- Update to version 7.58.0
[bsc1076360, CVE-2018-1000005][bsc#1077001, CVE-2018-1000007]
Changes:
* new libssh-powered SSH SCP/SFTP back-end
* curl-config: add --ssl-backends
Bugfixes:
* http2: fix incorrect trailer buffer size
* http: prevent custom Authorization headers in redirects
* travis: add boringssl build
* examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
* SSL: Avoid magic allocation of SSL backend specific data
* lib: don't export all symbols, just everything curl_*
* libssh2: send the correct CURLE error code on scp file not found
* libssh2: return CURLE_UPLOAD_FAILED on failure to upload
* openssl: enable pkcs12 in boringssl builds
* libssh2: remove dead code from SSH_SFTP_QUOTE
* sasl_getmesssage: make sure we have a long enough string to pass
* conncache: fix several lock issues
* threaded-shared-conn.c: new example
* conncache: only allow multiplexing within same multi handle
* configure: check for netinet/in6.h
* URL: tolerate backslash after drive letter for FILE:
* openldap: add commented out debug possibilities
* include: get netinet/in.h before linux/tcp.h
* CONNECT: keep close connection flag in http_connect_state struct
* BINDINGS: another PostgreSQL client
* curl: limit -# update frequency for unknown total size
* configure: add AX_CODE_COVERAGE only if using gcc
* curl.h: remove incorrect comment about ERRORBUFFER
* openssl: improve data-pending check for https proxy
OBS-URL: https://build.opensuse.org/request/show/568861
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=214
- Update to version 7.57.0 [bsc#1069226, CVE-2017-8816]
[bsc#1069222, CVE-2017-8817] [bsc#1069714, CVE-2017-8818]
Changes:
* auth: add support for RFC7616 - HTTP Digest access authentication
* share: add support for sharing the connection cache
* HTTP: implement Brotli content encoding
Bugfixes:
* CVE-2017-8816: NTLM buffer overflow via integer overflow
* CVE-2017-8817: FTP wildcard out of bounds read
* CVE-2017-8818: SSL out of buffer access
* curl_mime_filedata.3: fix typos
* libtest: Add required test libraries for lib1552 and lib1553
* fix time diffs for systems using unsigned time_t
* ftplistparser: memory leak fix: free temporary memory always
* multi: allow table handle sizes to be overridden
* wildcards: don't use with non-supported protocols
* curl_fnmatch: return error on illegal wildcard pattern
* transfer: Fix chunked-encoding upload too early exit
* resolvers: only include anything if needed
* setopt: fix CURLOPT_SSH_AUTH_TYPES option read
* Curl_timeleft: change return type to timediff_t
* cmake: Export libcurl and curl targets to use by other cmake projects
* curl: in -F option arg, comma is a delimiter for files only
* curl: improved ";type=" handling in -F option arguments
* timeval: use mach_absolute_time() on MacOS
* curlx: the timeval functions are no longer provided as curlx_*
* mkhelp.pl: do not generate comment with current date
* memdebug: use send/recv signature for curl_dosend/curl_dorecv
* cookie: avoid NULL dereference
* url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
OBS-URL: https://build.opensuse.org/request/show/546402
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=210
- Update to version 7.56.1 [bsc#1063824]
Bugfixes:
* imap: if a FETCH response has no size, don't call write
callback [CVE-2017-1000257]
* ftp: UBsan fixup 'pointer index expression overflowed
* failf: skip the sprintf() if there are no consumers
* fuzzer: move to using external curl-fuzzer
* lib/Makefile.m32: allow customizing dll suffixes
* docs: fix typo in curl_mime_data_cb man page
* darwinssl: add support for TLSv1.3
* build: fix --disable-crypto-auth
* openssl: fix build without HAVE_OPAQUE_EVP_PKEY
* strtoofft: Remove extraneous null check
* multi_cleanup: call DONE on handles that never got that
* tests: added flaky keyword to tests 587 and 644
* pingpong: return error when trying to send without connection
* remove_handle: call multi_done() first, then clear dns cache pointer
* mime: be tolerant about setting the same header list twice in a part
* mime: improve unbinding top multipart from easy handle
* mime: avoid resetting a part's encoder when part's contents change
* mime: refuse to add subparts to one of their own descendants
