PaulHowarth/Blog/2023-03-20

Monday 20th March 2023

Local Packages

  • Updated curl to 8.0.0:

    • build: Remove support for curl_off_t < 8 bytes

    • .cirrus.yml: Bump to FreeBSD 13.2

    • aws_sigv4: Fall back to UNSIGNED-PAYLOAD for sign_as_s3

    • BINDINGS: Add Fortran binding

    • build: Drop the use of XC_AMEND_DISTCLEAN

    • build: Fix stdint/inttypes detection with non-autotools

    • cf-socket: Fix handling of remote addr for accepted tcp sockets
    • cf-socket: If socket is already connected, return CURLE_OK

    • cf-socket: Use port 80 when resolving name for local bind
    • CI: Don't run CI jobs if only another CI was changed
    • CI: Update ngtcp2 and nghttp2 for pytest

    • cmake: Delete unused HAVE__STRTOI64

    • cmake: Fix enabling LDAPS on Windows
    • cmake: Skip CA-path/bundle auto-detection in cross-builds
    • connect: Fix time_connect and time_appconnect timer statistics

    • cookie: Don't load cookies again when flushing
    • cookie: Parse without sscanf()

    • curl.h: Require gcc 12.1 for the deprecation magic

    • curl: Make -w's %{stderr} use the file set with --stderr

    • curl_path: Create the new path with dynbuf (CVE-2023-27534)

    • CURLOPT_PIPEWAIT: Allow waited reuse also for subsequent connections

    • CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket

    • CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe (CVE-2023-27537)

    • DEPRECATE: The original legacy mingw version 1

    • doc: Fix compiler warning in libcurl.m4

    • docs/cmdline-opts: Mark all global options

    • docs/SECURITY-PROCESS.md: Updates

    • docs: Extend the URL API descriptions
    • docs: Note '--data-urlencode' option

    • DYNBUF.md: Note Curl_dyn_add* calls Curl_dyn_free on failure

    • easy: Remove infof() debug leftover from curl_easy_recv

    • examples/http3.c: Use CURL_HTTP_VERSION_3

    • ftp: Active mode with SSL, add the filter
    • ftp: Add more conditions for connection reuse (CVE-2023-27535)

    • ftp: Allocate the wildcard struct on demand
    • ftp: Make the EPSV response parser not use sscanf

    • ftp: Replace sscanf for MDTM 213 response parsing

    • ftp: Replace sscanf for PASV parsing

    • gssapi: Align 'gss_OID_desc' to silence ld warnings on macOS ventura

    • headers: Make curl_easy_header and nextheader return different buffers

    • hostip: Avoid sscanf and extra buffer copies

    • http2: Fix error handling during parallel operations
    • http2: Fix for http2-prior-knowledge when reusing connections
    • http2: Fix handling of RST and GOAWAY to recognize partial transfers

    • http2: Fix upload busy loop
    • http: Don't send 100-continue for short PUT requests

    • http: Fix unix domain socket use in https connects
    • http: Rewrite the status line parser without sscanf

    • http_proxy: Parse the status line without sscanf

    • idn: Return error if the conversion ends up with a blank host

    • krb5: Avoid sscanf for parsing

    • lib1560: Test parsing URLs with ridiculously large fields

    • lib2305: Deal with CURLE_AGAIN

    • lib517: Verify time stamps without leading zeroes plus some more

    • lib: Silence clang/gcc -Wvla warnings in brotli headers

    • lib: Skip Curl_llist_destroy calls

    • libcurl-errors.3: Add the CURLHcode errors from curl_easy_header.3

    • libssh2: Only set the memory callbacks when debugging

    • libssh2: Remove unused variable from libssh2's struct

    • libssh: Use dynbuf instead of realloc

    • Makefile.mk: Delete redundant 'HAVE_LDAP_SSL' macro

    • Makefile.mk: Fix -g option in debug mode

    • mqtt: On send error, return error

    • multi: Make multi_perform ignore/unignore signals less often

    • multi: Remove PENDING + MSGSENT handles from the main linked list

    • ngtcp2-gnutls.yml: Bump to gnutls 3.8.0

    • ngtcp2: Fix unwanted close of file descriptor 0

    • page-footer: Add explanation for three missing exit codes
    • parsedate: Parse strings without using sscanf()

