Numbers
the 255th and 256th releases
5 changes
56 days (total: 9,504)
162 bug-fixes (total: 10,050)
246 commits (total: 31,931)
0 new public libcurl function (total: 93)
0 new curl_easy_setopt() option (total: 304)
0 new curl command line option (total: 258)
92 contributors, 56 new (total: 3,133)
37 authors, 15 new (total: 1,252)
4 security fixes (total: 155)
Versions
I first released 8.7.0, but immediately someone pointed out that one of
the files in the tarballs was broken, so I fixed the issue, created a
new set of tarballs, bumped the version and uploaded the new set. The
new release is 8.7.1 but of course it has the same set of changes. We
just pretend we did not upload 8.7.0.
Release presentation
At 10:00 CET (09:00 UTC) on March 27 I will do a [1]live-streamed
release presentation as usual.
Security
* [2]CVE-2024-2004: Usage of disabled protocol. (low)
When a protocol selection parameter option disables all protocols
without adding any then the default set of protocols would remain
in the allowed set due to an error in the logic for removing
protocols.
* [3]CVE-2024-2398: HTTP/2 push headers memory-leak. (medium)
When an application tells libcurl it wants to allow HTTP/2 server
push, and the number of received headers for the push surpasses the
maximum allowed limit (1000), libcurl aborts the server push. When
aborting, libcurl inadvertently does not free all the previously
allocated headers and instead leaks the memory.
* [4]CVE-2024-2379: QUIC certificate check bypass with wolfSSL. (low)
libcurl skips the certificate verification for a QUIC connection
under certain conditions, when built to use wolfSSL. If told to use
an unknown/bad cipher or curve, the error path accidentally skips
the verification and returns OK, thus ignoring any certificate
problems.
* [5]CVE-2024-2466: TLS certificate check bypass with mbedTLS. (medium)
libcurl did not check the server certificate of TLS connections
done to a host specified as an IP address, when built to use
mbedTLS.
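The protocol-selection logic behind CVE-2024-2004, as an added example that is not curl's own code: a small parser for the --proto syntax in which an explicit "-all" must leave the allowed set empty, next to a hypothetical wrapper showing how treating the empty set as "not configured" quietly reinstates the default. The protocol bits, names and both functions are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical protocol bits; not curl's real CURLPROTO_* values. */
enum { P_HTTP = 1, P_HTTPS = 2, P_FTP = 4, P_ALL = P_HTTP | P_HTTPS | P_FTP };
static const struct { const char *name; uint32_t bit; } protos[] = {
  { "http", P_HTTP }, { "https", P_HTTPS }, { "ftp", P_FTP }, { "all", P_ALL } };

static uint32_t lookup(const char *name, size_t len) {
  for(size_t i = 0; i < sizeof(protos) / sizeof(protos[0]); i++)
    if(strlen(protos[i].name) == len && !strncmp(protos[i].name, name, len))
      return protos[i].bit;
  return 0; /* unknown name */
}

/* Parse a --proto style list ("-all,+https", "=http,https", ...) starting
 * from 'start'. '+' adds (the default), '-' removes, '=' replaces the set.
 * *out may legitimately end up 0 ("nothing allowed"), which is the hardened
 * behaviour; false is returned only for an unknown protocol name. */
bool parse_proto(const char *spec, uint32_t start, uint32_t *out) {
  uint32_t set = start;
  while(*spec) {
    char mod = '+';
    if(*spec == '+' || *spec == '-' || *spec == '=') mod = *spec++;
    size_t len = strcspn(spec, ",");
    uint32_t bit = lookup(spec, len);
    if(!bit) return false;
    if(mod == '+') set |= bit;
    else if(mod == '-') set &= ~bit;
    else set = bit;
    spec += len;
    if(*spec == ',') spec++;
  }
  *out = set;
  return true;
}

/* Hypothetical buggy wrapper (assumed illustration, not curl's code): using
 * 0 as the "unset" sentinel means "-all,-http" falls back to the default. */
uint32_t allowed_buggy(const char *spec, uint32_t deflt) {
  uint32_t set;
  if(!parse_proto(spec, deflt, &set) || set == 0) return deflt;
  return set;
}

/* The check a transfer performs against the final set; an empty set refuses
 * every scheme instead of silently allowing the defaults. */
bool scheme_allowed(uint32_t set, const char *scheme) {
  return (set & lookup(scheme, strlen(scheme))) != 0;
}
```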
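The cleanup that the CVE-2024-2398 fix calls for, as an added example that is not curl's own code: a push-header collector with the 1000-header cap quoted above, whose abort path frees every header it has stored, beside the leaky behaviour class (an assumed illustration). The struct, the counter and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Per-push header cap, matching the limit the advisory quotes. */
#define MAX_PUSH_HEADERS 1000

/* Outstanding header allocations, so a test can prove the abort path leaks nothing. */
int live_headers = 0;

struct push_hdrs { char **h; size_t count; };

static void push_free(struct push_hdrs *p) {
  for(size_t i = 0; i < p->count; i++) { free(p->h[i]); live_headers--; }
  free(p->h);
  p->h = NULL;
  p->count = 0;
}

/* Store a copy of one "name: value" line; false once the cap is reached. */
static bool push_add(struct push_hdrs *p, const char *line) {
  if(p->count >= MAX_PUSH_HEADERS) return false;
  char **grown = realloc(p->h, (p->count + 1) * sizeof(char *));
  if(!grown) return false;
  p->h = grown;
  size_t len = strlen(line) + 1;
  char *copy = malloc(len);
  if(!copy) return false;
  memcpy(copy, line, len);
  p->h[p->count++] = copy;
  live_headers++;
  return true;
}

/* Feed 'n' constructed push headers, aborting the push when the cap is hit.
 * fixed == false reproduces the leak class (assumed, not curl's code): the
 * struct is dropped with its allocations unreachable. fixed == true frees
 * every stored header before reporting the abort. True only on full acceptance. */
bool receive_push(size_t n, bool fixed) {
  struct push_hdrs p = { NULL, 0 };
  for(size_t i = 0; i < n; i++) {
    if(!push_add(&p, "x-push: constructed")) {
      if(fixed) push_free(&p);   /* the fix: clean up on the abort path */
      return false;
    }
  }
  push_free(&p);                 /* normal completion: headers consumed */
  return true;
}
```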
Changes
* configure: add --disable-docs flag. This skips the step generating
the manpages, which for many people is unnecessary.
* CURLINFO_USED_PROXY: return bool whether the proxy was used. Useful
when having a filter that only lets some transfers use the proxy.
* write-out: add ‘%{proxy_used}’. The same as above but for the tool.
* digest: support SHA-512/256. Support more modern digest
authentication.
* DoH: add trace configuration. Now you get more DoH tracing/logging
using the general trace mechanism.
Bugfixes
Some of the bugfixes from this cycle that might be worth noticing:
* configure: find libpsl with pkg-config. Makes configure better at
finding libpsl and making use of the correct flags and
sub-dependencies when linking with it.
* configure: find rustls with pkg-config. Similar adjustment but for
rustls.
* cookie: if psl fails, reject the cookie. A run-time failure should
not allow the cookie through.
* curl: exit on config file parser errors. We can insist on the
config file being correct, as otherwise something unintended might
go through.
* curl: make --libcurl output better CURLOPT_*SSLVERSION. This option
takes a bitmask made out of two separate enum ranges.
* file: use xfer buf for file:// transfers. The main effect being
that it can use a larger buffer which can make faster transfers.
* http: better error message for HTTP/1.x response without status
line
* https-proxy: use IP address and cert with ip in alt names. When
connecting to an HTTPS proxy given as an IP address, with a URL that
also used an IP address, and the two addresses were of different IP
versions, curl would get it wrong.
* mprintf: fix format prefix I32/I64 for windows compilers
* OpenSSL QUIC: adapt to v3.3.x. Pending improvements in OpenSSL are
going to enhance curl's ability to do HTTP/3 using it.
* paramhlp: fix CRLF-stripping files with "-d @file". curl would
handle line endings consisting of CR only incorrectly.
* rustls: make curl compile with 0.12.0. Adjusted to use the modified
APIs.
* schannel: fix hang on unexpected server close
* sendf: ignore response body to HEAD. A regression made curl
complain if a HEAD request would get body data.
* smtp: fix STARTTLS. Another regression fixed.
* strtoofft: fix the overflow check. The previous overflow check was
relying on undefined behavior. This is in code only for platforms
without a proper native parser for 64 bit sized numbers.
* TLS: start shutdown only when peer did not already close.
* curl: only parse etag + content-disposition for 2xx.
* curl: accept a blank -w “”
* curl: handle non-existing (out of range) short-options
* curl: change precedence of server Retry-After time
* curl: shorter --help texts. With some polish to make the output look
nicer, in particular "curl --help all".
* transfer.c: break receive loop in speed-limited transfers, to make
libcurl adapt more precisely to the network speed limit set by the
application.
References
1. https://www.twitch.tv/curlhacker
2. https://curl.se/docs/CVE-2024-2004.html
3. https://curl.se/docs/CVE-2024-2398.html
4. https://curl.se/docs/CVE-2024-2379.html
5. https://curl.se/docs/CVE-2024-2466.html