aboutsummaryrefslogtreecommitdiff
path: root/RELEASE-NOTES
blob: 0d8d27817e7d21a8858c9bebe4e4cbd6b0f23c26 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
Curl and libcurl 7.61.1

 Public curl releases:         176
 Command line options:         218
 curl_easy_setopt() options:   258
 Public functions in libcurl:  74
 Contributors:                 1787

This release includes the following bugfixes:

 o security advisory (CVE-2018-14618): NTLM password overflow via integer overflow [73]
 o CURLINFO_SIZE_UPLOAD: fix missing counter update [46]
 o CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
 o CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse [72]
 o Curl_getoff_all_pipelines: improved for multiplexed [3]
 o DEPRECATE: remove release date from 7.62.0
 o HTTP: Don't attempt to needlessly decompress redirect body [30]
 o INTERNALS: require GnuTLS >= 2.11.3 [62]
 o README.md: add LGTM.com code quality grade for C/C++ [42]
 o SSLCERTS: improve the openssl command line
 o Silence GCC 8 cast-function-type warnings [47]
 o ares: check for NULL in completed-callback [3]
 o asyn-thread: Remove unused macro [40]
 o auth: only pick CURLAUTH_BEARER if we *have* a Bearer token [15]
 o auth: pick Bearer authentication whenever a token is available [15]
 o cmake: CMake config files are defining CURL_STATICLIB for static builds [54]
 o cmake: Respect BUILD_SHARED_LIBS [35]
 o cmake: Update scripts to use consistent style [9]
 o cmake: bumped minimum version to 3.4 [34]
 o cmake: link curl to the OpenSSL targets instead of lib absolute paths [34]
 o configure: conditionally enable pedantic-errors [64]
 o configure: fix for -lpthread detection with OpenSSL and pkg-config [38]
 o conn: remove the boolean 'inuse' field [3]
 o content_encoding: accept up to 4 unknown trailer bytes after raw deflate data [5]
 o cookie tests: treat files as text
 o cookies: support creation-time attribute for cookies [75]
 o curl: Fix segfault when -H @headerfile is empty [23]
 o curl: add http code 408 to transient list for --retry [78]
 o curl: fix time-of-check, time-of-use race in dir creation [71]
 o curl: use Content-Disposition before the "URL end" for -OJ [29]
 o curl: warn the user if a given file name looks like an option [56]
 o curl_threads: silence bad-function-cast warning [69]
 o darwinssl: add support for ALPN negotiation [7]
 o docs/CURLOPT_URL: fix indentation [20]
 o docs/CURLOPT_WRITEFUNCTION: size is always 1 [19]
 o docs/SECURITY-PROCESS: mention bounty, drop pre-notify
 o docs/examples: add hiperfifo example using linux epoll/timerfd [21]
 o docs: add disallow-username-in-url.d and haproxy-protocol.d to dist [50]
 o docs: clarify NO_PROXY env variable functionality [70]
 o docs: improved the manual pages of some callbacks [48]
 o docs: mention NULL is fine input to several functions [43]
 o formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT [40]
 o gopher: Do not translate `?' to `%09' [67]
 o header output: switch off all styles, not just unbold [8]
 o hostip: fix unused variable warning
