curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

[RELEASE] curl 8.3.0

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 13 Sep 2023 08:30:22 +0200 (CEST)

Hello friends.

I'm happy to ship another release. This time there is a single CVE being
announced in association with it, so check the follow-up email with details on
that.

As always, download curl from https://curl.se/

curl and libcurl 8.3.0

  Public curl releases: 251
  Command line options: 257
  curl_easy_setopt() options: 303
  Public functions in libcurl: 92
  Contributors: 2977

This release includes the following changes:

  o curl: make %output{} in -w specify a file to write to [36]
  o gskit: remove [71]
  o lib: --disable-bindlocal builds curl without local binding support
  o nss: remove support for this TLS library [10]
  o tool: add "variable" support [1]
  o trace: make tracing available in non-debug builds [41]
  o url: change default value for CURLOPT_MAXREDIRS to 30 [46]
  o urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name [54]
  o wolfssl: support loading system CA certificates [8]

This release includes the following bugfixes:

  o altsvc: accept and parse IPv6 addresses in response headers [113]
  o asyn-ares: reduce timeout to 2000ms [148]
  o aws-sigv4: canonicalize the query [127]
  o aws-sigv4: fix having date header twice in some cases [141]
  o aws-sigv4: handle no-value user header entries [159]
  o bearssl: don't load CA certs when peer verification is disabled [33]
  o bearssl: handshake fix, provide proper get_select_socks() implementation [99]
  o build: fix portability of mancheck and checksrc targets
  o build: streamline non-UWP wincrypt detections [87]
  o c-hyper: adjust the hyper to curlcode conversion [52]
  o c-hyper: fix memory leaks in `Curl_http` [126]
  o cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP [61]
  o cf-socket: log successful interface bind [39]
  o CI/cirrus: disable python install on FreeBSD [83]
  o CI: add a 32-bit i686 Linux build [158]
  o CI: add caching to many jobs [19]
  o CI: move on to ngtcp2 v0.19.1 [154]
  o CI: move the Alpine build from Cirrus to GHA
  o CI: ngtcp2-linux: use separate caches for tls libraries [125]
  o CI: remove Windows builds from Cirrus, without replacement [131]
  o CI: switch macOS ARM build from Cirrus to Circle CI
  o CI: use master again for wolfssl
  o cirrus: install everthing with pkg, avoid pip [110]
  o cmake: add GnuTLS option [103]
  o cmake: add support for `CURL_DEFAULT_SSL_BACKEND` [128]
  o cmake: add support for single libcurl compilation pass [21]
  o cmake: allow `SHARE_LIB_OBJECT=ON` on all platforms [80]
  o cmake: assume `wldap32` availability on Windows [81]
  o cmake: cache more config and delete unused ones [4]
  o cmake: detect `SSL_set0_wbio` in OpenSSL [22]
  o cmake: drop `HAVE_LIBWINMM` and `HAVE_LIBWS2_32` feature checks [68]
  o cmake: fix to use variable for the curl namespace [79]
  o cmake: fixup H2 duplicate symbols for unity builds [23]
  o cmake: set SIZEOF_LONG_LONG in curl_config.h [165]
  o cmake: support building static and shared libcurl in one go [17]
  o cmdline-docs: make sure to phrase it as "added in ...." [161]
  o cmdline-docs: use present tense, not future [160]
  o cmdline-opts/docs: mention the negative option part [90]
  o cmdline-opts/page-header: clarify stronger that !opt == URL [123]
  o cmdline-opts/page-header: reorder, clean up [51]
  o configure, cmake, lib: more form api deprecation [7]
  o configure: fix `HAVE_TIME_T_UNSIGNED` check [153]
  o configure: trust pkg-config when it's used for zlib [149]
  o configure: use the pkg-config --libs-only-l flag for libssh2 [16]
  o connect: stop halving the remaining timeout when less than 600 ms left [147]
  o cookie-jar.d: emphasize that this option is ONLY writing cookies [72]
  o crypto: ensure crypto initialization works [69]
  o curl_url_get/set.3: add missing semicolon in SYNOPSIS
  o CURLINFO_CERTINFO.3: better explain curl_certinfo struct [64]
  o CURLINFO_TLS_SSL_PTR.3: clarify a recommendation [75]
  o CURLOPT_*TIMEOUT*: extend and clarify [101]
  o CURLOPT_SSL_VERIFYPEER.3: mention it does not load CA certs when disabled [42]
  o CURLOPT_URL.3: add two URL API calls in the see-also section
  o CURLOPT_URL.3: explain curl_url_set() uses the same parser
  o digest: Use hostname to generate spn instead of realm [164]
  o disable.d: explain --disable not implemented prior to 7.50.0 [115]
  o docs/cmdline-opts/gen.pl: hide "added in" before 7.50.0 [76]
  o docs/cmdline-opts: match the current output [104]
  o docs/cmdline-opts: spellfixes, typos and polish [9]
  o docs/cmdline: add small "warning" to verbose options [59]
  o docs/cmdline: remove repeated working for negotiate + ntlm [58]
  o docs/HYPER.md: document a workaround for a link error [73]
  o docs: add curl_global_trace to some SEE ALSO sections [133]
  o docs: link to the website versions instead of markdowns [3]
  o docs: mark --ssl-revoke-best-effort as Schannel specific [162]
  o docs: mention critical files in same directories as curl saves [119]
  o docs: removing "pausing transfers" from HYPER.md. [134]
  o docs: rewrite to present tense [105]
  o easy: remove #ifdefs to make code easier on the eye [34]
  o egd: delete feature detection and related source code [5]
  o ftp: fix temp write of ipv6 address [143]
  o gen.pl: escape all dashes (ascii minus) to avoid unicode hyphens [50]
  o gen.pl: replace all single quotes with aq [78]
  o GHA: adding quiche workflow [35]
  o headers: accept leading whitespaces on first response header [37]
  o http2: avoid too early connection re-use/multiplexing [20]
  o http2: cleanup trace messages [56]
  o http2: disable asssertion blocking OSSFuzz testing [31]
