Monday 20th March 2023
Local Packages
Updated curl to 8.0.0:
build: Remove support for curl_off_t < 8 bytes
.cirrus.yml: Bump to FreeBSD 13.2
aws_sigv4: Fall back to UNSIGNED-PAYLOAD for sign_as_s3
BINDINGS: Add Fortran binding
build: Drop the use of XC_AMEND_DISTCLEAN
build: Fix stdint/inttypes detection with non-autotools
cf-socket: Fix handling of remote addr for accepted tcp sockets
cf-socket: If socket is already connected, return CURLE_OK
cf-socket: Use port 80 when resolving name for local bind
CI: Don't run CI jobs if only another CI was changed
CI: Update ngtcp2 and nghttp2 for pytest
cmake: Delete unused HAVE__STRTOI64
cmake: Fix enabling LDAPS on Windows
cmake: Skip CA-path/bundle auto-detection in cross-builds
connect: Fix time_connect and time_appconnect timer statistics
cookie: Don't load cookies again when flushing
cookie: Parse without sscanf()
curl.h: Require gcc 12.1 for the deprecation magic
curl: Make -w's %{stderr} use the file set with --stderr
curl_path: Create the new path with dynbuf (CVE-2023-27534)
CURLOPT_PIPEWAIT: Allow waited reuse also for subsequent connections
CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket
CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe (CVE-2023-27537)
DEPRECATE: The original legacy mingw version 1
doc: Fix compiler warning in libcurl.m4
docs/cmdline-opts: Mark all global options
docs/SECURITY-PROCESS.md: Updates
docs: Extend the URL API descriptions
docs: Note '--data-urlencode' option
DYNBUF.md: Note Curl_dyn_add* calls Curl_dyn_free on failure
easy: Remove infof() debug leftover from curl_easy_recv
examples/http3.c: Use CURL_HTTP_VERSION_3
ftp: Active mode with SSL, add the filter
ftp: Add more conditions for connection reuse (CVE-2023-27535)
ftp: Allocate the wildcard struct on demand
ftp: Make the EPSV response parser not use sscanf
ftp: Replace sscanf for MDTM 213 response parsing
ftp: Replace sscanf for PASV parsing
gssapi: Align 'gss_OID_desc' to silence ld warnings on macOS ventura
headers: Make curl_easy_header and nextheader return different buffers
hostip: Avoid sscanf and extra buffer copies
http2: Fix error handling during parallel operations
http2: Fix for http2-prior-knowledge when reusing connections
http2: Fix handling of RST and GOAWAY to recognize partial transfers
http2: Fix upload busy loop
http: Don't send 100-continue for short PUT requests
http: Fix unix domain socket use in https connects
http: Rewrite the status line parser without sscanf
http_proxy: Parse the status line without sscanf
idn: Return error if the conversion ends up with a blank host
krb5: Avoid sscanf for parsing
lib1560: Test parsing URLs with ridiculously large fields
lib2305: Deal with CURLE_AGAIN
lib517: Verify time stamps without leading zeroes plus some more
lib: Silence clang/gcc -Wvla warnings in brotli headers
lib: Skip Curl_llist_destroy calls
libcurl-errors.3: Add the CURLHcode errors from curl_easy_header.3
libssh2: Only set the memory callbacks when debugging
libssh2: Remove unused variable from libssh2's struct
libssh: Use dynbuf instead of realloc
Makefile.mk: Delete redundant 'HAVE_LDAP_SSL' macro
Makefile.mk: Fix -g option in debug mode
mqtt: On send error, return error
multi: Make multi_perform ignore/unignore signals less often
multi: Remove PENDING + MSGSENT handles from the main linked list
ngtcp2-gnutls.yml: Bump to gnutls 3.8.0
ngtcp2: Fix unwanted close of file descriptor 0
page-footer: Add explanation for three missing exit codes
parsedate: Parse strings without using sscanf()
parsedate: Replace sscanf() for time stamp parsing
quic/schannel: Fix compiler warnings
rand: Use arc4random as fallback when available
rate.d: Single URLs make no sense in --rate example
RELEASE-PROCEDURE.md: Update coming release dates
rtsp: Avoid sscanf for parsing
runtests: Use a hash table for server port numbers
sectransp: Fix compiler warning c89 mixed code/declaration
sectransp: Make read_cert() use a dynbuf when loading
secure-transport: Fix recv return code handling
select: Stop treating POLLRDBAND as an error
setopt: Move the CURLOPT_CHUNK_DATA pointer to the set struct
socket: Detect "dead" connections better, e.g. not fit for reuse
src: Silence wmain() warning for all build methods
telnet: Only accept option arguments in ascii (CVE-2023-27533)
telnet: Parse NEW_ENVIRON without sscanf
telnet: Parse telnet options without sscanf
telnet: Parse the WS= argument without sscanf
test1470: Test socks proxy using unix sockets and connect to https
test1960: Verify CURL_SOCKOPT_ALREADY_CONNECTED
test2600: Detect when ALARM_TIMEOUT is in use and adjust
test422: Verify --next used without a prior URL
tests/http: Add pytest to GHA and improve tests
tests: Add 'cookies' features
tests: Add timeout, SLOWDOWN and DELAY keywords to tests
tests: Fix gnutls-serv check
tests: Fix MSVC unreachable code warnings in unit tests
tests: Hack to build most unit tests under cmake
tests: HTTP server fix-ups
tests: Keep cmake unit tests names in sync
tests: Make CPPFLAGS common to all unit tests
tests: Make first.c the same for both lib tests and unit tests
tests: Support for imaps/pop3s/smtps protocols
tests: Sync option lists in runtests.pl and its man page
tests: Test secure mail protocols with explicit SSL requests
tests: Use AM_CPPFILES to modify flags in unit tests
tests: Use dynamic ports numbers in pytest suite
tool: Dump headers even if file is write-only
tool: Improve --stderr handling
tool_getparam: Don't add a new node for just --no-remote-name
tool_getparam: Error if --next is used without a prior URL
tool_operate: Avoid fclose(NULL) on bad header dump file
tool_operate: Propagate error codes for missing URL after --next
tool_progress: Shut off progress meter for --silent in parallel
tool_writeout_json: Fix the output for duplicate header names
transfer: Limit Windows SO_SNDBUF updates to once a second
url: Fix cookielist memleak when curl_easy_reset
url: Fix logic in connection reuse to deny reuse on "unclean" connections
url: Fix the SSH connection reuse check (CVE-2023-27538)
url: Only reuse connections with same GSS delegation (CVE-2023-27536)
url: Remove dummy protocol handler
urlapi: '%' is illegal in host names
urlapi: Avoid mutating internals in getter routine
urlapi: Parse IPv6 literals without ENABLE_IPV6
urlapi: Take const args in _dup and _get functions
wildcard: Remove files and move functions into ftplistparser.c
winbuild: Fix makefile clean
wolfssl: Add quic/ngtcp2 detection in cmake, and fix builds
wolfSSL: Resurrect the BIO 'io_result'
ws: Keep the socket non-blocking
x509asn1.c: Use correct format specifier for infof() call
x509asn1: Use plain %x, not %lx, when the arg is an int
Updated curl to 8.0.1:
Revert "multi: remove PENDING + MSGSENT handles"