- Update to 7.69.0
* Changes:
- polarssl: removed
- smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
- wolfSSH: new SSH backend
* Bugfixes:
- altsvc: improved header parser
- altsvc: keep a copy of the file name to survive handle reset
- altsvc: make saving the cache an atomic operation
- altsvc: use h3-27
- azure: disable brotli on the macos debug-builds
- build: remove all HAVE_OPENSSL_ENGINE_H defines
- cleanup: fix several comment typos
- cleanup: fix typos and wording in docs and comments
- cmake: add support for CMAKE_LTO option
- cmake: clean up and improve build procedures
- cmake: Show HTTPS-proxy in the features output
- cmake: use check_symbol_exists also for inet_pton
- configure.ac: fix comments about --with-quiche
- configure: disable metalink if mbedTLS is specified
- configure: disable metalink support for incompatible SSL/TLS
- conn: do not reuse connection if SOCKS proxy credentials differ
- conncache: removed unused Curl_conncache_bundle_size()
- connect: remove some spurious infof() calls
- connection reuse: respect the max_concurrent_streams limits
- cookie: check __Secure- and __Host- case sensitively
- cookies: make saving atomic with a rename
- create-dirs.d: mention the mode
- curl: avoid using strlen for testing if a string is empty
- curl: error on --alt-svc use w/o support
OBS-URL: https://build.opensuse.org/request/show/781412
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=270
- Update to 7.68.0
* Changes:
- TLS: add BearSSL vtls implementation
- XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
- curl: add --etag-compare and --etag-save
- curl: add --parallel-immediate
- multi: add curl_multi_wakeup()
- openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
* Bugfixes:
- CVE-2019-15601: file: on Windows, refuse paths that start with \\
- Azure Pipelines: add several builds
- CMake: add support for building with the NSS vtls backend
- CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
- CURLOPT_HEADERFUNCTION.3: Document that size is always 1
- CURLOPT_QUOTE.3: fix typos
- CURLOPT_READFUNCTION.3: fix the example
- CURLOPT_URL.3: "curl supports SMB version 1 (only)"
- CURLOPT_VERBOSE.3: see also ERRORBUFFER
- HISTORY: added cmake, HTTP/3 and parallel downloads with curl
- HISTORY: the SMB(S) support landed in 2014
- INSTALL.md: provide Android build instructions
- KNOWN_BUGS: Connection information when using TCP Fast Open
- KNOWN_BUGS: LDAP on Windows doesn't work correctly
- KNOWN_BUGS: TLS session cache doesn't work with TFO
- OPENSOCKETFUNCTION.3: correct the purpose description
- TrackMemory tests: always remove CR before LF
- altsvc: bump to h3-24
- altsvc: make the save function ignore NULL filenames
- build: Disable Visual Studio warning "conditional expression is constant"
- build: fix for CURL_DISABLE_DOH
OBS-URL: https://build.opensuse.org/request/show/761809
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=266
- Update spec file with spec-cleaner
- Update to 7.67.0
* Changes:
- curl: added --no-progress-meter
- setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
- urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
* Bugfixes:
- BINDINGS: five new bindings addded
- CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
- CURLOPT_TIMEOUT.3: remove the mention of "minutes"
- ESNI: initial build/setup support
- FTP: FTPFILE_NOCWD: avoid redundant CWDs
- FTP: allow "rubbish" prepended to the SIZE response
- FTP: remove trailing slash from path for LIST/MLSD
- FTP: skip CWD to entry dir when target is absolute
- FTP: url-decode path before evaluation
- HTTP3.md: move -p for mkdir, remove -j for make
- HTTP3: fix invalid use of sendto for connected UDP socket
- HTTP3: fix prefix parameter for ngtcp2 build
- HTTP3: show an --alt-svc using example too
- INSTALL: add missing space for configure commands
- INSTALL: add vcpkg installation instructions
- altsvc: accept quoted ma and persist values
- altsvc: both backends run h3-23 now
- appveyor: Add MSVC ARM64 build
- appveyor: Use two parallel compilation on appveyor with CMake
- appveyor: add --disable-proxy autotools build
- appveyor: publish artifacts on appveyor
- appveyor: upgrade VS2017 to VS2019
OBS-URL: https://build.opensuse.org/request/show/746069
