| Curl and libcurl 7.62.0 |
| |
| Public curl releases: 177 |
| Command line options: 219 |
| curl_easy_setopt() options: 261 |
| Public functions in libcurl: 80 |
| Contributors: 1808 |
| |
| This release includes the following changes: |
| |
| o multiplex: enable by default [4] |
| o url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled [4] |
| o setopt: add CURLOPT_DOH_URL [7] |
| o curl: --doh-url added [7] |
| o setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size [8] |
| o imap: change from "FETCH" to "UID FETCH" [9] |
| o configure: add option to disable automatic OpenSSL config loading [10] |
| o upkeep: add a connection upkeep API: curl_easy_upkeep() [11] |
| o URL-API: added five new functions [12] |
| o vtls: MesaLink is a new TLS backend [23] |
| |
| This release includes the following bugfixes: |
| |
| o CVE-2018-16839: SASL password overflow via integer overflow [107] |
| o CVE-2018-16840: use-after-free in handle close [108] |
| o CVE-2018-16842: warning message out-of-buffer read [114] |
| o CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated [5] |
| o Curl_dedotdotify(): always nul terminate returned string [46] |
| o Curl_follow: Always free the passed new URL [87] |
| o Curl_http2_done: fix memleak in error path [51] |
| o Curl_retry_request: fix memory leak [49] |
| o Curl_saferealloc: Fixed typo in docblock [40] |
| o FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output [78] |
| o GnutTLS: TLS 1.3 support [39] |
| o SECURITY-PROCESS: mention the bountygraph program [42] |
| o VS projects: add USE_IPV6: [91] |
| o Windows: fixes for MinGW targeting Windows Vista [82] |
| o anyauthput: fix compiler warning on 64-bit Windows [21] |
| o appveyor: add WinSSL builds [81] |
| o appveyor: run test suite (on Windows!) [65] |
| o certs: generate tests certs with sha256 digest algorithm [37] |
| o checksrc: enable strict mode and warnings [63] |
| o checksrc: handle zero scoped ignore commands [62] |
| o cmake: Backport to work with CMake 3.0 again [55] |
| o cmake: Improve config installation [60] |
| o cmake: add support for transitive ZLIB target [113] |
| o cmake: disable -Wpedantic-ms-format [84] |
| o cmake: don't require OpenSSL if USE_OPENSSL=OFF [35] |
| o cmake: fixed path used in generation of docs/tests [56] |
| o cmake: remove unused *SOCKLEN_T variables [102] |
| o cmake: suppress MSVC warning C4127 for libtest |
| o cmake: test and set missed defines during configuration [64] |
| o comment: Fix multiple typos in function parameters [69] |
| o config: Remove unused SIZEOF_VOIDP [104] |
| o config_win32: enable LDAPS [92] |
| o configure: force-use -lpthreads on HPUX [41] |
| o configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T [101] |
| o configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE [53] |
| o cookies: Remove redundant expired check [14] |
| o cookies: fix leak when writing cookies to file [15] |
| o curl-config.in: remove dependency on bc [99] |
| o curl.1: --ipv6 mutexes ipv4 (fixed typo) [98] |
| o curl: enabled Windows VT Support and UTF-8 output [57] |
| o curl: update the documentation of --tlsv1.0 [17] |
| o curl_multi_wait: call getsock before figuring out timeout [34] |
| o curl_ntlm_wb: check aprintf() return codes [75] |
| o curl_threads: fix classic MinGW compile break [54] |
| o darwinssl: Fix realloc memleak [32] |
| o darwinssl: more specific and unified error codes [6] |
| o data-binary.d: clarify default content-type is x-www-form-urlencoded [71] |
