curl and libcurl 7.79.0

 Public curl releases:         202
 Command line options:         242
 curl_easy_setopt() options:   290
 Public functions in libcurl:  85
 Contributors:                 2484

This release includes the following changes:

 o bearssl: support CURLOPT_CAINFO_BLOB [3]
 o http: consider cookies over localhost to be secure [24]
 o secure transport: support CURLINFO_CERTINFO [63]

This release includes the following bugfixes:

 o CVE-2021-22945: clear the leftovers pointer when sending succeeds [112]
 o CVE-2021-22946: do not ignore --ssl-reqd [111]
 o CVE-2021-22947: reject STARTTLS server response pipelining [110]
 o ares: use ares_getaddrinfo() [51]
 o asyn-ares.c: move all version number checks to the top
 o auth: do not append zero-terminator to authorisation id in kerberos [32]
 o auth: properly handle byte order in kerberos security message [36]
 o auth: use sasl authzid option in kerberos [34]
 o auth: we do not support a security layer after kerberos authentication [35]
 o BINDINGS.md: update links to use https where available [50]
 o build: fix compiler warnings [39]
 o c-hyper: deal with Expect: 100-continue combined with POSTFIELDS [66]
 o c-hyper: fix header value passed to debug callback [46]
 o c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection [65]
 o c-hyper: initial step for 100-continue support [43]
 o c-hyper: initial support for "dumping" 1xx HTTP responses [40]
 o c-hyper: remove the hyper_executor_poll() loop from Curl_http [13]
 o CI/cirrus: reduce compile time with increased parallelism [19]
 o CI: use GitHub Container Registry instead of Docker Hub [47]
 o cirrus: Add FreeBSD 13.0 job and disable sanitizer build [128]
 o cmake: avoid poll() on macOS [59]
 o cmake: sync CURL_DISABLE options [55]
 o codeql: fix error "Resource not accessible by integration" [61]
 o compressed.d: it's a request, not an order [21]
 o config.d: escape the backslash properly [81]
 o config.d: note that curlrc is used even when --config [107]
 o config: get rid of the unused HAVE_SIG_ATOMIC_T et al.
 o configure.ac: revert bad nghttp2 library detection improvements [9]
 o configure: error out if both ngtcp2 and quiche are specified [30]
 o configure: make --disable-hsts work [106]
 o configure: set classic mingw minimum OS version to XP [83]
 o configure: tweak nghttp2 library name fix [2]
 o connect: get local port + ip also when reusing connections [95]
 o connect: remove superfluous conditional [23]
 o curl-openssl.m4: check lib64 for the pkg-config file [14]
 o curl-openssl.m4: show correct output for OpenSSL v3 [75]
 o curl.1: mention "global" flags [7]
 o curl.1: provide examples for each option [99]
 o curl: add warning for ignored data after quoted form parameter [60]
 o curl: add warning for incompatible parameters usage [102]
 o curl: better error message when -O fails to get a good name [88]
 o curl: stop retry if Retry-After: is longer than allowed [104]
 o curl_easy_setopt.3: improve the string copy wording [89]
 o Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited [116]
 o curl_setup.h: sync values for HTTP_ONLY [82]
 o curl_url_get.3: clarify about path and query [45]
 o CURLMOPT_TIMERFUNCTION.3: remove misplaced "time" [5]
 o CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited [8]
 o CURLOPT_SSL_CTX_*.3: tidy up the example [15]
 o CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also [90]
 o docs/MQTT: update state of username/password support [4]
 o docs: remove experimental mentions from HSTS and MQTT [93]
 o docs: the security list is reached at security at curl.se now [124]
 o easy: use a custom implementation of wcsdup on Windows [31]
 o examples/*hiperfifo.c: fix calloc arguments to match function proto [103]
 o examples/cookie_interface: avoid printfing time_t directly [18]
 o examples/cookie_interface: fix scan-build printf warning [16]
 o examples/ephiperfifo.c: simplify signal handler [42]
 o FAQ: add two dev related questions [108]
 o getparameter: fix the --local-port number parser [58]
