[GNUnet-developers] [release] gnurl 7.66.0

gnunet-developers
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-developers] [release] gnurl 7.66.0

From:	N
Subject:	[GNUnet-developers] [release] gnurl 7.66.0
Date:	Fri, 13 Sep 2019 15:37:41 +0000
Hi,
 
I have just released gnurl 7.66.0, following the 7.66.0 release of curl.
Due to the way gnurl is configure and build, gnurl is believed to be not
affected by
 CVE-2019-5481: FTP-KRB double-free
and
 CVE-2019-5482: TFTP small blocksize heap buffer overflow

Note that I do not explicitly force HTTP3 features off, but recommend
to not build gnurl with it if you build it for libmicrohttpd and GNUnet.
http3 support in both of them is not there yet. In my pkgsrc package the
flags are as following (paste diff from CVS):
+# We do not want HTTP3 support yet, see release announcement
+CONFIGURE_ARGS+=       --without-ngtcp2
+CONFIGURE_ARGS+=       --without-nghttp2
+CONFIGURE_ARGS+=       --without-nghttp3
+CONFIGURE_ARGS+=       --without-quiche

 
CHANGELOG
---------

Changes, gnurl specific:
 
* Almost none, mostly a merge as usual. After a chat 
  with bfix on IRC, the gnurl homepage has been extended
  to explain how to build it.
 
The usual curl Changelog applies, consult https://curl.haxx.se for the
ChangeLog.
curl Changelog:
 Changes:

    CURLINFO_RETRY_AFTER: parse the Retry-After header value
    HTTP3: initial (experimental still not working) support
    curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
    curl: support parallel transfers with -Z
    curl_multi_poll: a sister to curl_multi_wait() that waits more
    sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID 

 Bugfixes:

    CVE-2019-5481: FTP-KRB double-free
    CVE-2019-5482: TFTP small blocksize heap buffer overflow
    CI: remove duplicate configure flag for LGTM.com
    CMake: remove needless newlines at end of gss variables
    CMake: use platform dependent name for dlopen() library
    CURLINFO docs: mention that in redirects times are added
    CURLOPT_ALTSVC.3: use a "" file name to not load from a file
    CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
    CURLOPT_HEADERFUNCTION.3: clarify
    CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
    CURLOPT_READFUNCTION.3: provide inline example
    CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
    Curl_addr2string: take an addrlen argument too
    Curl_fillreadbuffer: avoid double-free trailer buf on error
    HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
    alt-svc: add protocol version selection masking
    alt-svc: fix removal of expired cache entry
    alt-svc: make it use h3-22 with ngtcp2 as well
    alt-svc: more liberal ALPN name parsing
    alt-svc: send Alt-Used: in redirected requests
    alt-svc: with quiche, use the quiche h3 alpn string
    appveyor: pass on -k to make
    asyn-thread: create a socketpair to wait on
    build-openssl: fix build with Visual Studio 2019
    cleanup: move functions out of url.c and make them static
    cleanup: remove the 'numsocks' argument used in many places
    configure: avoid undefined check_for_ca_bundle
    curl.h: add CURL_HTTP_VERSION_3 to the version enum
    curl.h: fix outdated comment
    curl: cap the maximum allowed values for retry time arguments
    curl: handle a libcurl build without netrc support
    curl: make use of CURLINFO_RETRY_AFTER when retrying
    curl: remove outdated comment
    curl: use .curlrc (with a dot) on Windows
    curl: use CURLINFO_PROTOCOL to check for HTTP(s)
    curl_global_init_mem.3: mention it was added in 7.12.0
    curl_version: bump string buffer size to 250
    curl_version_info.3: mentioned ALTSVC and HTTP3
    curl_version_info: offer quic (and h3) library info
    curl_version_info: provide nghttp2 details
    defines: avoid underscore-prefixed defines
    docs/ALTSVC: remove what works and the experimental explanation
    docs/EXPERIMENTAL: explain what it means and what's experimental now
    docs/MANUAL.md: converted to markdown from plain text
    docs/examples/curlx: fix errors
    docs: s/curl_debug/curl_dbg_debug in comments and docs
    easy: resize receive buffer on easy handle reset
    examples: Avoid reserved names in hiperfifo examples
    examples: add http3.c, altsvc.c and http3-present.c
    getenv: support up to 4K environment variable contents on windows
    http09: disable HTTP/0.9 by default in both tool and library
    http2: when marked for closure and wanted to close == OK
    http2_recv: trigger another read when the last data is returned
    http: fix use of credentials from URL when using HTTP proxy
    http_negotiate: improve handling of gss_init_sec_context() failures
    md4: Use our own MD4 when no crypto libraries are available
    multi: call detach_connection before Curl_disconnect
    netrc: make the code try ".netrc" on Windows
    nss: use TLSv1.3 as default if supported
    openssl: build warning free with boringssl
    openssl: use SSL_CTX_set__proto_version() when available
    plan9: add support for running on Plan 9
    progress: reset download/uploaded counter between transfers
    readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
    scp: fix directory name length used in memcpy
    smb: init *msg to NULL in smb_send_and_recv()
    smtp: check for and bail out on too short EHLO response
    source: remove names from source comments
    spnego_sspi: add typecast to fix build warning
    src/makefile: fix uncompressed hugehelp.c generation
    ssh-libssh: do not specify O_APPEND when not in append mode
    ssh: move code into vssh for SSH backends
    sspi: fix memory leaks
    tests: Replace outdated test case numbering documentation
    tftp: return error when packet is too small for options
    timediff: make it 64 bit (if possible) even with 32 bit time_t
    travis: reduce number of torture tests in 'coverage'
    url: make use of new HTTP version if alt-svc has one
    urlapi: verify the IPv6 numerical address
    urldata: avoid 'generic', use dedicated pointers
    vauth: Use CURLE_AUTH_ERROR for auth function errors 

