- Update to 8.0.0:
* Security fixes:
- TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
- SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
- FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
- GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
- HSTS double-free [bsc#1209213, CVE-2023-27537]
- SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
* Changes:
- build: remove support for curl_off_t < 8 bytes
* Bugfixes:
- aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
- BINDINGS: add Fortran binding
- cf-socket: use port 80 when resolving name for local bind
- cookie: don't load cookies again when flushing
- curl_path: create the new path with dynbuf
- CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
- DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
- ftp: active mode with SSL, add the filter
- hostip: avoid sscanf and extra buffer copies
- http2: fix for http2-prior-knowledge when reusing connections
- http2: fix handling of RST and GOAWAY to recognize partial transfers
- http: don't send 100-continue for short PUT requests
- http: fix unix domain socket use in https connects
- libssh: use dynbuf instead of realloc
- ngtcp2-gnutls.yml: bump to gnutls 3.8.0
- sectransp: make read_cert() use a dynbuf when loading
- telnet: only accept option arguments in ascii
- telnet: parse telnet options without sscanf
- url: fix the SSH connection reuse check
OBS-URL: https://build.opensuse.org/request/show/1073050
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=330
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
[bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
* Security fixes:
- CVE-2023-23914: HSTS ignored on multiple requests
- CVE-2023-23915: HSTS amnesia with --parallel
- CVE-2023-23916: HTTP multi-header compression denial of service
* Changes:
- curl.h: add CURL_HTTP_VERSION_3ONLY
- share: add sharing of HSTS cache among handles
- src: add --http3-only
- tool_operate: share HSTS between handles
- urlapi: add CURLU_PUNYCODE
- writeout: add %{certs} and %{num_certs}
* Bugfixes:
- cf-socket: keep sockaddr local in the socket filters
- cfilters:Curl_conn_get_select_socks: use the first non-connected filter
- curl.h: allow up to 10M buffer size
- curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
- curl/websockets.h: extend the websocket frame struct
- curl: output warning at --verbose output for debug-enabled version
- curl_free.3: fix return type of `curl_free`
- curl_log: for failf/infof and debug logging implementations
- dict: URL decode the entire path always
- docs/DEPRECATE.md: deprecate gskit
- easyoptions: fix header printing in generation script
- haxproxy: send before TLS handhshake
- hsts.d: explain hsts more
- hsts: handle adding the same host name again
- HTTP/[23]: continue upload when state.drain is set
- http: decode transfer encoding first
OBS-URL: https://build.opensuse.org/request/show/1066056
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=327
- Update to 7.87.0:
* Security fixes:
- CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
- CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
* Changes
- curl: add --url-query
- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
- lib: add CURL_WRITEFUNC_ERROR to signal write callback error
- openssl: reduce CA certificate bundle reparsing by caching
- version: add a feature names array to curl_version_info_data
* Bugfixes
- altsvc: fix rejection of negative port numbers
- aws_sigv4: consult x-%s-content-sha256 for payload hash
- aws_sigv4: fix typos in aws_sigv4.c
- base64: better alloc size
- base64: encode without using snprintf
- base64: faster base64 decoding
- build: assume assert.h is always available
- build: assume errno.h is always available
- c-hyper: CONNECT respones are not server responses
- c-hyper: fix multi-request mechanism
- CI: Change FreeBSD image from 12.3 to 12.4
- CI: LGTM.com will be shut down in December 2022
- ci: Remove zuul fuzzing job as it's superseded by CIFuzz
- cmake: check for cross-compile, not for toolchain
- CMake: fix build with `CURL_USE_GSSAPI`
- cmake: really enable warnings with clang
- cmake: set the soname on the shared library
- cmdline-opts/gen.pl: fix the linkifier
- cmdline-opts/page-footer: remove long option nroff formatting
OBS-URL: https://build.opensuse.org/request/show/1044030
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=325
- Update to 7.86.0:
* Security fixes:
- POST following PUT confusion [bsc#1204383, CVE-2022-32221]
- .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
- HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
- HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
* Changes:
- NPN: remove support for and use of
- Websockets: initial support
* Bugfixes:
- altsvc: reject bad port numbers
- autotools: reduce brute-force when detecting recv/send arg list
- aws_sigv4: fix header computation
- cli tool: do not use disabled protocols
- connect: change verbose IPv6 address:port to [address]:port
- connect: fix builds without AF_INET6
- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
- connect: fix the wrong error message on connect failures
- content_encoding: use writer struct subclasses for different encodings
- cookie: reject cookie names or content with TAB characters
- curl/add_file_name_to_url: use the libcurl URL parser
- curl/get_url_file_name: use libcurl URL parser
- curl: warn for --ssl use, considered insecure
- docs/libcurl/symbols-in-versions: add several missing symbols
