cURL Changelog

What's new in cURL 7.68.0

Jan 8, 2020
  • Changes:
  • TLS: add BearSSL vtls implementation
  • XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
  • curl: add --etag-compare and --etag-save
  • curl: add --parallel-immediate
  • multi: add curl_multi_wakeup()
  • openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
  • Bugfixes:
  • CVE-2019-15601: file: on Windows, refuse paths that start with \
  • Azure Pipelines: add several builds
  • CMake: add support for building with the NSS vtls backend
  • CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
  • CURLOPT_HEADERFUNCTION.3: Document that size is always 1
  • CURLOPT_QUOTE.3: fix typos
  • CURLOPT_READFUNCTION.3: fix the example
  • CURLOPT_URL.3: "curl supports SMB version 1 (only)"
  • CURLOPT_VERBOSE.3: see also ERRORBUFFER
  • HISTORY: added cmake, HTTP/3 and parallel downloads with curl
  • HISTORY: the SMB(S) support landed in 2014
  • INSTALL.md: provide Android build instructions
  • KNOWN_BUGS: Connection information when using TCP Fast Open
  • KNOWN_BUGS: LDAP on Windows doesn't work correctly
  • KNOWN_BUGS: TLS session cache doesn't work with TFO
  • OPENSOCKETFUNCTION.3: correct the purpose description
  • TrackMemory tests: always remove CR before LF
  • altsvc: bump to h3-24
  • altsvc: make the save function ignore NULL filenames
  • build: Disable Visual Studio warning "conditional expression is constant"
  • build: fix for CURL_DISABLE_DOH
  • checksrc.bat: Add a check for vquic and vssh directories
  • checksrc: repair the copyrightyear check
  • cirrus-ci: enable clang sanitizers on freebsd 13
  • cirrus: Drop the FreeBSD 10.4 build
  • config-win32: cpu-machine-OS for Windows on ARM
  • configure: avoid unportable `==' test(1) operator
  • configure: enable IPv6 support without `getaddrinfo`
  • configure: fix typo in help text
  • conncache: CONNECT_ONLY connections assumed always in-use
  • conncache: fix multi-thread use of shared connection cache
  • copyrights: fix copyright year range
  • create_conn: prefer multiplexing to using new connections
  • curl -w: handle a blank input file correctly
  • curl.h: add two missing defines for "pre ISO C" compilers
  • curl/parseconfig: fix mem-leak
  • curl/parseconfig: use curl_free() to free memory allocated by libcurl
  • curl: cleanup multi handle on failure
  • curl: fix --upload-file . hangs if delay in STDIN
  • curl: fix -T globbing
  • curl: improved cleanup in upload error path
  • curl: make a few char pointers point to const char instead
  • curl: properly free mimepost data
  • curl: show better error message when no homedir is found
  • curl: show error for --http3 if libcurl lacks support
  • curl_setup_once: consistently use WHILE_FALSE in macros
  • define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
  • docs: Change 'experiemental' to 'experimental'
  • docs: TLS SRP doesn't work with TLS 1.3
  • docs: fix several typos
  • docs: mention CURL_MAX_INPUT_LENGTH restrictions
  • doh: improved both encoding and decoding
  • doh: make it behave when built without proxy support
  • examples/postinmemory.c: Call curl_global_cleanup always
  • examples/url2file.c: corrected erroneous comment
  • examples: add multi-poll.c
  • global_init: undo the "intialized" bump in case of failure
  • hostip: suppress compiler warning
  • http_ntlm: Remove duplicate NSS initialisation
  • lib: Move lib/ssh.h -> lib/vssh/ssh.h
  • lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
  • lib: fix warnings found when porting to NuttX
  • lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
  • lib: remove erroneous +x file permission on some c files
  • libssh2: add support for ECDSA and ed25519 knownhost keys
  • multi.h: remove INITIAL_MAX_CONCURRENT_STREAMS from public header
  • multi: free sockhash on OOM
  • multi_poll: avoid busy-loop when called without easy handles attached
  • ngtcp2: Support the latest update key callback type
  • ngtcp2: fix thread-safety bug in error-handling
  • ngtcp2: free used resources on disconnect
  • ngtcp2: handle key updates as ngtcp2 master branch tells us
  • ngtcp2: increase QUIC window size when data is consumed
  • ngtcp2: use overflow buffer for extra HTTP/3 data
  • ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
  • ntlm_wb: fix double-free in OOM
  • openssl: Revert to less sensitivity for SYSCALL errors
  • openssl: improve error message for SYSCALL during connect
  • openssl: prevent recursive function calls from ctx callbacks
  • openssl: retrieve reported LibreSSL version at runtime
  • openssl: set X509_V_FLAG_PARTIAL_CHAIN by default
  • parsedate: offer a getdate_capped() alternative
  • pause: avoid updating socket if done was already called
  • projects: Fix Visual Studio projects SSH builds
  • projects: Fix Visual Studio wolfSSL configurations
  • quiche: reject HTTP/3 headers in the wrong order
  • remove_handle: clear expire timers after multi_done()
  • runtests: --repeat=[num] to repeat tests
  • runtests: introduce --shallow to reduce huge torture tests
  • schannel: fix --tls-max for when min is --tlsv1 or default
  • setopt: Fix ALPN / NPN user option when built without HTTP2
  • strerror: Add Curl_winapi_strerror for Win API specific errors
  • strerror: Fix an error looking up some Windows error strings
  • strerror: Fix compiler warning "empty expression"
  • system.h: fix for MCST lcc compiler
  • test/sws: search for "Testno:" header unconditionally if no testno
  • test1175: verify symbols-in-versions and libcurl-errors.3 in sync
  • test1270: a basic -w redirect_url test
  • test1456: remove the use of a fixed local port number
  • test1558: use double slash after file:
  • test1560: require IPv6 for IPv6 aware URL parsing
  • tests/lib1557: fix mem-leak in OOM
  • tests/lib1559: fix mem-leak in OOM
  • tests/lib1591: free memory properly on OOM, in the trailers callback
  • tests/unit1607: fix mem-leak in OOM
  • tests/unit1609: fix mem-leak in OOM
  • tests/unit1620: fix bad free in OOM
  • tests: Change NTLM tests to require SSL
  • tests: Fix bounce requests with truncated writes
  • tests: fix build with `CURL_DISABLE_DOH`
  • tests: fix permissions of ssh keys in WSL
  • tests: make it possible to set executable extensions
  • tests: make sure checksrc runs on header files too
  • tests: set LC_ALL=en_US.UTF-8 instead of blank in several tests
  • tests: use DoH feature for DoH tests
  • tests: use rn for log messages in WSL
  • tool_operate: fix mem leak when failed config parse
  • travis: Fix error detection
  • travis: abandon coveralls, it is not reliable
  • travis: build ngtcp2 with --enable-lib-only
  • travis: export the CC/CXX variables when set
  • vtls: make BearSSL possible to set with CURL_SSL_BACKEND
  • winbuild: Define CARES_STATICLIB when WITH_CARES=static
  • winbuild: Document CURL_STATICLIB requirement for static libcurl

New in cURL 7.67.0 (Nov 6, 2019)

