- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
* Changes:
- CURLOPT_DNS_USE_GLOBAL_CACHE: removed
- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
- pipelining: removed
* Bugfixes:
- CVE-2019-5435: Integer overflows in curl_url_set
- CVE-2019-5436: tftp: use the current blksize for recvfrom()
- --config: clarify that initial : and = might need quoting
- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
- CURLOPT_ADDRESS_SCOPE: fix range check and more
- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
- CURL_MAX_INPUT_LENGTH: largest acceptable string input size
- Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
- OS400/ccsidcurl: replace use of Curl_vsetopt
- OpenSSL: Report -fips in version if OpenSSL is built with FIPS
- WRITEFUNCTION: add missing set_in_callback around callback
- altsvc: Fix building with cookies disabled
- auth: Rename the various authentication clean up functions
- base64: build conditionally if there are users
- cmake: avoid linking executable for some tests with cmake 3.6+
- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
- cmake: set SSL_BACKENDS
- configure: avoid unportable '==' test(1) operator
- configure: error out if OpenSSL wasn't detected when asked for
- configure: fix default location for fish completions
- cookie: Guard against possible NULL ptr deref
- curl: make code work with protocol-disabled libcurl
- curl: report error for "--no-" on non-boolean options
OBS-URL: https://build.opensuse.org/request/show/704763
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=253
- Install curl.fish completions file from curl rather than from the fish package
- update to version 7.64.1
* Changes:
- alt-svc: experimental support added
- configure: add --with-amissl
* Bugfixes:
- AppVeyor: switch VS 2015 builds to VS 2017 image
- CURLU: fix NULL dereference when used over proxy
- Curl_easy: remove req.maxfd - never used!
- Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
- DoH: inherit some SSL options from user's easy handle
- Secure Transport: no more "darwinssl"
- Secure Transport: tvOS 11 is required for ALPN support
- cirrus: Added FreeBSD builds using Cirrus CI
- cleanup: make local functions static
- cli tool: do not use mime.h private structures
- cmdline-opts/proxytunnel.d: the option tunnels all protocols
- configure: add additional libraries to check for LDAP support
- configure: remove the unused fdopen macro
- configure: show features as well in the final summary
- conncache: use conn->data to know if a transfer owns it
- connection: never reuse CONNECT_ONLY connections
- connection_check: restore original conn->data after the check
- connection_check: set ->data to the transfer doing the check
- cookie: Add support for cookie prefixes
- cookies: dotless names can set cookies again
- cookies: fix NULL dereference if flushing cookies with no CookieInfo set
- curl.1: --user and --proxy-user are hidden from ps output
- curl.1: mark the argument to --cookie as
OBS-URL: https://build.opensuse.org/request/show/692902
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=251
- update to version 7.64.0
[bsc#1123371, CVE-2018-16890][bsc#1123377, CVE-2019-3822]
[bsc#1123378, CVE-2019-3823]
* Changes:
- cookies: leave secure cookies alone
- hostip: support wildcard hosts
- http: Implement trailing headers for chunked transfers
- http: added options for allowing HTTP/0.9 responses
- timeval: Use high resolution timestamps on Windows
* Bugfixes:
- CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
- CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
- CVE-2019-3823: SMTP end-of-response out-of-bounds read
- FAQ: remove mention of sourceforge for github
- OS400: handle memory error in list conversion
- OS400: upgrade ILE/RPG binding.
