url: allow non-HTTPS HSTS-matching for debug builds - url: rename function due to name-clash in Watt-32 - url: use IDN decoded names for HSTS checks - urlapi: detect scheme better when not guessing - urlapi: fix parsing URL without slash with CURLU_URLENCODE - urlapi: reject more bad characters from the host name field
* Remove patch upstream: - connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
* Sat Oct 08 2022 Vasily Ulyanov - Update connection info when using UNIX socket as endpoint connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
* Fri Sep 30 2022 Pedro Monreal - Change the deprecated configure option --enable-hidden-symbols to the new --enable-symbol-hiding.
* Wed Aug 31 2022 Pedro Monreal - Update to 7.85.0:
* Security fixes: [bsc#1202593, CVE-2022-35252] - control code in cookie denial of service
* Changes: - quic: add support via wolfSSL - schannel: Add TLS 1.3 support - setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
* Bugfixes: - asyn-thread: fix socket leak on OOM - asyn-thread: make getaddrinfo_complete return CURLcode - base64: base64url encoding has no padding - configure: fix broken m4 syntax in TLS options - configure: if asked to use TLS, fail if no TLS lib was detected - connect: add quic connection information - connect: set socktype/protocol correctly - cookie: reject cookies with \"control bytes\" - cookie: treat a blank domain in Set-Cookie: as non-existing - curl: output warning when a cookie is dropped due to size - Curl_close: call Curl_resolver_cancel to avoid memory-leak - digest: fix memory leak, fix not quoted \'opaque\' - digest: fix missing increment of \'nc\' value for auth-int - digest: pass over leading spaces in qop values - digest: reject broken header with session protocol but without qop - doh: use https protocol by default - easy_lock.h: include sched.h if available to fix build - easy_lock.h: use __asm__ instead of asm to fix build - easy_lock: switch to using atomic_int instead of bool - ftp: use a correct expire ID for timer expiry - h2h3: fix overriding the \'TE: Trailers\' header - hostip: resolve
*.localhost to 127.0.0.1/::1 - HTTP3.md: update to msh3 v0.4.0 - hyper: use wakers for curl pause/resume - lib3026: reduce the number of threads to 100 - libssh2: make atime/mtime date overflow return error - libssh2: provide symlink name in SFTP dir listing - multi: have curl_multi_remove_handle close CONNECT_ONLY transfer - multi: use larger dns hash table for multi interface - multi_wait: fix skipping to populate revents for extra_fds - netrc: Use the password from lines without login - ngtcp2: Fix build error due to change in nghttp3 prototypes - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks - openssl: add \'CURL_BORINGSSL_VERSION\' to identify BoringSSL - openssl: add cert path in error message - openssl: add details to \"unable to set client certificate\" error - openssl: fix BoringSSL symbol conflicts with LDAP and Schannel - select: do not return fatal error on EINTR from poll() - sendf: fix paused header writes since after the header API - sendf: skip storing HTTP headers if HTTP disabled - url: really use the user provided in the url when netrc entry exists - url: reject URLs with hostnames longer than 65535 bytes - url: treat missing usernames in netrc as empty - urldata: reduce size of several struct fields - vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
* Remove tests-for-32bit.patch fixed in the update
* Rebase libcurl-ocloexec.patch
* Sun Jul 24 2022 Dirk Müller - add tests-for-32bit.patch to fix testsuite on 32bit platforms
* Mon Jun 27 2022 David Anes - Update to 7.84.0:
* Security fixes: - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
* Changes: - curl: add --rate to set max request rate per time unit - curl: deprecate --random-file and --egd-file - curl_version_info: add CURL_VERSION_THREADSAFE - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl - lib: make curl_global_init() threadsafe when possible - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION - opts: deprecate RANDOM_FILE and EGDSOCKET - socks: support unix sockets for socks proxy
* Bugfixes: - aws-sigv4: fix potentional NULL pointer arithmetic - bindlocal: don\'t use a random port if port number would wrap - c-hyper: mark status line as status for Curl_client_write() - ci: avoid `cmake -Hpath` - CI: bump FreeBSD 13.0 to 13.1 - ci: update github actions - cmake: add libpsl support - cmake: do not add libcurl.rc to the static libcurl library - cmake: enable curl.rc for all Windows targets - cmake: fix detecting libidn2 - cmake: support adding a suffix to the OS value - configure: skip libidn2 detection when winidn is used - configure: use the SED value to invoke sed - configure: warn about rustls being experimental - content_encoding: return error on too many compression steps - cookie: address secure domain overlay - cookie: apply limits - copyright.pl: parse and use .reuse/dep5 for skips - copyright: make repository REUSE compliant - curl.1: add a few see also --tls-max - curl.1: mention exit code zero too - curl: re-enable --no-remote-name - curl_easy_pause.3: remove explanation of progress function - curl_getdate.3: document that some illegal dates pass through - Curl_parsenetrc: don\'t access local pwbuf outside of scope - curl_url_set.3: clarify by default using known schemes only - CURLOPT_ALTSVC.3: document the file format - CURLOPT_FILETIME.3: fix the protocols this works with - CURLOPT_HTTPHEADER.3: improve comment in example - CURLOPT_NETRC.3: document the .netrc file format - CURLOPT_PORT.3: We discourage using this option - CURLOPT_RANGE.3: remove ranged upload advice - digest: added detection of more syntax error in server headers - digest: tolerate missing \"realm\" - digest: unquote realm and nonce before processing - DISABLED: disable 1021 for hyper again - docs/cmdline-opts: add copyright and license identifier to each file - docs/CONTRIBUTE.md: document the \'needs-votes\' concept - docs: clarify data replacement policy for MIME API - doh: remove UNITTEST macro definition - examples/crawler.c: use the curl license - examples: remove fopen.c and rtsp.c - FAQ: Clarify Windows double quote usage - fopen: add Curl_fopen() for better overwriting of files - ftp: restore protocol state after http proxy CONNECT - ftp: when failing to do a secure GSSAPI login, fail hard - GHA/hyper: enable debug in the build - gssapi: improve handling of errors from gss_display_status - gssapi: initialize gss_buffer_desc strings - headers api: remove EXPERIMENTAL tag - http2: always debug print stream id in decimal with %u - http2: reject overly many push-promise headers - http: restore header folding behavior - hyper: use \'alt-used\' - krb5: return error properly on decode errors - lib: make more protocol specific struct fields #ifdefed - libcurl-security.3: add \"Secrets in memory\" - libcurl-security.3: document CRLF header injection - libssh: skip the fake-close when libssh does the right thing - links: update dead links to the curl-wiki - log2changes: do not indent empty lines [ci skip] - macos9: remove partial support - Makefile.am: fix portability issues - Makefile.m32: delete obsolete options, improve -On [ci skip] - Makefile.m32: delete two obsolete OpenSSL options [ci skip] - Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] - max-time.d: clarify max-time sets max transfer time - mprintf: ignore clang non-literal format string - netrc: check %USERPROFILE% as well on Windows - netrc: support quoted strings - ngtcp2: allow curl to send larger UDP datagrams - ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types - ngtcp2: enable Linux GSO - ngtcp2: extend QUIC transport parameters buffer - ngtcp2: fix alert_read_func return value - ngtcp2: fix typo in preprocessor condition - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data - ngtcp2: send appropriate connection close error code - ngtcp2: support boringssl crypto backend - ngtcp2: use helper funcs to simplify TLS handshake integration - ntlm: provide a fixed fake host name - projects: fix third-party SSL library build paths for Visual Studio - quic: add Curl_quic_idle - quiche: support ca-fallback - rand: stop detecting /dev/urandom in cross-builds - remote-name.d: mention --output-dir - runtests.pl: add the --repeat parameter to the --help output - runtests: fix skipping tests not done event-based - runtests: skip starting the ssh server if user name is lacking - scripts/copyright.pl: fix the exclusion to not ignore man pages - sectransp: check for a function defined when __BLOCKS__ is undefined - select: return error from \"lethal\" poll/select errors - server/sws: support spaces in the HTTP request path - speed-limit/time.d: mention these affect transfers in either direction - strcase: some optimisations - test 2081: add a valid reply for the second request - test 675: add missing CR so the test passes when run through Privoxy - test414: add the \'--resolve\' keyword - test681: verify --no-remote-name - tests 266, 116 and 1540: add a small write delay - tests/data/test1501: kill ftp server after slow LIST response - tests/getpart: fix getpartattr to work with \"data\" and \"data2\" - tests/server/sws.c: change the HTTP writedelay unit to milliseconds - test{440,441,493,977}: add \"HTTP proxy\" keywords - tool_getparam: fix --parallel-max maximum value constraint - tool_operate: make sure --fail-with-body works with --retry - transfer: fix potential NULL pointer dereference - transfer: maintain --path-as-is after redirects - transfer: upload performance; avoid tiny send - url: free old conn better on reuse - url: remove redundant #ifdefs in allocate_conn() - url: URL encode the path when extracted, if spaces were set - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts - urlapi: support CURLU_URLENCODE for curl_url_get() - urldata: reduce size of a few struct fields - urldata: remove three unused booleans from struct UserDefined - urldata: store tcp_keepidle and tcp_keepintvl as ints - version: allow stricmp() for sorting the feature list - vtls: make curl_global_sslset thread-safe - wolfssh.h: removed - wolfssl: correct the failf() message when a handle can\'t be made - wolfSSL: explicitly use compatibility layer - x509asn1: mark msnprintf return as unchecked
* Wed May 11 2022 David Anes - Update to 7.83.1:
* Security fixes: - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot - (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse - (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop - (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host - (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD - (bsc#1199220, CVE-2022-27778) removes wrong file on error
* Bugfixes: - altsvc: fix host name matching for trailing dots - cirrus: Update to FreeBSD 12.3 - cirrus: Use pip for Python packages on FreeBSD - conn: fix typo \'connnection\' -> \'connection\' in two function names - cookies: make bad_domain() not consider a trailing dot fine - curl: free resource in error path - curl: guard against size_t wraparound in no-clobber code - CURLOPT_DOH_URL.3: mention the known bug - CURLOPT_HSTS