- ftp: ignore a 550 response to MDTM
- functypes: provide the recv and send arg and return types
- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
- header: define public API functions as extern c
- headers: reset the requests counter at transfer start
- hostip: guard PF_INET6 use
OBS-URL: https://build.opensuse.org/request/show/1031305
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=321
- Update to 7.85.0:
* Security fixes: [bsc#1202593, CVE-2022-35252]
- control code in cookie denial of service
* Changes:
- quic: add support via wolfSSL
- schannel: Add TLS 1.3 support
- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
* Bugfixes:
- asyn-thread: fix socket leak on OOM
- asyn-thread: make getaddrinfo_complete return CURLcode
- base64: base64url encoding has no padding
- configure: fix broken m4 syntax in TLS options
- configure: if asked to use TLS, fail if no TLS lib was detected
- connect: add quic connection information
- connect: set socktype/protocol correctly
- cookie: reject cookies with "control bytes"
- cookie: treat a blank domain in Set-Cookie: as non-existing
- curl: output warning when a cookie is dropped due to size
- Curl_close: call Curl_resolver_cancel to avoid memory-leak
- digest: fix memory leak, fix not quoted 'opaque'
- digest: fix missing increment of 'nc' value for auth-int
- digest: pass over leading spaces in qop values
- digest: reject broken header with session protocol but without qop
- doh: use https protocol by default
- easy_lock.h: include sched.h if available to fix build
- easy_lock.h: use __asm__ instead of asm to fix build
- easy_lock: switch to using atomic_int instead of bool
- ftp: use a correct expire ID for timer expiry
- h2h3: fix overriding the 'TE: Trailers' header
- hostip: resolve *.localhost to 127.0.0.1/::1
OBS-URL: https://build.opensuse.org/request/show/1000420
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=317
- Update to 7.84.0:
* Security fixes:
- (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
- (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
- (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
- (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
* Changes:
- curl: add --rate to set max request rate per time unit
- curl: deprecate --random-file and --egd-file
- curl_version_info: add CURL_VERSION_THREADSAFE
- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
- lib: make curl_global_init() threadsafe when possible
- libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
- opts: deprecate RANDOM_FILE and EGDSOCKET
- socks: support unix sockets for socks proxy
* Bugfixes:
- aws-sigv4: fix potentional NULL pointer arithmetic
- bindlocal: don't use a random port if port number would wrap
- c-hyper: mark status line as status for Curl_client_write()
- ci: avoid `cmake -Hpath`
- CI: bump FreeBSD 13.0 to 13.1
- ci: update github actions
- cmake: add libpsl support
- cmake: do not add libcurl.rc to the static libcurl library
- cmake: enable curl.rc for all Windows targets
- cmake: fix detecting libidn2
- cmake: support adding a suffix to the OS value
- configure: skip libidn2 detection when winidn is used
- configure: use the SED value to invoke sed
- configure: warn about rustls being experimental
OBS-URL: https://build.opensuse.org/request/show/985355
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=314
- Patches rework:
* Refreshed all patches as -p1.
* Use autopatch macro.
* Renamed:
- dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
* Removed (already upstream):
- curl-fix-verifyhost.patch
- Update to 7.83.0:
* Security fixes:
- (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
- (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
- (bsc#1198608, CVE-2022-27774) Credential leak on redirect
- (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
* Changes:
- curl: add %header{name} experimental support in -w handling
- curl: add %{header_json} experimental support in -w handling
- curl: add --no-clobber
- curl: add --remove-on-error
- header api: add curl_easy_header and curl_easy_nextheader
- msh3: add support for QUIC and HTTP/3 using msh3
* Bugfixes:
- appveyor: add Cygwin build
- appveyor: only add MSYS2 to PATH where required
- BearSSL: add CURLOPT_SSL_CIPHER_LIST support
- BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
- BINDINGS.md: add Hollywood binding
- CI: Do not use buildconf. Instead, just use: autoreconf -fi
- CI: install Python package impacket to run SMB test 1451
- configure.ac: move -pthread CFLAGS setting back where it used to be
- configure: bump the copyright year range int the generated output
OBS-URL: https://build.opensuse.org/request/show/973058
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=310
- update to 7.81.0:
* mime: use percent-escaping for multipart form field and file names
* asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
* azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
* BINDINGS: add cURL client for PostgreSQL
* BINDINGS: add one from Everything curl and update a link
* checksrc: detect more kinds of NULL comparisons we avoid
* CI: build examples for additional code verification
* CI: bump job to use mbedtls 3.1.0
* cmake: don't set _USRDLL on a static Windows build
* cmake: prevent dev warning due to mismatched arg
* cmake: private identifiers use CURL_ instead of CMAKE_ prefix
* config.d: update documentation to match the path search
* configure: add -lm to configure for rustls build.
