| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: libcurl4 | Distribution: openSUSE Tumbleweed |
| Version: 8.11.0 | Vendor: openSUSE |
| Release: 1.1 | Build date: Wed Nov 6 09:43:16 2024 |
| Group: Unspecified | Build host: reproducible |
| Size: 721792 | Source RPM: curl-8.11.0-1.1.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://curl.se | |
| Summary: Library for transferring data from URLs | |
The cURL shared library for accessing data using different network protocols.
curl
* Wed Nov 06 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.11.0:
* Security fixes: [bsc#1232528, CVE-2024-9681]
- curl: HSTS subdomain overwrites parent cache entry
* Changes:
- curl: --create-dirs works for --dump-header as well
- gtls: Add P12 format support
- ipfs: add options to disable
- TLS: TLSv1.3 earlydata support for curl
- WebSockets: make support official (non-experimental)
* Bugfixes:
- build: clarify CA embed is for curl tool, mark default, improve summary
- build: show if CA bundle to embed was found
- build: tidy up and improve versioned-symbols options
- cmake/FindNGTCP2: use library path as hint for finding crypto module
- cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
- cmake: rename LDAP dependency config variables to match Find modules
- cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
- cmake: use OpenSSL for LDAP detection only if available
- curl: add build options for safe/no CA bundle search (Windows)
- curl: detect ECH support dynamically, not at build time
- curl_addrinfo: support operating systems with only getaddrinfo(3)
- ftp: fix 0-length last write on upload from stdin
- gnutls: use session cache for QUIC
- hsts: improve subdomain handling
- hsts: support "implied LWS" properly around max-age
- http2: auto reset stream on server eos
- json.md: cli-option '--json' is an alias of '--data-binary'
- lib: move curl_path.[ch] into vssh/
- lib: remove function pointer typecasts for hmac/sha256/md5
- libssh.c: handle EGAINS during proto-connect correctly
- libssh2: use the filename buffer when getting the homedir
- multi.c: warn/assert on stall only without timer
- negotiate: conditional check around GSS & SSL specific code
- netrc: cache the netrc file in memory
- ngtcp2: do not loop on recv
- ngtcp2: set max window size to 10x of initial (128KB)
- openssl quic: populate x509 store before handshake
- openssl: extend the OpenSSL error messages
- openssl: improve retries on shutdown
- quic: use send/recvmmsg when available
- schannel: fix TLS cert verification by IP SAN
- schannel: ignore error on recv beyond close notify
- select: use poll() if existing, avoid poll() with no sockets
- sendf: add condition to max-filesize check
- server/mqttd: fix two memory leaks
- setopt: return error for bad input to CURLOPT_RTSP_REQUEST
- setopt_cptr: make overflow check only done when needed
- tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED
- tool: support --show-headers AND --remote-header-name
- tool_operate: make --skip-existing work for --parallel
- url: connection reuse on h3 connections
- url: use same credentials on redirect
- urlapi: normalize the IPv6 address
- version: say quictls in MSH3 builds
- vquic: fix compiler warning with gcc + MUSL
- vquic: recv_mmsg, use fewer, but larger buffers
- vtls: convert Curl_pin_peer_pubkey to use dynbuf
- vtls: convert pubkey_pem_to_der to use dynbuf
* Rebase curl-secure-getenv.patch
* Tue Sep 24 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.10.1:
* Bugfixes:
- autotools: fix `--with-ca-embed` build rule
- cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
- cmake: fix MSH3 to appear on the feature list
- connect: store connection info when really done
- FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
- http2: when uploading data from stdin, fix eos forwarding
- http: make max-filesize check not count ignored bodies
- lib: fix AF_INET6 use outside of USE_IPV6
- multi: check that the multi handle is valid in curl_multi_assign
- QUIC: on connect, keep on trying on draining server
- request: correctly reset the eos_sent flag
- setopt: remove superfluous use of ternary expressions
- singleuse: drop `Curl_memrchr()` for no-HTTP builds
- tool_cb_wrt: use "curl_response" if no file name in URL
- transfer: fix sendrecv() without interim poll
- vtls: fix `Curl_ssl_conn_config_match` doc param
* Wed Sep 11 2024 Pedro Monreal <pmonreal@suse.com>
- Update to version 8.10.0:
* Security fixes:
- [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS
* Changes:
- curl: make --rate accept "number of units"
- curl: make --show-headers the same as --include
- curl: support --dump-header % to direct to stderr
- curl: support embedding a CA bundle and --dump-ca-embed
- curl: support repeated use of the verbose option; -vv etc
- curl: use libuv for parallel transfers with --test-event
- vtls: stop offering alpn http/1.1 for http2-prior-knowledge
* Bugfixes:
- curl: allow 500MB data URL encode strings
- curl: warn on unsupported SSL options
- Curl_rand_bytes to control env override
- curl_sha512_256: fix symbol collisions with nettle library
- dist: fix reproducible build from release tarball
- http2: fix GOAWAY message sent to server
- http2: improve rate limiting of downloads
- INSTALL.md: MultiSSL and QUIC are mutually exclusive
- lib: add eos flag to send methods
- lib: make SSPI global symbols use Curl_ prefix
- lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name
- lib: remove the final strncpy() calls
- lib: remove use of RANDOM_FILE
- Makefile.mk: fixup enabling libidn2
- max-filesize.md: mention zero disables the limit
- mime: avoid inifite loop in client reader
- ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
- openssl quic: fix memory leak
- openssl: certinfo errors now fail correctly
- openssl: fix the data race when sharing an SSL session between threads
- openssl: improve shutdown handling
- POP3: fix multi-line responses
- pop3: use the protocol handler ->write_resp
- progress: ratelimit/progress tweaks
- rand: only provide weak random when needed
- sectransp: fix setting tls version
- setopt: make CURLOPT_TFTP_BLKSIZE accept bad values
- sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL
- sigpipe: init the struct so that first apply ignores
- smb: convert superflous assign into assert
- smtp: add tracing feature
- spnego_gssapi: implement TLS channel bindings for openssl
- src: delete `curlx_m*printf()` aliases
- ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)
- tool_operhlp: fix "potentially uninitialized local variable 'pc' used"
- tool_paramhlp: bump maximum post data size in memory to 16GB
- transfer: skip EOS read when download done
- url: fix connection reuse for HTTP/2 upgrades
- urlapi: verify URL *decoded* hostname when set
- urldata: introduce `data->mid`, a unique identifier inside a multi
- vtls: add SSLSUPP_CIPHER_LIST
- vtls: fix static function name collisions between TLS backends
- vtls: init ssl peer only once
- websocket: introduce blocking sends
- ws: flags to opcodes should ignore CURLWS_CONT flag
- x509asn1: raise size limit for x509 certification information
* Remove curl-sigpipe.patch upstream
* Rebase curl-secure-getenv.patch
* Mon Aug 12 2024 Pedro Monreal <pmonreal@suse.com>
- Fix regression introduced in version 8.9.1:
* sigpipe: init the struct so that first apply ignores
* Add curl-sigpipe.patch
* Wed Jul 31 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.9.1:
* Security fixes:
- curl: ASN.1 date parser overread [bsc#1228535, CVE-2024-7264]
* Bugfixes:
- cmake: detect 'libssh' via 'pkg-config'
- cmake: detect 'nettle' when building with GnuTLS
- connect: fix connection shutdown for event based processing
- curl: more defensive socket code for --ip-tos
- CURLOPT_SSL_CTX_FUNCTION.md: mention CA caching
- CURLSHOPT_SHARE.md: mention sessions/cookies as not thread-safe
- ftpserver.pl: make POP3 LIST serve content from the test file
- lib: survive some NULL input args
- os400: build cli manual.
- os400: workaround an IBM ASCII run-time library bug
- transfer: speed limiting fix for 32bit systems
- vtls: avoid forward declaration in MultiSSL builds
- x509asn1: unittests and fixes for gtime2str
* Wed Jul 24 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.9.0:
* Security fixes:
- [bsc#1227888, CVE-2024-6197] curl: freeing stack buffer
in utf8asn1str
- [bsc#1228260, CVE-2024-6874] idn: tweak buffer use when
converting with macidn
* Changes:
- curl: add --ip-tos (IP Type of Service / Traffic Class)
- curl: add --mptcp
- curl: add --vlan-priority
- curl: add -w '%{num_retries}
- gnutls: support CA caching
- mbedtls: support CURLOPT_CERTINFO
- noproxy: patterns need to be comma separated
- socket: support binding to interface *AND* IP
- tcpkeepalive: add CURLOPT_TCP_KEEPCNT and --keepalive-cnt
- urlapi: add CURLU_NO_GUESS_SCHEME
- wolfssl: support CA caching
* Bugfixes:
- connection: shutdown TLS (for FTP) better
- curl-config: revert to backticks to support old target envs
- curl: allow etag and content-disposition for 3xx reply
- curl: bsearch the --write-out variable name
- curl: check for --disable case *sensitively*
- doh: fix leak and zero-length HTTPS RR crash
- file: separate fake headers and body with a stand-alone CRLF
- ftp: remove redundant null pointer check in loop condition
- gnutls: improve TLS shutdown
- gnutls: pass in SNI name, not hostname when checking cert
- hostip: skip error check for infallible function call
- http/3: add shutdown support
- http/3: resume upload on ack if we have more data to send
- lib: add a few DEBUGASSERT(data) to aid code analyzers
- lib: add failure reason on bind errors
- lib: graceful connection shutdown
- lib: xfer_setup and non-blocking shutdown
- multi: add multi->proto_hash, a key-value store for protocol data
- multi: do a final progress update on connect failure
- multi: fix multi_wait() timeout handling
- multi: fix pollset during RESOLVING phase
- ngtcp2+quictls: fix cert-status use
- noproxy: test bad ipv6 net size first
- openssl/gnutls: rectify the TLS version checks for QUIC
- openssl: fix hostname handling when using ECH
- openssl: stop duplicate ssl key logging for legacy OpenSSL
- quic: enable UDP GRO
- quic: openssl quic, cmake and doc version update to 3.3.0
- quic: require at least OpenSSL 3.3 for QUIC
- quic: update to quiche 0.22.0
- smtp: for starttls, do full upgrade
- tool_operate: avoid explicitly setting verifypeer to 1
- tool_writeout: get certinfo only when needing it
- transfer: avoid polling socket every transfer loop
- transfer: conn close on paused upload
- transfer: do not use EXPIRE_NOW while blocked
- transfer: remove curl_upload_refill_watermark, no longer used
- transfer: set CSELECT_IN if there is data pending
- url: allow DoH transfers to override max connection limit
- x509asn1: add some common ECDSA OIDs
- x509asn1: ASN1tostr() should fail when 'constructed' is set
- x509asn1: fallback to dotted OID representation
- x509asn1: prevent NULL dereference
- x509asn1: remove superfluous free()
- x509asn1: remove two static variables
* Rebase libcurl-ocloexec.patch
* Remove curl-make-install-curl-config.patch upstream
* Thu Jun 20 2024 Dirk Müller <dmueller@suse.com>
- add multibuild for minimal libcurl flavored build (useful for
container environments)
* Thu Jun 20 2024 Dirk Müller <dmueller@suse.com>
- split zsh and fish completion into subpackages to have
proper supplements
* Mon Jun 17 2024 Dirk Müller <dmueller@suse.com>
- remove mozilla-nss code (unsupported since 8.3.0)
* Fri May 24 2024 Pedro Monreal <pmonreal@suse.com>
- Fix make install for curl-config.1
* docs/Makefile.am: make curl-config.1 install
* Fixed upstream in: github.com/curl/curl/pull/13741
* Add curl-make-install-curl-config.patch
* Wed May 22 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.8.0:
* Changes:
- curl_version_info: provide librtmp version
- file: add support for directory listings
- lib: add curl_multi_waitfds
- NTLM_WB: drop support
