Wednesday 11th October 2023
Local Packages
Updated curl (8.2.1) to fix cookie injection with none file (CVE-2023-38546) and SOCKS5 heap buffer overflow (CVE-2023-38545)
Updated curl to 8.4.0:
curl: Add support for the IPFS protocols via HTTP gateway
curl_multi_get_handles: Get easy handles from a multi handle
mingw: Delete support for legacy mingw.org toolchain
acinclude.m4: Document proper system truststore on FreeBSD
appveyor: Fix yamlint issues, indent
appveyor: Rewrite batch in PowerShell + CI improvements
autotools: Adjust 'CURL_CA_PATH' value to CMake
autotools: Restore 'HAVE_IOCTL_*' detections
base64: Also build for curl
bufq: Remove Curl_bufq_skip_and_shift (unused)
build: Delete checks for C89 standard headers
build: Do not publish 'HAVE_BORINGSSL', 'HAVE_AWSLC' macros
cf-socket: Simulate slow/blocked receives in debug
cmake, configure: Also link with CoreServices
cmake: Add check for suseconds_t
cmake: Add feature checks for 'memrchr' and 'getifaddrs'
cmake: Add missing checks
cmake: Delete old 'HAVE_LDAP_URL_PARSE' logic
cmake: Detect 'HAVE_CLOCK_GETTIME_MONOTONIC_RAW'
cmake: Detect 'HAVE_GETADDRINFO_THREADSAFE'
cmake: Detect 'sys/wait.h' and 'netinet/udp.h'
cmake: Detect TLS-SRP in OpenSSL/wolfSSL/GnuTLS
cmake: Disable unity mode with Windows Unicode + TrackMemory
cmake: Fix 'HAVE_LDAP_SSL', 'HAVE_LDAP_URL_PARSE' on non-Windows
cmake: Fix 'HAVE_WRITABLE_ARGV' detection
cmake: Fix duplicate symbols when linking tests
cmake: Fix missing 'zlib.h' when compiling 'libcurltool'
cmake: Fix stderr initialization in unity builds
cmake: Fix the help text to the static build option in CMakeLists.txt
cmake: Fix unity builds for more build combinations
cmake: Fix unity symbol collisions in h2 builds
cmake: Fix unity with Windows Unicode + TrackMemory
cmake: Improve OpenLDAP builds
cmake: lib 'CURL_STATICLIB' fixes (Windows)
cmake: Move global headers to specific checks
cmake: Pre-cache 'HAVE_BASENAME' for mingw-w64 and MSVC
cmake: Pre-cache 'HAVE_POLL_FINE' on Windows
cmake: Tidy-up 'NOT_NEED_LBER_H' detection
cmake: Validate 'CURL_DEFAULT_SSL_BACKEND' config value
configure: Check for the capath by default
configure: Remove unused checks
configure: Replace adhoc domain with 'localhost' in tests
configure: Sort AC_CHECK_FUNCS
connect: Expire the timeout when trying next
connect: Only start the happy eyeballs timer when needed
cookie: Do not store the expire or max-age strings
cookie: Remove unnecessary struct fields (CVE-2023-38546)
cookie: Set ->running in cookie_init even if data is NULL
create-dirs.d: Clarify it also uses --output-dirs
curl.h: Mark CURLSSLBACKEND_NSS as deprecated since 8.3.0
curl_easy_pause.3: Mention h2/h3 buffering
curl_easy_pause.3: Mention it works within callbacks
curl_easy_pause: Set "in callback" true on exit if true
CURLOPT_DEBUGFUNCTION.3: Warn about internal handles
docs/libcurl/opts/Makefile.inc: Add missing manpage files
docs: Adapt SEE ALSO sections to new requirements
docs: Explain how PINNEDPUBLICKEY is independent of VERIFYPEER
docs: Replace made up domains with example.com
docs: Update curl man page references
docs: Use CURLSSLBACKEND_NONE
doh: Inherit DEBUGFUNCTION/DATA
escape: Replace Curl_isunreserved with ISUNRESERVED
FAQ: How do I upgrade curl.exe in Windows?