* configure: better diagnostics if hyper is built wrong
* configure: don't enable TLS when --without-* flags are used
* configure: fix runtime-lib detection on macOS
* curl.1: require "see also" for every documented option
* curl: improve error message for --head with -J
* curl_easy_cleanup.3: remove from multi handle first
* curl_easy_escape.3: call curl_easy_cleanup in example
* curl_easy_unescape.3: call curl_easy_cleanup in example
* curl_multi_init.3: fix EXAMPLE formatting
* curl_multi_perform/socket_action.3: clarify what errors mean
* curl_share_setopt.3: split out options into their own manpages
* CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
* digest: compute user:realm:pass digest w/o userhash
* docs/checksrc: Add documentation for STRERROR
* docs/cmdline-opts: do not say "protocols: all"
* docs/examples: workaround broken -Wno-pedantic-ms-format
OBS-URL: https://build.opensuse.org/request/show/945157
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=305
- Update to 7.80.0:
* Changes:
- CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
- CURLOPT_PREREQFUNCTION: add new callback
- libssh2: add SHA256 fingerprint support
- urlapi: add curl_url_strerror()
* Bugfixes:
- aws-sigv4: make signature work when post data is binary
- c-hyper: don't abort CONNECT responses early when auth-in-progress
- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
- cmake: add CURL_ENABLE_SSL option
- cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
- configure.ac: replace krb5-config with pkg-config
- configure: when hyper is selected, deselect nghttp2
- curl-confopts.m4: remove --enable/disable-hidden-symbols
- curl-openssl.m4: modify library order for openssl linking
- curl_ntlm_core: use OpenSSL only if DES is available
- Curl_updateconninfo: store addresses for QUIC connections too
- ftp: make the MKD retry to retry once per directory
- http: fix Basic auth with empty name field in URL
- http: reject HTTP response codes < 100
- http: remove assert that breaks hyper
- http: set content length earlier
- imap: display quota information
- libssh2: Get the version at runtime if possible
- md5: fix compilation with OpenSSL 3.0 API
- ngtcp2: advertise h3 as well as h3-29
- ngtcp2: compile with the latest nghttp3
- ngtcp2: use latest QUIC TLS RFC9001
- NTLM: use DES_set_key_unchecked with OpenSSL
OBS-URL: https://build.opensuse.org/request/show/931828
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=304
- Update to 7.79.1:
* Bugfixes:
- Curl_http2_setup: don't change connection data on repeat invokes
- curl_multi_fdset: make FD_SET() not operate on sockets out of range
- dist: provide lib/.checksrc in the tarball
- FAQ: add GOPHERS + curl works on data, not files
- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
- hsts: handle unlimited expiry
- http: fix the broken >3 digit response code detection
- strerror: use sys_errlist instead of strerror on Windows
- test1184: disable: https://github.com/curl/curl/issues/7725
- tests/sshserver.pl: make it work with openssh-8.7p1
OBS-URL: https://build.opensuse.org/request/show/921012
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=303
- Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
[bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
* Changes:
- bearssl: support CURLOPT_CAINFO_BLOB
- http: consider cookies over localhost to be secure
- secure transport: support CURLINFO_CERTINFO
* Bugfixes:
- CVE-2021-22945: clear the leftovers pointer when sending succeeds
- CVE-2021-22946: do not ignore --ssl-reqd
- CVE-2021-22947: reject STARTTLS server response pipelining
- auth: do not append zero-terminator to authorisation id in kerberos
- auth: properly handle byte order in kerberos security message
- auth: use sasl authzid option in kerberos
- auth: we do not support a security layer after kerberos authentication
- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
- c-hyper: initial step for 100-continue support
- c-hyper: initial support for "dumping" 1xx HTTP responses
- curl-openssl.m4: show correct output for OpenSSL v3
- docs/MQTT: update state of username/password support
- docs: the security list is reached at security at curl.se now
- getparameter: fix the --local-port number parser
- hostip: Make Curl_ipv6works function independent of getaddrinfo
- http_proxy: fix the User-Agent inclusion in CONNECT
- http_proxy: fix user-agent and custom headers for CONNECT with hyper
- http_proxy: only wait for writable socket while sending request
- mailing lists: move from cool.haxx.se to lists.haxx.se
- mbedtls: avoid using a large buffer on the stack
- mbedTLS: initial 3.0.0 support
- ngtcp2: remove the acked_crypto_offset struct field init
OBS-URL: https://build.opensuse.org/request/show/919068
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=301
- Update to 7.78.0:
[bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
[bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
* Changes:
- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
- hostip: make 'localhost' return fixed values
- mbedtls: add support for cert and key blob options
- metalink: remove all support for it
- mqtt: add support for username and password
* Bugfixes:
- ares: always store IPv6 addresses first
