Diffstat (limited to 'RELEASE-NOTES')
-rw-r--r-- | RELEASE-NOTES | 401 |
1 files changed, 232 insertions, 169 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 9574e14bb..644b6d78d 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES 
@@ -1,97 +1,134 @@ -curl and libcurl 7.64.0 +curl and libcurl 7.64.1 - Public curl releases: 179 - Command line options: 220 - curl_easy_setopt() options: 265 + Public curl releases: 180 + Command line options: 221 + curl_easy_setopt() options: 267 Public functions in libcurl: 80 - Contributors: 1875 + Contributors: 1929 This release includes the following changes: - o cookies: leave secure cookies alone [3] - o hostip: support wildcard hosts [23] - o http: Implement trailing headers for chunked transfers [7] - o http: added options for allowing HTTP/0.9 responses [10] - o timeval: Use high resolution timestamps on Windows [19] + o alt-svc: experiemental support added [74] + o configure: add --with-amissl [84] This release includes the following bugfixes: - o CVE-2018-16890: NTLM type-2 out-of-bounds buffer read [67] - o CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow [68] - o CVE-2019-3823: SMTP end-of-response out-of-bounds read [66] - o FAQ: remove mention of sourceforge for github [22] - o OS400: handle memory error in list conversion [4] - o OS400: upgrade ILE/RPG binding. 
- o README: add codacy code quality badge - o Revert http_negotiate: do not close connection [31] - o THANKS: added several missing names from year <= 2000 - o build: make 'tidy' target work for metalink builds - o cmake: added checks for variadic macros [47] - o cmake: updated check for HAVE_POLL_FINE to match autotools [39] - o cmake: use lowercase for function name like the rest of the code [20] - o configure: detect xlclang separately from clang [41] - o configure: fix recv/send/select detection on Android [53] - o configure: rewrite --enable-code-coverage [61] - o conncache_unlock: avoid indirection by changing input argument type - o cookie: fix comment typo [44] - o cookies: allow secure override when done over HTTPS [34] - o cookies: extend domain checks to non psl builds [12] - o cookies: skip custom cookies when redirecting cross-site [36] - o curl --xattr: strip credentials from any URL that is stored [33] - o curl -J: refuse to append to the destination file [14] - o curl/urlapi.h: include "curl.h" first [30] - o curl_multi_remove_handle() don't block terminating c-ares requests [32] - o darwinssl: accept setting max-tls with default min-tls [6] - o disconnect: separate connections and easy handles better [18] - o disconnect: set conn->data for protocol disconnect - o docs/version.d: mention MultiSSL [26] - o docs: fix the --tls-max description [2] - o docs: use $(INSTALL_DATA) to install man page [64] - o docs: use meaningless port number in CURLOPT_LOCALPORT example [58] - o gopher: always include the entire gopher-path in request [5] - o http2: clear pause stream id if it gets closed [8] - o if2ip: remove unused function Curl_if_is_interface_name [9] - o libssh: do not let libssh create socket [63] - o libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh [62] - o libssh: free sftp_canonicalize_path() data correctly [17] - o libtest/stub_gssapi: use "real" snprintf [27] - o mbedtls: use VERIFYHOST [15] - o multi: multiplexing 
improvements [35] - o multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time [57] - o ntlm: fix NTMLv2 compliance [25] - o ntlm_sspi: add support for channel binding [54] - o openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated [46] - o openssl: fix the SSL_get_tlsext_status_ocsp_resp call [40] - o openvms: fix OpenSSL discovery on VAX [21] - o openvms: fix typos in documentation - o os400: add a missing closing bracket [50] - o os400: fix extra parameter syntax error [50] - o pingpong: change default response timeout to 120 seconds - o pingpong: ignore regular timeout in disconnect phase [16] - o printf: fix format specifiers [28] - o runtests.pl: Fix perl call to include srcdir [65] - o schannel: fix compiler warning [29] - o schannel: preserve original certificate path parameter [52] - o schannel: stop calling it "winssl" [56] - o sigpipe: if mbedTLS is used, ignore SIGPIPE [59] - o smb: fix incorrect path in request if connection reused [13] - o ssh: log the libssh2 error message when ssh session startup fails [55] - o test1558: verify CURLINFO_PROTOCOL on file:// transfer [51] - o test1561: improve test name - o test1653: make it survive torture tests - o tests: allow tests to pass by 2037-02-12 [38] - o tests: move objnames-* from lib into tests [42] - o timediff: fix math for unsigned time_t [37] - o timeval: Disable MSVC Analyzer GetTickCount warning [60] - o tool_cb_prg: avoid integer overflow [49] - o travis: added cmake build for osx [43] - o urlapi: Fix port parsing of eol colon [1] - o urlapi: distinguish possibly empty query [5] - o urlapi: fix parsing ipv6 with zone index [24] - o urldata: rename easy_conn to just conn [48] - o winbuild: conditionally use /DZLIB_WINAPI [45] - o wolfssl: fix memory-leak in threaded use [11] - o spnego_sspi: add support for channel binding [69] + o AppVeyor: add MinGW-w64 and classic Mingw builds [55] + o AppVeyor: switch VS 2015 builds to VS 2017 image [49] + o CURLU: fix NULL dereference when used 
over proxy [73] + o Curl_easy: remove req.maxfd - never used! [58] + o Curl_now: figure out windows version in win32_init: [11] + o Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning [20] + o DoH: inherit some SSL options from user's easy handle [80] + o Secure Transport: no more "darwinssl" [56] + o Secure Transport: tvOS 11 is required for ALPN support [94] + o cirrus: Added FreeBSD builds using Cirrus CI + o cleanup: make local functions static [5] + o cli tool: do not use mime.h private structures [27] + o cmdline-opts/proxytunnel.d: the option tunnnels all protocols [83] + o configure: add additional libraries to check for LDAP support [45] + o configure: remove the unused fdopen macro [40] + o configure: show features as well in the final summary [15] + o conncache: use conn->data to know if a transfer owns it [95] + o connection: never reuse CONNECT_ONLY connections [35] + o connection_check: restore original conn->data after the check [14] + o connection_check: set ->data to the transfer doing the check [3] + o cookie: Add support for cookie prefixes [29] + o cookies: dotless names can set cookies again [81] + o cookies: fix NULL dereference if flushing cookies with no CookieInfo set [47] + o curl.1: --user and --proxy-user are hidden from ps output [86] + o curl.1: mark the argument to --cookie as <data|filename> [87] + o curl.h: use __has_declspec_attribute for shared builds [52] + o curl: display --version features sorted alphabetically [51] + o curl: fix FreeBSD compiler warning in the --xattr code [2] + o curl: remove MANUAL from -M output [38] + o curl_easy_duphandle.3: clarify that a duped handle has no shares [64] + o curl_multi_remove_handle.3: use at any time, just not from within callbacks + o curl_url.3: this API is not experimental anymore + o dns: release sharelock as soon as possible [1] + o docs: update max-redirs.d phrasing [59] + o easy: fix win32 init to work without CURL_GLOBAL_WIN32 [30] + o examples/10-at-a-time.c: improve 
readability and simplify + o examples/cacertinmem.c: use multiple certificates for loading CA-chain [54] + o examples/crawler: Fix the Accept-Encoding setting + o examples/ephiperfifo.c: various fixes [63] + o examples/externalsocket: add missing close socket calls [78] + o examples/http2-download: cleaned up + o examples/http2-serverpush: add some sensible error checks [31] + o examples/http2-upload: cleaned up + o examples/httpcustomheader: Value stored to 'res' is never read + o examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' + o examples/sftpuploadresume: Value stored to 'result' is never read + o examples: only include <curl/curl.h> [70] + o examples: remove recursive calls to curl_multi_socket_action [42] + o examples: remove superfluous null-pointer checks + o file: fix "Checking if unsigned variable 'readcount' is less than zero." [90] + o fnmatch: disable if FTP is disabled [25] + o gnutls: remove call to deprecated gnutls_compression_get_name [66] + o gopher: remove check for path == NULL [69] + o gssapi: fix deprecated header warnings [16] + o hostip: make create_hostcache_id avoid alloc + free [4] + o http2: multi_connchanged() moved from multi.c, only used for h2 [21] + o http2: verify :athority in push promise requests [37] + o http: make adding a blank header thread-safe [33] + o http: send payload when (proxy) authentication is done [89] + o http: set state.infilesize when sending multipart formposts [57] + o makefile: make checksrc and hugefile commands "silent" [85] + o mbedtls: make it build even if MBEDTLS_VERSION_C isn't set [24] + o mbedtls: release sessionid resources on error [28] + o memdebug: log pointer before freeing its data [91] + o memdebug: make debug-specific functions use curl_dbg_ prefix [82] + o mime: put the boundary buffer into the curl_mime struct [18] + o multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME [43] + o multi: remove verbose "Expire in" ... 
messages [23] + o multi: removed unused code for request retries [79] + o multi: support verbose conncache closure handle [72] + o negotiate: fix for HTTP POST with Negotiate [88] + o openssl: add support for TLS ASYNC state [46] + o openssl: if cert type is ENG and no key specified, key is ENG too [93] + o pretransfer: don't strlen() POSTFIELDS set for GET requests [22] + o rand: Fix a mismatch between comments in source and header [32] + o runtests: detect "schannel" as an alias for "winssl" [50] + o schannel: be quiet - remove verbose output [19] + o schannel: close TLS before removing conn from cache [10] + o schannel: support CALG_ECDH_EPHEM algorithm [44] + o scripts/completion.pl: also generate fish completion file [67] + o singlesocket: fix the 'sincebefore' placement [36] + o source: fix two 'nread' may be used uninitialized warnings [68] + o ssh: fix Condition '!status' is always true [60] + o ssh: loop the state machine if not done and not blocking [71] + o strerror: make the strerror function use local buffers [48] + o system_win32: move win32_init here from easy.c [65] + o test578: make it read data from the correct test + o tests: Fixed XML validation errors in some test files + o tests: add stderr comparison to the test suite [26] + o tests: fix multiple may be used uninitialized warnings + o threaded-resolver: shutdown the resolver thread without error message [61] + o tool_cb_wrt: fix writing to Windows null device NUL [96] + o tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr [84] + o tool_operate: build on AmigaOS [84] + o tool_operate: fix typecheck warning [9] + o transfer.c: do not compute length of undefined hex buffer + o travis: add build using gnutls [75] + o travis: add scan-build [13] + o travis: bump the used wolfSSL version to 4.0.0 [92] + o travis: enable valgrind for the iconv tests [12] + o travis: use updated compiler versions: clang 7 and gcc 8 [77] + o unit1307: require FTP support [17] + o unit1651: 
survive curl_easy_init() fails + o url/idnconvert: remove scan for <= 32 ascii values [6] + o url: change conn shutdown order to ensure SOCKETFUNCTION callbacks [39] + o urlapi: reduce variable scope, remove unreachable 'break' [7] + o urldata: convert bools to bitfields and move to end [53] + o urldata: simplify bytecounters [62] + o urlglob: Argument with 'nonnull' attribute passed null + o version.c: silent scan-build even when librtmp is not enabled + o vtls: rename some of the SSL functions [84] + o wolfssl: stop custom-adding curves [41] + o x509asn1: "Dereference of null pointer" + o x509asn1: cleanup and unify code layout [34] + o zsh.pl: escape ':' character [8] + o zsh.pl: update regex to better match curl -h output [8] This release includes the following known bugs: 
@@ -100,91 +137,117 @@ This release includes the following known bugs: This release would not have looked like this without help, code, reports and advice from friends like these: - Alessandro Ghedini, Andrei Neculau, Archangel SDY, Ayoub Boudhar, Ben Kohler, - Bernhard M. Wiedemann, Brad Spencer, Brian Carpenter, Claes Jakobsson, - Daniel Gustafsson, Daniel Stenberg, David Garske, dnivras on github, - Eric Rosenquist, Etienne Simard, Felix Hädicke, Florian Pritz, - Frank Gevaerts, Giorgos Oikonomou, Gisle Vanem, GitYuanQu on github, - Haibo Huang, Harry Sintonen, Helge Klein, Huzaifa Sidhpurwala, - jasal82 on github, Jeremie Rapin, Jeroen Ooms, Joel Depooter, John Marshall, - jonrumsey on github, Julian Z, Kamil Dudka, Katsuhiko YOSHIDA, Kees Dekker, - Ladar Levison, Leonardo Taccari, Marcel Raad, Markus Moeller, - masbug on github, Matus Uzak, Michael Kujawa, Patrick Monnerat, Pavel Pavlov, - Peng Li, Ray Satiro, Rikard Falkeborn, Ruslan Baratov, Sergei Nikulov, - Shlomi Fish, Tobias Lindgren, Tom van der Woerdt, Viktor Szakats, - Wenxiang Qian, William A. Rowe Jr, Zhao Yisha, - (56 contributors) + accountantM on github, Alessandro Ghedini, Andre Guibert de Bruet, + Arnaud Rebillout, Bernd Mueller, Björn Stenberg, buzo-ffm on github, + Chris Araman, Christian Schmitz, Chris Young, d912e3 on github, Dan Fandrich, + Daniel Gustafsson, Daniel Lublin, Daniel Stenberg, David Garske, + David Woodhouse, Dominik Hölzl, Don J Olmstead, Eric Curtin, Frank Gevaerts, + Gisle Vanem, James Brown, Jan Alexander Steffens, jnbr on github, + MAntoniak on github, Marcel Raad, Marc Schlatter, Matt McClure, Michael Felt, + Michael Schmid, Michael Wallner, Michał Antoniak, nedres on github, + nianxuejie on github, Nick Zitzmann, Nicolas Grekas, Patrick Monnerat, + Paul Groke, Pavel Löbl, Ray Satiro, Renaud Allard, Romain Geissler, + Sara Golemon, Simon Legner, tholin on github, Tim Rühsen, Volker Schmid, + wesinator on github, + (49 contributors) Thanks! 
(and sorry if I forgot to mention someone) References to bug reports and discussions on issues: - [1] = https://curl.haxx.se/bug/?i=3365 - [2] = https://curl.haxx.se/bug/?i=3368 - [3] = https://curl.haxx.se/bug/?i=2956 - [4] = https://curl.haxx.se/bug/?i=3372 - [5] = https://curl.haxx.se/bug/?i=3369 - [6] = https://curl.haxx.se/bug/?i=3367 - [7] = https://curl.haxx.se/bug/?i=3350 - [8] = https://curl.haxx.se/bug/?i=3392 - [9] = https://curl.haxx.se/bug/?i=3401 - [10] = https://curl.haxx.se/bug/?i=2873 - [11] = https://curl.haxx.se/bug/?i=3395 - [12] = https://curl.haxx.se/bug/?i=2964 - [13] = https://curl.haxx.se/bug/?i=3388 - [14] = https://curl.haxx.se/bug/?i=3380 - [15] = https://curl.haxx.se/bug/?i=3376 - [16] = https://curl.haxx.se/bug/?i=3264 - [17] = https://curl.haxx.se/bug/?i=3402 - [18] = https://curl.haxx.se/bug/?i=3400 - [19] = https://curl.haxx.se/bug/?i=3318 - [20] = https://curl.haxx.se/bug/?i=3196 - [21] = https://curl.haxx.se/bug/?i=3407 - [22] = https://curl.haxx.se/bug/?i=3410 - [23] = https://curl.haxx.se/bug/?i=3406 - [24] = https://curl.haxx.se/bug/?i=3411 - [25] = https://curl.haxx.se/bug/?i=3286 - [26] = https://curl.haxx.se/bug/?i=3432 - [27] = https://curl.haxx.se/mail/lib-2019-01/0000.html - [28] = https://curl.haxx.se/bug/?i=3426 - [29] = https://curl.haxx.se/bug/?i=3435 - [30] = https://curl.haxx.se/bug/?i=3438 - [31] = https://curl.haxx.se/bug/?i=3384 - [32] = https://curl.haxx.se/bug/?i=3371 - [33] = https://curl.haxx.se/bug/?i=3423 - [34] = https://curl.haxx.se/bug/?i=3445 - [35] = https://curl.haxx.se/bug/?i=3436 - [36] = https://curl.haxx.se/bug/?i=3417 - [37] = https://curl.haxx.se/bug/?i=3449 - [38] = https://curl.haxx.se/bug/?i=3443 - [39] = https://curl.haxx.se/bug/?i=3292 - [40] = https://curl.haxx.se/bug/?i=3477 - [41] = https://curl.haxx.se/bug/?i=3474 - [42] = https://curl.haxx.se/bug/?i=3470 - [43] = https://curl.haxx.se/bug/?i=3468 - [44] = https://curl.haxx.se/bug/?i=3469 - [45] = https://curl.haxx.se/bug/?i=3133 - [46] 
= https://curl.haxx.se/bug/?i=3462 - [47] = https://curl.haxx.se/bug/?i=3459 - [48] = https://curl.haxx.se/bug/?i=3442 - [49] = https://curl.haxx.se/bug/?i=3456 - [50] = https://curl.haxx.se/bug/?i=3453 - [51] = https://curl.haxx.se/bug/?i=3447 - [52] = https://curl.haxx.se/bug/?i=3480 - [53] = https://curl.haxx.se/bug/?i=3484 - [54] = https://curl.haxx.se/bug/?i=3280 - [55] = https://curl.haxx.se/bug/?i=3481 - [56] = https://curl.haxx.se/bug/?i=3504 - [57] = https://curl.haxx.se/mail/lib-2019-01/0073.html - [58] = https://curl.haxx.se/bug/?i=3513 - [59] = https://curl.haxx.se/bug/?i=3502 - [60] = https://curl.haxx.se/bug/?i=3437 - [61] = https://curl.haxx.se/bug/?i=3497 - [62] = https://curl.haxx.se/bug/?i=3493 - [63] = https://curl.haxx.se/bug/?i=3491 - [64] = https://curl.haxx.se/bug/?i=3518 - [65] = https://curl.haxx.se/bug/?i=3496 - [66] = https://curl.haxx.se/docs/CVE-2019-3823.html - [67] = https://curl.haxx.se/docs/CVE-2018-16890.html - [68] = https://curl.haxx.se/docs/CVE-2019-3822.html - [69] = https://curl.haxx.se/bug/?i=3503 + [1] = https://curl.haxx.se/bug/?i=3516 + [2] = https://curl.haxx.se/bug/?i=3550 + [3] = https://curl.haxx.se/bug/?i=3541 + [4] = https://curl.haxx.se/bug/?i=3544 + [5] = https://curl.haxx.se/bug/?i=3538 + [6] = https://curl.haxx.se/bug/?i=3539 + [7] = https://curl.haxx.se/bug/?i=3540 + [8] = https://bugs.debian.org/921452 + [9] = https://curl.haxx.se/bug/?i=3534 + [10] = https://curl.haxx.se/bug/?i=3412 + [11] = https://curl.haxx.se/bug/?i=3572 + [12] = https://curl.haxx.se/bug/?i=3571 + [13] = https://curl.haxx.se/bug/?i=3564 + [14] = https://curl.haxx.se/bug/?i=3542 + [15] = https://curl.haxx.se/bug/?i=3569 + [16] = https://curl.haxx.se/bug/?i=3566 + [17] = https://curl.haxx.se/bug/?i=3565 + [18] = https://curl.haxx.se/bug/?i=3561 + [19] = https://curl.haxx.se/bug/?i=3552 + [20] = https://curl.haxx.se/bug/?i=3562 + [21] = https://curl.haxx.se/bug/?i=3557 + [22] = https://curl.haxx.se/bug/?i=3548 + [23] = 
https://curl.haxx.se/mail/archive-2019-02/0013.html + [24] = https://curl.haxx.se/bug/?i=3553 + [25] = https://curl.haxx.se/bug/?i=3551 + [26] = https://curl.haxx.se/bug/?i=3536 + [27] = https://curl.haxx.se/bug/?i=3532 + [28] = https://curl.haxx.se/bug/?i=3574 + [29] = https://curl.haxx.se/bug/?i=3554 + [30] = https://curl.haxx.se/bug/?i=3313 + [31] = https://curl.haxx.se/bug/?i=3580 + [32] = https://curl.haxx.se/bug/?i=3584 + [33] = https://curl.haxx.se/bug/?i=3578 + [34] = https://curl.haxx.se/bug/?i=3582 + [35] = https://curl.haxx.se/mail/lib-2019-02/0064.html + [36] = https://curl.haxx.se/bug/?i=3585 + [37] = https://curl.haxx.se/bug/?i=3577 + [38] = https://curl.haxx.se/bug/?i=3587 + [39] = https://curl.haxx.se/mail/lib-2019-02/0101.html + [40] = https://curl.haxx.se/bug/?i=3600 + [41] = https://curl.haxx.se/bug/?i=3599 + [42] = https://curl.haxx.se/bug/?i=3537 + [43] = https://curl.haxx.se/bug/?i=3602 + [44] = https://curl.haxx.se/bug/?i=3608 + [45] = https://curl.haxx.se/bug/?i=3595 + [46] = https://curl.haxx.se/bug/?i=3591 + [47] = https://curl.haxx.se/bug/?i=3613 + [48] = https://curl.haxx.se/bug/?i=3612 + [49] = https://curl.haxx.se/bug/?i=3606 + [50] = https://curl.haxx.se/bug/?i=3609 + [51] = https://curl.haxx.se/bug/?i=3611 + [52] = https://curl.haxx.se/bug/?i=3616 + [53] = https://curl.haxx.se/bug/?i=3610 + [54] = https://curl.haxx.se/bug/?i=3421 + [55] = https://curl.haxx.se/bug/?i=3623 + [56] = https://curl.haxx.se/bug/?i=3619 + [57] = https://curl.haxx.se/mail/archive-2019-02/0023.html + [58] = https://curl.haxx.se/bug/?i=3626 + [59] = https://curl.haxx.se/bug/?i=3631 + [60] = https://curl.haxx.se/bug/?i=3628 + [61] = https://curl.haxx.se/bug/?i=3629 + [62] = https://curl.haxx.se/bug/?i=3627 + [63] = https://curl.haxx.se/bug/?i=3632 + [64] = https://curl.haxx.se/bug/?i=3592 + [65] = https://curl.haxx.se/bug/?i=3625 + [66] = https://curl.haxx.se/bug/?i=3636 + [67] = https://curl.haxx.se/bug/?i=3545 + [68] = https://curl.haxx.se/bug/?i=3546 + [69] = 
https://curl.haxx.se/bug/?i=3617 + [70] = https://curl.haxx.se/bug/?i=3645 + [71] = https://curl.haxx.se/bug/?i=3506 + [72] = https://curl.haxx.se/bug/?i=3618 + [73] = https://curl.haxx.se/bug/?i=3641 + [74] = https://curl.haxx.se/bug/?i=3498 + [76] = https://curl.haxx.se/bug/?i=3637 + [77] = https://curl.haxx.se/bug/?i=3670 + [78] = https://curl.haxx.se/bug/?i=3663 + [79] = https://curl.haxx.se/bug/?i=3666 + [80] = https://curl.haxx.se/bug/?i=3660 + [81] = https://curl.haxx.se/bug/?i=3649 + [82] = https://curl.haxx.se/bug/?i=3656 + [83] = https://curl.haxx.se/bug/?i=3658 + [84] = https://curl.haxx.se/bug/?i=3677 + [85] = https://curl.haxx.se/bug/?i=3681 + [86] = https://curl.haxx.se/bug/?i=3680 + [87] = https://curl.haxx.se/bug/?i=3682 + [88] = https://curl.haxx.se/bug/?i=1261 + [89] = https://curl.haxx.se/bug/?i=2431 + [90] = https://curl.haxx.se/bug/?i=3672 + [91] = https://curl.haxx.se/bug/?i=3671 + [92] = https://curl.haxx.se/bug/?i=3697 + [93] = https://curl.haxx.se/bug/?i=3692 + [94] = https://curl.haxx.se/bug/?i=3689 + [95] = https://curl.haxx.se/bug/?i=3686 + [96] = https://github.com/curl/curl/issues/3175#issuecomment-439068724 + |
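Review bot: Three added entries in the first hunk (@@ -1,97 +1,134 @@) carry typos that would ship in the release notes: "experiemental" in the alt-svc change line, "tunnnels" in the cmdline-opts/proxytunnel.d line, and ":athority" in "http2: verify :athority in push promise requests [37]". The last one matters most, because anyone searching the notes for the HTTP/2 ":authority" pseudo-header check in push promises will not find it; suggest correcting all three before release. The line "Curl_now: figure out windows version in win32_init: [11]" also ends with a stray colon before its reference. Finally, [84] is cited by four entries (configure --with-amissl, tool_getpass, tool_operate build on AmigaOS, and "vtls: rename some of the SSL functions"); the vtls rename does not obviously belong with the AmigaOS items, so it is worth confirming that its reference number is the intended one.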
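Review bot: The reference list added in the second hunk (@@ -100,91 +137,117 @@) jumps from [74] straight to [76], so "travis: add build using gnutls [75]" in the bugfix list points at a reference that is never defined, while [76] is defined but no entry visible in this diff cites it. Suggest either adding the missing [75] line or renumbering so that the gnutls entry cites the link it was meant to, and dropping [76] if nothing uses it.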