aboutsummaryrefslogtreecommitdiffstats
path: root/contrib/libs/curl/RELEASE-NOTES
blob: 990e5388655f1dbe31a513f2c327647eab501e1a (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
curl and libcurl 7.74.0 

 Public curl releases:         196 
 Command line options:         235 
 curl_easy_setopt() options:   284 
 Public functions in libcurl:  85 
 Contributors:                 2287 

This release includes the following changes:

 o hsts: add experimental support for Strict-Transport-Security [37] 

This release includes the following bugfixes:

 o CVE-2020-8286: Inferior OCSP verification [93] 
 o CVE-2020-8285: FTP wildcard stack overflow [95] 
 o CVE-2020-8284: trusting FTP PASV responses [97] 
 o acinclude: detect manually set minimum macos/ipod version [46] 
 o alt-svc: enable (in the build) by default [20] 
 o alt-svc: minimize variable scope and avoid "DEAD_STORE" [51] 
 o asyn: use 'struct thread_data *' instead of 'void *' [84] 
 o checksrc: warn on empty line before open brace [13] 
 o CI/appveyor: disable test 571 in two cmake builds [22] 
 o CI/azure: improve on flakiness by avoiding libtool wrappers [7] 
 o CI/tests: enable test target on TravisCI for CMake builds [38] 
 o CI/travis: add brotli and zstd to the libssh2 build [27] 
 o cirrus: build with FreeBSD 12.2 in CirrusCI [80] 
 o cmake: call the feature unixsockets without dash [26] 
 o cmake: check for linux/tcp.h [91] 
 o cmake: correctly handle linker flags for static libs [52] 
 o cmake: don't pass -fvisibility=hidden to clang-cl on Windows [53] 
 o cmake: don't use reserved target name 'test' [79] 
 o cmake: make BUILD_TESTING dependent option [30] 
 o cmake: make CURL_ZLIB a tri-state variable [70] 
 o cmake: set the unicode feature in curl-config on Windows [23] 
 o cmake: store IDN2 information in curl_config.h [25] 
 o cmake: use libcurl.rc in all Windows builds [69] 
 o configure: pass -pthread to Libs.private for pkg-config [50] 
 o configure: use pkgconfig to find openSSL when cross-compiling [28] 
 o connect: repair build without ipv6 availability [19] 
 o curl.1: add an "OUTPUT" section at the top of the manpage [32] 
 o curl.se: new home [59] 
 o curl: add compatibility for Amiga and GCC 6.5 [61] 
 o curl: only warn not fail, if not finding the home dir [15] 
 o curl_easy_escape: limit output string length to 3 * max input [55] 
 o Curl_pgrsStartNow: init speed limit time stamps at start [48] 
 o curl_setup: USE_RESOLVE_ON_IPS is for Apple native resolver use 
 o curl_url_set.3: fix typo in the RETURN VALUE section [3] 
 o CURLOPT_DNS_USE_GLOBAL_CACHE.3: fix typo [34] 
 o CURLOPT_HSTS.3: document the file format [82] 
 o CURLOPT_NOBODY.3: fix typo [6] 
 o CURLOPT_TCP_NODELAY.3: fix comment in example code [8] 
 o CURLOPT_URL.3: clarify SCP/SFTP URLs are for uploads as well 
 o docs: document the 8MB input string limit [57] 
 o docs: fix typos and markup in ETag manpage sections [87] 
 o docs: Fix various typos in documentation [58] 
 o examples/httpput: remove use of CURLOPT_PUT [39] 
 o FAQ: refreshed [56] 
 o file: avoid duplicated code sequence [77] 
 o ftp: retry getpeername for FTP with TCP_FASTOPEN [100] 
 o gnutls: fix memory leaks (certfields memory wasn't released) [41] 
 o header.d: mention the "Transfer-Encoding: chunked" handling [45] 
 o HISTORY: the new domain 