- c-hyper: abort CONNECT response reading early on non 2xx responses
- c-hyper: add support for transfer-encoding in the request
- c-hyper: bail on too long response headers
- c-hyper: clear NTLM auth buffer when request is issued
- c-hyper: fix NTLM on closed connection tested with test159
- conncache: lowercase the hash key for better match
- curl_multibyte: Remove local encoding fallbacks
- Curl_ntlm_core_mk_nt_hash: fix OOM in error path
- Curl_ssl_getsessionid: fail if no session cache exists
- easy: during upkeep, attach Curl_easy to connections in the cache
- gnutls: set the preferred TLS versions in correct order
- hsts: ignore numberical IP address hosts
- HSTS: not experimental anymore
- http2: init recvbuf struct for pushed streams
- http: fix crash in rate-limited upload
- http: make the haproxy support work with unix domain sockets
- http_proxy: deal with non-200 CONNECT response with Hyper
- lib: don't compare fd to FD_SETSIZE when using poll
OBS-URL: https://build.opensuse.org/request/show/907429
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=300
- Update to 7.77.0: [bsc#1186114, CVE-2021-22898]
[bsc#1186115, bsc#1185579, CVE-2021-22901]
* Security fixes:
- CVE-2021-22297: schannel cipher selection surprise
- CVE-2021-22298: TELNET stack contents disclosure
- CVE-2021-22901: TLS session caching disaster
* Changes:
- configure: make the TLS library choice(s) explicit
- curl: ignore options asking for SSLv2 or SSLv3
- hsts: enable by default
- SSL: support in-memory CA certs for some backends
- vtls: refuse setting any SSL version
* Bugfixes:
- configure: provide --with-openssl, deprecate --with-ssl
- cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
- curl: include libmetalink version in --version output
- data_pending: check only SECONDARY socket for FTP(S) transfers
- gnutls: don't allow TLS 1.3 for versions that don't support it
- gnutls: make setting only the MAX TLS allowed version work
- http2: fix resource leaks in set_transfer_url() and push_promise()
- http: limit the initial send amount to used upload buffer size
- rustls: only return CURLE_AGAIN when TLS session is fully drained
- rustls: use ALPN
- schannel: Disable auto credentials; add an option to enable it
- schannel: Support strong crypto option
- sectransp: allow cipher name to be specified
- sockfilt: avoid getting stuck waiting for writable socket
OBS-URL: https://build.opensuse.org/request/show/895500
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=298
- Update to 7.76.0
* Security fixes:
- [bsc#1183933, CVE-2021-22876]: strip credentials from the
auto-referer header field
- [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to
Curl_ssl_get/addsessionid()
* Changes:
- cookies: Support multiple -b parameters
- curl: add --fail-with-body
- doh: add options to disable ssl verification
- http: add support to read and store the referrer header
- sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
- vtls: initial implementation of rustls backend
* Bugfixes:
- CVE-2021-22876: strip credentials from the auto-referer header field
- CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
- c-hyper: support automatic content-encoding
- configure: only add OpenSSL paths if they are defined
- configure: provide Largefile feature for curl-config
- curl: set CURLOPT_NEW_FILE_PERMS if requested
- doh: Fix sharing user's resolve list with DOH handles
- doh: Inherit CURLOPT_STDERR from user's easy handle
- dynbuf: bump the max HTTP request to 1MB
- ftp: add 'list_only' to the transfer state struct
- ftp: add 'prefer_ascii' to the transfer state struct
- ftp: allow SIZE to fail when doing (resumed) upload
- ftp: avoid SIZE when asking for a TYPE A file
- ftp: fix memory leak in ftp_done
- ftp: never set data->set.ftp_append outside setopt
- gnutls: assume nettle crypto support
OBS-URL: https://build.opensuse.org/request/show/882316
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=294
- Update to 7.75.0
* Changes:
- curl: add --create-file-mode [mode]
- curl: add new variables to --write-out
- dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
- gopher: implement secure gopher protocol
- http: add Hyper as new optional HTTP backend
- http: introduce AWS HTTP v4 Signature support
* Bugfixes:
- cmake: Add an option to disable libidn2
- cmake: enable gophers correctly in curl-config
- cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
- digest_sspi: Show InitializeSecurityContext errors in verbose mode
- getinfo: build with disabled HTTP support
- http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
- http_proxy: Fix CONNECT chunked encoding race condition
- httpauth: make multi-request auth work with custom port
- lib: pass in 'struct Curl_easy *' to most functions
- lib: remove Curl_ prefix from many static functions
- lib: save a bit of space with some structure packing
- libssh: avoid plain free() of libssh-memory
- mime: make sure setting MIMEPOST to NULL resets properly
- multi_runsingle: bail out early on data->conn == NULL
- ngtcp2: Fix http3 upload stall
- ngtcp2: Fix stack buffer overflow
- openssl: lowercase the hostname before using it for SNI
- socks: use the download buffer instead
- speedcheck: exclude paused transfers
- tooĺ_writeout: fix the -w time output units