 o happy-eyeballs-timeout-ms.d: polish the wording [10]
 o hostip: Make Curl_ipv6works function independent of getaddrinfo [26]
 o http2: Curl_http2_setup needs to init stream data in all invokes [119]
 o http2: revert a change that broke upgrade to h2c [57]
 o http2: revert call the handle-closed function correctly on closed stream [25]
 o http: disallow >3-digit response codes [80]
 o http: ignore content-length if any transfer-encoding is used [101]
 o http_proxy: clear 'sending' when the outgoing request is sent [6]
 o http_proxy: fix the User-Agent inclusion in CONNECT [115]
 o http_proxy: fix user-agent and custom headers for CONNECT with hyper [38]
 o http_proxy: only wait for writable socket while sending request [78]
 o INTERNALS: bump c-ares requirement to 1.16.0
 o INTERNALS: c-ares has a new home: c-ares.org
 o lib: don't use strerror() [127]
 o libcurl-errors.3: clarify two CURLUcode errors [72]
 o limit-rate.d: clarify base unit [17]
 o mailing lists: move from cool.haxx.se to lists.haxx.se
 o mbedtls: avoid using a large buffer on the stack [105]
 o mbedTLS: initial 3.0.0 support [33]
 o mbedtls_threadlock: fix unused variable warning [11]
 o mksymbolsmanpage.pl: Fix showing symbol's last used version [76]
 o mksymbolsmanpage.pl: match symbols case insensitively [77]
 o multi: fix compiler warning with `CURL_DISABLE_WAKEUP` [96]
 o ngtcp2: compile with the latest ngtcp2 and nghttp3 [12]
 o ngtcp2: fix build with ngtcp2 and nghttp3 [117]
 o ngtcp2: remove the acked_crypto_offset struct field init [64]
 o ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read [28]
 o ngtcp2: reset the outstanding send buffer again when drained [53]
 o ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream [29]
 o ngtcp2: stop buffering crypto data [85]
 o ngtcp2: utilize crypto API functions to simplify [52]
 o openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA [98]
 o openssl: when creating a new context, there cannot be an old one [48]
 o opt-docs: make sure all man pages have examples [92]
 o opt-docs: verify man page sections + order [91]
 o opts docs: unify phrasing in NAME header [126]
 o output.d: add method to suppress response bodies [49]
 o page-header: add GOPHERS, simplify wording in the 1st para [94]
 o progress: fix a compile warning on some systems [54]
 o progress: make trspeed avoid floats [100]
 o runtests: add option -u to error on server unexpectedly alive [125]
 o schannel: Work around typo in classic mingw macro [84]
 o scripts: invoke interpreters through /usr/bin/env [68]
 o setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper [70]
 o strerror.h: remove the #include from files not using it
 o symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version [73]
 o test1138: remove trailing space to make work with hyper [71]
 o test1173: check references to libcurl options [69]
 o test1280: CRLFify the response to please hyper [86]
 o test1565: fix windows build errors [27]
 o test365: verify response with chunked AND Content-Length headers
 o tests/*server.pl: flush output before executing subprocess [41]
 o tests/*server.py: remove pidfile on server termination [1]
 o tests/runtests.pl: cleanup copy&paste mistakes and unused code
 o tests/server/*.c: align handling of portfile argument and file [56]
 o tests: adjust the tftpd output to work with hyper mode [97]
 o tests: be explicit about using 'python3' instead of 'python' [67]
 o tests: enable test 1129 for hyper builds [87]
 o tests: make three tests pass until 2037 [22]
 o tool/tests: fix potential year 2038 issues [20]
 o tool_operate: Fix --fail-early with parallel transfers [62]
 o url: fix compiler warning in no-verbose builds [120]
 o urlapi.c:seturl: assert URL instead of using if-check [74]
 o vtls: fix typo in schannel_verify.c [44]
 o winbuild/README.md: clarify GEN_PDB option
 o wolfssl: clean up wolfcrypt error queue [79]
 o write-out.d: clarify size_download/upload [118]
 o x509asn1: fix heap over-read when parsing x509 certificates [37]

