Changes:
* nss: map CURL_SSLVERSION_DEFAULT to NSS default
* vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
* curl: introduce the --tlsv1.3 option to force TLS 1.3
* curl: Add --retry-connrefused
* proxy: Support HTTPS proxy and SOCKS+HTTP(s)
* add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
* curl: add --fail-early
Bugfixes:
* CVE-2016-9586: printf floating point buffer overflow
* curl -w: added more decimal digits to timing counters
* easy: Initialize info variables on easy init and duphandle
* http2: Don't send header fields prohibited by HTTP/2 spec
* ssh: check md5 fingerprints case insensitively (regression)
* openssl: initial TLS 1.3 adaptions
* SPNEGO: Fix memory leak when authentication fails
* realloc: use Curl_saferealloc to avoid common mistakes
* openssl: make sure to fail in the unlikely event that PRNG
seeding fails
* URL-parser: for file://[host]/ URLs, the [host] must be localhost
* timeval: prefer time_t to hold seconds instead of long
* glob: fix [a-c] globbing regression
* curl.1: Clarify --dump-header only writes received headers
* http2: Fix address sanitizer memcpy warning
* http2: Use huge HTTP/2 windows
* connects: Don't mix unix domain sockets with regular ones
* url: Fix conn reuse for local ports and interfaces
* x509: Limit ASN.1 structure sizes to 256K
* http2: check nghttp2_session_set_local_window_size exists
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=178
Changes:
* nss: additional cipher suites are now accepted by
CURLOPT_SSL_CIPHER_LIST
* New option: CURLOPT_KEEP_SENDING_ON_ERROR
Bugfixes:
* CVE-2016-8615: cookie injection for other servers
* CVE-2016-8616: case insensitive password comparison
* CVE-2016-8617: OOB write via unchecked multiplication
* CVE-2016-8618: double-free in curl_maprintf
* CVE-2016-8619: double-free in krb5 code
* CVE-2016-8620: glob parser write/read out of bounds
* CVE-2016-8621: curl_getdate read out of bounds
* CVE-2016-8622: URL unescape heap overflow via integer truncation
* CVE-2016-8623: Use-after-free via shared cookies
* CVE-2016-8624: invalid URL parsing with '#'
* CVE-2016-8625: IDNA 2003 makes curl use wrong host
* openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
* http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
* LICENSE-MIXING.md: update with mbedTLS dual licensing
* examples/imap-append: Set size of data to be uploaded
* test2048: fix url
* darwinssl: disable RC4 cipher-suite support
* CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
* openssl: don’t call CRYTPO_cleanup_all_ex_data
* libressl: fix version output
* easy: Reset all statistical session info in curl_easy_reset
* curl_global_cleanup.3: don't unload the lib with sub threads running
* dist: add CurlSymbolHiding.cmake to the tarball
* docs: Remove that --proto is just used for initial retrieval
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=176
Bugfixes:
* CVE-2016-7167: escape and unescape integer overflows
* mk-ca-bundle.pl: use SHA256 instead of SHA1
* checksrc: detect strtok() use
* errors: new alias CURLE_WEIRD_SERVER_REPLY
* http2: support > 64bit sized uploads
* openssl: fix bad memory free (regression)
* CMake: hide private library symbols
* http: refuse to pass on response body when NO_NODY is set
* cmake: fix curl-config --static-libs
* mbedtls: switch off NTLM in build if md4 isn't available
* curl: --create-dirs on windows groks both forward and
backward slashes
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=174
Bugfixes:
* mbedtls: Added support for NTLM
* SSH: fixed SFTP/SCP transfer problems
* multi: make Curl_expire() work with 0 ms timeouts
* mk-ca-bundle.pl: -m keeps ca cert meta data in output
* TFTP: Fix upload problem with piped input
* CURLOPT_TCP_NODELAY: now enabled by default
* mbedtls: set verbose TLS debug when MBEDTLS_DEBUG is defined
* http2: always wait for readable socket
* cmake: Enable win32 large file support by default
* cmake: Enable win32 threaded resolver by default
* winbuild: Avoid setting redundant CFLAGS to compile commands
* curl.h: make CURL_NO_OLDIES define CURL_STRICTER
* docs: make more markdown files use .md extension
* docs: CONTRIBUTE and LICENSE-MIXING were converted to markdown
* winbuild: Allow changing C compiler via environment variable CC
* rtsp: accept any RTSP session id
* HTTP: retry failed HEAD requests on reused connections too
* configure: add zlib search with pkg-config
* openssl: accept subjectAltName iPAddress if no dNSName match
* MANUAL: Remove invalid link to LDAP documentation
* socks: improved connection procedure
* proxy: reject attempts to use unsupported proxy schemes
* proxy: bring back use of "Proxy-Connection:"
* curl: allow "pkcs11:" prefix for client certificates
* spnego_sspi: fix memory leak in case *outlen is zero
* SOCKS: improve verbose output of SOCKS5 connection sequence