- url: if IDNA conversion fails, fallback to Transitional
OBS-URL: https://build.opensuse.org/request/show/869220
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=291
- Update to 7.74.0
* Changes:
hsts: add experimental support for Strict-Transport-Security
* Bugfixes:
- Inferior OCSP verification [bsc#1179593, CVE-2020-8286]
- FTP wildcard stack overflow [bsc#1179399, CVE-2020-8285]
- trusting FTP PASV responses [bsc#1179398, CVE-2020-8284]
- Revert "multi: implement wait using winsock events"
- openssl: free mem_buf in error path
- ntlm: avoid malloc(0) on zero length user and domain
- ngtcp2: use the minimal version of QUIC supported by ngtcp2
- ngtcp2: advertise h3 ALPN unconditionally
- file: avoid duplicated code sequence
- openssl: guard against OOM on context creation
- docs: document the 8MB input string limit for curl_easy_escape
and curl_easy_setopt()
- hsts: add read/write callbacks
- hsts: add support for Strict-Transport-Security
- alt-svc: enable by default
- checksrc: warn on empty line before open brace
- connect: repair build without ipv6 availability
- curl.se: new home
- ftp: retry getpeername for FTP with TCP_FASTOPEN
- gnutls: fix memory leaks (certfields memory wasn't released)
- http: pass correct header size to debug callback for chunked post
- libssh2: fix transport over HTTPS proxy
- openssl: guard against OOM on context creation
- openssl: use OPENSSL_init_ssl() with >= 1.1.0
- Revert "multi: implement wait using winsock events"
- socks: check for DNS entries with the right port number
OBS-URL: https://build.opensuse.org/request/show/856452
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=288
- Update to 7.73.0
* Changes:
- curl: add --output-dir
- curl: support XDG_CONFIG_HOME to find .curlrc
- curl: update --help with categories
- curl_easy_option_*: new API for meta-data about easy options
- CURLE_PROXY: new error code
- mqtt: enable by default
- sftp: add new quote commands 'atime' and 'mtime'
- ssh: add the option CURLKHSTAT_FINE_REPLACE
- tls: add CURLOPT_SSL_EC_CURVES and --curves
* Bugfixes:
- base64: also build for smtp, pop3 and imap
- cleanups: avoid curl_ on local variables
- configure: let --enable-debug set -Wenum-conversion with gcc >= 10
- conn: check for connection being dead before reuse
- curl: in retry output don't call all problems "transient"
- curl: make checkpasswd, file2memory, file2string and
glob_match_url use dynbuf
- curl: retry delays in parallel mode no longer sleeps blocking
- curl: use curlx_dynbuf for realloc when loading config files
- curl:parallel_transfers: make sure retry readds the transfer
- curl_get_line: build only if cookies or alt-svc are enabled
- Curl_pgrsTime - return new time to avoid timeout integer overflow
- Curl_send: return error when pre_receive_plain can't malloc
- dynbuf: make sure Curl_dyn_tail() zero terminates
- etag: save and use the full received contents
- ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND
- ftp: avoid risk of reading uninitialized integers
- ftp: get rid of the PPSENDF macro
OBS-URL: https://build.opensuse.org/request/show/841883
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=286
- Update to 7.72.0 [bsc#1175109, CVE-2020-8231]
* Changes:
- content_encoding: add zstd decoding support
- CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
- CURLINFO_EFFECTIVE_METHOD: added
* Bugfixes:
- CVE-2020-8231: libcurl: wrong connect-only connection
- curl-config: ignore REQUIRE_LIB_DEPS in --libs output
- curl: improve the existing file check with -J
- curl_multi_setopt: fix compiler warning "result is always false"
- curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
- docs: Add video link to docs/CONTRIBUTE.md
- docs: clarify MAX_SEND/RECV_SPEED functionality
- ftp: don't do ssl_shutdown instead of ssl_close
- ftpserver: don't verify SMTP MAIL FROM names
- getinfo: reset retry-after value in initinfo
- gnutls: repair the build with 'CURL_DISABLE_PROXY'
- gtls: survive not being able to get name/issuer
- h2: repair trailer handling
- http2: close the http2 connection when no more requests may be sent
- http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
- libssh2: s/ssherr/sftperr/
- mprintf: Fix dollar string handling
- mprintf: Fix stack overflows
- multi_remove_handle: close unused connect-only connections
- ngtcp2: adapt to error code rename
- ngtcp2: adjust to recent sockaddr updates
- ngtcp2: update to modified qlog callback prototype
- ntlm: free target_info before (re-)malloc
- page-header: provide protocol details in the curl.1 man page
OBS-URL: https://build.opensuse.org/request/show/827742
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=284
- Update to 7.71.1
* Bugfixes:
- Curl_inet_ntop: always check the return code
- CURLOPT_READFUNCTION.3: provide the upload data size up front
- escape: make the URL decode able to reject only %00-bytes
- escape: zero length input should return a zero length output
- examples/multithread.c: call curl_global_cleanup()
- http2: set the correct URL in pushed transfers
- http: fix proxy auth with blank password
- mbedtls: fix build with disabled proxy support
- ngtcp2: sync with current master
- Revert "multi: implement wait using winsock events"
- sendf: improve the message on client write errors
