[ANNOUNCEMENT] Updated: curl/libcurl4/-devel/-doc, mingw64-x86_64-curl 7.88.1

Cygwin curl Maintainer via Cygwin-announce cygwin-announce@cygwin.com
Tue Feb 21 03:08:57 GMT 2023


The following packages have been upgraded in the Cygwin distribution:

* curl			7.88.1
* libcurl4		7.88.1
* libcurl-devel		7.88.1
* libcurl-doc		7.88.1
* mingw64-x86_64-curl	7.88.1

NOTE:
This release has been built with debug options disabled, as they are
strongly discouraged for production use, and displays warning messages.

Command line tool and Library supporting transferring files with
URL syntax, using FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, and
FILE, SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form
based upload, proxies, cookies, user+password authentication (Basic,
Digest, NTLM, Negotiate...), file transfer resume, proxy tunneling and a
busload of other useful tricks.

For more information see the project home page:

	https://curl.se/

As there are multiple components and many changes each release please
see below or read /usr/share/doc/curl/RELEASE-NOTES after installation;
for complete details of changes since the previous Cygwin release see:

	/usr/share/doc/curl/CHANGES
or
	https://curl.se/changes.html


curl and libcurl 7.88.1		2023-02-20 

* Public curl releases:         214
* Command line options:         250
* curl_easy_setopt() options:   302
* Public functions in libcurl:  91
* Contributors:                 2818

The next release is planned and intended to become version 8.

Planned upcoming removals include:

* gskit
* NSS
* support for space-separated NOPROXY patterns
* support for systems without 64 bit data types

See https://curl.se/dev/deprecate.html for details

This release includes the following known bugs:

* see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)

This release includes the following bugfixes:

* build-openssl.bat: keep OpenSSL 3 engine binaries
* cmake: fix Windows check for CryptAcquireContext
* connnect: fix timeout handling to use full duration
* curl: make --silent work stand-alone
* curl_setup: Suppress OpenSSL 3 deprecation warnings
* CURLOPT_WS_OPTIONS.3: fix the availability version
* GHA: update rustls dependency to 0.9.2
* http2: buffer/pausedata and output flush fix.
* http2: set drain on stream end
* http: include stdint.h more readily
* krb5: silence cast-align warning
* lib1560: add IPv6 canonicalization tests
* os400: correct Curl_os400_sendto()
* remote-header-name.d: mention that filename* is not supported
* runtests: fix "uninitialized value $port"
* setopt: allow HTTP3 when HTTP2 is not defined
* socketpair: allow EWOULDBLOCK when reading the pair check bytes
* socks: allow using DoH to resolve host names
* tests-httpd: add proxy tests
* tests: make sure gnuserv-tls has SRP support before using it
* tests: make the telnet server shut down a socket gracefully
* tool_getparam: make --get a true boolean
* tool_operate: allow debug builds to set buffersize
* urlapi: do the port number extraction without using sscanf()
* urldata: remove `now` from struct SingleRequest - not needed


curl and libcurl 7.88.0		2023-02-15 

Numbers
the 213th release
5 changes
56 days				(total:  9,098)
173 bug-fixes			(total:  8,665)
250 commits			(total: 29,821)
0 new public libcurl function	(total:     91)
0 new curl_easy_setopt() option	(total:    302)
1 new curl command line option	(total:    250)
78 contributors, 41 new		(total:  2,812)
42 authors, 18 new		(total:  1,119)
3 security fixes		(total:    135)

Security

This time we bring you three security fixes.
All of them covering cases for which we have had problems reported and
fixed before, but these are new subtle variations.

