curl / Mailing Lists / curl-library / Single Mail

Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

[RELEASE] curl 7.66.0

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 11 Sep 2019 08:00:54 +0200 (CEST)

Hi friends!

I'm happy to ship another release. Do give the two security advisories an
extra look - there will be separate emails about them.

As always, download curl from https://curl.haxx.se/

curl and libcurl 7.66.0

  Public curl releases: 185
  Command line options: 225
  curl_easy_setopt() options: 269
  Public functions in libcurl: 81
  Contributors: 1991

This release includes the following changes:

  o CURLINFO_RETRY_AFTER: parse the Retry-After header value [35]
  o HTTP3: initial (experimental still not working) support [5]
  o curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool [27]
  o curl: support parallel transfers with -Z [4]
  o curl_multi_poll: a sister to curl_multi_wait() that waits more [28]
  o sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID [27]

This release includes the following bugfixes:

  o CVE-2019-5481: FTP-KRB double-free [64]
  o CVE-2019-5482: TFTP small blocksize heap buffer overflow [65]
  o CI: remove duplicate configure flag for LGTM.com
  o CMake: remove needless newlines at end of gss variables
  o CMake: use platform dependent name for dlopen() library [62]
  o CURLINFO docs: mention that in redirects times are added [55]
  o CURLOPT_ALTSVC.3: use a "" file name to not load from a file
  o CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
  o CURLOPT_HEADERFUNCTION.3: clarify [54]
  o CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly [33]
  o CURLOPT_READFUNCTION.3: provide inline example
  o CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 [51]
  o Curl_addr2string: take an addrlen argument too [61]
  o Curl_fillreadbuffer: avoid double-free trailer buf on error [66]
  o HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown [10]
  o alt-svc: add protocol version selection masking [31]
  o alt-svc: fix removal of expired cache entry [30]
  o alt-svc: make it use h3-22 with ngtcp2 as well
  o alt-svc: more liberal ALPN name parsing [17]
  o alt-svc: send Alt-Used: in redirected requests [32]
  o alt-svc: with quiche, use the quiche h3 alpn string [16]
  o appveyor: pass on -k to make
  o asyn-thread: create a socketpair to wait on [14]
  o build-openssl: fix build with Visual Studio 2019 [45]
  o cleanup: move functions out of url.c and make them static [58]
  o cleanup: remove the 'numsocks' argument used in many places [25]
  o configure: avoid undefined check_for_ca_bundle [37]
  o curl.h: add CURL_HTTP_VERSION_3 to the version enum
  o curl.h: fix outdated comment [23]
  o curl: cap the maximum allowed values for retry time arguments [13]
  o curl: handle a libcurl build without netrc support [63]
  o curl: make use of CURLINFO_RETRY_AFTER when retrying [35]
  o curl: remove outdated comment [24]
  o curl: use .curlrc (with a dot) on Windows [52]
  o curl: use CURLINFO_PROTOCOL to check for HTTP(s)
  o curl_global_init_mem.3: mention it was added in 7.12.0
  o curl_version: bump string buffer size to 250
  o curl_version_info.3: mentioned ALTSVC and HTTP3
  o curl_version_info: offer quic (and h3) library info [38]
  o curl_version_info: provide nghttp2 details [2]
  o defines: avoid underscore-prefixed defines [47]
  o docs/ALTSVC: remove what works and the experimental explanation [34]
  o docs/EXPERIMENTAL: explain what it means and what's experimental now
  o docs/MANUAL.md: converted to markdown from plain text [3]
  o docs/examples/curlx: fix errors [48]
  o docs: s/curl_debug/curl_dbg_debug in comments and docs [36]
  o easy: resize receive buffer on easy handle reset [9]
  o examples: Avoid reserved names in hiperfifo examples [8]
  o examples: add http3.c, altsvc.c and http3-present.c [40]
  o getenv: support up to 4K environment variable contents on windows [21]
  o http09: disable HTTP/0.9 by default in both tool and library [29]
  o http2: when marked for closure and wanted to close == OK [56]
  o http2_recv: trigger another read when the last data is returned [11]
  o http: fix use of credentials from URL when using HTTP proxy [44]
  o http_negotiate: improve handling of gss_init_sec_context() failures [18]
  o md4: Use our own MD4 when no crypto libraries are available [15]
  o multi: call detach_connection before Curl_disconnect [6]
  o netrc: make the code try ".netrc" on Windows [52]
  o nss: use TLSv1.3 as default if supported [39]
  o openssl: build warning free with boringssl [50]
  o openssl: use SSL_CTX_set_<min|max>_proto_version() when available [68]
  o plan9: add support for running on Plan 9 [22]
  o progress: reset download/uploaded counter between transfers [12]
  o readwrite_data: repair setting the TIMER_STARTTRANSFER stamp [26]
  o scp: fix directory name length used in memcpy [46]
  o smb: init *msg to NULL in smb_send_and_recv() [60]
  o smtp: check for and bail out on too short EHLO response [59]
  o source: remove names from source comments [1]
  o spnego_sspi: add typecast to fix build warning [49]
  o src/makefile: fix uncompressed hugehelp.c generation [19]
  o ssh-libssh: do not specify O_APPEND when not in append mode [7]
  o ssh: move code into vssh for SSH backends [53]
  o sspi: fix memory leaks [67]
  o tests: Replace outdated test case numbering documentation [43]
  o tftp: return error when packet is too small for options
  o timediff: make it 64 bit (if possible) even with 32 bit time_t [20]
  o travis: reduce number of torture tests in 'coverage' [42]
  o url: make use of new HTTP version if alt-svc has one [16]
  o urlapi: verify the IPv6 numerical address [69]
  o urldata: avoid 'generic', use dedicated pointers [57]
  o vauth: Use CURLE_AUTH_ERROR for auth function errors [41]

This release includes the following known bugs:

o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

   Alessandro Ghedini, Alex Mayorga, Amit Katyal, Balazs Kovacsics,
   Brad Spencer, Brandon Dong, Carlo Marcelo Arenas Bel�n, Christopher Head,
   Cl�ment Notin, codesniffer13 on github, Daniel Gustafsson, Daniel Stenberg,
   Dominik H�lzl, Eric Wong, Felix H�dicke, Gergely Nagy, Gisle Vanem,
   Igor Makarov, Ironbars13 on github, Jason Lee, Jeremy Lain�,
   Jonathan Cardoso Machado, Junho Choi, Kamil Dudka, Kyle Abramowitz,
   Kyohei Kadota, Lance Ware, Marcel Raad, Max Dymond, Michael Lee,
   Michal �aplygin, migueljcrum on github, Mike Crowe, niallor on github,
   osabc on github, patnyb on github, Patrick Monnerat, Peter Wu, Ray Satiro,
   Rolf Eike Beer, Steve Holme, Tatsuhiro Tsujikawa, The Infinnovation team,
   Thomas Vegas, Tom van der Woerdt, Yiming Jing,
   (46 contributors)

Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

-- 
  / daniel.haxx.se | Get the best commercial curl support there is - from me
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-09-11

This message: [ Message body ]
Next message: Daniel Stenberg via curl-library: "[SECURITY ADVISORY] curl: FTP-KRB double-free"
Previous message: Rainer Canavan via curl-library: "Re: Curl and SSL in an IMB's OnDemand environment"
Next in thread: Jan Ehrhardt via curl-library: "Re: [RELEASE] curl 7.66.0"
Reply: Jan Ehrhardt via curl-library: "Re: [RELEASE] curl 7.66.0"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]