- terminology: call them null-terminated strings
- tool_cb_hdr: Fix etag warning output and return code
- url: allow user + password to contain "control codes" for HTTP(S)
- vtls: compare cert blob when finding a connection to reuse
OBS-URL: https://build.opensuse.org/request/show/818117
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=282
- Update to 7.71.0 [bsc#1173026, CVE-2020-8169][bsc#1173027, CVE-2020-8177]
* Changes:
- CURLOPT_SSL_OPTIONS: optional use of Windows' CA store (with openssl)
- setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
- setopt: support certificate options in memory with struct curl_blob
- tool: Add option --retry-all-errors to retry on any error
* Bugfixes:
- *_sspi: fix bad uses of CURLE_NOT_BUILT_IN
- altsvc: bump to h3-29
- altsvc: fix 'dsthost' may be used uninitialized in this function
- altsvc: fix parser for lines ending with CRLF
- altsvc: remove the num field from the altsvc struct
- asyn-*: remove support for never-used NULL entry pointers
- azure: use matrix strategy to avoid configuration redundancy
- build: disable more code/data when built without proxy support
- buildconf: remove -print from the find command that removes files
- checksrc: enhance the ASTERISKSPACE and update code accordingly
- cirrus: disable SFTP and SCP tests
- CMake: add ENABLE_ALT_SVC option
- CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
- CMake: add libssh build support
- configure: fix pthread check with static boringssl
- configure: for wolfSSL, check for the DES func needed for NTLM
- configure: only strip first -L from LDFLAGS
- configure: repair the check if argv can be written to
- configure: the wolfssh backend does not provide SCP
- connect: improve happy eyeballs handling
- connect: make happy eyeballs work for QUIC (again)
- curl: remove -J "informational" written on stdout
- Curl_addrinfo: use one malloc instead of three
OBS-URL: https://build.opensuse.org/request/show/816791
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=280
- Update to 7.69.1
* Bugfixes:
- ares: store dns parameters for duphandle
- cirrus-ci: disable the FreeBSD 13 builds
- curl_share_setopt.3: Note sharing cookies doesn't enable the engine
- lib1564: reduce number of mid-wait wakeup calls
- libssh: Fix matching user-specified MD5 hex key
- MANUAL: update a dict-using command line
- mime: do not perform more than one read in a row
- mime: fix the binary encoder to handle large data properly
- mime: latch last read callback status
- multi: skip EINTR check on wakeup socket if it was closed
- pause: bail out on bad input
- pause: force a connection recheck after unpausing (take 2)
- pause: return early for calls that don't change pause state
- runtests.1: rephrase how to specify what tests to run
- runtests: fix missing use of exe_ext helper function
- seek: fix fall back for missing ftruncate on Windows
- sftp: fix segfault regression introduced by #4747 in 7.69.0
- sha256: Added SecureTransport implementation
- sha256: Added WinCrypt implementation
- socks4: fix host resolve regression
- socks5: host name resolv regression fix
- tests/server: fix missing use of exe_ext helper function
- tests: fix static ip:port instead of dynamic values being used
- tests: make sleeping portable by avoiding select
- unit1612: fix the inclusion and compilation of the HMAC unit test
- urldata: remove the 'stream_was_rewound' connectdata struct member
- version: make curl_version* thread-safe without using global context
OBS-URL: https://build.opensuse.org/request/show/784472
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=274
- Update to 7.69.0
* Changes:
- polarssl: removed
- smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
- wolfSSH: new SSH backend
* Bugfixes:
- altsvc: improved header parser
- altsvc: keep a copy of the file name to survive handle reset
- altsvc: make saving the cache an atomic operation
- altsvc: use h3-27
- azure: disable brotli on the macos debug-builds
- build: remove all HAVE_OPENSSL_ENGINE_H defines
- cleanup: fix several comment typos
- cleanup: fix typos and wording in docs and comments
- cmake: add support for CMAKE_LTO option
- cmake: clean up and improve build procedures
- cmake: Show HTTPS-proxy in the features output
- cmake: use check_symbol_exists also for inet_pton
- configure.ac: fix comments about --with-quiche
- configure: disable metalink if mbedTLS is specified
- configure: disable metalink support for incompatible SSL/TLS
- conn: do not reuse connection if SOCKS proxy credentials differ
- conncache: removed unused Curl_conncache_bundle_size()
- connect: remove some spurious infof() calls
- connection reuse: respect the max_concurrent_streams limits
- cookie: check __Secure- and __Host- case sensitively
- cookies: make saving atomic with a rename
- create-dirs.d: mention the mode
- curl: avoid using strlen for testing if a string is empty
- curl: error on --alt-svc use w/o support
OBS-URL: https://build.opensuse.org/request/show/781412
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=270
- Update to 7.68.0
* Changes:
- TLS: add BearSSL vtls implementation
- XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
- curl: add --etag-compare and --etag-save
- curl: add --parallel-immediate