 o http3: fix two build errors, silence warnings [10] 
 o http3: use the master branch of GnuTLS for testing [88] 
 o http: pass correct header size to debug callback for chunked post [44] 
 o http_proxy: use enum with state names for 'keepon' [54] 
 o httpput-postfields.c: new example doing PUT with POSTFIELDS [35] 
 o infof/failf calls: fix format specifiers [78] 
 o libssh2: fix build with disabled proxy support [17] 
 o libssh2: fix transport over HTTPS proxy [31] 
 o libssh2: require version 1.0 or later [24] 
 o Makefile.m32: add support for HTTP/3 via ngtcp2+nghttp3 [11] 
 o Makefile.m32: add support for UNICODE builds [85] 
 o mqttd: fclose test file when done [60] 
 o NEW-PROTOCOL: document what needs to be done to add one [92] 
 o ngtcp2: adapt to recent nghttp3 updates [49] 
 o ngtcp2: advertise h3 ALPN unconditionally [72] 
 o ngtcp2: Fix build error due to symbol name change [90] 
 o ngtcp2: use the minimal version of QUIC supported by ngtcp2 [67] 
 o ntlm: avoid malloc(0) on zero length user and domain [96] 
 o openssl: acknowledge SRP disabling in configure properly [9] 
 o openssl: free mem_buf in error path [94] 
 o openssl: guard against OOM on context creation [68] 
 o openssl: use OPENSSL_init_ssl() with >= 1.1.0 [66] 
 o os400: Sync libcurl API options [5] 
 o packages/OS400: make the source code-style compliant [4] 
 o quiche: close the connection [89] 
 o quiche: remove 'static' from local buffer [71] 
 o range.d: clarify that curl will not parse multipart responses [36] 
 o range.d: fix typo 
 o Revert "multi: implement wait using winsock events" [99] 
 o rtsp: error out on empty Session ID, unified the code 
 o rtsp: fixed Session ID comparison to refuse prefix [65] 
 o rtsp: fixed the RTST Session ID mismatch in test 570 [64] 
 o runtests: return error if no tests ran [16] 
 o runtests: revert the mistaken edit of $CURL 
 o runtests: show keywords when no tests ran [33] 
 o scripts/completion.pl: parse all opts [101] 
 o socks: check for DNS entries with the right port number [74] 
 o src/tool_filetime: disable -Wformat on mingw for this file [2] 
 o strerror: use 'const' as the string should never be modified [18] 
 o test122[12]: remove these two tests [1] 
 o test506: make it not run in c-ares builds [75] 
 o tests/*server.py: close log file after each log line [81] 
 o tests/server/tftpd.c: close upload file right after transfer [62] 
 o tests/util.py: fix compatibility with Python 2 [83] 
 o tests: add missing global_init/cleanup calls [42] 
 o tests: fix some http/2 tests for older versions of nghttpx [47] 
 o tool_debug_cb: do not assume zero-terminated data 
 o tool_help: make "output" description less confusing [21] 
 o tool_operate: --retry for HTTP 408 responses too [43] 
 o tool_operate: bail out proper on errors during parallel transfers [29] 
 o tool_operate: fix compiler warning when --libcurl is disabled [12] 
 o tool_writeout: use off_t getinfo-types instead of doubles [76] 
 o travis: use ninja-build for CMake builds [63] 
 o travis: use valgrind when running tests for debug builds [40] 
 o urlapi: don't accept blank port number field without scheme [98] 
 o urlapi: URL encode a '+' in the query part [14] 
 o urldata: remove 'void *protop' and create the union 'p' [86] 
 o vquic/ngtcp2.h: define local_addr as sockaddr_storage [73] 

