PaulHowarth/Blog/2018-09-05

Wednesday 5th September 2018

Local Packages

  • Updated curl to 7.61.1:

    • Fix NTLM password overflow via integer overflow (CVE-2018-14618)

    • CURLINFO_SIZE_UPLOAD: Fix missing counter update

    • CURLOPT_ACCEPT_ENCODING.3: List them comma-separated

    • CURLOPT_SSL_CTX_FUNCTION.3: Might cause accidental connection reuse

    • Curl_getoff_all_pipelines: Improved for multiplexed

    • DEPRECATE: Remove release date from 7.62.0

    • HTTP: Don't attempt to needlessly decompress redirect body
    • INTERNALS: Require GnuTLS ≥ 2.11.3

    • README.md: Add LGTM.com code quality grade for C/C++

    • SSLCERTS: Improve the openssl command line

    • Silence GCC 8 cast-function-type warnings

    • ares: Check for NULL in completed-callback

    • asyn-thread: Remove unused macro
    • auth: Only pick CURLAUTH_BEARER if we have a Bearer token

    • auth: Pick Bearer authentication whenever a token is available
    • cmake: CMake config files are defining CURL_STATICLIB for static builds

    • cmake: Respect BUILD_SHARED_LIBS

    • cmake: Update scripts to use consistent style
    • cmake: Bumped minimum version to 3.4
    • cmake: Link curl to the OpenSSL targets instead of library absolute paths

    • configure: Conditionally enable pedantic-errors

    • configure: Fix for -lpthread detection with OpenSSL and pkg-config

    • conn: Remove the boolean 'inuse' field

    • content_encoding: Accept up to 4 unknown trailer bytes after raw deflate data

    • cookie tests: Treat files as text
    • cookies: Support creation-time attribute for cookies
    • curl: Fix segfault when -H @headerfile is empty

    • curl: Add http code 408 to transient list for --retry

    • curl: Fix time-of-check, time-of-use race in directory creation
    • curl: Use Content-Disposition before the "URL end" for -OJ

    • curl: Warn the user if a given file name looks like an option
    • curl_threads: Silence bad-function-cast warning

    • darwinssl: Add support for ALPN negotiation
    • docs/CURLOPT_URL: Fix indentation

    • docs/CURLOPT_WRITEFUNCTION: Size is always 1

    • docs/SECURITY-PROCESS: Mention bounty, drop pre-notify

    • docs/examples: Add hiperfifo example using linux epoll/timerfd

    • docs: Add disallow-username-in-url.d and haproxy-protocol.d to dist

    • docs: Clarify NO_PROXY environment variable functionality

    • docs: Improved the manual pages of some callbacks
    • docs: Mention NULL is fine input to several functions

    • formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT

    • gopher: Do not translate '?' to '%09'

    • header output: Switch off all styles, not just unbold
    • hostip: Fix unused variable warning
    • http2: Use correct format identifier for stream_id

    • http2: Abort the send_callback if not set up yet

    • http2: Avoid set_stream_user_data() before stream is assigned

    • http2: Check nghttp2_session_set_stream_user_data return code

    • http2: Clear the drain counter in Curl_http2_done

    • http2: Make sure to send after RST_STREAM

    • http2: Separate easy handle from connections better
    • http: Fix for tiny "HTTP/0.9" response

    • http_proxy: Remove unused macro SELECT_TIMEOUT

    • lib/Makefile: Only do symbol hiding if told to

    • lib1502: Fix memory leak in torture test

    • lib1522: Fix curl_easy_setopt argument type

    • libcurl-thread.3: Expand somewhat on the NO_SIGNAL motivation

    • mime: Check Curl_rand_hex's return code

    • multi: Always do the COMPLETED procedure/state

    • openssl: Assume engine support in 1.0.0 or later
    • openssl: Fix debug messages
    • projects: Improve Windows perl detection in batch scripts
    • retry: Return error if rewind was necessary but didn't happen
    • reuse_conn(): Memory leak - free old_conn->options

    • schannel: Client certificate store opening fix
    • schannel: Enable CALG_TLS1PRF for w32api ≥ 5.1

    • schannel: Fix MinGW compile break
    • sftp: Don't send post-quote sequence when retrying a connection
    • smb: Fix memory leak on early failure
    • smb: Fix memory-leak in URL parse error path
    • smb_getsock: Always wait for write socket too
    • ssh-libssh: Fix infinite connect loop on invalid private key
    • ssh-libssh: Reduce excessive verbose output about pubkey auth
    • ssh-libssh: Use FALLTHROUGH to silence gcc8

    • ssl: Set engine implicitly when a PKCS#11 URI is provided
    • sws: Handle EINTR when calling select()

    • system_win32: Fix version checking

    • telnet: Remove unused macros TELOPTS and TELCMDS

    • test1143: Disable MSYS2's POSIX path conversion

    • test1148: Disable if decimal separator is not point

    • test1307: (fnmatch testing) disabled

    • test1422: Add required file feature

    • test1531: Add timeout

    • test1540: Remove unused macro TEST_HANG_TIMEOUT

    • test214: Disable MSYS2's POSIX path conversion for URL

    • test320: Treat curl320.out file as binary

    • tests/http_pipe.py: Use /usr/bin/env to find python

    • tests: Don't use Windows path %PWD for SSH tests

    • tests: Fixes for Windows line endings
    • tool_operate: Fix setting proxy TLS 1.3 ciphers

    • travis: Build darwinssl on macos 10.12 to fix linker errors
    • travis: Execute "set -eo pipefail" for coverage build

    • travis: Run a 'make checksrc' too

    • travis: Update to GCC-8
    • travis: Verify that man pages can be regenerated
    • upload: Allocate upload buffer on-demand

    • upload: Change default UPLOAD_BUFSIZE to 64KB

    • urldata: Remove unused pipe_broke struct field

    • vtls: Re-instantiate engine on duplicated handles
    • windows: Implement send buffer tuning
    • wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random

