Changes in 7.65.0 - May 22 2019

7.65.0 7.65.0 only

Changes:

Bugfixes:

CVE-2019-5435: Integer overflows in curl_url_set
CVE-2019-5436: tftp: use the current blksize for recvfrom()
--config: clarify that initial : and = might need quoting
AppVeyor: enable testing for WinSSL build
CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
CURLOPT_ADDRESS_SCOPE: fix range check and more
CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later
CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
CURL_MAX_INPUT_LENGTH: largest acceptable string input size
Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
INTERNALS: Add code highlighting
OS400/ccsidcurl: replace use of Curl_vsetopt
OpenSSL: Report -fips in version if OpenSSL is built with FIPS
README.md: fix no-consecutive-blank-lines Codacy warning
VC15 project: remove MinimalRebuild
VS projects: use Unicode for VC10+
WRITEFUNCTION: add missing set_in_callback around callback
altsvc: Fix building with cookies disabled
auth: Rename the various authentication clean up functions
base64: build conditionally if there are users
build-openssl.bat: Fixed support for OpenSSL v1.1.0+
build: fix "clarify calculation precedence" warnings
checksrc.bat: ignore snprintf warnings in docs/examples
cirrus: Customize the disabled tests per FreeBSD version
cleanup: remove FIXME and TODO comments
cmake: avoid linking executable for some tests with cmake 3.6+
cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
cmake: set SSL_BACKENDS
configure: avoid unportable `==' test(1) operator
configure: error out if OpenSSL wasn't detected when asked for
configure: fix default location for fish completions
cookie: Guard against possible NULL ptr deref
curl: make code work with protocol-disabled libcurl
curl: report error for "--no-" on non-boolean options
curl_easy_getinfo.3: fix minor formatting mistake
curlver.h: use parenthesis in CURL_VERSION_BITS macro
docs/BUG-BOUNTY: bug bounty time
docs/INSTALL: fix broken link
docs/RELEASE-PROCEDURE: link to live iCalendar
documentation: Fix several typos
doh: acknowledge CURL_DISABLE_DOH
doh: disable DOH for the cases it doesn't work
examples: remove unused variables
ftplistparser: fix LGTM alert "Empty block without comment"
hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
http: acknowledge CURL_DISABLE_HTTP_AUTH
http: mark bundle as not for multiuse on < HTTP/2 response
http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
http_negotiate: do not treat failure of gss_init_sec_context() as fatal
http_ntlm: Corrected the name of the include guard
http_ntlm_wb: Handle auth for only a single request
http_ntlm_wb: Return the correct error on receiving an empty auth message
lib509: add missing include for strdup
lib557: initialize variables
makedebug: Fix ERRORLEVEL detection after running where.exe
mbedtls: enable use of EC keys
mime: acknowledge CURL_DISABLE_MIME
multi: improved HTTP_1_1_REQUIRED handling
netrc: acknowledge CURL_DISABLE_NETRC
nss: allow fifos and character devices for certificates
nss: provide more specific error messages on failed init
ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
openssl: mark connection for close on TLS close_notify
openvms: Remove pre-processor for SecureTransport
openvms: Remove pre-processors for Windows
parse_proxy: use the URL parser API
parsedate: disabled on CURL_DISABLE_PARSEDATE
pingpong: disable more when no pingpong protocols are enabled
polarssl_threadlock: remove conditionally unused code
progress: acknowledge CURL_DISABLE_PROGRESS_METER
proxy: acknowledge DISABLE_PROXY more
resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
revert "multi: support verbose conncache closure handle"
sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
sasl: only enable if there's a protocol enabled using it
scripts: fix typos
singleipconnect: show port in the verbose "Trying ..." message
smtp: fix compiler warning
socks5: username and passwords must be shorter than 256
socks: fix error message
socksd: new SOCKS 4+5 server for tests
spnego_gssapi: fix return code on gss_init_sec_context() failure
ssh-libssh: remove unused variable
ssh: define USE_SSH if SSH is enabled (any backend)
ssh: move variable declaration to where it's used
test1002: correct the name
test2100: Fix typos in test description
tests/server/util: fix Windows Unicode build
tests: Run global cleanup at end of tests
tests: make Impacket (SMB server) Python 3 compatible
tool_cb_wrt: fix bad-function-cast warning
tool_formparse: remove redundant assignment
tool_help: Warn if curl and libcurl versions do not match
tool_help: include <strings.h> for strcasecmp
transfer: fix LGTM alert "Comparison is always true"
travis: add an osx http-only build
travis: allow builds on branches named "ci"
travis: install dependencies only when needed
travis: update some builds do Xenial
travis: updated mesalink builds
url: always clone the CUROPT_CURLU handle
url: convert the zone id from a IPv6 URL to correct scope id
urlapi: add CURLUPART_ZONEID to set and get
urlapi: increase supported scheme length to 40 bytes
urlapi: require a non-zero hostname length when parsing URL
urlapi: stricter CURLUPART_PORT parsing
urlapi: strip off zone id from numerical IPv6 addresses
urlapi: urlencode characters above 0x7f correctly
vauth/cleartext: update the PLAIN login to match RFC 4616
vauth/oauth2: Fix OAUTHBEARER token generation
vauth: Fix incorrect function description for Curl_auth_user_contains_domain
vtls: fix potential ssl_buffer stack overflow
wildcard: disable from build when FTP isn't present
winbuild: Support MultiSSL builds
xattr: skip unittest on unsupported platforms

Further

The previous release was 7.64.1. The next release was 7.65.1.