- TLS: add support for ECH (Encrypted Client Hello)
- urlapi: add CURLU_GET_EMPTY for empty queries and fragments
* Bugfixes:
- build: prefer "USE_IPV6" macro internally (was: "ENABLE_IPV6")
- cd2nroff/manage: use UTC when SOURCE_DATE_EPOCH is set
- cf-socket: don't try getting local IP without socket
- cf-socket: remove references to l_ip, l_port
- configure: make --disable-docs imply --disable-manual
- curl.h: change CURL_SSLVERSION_* from enum to defines
- curl_path: make Curl_get_pathname use dynbuf
- curl_sha512_256: do not use workaround for NetBSD when not needed
- curl_sha512_256: fix detection of OpenSSL 1.1.1 or later
- curl_url_get.md: clarify queries and fragments and CURLU_GET_EMPTY
- DEPRECATE.md: TLS libraries without 1.3 support
- digest: replace strcpy for empty string with simple assignment
- doc: pytest "--repeat" -> "--count"
- docs/cmdline-opts: mention STARTTLS for --ssl and --ssl-reqd
- dynbuf: fix returncode on memory error
- ftp: add tracing support
- ftp: fix socket leak on rare error
- gnutls: lazy init the trust settings
- hsts: explicitly skip blank lines
- http2 + ngtcp2: pass CURLcode errors from callbacks
- http2, http3: decouple stream state from easy handle
- http2: emit RST when client write fails
- http: HEAD response body tolerance
- http: reject HTTP major version switch mid connection
- http: with chunked POST forced, disable length check on read callback
- idn: make Curl_idnconvert_hostname() use Curl_idn_decode()
- if2ip: make the buf_size arg a size_t
- krb5: use dynbuf
- lib/cf-h1-proxy: silence compiler warnings (gcc 14)
- lib: add trace support for client reads and writes
- lib: bump hash sizes to "size_t"
- lib: clear the easy handle's saved errno before transfer
- lib: make protocol handlers store scheme name lowercase
- lib: merge "ENABLE_QUIC" C macro into "USE_HTTP3"
- libssh2: set length to 0 if strdup failed
- openssl: do not set SSL_MODE_RELEASE_BUFFERS
- openssl: revert keylog_callback support for LibreSSL
- OS400: fix shellcheck warnings in scripts
- quiche: expire all active transfers on connection close
- quiche: trust its timeout handling
- tls: use shared init code for TCP+QUIC
- tool_cfgable: free {proxy_}cipher13_list on exit
- url: do not URL decode proxy crendentials
- url: fix use of an uninitialized variable
- url: make parse_login_details use memdup0
- urlapi: allow setting port number zero
- version: use msnprintf instead of strncpy
- vtls: TLS session storage overhaul
- wakeup_create: use FD_CLOEXEC/SOCK_CLOEXEC
- websocket: avoid memory leak in error path
* Wed May 22 2024 Dominique Leuenberger <dimstar@opensuse.org>
- Add split-provides for libcurl-devel -> libcurl-devel-doc.
* Mon May 20 2024 Jan Engelhardt <jengelh@inai.de>
- Spin documentation off to libcurl-devel-doc, this saves buildroots
495 files and time (mandb is run in %posttrans).
* Wed Mar 27 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.7.1:
* Fixed empty tool_hugehelp.c file
- Update to 8.7.0:
* Security fixes:
- [bsc#1221665, CVE-2024-2004] Usage of disabled protocol
- [bsc#1221667, CVE-2024-2398] HTTP/2 push headers memory-leak
- [bsc#1221666, CVE-2024-2379] QUIC certificate check bypass with wolfSSL
- [bsc#1221668, CVE-2024-2466] TLS certificate check bypass with mbedTLS
* Changes:
- configure: add --disable-docs flag
- CURLINFO_USED_PROXY: return bool whether the proxy was used
- digest: support SHA-512/256
* Bugfixes:
- asyn-thread: use wakeup_close to close the read descriptor
- bufq: writing into a softlimit queue cannot be partial
- cmake: add USE_OPENSSL_QUIC support
- cookie: if psl fails, reject the cookie
- curl: exit on config file parser errors
- digest: add check for hashing error
- docs/libcurl: add TLS backend info for all TLS options
- file: use xfer buf for file:// transfers
- ftp: do lineend conversions in client writer
- ftp: fix socket wait activity in ftp_domore_getsock
- http2: memory errors in the push callbacks are fatal
- http2: push headers better cleanup
- libssh/libssh2: return error on too big range
- OpenSSL QUIC: adapt to v3.3.x
- setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value
- setopt: fix disabling all protocols
- sha512_256: add support for GnuTLS and OpenSSL
- smtp: fix STARTTLS
- strtoofft: fix the overflow check
- TIMER_STARTTRANSFER: set the same for everyone
- TLS: start shutdown only when peer did not already close
- tool_getparam: accept a blank -w ""
- tool_getparam: handle non-existing (out of range) short-options
- tool_operate: change precedence of server Retry-After time
- transfer.c: break receive loop in speed limited transfers
- version: allow building with ancient libpsl
- vquic-tls: fix the error code returned for bad CA file
- vtls: fix tls proxy peer verification
- vtls: revert "receive max buffer" + add test case
- VULN-DISCLOSURE-POLICY.md: update detail about CVE requests
- websocket: fix curl_ws_recv()
* Remove patch upstream:
- 0001-vtls-revert-receive-max-buffer-add-test-case.patch
* Tue Mar 12 2024 Pedro Monreal <pmonreal@suse.com>
- Remove the nghttp2 version requirement as a version guard around
the nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
function was added in curl 8.0.1.
* Upstream commit: https://github.com/curl/curl/commit/744dcf22
* Thu Feb 08 2024 Fabian Vogt <fvogt@suse.com>
- Add patch to fix various TLS related issues including FTP over SSL
transmission timeouts:
* 0001-vtls-revert-receive-max-buffer-add-test-case.patch
- Switch to %autosetup
* Wed Jan 31 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.6.0: [bsc#1219149, CVE-2024-0853]
* Security fixes:
- CVE-2024-0853: OCSP verification bypass with TLS session reuse
* Changes:
- add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T
* Bugfixes:
- altsvc: free 'as' when returning error
- asyn-ares: with modern c-ares, use its default timeout
- cf-socket: show errno in tcpkeepalive error messages
- cmdline-opts: update availability for the *-ca-native options
- configure: when enabling QUIC, check that TLS supports QUIC
- content_encoding: change return code to typedef'ed enum
- curl: show ipfs and ipns as supported "protocols"
- CURLINFO_REFERER.3: clarify that it is the *request* header
- dist: add tests/errorcodes.pl to the tarball
- gen.pl: support ## for doing .IP in table-like lists
- GHA: bump ngtcp2, gnutls, mod_h2, quiche
- hostip: return error immediately when Curl_ip2addr() fails
- http3/quiche: fix result code on a stream reset
- http3: initial support for OpenSSL 3.2 QUIC stack
- http: check for "Host:" case insensitively
- http: fix off-by-one error in request method length check
- http: only act on 101 responses when they are HTTP/1.1
- lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
- lib: error out on multissl + http3
- lib: fix variable undeclared error caused by `infof` changes
- lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
- lib: strndup/memdup instead of malloc, memcpy and null-terminate
- libssh2: use `libssh2_session_callback_set2()` with v1.11.1
- ngtcp2: put h3 at the front of alpn
- openldap: fix an LDAP crash
- openldap: fix STARTTLS
- openssl: re-match LibreSSL deinit with init
- rtsp: deal with borked server responses
- sasl: make login option string override http auth
- tool: prepend output_dir in header callback
- tool_getparam: stop supporting `@filename` style for --cookie
- transfer: fix upload rate limiting, add test cases
- url: don't set default CA paths for Secure Transport backend
- url: for disabled protocols, mention if found in redirect
- vquic: extract TLS setup into own source
- websockets: check for negative payload lengths
* Remove patches fixed upstream:
- curl-adjust-pollset-fix.patch
- curl-tests-errorcodes.patch
* Rebase dont-mess-with-rpmoptflags.patch
* Fri Jan 05 2024 Michael Pujos <pujos.michael@gmail.com>
- Added curl-adjust-pollset-fix.patch to fix broken MPD http streaming:
https://github.com/curl/curl/issues/12632
* Wed Dec 06 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.5.0:
* Security fixes:
- [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
- [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents
* Changes:
- gnutls: support CURLSSLOPT_NATIVE_CA
- HTTP3: ngtcp2 builds are no longer experimental
* Bugfixes:
- asyn-thread: use pipe instead of socketpair for IPC when available
- cmake: fix OpenSSL quic detection in quiche builds
- conncache: use the closure handle when disconnecting surplus connections
- content_encoding: make Curl_all_content_encodings allocless
- cookie: lowercase the domain names before PSL checks
- Curl_http_body: cleanup properly when Curl_getformdata errors
- CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
- doh: provide better return code for responses w/o addresses
- doh: use PIPEWAIT when HTTP/2 is attempted
- duphandle: also free 'outcurl->cookies' in error path
- duphandle: make dupset() not return with pointers to old alloced data
- duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
- easy: in duphandle, init the cookies for the new handle
- easy_lock: add a pthread_mutex_t fallback
- fopen: create new file using old file's mode
- fopen: create short(er) temporary file name
- getenv: PlayStation doesn't have getenv()
- hostip: show the list of IPs when resolving is done
- hsts: skip single-dot hostname
- HTTP/2, HTTP/3: handle detach of onoing transfers
- http: allow longer HTTP/2 request method names
- hyper: temporarily remove HTTP/2 support
- IPFS: fix IPFS_PATH and file parsing
- multi: during ratelimit multi_getsock should return no sockets
- multi: use pipe instead of socketpair to *wakeup()
- ngtcp2: fix races in stream handling
- ntlm_wb: use pipe instead of socketpair when possible
- openssl: avoid BN_num_bits() NULL pointer derefs
- openssl: fix building with v3 `no-deprecated` + add CI test
- openssl: fix infof() to avoid compiler warning for %s with null
- openssl: identify the "quictls" backend correctly
- openssl: include SIG and KEM algorithms in verbose
- openssl: two multi pointer checks should probably rather be asserts
- openssl: when a session-ID is reused, skip OCSP stapling
- quic: make eyeballers connect retries stop at weird replies
- quic: manage connection idle timeouts
- setopt: check CURLOPT_TFTP_BLKSIZE range on set
- socks: better buffer size checks for socks4a user and hostname
- socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
- tool: fix --capath when proxy support is disabled
- tool_getparam: limit --rate to be smaller than number of ms
- transfer: abort pause send when connection is marked for closing
- transfer: avoid calling the read callback again after EOF
- transfer: only reset the FTP wildcard engine in CLEAR state
- url: don't touch the multi handle when closing internal handles
- urlapi: avoid null deref if setting blank host to url encode
- urlapi: skip appending NULL pointer query
- urlapi: when URL encoding the fragment, pass in the right length
- vtls: cleanup SSL config management
- vtls: consistently use typedef names for OpenSSL structs
- vtls: late clone of connection ssl config
- vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
* Rebase curl-secure-getenv.patch
* Add curl-tests-errorcodes.patch
* Wed Oct 11 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.4.0:
* Security fixes:
- SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545]
- cookie injection with none file [bsc#1215889, CVE-2023-38546]
* Changes:
- curl: add support for the IPFS protocols via HTTP gateway
- curl_multi_get_handles: get easy handles from a multi handle
- mingw: delete support for legacy mingw.org toolchain
* Bugfixes:
- base64: also build for curl
- cf-socket: simulate slow/blocked receives in debug
- configure: check for the capath by default
- connect: expire the timeout when trying next
- connect: only start the happy eyeballs timer when needed
- cookie: do not store the expire or max-age strings
- cookie: remove unnecessary struct fields
- cookie: set ->running in cookie_init even if data is NULL