  o http2: fix in h2 proxy tunnel: progress in ingress on sending [32]
  o http2: polish things around POST [132]
  o http2: upgrade tests and add fix for non-existing stream [44]
  o http3/ngtcp2: shorten handshake, trace cleanup [13]
  o http3: quiche, handshake optimization, trace cleanup [63]
  o http: close the connection after a late 417 is received [109]
  o http: do not require a user name when using CURLAUTH_NEGOTIATE [86]
  o http: fix sending of large requests [156]
  o http: remove the p_pragma struct field [60]
  o http: return error when receiving too large header set [43]
  o hyper: fix a progress upload counter bug [122]
  o hyper: fix ownership problems [116]
  o hyper: remove `hyptransfer->endtask` [137]
  o imap: add a check for failing strdup()
  o imap: remove the only sscanf() call in the IMAP code [84]
  o include.d: explain headers not printed with --fail before 7.75.0 [155]
  o include/curl/mprintf.h: add __attribute__ for the prototypes [38]
  o krb5: fix "implicit conversion loses integer precision" warnings [152]
  o lib: add ability to disable auths individually [135]
  o lib: build fixups when built with most things disabled [97]
  o lib: fix a few *printf() flag mistakes [47]
  o lib: fix null ptr derefs and uninitialized vars (h2/h3) [107]
  o lib: move mimepost data from ->req.p.http to ->state [94]
  o libtest: use curl_free() to free libcurl allocated data [114]
  o list-only.d: mention SFTP as supported protocol [55]
  o macOS: fix target detection more [11]
  o misc: fix various typos [18]
  o multi.h: the 'revents' field of curl_waitfd is supported [117]
  o multi: more efficient pollfd count for poll [130]
  o multi: remove 'processing: <url>' debug message [142]
  o ngtcp2: fix handling of large requests [150]
  o openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED` [65]
  o openssl: clear error queue after SSL_shutdown [120]
  o openssl: make aws-lc version support OCSP [48]
  o openssl: Support async cert verify callback [24]
  o openssl: switch to modern init for LibreSSL 2.7.0+ [70]
  o openssl: use `SSL_CTX_set_ciphersuites` with LibreSSL 3.4.1 [66]
  o openssl: use `SSL_CTX_set_keylog_callback` with LibreSSL 3.5.0 [67]
  o openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before [151]
  o os400: build test servers [136]
  o os400: do not check translatable options at build time [95]
  o os400: implement CLI tool [140]
  o page-footer: QLOGDIR works with ngtcp2 and quiche [62]
  o page-header: move up a URL paragraph from GLOBBING to URL
  o pytest: fix check for slow_network skips to only apply when intended [157]
  o quic: don't set SNI if hostname is an IP address [166]
  o quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
  o quiche: enable quiche to handle timeout events [82]
  o resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set [2]
  o revert "schannel: reverse the order of certinfo insertions" [14]
  o schannel: fix ordering of cert chain info [163]
  o schannel: fix user-set legacy algorithms in Windows 10 & 11 [53]
  o schannel: verify hostname independent of verify cert [74]
  o sectransp: fix compiler warnings [129]
  o sectransp: prevent CFRelease() of NULL [26]
  o secureserver.pl: fix stunnel path quoting [112]
  o secureserver.pl: fix stunnel version parsing [111]
  o SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline [146]
  o system.h: add CURL_OFF_T definitions on HP-UX with HP aCC [108]
  o test1304: build and skip without netrc support
  o test1554: check translatable string options in OS400 wrapper [96]
  o test1608: make it build and get skipped without shuffle DNS support
  o test687/688: two more basic --xattr tests [89]
  o tests/tftpd+mqttd: make variables static to silence picky warnings [57]
  o tests: add 'large-time' as a testable feature [92]
  o tests: add support for nested %if conditions [91]
  o tests: don't call HTTP errors OK in test cases
  o tests: ensure `libcurl.def` contains all exports [45]
  o tests: fix h3 server check and parallel instances [6]
  o tests: TLS session sharing test [100]
  o tests: update cookie expiry dates to far in the future [121]
  o time-cond.d: mention what happens on a missing file [93]
  o tool: avoid including leading spaces in the Location hyperlink [145]
  o tool: change some fopen failures from warnings to errors [144]
  o tool: make the length argument an int for printf()-.* flags [49]
  o tool_cb_wrt: fix invalid unicode for windows console [25]
  o tool_filetime: make -z work with file dates before 1970 [139]
  o tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR [12]
  o tool_operate: make aws-sigv4 not require TLS to be used
  o tool_paramhlp: improve str2num(): avoid unnecessary call to strlen() [118]
  o tool_urlglob: use the correct format specifier for curl_off_t in msnprintf [88]
  o transfer: also stop the sending on closed connection [124]
  o transfer: don't set TIMER_STARTTRANSFER on first send [77]
  o unit2600: fix build warning if built without verbose messages
  o url: remove infof() output for "still name resolving" [28]
  o urlapi: fix heap buffer overflow [30]
  o urlapi: make sure zoneid is also duplicated in curl_url_dup [29]
  o urlapi: return CURLUE_BAD_HOSTNAME if puny2idn encoding fails [102]
  o urlapi: setting a blank URL ("") is not an ok URL [106]
  o vquic: show stringified messages for errno [40]
  o vtls: clarify "ALPN: offers" message [27]
  o winbuild: improve check for static zlib [15]
  o wolfSSL: avoid the OpenSSL compat API when not needed [85]
  o workflows/macos.yml: disable zstd and alt-svc in the http-only build [98]
  o write-out.d: clarify %{time_starttransfer}
  o ws: fix spelling mistakes in examples and tests [138]