  • Changes:
  • curl: added --no-progress-meter
  • setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
  • urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
  • Bugfixes:
  • BINDINGS: five new bindings addded
  • CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
  • CURLOPT_TIMEOUT.3: remove the mention of "minutes"
  • ESNI: initial build/setup support
  • FTP: FTPFILE_NOCWD: avoid redundant CWDs
  • FTP: allow "rubbish" prepended to the SIZE response
  • FTP: remove trailing slash from path for LIST/MLSD
  • FTP: skip CWD to entry dir when target is absolute
  • FTP: url-decode path before evaluation
  • HTTP3.md: move -p for mkdir, remove -j for make
  • HTTP3: fix invalid use of sendto for connected UDP socket
  • HTTP3: fix ngtcp2 Windows build
  • HTTP3: fix prefix parameter for ngtcp2 build
  • HTTP3: fix typo somehere1 > somewhere1
  • HTTP3: show an --alt-svc using example too
  • INSTALL: add missing space for configure commands
  • INSTALL: add vcpkg installation instructions
  • README: minor grammar fix
  • altsvc: accept quoted ma and persist values
  • altsvc: both backends run h3-23 now
  • appveyor: Add MSVC ARM64 build
  • appveyor: Use two parallel compilation on appveyor with CMake
  • appveyor: add --disable-proxy autotools build
  • appveyor: add 32-bit MinGW-w64 build
  • appveyor: add a winbuild
  • appveyor: add a winbuild that uses VS2017
  • appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017
  • appveyor: publish artifacts on appveyor
  • appveyor: upgrade VS2017 to VS2019
  • asyn-thread: make use of Curl_socketpair() where available
  • asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
  • build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
  • checksrc: fix uninitialized variable warning
  • chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
  • cirrus: Increase the git clone depth
  • cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
  • cirrus: switch off blackhole status on the freebsd CI machines
  • cleanups: 21 various PVS-Studio warnings
  • configure: only say ipv6 enabled when the variable is set
  • configure: remove all cyassl references
  • conn-reuse: requests wanting NTLM can reuse non-NTLM connections
  • connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
  • connect: silence sign-compare warning
  • cookie: avoid harmless use after free
  • cookie: pass in the correct cookie amount to qsort()
  • cookies: change argument type for Curl_flush_cookies
  • cookies: using a share with cookies shouldn't enable the cookie engine
  • copyrights: update copyright notices to 2019
  • curl: create easy handles on-demand and not ahead of time
  • curl: ensure HTTP 429 triggers --retry
  • curl: exit the create_transfers loop on errors
  • curl: fix memory leaked by parse_metalink()
  • curl: load large files with -d @ much faster
  • docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
  • docs: added multi-event.c example
  • docs: disambiguate CURLUPART_HOST is for host name (ie no port)
  • docs: note on failed handles not being counted by curl_multi_perform
  • doh: allow only http and https in debug mode
  • doh: avoid truncating DNS QTYPE to lower octet
  • doh: clean up dangling DOH memory on easy close
  • doh: fix (harmless) buffer overrun
  • doh: fix undefined behaviour and open up for gcc and clang optimization
  • doh: return early if there is no time left
  • examples/sslbackend: fix -Wchar-subscripts warning
  • examples: remove the "this exact code has not been verified"
  • git: add tests/server/disabled to .gitignore
  • gnutls: make gnutls_bye() not wait for response on shutdown
  • http2: expire a timeout at end of stream
  • http2: prevent dup'ed handles to send dummy PRIORITY frames
  • http2: relax verification of :authority in push promise requests
  • http2_recv: a closed stream trumps pause state
  • http: lowercase headernames for HTTP/2 and HTTP/3
  • ldap: Stop using wide char version of ldapp_err2string
  • ldap: fix OOM error on missing query string
  • mbedtls: add error message for cert validity starting in the future
  • mime: when disabled, avoid C99 macro
  • ngtcp2: adapt to API change
  • ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
  • ngtcp2: remove fprintf() calls
  • openssl: close_notify on the FTP data connection doesn't mean closure
  • openssl: fix compiler warning with LibreSSL
  • openssl: use strerror on SSL_ERROR_SYSCALL
  • os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
  • parsedate: fix date parsing disabled builds
  • quiche: don't close connection at end of stream
  • quiche: persist connection details (fixes -I with --http3)
  • quiche: set 'drain' when returning without having drained the queues
  • quiche: update HTTP/3 config creation to new API
  • redirect: handle redirects to absolute URLs containing spaces
  • runtests: get textaware info from curl instead of perl
  • schannel: reverse the order of certinfo insertions
  • schannel_verify: Fix concurrent openings of CA file
  • security: silence conversion warning
  • setopt: handle ALTSVC set to NULL
  • setopt: make it easier to add new enum values
  • setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
  • smb: check for full size message before reading message details
  • smbserver: fix Python 3 compatibility
  • socks: Fix destination host shown on SOCKS5 error
  • test1162: disable MSYS2's POSIX path conversion
  • test1591: fix spelling of http feature
  • tests: add `connect to non-listen` keywords
  • tests: fix narrowing conversion warnings
  • tests: fix the test 3001 cert failures
  • tests: makes tests succeed when using --disable-proxy
  • tests: use %FILE_PWD for file:// URLs
  • tests: use port 2 instead of 60000 for a safer non-listening port
  • tool_operate: Fix retry sleep time shown to user when Retry-After
  • travis: Add an ARM64 build
  • url: Curl_free_request_state() should also free doh handles
  • url: don't set appconnect time for non-ssl/non-ssh connections
  • url: fix the NULL hostname compiler warning
  • url: normalize CURLINFO_EFFECTIVE_URL
  • url: only reuse TLS connections with matching pinning
  • urlapi: avoid index underflow for short ipv6 hostnames
  • urlapi: fix URL encoding when setting a full URL
  • urlapi: fix unused variable warning
  • urlapi: question mark within fragment is still fragment
  • urldata: use 'bool' for the bit type on MSVC compilers
  • vtls: Fix comment typo about macosx-version-min compiler flag
  • vtls: fix narrowing conversion warnings
  • winbuild/MakefileBuild.vc: Add vssh
  • winbuild/MakefileBuild.vc: Fix line endings
  • winbuild: Add manifest to curl.exe for proper OS version detection
  • winbuild: add ENABLE_UNICODE option

New in cURL 7.66.0 (Sep 13, 2019)

  • Changes:
  • CURLINFO_RETRY_AFTER: parse the Retry-After header value
  • HTTP3: initial (experimental still not working) support
  • curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
  • curl: support parallel transfers with -Z
  • curl_multi_poll: a sister to curl_multi_wait() that waits more
  • sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
  • Bugfixes:
  • CVE-2019-5481: FTP-KRB double-free
  • CVE-2019-5482: TFTP small blocksize heap buffer overflow
  • CI: remove duplicate configure flag for LGTM.com
  • CMake: remove needless newlines at end of gss variables
  • CMake: use platform dependent name for dlopen() library
  • CURLINFO docs: mention that in redirects times are added
  • CURLOPT_ALTSVC.3: use a "" file name to not load from a file
  • CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
  • CURLOPT_HEADERFUNCTION.3: clarify
  • CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
  • CURLOPT_READFUNCTION.3: provide inline example
  • CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
  • Curl_addr2string: take an addrlen argument too
  • Curl_fillreadbuffer: avoid double-free trailer buf on error
  • HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
  • alt-svc: add protocol version selection masking
  • alt-svc: fix removal of expired cache entry
  • alt-svc: make it use h3-22 with ngtcp2 as well
  • alt-svc: more liberal ALPN name parsing
  • alt-svc: send Alt-Used: in redirected requests
  • alt-svc: with quiche, use the quiche h3 alpn string
  • appveyor: pass on -k to make
  • asyn-thread: create a socketpair to wait on
  • build-openssl: fix build with Visual Studio 2019
  • cleanup: move functions out of url.c and make them static
  • cleanup: remove the 'numsocks' argument used in many places
  • configure: avoid undefined check_for_ca_bundle
  • curl.h: add CURL_HTTP_VERSION_3 to the version enum
  • curl.h: fix outdated comment
  • curl: cap the maximum allowed values for retry time arguments
  • curl: handle a libcurl build without netrc support
  • curl: make use of CURLINFO_RETRY_AFTER when retrying
  • curl: remove outdated comment
  • curl: use .curlrc (with a dot) on Windows
  • curl: use CURLINFO_PROTOCOL to check for HTTP(s)
  • curl_global_init_mem.3: mention it was added in 7.12.0
  • curl_version: bump string buffer size to 250
  • curl_version_info.3: mentioned ALTSVC and HTTP3
  • curl_version_info: offer quic (and h3) library info
  • curl_version_info: provide nghttp2 details
  • defines: avoid underscore-prefixed defines
  • docs/ALTSVC: remove what works and the experimental explanation
  • docs/EXPERIMENTAL: explain what it means and what's experimental now
  • docs/MANUAL.md: converted to markdown from plain text
  • docs/examples/curlx: fix errors
  • docs: s/curl_debug/curl_dbg_debug in comments and docs
  • easy: resize receive buffer on easy handle reset
  • examples: Avoid reserved names in hiperfifo examples
  • examples: add http3.c, altsvc.c and http3-present.c
  • getenv: support up to 4K environment variable contents on windows
  • http09: disable HTTP/0.9 by default in both tool and library
  • http2: when marked for closure and wanted to close == OK
  • http2_recv: trigger another read when the last data is returned
  • http: fix use of credentials from URL when using HTTP proxy
  • http_negotiate: improve handling of gss_init_sec_context() failures
  • md4: Use our own MD4 when no crypto libraries are available
  • multi: call detach_connection before Curl_disconnect
  • netrc: make the code try ".netrc" on Windows
  • nss: use TLSv1.3 as default if supported
  • openssl: build warning free with boringssl
  • openssl: use SSL_CTX_set__proto_version() when available
  • plan9: add support for running on Plan 9
  • progress: reset download/uploaded counter between transfers
  • readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
  • scp: fix directory name length used in memcpy
  • smb: init *msg to NULL in smb_send_and_recv()
  • smtp: check for and bail out on too short EHLO response
  • source: remove names from source comments
  • spnego_sspi: add typecast to fix build warning
  • src/makefile: fix uncompressed hugehelp.c generation
  • ssh-libssh: do not specify O_APPEND when not in append mode
  • ssh: move code into vssh for SSH backends
  • sspi: fix memory leaks
  • tests: Replace outdated test case numbering documentation
  • tftp: return error when packet is too small for options
  • timediff: make it 64 bit (if possible) even with 32 bit time_t
  • travis: reduce number of torture tests in 'coverage'
  • url: make use of new HTTP version if alt-svc has one
  • urlapi: verify the IPv6 numerical address
  • urldata: avoid 'generic', use dedicated pointers
  • vauth: Use CURLE_AUTH_ERROR for auth function errors

