aboutsummaryrefslogtreecommitdiff
path: root/RELEASE-NOTES
blob: a29bf1c5a5ba3c036dd4c1fe0c7d4d00ce4cb948 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
curl and libcurl 7.65.0

 Public curl releases:         181
 Command line options:         221
 curl_easy_setopt() options:   268
 Public functions in libcurl:  80
 Contributors:                 1929

This release includes the following changes:

 o CURLOPT_DNS_USE_GLOBAL_CACHE: removed [25]
 o CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse [37]
 o pipelining: removed [10]

This release includes the following bugfixes:

 o CVE-2019-5435: Integer overflows in curl_url_set [87]
 o CVE-2019-5436: tftp: use the current blksize for recvfrom() [82]
 o --config: clarify that initial : and = might need quoting [17]
 o AppVeyor: enable testing for WinSSL build [23]
 o CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [52]
 o CURLOPT_ADDRESS_SCOPE: fix range check and more [32]
 o CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [75]
 o CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value [51]
 o CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [71]
 o CURL_MAX_INPUT_LENGTH: largest acceptable string input size [44]
 o Curl_disconnect: treat all CONNECT_ONLY connections as "dead" [39]
 o INTERNALS: Add code highlighting [47]
 o OS400/ccsidcurl: replace use of Curl_vsetopt [50]
 o OpenSSL: Report -fips in version if OpenSSL is built with FIPS [55]
 o README.md: fix no-consecutive-blank-lines Codacy warning [22]
 o VC15 project: remove MinimalRebuild
 o VS projects: use Unicode for VC10+ [16]
 o WRITEFUNCTION: add missing set_in_callback around callback [60]
 o altsvc: Fix building with cookies disabled [38]
 o auth: Rename the various authentication clean up functions [61]
 o base64: build conditionally if there are users
 o build-openssl.bat: Fixed support for OpenSSL v1.1.0+
 o build: fix "clarify calculation precedence" warnings [63]
 o checksrc.bat: ignore snprintf warnings in docs/examples [67]
 o cirrus: Customize the disabled tests per FreeBSD version
 o cleanup: remove FIXME and TODO comments [81]
 o cmake: avoid linking executable for some tests with cmake 3.6+ [18]
 o cmake: clear CMAKE_REQUIRED_LIBRARIES after each use [19]
 o cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP [46]
 o cmake: set SSL_BACKENDS [12]
 o configure: avoid unportable `==' test(1) operator [1]
 o configure: error out if OpenSSL wasn't detected when asked for [74]
 o configure: fix default location for fish completions [13]
 o cookie: Guard against possible NULL ptr deref [42]
 o curl: make code work with protocol-disabled libcurl [78]
 o curl: report error for "--no-" on non-boolean options [86]
 o curl_easy_getinfo.3: fix minor formatting mistake
 o curlver.h: use parenthesis in CURL_VERSION_BITS macro [45]
 o docs/BUG-BOUNTY: bug bounty time [48]
 o docs/INSTALL: fix broken link [62]
 o docs/RELEASE-PROCEDURE: link to live iCalendar [79]
 o documentation: Fix several typos [7]
 o doh: acknowledge CURL_DISABLE_DOH
 o doh: disable DOH for the cases it doesn't work [66]
 o examples: remove unused variables [88]
 o ftplistparser: fix LGTM alert "Empty block without comment" [14]
 o hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS [78]
 o http: Ignore HTTP/2 prior knowledge setting for HTTP proxies [54]
 o http: acknowledge CURL_DISABLE_HTTP_AUTH
 o http: mark bundle as not for multiuse on < HTTP/2 response [41]
 o http_digest: Don't expose functions when HTTP and Crypto Auth are disabled [65]
 o http_negotiate: do not treat failure of gss_init_sec_context() as fatal [53]
