Name: curl | Distribution: openSUSE Tumbleweed |
Version: 8.10.0 | Vendor: openSUSE |
Release: 1.1 | Build date: Wed Sep 11 08:36:42 2024 |
Group: Unspecified | Build host: reproducible |
Size: 525308 | Source RPM: curl-8.10.0-1.1.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://curl.se | |
Summary: A Tool for Transferring Data from URLs |
Curl is a client to get documents and files from or send documents to a server using any of the supported protocols (HTTP, HTTPS, FTP, FTPS, TFTP, DICT, TELNET, LDAP, or FILE). The command is designed to work without user interaction or any kind of interactivity.
* Wed Sep 11 2024 Pedro Monreal <pmonreal@suse.com>
- Update to version 8.10.0:
  * Security fixes:
    - [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS
  * Changes:
    - curl: make --rate accept "number of units"
    - curl: make --show-headers the same as --include
    - curl: support --dump-header % to direct to stderr
    - curl: support embedding a CA bundle and --dump-ca-embed
    - curl: support repeated use of the verbose option; -vv etc
    - curl: use libuv for parallel transfers with --test-event
    - vtls: stop offering alpn http/1.1 for http2-prior-knowledge
  * Bugfixes:
    - curl: allow 500MB data URL encode strings
    - curl: warn on unsupported SSL options
    - Curl_rand_bytes to control env override
    - curl_sha512_256: fix symbol collisions with nettle library
    - dist: fix reproducible build from release tarball
    - http2: fix GOAWAY message sent to server
    - http2: improve rate limiting of downloads
    - INSTALL.md: MultiSSL and QUIC are mutually exclusive
    - lib: add eos flag to send methods
    - lib: make SSPI global symbols use Curl_ prefix
    - lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name
    - lib: remove the final strncpy() calls
    - lib: remove use of RANDOM_FILE
    - Makefile.mk: fixup enabling libidn2
    - max-filesize.md: mention zero disables the limit
    - mime: avoid infinite loop in client reader
    - ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
    - openssl quic: fix memory leak
    - openssl: certinfo errors now fail correctly
    - openssl: fix the data race when sharing an SSL session between threads
    - openssl: improve shutdown handling
    - POP3: fix multi-line responses
    - pop3: use the protocol handler ->write_resp
    - progress: ratelimit/progress tweaks
    - rand: only provide weak random when needed
    - sectransp: fix setting tls version
    - setopt: make CURLOPT_TFTP_BLKSIZE accept bad values
    - sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL
    - sigpipe: init the struct so that first apply ignores
    - smb: convert superfluous assign into assert
    - smtp: add tracing feature
    - spnego_gssapi: implement TLS channel bindings for openssl
    - src: delete `curlx_m*printf()` aliases
    - ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)
    - tool_operhlp: fix "potentially uninitialized local variable 'pc' used"
    - tool_paramhlp: bump maximum post data size in memory to 16GB
    - transfer: skip EOS read when download done
    - url: fix connection reuse for HTTP/2 upgrades
    - urlapi: verify URL *decoded* hostname when set
    - urldata: introduce `data->mid`, a unique identifier inside a multi
    - vtls: add SSLSUPP_CIPHER_LIST
    - vtls: fix static function name collisions between TLS backends
    - vtls: init ssl peer only once
    - websocket: introduce blocking sends
    - ws: flags to opcodes should ignore CURLWS_CONT flag
    - x509asn1: raise size limit for x509 certification information
  * Remove curl-sigpipe.patch upstream
  * Rebase curl-secure-getenv.patch

* Mon Aug 12 2024 Pedro Monreal <pmonreal@suse.com>
- Fix regression introduced in version 8.9.1:
  * sigpipe: init the struct so that first apply ignores
  * Add curl-sigpipe.patch

* Wed Jul 31 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.9.1:
  * Security fixes:
    - curl: ASN.1 date parser overread [bsc#1228535, CVE-2024-7264]
  * Bugfixes:
    - cmake: detect 'libssh' via 'pkg-config'
    - cmake: detect 'nettle' when building with GnuTLS
    - connect: fix connection shutdown for event based processing
    - curl: more defensive socket code for --ip-tos
    - CURLOPT_SSL_CTX_FUNCTION.md: mention CA caching
    - CURLSHOPT_SHARE.md: mention sessions/cookies as not thread-safe
    - ftpserver.pl: make POP3 LIST serve content from the test file
    - lib: survive some NULL input args
    - os400: build cli manual.
    - os400: workaround an IBM ASCII run-time library bug
    - transfer: speed limiting fix for 32bit systems
    - vtls: avoid forward declaration in MultiSSL builds
    - x509asn1: unittests and fixes for gtime2str

* Wed Jul 24 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.9.0:
  * Security fixes:
    - [bsc#1227888, CVE-2024-6197] curl: freeing stack buffer in utf8asn1str
    - [bsc#1228260, CVE-2024-6874] idn: tweak buffer use when converting with macidn
  * Changes:
    - curl: add --ip-tos (IP Type of Service / Traffic Class)
    - curl: add --mptcp
    - curl: add --vlan-priority
    - curl: add -w '%{num_retries}'
    - gnutls: support CA caching
    - mbedtls: support CURLOPT_CERTINFO
    - noproxy: patterns need to be comma separated
    - socket: support binding to interface *AND* IP
    - tcpkeepalive: add CURLOPT_TCP_KEEPCNT and --keepalive-cnt
    - urlapi: add CURLU_NO_GUESS_SCHEME
    - wolfssl: support CA caching
  * Bugfixes:
    - connection: shutdown TLS (for FTP) better
    - curl-config: revert to backticks to support old target envs
    - curl: allow etag and content-disposition for 3xx reply
    - curl: bsearch the --write-out variable name
    - curl: check for --disable case *sensitively*
    - doh: fix leak and zero-length HTTPS RR crash
    - file: separate fake headers and body with a stand-alone CRLF
    - ftp: remove redundant null pointer check in loop condition
    - gnutls: improve TLS shutdown
    - gnutls: pass in SNI name, not hostname when checking cert
    - hostip: skip error check for infallible function call
    - http/3: add shutdown support
    - http/3: resume upload on ack if we have more data to send
    - lib: add a few DEBUGASSERT(data) to aid code analyzers
    - lib: add failure reason on bind errors
    - lib: graceful connection shutdown
    - lib: xfer_setup and non-blocking shutdown
    - multi: add multi->proto_hash, a key-value store for protocol data
    - multi: do a final progress update on connect failure
    - multi: fix multi_wait() timeout handling
    - multi: fix pollset during RESOLVING phase
    - ngtcp2+quictls: fix cert-status use
    - noproxy: test bad ipv6 net size first
    - openssl/gnutls: rectify the TLS version checks for QUIC
    - openssl: fix hostname handling when using ECH
    - openssl: stop duplicate ssl key logging for legacy OpenSSL
    - quic: enable UDP GRO
    - quic: openssl quic, cmake and doc version update to 3.3.0
    - quic: require at least OpenSSL 3.3 for QUIC
    - quic: update to quiche 0.22.0
    - smtp: for starttls, do full upgrade
    - tool_operate: avoid explicitly setting verifypeer to 1
    - tool_writeout: get certinfo only when needing it
    - transfer: avoid polling socket every transfer loop
    - transfer: conn close on paused upload
    - transfer: do not use EXPIRE_NOW while blocked
    - transfer: remove curl_upload_refill_watermark, no longer used
    - transfer: set CSELECT_IN if there is data pending
    - url: allow DoH transfers to override max connection limit
    - x509asn1: add some common ECDSA OIDs
    - x509asn1: ASN1tostr() should fail when 'constructed' is set
    - x509asn1: fallback to dotted OID representation
    - x509asn1: prevent NULL dereference
    - x509asn1: remove superfluous free()
    - x509asn1: remove two static variables
  * Rebase libcurl-ocloexec.patch
  * Remove curl-make-install-curl-config.patch upstream

* Thu Jun 20 2024 Dirk Müller <dmueller@suse.com>
- add multibuild for minimal libcurl flavored build (useful for container environments)

* Thu Jun 20 2024 Dirk Müller <dmueller@suse.com>
- split zsh and fish completion into subpackages to have proper supplements

* Mon Jun 17 2024 Dirk Müller <dmueller@suse.com>
- remove mozilla-nss code (unsupported since 8.3.0)

* Fri May 24 2024 Pedro Monreal <pmonreal@suse.com>
- Fix make install for curl-config.1
  * docs/Makefile.am: make curl-config.1 install
  * Fixed upstream in: github.com/curl/curl/pull/13741
  * Add curl-make-install-curl-config.patch

* Wed May 22 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.8.0:
  * Changes:
    - curl_version_info: provide librtmp version
    - file: add support for directory listings
    - lib: add curl_multi_waitfds
    - NTLM_WB: drop support
    - TLS: add support for ECH (Encrypted Client Hello)
    - urlapi: add CURLU_GET_EMPTY for empty queries and fragments
  * Bugfixes:
    - build: prefer "USE_IPV6" macro internally (was: "ENABLE_IPV6")
    - cd2nroff/manage: use UTC when SOURCE_DATE_EPOCH is set
    - cf-socket: don't try getting local IP without socket
    - cf-socket: remove references to l_ip, l_port
    - configure: make --disable-docs imply --disable-manual
    - curl.h: change CURL_SSLVERSION_* from enum to defines
    - curl_path: make Curl_get_pathname use dynbuf
    - curl_sha512_256: do not use workaround for NetBSD when not needed
    - curl_sha512_256: fix detection of OpenSSL 1.1.1 or later
    - curl_url_get.md: clarify queries and fragments and CURLU_GET_EMPTY
    - DEPRECATE.md: TLS libraries without 1.3 support
    - digest: replace strcpy for empty string with simple assignment
    - doc: pytest "--repeat" -> "--count"
    - docs/cmdline-opts: mention STARTTLS for --ssl and --ssl-reqd
    - dynbuf: fix returncode on memory error
    - ftp: add tracing support
    - ftp: fix socket leak on rare error
    - gnutls: lazy init the trust settings
    - hsts: explicitly skip blank lines
    - http2 + ngtcp2: pass CURLcode errors from callbacks
    - http2, http3: decouple stream state from easy handle
    - http2: emit RST when client write fails
    - http: HEAD response body tolerance
    - http: reject HTTP major version switch mid connection
    - http: with chunked POST forced, disable length check on read callback
    - idn: make Curl_idnconvert_hostname() use Curl_idn_decode()
    - if2ip: make the buf_size arg a size_t
    - krb5: use dynbuf
    - lib/cf-h1-proxy: silence compiler warnings (gcc 14)
    - lib: add trace support for client reads and writes
    - lib: bump hash sizes to "size_t"
    - lib: clear the easy handle's saved errno before transfer
    - lib: make protocol handlers store scheme name lowercase
    - lib: merge "ENABLE_QUIC" C macro into "USE_HTTP3"
    - libssh2: set length to 0 if strdup failed
    - openssl: do not set SSL_MODE_RELEASE_BUFFERS
    - openssl: revert keylog_callback support for LibreSSL
    - OS400: fix shellcheck warnings in scripts
    - quiche: expire all active transfers on connection close
    - quiche: trust its timeout handling
    - tls: use shared init code for TCP+QUIC
    - tool_cfgable: free {proxy_}cipher13_list on exit
    - url: do not URL decode proxy credentials
    - url: fix use of an uninitialized variable
    - url: make parse_login_details use memdup0
    - urlapi: allow setting port number zero
    - version: use msnprintf instead of strncpy
    - vtls: TLS session storage overhaul
    - wakeup_create: use FD_CLOEXEC/SOCK_CLOEXEC
    - websocket: avoid memory leak in error path

* Wed May 22 2024 Dominique Leuenberger <dimstar@opensuse.org>
- Add split-provides for libcurl-devel -> libcurl-devel-doc.

