1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
|
curl and libcurl 7.64.0
Public curl releases: 179
Command line options: 220
curl_easy_setopt() options: 265
Public functions in libcurl: 80
Contributors: 1875
This release includes the following changes:
o cookies: leave secure cookies alone [3]
o hostip: support wildcard hosts [23]
o http: Implement trailing headers for chunked transfers [7]
o http: added options for allowing HTTP/0.9 responses [10]
o timeval: Use high resolution timestamps on Windows [19]
This release includes the following bugfixes:
o CVE-2018-16890: NTLM type-2 out-of-bounds buffer read [67]
o CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow [68]
o CVE-2019-3823: SMTP end-of-response out-of-bounds read [66]
o FAQ: remove mention of sourceforge for github [22]
o OS400: handle memory error in list conversion [4]
o OS400: upgrade ILE/RPG binding.
o README: add codacy code quality badge
o Revert http_negotiate: do not close connection [31]
o THANKS: added several missing names from year <= 2000
o build: make 'tidy' target work for metalink builds
o cmake: added checks for variadic macros [47]
o cmake: updated check for HAVE_POLL_FINE to match autotools [39]
o cmake: use lowercase for function name like the rest of the code [20]
o configure: detect xlclang separately from clang [41]
o configure: fix recv/send/select detection on Android [53]
o configure: rewrite --enable-code-coverage [61]
o conncache_unlock: avoid indirection by changing input argument type
o cookie: fix comment typo [44]
o cookies: allow secure override when done over HTTPS [34]
o cookies: extend domain checks to non psl builds [12]
o cookies: skip custom cookies when redirecting cross-site [36]
o curl --xattr: strip credentials from any URL that is stored [33]
o curl -J: refuse to append to the destination file [14]
o curl/urlapi.h: include "curl.h" first [30]
o curl_multi_remove_handle() don't block terminating c-ares requests [32]
o darwinssl: accept setting max-tls with default min-tls [6]
o disconnect: separate connections and easy handles better [18]
o disconnect: set conn->data for protocol disconnect
o docs/version.d: mention MultiSSL [26]
o docs: fix the --tls-max description [2]
o docs: use $(INSTALL_DATA) to install man page [64]
o docs: use meaningless port number in CURLOPT_LOCALPORT example [58]
o gopher: always include the entire gopher-path in request [5]
o http2: clear pause stream id if it gets closed [8]
o if2ip: remove unused function Curl_if_is_interface_name [9]
o libssh: do not let libssh create socket [63]
o libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh [62]
o libssh: free sftp_canonicalize_path() data correctly [17]
o libtest/stub_gssapi: use "real" snprintf [27]
o mbedtls: use VERIFYHOST [15]
o multi: multiplexing improvements [35]
o multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time [57]
o ntlm: fix NTMLv2 compliance [25]
o ntlm_sspi: add support for channel binding [54]
o openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated [46]
o openssl: fix the SSL_get_tlsext_status_ocsp_resp call [40]
o openvms: fix OpenSSL discovery on VAX [21]
o openvms: fix typos in documentation
o os400: add a missing closing bracket [50]
o os400: fix extra parameter syntax error [50]
o pingpong: change default response timeout to 120 seconds
o pingpong: ignore regular timeout in disconnect phase [16]
o printf: fix format specifiers [28]
o runtests.pl: Fix perl call to include srcdir [65]
o schannel: fix compiler warning [29]
o schannel: preserve original certificate path parameter [52]
o schannel: stop calling it "winssl" [56]
o sigpipe: if mbedTLS is used, ignore SIGPIPE [59]
o smb: fix incorrect path in request if connection reused [13]
o ssh: log the libssh2 error message when ssh session startup fails [55]
o test1558: verify CURLINFO_PROTOCOL on file:// transfer [51]
o test1561: improve test name
o test1653: make it survive torture tests
o tests: allow tests to pass by 2037-02-12 [38]
o tests: move objnames-* from lib into tests [42]
o timediff: fix math for unsigned time_t [37]
o timeval: Disable MSVC Analyzer GetTickCount warning [60]
o tool_cb_prg: avoid integer overflow [49]
o travis: added cmake build for osx [43]
o urlapi: Fix port parsing of eol colon [1]
o urlapi: distinguish possibly empty query [5]
