Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#19217 closed enhancement (fixed)

curl-8.6.0

Reported by: Bruce Dubbs
Owned by: Bruce Dubbs
Priority: elevated
Milestone: 12.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (4)

comment:1 by Bruce Dubbs, 3 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Xi Ruoyao, 3 months ago

Priority: normal → elevated

Contains a low severity security fix: https://curl.se/docs/CVE-2024-0853.html

Changes:

  • add CURLE_TOO_LARGE
  • add CURLINFO_QUEUE_TIME_T
  • add CURLOPT_SERVER_RESPONSE_TIMEOUT_MS
  • asyn-thread: use GetAddrInfoExW on >= Windows 8
  • configure: make libpsl detection failure cause error
  • docs/cmdline: change to .md for cmdline docs
  • docs: introduce "curldown" for libcurl man page format
  • runtests: support -gl. Like -g but for lldb.

Bugfixes:

  • altsvc: free 'as' when returning error
  • appveyor: replace PowerShell with bash + parallel autotools
  • appveyor: switch to out-of-tree builds
  • asyn-ares: with modern c-ares, use its default timeout
  • build: delete unused HAVE_{GSSHEIMDAL,GSSMIT,HEIMDAL}
  • build: delete/replace clang warning pragmas
  • build: enable missing OpenSSF-recommended warnings, with fixes
  • build: fix -Wconversion/-Wsign-conversion warnings
  • build: fix Windows ADDRESS_FAMILY detection
  • build: more -Wformat fixes
  • build: remove redundant CURL_PULL_* settings
  • cf-h1-proxy: no CURLOPT_USERAGENT in CONNECT with hyper
  • cf-socket: show errno in tcpkeepalive error messages
  • CI/distcheck: run full tests
  • cmake: add option to disable building docs
  • cmake: fix generation for system name iOS
  • cmake: fix typo
  • cmake: freshen up docs/INSTALL.cmake
  • cmake: prefill/cache HAVE_STRUCT_SOCKADDR_STORAGE
  • cmake: rework options to enable curl and libcurl docs
  • cmake: when USE_MANUAL=YES, build the curl.1 man page
  • cmdline-opts/write-out.d: remove spurious double quotes
  • cmdline-opts: update availability for the *-ca-native options
  • cmdline/gen: fix the sorting of the man page options
  • configure: add libngtcp2_crypto_boringssl detection
  • configure: fix no default int compile error in ipv6 detection
  • configure: when enabling QUIC, check that TLS supports QUIC
  • connect: remove margin from eyeballer alloc
  • content_encoding: change return code to typedef'ed enum
  • cookie.d: document use of empty string to enable cookie engine
  • cookie: avoid fopen with empty file name
  • curl.h: CURLOPT_DNS_SERVERS is only available with c-ares
  • curl: show ipfs and ipns as supported "protocols"
  • curl_easy_getinfo.3: remove the wrong time value count
  • curl_multi_fdset.3: remove mention of null pointer support
  • CURLINFO_REFERER.3: clarify that it is the *request* header
  • CURLOPT_AUTOREFERER.3: mention CURLINFO_REFERER
  • CURLOPT_POSTFIELDS.3: fix incorrect C string escape in example
  • CURLOPT_SSH_*_KEYFILE: clarify
  • dist: add tests/errorcodes.pl to the tarball
  • docs: clean up Protocols: for cmdline options
  • docs: describe and highlight super cookies
  • docs: do not start lines/sentences with So, But nor And
  • docs: install curl.1 with cmake
  • docs: mention env vars not used by schannel
  • doh: remove unused local variable
  • examples: add four new examples
  • file+ftp: use stack buffers instead of data->state.buffer
  • ftp: handle the PORT parsing without allocation
  • ftp: use dynbuf to store entrypath
  • ftp: use memdup0 to store the OS from a SYST 215 response
  • ftpserver.pl: send 213 SIZE response without spurious newline
  • gen.pl: support ## for doing .IP in table-like lists
  • gen: do italics/bold for a range of letters, not just single word
  • GHA: add a job scanning for "bad words" in markdown
  • GHA: bump ngtcp2, gnutls, mod_h2, quiche
  • gnutls: fix build with --disable-verbose
  • haproxy-clientip.d: document the arg
  • headers: make sure the trailing newline is not stored
  • headers: remove assert from Curl_headers_push
  • hostip: return error immediately when Curl_ip2addr() fails
  • hsts: remove assert for zero length domain
  • http2: improved on_stream_close/data_done handling
  • http3/quiche: fix result code on a stream reset
  • http3: initial support for OpenSSL 3.2 QUIC stack
  • http: adjust_pollset fix
  • http: check for "Host:" case insensitively
  • http: fix off-by-one error in request method length check
  • http: only act on 101 responses when they are HTTP/1.1
  • http: remove comment reference to a removed solution
  • http: use stack scratch buffer