 o http2: Use correct format identifier for stream_id [77]
 o http2: abort the send_callback if not setup yet [63]
 o http2: avoid set_stream_user_data() before stream is assigned [61]
 o http2: check nghttp2_session_set_stream_user_data return code [55]
 o http2: clear the drain counter in Curl_http2_done [27]
 o http2: make sure to send after RST_STREAM [58]
 o http2: separate easy handle from connections better [12]
 o http: fix for tiny "HTTP/0.9" response [51]
 o http_proxy: Remove unused macro SELECT_TIMEOUT [40]
 o lib/Makefile: only do symbol hiding if told to [32]
 o lib1502: fix memory leak in torture test [44]
 o lib1522: fix curl_easy_setopt argument type
 o libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation [66]
 o mime: check Curl_rand_hex's return code [22]
 o multi: always do the COMPLETED procedure/state [3]
 o openssl: assume engine support in 1.0.0 or later [2]
 o openssl: fix debug messages [39]
 o projects: Improve Windows perl detection in batch scripts [49]
 o retry: return error if rewind was necessary but didn't happen [28]
 o reuse_conn(): memory leak - free old_conn->options [17]
 o schannel: client certificate store opening fix [68]
 o schannel: enable CALG_TLS1PRF for w32api >= 5.1
 o schannel: fix MinGW compile break [1]
 o sftp: don't send post-qoute sequence when retrying a connection [79]
 o smb: fix memory leak on early failure [26]
 o smb: fix memory-leak in URL parse error path [4]
 o smb_getsock: always wait for write socket too [11]
 o ssh-libssh: fix infinite connect loop on invalid private key [53]
 o ssh-libssh: reduce excessive verbose output about pubkey auth [53]
 o ssh-libssh: use FALLTHROUGH to silence gcc8 [76]
 o ssl: set engine implicitly when a PKCS#11 URI is provided [36]
 o sws: handle EINTR when calling select() [24]
 o system_win32: fix version checking [16]
 o telnet: Remove unused macros TELOPTS and TELCMDS [40]
 o test1143: disable MSYS2's POSIX path conversion [10]
 o test1148: disable if decimal separator is not point [65]
 o test1307: (fnmatch testing) disabled [31]
 o test1422: add required file feature [6]
 o test1531: Add timeout [41]
 o test1540: Remove unused macro TEST_HANG_TIMEOUT [40]
 o test214: disable MSYS2's POSIX path conversion for URL
 o test320: treat curl320.out file as binary [14]
 o tests/http_pipe.py: Use /usr/bin/env to find python
 o tests: Don't use Windows path %PWD for SSH tests [74]
 o tests: fixes for Windows line endlings [13]
 o tool_operate: Fix setting proxy TLS 1.3 ciphers
 o travis: build darwinssl on macos 10.12 to fix linker errors [33]
 o travis: execute "set -eo pipefail" for coverage build [45]
 o travis: run a 'make checksrc' too [25]
 o travis: update to GCC-8 [52]
 o travis: verify that man pages can be regenerated [50]
 o upload: allocate upload buffer on-demand [60]
 o upload: change default UPLOAD_BUFSIZE to 64KB [60]
 o urldata: remove unused pipe_broke struct field [57]
 o vtls: reinstantiate engine on duplicated handles [59]
 o windows: implement send buffer tuning [37]
 o wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random [18]