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

  a1346054 on github, Aleksandr Krotov, Alex Crichton, April King,
  Artur Sinila, Barry Pollard, Bastian Krause, Benau on github,
  Bernhard M. Wiedemann, Bin Lan, Brian Carpenter, Bylon2 on github,
  Cao ZhenXiang, Carlo Marcelo Arenas Belón, Christian Weisgerber,
  Colin O'Dell, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg,
  Daniel Woelfel, Dan Jacobson, David Cook, Don J Olmstead, Ehren Bendler,
  Emil Engler, Gambit Communications, Gergely Nagy, Gisle Vanem,
  git-bruh on github, Gleb Ivanovsky, Ikko Ashimine, Inho Oh, Jan Schaumann,
  Jan Verbeek, Jeff Mears, Jeremy Falcon, Jonathan Cardoso Machado, Josh Soref,
  Kari Pahula, Marcel Raad, Marc Hörsken, Max Dymond, Michael Kaufmann,
  Michał Antoniak, modbw on github, Oleg Pudeyev, Oleguer Llopart,
  Patrick Monnerat, Paul Johnson, Randall S. Becker, Ray Satiro, Rui Pinheiro,
  Sergey Markelov, T200proX7 on github, Tatsuhiro Tsujikawa, Tk Xiong,
  Viktor Szakats, Vincent Grande, Yaobin Wen, z2-2z on github,
  z2_ on hackerone, zloi-user on github,
  (62 contributors)

References to bug reports and discussions on issues:

 [1] = https://curl.se/bug/?i=7506
 [2] = https://curl.se/bug/?i=7485
 [3] = https://curl.se/bug/?i=7468
 [4] = https://curl.se/bug/?i=7474
 [5] = https://curl.se/bug/?i=7470
 [6] = https://curl.se/bug/?i=7155
 [7] = https://curl.se/bug/?i=7457
 [8] = https://curl.se/bug/?i=7441
 [9] = https://curl.se/bug/?i=7514
 [10] = https://curl.se/bug/?i=7433
 [11] = https://curl.se/bug/?i=7393
 [12] = https://curl.se/bug/?i=7541
 [13] = https://curl.se/bug/?i=7499
 [14] = https://curl.se/bug/?i=7503
 [15] = https://curl.se/bug/?i=7500
 [16] = https://curl.se/bug/?i=7497
 [17] = https://curl.se/bug/?i=7439
 [18] = https://curl.se/bug/?i=7490
 [19] = https://curl.se/bug/?i=7505
 [20] = https://curl.se/bug/?i=7466
 [21] = https://curl.se/bug/?i=7516
 [22] = https://curl.se/bug/?i=7512
 [23] = https://curl.se/bug/?i=7511
 [24] = https://curl.se/bug/?i=6733
 [25] = https://curl.se/bug/?i=7400
 [26] = https://curl.se/bug/?i=7529
 [27] = https://curl.se/bug/?i=7527
 [28] = https://curl.se/bug/?i=7546
 [29] = https://curl.se/bug/?i=7546
 [30] = https://curl.se/bug/?i=7545
 [31] = https://curl.se/bug/?i=7540
 [32] = https://curl.se/bug/?i=7008
 [33] = https://curl.se/bug/?i=7428
 [34] = https://curl.se/bug/?i=7008
 [35] = https://curl.se/bug/?i=7008
 [36] = https://curl.se/bug/?i=7008
 [37] = https://curl.se/bug/?i=7536
 [38] = https://curl.se/bug/?i=7598
 [39] = https://curl.se/bug/?i=7528
 [40] = https://curl.se/bug/?i=7597
 [41] = https://curl.se/bug/?i=7530
 [42] = https://curl.se/bug/?i=7310
 [43] = https://curl.se/bug/?i=7568
 [44] = https://curl.se/bug/?i=7566
 [45] = https://curl.se/bug/?i=7563
 [46] = https://curl.se/bug/?i=7567
 [47] = https://curl.se/bug/?i=7587
 [48] = https://curl.se/bug/?i=7585
 [49] = https://curl.se/bug/?i=7560
 [50] = https://curl.se/bug/?i=7558
 [51] = https://curl.se/bug/?i=7364
 [52] = https://curl.se/bug/?i=7551
 [53] = https://curl.se/bug/?i=7538
 [54] = https://curl.se/bug/?i=7549
 [55] = https://curl.se/bug/?i=7624
 [56] = https://curl.se/bug/?i=7574
 [57] = https://curl.se/bug/?i=7633
 [58] = https://curl.se/bug/?i=7582
 [59] = https://curl.se/bug/?i=7595
 [60] = https://curl.se/bug/?i=7394
 [61] = https://curl.se/bug/?i=7575
 [62] = https://curl.se/bug/?i=6939
 [63] = https://curl.se/bug/?i=4130
 [64] = https://curl.se/bug/?i=7578
 [65] = https://curl.se/bug/?i=7617
 [66] = https://curl.se/bug/?i=7616
 [67] = https://curl.se/bug/?i=7602
 [68] = https://curl.se/bug/?i=7602
 [69] = https://curl.se/bug/?i=7656
 [70] = https://curl.se/bug/?i=7614
 [71] = https://curl.se/bug/?i=7613
 [72] = https://curl.se/bug/?i=7611
 [73] = https://curl.se/bug/?i=7609
 [74] = https://curl.se/bug/?i=7610
 [75] = https://curl.se/bug/?i=7606
 [76] = https://github.com/curl/curl/commit/4e53b94#commitcomment-55239509
 [77] = https://github.com/curl/curl/commit/4e53b9430c7504de8984796e2a2091ec16f27136#commitcomment-55239253
 [78] = https://curl.se/bug/?i=7589
 [79] = https://curl.se/bug/?i=7594
 [80] = https://curl.se/bug/?i=7641
 [81] = https://curl.se/bug/?i=7603
 [82] = https://curl.se/bug/?i=7601
 [83] = https://curl.se/bug/?i=7581
 [84] = https://curl.se/bug/?i=7580
 [85] = https://curl.se/bug/?i=7637
 [86] = https://curl.se/bug/?i=7639
 [87] = https://curl.se/bug/?i=7638
 [88] = https://curl.se/bug/?i=7628
 [89] = https://curl.se/bug/?i=7632
 [90] = https://curl.se/bug/?i=7656
 [91] = https://curl.se/bug/?i=7656
 [92] = https://curl.se/bug/?i=7656
 [93] = https://github.com/curl/curl/pull/6700#issuecomment-913792863
 [94] = https://curl.se/bug/?i=7665
 [95] = https://curl.se/bug/?i=7660
 [96] = https://curl.se/bug/?i=7661
 [97] = https://curl.se/bug/?i=7658
 [98] = https://curl.se/bug/?i=7652
 [99] = https://curl.se/bug/?i=7654
 [100] = https://curl.se/bug/?i=7645
 [101] = https://curl.se/bug/?i=7643
 [102] = https://curl.se/bug/?i=7674
 [103] = https://curl.se/bug/?i=7678
 [104] = https://curl.se/bug/?i=7675
 [105] = https://curl.se/bug/?i=7586
 [106] = https://curl.se/bug/?i=7669
 [107] = https://github.com/curl/curl/pull/7666#issuecomment-912214751
 [108] = https://curl.se/bug/?i=7715
 [110] = https://curl.se/docs/CVE-2021-22947.html
 [111] = https://curl.se/docs/CVE-2021-22946.html
 [112] = https://curl.se/docs/CVE-2021-22945.html
 [115] = https://curl.se/bug/?i=7705
 [116] = https://curl.se/bug/?i=7710
 [117] = https://curl.se/bug/?i=7709
 [118] = https://curl.se/bug/?i=7702
 [119] = https://curl.se/bug/?i=7630
 [120] = https://curl.se/bug/?i=7700
 [124] = https://curl.se/bug/?i=7689
 [125] = https://curl.se/bug/?i=7180
 [126] = https://curl.se/bug/?i=7688
 [127] = https://curl.se/bug/?i=7685
 [128] = https://curl.se/bug/?i=7592