* Mon May 20 2024 Jan Engelhardt <jengelh@inai.de>
- Spin documentation off to libcurl-devel-doc, this saves buildroots 495 files and time (mandb is run in %posttrans).

* Wed Mar 27 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.7.1:
  * Fixed empty tool_hugehelp.c file
- Update to 8.7.0:
  * Security fixes:
    - [bsc#1221665, CVE-2024-2004] Usage of disabled protocol
    - [bsc#1221667, CVE-2024-2398] HTTP/2 push headers memory-leak
    - [bsc#1221666, CVE-2024-2379] QUIC certificate check bypass with wolfSSL
    - [bsc#1221668, CVE-2024-2466] TLS certificate check bypass with mbedTLS
  * Changes:
    - configure: add --disable-docs flag
    - CURLINFO_USED_PROXY: return bool whether the proxy was used
    - digest: support SHA-512/256
  * Bugfixes:
    - asyn-thread: use wakeup_close to close the read descriptor
    - bufq: writing into a softlimit queue cannot be partial
    - cmake: add USE_OPENSSL_QUIC support
    - cookie: if psl fails, reject the cookie
    - curl: exit on config file parser errors
    - digest: add check for hashing error
    - docs/libcurl: add TLS backend info for all TLS options
    - file: use xfer buf for file:// transfers
    - ftp: do lineend conversions in client writer
    - ftp: fix socket wait activity in ftp_domore_getsock
    - http2: memory errors in the push callbacks are fatal
    - http2: push headers better cleanup
    - libssh/libssh2: return error on too big range
    - OpenSSL QUIC: adapt to v3.3.x
    - setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value
    - setopt: fix disabling all protocols
    - sha512_256: add support for GnuTLS and OpenSSL
    - smtp: fix STARTTLS
    - strtoofft: fix the overflow check
    - TIMER_STARTTRANSFER: set the same for everyone
    - TLS: start shutdown only when peer did not already close
    - tool_getparam: accept a blank -w ""
    - tool_getparam: handle non-existing (out of range) short-options
    - tool_operate: change precedence of server Retry-After time
    - transfer.c: break receive loop in speed limited transfers
    - version: allow building with ancient libpsl
    - vquic-tls: fix the error code returned for bad CA file
    - vtls: fix tls proxy peer verification
    - vtls: revert "receive max buffer" + add test case
    - VULN-DISCLOSURE-POLICY.md: update detail about CVE requests
    - websocket: fix curl_ws_recv()
  * Remove patch upstream:
    - 0001-vtls-revert-receive-max-buffer-add-test-case.patch

* Tue Mar 12 2024 Pedro Monreal <pmonreal@suse.com>
- Remove the nghttp2 version requirement as a version guard around the nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation function was added in curl 8.0.1.
  * Upstream commit: https://github.com/curl/curl/commit/744dcf22

* Thu Feb 08 2024 Fabian Vogt <fvogt@suse.com>
- Add patch to fix various TLS related issues including FTP over SSL transmission timeouts:
  * 0001-vtls-revert-receive-max-buffer-add-test-case.patch
- Switch to %autosetup

* Wed Jan 31 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 8.6.0: [bsc#1219149, CVE-2024-0853]
  * Security fixes:
    - CVE-2024-0853: OCSP verification bypass with TLS session reuse
  * Changes:
    - add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T
  * Bugfixes:
    - altsvc: free 'as' when returning error
    - asyn-ares: with modern c-ares, use its default timeout
    - cf-socket: show errno in tcpkeepalive error messages
    - cmdline-opts: update availability for the *-ca-native options
    - configure: when enabling QUIC, check that TLS supports QUIC
    - content_encoding: change return code to typedef'ed enum
    - curl: show ipfs and ipns as supported "protocols"
    - CURLINFO_REFERER.3: clarify that it is the *request* header
    - dist: add tests/errorcodes.pl to the tarball
    - gen.pl: support ## for doing .IP in table-like lists
    - GHA: bump ngtcp2, gnutls, mod_h2, quiche
    - hostip: return error immediately when Curl_ip2addr() fails
    - http3/quiche: fix result code on a stream reset
    - http3: initial support for OpenSSL 3.2 QUIC stack
    - http: check for "Host:" case insensitively
    - http: fix off-by-one error in request method length check
    - http: only act on 101 responses when they are HTTP/1.1
    - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
    - lib: error out on multissl + http3
    - lib: fix variable undeclared error caused by `infof` changes
    - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
    - lib: strndup/memdup instead of malloc, memcpy and null-terminate
    - libssh2: use `libssh2_session_callback_set2()` with v1.11.1
    - ngtcp2: put h3 at the front of alpn
    - openldap: fix an LDAP crash
    - openldap: fix STARTTLS
    - openssl: re-match LibreSSL deinit with init
    - rtsp: deal with borked server responses
    - sasl: make login option string override http auth
    - tool: prepend output_dir in header callback
    - tool_getparam: stop supporting `@filename` style for --cookie
    - transfer: fix upload rate limiting, add test cases
    - url: don't set default CA paths for Secure Transport backend
    - url: for disabled protocols, mention if found in redirect
    - vquic: extract TLS setup into own source
    - websockets: check for negative payload lengths
  * Remove patches fixed upstream:
    - curl-adjust-pollset-fix.patch
    - curl-tests-errorcodes.patch
  * Rebase dont-mess-with-rpmoptflags.patch

* Fri Jan 05 2024 Michael Pujos <pujos.michael@gmail.com>
- Added curl-adjust-pollset-fix.patch to fix broken MPD http streaming: https://github.com/curl/curl/issues/12632

* Wed Dec 06 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.5.0:
  * Security fixes:
    - [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
    - [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents
  * Changes:
    - gnutls: support CURLSSLOPT_NATIVE_CA
    - HTTP3: ngtcp2 builds are no longer experimental
  * Bugfixes:
    - asyn-thread: use pipe instead of socketpair for IPC when available
    - cmake: fix OpenSSL quic detection in quiche builds
    - conncache: use the closure handle when disconnecting surplus connections
    - content_encoding: make Curl_all_content_encodings allocless
    - cookie: lowercase the domain names before PSL checks
    - Curl_http_body: cleanup properly when Curl_getformdata errors
    - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
    - doh: provide better return code for responses w/o addresses
    - doh: use PIPEWAIT when HTTP/2 is attempted
    - duphandle: also free 'outcurl->cookies' in error path
    - duphandle: make dupset() not return with pointers to old alloced data
    - duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
    - easy: in duphandle, init the cookies for the new handle
    - easy_lock: add a pthread_mutex_t fallback
    - fopen: create new file using old file's mode
    - fopen: create short(er) temporary file name
    - getenv: PlayStation doesn't have getenv()
    - hostip: show the list of IPs when resolving is done
    - hsts: skip single-dot hostname
    - HTTP/2, HTTP/3: handle detach of ongoing transfers
    - http: allow longer HTTP/2 request method names
    - hyper: temporarily remove HTTP/2 support
    - IPFS: fix IPFS_PATH and file parsing
    - multi: during ratelimit multi_getsock should return no sockets
    - multi: use pipe instead of socketpair to *wakeup()
    - ngtcp2: fix races in stream handling
    - ntlm_wb: use pipe instead of socketpair when possible
    - openssl: avoid BN_num_bits() NULL pointer derefs
    - openssl: fix building with v3 `no-deprecated` + add CI test
    - openssl: fix infof() to avoid compiler warning for %s with null
    - openssl: identify the "quictls" backend correctly
    - openssl: include SIG and KEM algorithms in verbose
    - openssl: two multi pointer checks should probably rather be asserts
    - openssl: when a session-ID is reused, skip OCSP stapling
    - quic: make eyeballers connect retries stop at weird replies
    - quic: manage connection idle timeouts
    - setopt: check CURLOPT_TFTP_BLKSIZE range on set
    - socks: better buffer size checks for socks4a user and hostname
    - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
    - tool: fix --capath when proxy support is disabled
    - tool_getparam: limit --rate to be smaller than number of ms
    - transfer: abort pause send when connection is marked for closing
    - transfer: avoid calling the read callback again after EOF
    - transfer: only reset the FTP wildcard engine in CLEAR state
    - url: don't touch the multi handle when closing internal handles
    - urlapi: avoid null deref if setting blank host to url encode
    - urlapi: skip appending NULL pointer query
    - urlapi: when URL encoding the fragment, pass in the right length
    - vtls: cleanup SSL config management
    - vtls: consistently use typedef names for OpenSSL structs
    - vtls: late clone of connection ssl config
    - vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
  * Rebase curl-secure-getenv.patch
  * Add curl-tests-errorcodes.patch

* Wed Oct 11 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.4.0:
  * Security fixes:
    - SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545]
    - cookie injection with none file [bsc#1215889, CVE-2023-38546]
  * Changes:
    - curl: add support for the IPFS protocols via HTTP gateway
    - curl_multi_get_handles: get easy handles from a multi handle
    - mingw: delete support for legacy mingw.org toolchain
  * Bugfixes:
    - base64: also build for curl
    - cf-socket: simulate slow/blocked receives in debug
    - configure: check for the capath by default
    - connect: expire the timeout when trying next
    - connect: only start the happy eyeballs timer when needed
    - cookie: do not store the expire or max-age strings
    - cookie: remove unnecessary struct fields
    - cookie: set ->running in cookie_init even if data is NULL
    - create-dirs.d: clarify it also uses --output-dirs
    - http2: refused stream handling for retry
    - http: h1/h2 proxy unification
    - http: use per-request counter to check too large headers
    - idn: if idn2_check_version returns NULL, return error
    - lib: enable hmac for digest as well
    - lib: let the max filesize option stop too big transfers too
    - lib: move handling of 'data->req.writer_stack' into Curl_client_write()
    - lib: provide and use Curl_hexencode
    - lib: use wrapper for curl_mime_data fseek callback
    - libssh2: fix error message on failed pubkey-from-file
    - libssh: cap SFTP packet size sent
    - MQTT: improve receive of ACKs
    - multi: do CURLM_CALL_MULTI_PERFORM at two more places
    - multi: round the timeout up to prevent early wakeups
    - openssl: improve ssl shutdown handling
    - openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR
    - pytest: exclude test_03_goaway in CI runs due to timing dependency
    - quic: set ciphers/curves the same way regular TLS does
    - quiche: fix build error with --with-ca-fallback
    - socks: return error if hostname too long for remote resolve
    - tftpd: always use curl's own tftp.h
    - tool_getparam: accept variable expansion on file names too
    - upload-file.d: describe the file name slash/backslash handling
    - url: fall back to http/https proxy env-variable if ws/wss not set
    - url: fix netrc info message
    - wolfssh: do cleanup in Curl_ssh_cleanup
    - wolfssl: allow capath with CURLOPT_CAINFO_BLOB
    - wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files
    - wolfssl: ignore errors in CA path
  * Rebase libcurl-ocloexec.patch

