Opened 4 weeks ago

Closed 4 weeks ago

#19553 closed enhancement (fixed)

curl-8.7.1

Reported by: Douglas R. Reno
Owned by: blfs-book
Priority: elevated
Milestone: 12.2
Component: Errata
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version

8.7.0 was released this morning with a small fix in 8.7.1 for some other architectures.

It contains fixes for CVE-2024-2004, CVE-2024-2479, CVE-2024-2398, and CVE-2024-2466, as well as a variety of other bugfixes.

Change History (18)

comment:1 by Tim Tassonis, 4 weeks ago

Owner: changed from blfs-book to Tim Tassonis
Status: new → assigned

comment:2 by Xi Ruoyao, 4 weeks ago

TESTDONE: 1686 tests were considered during 429 seconds.
TESTDONE: 1432 tests out of 1432 reported OK: 100%

(configured --with-libssh2 --with-gssapi)

comment:3 by Tim Tassonis, 4 weeks ago

Changes:

  • configure: add --disable-docs flag
  • CURLINFO_USED_PROXY: return bool whether the proxy was used
  • digest: support SHA-512/256
  • DoH: add trace configuration
  • write-out: add '%{proxy_used}'

Bugfixes:

  • Fixed empty tool_hugehelp.c file
  • ALTSVC.md: correct a typo
  • asyn-ares: fix data race warning
  • asyn-thread: use wakeup_close to close the read descriptor
  • badwords: use hostname, not host name
  • BINDINGS: add mcurl, the python binding
  • bufq: writing into a softlimit queue cannot be partial
  • c-hyper: add header collection writer in hyper builds
  • cd2nroff: gen: make \> in input to render as plain '>' in output
  • cd2nroff: remove backticks from titles
  • checksrc.pl: fix handling .checksrc with CRLF
  • cmake: add USE_OPENSSL_QUIC support
  • cmake: add warning for using TLS libraries without 1.3 support
  • cmake: enable ENABLE_CURL_MANUAL by default
  • cmake: fix CURL_WINDOWS_SSPI=ON with Schannel disabled
  • cmake: fix function description in comment
  • cmake: fix install for older CMake versions
  • cmake: fix libcurl.pc and curl-config library specifications
  • cmdline-docs/Makefile: avoid using a fixed temp file name
  • cmdline-docs: quote and angle bracket cleanup
  • cmdline-opts/_EXITCODES: sync with libcurl-errors
  • cmdline-opts/_VARIABLES.md: improve the description
  • cmdline-opts/_VERSION: provide %VERSION correctly
  • cmdline-opts: shorter help texts
  • configure: add pkg-config support to rustls detection
  • configure: add warning for using TLS libraries without 1.3 support
  • configure: build & install shell completions when enabled
  • configure: do not link with nghttp3 unless necessary
  • configure: Don't build shell completions when disabled
  • configure: Don't make shell completions without perl
  • configure: find libpsl with pkg-config
  • connect.c: fix typo
  • CONTRIBUTE: update the section on documentation format
  • cookie.md: provide an example sending a fixed cookie
  • cookie: if psl fails, reject the cookie
  • curl: exit on config file parser errors
  • curl: make --libcurl output better CURLOPT_*SSLVERSION
  • curl: when allocating variables, add the name into the struct
  • curl_setup.h: add curl_uint64_t internal type
  • curldown: fix email address in Copyright
  • CURLMOPT_MAX*: mention what happens if changed mid-transfer
  • CURLOPT_INTERFACE.md: remove spurious amp, add see-also
  • CURLOPT_POSTQUOTE.md: fix typo
  • CURLOPT_SSL_CTX_FUNCTION.md: no promises of lifetime after return
  • CURLOPT_WRITEFUNCTION.md: typo fix
  • digest: add check for hashing error
  • dist: make sure the http tests are in the tarball
  • DISTROS: add document with distro pointers
  • docs/libcurl: add TLS backend info for all TLS options
  • docs/libcurl: generate PROTOCOLS from meta-data
  • docs: add missing slashes to SChannel client certificate documentation
  • docs: add necessary setup for nghttp3
  • docs: ascii version of manpage without nroff
  • docs: dist curl*.1 and install without perl
  • docs: make curldown do angle brackets like markdown
  • docs: make each libcurl man specify protocol(s)
  • docs: make sure curl.1 is included in dist tarballs
  • docs: update minimal binary size in INSTALL.md
  • docs: use present tense
  • examples: use present tense in comments
  • file: use xfer buf for file:// transfers
  • fopen: fix narrowing conversion warning on 32-bit Android
  • form-string.md: correct the example
  • ftp: do lineend conversions in client writer
  • ftp: fix socket wait activity in ftp_domore_getsock
  • ftp: tracing improvements
  • ftp: treat a 226 arriving before data as a signal to read data
  • gen.pl: make the "manpageification" faster
  • gen: make \> in input to render as plain '>' in output
  • getparam: make --ftp-ssl work again
  • GHA/linux: add sysctl trick to work-around GitHub runner issue
  • GIT-INFO: convert to markdown
  • GOVERNANCE: document the core team
  • header.md: remove backslash, make nicer markdown
  • HTTP/2: write response directly
  • http2, http3: return CURLE_PARTIAL_FILE when bytes were received
  • http2: fix push discard
  • http2: memory errors in the push callbacks are fatal
  • http2: minor tweaks to optimize two struct sizes
  • http2: push headers better cleanup
  • http2: remove the third (unused) argument from http2_data_done()
  • HTTP3.md: adjust the OpenSSL QUIC install instructions
  • http: better error message for HTTP/1.x response without status line
  • http: improve response header handling, save cpu cycles
  • http: move headers collecting to writer
  • http: remove stale comment about rewindbeforesend
  • http: separate response parsing from response action
  • http_chunks: fix the accounting of consumed bytes
  • http_chunks: remove unused 'endptr' variable
  • https-proxy: use IP address and cert with ip in alt names
  • hyper: implement unpausing via client reader
  • ipv6.md: mention IPv4 mapped addresses
  • KNOWN_BUGS: POP3 issue when reading small chunks
  • lib1598: fix CURLOPT_POSTFIELDSIZE usage
  • lib582: remove code causing warning that is never run
  • lib: add void *ctx to reader/writer instances
  • lib: convert Curl_get_line to use dynbuf
  • lib: Curl_read/Curl_write clarifications
  • lib: enhance client reader resume + rewind
  • lib: initialize output pointers to NULL before calling strto[ff,l,ul]
  • lib: keep conn IP information together
  • lib: move 'done' parameter to SingleRequests
  • lib: remove curl_mimepart object when CURL_DISABLE_MIME
  • libcurl-docs: cleanups
  • libcurl-security.md: Active FTP passes on the local IP address
  • libssh/libssh2: return error on too big range
  • MANUAL.md: fix typo
  • mbedtls: fix building when MBEDTLS_X509_REMOVE_INFO flag is defined
  • mbedtls: fix pytest for newer versions
  • mbedtls: properly cleanup the thread-shared entropy
  • mbedtls: use mbedtls_ssl_conf_{min|max}_tls_version
  • md4: include strdup.h for the memdup proto
  • mime: add client reader
  • misc: fix typos in docs and lib
  • mkhelp: simplify the generated hugehelp program
  • mprintf: fix format prefix I32/I64 for windows compilers
  • multi: add xfer_buf to multi handle
  • multi: fix multi_sock handling of select_bits
  • multi: make add_handle free any multi_easy
  • ngtcp2: no recvbuf for stream
  • ntml_wb: fix buffer type typo
  • OpenSSL QUIC: adapt to v3.3.x
  • openssl-quic: check on Windows that socket conv to int is possible
  • openssl-quic: fix BIO leak and Windows warning
  • openssl-quic: fix unity build, casing, indentation
  • OS400: avoid using awk in the build scripts
  • paramhlp: fix CRLF-stripping files with "-d @file"
  • proxy1.0.md: fix example
  • pytest: adapt to API change
  • request: clarify message when request has been sent off
  • rustls: make curl compile with 0.12.0
  • schannel: fix hang on unexpected server close
  • scripts: fix cijobs.pl for Azure and GHA
  • sendf: ignore response body to HEAD
  • setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value
  • setopt: fix disabling all protocols
  • sha512_256: add support for GnuTLS and OpenSSL
  • smtp: fix STARTTLS
  • SPONSORS: describe the basics
  • strtoofft: fix the overflow check
  • test 1541: verify getinfo values on first header callback
  • test1165: improve pattern matching
  • tests: support setting/using blank content env variables
  • TIMER_STARTTRANSFER: set the same for everyone
  • TLS: start shutdown only when peer did not already close
  • TODO: update 13.11 with more information
  • tool_cb_hdr: only parse etag + content-disposition for 2xx
  • tool_getparam: accept a blank -w ""
  • tool_getparam: handle non-existing (out of range) short-options
  • tool_operate: change precedence of server Retry-After time
  • tool_operate: do not set CURLOPT_QUICK_EXIT in debug builds
  • trace-config.md: remove the mutexed options list
  • transfer.c: break receive loop in speed limited transfers
  • transfer: improve Windows SO_SNDBUF update limit
  • urldata: move authneg bit from conn to Curl_easy
  • version: allow building with ancient libpsl
  • vquic-tls: fix the error code returned for bad CA file
  • vtls: fix tls proxy peer verification
  • vtls: revert "receive max buffer" + add test case
  • VULN-DISCLOSURE-POLICY.md: update detail about CVE requests
  • websocket: fix curl_ws_recv()
  • wolfSSL: do not call the stub function wolfSSL_BIO_set_init()
  • write-out.md: clarify error handling details

comment:4 by Tim Tassonis, 4 weeks ago

Status: assigned → new

Fixed in commit 6bd5fae243

comment:5 by Tim Tassonis, 4 weeks ago

Resolution: fixed
Status: new → closed

comment:6 by Xi Ruoyao, 4 weeks ago

Component: BOOK → Errata
Resolution: fixed
Status: closed → reopened

Reopen for SA.

comment:7 by Xi Ruoyao, 4 weeks ago

Owner: changed from Tim Tassonis to blfs-book
Status: reopened → new

comment:8 by Tim Tassonis, 4 weeks ago

Ah yeah, have to do those too, I guess...

comment:9 by Xi Ruoyao, 4 weeks ago (in reply to comment:8)

Replying to Tim Tassonis:

Ah yeah, have to do those too, I guess...

I reassigned it to blfs-book in case you don't want to do the text work :).

comment:10 by Tim Tassonis, 4 weeks ago

No, it's ok.

But regarding the CVEs: do I have to describe the "low" ones? For instance, CVE-2024-2004 is really, really low.

comment:11 by Tim Tassonis, 4 weeks ago

Also: CVE-2024-2479 is not a curl CVE, but for MHA Sistemas arMHAzena 9.6.0.0. Is that a typo?

comment:12 by Xi Ruoyao, 4 weeks ago

It should be 2379. And it's not affecting BLFS because we don't have wolfSSL.

Likewise for CVE-2024-2466 (we don't have mbedTLS).

comment:13 by Tim Tassonis, 4 weeks ago

CVE-2024-2466 does not affect us, as it is mbed

comment:14 by Tim Tassonis, 4 weeks ago

Yeah..

comment:15 by Tim Tassonis, 4 weeks ago

So that leaves CVE-2024-2398. This is medium, a HTTP/2 server push memory leak. If it's ok, I will just mention this one.

comment:16 by Xi Ruoyao, 4 weeks ago

There's also CVE-2024-2004 (Usage of disabled protocol), it's LOW though.

comment:17 by Tim Tassonis, 4 weeks ago

Yeah, very low... you have to specify "disable insecure protocols" and then specify an insecure protocol...
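
The applicability reasoning in this thread (CVE-2024-2379 only with wolfSSL, CVE-2024-2466 only with mbedTLS, CVE-2024-2398 in the HTTP/2 push code, CVE-2024-2004 in any build) can be turned into a quick check of a build's `curl -V` output. The script below is an added example, not code from the ticket, from curl or from BLFS. It assumes that any curl older than 8.7.0 is treated as lacking the fixes (the ticket says 8.7.0 carries them), and the two sample `curl -V` texts are constructed here, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the ticket, curl or BLFS): classify which of the four
# CVEs fixed in curl 8.7.0/8.7.1 are relevant to a given build, using only the
# text of `curl -V`. The backend mapping follows the ticket discussion:
#   CVE-2024-2379  wolfSSL backend only
#   CVE-2024-2466  mbedTLS backend only
#   CVE-2024-2398  HTTP/2 server push leak (needs the HTTP2 feature)
#   CVE-2024-2004  usage of a disabled protocol (any build)
# Assumption: a version older than 8.7.0 is treated as unfixed.

# Constructed sample outputs, shaped like `curl -V` but invented for this example.
SAMPLE_OLD_WOLFSSL='curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 wolfSSL/5.6.6 zlib/1.3.1 nghttp2/1.59.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTP2 IPv6 Largefile libz SSL threadsafe'

SAMPLE_NEW_OPENSSL='curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 OpenSSL/3.2.1 zlib/1.3.1
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS IPv6 Largefile libz SSL threadsafe'

# curl_version TEXT -> the version number from the first line, e.g. 8.6.0
curl_version() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B -> exit status 0 when dotted version A is older than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# tls_backend TEXT -> name of the TLS library linked into libcurl
tls_backend() {
    first=$(printf '%s\n' "$1" | sed -n '1p')
    case "$first" in
        *wolfSSL/*) echo wolfSSL ;;
        *mbedTLS/*) echo mbedTLS ;;
        *OpenSSL/*) echo OpenSSL ;;
        *GnuTLS/*)  echo GnuTLS ;;
        *)          echo unknown ;;
    esac
}

# has_feature TEXT NAME -> exit status 0 when NAME appears on the Features: line
has_feature() {
    printf '%s\n' "$1" | sed -n 's/^Features: //p' | tr ' ' '\n' | grep -qx -- "$2"
}

# applicable_cves TEXT -> space-separated CVE ids, or "none" for a fixed build
applicable_cves() {
    v=$(curl_version "$1")
    if ! version_lt "$v" "8.7.0"; then
        echo none
        return 0
    fi
    out="CVE-2024-2004"                       # every unfixed build
    if has_feature "$1" HTTP2; then           # server push code only with HTTP/2
        out="$out CVE-2024-2398"
    fi
    case $(tls_backend "$1") in               # backend-specific issues
        wolfSSL) out="$out CVE-2024-2379" ;;
        mbedTLS) out="$out CVE-2024-2466" ;;
    esac
    echo "$out"
}

# report TEXT -> one summary line per build
report() {
    printf 'curl %s (%s): %s\n' \
        "$(curl_version "$1")" "$(tls_backend "$1")" "$(applicable_cves "$1")"
}

report "$SAMPLE_OLD_WOLFSSL"
report "$SAMPLE_NEW_OPENSSL"
```

On a live system the same function runs as `report "$(curl -V)"`; a BLFS build linked against OpenSSL or GnuTLS therefore never lists the wolfSSL or mbedTLS entries, which is the reason the thread settles on mentioning CVE-2024-2398 and CVE-2024-2004 only.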

comment:18 by Tim Tassonis, 4 weeks ago

Resolution: fixed
Status: new → closed

Issued sa-12.1-015