- README: add codacy code quality badge
- Revert http_negotiate: do not close connection
- THANKS: added several missing names from year <= 2000
- build: make 'tidy' target work for metalink builds
- cmake: added checks for variadic macros
- cmake: updated check for HAVE_POLL_FINE to match autotools
- cmake: use lowercase for function name like the rest of the code
- configure: detect xlclang separately from clang
- configure: fix recv/send/select detection on Android
- configure: rewrite --enable-code-coverage
- conncache_unlock: avoid indirection by changing input argument type
- cookie: fix comment typo
- cookies: allow secure override when done over HTTPS
- cookies: extend domain checks to non psl builds
OBS-URL: https://build.opensuse.org/request/show/672083
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=244
- Provide libcurl4 = %version in the mini library package
- Update to version 7.63.0
Changes:
* curl: add %{stderr} and %{stdout} for --write-out
* curl: add undocumented option --dump-module-paths for w32
* setopt: add CURLOPT_CURLU
Bugfixes:
* (lib)curl.rc: fixup for minor bugs
* CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
* CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis/desc
* CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
* Curl_follow: accept non-supported schemes for "fake" redirects
* KNOWN_BUGS: add --proxy-any connection issue
* NTLM: Remove redundant ifdef USE_OPENSSL
* NTLM: force the connection to HTTP/1.1
* OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
* SECURITY-PROCESS: bountygraph shuts down again
* TODO: Have the URL API offer IDN decoding
* ares: remove fd from multi fd set when ares is about to close the fd
* axtls: removed
* checksrc: add COPYRIGHTYEAR check
* cmake: fix MIT/Heimdal Kerberos detection
* configure: include all libraries in ssl-libs fetch
* configure: show CFLAGS, LDFLAGS etc in summary
* connect: fix building for recent versions of Minix
* cookies: create the cookiejar even if no cookies to save
* cookies: expire "Max-Age=0" immediately
* curl: --local-port range was not "including"
* curl: fix --local-port integer overflow
OBS-URL: https://build.opensuse.org/request/show/667017
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=141
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=239
- Update to version 7.61.1
Bugfixes:
* CVE-2018-14618: NTLM password overflow via integer overflow (bsc#1106019)
* CURLINFO_SIZE_UPLOAD: fix missing counter update
* CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
* CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse
* Curl_getoff_all_pipelines: improved for multiplexed
* DEPRECATE: remove release date from 7.62.0
* HTTP: Don't attempt to needlessly decompress redirect body
* INTERNALS: require GnuTLS >= 2.11.3
* README.md: add LGTM.com code quality grade for C/C++
* SSLCERTS: improve the openssl command line
* Silence GCC 8 cast-function-type warnings
* ares: check for NULL in completed-callback
* asyn-thread: Remove unused macro
* auth: only pick CURLAUTH_BEARER if we *have* a Bearer token
* auth: pick Bearer authentication whenever a token is available
* cmake: CMake config files are defining CURL_STATICLIB for static builds
* cmake: Respect BUILD_SHARED_LIBS
* cmake: Update scripts to use consistent style
* cmake: bumped minimum version to 3.4
* cmake: link curl to the OpenSSL targets instead of lib absolute paths
* configure: conditionally enable pedantic-errors
* configure: fix for -lpthread detection with OpenSSL and pkg-config
* conn: remove the boolean 'inuse' field
* content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
* cookie tests: treat files as text
* cookies: support creation-time attribute for cookies
* curl: Fix segfault when -H @headerfile is empty
* curl: add http code 408 to transient list for --retry
OBS-URL: https://build.opensuse.org/request/show/633266
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=233
- Update to version 7.62.0
[bsc#1099793, CVE-2018-0500]
Changes:
* getinfo: add microsecond precise timers for seven intervals
* curl: show headers in bold, switch off with --no-styled-output
* httpauth: add support for Bearer tokens
* Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
* curl: --tls13-ciphers and --proxy-tls13-ciphers
* Add CURLOPT_DISALLOW_USERNAME_IN_URL
* curl: --disallow-username-in-url
Bugfixes:
* CVE-2018-0500: smtp: fix SMTP send buffer overflow
* schannel: disable client cert option if APIs not available
* schannel: disable manual verify if APIs not available
* tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
* openssl: acknowledge --tls-max for default version too
* stub_gssapi: fix 'unused parameter' warnings
* examples/progressfunc: make it build on both new and old libcurls
* docs: mention it is HA Proxy protocol "version 1"
* curl_fnmatch: only allow two asterisks for matching
* docs: clarify CURLOPT_HTTPGET
* configure: replace an AC_TRY_RUN with CURL_RUN_IFELSE