- create-dirs.d: clarify it also uses --output-dirs
- http2: refused stream handling for retry
- http: h1/h2 proxy unification
- http: use per-request counter to check too large headers
- idn: if idn2_check_version returns NULL, return error
- lib: enable hmac for digest as well
- lib: let the max filesize option stop too big transfers too
- lib: move handling of 'data->req.writer_stack' into Curl_client_write()
- lib: provide and use Curl_hexencode
- lib: use wrapper for curl_mime_data fseek callback
- libssh2: fix error message on failed pubkey-from-file
- libssh: cap SFTP packet size sent
- MQTT: improve receive of ACKs
- multi: do CURLM_CALL_MULTI_PERFORM at two more places
- multi: round the timeout up to prevent early wakeups
- openssl: improve ssl shutdown handling
- openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR
- pytest: exclude test_03_goaway in CI runs due to timing dependency
- quic: set ciphers/curves the same way regular TLS does
- quiche: fix build error with --with-ca-fallback
- socks: return error if hostname too long for remote resolve
- tftpd: always use curl's own tftp.h
- tool_getparam: accept variable expansion on file names too
- upload-file.d: describe the file name slash/backslash handling
- url: fall back to http/https proxy env-variable if ws/wss not set
- url: fix netrc info message
- wolfssh: do cleanup in Curl_ssh_cleanup
- wolfssl: allow capath with CURLOPT_CAINFO_BLOB
- wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files
- wolfssl: ignore errors in CA path
* Rebase libcurl-ocloexec.patch
* Wed Sep 13 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.3.0: [bsc#1215026, CVE-2023-38039]
* Changes:
- curl: make %output{} in -w specify a file to write to
- gskit: remove
- lib: --disable-bindlocal builds curl without local binding support
- nss: remove support for this TLS library
- tool: add "variable" support
- trace: make tracing available in non-debug builds
- url: change default value for CURLOPT_MAXREDIRS to 30
- urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
* Bugfixes:
- altsvc: accept and parse IPv6 addresses in response headers
- asyn-ares: reduce timeout to 2000ms
- aws-sigv4: canonicalize the query
- aws-sigv4: fix having date header twice in some cases
- aws-sigv4: handle no-value user header entries
- c-hyper: adjust the hyper to curlcode conversion
- c-hyper: fix memory leaks in `Curl_http`
- cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
- cf-socket: log successful interface bind
- cmake: add GnuTLS option
- cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
- cmake: detect `SSL_set0_wbio` in OpenSSL
- configure: trust pkg-config when it's used for zlib
- configure: use the pkg-config --libs-only-l flag for libssh2
- connect: stop halving the remaining timeout when less than 600 ms left
- crypto: ensure crypto initialization works
- digest: Use hostname to generate spn instead of realm
- ftp: fix temp write of ipv6 address
- headers: accept leading whitespaces on first response header
- http2: fix in h2 proxy tunnel: progress in ingress on sending
- http3/ngtcp2: shorten handshake, trace cleanup
- http3: quiche, handshake optimization, trace cleanup
- http: close the connection after a late 417 is received
- http: fix sending of large requests
- http: return error when receiving too large header set
- lib: fix null ptr derefs and uninitialized vars (h2/h3)
- lib: move mimepost data from ->req.p.http to ->state
- list-only.d: mention SFTP as supported protocol
- ngtcp2: fix handling of large requests
- openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
- openssl: clear error queue after SSL_shutdown
- openssl: make aws-lc version support OCSP
- openssl: Support async cert verify callback
- openssl: switch to modern init for LibreSSL 2.7.0+
- openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
- quic: don't set SNI if hostname is an IP address
- quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
- quiche: enable quiche to handle timeout events
- resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
- schannel: verify hostname independent of verify cert
- tool_filetime: make -z work with file dates before 1970
- tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR
- tool_operate: make aws-sigv4 not require TLS to be used
- transfer: also stop the sending on closed connection
- urlapi: fix heap buffer overflow
- urlapi: setting a blank URL ("") is not an ok URL
* Fri Jul 28 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.2.1:
* Bugfixes:
- cfilters: rename close/connect functions to avoid clashes
- ciphers.d: put URL in first column
- cmake: add 'libcurlu'/'libcurltool' for unit tests
- cmake: update ngtcp2 detection
- configure: check for nghttp2_session_get_stream_local_window_size
- docs: mark two TLS options for TLS, not SSL
- docs: provide more see also for cipher options
- hostip: return IPv6 first for localhost resolves
- http2: fix regression on upload EOF handling
- http: VLH, very large header test and fixes
- libcurl-errors.3: add CURLUE_OK
- os400: correct EXPECTED_STRING_LASTZEROTERMINATED
- quiche: fix lookup of transfer at multi
- quiche: fix segfault and other things
- rustls: update rustls-ffi 0.10.0
- socks: print ipv6 address within brackets
- src/mkhelp: strip off escape sequences
- tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
- transfer: do not clear the credentials on redirect to absolute URL
- unittest: remove unneeded *_LDADD
- websocket: rename arguments/variables to match docs
* Wed Jul 19 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.2.0 [bsc#1213237, CVE-2023-32001]
* Security fix:
- CVE-2023-32001: fopen race condition
* Changes:
- curl: add --ca-native and --proxy-ca-native
- curl: add --trace-ids
- CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS
- haproxy: add --haproxy-clientip flag to set client IPs
- lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID
* Bugfixes:
- cf-socket: don't bypass fclosesocket callback if cancelled before connect
- cf-socket: skip getpeername()/getsockname for TFTP
- curl: count uploaded data to stop at the originally given size
- curl: return error when asked to use an unsupported HTTP version
- http2: fix crash in handling stream weights
- http2: send HEADER & DATA together if possible
- http3/ngtcp2: upload EAGAIN handling
- http: rectify the outgoing Cookie: header field size check
- hyper: fix EOF handling on input
- imap: Provide method to disable SASL if it is advertised
- libssh2: provide error message when setting host key type fails
- libssh2: use custom memory functions
- ngtcp2: assigning timeout, but value is overwritten before used
- quiche: avoid NULL deref in debug logging
- sectransp: fix EOF handling
- system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles
- timeval: use CLOCK_MONOTONIC_RAW if available
- tls13-ciphers.d: include Schannel
- tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION`
- tool_operate: allow cookie lines up to 8200 bytes
- tool_parsecfg: accept line lengths up to 10M
- tool_writeout_json: fix encoding of control characters
- transfer: clear credentials when redirecting to absolute URL
- urlapi: have *set(PATH) prepend a slash if one is missing
- urlapi: scheme must start with alpha
- vtls: avoid memory leak if sha256 call fails
- websocket-cb: example doing WebSocket download using callback
- ws: make the curl_ws_meta() return pointer a const
* Tue May 30 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.1.2:
* Bugfixes:
- configure: quote the assignments for run-compiler
- configure: without pkg-config and no custom path, use -lnghttp2
- curl: cache the --trace-time value for a second
- http2: fix EOF handling on uploads with auth negotiation
- http3: send EOF indicator early as possible
- lib1560: verify more scheme guessing
- lib: remove unused functions, make single-use static
- libcurl.m4: remove trailing 'dnl' that causes this to break autoconf
- libssh: when keyboard-interactive auth fails, try password
- misc: fix spelling mistakes
- page-header: mention curl version and how to figure out current release
- page-header: minor wording polish in the URL segment
- scripts/singleuse.pl: add more API calls
- urlapi: remove superfluous host name check
* Tue May 23 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.1.1:
* Bugfixes:
- cf-socket: completely remove the disabled
USE_RECV_BEFORE_SEND_WORKAROUND
- checksrc: disallow spaces before labels
- curl_easy_getinfo: clarify on return data types
- docs: document that curl_url_cleanup(NULL) is a safe no-op
- hostip: move easy_lock.h include above curl_memory.h
- http2: double http request parser max line length
- http2: increase stream window size to 10 MB
- lib: rename struct 'http_req' to 'httpreq'
- ngtcp2: proper handling of uint64_t when adjusting send buffer
- sectransp.c: make the code c89 compatible
- select: avoid returning an error on EINTR from select() or poll()
- url: provide better error message when URLs fail to parse
- urlapi: allow numerical parts in the host name
* Wed May 17 2023 David Anes <david.anes@suse.com>
- Update to 8.1.0:
* Security fixes:
- UAF in SSH sha256 fingerprint [bsc#1211230, CVE-2023-28319]
- siglongjmp race condition [bsc#1211231, CVE-2023-28320]
- IDN wildcard match [bsc#1211232, CVE-2023-28321]
- POST-after-PUT confusion [bsc#1211233, CVE-2023-28322]
- See also: https://curl.se/docs/security.html
* Changes:
- curl: add --proxy-http2
- CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
- hostip: refuse to resolve the .onion TLD
- tool_writeout: add URL component variables
* Bugfixes:
- See full changelog here: https://curl.se/changes.html#8_1_0
* Tue Mar 21 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.0.1:
* Bugfixes:
- fix crash in curl_easy_cleanup
* Mon Mar 20 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.0.0:
* Security fixes:
- TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
- SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
- FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
- GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
- HSTS double-free [bsc#1209213, CVE-2023-27537]
- SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
* Changes:
- build: remove support for curl_off_t < 8 bytes
* Bugfixes:
- aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
- BINDINGS: add Fortran binding
- cf-socket: use port 80 when resolving name for local bind
- cookie: don't load cookies again when flushing
- curl_path: create the new path with dynbuf
- CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
- DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
- ftp: active mode with SSL, add the filter
- hostip: avoid sscanf and extra buffer copies
- http2: fix for http2-prior-knowledge when reusing connections
- http2: fix handling of RST and GOAWAY to recognize partial transfers
- http: don't send 100-continue for short PUT requests
- http: fix unix domain socket use in https connects
- libssh: use dynbuf instead of realloc
- ngtcp2-gnutls.yml: bump to gnutls 3.8.0
- sectransp: make read_cert() use a dynbuf when loading
- telnet: only accept option arguments in ascii
- telnet: parse telnet options without sscanf
- url: fix the SSH connection reuse check
- url: only reuse connections with same GSS delegation
- urlapi: '%' is illegal in host names
- ws: keep the socket non-blocking
* Rebase libcurl-ocloexec.patch
* Mon Feb 20 2023 Guillaume GARDET <guillaume.gardet@opensuse.org>
- Update to 7.88.1:
* Bugfix release
- Drop upstreamed patch:
* curl-fix-uninitialized-value-in-tests.patch
* Wed Feb 15 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
[bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
* Security fixes:
- CVE-2023-23914: HSTS ignored on multiple requests
- CVE-2023-23915: HSTS amnesia with --parallel
- CVE-2023-23916: HTTP multi-header compression denial of service
* Changes:
- curl.h: add CURL_HTTP_VERSION_3ONLY