*FUNCTION.3: document the involved structs as well - CURLOPT_SSH_AUTH_TYPES.3: fix the default - data/test376: set a proper name - GHA/mbedtls: enabled nghttp2 in the build - gha: build msh3 - gskit: fixed bogus setsockopt calls - gskit: remove unused function set_callback - hsts: ignore trailing dots when comparing hosts names - HTTP-COOKIES: add missing CURLOPT_COOKIESESSION - http: move Curl_allow_auth_to_host() - http_proxy/hyper: handle closed connections - hyper: fix test 357 - Makefile: fix \"make ca-firefox\" - mbedtls: bail out if rng init fails - mbedtls: fix compile when h2-enabled - mbedtls: fix some error messages - misc: use \"autoreconf -fi\" instead buildconf - msh3: get msh3 version from MsH3Version - msh3: print boolean value as text representation - msh3: psss remote_port to MsH3ConnectionOpen - ngtcp2: add ca-fallback support for OpenSSL backend - nss: return error if seemingly stuck in a cert loop - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl - post_per_transfer: remove the updated file name - sectransp: bail out if SSLSetPeerDomainName fails - tests/server: declare variable \'reqlogfile\' static - tests: fix markdown formatting in README - test{898,974,976}: add \'HTTP proxy\' keywords - tls: check more TLS details for connection reuse - url: check SSH config match on connection reuse - urlapi: address (harmless) UndefinedBehavior sanitizer warning - urlapi: reject percent-decoding host name into separator bytes - x509asn1: make do_pubkey handle EC public keys
* Fri Apr 22 2022 David Anes - Patches rework:
* Refreshed all patches as -p1.
* Use autopatch macro.
* Renamed: - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
* Removed (already upstream): - curl-fix-verifyhost.patch- Update to 7.83.0:
* Security fixes: - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse - (bsc#1198608, CVE-2022-27774) Credential leak on redirect - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
* Changes: - curl: add %header{name} experimental support in -w handling - curl: add %{header_json} experimental support in -w handling - curl: add --no-clobber - curl: add --remove-on-error - header api: add curl_easy_header and curl_easy_nextheader - msh3: add support for QUIC and HTTP/3 using msh3
* Bugfixes: - appveyor: add Cygwin build - appveyor: only add MSYS2 to PATH where required - BearSSL: add CURLOPT_SSL_CIPHER_LIST support - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support - BINDINGS.md: add Hollywood binding - CI: Do not use buildconf. Instead, just use: autoreconf -fi - CI: install Python package impacket to run SMB test 1451 - configure.ac: move -pthread CFLAGS setting back where it used to be - configure: bump the copyright year range int the generated output - conncache: include the zone id in the \"bundle\" hashkey - connecache: remove duplicate connc->closure_handle check - connect: make Curl_getconnectinfo work with conn cache from share handle - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined - cookie.d: clarify when cookies are sent - cookies: improve errorhandling for reading cookiefile - curl/system.h: update ifdef condition for MCST-LCC compiler - curl: error out if -T and -d are used for the same URL - curl: error out when options need features not present in libcurl - curl: escape \'?\' in generated --libcurl code - curl: fix segmentation fault for empty output file names. - curl_easy_header: fix typos in documentation - CURLINFO_PRIMARY_PORT.3: clarify which port this is - CURLOPT
*TLSAUTH.3: they only work with OpenSSL or GnuTLS - CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL - CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs - CURLOPT_PROGRESSFUNCTION.3: fix typo in example - CURLOPT_UNRESTRICTED_AUTH.3: extended explanation - CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype - docs/HYPER.md: updated to reflect current hyper build needs - docs/opts: Mention Schannel client cert type is P12 - docs: Fix missing semicolon in example code - docs: lots of minor language polish - English: use American spelling consistently - fail.d: tweak the description - firefox-db2pem.sh: make the shell script safer - ftp: fix error message for partial file upload - gen.pl: change wording for mutexed options - GHA: add openssl3 jobs moved over from zuul - GHA: build hyper with nightly rustc - GHA: move bearssl jobs over from zuul - gha: move the event-based test over from Zuul - gtls: fix build for disabled TLS-SRP - http2: handle DONE called for the paused stream - http2: RST the stream if we stop it on our own will - http: avoid auth/cookie on redirects same host diff port - http: close the stream (not connection) on time condition abort - http: reject header contents with nul bytes - http: return error on colon-less HTTP headers - http: streamclose \"already downloaded\" - hyper: fix status_line() return code - hyper: fix tests 580 and 581 for hyper - hyper: no h2c support - infof: consistent capitalization of warning messages - ipv4/6.d: clarify that they are about using IP addresses - json.d: fix typo (overriden -> overridden) - keepalive-time.d: It takes many probes to detect brokenness - lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 - lib670: avoid double check result - lib: #ifdef on