| o docs/BUG-BOUNTY: explain the bounty program [76] |
| o docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers [89] |
| o docs/CIPHERS: fix the TLS 1.3 cipher names [95] |
| o docs/CIPHERS: mention the colon separation for OpenSSL [73] |
| o docs/examples: URL updates [45] |
| o docs: add "see also" links for SSL options [85] |
| o example/asiohiper: insert warning comment about its status [18] |
| o example/htmltidy: fix include paths of tidy libraries [52] |
| o examples/Makefile.m32: sync with core [44] |
| o examples/http2-pushinmemory: receive HTTP/2 pushed files in memory [33] |
| o examples/parseurl.c: show off the URL API [43] |
| o examples: Fix memory leaks from realloc errors [31] |
| o examples: do not wait when no transfers are running [16] |
| o ftp: include command in Curl_ftpsend sendbuffer [25] |
| o gskit: make sure to terminate version string [79] |
| o gtls: Values stored to but never read [97] |
| o hostip: fix check on Curl_shuffle_addr return value [77] |
| o http2: fix memory leaks on error-path [29] |
| o http: fix memleak in rewind error path [50] |
| o krb5: fix memory leak in krb_auth [25] |
| o ldap: show precise LDAP call in error message on Windows [83] |
| o lib: fix gcc8 warning on Windows [20] |
| o memory: add missing curl_printf header [30] |
| o memory: ensure to check allocation results [68] |
| o multi: Fix error handling in the SENDPROTOCONNECT state [112] |
| o multi: fix memory leak in content encoding related error path [59] |
| o multi: make the closure handle "inherit" CURLOPT_NOSIGNAL [90] |
| o netrc: free temporary strings if memory allocation fails [103] |
| o nss: fix nssckbi module loading on Windows [70] |
| o nss: try to connect even if libnssckbi.so fails to load [36] |
| o ntlm_wb: Fix memory leaks in ntlm_wb_response [24] |
| o ntlm_wb: bail out if the response gets overly large [13] |
| o openssl: assume engine support in 0.9.8 or later [27] |
| o openssl: enable TLS 1.3 post-handshake auth [47] |
| o openssl: fix gcc8 warning [19] |
| o openssl: load built-in engines too [48] |
| o openssl: make 'done' a proper boolean [97] |
| o openssl: output the correct cipher list on TLS 1.3 error [95] |
| o openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer [6] |
| o openssl: show "proper" version number for libressl builds [28] |
| o pipelining: deprecated [1] |
| o rand: add comment to skip a clang-tidy false positive |
| o rtmp: fix for compiling with lwIP [100] |
| o runtests: ignore disabled even when ranges are given [74] |
| o runtests: skip ld_preload tests on macOS [80] |
| o runtests: use Windows paths for Windows curl |
| o schannel: unified error code handling [6] |
| o sendf: Fix whitespace in infof/failf concatenation [26] |
| o ssh: free the session on init failures [96] |
| o ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code [6] |
| o system.h: use proper setting with Sun C++ as well [109] |
| o test1299: use single quotes around asterisk [72] |
| o test1452: mark as flaky [2] |
| o test1651: unit test Curl_extract_certinfo() [110] |
| o test320: strip out more HTML when comparing [66] |
| o tests/negtelnetserver.py: fix Python2-ism in neg TELNET server [67] |
| o tests: add unit tests for url.c [3] |
| o timeval: fix use of weak symbol clock_gettime() on Apple platforms [61] |
| o tool_cb_hdr: handle failure of rename() [94] |
| o travis: add a "make tidy" build that runs clang-tidy [105] |