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

  adnn on github, Anderson Toshiyuki Sasaki, Andrei Virtosu, Anton Gerasimov,
  Bas van Schaik, Carie Pointer, Christopher Head, clbr on github,
  Dan Fandrich, Daniel Gustafsson, Daniel Jeliński, Daniel Stenberg,
  Darío Hereñú, Even Rouault, Harry Sintonen, Ihor Karpenko, Jakub Zakrzewski,
  Jeffrey Walton, Jeroen Ooms, Johannes Schindelin, John Butterfield,
  Josh Bialkowski, Kamil Dudka, Kirill Marchuk, Laurent Bonnans,
  Leonardo Taccari, Marcel Raad, Markus Elfring, Michael Kaufmann,
  Nick Zitzmann, Nikos Mavrogiannopoulos, Patrick Monnerat, Paul Howarth,
  Przemysław Tomaszewski, pszemus on github, Ran Mozes, Ray Satiro,
  Rikard Falkeborn, Rodger Combs, Ruslan Baratov, Sergei Nikulov,
  Thomas Klausner, Tobias Blomberg, Viktor Szakats, Zero King, Zhaoyang Wu,
  (46 contributors)

        Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

 [1] = https://github.com/curl/curl/pull/2721#issuecomment-403636043
 [2] = https://curl.haxx.se/bug/?i=2732
 [3] = https://curl.haxx.se/bug/?i=2733
 [4] = https://curl.haxx.se/bug/?i=2740
 [5] = https://curl.haxx.se/bug/?i=2719
 [6] = https://curl.haxx.se/bug/?i=2741
 [7] = https://curl.haxx.se/bug/?i=2731
 [8] = https://curl.haxx.se/bug/?i=2736
 [9] = https://curl.haxx.se/bug/?i=2727
 [10] = https://curl.haxx.se/bug/?i=2765
 [11] = https://curl.haxx.se/bug/?i=2768
 [12] = https://curl.haxx.se/bug/?i=2751
 [13] = https://curl.haxx.se/bug/?i=2772
 [14] = https://curl.haxx.se/bug/?i=2776
 [15] = https://curl.haxx.se/bug/?i=2754
 [16] = https://curl.haxx.se/bug/?i=2792
 [17] = https://curl.haxx.se/bug/?i=2790
 [18] = https://curl.haxx.se/bug/?i=2784
 [19] = https://curl.haxx.se/bug/?i=2787
 [20] = https://curl.haxx.se/bug/?i=2788
 [21] = https://curl.haxx.se/bug/?i=2804
 [22] = https://curl.haxx.se/bug/?i=2795
 [23] = https://curl.haxx.se/bug/?i=2797
 [24] = https://curl.haxx.se/bug/?i=2808
 [25] = https://curl.haxx.se/bug/?i=2811
 [26] = https://curl.haxx.se/bug/?i=2769
 [27] = https://curl.haxx.se/bug/?i=2800
 [28] = https://curl.haxx.se/bug/?i=2801
 [29] = https://curl.haxx.se/bug/?i=2783
 [30] = https://curl.haxx.se/bug/?i=2798
 [31] = https://curl.haxx.se/bug/?i=2825
 [32] = https://curl.haxx.se/bug/?i=2830
 [33] = https://curl.haxx.se/bug/?i=2835
 [34] = https://curl.haxx.se/bug/?i=2753
 [35] = https://curl.haxx.se/bug/?i=2755
 [36] = https://curl.haxx.se/bug/?i=2333
 [37] = https://curl.haxx.se/mail/lib-2018-07/0080.html
 [38] = https://curl.haxx.se/bug/?i=2848
 [39] = https://curl.haxx.se/bug/?i=2806
 [40] = https://curl.haxx.se/bug/?i=2852
 [41] = https://curl.haxx.se/bug/?i=2853
 [42] = https://curl.haxx.se/bug/?i=2857
 [43] = https://curl.haxx.se/bug/?i=2837
 [44] = https://curl.haxx.se/bug/?i=2861
 [45] = https://curl.haxx.se/bug/?i=2862
 [46] = https://curl.haxx.se/bug/?i=2847
 [47] = https://curl.haxx.se/bug/?i=2860
 [48] = https://curl.haxx.se/bug/?i=2868
 [49] = https://curl.haxx.se/bug/?i=2865
 [50] = https://curl.haxx.se/bug/?i=2856
 [51] = https://curl.haxx.se/bug/?i=2420
 [52] = https://curl.haxx.se/bug/?i=2869
 [53] = https://curl.haxx.se/bug/?i=2879
 [54] = https://curl.haxx.se/bug/?i=2817
 [55] = https://curl.haxx.se/bug/?i=2880
 [56] = https://curl.haxx.se/bug/?i=2885
 [57] = https://curl.haxx.se/bug/?i=2871
 [58] = https://curl.haxx.se/bug/?i=2882
 [59] = https://curl.haxx.se/bug/?i=2829
 [60] = https://curl.haxx.se/bug/?i=2892
 [61] = https://curl.haxx.se/bug/?i=2894
 [62] = https://curl.haxx.se/bug/?i=2890
 [63] = https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012
 [64] = https://curl.haxx.se/bug/?i=2747
 [65] = https://curl.haxx.se/bug/?i=2786
 [66] = https://curl.haxx.se/bug/?i=2904
 [67] = https://curl.haxx.se/bug/?i=2910
 [68] = https://curl.haxx.se/mail/lib-2018-08/0198.html
 [69] = https://curl.haxx.se/bug/?i=2908
 [70] = https://curl.haxx.se/bug/?i=2773
 [71] = https://curl.haxx.se/bug/?i=2739
 [72] = https://curl.haxx.se/bug/?i=2915
 [73] = https://curl.haxx.se/docs/CVE-2018-14618.html
 [74] = https://curl.haxx.se/bug/?i=2920
 [75] = https://curl.haxx.se/bug/?i=2524
 [76] = https://curl.haxx.se/bug/?i=2922
 [77] = https://curl.haxx.se/bug/?i=2928
 [78] = https://curl.haxx.se/bug/?i=2925
 [79] = https://curl.haxx.se/bug/?i=2939