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=262
- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
* Changes:
- CURLINFO_RETRY_AFTER: parse the Retry-After header value
- HTTP3: initial (experimental still not working) support
- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
- curl: support parallel transfers with -Z
- curl_multi_poll: a sister to curl_multi_wait() that waits more
- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
* Bugfixes:
- CVE-2019-5481: FTP-KRB double-free
- CVE-2019-5482: TFTP small blocksize heap buffer overflow
- CMake: remove needless newlines at end of gss variables
- CMake: use platform dependent name for dlopen() library
- CURLINFO docs: mention that in redirects times are added
- CURLOPT_ALTSVC.3: use a "" file name to not load from a file
- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
- CURLOPT_HEADERFUNCTION.3: clarify
- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
- CURLOPT_READFUNCTION.3: provide inline example
- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
- Curl_addr2string: take an addrlen argument too
- Curl_fillreadbuffer: avoid double-free trailer buf on error
- HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
- alt-svc: add protocol version selection masking
- alt-svc: fix removal of expired cache entry
- alt-svc: make it use h3-22 with ngtcp2 as well
- alt-svc: more liberal ALPN name parsing
- alt-svc: send Alt-Used: in redirected requests
- alt-svc: with quiche, use the quiche h3 alpn string
- asyn-thread: create a socketpair to wait on
OBS-URL: https://build.opensuse.org/request/show/730075
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=260
- Update to 7.65.2
* Bugfixes:
- CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
- CMake: Fix finding Brotli on case-sensitive file systems
- CURLOPT_RANGE.3: Caution against using it for HTTP PUT
- CURLOPT_SEEKDATA.3: fix variable name
- bindlocal: detect and avoid IP version mismatches in bind()
- build: fix Codacy warnings
- c-ares: honor port numbers in CURLOPT_DNS_SERVERS
- config-os400: add getpeername and getsockname defines
- configure: --disable-progress-meter
- configure: fix --disable-code-coverage
- configure: more --disable switches to toggle off individual features
- configure: remove CURL_DISABLE_TLS_SRP
- conn_maxage: move the check to prune_dead_connections()
- curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
- docs: Explain behavior change in --tlsv1. options since 7.54
- docs: Fix links to OpenSSL docs
- docs: fix string suggesting HTTP/2 is not the default
- headers: Remove no longer exported functions
- http2: call done_sending on end of upload
- http2: don't call stream-close on already closed streams
- http2: remove CURL_DISABLE_TYPECHECK define
- http: allow overriding timecond with custom header
- http: clarify header buffer size calculation
- krb5: fix compiler warning
- lib: Use UTF-8 encoding in comments
- libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
- multi: enable multiplexing by default (again)
- multi: fix the transfer hashes in the socket hash entries
OBS-URL: https://build.opensuse.org/request/show/716040
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=257
- Update to 7.65.1
* Bugfixes:
- CURLOPT_LOW_SPEED_* repaired
- NTLM: reset proxy "multipass" state when CONNECT request is done
- PolarSSL: deprecate support step 1. Removed from configure
- cmake: check for if_nametoindex()
- cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
- conncache: Remove the DEBUGASSERT on length check
- conncache: make "bundles" per host name when doing proxy tunnels
- curl_share_setopt.3: improve wording
- dump-header.d: spell out that no headers == empty file
- example/http2-download: fix format specifier
- examples: cleanups and compiler warning fixes
- http2: Stop drain from being permanently set
- http: don't parse body-related headers in bodyless responses
- md4: build correctly with openssl without MD4
- md4: include the mbedtls config.h to get the MD4 info
- multi: track users of a socket better
- nss: allow to specify TLS 1.3 ciphers if supported by NSS
- parse_proxy: make sure portptr is initialized
- parse_proxy: use the IPv6 zone id if given
- sectransp: handle errSSLPeerAuthCompleted from SSLRead()
