aboutsummaryrefslogtreecommitdiff
path: root/RELEASE-NOTES
blob: 1d38efa6f200bfa32bbb73588b0bbc301dbdf2d1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
Curl and libcurl 7.38.0

 Public curl releases:         141
 Command line options:         162
 curl_easy_setopt() options:   208
 Public functions in libcurl:  58
 Contributors:                 1216

This release includes the following changes:

 o CURLE_HTTP2 is a new error code
 o CURLAUTH_NEGOTIATE is a new auth define
 o CURL_VERSION_GSSAPI is a new capability bit
 o no longer use fbopenssl for anything
 o schannel: use CryptGenRandom for random numbers
 o axtls: define curlssl_random using axTLS's PRNG
 o cyassl: use RNG_GenerateBlock to generate a good random number
 o findprotocol: show unsupported protocol within quotes
 o version: detect and show LibreSSL
 o version: detect and show BoringSSL
 o imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
 o http2: requires nghttp2 0.6.0 or later

This release includes the following bugfixes:

 o CVE-2014-3613: cookie leak with IP address as domain [25]
 o CVE-2014-3620: cookie leak for TLDs [26]

 o fix a build failure on Debian when NSS support is enabled [1]
 o HTTP/2: fixed compiler warnings when built disabled [2]
 o cyassl: return the correct error code on no CA cert
 o http: Deprecate GSS-Negotiate macros due to bad naming
 o http: Fixed Negotiate: authentication
 o multi: Improve proxy CONNECT performance (regression) [3]
 o ntlm_wb: Avoid invoking ntlm_auth helper with empty username
 o ntlm_wb: Fix hard-coded limit on NTLM auth packet size
 o url.c: use the preferred symbol name: *READDATA [4]
 o smtp: fixed a segfault during test 1320 torture test
 o cyassl: made it compile with version 2.0.6 again
 o nss: do not check the version of NSS at run time
 o c-ares: fix build without IPv6 support [5]
 o HTTP/2: use base64url encoding [6]
 o SSPI Negotiate: Fix 3 memory leaks
 o libtest: fixed duplicated line in Makefile [7]
 o conncache: fix compiler warning [8]
 o openssl: make ossl_send return CURLE_OK better
 o HTTP/2: Support expect: 100-continue
 o HTTP/2: Fix infinite loop in readwrite_data()
 o parsedate: fix the return code for an overflow edge condition
 o darwinssl: don't use strtok()
 o http_negotiate_sspi: Fixed specific username and password not working [9]
 o openssl: replace call to OPENSSL_config [10]
 o http2: show the received header for better debugging
 o HTTP/2: Move :authority before non-pseudo header fields
 o HTTP/2: Reset promised stream, not its associated stream
 o HTTP/2: added some more logging for debugging stream problems
 o ntlm: Added support for SSPI package info query
 o ntlm: Fixed hard coded buffer for SSPI based auth packet generation
 o sasl_sspi: Fixed memory leak with not releasing Package Info struct
 o sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
 o sasl: Use a dynamic buffer for DIGEST-MD5 SPN generation
 o http_negotiate_sspi: Use a dynamic buffer for SPN generation
 o sasl_sspi: Fixed missing free of challenge buffer on SPN failure
 o sasl_sspi: Fixed hard coded buffer for response generation
 o Curl_poll + Curl_wait_ms: fix timeout return value
 o docs/SSLCERTS: update the section about NSS database
 o create_conn: prune dead connections [11]
 o openssl: fix version report for the 0.9.8 branch
 o mk-ca-bundle.pl: switched to using hg.mozilla.org [12]
 o http: fix the Content-Range: parser [13]
 o Curl_disconnect: don't free the URL [14]
 o win32: Fixed WinSock 2 #if [15]
 o NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
 o curl.1: clarify --limit-rate's effect on both directions [16]
 o disconnect: don't touch easy-related state on disconnects [17]
 o Cmake: big cleanup and numerous fixes
 o HTTP/2: supports draft-14 - moved :headers before the non-psuedo headers
 o HTTP/2: Reset promised stream, not its associated stream
 o configure.ac: Add support for recent GSS-API implementations for HP-UX
 o CONNECT: close proxy connections that fail [18]
 o CURLOPT_NOBODY.3: clarify this option is for downloads [19]
 o darwinssl: fix CA certificate checking using PEM format [20]
 o resolve: cache lookup for async resolvers [21]
 o low-speed-limit: avoid timeout flood [22]
 o polarssl: implement CURLOPT_SSLVERSION [23]
 o multi: convert CURLM_STATE_CONNECT_PEND handling to a list [24]
 o curl_multi_cleanup: remove superfluous NULL assigns
 o polarssl: support CURLOPT_CAPATH / --capath
 o progress: size_dl/size_ul are always >= 0, and clear "KNOWN" properly

