| curl and libcurl 7.64.0 |
| |
| Public curl releases: 179 |
| Command line options: 220 |
| curl_easy_setopt() options: 265 |
| Public functions in libcurl: 80 |
| Contributors: 1875 |
| |
| This release includes the following changes: |
| |
| o cookies: leave secure cookies alone [3] |
| o hostip: support wildcard hosts [23] |
| o http: Implement trailing headers for chunked transfers [7] |
| o http: added options for allowing HTTP/0.9 responses [10] |
| o timeval: Use high resolution timestamps on Windows [19] |
| |
| This release includes the following bugfixes: |
| |
| o CVE-2018-16890: NTLM type-2 out-of-bounds buffer read [67] |
| o CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow [68] |
| o CVE-2019-3823: SMTP end-of-response out-of-bounds read [66] |
| o FAQ: remove mention of sourceforge for github [22] |
| o OS400: handle memory error in list conversion [4] |
| o OS400: upgrade ILE/RPG binding. |
| o README: add codacy code quality badge |
| o Revert http_negotiate: do not close connection [31] |
| o THANKS: added several missing names from year <= 2000 |
| o build: make 'tidy' target work for metalink builds |
| o cmake: added checks for variadic macros [47] |
| o cmake: updated check for HAVE_POLL_FINE to match autotools [39] |
| o cmake: use lowercase for function name like the rest of the code [20] |
| o configure: detect xlclang separately from clang [41] |
| o configure: fix recv/send/select detection on Android [53] |
| o configure: rewrite --enable-code-coverage [61] |
| o conncache_unlock: avoid indirection by changing input argument type |
| o cookie: fix comment typo [44] |
| o cookies: allow secure override when done over HTTPS [34] |
| o cookies: extend domain checks to non psl builds [12] |
| o cookies: skip custom cookies when redirecting cross-site [36] |
| o curl --xattr: strip credentials from any URL that is stored [33] |
| o curl -J: refuse to append to the destination file [14] |
| o curl/urlapi.h: include "curl.h" first [30] |
| o curl_multi_remove_handle() don't block terminating c-ares requests [32] |
| o darwinssl: accept setting max-tls with default min-tls [6] |
| o disconnect: separate connections and easy handles better [18] |
| o disconnect: set conn->data for protocol disconnect |
| o docs/version.d: mention MultiSSL [26] |
| o docs: fix the --tls-max description [2] |
| o docs: use $(INSTALL_DATA) to install man page [64] |
| o docs: use meaningless port number in CURLOPT_LOCALPORT example [58] |
| o gopher: always include the entire gopher-path in request [5] |
| o http2: clear pause stream id if it gets closed [8] |
| o if2ip: remove unused function Curl_if_is_interface_name [9] |
| o libssh: do not let libssh create socket [63] |
| o libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh [62] |
| o libssh: free sftp_canonicalize_path() data correctly [17] |
| o libtest/stub_gssapi: use "real" snprintf [27] |
| o mbedtls: use VERIFYHOST [15] |
| o multi: multiplexing improvements [35] |
| o multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time [57] |
| o ntlm: fix NTMLv2 compliance [25] |
| o ntlm_sspi: add support for channel binding [54] |
| o openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated [46] |
| o openssl: fix the SSL_get_tlsext_status_ocsp_resp call [40] |
| o openvms: fix OpenSSL discovery on VAX [21] |
| o openvms: fix typos in documentation |
| o os400: add a missing closing bracket [50] |
| o os400: fix extra parameter syntax error [50] |
| o pingpong: change default response timeout to 120 seconds |
| o pingpong: ignore regular timeout in disconnect phase [16] |
| o printf: fix format specifiers [28] |
| o runtests.pl: Fix perl call to include srcdir [65] |
| o schannel: fix compiler warning [29] |
| o schannel: preserve original certificate path parameter [52] |
| o schannel: stop calling it "winssl" [56] |
| o sigpipe: if mbedTLS is used, ignore SIGPIPE [59] |
| o smb: fix incorrect path in request if connection reused [13] |
| o ssh: log the libssh2 error message when ssh session startup fails [55] |
| o test1558: verify CURLINFO_PROTOCOL on file:// transfer [51] |
| o test1561: improve test name |
| o test1653: make it survive torture tests |
| o tests: allow tests to pass by 2037-02-12 [38] |
| o tests: move objnames-* from lib into tests [42] |
| o timediff: fix math for unsigned time_t [37] |
| o timeval: Disable MSVC Analyzer GetTickCount warning [60] |
| o tool_cb_prg: avoid integer overflow [49] |
| o travis: added cmake build for osx [43] |
| o urlapi: Fix port parsing of eol colon [1] |
| o urlapi: distinguish possibly empty query [5] |
| o urlapi: fix parsing ipv6 with zone index [24] |
