curl/RELEASE-NOTES
Daniel Stenberg 042cc1f69e - David Kierznowski notified us about a security flaw
(http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
  which previous libcurl versions (by design) can be tricked to access an
  arbitrary local/different file instead of a remote one when
  CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
  together with the addition of two new setopt options for controlling this
  new behavior:

  o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
  follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
  excludes the FILE and SCP protocols and thus you need to explicitly allow
  them in your app if you really want that behavior.

  o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
  using the primary URL option. This is useful if you want to allow a user or
  other outsiders to control what URL to pass to libcurl and yet not allow all
  protocols libcurl may have been built to support.
2009-03-02 23:05:31 +00:00

Curl and libcurl 7.19.4

Public curl releases: 110
Command line options: 132
curl_easy_setopt() options: 163
Public functions in libcurl: 58
Known libcurl bindings: 38
Contributors: 700

This release includes the following security-related fix:

o CVE-2009-0037 with the curl advisory here:
http://curl.haxx.se/docs/adv_20090303.html

This release includes the following changes:

o Added CURLOPT_NOPROXY and the corresponding --noproxy
o the OpenSSL-specific code disables TICKET (rfc5077) which is enabled by
default in openssl 0.9.8j
o Added CURLOPT_TFTP_BLKSIZE
o Added CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC - with
the corresponding curl options --socks5-gssapi-service and
--socks5-gssapi-nec
o Improved IPv6 support when built with c-ares >= 1.6.1
o Added CURLPROXY_HTTP_1_0 and --proxy1.0
o Added docs/libcurl/symbols-in-versions
o Added CURLINFO_CONDITION_UNMET
o Added support for Digest and NTLM authentication using GnuTLS
o CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry the CWD even
when MKD fails
o GnuTLS initing moved to curl_global_init()
o Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS

This release includes the following bugfixes:

o missing ssh.obj in VS makefiles
o FTP ;type=i URLs now work with CURLOPT_PROXY_TRANSFER_MODE in Turkish
locale
o realms with quoted quotation marks in HTTP Digest headers
o VC9 makefiles are now really included
o multi interface memory leak with CURLMOPT_MAXCONNECTS set
o CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with
CURLOPT_NOBODY set true
o memory leak on some libz errors for content encodings
o NSS-enabled build is repaired
o superfluous wait in SFTP downloads removed
o FTP with the multi interface no longer kills the control connection as
easily on transfer failures
o compilation halting when using VS2008 to build a Windows 2000 target
o ease creation of libcurl Mac OS X Framework
o CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD are -1
if unknown
o Negotiate proxy authentication
o CURLOPT_INTERFACE and CURLOPT_LOCALPORT used together

This release includes the following known bugs:

o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

Lisa Xu, Daniel Fandrich, Craig A West, Alexey Borzov, Sharad Gupta,
Peter Sylvester, Chad Monroe, Markus Moeller, Yang Tse, Scott Cantor,
Patrick Scott, Hidemoto Nakada, Jocelyn Jaubert, Andre Guibert de Bruet,
Kamil Dudka, Patrik Thunstrom, Linus Nielsen Feltzing, Mark Incley,
Daniel Johnson, James Cheng, Brian J. Murrell, Senthil Raja Velu,
Markus Koetter, David Kierznowski, Michal Marek

Thanks! (and sorry if I forgot to mention someone)