PaulHowarth/Blog/2024-05-22

Wednesday 22nd May 2024

Local Packages

• Updated check (0.15.2) to fix check-devel for cmake users (Bug #2161231)

• Updated curl to 8.8.0:

  • curl_version_info: Provide librtmp version

  • file: Add support for directory listings

  • idn: Add native !AppleIDN (icucore) support for macOS/iOS

  • lib: Add curl_multi_waitfds

  • mbedTLS: Implement CURLOPT_SSL_CIPHER_LIST option

  • NTLM_WB: Drop support
  • TLS: Add support for ECH (Encrypted Client Hello)

  • urlapi: Add CURLU_GET_EMPTY for empty queries and fragments

  • appveyor: Drop unnecessary '--clean-first' cmake option

  • appveyor: Guard against crash-build with VS2008

  • appveyor: Make gcc 6 mingw64 job build-only

  • asyn-thread: Fix curl_global_cleanup crash in Windows

  • asyn-thread: Fix Curl_thread_create result check

  • autotools: Delete unused functions

  • autotools: Fix 'HAVE_IOCTLSOCKET_FIONBIO' test for gcc 14

  • autotools: Only probe for SGI MIPS compilers on IRIX

  • bearssl: Fix compiler warnings

  • bearssl: Use common code for cipher suite lookup

  • bufq: Remove duplicate word in comment

  • BUG-BOUNTY.md: Clarify the third party situation

  • build: Prefer 'USE_IPV6' macro internally (was: 'ENABLE_IPV6')

  • build: Remove MacOSX-Framework script

  • cd2nroff/manage: Use UTC when SOURCE_DATE_EPOCH is set

  • cf-https-connect: Use timeouts as unsigned ints

  • cf-socket: Don't try getting local IP without socket

  • cf-socket: Remove references to l_ip, l_port

  • ci: Add curl-for-win builds: Linux MUSL, macOS, Windows

  • cmake: Add 'BUILD_EXAMPLES' option to build examples

  • cmake: Add librtmp/rtmpdump option and detection

  • cmake: Check fseeko after detecting HAVE_FILE_OFFSET_BITS

  • cmake: Do not pass linker flags to the static library tool

  • cmake: Enable '-pedantic-errors' for clang when 'CURL_WERROR=ON'

  • cmake: FindNGHTTP2 add static lib name to find_library call

  • cmake: Fix 'CURL_WERROR=ON' for old CMake and use it in GHA/linux-old

  • cmake: Fix 'HAVE_IOCTLSOCKET_FIONBIO' test with gcc 14

  • cmake: Fix up 'DEPENDS' filename

  • cmake: Forward 'USE_LIBRTMP' option to C

  • cmake: Generate misc manpages and install 'mk-ca-bundle.pl'

  • cmake: Initialize 'BUILD_TESTING' before first use

  • cmake: Speed up libcurl doc building again

  • cmake: Tidy-up to use 'WORKING_DIRECTORY'

  • cmake: Use namespaced custom target names

  • cmdline-docs: Fix make install with configure --disable-docs

  • configure: Error on missing perl if docs or manual is enabled

  • configure: Make --disable-docs imply --disable-manual

  • content_encoding: Brotli and others, pass through 0-length writes

  • content_encoding: Ignore duplicate chunked encoding

  • content_encoding: Reject transfer-encoding after chunked

  • contrithanks: Honor 'CURLWWW' variable

  • curl-confopts.m4: Define CARES_NO_DEPRECATED when c-ares is used

  • curl.h: Change CURL_SSLVERSION_* from enum to defines

  • curl: Make --help adapt to the terminal width

  • curl: Use curl_getenv instead of the curlx_ version

  • Curl_creader_read: Init two variables to avoid using them uninited

  • curl_easy_pause.md: Use correct defines in example

  • curl_getdate.md: Document two-digit year handling

  • curl_global_trace.md: Shorten the description

  • curl_multibyte: Remove access() function wrapper for Windows

  • curl_path: Make Curl_get_pathname use dynbuf

  • curl_setup.h: Add support for IAR compiler

  • curl_setup.h: Detect 'inline' support

  • curl_sha512_256: Do not use workaround for NetBSD when not needed

  • curl_sha512_256: Fix detection of OpenSSL 1.1.1 or later

  • curl_url_get.md: Clarify queries and fragments and CURLU_GET_EMPTY

  • CURLINFO_REQUEST_SIZE: Fixed, add tests for transfer infos reported

  • CURLOPT_WRITEFUNCTION.md: Fix the callback proto in the example

  • cw-out: improved error handling

  • DEPRECATE.md: TLS libraries without 1.3 support

  • digest: Replace strcpy for empty string with simple assignment

  • dist: 'set -eu', fix shellcheck, make reproducible and smaller tarballs

  • dist: Add files missing from release tarball
  • dist: Add reproducible dir entries to tarballs