* Wed Sep 13 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.3.0: [bsc#1215026, CVE-2023-38039]
  * Changes:
    - curl: make %output{} in -w specify a file to write to
    - gskit: remove
    - lib: --disable-bindlocal builds curl without local binding support
    - nss: remove support for this TLS library
    - tool: add "variable" support
    - trace: make tracing available in non-debug builds
    - url: change default value for CURLOPT_MAXREDIRS to 30
    - urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
  * Bugfixes:
    - altsvc: accept and parse IPv6 addresses in response headers
    - asyn-ares: reduce timeout to 2000ms
    - aws-sigv4: canonicalize the query
    - aws-sigv4: fix having date header twice in some cases
    - aws-sigv4: handle no-value user header entries
    - c-hyper: adjust the hyper to curlcode conversion
    - c-hyper: fix memory leaks in `Curl_http`
    - cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
    - cf-socket: log successful interface bind
    - cmake: add GnuTLS option
    - cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
    - cmake: detect `SSL_set0_wbio` in OpenSSL
    - configure: trust pkg-config when it's used for zlib
    - configure: use the pkg-config --libs-only-l flag for libssh2
    - connect: stop halving the remaining timeout when less than 600 ms left
    - crypto: ensure crypto initialization works
    - digest: Use hostname to generate spn instead of realm
    - ftp: fix temp write of ipv6 address
    - headers: accept leading whitespaces on first response header
    - http2: fix in h2 proxy tunnel: progress in ingress on sending
    - http3/ngtcp2: shorten handshake, trace cleanup
    - http3: quiche, handshake optimization, trace cleanup
    - http: close the connection after a late 417 is received
    - http: fix sending of large requests
    - http: return error when receiving too large header set
    - lib: fix null ptr derefs and uninitialized vars (h2/h3)
    - lib: move mimepost data from ->req.p.http to ->state
    - list-only.d: mention SFTP as supported protocol
    - ngtcp2: fix handling of large requests
    - openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
    - openssl: clear error queue after SSL_shutdown
    - openssl: make aws-lc version support OCSP
    - openssl: Support async cert verify callback
    - openssl: switch to modern init for LibreSSL 2.7.0+
    - openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
    - quic: don't set SNI if hostname is an IP address
    - quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
    - quiche: enable quiche to handle timeout events
    - resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
    - schannel: verify hostname independent of verify cert
    - tool_filetime: make -z work with file dates before 1970
    - tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR
    - tool_operate: make aws-sigv4 not require TLS to be used
    - transfer: also stop the sending on closed connection
    - urlapi: fix heap buffer overflow
    - urlapi: setting a blank URL ("") is not an ok URL

* Fri Jul 28 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.2.1:
  * Bugfixes:
    - cfilters: rename close/connect functions to avoid clashes
    - ciphers.d: put URL in first column
    - cmake: add 'libcurlu'/'libcurltool' for unit tests
    - cmake: update ngtcp2 detection
    - configure: check for nghttp2_session_get_stream_local_window_size
    - docs: mark two TLS options for TLS, not SSL
    - docs: provide more see also for cipher options
    - hostip: return IPv6 first for localhost resolves
    - http2: fix regression on upload EOF handling
    - http: VLH, very large header test and fixes
    - libcurl-errors.3: add CURLUE_OK
    - os400: correct EXPECTED_STRING_LASTZEROTERMINATED
    - quiche: fix lookup of transfer at multi
    - quiche: fix segfault and other things
    - rustls: update rustls-ffi 0.10.0
    - socks: print ipv6 address within brackets
    - src/mkhelp: strip off escape sequences
    - tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
    - transfer: do not clear the credentials on redirect to absolute URL
    - unittest: remove unneeded *_LDADD
    - websocket: rename arguments/variables to match docs

* Wed Jul 19 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.2.0 [bsc#1213237, CVE-2023-32001]
  * Security fix:
    - CVE-2023-32001: fopen race condition
  * Changes:
    - curl: add --ca-native and --proxy-ca-native
    - curl: add --trace-ids
    - CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS
    - haproxy: add --haproxy-clientip flag to set client IPs
    - lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID
  * Bugfixes:
    - cf-socket: don't bypass fclosesocket callback if cancelled before connect
    - cf-socket: skip getpeername()/getsockname for TFTP
    - curl: count uploaded data to stop at the originally given size
    - curl: return error when asked to use an unsupported HTTP version
    - http2: fix crash in handling stream weights
    - http2: send HEADER & DATA together if possible
    - http3/ngtcp2: upload EAGAIN handling
    - http: rectify the outgoing Cookie: header field size check
    - hyper: fix EOF handling on input
    - imap: Provide method to disable SASL if it is advertised
    - libssh2: provide error message when setting host key type fails
    - libssh2: use custom memory functions
    - ngtcp2: assigning timeout, but value is overwritten before used
    - quiche: avoid NULL deref in debug logging
    - sectransp: fix EOF handling
    - system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles
    - timeval: use CLOCK_MONOTONIC_RAW if available
    - tls13-ciphers.d: include Schannel
    - tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION`
    - tool_operate: allow cookie lines up to 8200 bytes
    - tool_parsecfg: accept line lengths up to 10M
    - tool_writeout_json: fix encoding of control characters
    - transfer: clear credentials when redirecting to absolute URL
    - urlapi: have *set(PATH) prepend a slash if one is missing
    - urlapi: scheme must start with alpha
    - vtls: avoid memory leak if sha256 call fails
    - websocket-cb: example doing WebSocket download using callback
    - ws: make the curl_ws_meta() return pointer a const

* Tue May 30 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.1.2:
  * Bugfixes:
    - configure: quote the assignments for run-compiler
    - configure: without pkg-config and no custom path, use -lnghttp2
    - curl: cache the --trace-time value for a second
    - http2: fix EOF handling on uploads with auth negotiation
    - http3: send EOF indicator early as possible
    - lib1560: verify more scheme guessing
    - lib: remove unused functions, make single-use static
    - libcurl.m4: remove trailing 'dnl' that causes this to break autoconf
    - libssh: when keyboard-interactive auth fails, try password
    - misc: fix spelling mistakes
    - page-header: mention curl version and how to figure out current release
    - page-header: minor wording polish in the URL segment
    - scripts/singleuse.pl: add more API calls
    - urlapi: remove superfluous host name check

* Tue May 23 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.1.1:
  * Bugfixes:
    - cf-socket: completely remove the disabled USE_RECV_BEFORE_SEND_WORKAROUND
    - checksrc: disallow spaces before labels
    - curl_easy_getinfo: clarify on return data types
    - docs: document that curl_url_cleanup(NULL) is a safe no-op
    - hostip: move easy_lock.h include above curl_memory.h
    - http2: double http request parser max line length
    - http2: increase stream window size to 10 MB
    - lib: rename struct 'http_req' to 'httpreq'
    - ngtcp2: proper handling of uint64_t when adjusting send buffer
    - sectransp.c: make the code c89 compatible
    - select: avoid returning an error on EINTR from select() or poll()
    - url: provide better error message when URLs fail to parse
    - urlapi: allow numerical parts in the host name

* Wed May 17 2023 David Anes <david.anes@suse.com>
- Update to 8.1.0:
  * Security fixes:
    - UAF in SSH sha256 fingerprint [bsc#1211230, CVE-2023-28319]
    - siglongjmp race condition [bsc#1211231, CVE-2023-28320]
    - IDN wildcard match [bsc#1211232, CVE-2023-28321]
    - POST-after-PUT confusion [bsc#1211233, CVE-2023-28322]
    - See also: https://curl.se/docs/security.html
  * Changes:
    - curl: add --proxy-http2
    - CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
    - hostip: refuse to resolve the .onion TLD
    - tool_writeout: add URL component variables
  * Bugfixes:
    - See full changelog here: https://curl.se/changes.html#8_1_0

* Tue Mar 21 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.0.1:
  * Bugfixes:
    - fix crash in curl_easy_cleanup

* Mon Mar 20 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 8.0.0:
  * Security fixes:
    - TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
    - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
    - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
    - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
    - HSTS double-free [bsc#1209213, CVE-2023-27537]
    - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
  * Changes:
    - build: remove support for curl_off_t < 8 bytes
  * Bugfixes:
    - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
    - BINDINGS: add Fortran binding
    - cf-socket: use port 80 when resolving name for local bind
    - cookie: don't load cookies again when flushing
    - curl_path: create the new path with dynbuf
    - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
    - DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
    - ftp: active mode with SSL, add the filter
    - hostip: avoid sscanf and extra buffer copies
    - http2: fix for http2-prior-knowledge when reusing connections
    - http2: fix handling of RST and GOAWAY to recognize partial transfers
    - http: don't send 100-continue for short PUT requests
    - http: fix unix domain socket use in https connects
    - libssh: use dynbuf instead of realloc
    - ngtcp2-gnutls.yml: bump to gnutls 3.8.0
    - sectransp: make read_cert() use a dynbuf when loading
    - telnet: only accept option arguments in ascii
    - telnet: parse telnet options without sscanf
    - url: fix the SSH connection reuse check
    - url: only reuse connections with same GSS delegation
    - urlapi: '%' is illegal in host names
    - ws: keep the socket non-blocking
  * Rebase libcurl-ocloexec.patch

* Mon Feb 20 2023 Guillaume GARDET <guillaume.gardet@opensuse.org>
- Update to 7.88.1:
  * Bugfix release
- Drop upstreamed patch:
  * curl-fix-uninitialized-value-in-tests.patch