* CVE-2023-23914: HSTS ignored on multiple requests
* CVE-2023-23915: HSTS amnesia with –parallel
* CVE-2023-23916: HTTP multi-header compression denial of service

Changes

* curl.h: add CURL_HTTP_VERSION_3ONLY
* share: add sharing of HSTS cache among handles
* src: add --http3-only
* tool_operate: share HSTS between handles
* urlapi: add CURLU_PUNYCODE
* writeout: add %{certs} and %{num_certs}

Bugfixes

* cf-socket: fix build when not HAVE_GETPEERNAME
* cf-socket: keep sockaddr local in the socket filters
* cfilters:Curl_conn_get_select_socks: use the first non-connected
filter
* CI: add a workflow to automatically label pull requests
* CI: add pytest GHA to CI test/tests-httpd on a HTTP/3 setup
* CI: Retry failed downloads to reduce spurious failures
* CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12
* cmake: bump requirement to 3.7
* cmake: check for sendmsg
* cmake: delete redundant macro definition `SECURITY_WIN32`
* cmake: fix dev warning due to mismatched arg
* cmake: fix the snprintf detection
* cmake: remove deprecated symbols check
* cmake: set SOVERSION also for macOS
* cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS
* cmdline-opts/Makefile: on error, do not leave a partial
* CODEOWNERS: remove the peeps mentioned as CI owners
* connect: fix access of pointer before NULL check
* connect: fix build when not ENABLE_IPV6
* connect: fix strategy testing for attempts, timeouts and
happy-eyeball
* connections: introduce http/3 happy eyeballs
* content_encoding: do not reset stage counter for each header
* CONTRIBUTE: More formally specify the commit description
* cookies: fp is always not NULL
* copyright.pl: cease doing year verifications
* copyright: update all copyright lines and remove year ranges
* curl.1: make help, version and manual sections "custom"
* curl.h: allow up to 10M buffer size
* curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
* curl/websockets.h: extend the websocket frame struct
* curl: output warning at --verbose output for debug-enabled version
* curl_free.3: fix return type of `curl_free`
* curl_global_sslset.3: clarify the openssl situation
* curl_log: for failf/infof and debug logging implementations
* curl_setup: Disable by default recv-before-send in Windows
* curl_version_info.3: fix typo
* curl_ws_send.3: clarify how to send multi-frame messages
* CURLOPT_HEADERDATA.3: warn DLL users must set write function
* CURLOPT_READFUNCTION.3: the callback ʼsizeʼ arg is always 1
* CURLOPT_WRITEFUNCTION.3: fix memory leak in example
* dict: URL decode the entire path always
* docs/DEPRECATE.md: deprecate gskit
* docs: add link to GitHub Discussions
* docs: mention indirect effects of --insecure
* docs: POSTFIELDSIZE must be set to -1 with read function
* doh: ifdef IPv6 code
* easyoptions: fix header printing in generation script
* escape: hex decode with a lookup-table
* escape: use table lookup when adding %-codes to output
* examples: remove the curlgtk.c example
* fopen: remove unnecessary assignment
* ftpserver: lower the DATA connect timeout to speed up torture tests
* GHA/macos.yml: bump to gcc-12
* GHA/macos: use Xcode_14.0.1 for cmake builds
* GHA: add job on Slackware 15.0
* GHA: bump ngtcp2 workflow dependencies
* GHA: enable websockets in the torture job
* GHA: move the quiche job here from zuul
* GHA: use designated ngtcp2 and its dependencies versions
* haxproxy: send before TLS handhshake
* header.d: add a header file example
* hsts.d: explain hsts more
* hsts: handle adding the same host name again
* HTTP/[23]: continue upload when state.drain is set
* http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames
* http2: fix compiler warning due to uninitialized variable
* http2: minor buffer and error path fixes
* http2: when using printf %.*s, the length arg must be ʼintʼ
* HTTP3: mention what needs to be in place to remove EXPERIMENTAL label
* http: add additional condition for including stdint.h
* http: decode transfer encoding first
* http: fix "part of conditional expression is always false"
* http: remove the trace message "Mark bundle... multiuse"
* http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
* http_proxy: do not assign data->req.p.http use local copy
* INSTALL: document how to use multiple TLS backends
* lib670: make test.h the first include
* lib: connect/h2/h3 refactor
* lib: fix typos
* lib: fix typos in comments which repeat a word
* libssh2: try sha2 algos for hostkey methods
* libtest: add a sleep macro for Windows
* Linux CI: update some dependecies to latest tag