o urlapi: fix parsing ipv6 with zone index [24]
o urldata: rename easy_conn to just conn [48]
o winbuild: conditionally use /DZLIB_WINAPI [45]
o wolfssl: fix memory-leak in threaded use [11]
o spnego_sspi: add support for channel binding [69]
This release includes the following known bugs:
o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)
This release would not have looked like this without help, code, reports and
advice from friends like these:
Alessandro Ghedini, Andrei Neculau, Archangel SDY, Ayoub Boudhar, Ben Kohler,
Bernhard M. Wiedemann, Brad Spencer, Brian Carpenter, Claes Jakobsson,
Daniel Gustafsson, Daniel Stenberg, David Garske, dnivras on github,
Eric Rosenquist, Etienne Simard, Felix Hädicke, Florian Pritz,
Frank Gevaerts, Giorgos Oikonomou, Gisle Vanem, GitYuanQu on github,
Haibo Huang, Harry Sintonen, Helge Klein, Huzaifa Sidhpurwala,
jasal82 on github, Jeremie Rapin, Jeroen Ooms, Joel Depooter, John Marshall,
jonrumsey on github, Julian Z, Kamil Dudka, Katsuhiko YOSHIDA, Kees Dekker,
Ladar Levison, Leonardo Taccari, Marcel Raad, Markus Moeller,
masbug on github, Matus Uzak, Michael Kujawa, Patrick Monnerat, Pavel Pavlov,
Peng Li, Ray Satiro, Rikard Falkeborn, Ruslan Baratov, Sergei Nikulov,
Shlomi Fish, Tobias Lindgren, Tom van der Woerdt, Viktor Szakats,
Wenxiang Qian, William A. Rowe Jr, Zhao Yisha,
(56 contributors)
Thanks! (and sorry if I forgot to mention someone)
References to bug reports and discussions on issues:
[1] = https://curl.haxx.se/bug/?i=3365
[2] = https://curl.haxx.se/bug/?i=3368
[3] = https://curl.haxx.se/bug/?i=2956
[4] = https://curl.haxx.se/bug/?i=3372
[5] = https://curl.haxx.se/bug/?i=3369
[6] = https://curl.haxx.se/bug/?i=3367
[7] = https://curl.haxx.se/bug/?i=3350
[8] = https://curl.haxx.se/bug/?i=3392
[9] = https://curl.haxx.se/bug/?i=3401
[10] = https://curl.haxx.se/bug/?i=2873
[11] = https://curl.haxx.se/bug/?i=3395
[12] = https://curl.haxx.se/bug/?i=2964
[13] = https://curl.haxx.se/bug/?i=3388
[14] = https://curl.haxx.se/bug/?i=3380
[15] = https://curl.haxx.se/bug/?i=3376
[16] = https://curl.haxx.se/bug/?i=3264
[17] = https://curl.haxx.se/bug/?i=3402
[18] = https://curl.haxx.se/bug/?i=3400
[19] = https://curl.haxx.se/bug/?i=3318
[20] = https://curl.haxx.se/bug/?i=3196
[21] = https://curl.haxx.se/bug/?i=3407
[22] = https://curl.haxx.se/bug/?i=3410
[23] = https://curl.haxx.se/bug/?i=3406
[24] = https://curl.haxx.se/bug/?i=3411
[25] = https://curl.haxx.se/bug/?i=3286
[26] = https://curl.haxx.se/bug/?i=3432
[27] = https://curl.haxx.se/mail/lib-2019-01/0000.html
[28] = https://curl.haxx.se/bug/?i=3426
[29] = https://curl.haxx.se/bug/?i=3435
[30] = https://curl.haxx.se/bug/?i=3438
[31] = https://curl.haxx.se/bug/?i=3384
[32] = https://curl.haxx.se/bug/?i=3371
[33] = https://curl.haxx.se/bug/?i=3423
[34] = https://curl.haxx.se/bug/?i=3445
[35] = https://curl.haxx.se/bug/?i=3436
[36] = https://curl.haxx.se/bug/?i=3417
[37] = https://curl.haxx.se/bug/?i=3449
[38] = https://curl.haxx.se/bug/?i=3443
[39] = https://curl.haxx.se/bug/?i=3292
[40] = https://curl.haxx.se/bug/?i=3477
[41] = https://curl.haxx.se/bug/?i=3474
[42] = https://curl.haxx.se/bug/?i=3470
[43] = https://curl.haxx.se/bug/?i=3468
[44] = https://curl.haxx.se/bug/?i=3469
[45] = https://curl.haxx.se/bug/?i=3133
[46] = https://curl.haxx.se/bug/?i=3462
[47] = https://curl.haxx.se/bug/?i=3459
[48] = https://curl.haxx.se/bug/?i=3442
[49] = https://curl.haxx.se/bug/?i=3456
[50] = https://curl.haxx.se/bug/?i=3453
[51] = https://curl.haxx.se/bug/?i=3447
[52] = https://curl.haxx.se/bug/?i=3480
[53] = https://curl.haxx.se/bug/?i=3484
[54] = https://curl.haxx.se/bug/?i=3280
[55] = https://curl.haxx.se/bug/?i=3481
[56] = https://curl.haxx.se/bug/?i=3504
[57] = https://curl.haxx.se/mail/lib-2019-01/0073.html
[58] = https://curl.haxx.se/bug/?i=3513
[59] = https://curl.haxx.se/bug/?i=3502
[60] = https://curl.haxx.se/bug/?i=3437
[61] = https://curl.haxx.se/bug/?i=3497
[62] = https://curl.haxx.se/bug/?i=3493
[63] = https://curl.haxx.se/bug/?i=3491
[64] = https://curl.haxx.se/bug/?i=3518
[65] = https://curl.haxx.se/bug/?i=3496
[66] = https://curl.haxx.se/docs/CVE-2019-3823.html
[67] = https://curl.haxx.se/docs/CVE-2018-16890.html
[68] = https://curl.haxx.se/docs/CVE-2019-3822.html
[69] = https://curl.haxx.se/bug/?i=3503
|