USE_HTTP2 better - lib: fix some misuse of curlx_convert_wchar_to_UTF8 - lib: remove exclamation marks - libssh2: compare sha256 strings case sensitively - libssh2: make the md5 comparison fail if wrong length - libssh: fix build with old libssh versions - libssh: fix double close - libssh: Improve fix for missing SSH_S_ stat macros - libssh: unstick SFTP transfers when done event-based - macos: set .plist version in autoconf - mbedtls: remove \'protocols\' array from backend when ALPN is not used - mbedtls: remove server_fd from backend - mk-ca-bundle.pl: Use stricter logic to process the certificates - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl - mlc_config.json: add file to ignore known troublesome URLs - mqtt: better handling of TCP disconnect mid-message - ngtcp2: add client certificate authentication for OpenSSL - ngtcp2: avoid busy loop in low CWND situation - ngtcp2: deal with sub-millisecond timeout - ngtcp2: disconnect the QUIC connection proper - ngtcp2: enlarge H3_SEND_SIZE - ngtcp2: fix HTTP/3 upload stall and avoid busy loop - ngtcp2: fix memory leak - ngtcp2: fix QUIC_IDLE_TIMEOUT - ngtcp2: make curl 1ms faster - ngtcp2: remove remote_addr which is not used in a meaningful way - ngtcp2: update to work after recent ngtcp2 updates - ngtcp2: use token when detecting :status header field - nonblock: restore setsockopt method to curlx_nonblock - openssl: check SSL_get_peer_cert_chain return value - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL - openssl: fix CN check error code - options: remove mistaken space before paren in prototype - perl: removed a double semicolon at end of line - pop3/smtp: return
*WEIRD_SERVER_REPLY when not understood - projects/README: converted to markdown - projects: Update VC version names for VS2017, VS2022 - rtsp: don\'t let CSeq error override earlier errors - runtests: add \'bearssl\' as testable feature - runtests: make \'oldlibssh\' be before 0.9.4 - schannel: remove dead code that will never run - scripts/copyright.pl: ignore the new mlc_config.json file - scripts: move three scripts from lib/ to scripts/ - test1135: sync with recent API updates - test1459: disable for oldlibssh - test375: fix line endings on Windows - test386: Fix an incorrect test markup tag - test718: edited slightly to return better HTTP - tests/server/util.h: align WIN32 condition with util.c - tests: refactor server/socksd.c to support --unix-socket - timediff.[ch]: add curlx helper functions for timeval conversions - tls: make mbedtls and NSS check for h2, not nghttp2 - tool and tests: force flush of all buffers at end of program - tool_cb_hdr: Turn the Location: into a terminal hyperlink - tool_getparam: error out on missing -K file - tool_listhelp.c: uppercase URL - tool_operate: fix a scan-build warning - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) - transfer: redirects to other protocols or ports clear auth - unit1620: call global_init before calling Curl_open - url: check sasl additional parameters for connection reuse. - vtls: provide a unified APLN-disagree string for all backends - vtls: use a backend standard message for \"ALPN: offers %s\" - vtls: use a generic \"ALPN, server accepted\" message - winbuild/README.md: fixup dead link - winbuild: Add a Visual Studio example to the README - wolfssl: fix compiler error without IPv6
* Fri Mar 11 2022 Pedro Monreal - Fix: openssl: fix CN check error code
* Add curl-fix-verifyhost.patch
* Mon Mar 07 2022 Paolo Stivanin - Update to 7.82.0:
* curl: add --json command line option
* curl: make it so that sensitive command line arguments do not show as easily in the output of ps(1)
* curl_multi_socket.3: remove callback and typical usage descriptions
* ftp: provide error message for control bytes in path
* ldap: return CURLE_URL_MALFORMAT for bad URL
* lib: remove support for CURL_DOES_CONVERSIONS
* mqtt: plug some memory leaks
* multi: allow user callbacks to call curl_multi_assign
* multi: remember connection_id before returning connection to pool
* multi: set in_callback for multi interface callbacks
* netware: remove support
* ngtcp2: adapt to changed end of headers callback proto
* openldap: implement SASL authentication
* openssl: return error if TLS 1.3 is requested when not supported
* sectransp: mark a 3DES cipher as weak
* smb: pass socket for writing and reading data instead of FIRSTSOCKET
* tool_getparam: DNS options that need c-ares now fail without it
* TPF: drop support
* url: given a user in the URL, find pwd for that user in netrc
* url: keep trailing dot in host name
* urlapi: handle \"redirects\" smarter
* urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
* urldata: remove conn->bits.user_passwd
* Sun Jan 09 2022 Dirk Müller - update to 7.81.0:
* mime: use percent-escaping for multipart form field and file names
* asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
* azure: make the \"w/o HTTP/SMTP/IMAP\" build disable SSL proper
* BINDINGS: add cURL client for PostgreSQL
* BINDINGS: add one from Everything curl and update a link
* checksrc: detect more kinds of NULL comparisons we avoid
* CI: build examples for additional code verification
* CI: bump job to use mbedtls 3.1.0
* cmake: don\'t set _USRDLL on a static Windows build
* cmake: prevent dev warning due to mismatched arg
* cmake: private identifiers use CURL_ instead of CMAKE_ prefix
* config.d: update documentation to match the path search
* configure: add -lm to configure for rustls build.
