cURL / Mailing Lists / curl-library / Single Mail

curl-library

[RELEASE] curl and libcurl 7.42.0 is out!

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 22 Apr 2015 08:06:55 +0200 (CEST)

Hi,

I'm pleased to announce another curl release. Version 7.42.0 is uploaded and
available from http://curl.haxx.se/ as usual.

This time with no less than 4 associated security advisories. I will also be
sending them out separately following this announcement.

Curl and libcurl 7.42.0

  Public curl releases: 145
  Command line options: 173
  curl_easy_setopt() options: 216
  Public functions in libcurl: 58
  Contributors: 1265

This release includes the following changes:

  o openssl: show the cipher selection to use in verbose text
  o gtls: implement CURLOPT_CERTINFO
  o add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
  o curl: add --false-start option
  o add CURLOPT_PATH_AS_IS
  o curl: add --path-as-is option
  o curl: create output file on successful download of an empty file [21]

This release includes the following bugfixes:

  o ConnectionExists: for NTLM re-use, require credentials to match [26]
  o cookie: cookie parser out of boundary memory access [27]
  o fix_hostname: zero length host name caused -1 index offset [28]
  o http_done: close Negotiate connections when done [29]
  o sws: timeout idle CONNECT connections
  o nss: improve error handling in Curl_nss_random()
  o nss: do not skip Curl_nss_seed() if data is NULL
  o curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
  o http2: move lots of verbose output to be debug-only
  o dist: add extern-scan.pl to the tarball
  o http2: return recv error on unexpected EOF [1]
  o build: Use default RandomizedBaseAddress directive in VC9+ project files
  o build: Removed DataExecutionPrevention directive from VC9+ project files
  o tool: Updated the warnf() function to use the GlobalConfig structure
  o http2: Return error if stream was closed with other than NO_ERROR
  o mprintf.h: remove #ifdef CURLDEBUG
  o libtest: fixed linker errors on msvc [6]
  o tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
  o curl.1: fix "The the" typo
  o cmake: handle build definitions CURLDEBUG/DEBUGBUILD
  o openssl: remove all uses of USE_SSLEAY
  o multi: fix memory-leak on timeout (regression) [4]
  o curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
  o metalink: add some error checks [3]
  o TLS: make it possible to enable ALPN/NPN without HTTP/2
  o http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
  o conncontrol: only log changes to the connection bit
  o multi: fix *getsock() with CONNECT [2]
  o symbols.pl: handle '-' in the deprecated field [5]
  o MacOSX-Framework: use @rpath instead of @executable_path [7]
  o GnuTLS: add support for CURLOPT_CAPATH
  o GnuTLS: print negotiated TLS version and full cipher suite name
  o GnuTLS: don't print double newline after certificate dates
  o memanalyze.pl: handle free(NULL)
  o proxy: re-use proxy connections (regression) [8]
  o mk-ca-bundle: Don't report SHA1 numbers with "-q"
  o http: always send Host: header as first header [9]
  o openssl: sort ciphers to use based on strength [10]
  o openssl: use colons properly in the ciphers list
  o http2: detect premature close without data transfered [11]
  o hostip: Fix signal race in Curl_resolv_timeout
  o closesocket: call multi socket cb on close even with custom close [12]
  o mksymbolsmanpage.pl: use std header and generate better nroff header
  o connect: Fix happy eyeballs logic for IPv4-only builds [13]
  o curl_easy_perform.3: remove superfluous close brace from example
  o HTTP: don't use Expect: headers when on HTTP/2 [14]
  o Curl_sh_entry: remove unused 'timestamp'
  o docs/libcurl: makefile portability fix
  o mkhelp: Remove trailing carriage return from every line of input
  o nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
  o curl_easy_setopt.3: added a few missing options
  o metalink: fix resource leak in OOM
  o axtls: version 1.5.2 now requires that config.h be manually included
  o HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
  o cyassl: detect the library as renamed wolfssl
  o CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
  o CURLOPT_URL.3: Added "SECURITY CONCERNS
  o openssl: try to avoid accessing OCSP structs when possible
  o test938: added missing closing tags
  o testcurl: Allow '=' in values given on command line
  o tests/certs: added make target to rebuild certificates
  o tests/certs: rebuild certificates with modified key usage bits
  o gtls: avoid uninitialized variable
  o gtls: dereferencing NULL pointer
  o gtls: add check of return code
  o test1513: eliminated race condition in test run
  o dict: rename byte to avoid compiler shadowed declaration warning
  o curl_easy_recv/send: make them work with the multi interface
  o vtls: fix compile with --disable-crypto-auth but with SSL
  o openssl: adapt to ASN1/X509 things gone opaque in 1.1
  o openssl: verifystatus: only use the OCSP work-around <= 1.0.2a [15]
  o curl_memory: make curl_memory.h the second-last header file loaded
  o testcurl.pl: add the --notes option to supply more info about a build
  o cyassl: If wolfSSL then identify as such in version string
  o cyassl: Check for invalid length parameter in Curl_cyassl_random
  o cyassl: default to highest possible TLS version
  o Curl_ssl_md5sum: return CURLcode (fixes OOM)
  o polarssl: remove dead code
  o polarssl: called mbedTLS in 1.3.10 and later
  o globbing: fix step parsing for character globbing ranges
  o globbing: fix url number calculation when using range with step
  o multi: on a request completion, check all CONNECT_PEND transfers [16]
  o build: link curl to openssl libraries when openssl support is enabled
  o url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined
  o vtls: Don't accept unknown CURLOPT_SSLVERSION values
  o build: Fix libcurl.sln erroneous mixed configurations
  o cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
  o cyassl: add SSL context callback support for CyaSSL
  o tool: only set SSL options if SSL is enabled
  o multi: remove_handle: move pending connections [17]
  o configure: Use KRB5CONFIG for krb5-config [18]
  o axtls: add timeout within Curl_axtls_connect
  o CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"
  o cyassl: Fix library initialization return value
  o cookie: handle spaces after the name in Set-Cookie [19]
  o http2: Fix missing nghttp2_session_send call in Curl_http2_switched [20]
  o cyassl: Fix certificate load check
  o build-openssl.bat: Fix mixed line endings
  o checksrc.bat: Check lib\vtls source
  o DNS: fix refreshing of obsolete dns cache entries
  o CURLOPT_RESOLVE: actually implement removals
  o checksrc.bat: quotes to support an SRC_DIR with spaces
  o cyassl: Remove 'Connecting to' message from cyassl_connect_step2
  o cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
  o lib/transfer.c: Remove factor of 8 from sleep time calculation
  o lib/makefile.m32: add missing libs to build libcurl.dll
  o build: Generate source prerequisites for Visual Studio in generate.bat
  o cyassl: Include the CyaSSL build config
  o firefox-db2pem: fix wildcard to find Firefox default profile
  o BUGS: refer to the github issue tracker now as primary
  o vtls_openssl: improve several certificate error messages
  o cyassl: Add support for TLS extension SNI
  o parsecfg: do not continue past a zero termination
  o configure --with-nss=PATH: query pkg-config if available [22]
  o configure --with-nss: drop redundant if statement
  o cyassl: Fix include order [23]
  o HTTP: fix PUT regression with Negotiate [24]
  o curl_version_info.3: fixed the 'protocols' variable type [25]