New in cURL 7.65.3 (Jul 23, 2019)

  • Bugfixes:
  • progress: make the progress meter appear again

New in cURL 7.65.1 (Jun 5, 2019)

  • Bugfixes:
  • CURLOPT_LOW_SPEED_* repaired
  • NTLM: reset proxy "multipass" state when CONNECT request is done
  • PolarSSL: deprecate support step 1. Removed from configure
  • appveyor: add Visual Studio solution build
  • cmake: check for if_nametoindex()
  • cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
  • config-win32: add support for if_nametoindex and getsockname
  • conncache: Remove the DEBUGASSERT on length check
  • conncache: make "bundles" per host name when doing proxy tunnels
  • curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
  • curl_share_setopt.3: improve wording
  • dump-header.d: spell out that no headers == empty file
  • example/http2-download: fix format specifier
  • examples: cleanups and compiler warning fixes
  • http2: Stop drain from being permanently set
  • http: don't parse body-related headers in bodyless responses
  • md4: build correctly with openssl without MD4
  • md4: include the mbedtls config.h to get the MD4 info
  • multi: track users of a socket better
  • nss: allow to specify TLS 1.3 ciphers if supported by NSS
  • parse_proxy: make sure portptr is initialized
  • parse_proxy: use the IPv6 zone id if given
  • sectransp: handle errSSLPeerAuthCompleted from SSLRead()
  • singlesocket: use separate variable for inner loop
  • ssl: Update outdated "openssl-only" comments for supported backends
  • tests: add HAProxy keywords
  • tests: add support to test against OpenSSH for Windows
  • tests: make test 1420 and 1406 work with rtsp-disabled libcurl
  • tls13-docs: mention it is only for OpenSSL >= 1.1.1
  • tool_parse_cfg: Avoid 2 fopen() for WIN32
  • tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
  • url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
  • url: fix bad feature-disable #ifdef
  • url: use correct port in ConnectionExists()
  • winbuild: Use two space indentation

New in cURL 7.64.1 (Mar 28, 2019)

  • Changes:
  • alt-svc: experiemental support added
  • configure: add --with-amissl
  • Bugfixes:
  • AppVeyor: add MinGW-w64 and classic Mingw builds
  • AppVeyor: switch VS 2015 builds to VS 2017 image
  • CURLU: fix NULL dereference when used over proxy
  • Curl_easy: remove req.maxfd - never used!
  • Curl_now: figure out windows version in win32_init:
  • Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
  • DoH: inherit some SSL options from user's easy handle
  • Secure Transport: no more "darwinssl"
  • Secure Transport: tvOS 11 is required for ALPN support
  • cirrus: Added FreeBSD builds using Cirrus CI
  • cleanup: make local functions static
  • cli tool: do not use mime.h private structures
  • cmdline-opts/proxytunnel.d: the option tunnnels all protocols
  • configure: add additional libraries to check for LDAP support
  • configure: remove the unused fdopen macro
  • configure: show features as well in the final summary
  • conncache: use conn->data to know if a transfer owns it
  • connection: never reuse CONNECT_ONLY connections
  • connection_check: restore original conn->data after the check
  • connection_check: set ->data to the transfer doing the check
  • cookie: Add support for cookie prefixes
  • cookies: dotless names can set cookies again
  • cookies: fix NULL dereference if flushing cookies with no CookieInfo set
  • curl.1: --user and --proxy-user are hidden from ps output
  • curl.1: mark the argument to --cookie as
  • curl.h: use __has_declspec_attribute for shared builds
  • curl: display --version features sorted alphabetically
  • curl: fix FreeBSD compiler warning in the --xattr code
  • curl: remove MANUAL from -M output
  • curl_easy_duphandle.3: clarify that a duped handle has no shares
  • curl_multi_remove_handle.3: use at any time, just not from within callbacks
  • curl_url.3: this API is not experimental anymore
  • dns: release sharelock as soon as possible
  • docs: update max-redirs.d phrasing
  • easy: fix win32 init to work without CURL_GLOBAL_WIN32
  • examples/10-at-a-time.c: improve readability and simplify
  • examples/cacertinmem.c: use multiple certificates for loading CA-chain
  • examples/crawler: Fix the Accept-Encoding setting
  • examples/ephiperfifo.c: various fixes
  • examples/externalsocket: add missing close socket calls
  • examples/http2-download: cleaned up
  • examples/http2-serverpush: add some sensible error checks
  • examples/http2-upload: cleaned up
  • examples/httpcustomheader: Value stored to 'res' is never read
  • examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
  • examples/sftpuploadresume: Value stored to 'result' is never read
  • examples: only include
  • examples: remove recursive calls to curl_multi_socket_action
  • examples: remove superfluous null-pointer checks
  • file: fix "Checking if unsigned variable 'readcount' is less than zero."
  • fnmatch: disable if FTP is disabled
  • gnutls: remove call to deprecated gnutls_compression_get_name
  • gopher: remove check for path == NULL
  • gssapi: fix deprecated header warnings
  • hostip: make create_hostcache_id avoid alloc + free
  • http2: multi_connchanged() moved from multi.c, only used for h2
  • http2: verify :athority in push promise requests
  • http: make adding a blank header thread-safe
  • http: send payload when (proxy) authentication is done
  • http: set state.infilesize when sending multipart formposts
  • makefile: make checksrc and hugefile commands "silent"
  • mbedtls: make it build even if MBEDTLS_VERSION_C isn't set
  • mbedtls: release sessionid resources on error
  • memdebug: log pointer before freeing its data
  • memdebug: make debug-specific functions use curl_dbg_ prefix
  • mime: put the boundary buffer into the curl_mime struct
  • multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME
  • multi: remove verbose "Expire in" ... messages
  • multi: removed unused code for request retries
  • multi: support verbose conncache closure handle
  • negotiate: fix for HTTP POST with Negotiate
  • openssl: add support for TLS ASYNC state
  • openssl: if cert type is ENG and no key specified, key is ENG too
  • pretransfer: don't strlen() POSTFIELDS set for GET requests
  • rand: Fix a mismatch between comments in source and header
  • runtests: detect "schannel" as an alias for "winssl"
  • schannel: be quiet - remove verbose output
  • schannel: close TLS before removing conn from cache
  • schannel: support CALG_ECDH_EPHEM algorithm
  • scripts/completion.pl: also generate fish completion file
  • singlesocket: fix the 'sincebefore' placement
  • source: fix two 'nread' may be used uninitialized warnings
  • ssh: fix Condition '!status' is always true
  • ssh: loop the state machine if not done and not blocking
  • strerror: make the strerror function use local buffers
  • system_win32: move win32_init here from easy.c
  • test578: make it read data from the correct test
  • tests: Fixed XML validation errors in some test files
  • tests: add stderr comparison to the test suite
  • tests: fix multiple may be used uninitialized warnings
  • threaded-resolver: shutdown the resolver thread without error message
  • tool_cb_wrt: fix writing to Windows null device NUL
  • tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr
  • tool_operate: build on AmigaOS
  • tool_operate: fix typecheck warning
  • transfer.c: do not compute length of undefined hex buffer
  • travis: add build using gnutls
  • travis: add scan-build
  • travis: bump the used wolfSSL version to 4.0.0
  • travis: enable valgrind for the iconv tests
  • travis: use updated compiler versions: clang 7 and gcc 8
  • unit1307: require FTP support
  • unit1651: survive curl_easy_init() fails
  • url/idnconvert: remove scan for

New in cURL 7.64.0 (Feb 6, 2019)

  • Changes:
  • cookies: leave secure cookies alone
  • hostip: support wildcard hosts
  • http: Implement trailing headers for chunked transfers
  • http: added options for allowing HTTP/0.9 responses
  • timeval: Use high resolution timestamps on Windows
  • Bugfixes:
  • CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
  • CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
  • CVE-2019-3823: SMTP end-of-response out-of-bounds read
  • FAQ: remove mention of sourceforge for github
  • OS400: handle memory error in list conversion
  • OS400: upgrade ILE/RPG binding.
  • README: add codacy code quality badge
  • Revert http_negotiate: do not close connection
  • THANKS: added several missing names from year

New in cURL 7.63.0 (Dec 12, 2018)