* configure: better diagnostics if hyper is built wrong
* configure: don\'t enable TLS when --without-
* flags are used
* configure: fix runtime-lib detection on macOS
* curl.1: require \"see also\" for every documented option
* curl: improve error message for --head with -J
* curl_easy_cleanup.3: remove from multi handle first
* curl_easy_escape.3: call curl_easy_cleanup in example
* curl_easy_unescape.3: call curl_easy_cleanup in example
* curl_multi_init.3: fix EXAMPLE formatting
* curl_multi_perform/socket_action.3: clarify what errors mean
* curl_share_setopt.3: split out options into their own manpages
* CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
* digest: compute user:realm:pass digest w/o userhash
* docs/checksrc: Add documentation for STRERROR
* docs/cmdline-opts: do not say \"protocols: all\"
* docs/examples: workaround broken -Wno-pedantic-ms-format
* docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
* docs/INSTALL.md: typo fix : added missing \"get\" verb
* docs/URL-SYNTAX.md: space is not fine in a given URL
* docs: add known bugs list to HTTP3.md
* docs: address proselint nits
* docs: consistent manpage SYNOPSIS
* docs: fix dead links, remove ECH.md
* docs: fix typo in OpenSSL 3 build instructions
* docs: Update the Reducing Size section
* example/progressfunc: remove code for old libcurls
* examples/multi-single.c: remove WAITMS()
* FAQ: typo fix : \"yout\" ➤ \"your\"
* ftp: disable warning 4706 in MSVC
* gen.pl: improve example output format
* github workflow: add wolfssl (removed from zuul)
* github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
* gtls: check return code for gnutls_alpn_set_protocols
* hash: lazy-alloc the table in Curl_hash_add()
* http2:set_transfer_url() return early on OOM
* HTTP3: update quiche build instructions
* http: enable haproxy support for hyper backend
* http: Fix CURLOPT_HTTP200ALIASES
* http_proxy: don\'t close the socket (too early)
* insecure.d: detail its use for SFTP and SCP as well
* insecure.d: expand and clarify
* libcurl-multi.3: \"SOCKS proxy handshakes\" are not blocking
* libcurl-security.3: mention address and URL mitigations
* libssh2: fix error message for sha256 mismatch
* libtest: avoid \"assignment within conditional expression\"
* lift: ignore is a deprecated config option, use ignoreRules
* linkcheck.yml: add CI job that checks markdown links
* m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
* Makefile.m32: rename -winssl option to -schannel and tidy up
* mbedTLS: add support for CURLOPT_CAINFO_BLOB
* mbedtls: fix CURLOPT_SSLCERT_BLOB
* mbedtls: fix private member designations for v3.1.0
* misc: remove unused doh flags when CURL_DISABLE_DOH is defined
* misc: s/e-mail/email
* multi: cleanup the socket hash when destroying it
* multi: handle errors returned from socket/timer callbacks
* multi: shut down CONNECT in Curl_detach_connnection
* netrc.d: edit the .netrc example to look nicer
* ngtcp2: verify the server cert on connect (quictls)
* ngtcp2: verify the server certificate for the gnutls case
* nss:set_cipher don\'t clobber the cipher list
* openldap: implement STARTTLS
* openldap: process search query response messages one by one
* openldap: several minor improvements
* openldap: simplify ldif generation code
* openssl: check the return value of BIO_new()
* openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
* openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
* openssl: remove usage of deprecated `SSL_get_peer_certificate`
* openssl: use non-deprecated API to read key parameters
* page-footer: add a mention of how to report bugs to the man page
* page-footer: document more environment variables
* request.d: refer to \'method\' rather than \'command\'
* retry-all-errors.d: make the example complete
* runtests: make the SSH library a testable feature
* rustls: read of zero bytes might be okay
* rustls: remove comment about checking handshaking
* rustls: remove incorrect EOF check
* sha256/md5: return errors when init fails
* socks5: use appropriate ATYP for numerical IP address host names
* test1156: enable for hyper
* test1156: fixup the stdout check for Windows
* test1525: tweaked for hyper
* test1526: enable for hyper
* test1527: enable for hyper
* test1528: enable for hyper
* test1554: adjust for hyper
* test1556: adjust for hyper
* test302[12]: run only with the libssh2 backend
* test661: enable for hyper
* tests/CI.md: add more information on CI environments
* tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
* tftp: mark protocol as not possible to do over CONNECT
* tool_findfile: updated search for a file in the homedir
* tool_operate: only set SSH related libcurl options for SSH URLs
