1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
curl and libcurl 7.66.0
Public curl releases: 185
Command line options: 225
curl_easy_setopt() options: 269
Public functions in libcurl: 81
Contributors: 1991
This release includes the following changes:
o CURLINFO_RETRY_AFTER: parse the Retry-After header value [35]
o HTTP3: initial (experimental still not working) support [5]
o curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool [27]
o curl: support parallel transfers with -Z [4]
o curl_multi_poll: a sister to curl_multi_wait() that waits more [28]
o sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID [27]
This release includes the following bugfixes:
o CVE-2019-5481: FTP-KRB double-free [64]
o CVE-2019-5482: TFTP small blocksize heap buffer overflow [65]
o CI: remove duplicate configure flag for LGTM.com
o CMake: remove needless newlines at end of gss variables
o CMake: use platform dependent name for dlopen() library [62]
o CURLINFO docs: mention that in redirects times are added [55]
o CURLOPT_ALTSVC.3: use a "" file name to not load from a file
o CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
o CURLOPT_HEADERFUNCTION.3: clarify [54]
o CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly [33]
o CURLOPT_READFUNCTION.3: provide inline example
o CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 [51]
o Curl_addr2string: take an addrlen argument too [61]
o Curl_fillreadbuffer: avoid double-free trailer buf on error [66]
o HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown [10]
o alt-svc: add protocol version selection masking [31]
o alt-svc: fix removal of expired cache entry [30]
o alt-svc: make it use h3-22 with ngtcp2 as well
o alt-svc: more liberal ALPN name parsing [17]
o alt-svc: send Alt-Used: in redirected requests [32]
o alt-svc: with quiche, use the quiche h3 alpn string [16]
o appveyor: pass on -k to make
o asyn-thread: create a socketpair to wait on [14]
o build-openssl: fix build with Visual Studio 2019 [45]
o cleanup: move functions out of url.c and make them static [58]
o cleanup: remove the 'numsocks' argument used in many places [25]
o configure: avoid undefined check_for_ca_bundle [37]
o curl.h: add CURL_HTTP_VERSION_3 to the version enum
o curl.h: fix outdated comment [23]
o curl: cap the maximum allowed values for retry time arguments [13]
o curl: handle a libcurl build without netrc support [63]
o curl: make use of CURLINFO_RETRY_AFTER when retrying [35]
o curl: remove outdated comment [24]
o curl: use .curlrc (with a dot) on Windows [52]
o curl: use CURLINFO_PROTOCOL to check for HTTP(s)
o curl_global_init_mem.3: mention it was added in 7.12.0
o curl_version: bump string buffer size to 250
o curl_version_info.3: mentioned ALTSVC and HTTP3
o curl_version_info: offer quic (and h3) library info [38]
o curl_version_info: provide nghttp2 details [2]
o defines: avoid underscore-prefixed defines [47]
o docs/ALTSVC: remove what works and the experimental explanation [34]
o docs/EXPERIMENTAL: explain what it means and what's experimental now
o docs/MANUAL.md: converted to markdown from plain text [3]
o docs/examples/curlx: fix errors [48]
o docs: s/curl_debug/curl_dbg_debug in comments and docs [36]
o easy: resize receive buffer on easy handle reset [9]
o examples: Avoid reserved names in hiperfifo examples [8]
o examples: add http3.c, altsvc.c and http3-present.c [40]
o getenv: support up to 4K environment variable contents on windows [21]
o http09: disable HTTP/0.9 by default in both tool and library [29]
o http2: when marked for closure and wanted to close == OK [56]
o http2_recv: trigger another read when the last data is returned [11]
o http: fix use of credentials from URL when using HTTP proxy [44]
o http_negotiate: improve handling of gss_init_sec_context() failures [18]
o md4: Use our own MD4 when no crypto libraries are available [15]
o multi: call detach_connection before Curl_disconnect [6]
o netrc: make the code try ".netrc" on Windows [52]
o nss: use TLSv1.3 as default if supported [39]
o openssl: build warning free with boringssl [50]
o openssl: use SSL_CTX_set_<min|max>_proto_version() when available [68]
o plan9: add support for running on Plan 9 [22]
o progress: reset download/uploaded counter between transfers [12]
o readwrite_data: repair setting the TIMER_STARTTRANSFER stamp [26]
o scp: fix directory name length used in memcpy [46]
o smb: init *msg to NULL in smb_send_and_recv() [60]
o smtp: check for and bail out on too short EHLO response [59]
o source: remove names from source comments [1]
