PaulHowarth/Blog/2023-10-11

Wednesday 11th October 2023

Local Packages

  • Updated curl (8.2.1) to fix cookie injection with none file (CVE-2023-38546) and SOCKS5 heap buffer overflow (CVE-2023-38545)

  • Updated curl to 8.4.0:

    • curl: Add support for the IPFS protocols via HTTP gateway

    • curl_multi_get_handles: Get easy handles from a multi handle

    • mingw: Delete support for legacy mingw.org toolchain

    • acinclude.m4: Document proper system truststore on FreeBSD

    • appveyor: Fix yamlint issues, indent

    • appveyor: Rewrite batch in PowerShell + CI improvements

    • autotools: Adjust 'CURL_CA_PATH' value to CMake

    • autotools: Restore 'HAVE_IOCTL_*' detections

    • base64: Also build for curl

    • bufq: Remove Curl_bufq_skip_and_shift (unused)

    • build: Delete checks for C89 standard headers
    • build: Do not publish 'HAVE_BORINGSSL', 'HAVE_AWSLC' macros

    • cf-socket: Simulate slow/blocked receives in debug
    • cmake, configure: Also link with CoreServices

    • cmake: Add check for suseconds_t

    • cmake: Add feature checks for 'memrchr' and 'getifaddrs'

    • cmake: Add missing checks
    • cmake: Delete old 'HAVE_LDAP_URL_PARSE' logic

    • cmake: Detect 'HAVE_CLOCK_GETTIME_MONOTONIC_RAW'

    • cmake: Detect 'HAVE_GETADDRINFO_THREADSAFE'

    • cmake: Detect 'sys/wait.h' and 'netinet/udp.h'

    • cmake: Detect TLS-SRP in OpenSSL/wolfSSL/GnuTLS
    • cmake: Disable unity mode with Windows Unicode + TrackMemory

    • cmake: Fix 'HAVE_LDAP_SSL', 'HAVE_LDAP_URL_PARSE' on non-Windows

    • cmake: Fix 'HAVE_WRITABLE_ARGV' detection

    • cmake: Fix duplicate symbols when linking tests
    • cmake: Fix missing 'zlib.h' when compiling 'libcurltool'

    • cmake: Fix stderr initialization in unity builds

    • cmake: Fix the help text to the static build option in CMakeLists.txt

    • cmake: Fix unity builds for more build combinations
    • cmake: Fix unity symbol collisions in h2 builds
    • cmake: Fix unity with Windows Unicode + TrackMemory

    • cmake: Improve OpenLDAP builds
    • cmake: lib 'CURL_STATICLIB' fixes (Windows)

    • cmake: Move global headers to specific checks
    • cmake: Pre-cache 'HAVE_BASENAME' for mingw-w64 and MSVC

    • cmake: Pre-cache 'HAVE_POLL_FINE' on Windows

    • cmake: Tidy-up 'NOT_NEED_LBER_H' detection

    • cmake: Validate 'CURL_DEFAULT_SSL_BACKEND' config value

    • configure: Check for the capath by default

    • configure: Remove unused checks
    • configure: Replace adhoc domain with 'localhost' in tests
    • configure: Sort AC_CHECK_FUNCS

    • connect: Expire the timeout when trying next

    • connect: Only start the happy eyeballs timer when needed

    • cookie: Do not store the expire or max-age strings
    • cookie: Remove unnecessary struct fields (CVE-2023-38546)

    • cookie: Set ->running in cookie_init even if data is NULL

    • create-dirs.d: Clarify it also uses --output-dirs

    • curl.h: Mark CURLSSLBACKEND_NSS as deprecated since 8.3.0

    • curl_easy_pause.3: Mention h2/h3 buffering

    • curl_easy_pause.3: Mention it works within callbacks

    • curl_easy_pause: Set "in callback" true on exit if true

    • CURLOPT_DEBUGFUNCTION.3: Warn about internal handles

    • docs/libcurl/opts/Makefile.inc: Add missing manpage files

    • docs: Adapt SEE ALSO sections to new requirements

    • docs: Explain how PINNEDPUBLICKEY is independent of VERIFYPEER

    • docs: Replace made up domains with example.com

    • docs: Update curl man page references

    • docs: Use CURLSSLBACKEND_NONE

    • doh: Inherit DEBUGFUNCTION/DATA

    • escape: Replace Curl_isunreserved with ISUNRESERVED

    • FAQ: How do I upgrade curl.exe in Windows?

