PaulHowarth/Blog/2015-04-22

Wednesday 22nd April 2015

Local Packages

  • Updated curl to 7.42.0:

    • openssl: Show the cipher selection to use in verbose text

    • gtls: Implement CURLOPT_CERTINFO

    • Add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)

    • curl: Add --false-start option

    • Add CURLOPT_PATH_AS_IS

    • curl: Add --path-as-is option

    • curl: Create output file on successful download of an empty file

    • ConnectionExists: For NTLM re-use, require credentials to match (CVE-2015-3143)

    • Cookie: Cookie parser out of boundary memory access (CVE-2015-3145)

    • fix_hostname: Zero length host name caused -1 index offset (CVE-2015-3144)

    • http_done: Close Negotiate connections when done (CVE-2015-3148)

    • sws: Timeout idle CONNECT connections

    • nss: Improve error handling in Curl_nss_random()

    • nss: Do not skip Curl_nss_seed() if data is NULL

    • curl-config.in: Eliminate double quotes around CURL_CA_BUNDLE

    • http2: Move lots of verbose output to be debug-only

    • dist: Add extern-scan.pl to the tarball

    • http2: Return recv error on unexpected EOF

    • Build: Use default RandomizedBaseAddress directive in VC9+ project files

    • Build: Removed DataExecutionPrevention directive from VC9+ project files

    • Tool: Updated the warnf() function to use the GlobalConfig structure

    • http2: Return error if stream was closed with other than NO_ERROR

    • mprintf.h: Remove #ifdef CURLDEBUG

    • libtest: Fixed linker errors on msvc

    • Tool: Use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE

    • curl.1: Fix "The the" typo

    • cmake: Handle build definitions CURLDEBUG/DEBUGBUILD

    • openssl: Remove all uses of USE_SSLEAY

    • multi: Fix memory-leak on timeout (regression)

    • curl_easy_setopt.3: Added CURLOPT_SSL_VERIFYSTATUS

    • metalink: Add some error checks

    • TLS: Make it possible to enable ALPN/NPN without HTTP/2

    • http2: Use CURL_HTTP_VERSION_* symbols instead of NPN_*

    • conncontrol: Only log changes to the connection bit

    • multi: Fix *getsock() with CONNECT

    • symbols.pl: Handle '-' in the deprecated field

    • MacOSX-Framework: Use @rpath instead of @executable_path

    • GnuTLS: Add support for CURLOPT_CAPATH

    • GnuTLS: Print negotiated TLS version and full cipher suite name

    • GnuTLS: Don't print double newline after certificate dates

    • memanalyze.pl: Handle free(NULL)

    • proxy: Re-use proxy connections (regression)

    • mk-ca-bundle: Don't report SHA1 numbers with "-q"

    • http: Always send Host: header as first header

    • openssl: Sort ciphers to use based on strength

    • openssl: Use colons properly in the ciphers list

    • http2: Detect premature close without data transferred

    • hostip: Fix signal race in Curl_resolv_timeout

    • closesocket: Call multi socket callback on close even with custom close

    • mksymbolsmanpage.pl: Use std header and generate better nroff header

    • connect: Fix happy eyeballs logic for IPv4-only builds

    • curl_easy_perform.3: Remove superfluous close brace from example

    • HTTP: Don't use Expect: headers when on HTTP/2

    • Curl_sh_entry: Remove unused 'timestamp'

    • docs/libcurl: Makefile portability fix

    • mkhelp: Remove trailing carriage return from every line of input

    • nss: Explicitly tell NSS to disable NPN/ALPN when libcurl disables it

    • curl_easy_setopt.3: Added a few missing options

    • metalink: Fix resource leak in OOM

    • axtls: Version 1.5.2 now requires that config.h be manually included

    • HTTP: Don't switch to HTTP/2 from 1.1 until we get the 101

    • cyassl: Detect the library as renamed wolfssl

    • CURLOPT_HTTPHEADER.3: Add a "SECURITY CONCERNS" section

    • CURLOPT_URL.3: Added "SECURITY CONCERNS"

    • openssl: Try to avoid accessing OCSP structs when possible

    • test938: Added missing closing tags

    • testcurl: Allow '=' in values given on command line

    • tests/certs: Added make target to rebuild certificates

    • tests/certs: Rebuild certificates with modified key usage bits

    • gtls: Avoid uninitialized variable

    • gtls: Dereferencing NULL pointer

    • gtls: Add check of return code

    • test1513: Eliminated race condition in test run

    • dict: Rename byte to avoid compiler shadowed declaration warning

    • curl_easy_recv/send: Make them work with the multi interface

    • vtls: Fix compile with --disable-crypto-auth but with SSL

    • openssl: Adapt to ASN1/X509 things gone opaque in 1.1

    • openssl: verifystatus: Only use the OCSP work-around ≤ 1.0.2a

    • curl_memory: Make curl_memory.h the second-last header file loaded

    • testcurl.pl: Add the --notes option to supply more info about a build

    • cyassl: If wolfSSL then identify as such in version string

    • cyassl: Check for invalid length parameter in Curl_cyassl_random

    • cyassl: Default to highest possible TLS version

    • Curl_ssl_md5sum: Return CURLcode (fixes OOM)

    • polarssl: Remove dead code

    • polarssl: Called mbedTLS in 1.3.10 and later

    • Globbing: Fix step parsing for character globbing ranges

    • Globbing: Fix URL number calculation when using range with step

    • multi: On a request completion, check all CONNECT_PEND transfers

    • Build: Link curl to openssl libraries when openssl support is enabled

    • url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined

    • vtls: Don't accept unknown CURLOPT_SSLVERSION values

    • Build: Fix libcurl.sln erroneous mixed configurations

    • cyassl: Remove undefined reference to CyaSSL_no_filesystem_verify

    • cyassl: Add SSL context callback support for CyaSSL

    • Tool: Only set SSL options if SSL is enabled

    • multi: Remove_handle: move pending connections

    • configure: Use KRB5CONFIG for krb5-config

    • axtls: Add timeout within Curl_axtls_connect

    • CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"

    • cyassl: Fix library initialization return value

    • Cookie: Handle spaces after the name in Set-Cookie

    • http2: Fix missing nghttp2_session_send call in Curl_http2_switched

    • cyassl: Fix certificate load check

    • build-openssl.bat: Fix mixed line endings

    • checksrc.bat: Check lib\vtls source

    • DNS: Fix refreshing of obsolete dns cache entries

    • CURLOPT_RESOLVE: Actually implement removals

    • checksrc.bat: Quotes to support a SRC_DIR with spaces

    • cyassl: Remove 'Connecting to' message from cyassl_connect_step2

    • cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size

    • lib/transfer.c: Remove factor of 8 from sleep time calculation

    • lib/makefile.m32: Add missing libs to build libcurl.dll

    • Build: Generate source prerequisites for Visual Studio in generate.bat

    • cyassl: Include the CyaSSL build config

    • firefox-db2pem: Fix wildcard to find Firefox default profile

    • BUGS: Refer to the github issue tracker now as primary

    • vtls_openssl: Improve several certificate error messages

    • cyassl: Add support for TLS extension SNI

    • parsecfg: Do not continue past a zero termination

    • configure --with-nss=PATH: Query pkg-config if available

    • configure --with-nss: Drop redundant if statement

    • cyassl: Fix include order

    • HTTP: Fix PUT regression with Negotiate

    • curl_version_info.3: Fixed the 'protocols' variable type

  • Updated perl-File-ShareDir-ProjectDistDir to 1.000007:

    • Add a deterrent notice