- singlesocket: use separate variable for inner loop
- ssl: Update outdated "openssl-only" comments for supported backends
- tests: add HAProxy keywords
- tests: make test 1420 and 1406 work with rtsp-disabled libcurl
- tls13-docs: mention it is only for OpenSSL >= 1.1.1
- tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
- url: fix bad feature-disable #ifdef
- url: use correct port in ConnectionExists()
OBS-URL: https://build.opensuse.org/request/show/707886
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=255
- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
* Changes:
- CURLOPT_DNS_USE_GLOBAL_CACHE: removed
- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
- pipelining: removed
* Bugfixes:
- CVE-2019-5435: Integer overflows in curl_url_set
- CVE-2019-5436: tftp: use the current blksize for recvfrom()
- --config: clarify that initial : and = might need quoting
- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
- CURLOPT_ADDRESS_SCOPE: fix range check and more
- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
- CURL_MAX_INPUT_LENGTH: largest acceptable string input size
- Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
- OS400/ccsidcurl: replace use of Curl_vsetopt
- OpenSSL: Report -fips in version if OpenSSL is built with FIPS
- WRITEFUNCTION: add missing set_in_callback around callback
- altsvc: Fix building with cookies disabled
- auth: Rename the various authentication clean up functions
- base64: build conditionally if there are users
- cmake: avoid linking executable for some tests with cmake 3.6+
- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
- cmake: set SSL_BACKENDS
- configure: avoid unportable '==' test(1) operator
- configure: error out if OpenSSL wasn't detected when asked for
- configure: fix default location for fish completions
- cookie: Guard against possible NULL ptr deref
- curl: make code work with protocol-disabled libcurl
- curl: report error for "--no-" on non-boolean options
OBS-URL: https://build.opensuse.org/request/show/704763
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=253
- Install curl.fish completions file from curl rather than from the fish package
- update to version 7.64.1
* Changes:
- alt-svc: experiemental support added
- configure: add --with-amissl
* Bugfixes:
- AppVeyor: switch VS 2015 builds to VS 2017 image
- CURLU: fix NULL dereference when used over proxy
- Curl_easy: remove req.maxfd - never used!
- Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
- DoH: inherit some SSL options from user's easy handle
- Secure Transport: no more "darwinssl"
- Secure Transport: tvOS 11 is required for ALPN support
- cirrus: Added FreeBSD builds using Cirrus CI
- cleanup: make local functions static
- cli tool: do not use mime.h private structures
- cmdline-opts/proxytunnel.d: the option tunnnels all protocols
- configure: add additional libraries to check for LDAP support
- configure: remove the unused fdopen macro
- configure: show features as well in the final summary
- conncache: use conn->data to know if a transfer owns it
- connection: never reuse CONNECT_ONLY connections
- connection_check: restore original conn->data after the check
- connection_check: set ->data to the transfer doing the check
- cookie: Add support for cookie prefixes
- cookies: dotless names can set cookies again
- cookies: fix NULL dereference if flushing cookies with no CookieInfo set
- curl.1: --user and --proxy-user are hidden from ps output
- curl.1: mark the argument to --cookie as
OBS-URL: https://build.opensuse.org/request/show/692902
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=251
- update to version 7.64.0
[bcs#1123371, CVE-2018-16890][bcs#1123377, CVE-2019-3822]
[bcs#1123378, CVE-2019-3823]
* Changes:
- cookies: leave secure cookies alone
- hostip: support wildcard hosts
- http: Implement trailing headers for chunked transfers
- http: added options for allowing HTTP/0.9 responses
- timeval: Use high resolution timestamps on Windows
* Bugfixes:
- CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
- CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
- CVE-2019-3823: SMTP end-of-response out-of-bounds read
- FAQ: remove mention of sourceforge for github
- OS400: handle memory error in list conversion
- OS400: upgrade ILE/RPG binding.
