RELEASE-NOTES: 7.65.0 releasecurl-7_65_0

1 files changed, 44 insertions, 11 deletions

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 009300706..a29bf1c5a 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -14,6 +14,8 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
+ o CVE-2019-5435: Integer overflows in curl_url_set [87]
+ o CVE-2019-5436: tftp: use the current blksize for recvfrom() [82]
  o --config: clarify that initial : and = might need quoting [17]
  o AppVeyor: enable testing for WinSSL build [23]
  o CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [52]
@@ -33,10 +35,11 @@ This release includes the following bugfixes:
  o altsvc: Fix building with cookies disabled [38]
  o auth: Rename the various authentication clean up functions [61]
  o base64: build conditionally if there are users
- o build-openssl.bat: lots of improvements and polish
+ o build-openssl.bat: Fixed support for OpenSSL v1.1.0+
  o build: fix "clarify calculation precedence" warnings [63]
  o checksrc.bat: ignore snprintf warnings in docs/examples [67]
  o cirrus: Customize the disabled tests per FreeBSD version
+ o cleanup: remove FIXME and TODO comments [81]
  o cmake: avoid linking executable for some tests with cmake 3.6+ [18]
  o cmake: clear CMAKE_REQUIRED_LIBRARIES after each use [19]
  o cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP [46]
@@ -45,25 +48,34 @@ This release includes the following bugfixes:
  o configure: error out if OpenSSL wasn't detected when asked for [74]
  o configure: fix default location for fish completions [13]
  o cookie: Guard against possible NULL ptr deref [42]
+ o curl: make code work with protocol-disabled libcurl [78]
+ o curl: report error for "--no-" on non-boolean options [86]
  o curl_easy_getinfo.3: fix minor formatting mistake
  o curlver.h: use parenthesis in CURL_VERSION_BITS macro [45]
  o docs/BUG-BOUNTY: bug bounty time [48]
  o docs/INSTALL: fix broken link [62]
+ o docs/RELEASE-PROCEDURE: link to live iCalendar [79]
  o documentation: Fix several typos [7]
  o doh: acknowledge CURL_DISABLE_DOH
  o doh: disable DOH for the cases it doesn't work [66]
+ o examples: remove unused variables [88]
  o ftplistparser: fix LGTM alert "Empty block without comment" [14]
+ o hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS [78]
  o http: Ignore HTTP/2 prior knowledge setting for HTTP proxies [54]
  o http: acknowledge CURL_DISABLE_HTTP_AUTH
  o http: mark bundle as not for multiuse on < HTTP/2 response [41]
  o http_digest: Don't expose functions when HTTP and Crypto Auth are disabled [65]
  o http_negotiate: do not treat failure of gss_init_sec_context() as fatal [53]
  o http_ntlm: Corrected the name of the include guard [64]
+ o http_ntlm_wb: Handle auth for only a single request [77]
+ o http_ntlm_wb: Return the correct error on receiving an empty auth message [77]
  o lib509: add missing include for strdup [22]
  o lib557: initialize variables [22]
  o makedebug: Fix ERRORLEVEL detection after running where.exe [58]
+ o mbedtls: enable use of EC keys [85]
  o mime: acknowledge CURL_DISABLE_MIME
  o multi: improved HTTP_1_1_REQUIRED handling [2]
+ o netrc: acknowledge CURL_DISABLE_NETRC [78]
  o nss: allow fifos and character devices for certificates [56]
  o nss: provide more specific error messages on failed init [43]
  o ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup [70]
@@ -75,6 +87,7 @@ This release includes the following bugfixes:
  o parsedate: disabled on CURL_DISABLE_PARSEDATE
  o pingpong: disable more when no pingpong protocols are enabled
  o polarssl_threadlock: remove conditionally unused code [22]
+ o progress: acknowledge CURL_DISABLE_PROGRESS_METER [78]
  o proxy: acknowledge DISABLE_PROXY more
  o resolve: apply Happy Eyeballs philosophy to parallel c-ares queries [3]
  o revert "multi: support verbose conncache closure handle" [69]
@@ -87,22 +100,28 @@ This release includes the following bugfixes:
  o socks: fix error message
  o socksd: new SOCKS 4+5 server for tests [31]
  o spnego_gssapi: fix return code on gss_init_sec_context() failure [53]
+ o ssh-libssh: remove unused variable [83]
  o ssh: define USE_SSH if SSH is enabled (any backend) [57]
+ o ssh: move variable declaration to where it's used [83]
  o test1002: correct the name
  o test2100: Fix typos in test description
  o tests/server/util: fix Windows Unicode build [21]
  o tests: Run global cleanup at end of tests [29]
  o tests: make Impacket (SMB server) Python 3 compatible [11]
  o tool_cb_wrt: fix bad-function-cast warning [5]
+ o tool_formparse: remove redundant assignment [83]
  o tool_help: Warn if curl and libcurl versions do not match [28]
  o tool_help: include <strings.h> for strcasecmp [4]
  o transfer: fix LGTM alert "Comparison is always true" [14]
+ o travis: add an osx http-only build [80]
  o travis: allow builds on branches named "ci"
  o travis: install dependencies only when needed [24]
  o travis: update some builds do Xenial [30]
  o travis: updated mesalink builds [35]
  o url: always clone the CUROPT_CURLU handle [26]
+ o url: convert the zone id from a IPv6 URL to correct scope id [89]
  o urlapi: add CURLUPART_ZONEID to set and get [59]
+ o urlapi: increase supported scheme length to 40 bytes [84]
  o urlapi: require a non-zero host name length when parsing URL [73]
  o urlapi: stricter CURLUPART_PORT parsing [33]
  o urlapi: strip off zone id from numerical IPv6 addresses [49]
@@ -124,16 +143,17 @@ advice from friends like these:
 