  • Changes:
  • curl: add %{stderr} and %{stdout} for --write-out
  • curl: add undocumented option --dump-module-paths for win32
  • setopt: add CURLOPT_CURLU
  • Bugfixes:
  • (lib)curl.rc: fixup for minor bugs
  • CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
  • CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description
  • CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
  • Curl_follow: accept non-supported schemes for "fake" redirects
  • KNOWN_BUGS: add --proxy-any connection issue
  • NTLM: Remove redundant ifdef USE_OPENSSL
  • NTLM: force the connection to HTTP/1.1
  • OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
  • SECURITY-PROCESS: bountygraph shuts down again
  • TODO: Have the URL API offer IDN decoding
  • ares: remove fd from multi fd set when ares is about to close the fd
  • axtls: removed
  • checksrc: add COPYRIGHTYEAR check
  • cmake: fix MIT/Heimdal Kerberos detection
  • configure: include all libraries in ssl-libs fetch
  • configure: show CFLAGS, LDFLAGS etc in summary
  • connect: fix building for recent versions of Minix
  • cookies: create the cookiejar even if no cookies to save
  • cookies: expire "Max-Age=0" immediately
  • curl: --local-port range was not "including"
  • curl: fix --local-port integer overflow
  • curl: fix memory leak reading --writeout from file
  • curl: fixed UTF-8 in current console code page (Windows)
  • curl_easy_perform: fix timeout handling
  • curl_global_sslset(): id == -1 is not necessarily an error
  • curl_multibyte: fix a malloc overcalculation
  • curle: move deprecated error code to ifndef block
  • docs: curl_formadd field and file names are now escaped
  • docs: escape "n" codes
  • doh: fix memory leak in OOM situation
  • doh: make it work for h2-disabled builds too
  • examples/ephiperfifo: report error when epoll_ctl fails
  • ftp: avoid two unsigned int overflows in FTP listing parser
  • host names: allow trailing dot in name resolve, then strip it
  • http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
  • http: don't set CURLINFO_CONDITION_UNMET for http status code 204
  • http: fix HTTP Digest auth to include query in URI
  • http_negotiate: do not close connection until negotiation is completed
  • impacket: add LICENSE
  • infof: clearly indicate truncation
  • ldap: fix LDAP URL parsing regressions
  • libcurl: stop reading from paused transfers
  • mprintf: avoid unsigned integer overflow warning
  • netrc: don't ignore the login name specified with "--user"
  • nss: Fall back to latest supported SSL version
  • nss: Fix compatibility with nss versions 3.14 to 3.15
  • nss: fix fallthrough comment to fix picky compiler warning
  • nss: remove version selecting dead code
  • nss: set default max-tls to 1.3/1.2
  • openssl: Remove SSLEAY leftovers
  • openssl: do not log excess "TLS app data" lines for TLS 1.3
  • openssl: do not use file BIOs if not requested
  • openssl: fix unused variable compiler warning with old openssl
  • openssl: support session resume with TLS 1.3
  • openvms: fix example name
  • os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
  • os400: add CURLOPT_CURLU to ILE/RPG binding
  • os400: fix return type of curl_easy_pause() in ILE/RPG binding
  • packages: remove old leftover files and dirs
  • pop3: only do APOP with a valid timestamp
  • runtests: use the local curl for verifying
  • schannel: be consistent in Schannel capitalization
  • schannel: better CURLOPT_CERTINFO support
  • schannel: use Curl_ prefix for global private symbols
  • snprintf: renamed and we now only use msnprintf()
  • ssl: fix compilation with OpenSSL 0.9.7
  • ssl: replace all internal uses of CURLE_SSL_CACERT
  • symbols-in-versions: add missing CURLU_ symbols
  • test328: verify Content-Encoding: none
  • tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
  • tests: drop http_pipe.py script no longer used
  • tool_cb_wrt: Silence function cast compiler warning
  • tool_doswin: Fix uninitialized field warning
  • travis: build with clang sanitizers
  • travis: remove curl before a normal build
  • url: a short host name + port is not a scheme
  • url: fix IPv6 numeral address parser
  • urlapi: only skip encoding the first '=' with APPENDQUERY set

New in cURL 7.62.0 (Oct 31, 2018)

  • Changes:
  • multiplex: enable by default
  • url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
  • setopt: add CURLOPT_DOH_URL
  • curl: --doh-url added
  • setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
  • imap: change from "FETCH" to "UID FETCH"
  • configure: add option to disable automatic OpenSSL config loading
  • upkeep: add a connection upkeep API: curl_easy_upkeep()
  • URL-API: added five new functions
  • vtls: MesaLink is a new TLS backend
  • Bugfixes:
  • CVE-2018-16839: SASL password overflow via integer overflow
  • CVE-2018-16840: use-after-free in handle close
  • CVE-2018-16842: warning message out-of-buffer read
  • CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated
  • Curl_dedotdotify(): always nul terminate returned string
  • Curl_follow: Always free the passed new URL
  • Curl_http2_done: fix memleak in error path
  • Curl_retry_request: fix memory leak
  • Curl_saferealloc: Fixed typo in docblock
  • FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
  • GnutTLS: TLS 1.3 support
  • SECURITY-PROCESS: mention the bountygraph program
  • VS projects: add USE_IPV6:
  • Windows: fixes for MinGW targeting Windows Vista
  • anyauthput: fix compiler warning on 64-bit Windows
  • appveyor: add WinSSL builds
  • appveyor: run test suite (on Windows!)
  • certs: generate tests certs with sha256 digest algorithm
  • checksrc: enable strict mode and warnings
  • checksrc: handle zero scoped ignore commands
  • cmake: Backport to work with CMake 3.0 again
  • cmake: Improve config installation
  • cmake: add support for transitive ZLIB target
  • cmake: disable -Wpedantic-ms-format
  • cmake: don't require OpenSSL if USE_OPENSSL=OFF
  • cmake: fixed path used in generation of docs/tests
  • cmake: remove unused *SOCKLEN_T variables
  • cmake: suppress MSVC warning C4127 for libtest
  • cmake: test and set missed defines during configuration
  • comment: Fix multiple typos in function parameters
  • config: Remove unused SIZEOF_VOIDP
  • config_win32: enable LDAPS
  • configure: force-use -lpthreads on HPUX
  • configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
  • configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
  • cookies: Remove redundant expired check
  • cookies: fix leak when writing cookies to file
  • curl-config.in: remove dependency on bc
  • curl.1: --ipv6 mutexes ipv4 (fixed typo)
  • curl: enabled Windows VT Support and UTF-8 output
  • curl: update the documentation of --tlsv1.0
  • curl_multi_wait: call getsock before figuring out timeout
  • curl_ntlm_wb: check aprintf() return codes
  • curl_threads: fix classic MinGW compile break
  • darwinssl: Fix realloc memleak
  • darwinssl: more specific and unified error codes
  • data-binary.d: clarify default content-type is x-www-form-urlencoded
  • docs/BUG-BOUNTY: explain the bounty program
  • docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers
  • docs/CIPHERS: fix the TLS 1.3 cipher names
  • docs/CIPHERS: mention the colon separation for OpenSSL
  • docs/examples: URL updates
  • docs: add "see also" links for SSL options
  • example/asiohiper: insert warning comment about its status
  • example/htmltidy: fix include paths of tidy libraries
  • examples/Makefile.m32: sync with core
  • examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
  • examples/parseurl.c: show off the URL API
  • examples: Fix memory leaks from realloc errors
  • examples: do not wait when no transfers are running
  • ftp: include command in Curl_ftpsend sendbuffer
  • gskit: make sure to terminate version string
  • gtls: Values stored to but never read
  • hostip: fix check on Curl_shuffle_addr return value
  • http2: fix memory leaks on error-path
  • http: fix memleak in rewind error path
  • krb5: fix memory leak in krb_auth
  • ldap: show precise LDAP call in error message on Windows
  • lib: fix gcc8 warning on Windows
  • memory: add missing curl_printf header
  • memory: ensure to check allocation results
  • multi: Fix error handling in the SENDPROTOCONNECT state
  • multi: fix memory leak in content encoding related error path
  • multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
  • netrc: free temporary strings if memory allocation fails
  • nss: fix nssckbi module loading on Windows
  • nss: try to connect even if libnssckbi.so fails to load
  • ntlm_wb: Fix memory leaks in ntlm_wb_response
  • ntlm_wb: bail out if the response gets overly large
  • openssl: assume engine support in 0.9.8 or later
  • openssl: enable TLS 1.3 post-handshake auth
  • openssl: fix gcc8 warning
  • openssl: load built-in engines too
  • openssl: make 'done' a proper boolean
  • openssl: output the correct cipher list on TLS 1.3 error
  • openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
  • openssl: show "proper" version number for libressl builds
  • pipelining: deprecated
  • rand: add comment to skip a clang-tidy false positive
  • rtmp: fix for compiling with lwIP
  • runtests: ignore disabled even when ranges are given
  • runtests: skip ld_preload tests on macOS
  • runtests: use Windows paths for Windows curl
  • schannel: unified error code handling
  • sendf: Fix whitespace in infof/failf concatenation
  • ssh: free the session on init failures
  • ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
  • system.h: use proper setting with Sun C++ as well
  • test1299: use single quotes around asterisk
  • test1452: mark as flaky
  • test1651: unit test Curl_extract_certinfo()
  • test320: strip out more HTML when comparing
  • tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
  • tests: add unit tests for url.c
  • timeval: fix use of weak symbol clock_gettime() on Apple platforms
  • tool_cb_hdr: handle failure of rename()
  • travis: add a "make tidy" build that runs clang-tidy
  • travis: add build for "configure --disable-verbose"
  • travis: bump the Secure Transport build to use xcode
  • travis: make distcheck scan for BOM markers
  • unit1300: fix stack-use-after-scope AddressSanitizer warning
  • urldata: Fix "connecting" comment
  • urlglob: improve error message on bad globs
  • vtls: fix ssl version "or later" behavior change for many backends
  • x509asn1: Fix SAN IP address verification
  • x509asn1: always check return code from getASN1Element()
  • x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
  • x509asn1: suppress left shift on signed value

