| Curl and libcurl 7.61.1 |
| |
| Public curl releases: 176 |
| Command line options: 218 |
| curl_easy_setopt() options: 258 |
| Public functions in libcurl: 74 |
| Contributors: 1787 |
| |
| This release includes the following bugfixes: |
| |
| o security advisory (CVE-2018-14618): NTLM password overflow via integer overflow [73] |
| o CURLINFO_SIZE_UPLOAD: fix missing counter update [46] |
| o CURLOPT_ACCEPT_ENCODING.3: list them comma-separated |
| o CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse [72] |
| o Curl_getoff_all_pipelines: improved for multiplexed [3] |
| o DEPRECATE: remove release date from 7.62.0 |
| o HTTP: Don't attempt to needlessly decompress redirect body [30] |
| o INTERNALS: require GnuTLS >= 2.11.3 [62] |
| o README.md: add LGTM.com code quality grade for C/C++ [42] |
| o SSLCERTS: improve the openssl command line |
| o Silence GCC 8 cast-function-type warnings [47] |
| o ares: check for NULL in completed-callback [3] |
| o asyn-thread: Remove unused macro [40] |
| o auth: only pick CURLAUTH_BEARER if we *have* a Bearer token [15] |
| o auth: pick Bearer authentication whenever a token is available [15] |
| o cmake: CMake config files are defining CURL_STATICLIB for static builds [54] |
| o cmake: Respect BUILD_SHARED_LIBS [35] |
| o cmake: Update scripts to use consistent style [9] |
| o cmake: bumped minimum version to 3.4 [34] |
| o cmake: link curl to the OpenSSL targets instead of lib absolute paths [34] |
| o configure: conditionally enable pedantic-errors [64] |
| o configure: fix for -lpthread detection with OpenSSL and pkg-config [38] |
| o conn: remove the boolean 'inuse' field [3] |
| o content_encoding: accept up to 4 unknown trailer bytes after raw deflate data [5] |
| o cookie tests: treat files as text |
| o cookies: support creation-time attribute for cookies [75] |
| o curl: Fix segfault when -H @headerfile is empty [23] |
| o curl: add http code 408 to transient list for --retry [78] |
| o curl: fix time-of-check, time-of-use race in dir creation [71] |
| o curl: use Content-Disposition before the "URL end" for -OJ [29] |
| o curl: warn the user if a given file name looks like an option [56] |
| o curl_threads: silence bad-function-cast warning [69] |
| o darwinssl: add support for ALPN negotiation [7] |
| o docs/CURLOPT_URL: fix indentation [20] |
| o docs/CURLOPT_WRITEFUNCTION: size is always 1 [19] |
| o docs/SECURITY-PROCESS: mention bounty, drop pre-notify |
| o docs/examples: add hiperfifo example using linux epoll/timerfd [21] |
| o docs: add disallow-username-in-url.d and haproxy-protocol.d to dist [50] |
| o docs: clarify NO_PROXY env variable functionality [70] |
| o docs: improved the manual pages of some callbacks [48] |
| o docs: mention NULL is fine input to several functions [43] |
| o formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT [40] |
| o gopher: Do not translate `?' to `%09' [67] |
| o header output: switch off all styles, not just unbold [8] |
| o hostip: fix unused variable warning |
| o http2: Use correct format identifier for stream_id [77] |
| o http2: abort the send_callback if not setup yet [63] |
| o http2: avoid set_stream_user_data() before stream is assigned [61] |
| o http2: check nghttp2_session_set_stream_user_data return code [55] |
| o http2: clear the drain counter in Curl_http2_done [27] |
| o http2: make sure to send after RST_STREAM [58] |
| o http2: separate easy handle from connections better [12] |
| o http: fix for tiny "HTTP/0.9" response [51] |
| o http_proxy: Remove unused macro SELECT_TIMEOUT [40] |
| o lib/Makefile: only do symbol hiding if told to [32] |
| o lib1502: fix memory leak in torture test [44] |
