cURL / Mailing Lists / curl-users / Single Mail

curl-users

[RELEASE] curl 7.51.0

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 2 Nov 2016 08:04:44 +0100 (CET)

Hello friends,

I'm very happy to bring this brand new release to the world. Pay extra
attention to the security related issues fixed here. Separate individual
emails will be sent out after this announcement for each one of them with
details.

As always, you find all details and downloads over at https://curl.haxx.se/

Curl and libcurl 7.51.0

  Public curl releases: 160
  Command line options: 185
  curl_easy_setopt() options: 225
  Public functions in libcurl: 61
  Contributors: 1467

This release includes the following changes:

o nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST
o New option: CURLOPT_KEEP_SENDING_ON_ERROR [10]

This release includes the following bugfixes:

  o CVE-2016-8615: cookie injection for other servers [28]
  o CVE-2016-8616: case insensitive password comparison [29]
  o CVE-2016-8617: OOB write via unchecked multiplication [30]
  o CVE-2016-8618: double-free in curl_maprintf [31]
  o CVE-2016-8619: double-free in krb5 code [32]
  o CVE-2016-8620: glob parser write/read out of bounds [33]
  o CVE-2016-8621: curl_getdate read out of bounds [34]
  o CVE-2016-8622: URL unescape heap overflow via integer truncation [35]
  o CVE-2016-8623: Use-after-free via shared cookies [36]
  o CVE-2016-8624: invalid URL parsing with '#' [37]
  o CVE-2016-8625: IDNA 2003 makes curl use wrong host [38]
  o openssl: fix per-thread memory leak using 1.0.1 or 1.0.2 [1]
  o http: accept "Transfer-Encoding: chunked" for HTTP/2 as well [2]
  o LICENSE-MIXING.md: update with mbedTLS dual licensing [3]
  o examples/imap-append: Set size of data to be uploaded [4]
  o test2048: fix url
  o darwinssl: disable RC4 cipher-suite support
  o CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
  o openssl: don’t call CRYTPO_cleanup_all_ex_data [5]
  o libressl: fix version output [6]
  o easy: Reset all statistical session info in curl_easy_reset [7]
  o curl_global_cleanup.3: don't unload the lib with sub threads running [8]
  o dist: add CurlSymbolHiding.cmake to the tarball
  o docs: Remove that --proto is just used for initial retrieval [9]
  o configure: Fixed builds with libssh2 in a custom location
  o curl.1: --trace supports % for sending to stderr!
  o cookies: same domain handling changed to match browser behavior [11]
  o formpost: trying to attach a directory no longer crashes [12]
  o CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning [13]
  o formpost: avoid silent snprintf() truncation
  o ftp: fix Curl_ftpsendf
  o mprintf: return error on too many arguments
  o smb: properly check incoming packet boundaries [14]
  o GIT-INFO: remove the Mac 10.1-specific details [15]
  o resolve: add error message when resolving using SIGALRM [16]
  o cmake: add nghttp2 support [17]
  o dist: remove PDF and HTML converted docs from the releases [18]
  o configure: disable poll() in macOS builds [19]
  o vtls: only re-use session-ids using the same scheme
  o pipelining: skip to-be-closed connections when pipelining [20]
  o win: fix Universal Windows Platform build [21]
  o curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically [22]
  o maketgz: make it support "only" generating version info
  o Curl_socket_check: add extra check to avoid integer overflow
  o gopher: properly return error for poll failures
  o curl: set INTERLEAVEDATA too
  o polarssl: clear thread array at init
  o polarssl: fix unaligned SSL session-id lock
  o polarssl: reduce #ifdef madness with a macro
  o curl_multi_add_handle: set timeouts in closure handles [23]
  o configure: set min version flags for builds on mac [24]
  o INSTALL: converted to markdown => INSTALL.md
  o curl_multi_remove_handle: fix a double-free [25]
  o multi: fix inifinte loop in curl_multi_cleanup() [26]
  o nss: fix tight loop in non-blocking TLS handhsake over proxy [27]
  o mk-ca-bundle: Change URL retrieval to HTTPS-only by default [39]
  o mbedtls: stop using deprecated include file [40]
  o docs: fix req->data in multi-uv example [41]
  o configure: Fix test syntax for monotonic clock_gettime
  o CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2 [42]

This release includes the following known bugs:

o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

   Akshay Vernekar, Alexander Sinditskiy, Anders Bakken, Andreas Streichardt,
   Andrei Sedoi, Bernard Spil, Christian Heimes, Dan Fandrich,
   Daniel Gustafsson, Daniel Stenberg, Darío Hereñú, David Woodhouse,
   Fernando Muñoz, Gregory Szorc, Jeroen Ooms, Kamil Dudka, Luật Nguyễn,
   lukaszgn on github, Marcel Raad, Martin Frodl, Martin Storsjö,
   Michael Kaufmann, Michael Osipov, Miloš Ljumović, Nick Zitzmann,
   nopjmp on github, Paul Joyce, Rainer Müller, Ray Satiro, Remo E,
   Rider Linden, Sebastian Mundry, Sergei Kuzmin, Stephen Brokenshire,
   Tobias Stoeckmann, Toby Peterson, Todd Short, Tony Kelman, Torben Dannhauer,
   Valentin David,
   (40 contributors)

Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

-- 
  / daniel.haxx.se

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-02

This message: [ Message body ]
Next message: Daniel Stenberg: "[SECURITY ADVISORY] curl cookie injection for other servers"
Previous message: Chanikya Nadh Desu via curl-users: "Re: Curl command"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]