* tool_operate: warn if too many output arguments were found
* url.c: fix the SIGPIPE comment for Curl_close
* url: check ssl_config when re-use proxy connection
* url: reduce ssl backend count for CURL_DISABLE_PROXY builds
* urlapi: accept port number zero
* urlapi: if possible, shorten given numerical IPv6 addresses
* urlapi: provide more detailed return codes
* urlapi: reject short file URLs
* version_win32: Check build number and platform id
* vtls/rustls: adapt to the updated rustls_version proto
* writeout: fix %{http_version} for HTTP/3
* x509asn1: return early on errors
* zuul.d: update rustls-ffi to version 0.8.2
* zuul: fix quiche build pointing to wrong Cargo
* Tue Nov 16 2021 Pedro Monreal - Update to 7.80.0:
* Changes: - CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse - CURLOPT_PREREQFUNCTION: add new callback - libssh2: add SHA256 fingerprint support - urlapi: add curl_url_strerror()
* Bugfixes: - aws-sigv4: make signature work when post data is binary - c-hyper: don\'t abort CONNECT responses early when auth-in-progress - c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work - cmake: add CURL_ENABLE_SSL option - cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED - configure.ac: replace krb5-config with pkg-config - configure: when hyper is selected, deselect nghttp2 - curl-confopts.m4: remove --enable/disable-hidden-symbols - curl-openssl.m4: modify library order for openssl linking - curl_ntlm_core: use OpenSSL only if DES is available - Curl_updateconninfo: store addresses for QUIC connections too - ftp: make the MKD retry to retry once per directory - http: fix Basic auth with empty name field in URL - http: reject HTTP response codes < 100 - http: remove assert that breaks hyper - http: set content length earlier - imap: display quota information - libssh2: Get the version at runtime if possible - md5: fix compilation with OpenSSL 3.0 API - ngtcp2: advertise h3 as well as h3-29 - ngtcp2: compile with the latest nghttp3 - ngtcp2: use latest QUIC TLS RFC9001 - NTLM: use DES_set_key_unchecked with OpenSSL - openssl: if verifypeer is not requested, skip the CA loading - openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway - schannel: fix memory leak due to failed SSL connection - sendf: accept zero-length data in Curl_client_write() - sha256: use high-level EVP interface for OpenSSL - sws: fix memory leak on exit - tool_operate: a failed etag save now only fails that transfer - url: check the return value of curl_url() - url: set \"k->size\" -1 at start of request - urlapi: skip a strlen(), pass in zero - urlapi: URL decode percent-encoded host names - vtls: Fix a memory leak if an SSL session cannot be added to the cache - wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
* Use --with-openssl configure option, --with-ssl is now deprecated
* Wed Sep 22 2021 Pedro Monreal - Update to 7.79.1:
* Bugfixes: - Curl_http2_setup: don\'t change connection data on repeat invokes - curl_multi_fdset: make FD_SET() not operate on sockets out of range - dist: provide lib/.checksrc in the tarball - FAQ: add GOPHERS + curl works on data, not files - hsts: CURLSTS_FAIL from hsts read callback should fail transfer - hsts: handle unlimited expiry - http: fix the broken >3 digit response code detection - strerror: use sys_errlist instead of strerror on Windows - test1184: disable: https://github.com/curl/curl/issues/7725 - tests/sshserver.pl: make it work with openssh-8.7p1
* Wed Sep 15 2021 Pedro Monreal - Temporarily disable flaky test 1184
* See https://github.com/curl/curl/issues/7725
* Wed Sep 15 2021 Pedro Monreal - Update to 7.79.0: [bsc#1190213, CVE-2021-22945] [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
* Changes: - bearssl: support CURLOPT_CAINFO_BLOB - http: consider cookies over localhost to be secure - secure transport: support CURLINFO_CERTINFO
* Bugfixes: - CVE-2021-22945: clear the leftovers pointer when sending succeeds - CVE-2021-22946: do not ignore --ssl-reqd - CVE-2021-22947: reject STARTTLS server response pipelining - auth: do not append zero-terminator to authorisation id in kerberos - auth: properly handle byte order in kerberos security message - auth: use sasl authzid option in kerberos - auth: we do not support a security layer after kerberos authentication - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection - c-hyper: initial step for 100-continue support - c-hyper: initial support for \"dumping\" 1xx HTTP responses - curl-openssl.m4: show correct output for OpenSSL v3 - docs/MQTT: update state of username/password support - docs: the security list is reached at security at curl.se now - getparameter: fix the --local-port number parser - hostip: Make Curl_ipv6works function independent of