diff options
Diffstat (limited to 'RELEASE-NOTES')
-rw-r--r-- | RELEASE-NOTES | 55 |
1 files changed, 44 insertions, 11 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 009300706..a29bf1c5a 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -14,6 +14,8 @@ This release includes the following changes: This release includes the following bugfixes: + o CVE-2019-5435: Integer overflows in curl_url_set [87] + o CVE-2019-5436: tftp: use the current blksize for recvfrom() [82] o --config: clarify that initial : and = might need quoting [17] o AppVeyor: enable testing for WinSSL build [23] o CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [52] @@ -33,10 +35,11 @@ This release includes the following bugfixes: o altsvc: Fix building with cookies disabled [38] o auth: Rename the various authentication clean up functions [61] o base64: build conditionally if there are users - o build-openssl.bat: lots of improvements and polish + o build-openssl.bat: Fixed support for OpenSSL v1.1.0+ o build: fix "clarify calculation precedence" warnings [63] o checksrc.bat: ignore snprintf warnings in docs/examples [67] o cirrus: Customize the disabled tests per FreeBSD version + o cleanup: remove FIXME and TODO comments [81] o cmake: avoid linking executable for some tests with cmake 3.6+ [18] o cmake: clear CMAKE_REQUIRED_LIBRARIES after each use [19] o cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP [46] @@ -45,25 +48,34 @@ This release includes the following bugfixes: o configure: error out if OpenSSL wasn't detected when asked for [74] o configure: fix default location for fish completions [13] o cookie: Guard against possible NULL ptr deref [42] + o curl: make code work with protocol-disabled libcurl [78] + o curl: report error for "--no-" on non-boolean options [86] o curl_easy_getinfo.3: fix minor formatting mistake o curlver.h: use parenthesis in CURL_VERSION_BITS macro [45] o docs/BUG-BOUNTY: bug bounty time [48] o docs/INSTALL: fix broken link [62] + o docs/RELEASE-PROCEDURE: link to live iCalendar [79] o documentation: Fix several typos [7] o doh: acknowledge CURL_DISABLE_DOH o doh: disable DOH for the cases it doesn't work [66] + o examples: remove unused variables [88] o ftplistparser: fix LGTM alert "Empty block without comment" [14] + o hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS [78] o http: Ignore HTTP/2 prior knowledge setting for HTTP proxies [54] o http: acknowledge CURL_DISABLE_HTTP_AUTH o http: mark bundle as not for multiuse on < HTTP/2 response [41] o http_digest: Don't expose functions when HTTP and Crypto Auth are disabled [65] o http_negotiate: do not treat failure of gss_init_sec_context() as fatal [53] o http_ntlm: Corrected the name of the include guard [64] + o http_ntlm_wb: Handle auth for only a single request [77] + o http_ntlm_wb: Return the correct error on receiving an empty auth message [77] o lib509: add missing include for strdup [22] o lib557: initialize variables [22] o makedebug: Fix ERRORLEVEL detection after running where.exe [58] + o mbedtls: enable use of EC keys [85] o mime: acknowledge CURL_DISABLE_MIME o multi: improved HTTP_1_1_REQUIRED handling [2] + o netrc: acknowledge CURL_DISABLE_NETRC [78] o nss: allow fifos and character devices for certificates [56] o nss: provide more specific error messages on failed init [43] o ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup [70] @@ -75,6 +87,7 @@ This release includes the following bugfixes: o parsedate: disabled on CURL_DISABLE_PARSEDATE o pingpong: disable more when no pingpong protocols are enabled o polarssl_threadlock: remove conditionally unused code [22] + o progress: acknowledge CURL_DISABLE_PROGRESS_METER [78] o proxy: acknowledge DISABLE_PROXY more o resolve: apply Happy Eyeballs philosophy to parallel c-ares queries [3] o revert "multi: support verbose conncache closure handle" [69] @@ -87,22 +100,28 @@ This release includes the following bugfixes: o socks: fix error message o socksd: new SOCKS 4+5 server for tests [31] o spnego_gssapi: fix return code on gss_init_sec_context() failure [53] + o ssh-libssh: remove unused variable [83] o ssh: define USE_SSH if SSH is enabled (any backend) [57] + o ssh: move variable declaration to where it's used [83] o test1002: correct the name o test2100: Fix typos in test description o tests/server/util: fix Windows Unicode build [21] o tests: Run global cleanup at end of tests [29] o tests: make Impacket (SMB server) Python 3 compatible [11] o tool_cb_wrt: fix bad-function-cast warning [5] + o tool_formparse: remove redundant assignment [83] o tool_help: Warn if curl and libcurl versions do not match [28] o tool_help: include <strings.h> for strcasecmp [4] o transfer: fix LGTM alert "Comparison is always true" [14] + o travis: add an osx http-only build [80] o travis: allow builds on branches named "ci" o travis: install dependencies only when needed [24] o travis: update some builds do Xenial [30] o travis: updated mesalink builds [35] o url: always clone the CUROPT_CURLU handle [26] + o url: convert the zone id from a IPv6 URL to correct scope id [89] o urlapi: add CURLUPART_ZONEID to set and get [59] + o urlapi: increase supported scheme length to 40 bytes [84] o urlapi: require a non-zero host name length when parsing URL [73] o urlapi: stricter CURLUPART_PORT parsing [33] o urlapi: strip off zone id from numerical IPv6 addresses [49] @@ -124,16 +143,17 @@ advice from friends like these: Aron Bergman, Brad Spencer, cclauss on github, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, Eli Schwartz, Even Rouault, - Frank Gevaerts, Gisle Vanem, Isaiah Norton, Jakub Zakrzewski, Jan Ehrhardt, - Jeroen Ooms, Jonathan Cardoso Machado, Jonathan Moerman, - Joombalaya on github, Kamil Dudka, Kristoffer Gleditsch, l00p3r on Hackerone, - Leonardo Taccari, Marcel Raad, Mert Yazıcıoğlu, nevv on HackerOne/curl, - niner on github, Paolo Mossino, Patrick Monnerat, Po-Chuan Hsieh, - Poul T Lomholt, Ray Satiro, Reed Loden, Ricardo Gomes, Ricky Leverence, - Rikard Falkeborn, Roy Bellingan, Simon Warta, Steve Holme, Taiyu Len, - Tim Rühsen, Tom van der Woerdt, Tseng Jun, Viktor Szakats, Wenchao Li, - Wyatt O'Day, XmiliaH on github, Yiming Jing, - (46 contributors) + Frank Gevaerts, Gisle Vanem, GitYuanQu on github, Guy Poizat, Isaiah Norton, + Jakub Zakrzewski, Jan Ehrhardt, Jeroen Ooms, Jonathan Cardoso Machado, + Jonathan Moerman, Joombalaya on github, Kamil Dudka, Kristoffer Gleditsch, + l00p3r on hackerone, Leonardo Taccari, Marcel Raad, Mert Yazıcıoğlu, + nevv on HackerOne/curl, niner on github, Olen Andoni, Omar Ramadan, + Paolo Mossino, Patrick Monnerat, Po-Chuan Hsieh, Poul T Lomholt, Ray Satiro, + Reed Loden, Ricardo Gomes, Ricky Leverence, Rikard Falkeborn, Roy Bellingan, + Simon Warta, Steve Holme, Taiyu Len, Tim Rühsen, Tom van der Woerdt, + Tseng Jun, Viktor Szakats, Wenchao Li, Wyatt O'Day, XmiliaH on github, + Yiming Jing, + (50 contributors) Thanks! (and sorry if I forgot to mention someone) @@ -215,3 +235,16 @@ References to bug reports and discussions on issues: [74] = https://curl.haxx.se/bug/?i=3824 [75] = https://curl.haxx.se/bug/?i=3711 [76] = https://curl.haxx.se/bug/?i=3863 + [77] = https://curl.haxx.se/bug/?i=3894 + [78] = https://curl.haxx.se/bug/?i=3844 + [79] = https://curl.haxx.se/bug/?i=3895 + [80] = https://curl.haxx.se/bug/?i=3887 + [81] = https://curl.haxx.se/bug/?i=3876 + [82] = https://curl.haxx.se/docs/CVE-2019-5436.html + [83] = https://curl.haxx.se/bug/?i=3873 + [84] = https://curl.haxx.se/bug/?i=3905 + [85] = https://curl.haxx.se/bug/?i=3892 + [86] = https://curl.haxx.se/bug/?i=3906 + [87] = https://curl.haxx.se/docs/CVE-2019-5435.html + [88] = https://curl.haxx.se/bug/?i=3908 + [89] = https://curl.haxx.se/bug/?i=3902 |