
RE: [RELEASE] curl 7.77.0

From: Bill Mercer via curl-users <curl-users_at_cool.haxx.se>
Date: Wed, 26 May 2021 14:03:14 +0000

Congratulations on this milestone, and thanks for always reacting quickly to address security concerns.



> -----Original Message-----
> From: curl-users <curl-users-bounces_at_cool.haxx.se> On Behalf Of Daniel
> Stenberg via curl-users
> Sent: Wednesday, May 26, 2021 2:43 AM
> To: curl users <curl-users_at_cool.haxx.se>; curl-announce_at_cool.haxx.se;
> libcurl hacking <curl-library_at_cool.haxx.se>
> Cc: Daniel Stenberg <daniel_at_haxx.se>
> Subject: [RELEASE] curl 7.77.0
>
> Hi friends!
>
> I'm happy to announce the 200th curl release and we called it curl 7.77.0.
> This release comes with no less than *three* fixed security vulnerabilities and
> you will see those announcements in separate emails following this email.
>
> Download curl as always from https://curl.se/
>
> curl and libcurl 7.77.0
>
> Public curl releases: 200
> Command line options: 242
> curl_easy_setopt() options: 290
> Public functions in libcurl: 85
> Contributors: 2408
>
> This release includes the following changes:
>
> o configure: make the TLS library choice(s) explicit [3]
> o curl: ignore options asking for SSLv2 or SSLv3 [10]
> o hsts: enable by default [8]
> o SSL: support in-memory CA certs for some backends [85]
> o vtls: refuse setting any SSL version [9]
>
> This release includes the following bugfixes:
>
> o CVE-2021-22297: schannel cipher selection surprise [132]
> o CVE-2021-22298: TELNET stack contents disclosure [131]
> o CVE-2021-22901: TLS session caching disaster [130]
> o AmigaOS: add functions definitions for SHA256 [126]
> o build: fix compilation for Windows UWP platform [82]
> o c-hyper: don't write to set.writeheader if null [67]
> o c-hyper: fix handling of zero-byte chunk from hyper [39]
> o c-hyper: handle body on HYPER_TASK_EMPTY [104]
> o checksrc: complain on == NULL or != 0 checks in conditions [20]
> o CI/cirrus: add shared and static Windows release builds [102]
> o cmake: add CURL_ENABLE_EXPORT_TARGET option [133]
> o cmake: check for getppid and utimes [87]
> o cmake: detect CURL_SA_FAMILY_T [124]
> o cmake: fix two invokes result in different curl_config.h [123]
> o cmake: make libcurl output filename configurable [41]
> o cmake: Use multithreaded compilation on VS 2008+ [122]
> o config: remove now-unused macros [107]
> o configure: if asked for, fail if ldap is not found [109]
> o configure: provide --with-openssl, deprecate --with-ssl [15]
> o conn: add 'attach' to protocol handler, make libssh2 use it [119]
> o connect: use CURL_SA_FAMILY_T for portability [34]
> o ConnectionExists: respect requests for h1 connections better
> o cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies [1]
> o curl-wolfssl.m4: without custom include path, assume /usr/include [116]
> o curl: include libmetalink version in --version output [111]
> o Curl_http_header: check for colon when matching Persistent-Auth [51]
> o Curl_http_input_auth: require valid separator after negotiation type [52]
> o Curl_input_digest: require space after Digest [50]
> o curl_mprintf.3: add description [73]
> o curl_setup: provide the shutdown flags wider [33]
> o curl_url_set.3: add memory management information [38]
