- Update to 8.0.0:
* Security fixes:
- TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
- SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
- FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
- GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
- HSTS double-free [bsc#1209213, CVE-2023-27537]
- SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
* Changes:
- build: remove support for curl_off_t < 8 bytes
* Bugfixes:
- aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
- BINDINGS: add Fortran binding
- cf-socket: use port 80 when resolving name for local bind
- cookie: don't load cookies again when flushing
- curl_path: create the new path with dynbuf
- CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
- DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
- ftp: active mode with SSL, add the filter
- hostip: avoid sscanf and extra buffer copies
- http2: fix for http2-prior-knowledge when reusing connections
- http2: fix handling of RST and GOAWAY to recognize partial transfers
- http: don't send 100-continue for short PUT requests
- http: fix unix domain socket use in https connects
- libssh: use dynbuf instead of realloc
- ngtcp2-gnutls.yml: bump to gnutls 3.8.0
- sectransp: make read_cert() use a dynbuf when loading
- telnet: only accept option arguments in ascii
- telnet: parse telnet options without sscanf
- url: fix the SSH connection reuse check
OBS-URL: https://build.opensuse.org/request/show/1073050
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=330
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
[bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
* Security fixes:
- CVE-2023-23914: HSTS ignored on multiple requests
- CVE-2023-23915: HSTS amnesia with --parallel
- CVE-2023-23916: HTTP multi-header compression denial of service
* Changes:
- curl.h: add CURL_HTTP_VERSION_3ONLY
- share: add sharing of HSTS cache among handles
- src: add --http3-only
- tool_operate: share HSTS between handles
- urlapi: add CURLU_PUNYCODE
- writeout: add %{certs} and %{num_certs}
* Bugfixes:
- cf-socket: keep sockaddr local in the socket filters
- cfilters:Curl_conn_get_select_socks: use the first non-connected filter
- curl.h: allow up to 10M buffer size
- curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
- curl/websockets.h: extend the websocket frame struct
- curl: output warning at --verbose output for debug-enabled version
- curl_free.3: fix return type of `curl_free`
- curl_log: for failf/infof and debug logging implementations
- dict: URL decode the entire path always
- docs/DEPRECATE.md: deprecate gskit
- easyoptions: fix header printing in generation script
- haxproxy: send before TLS handhshake
- hsts.d: explain hsts more
- hsts: handle adding the same host name again
- HTTP/[23]: continue upload when state.drain is set
- http: decode transfer encoding first
OBS-URL: https://build.opensuse.org/request/show/1066056
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=327
- Update to 7.87.0:
* Security fixes:
- CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
- CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
* Changes
- curl: add --url-query
- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
- lib: add CURL_WRITEFUNC_ERROR to signal write callback error
- openssl: reduce CA certificate bundle reparsing by caching
- version: add a feature names array to curl_version_info_data
* Bugfixes
- altsvc: fix rejection of negative port numbers
- aws_sigv4: consult x-%s-content-sha256 for payload hash
- aws_sigv4: fix typos in aws_sigv4.c
- base64: better alloc size
- base64: encode without using snprintf
- base64: faster base64 decoding
- build: assume assert.h is always available
- build: assume errno.h is always available
- c-hyper: CONNECT respones are not server responses
- c-hyper: fix multi-request mechanism
- CI: Change FreeBSD image from 12.3 to 12.4
- CI: LGTM.com will be shut down in December 2022
- ci: Remove zuul fuzzing job as it's superseded by CIFuzz
- cmake: check for cross-compile, not for toolchain
- CMake: fix build with `CURL_USE_GSSAPI`
- cmake: really enable warnings with clang
- cmake: set the soname on the shared library
- cmdline-opts/gen.pl: fix the linkifier
- cmdline-opts/page-footer: remove long option nroff formatting
OBS-URL: https://build.opensuse.org/request/show/1044030
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=325
- Update to 7.86.0:
* Security fixes:
