1 Curl and libcurl 7.62.0
3 Public curl releases: 177
4 Command line options: 219
5 curl_easy_setopt() options: 261
6 Public functions in libcurl: 80
9 This release includes the following changes:
11 o multiplex: enable by default [4]
12 o url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled [4]
13 o setopt: add CURLOPT_DOH_URL [7]
14 o curl: --doh-url added [7]
15 o setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size [8]
16 o imap: change from "FETCH" to "UID FETCH" [9]
17 o configure: add option to disable automatic OpenSSL config loading [10]
18 o upkeep: add a connection upkeep API: curl_easy_upkeep() [11]
19 o URL-API: added five new functions [12]
20 o vtls: MesaLink is a new TLS backend [23]
22 This release includes the following bugfixes:
24 o CVE-2018-16839: SASL password overflow via integer overflow [107]
25 o CVE-2018-16840: use-after-free in handle close [108]
26 o CVE-2018-16842: warning message out-of-buffer read [114]
27 o CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated [5]
28 o Curl_dedotdotify(): always nul terminate returned string [46]
29 o Curl_follow: Always free the passed new URL [87]
30 o Curl_http2_done: fix memleak in error path [51]
31 o Curl_retry_request: fix memory leak [49]
32 o Curl_saferealloc: Fixed typo in docblock [40]
33 o FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output [78]
34 o GnutTLS: TLS 1.3 support [39]
35 o SECURITY-PROCESS: mention the bountygraph program [42]
36 o VS projects: add USE_IPV6: [91]
37 o Windows: fixes for MinGW targeting Windows Vista [82]
38 o anyauthput: fix compiler warning on 64-bit Windows [21]
39 o appveyor: add WinSSL builds [81]
40 o appveyor: run test suite (on Windows!) [65]
41 o certs: generate tests certs with sha256 digest algorithm [37]
42 o checksrc: enable strict mode and warnings [63]
43 o checksrc: handle zero scoped ignore commands [62]
44 o cmake: Backport to work with CMake 3.0 again [55]
45 o cmake: Improve config installation [60]
46 o cmake: add support for transitive ZLIB target [113]
47 o cmake: disable -Wpedantic-ms-format [84]
48 o cmake: don't require OpenSSL if USE_OPENSSL=OFF [35]
49 o cmake: fixed path used in generation of docs/tests [56]
50 o cmake: remove unused *SOCKLEN_T variables [102]
51 o cmake: suppress MSVC warning C4127 for libtest
52 o cmake: test and set missed defines during configuration [64]
53 o comment: Fix multiple typos in function parameters [69]
54 o config: Remove unused SIZEOF_VOIDP [104]
55 o config_win32: enable LDAPS [92]
56 o configure: force-use -lpthreads on HPUX [41]
57 o configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T [101]
58 o configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE [53]
59 o cookies: Remove redundant expired check [14]
60 o cookies: fix leak when writing cookies to file [15]
61 o curl-config.in: remove dependency on bc [99]
62 o curl.1: --ipv6 mutexes ipv4 (fixed typo) [98]
63 o curl: enabled Windows VT Support and UTF-8 output [57]
64 o curl: update the documentation of --tlsv1.0 [17]
65 o curl_multi_wait: call getsock before figuring out timeout [34]
66 o curl_ntlm_wb: check aprintf() return codes [75]
67 o curl_threads: fix classic MinGW compile break [54]
68 o darwinssl: Fix realloc memleak [32]
69 o darwinssl: more specific and unified error codes [6]
70 o data-binary.d: clarify default content-type is x-www-form-urlencoded [71]
71 o docs/BUG-BOUNTY: explain the bounty program [76]