GHA/linux: Run singleuse to detect single-use global functions
GHA: Add workflow to compare configure vs. cmake outputs
h2-proxy: Remove left-over mistake in drain_tunnel()
h2: Test case and fix for pausing h2 streams
h3: Add support for ngtcp2 with AWS-LC builds
http2: Refused stream handling for retry
http: Fix CURL_DISABLE_BEARER_AUTH breakage
http: h1/h2 proxy unification
http: Remove wrong comment for http_should_fail
http: Use per-request counter to check too large headers
http_aws_sigv4: Fix sorting with empty parts
idn: Fix WinIDN null ptr deref on bad host
idn: If idn2_check_version returns NULL, return error
inet_ntop: Add typecast to silence Coverity
lib: Disambiguate Curl_client_write flag semantics
lib: Enable hmac for digest as well
lib: failf/infof compiler warnings
lib: Let the max filesize option stop too big transfers too
lib: Move handling of 'data->req.writer_stack' into Curl_client_write()
lib: Provide and use Curl_hexencode
lib: Remove TIME_WITH_SYS_TIME
lib: Use wrapper for curl_mime_data fseek callback
libssh2: Fix error message on failed pubkey-from-file
libssh: Cap SFTP packet size sent
Makefile.mk: Always set 'CURL_STATICLIB' for lib (Windows)
MANUAL.md: Change domain to example.com
misc: Better random strings
MQTT: Improve receive of ACKs
multi: Do CURLM_CALL_MULTI_PERFORM at two more places
multi: Fix small timeouts
multi: Remove Curl_multi_dump
multi: Round the timeout up to prevent early wakeups
multi: Set CURLM_CALL_MULTI_PERFORM after switch to DOING_MORE
openssl: Improve ssl shutdown handling
openssl: Use X509_ALGOR_get0 instead of reaching into X509_ALGOR
pytest: Exclude test_03_goaway in CI runs due to timing dependency
quic: Set ciphers/curves the same way regular TLS does
quiche: Fix build error with --with-ca-fallback
RELEASE-PROCEDURE.md: Updated coming release dates
runtests: Display the test status if tests appear hung
runtests: Eliminate a warning on old perl versions
socks: Return error if hostname too long for remote resolve (CVE-2023-38545)
src/mkhelp: Make generated code pass 'checksrc'
test1056: Disable on Windows
test1474: Disable test on NetBSD, OpenBSD and Solaris 10
test1592: Greatly increase the maximum test timeout
test1903: Actually verify the cookies after the test
test1906: Set a lower timeout since it's hit on Windows
test2600: Remove special case handling for USE_ALARM_TIMEOUT
test650: Fix an end tag typo
test661: Return from test early in case of curl error
test: Add missing <feature>s
tests: Close the shell used to start sshd
tests: Fix a race condition in ftp server disconnect
tests: Fix compiler warnings
tests: Fix zombie processes left behind by FTP tests
tests: Improve SLOWDOWN test reliability by reducing sent data
tests: Increase lib571 timeout from 3s to 30s
tests: Log the test result code after each libtest
tests: Propagate errors in libtests
tests: Set --expect100-timeout to improve test reliability
tests: Show which curl tool 'runtests.pl' is using
tests: Stop overriding the lock timeout
tftpd: Always use curl's own tftp.h
tool: Use our own stderr variable
tool_cb_wrt: Fix debug assertion
tool_getparam: Accept variable expansion on file names too
tool_setopt: Remove unused function tool_setopt_flags
upload-file.d: Describe the file name slash/backslash handling
url: Fall back to http/https proxy env-variable if ws/wss not set
url: Fix netrc info message
warnless: Remove unused functions
wolfssh: Do cleanup in Curl_ssh_cleanup
wolfssl: Allow capath with CURLOPT_CAINFO_BLOB
wolfssl: If CURLOPT_CAINFO_BLOB is set, ignore the CA files
wolfssl: Ignore errors in CA path