* configure: do compile-time SIZEOF checks instead of run-time
* checksrc: make sure sizeof() is used *with* parentheses
* CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
* schannel: make CAinfo parsing resilient to CR/LF
* tftp: make sure error is zero terminated before printfing it
* http resume: skip body if http code 416 (range error) is ignored
* configure: add basic test of --with-ssl prefix
* cmake: set -d postfix for debug builds
OBS-URL: https://build.opensuse.org/request/show/623481
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=227
- Update to version 7.60.0
[bsc#1092094, CVE-2018-1000300][bsc#1092098, CVE-2018-1000301]
Changes:
* Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
* Add --haproxy-protocol for the command line tool
* Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses
Bugfixes:
* FTP: shutdown response buffer overflow CVE-2018-1000300
* RTSP: bad headers buffer over-read CVE-2018-1000301
* FTP: fix typo in recursive callback detection for seeking
* test1208: marked flaky
* HTTP: make header-less responses still count correct body size
* user-agent.d: mention --proxy-header as well
* http2: fixes typo
* cleanup: misc typos in strings and comments
* rate-limit: use three second window to better handle high speeds
* examples/hiperfifo.c: improved
* pause: when changing pause state, update socket state
* multi: improved pending transfers handling => improved performance
* curl_version_info.3: fix ssl_version description
* add_handle/easy_perform: clear errorbuffer on start if set
* cmake: add support for brotli
* parsedate: support UT timezone
* vauth/ntlm.h: fix the #ifdef header guard
* lib/curl_path.h: added #ifdef header guard
* vauth/cleartext: fix integer overflow check
* CURLINFO_COOKIELIST.3: made the example not leak memory
* cookie.d: mention that "-" as filename means stdin
* CURLINFO_SSL_VERIFYRESULT.3: fixed the example
* http2: read pending frames (including GOAWAY) in connection-check
OBS-URL: https://build.opensuse.org/request/show/609087
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=224
- Added message about protocol redirection not supported or
disabled to the function findprotocol() [bsc#1076446]
* Added curl-disabled-redirect-protocol-message.patch
- Update to version 7.59.0
[bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121]
[bsc#1084532, CVE-2018-1000122]
Changes:
* curl: add --proxy-pinnedpubkey
* added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
* CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
* Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
* Add new tool option --happy-eyeballs-timeout-ms
* Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA
Bugfixes:
* openldap: check ldap_get_attribute_ber() results for NULL before using
* FTP: reject path components with control codes
* readwrite: make sure excess reads don't go beyond buffer end
* lib555: drop text conversion and encode data as ascii codes
* lib517: make variable static to avoid compiler warning
* lib544: sync ascii code data with textual data
* GSKit: restore pinnedpubkey functionality
* darwinssl: Don't import client certificates into Keychain on macOS
* parsedate: fix date parsing for systems with 32 bit long
* openssl: fix pinned public key build error in FIPS mode
* SChannel/WinSSL: Implement public key pinning
* cookies: remove verbose "cookie size:" output
* progress-bar: don't use stderr explicitly, use bar->out
* build: open VC15 projects with VS 2017
* curl_ctype: private is*() type macros and functions
OBS-URL: https://build.opensuse.org/request/show/586981
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=222
- Update to version 7.58.0
[bsc#1076360, CVE-2018-1000005][bsc#1077001, CVE-2018-1000007]
Changes:
* new libssh-powered SSH SCP/SFTP back-end
* curl-config: add --ssl-backends
Bugfixes:
* http2: fix incorrect trailer buffer size
* http: prevent custom Authorization headers in redirects
* travis: add boringssl build
* examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
* SSL: Avoid magic allocation of SSL backend specific data
* lib: don't export all symbols, just everything curl_*
* libssh2: send the correct CURLE error code on scp file not found
* libssh2: return CURLE_UPLOAD_FAILED on failure to upload
* openssl: enable pkcs12 in boringssl builds
* libssh2: remove dead code from SSH_SFTP_QUOTE
* sasl_getmesssage: make sure we have a long enough string to pass
* conncache: fix several lock issues
* threaded-shared-conn.c: new example
* conncache: only allow multiplexing within same multi handle
* configure: check for netinet/in6.h
* URL: tolerate backslash after drive letter for FILE:
* openldap: add commented out debug possibilities
* include: get netinet/in.h before linux/tcp.h
* CONNECT: keep close connection flag in http_connect_state struct
* BINDINGS: another PostgreSQL client
* curl: limit -# update frequency for unknown total size
* configure: add AX_CODE_COVERAGE only if using gcc
* curl.h: remove incorrect comment about ERRORBUFFER