This release includes the following known bugs:

  o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)

Planned upcoming removals include:

  o support for space-separated NOPROXY patterns
  o support for the original legacy mingw version 1

  See https://curl.se/dev/deprecate.html for details

This release would not have looked like this without help, code, reports and
advice from friends like these:

   ad0p on github, Alexander Jaeger, Alexander Kanavin, apparentorder on github,
   balikalina on Github, Benoit Pierre, Chris Talbot, Christian Hesse,
   Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, Dan Jacobson,
   Dave Cottlehuber, Davide Masserut, Derzsi Dániel, Douglas R. Reno,
   ed0d2b2ce19451f2, Emanuele Torre, Enrico Scholz, eppesuig, FC Stegerman,
   Gabriel Corona, Gerome Fournier, Gisle Vanem, Goro FUJI, Graham Campbell,
   Guillaume Algis, guoxinvmware on github, Harry Sintonen, Jacob Mealey,
   JazJas on github, John Bampton, John Hawthorn, John Walker, Joseph Tharayil,
   junsik on github, kyled-dell on github, Lukas Tribus, Maksim Arhipov,
   Maksim Sciepanienka, Marcel Raad, Marin Hannache, Markus Sommer,
   Martin Galvan, Mathew Benson, Matthias Gatto, Maurício Meneghini Fauth,
   Michael Osipov, Mohamed Daahir, Nathan Moinvaziri, Niall McGee,
   Nicholas Nethercote, Nicolas Noben, Nicolás Ojeda Bär, Oleg Jukovec,
   oliverpool on github, Pablo Busse, Patrick Monnerat,
   Philippe Antoine on HackerOne, pszlazak on github, Randall S. Becker,
   Ray Satiro, Richard W.M. Jones, Rutger Broekhoff, Ryan Schmidt,
   Samuel Chiang, Satana de Sant'Ana, Sergey, Sevan Janiyan, Stefan Eissing,
   Thomas M. DuBuisson, Thorsten Klein, trrui-huawei, Viktor Szakats, vvb2060,
   wangzhikun, Wilhelm von Thiele, Wyatt O'Day, yushicheng7788 on github,
   zhihaoy on github
   (80 contributors)