| o travis: add build for "configure --disable-verbose" [93] |
| o travis: bump the Secure Transport build to use xcode [58] |
| o travis: make distcheck scan for BOM markers [86] |
| o unit1300: fix stack-use-after-scope AddressSanitizer warning [106] |
| o urldata: Fix "connecting" comment |
| o urlglob: improve error message on bad globs [22] |
| o vtls: fix ssl version "or later" behavior change for many backends [38] |
| o x509asn1: Fix SAN IP address verification [88] |
| o x509asn1: always check return code from getASN1Element() [110] |
| o x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert [6] |
| o x509asn1: suppress left shift on signed value [111] |
| |
| This release includes the following known bugs: |
| |
| o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html) |
| |
| This release would not have looked like this without help, code, reports and |
| advice from friends like these: |
| |
| Alexey Eremikhin, Brad King, Brian Carpenter, Christian Heimes, Colin Hogben, |
| Daniel Gustafsson, Daniel Shahaf, Daniel Stenberg, Dario Weißer, |
| Dave Reisner, Dima Pasechnik, Dmitry Kostjuchenko, Doron Behar, |
| Eason-Yu on github, Erik Minekus, Even Rouault, Gisle Vanem, Han Han, |
| Harry Sintonen, jakirkham on github, Jean Fabrice, Jim Fuller, Kamil Dudka, |
| Loganaden Velvindron, Marcel Raad, Marc Hörsken, Martin Ankerl, |
| Matthew Whitehead, Max Dymond, Maxime Legros, Michael Kaufmann, Nate Prewitt, |
| Nicklas Avén, Nick Zitzmann, Patrick Monnerat, Philipp Waehnert, Rainer Jung, |
| Ray Satiro, Rich Turner, Rick Deist, Ricky-Tigg on github, Rikard Falkeborn, |
| Ruslan Baratov, Sergei Nikulov, Shaun Jackman, Thomas Glanzmann, Tuomo Rinne, |
| Viktor Szakats, Yiming Jing, |
| (49 contributors) |
| |
| Thanks! (and sorry if I forgot to mention someone) |
| |
| References to bug reports and discussions on issues: |
| |
| [1] = https://curl.haxx.se/bug/?i=2705 |
| [2] = https://curl.haxx.se/bug/?i=2941 |
| [3] = https://curl.haxx.se/bug/?i=2937 |
| [4] = https://curl.haxx.se/bug/?i=2709 |
| [5] = https://curl.haxx.se/bug/?i=2942 |
| [6] = https://curl.haxx.se/bug/?i=2901 |
| [7] = https://curl.haxx.se/bug/?i=2668 |
| [8] = https://curl.haxx.se/bug/?i=2896 |
| [9] = https://curl.haxx.se/bug/?i=2789 |
| [10] = https://curl.haxx.se/bug/?i=2724 |
| [11] = https://curl.haxx.se/bug/?i=1641 |
| [12] = https://curl.haxx.se/bug/?i=2842 |
| [13] = https://curl.haxx.se/bug/?i=2959 |
| [14] = https://curl.haxx.se/bug/?i=2962 |
| [15] = https://curl.haxx.se/bug/?i=2957 |
| [16] = https://curl.haxx.se/bug/?i=2948 |
| [17] = https://curl.haxx.se/bug/?i=2955 |
| [18] = https://curl.haxx.se/bug/?i=2407 |
| [19] = https://curl.haxx.se/bug/?i=2980 |
| [20] = https://curl.haxx.se/bug/?i=2979 |
| [21] = https://curl.haxx.se/bug/?i=2972 |
| [22] = https://curl.haxx.se/bug/?i=2763 |
| [23] = https://curl.haxx.se/bug/?i=2984 |
| [24] = https://curl.haxx.se/bug/?i=2966 |
| [25] = https://curl.haxx.se/bug/?i=2985 |
| [26] = https://curl.haxx.se/bug/?i=2986 |
| [27] = https://curl.haxx.se/bug/?i=2983 |
| [28] = https://curl.haxx.se/bug/?i=2989 |
| [29] = https://curl.haxx.se/bug/?i=2992 |
| [30] = https://curl.haxx.se/bug/?i=2999 |
| [31] = https://curl.haxx.se/bug/?i=2991 |
| [32] = https://curl.haxx.se/bug/?i=3005 |
| [33] = https://curl.haxx.se/bug/?i=3004 |
| [34] = https://curl.haxx.se/bug/?i=2996 |
| [35] = https://curl.haxx.se/bug/?i=3001 |
| [36] = https://curl.haxx.se/bug/?i=3016 |
| [37] = https://curl.haxx.se/bug/?i=3014 |