* Wed Feb 15 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914] [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
  * Security fixes:
    - CVE-2023-23914: HSTS ignored on multiple requests
    - CVE-2023-23915: HSTS amnesia with --parallel
    - CVE-2023-23916: HTTP multi-header compression denial of service
  * Changes:
    - curl.h: add CURL_HTTP_VERSION_3ONLY
    - share: add sharing of HSTS cache among handles
    - src: add --http3-only
    - tool_operate: share HSTS between handles
    - urlapi: add CURLU_PUNYCODE
    - writeout: add %{certs} and %{num_certs}
  * Bugfixes:
    - cf-socket: keep sockaddr local in the socket filters
    - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
    - curl.h: allow up to 10M buffer size
    - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
    - curl/websockets.h: extend the websocket frame struct
    - curl: output warning at --verbose output for debug-enabled version
    - curl_free.3: fix return type of `curl_free`
    - curl_log: for failf/infof and debug logging implementations
    - dict: URL decode the entire path always
    - docs/DEPRECATE.md: deprecate gskit
    - easyoptions: fix header printing in generation script
    - haxproxy: send before TLS handshake
    - hsts.d: explain hsts more
    - hsts: handle adding the same host name again
    - HTTP/[23]: continue upload when state.drain is set
    - http: decode transfer encoding first
    - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
    - http_proxy: do not assign data->req.p.http use local copy
    - lib: connect/h2/h3 refactor
    - libssh2: try sha2 algos for hostkey methods
    - md4: fix build with GnuTLS + OpenSSL v1
    - ngtcp2: replace removed define and stop using removed function
    - noproxy: support for space-separated names is deprecated
    - nss: implement data_pending method
    - openldap: fix missing sasl symbols at build in specific configs
    - openssl: adapt to boringssl's error code type
    - openssl: don't ignore CA paths when using Windows CA store (redux)
    - openssl: don't log raw record headers
    - openssl: make the BIO_METHOD a local variable in the connection filter
    - openssl: only use CA_BLOB if verifying peer
    - openssl: remove attached easy handles from SSL instances
    - openssl: store the CA after first send (ClientHello)
    - setopt: use >, not >=, when checking if uarg is larger than uint-max
    - smb: return error on upload without size
    - socketpair: allow localhost MITM sniffers
    - strdup: name it Curl_strdup
    - tool_getparam: fix hiding of command line secrets
    - tool_operate: fix error codes on bad URL & OOM
    - tool_operate: repair --rate
    - transfer: break the read loop when RECV is cleared
    - typecheck: accept expressions for option/info parameters
    - urlapi: avoid Curl_dyn_addf() for hex outputs
    - urlapi: skip path checks if path is just "/"
    - urlapi: skip the extra dedotdot alloc if no dot in path
    - urldata: cease storing TLS auth type
    - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
    - urldata: make set.http200aliases conditional on HTTP being present
    - urldata: move the cookefilelist to the 'set' struct
    - urldata: remove unused struct fields, made more conditional
    - vquic: stabilization and improvements
    - vtls: fix hostname handling in filters
    - vtls: manage current easy handle in nested cfilter calls
    - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
  * Rebase libcurl-ocloexec.patch
  * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
    - runtests: fix "uninitialized value $port"
    - Add curl-fix-uninitialized-value-in-tests.patch

* Wed Dec 21 2022 David Anes <david.anes@suse.com>
- Update to 7.87.0:
  * Security fixes:
    - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
    - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
  * Changes
    - curl: add --url-query
    - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
    - lib: add CURL_WRITEFUNC_ERROR to signal write callback error
    - openssl: reduce CA certificate bundle reparsing by caching
    - version: add a feature names array to curl_version_info_data
  * Bugfixes
    - altsvc: fix rejection of negative port numbers
    - aws_sigv4: consult x-%s-content-sha256 for payload hash
    - aws_sigv4: fix typos in aws_sigv4.c
    - base64: better alloc size
    - base64: encode without using snprintf
    - base64: faster base64 decoding
    - build: assume assert.h is always available
    - build: assume errno.h is always available
    - c-hyper: CONNECT responses are not server responses
    - c-hyper: fix multi-request mechanism
    - CI: Change FreeBSD image from 12.3 to 12.4
    - CI: LGTM.com will be shut down in December 2022
    - ci: Remove zuul fuzzing job as it's superseded by CIFuzz
    - cmake: check for cross-compile, not for toolchain
    - CMake: fix build with `CURL_USE_GSSAPI`
    - cmake: really enable warnings with clang
    - cmake: set the soname on the shared library
    - cmdline-opts/gen.pl: fix the linkifier
    - cmdline-opts/page-footer: remove long option nroff formatting
    - config-mac: define HAVE_SYS_IOCTL_H
    - config-mac: fix typo: size_T -> size_t
    - config-mac: remove HAVE_SYS_SELECT_H
    - config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
    - configure: require fork for NTLM-WB
    - contributors.sh: actually use $CURLWWW instead of just setting it
    - cookie: compare cookie prefixes case insensitively
    - cookie: expire cookies at once when max-age is negative
    - cookie: open cookie jar as a binary file
    - curl-openssl.m4: do not add $prefix/include/openssl to
CPPFLAGS - curl-rustls.m4: on macOS, rustls also needs the Security framework - curl.h: include <sys/select.h> on SerenityOS - curl.h: name all public function parameters - curl.h: reword comment to not use deprecated option - curl: override the numeric locale and set "C" by force - curl: timeout in the read callback - curl_endian: remove Curl_write64_le from header - curl_get_line: allow last line without newline char - curl_path: do not add '/' if homedir ends with one - curl_url_get.3: remove spurious backtick - curl_url_set.3: document CURLU_DISALLOW_USER - curl_url_set.3: fix typo - CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE - CURLOPT_COOKIEFILE.3: advice => advise - CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example - CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw" - CURLOPT_POST.3: Explain setting to 0 changes request type - docs/curl_ws_send: Fixed typo in websocket docs - docs/EARLY-RELEASE.md: how to determine an early release - docs/examples: spell correction ('Retrieve') - docs/INSTALL.md: expand on static builds - docs/WEBSOCKET.md: explain the URL use - docs: add missing parameters for --retry flag - docs: add more "SEE ALSO" links to CA related pages - docs: explain the noproxy CIDR notation support - docs: extend the dump-header documentation - docs: remove performance note in CURLOPT_SSL_VERIFYPEER - examples/10-at-a-time: fix possible skipped final transfers - examples: update descriptions - ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH - gen.pl: do not generate CURLHELP bitmask lines > 79 characters - GHA: clarify workflows permissions, set least possible privilege - GHA: NSS use clang instead of clang-9 - gnutls: use common gnutls init and verify code for ngtcp2 - headers: add endif comments - HTTP-COOKIES.md: mention that http://localhost is a secure context - HTTP-COOKIES.md: update the 6265bis link to draft-11 - http: do not send PROXY more than once - http: fix the ::1 comparison for 
IPv6 localhost for cookies - http: set 'this_is_a_follow' in the Location: logic - http: use the IDN decoded name in HSTS checks - hyper: classify headers as CONNECT and 1XX - hyper: fix handling of hyper_task's when reusing the same address - idn: remove Curl_win32_ascii_to_idn - INSTALL: update operating systems and CPU archs - KNOWN_BUGS: remove eight entries - lib1560: add some basic IDN host name tests - lib: connection filters (cfilter) addition to curl: - lib: feature deprecation warnings in gcc >= 4.3 - lib: fix some type mismatches and remove unneeded typecasts - lib: parse numbers with fixed known base 10 - lib: remove bad set.opt_no_body assignments - lib: rewind BEFORE request instead of AFTER previous - lib: sync guard for Curl_getaddrinfo_ex() definition and use - lib: use size_t or int etc instead of longs - libcurl-errors.3: remove duplicate word - libssh2: return error when ssh_hostkeyfunc returns error - limit-rate.d: see also --rate - log2changes.pl: wrap long lines at 80 columns - Makefile.mk: address minor issues - Makefile.mk: improve a GNU Make hack - Makefile.mk: portable Makefile.m32 - maketgz: set the right version in lib/libcurl.plist - mime: relax easy/mime structures binding - misc: Fix incorrect spelling - misc: remove duplicated include files - misc: typo and grammar fixes - negtelnetserver.py: have it call its close() method - netrc.d: provide mutext info - netware: remove leftover traces - noproxy: also match with adjacent comma - noproxy: guard against empty hostnames in noproxy check - noproxy: tailmatch like in 7.85.0 and earlier - nroff-scan.pl: detect double highlights - ntlm: improve comment for encrypt_des - ntlm: silence ubsan warning about copying from null target_info pointer - openssl/mbedtls: use %d for outputing port with failf (int) - openssl: prefix errors with '[lib]/[version]: ' - os400: use platform socklen_t in Curl_getnameinfo_a - page-header: grammar improvement (display transfer rate) - proxy: refactor haproxy 
protocol handling as connection filter - README.md: remove badges and xmas-tree garnish - rtsp: fix RTSP auth - runtests: --no-debuginfod now disables DEBUGINFOD_URLS - runtests: do CRLF replacements per section only - scripts/checksrc.pl: detect duplicated include files - sendf: change Curl_read_plain to wrap Curl_recv_plain - sendf: remove unnecessary if condition - setup: do not require __MRC__ defined for Mac OS 9 builds - smb/telnet: do not free the protocol struct in *_done() - socks: fix username max size is 255 (0xFF) - spellcheck.words: remove 'github' as an accepted word - ssl-reqd.d: clarify that this is for upgrading connections only - strcase: use curl_str(n)equal for case insensitive matches - styled-output.d: this option does not work on Windows - system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS - system.h: support 64-bit curl_off_t for NonStop 32-bit - test1421: fix typo - test3026: reduce runtime in legacy mingw builds - tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+ - tests: add authorityInfoAccess to generated certs - tests: add HTTP/3 test case, custom location for proper nghttpx - tls: backends use connection filters for IO, enabling HTTPS-proxy - tool: determine the correct fopen option for -D - tool_cfgable: free the ssl_ec_curves on exit - tool_cfgable: make socks5_gssapi_nec a boolean - tool_formparse: avoid clobbering on function params - tool_getparam: make --no-get work as the opposite of --get - tool_operate: provide better errmsg for -G with bad URL - tool_operate: when aborting, make sure there is a non-NULL error buffer - tool_paramhlp: free the proto strings on exit - url: move back the IDN conversion of proxy names - urlapi: reject more bad letters from the host name: &+() - urldata: change port num storage to int and unsigned short - vms: remove SIZEOF_SHORT - vtls: fix build without proxy support - vtls: localization of state data in filters - WEBSOCKET.md: fix broken link - Websocket: fixes for 
partial frames and buffer updates - websockets: fix handling of partial frames - windows: fail early with a missing windres in autotools - windows: fix linking .rc to shared curl with autotools - winidn: drop WANT_IDN_PROTOTYPES - ws: if no connection is around, return error - ws: return CURLE_NOT_BUILT_IN when websockets not built in - x509asn1: avoid freeing unallocated pointers * Wed Nov 16 2022 Luciano Santos <luc14n0@opensuse.org> - Add 1.50.0 as the minimum libnghttp2 build requirement version as a bandaid. Curl's 7.86.0 release introduces the use of nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, introduced by nghttp2 1.50.0 release, without introducing a check for the function/right version in their build scripts. This will make Zypper/cURL unusable in some corner cases where users installing something that requires libcurl4 before doing full system upgrade, thus updating the cURL stack, but not libnghttp2's. Background: boo#1204983, Factory mailing list threadd: "? broken dependency in curl and/or *zyp* ?", and forums thread: Curl-is-broken-after-an-update-which-subsequently-breaks-zypper. 