    • GHA/linux: Run singleuse to detect single-use global functions

    • GHA: Add workflow to compare configure vs. cmake outputs
    • h2-proxy: Remove left-over mistake in drain_tunnel()

    • h2: Test case and fix for pausing h2 streams
    • h3: Add support for ngtcp2 with AWS-LC builds

    • http2: Refused stream handling for retry
    • http: Fix CURL_DISABLE_BEARER_AUTH breakage

    • http: h1/h2 proxy unification
    • http: Remove wrong comment for http_should_fail

    • http: Use per-request counter to check too large headers
    • http_aws_sigv4: Fix sorting with empty parts

    • idn: Fix WinIDN null ptr deref on bad host
    • idn: If idn2_check_version returns NULL, return error

    • inet_ntop: Add typecast to silence Coverity

    • lib: Disambiguate Curl_client_write flag semantics

    • lib: Enable hmac for digest as well
    • lib: failf/infof compiler warnings

    • lib: Let the max filesize option stop too big transfers too
    • lib: Move handling of 'data->req.writer_stack' into Curl_client_write()

    • lib: Provide and use Curl_hexencode

    • lib: Remove TIME_WITH_SYS_TIME

    • lib: Use wrapper for curl_mime_data fseek callback

    • libssh2: Fix error message on failed pubkey-from-file

    • libssh: Cap SFTP packet size sent

    • Makefile.mk: Always set 'CURL_STATICLIB' for lib (Windows)

    • MANUAL.md: Change domain to example.com

    • misc: Better random strings
    • MQTT: Improve receive of ACKs
    • multi: Do CURLM_CALL_MULTI_PERFORM at two more places

    • multi: Fix small timeouts
    • multi: Remove Curl_multi_dump

    • multi: Round the timeout up to prevent early wakeups
    • multi: Set CURLM_CALL_MULTI_PERFORM after switch to DOING_MORE

    • openssl: Improve ssl shutdown handling
    • openssl: Use X509_ALGOR_get0 instead of reaching into X509_ALGOR

    • pytest: Exclude test_03_goaway in CI runs due to timing dependency

    • quic: Set ciphers/curves the same way regular TLS does
    • quiche: Fix build error with --with-ca-fallback

    • RELEASE-PROCEDURE.md: Updated coming release dates

    • runtests: Display the test status if tests appear hung

    • runtests: Eliminate a warning on old perl versions

    • socks: Return error if hostname too long for remote resolve (CVE-2023-38545)

    • src/mkhelp: Make generated code pass 'checksrc'

    • test1056: Disable on Windows

    • test1474: Disable test on NetBSD, OpenBSD and Solaris 10

    • test1592: Greatly increase the maximum test timeout

    • test1903: Actually verify the cookies after the test

    • test1906: Set a lower timeout since it's hit on Windows

    • test2600: Remove special case handling for USE_ALARM_TIMEOUT

    • test650: Fix an end tag typo

    • test661: Return from test early in case of curl error

    • test: Add missing <feature>s

    • tests: Close the shell used to start sshd

    • tests: Fix a race condition in ftp server disconnect
    • tests: Fix compiler warnings
    • tests: Fix zombie processes left behind by FTP tests
    • tests: Improve SLOWDOWN test reliability by reducing sent data

    • tests: Increase lib571 timeout from 3s to 30s

    • tests: Log the test result code after each libtest

    • tests: Propagate errors in libtests
    • tests: Set --expect100-timeout to improve test reliability

    • tests: Show which curl tool 'runtests.pl' is using

    • tests: Stop overriding the lock timeout
    • tftpd: Always use curl's own tftp.h

    • tool: Use our own stderr variable

    • tool_cb_wrt: Fix debug assertion

    • tool_getparam: Accept variable expansion on file names too

    • tool_setopt: Remove unused function tool_setopt_flags

    • upload-file.d: Describe the file name slash/backslash handling

    • url: Fall back to http/https proxy env-variable if ws/wss not set

    • url: Fix netrc info message

    • warnless: Remove unused functions
    • wolfssh: Do cleanup in Curl_ssh_cleanup

    • wolfssl: Allow capath with CURLOPT_CAINFO_BLOB

    • wolfssl: If CURLOPT_CAINFO_BLOB is set, ignore the CA files

    • wolfssl: Ignore errors in CA path

