curl/RELEASE-NOTES
2023-11-28 23:04:09 +01:00

395 lines
18 KiB
Plaintext

curl and libcurl 8.5.0
Public curl releases: 253
Command line options: 258
curl_easy_setopt() options: 303
Public functions in libcurl: 93
Contributors: 3035
This release includes the following changes:
o gnutls: support CURLSSLOPT_NATIVE_CA [31]
o HTTP3: ngtcp2 builds are no longer experimental [77]
This release includes the following bugfixes:
o appveyor: make VS2008-built curl tool runnable [93]
o asyn-thread: use pipe instead of socketpair for IPC when available [4]
o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128]
o autotools: avoid passing `LDFLAGS` twice to libcurl [127]
o autotools: delete LCC compiler support bits [137]
o autotools: fix/improve gcc and Apple clang version detection [136]
o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135]
o autotools: update references to deleted `crypt-auth` option [46]
o BINDINGS: add V binding [54]
o build: add `src/.checksrc` to source tarball [1]
o build: add more picky warnings and fix them [172]
o build: always revert `#pragma GCC diagnostic` after use [143]
o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107]
o build: delete support bits for obsolete Windows compilers [106]
o build: fix 'threadsafe' feature detection for older gcc [19]
o build: fix compiler warning with auths disabled [85]
o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120]
o build: picky warning updates [125]
o build: require Windows XP or newer [86]
o cfilter: provide call to tell connection to forget a socket [65]
o CI: add autotools, out-of-tree, debug build to distro check job [14]
o CI: ignore test 286 on Appveyor gcc 9 build [6]
o cmake: add `CURL_DISABLE_BINDLOCAL` option [146]
o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138]
o cmake: dedupe Windows system libs [114]
o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2]
o cmake: fix CURL_DISABLE_GETOPTIONS [12]
o cmake: fix multiple include of CURL package [96]
o cmake: fix OpenSSL quic detection in quiche builds [56]
o cmake: option to disable install & drop `curlu` target when unused [72]
o cmake: pre-fill rest of detection values for Windows [50]
o cmake: replace `check_library_exists_concat()` [23]
o cmake: speed up threads setup for Windows [68]
o cmake: speed up zstd detection [69]
o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123]
o configure: better --disable-http [80]
o configure: check for the fseeko declaration too [55]
o conncache: use the closure handle when disconnecting surplus connections [173]
o content_encoding: make Curl_all_content_encodings allocless [101]
o cookie: lowercase the domain names before PSL checks [160]
o curl.h: delete Symbian OS references [162]
o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21]
o curl.rc: switch out the copyright symbol for plain ASCII [167]
o curl: improved IPFS and IPNS URL support [87]
o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99]
o Curl_http_body: cleanup properly when Curl_getformdata errors [152]
o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57]
o curl_sspi: support more revocation error names in error messages [95]
o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165]
o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113]
o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45]
o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO
o docs/example/keepalive.c: show TCP keep-alive options [73]
o docs/example/localport.c: show off CURLOPT_LOCALPORT [83]
o docs/examples/interface.c: show CURLOPT_INTERFACE use [84]
o docs/libcurl: fix three minor man page format mistakes [26]