- share: add sharing of HSTS cache among handles
- src: add --http3-only
- tool_operate: share HSTS between handles
- urlapi: add CURLU_PUNYCODE
- writeout: add %{certs} and %{num_certs}
* Bugfixes:
- cf-socket: keep sockaddr local in the socket filters
- cfilters:Curl_conn_get_select_socks: use the first non-connected filter
- curl.h: allow up to 10M buffer size
- curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
- curl/websockets.h: extend the websocket frame struct
- curl: output warning at --verbose output for debug-enabled version
- curl_free.3: fix return type of `curl_free`
- curl_log: for failf/infof and debug logging implementations
- dict: URL decode the entire path always
- docs/DEPRECATE.md: deprecate gskit
- easyoptions: fix header printing in generation script
- haxproxy: send before TLS handhshake
- hsts.d: explain hsts more
- hsts: handle adding the same host name again
- HTTP/[23]: continue upload when state.drain is set
- http: decode transfer encoding first
- http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
- http_proxy: do not assign data->req.p.http use local copy
- lib: connect/h2/h3 refactor
- libssh2: try sha2 algos for hostkey methods
- md4: fix build with GnuTLS + OpenSSL v1
- ngtcp2: replace removed define and stop using removed function
- noproxy: support for space-separated names is deprecated
- nss: implement data_pending method
- openldap: fix missing sasl symbols at build in specific configs
- openssl: adapt to boringssl's error code type
- openssl: don't ignore CA paths when using Windows CA store (redux)
- openssl: don't log raw record headers
- openssl: make the BIO_METHOD a local variable in the connection filter
- openssl: only use CA_BLOB if verifying peer
- openssl: remove attached easy handles from SSL instances
- openssl: store the CA after first send (ClientHello)
- setopt: use >, not >=, when checking if uarg is larger than uint-max
- smb: return error on upload without size
- socketpair: allow localhost MITM sniffers
- strdup: name it Curl_strdup
- tool_getparam: fix hiding of command line secrets
- tool_operate: fix error codes on bad URL & OOM
- tool_operate: repair --rate
- transfer: break the read loop when RECV is cleared
- typecheck: accept expressions for option/info parameters
- urlapi: avoid Curl_dyn_addf() for hex outputs
- urlapi: skip path checks if path is just "/"
- urlapi: skip the extra dedotdot alloc if no dot in path
- urldata: cease storing TLS auth type
- urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
- urldata: make set.http200aliases conditional on HTTP being present
- urldata: move the cookefilelist to the 'set' struct
- urldata: remove unused struct fields, made more conditional
- vquic: stabilization and improvements
- vtls: fix hostname handling in filters
- vtls: manage current easy handle in nested cfilter calls
- vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
* Rebase libcurl-ocloexec.patch
* Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
- runtests: fix "uninitialized value $port"
- Add curl-fix-uninitialized-value-in-tests.patch
* Wed Dec 21 2022 David Anes <david.anes@suse.com>
- Update to 7.87.0:
* Security fixes:
- CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
- CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
* Changes
- curl: add --url-query
- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
- lib: add CURL_WRITEFUNC_ERROR to signal write callback error
- openssl: reduce CA certificate bundle reparsing by caching
- version: add a feature names array to curl_version_info_data
* Bugfixes
- altsvc: fix rejection of negative port numbers
- aws_sigv4: consult x-%s-content-sha256 for payload hash
- aws_sigv4: fix typos in aws_sigv4.c
- base64: better alloc size
- base64: encode without using snprintf
- base64: faster base64 decoding
- build: assume assert.h is always available
- build: assume errno.h is always available
- c-hyper: CONNECT respones are not server responses
- c-hyper: fix multi-request mechanism
- CI: Change FreeBSD image from 12.3 to 12.4
- CI: LGTM.com will be shut down in December 2022
- ci: Remove zuul fuzzing job as it's superseded by CIFuzz
- cmake: check for cross-compile, not for toolchain
- CMake: fix build with `CURL_USE_GSSAPI`
- cmake: really enable warnings with clang
- cmake: set the soname on the shared library
- cmdline-opts/gen.pl: fix the linkifier
- cmdline-opts/page-footer: remove long option nroff formatting
- config-mac: define HAVE_SYS_IOCTL_H
- config-mac: fix typo: size_T -> size_t
- config-mac: remove HAVE_SYS_SELECT_H
- config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
- configure: require fork for NTLM-WB
- contributors.sh: actually use $CURLWWW instead of just setting it
- cookie: compare cookie prefixes case insensitively
- cookie: expire cookies at once when max-age is negative
- cookie: open cookie jar as a binary file
- curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
- curl-rustls.m4: on macOS, rustls also needs the Security framework
- curl.h: include <sys/select.h> on SerenityOS
- curl.h: name all public function parameters
- curl.h: reword comment to not use deprecated option
- curl: override the numeric locale and set "C" by force
- curl: timeout in the read callback
- curl_endian: remove Curl_write64_le from header
- curl_get_line: allow last line without newline char
- curl_path: do not add '/' if homedir ends with one
- curl_url_get.3: remove spurious backtick
- curl_url_set.3: document CURLU_DISALLOW_USER
- curl_url_set.3: fix typo
- CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
- CURLOPT_COOKIEFILE.3: advice => advise
- CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
- CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
- CURLOPT_POST.3: Explain setting to 0 changes request type
- docs/curl_ws_send: Fixed typo in websocket docs
- docs/EARLY-RELEASE.md: how to determine an early release
- docs/examples: spell correction ('Retrieve')
- docs/INSTALL.md: expand on static builds
- docs/WEBSOCKET.md: explain the URL use
- docs: add missing parameters for --retry flag
- docs: add more "SEE ALSO" links to CA related pages
- docs: explain the noproxy CIDR notation support
- docs: extend the dump-header documentation
- docs: remove performance note in CURLOPT_SSL_VERIFYPEER
- examples/10-at-a-time: fix possible skipped final transfers
- examples: update descriptions
- ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
- gen.pl: do not generate CURLHELP bitmask lines > 79 characters
- GHA: clarify workflows permissions, set least possible privilege
- GHA: NSS use clang instead of clang-9
- gnutls: use common gnutls init and verify code for ngtcp2
- headers: add endif comments
- HTTP-COOKIES.md: mention that http://localhost is a secure context
- HTTP-COOKIES.md: update the 6265bis link to draft-11
- http: do not send PROXY more than once
- http: fix the ::1 comparison for IPv6 localhost for cookies
- http: set 'this_is_a_follow' in the Location: logic
- http: use the IDN decoded name in HSTS checks
- hyper: classify headers as CONNECT and 1XX
- hyper: fix handling of hyper_task's when reusing the same address
- idn: remove Curl_win32_ascii_to_idn
- INSTALL: update operating systems and CPU archs
- KNOWN_BUGS: remove eight entries
- lib1560: add some basic IDN host name tests
- lib: connection filters (cfilter) addition to curl:
- lib: feature deprecation warnings in gcc >= 4.3
- lib: fix some type mismatches and remove unneeded typecasts
- lib: parse numbers with fixed known base 10
- lib: remove bad set.opt_no_body assignments
- lib: rewind BEFORE request instead of AFTER previous
- lib: sync guard for Curl_getaddrinfo_ex() definition and use
- lib: use size_t or int etc instead of longs
- libcurl-errors.3: remove duplicate word
- libssh2: return error when ssh_hostkeyfunc returns error
- limit-rate.d: see also --rate
- log2changes.pl: wrap long lines at 80 columns
- Makefile.mk: address minor issues
- Makefile.mk: improve a GNU Make hack
- Makefile.mk: portable Makefile.m32
- maketgz: set the right version in lib/libcurl.plist
- mime: relax easy/mime structures binding
- misc: Fix incorrect spelling
- misc: remove duplicated include files
- misc: typo and grammar fixes
- negtelnetserver.py: have it call its close() method
- netrc.d: provide mutext info
- netware: remove leftover traces
- noproxy: also match with adjacent comma
- noproxy: guard against empty hostnames in noproxy check
- noproxy: tailmatch like in 7.85.0 and earlier
- nroff-scan.pl: detect double highlights
- ntlm: improve comment for encrypt_des
- ntlm: silence ubsan warning about copying from null target_info pointer
- openssl/mbedtls: use %d for outputing port with failf (int)
- openssl: prefix errors with '[lib]/[version]: '
- os400: use platform socklen_t in Curl_getnameinfo_a
- page-header: grammar improvement (display transfer rate)
- proxy: refactor haproxy protocol handling as connection filter
- README.md: remove badges and xmas-tree garnish
- rtsp: fix RTSP auth
- runtests: --no-debuginfod now disables DEBUGINFOD_URLS
- runtests: do CRLF replacements per section only
- scripts/checksrc.pl: detect duplicated include files
- sendf: change Curl_read_plain to wrap Curl_recv_plain
- sendf: remove unnecessary if condition
- setup: do not require __MRC__ defined for Mac OS 9 builds
- smb/telnet: do not free the protocol struct in *_done()
- socks: fix username max size is 255 (0xFF)
- spellcheck.words: remove 'github' as an accepted word
- ssl-reqd.d: clarify that this is for upgrading connections only
- strcase: use curl_str(n)equal for case insensitive matches
- styled-output.d: this option does not work on Windows
- system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
- system.h: support 64-bit curl_off_t for NonStop 32-bit
- test1421: fix typo
- test3026: reduce runtime in legacy mingw builds
- tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
- tests: add authorityInfoAccess to generated certs
- tests: add HTTP/3 test case, custom location for proper nghttpx
- tls: backends use connection filters for IO, enabling HTTPS-proxy
- tool: determine the correct fopen option for -D
- tool_cfgable: free the ssl_ec_curves on exit
- tool_cfgable: make socks5_gssapi_nec a boolean
- tool_formparse: avoid clobbering on function params
- tool_getparam: make --no-get work as the opposite of --get
- tool_operate: provide better errmsg for -G with bad URL
- tool_operate: when aborting, make sure there is a non-NULL error buffer
- tool_paramhlp: free the proto strings on exit
- url: move back the IDN conversion of proxy names
- urlapi: reject more bad letters from the host name: &+()
- urldata: change port num storage to int and unsigned short
- vms: remove SIZEOF_SHORT
- vtls: fix build without proxy support
- vtls: localization of state data in filters
- WEBSOCKET.md: fix broken link
- Websocket: fixes for partial frames and buffer updates
- websockets: fix handling of partial frames
- windows: fail early with a missing windres in autotools
- windows: fix linking .rc to shared curl with autotools
- winidn: drop WANT_IDN_PROTOTYPES
- ws: if no connection is around, return error
- ws: return CURLE_NOT_BUILT_IN when websockets not built in
- x509asn1: avoid freeing unallocated pointers
* Wed Nov 16 2022 Luciano Santos <luc14n0@opensuse.org>
- Add 1.50.0 as the minimum libnghttp2 build requirement version as
a bandaid. Curl's 7.86.0 release introduces the use of
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
introduced by nghttp2 1.50.0 release, without introducing a check
for the function/right version in their build scripts. This will
make Zypper/cURL unusable in some corner cases where users
installing something that requires libcurl4 before doing full
system upgrade, thus updating the cURL stack, but not
libnghttp2's. Background: boo#1204983, Factory mailing list
threadd:
"? broken dependency in curl and/or *zyp* ?", and forums thread:
Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.