  • dist: Do not require Perl in 'maketgz'

  • dist: Remove the curl-config.1 from the tarball

  • dist: Verify tarball reproducibility in CI

  • DISTROS: Add patch and issues link for curl-for-win

  • DISTROS: Cygwin updates

  • dllmain: Call OpenSSL thread clean-up for Windows and Cygwin

  • doc: pytest '--repeat' -> '--count'

  •  docs/cmdline-opts: Invoke managen using a relative path

  • docs/cmdline-opts: Mention STARTTLS for --ssl and --ssl-reqd

  • docs: Add CURLOPT_NOPROGRESS to CURLOPT_XFERINFOFUNCTION example

  • docs: Clarify CURLOPT_MAXFILESIZE and CURLOPT_MAXFILESIZE_LARGE

  • docs: Fix some CURLINFO examples

  • doh: Fix typo in comment
  • doh: Remove unused function prototype
  • dynbuf: Fix return code on memory error

  • examples: Fix/silence '-Wsign-conversion'

  • EXPERIMENTAL: Add graduation requirements for each feature

  • file: Remove useless assignment
  • ftp: Add tracing support

  • ftp: Fix build for CURL_DISABLE_VERBOSE_STRINGS

  • ftp: Fix socket leak on rare error
  • GHA: Add NetBSD, OpenBSD, FreeBSD/arm64 and OmniOS jobs
  • GHA: Add shellcheck job and fix warnings, shell tidy-ups

  • GHA: Add valgrind to a wolfSSL build

  • GHA: On macOS remove $HOME/.curlrc

  • GHA: Pin dependencies
  • gnutls: Lazy init the trust settings
  • h3/ngtcp2: Improve error handling

  • hash: Change 'slots' to size_t from int

  • hash: Delete unused debug function
  • hsts: Explicitly skip blank lines
  • hsts: Remove single-use single-line function

  • http tests: In CI skip test_02_23* for quiche

  • http2+ngtcp2: Pass CURLcode errors from callbacks

  • http2, http3: Decouple stream state from easy handle
  • http2: Emit RST when client write fails
  • http3: quiche+ngtcp2 improvements
  • http: Acknowledge a returned error code

  • http: HEAD response body tolerance

  • http: Reject HTTP major version switch mid-connection
  • http: Remove redundant check

  • http: With chunked POST forced, disable length check on read callback

  • http_aws_sigv4: Remove useless assignment

  • idn: Make Curl_idnconvert_hostname() use Curl_idn_decode()

  • if2ip: Make the buf_size arg a size_t

  • INSTALL-CMAKE.md: Explain 'cmake -G <generator-name>'

  • krb5: Use dynbuf
  • ldap: Fix unused variables (seen on OmniOS)

  • lib/cf-h1-proxy: Silence compiler warnings (gcc 14)

  • lib: Add trace support for client reads and writes

  • lib: Bump hash sizes to 'size_t'

  • lib: Clear the easy handle's saved errno before transfer

  • lib: Fix compiler warnings (gcc)
  • lib: Make protocol handlers store scheme name lowercase

  • lib: Merge 'ENABLE_QUIC' C macro into 'USE_HTTP3'

  • lib: Remove two instances of "only only" messages

  • lib: Silence '-Wsign-conversion' in base64, strcase, mprintf

  • lib: Silence warnings on comma misuse

  • lib: Use '#error' instead of invalid syntax in 'curl_setup_once.h'

  • lib: Use multi instead of multi_easy for the active multi

  • libcurl-opts: Mention pipelining less

  • libssh2: Delete redundant feature guard

  • libssh2: Replace 'access()' with 'stat()'

  • libssh2: Set length to 0 if strdup failed

  • m4: Fix rustls pkg-config codepath

  • MAIL-ETIQUETTE: Convert to markdown

  • makefile: Remove the sorting from the vc-ide action

  • maketgz: Put docs/RELEASE-TOOL.md into the tarball

  • managen: Fix the option sort order

  • mbedtls: Call mbedtls_ssl_setup() after RNG callback is set

  • mbedtls: Cut off trailing newlines from debug logs
  • mbedtls: Fix building with v3 in CMake Unity mode
  • mbedtls: Support TLS 1.3

  • mime: Avoid using access()