o docs/libcurl: SYNSOPSIS cleanup [150]
o docs: add supported version for the json write-out [92]
o docs: clarify that curl passes on input unfiltered [47]
o docs: fix function typo in curl_easy_option_next.3 [36]
o docs: KNOWN_BUGS cleanup
o docs: preserve the modification date when copying the prebuilt man page [89]
o docs: remove bold from some man page SYNOPSIS sections [90]
o docs: use SOURCE_DATE_EPOCH for generated manpages [16]
o doh: provide better return code for responses w/o addresses [133]
o doh: use PIPEWAIT when HTTP/2 is attempted [63]
o duphandle: also free 'outcurl->cookies' in error path [122]
o duphandle: make dupset() not return with pointers to old alloced data [109]
o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132]
o easy: in duphandle, init the cookies for the new handle [131]
o easy: remove duplicate wolfSSH init call [37]
o easy_lock: add a pthread_mutex_t fallback [13]
o fopen: create new file using old file's mode [153]
o fopen: create short(er) temporary file name [155]
o getenv: PlayStation doesn't have getenv() [41]
o GHA: move mod_h2 version in CI to v2.0.25 [43]
o hostip: show the list of IPs when resolving is done [35]
o hostip: silence compiler warning `-Wparentheses-equality` [62]
o hsts: skip single-dot hostname [67]
o HTTP/2, HTTP/3: handle detach of onoing transfers [134]
o http2: header conversion tightening [33]
o http2: provide an error callback and failf the message [53]
o http2: safer invocation of populate_binsettings [8]
o http: allow longer HTTP/2 request method names [112]
o http: avoid Expect: 100-continue if Upgrade: is used [15]
o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81]
o http: fix `-Wunused-parameter` with no auth and no proxy [149]
o http: fix `-Wunused-variable` compiler warning [115]
o http: fix empty-body warning [76]
o http_aws_sigv4: canonicalise valueless query params [88]
o hyper: temporarily remove HTTP/2 support [139]
o IPFS: fix IPFS_PATH and file parsing [119]
o keylog: disable if unused [145]
o lib: add and use Curl_strndup() [97]
o lib: apache style infof and trace macros/functions [71]
o lib: fix gcc warning in printf call [7]
o libcurl-errors.3: sync with current public headers [156]
o libcurl-thread.3: simplify the TLS section [79]
o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103]
o Makefile.mk: fix `-rtmp` option for non-Windows
o mime: store "form escape" as a single bit [170]
o misc: fix -Walloc-size warnings [118]
o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61]
o multi: use pipe instead of socketpair to *wakeup() [18]
o ntlm_wb: use pipe instead of socketpair when possible [44]
o openldap: move the alloc of ldapconninfo to *connect() [29]
o openldap: set the callback argument in oldap_do [30]
o openssl: avoid BN_num_bits() NULL pointer derefs [9]
o openssl: enable `infof_certstack` for 1.1 and LibreSSL 3.6 [157]
o openssl: fix building with v3 `no-deprecated` + add CI test [161]
o openssl: fix infof() to avoid compiler warning for %s with null [70]
o openssl: identify the "quictls" backend correctly [82]
o openssl: include SIG and KEM algorithms in verbose [52]
o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58]
o openssl: two multi pointer checks should probably rather be asserts [91]
o openssl: when a session-ID is reused, skip OCSP stapling [142]
o page-footer: clarify exit code 25 [51]
o projects: add VC14.20 project files [104]
o pytest: use lower count in repeat tests [98]
o quic: make eyeballers connect retries stop at weird replies [140]
o quic: manage connection idle timeouts [5]
