curl / Mailing Lists / curl-users / Single Mail

curl-users

[RELEASE] curl 7.64.0

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 6 Feb 2019 08:12:21 +0100 (CET)

Hello!

It is with great pleasure I declare that curl 7.64.0 has just been released.
As always, get it from:

   https://curl.haxx.se/

This time we also release no less than three security advisories together with
the new version. Be sure you check those out so you don't remain vulnerable
longer than you have to.

Onwards and upwards!

curl and libcurl 7.64.0

  Public curl releases: 179
  Command line options: 220
  curl_easy_setopt() options: 265
  Public functions in libcurl: 80
  Contributors: 1875

This release includes the following changes:

  o cookies: leave secure cookies alone [3]
  o hostip: support wildcard hosts [23]
  o http: Implement trailing headers for chunked transfers [7]
  o http: added options for allowing HTTP/0.9 responses [10]
  o timeval: Use high resolution timestamps on Windows [19]

This release includes the following bugfixes:

  o CVE-2018-16890: NTLM type-2 out-of-bounds buffer read [67]
  o CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow [68]
  o CVE-2019-3823: SMTP end-of-response out-of-bounds read [66]
  o FAQ: remove mention of sourceforge for github [22]
  o OS400: handle memory error in list conversion [4]
  o OS400: upgrade ILE/RPG binding.
  o README: add codacy code quality badge
  o Revert http_negotiate: do not close connection [31]
  o THANKS: added several missing names from year <= 2000
  o build: make 'tidy' target work for metalink builds
  o cmake: added checks for variadic macros [47]
  o cmake: updated check for HAVE_POLL_FINE to match autotools [39]
  o cmake: use lowercase for function name like the rest of the code [20]
  o configure: detect xlclang separately from clang [41]
  o configure: fix recv/send/select detection on Android [53]
  o configure: rewrite --enable-code-coverage [61]
  o conncache_unlock: avoid indirection by changing input argument type
  o cookie: fix comment typo [44]
  o cookies: allow secure override when done over HTTPS [34]
  o cookies: extend domain checks to non psl builds [12]
  o cookies: skip custom cookies when redirecting cross-site [36]
  o curl --xattr: strip credentials from any URL that is stored [33]
  o curl -J: refuse to append to the destination file [14]
  o curl/urlapi.h: include "curl.h" first [30]
  o curl_multi_remove_handle() don't block terminating c-ares requests [32]
  o darwinssl: accept setting max-tls with default min-tls [6]
  o disconnect: separate connections and easy handles better [18]
  o disconnect: set conn->data for protocol disconnect
  o docs/version.d: mention MultiSSL [26]
  o docs: fix the --tls-max description [2]
  o docs: use $(INSTALL_DATA) to install man page [64]
  o docs: use meaningless port number in CURLOPT_LOCALPORT example [58]
  o gopher: always include the entire gopher-path in request [5]
  o http2: clear pause stream id if it gets closed [8]
  o if2ip: remove unused function Curl_if_is_interface_name [9]
  o libssh: do not let libssh create socket [63]
  o libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh [62]
  o libssh: free sftp_canonicalize_path() data correctly [17]
  o libtest/stub_gssapi: use "real" snprintf [27]
  o mbedtls: use VERIFYHOST [15]
  o multi: multiplexing improvements [35]
  o multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time [57]
  o ntlm: fix NTMLv2 compliance [25]
  o ntlm_sspi: add support for channel binding [54]
  o openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated [46]
  o openssl: fix the SSL_get_tlsext_status_ocsp_resp call [40]
  o openvms: fix OpenSSL discovery on VAX [21]
  o openvms: fix typos in documentation
  o os400: add a missing closing bracket [50]
  o os400: fix extra parameter syntax error [50]
  o pingpong: change default response timeout to 120 seconds
  o pingpong: ignore regular timeout in disconnect phase [16]
  o printf: fix format specifiers [28]
  o runtests.pl: Fix perl call to include srcdir [65]
  o schannel: fix compiler warning [29]
  o schannel: preserve original certificate path parameter [52]
  o schannel: stop calling it "winssl" [56]
  o sigpipe: if mbedTLS is used, ignore SIGPIPE [59]
  o smb: fix incorrect path in request if connection reused [13]
  o ssh: log the libssh2 error message when ssh session startup fails [55]
  o test1558: verify CURLINFO_PROTOCOL on file:// transfer [51]
  o test1561: improve test name
  o test1653: make it survive torture tests
  o tests: allow tests to pass by 2037-02-12 [38]
  o tests: move objnames-* from lib into tests [42]
  o timediff: fix math for unsigned time_t [37]
  o timeval: Disable MSVC Analyzer GetTickCount warning [60]
  o tool_cb_prg: avoid integer overflow [49]
  o travis: added cmake build for osx [43]
  o urlapi: Fix port parsing of eol colon [1]
  o urlapi: distinguish possibly empty query [5]
  o urlapi: fix parsing ipv6 with zone index [24]
  o urldata: rename easy_conn to just conn [48]
  o winbuild: conditionally use /DZLIB_WINAPI [45]
  o wolfssl: fix memory-leak in threaded use [11]
  o spnego_sspi: add support for channel binding [69]

