#acl PaulHowarth:read,write,admin,revert,delete All:read === Wednesday 15th February 2023 === ==== Fedora Project ==== * Updated `perl-parent` to 0.241 in F-38 and Rawhide: * Actually include the changes documented for version 0.240 ==== Local Packages ==== * Updated `curl` to 7.88.0: * `curl.h`: Add `CURL_HTTP_VERSION_3ONLY` * `share`: Add sharing of HSTS cache among handles ([[CVE:2023-23914|CVE-2023-23914]]) * `src`: Add `--http3-only` * `tool_operate`: Share HSTS between handles ([[CVE:2023-23915|CVE-2023-23915]]) * `urlapi`: Add `CURLU_PUNYCODE` * `writeout`: Add `%{certs}` and `%{num_certs}` * cf-socket: Fix build when not `HAVE_GETPEERNAME` * cf-socket: Keep `sockaddr` local in the socket filters * cfilters: `Curl_conn_get_select_socks`: Use the first non-connected filter * CI: Add a workflow to automatically label pull requests * CI: Add `pytest` GHA to CI test/tests-httpd on a HTTP/3 setup * CI: Retry failed downloads to reduce spurious failures * CI: Update wolfssl / wolfssh to 5.5.4 / 1.4.12 * cmake: Bump requirement to 3.7 * cmake: Check for `sendmsg` * cmake: Delete redundant macro definition '`SECURITY_WIN32`' * cmake: Fix dev warning due to mismatched arg * cmake: Fix the `snprintf` detection * cmake: Remove deprecated symbols check * cmake: Set `SOVERSION` also for macOS * cmake: Use `list APPEND` syntax for `CMAKE_REQUIRED_DEFINITIONS` * `cmdline-opts`/`Makefile`: On error, do not leave a partial * `CODEOWNERS`: Remove the peeps mentioned as CI owners * `connect`: Fix access of pointer before `NULL` check * `connect`: Fix build when not `ENABLE_IPV6` * `connect`: Fix strategy testing for attempts, timeouts and happy-eyeball * connections: Introduce http/3 happy eyeballs * content_encoding: Do not reset stage counter for each header ([[CVE:2023-23916|CVE-2023-23916]]) * `CONTRIBUTE`: More formally specify the commit description * cookies: `fp` is always not `NULL` * `copyright.pl`: Cease doing year verifications * copyright: Update all copyright lines and remove year ranges * `curl.1`: Make help, version and manual sections "custom" * `curl.h`: Allow up to 10M buffer size * `curl.h`: Mark `CURLSSLBACKEND_MESALINK` as deprecated * `curl/websockets.h`: Extend the websocket frame struct * `curl`: Output warning at `--verbose` output for debug-enabled version * `curl_free.3`: Fix return type of '`curl_free`' * `curl_global_sslset.3`: Clarify the openssl situation * `curl_log`: For `failf`/`infof` and debug logging implementations * `curl_setup`: Disable by default `recv`-before-`send` in Windows * `curl_version_info.3`: Fix typo * `curl_ws_send.3`: Clarify how to send multi-frame messages * `CURLOPT_HEADERDATA.3`: Warn DLL users must set `write` function * `CURLOPT_READFUNCTION.3`: The callback '`size`' arg is always 1 * `CURLOPT_WRITEFUNCTION.3`: Fix memory leak in example * `dict`: URL decode the entire path always * `docs/DEPRECATE.md`: Deprecate `gskit` * docs: Add link to !GitHub Discussions * docs: Mention indirect effects of `--insecure` * docs: `POSTFIELDSIZE` must be set to `-1` with read function * doh: `ifdef` IPv6 code * easyoptions: Fix header printing in generation script * escape: Hex decode with a lookup-table * escape: Use table lookup when adding `%`-codes to output * examples: Remove the `curlgtk.c` example * `fopen`: Remove unnecessary assignment * `ftpserver`: Lower the `DATA` connect timeout to speed up torture tests * `GHA/macos.yml`: Bump to `gcc`-12 * `GHA/macos`: Use `Xcode_14.0.1` for `cmake` builds * `GHA`: Add job on Slackware 15.0 * `GHA`: Bump `ngtcp2` workflow dependencies * `GHA`: Enable websockets in the torture job * `GHA`: Move the `quiche` job here from zuul * `GHA`: Use designated `ngtcp2` and its dependencies versions * `haxproxy`: Send before TLS handshake * `header.d`: Add a header file example * `hsts.d`: Explain HSTS more * hsts: Handle adding the same host name again * HTTP/[23]: Continue upload when `state.drain` is set * `http2`: Aggregate small `SETTINGS`/`PRIO`/`WIN_UPDATE` frames * `http2`: Fix compiler warning due to uninitialized variable * `http2`: Minor buffer and error path fixes * `http2`: When using `printf %.*s`, the `length` arg must be '`int`' * HTTP3: Mention what needs to be in place to remove `EXPERIMENTAL` label * `http`: Add additional condition for including `stdint.h` * `http`: Decode transfer encoding first * `http`: Fix "part of conditional expression is always false" * `http`: Remove the trace message "Mark bundle... multiuse" * `http_aws_sigv4`: Remove typecasts from `HMAC_SHA256` macro * `http_proxy`: Do not assign `data->req.p.http`, use local copy * `INSTALL`: Document how to use multiple TLS backends * `lib670`: Make `test.h` the first include * lib: `connect`/`h2`/`h3` refactor * lib: Fix typos * lib: Fix typos in comments that repeat a word * `libssh2`: Try `sha2` algos for `hostkey` methods * `libtest`: Add a `sleep` macro for Windows * Linux CI: Update some dependencies to latest tag * `Makefile.mk`: Fix wolfssl and mbedtls default paths * man pages: Call the custom user pointer '`clientp`' consistently * md4: Fix build with GnuTLS + OpenSSL v1 * misc: Fix grammar and spelling * misc: Fix spelling * misc: Reduce struct and struct field sizes * msh3: Add support for request payload * msh3: Update to v0.5 Release * msh3: Update to v0.6 * multi: Stop sending empty HTTP/3 UDP datagrams on Windows * `multihandle`: Turn `bool` `struct` fields into bits * `ngtcp2`: Add `CURLOPT_SSL_CTX_FUNCTION` support for openssl+wolfssl * `ngtcp2`: Fix the build without '`sendmsg`' * `ngtcp2`: Replace removed define and stop using removed function * `no-clobber.d`: Only use long form options in man page text * `noproxy`: Support for space-separated names is deprecated * nss: Implement `data_pending` method * `openldap`: Fix missing sasl symbols at build in specific configs * `openssl`: Adapt to `boringssl`'s error code type * `openssl`: Don't ignore CA paths when using Windows CA store (redux) * `openssl`: Don't log raw record headers * `openssl`: Make the `BIO_METHOD` a local variable in the connection filter * `openssl`: Only use `CA_BLOB` if verifying peer * `openssl`: Remove attached easy handles from SSL instances * `openssl`: Store the CA after first send (`ClientHello`) * `os400`: Fixes to `make-lib.sh` and `initscript.sh` * packages: Remove Android, update `README` * `release-notes.pl`: Check fixes/closes lines better * Revert "x509asn1: avoid freeing unallocated pointers" * `runtest.pl`: Add expected fourth return value * `runtests`: Tear down http2/http3 servers when https server is stopped * `runtests`: Consider warnings fatal and error on them * `runtests`: Fix detection of TLS backends * `runtests`: Make '`mbedtls`' a testable feature * `rustls`: Improve error messages * `scripts/delta`: Show percent of number of files changed since last tag * scripts: Fix Appveyor job detection in `cijobs.pl` * scripts: Set file mode `+x` on all perl and shell scripts * sectransp: Fix for incomplete read/writes * `SECURITY-PROCESS.md`: Document severity levels * `setopt`: Address undefined behaviour by checking for null * `setopt`: Move the `SHA256` opt within `#ifdef libssh2` * `setopt`: Use `>`, not `>=`, when checking if `uarg` is larger than `uint`-max * smb: Return error on upload without size * socketpair: Allow localhost MITM sniffers * `strdup`: Name it `Curl_strdup` * `system.h`: Assume OS400 is always built with ILEC compiler * `test1560`: Use a UTF8-using locale when run * `test2304`: Remove `stdout` verification * `tests-httpd`: Basic infra to run `curl` against an apache httpd * tests: Add 3 new HTTP/2 test cases, plus `https:` support for `nghttpx` * tests: Add tests for `HTTP/2` and `HTTP/3` to verify the header API * tests: Avoid use of `sha1` in certificates * tls: Fixes for wolfssl + openssl combo builds * `tool_getparam`: Fix hiding of command line secrets * `tool_operate`: Fix '`CURLOPT_SOCKS5_GSSAPI_NEC`' type * `tool_operate`: Fix error codes during DOS filename sanitize * `tool_operate`: Fix error codes on bad URL and OOM * `tool_operate`: Fix headerfile writing * `tool_operate`: Repair `--rate` * transfer: Break the read loop when `RECV` is cleared * `typecheck`: Accept expressions for option/info parameters * url: Fix part of conditional expression is always true * `urlapi`: Avoid `Curl_dyn_addf()` for hex outputs * `urlapi`: Fix part of conditional expression is always true: `qlen` * `urlapi`: Skip path checks if path is just "`/`" * `urlapi`: Skip the extra `dedotdot` `alloc` if no dot in path * `urldata`: Cease storing TLS auth type * `urldata`: Make '`ftp_create_missing_dirs`' depend on `FTP || SFTP` * `urldata`: Make `set.http200aliases` conditional on HTTP being present * `urldata`: Move the `cookefilelist` to the '`set`' struct * `urldata`: Remove unused struct fields, made more conditional * `vquic`: Stabilization and improvements * vtls: Fix hostname handling in filters * vtls: Manage current easy handle in nested `cfilter` calls * vtls: Use ALPN HTTP/1.0 when HTTP/1.0 is used * winbuild: Document that `arm64` is supported * Windows: Always use `curl`'s `basename()` implementation * wolfssl: Remove deprecated post-quantum algorithms * `workflows/linux.yml`: Merge 3 common packages * `write-out.d`: Add '`since version`' to `%{header_json}` documentation * `write-out.d`: Clarify Windows `%` symbol escaping * ws: Fix `autoping` handling * ws: Fix `multiframe` `send` handling * ws: Fix `recv` of larger frames * ws: Remove bad assert * ws: Unstick `connect`-only shutdown * ws: Use `%Ou` for outputting `curl_off_t` with `info()` * `x509asn1`: Fix compile errors and warnings * zuul: Stop using this CI service . I added a patch from Fedora to disable the upstream warnings-as-fatal behaviour in `runtests.pl` since the tests do actually generate some warnings that need to be fixed upstream * Updated `perl-parent` to 0.241 as per the Fedora version ----