New in cURL 7.61.1 (Sep 6, 2018)

  • Bugfixes:
  • security advisory (CVE-2018-14618): NTLM password overflow via integer overflow
  • CURLINFO_SIZE_UPLOAD: fix missing counter update
  • CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
  • CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse
  • Curl_getoff_all_pipelines: improved for multiplexed
  • DEPRECATE: remove release date from 7.62.0
  • HTTP: Don't attempt to needlessly decompress redirect body
  • INTERNALS: require GnuTLS >= 2.11.3
  • README.md: add LGTM.com code quality grade for C/C++
  • SSLCERTS: improve the openssl command line
  • Silence GCC 8 cast-function-type warnings
  • ares: check for NULL in completed-callback
  • asyn-thread: Remove unused macro
  • auth: only pick CURLAUTH_BEARER if we *have* a Bearer token
  • auth: pick Bearer authentication whenever a token is available
  • cmake: CMake config files are defining CURL_STATICLIB for static builds
  • cmake: Respect BUILD_SHARED_LIBS
  • cmake: Update scripts to use consistent style
  • cmake: bumped minimum version to 3.4
  • cmake: link curl to the OpenSSL targets instead of lib absolute paths
  • configure: conditionally enable pedantic-errors
  • configure: fix for -lpthread detection with OpenSSL and pkg-config
  • conn: remove the boolean 'inuse' field
  • content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
  • cookie tests: treat files as text
  • cookies: support creation-time attribute for cookies
  • curl: Fix segfault when -H @headerfile is empty
  • curl: add http code 408 to transient list for --retry
  • curl: fix time-of-check, time-of-use race in dir creation
  • curl: use Content-Disposition before the "URL end" for -OJ
  • curl: warn the user if a given file name looks like an option
  • curl_threads: silence bad-function-cast warning
  • darwinssl: add support for ALPN negotiation
  • docs/CURLOPT_URL: fix indentation
  • docs/CURLOPT_WRITEFUNCTION: size is always 1
  • docs/SECURITY-PROCESS: mention bounty, drop pre-notify
  • docs/examples: add hiperfifo example using linux epoll/timerfd
  • docs: add disallow-username-in-url.d and haproxy-protocol.d to dist
  • docs: clarify NO_PROXY env variable functionality
  • docs: improved the manual pages of some callbacks
  • docs: mention NULL is fine input to several functions
  • formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT
  • gopher: Do not translate `?' to ` '
  • header output: switch off all styles, not just unbold
  • hostip: fix unused variable warning
  • http2: Use correct format identifier for stream_id
  • http2: abort the send_callback if not setup yet
  • http2: avoid set_stream_user_data() before stream is assigned
  • http2: check nghttp2_session_set_stream_user_data return code
  • http2: clear the drain counter in Curl_http2_done
  • http2: make sure to send after RST_STREAM
  • http2: separate easy handle from connections better
  • http: fix for tiny "HTTP/0.9" response
  • http_proxy: Remove unused macro SELECT_TIMEOUT
  • lib/Makefile: only do symbol hiding if told to
  • lib1502: fix memory leak in torture test
  • lib1522: fix curl_easy_setopt argument type
  • libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation
  • mime: check Curl_rand_hex's return code
  • multi: always do the COMPLETED procedure/state
  • openssl: assume engine support in 1.0.0 or later
  • openssl: fix debug messages
  • projects: Improve Windows perl detection in batch scripts
  • retry: return error if rewind was necessary but didn't happen
  • reuse_conn(): memory leak - free old_conn->options
  • schannel: client certificate store opening fix
  • schannel: enable CALG_TLS1PRF for w32api >= 5.1
  • schannel: fix MinGW compile break
  • sftp: don't send post-quote sequence when retrying a connection
  • smb: fix memory leak on early failure
  • smb: fix memory-leak in URL parse error path
  • smb_getsock: always wait for write socket too
  • ssh-libssh: fix infinite connect loop on invalid private key
  • ssh-libssh: reduce excessive verbose output about pubkey auth
  • ssh-libssh: use FALLTHROUGH to silence gcc8
  • ssl: set engine implicitly when a PKCS#11 URI is provided
  • sws: handle EINTR when calling select()
  • system_win32: fix version checking
  • telnet: Remove unused macros TELOPTS and TELCMDS
  • test1143: disable MSYS2's POSIX path conversion
  • test1148: disable if decimal separator is not point
  • test1307: (fnmatch testing) disabled
  • test1422: add required file feature
  • test1531: Add timeout
  • test1540: Remove unused macro TEST_HANG_TIMEOUT
  • test214: disable MSYS2's POSIX path conversion for URL
  • test320: treat curl320.out file as binary
  • tests/http_pipe.py: Use /usr/bin/env to find python
  • tests: Don't use Windows path %PWD for SSH tests
  • tests: fixes for Windows line endlings
  • tool_operate: Fix setting proxy TLS 1.3 ciphers
  • travis: build darwinssl on macos 10.12 to fix linker errors
  • travis: execute "set -eo pipefail" for coverage build
  • travis: run a 'make checksrc' too
  • travis: update to GCC-8
  • travis: verify that man pages can be regenerated
  • upload: allocate upload buffer on-demand
  • upload: change default UPLOAD_BUFSIZE to 64KB
  • urldata: remove unused pipe_broke struct field
  • vtls: reinstantiate engine on duplicated handles
  • windows: implement send buffer tuning
  • wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random

New in cURL 7.61.0 (Jul 11, 2018)

  • Changes:
  • getinfo: add microsecond precise timers for seven intervals
  • curl: show headers in bold, switch off with --no-styled-output
  • httpauth: add support for Bearer tokens
  • Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
  • curl: --tls13-ciphers and --proxy-tls13-ciphers
  • Add CURLOPT_DISALLOW_USERNAME_IN_URL
  • curl: --disallow-username-in-url
  • Bugfixes:
  • CVE-2018-0500: smtp: fix SMTP send buffer overflow
  • schannel: disable client cert option if APIs not available
  • schannel: disable manual verify if APIs not available
  • tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
  • openssl: acknowledge --tls-max for default version too
  • stub_gssapi: fix 'unused parameter' warnings
  • examples/progressfunc: make it build on both new and old libcurls
  • docs: mention it is HA Proxy protocol "version 1"
  • curl_fnmatch: only allow two asterisks for matching
  • docs: clarify CURLOPT_HTTPGET
  • configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
  • configure: do compile-time SIZEOF checks instead of run-time
  • checksrc: make sure sizeof() is used *with* parentheses
  • CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
  • schannel: make CAinfo parsing resilient to CR/LF
  • tftp: make sure error is zero terminated before printfing it
  • http resume: skip body if http code 416 (range error) is ignored
  • configure: add basic test of --with-ssl prefix
  • cmake: set -d postfix for debug builds
  • multi: provide a socket to wait for in Curl_protocol_getsock
  • content_encoding: handle zlib versions too old for Z_BLOCK
  • winbuild: only delete OUTFILE if it exists
  • winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
  • schannel: add failf calls for client certificate failures
  • cmake: Fix the test for fsetxattr and strerror_r
  • curl.1: Fix cmdline-opts reference errors
  • cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
  • cmake: check for getpwuid_r
  • configure: fix ssh2 linking when built with a static mbedtls
  • psl: use latest psl and refresh it periodically
  • fnmatch: insist on escaped bracket to match
  • KNOWN_BUGS: restore text regarding #2101
  • INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
  • configure: override AR_FLAGS to silence warning
  • os400: implement mime api EBCDIC wrappers
  • curl.rc: embed manifest for correct Windows version detection
  • strictness: correct {infof, failf} format specifiers
  • tests: update .gitignore for libtests
  • configure: check for declaration of getpwuid_r
  • fnmatch: use the system one if available
  • CURLOPT_RESOLVE: always purge old entry first
  • multi: remove a potentially bad DEBUGF()
  • curl_addrinfo: use same #ifdef conditions in source as header
  • build: remove the Borland specific makefiles
  • axTLS: not considered fit for use
  • cmdline-opts/cert-type.d: mention "p12" as a recognized type
  • system.h: add support for IBM xlc C compiler
  • tests/libtest: Add lib1521 to nodist_SOURCES
  • mk-ca-bundle.pl: leave certificate name untouched
  • boringssl + schannel: undef X509_NAME in lib/schannel.h
  • openssl: assume engine support in 1.0.1 or later
  • cppcheck: fix warnings
  • test 46: make test pass after year 2025
  • schannel: support selecting ciphers
  • Curl_debug: remove dead printhost code
  • test 1455: unflakified
  • Curl_init_do: handle NULL connection pointer passed in
  • progress: remove a set of unused defines
  • mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
  • GOVERNANCE.md: explains how this project is run
  • configure: use pkg-config for c-ares detection
  • configure: enhance ability to build with static openssl
  • maketgz: fix sed issues on OSX
  • multi: fix memory leak when stopped during name resolve
  • CURLOPT_INTERFACE.3: interface names not supported on Windows
  • url: fix dangling conn->data pointer
  • cmake: allow multiple SSL backends
  • system.h: fix for gcc on 32 bit OpenServer
  • ConnectionExists: make sure conn->data is set when "taking" a connection
  • multi: fix crash due to dangling entry in connect-pending list
  • CURLOPT_SSL_VERIFYPEER.3: Add performance note
  • netrc: use a larger buffer to support longer passwords
  • url: check Curl_conncache_add_conn return code
  • configure: Add dependent libraries after crypto
  • easy_perform: faster local name resolves by using *multi_timeout()
  • getnameinfo: not used, removed all configure checks
  • travis: add a build using the synchronous name resolver
  • CURLINFO_TLS_SSL_PTR.3: improve the example
  • openssl: allow TLS 1.3 by default
  • openssl: make the requested TLS version the *minimum* wanted
  • openssl: Remove some dead code
  • telnet: fix clang warnings
  • DEPRECATE: new doc describing planned item removals
  • example/crawler.c: simple crawler based on libxml2
  • libssh: goto DISCONNECT state on error, not SESSION_FREE
  • CMake: Remove unused functions
  • darwinssl: allow High Sierra users to build the code using GCC
  • scripts: include _curl as part of CLEANFILES