getaddrinfo - http_proxy: fix the User-Agent inclusion in CONNECT - http_proxy: fix user-agent and custom headers for CONNECT with hyper - http_proxy: only wait for writable socket while sending request - mailing lists: move from cool.haxx.se to lists.haxx.se - mbedtls: avoid using a large buffer on the stack - mbedTLS: initial 3.0.0 support - ngtcp2: remove the acked_crypto_offset struct field init - ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read - ngtcp2: reset the oustanding send buffer again when drained - ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream - ngtcp2: stop buffering crypto data - ngtcp2: utilize crypto API functions to simplify - openssl: when creating a new context, there cannot be an old one - scripts: invoke interpreters through /usr/bin/env - tests/runtests.pl: cleanup copy&paste mistakes and unused code - tests: be explicit about using \'python3\' instead of \'python\' - tool/tests: fix potential year 2038 issues - tool_operate: Fix --fail-early with parallel transfers - x509asn1: fix heap over-read when parsing x509 certificates
* Rebase libcurl-ocloexec.patch
* Wed Jul 21 2021 Pedro Monreal - Update to 7.78.0: [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923] [bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
* Changes: - curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE - CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax - hostip: make \'localhost\' return fixed values - mbedtls: add support for cert and key blob options - metalink: remove all support for it - mqtt: add support for username and password
* Bugfixes: - ares: always store IPv6 addresses first - c-hyper: abort CONNECT response reading early on non 2xx responses - c-hyper: add support for transfer-encoding in the request - c-hyper: bail on too long response headers - c-hyper: clear NTLM auth buffer when request is issued - c-hyper: fix NTLM on closed connection tested with test159 - conncache: lowercase the hash key for better match - curl_multibyte: Remove local encoding fallbacks - Curl_ntlm_core_mk_nt_hash: fix OOM in error path - Curl_ssl_getsessionid: fail if no session cache exists - easy: during upkeep, attach Curl_easy to connections in the cache - gnutls: set the preferred TLS versions in correct order - hsts: ignore numberical IP address hosts - HSTS: not experimental anymore - http2: init recvbuf struct for pushed streams - http: fix crash in rate-limited upload - http: make the haproxy support work with unix domain sockets - http_proxy: deal with non-200 CONNECT response with Hyper - lib: don\'t compare fd to FD_SETSIZE when using poll - lib: fix compiler warnings with CURL_DISABLE_NETRC - lib: fix type of len passed to
*printf\'s %
*s - lib: more %u for port and int for %
*s fixes - lib: use %u instead of %ld for port number printf - libssh2: limit time a disconnect can take to 1 second - mqtt: detect illegal and too large file size - msnprintf: return number of printed characters excluding null byte - multi: add scan-build-6 work-around in curl_multi_fdset - multi: alter transfer timeout ordering - multi: do not switch off connect_only flag when closing - multi: fix crash in curl_multi_wait / curl_multi_poll - ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS - openssl: avoid static variable for seed flag - openssl: don\'t remove session id entry in disassociate - socketpair: fix potential hangs - socks4: scan for the IPv4 address in resolve results - ssl: read pending close notify alert before closing the connection - telnet: fix option parser to not send uninitialized contents - TLS: prevent shutdown loops to get stuck - vtls: exit addsessionid if no cache is inited - vtls: fix connection reuse checks for issuer cert and case sensitivity
* Wed May 26 2021 Pedro Monreal - Update to 7.77.0: [bsc#1186114, CVE-2021-22898] [bsc#1186115, bsc#1185579, CVE-2021-22901]
* Security fixes: - CVE-2021-22297: schannel cipher selection surprise - CVE-2021-22298: TELNET stack contents disclosure - CVE-2021-22901: TLS session caching disaster
* Changes: - configure: make the TLS library choice(s) explicit - curl: ignore options asking for SSLv2 or SSLv3 - hsts: enable by default - SSL: support in-memory CA certs for some backends - vtls: refuse setting any SSL version
* Bugfixes: - configure: provide --with-openssl, deprecate --with-ssl - cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies - curl: include libmetalink version in --version output - data_pending: check only SECONDARY socket for FTP(S) transfers - gnutls: don\'t allow TLS 1.3 for versions that don\'t support it - gnutls: make setting only the MAX TLS allowed version work - http2: fix resource leaks in set_transfer_url() and push_promise() - http: limit the initial send amount to used upload buffer size - rustls: only return CURLE_AGAIN when TLS session is fully drained - rustls: use ALPN - schannel: Disable auto credentials; add an option to enable it - schannel: Support strong crypto option - sectransp: allow cipher name to be specified - sockfilt: avoid getting stuck waiting for writable socket