* Wed Oct 26 2022 Pedro Monreal <pmonreal@suse.com>
- Update to 7.86.0:
  * Security fixes:
    - POST following PUT confusion [bsc#1204383, CVE-2022-32221]
    - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
    - HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
    - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
  * Changes:
    - NPN: remove support for and use of
    - Websockets: initial support
  * Bugfixes:
    - altsvc: reject bad port numbers
    - autotools: reduce brute-force when detecting recv/send arg list
    - aws_sigv4: fix header computation
    - cli tool: do not use disabled protocols
    - connect: change verbose IPv6 address:port to [address]:port
    - connect: fix builds without AF_INET6
    - connect: fix Curl_updateconninfo for TRNSPRT_UNIX
    - connect: fix the wrong error message on connect failures
    - content_encoding: use writer struct subclasses for different encodings
    - cookie: reject cookie names or content with TAB characters
    - curl/add_file_name_to_url: use the libcurl URL parser
    - curl/get_url_file_name: use libcurl URL parser
    - curl: warn for --ssl use, considered insecure
    - docs/libcurl/symbols-in-versions: add several missing symbols
    - ftp: ignore a 550 response to MDTM
    - functypes: provide the recv and send arg and return types
    - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
    - header: define public API functions as extern c
    - headers: reset the requests counter at transfer start
    - hostip: guard PF_INET6 use
    - hostip: lazily wait to figure out if IPv6 works until needed
    - http, vauth: always provide Curl_allow_auth_to_host() functionality
    - http2: make nghttp2 less picky about field whitespace
    - http: try parsing Retry-After: as a number first
    - http_proxy: restore the protocol pointer on error
    - lib: add missing limits.h includes
    - lib: prepare the incoming of additional protocols
    - lib: sanitize conditional exclusion around MIME
    - libssh: if sftp_init fails, don't get the sftp error code
    - mprintf: reject two kinds of precision for the same argument
    - mqtt: return error for too long topic
    - netrc: compare user name case sensitively
    - netrc: replace fgets with Curl_get_line
    - netrc: use the URL-decoded user
    - ngtcp2: fix build errors due to changes in ngtcp2 library
    - noproxy: support proxies specified using cidr notation
    - openssl: make certinfo available for QUIC
    - resolve: make forced IPv4 resolve only use A queries
    - schannel: ban server ALPN change during recv renegotiation
    - schannel: don't reset recv/send function pointers on renegotiation
    - schannel: when importing PFX, disable key persistence
    - setopt: use the handler table for protocol name to number conversions
    - setopt: when POST is set, reset the 'upload' field
    - single_transfer: use the libcurl URL parser when appending query parts
    - smb: replace CURL_WIN32 with WIN32
    - tool: avoid generating ambiguous escaped characters in --libcurl
    - tool_main: exit at once if out of file descriptors
    - tool_operate: more transfer cleanup after parallel transfer fail
    - tool_operate: prevent over-queuing in parallel mode
    - tool_paramhelp: asserts verify maximum sizes for string loading
    - tool_xattr: save the original URL, not the final redirected one
    - url: a zero-length userinfo part in the URL is still a (blank) user
    - url: allow non-HTTPS HSTS-matching for debug builds
    - url: rename function due to name-clash in Watt-32
    - url: use IDN decoded names for HSTS checks
    - urlapi: detect scheme better when not guessing
    - urlapi: fix parsing URL without slash with CURLU_URLENCODE
    - urlapi: reject more bad characters from the host name field
  * Remove patch upstream:
    - connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch

* Sat Oct 08 2022 Vasily Ulyanov <vasily.ulyanov@suse.com>
- Update connection info when using UNIX socket as endpoint
  connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch

* Fri Sep 30 2022 Pedro Monreal <pmonreal@suse.com>
- Change the deprecated configure option --enable-hidden-symbols to the new --enable-symbol-hiding.

* Wed Aug 31 2022 Pedro Monreal <pmonreal@suse.com>
- Update to 7.85.0:
  * Security fixes: [bsc#1202593, CVE-2022-35252]
    - control code in cookie denial of service
  * Changes:
    - quic: add support via wolfSSL
    - schannel: Add TLS 1.3 support
    - setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
  * Bugfixes:
    - asyn-thread: fix socket leak on OOM
    - asyn-thread: make getaddrinfo_complete return CURLcode
    - base64: base64url encoding has no padding
    - configure: fix broken m4 syntax in TLS options
    - configure: if asked to use TLS, fail if no TLS lib was detected
    - connect: add quic connection information
    - connect: set socktype/protocol correctly
    - cookie: reject cookies with "control bytes"
    - cookie: treat a blank domain in Set-Cookie: as non-existing
    - curl: output warning when a cookie is dropped due to size
    - Curl_close: call Curl_resolver_cancel to avoid memory-leak
    - digest: fix memory leak, fix not quoted 'opaque'
    - digest: fix missing increment of 'nc' value for auth-int
    - digest: pass over leading spaces in qop values
    - digest: reject broken header with session protocol but without qop
    - doh: use https protocol by default
    - easy_lock.h: include sched.h if available to fix build
    - easy_lock.h: use __asm__ instead of asm to fix build
    - easy_lock: switch to using atomic_int instead of bool
    - ftp: use a correct expire ID for timer expiry
    - h2h3: fix overriding the 'TE: Trailers' header
    - hostip: resolve *.localhost to 127.0.0.1/::1
    - HTTP3.md: update to msh3 v0.4.0
    - hyper: use wakers for curl pause/resume
    - lib3026: reduce the number of threads to 100
    - libssh2: make atime/mtime date overflow return error
    - libssh2: provide symlink name in SFTP dir listing
    - multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
    - multi: use larger dns hash table for multi interface
    - multi_wait: fix skipping to populate revents for extra_fds
    - netrc: Use the password from lines without login
    - ngtcp2: Fix build error due to change in nghttp3 prototypes
    - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
    - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
    - openssl: add 'CURL_BORINGSSL_VERSION' to identify BoringSSL
    - openssl: add cert path in error message
    - openssl: add details to "unable to set client certificate" error
    - openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
    - select: do not return fatal error on EINTR from poll()
    - sendf: fix paused header writes since after the header API
    - sendf: skip storing HTTP headers if HTTP disabled
    - url: really use the user provided in the url when netrc entry exists
    - url: reject URLs with hostnames longer than 65535 bytes
    - url: treat missing usernames in netrc as empty
    - urldata: reduce size of several struct fields
    - vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
  * Remove tests-for-32bit.patch fixed in the update
  * Rebase libcurl-ocloexec.patch

* Sun Jul 24 2022 Dirk Müller <dmueller@suse.com>
- add tests-for-32bit.patch to fix testsuite on 32bit platforms

* Mon Jun 27 2022 David Anes <david.anes@suse.com>
- Update to 7.84.0:
  * Security fixes:
    - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
    - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
    - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
    - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
  * Changes:
    - curl: add --rate to set max request rate per time unit
    - curl: deprecate --random-file and --egd-file
    - curl_version_info: add CURL_VERSION_THREADSAFE
    - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
    - lib: make curl_global_init() threadsafe when possible
    - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
    - opts: deprecate RANDOM_FILE and EGDSOCKET
    - socks: support unix sockets for socks proxy
  * Bugfixes:
    - aws-sigv4: fix potential NULL pointer arithmetic
    - bindlocal: don't use a random port if port number would wrap
    - c-hyper: mark status line as status for Curl_client_write()
    - ci: avoid `cmake -Hpath`
    - CI: bump FreeBSD 13.0 to 13.1
    - ci: update github actions
    - cmake: add libpsl support
    - cmake: do not add libcurl.rc to the static libcurl library
    - cmake: enable curl.rc for all Windows targets
    - cmake: fix detecting libidn2
    - cmake: support adding a suffix to the OS value
    - configure: skip libidn2 detection when winidn is used
    - configure: use the SED value to invoke sed
    - configure: warn about rustls being experimental
    - content_encoding: return error on too many compression steps
    - cookie: address secure domain overlay
    - cookie: apply limits
    - copyright.pl: parse and use .reuse/dep5 for skips
    - copyright: make repository REUSE compliant
    - curl.1: add a few see also --tls-max
    - curl.1: mention exit code zero too
    - curl: re-enable --no-remote-name
    - curl_easy_pause.3: remove explanation of progress function
    - curl_getdate.3: document that some illegal dates pass through
    - Curl_parsenetrc: don't access local pwbuf outside of scope
    - curl_url_set.3: clarify by default using known schemes only
    - CURLOPT_ALTSVC.3: document the file format
    - CURLOPT_FILETIME.3: fix the protocols this works with
    - CURLOPT_HTTPHEADER.3: improve comment in example
    - CURLOPT_NETRC.3: document the .netrc file format
    - CURLOPT_PORT.3: We discourage using this option
    - CURLOPT_RANGE.3: remove ranged upload advice
    - digest: added detection of more syntax error in server headers
    - digest: tolerate missing "realm"
    - digest: unquote realm and nonce before processing
    - DISABLED: disable 1021 for hyper again
    - docs/cmdline-opts: add copyright and license identifier to each file
    - docs/CONTRIBUTE.md: document the 'needs-votes' concept
    - docs: clarify data replacement policy for MIME API
    - doh: remove UNITTEST macro definition
    - examples/crawler.c: use the curl license
    - examples: remove fopen.c and rtsp.c
    - FAQ: Clarify Windows double quote usage
    - fopen: add Curl_fopen() for better overwriting of files
    - ftp: restore protocol state after http proxy CONNECT
    - ftp: when failing to do a secure GSSAPI login, fail hard
    - GHA/hyper: enable debug in the build
    - gssapi: improve handling of errors from gss_display_status
    - gssapi: initialize gss_buffer_desc strings
    - headers api: remove EXPERIMENTAL tag
    - http2: always debug print stream id in decimal with %u
    - http2: reject overly many push-promise headers
    - http: restore header folding behavior
    - hyper: use 'alt-used'
    - krb5: return error properly on decode errors
    - lib: make more protocol specific struct fields #ifdefed
    - libcurl-security.3: add "Secrets in memory"
    - libcurl-security.3: document CRLF header injection
    - libssh: skip the fake-close when libssh does the right thing
    - links: update dead links to the curl-wiki
    - log2changes: do not indent empty lines [ci skip]
    - macos9: remove partial support
    - Makefile.am: fix portability issues
    - Makefile.m32: delete obsolete options, improve -On [ci skip]
    - Makefile.m32: delete two obsolete OpenSSL options [ci skip]
    - Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
    - max-time.d: clarify max-time sets max transfer time
    - mprintf: ignore clang non-literal format string
    - netrc: check %USERPROFILE% as well on Windows
    - netrc: support quoted strings
    - ngtcp2: allow curl to send larger UDP datagrams
    - ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
    - ngtcp2: enable Linux GSO
    - ngtcp2: extend QUIC transport parameters buffer
    - ngtcp2: fix alert_read_func return value
    - ngtcp2: fix typo in preprocessor condition
    - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
    - ngtcp2: send appropriate connection close error code
    - ngtcp2: support boringssl crypto backend
    - ngtcp2: use helper funcs to simplify TLS handshake integration
    - ntlm: provide a fixed fake host name
    - projects: fix third-party SSL library build paths for Visual Studio
    - quic: add Curl_quic_idle
    - quiche: support ca-fallback
    - rand: stop detecting /dev/urandom in cross-builds
    - remote-name.d: mention --output-dir
    - runtests.pl: add the --repeat parameter to the --help output
    - runtests: fix skipping tests not done event-based
    - runtests: skip starting the ssh server if user name is lacking
    - scripts/copyright.pl: fix the exclusion to not ignore man pages
    - sectransp: check for a function defined when __BLOCKS__ is undefined
    - select: return error from "lethal" poll/select errors
    - server/sws: support spaces in the HTTP request path
    - speed-limit/time.d: mention these affect transfers in either direction
    - strcase: some optimisations
    - test 2081: add a valid reply for the second request
    - test 675: add missing CR so the test passes when run through Privoxy
    - test414: add the '--resolve' keyword
    - test681: verify --no-remote-name
    - tests 266, 116 and 1540: add a small write delay
    - tests/data/test1501: kill ftp server after slow LIST response
    - tests/getpart: fix getpartattr to work with "data" and "data2"
    - tests/server/sws.c: change the HTTP writedelay unit to milliseconds
    - test{440,441,493,977}: add "HTTP proxy" keywords
    - tool_getparam: fix --parallel-max maximum value constraint
    - tool_operate: make sure --fail-with-body works with --retry
    - transfer: fix potential NULL pointer dereference
    - transfer: maintain --path-as-is after redirects
    - transfer: upload performance; avoid tiny send
    - url: free old conn better on reuse
    - url: remove redundant #ifdefs in allocate_conn()
    - url: URL encode the path when extracted, if spaces were set
    - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
    - urlapi: support CURLU_URLENCODE for curl_url_get()
    - urldata: reduce size of a few struct fields
    - urldata: remove three unused booleans from struct UserDefined
    - urldata: store tcp_keepidle and tcp_keepintvl as ints
    - version: allow stricmp() for sorting the feature list
    - vtls: make curl_global_sslset thread-safe
    - wolfssh.h: removed
    - wolfssl: correct the failf() message when a handle can't be made
    - wolfSSL: explicitly use compatibility layer
    - x509asn1: mark msnprintf return as unchecked

