PaulHowarth/Blog/2023-02-15

Wednesday 15th February 2023

Fedora Project

  • Updated perl-parent to 0.241 in F-38 and Rawhide:

    • Actually include the changes documented for version 0.240

Local Packages

  • Updated curl to 7.88.0:

    • curl.h: Add CURL_HTTP_VERSION_3ONLY

    • share: Add sharing of HSTS cache among handles (CVE-2023-23914)

    • src: Add --http3-only

    • tool_operate: Share HSTS between handles (CVE-2023-23915)

    • urlapi: Add CURLU_PUNYCODE

    • writeout: Add %{certs} and %{num_certs}

    • cf-socket: Fix build when not HAVE_GETPEERNAME

    • cf-socket: Keep sockaddr local in the socket filters

    • cfilters: Curl_conn_get_select_socks: Use the first non-connected filter

    • CI: Add a workflow to automatically label pull requests
    • CI: Add pytest GHA to CI test/tests-httpd on a HTTP/3 setup

    • CI: Retry failed downloads to reduce spurious failures
    • CI: Update wolfssl / wolfssh to 5.5.4 / 1.4.12
    • cmake: Bump requirement to 3.7
    • cmake: Check for sendmsg

    • cmake: Delete redundant macro definition 'SECURITY_WIN32'

    • cmake: Fix dev warning due to mismatched arg
    • cmake: Fix the snprintf detection

    • cmake: Remove deprecated symbols check
    • cmake: Set SOVERSION also for macOS

    • cmake: Use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS

    • cmdline-opts/Makefile: On error, do not leave a partial

    • CODEOWNERS: Remove the peeps mentioned as CI owners

    • connect: Fix access of pointer before NULL check

    • connect: Fix build when not ENABLE_IPV6

    • connect: Fix strategy testing for attempts, timeouts and happy-eyeball

    • connections: Introduce http/3 happy eyeballs
    • content_encoding: Do not reset stage counter for each header (CVE-2023-23916)

    • CONTRIBUTE: More formally specify the commit description

    • cookies: fp is always not NULL

    • copyright.pl: Cease doing year verifications

    • copyright: Update all copyright lines and remove year ranges
    • curl.1: Make help, version and manual sections "custom"

    • curl.h: Allow up to 10M buffer size

    • curl.h: Mark CURLSSLBACKEND_MESALINK as deprecated

    • curl/websockets.h: Extend the websocket frame struct

    • curl: Output warning at --verbose output for debug-enabled version

    • curl_free.3: Fix return type of 'curl_free'

    • curl_global_sslset.3: Clarify the openssl situation

    • curl_log: For failf/infof and debug logging implementations

    • curl_setup: Disable by default recv-before-send in Windows

    • curl_version_info.3: Fix typo

    • curl_ws_send.3: Clarify how to send multi-frame messages

    • CURLOPT_HEADERDATA.3: Warn DLL users must set write function

    • CURLOPT_READFUNCTION.3: The callback 'size' arg is always 1

    • CURLOPT_WRITEFUNCTION.3: Fix memory leak in example

    • dict: URL decode the entire path always

    • docs/DEPRECATE.md: Deprecate gskit

    • docs: Add link to GitHub Discussions

    • docs: Mention indirect effects of --insecure

    • docs: POSTFIELDSIZE must be set to -1 with read function

    • doh: ifdef IPv6 code

    • easyoptions: Fix header printing in generation script
    • escape: Hex decode with a lookup-table
    • escape: Use table lookup when adding %-codes to output

    • examples: Remove the curlgtk.c example

    • fopen: Remove unnecessary assignment

    • ftpserver: Lower the DATA connect timeout to speed up torture tests

    • GHA/macos.yml: Bump to gcc-12

    • GHA/macos: Use Xcode_14.0.1 for cmake builds

    • GHA: Add job on Slackware 15.0

    • GHA: Bump ngtcp2 workflow dependencies

    • GHA: Enable websockets in the torture job

    • GHA: Move the quiche job here from zuul

    • GHA: Use designated ngtcp2 and its dependencies versions

    • haxproxy: Send before TLS handshake

    • header.d: Add a header file example

    • hsts.d: Explain HSTS more

    • hsts: Handle adding the same host name again
    • HTTP/[23]: Continue upload when state.drain is set

    • http2: Aggregate small SETTINGS/PRIO/WIN_UPDATE frames

    • http2: Fix compiler warning due to uninitialized variable

    • http2: Minor buffer and error path fixes

    • http2: When using printf %.*s, the length arg must be 'int'

    • HTTP3: Mention what needs to be in place to remove EXPERIMENTAL label

    • http: Add additional condition for including stdint.h

    • http: Decode transfer encoding first

    • http: Fix "part of conditional expression is always false"

    • http: Remove the trace message "Mark bundle... multiuse"

    • http_aws_sigv4: Remove typecasts from HMAC_SHA256 macro

    • http_proxy: Do not assign data->req.p.http, use local copy

    • INSTALL: Document how to use multiple TLS backends

    • lib670: Make test.h the first include

    • lib: connect/h2/h3 refactor

    • lib: Fix typos
    • lib: Fix typos in comments that repeat a word
    • libssh2: Try sha2 algos for hostkey methods