CHECKSUMS
---------

SHA1 (gnurl-7.66.0.tar.gz) = 40c244d3df8e3aa60464b3be933bd47506e31d65
SHA1 (gnurl-7.66.0.tar.Z) = 94b939e318bb74651dc4a35a90ca39948386d8df
SHA1 (gnurl-7.66.0.pax.Z) = 94b939e318bb74651dc4a35a90ca39948386d8df
SHA512 (gnurl-7.66.0.tar.gz) = 
ab7305433b204ce68d139898efa1a74351a73c5e5bde121bb5ce1aa76f31cd07b699c18988a78f756262f9d7566b323651012ed0790bce15ed3e77aeba2c6dd9
SHA512 (gnurl-7.66.0.tar.Z) = 
31cf2224bcb5beeae8082f7d4ab03cf61a2ddd44088bff82e3df991a61d628800d1db25bd75d67808d2403cf5df36f717c9bb3e462e9ac9d63bdd56c33f08a40
SHA512 (gnurl-7.66.0.pax.Z) = 
31cf2224bcb5beeae8082f7d4ab03cf61a2ddd44088bff82e3df991a61d628800d1db25bd75d67808d2403cf5df36f717c9bb3e462e9ac9d63bdd56c33f08a40
RMD160 (gnurl-7.66.0.tar.gz) = a4f03bb1c3924f018af10864b3761927e15d8655
RMD160 (gnurl-7.66.0.tar.Z) = 850f2efb7b06bc1e338034d5b7477e4d174b5d05
RMD160 (gnurl-7.66.0.pax.Z) = 850f2efb7b06bc1e338034d5b7477e4d174b5d05
 
DOWNLOADS
---------
 
The files can be be found as usual on the gnu ftp and ftpmirrors in
the gnunet subfolder.
signature.asc
Description: PGP signature
[Prev in Thread]
Current Thread
[Next in Thread]
[GNUnet-developers] [release] gnurl 7.66.0, N <=
Prev by Date: Re: [GNUnet-developers] removal of Apple logo
Next by Date: [GNUnet-developers] question about src/transport
Previous by thread: [GNUnet-developers] removal of Apple logo
Next by thread: [GNUnet-developers] question about src/transport
Index(es):
- Date
- Thread