* SOCKS: display the hostname returned by the SOCKS5 proxy server
* http/sasl: Query authentication mechanism supported by SSPI before using
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=171
Bugfixes:
* TLS: switch off SSL session id when client cert is used
* TLS: only reuse connections with the same client cert
* curl_multi_cleanup: clear connection pointer for easy handles
* include the CURLINFO_HTTP_VERSION man page into the release tarball
* include the http2-server.pl script in the release tarball
* test558: fix test by stripping file paths from FD lines
* spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
* tests: Fix for http/2 feature
* cmake: Fix for schannel support
* curl.h: make public types void * again
* win32: fix a potential memory leak in Curl_load_library
* travis: fix OSX build by re-installing libtool
* mbedtls: Fix debug function name
- removed 0001-tests-distribute-the-http2-server.pl-script-too.patch
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=169
- update to 7.50.0
Changes:
* http: add CURLINFO_HTTP_VERSION and %{http_version}
Bugfixes:
* openssl: fix build with OPENSSL_NO_COMP
* cmake: Added missing mbedTLS support
* URL parser: allow URLs to use one, two or three slashes
* curl: fix -q [regression]
* openssl: Use correct buffer sizes for error messages
* curl: fix SIGSEGV while parsing URL with too many globs
* vtls: fix ssl session cache race condition
* http: Fix HTTP/2 connection reuse [regression]
* checksrc: Add LoadLibrary to the banned functions list
* configure: occasional ignorance of --enable-symbol-hiding with GCC
* http2: test17xx are the first real HTTP/2 tests
* resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
* curl_multi_socket_action.3: rewording
* CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
* cmake: Fix build with winldap
* openssl: fix cert check with non-DNS name fields present
* curl.1: mention the units for the progress meter
* openssl: use more 'const' to fix build warnings with 1.1.0 branch
* cmake: now using BUILD_TESTING=ON/OFF
* vtls: Only call add/getsession if session id is enabled
* headers: forward declare CURL, CURLM and CURLSH as structs
* configure: improve detection of CA bundle path on FreeBSD
* SFTP: set a generic error when no SFTP one exists
* curl_global_init.3: expand on the SSL and WIN32 bits purpose
* conn: don't free easy handle data in handler->disconnect
* cookie.c: Fix misleading indentation
OBS-URL: https://build.opensuse.org/request/show/412565
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=168
- update to 7.47.0
* fixes CVE-2016-0755 (bsc#962983)
(NTLM credentials not-checked for proxy connection re-use)
* drop curl-fix-zsh-completion.patch (upstream)
Changes:
* version: Add flag CURL_VERSION_PSL for libpsl
* http: added CURL_HTTP_VERSION_2TLS to do HTTP/2 for HTTPS only
* curl: use 2TLS by default
* curl --expect100-timeout: added
* Add .dir-locals and set c-basic-offset to 2 (for emacs)
OBS-URL: https://build.opensuse.org/request/show/356290
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=154
- Update to 7.43.0
* Added CURLOPT_PROXY_SERVICE_NAME
* Added CURLOPT_SERVICE_NAME
* New curl option: --proxy-service-name
* Mew curl option: --service-name
* New curl option: --data-raw
* Added CURLOPT_PIPEWAIT
* Added support for multiplexing transfers using HTTP/2, enable
this with the new CURLPIPE_MULTIPLEX bit for
CURLMOPT_PIPELINING
* HTTP/2: requires nghttp2 1.0.0 or later
* scripts: add zsh.pl for generating zsh completion
* curl.h: add CURL_HTTP_VERSION_2
* CVE-2015-3236: lingering HTTP credentials in connection re-use
* CVE-2015-3237: SMB send off unrelated memory contents
- Disable HTTP/2 as it would create build cycle
OBS-URL: https://build.opensuse.org/request/show/312733
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=135
- update to 7.40.0:
* fixes CVE-2014-8150 (bnc#911363)
* Changes:
http_digest: Added support for Windows SSPI based authentication
version info: Added Kerberos V5 to the supported features
Makefile: Added VC targets for WinIDN
config-win32: Introduce build targets for VS2012+
SSL: Add PEM format support for public key pinning
smtp: Added support for the conversion of Unix newlines during mail send
smb: Added initial support for the SMB/CIFS protocol
Added support for HTTP over unix domain sockets,
via CURLOPT_UNIX_SOCKET_PATH and --unix-socket
sasl: Added support for GSS-API based Kerberos V5 authentication
OBS-URL: https://build.opensuse.org/request/show/280328
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=121
- update to 7.39.0:
- changes:
SSLv3 is disabled by default
CURLOPT_COOKIELIST: Added "RELOAD" command
build: Added WinIDN build configuration options to Visual Studio projects
ssh: improve key file search
SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
vtls: remove QsoSSL support, use gskit!