 o http_ntlm: Corrected the name of the include guard [64]
 o http_ntlm_wb: Handle auth for only a single request [77]
 o http_ntlm_wb: Return the correct error on receiving an empty auth message [77]
 o lib509: add missing include for strdup [22]
 o lib557: initialize variables [22]
 o makedebug: Fix ERRORLEVEL detection after running where.exe [58]
 o mbedtls: enable use of EC keys [85]
 o mime: acknowledge CURL_DISABLE_MIME
 o multi: improved HTTP_1_1_REQUIRED handling [2]
 o netrc: acknowledge CURL_DISABLE_NETRC [78]
 o nss: allow fifos and character devices for certificates [56]
 o nss: provide more specific error messages on failed init [43]
 o ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup [70]
 o ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
 o openssl: mark connection for close on TLS close_notify [36]
 o openvms: Remove pre-processor for SecureTransport [40]
 o openvms: Remove pre-processors for Windows [40]
 o parse_proxy: use the URL parser API [72]
 o parsedate: disabled on CURL_DISABLE_PARSEDATE
 o pingpong: disable more when no pingpong protocols are enabled
 o polarssl_threadlock: remove conditionally unused code [22]
 o progress: acknowledge CURL_DISABLE_PROGRESS_METER [78]
 o proxy: acknowledge DISABLE_PROXY more
 o resolve: apply Happy Eyeballs philosophy to parallel c-ares queries [3]
 o revert "multi: support verbose conncache closure handle" [69]
 o sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
 o sasl: only enable if there's a protocol enabled using it
 o scripts: fix typos
 o singleipconnect: show port in the verbose "Trying ..." message
 o smtp: fix compiler warning [15]
 o socks5: user name and passwords must be shorter than 256 [8]
 o socks: fix error message
 o socksd: new SOCKS 4+5 server for tests [31]
 o spnego_gssapi: fix return code on gss_init_sec_context() failure [53]
 o ssh-libssh: remove unused variable [83]
 o ssh: define USE_SSH if SSH is enabled (any backend) [57]
 o ssh: move variable declaration to where it's used [83]
 o test1002: correct the name
 o test2100: Fix typos in test description
 o tests/server/util: fix Windows Unicode build [21]
 o tests: Run global cleanup at end of tests [29]
 o tests: make Impacket (SMB server) Python 3 compatible [11]
 o tool_cb_wrt: fix bad-function-cast warning [5]
 o tool_formparse: remove redundant assignment [83]
 o tool_help: Warn if curl and libcurl versions do not match [28]
 o tool_help: include <strings.h> for strcasecmp [4]
 o transfer: fix LGTM alert "Comparison is always true" [14]
 o travis: add an osx http-only build [80]
 o travis: allow builds on branches named "ci"
 o travis: install dependencies only when needed [24]
 o travis: update some builds do Xenial [30]
 o travis: updated mesalink builds [35]
 o url: always clone the CUROPT_CURLU handle [26]
 o url: convert the zone id from a IPv6 URL to correct scope id [89]
 o urlapi: add CURLUPART_ZONEID to set and get [59]
 o urlapi: increase supported scheme length to 40 bytes [84]
 o urlapi: require a non-zero host name length when parsing URL [73]
 o urlapi: stricter CURLUPART_PORT parsing [33]
 o urlapi: strip off zone id from numerical IPv6 addresses [49]
 o urlapi: urlencode characters above 0x7f correctly [9]
 o vauth/cleartext: update the PLAIN login to match RFC 4616 [27]
 o vauth/oauth2: Fix OAUTHBEARER token generation [6]
 o vauth: Fix incorrect function description for Curl_auth_user_contains_domain [68]
 o vtls: fix potential ssl_buffer stack overflow [76]
 o wildcard: disable from build when FTP isn't present
 o winbuild: Support MultiSSL builds [34]
 o xattr: skip unittest on unsupported platforms [20]