* Wed Oct 26 2022 Pedro Monreal <pmonreal@suse.com>
- Update to 7.86.0:
* Security fixes:
- POST following PUT confusion [bsc#1204383, CVE-2022-32221]
- .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
- HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
- HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
* Changes:
- NPN: remove support for and use of
- Websockets: initial support
* Bugfixes:
- altsvc: reject bad port numbers
- autotools: reduce brute-force when detecting recv/send arg list
- aws_sigv4: fix header computation
- cli tool: do not use disabled protocols
- connect: change verbose IPv6 address:port to [address]:port
- connect: fix builds without AF_INET6
- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
- connect: fix the wrong error message on connect failures
- content_encoding: use writer struct subclasses for different encodings
- cookie: reject cookie names or content with TAB characters
- curl/add_file_name_to_url: use the libcurl URL parser
- curl/get_url_file_name: use libcurl URL parser
- curl: warn for --ssl use, considered insecure
- docs/libcurl/symbols-in-versions: add several missing symbols
- ftp: ignore a 550 response to MDTM
- functypes: provide the recv and send arg and return types
- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
- header: define public API functions as extern c
- headers: reset the requests counter at transfer start
- hostip: guard PF_INET6 use
- hostip: lazily wait to figure out if IPv6 works until needed
- http, vauth: always provide Curl_allow_auth_to_host() functionality
- http2: make nghttp2 less picky about field whitespace
- http: try parsing Retry-After: as a number first
- http_proxy: restore the protocol pointer on error
- lib: add missing limits.h includes
- lib: prepare the incoming of additional protocols
- lib: sanitize conditional exclusion around MIME
- libssh: if sftp_init fails, don't get the sftp error code
- mprintf: reject two kinds of precision for the same argument
- mqtt: return error for too long topic
- netrc: compare user name case sensitively
- netrc: replace fgets with Curl_get_line
- netrc: use the URL-decoded user
- ngtcp2: fix build errors due to changes in ngtcp2 library
- noproxy: support proxies specified using cidr notation
- openssl: make certinfo available for QUIC
- resolve: make forced IPv4 resolve only use A queries
- schannel: ban server ALPN change during recv renegotiation
- schannel: don't reset recv/send function pointers on renegotiation
- schannel: when importing PFX, disable key persistence
- setopt: use the handler table for protocol name to number conversions
- setopt: when POST is set, reset the 'upload' field
- single_transfer: use the libcurl URL parser when appending query parts
- smb: replace CURL_WIN32 with WIN32
- tool: avoid generating ambiguous escaped characters in --libcurl
- tool_main: exit at once if out of file descriptors
- tool_operate: more transfer cleanup after parallel transfer fail
- tool_operate: prevent over-queuing in parallel mode
- tool_paramhelp: asserts verify maximum sizes for string loading
- tool_xattr: save the original URL, not the final redirected one
- url: a zero-length userinfo part in the URL is still a (blank) user
- url: allow non-HTTPS HSTS-matching for debug builds
- url: rename function due to name-clash in Watt-32
- url: use IDN decoded names for HSTS checks
- urlapi: detect scheme better when not guessing
- urlapi: fix parsing URL without slash with CURLU_URLENCODE
- urlapi: reject more bad characters from the host name field
* Remove patch upstream:
- connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
* Sat Oct 08 2022 Vasily Ulyanov <vasily.ulyanov@suse.com>
- Update connection info when using UNIX socket as endpoint
connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
* Fri Sep 30 2022 Pedro Monreal <pmonreal@suse.com>
- Change the deprecated configure option --enable-hidden-symbols
to the new --enable-symbol-hiding.
* Wed Aug 31 2022 Pedro Monreal <pmonreal@suse.com>
- Update to 7.85.0:
* Security fixes: [bsc#1202593, CVE-2022-35252]
- control code in cookie denial of service
* Changes:
- quic: add support via wolfSSL
- schannel: Add TLS 1.3 support
- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
* Bugfixes:
- asyn-thread: fix socket leak on OOM
- asyn-thread: make getaddrinfo_complete return CURLcode
- base64: base64url encoding has no padding
- configure: fix broken m4 syntax in TLS options
- configure: if asked to use TLS, fail if no TLS lib was detected
- connect: add quic connection information
- connect: set socktype/protocol correctly
- cookie: reject cookies with "control bytes"
- cookie: treat a blank domain in Set-Cookie: as non-existing
- curl: output warning when a cookie is dropped due to size
- Curl_close: call Curl_resolver_cancel to avoid memory-leak
- digest: fix memory leak, fix not quoted 'opaque'
- digest: fix missing increment of 'nc' value for auth-int
- digest: pass over leading spaces in qop values
- digest: reject broken header with session protocol but without qop
- doh: use https protocol by default
- easy_lock.h: include sched.h if available to fix build
- easy_lock.h: use __asm__ instead of asm to fix build
- easy_lock: switch to using atomic_int instead of bool
- ftp: use a correct expire ID for timer expiry
- h2h3: fix overriding the 'TE: Trailers' header
- hostip: resolve *.localhost to 127.0.0.1/::1
- HTTP3.md: update to msh3 v0.4.0
- hyper: use wakers for curl pause/resume
- lib3026: reduce the number of threads to 100
- libssh2: make atime/mtime date overflow return error
- libssh2: provide symlink name in SFTP dir listing
- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
- multi: use larger dns hash table for multi interface
- multi_wait: fix skipping to populate revents for extra_fds
- netrc: Use the password from lines without login
- ngtcp2: Fix build error due to change in nghttp3 prototypes
- ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
- ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
- openssl: add 'CURL_BORINGSSL_VERSION' to identify BoringSSL
- openssl: add cert path in error message
- openssl: add details to "unable to set client certificate" error
- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
- select: do not return fatal error on EINTR from poll()
- sendf: fix paused header writes since after the header API
- sendf: skip storing HTTP headers if HTTP disabled
- url: really use the user provided in the url when netrc entry exists
- url: reject URLs with hostnames longer than 65535 bytes
- url: treat missing usernames in netrc as empty
- urldata: reduce size of several struct fields
- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
* Remove tests-for-32bit.patch fixed in the update
* Rebase libcurl-ocloexec.patch
* Sun Jul 24 2022 Dirk Müller <dmueller@suse.com>
- add tests-for-32bit.patch to fix testsuite on 32bit platforms
* Mon Jun 27 2022 David Anes <david.anes@suse.com>
- Update to 7.84.0:
* Security fixes:
- (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
- (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
- (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
- (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
* Changes:
- curl: add --rate to set max request rate per time unit
- curl: deprecate --random-file and --egd-file
- curl_version_info: add CURL_VERSION_THREADSAFE
- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
- lib: make curl_global_init() threadsafe when possible
- libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
- opts: deprecate RANDOM_FILE and EGDSOCKET
- socks: support unix sockets for socks proxy
* Bugfixes:
- aws-sigv4: fix potentional NULL pointer arithmetic
- bindlocal: don't use a random port if port number would wrap
- c-hyper: mark status line as status for Curl_client_write()
- ci: avoid `cmake -Hpath`
- CI: bump FreeBSD 13.0 to 13.1
- ci: update github actions
- cmake: add libpsl support
- cmake: do not add libcurl.rc to the static libcurl library
- cmake: enable curl.rc for all Windows targets
- cmake: fix detecting libidn2
- cmake: support adding a suffix to the OS value
- configure: skip libidn2 detection when winidn is used
- configure: use the SED value to invoke sed
- configure: warn about rustls being experimental
- content_encoding: return error on too many compression steps
- cookie: address secure domain overlay
- cookie: apply limits
- copyright.pl: parse and use .reuse/dep5 for skips
- copyright: make repository REUSE compliant
- curl.1: add a few see also --tls-max
- curl.1: mention exit code zero too
- curl: re-enable --no-remote-name
- curl_easy_pause.3: remove explanation of progress function
- curl_getdate.3: document that some illegal dates pass through
- Curl_parsenetrc: don't access local pwbuf outside of scope
- curl_url_set.3: clarify by default using known schemes only
- CURLOPT_ALTSVC.3: document the file format
- CURLOPT_FILETIME.3: fix the protocols this works with
- CURLOPT_HTTPHEADER.3: improve comment in example
- CURLOPT_NETRC.3: document the .netrc file format
- CURLOPT_PORT.3: We discourage using this option
- CURLOPT_RANGE.3: remove ranged upload advice
- digest: added detection of more syntax error in server headers
- digest: tolerate missing "realm"
- digest: unquote realm and nonce before processing
- DISABLED: disable 1021 for hyper again
- docs/cmdline-opts: add copyright and license identifier to each file
- docs/CONTRIBUTE.md: document the 'needs-votes' concept
- docs: clarify data replacement policy for MIME API
- doh: remove UNITTEST macro definition
- examples/crawler.c: use the curl license
- examples: remove fopen.c and rtsp.c
- FAQ: Clarify Windows double quote usage
- fopen: add Curl_fopen() for better overwriting of files
- ftp: restore protocol state after http proxy CONNECT
- ftp: when failing to do a secure GSSAPI login, fail hard
- GHA/hyper: enable debug in the build
- gssapi: improve handling of errors from gss_display_status
- gssapi: initialize gss_buffer_desc strings
- headers api: remove EXPERIMENTAL tag
- http2: always debug print stream id in decimal with %u
- http2: reject overly many push-promise headers
- http: restore header folding behavior
- hyper: use 'alt-used'
- krb5: return error properly on decode errors
- lib: make more protocol specific struct fields #ifdefed
- libcurl-security.3: add "Secrets in memory"
- libcurl-security.3: document CRLF header injection
- libssh: skip the fake-close when libssh does the right thing
- links: update dead links to the curl-wiki
- log2changes: do not indent empty lines [ci skip]
- macos9: remove partial support
- Makefile.am: fix portability issues
- Makefile.m32: delete obsolete options, improve -On [ci skip]
- Makefile.m32: delete two obsolete OpenSSL options [ci skip]
- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
- max-time.d: clarify max-time sets max transfer time
- mprintf: ignore clang non-literal format string
- netrc: check %USERPROFILE% as well on Windows
- netrc: support quoted strings
- ngtcp2: allow curl to send larger UDP datagrams
- ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
- ngtcp2: enable Linux GSO
- ngtcp2: extend QUIC transport parameters buffer
- ngtcp2: fix alert_read_func return value
- ngtcp2: fix typo in preprocessor condition
- ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
- ngtcp2: send appropriate connection close error code