References to bug reports and discussions on issues:

  [1] = https://curl.se/bug/?i=11346
  [2] = https://curl.se/bug/?i=11564
  [3] = https://github.com/curl/curl-www/issues/272
  [4] = https://curl.se/bug/?i=11551
  [5] = https://curl.se/bug/?i=11556
  [6] = https://curl.se/bug/?i=11553
  [7] = https://curl.se/bug/?i=9621
  [8] = https://curl.se/bug/?i=11452
  [9] = https://curl.se/bug/?i=11562
  [10] = https://curl.se/bug/?i=11459
  [11] = https://curl.se/bug/?i=11502
  [12] = https://curl.se/bug/?i=11325
  [13] = https://curl.se/bug/?i=11609
  [14] = https://curl.se/bug/?i=11536
  [15] = https://curl.se/bug/?i=11521
  [16] = https://curl.se/bug/?i=11538
  [17] = https://curl.se/bug/?i=11505
  [18] = https://curl.se/bug/?i=11561
  [19] = https://curl.se/bug/?i=11532
  [20] = https://curl.se/mail/lib-2023-07/0045.html
  [21] = https://curl.se/bug/?i=11546
  [22] = https://curl.se/bug/?i=11555
  [23] = https://curl.se/bug/?i=11550
  [24] = https://curl.se/bug/?i=11499
  [25] = https://curl.se/bug/?i=9841
  [26] = https://curl.se/bug/?i=9194
  [27] = https://curl.se/mail/lib-2023-07/0041.html
  [28] = https://curl.se/bug/?i=11394
  [29] = https://curl.se/mail/lib-2023-07/0047.html
  [30] = https://curl.se/bug/?i=11560
  [31] = https://curl.se/bug/?i=11500
  [32] = https://curl.se/bug/?i=11527
  [33] = https://curl.se/bug/?i=11457
  [34] = https://curl.se/bug/?i=11525
  [35] = https://curl.se/bug/?i=11517
  [36] = https://curl.se/bug/?i=11416
  [37] = https://curl.se/bug/?i=11605
  [38] = https://curl.se/bug/?i=11589
  [39] = https://curl.se/bug/?i=11608
  [40] = https://curl.se/bug/?i=11584
  [41] = https://curl.se/bug/?i=11421
  [42] = https://curl.se/bug/?i=11606
  [43] = https://curl.se/bug/?i=11582
  [44] = https://curl.se/bug/?i=11563
  [45] = https://curl.se/bug/?i=11570
  [46] = https://curl.se/bug/?i=11581
  [47] = https://curl.se/bug/?i=11579
  [48] = https://curl.se/bug/?i=11568
  [49] = https://curl.se/bug/?i=11578
  [50] = https://curl.se/bug/?i=11635
  [51] = https://curl.se/bug/?i=11638
  [52] = https://curl.se/bug/?i=11621
  [53] = https://curl.se/bug/?i=10741
  [54] = https://curl.se/bug/?i=11655
  [55] = https://curl.se/bug/?i=11628
  [56] = https://curl.se/bug/?i=11592
  [57] = https://curl.se/bug/?i=11594
  [58] = https://curl.se/bug/?i=11597
  [59] = https://curl.se/bug/?i=11596
  [60] = https://curl.se/bug/?i=11681
  [61] = https://curl.se/bug/?i=11619
  [62] = https://curl.se/bug/?i=11631
  [63] = https://curl.se/bug/?i=11618
  [64] = https://curl.se/bug/?i=11666
  [65] = https://curl.se/bug/?i=11617
  [66] = https://curl.se/bug/?i=11616
  [67] = https://curl.se/bug/?i=11615
  [68] = https://curl.se/bug/?i=11612
  [69] = https://curl.se/bug/?i=11614
  [70] = https://curl.se/bug/?i=11611
  [71] = https://curl.se/bug/?i=11460
  [72] = https://curl.se/bug/?i=11661
  [73] = https://curl.se/bug/?i=11653
  [74] = https://curl.haxx.se/mail/lib-2018-10/0113.html
  [75] = https://curl.se/bug/?i=11665
  [76] = https://curl.se/bug/?i=11651
  [77] = https://curl.se/bug/?i=11669
  [78] = https://curl.se/bug/?i=11645
  [79] = https://curl.se/bug/?i=1199308
  [80] = https://curl.se/bug/?i=11627
  [81] = https://curl.se/bug/?i=11624
  [82] = https://curl.se/bug/?i=11654
  [83] = https://curl.se/bug/?i=11705
  [84] = https://curl.se/bug/?i=11673