* RTSP: avoid integer overflow on funny RTSP responses
* curl: don't pass semicolons when parsing Content-Disposition
* openssl: enable PKCS12 support for !BoringSSL
* FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
* CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
* CURLOPT_XFERINFODATA.3: fix duplicate see also
* test298: verify --ftp-method nowcwd with URL encoded path
* FTP: URL decode path for dir listing in nocwd mode
* smtp_done: fix memory leak on send failure
OBS-URL: https://build.opensuse.org/request/show/535940
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=208
- Update to 7.56.0 [bsc#1061876, CVE-2017-1000254]
Changes:
* curl: enable compression for SCP/SFTP with --compressed-ssh
* libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION
* vtls: added dynamic changing SSL backend with curl_global_sslset()
* new MIME API, curl_mime_init() and friends
* openssl: initial SSLKEYLOGFILE implementation
Security fixes:
* CVE-2017-1000254 FTP PWD response parser out of bounds read
Bugfixes:
* FTP: zero terminate the entry path even on bad input
* examples/ftpuploadresume.c: use portable code
* runtests: match keywords case insensitively
* strtoofft: reduce integer overflow risks globally
* zsh.pl: produce a working completion script again
* cmake: remove dead code for CURL_DISABLE_RTMP
* progress: Track total times following redirects
* configure: fix --disable-threaded-resolver
* configure: fix clang version detection
* darwinssi: fix error: variable length array used
* configure: check for __builtin_available() availability
* http_proxy: fix build error for CURL_DOES_CONVERSIONS
* examples/ftpuploadresume: checksrc compliance
* ftp: fix CWD when doing multicwd then nocwd on same connection
* system.h: remove all CURL_SIZEOF_* defines
* http: Don't wait on CONNECT when there is no proxy
* system.h: check for __ppc__ as well
* http2_recv: return error better on fatal h2 errors
* tftp: fix memory leak on too long filename
* system.h: fix build for hppa
OBS-URL: https://build.opensuse.org/request/show/532977
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=206
- Upstream fix to build libcurl man3 pages
* Added patch curl-man3.patch
- Disabled test1425 that fails in i586 architecture
* Added patch curl-disable-test1427-i586.patch
- Update to 7.55.0
Changes:
* curl: allow --header and --proxy-header read from file
* getinfo: provide sizes as curl_off_t
* curl: prevent binary output spewed to terminal
* curl: added --request-target
* curl: added --socks5-{basic,gssapi}: control socks5 auth
* libcurl: added CURLOPT_REQUEST_TARGET
* libcurl: added CURLOPT_SOCKS5_AUTH
Bugfixes:
* Security Fixes:
- glob: do not parse after a strtoul() overflow range
(CVE-2017-1000101, bsc#1051643)
- tftp: reject file name lengths that don't fit
(CVE-2017-1000100, bsc#1051644)
- file: output the correct buffer to the user
(CVE-2017-1000099, bsc#1051645)
* includes: remove curl/curlbuild.h and curl/curlrules.h
* dist: make the hugehelp.c not get regenerated unnecessarily
* timers: store internal time stamps as time_t instead of doubles
* progress: let "current speed" be UL + DL speeds combined
* http-proxy: do the HTTP CONNECT process entirely non-blocking
* lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
* fuzz: bring oss-fuzz initial code converted to C89
OBS-URL: https://build.opensuse.org/request/show/515937
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=201
Changes:
* curl now shows release date in --version output
Bugfixes:
* Fixes CVE-2017-9502: default protocol drive letter
buffer overflow bsc#1044243
* openssl: fix memory leak in servercert
* curl: set a 100K buffer size by default
* nss: do not leak PKCS #11 slot while loading a key
* nss: load libnssckbi.so if no other trust is specified
* curl: use utimes instead of obsolescent utime when available
* url: fixed a memory leak on OOM while setting CURLOPT_BUFFERSIZE
* CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size
* curl: non-boolean command line args reject --no- prefixes
* telnet: Write full buffer instead of byte-by-byte
* curl: remove --environment and tool_writeenv.c
* curl: generate the --help output
* curl.1: clarify --config
* curl.1: mention --oauth2-bearer's argument