- ngtcp2: support boringssl crypto backend
- ngtcp2: use helper funcs to simplify TLS handshake integration
- ntlm: provide a fixed fake host name
- projects: fix third-party SSL library build paths for Visual Studio
- quic: add Curl_quic_idle
- quiche: support ca-fallback
- rand: stop detecting /dev/urandom in cross-builds
- remote-name.d: mention --output-dir
- runtests.pl: add the --repeat parameter to the --help output
- runtests: fix skipping tests not done event-based
- runtests: skip starting the ssh server if user name is lacking
- scripts/copyright.pl: fix the exclusion to not ignore man pages
- sectransp: check for a function defined when __BLOCKS__ is undefined
- select: return error from "lethal" poll/select errors
- server/sws: support spaces in the HTTP request path
- speed-limit/time.d: mention these affect transfers in either direction
- strcase: some optimisations
- test 2081: add a valid reply for the second request
- test 675: add missing CR so the test passes when run through Privoxy
- test414: add the '--resolve' keyword
- test681: verify --no-remote-name
- tests 266, 116 and 1540: add a small write delay
- tests/data/test1501: kill ftp server after slow LIST response
- tests/getpart: fix getpartattr to work with "data" and "data2"
- tests/server/sws.c: change the HTTP writedelay unit to milliseconds
- test{440,441,493,977}: add "HTTP proxy" keywords
- tool_getparam: fix --parallel-max maximum value constraint
- tool_operate: make sure --fail-with-body works with --retry
- transfer: fix potential NULL pointer dereference
- transfer: maintain --path-as-is after redirects
- transfer: upload performance; avoid tiny send
- url: free old conn better on reuse
- url: remove redundant #ifdefs in allocate_conn()
- url: URL encode the path when extracted, if spaces were set
- urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
- urlapi: support CURLU_URLENCODE for curl_url_get()
- urldata: reduce size of a few struct fields
- urldata: remove three unused booleans from struct UserDefined
- urldata: store tcp_keepidle and tcp_keepintvl as ints
- version: allow stricmp() for sorting the feature list
- vtls: make curl_global_sslset thread-safe
- wolfssh.h: removed
- wolfssl: correct the failf() message when a handle can't be made
- wolfSSL: explicitly use compatibility layer
- x509asn1: mark msnprintf return as unchecked
* Wed May 11 2022 David Anes <david.anes@suse.com>
- Update to 7.83.1:
* Security fixes:
- (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
- (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
- (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
- (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
- (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
- (bsc#1199220, CVE-2022-27778) removes wrong file on error
* Bugfixes:
- altsvc: fix host name matching for trailing dots
- cirrus: Update to FreeBSD 12.3
- cirrus: Use pip for Python packages on FreeBSD
- conn: fix typo 'connnection' -> 'connection' in two function names
- cookies: make bad_domain() not consider a trailing dot fine
- curl: free resource in error path
- curl: guard against size_t wraparound in no-clobber code
- CURLOPT_DOH_URL.3: mention the known bug
- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
- CURLOPT_SSH_AUTH_TYPES.3: fix the default
- data/test376: set a proper name
- GHA/mbedtls: enabled nghttp2 in the build
- gha: build msh3
- gskit: fixed bogus setsockopt calls
- gskit: remove unused function set_callback
- hsts: ignore trailing dots when comparing hosts names
- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
- http: move Curl_allow_auth_to_host()
- http_proxy/hyper: handle closed connections
- hyper: fix test 357
- Makefile: fix "make ca-firefox"
- mbedtls: bail out if rng init fails
- mbedtls: fix compile when h2-enabled
- mbedtls: fix some error messages
- misc: use "autoreconf -fi" instead buildconf
- msh3: get msh3 version from MsH3Version
- msh3: print boolean value as text representation
- msh3: psss remote_port to MsH3ConnectionOpen
- ngtcp2: add ca-fallback support for OpenSSL backend
- nss: return error if seemingly stuck in a cert loop
- openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
- post_per_transfer: remove the updated file name
- sectransp: bail out if SSLSetPeerDomainName fails
- tests/server: declare variable 'reqlogfile' static
- tests: fix markdown formatting in README
- test{898,974,976}: add 'HTTP proxy' keywords
- tls: check more TLS details for connection reuse
- url: check SSH config match on connection reuse
- urlapi: address (harmless) UndefinedBehavior sanitizer warning
- urlapi: reject percent-decoding host name into separator bytes
- x509asn1: make do_pubkey handle EC public keys
* Fri Apr 22 2022 David Anes <david.anes@suse.com>
- Patches rework:
* Refreshed all patches as -p1.
* Use autopatch macro.
* Renamed:
- dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
* Removed (already upstream):
- curl-fix-verifyhost.patch
- Update to 7.83.0:
* Security fixes:
- (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
- (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
- (bsc#1198608, CVE-2022-27774) Credential leak on redirect
- (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
* Changes:
- curl: add %header{name} experimental support in -w handling
- curl: add %{header_json} experimental support in -w handling
- curl: add --no-clobber
- curl: add --remove-on-error
- header api: add curl_easy_header and curl_easy_nextheader
- msh3: add support for QUIC and HTTP/3 using msh3
* Bugfixes:
- appveyor: add Cygwin build
- appveyor: only add MSYS2 to PATH where required
- BearSSL: add CURLOPT_SSL_CIPHER_LIST support
- BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
- BINDINGS.md: add Hollywood binding
- CI: Do not use buildconf. Instead, just use: autoreconf -fi
- CI: install Python package impacket to run SMB test 1451
- configure.ac: move -pthread CFLAGS setting back where it used to be
- configure: bump the copyright year range int the generated output
- conncache: include the zone id in the "bundle" hashkey
- connecache: remove duplicate connc->closure_handle check
- connect: make Curl_getconnectinfo work with conn cache from share handle
- connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
- cookie.d: clarify when cookies are sent
- cookies: improve errorhandling for reading cookiefile
- curl/system.h: update ifdef condition for MCST-LCC compiler
- curl: error out if -T and -d are used for the same URL
- curl: error out when options need features not present in libcurl
- curl: escape '?' in generated --libcurl code
- curl: fix segmentation fault for empty output file names.
- curl_easy_header: fix typos in documentation
- CURLINFO_PRIMARY_PORT.3: clarify which port this is
- CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
- CURLOPT_PROGRESSFUNCTION.3: fix typo in example
- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
- CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
- docs/HYPER.md: updated to reflect current hyper build needs
- docs/opts: Mention Schannel client cert type is P12
- docs: Fix missing semicolon in example code
- docs: lots of minor language polish
- English: use American spelling consistently
- fail.d: tweak the description
- firefox-db2pem.sh: make the shell script safer
- ftp: fix error message for partial file upload
- gen.pl: change wording for mutexed options
- GHA: add openssl3 jobs moved over from zuul
- GHA: build hyper with nightly rustc
- GHA: move bearssl jobs over from zuul
- gha: move the event-based test over from Zuul
- gtls: fix build for disabled TLS-SRP
- http2: handle DONE called for the paused stream
- http2: RST the stream if we stop it on our own will
- http: avoid auth/cookie on redirects same host diff port
- http: close the stream (not connection) on time condition abort
- http: reject header contents with nul bytes
- http: return error on colon-less HTTP headers
- http: streamclose "already downloaded"
- hyper: fix status_line() return code
- hyper: fix tests 580 and 581 for hyper
- hyper: no h2c support
- infof: consistent capitalization of warning messages
- ipv4/6.d: clarify that they are about using IP addresses
- json.d: fix typo (overriden -> overridden)
- keepalive-time.d: It takes many probes to detect brokenness
- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
- lib670: avoid double check result
- lib: #ifdef on USE_HTTP2 better
- lib: fix some misuse of curlx_convert_wchar_to_UTF8
- lib: remove exclamation marks
- libssh2: compare sha256 strings case sensitively
- libssh2: make the md5 comparison fail if wrong length
- libssh: fix build with old libssh versions
- libssh: fix double close
- libssh: Improve fix for missing SSH_S_ stat macros
- libssh: unstick SFTP transfers when done event-based
- macos: set .plist version in autoconf
- mbedtls: remove 'protocols' array from backend when ALPN is not used
- mbedtls: remove server_fd from backend
- mk-ca-bundle.pl: Use stricter logic to process the certificates
- mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
- mlc_config.json: add file to ignore known troublesome URLs
- mqtt: better handling of TCP disconnect mid-message
- ngtcp2: add client certificate authentication for OpenSSL
- ngtcp2: avoid busy loop in low CWND situation
- ngtcp2: deal with sub-millisecond timeout
- ngtcp2: disconnect the QUIC connection proper
- ngtcp2: enlarge H3_SEND_SIZE
- ngtcp2: fix HTTP/3 upload stall and avoid busy loop
- ngtcp2: fix memory leak
- ngtcp2: fix QUIC_IDLE_TIMEOUT
- ngtcp2: make curl 1ms faster
- ngtcp2: remove remote_addr which is not used in a meaningful way
- ngtcp2: update to work after recent ngtcp2 updates
- ngtcp2: use token when detecting :status header field
- nonblock: restore setsockopt method to curlx_nonblock
- openssl: check SSL_get_peer_cert_chain return value
- openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
- openssl: fix CN check error code
- options: remove mistaken space before paren in prototype
- perl: removed a double semicolon at end of line
- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
- projects/README: converted to markdown
- projects: Update VC version names for VS2017, VS2022
- rtsp: don't let CSeq error override earlier errors
- runtests: add 'bearssl' as testable feature
- runtests: make 'oldlibssh' be before 0.9.4
- schannel: remove dead code that will never run
- scripts/copyright.pl: ignore the new mlc_config.json file
- scripts: move three scripts from lib/ to scripts/
- test1135: sync with recent API updates
- test1459: disable for oldlibssh
- test375: fix line endings on Windows
- test386: Fix an incorrect test markup tag
- test718: edited slightly to return better HTTP
- tests/server/util.h: align WIN32 condition with util.c
- tests: refactor server/socksd.c to support --unix-socket
- timediff.[ch]: add curlx helper functions for timeval conversions
- tls: make mbedtls and NSS check for h2, not nghttp2
- tool and tests: force flush of all buffers at end of program
- tool_cb_hdr: Turn the Location: into a terminal hyperlink
- tool_getparam: error out on missing -K file
- tool_listhelp.c: uppercase URL
- tool_operate: fix a scan-build warning
- tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
- transfer: redirects to other protocols or ports clear auth
- unit1620: call global_init before calling Curl_open
- url: check sasl additional parameters for connection reuse.