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Alessandro Ghedini, Andre Heinecke, Anthon Pang, Askar Safin, Brandon Casey,
  Catalin Patulea, Dan Fandrich, Daniel Stenberg, Dave Reisner, David Meyer,
  David Shaw, David Woodhouse, Dimitrios Siganos, Ed Morley, Fabian Keil,
  Florian Weimer, Frank Gevaerts, Frank Meier, Haris Okanovic, Jakub Zakrzewski,
  Jan Ehrhardt, John Coffey, Jonatan Vela, Jose Alf, Kamil Dudka,
  Leonardo Rosati, Marcel Raad, Michael Osipov, Michael Wallner, Paras S,
  Patrick Monnerat, Paul Saab, Peter Wang, Rafaël Carré, Sergey Nikulov,
  Spork Schivago, Steve Holme, Tatsuhiro Tsujikawa, Tim Ruehsen, Toby Peterson,
  Vilmos Nebehaj,

        Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

 [1] = http://curl.haxx.se/mail/lib-2014-07/0209.html
 [2] = http://curl.haxx.se/mail/lib-2014-07/0202.html
 [3] = http://curl.haxx.se/bug/view.cgi?id=1397
 [4] = http://curl.haxx.se/bug/view.cgi?id=1398
 [5] = http://curl.haxx.se/mail/lib-2014-07/0337.html
 [6] = https://github.com/tatsuhiro-t/nghttp2/issues/62
 [7] = https://github.com/bagder/curl/pull/105
 [8] = http://curl.haxx.se/bug/view.cgi?id=1399
 [9] = http://curl.haxx.se/mail/lib-2014-06/0224.html
 [10] = http://curl.haxx.se/bug/view.cgi?id=1401
 [11] = http://curl.haxx.se/mail/lib-2014-06/0189.html
 [12] = http://curl.haxx.se/bug/view.cgi?id=1409
 [13] = http://curl.haxx.se/mail/lib-2014-06/0221.html
 [14] = http://curl.haxx.se/mail/lib-2014-08/0148.html
 [15] = http://curl.haxx.se/mail/lib-2014-08/0155.html
 [16] = http://curl.haxx.se/bug/view.cgi?id=1414
 [17] = http://curl.haxx.se/mail/lib-2014-08/0148.html
 [18] = http://curl.haxx.se/bug/view.cgi?id=1381
 [19] = http://curl.haxx.se/mail/lib-2014-08/0236.html
 [20] = https://github.com/bagder/curl/pull/115
 [21] = https://github.com/bagder/curl/pull/112
 [22] = http://curl.haxx.se/mail/lib-2014-06/0235.html
 [23] = http://curl.haxx.se/bug/view.cgi?id=1419
 [24] = http://curl.haxx.se/mail/lib-2014-07/0206.html
 [25] = http://curl.haxx.se/docs/adv_20140910A.html
 [26] = http://curl.haxx.se/docs/adv_20140910B.html