72 o docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers [89]
73 o docs/CIPHERS: fix the TLS 1.3 cipher names [95]
74 o docs/CIPHERS: mention the colon separation for OpenSSL [73]
75 o docs/examples: URL updates [45]
76 o docs: add "see also" links for SSL options [85]
77 o example/asiohiper: insert warning comment about its status [18]
78 o example/htmltidy: fix include paths of tidy libraries [52]
79 o examples/Makefile.m32: sync with core [44]
80 o examples/http2-pushinmemory: receive HTTP/2 pushed files in memory [33]
81 o examples/parseurl.c: show off the URL API [43]
82 o examples: Fix memory leaks from realloc errors [31]
83 o examples: do not wait when no transfers are running [16]
84 o ftp: include command in Curl_ftpsend sendbuffer [25]
85 o gskit: make sure to terminate version string [79]
86 o gtls: Values stored to but never read [97]
87 o hostip: fix check on Curl_shuffle_addr return value [77]
88 o http2: fix memory leaks on error-path [29]
89 o http: fix memleak in rewind error path [50]
90 o krb5: fix memory leak in krb_auth [25]
91 o ldap: show precise LDAP call in error message on Windows [83]
92 o lib: fix gcc8 warning on Windows [20]
93 o memory: add missing curl_printf header [30]
94 o memory: ensure to check allocation results [68]
95 o multi: Fix error handling in the SENDPROTOCONNECT state [112]
96 o multi: fix memory leak in content encoding related error path [59]
97 o multi: make the closure handle "inherit" CURLOPT_NOSIGNAL [90]
98 o netrc: free temporary strings if memory allocation fails [103]
99 o nss: fix nssckbi module loading on Windows [70]
100 o nss: try to connect even if libnssckbi.so fails to load [36]
101 o ntlm_wb: Fix memory leaks in ntlm_wb_response [24]
102 o ntlm_wb: bail out if the response gets overly large [13]
103 o openssl: assume engine support in 0.9.8 or later [27]
104 o openssl: enable TLS 1.3 post-handshake auth [47]
105 o openssl: fix gcc8 warning [19]
106 o openssl: load built-in engines too [48]
107 o openssl: make 'done' a proper boolean [97]
108 o openssl: output the correct cipher list on TLS 1.3 error [95]
109 o openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer [6]
110 o openssl: show "proper" version number for libressl builds [28]
111 o pipelining: deprecated [1]
112 o rand: add comment to skip a clang-tidy false positive
113 o rtmp: fix for compiling with lwIP [100]
114 o runtests: ignore disabled even when ranges are given [74]
115 o runtests: skip ld_preload tests on macOS [80]
116 o runtests: use Windows paths for Windows curl
117 o schannel: unified error code handling [6]
118 o sendf: Fix whitespace in infof/failf concatenation [26]
119 o ssh: free the session on init failures [96]
120 o ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code [6]
121 o system.h: use proper setting with Sun C++ as well [109]
122 o test1299: use single quotes around asterisk [72]
123 o test1452: mark as flaky [2]
124 o test1651: unit test Curl_extract_certinfo() [110]
125 o test320: strip out more HTML when comparing [66]
126 o tests/negtelnetserver.py: fix Python2-ism in neg TELNET server [67]
127 o tests: add unit tests for url.c [3]
128 o timeval: fix use of weak symbol clock_gettime() on Apple platforms [61]
129 o tool_cb_hdr: handle failure of rename() [94]
130 o travis: add a "make tidy" build that runs clang-tidy [105]
131 o travis: add build for "configure --disable-verbose" [93]