New in cURL 7.60.0 (May 16, 2018)

  • Changes:
  • Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
  • Add --haproxy-protocol for the command line tool
  • Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses
  • Bugfixes:
  • FTP: shutdown response buffer overflow CVE-2018-1000300
  • RTSP: bad headers buffer over-read CVE-2018-1000301
  • FTP: fix typo in recursive callback detection for seeking
  • test1208: marked flaky
  • HTTP: make header-less responses still count correct body size
  • user-agent.d:: mention --proxy-header as well
  • http2: fixes typo
  • cleanup: misc typos in strings and comments
  • rate-limit: use three second window to better handle high speeds
  • examples/hiperfifo.c: improved
  • pause: when changing pause state, update socket state
  • multi: improved pending transfers handling => improved performance
  • curl_version_info.3: fix ssl_version description
  • add_handle/easy_perform: clear errorbuffer on start if set
  • darwinssl: fix iOS build
  • cmake: add support for brotli
  • parsedate: support UT timezone
  • vauth/ntlm.h: fix the #ifdef header guard
  • lib/curl_path.h: added #ifdef header guard
  • vauth/cleartext: fix integer overflow check
  • CURLINFO_COOKIELIST.3: made the example not leak memory
  • cookie.d: mention that "-" as filename means stdin
  • CURLINFO_SSL_VERIFYRESULT.3: fixed the example
  • http2: read pending frames (including GOAWAY) in connection-check
  • timeval: remove compilation warning by casting
  • cmake: avoid warn-as-error during config checks
  • travis-ci: enable -Werror for CMake builds
  • openldap: fix for NULL return from ldap_get_attribute_ber()
  • threaded resolver: track resolver time and set suitable timeout values
  • cmake: Add advapi32 as explicit link library for win32
  • docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
  • test1148: set a fixed locale for the test
  • cookies: when reading from a file, only remove_expired once
  • cookie: store cookies per top-level-domain-specific hash table
  • openssl: fix build with LibreSSL 2.7
  • tls: fix mbedTLS 2.7.0 build + handle sha256 failures
  • openssl: RESTORED verify locations when verifypeer==0
  • file: restore old behavior for file:////foo/bar URLs
  • FTP: allow PASV on IPv6 connections when a proxy is being used
  • build-openssl.bat: allow custom paths for VS and perl
  • winbuild: make the clean target work without build-type
  • build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
  • curl: retry on FTP 4xx, ignore other protocols
  • configure: detect (and use) sa_family_t
  • examples/sftpuploadresume: Fix Windows large file seek
  • build: cleanup to fix clang warnings/errors
  • winbuild: updated the documentation
  • lib: silence null-dereference warnings
  • travis: bump to clang 6 and gcc 7
  • travis: build libpsl and make builds use it
  • proxy: show getenv proxy use in verbose output
  • duphandle: make sure CURLOPT_RESOLVE is duplicated
  • all: Refactor malloc+memset to use calloc
  • checksrc: Fix typo
  • system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
  • vauth: Fix typo
  • ssh: show libSSH2 error code when closing fails
  • test1148: tolerate progress updates better
  • urldata: make service names unconditional
  • configure: keep LD_LIBRARY_PATH changes local
  • ntlm_sspi: fix authentication using Credential Manager
  • schannel: add client certificate authentication
  • winbuild: Support custom devel paths for each dependency
  • schannel: add support for CURLOPT_CAINFO
  • http2: handle on_begin_headers() called more than once
  • openssl: support OpenSSL 1.1.1 verbose-mode trace messages
  • openssl: fix subjectAltName check on non-ASCII platforms
  • http2: avoid strstr() on data not zero terminated
  • http2: clear the "drain counter" when a stream is closed
  • http2: handle GOAWAY properly
  • tool_help: clarify --max-time unit of time is seconds
  • curl.1: clarify that options and URLs can be mixed
  • http2: convert an assert to run-time check
  • curl_global_sslset: always provide available backends
  • ftplistparser: keep state between invokes
  • Curl_memchr: zero length input can't match
  • examples/sftpuploadresume: typecast fseek argument to long
  • examples/http2-upload: expand buffer to avoid silly warning
  • ctype: restore character classification for non-ASCII platforms
  • mime: avoid NULL pointer dereference risk
  • cookies: ensure that we have cookies before writing jar
  • os400.c: fix checksrc warnings
  • configure: provide --with-wolfssl as an alias for --with-cyassl
  • cyassl: adapt to libraries without TLS 1.0 support built-in
  • http2: get rid of another strstr
  • checksrc: force indentation of lines after an else
  • cookies: remove unused macro
  • CURLINFO_PROTOCOL.3: mention the existing defined names
  • tests: provide 'manual' as a feature to optionally require
  • travis: enable libssh2 on both macos and Linux
  • CURLOPT_URL.3: added ENCODING section
  • wolfssl: Fix non-blocking connect
  • vtls: don't define MD5_DIGEST_LENGTH for wolfssl
  • docs: remove extraneous commas in man pages
  • URL: fix ASCII dependency in strcpy_url and strlen_url
  • ssh-libssh.c: fix left shift compiler warning
  • configure: only check for CA bundle for file-using SSL backends
  • travis: add an mbedtls build
  • http: don't set the "rewind" flag when not uploading anything
  • configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
  • transfer: don't unset writesockfd on setup of multiplexed conns
  • vtls: use unified "supports" bitfield member in backends
  • URLs: fix one more http url
  • travis: add a build using WolfSSL
  • openssl: change FILE ops to BIO ops
  • travis: add build using NSS
  • smb: reject negative file sizes
  • cookies: accept parameter names as cookie name
  • http2: getsock fix for uploads
  • all over: fixed format specifiers
  • http2: use the correct function pointer typedef

New in cURL 7.59.0 (Mar 14, 2018)