  [85] = https://curl.se/bug/?i=11752
  [86] = https://sourceforge.net/p/curl/bugs/440/
  [87] = https://curl.se/bug/?i=11657
  [88] = https://curl.se/bug/?i=11698
  [89] = https://curl.se/bug/?i=11697
  [90] = https://curl.se/bug/?i=11695
  [91] = https://curl.se/bug/?i=11728
  [92] = https://curl.se/bug/?i=11696
  [93] = https://curl.se/bug/?i=11727
  [94] = https://curl.se/bug/?i=11680
  [95] = https://curl.se/bug/?i=11650
  [96] = https://curl.se/bug/?i=11650
  [97] = https://curl.se/bug/?i=11687
  [98] = https://curl.se/bug/?i=11683
  [99] = https://curl.se/bug/?i=11675
  [100] = https://curl.se/bug/?i=11675
  [101] = https://curl.se/bug/?i=11686
  [102] = https://curl.se/bug/?i=11674
  [103] = https://curl.se/bug/?i=11685
  [104] = https://curl.se/bug/?i=11723
  [105] = https://curl.se/bug/?i=11713
  [106] = https://curl.se/bug/?i=11714
  [107] = https://curl.se/bug/?i=11739
  [108] = https://curl.se/bug/?i=11718
  [109] = https://curl.se/bug/?i=11678
  [110] = https://curl.se/bug/?i=11711
  [111] = https://curl.se/bug/?i=11722
  [112] = https://curl.se/bug/?i=11721
  [113] = https://curl.se/bug/?i=11737
  [114] = https://curl.se/bug/?i=11746
  [115] = https://curl.se/bug/?i=11710
  [116] = https://curl.se/bug/?i=11745
  [117] = https://curl.se/bug/?i=11749
  [118] = https://curl.se/bug/?i=11742
  [119] = https://curl.se/bug/?i=11530
  [120] = https://curl.se/bug/?i=11736
  [121] = https://curl.se/bug/?i=11576
  [122] = https://curl.se/bug/?i=11780
  [123] = https://curl.se/bug/?i=11734
  [124] = https://curl.se/bug/?i=11769
  [125] = https://curl.se/bug/?i=11766
  [126] = https://curl.se/bug/?i=11729
  [127] = https://curl.se/bug/?i=11794
  [128] = https://curl.se/bug/?i=11774
  [129] = https://curl.se/bug/?i=11773
  [130] = https://curl.se/bug/?i=11792
  [131] = https://curl.se/bug/?i=11771
  [132] = https://curl.se/bug/?i=11756
  [133] = https://curl.se/bug/?i=11791
  [134] = https://curl.se/bug/?i=11764
  [135] = https://curl.se/bug/?i=11490
  [136] = https://curl.se/bug/?i=11547
  [137] = https://curl.se/bug/?i=11779
  [138] = https://curl.se/bug/?i=11784
  [139] = https://curl.se/bug/?i=11785
  [140] = https://curl.se/bug/?i=11547
  [141] = https://curl.se/bug/?i=11738
  [142] = https://curl.se/bug/?i=11759
  [143] = https://curl.se/bug/?i=11747
  [144] = https://curl.se/bug/?i=11677
  [145] = https://curl.se/bug/?i=11735
  [146] = https://curl.se/bug/?i=11757
  [147] = https://curl.se/bug/?i=11693
  [148] = https://curl.se/bug/?i=11753
  [149] = https://curl.se/mail/lib-2023-08/0081.html
  [150] = https://curl.se/bug/?i=11815
  [151] = https://curl.se/bug/?i=11800
  [152] = https://curl.se/bug/?i=11814
  [153] = https://curl.se/bug/?i=11825
  [154] = https://curl.se/bug/?i=11809
  [155] = https://curl.se/bug/?i=11822
  [156] = https://curl.se/bug/?i=11342
  [157] = https://curl.se/bug/?i=11801
  [158] = https://curl.se/bug/?i=11799
  [159] = https://curl.se/bug/?i=11664
  [160] = https://curl.se/bug/?i=11821
  [161] = https://curl.se/bug/?i=11821
  [162] = https://curl.se/bug/?i=11760
  [163] = https://curl.se/bug/?i=11632
  [164] = https://curl.se/bug/?i=11395
  [165] = https://curl.se/bug/?i=11839
  [166] = https://curl.se/bug/?i=11827

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html


-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2023-09-13