* Wed May 11 2022 David Anes <david.anes@suse.com>
- Update to 7.83.1:
  * Security fixes:
    - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
    - (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
    - (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
    - (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
    - (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
    - (bsc#1199220, CVE-2022-27778) removes wrong file on error
  * Bugfixes:
    - altsvc: fix host name matching for trailing dots
    - cirrus: Update to FreeBSD 12.3
    - cirrus: Use pip for Python packages on FreeBSD
    - conn: fix typo 'connnection' -> 'connection' in two function names
    - cookies: make bad_domain() not consider a trailing dot fine
    - curl: free resource in error path
    - curl: guard against size_t wraparound in no-clobber code
    - CURLOPT_DOH_URL.3: mention the known bug
    - CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
    - CURLOPT_SSH_AUTH_TYPES.3: fix the default
    - data/test376: set a proper name
    - GHA/mbedtls: enabled nghttp2 in the build
    - gha: build msh3
    - gskit: fixed bogus setsockopt calls
    - gskit: remove unused function set_callback
    - hsts: ignore trailing dots when comparing hosts names
    - HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
    - http: move Curl_allow_auth_to_host()
    - http_proxy/hyper: handle closed connections
    - hyper: fix test 357
    - Makefile: fix "make ca-firefox"
    - mbedtls: bail out if rng init fails
    - mbedtls: fix compile when h2-enabled
    - mbedtls: fix some error messages
    - misc: use "autoreconf -fi" instead buildconf
    - msh3: get msh3 version from MsH3Version
    - msh3: print boolean value as text representation
    - msh3: pass remote_port to MsH3ConnectionOpen
    - ngtcp2: add ca-fallback support for OpenSSL backend
    - nss: return error if seemingly stuck in a cert loop
    - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
    - post_per_transfer: remove the updated file name
    - sectransp: bail out if SSLSetPeerDomainName fails
    - tests/server: declare variable 'reqlogfile' static
    - tests: fix markdown formatting in README
    - test{898,974,976}: add 'HTTP proxy' keywords
    - tls: check more TLS details for connection reuse
    - url: check SSH config match on connection reuse
    - urlapi: address (harmless) UndefinedBehavior sanitizer warning
    - urlapi: reject percent-decoding host name into separator bytes
    - x509asn1: make do_pubkey handle EC public keys