o quiche: use quiche_conn_peer_transport_params() [116]
o rand: fix build error with autotools + LibreSSL [111]
o resolve.d: drop a multi use-sentence [100]
o RTSP: improved RTP parser [32]
o sasl: fix `-Wunused-function` compiler warning [124]
o schannel: add CA cache support for files and memory blobs [121]
o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171]
o setopt: remove outdated cookie comment [64]
o setopt: remove superfluous use of ternary expressions [169]
o socks: better buffer size checks for socks4a user and hostname [20]
o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38]
o test1683: remove commented-out check alternatives
o test3103: add missing quotes around a test tag attribute
o test613: stop showing an error on missing output file
o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48]
o tests/server: add more SOCKS5 handshake error checking [27]
o tests: Fix Windows test helper tool search & use it for handle64 [17]
o tidy-up: casing typos, delete unused Windows version aliases [144]
o tool: fix --capath when proxy support is disabled [28]
o tool: support bold headers in Windows [117]
o tool_cb_hdr: add an additional parsing check [129]
o tool_cb_prg: make the carriage return fit for wide progress bars [159]
o tool_cb_wrt: fix write output for very old Windows versions [24]
o tool_getparam: limit --rate to be smaller than number of ms [3]
o tool_operate: do not mix memory models [108]
o tool_operate: fix links in ipfs errors [22]
o tool_parsecfg: make warning output propose double-quoting [164]
o tool_urlglob: fix build for old gcc versions [25]
o tool_urlglob: make multiply() bail out on negative values [11]
o transfer: avoid calling the read callback again after EOF [130]
o transfer: only reset the FTP wildcard engine in CLEAR state [42]
o url: don't touch the multi handle when closing internal handles [40]
o url: find scheme with a "perfect hash" [141]
o url: fix `-Wzero-length-array` with no protocols [147]
o url: fix builds with `CURL_DISABLE_HTTP` [148]
o url: protocol handler lookup tidy-up [66]
o url: proxy ssl connection reuse fix [94]
o urlapi: avoid null deref if setting blank host to url encode [75]
o urlapi: skip appending NULL pointer query [74]
o urlapi: when URL encoding the fragment, pass in the right length [59]
o urldata: make maxconnects a 32 bit value [166]
o urldata: move async resolver state from easy handle to connectdata [34]
o urldata: move cookielist from UserDefined to UrlState [126]
o urldata: move hstslist from 'set' to 'state' [105]
o urldata: move the 'internal' boolean to the state struct [39]
o vssh: remove the #ifdef for Curl_ssh_init, use empty macro
o vtls: cleanup SSL config management [78]
o vtls: late clone of connection ssl config [60]
o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102]
o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110]
o windows: use built-in `_WIN32` macro to detect Windows [163]
o wolfssh: remove redundant static prototypes [168]
o wolfssl: add default case for wolfssl_connect_step1 switch [49]
o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10]
This release includes the following known bugs:
o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)
Planned upcoming removals include:
o support for space-separated NOPROXY patterns
See https://curl.se/dev/deprecate.html for details
This release would not have looked like this without help, code, reports and
advice from friends like these:
12932 on github, Alex Bozarth, Alexey Larikov, Alex Klyubin, Ammar Faizi,
Andrew Kurushin, Anubhav Rai, boilingoden, calvin2021y on github,