   Aron Bergman, Brad Spencer, cclauss on github, Dan Fandrich,
   Daniel Gustafsson, Daniel Stenberg, Eli Schwartz, Even Rouault,
-  Frank Gevaerts, Gisle Vanem, Isaiah Norton, Jakub Zakrzewski, Jan Ehrhardt,
-  Jeroen Ooms, Jonathan Cardoso Machado, Jonathan Moerman,
-  Joombalaya on github, Kamil Dudka, Kristoffer Gleditsch, l00p3r on Hackerone,
-  Leonardo Taccari, Marcel Raad, Mert Yazıcıoğlu, nevv on HackerOne/curl,
-  niner on github, Paolo Mossino, Patrick Monnerat, Po-Chuan Hsieh,
-  Poul T Lomholt, Ray Satiro, Reed Loden, Ricardo Gomes, Ricky Leverence,
-  Rikard Falkeborn, Roy Bellingan, Simon Warta, Steve Holme, Taiyu Len,
-  Tim Rühsen, Tom van der Woerdt, Tseng Jun, Viktor Szakats, Wenchao Li,
-  Wyatt O'Day, XmiliaH on github, Yiming Jing,
-  (46 contributors)
+  Frank Gevaerts, Gisle Vanem, GitYuanQu on github, Guy Poizat, Isaiah Norton,
+  Jakub Zakrzewski, Jan Ehrhardt, Jeroen Ooms, Jonathan Cardoso Machado,
+  Jonathan Moerman, Joombalaya on github, Kamil Dudka, Kristoffer Gleditsch,
+  l00p3r on hackerone, Leonardo Taccari, Marcel Raad, Mert Yazıcıoğlu,
+  nevv on HackerOne/curl, niner on github, Olen Andoni, Omar Ramadan,
+  Paolo Mossino, Patrick Monnerat, Po-Chuan Hsieh, Poul T Lomholt, Ray Satiro,
+  Reed Loden, Ricardo Gomes, Ricky Leverence, Rikard Falkeborn, Roy Bellingan,
+  Simon Warta, Steve Holme, Taiyu Len, Tim Rühsen, Tom van der Woerdt,
+  Tseng Jun, Viktor Szakats, Wenchao Li, Wyatt O'Day, XmiliaH on github,
+  Yiming Jing,
+  (50 contributors)
 
         Thanks! (and sorry if I forgot to mention someone)
 
@@ -215,3 +235,16 @@ References to bug reports and discussions on issues:
  [74] = https://curl.haxx.se/bug/?i=3824
  [75] = https://curl.haxx.se/bug/?i=3711
  [76] = https://curl.haxx.se/bug/?i=3863
+ [77] = https://curl.haxx.se/bug/?i=3894
+ [78] = https://curl.haxx.se/bug/?i=3844
+ [79] = https://curl.haxx.se/bug/?i=3895
+ [80] = https://curl.haxx.se/bug/?i=3887
+ [81] = https://curl.haxx.se/bug/?i=3876
+ [82] = https://curl.haxx.se/docs/CVE-2019-5436.html
+ [83] = https://curl.haxx.se/bug/?i=3873
+ [84] = https://curl.haxx.se/bug/?i=3905
+ [85] = https://curl.haxx.se/bug/?i=3892
+ [86] = https://curl.haxx.se/bug/?i=3906
+ [87] = https://curl.haxx.se/docs/CVE-2019-5435.html
+ [88] = https://curl.haxx.se/bug/?i=3908
+ [89] = https://curl.haxx.se/bug/?i=3902