  • http_proxy: a blank CURLOPT_USERAGENT should not be used in CONNECT
  • krb5: add prototype to silence clang warnings on mvsnprintf()
  • lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
  • lib: error out on multissl + http3
  • lib: fix variable undeclared error caused by infof changes
  • lib: reduce use of strncpy
  • lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
  • lib: replace readwrite with write_resp
  • lib: strndup/memdup instead of malloc, memcpy and null-terminate
  • libssh2: use libssh2_session_callback_set2() with v1.11.1
  • libssh: improve the deprecation warning dismissal
  • libssh: suppress warnings without version check
  • Makefile.am: fix the MSVC project generation
  • Makefile.mk: drop Windows support
  • mbedtls: fix -Wnull-dereference and -Wredundant-decls
  • mbedtls: free the entropy when threaded
  • mime: use memdup0 instead of malloc + memcpy
  • mksymbolsmanpage.pl: provide references to where the symbol is used
  • mprintf: overhaul and bugfixes
  • mqtt: use stack scratch buffer for recv+publish
  • multi: remove total timer reset in file_do() while fetching file://
  • ngtcp2: put h3 at the front of alpn
  • ntlm_wb: do not use data->state.buffer any longer
  • openldap: fix an LDAP crash
  • openldap: fix STARTTLS
  • openssl: re-match LibreSSL deinit with init
  • openssl: when verifystatus fails, remove session id from cache
  • OS400: sync ILE/RPG binding
  • pingpong: stop using the download buffer
  • pop3: replace calloc + memcpy with memdup0
  • pytest: scorecard tracking CPU and RSS
  • quiche: return CURLE_HTTP3 on send to invalid stream
  • readwrite_data: loop less
  • Revert "urldata: move async resolver state from easy handle to connectdata"
  • rtsp: deal with borked server responses
  • runtests: for mode="text" on <stdout>, fix newlines on both parts
  • sasl: make login option string override http auth
  • schannel: fix -Warith-conversion gcc 13 warning
  • sectransp: do verify_cert without memdup for blobs
  • sectransp: make TLSCipherNameForNumber() available in non-verbose config
  • sendf: fix compiler warning with CURL_DISABLE_HEADERS_API
  • setopt: clear mimepost when formp is freed
  • setopt: use memdup0 when cloning COPYPOSTFIELDS
  • socks: fix generic output string to say SOCKS instead of SOCKS4
  • socks: use own buffer instead of data->state.buffer
  • ssh: fix namespace of two local macros
  • ssh: use stack scratch buffer for seeks
  • strerror: repair get_winsock_error()
  • system.h: sync mingw CURL_TYPEOF_CURL_SOCKLEN_T with other compilers
  • system_win32: fix a function pointer assignment warning
  • telnet: use dynbuf instead of malloc for escape buffer
  • telnet: use stack scratch buffer for do
  • tests/server: delete workaround for old-mingw
  • tests: avoid int/size_t conversion size/sign warnings
  • tests: respect $TMPDIR when creating unix domain sockets
  • tool: make parser reject blank arguments if not supported
  • tool: prepend output_dir in header callback
  • tool_getparam: bsearch cmdline options
  • tool_getparam: do not try to expand without an argument
  • tool_getparam: stop supporting @filename style for --cookie
  • tool_listhelp: regenerate after recent .d updates
  • tool_operate: make --remove-on-error only remove "real" files
  • tool_operate: stop setting the file comment on Amiga
  • transfer: adjust_pollset improvements
  • transfer: fix upload rate limiting, add test cases
  • transfer: make the select_bits_paused condition check both directions
  • transfer: remove warning: Value stored to 'blen' is never read
  • url: don't set default CA paths for Secure Transport backend
  • url: for disabled protocols, mention if found in redirect
  • urlapi: remove assert
  • verify-examples.pl: fail verification on unescaped backslash
  • version: show only the libpsl version, not its dependencies
  • vquic: extract TLS setup into own source
  • vtls: fix missing multissl version info
  • vtls: receive max buffer
  • vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY
  • websockets: check for negative payload lengths
  • websockets: refactor decode chain
  • windows: delete redundant headers
  • windows: simplify detecting and using system headers
  • wolfssl: load certificate *chain* for PEM client certs
  • x509asn1: remove code for WANT_VERIFYHOST
  • x509asn1: switch from malloc to dynbuf

comment:3 by Bruce Dubbs, 3 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

1aa19207ee Update to curl-8.6.0.
82e9d3190b Update to pipewire-1.0.2.

comment:4 by Douglas R. Reno, 3 months ago

SA-12.0-084 issued
