#17656 closed enhancement (fixed)
curl-7.88.1
Reported by: | Douglas R. Reno | Owned by: | Bruce Dubbs |
---|---|---|---|
Priority: | elevated | Milestone: | 11.3 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: | | | |
Description
New minor version
Sending an email to the lists for a freeze break request due to security issues
Change History (8)
comment:1 by , 2 years ago
Summary: curl-7.88.0 → curl-7.88.1
comment:3 by , 2 years ago
I think Bruce plans on bringing this back to 11.3 along with a couple other packages
comment:4 by , 2 years ago
Milestone: 11.4 → 11.3
Owner: | changed from | to
Status: new → assigned
comment:5 by , 2 years ago
curl and libcurl 7.88.1
This release includes the following changes:
- build-openssl.bat: keep OpenSSL 3 engine binaries [20]
- cmake: fix Windows check for CryptAcquireContext
- connnect: fix timeout handling to use full duration
- curl: make --silent work stand-alone
- curl_setup: Suppress OpenSSL 3 deprecation warnings
- CURLOPT_WS_OPTIONS.3: fix the availability version
- GHA: update rustls dependency to 0.9.2
- http2: buffer/pausedata and output flush fix.
- http2: set drain on stream end
- http: include stdint.h more readily
- krb5: silence cast-align warning
- lib1560: add IPv6 canonicalization tests
- os400: correct Curl_os400_sendto()
- remote-header-name.d: mention that filename* is not supported
- runtests: fix "uninitialized value $port"
- setopt: allow HTTP3 when HTTP2 is not defined
- socketpair: allow EWOULDBLOCK when reading the pair check bytes
- socks: allow using DoH to resolve host names
- tests-httpd: add proxy tests
- tests: make sure gnuserv-tls has SRP support before using it
- tests: make the telnet server shut down a socket gracefully
- tool_getparam: make --get a true boolean
- tool_operate: allow debug builds to set buffersize
- urlapi: do the port number extraction without using sscanf()
- urldata: remove `now` from struct SingleRequest - not needed
comment:6 by , 2 years ago
Resolution: → fixed
Status: assigned → closed
Fixed at commit 9c85c9a55d33e3b1ed448eb921bc1b39ae33fc6e
comment:7 by , 2 years ago
Release notes for 7.88.0:
Changes:
- curl.h: add CURL_HTTP_VERSION_3ONLY
- share: add sharing of HSTS cache among handles
- src: add --http3-only
- tool_operate: share HSTS between handles
- urlapi: add CURLU_PUNYCODE
- writeout: add %{certs} and %{num_certs}
Bugfixes:
- cf-socket: fix build when not HAVE_GETPEERNAME
- cf-socket: keep sockaddr local in the socket filters
- cfilters:Curl_conn_get_select_socks: use the first non-connected filter
- CI: add a workflow to automatically label pull requests
- CI: add pytest GHA to CI test/tests-httpd on a HTTP/3 setup
- CI: Retry failed downloads to reduce spurious failures
- CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12
- cmake: bump requirement to 3.7
- cmake: check for sendmsg
- cmake: delete redundant macro definition `SECURITY_WIN32`
- cmake: fix dev warning due to mismatched arg
- cmake: fix the snprintf detection
- cmake: remove deprecated symbols check
- cmake: set SOVERSION also for macOS
- cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS
- cmdline-opts/Makefile: on error, do not leave a partial
- CODEOWNERS: remove the peeps mentioned as CI owners
- connect: fix access of pointer before NULL check
- connect: fix build when not ENABLE_IPV6
- connect: fix strategy testing for attempts, timeouts and happy-eyeball
- connections: introduce http/3 happy eyeballs
- content_encoding: do not reset stage counter for each header
- CONTRIBUTE: More formally specify the commit description
- cookies: fp is always not NULL
- copyright.pl: cease doing year verifications
- copyright: update all copyright lines and remove year ranges
- curl.1: make help, version and manual sections "custom"
- curl.h: allow up to 10M buffer size
- curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
- curl/websockets.h: extend the websocket frame struct
- curl: output warning at --verbose output for debug-enabled version
- curl_free.3: fix return type of `curl_free`
- curl_global_sslset.3: clarify the openssl situation
- curl_log: for failf/infof and debug logging implementations
- curl_setup: Disable by default recv-before-send in Windows
- curl_version_info.3: fix typo
- curl_ws_send.3: clarify how to send multi-frame messages
- CURLOPT_HEADERDATA.3: warn DLL users must set write function
- CURLOPT_READFUNCTION.3: the callback 'size' arg is always 1
- CURLOPT_WRITEFUNCTION.3: fix memory leak in example
- dict: URL decode the entire path always
- docs/DEPRECATE.md: deprecate gskit
- docs: add link to GitHub Discussions
- docs: mention indirect effects of --insecure
- docs: POSTFIELDSIZE must be set to -1 with read function
- doh: ifdef IPv6 code
- easyoptions: fix header printing in generation script
- escape: hex decode with a lookup-table
- escape: use table lookup when adding %-codes to output
- examples: remove the curlgtk.c example
- fopen: remove unnecessary assignment
- ftpserver: lower the DATA connect timeout to speed up torture tests
- GHA/macos.yml: bump to gcc-12
- GHA/macos: use Xcode_14.0.1 for cmake builds
- GHA: add job on Slackware 15.0
- GHA: bump ngtcp2 workflow dependencies
- GHA: enable websockets in the torture job
- GHA: move the quiche job here from zuul
- GHA: use designated ngtcp2 and its dependencies versions
- haxproxy: send before TLS handhshake
- header.d: add a header file example
- hsts.d: explain hsts more
- hsts: handle adding the same host name again
- HTTP/[23]: continue upload when state.drain is set
- http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames
- http2: fix compiler warning due to uninitialized variable
- http2: minor buffer and error path fixes
- http2: when using printf %.*s, the length arg must be 'int'
- HTTP3: mention what needs to be in place to remove EXPERIMENTAL label
- http: add additional condition for including stdint.h
- http: decode transfer encoding first
- http: fix "part of conditional expression is always false"
- http: remove the trace message "Mark bundle... multiuse"
- http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
- http_proxy: do not assign data->req.p.http use local copy
- INSTALL: document how to use multiple TLS backends
- lib670: make test.h the first include
- lib: connect/h2/h3 refactor
- lib: fix typos
- lib: fix typos in comments which repeat a word
- libssh2: try sha2 algos for hostkey methods
- libtest: add a sleep macro for Windows
- Linux CI: update some dependecies to latest tag
- Makefile.mk: fix wolfssl and mbedtls default paths
- man pages: call the custom user pointer 'clientp' consistently
- md4: fix build with GnuTLS + OpenSSL v1
- misc: fix grammar and spelling
- misc: fix spelling
- misc: reduce struct and struct field sizes
- msh3: add support for request payload
- msh3: update to v0.5 Release
- msh3: update to v0.6
- multi: stop sending empty HTTP/3 UDP datagrams on Windows
- multihandle: turn bool struct fields into bits
- ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
- ngtcp2: fix the build without 'sendmsg'
- ngtcp2: replace removed define and stop using removed function
- no-clobber.d: only use long form options in man page text
- noproxy: support for space-separated names is deprecated
- nss: implement data_pending method
- openldap: fix missing sasl symbols at build in specific configs
- openssl: adapt to boringssl's error code type
- openssl: don't ignore CA paths when using Windows CA store (redux)
- openssl: don't log raw record headers
- openssl: make the BIO_METHOD a local variable in the connection filter
- openssl: only use CA_BLOB if verifying peer
- openssl: remove attached easy handles from SSL instances
- openssl: store the CA after first send (ClientHello)
- os400: fixes to make-lib.sh and initscript.sh
- packages: remove Android, update README
- release-notes.pl: check fixes/closes lines better
- Revert "x509asn1: avoid freeing unallocated pointers"
- runtest.pl: add expected fourth return value
- runtests: tear down http2/http3 servers when https server is stopped
- runtests: consider warnings fatal and error on them
- runtests: fix detection of TLS backends
- runtests: make 'mbedtls' a testable feature
- rustls: improve error messages
- scripts/delta: show percent of number of files changed since last tag
- scripts: fix Appveyor job detection in cijobs.pl
- scripts: set file mode +x on all perl and shell scripts
- sectransp: fix for incomplete read/writes
- SECURITY-PROCESS.md: document severity levels
- setopt: Address undefined behaviour by checking for null
- setopt: move the SHA256 opt within #ifdef libssh2
- setopt: use >, not >=, when checking if uarg is larger than uint-max
- smb: return error on upload without size
- socketpair: allow localhost MITM sniffers
- strdup: name it Curl_strdup
- system.h: assume OS400 is always built with ILEC compiler
- test1560: use a UTF8-using locale when run
- test2304: remove stdout verification
- tests-httpd: basic infra to run curl against an apache httpd
- tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx
- tests: add tests for HTTP/2 and HTTP/3 to verify the header API
- tests: avoid use of sha1 in certificates
- tls: fixes for wolfssl + openssl combo builds
- tool_getparam: fix hiding of command line secrets
- tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type
- tool_operate: fix error codes during DOS filename sanitize
- tool_operate: fix error codes on bad URL & OOM
- tool_operate: fix headerfile writing
- tool_operate: repair --rate
- transfer: break the read loop when RECV is cleared
- typecheck: accept expressions for option/info parameters
- url: fix part of conditional expression is always true
- urlapi: avoid Curl_dyn_addf() for hex outputs
- urlapi: fix part of conditional expression is always true: qlen
- urlapi: skip path checks if path is just "/"
- urlapi: skip the extra dedotdot alloc if no dot in path
- urldata: cease storing TLS auth type
- urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
- urldata: make set.http200aliases conditional on HTTP being present
- urldata: move the cookefilelist to the 'set' struct
- urldata: remove unused struct fields, made more conditional
- vquic: stabilization and improvements
- vtls: fix hostname handling in filters
- vtls: manage current easy handle in nested cfilter calls
- vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
- winbuild: document that arm64 is supported
- windows: always use curl's basename() implementation
- wolfssl: remove deprecated post-quantum algorithms
- workflows/linux.yml: merge 3 common packages
- write-out.d: add 'since version' to %{header_json} documentation
- write-out.d: clarify Windows % symbol escaping
- ws: fix autoping handling
- ws: fix multiframe send handling
- ws: fix recv of larger frames
- ws: remove bad assert
- ws: unstick connect-only shutdown
- ws: use %Ou for outputting curl_off_t with info()
- x509asn1: fix compile errors and warnings
- zuul: stop using this CI service
CVE-2023-23916: HTTP multi-header compression denial of service
Project curl Security Advisory, February 15th 2023
VULNERABILITY
curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers.
The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
We are not aware of any exploit of this flaw.
INFO
CVE-2023-23916 was introduced in commit dbcced8e32b50c06, shipped in curl 7.57.0.
Automatic decompression of content needs to be enabled per transfer. It is disabled by default and then nothing bad happens.
This flaw exists with one or more of the compression algorithms built-in (gzip, brotli or zstd), but the individual algorithms have different "exploding" powers.
Both Content-Encoding: and Transfer-Encoding: are affected over all HTTP versions.
This flaw is almost identical to the previous CVE-2022-32206: HTTP compression denial of service, as the fix for that earlier flaw was incomplete.
CWE-770: Allocation of Resources Without Limits or Throttling
Severity: Medium
AFFECTED VERSIONS
Affected versions: curl 7.57.0 to and including 7.87.0
Not affected versions: curl < 7.57.0 and curl > 7.87.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
The amount of accepted "chained" algorithms is now capped to 5 in total, independently of the number of headers.
A fix for CVE-2023-23916
RECOMMENDATIONS
A - Upgrade curl to version 7.88.0
B - Apply the patch to your local version
C - Do not enable automatic decompression
TIMELINE
This issue was reported to the curl project on January 8, 2023. We contacted distros@openwall on February 7, 2023.
libcurl 7.88.0 was released on February 15 2023, coordinated with the publication of this advisory.
CVE-2023-23915: HSTS amnesia with --parallel
Project curl Security Advisory, February 15 2023
VULNERABILITY
curl's HSTS cache saving behaves wrongly when multiple URLs are requested in parallel.
Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer.
A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.
Reproducible like this:
curl --hsts hsts.txt --parallel https://curl.se https://example.com
curl --hsts hsts.txt http://curl.se
We are not aware of any exploit of this flaw.
INFO
This is a curl command line issue and does not affect libcurl.
This flaw was introduced in commit 7385610d0c7, which was shipped enabled by default from commit d71ff2b9db566b3f in curl 7.77.0.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-23915 to this issue.
CWE-319: Cleartext Transmission of Sensitive Information
Severity: Low
AFFECTED VERSIONS
Affected versions: curl 7.77.0 to and including 7.87.0
Not affected versions: curl < 7.77.0 and curl >= 7.88.0
curl is used by many applications, but not always advertised as such!
THE SOLUTION
7.88.0 will share the HSTS state properly between transfers, making each subsequent save store a complete state.
RECOMMENDATIONS
A - Upgrade curl to version 7.88.0
B - Apply the patch to your local version
C - Specify all URLs with HTTPS:// and not HTTP://
TIMELINE
This issue was reported to the curl project on December 21, 2022. We contacted distros@openwall on February 7, 2022.
curl 7.88.0 was released on February 15 2023, coordinated with the publication of this advisory.
CVE-2023-23914: HSTS ignored on multiple requests
Project curl Security Advisory, February 15 2023
VULNERABILITY
curl's HSTS functionality fails when multiple URLs are requested serially.
Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
Reproducible like this:
curl --hsts "" https://curl.se http://curl.se
The first URL returns HSTS information that the second URL fails to take advantage of.
We are not aware of any exploit of this flaw.
INFO
This is a curl command line issue and does not affect libcurl.
This flaw was introduced in commit 7385610d0c7, which was shipped enabled by default from commit d71ff2b9db566b3f in curl 7.77.0.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-23914 to this issue.
CWE-319: Cleartext Transmission of Sensitive Information
Severity: Low
AFFECTED VERSIONS
Affected versions: curl 7.77.0 to and including 7.87.0
Not affected versions: curl < 7.77.0 and curl >= 7.88.0
curl is used by many applications, but not always advertised as such!
THE SOLUTION
7.88.0 will share the HSTS state properly between transfers.
RECOMMENDATIONS
A - Upgrade curl to version 7.88.0
B - Apply the patch to your local version
C - Specify all URLs with HTTPS:// and not HTTP://
TIMELINE
This issue was reported to the curl project on December 21, 2022. We contacted distros@openwall on February 7, 2022.
curl 7.88.0 was released on February 15 2023, coordinated with the publication of this advisory.
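As an added example (not curl's code and not part of the advisories above), this is the response-wide check the CVE-2023-23916 fix describes, run over constructed header lines: codings from every Content-Encoding and Transfer-Encoding header are summed against one cap instead of being capped per header. The function names and MAX_ENCODING_STACK are assumptions made for the example.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
/* Added example, not curl's own code: the response-wide cap described in the
 * CVE-2023-23916 advisory. Codings from every Content-Encoding and
 * Transfer-Encoding header are summed and the response is rejected once the
 * sum passes MAX_ENCODING_STACK (5); the pre-fix code capped per header. */
#define MAX_ENCODING_STACK 5

static int header_is(const char *line, const char *name)
{
  size_t n = strlen(name);
  return strncasecmp(line, name, n) == 0 && line[n] == ':';
}

/* Count the codings in a comma-separated header value; "chunked" and
 * "identity" are not decompression steps and are skipped. */
static int count_codings(const char *value)
{
  int count = 0;
  while(*value) {
    while(*value == ' ' || *value == '\t' || *value == ',')
      value++;
    if(!*value)
      break;
    const char *start = value;
    while(*value && *value != ',' && *value != ' ' && *value != '\t')
      value++;
    if(!(value - start == 7 && !strncasecmp(start, "chunked", 7)) &&
       !(value - start == 8 && !strncasecmp(start, "identity", 8)))
      count++;
  }
  return count;
}

/* Sum the chain over a NULL-terminated array of raw header lines: returns the
 * total, or -1 as soon as the cap is exceeded (fail the transfer then). */
int decompression_chain_length(const char *const *headers)
{
  int total = 0;
  for(; *headers; headers++) {
    if(header_is(*headers, "Content-Encoding") ||
       header_is(*headers, "Transfer-Encoding")) {
      total += count_codings(strchr(*headers, ':') + 1);
      if(total > MAX_ENCODING_STACK)
        return -1;
    }
  }
  return total;
}
```

With the response-wide sum, five single-coding headers still pass, but a sixth coding in any header makes the function return -1 before another decoder would be set up.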
Now 7.88.1! I can confirm that this release works well since I did a lot of testing for the cURL team on Windows yesterday, and a couple of last-minute bug fixes.