Carlos Henrique Lima Melara, Casey Bodley, Charlie C, Dan Fandrich,
Daniel Jeliński, Daniel Stenberg, David Suter, Emanuele Torre, Enno Boland,
enWILLYado on github, Faraz Fallahi, Gisle Vanem, Goro FUJI, Harry Mallon,
Harry Sintonen, icy17 on github, Jacob Hoffman-Andrews,
Jan Alexander Steffens, Jeroen Ooms, Jiehong on github, Jiri Hruska,
Junho Choi, Kai Pastor, Kareem, Kartatz on Github, kirbyn17 on hackerone,
lkordos on github, Loïc Yhuel, LoRd_MuldeR, lRoccoon on github,
Maksymilian Arciemowicz, Manfred Schwarb, Marcel Raad, Marcin Rataj,
Mark Gaiser, Martin Schmatz, Michael Kaufmann, Nico Rieck, Niracler Li,
ohyeaah on github, Ophir Lojkine, Paweł Wegner, Philip Heiduck, Ray Satiro,
rilysh, Robert Southee, Romain Geissler, Sam James, Samuel Henrique,
sd0 on hackerone, Smackd0wn, Sohom Datta, Stefan Eissing, Steven Allen,
Tim Hill, Torben Dury, Turiiya, Viktor Szakats, yushicheng7788 on github,
zhengqwe on github, 積丹尼 Dan Jacobson
(70 contributors)
References to bug reports and discussions on issues:
[1] = https://curl.se/bug/?i=12084
[2] = https://curl.se/bug/?i=12093
[3] = https://curl.se/bug/?i=12116
[4] = https://curl.se/bug/?i=12146
[5] = https://curl.se/bug/?i=12064
[6] = https://curl.se/bug/?i=12040
[7] = https://curl.se/bug/?i=12082
[8] = https://curl.se/bug/?i=12101
[9] = https://curl.se/bug/?i=12099
[10] = https://curl.se/bug/?i=12108
[11] = https://curl.se/bug/?i=12102
[12] = https://curl.se/bug/?i=12091
[13] = https://curl.se/bug/?i=12090
[14] = https://curl.se/bug/?i=12088
[15] = https://curl.se/bug/?i=12022
[16] = https://curl.se/bug/?i=12092
[17] = https://curl.se/bug/?i=12115
[18] = https://curl.se/bug/?i=12142
[19] = https://curl.se/bug/?i=12125
[20] = https://curl.se/bug/?i=12139
[21] = https://curl.se/bug/?i=12107
[22] = https://curl.se/bug/?i=12133
[23] = https://curl.se/bug/?i=11285
[24] = https://curl.se/bug/?i=12131
[25] = https://curl.se/bug/?i=12124
[26] = https://curl.se/bug/?i=12126
[27] = https://curl.se/bug/?i=12117
[28] = https://curl.se/bug/?i=12089
[29] = https://curl.se/bug/?i=12166
[30] = https://curl.se/bug/?i=12166
[31] = https://curl.se/bug/?i=12137
[32] = https://curl.se/bug/?i=12052
[33] = https://curl.se/bug/?i=12097
[34] = https://curl.se/bug/?i=12198
[35] = https://curl.se/bug/?i=12145
[36] = https://curl.se/bug/?i=12170
[37] = https://curl.se/bug/?i=12168
[38] = https://curl.se/bug/?i=11949
[39] = https://curl.se/bug/?i=12165
[40] = https://curl.se/bug/?i=12165
[41] = https://curl.se/bug/?i=12140
[42] = https://curl.se/bug/?i=11775
[43] = https://curl.se/bug/?i=12157
[44] = https://curl.se/bug/?i=12149
[45] = https://curl.se/bug/?i=12201
[46] = https://curl.se/bug/?i=12194
[47] = https://curl.se/bug/?i=12249
[48] = https://curl.se/bug/?i=12195
[49] = https://curl.se/bug/?i=12218
[50] = https://curl.se/bug/?i=12044
[51] = https://curl.se/bug/?i=12189
[52] = https://curl.se/bug/?i=12030
[53] = https://curl.se/bug/?i=12179
[54] = https://curl.se/bug/?i=12182
[55] = https://curl.se/bug/?i=12086
[56] = https://curl.se/bug/?i=12160
[57] = https://curl.se/bug/?i=12221
[58] = https://curl.se/bug/?i=12155
[59] = https://curl.se/bug/?i=12250
[60] = https://curl.se/bug/?i=12237
[61] = https://curl.se/bug/?i=12213
[62] = https://curl.se/bug/?i=12215
[63] = https://curl.se/bug/?i=12214
[64] = https://curl.se/bug/?i=12206
[65] = https://curl.se/bug/?i=12207
[66] = https://curl.se/bug/?i=12216
[67] = https://curl.se/bug/?i=12247
[68] = https://curl.se/bug/?i=12202
[69] = https://curl.se/bug/?i=12200
[70] = https://curl.se/bug/?i=12196
[71] = https://curl.se/bug/?i=12083
[72] = https://curl.se/bug/?i=12287