> o CURLcode: add CURLE_SSL_CLIENTCERT [47]
> o CURLOPT_CAPATH.3: defaults to a path, not NULL [103]
> o CURLOPT_IPRESOLVE: preventing wrong IP version from being used [125]
> o CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data [40]
> o data_pending: check only SECONDARY socket for FTP(S) transfers [117]
> o docs/TheArtOfHttpScripting: fix markdown links [129]
> o docs: camelcase it like GitHub everywhere [62]
> o docs: cookies from HTTP headers need domain set [121]
> o docs: fix typo in fail-with-body doc [63]
> o docs: improve INTERNALS.md regarding getsock cb [105]
> o docs: replace dots with dashes in markdown enums [101]
> o easy: ignore sigpipe in curl_easy_send [69]
> o FILEFORMAT: mention sectransp as a feature [89]
> o GIT-INFO: suggest using autoreconf instead of buildconf [96]
> o github: add a workflow with libssh2 on macOS using cmake [81]
> o github: inhibit deprecated declarations for clang on macOS [118]
> o GnuTLS: don't allow TLS 1.3 for versions that don't support it [77]
> o gnutls: make setting only the MAX TLS allowed version work [83]
> o gskit: fix CURL_DISABLE_PROXY build [57]
> o gskit: fix undefined reference to 'conn' [58]
> o hostip.h: remove declaration of unimplemented function [108]
> o hostip: remove the debug code for LocalHost [113]
> o http2: call the handle-closed function correctly on closed stream [37]
> o http2: fix a resource leak in push_promise() [54]
> o http2: fix resource leaks in set_transfer_url() [55]
> o http2: make sure pause is done on HTTP [120]
> o http2: move the stream error field to the per-transfer storage [36]
> o http2: skip immediate parsing of payload following protocol switch [90]
> o http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade [91]
> o HTTP3.md: fix nghttp2's HTTP/3 server port [21]
> o HTTP3.md: make the ngtcp2 build use the quictls fork [98]
> o http: deal with partial CONNECT sends [97]
> o http: fix the check for 'Authorization' with Bearer [53]
> o http: limit the initial send amount to used upload buffer size [99]
> o http: reset the header buffer when sending the request [61]
> o http: use offsets inst of integer literals for header parsing [95]
> o INSTALL: add IBM i specific quirks [75]
> o krb5/name_to_level: replace checkprefix with curl_strequal [49]
> o krb5: don't use 'static' to store PBSZ size response [23]
> o krb5: remove the unused 'overhead' function [35]
> o lib/hostip6.c: make NAT64 address synthesis on macOS work [135]
> o lib1564.c: enable last wakeup test part on Windows [26]
> o lib: fix 0-length Curl_client_write calls [60]
> o lib: fix some misuse of curlx_convert_UTF8_to_tchar [64]
> o libcurl-security.3: be careful of setuid [66]
> o libcurl-security.3: don't try to filter IPv4 hosts based on the URL [71]
> o libcurl.3: mention the URL API [76]
> o libssh2: fix Value stored to 'sshp' is never read [13]
> o libssh2: ignore timeout during disconnect [45]
> o libssh: fix "empty expression statement has no effect" warnings [7]
> o libtest: remove lib530.c [88]
> o m4: add security frameworks on Mac when compiling rustls [31]
> o multi: don't close connection HTTP_1_1_REQUIRED
> o multi: fix slow write/upload performance on Windows [27]
> o multi: reduce Win32 API calls to improve performance [28]