    • libtest: Add a sleep macro for Windows

    • Linux CI: Update some dependencies to latest tag
    • Makefile.mk: Fix wolfssl and mbedtls default paths

    • man pages: Call the custom user pointer 'clientp' consistently

    • md4: Fix build with GnuTLS + OpenSSL v1
    • misc: Fix grammar and spelling
    • misc: Fix spelling
    • misc: Reduce struct and struct field sizes
    • msh3: Add support for request payload
    • msh3: Update to v0.5 Release
    • msh3: Update to v0.6
    • multi: Stop sending empty HTTP/3 UDP datagrams on Windows
    • multihandle: Turn bool struct fields into bits

    • ngtcp2: Add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl

    • ngtcp2: Fix the build without 'sendmsg'

    • ngtcp2: Replace removed define and stop using removed function

    • no-clobber.d: Only use long form options in man page text

    • noproxy: Support for space-separated names is deprecated

    • nss: Implement data_pending method

    • openldap: Fix missing sasl symbols at build in specific configs

    • openssl: Adapt to boringssl's error code type

    • openssl: Don't ignore CA paths when using Windows CA store (redux)

    • openssl: Don't log raw record headers

    • openssl: Make the BIO_METHOD a local variable in the connection filter

    • openssl: Only use CA_BLOB if verifying peer

    • openssl: Remove attached easy handles from SSL instances

    • openssl: Store the CA after first send (ClientHello)

    • os400: Fixes to make-lib.sh and initscript.sh

    • packages: Remove Android, update README

    • release-notes.pl: Check fixes/closes lines better

    • Revert "x509asn1: avoid freeing unallocated pointers"
    • runtest.pl: Add expected fourth return value

    • runtests: Tear down http2/http3 servers when https server is stopped

    • runtests: Consider warnings fatal and error on them

    • runtests: Fix detection of TLS backends

    • runtests: Make 'mbedtls' a testable feature

    • rustls: Improve error messages

    • scripts/delta: Show percent of number of files changed since last tag

    • scripts: Fix Appveyor job detection in cijobs.pl

    • scripts: Set file mode +x on all perl and shell scripts

    • sectransp: Fix for incomplete read/writes
    • SECURITY-PROCESS.md: Document severity levels

    • setopt: Address undefined behaviour by checking for null

    • setopt: Move the SHA256 opt within #ifdef libssh2

    • setopt: Use >, not >=, when checking if uarg is larger than uint-max

    • smb: Return error on upload without size
    • socketpair: Allow localhost MITM sniffers
    • strdup: Name it Curl_strdup

    • system.h: Assume OS400 is always built with ILEC compiler

    • test1560: Use a UTF8-using locale when run

    • test2304: Remove stdout verification

    • tests-httpd: Basic infra to run curl against an apache httpd

    • tests: Add 3 new HTTP/2 test cases, plus https: support for nghttpx

    • tests: Add tests for HTTP/2 and HTTP/3 to verify the header API

    • tests: Avoid use of sha1 in certificates

    • tls: Fixes for wolfssl + openssl combo builds
    • tool_getparam: Fix hiding of command line secrets

    • tool_operate: Fix 'CURLOPT_SOCKS5_GSSAPI_NEC' type

    • tool_operate: Fix error codes during DOS filename sanitize

    • tool_operate: Fix error codes on bad URL and OOM

    • tool_operate: Fix headerfile writing

    • tool_operate: Repair --rate

    • transfer: Break the read loop when RECV is cleared

    • typecheck: Accept expressions for option/info parameters

    • url: Fix part of conditional expression is always true
    • urlapi: Avoid Curl_dyn_addf() for hex outputs

    • urlapi: Fix part of conditional expression is always true: qlen

    • urlapi: Skip path checks if path is just "/"

    • urlapi: Skip the extra dedotdot alloc if no dot in path

    • urldata: Cease storing TLS auth type

    • urldata: Make 'ftp_create_missing_dirs' depend on FTP || SFTP

    • urldata: Make set.http200aliases conditional on HTTP being present

    • urldata: Move the cookefilelist to the 'set' struct

    • urldata: Remove unused struct fields, made more conditional

    • vquic: Stabilization and improvements

    • vtls: Fix hostname handling in filters
    • vtls: Manage current easy handle in nested cfilter calls

    • vtls: Use ALPN HTTP/1.0 when HTTP/1.0 is used
    • winbuild: Document that arm64 is supported

    • Windows: Always use curl's basename() implementation

    • wolfssl: Remove deprecated post-quantum algorithms
    • workflows/linux.yml: Merge 3 common packages

    • write-out.d: Add 'since version' to %{header_json} documentation

    • write-out.d: Clarify Windows % symbol escaping

    • ws: Fix autoping handling

    • ws: Fix multiframe send handling

    • ws: Fix recv of larger frames

    • ws: Remove bad assert
    • ws: Unstick connect-only shutdown

    • ws: Use %Ou for outputting curl_off_t with info()

    • x509asn1: Fix compile errors and warnings

    • zuul: Stop using this CI service

  • I added a patch from Fedora to disable the upstream warnings-as-fatal behaviour in runtests.pl since the tests do actually generate some warnings that need to be fixed upstream

  • Updated perl-parent to 0.241 as per the Fedora version