* Sun Apr 25 2021 Dirk Müller - update to 7.76.1: - ngtcp2: Use ALPN h3-29 for now - TODO: remove 18.22 --fail-with-body
* Wed Mar 31 2021 Pedro Monreal - Update to 7.76.0
* Security fixes: - [bsc#1183933, CVE-2021-22876]: strip credentials from the auto-referer header field - [bsc#1183934, CVE-2021-22890]: add \'isproxy\' argument to Curl_ssl_get/addsessionid()
* Changes: - cookies: Support multiple -b parameters - curl: add --fail-with-body - doh: add options to disable ssl verification - http: add support to read and store the referrer header - sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl - vtls: initial implementation of rustls backend
* Bugfixes: - CVE-2021-22876: strip credentials from the auto-referer header field - CVE-2021-22890: add \'isproxy\' argument to Curl_ssl_get/addsessionid() - c-hyper: support automatic content-encoding - configure: only add OpenSSL paths if they are defined - configure: provide Largefile feature for curl-config - curl: set CURLOPT_NEW_FILE_PERMS if requested - doh: Fix sharing user\'s resolve list with DOH handles - doh: Inherit CURLOPT_STDERR from user\'s easy handle - dynbuf: bump the max HTTP request to 1MB - ftp: add \'list_only\' to the transfer state struct - ftp: add \'prefer_ascii\' to the transfer state struct - ftp: allow SIZE to fail when doing (resumed) upload - ftp: avoid SIZE when asking for a TYPE A file - ftp: fix memory leak in ftp_done - ftp: never set data->set.ftp_append outside setopt - gnutls: assume nettle crypto support - http2: don\'t set KEEP_SEND when there\'s no more data to be sent - http2: fail if connection terminated without END_STREAM - http: do not add a referrer header with empty value - http: strip default port from URL sent to proxy - http: use credentials from transfer, not connection - lib: remove \'conn->data\' completely - multi: close the connection when h2=>h1 downgrading - multi: do once-per-transfer inits in before_perform in DID state - multi: rename the multi transfer states - multi: update pending list when removing handle - ngtcp2: adapt to the new recv_datagram callback - ngtcp2: clarify calculation precedence - ngtcp2: sync with recent API updates - openssl: adapt to v3\'s new const for a few API calls - openssl: ensure to check SSL_CTX_set_alpn_protos return values - openssl: remove get_ssl_version_txt in favor of SSL_get_version - parse_proxy: fix a memory leak in the OOM path - url: fix memory leak if OOM in the HSTS handling - url: fix possible use-after-free in default protocol - urldata: don\'t touch data->set.httpversion at run-time - urldata: merge \"struct DynamicStatic\" into \"struct UrlState\" - urldata: remove the \'rtspversion\' field - urldata: remove the _ORIG suffix from string names - wolfssl: don\'t store a NULL sessionid
* Thu Mar 04 2021 Cristian Rodríguez - Harden build, enable full RELRO- Never allow undefined symbols anywhere.
* Thu Feb 04 2021 Pedro Monreal - Update to 7.75.0
* Changes: - curl: add --create-file-mode [mode] - curl: add new variables to --write-out - dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries - gopher: implement secure gopher protocol - http: add Hyper as new optional HTTP backend - http: introduce AWS HTTP v4 Signature support
* Bugfixes: - cmake: Add an option to disable libidn2 - cmake: enable gophers correctly in curl-config - cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG - digest_sspi: Show InitializeSecurityContext errors in verbose mode - getinfo: build with disabled HTTP support - http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy - http_proxy: Fix CONNECT chunked encoding race condition - httpauth: make multi-request auth work with custom port - lib: pass in \'struct Curl_easy
*\' to most functions - lib: remove Curl_ prefix from many static functions - lib: save a bit of space with some structure packing - libssh: avoid plain free() of libssh-memory - mime: make sure setting MIMEPOST to NULL resets properly - multi_runsingle: bail out early on data->conn == NULL - ngtcp2: Fix http3 upload stall - ngtcp2: Fix stack buffer overflow - openssl: lowercase the hostname before using it for SNI - socks: use the download buffer instead - speedcheck: exclude paused transfers - tooĺ_writeout: fix the -w time output units - url: if IDNA conversion fails, fallback to Transitional- Refresh libcurl-ocloexec.patch
 
ICM