- README: add codacy code quality badge
- Revert http_negotiate: do not close connection
- THANKS: added several missing names from year <= 2000
- build: make 'tidy' target work for metalink builds
- cmake: added checks for variadic macros
- cmake: updated check for HAVE_POLL_FINE to match autotools
- cmake: use lowercase for function name like the rest of the code
- configure: detect xlclang separately from clang
- configure: fix recv/send/select detection on Android
- configure: rewrite --enable-code-coverage
- conncache_unlock: avoid indirection by changing input argument type
- cookie: fix comment typo
- cookies: allow secure override when done over HTTPS
- cookies: extend domain checks to non psl builds
OBS-URL: https://build.opensuse.org/request/show/672083
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=244
- Update to version 7.63.0
Changes:
* curl: add %{stderr} and %{stdout} for --write-out
* curl: add undocumented option --dump-module-paths for w32
* setopt: add CURLOPT_CURLU
Bugfixes:
* (lib)curl.rc: fixup for minor bugs
* CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
* CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis/desc
* CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
* Curl_follow: accept non-supported schemes for "fake" redirects
* KNOWN_BUGS: add --proxy-any connection issue
* NTLM: Remove redundant ifdef USE_OPENSSL
* NTLM: force the connection to HTTP/1.1
* OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
* SECURITY-PROCESS: bountygraph shuts down again
* TODO: Have the URL API offer IDN decoding
* ares: remove fd from multi fd set when ares is about to close the fd
* axtls: removed
* checksrc: add COPYRIGHTYEAR check
* cmake: fix MIT/Heimdal Kerberos detection
* configure: include all libraries in ssl-libs fetch
* configure: show CFLAGS, LDFLAGS etc in summary
* connect: fix building for recent versions of Minix
* cookies: create the cookiejar even if no cookies to save
* cookies: expire "Max-Age=0" immediately
* curl: --local-port range was not "including"
* curl: fix --local-port integer overflow
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=239
- Update to version 7.61.1
Bugfixes:
* CVE-2018-14618: NTLM password overflow via integer overflow (bsc#1106019)
* CURLINFO_SIZE_UPLOAD: fix missing counter update
* CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
* CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse
* Curl_getoff_all_pipelines: improved for multiplexed
* DEPRECATE: remove release date from 7.62.0
* HTTP: Don't attempt to needlessly decompress redirect body
* INTERNALS: require GnuTLS >= 2.11.3
* README.md: add LGTM.com code quality grade for C/C++
* SSLCERTS: improve the openssl command line
* Silence GCC 8 cast-function-type warnings
* ares: check for NULL in completed-callback
* asyn-thread: Remove unused macro
* auth: only pick CURLAUTH_BEARER if we *have* a Bearer token
* auth: pick Bearer authentication whenever a token is available
* cmake: CMake config files are defining CURL_STATICLIB for static builds
* cmake: Respect BUILD_SHARED_LIBS
* cmake: Update scripts to use consistent style
* cmake: bumped minimum version to 3.4
* cmake: link curl to the OpenSSL targets instead of lib absolute paths
* configure: conditionally enable pedantic-errors
* configure: fix for -lpthread detection with OpenSSL and pkg-config
* conn: remove the boolean 'inuse' field
* content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
* cookie tests: treat files as text
* cookies: support creation-time attribute for cookies
* curl: Fix segfault when -H @headerfile is empty
* curl: add http code 408 to transient list for --retry
OBS-URL: https://build.opensuse.org/request/show/633266
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=233
- Update to version 7.62.0
[bsc#1099793, CVE-2018-0500]
Changes:
* getinfo: add microsecond precise timers for seven intervals
* curl: show headers in bold, switch off with --no-styled-output
* httpauth: add support for Bearer tokens
* Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
* curl: --tls13-ciphers and --proxy-tls13-ciphers
* Add CURLOPT_DISALLOW_USERNAME_IN_URL
* curl: --disallow-username-in-url
Bugfixes:
* CVE-2018-0500: smtp: fix SMTP send buffer overflow
* schannel: disable client cert option if APIs not available
* schannel: disable manual verify if APIs not available
* tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
* openssl: acknowledge --tls-max for default version too
* stub_gssapi: fix 'unused parameter' warnings
* examples/progressfunc: make it build on both new and old libcurls