> o ngtcp2: fix the cb_acked_stream_data_offset proto [46]
> o NSS: add ciphers to map [30]
> o NSS: make colons, commas and spaces valid separators in cipher list [106]
> o nss_set_blocking: avoid static for sock_opt [72]
> o ntlm: precaution against super huge type2 offsets [65]
> o openldap: protect SSL-specific code with proper #ifdef [12]
> o openldap: replace ldap_ prefix on private functions [84]
> o openssl: fix build error with OpenSSL < 1.0.2 [4]
> o openssl: remove unneeded cast for CertOpenSystemStore() [93]
> o os400: additional support for options metadata [24]
> o progress: fix scan-build-11 warnings [92]
> o progress: reset limit_size variables at transfer start [114]
> o progress: when possible, calculate transfer speeds with microseconds [48]
> o README.md: delete Codacy UTM parameters [5]
> o Revert "Revert 'multi: implement wait using winsock events'" [26]
> o rustls: only return CURLE_AGAIN when TLS session is fully drained [2]
> o rustls: use ALPN [56]
> o sasl: use 'unsigned short' to store mechanism [112]
> o schannel: Disable auto credentials; add an option to enable it [18]
> o schannel: Support strong crypto option [44]
> o sectransp: allow cipher name to be specified [29]
> o sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer [136]
> o sigpipe: ignore SIGPIPE when using wolfSSL as well [70]
> o sockfilt: avoid getting stuck waiting for writable socket [80]
> o sockfilt: fix invalid increment of handles index variable nfd [79]
> o sws: #ifdef S_IFSOCK use [32]
> o sws: allow HTTP requests up to 2MB in size [100]
> o test server: take care of siginterrupt() deprecation [25]
> o test2100: make it run with and require IPv6 [127]
> o tests/disable-scan.pl: also scan all m4 files [17]
> o tests/getpart: generate output URL encoded for better diffs [128]
> o tests: ignore case of chunked hex numbers in tests [86]
> o tls: add USE_HTTP2 define [59]
> o tool_getparam: handle failure of curlx_convert_tchar_to_UTF8() [78]
> o tool_getparam: replace (in-place) '%20' by '+' according to RFC1866 [14]
> o tool_operate: don't discard failed parallel transfer result [16]
> o tool_writeout: fix the HTTP_CODE json output [11]
> o travis: disable the failing libssh build [94]
> o URL-SYNTAX: update IDNA section for WHATWG spec changes [74]
> o urlapi: "normalize" numerical IPv4 host names [6]
> o vauth: factor base64 conversions out of authentication procedures [22]
> o version: add gsasl_version to curl_version_info_data [43]
> o version: add OpenLDAP version in the output [110]
> o vtls: deduplicate some DISABLE_PROXY ifdefs [19]
> o vtls: reset ssl use flag upon negotiation failure [42]
> o wolfssl: handle SSL_write() returns 0 for error [68]
> o wolfssl: remove SSLv3 support leftovers [115]
>
> This release includes the following known bugs:
>
> o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)
>
> This release would not have looked like this without help, code, reports and
> advice from friends like these:
>
> 3eka on github, Alessandro Ghedini, Andrew Barnert, Ayushman Singh Chauhan,
> Benjamin Riefenstahl, Blake Burkhart, Brad Spencer, Calvin Buckley,
> Cameron Cawley, Dan Fandrich, Daniel Carpenter, Daniel Gustafsson,
> Daniel Stenberg, David Cook, Denis Goleshchikhin, Dmitry Karpov,