- vtls: provide a unified APLN-disagree string for all backends
- vtls: use a backend standard message for "ALPN: offers %s"
- vtls: use a generic "ALPN, server accepted" message
- winbuild/README.md: fixup dead link
- winbuild: Add a Visual Studio example to the README
- wolfssl: fix compiler error without IPv6
* Fri Mar 11 2022 Pedro Monreal <pmonreal@suse.com>
- Fix: openssl: fix CN check error code
* Add curl-fix-verifyhost.patch
* Mon Mar 07 2022 Paolo Stivanin <info@paolostivanin.com>
- Update to 7.82.0:
* curl: add --json command line option
* curl: make it so that sensitive command line arguments do not
show as easily in the output of ps(1)
* curl_multi_socket.3: remove callback and typical usage descriptions
* ftp: provide error message for control bytes in path
* ldap: return CURLE_URL_MALFORMAT for bad URL
* lib: remove support for CURL_DOES_CONVERSIONS
* mqtt: plug some memory leaks
* multi: allow user callbacks to call curl_multi_assign
* multi: remember connection_id before returning connection to pool
* multi: set in_callback for multi interface callbacks
* netware: remove support
* ngtcp2: adapt to changed end of headers callback proto
* openldap: implement SASL authentication
* openssl: return error if TLS 1.3 is requested when not supported
* sectransp: mark a 3DES cipher as weak
* smb: pass socket for writing and reading data instead of FIRSTSOCKET
* tool_getparam: DNS options that need c-ares now fail without it
* TPF: drop support
* url: given a user in the URL, find pwd for that user in netrc
* url: keep trailing dot in host name
* urlapi: handle "redirects" smarter
* urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
* urldata: remove conn->bits.user_passwd
* Sun Jan 09 2022 Dirk Müller <dmueller@suse.com>
- update to 7.81.0:
* mime: use percent-escaping for multipart form field and file names
* asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
* azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
* BINDINGS: add cURL client for PostgreSQL
* BINDINGS: add one from Everything curl and update a link
* checksrc: detect more kinds of NULL comparisons we avoid
* CI: build examples for additional code verification
* CI: bump job to use mbedtls 3.1.0
* cmake: don't set _USRDLL on a static Windows build
* cmake: prevent dev warning due to mismatched arg
* cmake: private identifiers use CURL_ instead of CMAKE_ prefix
* config.d: update documentation to match the path search
* configure: add -lm to configure for rustls build.
* configure: better diagnostics if hyper is built wrong
* configure: don't enable TLS when --without-* flags are used
* configure: fix runtime-lib detection on macOS
* curl.1: require "see also" for every documented option
* curl: improve error message for --head with -J
* curl_easy_cleanup.3: remove from multi handle first
* curl_easy_escape.3: call curl_easy_cleanup in example
* curl_easy_unescape.3: call curl_easy_cleanup in example
* curl_multi_init.3: fix EXAMPLE formatting
* curl_multi_perform/socket_action.3: clarify what errors mean
* curl_share_setopt.3: split out options into their own manpages
* CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
* digest: compute user:realm:pass digest w/o userhash
* docs/checksrc: Add documentation for STRERROR
* docs/cmdline-opts: do not say "protocols: all"
* docs/examples: workaround broken -Wno-pedantic-ms-format
* docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
* docs/INSTALL.md: typo fix : added missing "get" verb
* docs/URL-SYNTAX.md: space is not fine in a given URL
* docs: add known bugs list to HTTP3.md
* docs: address proselint nits
* docs: consistent manpage SYNOPSIS
* docs: fix dead links, remove ECH.md
* docs: fix typo in OpenSSL 3 build instructions
* docs: Update the Reducing Size section
* example/progressfunc: remove code for old libcurls
* examples/multi-single.c: remove WAITMS()
* FAQ: typo fix : "yout" ➤ "your"
* ftp: disable warning 4706 in MSVC
* gen.pl: improve example output format
* github workflow: add wolfssl (removed from zuul)
* github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
* gtls: check return code for gnutls_alpn_set_protocols
* hash: lazy-alloc the table in Curl_hash_add()
* http2:set_transfer_url() return early on OOM
* HTTP3: update quiche build instructions
* http: enable haproxy support for hyper backend
* http: Fix CURLOPT_HTTP200ALIASES
* http_proxy: don't close the socket (too early)
* insecure.d: detail its use for SFTP and SCP as well
* insecure.d: expand and clarify
* libcurl-multi.3: "SOCKS proxy handshakes" are not blocking
* libcurl-security.3: mention address and URL mitigations
* libssh2: fix error message for sha256 mismatch
* libtest: avoid "assignment within conditional expression"
* lift: ignore is a deprecated config option, use ignoreRules
* linkcheck.yml: add CI job that checks markdown links
* m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
* Makefile.m32: rename -winssl option to -schannel and tidy up
* mbedTLS: add support for CURLOPT_CAINFO_BLOB
* mbedtls: fix CURLOPT_SSLCERT_BLOB
* mbedtls: fix private member designations for v3.1.0
* misc: remove unused doh flags when CURL_DISABLE_DOH is defined
* misc: s/e-mail/email
* multi: cleanup the socket hash when destroying it
* multi: handle errors returned from socket/timer callbacks
* multi: shut down CONNECT in Curl_detach_connnection
* netrc.d: edit the .netrc example to look nicer
* ngtcp2: verify the server cert on connect (quictls)
* ngtcp2: verify the server certificate for the gnutls case
* nss:set_cipher don't clobber the cipher list
* openldap: implement STARTTLS
* openldap: process search query response messages one by one
* openldap: several minor improvements
* openldap: simplify ldif generation code
* openssl: check the return value of BIO_new()
* openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
* openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
* openssl: remove usage of deprecated `SSL_get_peer_certificate`
* openssl: use non-deprecated API to read key parameters
* page-footer: add a mention of how to report bugs to the man page
* page-footer: document more environment variables
* request.d: refer to 'method' rather than 'command'
* retry-all-errors.d: make the example complete
* runtests: make the SSH library a testable feature
* rustls: read of zero bytes might be okay
* rustls: remove comment about checking handshaking
* rustls: remove incorrect EOF check
* sha256/md5: return errors when init fails
* socks5: use appropriate ATYP for numerical IP address host names
* test1156: enable for hyper
* test1156: fixup the stdout check for Windows
* test1525: tweaked for hyper
* test1526: enable for hyper
* test1527: enable for hyper
* test1528: enable for hyper
* test1554: adjust for hyper
* test1556: adjust for hyper
* test302[12]: run only with the libssh2 backend
* test661: enable for hyper
* tests/CI.md: add more information on CI environments
* tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
* tftp: mark protocol as not possible to do over CONNECT
* tool_findfile: updated search for a file in the homedir
* tool_operate: only set SSH related libcurl options for SSH URLs
* tool_operate: warn if too many output arguments were found
* url.c: fix the SIGPIPE comment for Curl_close
* url: check ssl_config when re-use proxy connection
* url: reduce ssl backend count for CURL_DISABLE_PROXY builds
* urlapi: accept port number zero
* urlapi: if possible, shorten given numerical IPv6 addresses
* urlapi: provide more detailed return codes
* urlapi: reject short file URLs
* version_win32: Check build number and platform id
* vtls/rustls: adapt to the updated rustls_version proto
* writeout: fix %{http_version} for HTTP/3
* x509asn1: return early on errors
* zuul.d: update rustls-ffi to version 0.8.2
* zuul: fix quiche build pointing to wrong Cargo
* Tue Nov 16 2021 Pedro Monreal <pmonreal@suse.com>
- Update to 7.80.0:
* Changes:
- CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
- CURLOPT_PREREQFUNCTION: add new callback
- libssh2: add SHA256 fingerprint support
- urlapi: add curl_url_strerror()
* Bugfixes:
- aws-sigv4: make signature work when post data is binary
- c-hyper: don't abort CONNECT responses early when auth-in-progress
- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
- cmake: add CURL_ENABLE_SSL option
- cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
- configure.ac: replace krb5-config with pkg-config
- configure: when hyper is selected, deselect nghttp2
- curl-confopts.m4: remove --enable/disable-hidden-symbols
- curl-openssl.m4: modify library order for openssl linking
- curl_ntlm_core: use OpenSSL only if DES is available
- Curl_updateconninfo: store addresses for QUIC connections too
- ftp: make the MKD retry to retry once per directory
- http: fix Basic auth with empty name field in URL
- http: reject HTTP response codes < 100
- http: remove assert that breaks hyper
- http: set content length earlier
- imap: display quota information
- libssh2: Get the version at runtime if possible
- md5: fix compilation with OpenSSL 3.0 API
- ngtcp2: advertise h3 as well as h3-29
- ngtcp2: compile with the latest nghttp3
- ngtcp2: use latest QUIC TLS RFC9001
- NTLM: use DES_set_key_unchecked with OpenSSL
- openssl: if verifypeer is not requested, skip the CA loading
- openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
- schannel: fix memory leak due to failed SSL connection
- sendf: accept zero-length data in Curl_client_write()
- sha256: use high-level EVP interface for OpenSSL
- sws: fix memory leak on exit
- tool_operate: a failed etag save now only fails that transfer
- url: check the return value of curl_url()
- url: set "k->size" -1 at start of request
- urlapi: skip a strlen(), pass in zero
- urlapi: URL decode percent-encoded host names
- vtls: Fix a memory leak if an SSL session cannot be added to the cache
- wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
* Use --with-openssl configure option, --with-ssl is now deprecated
* Wed Sep 22 2021 Pedro Monreal <pmonreal@suse.com>
- Update to 7.79.1:
* Bugfixes:
- Curl_http2_setup: don't change connection data on repeat invokes
- curl_multi_fdset: make FD_SET() not operate on sockets out of range
- dist: provide lib/.checksrc in the tarball
- FAQ: add GOPHERS + curl works on data, not files
- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
- hsts: handle unlimited expiry
- http: fix the broken >3 digit response code detection
- strerror: use sys_errlist instead of strerror on Windows
- test1184: disable: https://github.com/curl/curl/issues/7725
- tests/sshserver.pl: make it work with openssh-8.7p1
* Wed Sep 15 2021 Pedro Monreal <pmonreal@suse.com>
- Temporarily disable flaky test 1184
* See https://github.com/curl/curl/issues/7725