[73] = https://curl.se/bug/?i=12242
[74] = https://curl.se/bug/?i=12240
[75] = https://curl.se/bug/?i=12240
[76] = https://curl.se/bug/?i=12262
[77] = https://curl.se/bug/?i=12235
[78] = https://curl.se/bug/?i=12204
[79] = https://curl.se/bug/?i=12233
[80] = https://curl.se/bug/?i=12223
[81] = https://curl.se/bug/?i=10521
[82] = https://curl.se/bug/?i=12270
[83] = https://curl.se/bug/?i=12230
[84] = https://curl.se/bug/?i=12229
[85] = https://curl.se/bug/?i=12227
[86] = https://curl.se/bug/?i=12225
[87] = https://curl.se/bug/?i=12148
[88] = https://curl.se/bug/?i=8107
[89] = https://curl.se/bug/?i=12199
[90] = https://curl.se/bug/?i=12267
[91] = https://curl.se/bug/?i=12264
[92] = https://curl.se/bug/?i=12266
[93] = https://curl.se/bug/?i=12263
[94] = https://curl.se/bug/?i=12255
[95] = https://curl.se/bug/?i=12239
[96] = https://curl.se/bug/?i=11913
[97] = https://curl.se/bug/?i=12251
[98] = https://curl.se/bug/?i=12248
[99] = https://curl.se/bug/?i=12315
[100] = https://curl.se/bug/?i=12294
[101] = https://curl.se/bug/?i=12289
[102] = https://curl.se/bug/?i=12259
[103] = https://curl.se/bug/?i=12288
[104] = https://curl.se/bug/?i=12282
[105] = https://curl.se/bug/?i=12315
[106] = https://curl.se/bug/?i=12222
[107] = https://curl.se/bug/?i=12275
[108] = https://curl.se/bug/?i=12280
[109] = https://curl.se/bug/?i=12337
[110] = https://curl.se/bug/?i=12278
[111] = https://curl.se/bug/?i=12257
[112] = https://curl.se/bug/?i=12311
[113] = https://curl.se/bug/?i=12277
[114] = https://curl.se/bug/?i=12307
[115] = https://curl.se/bug/?i=12228
[116] = https://curl.se/bug/?i=12180
[117] = https://curl.se/bug/?i=12321
[118] = https://curl.se/bug/?i=12292
[119] = https://curl.se/bug/?i=12152
[120] = https://curl.se/bug/?i=12273
[121] = https://curl.se/bug/?i=12261
[122] = https://curl.se/bug/?i=12329
[123] = https://curl.se/bug/?i=12325
[124] = https://curl.se/bug/?i=12326
[125] = https://curl.se/bug/?i=12324
[126] = https://curl.se/bug/?i=12323
[127] = https://curl.se/bug/?i=12310
[128] = https://curl.se/bug/?i=12312
[129] = https://curl.se/bug/?i=12320
[130] = https://curl.se/mail/lib-2023-11/0017.html
[131] = https://curl.se/bug/?i=12318
[132] = https://curl.se/bug/?i=12317
[133] = https://curl.se/bug/?i=12365
[134] = https://curl.se/bug/?i=12356
[135] = https://curl.se/bug/?i=12346
[136] = https://curl.se/bug/?i=12362
[137] = https://curl.se/bug/?i=12357
[138] = https://curl.se/bug/?i=12353
[139] = https://curl.se/bug/?i=12191
[140] = https://curl.se/bug/?i=12400
[141] = https://curl.se/bug/?i=12347
[142] = https://curl.se/bug/?i=12399
[143] = https://curl.se/bug/?i=12352
[144] = https://curl.se/bug/?i=12351
[145] = https://curl.se/bug/?i=12350
[146] = https://curl.se/bug/?i=12345
[147] = https://curl.se/bug/?i=12344
[148] = https://curl.se/bug/?i=12343
[149] = https://curl.se/bug/?i=12338
[150] = https://curl.se/bug/?i=12402
[152] = https://curl.se/bug/?i=12410
[153] = https://curl.se/bug/?i=12299
[155] = https://curl.se/bug/?i=12388
[156] = https://curl.se/bug/?i=12424
[157] = https://curl.se/bug/?i=12385
[159] = https://curl.se/bug/?i=12407
[160] = https://curl.se/bug/?i=12387
[161] = https://curl.se/bug/?i=12384
[162] = https://curl.se/bug/?i=12378
[163] = https://curl.se/bug/?i=12376
[164] = https://curl.se/bug/?i=12409
[165] = https://curl.se/bug/?i=12382
[166] = https://curl.se/bug/?i=12375
[167] = https://curl.se/bug/?i=12403
[168] = https://curl.se/bug/?i=12381
[169] = https://curl.se/bug/?i=12374
[170] = https://curl.se/bug/?i=12374
[171] = https://curl.se/bug/?i=12374
[172] = https://curl.se/bug/?i=12331
[173] = https://curl.se/bug/?i=12367