    • parsedate: Replace sscanf() for time stamp parsing

    • quic/schannel: Fix compiler warnings

    • rand: Use arc4random as fallback when available

    • rate.d: Single URLs make no sense in --rate example

    • RELEASE-PROCEDURE.md: Update coming release dates

    • rtsp: Avoid sscanf for parsing

    • runtests: Use a hash table for server port numbers

    • sectransp: Fix compiler warning c89 mixed code/declaration

    • sectransp: Make read_cert() use a dynbuf when loading

    • secure-transport: Fix recv return code handling

    • select: Stop treating POLLRDBAND as an error

    • setopt: Move the CURLOPT_CHUNK_DATA pointer to the set struct

    • socket: Detect "dead" connections better, e.g. not fit for reuse

    • src: Silence wmain() warning for all build methods

    • telnet: Only accept option arguments in ascii (CVE-2023-27533)

    • telnet: Parse NEW_ENVIRON without sscanf

    • telnet: Parse telnet options without sscanf

    • telnet: Parse the WS= argument without sscanf

    • test1470: Test socks proxy using unix sockets and connect to https

    • test1960: Verify CURL_SOCKOPT_ALREADY_CONNECTED

    • test2600: Detect when ALARM_TIMEOUT is in use and adjust

    • test422: Verify --next used without a prior URL

    • tests/http: Add pytest to GHA and improve tests

    • tests: Add 'cookies' features

    • tests: Add timeout, SLOWDOWN and DELAY keywords to tests

    • tests: Fix gnutls-serv check

    • tests: Fix MSVC unreachable code warnings in unit tests
    • tests: Hack to build most unit tests under cmake

    • tests: HTTP server fix-ups
    • tests: Keep cmake unit tests names in sync

    • tests: Make CPPFLAGS common to all unit tests

    • tests: Make first.c the same for both lib tests and unit tests

    • tests: Support for imaps/pop3s/smtps protocols

    • tests: Sync option lists in runtests.pl and its man page

    • tests: Test secure mail protocols with explicit SSL requests
    • tests: Use AM_CPPFILES to modify flags in unit tests

    • tests: Use dynamic ports numbers in pytest suite

    • tool: Dump headers even if file is write-only
    • tool: Improve --stderr handling

    • tool_getparam: Don't add a new node for just --no-remote-name

    • tool_getparam: Error if --next is used without a prior URL

    • tool_operate: Avoid fclose(NULL) on bad header dump file

    • tool_operate: Propagate error codes for missing URL after --next

    • tool_progress: Shut off progress meter for --silent in parallel

    • tool_writeout_json: Fix the output for duplicate header names

    • transfer: Limit Windows SO_SNDBUF updates to once a second

    • url: Fix cookielist memleak when curl_easy_reset

    • url: Fix logic in connection reuse to deny reuse on "unclean" connections
    • url: Fix the SSH connection reuse check (CVE-2023-27538)

    • url: Only reuse connections with same GSS delegation (CVE-2023-27536)

    • url: Remove dummy protocol handler
    • urlapi: '%' is illegal in host names

    • urlapi: Avoid mutating internals in getter routine
    • urlapi: Parse IPv6 literals without ENABLE_IPV6

    • urlapi: Take const args in _dup and _get functions

    • wildcard: Remove files and move functions into ftplistparser.c

    • winbuild: Fix makefile clean
    • wolfssl: Add quic/ngtcp2 detection in cmake, and fix builds

    • wolfSSL: Resurrect the BIO 'io_result'

    • ws: Keep the socket non-blocking
    • x509asn1.c: Use correct format specifier for infof() call

    • x509asn1: Use plain %x, not %lx, when the arg is an int

  • Updated curl to 8.0.1:

    • Revert "multi: remove PENDING + MSGSENT handles"