This release includes the following known bugs:

o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

   Alessandro Ghedini, Alexander Pepper, Ben Darnell, Brad King,
   Charles Romestant, Christian Weisgerber, Dagobert Michelsen, Dan Fandrich,
   Daniel Stenberg, Da-Yoon Chung, Emil Lerner, Fabian Keil, Frank Gevaerts,
   Frank Meier, Hanno B�ck, Isaac Boukris, Jeroen Ooms, Jiri Dvorak,
   John Marshall, Jonathan Cardoso Machado, Jon Seymour, Kamil Dudka,
   Kyle L. Huff, Markus Elfring, Matthew Hall, Michael Osipov,
   Michael Stapelberg, Michel Promonet, Mostyn Bramley-Moore, Nick Zitzmann,
   Paras Sethia, Patrick Monnerat, Paul Howarth, Peter Laser, Rainer Canavan,
   Ray Satiro, Richard Moore, Sergei Nikulov, Stefan B�hler, Stefan Eissing,
   Steve Havelka, Steve Holme, Tatsuhiro Tsujikawa, Thomas Ruecker,
   Tobias Stoeckmann, Viktor Szak�ts, Yamada Yasuharu,
   (47 contributors)

Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

-- 
  / daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-04-22

This message: [ Message body ]
Next message: Daniel Stenberg: "[SECURITY ADVISORY] Re-using authenticated connection when unauthenticated"
Previous message: mm.w: "Re: not receiving CURLMSG_DONE or other end-of-transfer signals"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]