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html) 

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Andreas Fischer, asavah on github, b9a1 on github, Baruch Siach, 
  Basuke Suzuki, bobmitchell1956 on github, BrumBrum on hackerone, 
  Cristian Morales Vega, d4d on hackerone, Daiki Ueno, Daniel Gustafsson, 
  Daniel Stenberg, Dietmar Hauser, Dirk Wetter, emanruse on github, 
  Emil Engler, hamstergene on github, Harry Sintonen, Jacob Hoffman-Andrews, 
  Jakub Zakrzewski, Jeroen Ooms, Jon Rumsey, José Joaquín Atria, Junho Choi, 
  Kael1117 on github, Klaus Crusius, Kovalkov Dmitrii, Marcel Raad, 
  Marc Hörsken, Marc Schlatter, Niranjan Hasabnis, nosajsnikta on github, 
  Oliver Urbann, Per Nilsson, Philipp Klaus Krause, Ray Satiro, 
  Rikard Falkeborn, Rui LIU, Sergei Nikulov, Thomas Danielsson, Tobias Hieta, 
  Tom G. Christensen, Varnavas Papaioannou, Viktor Szakats, Vincent Torri, 
  xnynx on github, 
  (46 contributors)

        Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

 [1] = https://curl.se/bug/?i=6080 
 [2] = https://curl.se/bug/?i=6079 
 [3] = https://curl.se/bug/?i=6102 
 [4] = https://curl.se/bug/?i=6085 
 [5] = https://curl.se/bug/?i=6083 
 [6] = https://curl.se/bug/?i=6097 
 [7] = https://curl.se/bug/?i=6049 
 [8] = https://curl.se/bug/?i=6096 
 [9] = https://curl.se/mail/lib-2020-10/0037.html 
 [10] = https://curl.se/bug/?i=6093 
 [11] = https://curl.se/bug/?i=6092 
 [12] = https://curl.se/bug/?i=6095 
 [13] = https://curl.se/bug/?i=6088 
 [14] = https://curl.se/bug/?i=6086 
 [15] = https://curl.se/bug/?i=6200 
 [16] = https://curl.se/bug/?i=6053 
 [17] = https://curl.se/bug/?i=6125 
 [18] = https://curl.se/bug/?i=6068 
 [19] = https://curl.se/bug/?i=6069 
 [20] = https://curl.se/bug/?i=5868 
 [21] = https://curl.se/bug/?i=6118 
 [22] = https://curl.se/bug/?i=6119 
 [23] = https://curl.se/bug/?i=6117 
 [24] = https://curl.se/bug/?i=6116 
 [25] = https://curl.se/bug/?i=6108 
 [26] = https://curl.se/bug/?i=6108 
 [27] = https://curl.se/bug/?i=6105 
 [28] = https://curl.se/bug/?i=6145 
 [29] = https://curl.se/bug/?i=6141 
 [30] = https://curl.se/bug/?i=6072 
 [31] = https://curl.se/bug/?i=6113 
 [32] = https://curl.se/bug/?i=6134 
 [33] = https://curl.se/bug/?i=6126 
 [34] = https://curl.se/bug/?i=6131 
 [35] = https://curl.se/bug/?i=6188 
 [36] = https://curl.se/bug/?i=6124 
 [37] = https://curl.se/bug/?i=5896 
 [38] = https://curl.se/bug/?i=6074 
 [39] = https://curl.se/bug/?i=6186 
 [40] = https://curl.se/bug/?i=6154 
 [41] = https://curl.se/bug/?i=6153 
 [42] = https://curl.se/bug/?i=6156 
 [43] = https://curl.se/bug/?i=6155 
 [44] = https://curl.se/bug/?i=6147 
 [45] = https://curl.se/bug/?i=6148 
 [46] = https://curl.se/bug/?i=6138 
 [47] = https://curl.se/bug/?i=6139 
 [48] = https://curl.se/bug/?i=6162 
 [49] = https://curl.se/bug/?i=6185 
 [50] = https://curl.se/bug/?i=6168 
 [51] = https://curl.se/bug/?i=6182 
 [52] = https://curl.se/bug/?i=6195 
 [53] = https://curl.se/bug/?i=6194 
 [54] = https://curl.se/mail/lib-2020-11/0026.html 
 [55] = https://curl.se/bug/?i=6192 
 [56] = https://curl.se/bug/?i=6177 
 [57] = https://curl.se/bug/?i=6190 
 [58] = https://curl.se/bug/?i=6171 
 [59] = https://curl.se/bug/?i=6172 
 [60] = https://curl.se/bug/?i=6058 
 [61] = https://curl.se/bug/?i=6220 
 [62] = https://curl.se/bug/?i=6058 
 [63] = https://curl.se/bug/?i=6077 
 [64] = https://curl.se/bug/?i=6161 
 [65] = https://curl.se/bug/?i=6161 
 [66] = https://curl.se/bug/?i=6254 
 [67] = https://curl.se/bug/?i=6250 
 [68] = https://curl.se/bug/?i=6224 
 [69] = https://curl.se/bug/?i=6215 
 [70] = https://curl.se/bug/?i=6173 
 [71] = https://curl.se/bug/?i=6223 
 [72] = https://curl.se/bug/?i=6250 
 [73] = https://curl.se/bug/?i=6250 
 [74] = https://curl.se/bug/?i=6247 
 [75] = https://curl.se/bug/?i=6247 
 [76] = https://curl.se/bug/?i=6248 
 [77] = https://curl.se/bug/?i=6249 
 [78] = https://curl.se/bug/?i=6241 
 [79] = https://curl.se/bug/?i=6257 
 [80] = https://curl.se/bug/?i=6211 
 [81] = https://curl.se/bug/?i=6058 
 [82] = https://curl.se/bug/?i=6205 
 [83] = https://curl.se/bug/?i=6259 
 [84] = https://curl.se/bug/?i=6239 
 [85] = https://curl.se/bug/?i=6228 
 [86] = https://curl.se/bug/?i=6238 
 [87] = https://curl.se/bug/?i=6273 
 [88] = https://curl.se/bug/?i=6235 
 [89] = https://curl.se/bug/?i=6213 
 [90] = https://curl.se/bug/?i=6271 
 [91] = https://curl.se/bug/?i=6252 
 [92] = https://curl.se/bug/?i=6263 
 [93] = https://curl.se/docs/CVE-2020-8286.html 
 [94] = https://curl.se/bug/?i=6267 
 [95] = https://curl.se/docs/CVE-2020-8285.html 
 [96] = https://curl.se/bug/?i=6264 
 [97] = https://curl.se/docs/CVE-2020-8284.html 
 [98] = https://curl.se/bug/?i=6283 
 [99] = https://curl.se/bug/?i=6146 
 [100] = https://curl.se/bug/?i=6252 
 [101] = https://curl.se/bug/?i=6280