* Fri Apr 22 2022 David Anes <david.anes@suse.com>
- Patches rework:
  * Refreshed all patches as -p1.
  * Use autopatch macro.
  * Renamed:
    - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
  * Removed (already upstream):
    - curl-fix-verifyhost.patch
- Update to 7.83.0:
  * Security fixes:
    - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
    - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
    - (bsc#1198608, CVE-2022-27774) Credential leak on redirect
    - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
  * Changes:
    - curl: add %header{name} experimental support in -w handling
    - curl: add %{header_json} experimental support in -w handling
    - curl: add --no-clobber
    - curl: add --remove-on-error
    - header api: add curl_easy_header and curl_easy_nextheader
    - msh3: add support for QUIC and HTTP/3 using msh3
  * Bugfixes:
    - appveyor: add Cygwin build
    - appveyor: only add MSYS2 to PATH where required
    - BearSSL: add CURLOPT_SSL_CIPHER_LIST support
    - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
    - BINDINGS.md: add Hollywood binding
    - CI: Do not use buildconf. Instead, just use: autoreconf -fi
    - CI: install Python package impacket to run SMB test 1451
    - configure.ac: move -pthread CFLAGS setting back where it used to be
    - configure: bump the copyright year range in the generated output
    - conncache: include the zone id in the "bundle" hashkey
    - connecache: remove duplicate connc->closure_handle check
    - connect: make Curl_getconnectinfo work with conn cache from share handle
    - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
    - cookie.d: clarify when cookies are sent
    - cookies: improve error handling for reading cookiefile
    - curl/system.h: update ifdef condition for MCST-LCC compiler
    - curl: error out if -T and -d are used for the same URL
    - curl: error out when options need features not present in libcurl
    - curl: escape '?' in generated --libcurl code
    - curl: fix segmentation fault for empty output file names.
    - curl_easy_header: fix typos in documentation
    - CURLINFO_PRIMARY_PORT.3: clarify which port this is
    - CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
    - CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
    - CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
    - CURLOPT_PROGRESSFUNCTION.3: fix typo in example
    - CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
    - CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
    - docs/HYPER.md: updated to reflect current hyper build needs
    - docs/opts: Mention Schannel client cert type is P12
    - docs: Fix missing semicolon in example code
    - docs: lots of minor language polish
    - English: use American spelling consistently
    - fail.d: tweak the description
    - firefox-db2pem.sh: make the shell script safer
    - ftp: fix error message for partial file upload
    - gen.pl: change wording for mutexed options
    - GHA: add openssl3 jobs moved over from zuul
    - GHA: build hyper with nightly rustc
    - GHA: move bearssl jobs over from zuul
    - gha: move the event-based test over from Zuul
    - gtls: fix build for disabled TLS-SRP
    - http2: handle DONE called for the paused stream
    - http2: RST the stream if we stop it on our own will
    - http: avoid auth/cookie on redirects same host diff port
    - http: close the stream (not connection) on time condition abort
    - http: reject header contents with nul bytes
    - http: return error on colon-less HTTP headers
    - http: streamclose "already downloaded"
    - hyper: fix status_line() return code
    - hyper: fix tests 580 and 581 for hyper
    - hyper: no h2c support
    - infof: consistent capitalization of warning messages
    - ipv4/6.d: clarify that they are about using IP addresses
    - json.d: fix typo (overriden -> overridden)
    - keepalive-time.d: It takes many probes to detect brokenness
    - lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
    - lib670: avoid double check result
    - lib: #ifdef on USE_HTTP2 better
    - lib: fix some misuse of curlx_convert_wchar_to_UTF8
    - lib: remove exclamation marks
    - libssh2: compare sha256 strings case sensitively
    - libssh2: make the md5 comparison fail if wrong length
    - libssh: fix build with old libssh versions
    - libssh: fix double close
    - libssh: Improve fix for missing SSH_S_ stat macros
    - libssh: unstick SFTP transfers when done event-based
    - macos: set .plist version in autoconf
    - mbedtls: remove 'protocols' array from backend when ALPN is not used
    - mbedtls: remove server_fd from backend
    - mk-ca-bundle.pl: Use stricter logic to process the certificates
    - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
    - mlc_config.json: add file to ignore known troublesome URLs
    - mqtt: better handling of TCP disconnect mid-message
    - ngtcp2: add client certificate authentication for OpenSSL
    - ngtcp2: avoid busy loop in low CWND situation
    - ngtcp2: deal with sub-millisecond timeout
    - ngtcp2: disconnect the QUIC connection proper
    - ngtcp2: enlarge H3_SEND_SIZE
    - ngtcp2: fix HTTP/3 upload stall and avoid busy loop
    - ngtcp2: fix memory leak
    - ngtcp2: fix QUIC_IDLE_TIMEOUT
    - ngtcp2: make curl 1ms faster
    - ngtcp2: remove remote_addr which is not used in a meaningful way
    - ngtcp2: update to work after recent ngtcp2 updates
    - ngtcp2: use token when detecting :status header field
    - nonblock: restore setsockopt method to curlx_nonblock
    - openssl: check SSL_get_peer_cert_chain return value
    - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
    - openssl: fix CN check error code
    - options: remove mistaken space before paren in prototype
    - perl: removed a double semicolon at end of line
    - pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
    - projects/README: converted to markdown
    - projects: Update VC version names for VS2017, VS2022
    - rtsp: don't let CSeq error override earlier errors
    - runtests: add 'bearssl' as testable feature
    - runtests: make 'oldlibssh' be before 0.9.4
    - schannel: remove dead code that will never run
    - scripts/copyright.pl: ignore the new mlc_config.json file
    - scripts: move three scripts from lib/ to scripts/
    - test1135: sync with recent API updates
    - test1459: disable for oldlibssh
    - test375: fix line endings on Windows
    - test386: Fix an incorrect test markup tag
    - test718: edited slightly to return better HTTP
    - tests/server/util.h: align WIN32 condition with util.c
    - tests: refactor server/socksd.c to support --unix-socket
    - timediff.[ch]: add curlx helper functions for timeval conversions
    - tls: make mbedtls and NSS check for h2, not nghttp2
    - tool and tests: force flush of all buffers at end of program
    - tool_cb_hdr: Turn the Location: into a terminal hyperlink
    - tool_getparam: error out on missing -K file
    - tool_listhelp.c: uppercase URL
    - tool_operate: fix a scan-build warning
    - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
    - transfer: redirects to other protocols or ports clear auth
    - unit1620: call global_init before calling Curl_open
    - url: check sasl additional parameters for connection reuse.
- vtls: provide a unified APLN-disagree string for all backends - vtls: use a backend standard message for "ALPN: offers %s" - vtls: use a generic "ALPN, server accepted" message - winbuild/README.md: fixup dead link - winbuild: Add a Visual Studio example to the README - wolfssl: fix compiler error without IPv6 * Fri Mar 11 2022 Pedro Monreal <pmonreal@suse.com> - Fix: openssl: fix CN check error code * Add curl-fix-verifyhost.patch * Mon Mar 07 2022 Paolo Stivanin <info@paolostivanin.com> - Update to 7.82.0: * curl: add --json command line option * curl: make it so that sensitive command line arguments do not show as easily in the output of ps(1) * curl_multi_socket.3: remove callback and typical usage descriptions * ftp: provide error message for control bytes in path * ldap: return CURLE_URL_MALFORMAT for bad URL * lib: remove support for CURL_DOES_CONVERSIONS * mqtt: plug some memory leaks * multi: allow user callbacks to call curl_multi_assign * multi: remember connection_id before returning connection to pool * multi: set in_callback for multi interface callbacks * netware: remove support * ngtcp2: adapt to changed end of headers callback proto * openldap: implement SASL authentication * openssl: return error if TLS 1.3 is requested when not supported * sectransp: mark a 3DES cipher as weak * smb: pass socket for writing and reading data instead of FIRSTSOCKET * tool_getparam: DNS options that need c-ares now fail without it * TPF: drop support * url: given a user in the URL, find pwd for that user in netrc * url: keep trailing dot in host name * urlapi: handle "redirects" smarter * urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled * urldata: remove conn->bits.user_passwd * Sun Jan 09 2022 Dirk Müller <dmueller@suse.com> - update to 7.81.0: * mime: use percent-escaping for multipart form field and file names * asyn-ares: ares_getaddrinfo needs no happy eyeballs timer * azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper * 
BINDINGS: add cURL client for PostgreSQL * BINDINGS: add one from Everything curl and update a link * checksrc: detect more kinds of NULL comparisons we avoid * CI: build examples for additional code verification * CI: bump job to use mbedtls 3.1.0 * cmake: don't set _USRDLL on a static Windows build * cmake: prevent dev warning due to mismatched arg * cmake: private identifiers use CURL_ instead of CMAKE_ prefix * config.d: update documentation to match the path search * configure: add -lm to configure for rustls build. * configure: better diagnostics if hyper is built wrong * configure: don't enable TLS when --without-* flags are used * configure: fix runtime-lib detection on macOS * curl.1: require "see also" for every documented option * curl: improve error message for --head with -J * curl_easy_cleanup.3: remove from multi handle first * curl_easy_escape.3: call curl_easy_cleanup in example * curl_easy_unescape.3: call curl_easy_cleanup in example * curl_multi_init.3: fix EXAMPLE formatting * curl_multi_perform/socket_action.3: clarify what errors mean * curl_share_setopt.3: split out options into their own manpages * CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL * digest: compute user:realm:pass digest w/o userhash * docs/checksrc: Add documentation for STRERROR * docs/cmdline-opts: do not say "protocols: all" * docs/examples: workaround broken -Wno-pedantic-ms-format * docs/HTTP3: describe how to setup a h3 reverse-proxy for testing * docs/INSTALL.md: typo fix : added missing "get" verb * docs/URL-SYNTAX.md: space is not fine in a given URL * docs: add known bugs list to HTTP3.md * docs: address proselint nits * docs: consistent manpage SYNOPSIS * docs: fix dead links, remove ECH.md * docs: fix typo in OpenSSL 3 build instructions * docs: Update the Reducing Size section * example/progressfunc: remove code for old libcurls * examples/multi-single.c: remove WAITMS() * FAQ: typo fix : "yout" ➤ "your" * ftp: disable warning 4706 in MSVC * gen.pl: 
improve example output format * github workflow: add wolfssl (removed from zuul) * github/workflows: add mbedtls and mbedtls-clang (removed from zuul) * gtls: check return code for gnutls_alpn_set_protocols * hash: lazy-alloc the table in Curl_hash_add() * http2:set_transfer_url() return early on OOM * HTTP3: update quiche build instructions * http: enable haproxy support for hyper backend * http: Fix CURLOPT_HTTP200ALIASES * http_proxy: don't close the socket (too early) * insecure.d: detail its use for SFTP and SCP as well * insecure.d: expand and clarify * libcurl-multi.3: "SOCKS proxy handshakes" are not blocking * libcurl-security.3: mention address and URL mitigations * libssh2: fix error message for sha256 mismatch * libtest: avoid "assignment within conditional expression" * lift: ignore is a deprecated config option, use ignoreRules * linkcheck.yml: add CI job that checks markdown links * m4/curl-compilers: tell clang -Wno-pointer-bool-conversion * Makefile.m32: rename -winssl option to -schannel and tidy up * mbedTLS: add support for CURLOPT_CAINFO_BLOB * mbedtls: fix CURLOPT_SSLCERT_BLOB * mbedtls: fix private member designations for v3.1.0 * misc: remove unused doh flags when CURL_DISABLE_DOH is defined * misc: s/e-mail/email * multi: cleanup the socket hash when destroying it * multi: handle errors returned from socket/timer callbacks * multi: shut down CONNECT in Curl_detach_connnection * netrc.d: edit the .netrc example to look nicer * ngtcp2: verify the server cert on connect (quictls) * ngtcp2: verify the server certificate for the gnutls case * nss:set_cipher don't clobber the cipher list * openldap: implement STARTTLS * openldap: process search query response messages one by one * openldap: several minor improvements * openldap: simplify ldif generation code * openssl: check the return value of BIO_new() * openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+ * openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable * openssl: remove 
usage of deprecated `SSL_get_peer_certificate` * openssl: use non-deprecated API to read key parameters * page-footer: add a mention of how to report bugs to the man page * page-footer: document more environment variables * request.d: refer to 'method' rather than 'command' * retry-all-errors.d: make the example complete * runtests: make the SSH library a testable feature * rustls: read of zero bytes might be okay * rustls: remove comment about checking handshaking * rustls: remove incorrect EOF check * sha256/md5: return errors when init fails * socks5: use appropriate ATYP for numerical IP address host names * test1156: enable for hyper * test1156: fixup the stdout check for Windows * test1525: tweaked for hyper * test1526: enable for hyper * test1527: enable for hyper * test1528: enable for hyper * test1554: adjust for hyper * test1556: adjust for hyper * test302[12]: run only with the libssh2 backend * test661: enable for hyper * tests/CI.md: add more information on CI environments * tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256 * tftp: mark protocol as not possible to do over CONNECT * tool_findfile: updated search for a file in the homedir * tool_operate: only set SSH related libcurl options for SSH URLs * tool_operate: warn if too many output arguments were found * url.c: fix the SIGPIPE comment for Curl_close * url: check ssl_config when re-use proxy connection * url: reduce ssl backend count for CURL_DISABLE_PROXY builds * urlapi: accept port number zero * urlapi: if possible, shorten given numerical IPv6 addresses * urlapi: provide more detailed return codes * urlapi: reject short file URLs * version_win32: Check build number and platform id * vtls/rustls: adapt to the updated rustls_version proto * writeout: fix %{http_version} for HTTP/3 * x509asn1: return early on errors * zuul.d: update rustls-ffi to version 0.8.2 * zuul: fix quiche build pointing to wrong Cargo * Tue Nov 16 2021 Pedro Monreal <pmonreal@suse.com> - Update to 