- multi: add curl_multi_wakeup()
- openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
* Bugfixes:
- CVE-2019-15601: file: on Windows, refuse paths that start with \\
- Azure Pipelines: add several builds
- CMake: add support for building with the NSS vtls backend
- CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
- CURLOPT_HEADERFUNCTION.3: Document that size is always 1
- CURLOPT_QUOTE.3: fix typos
- CURLOPT_READFUNCTION.3: fix the example
- CURLOPT_URL.3: "curl supports SMB version 1 (only)"
- CURLOPT_VERBOSE.3: see also ERRORBUFFER
- HISTORY: added cmake, HTTP/3 and parallel downloads with curl
- HISTORY: the SMB(S) support landed in 2014
- INSTALL.md: provide Android build instructions
- KNOWN_BUGS: Connection information when using TCP Fast Open
- KNOWN_BUGS: LDAP on Windows doesn't work correctly
- KNOWN_BUGS: TLS session cache doesn't work with TFO
- OPENSOCKETFUNCTION.3: correct the purpose description
- TrackMemory tests: always remove CR before LF
- altsvc: bump to h3-24
- altsvc: make the save function ignore NULL filenames
- build: Disable Visual Studio warning "conditional expression is constant"
- build: fix for CURL_DISABLE_DOH
OBS-URL: https://build.opensuse.org/request/show/761809
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=266
- Update spec file with spec-cleaner
- Update to 7.67.0
* Changes:
- curl: added --no-progress-meter
- setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
- urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
* Bugfixes:
- BINDINGS: five new bindings addded
- CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
- CURLOPT_TIMEOUT.3: remove the mention of "minutes"
- ESNI: initial build/setup support
- FTP: FTPFILE_NOCWD: avoid redundant CWDs
- FTP: allow "rubbish" prepended to the SIZE response
- FTP: remove trailing slash from path for LIST/MLSD
- FTP: skip CWD to entry dir when target is absolute
- FTP: url-decode path before evaluation
- HTTP3.md: move -p for mkdir, remove -j for make
- HTTP3: fix invalid use of sendto for connected UDP socket
- HTTP3: fix prefix parameter for ngtcp2 build
- HTTP3: show an --alt-svc using example too
- INSTALL: add missing space for configure commands
- INSTALL: add vcpkg installation instructions
- altsvc: accept quoted ma and persist values
- altsvc: both backends run h3-23 now
- appveyor: Add MSVC ARM64 build
- appveyor: Use two parallel compilation on appveyor with CMake
- appveyor: add --disable-proxy autotools build
- appveyor: publish artifacts on appveyor
- appveyor: upgrade VS2017 to VS2019
OBS-URL: https://build.opensuse.org/request/show/746069
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=262
- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
* Changes:
- CURLINFO_RETRY_AFTER: parse the Retry-After header value
- HTTP3: initial (experimental still not working) support
- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
- curl: support parallel transfers with -Z
- curl_multi_poll: a sister to curl_multi_wait() that waits more
- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
* Bugfixes:
- CVE-2019-5481: FTP-KRB double-free
- CVE-2019-5482: TFTP small blocksize heap buffer overflow
- CMake: remove needless newlines at end of gss variables
- CMake: use platform dependent name for dlopen() library
- CURLINFO docs: mention that in redirects times are added
- CURLOPT_ALTSVC.3: use a "" file name to not load from a file
- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
- CURLOPT_HEADERFUNCTION.3: clarify
- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
- CURLOPT_READFUNCTION.3: provide inline example
- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
- Curl_addr2string: take an addrlen argument too
- Curl_fillreadbuffer: avoid double-free trailer buf on error
- HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
- alt-svc: add protocol version selection masking
- alt-svc: fix removal of expired cache entry
- alt-svc: make it use h3-22 with ngtcp2 as well
- alt-svc: more liberal ALPN name parsing
- alt-svc: send Alt-Used: in redirected requests
- alt-svc: with quiche, use the quiche h3 alpn string
- asyn-thread: create a socketpair to wait on
OBS-URL: https://build.opensuse.org/request/show/730075
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=260
- Update to 7.65.2
* Bugfixes:
- CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
- CMake: Fix finding Brotli on case-sensitive file systems
- CURLOPT_RANGE.3: Caution against using it for HTTP PUT
- CURLOPT_SEEKDATA.3: fix variable name
- bindlocal: detect and avoid IP version mismatches in bind()
- build: fix Codacy warnings
- c-ares: honor port numbers in CURLOPT_DNS_SERVERS
- config-os400: add getpeername and getsockname defines
- configure: --disable-progress-meter
- configure: fix --disable-code-coverage
- configure: more --disable switches to toggle off individual features
- configure: remove CURL_DISABLE_TLS_SRP
- conn_maxage: move the check to prune_dead_connections()
- curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
- docs: Explain behavior change in --tlsv1. options since 7.54
- docs: Fix links to OpenSSL docs
- docs: fix string suggesting HTTP/2 is not the default
- headers: Remove no longer exported functions