> Dmitry Kostjuchenko, ebejan on github, Emil Engler, Georeth Zhou,
> Gergely Nagy, Gilles Vollant, Harry Sintonen, Howard Chu, Ikko Ashimine,
> Illarion Taev, Jacob Hoffman-Andrews, Jakub Zakrzewski, Javier Blazquez,
> J. Bromley, Jeroen Ooms, Joel Depooter, Joel Jakobsson, Johann150 on github,
> Jon Rumsey, Kamil Dudka, Kevin Burke, Kevin R. Bulgrien, Koichi Shiraishi,
> Lucas Clemente Vella, Lucas Servén Marín, MAntoniak on github, Marc Aldorasi,
> Marcel Raad, Marc Hörsken, Martin Dorey, Martin Halle, Matias N. Goldberg,
> Max Dymond, Michael Kolechkin, Michael O'Farrell, Michał Antoniak,
> Michal Rus, Morten Minde Neergaard, Oliver Urbann, Orgad Shaneh,
> Patrick Monnerat, Paweł Wegner, Peng-Yu Chen, Pontus Lundkvist, Radek Zajic,
> Ralph Langendam, Ray Satiro, rcombs on github, Rich FitzJohn,
> Ryan Beck-Buysse, Sergey Markelov, sergio-nsk on github, Stefan Karpinski,
> Timo Lange, Timothy Gu, tmkk on github, Tobias Gabriel, Tommy Odom,
> Travis Burtrum, Tuomas Siipola, ustcqidi on github, Victor Vieux,
> Viktor Szakats, Wes Hinsley, Ymir1711 on github, Yusuke Nakamura,
> (82 contributors)
>
> References to bug reports and discussions on issues:
>
> [1] = https://curl.se/bug/?i=6889
> [2] = https://curl.se/bug/?i=6894
> [3] = https://curl.se/bug/?i=6897
> [4] = https://curl.se/bug/?i=6920
> [5] = https://curl.se/bug/?i=6919
> [6] = https://curl.se/bug/?i=6863
> [7] = https://curl.se/bug/?i=6847
> [8] = https://curl.se/bug/?i=6700
> [9] = https://curl.se/bug/?i=6773
> [10] = https://curl.se/bug/?i=6772
> [11] = https://curl.se/bug/?i=6905
> [12] = https://curl.se/bug/?i=6901
> [13] = https://curl.se/bug/?i=6900
> [14] = https://curl.se/bug/?i=6895
> [15] = https://curl.se/bug/?i=6887
> [16] = https://curl.se/bug/?i=6921
> [17] = https://curl.se/bug/?i=1165
> [18] = https://curl.se/bug/?i=2262
> [19] = https://curl.se/bug/?i=6660
> [20] = https://curl.se/bug/?i=6912
> [21] = https://curl.se/bug/?i=6964
> [22] = https://curl.se/bug/?i=6654
> [23] = https://curl.se/bug/?i=6963
> [24] = https://curl.se/bug/?i=6574
> [25] = https://curl.se/bug/?i=6529
> [26] = https://curl.se/bug/?i=6245
> [27] = https://curl.se/bug/?i=6146
> [28] = https://curl.se/bug/?i=6146
> [29] = https://curl.se/bug/?i=6464
> [30] = https://curl.se/bug/?i=6670
> [31] = https://curl.se/bug/?i=6955
> [32] = https://curl.se/mail/lib-2021-04/0074.html
> [33] = https://curl.se/mail/lib-2021-04/0073.html
> [34] = https://curl.se/mail/lib-2021-04/0071.html
> [35] = https://curl.se/bug/?i=6947
> [36] = https://curl.se/bug/?i=6910
> [37] = https://curl.se/bug/?i=6862
> [38] = https://curl.se/bug/?i=6953
> [39] = https://curl.se/bug/?i=6951
> [40] = https://curl.se/bug/?i=6943
> [41] = https://curl.se/bug/?i=6933
> [42] = https://curl.se/bug/?i=6934
> [43] = https://curl.se/bug/?i=6843
> [44] = https://curl.se/bug/?i=6734
> [45] = https://curl.se/bug/?i=6990
> [46] = https://curl.se/mail/lib-2021-05/0019.html
> [47] = https://curl.se/bug/?i=6721
> [48] = https://curl.se/bug/?i=7017
> [49] = https://curl.se/bug/?i=6993
> [50] = https://curl.se/bug/?i=6993
> [51] = https://curl.se/bug/?i=6993
> [52] = https://curl.se/bug/?i=6993
> [53] = https://curl.se/bug/?i=6988
> [54] = https://curl.se/bug/?i=6986
> [55] = https://curl.se/bug/?i=6986