* docs: mention it is HA Proxy protocol "version 1"
* curl_fnmatch: only allow two asterisks for matching
* docs: clarify CURLOPT_HTTPGET
* configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
* configure: do compile-time SIZEOF checks instead of run-time
* checksrc: make sure sizeof() is used *with* parentheses
* CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
* schannel: make CAinfo parsing resilient to CR/LF
* tftp: make sure error is zero terminated before printfing it
* http resume: skip body if http code 416 (range error) is ignored
* configure: add basic test of --with-ssl prefix
* cmake: set -d postfix for debug builds
OBS-URL: https://build.opensuse.org/request/show/623481
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=227
- Update to version 7.60.0
[bsc#1092094, CVE-2018-1000300][bsc#1092098, CVE-2018-1000301]
Changes:
* Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
* Add --haproxy-protocol for the command line tool
* Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses
Bugfixes:
* FTP: shutdown response buffer overflow CVE-2018-1000300
* RTSP: bad headers buffer over-read CVE-2018-1000301
* FTP: fix typo in recursive callback detection for seeking
* test1208: marked flaky
* HTTP: make header-less responses still count correct body size
* user-agent.d:: mention --proxy-header as well
* http2: fixes typo
* cleanup: misc typos in strings and comments
* rate-limit: use three second window to better handle high speeds
* examples/hiperfifo.c: improved
* pause: when changing pause state, update socket state
* multi: improved pending transfers handling => improved performance
* curl_version_info.3: fix ssl_version description
* add_handle/easy_perform: clear errorbuffer on start if set
* cmake: add support for brotli
* parsedate: support UT timezone
* vauth/ntlm.h: fix the #ifdef header guard
* lib/curl_path.h: added #ifdef header guard
* vauth/cleartext: fix integer overflow check
* CURLINFO_COOKIELIST.3: made the example not leak memory
* cookie.d: mention that "-" as filename means stdin
* CURLINFO_SSL_VERIFYRESULT.3: fixed the example
* http2: read pending frames (including GOAWAY) in connection-check
OBS-URL: https://build.opensuse.org/request/show/609087
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=224
- Added message about protocol redirection not supported or
disabled to the function findprotocol() [bsc#1076446]
* Added curl-disabled-redirect-protocol-message.patch
- Update to version 7.59.0
[bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121]
[bsc#1084532, CVE-2018-1000122]
Changes:
* curl: add --proxy-pinnedpubkey
* added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
* CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
* Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
* Add new tool option --happy-eyeballs-timeout-ms
* Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA
Bugfixes:
* openldap: check ldap_get_attribute_ber() results for NULL before using
* FTP: reject path components with control codes
* readwrite: make sure excess reads don't go beyond buffer end
* lib555: drop text conversion and encode data as ascii codes
* lib517: make variable static to avoid compiler warning
* lib544: sync ascii code data with textual data
* GSKit: restore pinnedpubkey functionality
* darwinssl: Don't import client certificates into Keychain on macOS
* parsedate: fix date parsing for systems with 32 bit long
* openssl: fix pinned public key build error in FIPS mode
* SChannel/WinSSL: Implement public key pinning
* cookies: remove verbose "cookie size:" output
* progress-bar: don't use stderr explicitly, use bar->out
* build: open VC15 projects with VS 2017
* curl_ctype: private is*() type macros and functions
OBS-URL: https://build.opensuse.org/request/show/586981
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=222
- Update to version 7.58.0
[bsc1076360, CVE-2018-1000005][bsc#1077001, CVE-2018-1000007]
Changes:
* new libssh-powered SSH SCP/SFTP back-end
* curl-config: add --ssl-backends
Bugfixes:
* http2: fix incorrect trailer buffer size
* http: prevent custom Authorization headers in redirects
* travis: add boringssl build
* examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
* SSL: Avoid magic allocation of SSL backend specific data
* lib: don't export all symbols, just everything curl_*
* libssh2: send the correct CURLE error code on scp file not found
* libssh2: return CURLE_UPLOAD_FAILED on failure to upload
* openssl: enable pkcs12 in boringssl builds
* libssh2: remove dead code from SSH_SFTP_QUOTE
* sasl_getmesssage: make sure we have a long enough string to pass