This release includes the following known bugs:

  o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

   Alessandro Ghedini, Andrei Neculau, Archangel SDY, Ayoub Boudhar, Ben Kohler,
   Bernhard M. Wiedemann, Brad Spencer, Brian Carpenter, Claes Jakobsson,
   Daniel Gustafsson, Daniel Stenberg, David Garske, dnivras on github,
   Eric Rosenquist, Etienne Simard, Felix Hädicke, Florian Pritz,
   Frank Gevaerts, Giorgos Oikonomou, Gisle Vanem, GitYuanQu on github,
   Haibo Huang, Harry Sintonen, Helge Klein, Huzaifa Sidhpurwala,
   jasal82 on github, Jeremie Rapin, Jeroen Ooms, Joel Depooter, John Marshall,
   jonrumsey on github, Julian Z, Kamil Dudka, Katsuhiko YOSHIDA, Kees Dekker,
   Ladar Levison, Leonardo Taccari, Marcel Raad, Markus Moeller,
   masbug on github, Matus Uzak, Michael Kujawa, Patrick Monnerat, Pavel Pavlov,
   Peng Li, Ray Satiro, Rikard Falkeborn, Ruslan Baratov, Sergei Nikulov,
   Shlomi Fish, Tobias Lindgren, Tom van der Woerdt, Viktor Szakats,
   Wenxiang Qian, William A. Rowe Jr, Zhao Yisha,
   (56 contributors)

         Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

  [1] = https://curl.haxx.se/bug/?i=3365
  [2] = https://curl.haxx.se/bug/?i=3368
  [3] = https://curl.haxx.se/bug/?i=2956
  [4] = https://curl.haxx.se/bug/?i=3372
  [5] = https://curl.haxx.se/bug/?i=3369
  [6] = https://curl.haxx.se/bug/?i=3367
  [7] = https://curl.haxx.se/bug/?i=3350
  [8] = https://curl.haxx.se/bug/?i=3392
  [9] = https://curl.haxx.se/bug/?i=3401
  [10] = https://curl.haxx.se/bug/?i=2873
  [11] = https://curl.haxx.se/bug/?i=3395
  [12] = https://curl.haxx.se/bug/?i=2964
  [13] = https://curl.haxx.se/bug/?i=3388
  [14] = https://curl.haxx.se/bug/?i=3380
  [15] = https://curl.haxx.se/bug/?i=3376
  [16] = https://curl.haxx.se/bug/?i=3264
  [17] = https://curl.haxx.se/bug/?i=3402
  [18] = https://curl.haxx.se/bug/?i=3400
  [19] = https://curl.haxx.se/bug/?i=3318
  [20] = https://curl.haxx.se/bug/?i=3196
  [21] = https://curl.haxx.se/bug/?i=3407
  [22] = https://curl.haxx.se/bug/?i=3410
  [23] = https://curl.haxx.se/bug/?i=3406
  [24] = https://curl.haxx.se/bug/?i=3411
  [25] = https://curl.haxx.se/bug/?i=3286
  [26] = https://curl.haxx.se/bug/?i=3432
  [27] = https://curl.haxx.se/mail/lib-2019-01/0000.html
  [28] = https://curl.haxx.se/bug/?i=3426
  [29] = https://curl.haxx.se/bug/?i=3435
  [30] = https://curl.haxx.se/bug/?i=3438
  [31] = https://curl.haxx.se/bug/?i=3384
  [32] = https://curl.haxx.se/bug/?i=3371
  [33] = https://curl.haxx.se/bug/?i=3423
  [34] = https://curl.haxx.se/bug/?i=3445
  [35] = https://curl.haxx.se/bug/?i=3436
  [36] = https://curl.haxx.se/bug/?i=3417
  [37] = https://curl.haxx.se/bug/?i=3449
  [38] = https://curl.haxx.se/bug/?i=3443
  [39] = https://curl.haxx.se/bug/?i=3292
  [40] = https://curl.haxx.se/bug/?i=3477
  [41] = https://curl.haxx.se/bug/?i=3474
  [42] = https://curl.haxx.se/bug/?i=3470
  [43] = https://curl.haxx.se/bug/?i=3468
  [44] = https://curl.haxx.se/bug/?i=3469
  [45] = https://curl.haxx.se/bug/?i=3133
  [46] = https://curl.haxx.se/bug/?i=3462
  [47] = https://curl.haxx.se/bug/?i=3459
  [48] = https://curl.haxx.se/bug/?i=3442
  [49] = https://curl.haxx.se/bug/?i=3456
  [50] = https://curl.haxx.se/bug/?i=3453
  [51] = https://curl.haxx.se/bug/?i=3447
  [52] = https://curl.haxx.se/bug/?i=3480
  [53] = https://curl.haxx.se/bug/?i=3484
  [54] = https://curl.haxx.se/bug/?i=3280
  [55] = https://curl.haxx.se/bug/?i=3481
  [56] = https://curl.haxx.se/bug/?i=3504
  [57] = https://curl.haxx.se/mail/lib-2019-01/0073.html
  [58] = https://curl.haxx.se/bug/?i=3513
  [59] = https://curl.haxx.se/bug/?i=3502
  [60] = https://curl.haxx.se/bug/?i=3437
  [61] = https://curl.haxx.se/bug/?i=3497
  [62] = https://curl.haxx.se/bug/?i=3493
  [63] = https://curl.haxx.se/bug/?i=3491
  [64] = https://curl.haxx.se/bug/?i=3518
  [65] = https://curl.haxx.se/bug/?i=3496
  [66] = https://curl.haxx.se/docs/CVE-2019-3823.html
  [67] = https://curl.haxx.se/docs/CVE-2018-16890.html
  [68] = https://curl.haxx.se/docs/CVE-2019-3822.html
  [69] = https://curl.haxx.se/bug/?i=3503

-- 
  / daniel.haxx.se

-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-02-06