* ssh: fix memory leak in disconnect due to timeout
* redirect: store the "would redirect to" URL when max redirs is reached
* file: make speedcheck use current time for checks
* urlglob: fix division by zero
- Update to 7.54.1
Changes:
* curl now shows release date in --version output
Bugfixes:
* Fixes CVE-2017-9502: default protocol drive letter
buffer overflow bsc#1044243
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=193
Changes:
* curl now shows release date in --version output
Bugfixes:
* Fixes CVE-2017-9502: default protocol drive letter buffer overflow
* openssl: fix memory leak in servercert
* curl: set a 100K buffer size by default
* nss: do not leak PKCS #11 slot while loading a key
* nss: load libnssckbi.so if no other trust is specified
* curl: use utimes instead of obsolescent utime when available
* url: fixed a memory leak on OOM while setting CURLOPT_BUFFERSIZE
* CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size
* curl: non-boolean command line args reject --no- prefixes
* telnet: Write full buffer instead of byte-by-byte
* curl: remove --environment and tool_writeenv.c
* curl: generate the --help output
* curl.1: clarify --config
* curl.1: mention --oauth2-bearer's argument
* ssh: fix memory leak in disconnect due to timeout
* redirect: store the "would redirect to" URL when max redirs is reached
* file: make speedcheck use current time for checks
* urlglob: fix division by zero
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=191
Changes:
* Add CURL_SSLVERSION_MAX_* constants to CURLOPT_SSLVERSION
* Add --max-tls
* Add CURLOPT_SUPPRESS_CONNECT_HEADERS
* Add --suppress-connect-headers
Bugfixes:
* CVE-2017-7468: switch off SSL session id when client cert is used
* tests: use consistent environment variables for setting charset
* proxy: fixed a memory leak on OOM
* ftp: removed an erroneous free in an OOM path
* ftp: fixed a NULL pointer dereference on OOM
* gopher: fixed detection of an error condition from Curl_urldecode
* url: fix unix-socket support for proxy-disabled builds
* fix potential use of uninitialized variables
* ares: return error at once if timed out before name resolve starts
* URL: return error on malformed URLs with junk after port number
* http2: Fix assertion error on redirect with CL=0
* --insecure: clarify that this option is for server connections
* authneg: clear auth.multi flag at http_done
* curl_easy_reset: Also reset the authentication state
* proxy: skip SSL initialization for closed connections
* http_proxy: ignore TE and CL in CONNECT 2xx responses
* multi: fix streamclose() crash in debug mode
* openssl: fall back on SSL_ERROR_* string when no error detail
* asiohiper: make sure socket is open in event_cb
* curl: check for end of input in writeout backslash handling
* openssl: exclude DSA code when OPENSSL_NO_DSA is defined
* http: Fix proxy connection reuse with basic-auth
* pause: handle mixed types of data when paused
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=188
Bugfixes:
* url: Improve CURLOPT_PROXY_CAPATH error handling
* urldata: include curl_sspi.h when Windows SSPI is enabled
* formdata: check for EOF when reading from stdin
* tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
* url: Default the proxy CA bundle location to CURL_CA_BUNDLE
* rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=186
Changes:
* unix_socket: added --abstract-unix-socket and
CURLOPT_ABSTRACT_UNIX_SOCKET
* CURLOPT_BUFFERSIZE: support enlarging receive buffer
Bugfixes:
* CVE-2017-2629: make SSL_VERIFYSTATUS work again
* gnutls-random: check return code for failed random
* openssl-random: check return code when asking for random
* http: remove "Curl_http_done: called premature" message
* cyassl: use time_t instead of long for timeout
* build-wolfssl: Sync config with wolfSSL 3.10
* ftp-gss: check for init before use
* configure: accept --with-libidn2 instead
* ftp: failure to resolve proxy should return that error code
* curl.1: add three more exit codes
* docs/ciphers: link to our own new page about ciphers
* vtls: s/SSLEAY/OPENSSL - fixes multi_socket timeouts with openssl
* darwinssl: fix iOS build
* darwinssl: fix CFArrayRef leak
* cmake: use crypt32.lib when building with OpenSSL on windows
* curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
* digest_sspi: copy terminating NUL as well
* curl: fix --remote-time incorrect times on Windows
* curl.1: several updates and corrections
* content_encoding: change return code on a failure
* curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
* docs: TCP_KEEPALIVE start and interval default to 60
* darwinssl: --insecure overrides --cacert if both settings are in use
* TheArtOfHttpScripting: grammar
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=184
Changes:
* nss: map CURL_SSLVERSION_DEFAULT to NSS default
* vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
* curl: introduce the --tlsv1.3 option to force TLS 1.3
* curl: Add --retry-connrefused
* proxy: Support HTTPS proxy and SOCKS+HTTP(s)
* add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
* curl: add --fail-early
Bugfixes:
* CVE-2016-9586: printf floating point buffer overflow
* curl -w: added more decimal digits to timing counters
* easy: Initialize info variables on easy init and duphandle
* http2: Don't send header fields prohibited by HTTP/2 spec
* ssh: check md5 fingerprints case insensitively (regression)
* openssl: initial TLS 1.3 adaptions
* SPNEGO: Fix memory leak when authentication fails
* realloc: use Curl_saferealloc to avoid common mistakes
* openssl: make sure to fail in the unlikely event that PRNG
seeding fails
* URL-parser: for file://[host]/ URLs, the [host] must be localhost
* timeval: prefer time_t to hold seconds instead of long
* glob: fix [a-c] globbing regression
* curl.1: Clarify --dump-header only writes received headers
* http2: Fix address sanitizer memcpy warning
* http2: Use huge HTTP/2 windows
* connects: Don't mix unix domain sockets with regular ones
* url: Fix conn reuse for local ports and interfaces
* x509: Limit ASN.1 structure sizes to 256K
* http2: check nghttp2_session_set_local_window_size exists
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=178
Changes:
* nss: additional cipher suites are now accepted by
CURLOPT_SSL_CIPHER_LIST
* New option: CURLOPT_KEEP_SENDING_ON_ERROR
Bugfixes:
* CVE-2016-8615: cookie injection for other servers
* CVE-2016-8616: case insensitive password comparison
* CVE-2016-8617: OOB write via unchecked multiplication
* CVE-2016-8618: double-free in curl_maprintf
* CVE-2016-8619: double-free in krb5 code
* CVE-2016-8620: glob parser write/read out of bounds
* CVE-2016-8621: curl_getdate read out of bounds
* CVE-2016-8622: URL unescape heap overflow via integer truncation
* CVE-2016-8623: Use-after-free via shared cookies
* CVE-2016-8624: invalid URL parsing with '#'
* CVE-2016-8625: IDNA 2003 makes curl use wrong host
* openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
* http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
* LICENSE-MIXING.md: update with mbedTLS dual licensing
* examples/imap-append: Set size of data to be uploaded
* test2048: fix url
* darwinssl: disable RC4 cipher-suite support
* CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
* openssl: don’t call CRYTPO_cleanup_all_ex_data
* libressl: fix version output
* easy: Reset all statistical session info in curl_easy_reset
* curl_global_cleanup.3: don't unload the lib with sub threads running
* dist: add CurlSymbolHiding.cmake to the tarball
* docs: Remove that --proto is just used for initial retrieval
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=176
Bugfixes:
* CVE-2016-7167: escape and unescape integer overflows
* mk-ca-bundle.pl: use SHA256 instead of SHA1
* checksrc: detect strtok() use
* errors: new alias CURLE_WEIRD_SERVER_REPLY
* http2: support > 64bit sized uploads
* openssl: fix bad memory free (regression)
* CMake: hide private library symbols
* http: refuse to pass on response body when NO_NODY is set
* cmake: fix curl-config --static-libs
* mbedtls: switch off NTLM in build if md4 isn't available
* curl: --create-dirs on windows groks both forward and
backward slashes
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=174
Bugfixes:
* mbedtls: Added support for NTLM
* SSH: fixed SFTP/SCP transfer problems
* multi: make Curl_expire() work with 0 ms timeouts
* mk-ca-bundle.pl: -m keeps ca cert meta data in output