* openssl: improve data-pending check for https proxy
OBS-URL: https://build.opensuse.org/request/show/568861
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=214
- Update to version 7.57.0 [bsc#1069226, CVE-2017-8816]
[bsc#1069222, CVE-2017-8817] [bsc#1069714, CVE-2017-8818]
Changes:
* auth: add support for RFC7616 - HTTP Digest access authentication
* share: add support for sharing the connection cache
* HTTP: implement Brotli content encoding
Bugfixes:
* CVE-2017-8816: NTLM buffer overflow via integer overflow
* CVE-2017-8817: FTP wildcard out of bounds read
* CVE-2017-8818: SSL out of buffer access
* curl_mime_filedata.3: fix typos
* libtest: Add required test libraries for lib1552 and lib1553
* fix time diffs for systems using unsigned time_t
* ftplistparser: memory leak fix: free temporary memory always
* multi: allow table handle sizes to be overridden
* wildcards: don't use with non-supported protocols
* curl_fnmatch: return error on illegal wildcard pattern
* transfer: Fix chunked-encoding upload too early exit
* resolvers: only include anything if needed
* setopt: fix CURLOPT_SSH_AUTH_TYPES option read
* Curl_timeleft: change return type to timediff_t
* cmake: Export libcurl and curl targets to use by other cmake projects
* curl: in -F option arg, comma is a delimiter for files only
* curl: improved ";type=" handling in -F option arguments
* timeval: use mach_absolute_time() on MacOS
* curlx: the timeval functions are no longer provided as curlx_*
* mkhelp.pl: do not generate comment with current date
* memdebug: use send/recv signature for curl_dosend/curl_dorecv
* cookie: avoid NULL dereference
* url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
OBS-URL: https://build.opensuse.org/request/show/546402
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=210
- Update to version 7.56.1 [bsc#1063824]
Bugfixes:
* imap: if a FETCH response has no size, don't call write
callback [CVE-2017-1000257]
* ftp: UBsan fixup 'pointer index expression overflowed'
* failf: skip the sprintf() if there are no consumers
* fuzzer: move to using external curl-fuzzer
* lib/Makefile.m32: allow customizing dll suffixes
* docs: fix typo in curl_mime_data_cb man page
* darwinssl: add support for TLSv1.3
* build: fix --disable-crypto-auth
* openssl: fix build without HAVE_OPAQUE_EVP_PKEY
* strtoofft: Remove extraneous null check
* multi_cleanup: call DONE on handles that never got that
* tests: added flaky keyword to tests 587 and 644
* pingpong: return error when trying to send without connection
* remove_handle: call multi_done() first, then clear dns cache pointer
* mime: be tolerant about setting the same header list twice in a part
* mime: improve unbinding top multipart from easy handle
* mime: avoid resetting a part's encoder when part's contents change
* mime: refuse to add subparts to one of their own descendants
* RTSP: avoid integer overflow on funny RTSP responses
* curl: don't pass semicolons when parsing Content-Disposition
* openssl: enable PKCS12 support for !BoringSSL
* FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
* CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
* CURLOPT_XFERINFODATA.3: fix duplicate see also
* test298: verify --ftp-method nowcwd with URL encoded path
* FTP: URL decode path for dir listing in nocwd mode
* smtp_done: fix memory leak on send failure
OBS-URL: https://build.opensuse.org/request/show/535940
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=208
- Update to 7.56.0 [bsc#1061876, CVE-2017-1000254]
Changes:
* curl: enable compression for SCP/SFTP with --compressed-ssh
* libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION
* vtls: added dynamic changing SSL backend with curl_global_sslset()
* new MIME API, curl_mime_init() and friends
* openssl: initial SSLKEYLOGFILE implementation
Security fixes:
* CVE-2017-1000254 FTP PWD response parser out of bounds read
Bugfixes:
* FTP: zero terminate the entry path even on bad input
* examples/ftpuploadresume.c: use portable code
* runtests: match keywords case insensitively
* strtoofft: reduce integer overflow risks globally
* zsh.pl: produce a working completion script again
* cmake: remove dead code for CURL_DISABLE_RTMP
* progress: Track total times following redirects
* configure: fix --disable-threaded-resolver
* configure: fix clang version detection
* darwinssl: fix error: variable length array used
* configure: check for __builtin_available() availability
* http_proxy: fix build error for CURL_DOES_CONVERSIONS
* examples/ftpuploadresume: checksrc compliance
* ftp: fix CWD when doing multicwd then nocwd on same connection
* system.h: remove all CURL_SIZEOF_* defines
* http: Don't wait on CONNECT when there is no proxy
* system.h: check for __ppc__ as well
* http2_recv: return error better on fatal h2 errors
* tftp: fix memory leak on too long filename
* system.h: fix build for hppa
OBS-URL: https://build.opensuse.org/request/show/532977
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=206