* Makefile.mk: fix wolfssl and mbedtls default paths
* man pages: call the custom user pointer ʼclientpʼ consistently
* md4: fix build with GnuTLS + OpenSSL v1
* misc: fix grammar and spelling
* misc: fix spelling
* misc: reduce struct and struct field sizes
* msh3: add support for request payload
* msh3: update to v0.5 Release
* msh3: update to v0.6
* multi: stop sending empty HTTP/3 UDP datagrams on Windows
* multihandle: turn bool struct fields into bits
* ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
* ngtcp2: fix the build without ʼsendmsgʼ
* ngtcp2: replace removed define and stop using removed function
* no-clobber.d: only use long form options in man page text
* noproxy: support for space-separated names is deprecated
* nss: implement data_pending method
* openldap: fix missing sasl symbols at build in specific configs
* openssl: adapt to boringsslʼs error code type
* openssl: donʼt ignore CA paths when using Windows CA store (redux)
* openssl: donʼt log raw record headers
* openssl: make the BIO_METHOD a local variable in the connection filter
* openssl: only use CA_BLOB if verifying peer
* openssl: remove attached easy handles from SSL instances
* openssl: store the CA after first send (ClientHello)
* os400: fixes to make-lib.sh and initscript.sh
* packages: remove Android, update README
* release-notes.pl: check fixes/closes lines better
* Revert "x509asn1: avoid freeing unallocated pointers"
* runtest.pl: add expected fourth return value
* runtests: tear down http2/http3 servers when https server is stopped
* runtests: consider warnings fatal and error on them
* runtests: fix detection of TLS backends
* runtests: make ʼmbedtlsʼ a testable feature
* rustls: improve error messages
* scripts/delta: show percent of number of files changed since last tag
* scripts: fix Appveyor job detection in cijobs.pl
* scripts: set file mode +x on all perl and shell scripts
* sectransp: fix for incomplete read/writes
* SECURITY-PROCESS.md: document severity levels
* setopt: Address undefined behaviour by checking for null
* setopt: move the SHA256 opt within #ifdef libssh2
* setopt: use >, not >=, when checking if uarg is larger than uint-max
* smb: return error on upload without size
* socketpair: allow localhost MITM sniffers
* strdup: name it Curl_strdup
* system.h: assume OS400 is always built with ILEC compiler
* test1560: use a UTF8-using locale when run
* test2304: remove stdout verification
* tests-httpd: basic infra to run curl against an apache httpd
* tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx
* tests: add tests for HTTP/2 and HTTP/3 to verify the header API
* tests: avoid use of sha1 in certificates
* tls: fixes for wolfssl + openssl combo builds
* tool_getparam: fix hiding of command line secrets
* tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type
* tool_operate: fix error codes during DOS filename sanitize
* tool_operate: fix error codes on bad URL & OOM
* tool_operate: fix headerfile writing
* tool_operate: repair --rate
* transfer: break the read loop when RECV is cleared
* typecheck: accept expressions for option/info parameters
* url: fix part of conditional expression is always true
* urlapi: avoid Curl_dyn_addf() for hex outputs
* urlapi: fix part of conditional expression is always true: qlen
* urlapi: skip path checks if path is just "/"
* urlapi: skip the extra dedotdot alloc if no dot in path
* urldata: cease storing TLS auth type
* urldata: make ʼftp_create_missing_dirsʼ depend on FTP || SFTP
* urldata: make set.http200aliases conditional on HTTP being present
* urldata: move the cookefilelist to the ʼsetʼ struct
* urldata: remove unused struct fields, made more conditional
* vquic: stabilization and improvements
* vtls: fix hostname handling in filters
* vtls: manage current easy handle in nested cfilter calls
* vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
* winbuild: document that arm64 is supported
* windows: always use curlʼs basename() implementation
* wolfssl: remove deprecated post-quantum algorithms
* workflows/linux.yml: merge 3 common packages
* write-out.d: add ʼsince versionʼ to %{header_json} documentation
* write-out.d: clarify Windows % symbol escaping
* ws: fix autoping handling
* ws: fix multiframe send handling
* ws: fix recv of larger frames
* ws: remove bad assert
* ws: unstick connect-only shutdown
* ws: use %Ou for outputting curl_off_t with info()
* x509asn1: fix compile errors and warnings
* zuul: stop using this CI service



More information about the Cygwin mailing list