Opened 21 months ago

Closed 21 months ago

Last modified 20 months ago

#18315 closed enhancement (fixed)

curl-8.2.1

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.0
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (9)

comment:1 by Bruce Dubbs, 21 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Douglas R. Reno, 21 months ago

Owner: changed from Bruce Dubbs to Douglas R. Reno
Status: assigned → new

comment:3 by Douglas R. Reno, 21 months ago

Status: new → assigned

comment:4 by Douglas R. Reno, 21 months ago

Priority: normal → elevated

comment:5 by Douglas R. Reno, 21 months ago

Milestone: 11.4 → 99-Waiting
Priority: elevated → lowest
Summary: curl-8.2.0 → curl-8.2.0 (Wait for 8.2.1)

8.2.1 is scheduled for July 26th due to regressions.

The two regressions in question:

The two primary regressions that made me take this decision are:

 - "Basic authentication does not follow with -L"
   https://github.com/curl/curl/issues/11486

and

 - "HTTP/2 POST gives timeout/protocol error"
   https://github.com/curl/curl/issues/11485

comment:6 by Douglas R. Reno, 21 months ago

Milestone: 99-Waiting → 11.4
Priority: lowest → elevated
Summary: curl-8.2.0 (Wait for 8.2.1) → curl-8.2.1

Now 8.2.1

comment:7 by Douglas R. Reno, 21 months ago

8.2.0

Changes:

    curl: add --ca-native and --proxy-ca-native
    curl: add --trace-ids
    CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS
    haproxy: add --haproxy-clientip flag to set client IPs
    lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID 

Bugfixes:

    bufq: make write/pass methods more robust
    build: drop unused/redundant `HAVE_WINLDAP_H`
    cf-socket: don't bypass fclosesocket callback if cancelled before connect
    cf-socket: move ctx declaration under HAVE_GETPEERNAME
    cf-socket: skip getpeername()/getsockname for TFTP
    checksrc: modernise perl file open
    checksrc: quote the file name to work with "funny" letters
    CI: brew fix for openssl in default path
    CI: don't install impacket if tests are not run
    CI: enable parallel make in more builds
    circleci: install impacket & wolfssl 5.6.0
    cmake: add support for "unity" builds
    cmake: make use of snprintf
    cmake: stop CMake from quietly ignoring missing Brotli
    configure: add check for ldap_init_fd
    configure: fix run-compiler for old /bin/sh
    configure: the --without forms of the options are also gone
    connect-timeout.d: mention that the DNS lookup is included
    curl.h: include <sys/select.h> for vxworks
    curl: count uploaded data to stop at the originally given size
    curl: return error when asked to use an unsupported HTTP version
    curl_easy_nextheader.3: add missing open parenthesis examples
    curl_log: evaluate log statement only when transfer is verbose
    curl_mprintf.3: minor fix of the example
    curl_pushheader_byname/bynum.3: document in their own man pages
    curl_url_set: enforce the max string length check for all parts
    CURLOPT_AWS_SIGV4.3: remove unused variable from example
    CURLOPT_INFILESIZE.3: mention -1 triggers chunked
    CURLOPT_MIMEPOST.3: clarify what setting to NULL means
    CURLOPT_SSH_PRIVATE_KEYFILE.3: expand on the file search
    docs/libcurl/libcurl.3: cleanups and improvements
    docs: add more .IP after .RE to fix indentation of generate paragraphs
    docs: fix missing parameter names in examples
    docs: update CURLOPT_UPLOAD.3
    docs: update HTTP3.md for newer ngtcp2 and nghttp3
    docs: use a space after RFC when spelling out RFC numbers
    example/connect-to: show CURLOPT_CONNECT_TO
    example/crawler: also set CURLOPT_AUTOREFERER
    example/crawler: make it use a few more options
    example/default-scheme: set the default scheme for schemeless URLs
    example/hsts-preload: show one way to HSTS preload
    example/http2-download: set CURLOPT_BUFFERSIZE
    example/ipv6: feature CURLOPT_ADDRESS_SCOPE in use
    example/maxconnects: set maxconnect example
    example/opensslthreadlock: remove
    examples/ftpuploadresume.c: add use of CURLOPT_ACCEPTTIMEOUT_MS
    examples/http-options: show how to send "OPTIONS *"
    examples/https.c: use CURLOPT_CA_CACHE_TIMEOUT
    examples/multi-debugcallback.c: avoid the bool typedef
    examples/smtp-mime: use CURLOPT_MAIL_RCPT_ALLOWFAILS
    examples/unixsocket.c: example using CURLOPT_UNIX_SOCKET_PATH
    examples/websocket.c: websocket example using CONNECT_ONLY
    examples: make use of CURLOPT_(REDIR_|)PROTOCOLS_STR
    fopen: fix conversion warning on 32-bit Android
    fopen: optimize
    hostip.c: Move macOS-specific calls into global init call
    HTTP/2: upload handling fixes
    http2: better support for --limit-rate
    http2: error stream resets with code CURLE_HTTP2_STREAM
    http2: fix crash in handling stream weights
    http2: fix variable type
    http2: h2 and h2-PROXY connection alive check fixes
    http2: raise header limitations above and beyond
    http2: send HEADER & DATA together if possible
    http2: treat initial SETTINGS as a WINDOW_UPDATE
    HTTP3.md: update openssl version
    http3/ngtcp2: upload EAGAIN handling
    http: rectify the outgoing Cookie: header field size check
    hyper: fix EOF handling on input
    hyper: unslow
    imap-append.c: update to make it more likely to work
    imap: Provide method to disable SASL if it is advertised
    krb5: add typecast to please Coverity
    libcurl-url.3: also mention CURLUPART_ZONEID
    libcurl-ws.3. WebSocket API overview
    libssh2: provide error message when setting host key type fails
    libssh2: use custom memory functions
    ngtcp2: assigning timeout, but value is overwritten before used
    ngtcp2: build with 0.17.0 and nghttp3 0.13.0
    ngtcp2: use ever increasing timestamp in io
    quiche: avoid NULL deref in debug logging
    quiche: fix defects found in latest coverity report
    quote.d: fix indentation of generated paragraphs
    runtests: abort test run after failure without -a
    runtests: better handle ^C during slow tests
    runtests: consistently write the test check summary block
    runtests: create multiple test runners when requested
    runtests: include missing valgrind package
    runtests: make test file directories in log/N
    runtests: rename server command file
    runtests: use more consistent failure lines
    runtests: work around a perl without SIGUSR1
    runtests; give each server a unique log lock file
    scripts: Fix GHA matrix job detection in cijobs.pl
    sectransp: fix EOF handling
    system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles
    test2600: fix the description
    test427: verify sending more cookies than fit in a 8190 bytes line
    tests/http: Add mod_h2 directive `H2ProxyRequests`
    tests/servers.pm: pick unused port number with a server socket
    tests/servers: generate temp names in /tmp for unix domain sockets
    tests: fix error messages & handling around sockets
    tests: improve reliability of TFTP tests
    testutil: allow multiple %-operators on the same line
    timeval: use CLOCK_MONOTONIC_RAW if available
    tls13-ciphers.d: include Schannel
    tool: remove exclamation marks from error/warning messages
    tool: remove newlines from all helpf/notef/warnf/errorf calls
    tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION`
    tool_getparam: fix comment
    tool_operate: allow cookie lines up to 8200 bytes
    tool_parsecfg: accept line lengths up to 10M
    tool_urlglob: use curl_off_t instead of longs
    tool_writeout_json: fix encoding of control characters
    transfer: clear credentials when redirecting to absolute URL
    urlapi: have *set(PATH) prepend a slash if one is missing
    urlapi: scheme must start with alpha
    vtls: avoid memory leak if sha256 call fails
    websocket-cb: example doing WebSocket download using callback
    wolfssl: detect when TLS 1.2 support is not built into wolfssl
    wolfssl: support setting CA certificates as blob
    ws: make the curl_ws_meta() return pointer a const 

8.2.1

Bugfixes:

    amigaos: fix sys/mbuf.h m_len macro clash
    amissl: add missing signal.h include
    amissl: fix AmiSSL v5 detection
    cfilters: rename close/connect functions to avoid clashes
    ciphers.d: put URL in first column
    cmake: add `libcurlu`/`libcurltool` for unit tests
    cmake: update ngtcp2 detection
    configure: check for nghttp2_session_get_stream_local_window_size
    CONTRIBUTE: drop mention of copyright year ranges
    CONTRIBUTE: fix syntax in commit message description
    curl_multi_wait.3: fix arg quoting to doc macro .BR
    docs: mark two TLS options for TLS, not SSL
    docs: provide more see also for cipher options
    hostip: return IPv6 first for localhost resolves
    http2: fix regression on upload EOF handling
    http: VLH, very large header test and fixes
    libcurl-errors.3: add CURLUE_OK
    os400: correct EXPECTED_STRING_LASTZEROTERMINATED
    quiche: fix lookup of transfer at multi
    quiche: fix segfault and other things
    rustls: update rustls-ffi 0.10.0
    socks: print ipv6 address within brackets
    src/mkhelp: strip off escape sequences
    tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
    transfer: do not clear the credentials on redirect to absolute URL
    unittest: remove unneeded *_LDADD
    websocket: rename arguments/variables to match docs

Security Advisory:

VULNERABILITY

libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, 
it called stat() followed by fopen() in a way that made it vulnerable to a TOCTOU race 
condition problem.

By exploiting this flaw, an attacker could trick the victim to create or overwrite 
protected files holding this data in ways it was not intended to.

INFO

The attacker needs permissions and rights enough to be able to create or rename 
directory entries in the directory the victim saves their files.

This race condition modifies the behavior of symbolic link files in affected 
components; they might be followed instead of being overwritten when the condition is 
met, leading to undesired and potentially destructive behavior.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2023-32001 to this issue.

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Severity: Medium

AFFECTED VERSIONS

    Affected versions: libcurl 7.84.0 to and including 8.1.2
    Not affected versions: libcurl < 7.84.0 and >= 8.2.0
    Introduced-in: https://github.com/curl/curl/commit/20f9dd6bae50b722

libcurl is used by many applications, but not always advertised as such!

SOLUTION

    Fixed-in: https://github.com/curl/curl/commit/0c667188e0c6cda615a0

RECOMMENDATIONS

A - Upgrade curl to version 8.2.0

B - Apply the patch to your local version

C - Do not save cookie, HSTS or alt-svc data
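The advisory above describes the weak pattern only in words: a stat() that decides what the path is, then a separate fopen() that opens it. The following is an added example, not curl's code and not the fix at the linked commit; it puts that check-then-use shape next to a hardened variant and exercises both in a scratch directory. The names `save_unsafe`, `save_safe`, `swap_in_symlink` and `run_scenario`, the callback that stands in for the race window, and the scratch file names are all constructed for this example.

```c
/* Added example (not curl's code): CWE-367 check-then-use on a file path, and the
 * single-lookup alternative. The "window" callback models another process that
 * can create or rename entries in the directory, as the advisory describes. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Called between the check and the use so the race can be shown deterministically. */
typedef void (*window_hook)(const char *path, void *ctx);

/* Vulnerable shape: stat() looks the path up once, fopen() looks it up again.
 * Nothing ties the two lookups to one directory entry, and fopen() follows symlinks. */
int save_unsafe(const char *path, const char *data, window_hook hook, void *ctx)
{
    struct stat sb;
    if (stat(path, &sb) == 0 && !S_ISREG(sb.st_mode))
        return -1;                    /* check: refuse an existing non-regular file */
    if (hook)
        hook(path, ctx);              /* the TOCTOU window */
    FILE *fh = fopen(path, "w");      /* use: a fresh lookup, symlink followed */
    if (!fh)
        return -1;
    fputs(data, fh);
    fclose(fh);
    return 0;
}

/* Hardened shape: open with O_NOFOLLOW (a symlink as the final component fails with
 * ELOOP), then check the regular-file property with fstat() on the descriptor already
 * held. Check and use now refer to the same object. */
int save_safe(const char *path, const char *data, window_hook hook, void *ctx)
{
    if (hook)
        hook(path, ctx);              /* same window; it no longer matters */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                    /* errno == ELOOP when a symlink was planted */
    struct stat sb;
    if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode)) {
        close(fd);
        return -1;
    }
    FILE *fh = fdopen(fd, "w");
    if (!fh) {
        close(fd);
        return -1;
    }
    fputs(data, fh);
    fclose(fh);
    return 0;
}

/* Models the other party's action inside the window: the entry at `path` becomes a
 * symlink to the file named by ctx (a "protected" file the writer never meant to touch). */
static void swap_in_symlink(const char *path, void *ctx)
{
    unlink(path);
    symlink((const char *)ctx, path);
}

/* Runs one variant against a constructed scratch directory. Returns 1 if the protected
 * file ended up overwritten, 0 if the save was refused (ELOOP) and the file is intact,
 * -1 on setup failure or an unexpected refusal reason. */
int run_scenario(int hardened)
{
    char dir[64];
    strcpy(dir, "/tmp/toctou-XXXXXX");
    if (!mkdtemp(dir)) {
        strcpy(dir, "toctou-XXXXXX");
        if (!mkdtemp(dir))
            return -1;
    }
    char protected_path[128], target[128];
    snprintf(protected_path, sizeof protected_path, "%s/protected.txt", dir);
    snprintf(target, sizeof target, "%s/cookies.txt", dir);

    const char *original = "keep me\n";
    FILE *p = fopen(protected_path, "w");
    if (!p)
        return -1;
    fputs(original, p);
    fclose(p);

    int rc = hardened
        ? save_safe(target, "cookie data\n", swap_in_symlink, protected_path)
        : save_unsafe(target, "cookie data\n", swap_in_symlink, protected_path);
    int saved_errno = errno;

    char buf[64] = {0};
    FILE *chk = fopen(protected_path, "r");
    if (chk) {
        size_t n = fread(buf, 1, sizeof buf - 1, chk);
        buf[n] = '\0';
        fclose(chk);
    }
    int overwritten = strcmp(buf, original) != 0;

    unlink(target);
    unlink(protected_path);
    rmdir(dir);

    if (hardened && rc == -1 && saved_errno != ELOOP)
        return -1;
    return overwritten ? 1 : 0;
}

int main(void)
{
    printf("stat()+fopen():            protected file %s\n",
           run_scenario(0) == 1 ? "overwritten through the symlink" : "intact");
    printf("open(O_NOFOLLOW)+fstat():  protected file %s\n",
           run_scenario(1) == 0 ? "intact, write refused" : "overwritten");
    return 0;
}
```

O_NOFOLLOW only protects the final path component; a symlinked parent directory is still followed, so the directory itself must not be writable by untrusted users, which is the precondition the advisory's INFO section states. When the file is expected not to exist yet, O_CREAT|O_EXCL is the other single-syscall option.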

comment:8 by Douglas R. Reno, 21 months ago

Resolution: fixed
Status: assigned → closed

Fixed at f2232252460b2f9338ed1e3166924a795830ef4c

SA-11.3-066 issued

comment:9 by Bruce Dubbs, 20 months ago

Milestone: 11.4 → 12.0

Milestone renamed