  • Changes:
  • curl: add --proxy-pinnedpubkey
  • added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
  • CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
  • Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
  • Add new tool option --happy-eyeballs-timeout-ms
  • Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA
  • Bugfixes:
  • openldap: check ldap_get_attribute_ber() results for NULL before using
  • FTP: reject path components with control codes
  • readwrite: make sure excess reads don't go beyond buffer end
  • lib555: drop text conversion and encode data as ascii codes
  • lib517: make variable static to avoid compiler warning
  • lib544: sync ascii code data with textual data
  • GSKit: restore pinnedpubkey functionality
  • darwinssl: Don't import client certificates into Keychain on macOS
  • parsedate: fix date parsing for systems with 32 bit long
  • openssl: fix pinned public key build error in FIPS mode
  • SChannel/WinSSL: Implement public key pinning
  • cookies: remove verbose "cookie size:" output
  • progress-bar: don't use stderr explicitly, use bar->out
  • Fixes for MSDOS
  • build: open VC15 projects with VS 2017
  • curl_ctype: private is*() type macros and functions
  • configure: set PATH_SEPARATOR to colon for PATH w/o separator
  • winbuild: make linker generate proper PDB
  • curl_easy_reset: clear digest auth state
  • curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
  • range: commonize FTP and FILE range handling
  • progress-bar docs: update to match implementation
  • fnmatch: do not match the empty string with a character set
  • fnmatch: accept an alphanum to be followed by a non-alphanum in char set
  • build: fix termios issue on android cross-compile
  • getdate: return -1 for out of range
  • formdata: use the mime-content type function
  • time-cond: fix reading the file modification time on Windows
  • build-openssl.bat: Extend VC15 support to include Enterprise and Professional
  • build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
  • openssl: Don't add verify locations when verifypeer==0
  • fnmatch: optimize processing of consecutive *s and ?s pattern characters
  • schannel: fix compiler warnings
  • content_encoding: Add "none" alias to "identity"
  • get_posix_time: only check for overflows if they can happen
  • http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING
  • README: language fix
  • sha256: build with OpenSSL < 0.9.8
  • smtp: fix processing of initial dot in data
  • --tlsauthtype: works only if libcurl is built with TLS-SRP support
  • tests: new tests for http raw mode
  • libcurl-security.3: man page discussion security concerns when using libcurl
  • curl_gssapi: make sure this file too uses our *printf()
  • BINDINGS: fix curb link (and remove ruby-curl-multi)
  • nss: use PK11_CreateManagedGenericObject() if available
  • travis: add build with iconv enabled
  • ssh: add two missing state names
  • CURLOPT_HEADERFUNCTION.3: mention folded headers
  • http: fix the max header length detection logic
  • header callback: don't chop headers into smaller pieces
  • CURLOPT_HEADER.3: clarify problems with different data sizes
  • curl --version: show PSL if the run-time lib has it enabled
  • examples/sftpuploadresume: resume upload via CURLOPT_APPEND
  • Return error if called recursively from within callbacks
  • sasl: prefer PLAIN mechanism over LOGIN
  • winbuild: Use CALL to run batch scripts
  • curl_share_setopt.3: connection cache is shared within multi handles
  • winbuild: Use macros for the names of some build utilities
  • projects/README: remove reference to dead IDN link/package
  • lib655: silence compiler warning
  • configure: Fix version check for OpenSSL 1.1.1
  • docs/MANUAL: formfind.pl is not accessible on the site anymore
  • unit1309: fix warning on Windows x64
  • unit1307: proper cleanup on OOM to fix torture tests
  • curl_ctype: fix macro redefinition warnings
  • build: get CFLAGS (including -werror) used for examples and tests
  • NO_PROXY: fix for IPv6 numericals in the URL
  • krb5: use nondeprecated functions
  • winbuild: prefer documented zlib library names
  • http2: mark the connection for close on GOAWAY
  • limit-rate: kick in even before "limit" data has been received
  • HTTP: allow "header;" to replace an internal header with a blank one
  • http2: verbose output new MAX_CONCURRENT_STREAMS values
  • SECURITY: distros' max embargo time is 14 days
  • curl tool: accept --compressed also if Brotli is enabled and zlib is not
  • WolfSSL: adding TLSv1.3
  • checksrc.pl: add -i and -m options
  • CURLOPT_COOKIEFILE.3: "-" as file name means stdin

New in cURL 7.58.0 (Jan 25, 2018)

  • Changes:
  • new libssh-powered SSH SCP/SFTP back-end
  • curl-config: add --ssl-backends
  • Bugfixes:
  • http2: fix incorrect trailer buffer size
  • http: prevent custom Authorization headers in redirects
  • travis: add boringssl build
  • examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
  • SSL: Avoid magic allocation of SSL backend specific data
  • lib: don't export all symbols, just everything curl_*
  • libssh2: send the correct CURLE error code on scp file not found
  • libssh2: return CURLE_UPLOAD_FAILED on failure to upload
  • openssl: enable pkcs12 in boringssl builds
  • libssh2: remove dead code from SSH_SFTP_QUOTE
  • sasl_getmesssage: make sure we have a long enough string to pass
  • conncache: fix several lock issues
  • threaded-shared-conn.c: new example
  • conncache: only allow multiplexing within same multi handle
  • configure: check for netinet/in6.h
  • URL: tolerate backslash after drive letter for FILE:
  • openldap: add commented out debug possibilities
  • include: get netinet/in.h before linux/tcp.h
  • CONNECT: keep close connection flag in http_connect_state struct
  • BINDINGS: another PostgreSQL client
  • curl: limit -# update frequency for unknown total size
  • configure: add AX_CODE_COVERAGE only if using gcc
  • curl.h: remove incorrect comment about ERRORBUFFER
  • openssl: improve data-pending check for https proxy
  • curl: remove __EMX__ #ifdefs
  • CURLOPT_PRIVATE.3: fix grammar
  • sftp: allow quoted commands to use relative paths
  • CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
  • RESOLVE: output verbose text when trying to set a duplicate name
  • openssl: Disable file buffering for Win32 SSLKEYLOGFILE
  • multi_done: prune DNS cache
  • tests: update .gitignore for libtests
  • tests: mark data files as non-executable in git
  • CURLOPT_DNS_LOCAL_IP4.3: fixed the "SEE ALSO" to not self-reference
  • curl.1: documented two missing valid exit codes
  • curl.1: mention http:// and https:// as valid proxy prefixes
  • vtls: replaced getenv() with curl_getenv()
  • setopt: less *or equal* than INT_MAX/1000 should be fine
  • examples/smtp-mail.c: use separate defines for options and mail
  • curl: support >256 bytes warning messsages
  • conncache: fix a return code
  • krb5: fix a potential access of uninitialized memory
  • rand: add a clang-analyzer work-around
  • CURLOPT_READFUNCTION.3: refer to argument with correct name
  • brotli: allow compiling with version 0.6.0
  • content_encoding: rework zlib_inflate
  • curl_easy_reset: release mime-related data
  • examples/rtsp: fix error handling macros
  • build-openssl.bat: Added support for VC15
  • build-wolfssl.bat: Added support for VC15
  • build: Added Visual Studio 2017 project files
  • winbuild: Added support for VC15
  • curl: Support size modifiers for --max-filesize
  • examples/cacertinmem: ignore cert-already-exists error
  • brotli: data at the end of content can be lost
  • curl_version_info.3: call the argument 'age'
  • openssl: fix memory leak of SSLKEYLOGFILE filename
  • build: remove HAVE_LIMITS_H check
  • --mail-rcpt: fix short-text description
  • scripts: allow all perl scripts to be run directly
  • progress: calculate transfer speed on milliseconds if possible
  • system.h: check __LONG_MAX__ for defining curl_off_t
  • easy: fix connection ownership in curl_easy_pause
  • setopt: reintroduce non-static Curl_vsetopt() for OS400 support
  • setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
  • configure.ac: append extra linker flags instead of prepending them
  • HTTP: bail out on negative Content-Length: values
  • docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
  • mime: clone mime tree upon easy handle duplication
  • openssl: enable SSLKEYLOGFILE support by default
  • smtp/pop3/imap_get_message: decrease the data length too...
  • CURLOPT_TCP_NODELAY.3: fix typo
  • SMB: fix numeric constant suffix and variable types
  • ftp-wildcard: fix matching an empty string with "*[^a]"
  • curl_fnmatch: only allow 5 '*' sections in a single pattern
  • openssl: fix potential memory leak in SSLKEYLOGFILE logic
  • SSH: Fix state machine for ssh-agent authentication
  • examples/url2file.c: add missing curl_global_cleanup() call
  • http2: don't close connection when single transfer is stopped
  • libcurl-env.3: first version
  • curl: progress bar refresh, get width using ioctl()
  • CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support

New in cURL 7.57.0 (Nov 29, 2017)