mk-ca-bundle: added SHA-384 signature algorithm
docs: added many examples for libcurl opts and other doc improvements
build: Added VC ssh2 target to main Makefile
MinGW: Added support to build with nghttp2
NetWare: Added support to build with nghttp2
build: added Watcom support to build with WinSSL
build: Added optional specific version generation of VC project files
... and a bunch of bugfixes
- refreshed libcurl-ocloexec.patch
- removed gpg-offline verification
- spec-cleaned curl.spec
OBS-URL: https://build.opensuse.org/request/show/261640
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=117
- update to 7.38.0
* fixes CVE-2014-3613 (bnc#894575) and CVE-2014-3620 (bnc#895991)
* cookie leaks with IP address as domain and TLDs respectively
Changes:
supports HTTP/2 draft-14
CURLE_HTTP2 is a new error code
CURLAUTH_NEGOTIATE is a new auth define
CURL_VERSION_GSSAPI is a new capability bit
no longer use fbopenssl for anything
schannel: use CryptGenRandom for random numbers
axtls: define curlssl_random using axTLS's PRNG
cyassl: use RNG_GenerateBlock to generate a good random number
findprotocol: show unsupported protocol within quotes
version: detect and show LibreSSL
version: detect and show BoringSSL
imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
http2: requires nghttp2 0.6.0 or later
Bugfixes:
SECURITY ADVISORY: cookie leak with IP address as domain
SECURITY ADVISORY: cookie leak for TLDs
And many other fixes
OBS-URL: https://build.opensuse.org/request/show/248327
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=113
- update to 7.37.0
This release includes many bugfixes and the following changes:
* URL parser: IPv6 zone identifiers are now supported
* CURLOPT_PROXYHEADER: set headers for proxy-only
* CURLOPT_HEADEROPT: added
* curl: add --proxy-header
* sasl: Added support for DIGEST-MD5 via Windows SSPI
* sasl: Added DIGEST-MD5 qop-option validation in native challange handling
* imap: Expanded mailbox SEARCH support to use URL query strings [7]
* imap: Extended FETCH support to include PARTIAL URL specifier [7]
* nss: implement non-blocking SSL handshake
* build: Reworked Visual Studio project files
* poll: enable poll on darwin13
* mk-ca-bundle: added -p
* libtests: add a wait_ms() function
- dropped patches:
* curl-mkhelp.patch (upstream)
* curl-test815.patch (upstream)
OBS-URL: https://build.opensuse.org/request/show/236974
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=109
- update to 7.36
* fixes CVE-2014-0138 (bnc#868627) and CVE-2014-0139 (bnc#868629)
* NEW FEATURES:
ntlm: Added support for NTLMv2
tool: Added support for URL specific options
openssl: add ALPN support
gtls: add ALPN support
nss: add ALPN and NPN support
added CURLOPT_EXPECT_100_TIMEOUT_MS
tool: add --no-alpn and --no-npn
added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN
http2: build with current nghttp2 version
openssl: info message with SSL version used
* dropped curl-test172_cookie_expiration.patch (upstream)
* added patches to make it build:
- curl-mkhelp.patch
- curl-test815.patch
OBS-URL: https://build.opensuse.org/request/show/229525
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=106
- update to 7.35.0
* security fix:
CVE-2014-0015: re-use of wrong HTTP NTLM connection (bnc#858673)
* changes:
imap/pop3/smtp: Added support for SASL authentication downgrades
imap/pop3/smtp: Extended the login options to support multiple auth mechanisms
TheArtOfHttpScripting: major update, converted layout and more
mprintf: Added support for I, I32 and I64 size specifiers
makefile: Added support for VC7, VC11 and VC12
SSL: protocol version can be specified more precisely
imap/pop3/smtp: Added graceful cancellation of SASL authentication
Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
base64: Added validation of base64 input strings when decoding
curl_easy_setopt: Added the ability to set the login options separately