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Aron Bergman, Brad Spencer, cclauss on github, Dan Fandrich,
  Daniel Gustafsson, Daniel Stenberg, Eli Schwartz, Even Rouault,
  Frank Gevaerts, Gisle Vanem, GitYuanQu on github, Guy Poizat, Isaiah Norton,
  Jakub Zakrzewski, Jan Ehrhardt, Jeroen Ooms, Jonathan Cardoso Machado,
  Jonathan Moerman, Joombalaya on github, Kamil Dudka, Kristoffer Gleditsch,
  l00p3r on hackerone, Leonardo Taccari, Marcel Raad, Mert Yazıcıoğlu,
  nevv on HackerOne/curl, niner on github, Olen Andoni, Omar Ramadan,
  Paolo Mossino, Patrick Monnerat, Po-Chuan Hsieh, Poul T Lomholt, Ray Satiro,
  Reed Loden, Ricardo Gomes, Ricky Leverence, Rikard Falkeborn, Roy Bellingan,
  Simon Warta, Steve Holme, Taiyu Len, Tim Rühsen, Tom van der Woerdt,
  Tseng Jun, Viktor Szakats, Wenchao Li, Wyatt O'Day, XmiliaH on github,
  Yiming Jing,
  (50 contributors)

        Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

 [1] = https://curl.haxx.se/bug/?i=3709
 [2] = https://curl.haxx.se/bug/?i=3707
 [3] = https://curl.haxx.se/bug/?i=3699
 [4] = https://curl.haxx.se/bug/?i=3715
 [5] = https://curl.haxx.se/bug/?i=3718
 [6] = https://curl.haxx.se/bug/?i=2487
 [7] = https://curl.haxx.se/bug/?i=3724
 [8] = https://curl.haxx.se/bug/?i=3737
 [9] = https://curl.haxx.se/bug/?i=3741
 [10] = https://curl.haxx.se/bug/?i=3651
 [11] = https://curl.haxx.se/bug/?i=3731
 [12] = https://curl.haxx.se/bug/?i=3736
 [13] = https://curl.haxx.se/bug/?i=3723
 [14] = https://curl.haxx.se/bug/?i=3732
 [15] = https://curl.haxx.se/bug/?i=3729
 [16] = https://curl.haxx.se/bug/?i=3720
 [17] = https://curl.haxx.se/bug/?i=3738
 [18] = https://curl.haxx.se/bug/?i=3744
 [19] = https://curl.haxx.se/bug/?i=3743
 [20] = https://curl.haxx.se/bug/?i=3759
 [21] = https://curl.haxx.se/bug/?i=3758
 [22] = https://curl.haxx.se/bug/?i=3739
 [23] = https://curl.haxx.se/bug/?i=3725
 [24] = https://curl.haxx.se/bug/?i=3721
 [25] = https://curl.haxx.se/bug/?i=3654
 [26] = https://curl.haxx.se/bug/?i=3753
 [27] = https://curl.haxx.se/bug/?i=3757
 [28] = https://curl.haxx.se/bug/?i=3774
 [29] = https://curl.haxx.se/bug/?i=3783
 [30] = https://curl.haxx.se/bug/?i=3777
 [31] = https://curl.haxx.se/bug/?i=3752
 [32] = https://curl.haxx.se/bug/?i=3713
 [33] = https://curl.haxx.se/bug/?i=3762
 [34] = https://curl.haxx.se/bug/?i=3772
 [35] = https://curl.haxx.se/bug/?i=3823
 [36] = https://curl.haxx.se/bug/?i=3750
 [37] = https://curl.haxx.se/bug/?i=3782
 [38] = https://curl.haxx.se/bug/?i=3717
 [39] = https://curl.haxx.se/mail/lib-2019-04/0052.html
 [40] = https://curl.haxx.se/bug/?i=3768
 [41] = https://curl.haxx.se/bug/?i=3813
 [42] = https://curl.haxx.se/bug/?i=3820
 [43] = https://curl.haxx.se/bug/?i=3808
 [44] = https://curl.haxx.se/bug/?i=3805
 [45] = https://curl.haxx.se/bug/?i=3809
 [46] = https://curl.haxx.se/bug/?i=3769
 [47] = https://curl.haxx.se/bug/?i=3801
 [48] = https://curl.haxx.se/bug/?i=3488
 [49] = https://curl.haxx.se/bug/?i=3817
 [50] = https://curl.haxx.se/bug/?i=3833
 [51] = https://curl.haxx.se/bug/?i=3829
 [52] = https://curl.haxx.se/bug/?i=3537
 [53] = https://curl.haxx.se/bug/?i=3726
 [54] = https://curl.haxx.se/bug/?i=3570
 [55] = https://curl.haxx.se/bug/?i=3771
 [56] = https://curl.haxx.se/bug/?i=3807
 [57] = https://curl.haxx.se/bug/?i=3846
 [58] = https://curl.haxx.se/bug/?i=3838
 [59] = https://curl.haxx.se/bug/?i=3834
 [60] = https://curl.haxx.se/bug/?i=3837
 [61] = https://curl.haxx.se/bug/?i=3869
 [62] = https://curl.haxx.se/bug/?i=3818
 [63] = https://curl.haxx.se/bug/?i=3866
 [64] = https://curl.haxx.se/bug/?i=3867
 [65] = https://curl.haxx.se/bug/?i=3861
 [66] = https://curl.haxx.se/bug/?i=3850
 [67] = https://curl.haxx.se/bug/?i=3862
 [68] = https://curl.haxx.se/bug/?i=3860
 [69] = https://curl.haxx.se/bug/?i=3856
 [70] = https://curl.haxx.se/bug/?i=3858
 [71] = https://curl.haxx.se/bug/?i=3885
 [72] = https://curl.haxx.se/bug/?i=3878
 [73] = https://curl.haxx.se/bug/?i=3880
 [74] = https://curl.haxx.se/bug/?i=3824
 [75] = https://curl.haxx.se/bug/?i=3711
 [76] = https://curl.haxx.se/bug/?i=3863
 [77] = https://curl.haxx.se/bug/?i=3894
 [78] = https://curl.haxx.se/bug/?i=3844
 [79] = https://curl.haxx.se/bug/?i=3895
 [80] = https://curl.haxx.se/bug/?i=3887
 [81] = https://curl.haxx.se/bug/?i=3876
 [82] = https://curl.haxx.se/docs/CVE-2019-5436.html
 [83] = https://curl.haxx.se/bug/?i=3873
 [84] = https://curl.haxx.se/bug/?i=3905
 [85] = https://curl.haxx.se/bug/?i=3892
 [86] = https://curl.haxx.se/bug/?i=3906
 [87] = https://curl.haxx.se/docs/CVE-2019-5435.html
 [88] = https://curl.haxx.se/bug/?i=3908
 [89] = https://curl.haxx.se/bug/?i=3902