132 o travis: bump the Secure Transport build to use xcode [58]
133 o travis: make distcheck scan for BOM markers [86]
134 o unit1300: fix stack-use-after-scope AddressSanitizer warning [106]
135 o urldata: Fix "connecting" comment
136 o urlglob: improve error message on bad globs [22]
137 o vtls: fix ssl version "or later" behavior change for many backends [38]
138 o x509asn1: Fix SAN IP address verification [88]
139 o x509asn1: always check return code from getASN1Element() [110]
140 o x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert [6]
141 o x509asn1: suppress left shift on signed value [111]
143 This release includes the following known bugs:
145 o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)
147 This release would not have looked like this without help, code, reports and
148 advice from friends like these:
150 Alexey Eremikhin, Brad King, Brian Carpenter, Christian Heimes, Colin Hogben,
151 Daniel Gustafsson, Daniel Shahaf, Daniel Stenberg, Dario Weißer,
152 Dave Reisner, Dima Pasechnik, Dmitry Kostjuchenko, Doron Behar,
153 Eason-Yu on github, Erik Minekus, Even Rouault, Gisle Vanem, Han Han,
154 Harry Sintonen, jakirkham on github, Jean Fabrice, Jim Fuller, Kamil Dudka,
155 Loganaden Velvindron, Marcel Raad, Marc Hörsken, Martin Ankerl,
156 Matthew Whitehead, Max Dymond, Maxime Legros, Michael Kaufmann, Nate Prewitt,
157 Nicklas Avén, Nick Zitzmann, Patrick Monnerat, Philipp Waehnert, Rainer Jung,
158 Ray Satiro, Rich Turner, Rick Deist, Ricky-Tigg on github, Rikard Falkeborn,
159 Ruslan Baratov, Sergei Nikulov, Shaun Jackman, Thomas Glanzmann, Tuomo Rinne,
160 Viktor Szakats, Yiming Jing,
163 Thanks! (and sorry if I forgot to mention someone)
165 References to bug reports and discussions on issues:
167 [1] = https://curl.haxx.se/bug/?i=2705
168 [2] = https://curl.haxx.se/bug/?i=2941
169 [3] = https://curl.haxx.se/bug/?i=2937
170 [4] = https://curl.haxx.se/bug/?i=2709
171 [5] = https://curl.haxx.se/bug/?i=2942
172 [6] = https://curl.haxx.se/bug/?i=2901
173 [7] = https://curl.haxx.se/bug/?i=2668
174 [8] = https://curl.haxx.se/bug/?i=2896
175 [9] = https://curl.haxx.se/bug/?i=2789
176 [10] = https://curl.haxx.se/bug/?i=2724
177 [11] = https://curl.haxx.se/bug/?i=1641
178 [12] = https://curl.haxx.se/bug/?i=2842
179 [13] = https://curl.haxx.se/bug/?i=2959
180 [14] = https://curl.haxx.se/bug/?i=2962
181 [15] = https://curl.haxx.se/bug/?i=2957
182 [16] = https://curl.haxx.se/bug/?i=2948
183 [17] = https://curl.haxx.se/bug/?i=2955
184 [18] = https://curl.haxx.se/bug/?i=2407
185 [19] = https://curl.haxx.se/bug/?i=2980
186 [20] = https://curl.haxx.se/bug/?i=2979
187 [21] = https://curl.haxx.se/bug/?i=2972
188 [22] = https://curl.haxx.se/bug/?i=2763
189 [23] = https://curl.haxx.se/bug/?i=2984
190 [24] = https://curl.haxx.se/bug/?i=2966
191 [25] = https://curl.haxx.se/bug/?i=2985
192 [26] = https://curl.haxx.se/bug/?i=2986
193 [27] = https://curl.haxx.se/bug/?i=2983
194 [28] = https://curl.haxx.se/bug/?i=2989
195 [29] = https://curl.haxx.se/bug/?i=2992
196 [30] = https://curl.haxx.se/bug/?i=2999
197 [31] = https://curl.haxx.se/bug/?i=2991
198 [32] = https://curl.haxx.se/bug/?i=3005
199 [33] = https://curl.haxx.se/bug/?i=3004
200 [34] = https://curl.haxx.se/bug/?i=2996
201 [35] = https://curl.haxx.se/bug/?i=3001
202 [36] = https://curl.haxx.se/bug/?i=3016
203 [37] = https://curl.haxx.se/bug/?i=3014
204 [38] = https://curl.haxx.se/bug/?i=2969
205 [39] = https://curl.haxx.se/bug/?i=2971