- POST following PUT confusion [bsc#1204383, CVE-2022-32221]
- .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
- HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
- HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
* Changes:
- NPN: remove support for and use of
- Websockets: initial support
* Bugfixes:
- altsvc: reject bad port numbers
- autotools: reduce brute-force when detecting recv/send arg list
- aws_sigv4: fix header computation
- cli tool: do not use disabled protocols
- connect: change verbose IPv6 address:port to [address]:port
- connect: fix builds without AF_INET6
- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
- connect: fix the wrong error message on connect failures
- content_encoding: use writer struct subclasses for different encodings
- cookie: reject cookie names or content with TAB characters
- curl/add_file_name_to_url: use the libcurl URL parser
- curl/get_url_file_name: use libcurl URL parser
- curl: warn for --ssl use, considered insecure
- docs/libcurl/symbols-in-versions: add several missing symbols
- ftp: ignore a 550 response to MDTM
- functypes: provide the recv and send arg and return types
- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
- header: define public API functions as extern c
- headers: reset the requests counter at transfer start
- hostip: guard PF_INET6 use
OBS-URL: https://build.opensuse.org/request/show/1031305
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=321
- Update to 7.85.0:
* Security fixes: [bsc#1202593, CVE-2022-35252]
- control code in cookie denial of service
* Changes:
- quic: add support via wolfSSL
- schannel: Add TLS 1.3 support
- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
* Bugfixes:
- asyn-thread: fix socket leak on OOM
- asyn-thread: make getaddrinfo_complete return CURLcode
- base64: base64url encoding has no padding
- configure: fix broken m4 syntax in TLS options
- configure: if asked to use TLS, fail if no TLS lib was detected
- connect: add quic connection information
- connect: set socktype/protocol correctly
- cookie: reject cookies with "control bytes"
- cookie: treat a blank domain in Set-Cookie: as non-existing
- curl: output warning when a cookie is dropped due to size
- Curl_close: call Curl_resolver_cancel to avoid memory-leak
- digest: fix memory leak, fix not quoted 'opaque'
- digest: fix missing increment of 'nc' value for auth-int
- digest: pass over leading spaces in qop values
- digest: reject broken header with session protocol but without qop
- doh: use https protocol by default
- easy_lock.h: include sched.h if available to fix build
- easy_lock.h: use __asm__ instead of asm to fix build
- easy_lock: switch to using atomic_int instead of bool
- ftp: use a correct expire ID for timer expiry
- h2h3: fix overriding the 'TE: Trailers' header
- hostip: resolve *.localhost to 127.0.0.1/::1
OBS-URL: https://build.opensuse.org/request/show/1000420
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=317
- Update to 7.84.0:
* Security fixes:
- (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
- (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
- (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
- (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
* Changes:
- curl: add --rate to set max request rate per time unit
- curl: deprecate --random-file and --egd-file
- curl_version_info: add CURL_VERSION_THREADSAFE
- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
- lib: make curl_global_init() threadsafe when possible
- libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
- opts: deprecate RANDOM_FILE and EGDSOCKET
- socks: support unix sockets for socks proxy
* Bugfixes:
- aws-sigv4: fix potentional NULL pointer arithmetic
- bindlocal: don't use a random port if port number would wrap
- c-hyper: mark status line as status for Curl_client_write()
- ci: avoid `cmake -Hpath`
- CI: bump FreeBSD 13.0 to 13.1
- ci: update github actions
- cmake: add libpsl support
- cmake: do not add libcurl.rc to the static libcurl library
- cmake: enable curl.rc for all Windows targets
- cmake: fix detecting libidn2
- cmake: support adding a suffix to the OS value
- configure: skip libidn2 detection when winidn is used
- configure: use the SED value to invoke sed
- configure: warn about rustls being experimental
OBS-URL: https://build.opensuse.org/request/show/985355
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=314
- Patches rework:
* Refreshed all patches as -p1.