| [38] = https://curl.haxx.se/bug/?i=2969 |
| [39] = https://curl.haxx.se/bug/?i=2971 |
| [40] = https://curl.haxx.se/bug/?i=3029 |
| [41] = https://curl.haxx.se/bug/?i=2697 |
| [42] = https://curl.haxx.se/bug/?i=3032 |
| [43] = https://curl.haxx.se/bug/?i=3030 |
| [44] = https://curl.haxx.se/bug/?i=3033 |
| [45] = https://curl.haxx.se/bug/?i=3036 |
| [46] = https://curl.haxx.se/bug/?i=3039 |
| [47] = https://curl.haxx.se/bug/?i=3026 |
| [48] = https://curl.haxx.se/bug/?i=3023 |
| [49] = https://curl.haxx.se/bug/?i=3042 |
| [50] = https://curl.haxx.se/bug/?i=3044 |
| [51] = https://curl.haxx.se/bug/?i=3046 |
| [52] = https://curl.haxx.se/bug/?i=3050 |
| [53] = https://curl.haxx.se/bug/?i=3006 |
| [54] = https://github.com/curl/curl/issues/2924#issuecomment-424334807 |
| [55] = https://curl.haxx.se/bug/?i=3055 |
| [56] = https://curl.haxx.se/bug/?i=3056 |
| [57] = https://curl.haxx.se/bug/?i=3008 |
| [58] = https://curl.haxx.se/bug/?i=3062 |
| [59] = https://curl.haxx.se/bug/?i=3063 |
| [60] = https://curl.haxx.se/bug/?i=2849 |
| [61] = https://curl.haxx.se/bug/?i=3048 |
| [62] = https://curl.haxx.se/bug/?i=3096 |
| [63] = https://curl.haxx.se/bug/?i=3090 |
| [64] = https://curl.haxx.se/bug/?i=3097 |
| [65] = https://curl.haxx.se/bug/?i=3100 |
| [66] = https://curl.haxx.se/bug/?i=3093 |
| [67] = https://curl.haxx.se/bug/?i=2929 |
| [68] = https://curl.haxx.se/bug/?i=3084 |
| [69] = https://curl.haxx.se/bug/?i=3079 |
| [70] = https://curl.haxx.se/bug/?i=3086 |
| [71] = https://curl.haxx.se/bug/?i=3085 |
| [72] = https://github.com/curl/curl/issues/1751#issuecomment-321522580 |
| [73] = https://curl.haxx.se/bug/?i=3077 |
| [74] = https://curl.haxx.se/bug/?i=3075 |
| [75] = https://curl.haxx.se/bug/?i=3111 |
| [76] = https://curl.haxx.se/bug/?i=3067 |
| [77] = https://curl.haxx.se/bug/?i=3110 |
| [78] = https://curl.haxx.se/bug/?i=3083 |
| [79] = https://curl.haxx.se/bug/?i=3105 |
| [80] = https://curl.haxx.se/bug/?i=2394 |
| [81] = https://curl.haxx.se/bug/?i=3104 |
| [82] = https://curl.haxx.se/bug/?i=3113 |
| [83] = https://curl.haxx.se/bug/?i=3118 |
| [84] = https://curl.haxx.se/bug/?i=3120 |
| [85] = https://curl.haxx.se/bug/?i=3121 |
| [86] = https://curl.haxx.se/bug/?i=3126 |
| [87] = https://curl.haxx.se/bug/?i=3124 |
| [88] = https://curl.haxx.se/bug/?i=3102 |
| [89] = https://curl.haxx.se/bug/?i=3159 |
| [90] = https://curl.haxx.se/bug/?i=3138 |
| [91] = https://curl.haxx.se/bug/?i=3137 |
| [92] = https://curl.haxx.se/bug/?i=3137 |
| [93] = https://curl.haxx.se/bug/?i=3144 |
| [94] = https://curl.haxx.se/bug/?i=3140 |
| [95] = https://curl.haxx.se/bug/?i=3178 |
| [96] = https://curl.haxx.se/bug/?i=3179 |
| [97] = https://curl.haxx.se/bug/?i=3176 |
| [98] = https://curl.haxx.se/bug/?i=3171 |
| [99] = https://curl.haxx.se/bug/?i=3143 |
| [100] = https://curl.haxx.se/bug/?i=3155 |
| [101] = https://curl.haxx.se/bug/?i=3168 |
| [102] = https://curl.haxx.se/bug/?i=3166 |
| [103] = https://curl.haxx.se/bug/?i=3122 |
| [104] = https://curl.haxx.se/bug/?i=3162 |
| [105] = https://curl.haxx.se/bug/?i=3182 |
| [106] = https://curl.haxx.se/bug/?i=3182 |
| [107] = https://curl.haxx.se/docs/CVE-2018-16839.html |
| [108] = https://curl.haxx.se/docs/CVE-2018-16840.html |
| [109] = https://curl.haxx.se/bug/?i=3181 |
| [110] = https://curl.haxx.se/bug/?i=3163 |
| [111] = https://curl.haxx.se/bug/?i=3163 |
| [112] = https://curl.haxx.se/bug/?i=3170 |
| [113] = https://curl.haxx.se/bug/?i=3123 |
| [114] = https://curl.haxx.se/docs/CVE-2018-16842.html |