| o lib1522: fix curl_easy_setopt argument type |
| o libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation [66] |
| o mime: check Curl_rand_hex's return code [22] |
| o multi: always do the COMPLETED procedure/state [3] |
| o openssl: assume engine support in 1.0.0 or later [2] |
| o openssl: fix debug messages [39] |
| o projects: Improve Windows perl detection in batch scripts [49] |
| o retry: return error if rewind was necessary but didn't happen [28] |
| o reuse_conn(): memory leak - free old_conn->options [17] |
| o schannel: client certificate store opening fix [68] |
| o schannel: enable CALG_TLS1PRF for w32api >= 5.1 |
| o schannel: fix MinGW compile break [1] |
| o sftp: don't send post-qoute sequence when retrying a connection [79] |
| o smb: fix memory leak on early failure [26] |
| o smb: fix memory-leak in URL parse error path [4] |
| o smb_getsock: always wait for write socket too [11] |
| o ssh-libssh: fix infinite connect loop on invalid private key [53] |
| o ssh-libssh: reduce excessive verbose output about pubkey auth [53] |
| o ssh-libssh: use FALLTHROUGH to silence gcc8 [76] |
| o ssl: set engine implicitly when a PKCS#11 URI is provided [36] |
| o sws: handle EINTR when calling select() [24] |
| o system_win32: fix version checking [16] |
| o telnet: Remove unused macros TELOPTS and TELCMDS [40] |
| o test1143: disable MSYS2's POSIX path conversion [10] |
| o test1148: disable if decimal separator is not point [65] |
| o test1307: (fnmatch testing) disabled [31] |
| o test1422: add required file feature [6] |
| o test1531: Add timeout [41] |
| o test1540: Remove unused macro TEST_HANG_TIMEOUT [40] |
| o test214: disable MSYS2's POSIX path conversion for URL |
| o test320: treat curl320.out file as binary [14] |
| o tests/http_pipe.py: Use /usr/bin/env to find python |
| o tests: Don't use Windows path %PWD for SSH tests [74] |
| o tests: fixes for Windows line endlings [13] |
| o tool_operate: Fix setting proxy TLS 1.3 ciphers |
| o travis: build darwinssl on macos 10.12 to fix linker errors [33] |
| o travis: execute "set -eo pipefail" for coverage build [45] |
| o travis: run a 'make checksrc' too [25] |
| o travis: update to GCC-8 [52] |
| o travis: verify that man pages can be regenerated [50] |
| o upload: allocate upload buffer on-demand [60] |
| o upload: change default UPLOAD_BUFSIZE to 64KB [60] |
| o urldata: remove unused pipe_broke struct field [57] |
| o vtls: reinstantiate engine on duplicated handles [59] |
| o windows: implement send buffer tuning [37] |
| o wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random [18] |
| |
| This release includes the following known bugs: |
| |
| o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html) |
| |
| This release would not have looked like this without help, code, reports and |
| advice from friends like these: |
| |
| adnn on github, Anderson Toshiyuki Sasaki, Andrei Virtosu, Anton Gerasimov, |
| Bas van Schaik, Carie Pointer, Christopher Head, clbr on github, |
| Dan Fandrich, Daniel Gustafsson, Daniel Jeliński, Daniel Stenberg, |
| Darío Hereñú, Even Rouault, Harry Sintonen, Ihor Karpenko, Jakub Zakrzewski, |
| Jeffrey Walton, Jeroen Ooms, Johannes Schindelin, John Butterfield, |
| Josh Bialkowski, Kamil Dudka, Kirill Marchuk, Laurent Bonnans, |
| Leonardo Taccari, Marcel Raad, Markus Elfring, Michael Kaufmann, |
| Nick Zitzmann, Nikos Mavrogiannopoulos, Patrick Monnerat, Paul Howarth, |
| Przemysław Tomaszewski, pszemus on github, Ran Mozes, Ray Satiro, |
| Rikard Falkeborn, Rodger Combs, Ruslan Baratov, Sergei Nikulov, |
| Thomas Klausner, Tobias Blomberg, Viktor Szakats, Zero King, Zhaoyang Wu, |
| (46 contributors) |