* Use autopatch macro.
* Renamed:
- dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
* Removed (already upstream):
- curl-fix-verifyhost.patch
- Update to 7.83.0:
* Security fixes:
- (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
- (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
- (bsc#1198608, CVE-2022-27774) Credential leak on redirect
- (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
* Changes:
- curl: add %header{name} experimental support in -w handling
- curl: add %{header_json} experimental support in -w handling
- curl: add --no-clobber
- curl: add --remove-on-error
- header api: add curl_easy_header and curl_easy_nextheader
- msh3: add support for QUIC and HTTP/3 using msh3
* Bugfixes:
- appveyor: add Cygwin build
- appveyor: only add MSYS2 to PATH where required
- BearSSL: add CURLOPT_SSL_CIPHER_LIST support
- BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
- BINDINGS.md: add Hollywood binding
- CI: Do not use buildconf. Instead, just use: autoreconf -fi
- CI: install Python package impacket to run SMB test 1451
- configure.ac: move -pthread CFLAGS setting back where it used to be
- configure: bump the copyright year range int the generated output
OBS-URL: https://build.opensuse.org/request/show/973058
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=310
- update to 7.81.0:
* mime: use percent-escaping for multipart form field and file names
* asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
* azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
* BINDINGS: add cURL client for PostgreSQL
* BINDINGS: add one from Everything curl and update a link
* checksrc: detect more kinds of NULL comparisons we avoid
* CI: build examples for additional code verification
* CI: bump job to use mbedtls 3.1.0
* cmake: don't set _USRDLL on a static Windows build
* cmake: prevent dev warning due to mismatched arg
* cmake: private identifiers use CURL_ instead of CMAKE_ prefix
* config.d: update documentation to match the path search
* configure: add -lm to configure for rustls build.
* configure: better diagnostics if hyper is built wrong
* configure: don't enable TLS when --without-* flags are used
* configure: fix runtime-lib detection on macOS
* curl.1: require "see also" for every documented option
* curl: improve error message for --head with -J
* curl_easy_cleanup.3: remove from multi handle first
* curl_easy_escape.3: call curl_easy_cleanup in example
* curl_easy_unescape.3: call curl_easy_cleanup in example
* curl_multi_init.3: fix EXAMPLE formatting
* curl_multi_perform/socket_action.3: clarify what errors mean
* curl_share_setopt.3: split out options into their own manpages
* CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
* digest: compute user:realm:pass digest w/o userhash
* docs/checksrc: Add documentation for STRERROR
* docs/cmdline-opts: do not say "protocols: all"
* docs/examples: workaround broken -Wno-pedantic-ms-format
OBS-URL: https://build.opensuse.org/request/show/945157
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=305
- Update to 7.80.0:
* Changes:
- CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
- CURLOPT_PREREQFUNCTION: add new callback
- libssh2: add SHA256 fingerprint support
- urlapi: add curl_url_strerror()
* Bugfixes:
- aws-sigv4: make signature work when post data is binary
- c-hyper: don't abort CONNECT responses early when auth-in-progress
- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
- cmake: add CURL_ENABLE_SSL option
- cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
- configure.ac: replace krb5-config with pkg-config
- configure: when hyper is selected, deselect nghttp2
- curl-confopts.m4: remove --enable/disable-hidden-symbols
- curl-openssl.m4: modify library order for openssl linking
- curl_ntlm_core: use OpenSSL only if DES is available
- Curl_updateconninfo: store addresses for QUIC connections too
- ftp: make the MKD retry to retry once per directory
- http: fix Basic auth with empty name field in URL
- http: reject HTTP response codes < 100
- http: remove assert that breaks hyper
- http: set content length earlier
- imap: display quota information
- libssh2: Get the version at runtime if possible
- md5: fix compilation with OpenSSL 3.0 API