  • misc: Fix typos, quoting and spelling

  • mprintf: Check fputc error rather than matching returned character

  • mqtt: When Curl_xfer_recv returns error, don't use nread

  • multi: Avoid memory-leak risk

  • multi: Introduce SETUP state for better timeouts

  • multi: multi_wait improvements

  • multi: Remove the unused Curl_preconnect function

  • multi: Remove useless assignment
  • multi: Timeout handles even without connection
  • openldap: Create ldap URLs correctly for IPv6 addresses

  • openssl: Do not set SSL_MODE_RELEASE_BUFFERS

  • openssl: Revert keylog_callback support for LibreSSL

  • OS400: Fix shellcheck warnings in scripts
  • projects: Drop MSVC project files for recent versions

  • pytest: Add DELETE tests, check server version

  • pytest: Fixes for recent python, add FTP tests
  • quic: Fix up duplicate static function name (for cmake unity)
  • quiche: Expire all active transfers on connection close
  • quiche: Trust its timeout handling

  • RELEASE-PROCEDURE: Mention an initial working build

  • request: Make Curl_req_init return void

  • request: Paused upload on completed download, assess connection

  • reuse: Add copyright + license info to individual docs/*.md files

  • ROADMAP: Remove completed entries, mention websocket

  • rustls: Fix handshake done handling
  • rustls: Fix partial send handling

  • rustls: Remove incorrect SSLSUPP_TLS13_CIPHERSUITES flag

  • rustsls: Fix error code on receive
  • sendf: Fix two typos in comments

  • sendf: Useless assignment in cr_lc_read()

  • setopt: Acknowledge errors proper for CURLOPT_COOKIEJAR

  • setopt: Make the setstropt_userpwd args compulsory

  • setopt: Remove check for 'option' that is always true

  • setopt: Warn on Curl_set*opt() uses not using the return value

  • smtp: Result of Curl_bufq_cread was not used

  • socket: Remove redundant call to getsockname

  • socketpair: Fix compilation when USE_UNIX_SOCKETS is not defined

  • src: Tidy up types, add necessary casts

  • telnet: Check return code from fileno()

  • tests/http: Fix compiler warning

  • tests: Add -q as first option when invoking curl for tests

  • tests: Check caddy server version to match test expectations
  • tests: Enable test 1117 for hyper

  • tests: Fix feature case in test1481

  • tests: Fix test 1167 to skip digit-only symbols

  • tests: Make the unit test result type 'CURLcode'

  • tests: Mark tftpd timer function as noreturn

  • tests: Tidy up types in server code

  • tls: Fix SecureTransport + BearSSL cmake unity builds

  • tls: Remove EXAMPLEs from deprecated options

  • tls: Use shared init code for TCP+QUIC

  • tool: Move tool_ftruncate64 to tool_util.c

  • tool_cb_rea: Limit rate unpause for -T . uploads

  • tool_cfgable: free {proxy_}cipher13_list on exit

  • tool_getparam: Output warning for leading unicode quote character

  • tool_getparam: Remove two redundant conditions

  • tool_operate: Don't truncate the etag save file by default

  • tool_operate: Initialize vars unconditionally in post_per_transfer

  • tool_paramhlp: Remove duplicate assign

  • tool_xattr: "Guess" URL scheme if none is provided

  • tool_xattr: In debug builds, act normally if CURL_FAKE_XATTR is not set

  • transfer: Remove useless assignment
  • url: Do not URL decode proxy credentials
  • url: Fix use of an uninitialized variable

  • url: Make parse_login_details use memdup0

  • url: Remove duplicate call to Curl_conncache_remove_conn when pruning

  • urlapi: Allow setting port number zero
  • urlapi: Fix relative redirects to fragment-only
  • urldata: Remove fields not used depending on used features

  • vauth: Make two functions void that always just returned OK

  • version: Use msnprintf instead of strncpy

  • vquic-tls: Use correct cert name check API for wolfSSL

  • vquic: Use CURL_FORMAT_CURL_OFF_T for 64-bit printf output

  • vtls: TLS session storage overhaul

  • wakeup_create: Use FD_CLOEXEC/SOCK_CLOEXEC

  • warnless: Delete orphan declarations
  • websocket: Avoid memory leak in error path

  • winbuild: Add ENABLE_WEBSOCKETS option

  • winbuild: Use $(RC) correctly

  • wolfssl: Plug memory leak in wolfssl_connect_step2()

  • x509asn1: Return error on missing OID

• Updated libxml2 to 2.12.7:

• Security:

  • Fix buffer overread with 'xmllint --htmlout' (CVE-2024-34459)

• Regressions:

  • xmllint: Fix --pedantic option

  • save: Handle invalid parent pointers in xhtmlNodeDumpOutput