* conncache: fix several lock issues
* threaded-shared-conn.c: new example
* conncache: only allow multiplexing within same multi handle
* configure: check for netinet/in6.h
* URL: tolerate backslash after drive letter for FILE:
* openldap: add commented out debug possibilities
* include: get netinet/in.h before linux/tcp.h
* CONNECT: keep close connection flag in http_connect_state struct
* BINDINGS: another PostgreSQL client
* curl: limit -# update frequency for unknown total size
* configure: add AX_CODE_COVERAGE only if using gcc
* curl.h: remove incorrect comment about ERRORBUFFER
* openssl: improve data-pending check for https proxy
OBS-URL: https://build.opensuse.org/request/show/568861
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=214
- Update to version 7.57.0 [bsc#1069226, CVE-2017-8816]
[bsc#1069222, CVE-2017-8817] [bsc#1069714, CVE-2017-8818]
Changes:
* auth: add support for RFC7616 - HTTP Digest access authentication
* share: add support for sharing the connection cache
* HTTP: implement Brotli content encoding
Bugfixes:
* CVE-2017-8816: NTLM buffer overflow via integer overflow
* CVE-2017-8817: FTP wildcard out of bounds read
* CVE-2017-8818: SSL out of buffer access
* curl_mime_filedata.3: fix typos
* libtest: Add required test libraries for lib1552 and lib1553
* fix time diffs for systems using unsigned time_t
* ftplistparser: memory leak fix: free temporary memory always
* multi: allow table handle sizes to be overridden
* wildcards: don't use with non-supported protocols
* curl_fnmatch: return error on illegal wildcard pattern
* transfer: Fix chunked-encoding upload too early exit
* resolvers: only include anything if needed
* setopt: fix CURLOPT_SSH_AUTH_TYPES option read
* Curl_timeleft: change return type to timediff_t
* cmake: Export libcurl and curl targets to use by other cmake projects
* curl: in -F option arg, comma is a delimiter for files only
* curl: improved ";type=" handling in -F option arguments
* timeval: use mach_absolute_time() on MacOS
* curlx: the timeval functions are no longer provided as curlx_*
* mkhelp.pl: do not generate comment with current date
* memdebug: use send/recv signature for curl_dosend/curl_dorecv
* cookie: avoid NULL dereference
* url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
OBS-URL: https://build.opensuse.org/request/show/546402
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=210
- Update to version 7.56.1 [bsc#1063824]
Bugfixes:
* imap: if a FETCH response has no size, don't call write
callback [CVE-2017-1000257]
* ftp: UBsan fixup 'pointer index expression overflowed
* failf: skip the sprintf() if there are no consumers
* fuzzer: move to using external curl-fuzzer
* lib/Makefile.m32: allow customizing dll suffixes
* docs: fix typo in curl_mime_data_cb man page
* darwinssl: add support for TLSv1.3
* build: fix --disable-crypto-auth
* openssl: fix build without HAVE_OPAQUE_EVP_PKEY
* strtoofft: Remove extraneous null check
* multi_cleanup: call DONE on handles that never got that
* tests: added flaky keyword to tests 587 and 644
* pingpong: return error when trying to send without connection
* remove_handle: call multi_done() first, then clear dns cache pointer
* mime: be tolerant about setting the same header list twice in a part
* mime: improve unbinding top multipart from easy handle
* mime: avoid resetting a part's encoder when part's contents change
* mime: refuse to add subparts to one of their own descendants
* RTSP: avoid integer overflow on funny RTSP responses
* curl: don't pass semicolons when parsing Content-Disposition
* openssl: enable PKCS12 support for !BoringSSL
* FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
* CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
* CURLOPT_XFERINFODATA.3: fix duplicate see also
* test298: verify --ftp-method nowcwd with URL encoded path
* FTP: URL decode path for dir listing in nocwd mode
* smtp_done: fix memory leak on send failure
OBS-URL: https://build.opensuse.org/request/show/535940
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=208
- Update to 7.56.0 [bsc#1061876, CVE-2017-1000254]
Changes:
* curl: enable compression for SCP/SFTP with --compressed-ssh
* libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION
* vtls: added dynamic changing SSL backend with curl_global_sslset()
* new MIME API, curl_mime_init() and friends
* openssl: initial SSLKEYLOGFILE implementation
Security fixes:
* CVE-2017-1000254 FTP PWD response parser out of bounds read
Bugfixes:
* FTP: zero terminate the entry path even on bad input
* examples/ftpuploadresume.c: use portable code