| o urldata: rename easy_conn to just conn [48] |
| o winbuild: conditionally use /DZLIB_WINAPI [45] |
| o wolfssl: fix memory-leak in threaded use [11] |
| o spnego_sspi: add support for channel binding [69] |
| |
| This release includes the following known bugs: |
| |
| o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html) |
| |
| This release would not have looked like this without help, code, reports and |
| advice from friends like these: |
| |
| Alessandro Ghedini, Andrei Neculau, Archangel SDY, Ayoub Boudhar, Ben Kohler, |
| Bernhard M. Wiedemann, Brad Spencer, Brian Carpenter, Claes Jakobsson, |
| Daniel Gustafsson, Daniel Stenberg, David Garske, dnivras on github, |
| Eric Rosenquist, Etienne Simard, Felix Hädicke, Florian Pritz, |
| Frank Gevaerts, Giorgos Oikonomou, Gisle Vanem, GitYuanQu on github, |
| Haibo Huang, Harry Sintonen, Helge Klein, Huzaifa Sidhpurwala, |
| jasal82 on github, Jeremie Rapin, Jeroen Ooms, Joel Depooter, John Marshall, |
| jonrumsey on github, Julian Z, Kamil Dudka, Katsuhiko YOSHIDA, Kees Dekker, |
| Ladar Levison, Leonardo Taccari, Marcel Raad, Markus Moeller, |
| masbug on github, Matus Uzak, Michael Kujawa, Patrick Monnerat, Pavel Pavlov, |
| Peng Li, Ray Satiro, Rikard Falkeborn, Ruslan Baratov, Sergei Nikulov, |
| Shlomi Fish, Tobias Lindgren, Tom van der Woerdt, Viktor Szakats, |
| Wenxiang Qian, William A. Rowe Jr, Zhao Yisha, |
| (56 contributors) |
| |
| Thanks! (and sorry if I forgot to mention someone) |
| |
| References to bug reports and discussions on issues: |
| |
| [1] = https://curl.haxx.se/bug/?i=3365 |
| [2] = https://curl.haxx.se/bug/?i=3368 |
| [3] = https://curl.haxx.se/bug/?i=2956 |
| [4] = https://curl.haxx.se/bug/?i=3372 |
| [5] = https://curl.haxx.se/bug/?i=3369 |
| [6] = https://curl.haxx.se/bug/?i=3367 |
| [7] = https://curl.haxx.se/bug/?i=3350 |
| [8] = https://curl.haxx.se/bug/?i=3392 |
| [9] = https://curl.haxx.se/bug/?i=3401 |
| [10] = https://curl.haxx.se/bug/?i=2873 |
| [11] = https://curl.haxx.se/bug/?i=3395 |
| [12] = https://curl.haxx.se/bug/?i=2964 |
| [13] = https://curl.haxx.se/bug/?i=3388 |
| [14] = https://curl.haxx.se/bug/?i=3380 |
| [15] = https://curl.haxx.se/bug/?i=3376 |
| [16] = https://curl.haxx.se/bug/?i=3264 |
| [17] = https://curl.haxx.se/bug/?i=3402 |
| [18] = https://curl.haxx.se/bug/?i=3400 |
| [19] = https://curl.haxx.se/bug/?i=3318 |
| [20] = https://curl.haxx.se/bug/?i=3196 |
| [21] = https://curl.haxx.se/bug/?i=3407 |
| [22] = https://curl.haxx.se/bug/?i=3410 |
| [23] = https://curl.haxx.se/bug/?i=3406 |
| [24] = https://curl.haxx.se/bug/?i=3411 |
| [25] = https://curl.haxx.se/bug/?i=3286 |
| [26] = https://curl.haxx.se/bug/?i=3432 |
| [27] = https://curl.haxx.se/mail/lib-2019-01/0000.html |
| [28] = https://curl.haxx.se/bug/?i=3426 |
| [29] = https://curl.haxx.se/bug/?i=3435 |
| [30] = https://curl.haxx.se/bug/?i=3438 |
| [31] = https://curl.haxx.se/bug/?i=3384 |
| [32] = https://curl.haxx.se/bug/?i=3371 |
| [33] = https://curl.haxx.se/bug/?i=3423 |
| [34] = https://curl.haxx.se/bug/?i=3445 |
| [35] = https://curl.haxx.se/bug/?i=3436 |
| [36] = https://curl.haxx.se/bug/?i=3417 |
| [37] = https://curl.haxx.se/bug/?i=3449 |
| [38] = https://curl.haxx.se/bug/?i=3443 |
| [39] = https://curl.haxx.se/bug/?i=3292 |
| [40] = https://curl.haxx.se/bug/?i=3477 |
| [41] = https://curl.haxx.se/bug/?i=3474 |
| [42] = https://curl.haxx.se/bug/?i=3470 |
| [43] = https://curl.haxx.se/bug/?i=3468 |
| [44] = https://curl.haxx.se/bug/?i=3469 |
| [45] = https://curl.haxx.se/bug/?i=3133 |
| [46] = https://curl.haxx.se/bug/?i=3462 |
| [47] = https://curl.haxx.se/bug/?i=3459 |
| [48] = https://curl.haxx.se/bug/?i=3442 |
| [49] = https://curl.haxx.se/bug/?i=3456 |
| [50] = https://curl.haxx.se/bug/?i=3453 |
| [51] = https://curl.haxx.se/bug/?i=3447 |
| [52] = https://curl.haxx.se/bug/?i=3480 |
| [53] = https://curl.haxx.se/bug/?i=3484 |
| [54] = https://curl.haxx.se/bug/?i=3280 |
| [55] = https://curl.haxx.se/bug/?i=3481 |
| [56] = https://curl.haxx.se/bug/?i=3504 |
| [57] = https://curl.haxx.se/mail/lib-2019-01/0073.html |
| [58] = https://curl.haxx.se/bug/?i=3513 |
| [59] = https://curl.haxx.se/bug/?i=3502 |
| [60] = https://curl.haxx.se/bug/?i=3437 |
| [61] = https://curl.haxx.se/bug/?i=3497 |
| [62] = https://curl.haxx.se/bug/?i=3493 |
| [63] = https://curl.haxx.se/bug/?i=3491 |
| [64] = https://curl.haxx.se/bug/?i=3518 |
| [65] = https://curl.haxx.se/bug/?i=3496 |
| [66] = https://curl.haxx.se/docs/CVE-2019-3823.html |
| [67] = https://curl.haxx.se/docs/CVE-2018-16890.html |
| [68] = https://curl.haxx.se/docs/CVE-2019-3822.html |
| [69] = https://curl.haxx.se/bug/?i=3503 |