* TFTP: Fix upload problem with piped input
* CURLOPT_TCP_NODELAY: now enabled by default
* mbedtls: set verbose TLS debug when MBEDTLS_DEBUG is defined
* http2: always wait for readable socket
* cmake: Enable win32 large file support by default
* cmake: Enable win32 threaded resolver by default
* winbuild: Avoid setting redundant CFLAGS to compile commands
* curl.h: make CURL_NO_OLDIES define CURL_STRICTER
* docs: make more markdown files use .md extension
* docs: CONTRIBUTE and LICENSE-MIXING were converted to markdown
* winbuild: Allow changing C compiler via environment variable CC
* rtsp: accept any RTSP session id
* HTTP: retry failed HEAD requests on reused connections too
* configure: add zlib search with pkg-config
* openssl: accept subjectAltName iPAddress if no dNSName match
* MANUAL: Remove invalid link to LDAP documentation
* socks: improved connection procedure
* proxy: reject attempts to use unsupported proxy schemes
* proxy: bring back use of "Proxy-Connection:"
* curl: allow "pkcs11:" prefix for client certificates
* spnego_sspi: fix memory leak in case *outlen is zero
* SOCKS: improve verbose output of SOCKS5 connection sequence
* SOCKS: display the hostname returned by the SOCKS5 proxy server
* http/sasl: Query authentication mechanism supported by SSPI before using
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=171
Bugfixes:
* TLS: switch off SSL session id when client cert is used
* TLS: only reuse connections with the same client cert
* curl_multi_cleanup: clear connection pointer for easy handles
* include the CURLINFO_HTTP_VERSION man page into the release tarball
* include the http2-server.pl script in the release tarball
* test558: fix test by stripping file paths from FD lines
* spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
* tests: Fix for http/2 feature
* cmake: Fix for schannel support
* curl.h: make public types void * again
* win32: fix a potential memory leak in Curl_load_library
* travis: fix OSX build by re-installing libtool
* mbedtls: Fix debug function name
- removed 0001-tests-distribute-the-http2-server.pl-script-too.patch
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=169
- update to 7.50.0
Changes:
* http: add CURLINFO_HTTP_VERSION and %{http_version}
Bugfixes:
* openssl: fix build with OPENSSL_NO_COMP
* cmake: Added missing mbedTLS support
* URL parser: allow URLs to use one, two or three slashes
* curl: fix -q [regression]
* openssl: Use correct buffer sizes for error messages
* curl: fix SIGSEGV while parsing URL with too many globs
* vtls: fix ssl session cache race condition
* http: Fix HTTP/2 connection reuse [regression]
* checksrc: Add LoadLibrary to the banned functions list
* configure: occasional ignorance of --enable-symbol-hiding with GCC
* http2: test17xx are the first real HTTP/2 tests
* resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
* curl_multi_socket_action.3: rewording
* CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
* cmake: Fix build with winldap
* openssl: fix cert check with non-DNS name fields present
* curl.1: mention the units for the progress meter
* openssl: use more 'const' to fix build warnings with 1.1.0 branch
* cmake: now using BUILD_TESTING=ON/OFF
* vtls: Only call add/getsession if session id is enabled
* headers: forward declare CURL, CURLM and CURLSH as structs
* configure: improve detection of CA bundle path on FreeBSD
* SFTP: set a generic error when no SFTP one exists
* curl_global_init.3: expand on the SSL and WIN32 bits purpose
* conn: don't free easy handle data in handler->disconnect
* cookie.c: Fix misleading indentation
OBS-URL: https://build.opensuse.org/request/show/412565
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=168
- update to 7.47.0
* fixes CVE-2016-0755 (bsc#962983)
(NTLM credentials not-checked for proxy connection re-use)
* drop curl-fix-zsh-completion.patch (upstream)
Changes:
* version: Add flag CURL_VERSION_PSL for libpsl
* http: added CURL_HTTP_VERSION_2TLS to do HTTP/2 for HTTPS only
* curl: use 2TLS by default
* curl --expect100-timeout: added
* Add .dir-locals and set c-basic-offset to 2 (for emacs)
OBS-URL: https://build.opensuse.org/request/show/356290
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=154