> [56] = https://curl.se/bug/?i=6960
> [57] = https://curl.se/bug/?i=6981
> [58] = https://curl.se/bug/?i=6980
> [59] = https://curl.se/bug/?i=6959
> [60] = https://curl.se/bug/?i=6954
> [61] = https://curl.se/bug/?i=7018
> [62] = https://curl.se/bug/?i=6979
> [63] = https://curl.se/bug/?i=6977
> [64] = https://github.com/curl/curl/pull/6602#issuecomment-825236763
> [65] = https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
> [66] = https://curl.se/bug/?i=6970
> [67] = https://curl.se/bug/?i=6619
> [68] = https://curl.se/bug/?i=6967
> [69] = https://curl.se/bug/?i=6965
> [70] = https://curl.se/bug/?i=6966
> [71] = https://curl.se/bug/?i=6942
> [72] = https://curl.se/bug/?i=6945
> [73] = https://curl.se/bug/?i=7010
> [74] = https://curl.se/bug/?i=7026
> [75] = https://curl.se/bug/?i=6830
> [76] = https://curl.se/bug/?i=7009
> [77] = https://curl.se/bug/?i=7014
> [78] = https://curl.se/bug/?i=7023
> [79] = https://curl.se/bug/?i=6992
> [80] = https://curl.se/bug/?i=6992
> [81] = https://curl.se/bug/?i=7047
> [82] = https://curl.se/bug/?i=7006
> [83] = https://curl.se/bug/?i=6998
> [84] = https://curl.se/bug/?i=7004
> [85] = https://curl.se/bug/?i=6662
> [86] = https://curl.se/bug/?i=6987
> [87] = https://curl.se/bug/?i=6997
> [88] = https://curl.se/bug/?i=6999
> [89] = https://curl.se/bug/?i=7001
> [90] = https://curl.se/bug/?i=7036
> [91] = https://curl.se/bug/?i=7041
> [92] = https://curl.se/mail/lib-2021-05/0022.html
> [93] = https://curl.se/bug/?i=7025
> [94] = https://curl.se/bug/?i=7011
> [95] = https://curl.se/bug/?i=7032
> [96] = https://curl.se/bug/?i=7033
> [97] = https://curl.se/bug/?i=6950
> [98] = https://curl.se/bug/?i=7031
> [99] = https://curl.se/bug/?i=7022
> [100] = https://curl.se/bug/?i=7075
> [101] = https://curl.se/bug/?i=7093
> [102] = https://curl.se/bug/?i=6991
> [103] = https://curl.se/bug/?i=7062
> [104] = https://curl.se/bug/?i=7064
> [105] = https://curl.se/bug/?i=7092
> [106] = https://curl.se/bug/?i=7110
> [107] = https://curl.se/bug/?i=7094
> [108] = https://curl.se/bug/?i=7094
> [109] = https://curl.se/bug/?i=7053
> [110] = https://curl.se/bug/?i=7054
> [111] = https://curl.se/bug/?i=7112
> [112] = https://curl.se/bug/?i=7045
> [113] = https://curl.se/bug/?i=7044
> [114] = https://curl.se/bug/?i=7042
> [115] = https://curl.se/bug/?i=7088
> [116] = https://curl.se/bug/?i=7085
> [117] = https://curl.se/bug/?i=7068
> [118] = https://curl.se/bug/?i=7081
> [119] = https://curl.se/bug/?i=6898
> [120] = https://curl.se/bug/?i=7079
> [121] = https://curl.se/bug/?i=6723
> [122] = https://curl.se/bug/?i=7109
> [123] = https://curl.se/bug/?i=7100
> [124] = https://curl.se/bug/?i=7049
> [125] = https://curl.se/bug/?i=6853
> [126] = https://github.com/jens-maus/amissl/issues/15
> [127] = https://curl.se/bug/?i=7083
> [128] = https://curl.se/bug/?i=7083
> [129] = https://curl.se/bug/?i=7097
> [130] = https://curl.se/docs/CVE-2021-22901.html
> [131] = https://curl.se/docs/CVE-2021-22898.html
> [132] = https://curl.se/docs/CVE-2021-22897.html
> [133] = https://curl.se/bug/?i=7060
> [135] = https://curl.se/bug/?i=7121
> [136] = https://curl.se/bug/?i=7126
>
> --
>
> / daniel.haxx.se
> | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://www.wolfssl.com/contact/

Received on 2021-05-26