- http2: call done_sending on end of upload
- http2: don't call stream-close on already closed streams
- http2: remove CURL_DISABLE_TYPECHECK define
- http: allow overriding timecond with custom header
- http: clarify header buffer size calculation
- krb5: fix compiler warning
- lib: Use UTF-8 encoding in comments
- libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
- multi: enable multiplexing by default (again)
- multi: fix the transfer hashes in the socket hash entries
OBS-URL: https://build.opensuse.org/request/show/716040
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=257
- Update to 7.65.1
* Bugfixes:
- CURLOPT_LOW_SPEED_* repaired
- NTLM: reset proxy "multipass" state when CONNECT request is done
- PolarSSL: deprecate support step 1. Removed from configure
- cmake: check for if_nametoindex()
- cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
- conncache: Remove the DEBUGASSERT on length check
- conncache: make "bundles" per host name when doing proxy tunnels
- curl_share_setopt.3: improve wording
- dump-header.d: spell out that no headers == empty file
- example/http2-download: fix format specifier
- examples: cleanups and compiler warning fixes
- http2: Stop drain from being permanently set
- http: don't parse body-related headers in bodyless responses
- md4: build correctly with openssl without MD4
- md4: include the mbedtls config.h to get the MD4 info
- multi: track users of a socket better
- nss: allow to specify TLS 1.3 ciphers if supported by NSS
- parse_proxy: make sure portptr is initialized
- parse_proxy: use the IPv6 zone id if given
- sectransp: handle errSSLPeerAuthCompleted from SSLRead()
- singlesocket: use separate variable for inner loop
- ssl: Update outdated "openssl-only" comments for supported backends
- tests: add HAProxy keywords
- tests: make test 1420 and 1406 work with rtsp-disabled libcurl
- tls13-docs: mention it is only for OpenSSL >= 1.1.1
- tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
- url: fix bad feature-disable #ifdef
- url: use correct port in ConnectionExists()
OBS-URL: https://build.opensuse.org/request/show/707886
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=255
- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
* Changes:
- CURLOPT_DNS_USE_GLOBAL_CACHE: removed
- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
- pipelining: removed
* Bugfixes:
- CVE-2019-5435: Integer overflows in curl_url_set
- CVE-2019-5436: tftp: use the current blksize for recvfrom()
- --config: clarify that initial : and = might need quoting
- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
- CURLOPT_ADDRESS_SCOPE: fix range check and more
- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
- CURL_MAX_INPUT_LENGTH: largest acceptable string input size
- Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
- OS400/ccsidcurl: replace use of Curl_vsetopt
- OpenSSL: Report -fips in version if OpenSSL is built with FIPS
- WRITEFUNCTION: add missing set_in_callback around callback
- altsvc: Fix building with cookies disabled
- auth: Rename the various authentication clean up functions
- base64: build conditionally if there are users
- cmake: avoid linking executable for some tests with cmake 3.6+
- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
- cmake: set SSL_BACKENDS
- configure: avoid unportable '==' test(1) operator
- configure: error out if OpenSSL wasn't detected when asked for
- configure: fix default location for fish completions
- cookie: Guard against possible NULL ptr deref
- curl: make code work with protocol-disabled libcurl
- curl: report error for "--no-" on non-boolean options
OBS-URL: https://build.opensuse.org/request/show/704763
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=253
- Install curl.fish completions file from curl rather than from the fish package
- update to version 7.64.1
* Changes:
- alt-svc: experiemental support added
- configure: add --with-amissl
* Bugfixes:
- AppVeyor: switch VS 2015 builds to VS 2017 image
- CURLU: fix NULL dereference when used over proxy
- Curl_easy: remove req.maxfd - never used!
- Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
- DoH: inherit some SSL options from user's easy handle
- Secure Transport: no more "darwinssl"
- Secure Transport: tvOS 11 is required for ALPN support
- cirrus: Added FreeBSD builds using Cirrus CI
- cleanup: make local functions static
- cli tool: do not use mime.h private structures
- cmdline-opts/proxytunnel.d: the option tunnnels all protocols
- configure: add additional libraries to check for LDAP support
- configure: remove the unused fdopen macro
- configure: show features as well in the final summary
- conncache: use conn->data to know if a transfer owns it
- connection: never reuse CONNECT_ONLY connections
- connection_check: restore original conn->data after the check
- connection_check: set ->data to the transfer doing the check
- cookie: Add support for cookie prefixes
- cookies: dotless names can set cookies again
- cookies: fix NULL dereference if flushing cookies with no CookieInfo set
- curl.1: --user and --proxy-user are hidden from ps output
- curl.1: mark the argument to --cookie as
OBS-URL: https://build.opensuse.org/request/show/692902
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=251