smtp: Added support for additional SMTP commands
curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
nss: allow to use TLS > 1.0 if built against recent NSS
SECURITY: added this document to describe our security processes
parseconfig: warn if unquoted white spaces are detected
* and many bugfixes
- fix test failure because of an expired cookie (bnc#862144)
* added curl-test172_cookie_expiration.patch
- refresh libcurl-ocloexec.patch
OBS-URL: https://build.opensuse.org/request/show/220853
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=102
- update to 7.33.0
* fixes CVE-2013-4545 (bnc#849596)
= curl: ssl cert checks unclear behaviour
o test code for testing the event based API
o CURLM_ADDED_ALREADY: new error code
o test TFTP server: support "writedelay" within <servercmd>
o krb4 support has been removed
o imap/pop3/smtp: added basic SASL XOAUTH2 support
o Pass password to OpenSSL engine by user interface
o c-ares: Add support for various DNS binding options
o cookies: add expiration
o curl: added --oauth2-bearer option
OBS-URL: https://build.opensuse.org/request/show/208925
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=100
- curl 7.32.0
* curl: allow timeouts to accept decimal values
* CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
* SIGPIPE: ignored while inside the library
* OpenSSL: check for read errors
* configure: automake 1.14 compatibility tweak
* curl_multi_wait: set revents for extra fds
* global dns cache: didn't work (regression)
* mk-ca-bundle.1: don't install on make install
OBS-URL: https://build.opensuse.org/request/show/186690
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=98
- update to 7.31.0
* includes fix for CVE-2013-2174 (bnc#824517)
* SECURITY VULNERABILITY: curl_easy_unescape() may parse data
beyond the end of the input buffer [26]
* Changes:
darwinssl: add TLS session resumption
darwinssl: add TLS crypto authentication
imap/pop3/smtp: Added support for ;auth= in the URL
imap/pop3/smtp: Added support for ;auth= to CURLOPT_USERPWD
usercertinmem.c: add example showing user cert in memory
url: Added smtp and pop3 hostnames to the protocol detection list
imap/pop3/smtp: Added support for enabling the SASL initial response
curl -E: allow to use ':' in certificate nicknames
OBS-URL: https://build.opensuse.org/request/show/180754
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=94
- update to 7.30.0
includes security fixes for CVE-2013-0249 and CVE-2013-1944
(bugs bnc#814655 and bnc#802411 respectively)
(dropped curl-CVE-2013-0249.patch)
- Changes:
imap: Changed response tag generation to be completely unique
imap: Added support for SASL-IR extension
imap: Added support for the list command
imap: Added support for the append command
imap: Added custom request parsing
imap: Added support to the fetch command for UID and SECTION properties
imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
imap/pop3/smtp: Added support for the STARTTLS capability
checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS
for new multi interface connection handling
Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE,
CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL
and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control
test: offer "automake" output and check for perl better
always-multi: always use non-blocking internals
imap: Added support for sasl digest-md5 authentication
imap: Added support for sasl cram-md5 authentication
imap: Added support for sasl ntlm authentication
imap: Added support for sasl login authentication
imap: Added support for sasl plain text authentication
imap: Added support for login disabled server capability
mk-ca-bundle: add -f, support passing to stdout and more
writeout: -w now supports remote_ip/port and local_ip/port
OBS-URL: https://build.opensuse.org/request/show/163742
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=92