- ngtcp2: advertise h3 as well as h3-29
- ngtcp2: compile with the latest nghttp3
- ngtcp2: use latest QUIC TLS RFC9001
- NTLM: use DES_set_key_unchecked with OpenSSL
OBS-URL: https://build.opensuse.org/request/show/931828
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=304
- Update to 7.79.1:
* Bugfixes:
- Curl_http2_setup: don't change connection data on repeat invokes
- curl_multi_fdset: make FD_SET() not operate on sockets out of range
- dist: provide lib/.checksrc in the tarball
- FAQ: add GOPHERS + curl works on data, not files
- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
- hsts: handle unlimited expiry
- http: fix the broken >3 digit response code detection
- strerror: use sys_errlist instead of strerror on Windows
- test1184: disable: https://github.com/curl/curl/issues/7725
- tests/sshserver.pl: make it work with openssh-8.7p1
OBS-URL: https://build.opensuse.org/request/show/921012
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=303
- Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
[bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
* Changes:
- bearssl: support CURLOPT_CAINFO_BLOB
- http: consider cookies over localhost to be secure
- secure transport: support CURLINFO_CERTINFO
* Bugfixes:
- CVE-2021-22945: clear the leftovers pointer when sending succeeds
- CVE-2021-22946: do not ignore --ssl-reqd
- CVE-2021-22947: reject STARTTLS server response pipelining
- auth: do not append zero-terminator to authorisation id in kerberos
- auth: properly handle byte order in kerberos security message
- auth: use sasl authzid option in kerberos
- auth: we do not support a security layer after kerberos authentication
- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
- c-hyper: initial step for 100-continue support
- c-hyper: initial support for "dumping" 1xx HTTP responses
- curl-openssl.m4: show correct output for OpenSSL v3
- docs/MQTT: update state of username/password support
- docs: the security list is reached at security at curl.se now
- getparameter: fix the --local-port number parser
- hostip: Make Curl_ipv6works function independent of getaddrinfo
- http_proxy: fix the User-Agent inclusion in CONNECT
- http_proxy: fix user-agent and custom headers for CONNECT with hyper
- http_proxy: only wait for writable socket while sending request
- mailing lists: move from cool.haxx.se to lists.haxx.se
- mbedtls: avoid using a large buffer on the stack
- mbedTLS: initial 3.0.0 support
- ngtcp2: remove the acked_crypto_offset struct field init
OBS-URL: https://build.opensuse.org/request/show/919068
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=301
- Update to 7.78.0:
[bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
[bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
* Changes:
- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
- hostip: make 'localhost' return fixed values
- mbedtls: add support for cert and key blob options
- metalink: remove all support for it
- mqtt: add support for username and password
* Bugfixes:
- ares: always store IPv6 addresses first
- c-hyper: abort CONNECT response reading early on non 2xx responses
- c-hyper: add support for transfer-encoding in the request
- c-hyper: bail on too long response headers
- c-hyper: clear NTLM auth buffer when request is issued
- c-hyper: fix NTLM on closed connection tested with test159
- conncache: lowercase the hash key for better match
- curl_multibyte: Remove local encoding fallbacks
- Curl_ntlm_core_mk_nt_hash: fix OOM in error path
- Curl_ssl_getsessionid: fail if no session cache exists
- easy: during upkeep, attach Curl_easy to connections in the cache
- gnutls: set the preferred TLS versions in correct order
- hsts: ignore numberical IP address hosts
- HSTS: not experimental anymore
- http2: init recvbuf struct for pushed streams
- http: fix crash in rate-limited upload
- http: make the haproxy support work with unix domain sockets
- http_proxy: deal with non-200 CONNECT response with Hyper
- lib: don't compare fd to FD_SETSIZE when using poll
OBS-URL: https://build.opensuse.org/request/show/907429
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=300
- Update to 7.77.0: [bsc#1186114, CVE-2021-22898]
[bsc#1186115, bsc#1185579, CVE-2021-22901]
* Security fixes:
- CVE-2021-22297: schannel cipher selection surprise
- CVE-2021-22298: TELNET stack contents disclosure
- CVE-2021-22901: TLS session caching disaster
* Changes:
- configure: make the TLS library choice(s) explicit
- curl: ignore options asking for SSLv2 or SSLv3
- hsts: enable by default
- SSL: support in-memory CA certs for some backends
- vtls: refuse setting any SSL version
* Bugfixes:
- configure: provide --with-openssl, deprecate --with-ssl
- cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
- curl: include libmetalink version in --version output
- data_pending: check only SECONDARY socket for FTP(S) transfers
- gnutls: don't allow TLS 1.3 for versions that don't support it
- gnutls: make setting only the MAX TLS allowed version work
- http2: fix resource leaks in set_transfer_url() and push_promise()
- http: limit the initial send amount to used upload buffer size
- rustls: only return CURLE_AGAIN when TLS session is fully drained
- rustls: use ALPN
- schannel: Disable auto credentials; add an option to enable it
- schannel: Support strong crypto option
- sectransp: allow cipher name to be specified
- sockfilt: avoid getting stuck waiting for writable socket
OBS-URL: https://build.opensuse.org/request/show/895500
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=298
- Update to 7.76.0
* Security fixes:
- [bsc#1183933, CVE-2021-22876]: strip credentials from the
auto-referer header field
- [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to
Curl_ssl_get/addsessionid()
* Changes:
- cookies: Support multiple -b parameters
- curl: add --fail-with-body
- doh: add options to disable ssl verification
- http: add support to read and store the referrer header
- sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
- vtls: initial implementation of rustls backend
* Bugfixes:
- CVE-2021-22876: strip credentials from the auto-referer header field
- CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
- c-hyper: support automatic content-encoding
- configure: only add OpenSSL paths if they are defined
- configure: provide Largefile feature for curl-config
- curl: set CURLOPT_NEW_FILE_PERMS if requested
- doh: Fix sharing user's resolve list with DOH handles
- doh: Inherit CURLOPT_STDERR from user's easy handle
- dynbuf: bump the max HTTP request to 1MB
- ftp: add 'list_only' to the transfer state struct
- ftp: add 'prefer_ascii' to the transfer state struct
- ftp: allow SIZE to fail when doing (resumed) upload
- ftp: avoid SIZE when asking for a TYPE A file
- ftp: fix memory leak in ftp_done
- ftp: never set data->set.ftp_append outside setopt
- gnutls: assume nettle crypto support
OBS-URL: https://build.opensuse.org/request/show/882316
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=294
- Update to 7.75.0
* Changes:
- curl: add --create-file-mode [mode]
- curl: add new variables to --write-out
- dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
- gopher: implement secure gopher protocol
- http: add Hyper as new optional HTTP backend
- http: introduce AWS HTTP v4 Signature support
* Bugfixes:
- cmake: Add an option to disable libidn2
- cmake: enable gophers correctly in curl-config
- cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
- digest_sspi: Show InitializeSecurityContext errors in verbose mode
- getinfo: build with disabled HTTP support
- http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
- http_proxy: Fix CONNECT chunked encoding race condition
- httpauth: make multi-request auth work with custom port
- lib: pass in 'struct Curl_easy *' to most functions
- lib: remove Curl_ prefix from many static functions
- lib: save a bit of space with some structure packing
- libssh: avoid plain free() of libssh-memory
- mime: make sure setting MIMEPOST to NULL resets properly
- multi_runsingle: bail out early on data->conn == NULL
- ngtcp2: Fix http3 upload stall
- ngtcp2: Fix stack buffer overflow
- openssl: lowercase the hostname before using it for SNI
- socks: use the download buffer instead
- speedcheck: exclude paused transfers
- tooĺ_writeout: fix the -w time output units
- url: if IDNA conversion fails, fallback to Transitional
OBS-URL: https://build.opensuse.org/request/show/869220
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=291