7.80.0: * Changes: - CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse - CURLOPT_PREREQFUNCTION: add new callback - libssh2: add SHA256 fingerprint support - urlapi: add curl_url_strerror() * Bugfixes: - aws-sigv4: make signature work when post data is binary - c-hyper: don't abort CONNECT responses early when auth-in-progress - c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work - cmake: add CURL_ENABLE_SSL option - cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED - configure.ac: replace krb5-config with pkg-config - configure: when hyper is selected, deselect nghttp2 - curl-confopts.m4: remove --enable/disable-hidden-symbols - curl-openssl.m4: modify library order for openssl linking - curl_ntlm_core: use OpenSSL only if DES is available - Curl_updateconninfo: store addresses for QUIC connections too - ftp: make the MKD retry to retry once per directory - http: fix Basic auth with empty name field in URL - http: reject HTTP response codes < 100 - http: remove assert that breaks hyper - http: set content length earlier - imap: display quota information - libssh2: Get the version at runtime if possible - md5: fix compilation with OpenSSL 3.0 API - ngtcp2: advertise h3 as well as h3-29 - ngtcp2: compile with the latest nghttp3 - ngtcp2: use latest QUIC TLS RFC9001 - NTLM: use DES_set_key_unchecked with OpenSSL - openssl: if verifypeer is not requested, skip the CA loading - openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway - schannel: fix memory leak due to failed SSL connection - sendf: accept zero-length data in Curl_client_write() - sha256: use high-level EVP interface for OpenSSL - sws: fix memory leak on exit - tool_operate: a failed etag save now only fails that transfer - url: check the return value of curl_url() - url: set "k->size" -1 at start of request - urlapi: skip a strlen(), pass in zero - urlapi: URL decode percent-encoded host names - vtls: Fix a memory leak if an SSL session cannot be added to the cache - 
wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity * Use --with-openssl configure option, --with-ssl is now deprecated * Wed Sep 22 2021 Pedro Monreal <pmonreal@suse.com> - Update to 7.79.1: * Bugfixes: - Curl_http2_setup: don't change connection data on repeat invokes - curl_multi_fdset: make FD_SET() not operate on sockets out of range - dist: provide lib/.checksrc in the tarball - FAQ: add GOPHERS + curl works on data, not files - hsts: CURLSTS_FAIL from hsts read callback should fail transfer - hsts: handle unlimited expiry - http: fix the broken >3 digit response code detection - strerror: use sys_errlist instead of strerror on Windows - test1184: disable: https://github.com/curl/curl/issues/7725 - tests/sshserver.pl: make it work with openssh-8.7p1 * Wed Sep 15 2021 Pedro Monreal <pmonreal@suse.com> - Temporarily disable flaky test 1184 * See https://github.com/curl/curl/issues/7725 * Wed Sep 15 2021 Pedro Monreal <pmonreal@suse.com> - Update to 7.79.0: [bsc#1190213, CVE-2021-22945] [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947] * Changes: - bearssl: support CURLOPT_CAINFO_BLOB - http: consider cookies over localhost to be secure - secure transport: support CURLINFO_CERTINFO * Bugfixes: - CVE-2021-22945: clear the leftovers pointer when sending succeeds - CVE-2021-22946: do not ignore --ssl-reqd - CVE-2021-22947: reject STARTTLS server response pipelining - auth: do not append zero-terminator to authorisation id in kerberos - auth: properly handle byte order in kerberos security message - auth: use sasl authzid option in kerberos - auth: we do not support a security layer after kerberos authentication - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection - c-hyper: initial step for 100-continue support - c-hyper: initial support for "dumping" 1xx HTTP responses - curl-openssl.m4: show correct output for OpenSSL v3 - docs/MQTT: update state of 
username/password support - docs: the security list is reached at security at curl.se now - getparameter: fix the --local-port number parser - hostip: Make Curl_ipv6works function independent of getaddrinfo - http_proxy: fix the User-Agent inclusion in CONNECT - http_proxy: fix user-agent and custom headers for CONNECT with hyper - http_proxy: only wait for writable socket while sending request - mailing lists: move from cool.haxx.se to lists.haxx.se - mbedtls: avoid using a large buffer on the stack - mbedTLS: initial 3.0.0 support - ngtcp2: remove the acked_crypto_offset struct field init - ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read - ngtcp2: reset the oustanding send buffer again when drained - ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream - ngtcp2: stop buffering crypto data - ngtcp2: utilize crypto API functions to simplify - openssl: when creating a new context, there cannot be an old one - scripts: invoke interpreters through /usr/bin/env - tests/runtests.pl: cleanup copy&paste mistakes and unused code - tests: be explicit about using 'python3' instead of 'python' - tool/tests: fix potential year 2038 issues - tool_operate: Fix --fail-early with parallel transfers - x509asn1: fix heap over-read when parsing x509 certificates * Rebase libcurl-ocloexec.patch * Wed Jul 21 2021 Pedro Monreal <pmonreal@suse.com> - Update to 7.78.0: [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923] [bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925] * Changes: - curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE - CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax - hostip: make 'localhost' return fixed values - mbedtls: add support for cert and key blob options - metalink: remove all support for it - mqtt: add support for username and password * Bugfixes: - ares: always store IPv6 addresses first - c-hyper: abort CONNECT response reading early on non 2xx responses - c-hyper: add 
support for transfer-encoding in the request - c-hyper: bail on too long response headers - c-hyper: clear NTLM auth buffer when request is issued - c-hyper: fix NTLM on closed connection tested with test159 - conncache: lowercase the hash key for better match - curl_multibyte: Remove local encoding fallbacks - Curl_ntlm_core_mk_nt_hash: fix OOM in error path - Curl_ssl_getsessionid: fail if no session cache exists - easy: during upkeep, attach Curl_easy to connections in the cache - gnutls: set the preferred TLS versions in correct order - hsts: ignore numberical IP address hosts - HSTS: not experimental anymore - http2: init recvbuf struct for pushed streams - http: fix crash in rate-limited upload - http: make the haproxy support work with unix domain sockets - http_proxy: deal with non-200 CONNECT response with Hyper - lib: don't compare fd to FD_SETSIZE when using poll - lib: fix compiler warnings with CURL_DISABLE_NETRC - lib: fix type of len passed to *printf's %*s - lib: more %u for port and int for %*s fixes - lib: use %u instead of %ld for port number printf - libssh2: limit time a disconnect can take to 1 second - mqtt: detect illegal and too large file size - msnprintf: return number of printed characters excluding null byte - multi: add scan-build-6 work-around in curl_multi_fdset - multi: alter transfer timeout ordering - multi: do not switch off connect_only flag when closing - multi: fix crash in curl_multi_wait / curl_multi_poll - ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS - openssl: avoid static variable for seed flag - openssl: don't remove session id entry in disassociate - socketpair: fix potential hangs - socks4: scan for the IPv4 address in resolve results - ssl: read pending close notify alert before closing the connection - telnet: fix option parser to not send uninitialized contents - TLS: prevent shutdown loops to get stuck - vtls: exit addsessionid if no cache is inited - vtls: fix connection reuse checks for issuer cert 
and case sensitivity * Wed May 26 2021 Pedro Monreal <pmonreal@suse.com> - Update to 7.77.0: [bsc#1186114, CVE-2021-22898] [bsc#1186115, bsc#1185579, CVE-2021-22901] * Security fixes: - CVE-2021-22297: schannel cipher selection surprise - CVE-2021-22298: TELNET stack contents disclosure - CVE-2021-22901: TLS session caching disaster * Changes: - configure: make the TLS library choice(s) explicit - curl: ignore options asking for SSLv2 or SSLv3 - hsts: enable by default - SSL: support in-memory CA certs for some backends - vtls: refuse setting any SSL version * Bugfixes: - configure: provide --with-openssl, deprecate --with-ssl - cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies - curl: include libmetalink version in --version output - data_pending: check only SECONDARY socket for FTP(S) transfers - gnutls: don't allow TLS 1.3 for versions that don't support it - gnutls: make setting only the MAX TLS allowed version work - http2: fix resource leaks in set_transfer_url() and push_promise() - http: limit the initial send amount to used upload buffer size - rustls: only return CURLE_AGAIN when TLS session is fully drained - rustls: use ALPN - schannel: Disable auto credentials; add an option to enable it - schannel: Support strong crypto option - sectransp: allow cipher name to be specified - sockfilt: avoid getting stuck waiting for writable socket * Sun Apr 25 2021 Dirk Müller <dmueller@suse.com> - update to 7.76.1: - ngtcp2: Use ALPN h3-29 for now - TODO: remove 18.22 --fail-with-body * Wed Mar 31 2021 Pedro Monreal <pmonreal@suse.com> - Update to 7.76.0 * Security fixes: - [bsc#1183933, CVE-2021-22876]: strip credentials from the auto-referer header field - [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to Curl_ssl_get/addsessionid() * Changes: - cookies: Support multiple -b parameters - curl: add --fail-with-body - doh: add options to disable ssl verification - http: add support to read and store the referrer header - sasl: support SCRAM-SHA-1 and 
SCRAM-SHA-256 via libgsasl - vtls: initial implementation of rustls backend * Bugfixes: - CVE-2021-22876: strip credentials from the auto-referer header field - CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid() - c-hyper: support automatic content-encoding - configure: only add OpenSSL paths if they are defined - configure: provide Largefile feature for curl-config - curl: set CURLOPT_NEW_FILE_PERMS if requested - doh: Fix sharing user's resolve list with DOH handles - doh: Inherit CURLOPT_STDERR from user's easy handle - dynbuf: bump the max HTTP request to 1MB - ftp: add 'list_only' to the transfer state struct - ftp: add 'prefer_ascii' to the transfer state struct - ftp: allow SIZE to fail when doing (resumed) upload - ftp: avoid SIZE when asking for a TYPE A file - ftp: fix memory leak in ftp_done - ftp: never set data->set.ftp_append outside setopt - gnutls: assume nettle crypto support - http2: don't set KEEP_SEND when there's no more data to be sent - http2: fail if connection terminated without END_STREAM - http: do not add a referrer header with empty value - http: strip default port from URL sent to proxy - http: use credentials from transfer, not connection - lib: remove 'conn->data' completely - multi: close the connection when h2=>h1 downgrading - multi: do once-per-transfer inits in before_perform in DID state - multi: rename the multi transfer states - multi: update pending list when removing handle - ngtcp2: adapt to the new recv_datagram callback - ngtcp2: clarify calculation precedence - ngtcp2: sync with recent API updates - openssl: adapt to v3's new const for a few API calls - openssl: ensure to check SSL_CTX_set_alpn_protos return values - openssl: remove get_ssl_version_txt in favor of SSL_get_version - parse_proxy: fix a memory leak in the OOM path - url: fix memory leak if OOM in the HSTS handling - url: fix possible use-after-free in default protocol - urldata: don't touch data->set.httpversion at run-time - urldata: 
merge "struct DynamicStatic" into "struct UrlState" - urldata: remove the 'rtspversion' field - urldata: remove the _ORIG suffix from string names - wolfssl: don't store a NULL sessionid * Thu Mar 04 2021 Cristian Rodríguez <crrodriguez@opensuse.org> - Harden build, enable full RELRO - Never allow undefined symbols anywhere. * Thu Feb 04 2021 Pedro Monreal <pmonreal@suse.com> - Update to 7.75.0 * Changes: - curl: add --create-file-mode [mode] - curl: add new variables to --write-out - dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries - gopher: implement secure gopher protocol - http: add Hyper as new optional HTTP backend - http: introduce AWS HTTP v4 Signature support * Bugfixes: - cmake: Add an option to disable libidn2 - cmake: enable gophers correctly in curl-config - cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG - digest_sspi: Show InitializeSecurityContext errors in verbose mode - getinfo: build with disabled HTTP support - http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy - http_proxy: Fix CONNECT chunked encoding race condition - httpauth: make multi-request auth work with custom port - lib: pass in 'struct Curl_easy *' to most functions - lib: remove Curl_ prefix from many static functions - lib: save a bit of space with some structure packing - libssh: avoid plain free() of libssh-memory - mime: make sure setting MIMEPOST to NULL resets properly - multi_runsingle: bail out early on data->conn == NULL - ngtcp2: Fix http3 upload stall - ngtcp2: Fix stack buffer overflow - openssl: lowercase the hostname before using it for SNI - socks: use the download buffer instead - speedcheck: exclude paused transfers - tooĺ_writeout: fix the -w time output units - url: if IDNA conversion fails, fallback to Transitional - Refresh libcurl-ocloexec.patch
/usr/bin/curl
/usr/share/doc/packages/curl
/usr/share/doc/packages/curl/BUGS.md
/usr/share/doc/packages/curl/CHANGES.md
/usr/share/doc/packages/curl/FAQ
/usr/share/doc/packages/curl/FEATURES.md
/usr/share/doc/packages/curl/README
/usr/share/doc/packages/curl/RELEASE-NOTES
/usr/share/doc/packages/curl/TODO
/usr/share/doc/packages/curl/TheArtOfHttpScripting.md
/usr/share/man/man1/curl.1.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Sep 26 01:30:13 2024