o spnego_sspi: add typecast to fix build warning [49]
o src/makefile: fix uncompressed hugehelp.c generation [19]
o ssh-libssh: do not specify O_APPEND when not in append mode [7]
o ssh: move code into vssh for SSH backends [53]
o sspi: fix memory leaks [67]
o tests: Replace outdated test case numbering documentation [43]
o tftp: return error when packet is too small for options
o timediff: make it 64 bit (if possible) even with 32 bit time_t [20]
o travis: reduce number of torture tests in 'coverage' [42]
o url: make use of new HTTP version if alt-svc has one [16]
o urlapi: verify the IPv6 numerical address [69]
o urldata: avoid 'generic', use dedicated pointers [57]
o vauth: Use CURLE_AUTH_ERROR for auth function errors [41]
This release includes the following known bugs:
o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)
This release would not have looked like this without help, code, reports and
advice from friends like these:
Alessandro Ghedini, Alex Mayorga, Amit Katyal, Balazs Kovacsics,
Brad Spencer, Brandon Dong, Carlo Marcelo Arenas Belón, Christopher Head,
Clément Notin, codesniffer13 on github, Daniel Gustafsson, Daniel Stenberg,
Dominik Hölzl, Eric Wong, Felix Hädicke, Gergely Nagy, Gisle Vanem,
Igor Makarov, Ironbars13 on github, Jason Lee, Jeremy Lainé,
Jonathan Cardoso Machado, Junho Choi, Kamil Dudka, Kyle Abramowitz,
Kyohei Kadota, Lance Ware, Marcel Raad, Max Dymond, Michael Lee,
Michal Čaplygin, migueljcrum on github, Mike Crowe, niallor on github,
osabc on github, patnyb on github, Patrick Monnerat, Peter Wu, Ray Satiro,
Rolf Eike Beer, Steve Holme, Tatsuhiro Tsujikawa, The Infinnovation team,
Thomas Vegas, Tom van der Woerdt, Yiming Jing,
(46 contributors)
Thanks! (and sorry if I forgot to mention someone)
References to bug reports and discussions on issues:
[1] = https://curl.haxx.se/bug/?i=4129
[2] = https://curl.haxx.se/bug/?i=4121
[3] = https://curl.haxx.se/bug/?i=4131
[4] = https://curl.haxx.se/bug/?i=3804
[5] = https://curl.haxx.se/bug/?i=3500
[6] = https://curl.haxx.se/bug/?i=4144
[7] = https://curl.haxx.se/bug/?i=4147
[8] = https://curl.haxx.se/bug/?i=4153
[9] = https://curl.haxx.se/bug/?i=4143
[10] = https://curl.haxx.se/bug/?i=4138
[11] = https://curl.haxx.se/bug/?i=4043
[12] = https://curl.haxx.se/bug/?i=4084
[13] = https://curl.haxx.se/bug/?i=4166
[14] = https://curl.haxx.se/bug/?i=4157
[15] = https://curl.haxx.se/bug/?i=3780
[16] = https://curl.haxx.se/bug/?i=4183
[17] = https://curl.haxx.se/bug/?i=4182
[18] = https://curl.haxx.se/bug/?i=3992
[19] = https://curl.haxx.se/bug/?i=4176
[20] = https://curl.haxx.se/bug/?i=4165
[21] = https://curl.haxx.se/bug/?i=4174
[22] = https://curl.haxx.se/bug/?i=3701
[23] = https://curl.haxx.se/bug/?i=4167
[24] = https://curl.haxx.se/bug/?i=4172
[25] = https://curl.haxx.se/bug/?i=4169
[26] = https://curl.haxx.se/bug/?i=4136
[27] = https://curl.haxx.se/bug/?i=3653
[28] = https://curl.haxx.se/bug/?i=4163
[29] = https://curl.haxx.se/bug/?i=4191
[30] = https://curl.haxx.se/bug/?i=4192
[31] = https://curl.haxx.se/bug/?i=4201
[32] = https://curl.haxx.se/bug/?i=4199
[33] = https://curl.haxx.se/bug/?i=4197
[34] = https://curl.haxx.se/bug/?i=4198
[35] = https://curl.haxx.se/bug/?i=3794
[36] = https://curl.haxx.se/bug/?i=3794
[37] = https://curl.haxx.se/bug/?i=4213
[38] = https://curl.haxx.se/bug/?i=4216
[39] = https://curl.haxx.se/bug/?i=4187
[40] = https://curl.haxx.se/bug/?i=4221
[41] = https://curl.haxx.se/bug/?i=3848
[42] = https://curl.haxx.se/bug/?i=4223
[43] = https://curl.haxx.se/bug/?i=4227
[44] = https://curl.haxx.se/bug/?i=4228
[45] = https://curl.haxx.se/bug/?i=4188
[46] = https://curl.haxx.se/bug/?i=4258
[47] = https://curl.haxx.se/bug/?i=4254
[48] = https://curl.haxx.se/bug/?i=4248
[49] = https://curl.haxx.se/bug/?i=4245
[50] = https://curl.haxx.se/bug/?i=4244
[51] = https://curl.haxx.se/bug/?i=4241
[52] = https://curl.haxx.se/bug/?i=4230
[53] = https://curl.haxx.se/bug/?i=4235
[54] = https://curl.haxx.se/bug/?i=4273
[55] = https://curl.haxx.se/bug/?i=4250
[56] = https://curl.haxx.se/bug/?i=4267
[57] = https://curl.haxx.se/bug/?i=4290
[58] = https://curl.haxx.se/bug/?i=4289
[59] = https://curl.haxx.se/bug/?i=4287
[60] = https://curl.haxx.se/bug/?i=4286
[61] = https://curl.haxx.se/bug/?i=4283
[62] = https://curl.haxx.se/bug/?i=4279
[63] = https://curl.haxx.se/bug/?i=4302
[64] = https://curl.haxx.se/docs/CVE-2019-5481.html
[65] = https://curl.haxx.se/docs/CVE-2019-5482.html
[66] = https://curl.haxx.se/bug/?i=4307
[67] = https://curl.haxx.se/bug/?i=4299
[68] = https://curl.haxx.se/bug/?i=4304
[69] = https://curl.haxx.se/bug/?i=4315
|