* runtests: match keywords case insensitively
* strtoofft: reduce integer overflow risks globally
* zsh.pl: produce a working completion script again
* cmake: remove dead code for CURL_DISABLE_RTMP
* progress: Track total times following redirects
* configure: fix --disable-threaded-resolver
* configure: fix clang version detection
* darwinssi: fix error: variable length array used
* configure: check for __builtin_available() availability
* http_proxy: fix build error for CURL_DOES_CONVERSIONS
* examples/ftpuploadresume: checksrc compliance
* ftp: fix CWD when doing multicwd then nocwd on same connection
* system.h: remove all CURL_SIZEOF_* defines
* http: Don't wait on CONNECT when there is no proxy
* system.h: check for __ppc__ as well
* http2_recv: return error better on fatal h2 errors
* tftp: fix memory leak on too long filename
* system.h: fix build for hppa
OBS-URL: https://build.opensuse.org/request/show/532977
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=206
- Upstream fix to build libcurl man3 pages
* Added patch curl-man3.patch
- Disabled test1425 that fails in i586 architecture
* Added patch curl-disable-test1427-i586.patch
- Update to 7.55.0
Changes:
* curl: allow --header and --proxy-header read from file
* getinfo: provide sizes as curl_off_t
* curl: prevent binary output spewed to terminal
* curl: added --request-target
* curl: added --socks5-{basic,gssapi}: control socks5 auth
* libcurl: added CURLOPT_REQUEST_TARGET
* libcurl: added CURLOPT_SOCKS5_AUTH
Bugfixes:
* Security Fixes:
- glob: do not parse after a strtoul() overflow range
(CVE-2017-1000101, bsc#1051643)
- tftp: reject file name lengths that don't fit
(CVE-2017-1000100, bsc#1051644)
- file: output the correct buffer to the user
(CVE-2017-1000099, bsc#1051645)
* includes: remove curl/curlbuild.h and curl/curlrules.h
* dist: make the hugehelp.c not get regenerated unnecessarily
* timers: store internal time stamps as time_t instead of doubles
* progress: let "current speed" be UL + DL speeds combined
* http-proxy: do the HTTP CONNECT process entirely non-blocking
* lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
* fuzz: bring oss-fuzz initial code converted to C89
OBS-URL: https://build.opensuse.org/request/show/515937
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=201
Changes:
* curl now shows release date in --version output
Bugfixes:
* Fixes CVE-2017-9502: default protocol drive letter
buffer overflow bsc#1044243
* openssl: fix memory leak in servercert
* curl: set a 100K buffer size by default
* nss: do not leak PKCS #11 slot while loading a key
* nss: load libnssckbi.so if no other trust is specified
* curl: use utimes instead of obsolescent utime when available
* url: fixed a memory leak on OOM while setting CURLOPT_BUFFERSIZE
* CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size
* curl: non-boolean command line args reject --no- prefixes
* telnet: Write full buffer instead of byte-by-byte
* curl: remove --environment and tool_writeenv.c
* curl: generate the --help output
* curl.1: clarify --config
* curl.1: mention --oauth2-bearer's argument
* ssh: fix memory leak in disconnect due to timeout
* redirect: store the "would redirect to" URL when max redirs is reached
* file: make speedcheck use current time for checks
* urlglob: fix division by zero
- Update to 7.54.1
Changes:
* curl now shows release date in --version output
Bugfixes:
* Fixes CVE-2017-9502: default protocol drive letter
buffer overflow bsc#1044243
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=193
Changes:
* curl now shows release date in --version output
Bugfixes:
* Fixes CVE-2017-9502: default protocol drive letter buffer overflow
* openssl: fix memory leak in servercert
* curl: set a 100K buffer size by default
* nss: do not leak PKCS #11 slot while loading a key
* nss: load libnssckbi.so if no other trust is specified
* curl: use utimes instead of obsolescent utime when available
* url: fixed a memory leak on OOM while setting CURLOPT_BUFFERSIZE
* CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size
* curl: non-boolean command line args reject --no- prefixes
* telnet: Write full buffer instead of byte-by-byte
* curl: remove --environment and tool_writeenv.c
* curl: generate the --help output
* curl.1: clarify --config
* curl.1: mention --oauth2-bearer's argument
* ssh: fix memory leak in disconnect due to timeout
* redirect: store the "would redirect to" URL when max redirs is reached
* file: make speedcheck use current time for checks
* urlglob: fix division by zero
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=191