206 [40] = https://curl.haxx.se/bug/?i=3029
207 [41] = https://curl.haxx.se/bug/?i=2697
208 [42] = https://curl.haxx.se/bug/?i=3032
209 [43] = https://curl.haxx.se/bug/?i=3030
210 [44] = https://curl.haxx.se/bug/?i=3033
211 [45] = https://curl.haxx.se/bug/?i=3036
212 [46] = https://curl.haxx.se/bug/?i=3039
213 [47] = https://curl.haxx.se/bug/?i=3026
214 [48] = https://curl.haxx.se/bug/?i=3023
215 [49] = https://curl.haxx.se/bug/?i=3042
216 [50] = https://curl.haxx.se/bug/?i=3044
217 [51] = https://curl.haxx.se/bug/?i=3046
218 [52] = https://curl.haxx.se/bug/?i=3050
219 [53] = https://curl.haxx.se/bug/?i=3006
220 [54] = https://github.com/curl/curl/issues/2924#issuecomment-424334807
221 [55] = https://curl.haxx.se/bug/?i=3055
222 [56] = https://curl.haxx.se/bug/?i=3056
223 [57] = https://curl.haxx.se/bug/?i=3008
224 [58] = https://curl.haxx.se/bug/?i=3062
225 [59] = https://curl.haxx.se/bug/?i=3063
226 [60] = https://curl.haxx.se/bug/?i=2849
227 [61] = https://curl.haxx.se/bug/?i=3048
228 [62] = https://curl.haxx.se/bug/?i=3096
229 [63] = https://curl.haxx.se/bug/?i=3090
230 [64] = https://curl.haxx.se/bug/?i=3097
231 [65] = https://curl.haxx.se/bug/?i=3100
232 [66] = https://curl.haxx.se/bug/?i=3093
233 [67] = https://curl.haxx.se/bug/?i=2929
234 [68] = https://curl.haxx.se/bug/?i=3084
235 [69] = https://curl.haxx.se/bug/?i=3079
236 [70] = https://curl.haxx.se/bug/?i=3086
237 [71] = https://curl.haxx.se/bug/?i=3085
238 [72] = https://github.com/curl/curl/issues/1751#issuecomment-321522580
239 [73] = https://curl.haxx.se/bug/?i=3077
240 [74] = https://curl.haxx.se/bug/?i=3075
241 [75] = https://curl.haxx.se/bug/?i=3111
242 [76] = https://curl.haxx.se/bug/?i=3067
243 [77] = https://curl.haxx.se/bug/?i=3110
244 [78] = https://curl.haxx.se/bug/?i=3083
245 [79] = https://curl.haxx.se/bug/?i=3105
246 [80] = https://curl.haxx.se/bug/?i=2394
247 [81] = https://curl.haxx.se/bug/?i=3104
248 [82] = https://curl.haxx.se/bug/?i=3113
249 [83] = https://curl.haxx.se/bug/?i=3118
250 [84] = https://curl.haxx.se/bug/?i=3120
251 [85] = https://curl.haxx.se/bug/?i=3121
252 [86] = https://curl.haxx.se/bug/?i=3126
253 [87] = https://curl.haxx.se/bug/?i=3124
254 [88] = https://curl.haxx.se/bug/?i=3102
255 [89] = https://curl.haxx.se/bug/?i=3159
256 [90] = https://curl.haxx.se/bug/?i=3138
257 [91] = https://curl.haxx.se/bug/?i=3137
258 [92] = https://curl.haxx.se/bug/?i=3137
259 [93] = https://curl.haxx.se/bug/?i=3144
260 [94] = https://curl.haxx.se/bug/?i=3140
261 [95] = https://curl.haxx.se/bug/?i=3178
262 [96] = https://curl.haxx.se/bug/?i=3179
263 [97] = https://curl.haxx.se/bug/?i=3176
264 [98] = https://curl.haxx.se/bug/?i=3171
265 [99] = https://curl.haxx.se/bug/?i=3143
266 [100] = https://curl.haxx.se/bug/?i=3155
267 [101] = https://curl.haxx.se/bug/?i=3168
268 [102] = https://curl.haxx.se/bug/?i=3166
269 [103] = https://curl.haxx.se/bug/?i=3122
270 [104] = https://curl.haxx.se/bug/?i=3162
271 [105] = https://curl.haxx.se/bug/?i=3182
272 [106] = https://curl.haxx.se/bug/?i=3182
273 [107] = https://curl.haxx.se/docs/CVE-2018-16839.html
274 [108] = https://curl.haxx.se/docs/CVE-2018-16840.html
275 [109] = https://curl.haxx.se/bug/?i=3181
276 [110] = https://curl.haxx.se/bug/?i=3163
277 [111] = https://curl.haxx.se/bug/?i=3163
278 [112] = https://curl.haxx.se/bug/?i=3170
279 [113] = https://curl.haxx.se/bug/?i=3123
280 [114] = https://curl.haxx.se/docs/CVE-2018-16842.html
projects / platform / upstream / curl.git / blob