* Wed Sep 15 2021 Pedro Monreal <pmonreal@suse.com>
- Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
[bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
* Changes:
- bearssl: support CURLOPT_CAINFO_BLOB
- http: consider cookies over localhost to be secure
- secure transport: support CURLINFO_CERTINFO
* Bugfixes:
- CVE-2021-22945: clear the leftovers pointer when sending succeeds
- CVE-2021-22946: do not ignore --ssl-reqd
- CVE-2021-22947: reject STARTTLS server response pipelining
- auth: do not append zero-terminator to authorisation id in kerberos
- auth: properly handle byte order in kerberos security message
- auth: use sasl authzid option in kerberos
- auth: we do not support a security layer after kerberos authentication
- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
- c-hyper: initial step for 100-continue support
- c-hyper: initial support for "dumping" 1xx HTTP responses
- curl-openssl.m4: show correct output for OpenSSL v3
- docs/MQTT: update state of username/password support
- docs: the security list is reached at security at curl.se now
- getparameter: fix the --local-port number parser
- hostip: Make Curl_ipv6works function independent of getaddrinfo
- http_proxy: fix the User-Agent inclusion in CONNECT
- http_proxy: fix user-agent and custom headers for CONNECT with hyper
- http_proxy: only wait for writable socket while sending request
- mailing lists: move from cool.haxx.se to lists.haxx.se
- mbedtls: avoid using a large buffer on the stack
- mbedTLS: initial 3.0.0 support
- ngtcp2: remove the acked_crypto_offset struct field init
- ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
- ngtcp2: reset the oustanding send buffer again when drained
- ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
- ngtcp2: stop buffering crypto data
- ngtcp2: utilize crypto API functions to simplify
- openssl: when creating a new context, there cannot be an old one
- scripts: invoke interpreters through /usr/bin/env
- tests/runtests.pl: cleanup copy&paste mistakes and unused code
- tests: be explicit about using 'python3' instead of 'python'
- tool/tests: fix potential year 2038 issues
- tool_operate: Fix --fail-early with parallel transfers
- x509asn1: fix heap over-read when parsing x509 certificates
* Rebase libcurl-ocloexec.patch
* Wed Jul 21 2021 Pedro Monreal <pmonreal@suse.com>
- Update to 7.78.0:
[bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
[bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
* Changes:
- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
- hostip: make 'localhost' return fixed values
- mbedtls: add support for cert and key blob options
- metalink: remove all support for it
- mqtt: add support for username and password
* Bugfixes:
- ares: always store IPv6 addresses first
- c-hyper: abort CONNECT response reading early on non 2xx responses
- c-hyper: add support for transfer-encoding in the request
- c-hyper: bail on too long response headers
- c-hyper: clear NTLM auth buffer when request is issued
- c-hyper: fix NTLM on closed connection tested with test159
- conncache: lowercase the hash key for better match
- curl_multibyte: Remove local encoding fallbacks
- Curl_ntlm_core_mk_nt_hash: fix OOM in error path
- Curl_ssl_getsessionid: fail if no session cache exists
- easy: during upkeep, attach Curl_easy to connections in the cache
- gnutls: set the preferred TLS versions in correct order
- hsts: ignore numberical IP address hosts
- HSTS: not experimental anymore
- http2: init recvbuf struct for pushed streams
- http: fix crash in rate-limited upload
- http: make the haproxy support work with unix domain sockets
- http_proxy: deal with non-200 CONNECT response with Hyper
- lib: don't compare fd to FD_SETSIZE when using poll
- lib: fix compiler warnings with CURL_DISABLE_NETRC
- lib: fix type of len passed to *printf's %*s
- lib: more %u for port and int for %*s fixes
- lib: use %u instead of %ld for port number printf
- libssh2: limit time a disconnect can take to 1 second
- mqtt: detect illegal and too large file size
- msnprintf: return number of printed characters excluding null byte
- multi: add scan-build-6 work-around in curl_multi_fdset
- multi: alter transfer timeout ordering
- multi: do not switch off connect_only flag when closing
- multi: fix crash in curl_multi_wait / curl_multi_poll
- ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
- openssl: avoid static variable for seed flag
- openssl: don't remove session id entry in disassociate
- socketpair: fix potential hangs
- socks4: scan for the IPv4 address in resolve results
- ssl: read pending close notify alert before closing the connection
- telnet: fix option parser to not send uninitialized contents
- TLS: prevent shutdown loops to get stuck
- vtls: exit addsessionid if no cache is inited
- vtls: fix connection reuse checks for issuer cert and case sensitivity
* Wed May 26 2021 Pedro Monreal <pmonreal@suse.com>
- Update to 7.77.0: [bsc#1186114, CVE-2021-22898]
[bsc#1186115, bsc#1185579, CVE-2021-22901]
* Security fixes:
- CVE-2021-22297: schannel cipher selection surprise
- CVE-2021-22298: TELNET stack contents disclosure
- CVE-2021-22901: TLS session caching disaster
* Changes:
- configure: make the TLS library choice(s) explicit
- curl: ignore options asking for SSLv2 or SSLv3
- hsts: enable by default
- SSL: support in-memory CA certs for some backends
- vtls: refuse setting any SSL version
* Bugfixes:
- configure: provide --with-openssl, deprecate --with-ssl
- cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
- curl: include libmetalink version in --version output
- data_pending: check only SECONDARY socket for FTP(S) transfers
- gnutls: don't allow TLS 1.3 for versions that don't support it
- gnutls: make setting only the MAX TLS allowed version work
- http2: fix resource leaks in set_transfer_url() and push_promise()
- http: limit the initial send amount to used upload buffer size
- rustls: only return CURLE_AGAIN when TLS session is fully drained
- rustls: use ALPN
- schannel: Disable auto credentials; add an option to enable it
- schannel: Support strong crypto option
- sectransp: allow cipher name to be specified
- sockfilt: avoid getting stuck waiting for writable socket
* Sun Apr 25 2021 Dirk Müller <dmueller@suse.com>
- update to 7.76.1:
- ngtcp2: Use ALPN h3-29 for now
- TODO: remove 18.22 --fail-with-body
* Wed Mar 31 2021 Pedro Monreal <pmonreal@suse.com>
- Update to 7.76.0
* Security fixes:
- [bsc#1183933, CVE-2021-22876]: strip credentials from the
auto-referer header field
- [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to
Curl_ssl_get/addsessionid()
* Changes:
- cookies: Support multiple -b parameters
- curl: add --fail-with-body
- doh: add options to disable ssl verification
- http: add support to read and store the referrer header
- sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
- vtls: initial implementation of rustls backend
* Bugfixes:
- CVE-2021-22876: strip credentials from the auto-referer header field
- CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
- c-hyper: support automatic content-encoding
- configure: only add OpenSSL paths if they are defined
- configure: provide Largefile feature for curl-config
- curl: set CURLOPT_NEW_FILE_PERMS if requested
- doh: Fix sharing user's resolve list with DOH handles
- doh: Inherit CURLOPT_STDERR from user's easy handle
- dynbuf: bump the max HTTP request to 1MB
- ftp: add 'list_only' to the transfer state struct
- ftp: add 'prefer_ascii' to the transfer state struct
- ftp: allow SIZE to fail when doing (resumed) upload
- ftp: avoid SIZE when asking for a TYPE A file
- ftp: fix memory leak in ftp_done
- ftp: never set data->set.ftp_append outside setopt
- gnutls: assume nettle crypto support
- http2: don't set KEEP_SEND when there's no more data to be sent
- http2: fail if connection terminated without END_STREAM
- http: do not add a referrer header with empty value
- http: strip default port from URL sent to proxy
- http: use credentials from transfer, not connection
- lib: remove 'conn->data' completely
- multi: close the connection when h2=>h1 downgrading
- multi: do once-per-transfer inits in before_perform in DID state
- multi: rename the multi transfer states
- multi: update pending list when removing handle
- ngtcp2: adapt to the new recv_datagram callback
- ngtcp2: clarify calculation precedence
- ngtcp2: sync with recent API updates
- openssl: adapt to v3's new const for a few API calls
- openssl: ensure to check SSL_CTX_set_alpn_protos return values
- openssl: remove get_ssl_version_txt in favor of SSL_get_version
- parse_proxy: fix a memory leak in the OOM path
- url: fix memory leak if OOM in the HSTS handling
- url: fix possible use-after-free in default protocol
- urldata: don't touch data->set.httpversion at run-time
- urldata: merge "struct DynamicStatic" into "struct UrlState"
- urldata: remove the 'rtspversion' field
- urldata: remove the _ORIG suffix from string names
- wolfssl: don't store a NULL sessionid
* Thu Mar 04 2021 Cristian Rodríguez <crrodriguez@opensuse.org>
- Harden build, enable full RELRO
- Never allow undefined symbols anywhere.
* Thu Feb 04 2021 Pedro Monreal <pmonreal@suse.com>
- Update to 7.75.0
* Changes:
- curl: add --create-file-mode [mode]
- curl: add new variables to --write-out
- dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
- gopher: implement secure gopher protocol
- http: add Hyper as new optional HTTP backend
- http: introduce AWS HTTP v4 Signature support
* Bugfixes:
- cmake: Add an option to disable libidn2
- cmake: enable gophers correctly in curl-config
- cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
- digest_sspi: Show InitializeSecurityContext errors in verbose mode
- getinfo: build with disabled HTTP support
- http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
- http_proxy: Fix CONNECT chunked encoding race condition
- httpauth: make multi-request auth work with custom port
- lib: pass in 'struct Curl_easy *' to most functions
- lib: remove Curl_ prefix from many static functions
- lib: save a bit of space with some structure packing
- libssh: avoid plain free() of libssh-memory
- mime: make sure setting MIMEPOST to NULL resets properly
- multi_runsingle: bail out early on data->conn == NULL
- ngtcp2: Fix http3 upload stall
- ngtcp2: Fix stack buffer overflow
- openssl: lowercase the hostname before using it for SNI
- socks: use the download buffer instead
- speedcheck: exclude paused transfers
- tooĺ_writeout: fix the -w time output units
- url: if IDNA conversion fails, fallback to Transitional
- Refresh libcurl-ocloexec.patch
/usr/lib64/libcurl.so.4 /usr/lib64/libcurl.so.4.8.0 /usr/share/licenses/libcurl4 /usr/share/licenses/libcurl4/COPYING
Generated by rpm2html 1.8.1
Fabrice Bellet, Wed Nov 13 00:41:02 2024