| |
| Thanks! (and sorry if I forgot to mention someone) |
| |
| References to bug reports and discussions on issues: |
| |
| [1] = https://github.com/curl/curl/pull/2721#issuecomment-403636043 |
| [2] = https://curl.haxx.se/bug/?i=2732 |
| [3] = https://curl.haxx.se/bug/?i=2733 |
| [4] = https://curl.haxx.se/bug/?i=2740 |
| [5] = https://curl.haxx.se/bug/?i=2719 |
| [6] = https://curl.haxx.se/bug/?i=2741 |
| [7] = https://curl.haxx.se/bug/?i=2731 |
| [8] = https://curl.haxx.se/bug/?i=2736 |
| [9] = https://curl.haxx.se/bug/?i=2727 |
| [10] = https://curl.haxx.se/bug/?i=2765 |
| [11] = https://curl.haxx.se/bug/?i=2768 |
| [12] = https://curl.haxx.se/bug/?i=2751 |
| [13] = https://curl.haxx.se/bug/?i=2772 |
| [14] = https://curl.haxx.se/bug/?i=2776 |
| [15] = https://curl.haxx.se/bug/?i=2754 |
| [16] = https://curl.haxx.se/bug/?i=2792 |
| [17] = https://curl.haxx.se/bug/?i=2790 |
| [18] = https://curl.haxx.se/bug/?i=2784 |
| [19] = https://curl.haxx.se/bug/?i=2787 |
| [20] = https://curl.haxx.se/bug/?i=2788 |
| [21] = https://curl.haxx.se/bug/?i=2804 |
| [22] = https://curl.haxx.se/bug/?i=2795 |
| [23] = https://curl.haxx.se/bug/?i=2797 |
| [24] = https://curl.haxx.se/bug/?i=2808 |
| [25] = https://curl.haxx.se/bug/?i=2811 |
| [26] = https://curl.haxx.se/bug/?i=2769 |
| [27] = https://curl.haxx.se/bug/?i=2800 |
| [28] = https://curl.haxx.se/bug/?i=2801 |
| [29] = https://curl.haxx.se/bug/?i=2783 |
| [30] = https://curl.haxx.se/bug/?i=2798 |
| [31] = https://curl.haxx.se/bug/?i=2825 |
| [32] = https://curl.haxx.se/bug/?i=2830 |
| [33] = https://curl.haxx.se/bug/?i=2835 |
| [34] = https://curl.haxx.se/bug/?i=2753 |
| [35] = https://curl.haxx.se/bug/?i=2755 |
| [36] = https://curl.haxx.se/bug/?i=2333 |
| [37] = https://curl.haxx.se/mail/lib-2018-07/0080.html |
| [38] = https://curl.haxx.se/bug/?i=2848 |
| [39] = https://curl.haxx.se/bug/?i=2806 |
| [40] = https://curl.haxx.se/bug/?i=2852 |
| [41] = https://curl.haxx.se/bug/?i=2853 |
| [42] = https://curl.haxx.se/bug/?i=2857 |
| [43] = https://curl.haxx.se/bug/?i=2837 |
| [44] = https://curl.haxx.se/bug/?i=2861 |
| [45] = https://curl.haxx.se/bug/?i=2862 |
| [46] = https://curl.haxx.se/bug/?i=2847 |
| [47] = https://curl.haxx.se/bug/?i=2860 |
| [48] = https://curl.haxx.se/bug/?i=2868 |
| [49] = https://curl.haxx.se/bug/?i=2865 |
| [50] = https://curl.haxx.se/bug/?i=2856 |
| [51] = https://curl.haxx.se/bug/?i=2420 |
| [52] = https://curl.haxx.se/bug/?i=2869 |
| [53] = https://curl.haxx.se/bug/?i=2879 |
| [54] = https://curl.haxx.se/bug/?i=2817 |
| [55] = https://curl.haxx.se/bug/?i=2880 |
| [56] = https://curl.haxx.se/bug/?i=2885 |
| [57] = https://curl.haxx.se/bug/?i=2871 |
| [58] = https://curl.haxx.se/bug/?i=2882 |
| [59] = https://curl.haxx.se/bug/?i=2829 |
| [60] = https://curl.haxx.se/bug/?i=2892 |
| [61] = https://curl.haxx.se/bug/?i=2894 |
| [62] = https://curl.haxx.se/bug/?i=2890 |
| [63] = https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012 |
| [64] = https://curl.haxx.se/bug/?i=2747 |
| [65] = https://curl.haxx.se/bug/?i=2786 |
| [66] = https://curl.haxx.se/bug/?i=2904 |
| [67] = https://curl.haxx.se/bug/?i=2910 |
| [68] = https://curl.haxx.se/mail/lib-2018-08/0198.html |
| [69] = https://curl.haxx.se/bug/?i=2908 |
| [70] = https://curl.haxx.se/bug/?i=2773 |
| [71] = https://curl.haxx.se/bug/?i=2739 |
| [72] = https://curl.haxx.se/bug/?i=2915 |
| [73] = https://curl.haxx.se/docs/CVE-2018-14618.html |
| [74] = https://curl.haxx.se/bug/?i=2920 |
| [75] = https://curl.haxx.se/bug/?i=2524 |
| [76] = https://curl.haxx.se/bug/?i=2922 |
| [77] = https://curl.haxx.se/bug/?i=2928 |
| [78] = https://curl.haxx.se/bug/?i=2925 |
| [79] = https://curl.haxx.se/bug/?i=2939 |