  • Changes:
  • auth: add support for RFC7616 - HTTP Digest access authentication
  • share: add support for sharing the connection cache
  • HTTP: implement Brotli content encoding
  • Bugfixes:
  • CVE-2017-8816: NTLM buffer overflow via integer overflow
  • CVE-2017-8817: FTP wildcard out of bounds read
  • CVE-2017-8818: SSL out of buffer access
  • curl_mime_filedata.3: fix typos
  • libtest: Add required test libraries for lib1552 and lib1553
  • fix time diffs for systems using unsigned time_t
  • ftplistparser: memory leak fix: free temporary memory always
  • multi: allow table handle sizes to be overridden
  • wildcards: don't use with non-supported protocols
  • curl_fnmatch: return error on illegal wildcard pattern
  • transfer: Fix chunked-encoding upload too early exit
  • curl_setup: Improve detection of CURL_WINDOWS_APP
  • resolvers: only include anything if needed
  • setopt: fix CURLOPT_SSH_AUTH_TYPES option read
  • appveyor: add a win32 build
  • Curl_timeleft: change return type to timediff_t
  • cmake: Export libcurl and curl targets to use by other cmake projects
  • curl: in -F option arg, comma is a delimiter for files only
  • curl: improved ";type=" handling in -F option arguments
  • timeval: use mach_absolute_time() on MacOS
  • curlx: the timeval functions are no longer provided as curlx_*
  • mkhelp.pl: do not generate comment with current date
  • memdebug: use send/recv signature for curl_dosend/curl_dorecv
  • cookie: avoid NULL dereference
  • url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
  • include: remove conncache.h inclusion from where its not needed
  • CURLOPT_MAXREDIRS: allow -1 as a value
  • tests: Fixed torture tests on tests 556 and 650
  • http2: Fixed OOM handling in upgrade request
  • url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
  • CURLOPT_INFILESIZE: accept -1
  • curl: pass through [] in URLs instead of calling globbing error
  • curl: speed up handling of many URLs
  • ntlm: avoid malloc(0) for zero length passwords
  • url: remove faulty arg value check from CURLOPT_SSH_AUTH_TYPES
  • HTTP: support multiple Content-Encodings
  • travis: add a job with brotli enabled
  • url: remove unncessary NULL-check
  • fnmatch: remove dead code
  • connect: store IPv6 connection status after valid connection
  • imap: deal with commands case insensitively
  • --interface: add support for Linux VRF
  • content_encoding: fix inflate_stream for no bytes available
  • cmake: Correctly include curl.rc in Windows builds
  • cmake: Add missing setmode check
  • connect.c: remove executable bit on file
  • SMB: fix uninitialized local variable
  • zlib/brotli: only include header files in modules needing them
  • URL: return error on malformed URLs with junk after IPv6 bracket
  • openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
  • macOS: Fix missing connectx function with Xcode version older than 9.0
  • --resolve: allow IP address within [] brackets
  • examples/curlx: Fix code style
  • ntlm: remove unnecessary NULL-check to please scan-build
  • Curl_llist_remove: fix potential NULL pointer deref
  • mime: fix "Value stored to 'sz' is never read" scan-build error
  • openssl: fix "Value stored to 'rc' is never read" scan-build error
  • http2: fix "Value stored to 'hdbuf' is never read" scan-build error
  • http2: fix "Value stored to 'end' is never read" scan-build error
  • Curl_open: fix OOM return error correctly
  • url: reject ASCII control characters and space in host names
  • examples/rtsp: clear RANGE again after use
  • connect: improve the bind error message
  • make: fix "make distclean"
  • connect: add support for new TCP Fast Open API on Linux
  • metalink: fix memory-leak and NULL pointer dereference
  • URL: update "file:" URL handling
  • ssh: remove check for a NULL pointer
  • global_init: ignore CURL_GLOBAL_SSL's absense

New in cURL 7.56.1 (Oct 29, 2017)

  • Bugfixes:
  • imap: if a FETCH response has no size, don't call write callback
  • ftp: UBsan fixup 'pointer index expression overflowed
  • failf: skip the sprintf() if there are no consumers
  • fuzzer: move to using external curl-fuzzer
  • lib/Makefile.m32: allow customizing dll suffixes
  • docs: fix typo in curl_mime_data_cb man page
  • darwinssl: add support for TLSv1.3
  • build: fix --disable-crypto-auth
  • lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
  • openssl: fix build without HAVE_OPAQUE_EVP_PKEY
  • strtoofft: Remove extraneous null check
  • multi_cleanup: call DONE on handles that never got that
  • tests: added flaky keyword to tests 587 and 644
  • pingpong: return error when trying to send without connection
  • remove_handle: call multi_done() first, then clear dns cache pointer
  • mime: be tolerant about setting the same header list twice in a part
  • mime: improve unbinding top multipart from easy handle
  • mime: avoid resetting a part's encoder when part's contents change
  • mime: refuse to add subparts to one of their own descendants
  • RTSP: avoid integer overflow on funny RTSP responses
  • curl: don't pass semicolons when parsing Content-Disposition
  • openssl: enable PKCS12 support for !BoringSSL
  • FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
  • CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
  • CURLOPT_XFERINFODATA.3: fix duplicate see also
  • test298: verify --ftp-method nowcwd with URL encoded path
  • FTP: URL decode path for dir listing in nocwd mode
  • smtp_done: fix memory leak on send failure
  • ftpserver: support case insensitive commands
  • test950; verify SMTP with custom request
  • openssl: don't use old BORINGSSL_YYYYMM macros
  • setopt: update current connection SSL verify params
  • winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
  • curl: reimplement stdin buffering in -F option
  • mime: keep "text/plain" content type if user-specified
  • mime: fix the content reader to handle >16K data properly
  • configure: remove the C++ compiler check
  • memdebug: trace send, recv and socket
  • runtests: use valgrind for torture as well
  • ldap: silence clang warning
  • makefile.m32: allow to override gcc, ar and ranlib
  • setopt: avoid integer overflows when setting millsecond values
  • setopt: range check most long options
  • ftp: reject illegal IP/port in PASV 227 response
  • mime: do not reuse previously computed multipart size
  • vtls: change struct Curl_ssl `close' field name to `close_one'
  • os400: add missing symbols in config file
  • mime: limit bas64-encoded lines length to 76 characters
  • mk-ca-bundle: Remove URL for aurora
  • mk-ca-bundle: Fix URL for NSS

New in cURL 7.55.0 (Aug 12, 2017)

  • Changes:
  • curl: allow --header and --proxy-header read from file
  • getinfo: provide sizes as curl_off_t
  • curl: prevent binary output spewed to terminal
  • curl: added --request-target
  • libcurl: added CURLOPT_REQUEST_TARGET
  • curl: added --socks5-{basic,gssapi}: control socks5 auth
  • libcurl: added CURLOPT_SOCKS5_AUTH
  • Bugfixes:
  • glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
  • tftp: reject file name lengths that don't fit (CVE-2017-1000100)
  • file: output the correct buffer to the user (CVE-2017-1000099)
  • includes: remove curl/curlbuild.h and curl/curlrules.h
  • dist: make the hugehelp.c not get regenerated unnecessarily
  • timers: store internal time stamps as time_t instead of doubles
  • progress: let "current speed" be UL + DL speeds combined
  • http-proxy: do the HTTP CONNECT process entirely non-blocking
  • lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
  • fuzz: bring oss-fuzz initial code converted to C89
  • configure: disable nghttp2 too if HTTP has been disabled
  • mk-ca-bundle.pl: Check curl's exit code after certdata download
  • test1148: verify the -# progressbar
  • tests: stabilize test 2032 and 2033
  • HTTPS-Proxy: don't offer h2 for https proxy connections
  • http-proxy: only attempt FTP over HTTP proxy
  • curl-compilers.m4: enable vla warning for clang
  • curl-compilers.m4: enable double-promotion warning
  • curl-compilers.m4: enable missing-variable-declarations clang warning
  • curl-compilers.m4: enable comma clang warning
  • Makefile.m32: enable -W for MinGW32 build
  • CURLOPT_PREQUOTE: not supported for SFTP
  • http2: fix OOM crash
  • PIPELINING_SERVER_BL: cleanup the internal list use
  • mkhelp.pl: fix script name in usage text
  • lib1521: add curl_easy_getinfo calls to the test set
  • travis: do the distcheck test build out-of-tree as well
  • if2ip: fix compiler warning in ISO C90 mode
  • lib: fix the djgpp build
  • typecheck-gcc: add support for CURLINFO_OFF_T
  • travis: enable typecheck-gcc warnings
  • maketgz: switch to xz instead of lzma
  • CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
  • curl-compilers.m4: fix unknown-warning-option on Apple clang
  • winbuild: fix boringssl build
  • curl/system.h: add check for XTENSA for 32bit gcc
  • test1537: fixed memory leak on OOM
  • test1521: fix compiler warnings
  • curl: fix memory leak on test 1147 OOM
  • libtest/make: generate lib1521.c dynamically at build-time
  • curl_strequal.3: fix typo in SYNOPSIS
  • progress: prevent resetting t_starttransfer
  • openssl: improve fallback seed of PRNG with a time based hash
  • http2: improved PING frame handling
  • test1450: add simple testing for DICT
  • make: build the docs subdir only from within src
  • cmake: Added compatibility options for older Windows versions
  • gtls: fix build when sizeof(long) < sizeof(void *)
  • url: make the original string get used on subsequent transfers
  • timeval.c: Use long long constant type for timeval assignment
  • tool_sleep: typecast to avoid macos compiler warning
  • travis.yml: use --enable-werror on debug builds
  • test1451: add SMB support to the testbed
  • configure: remove checks for 5 functions never used
  • configure: try ldap/lber in reversed order first
  • smb: fix build for djgpp/MSDOS
  • travis: install nghttp2 on linux builds
  • smb: add support for CURLOPT_FILETIME
  • cmake: fix send/recv argument scanner for windows
  • inet_pton: fix include on windows to get prototype
  • select.h: avoid macro redefinition harder
  • cmake: if inet_pton is used, bump _WIN32_WINNT
  • asyn-thread.c: fix unused variable warnings on macOS
  • runtests: support "threaded-resolver" as a feature
  • test506: skip if threaded-resolver
  • cmake: remove spurious "-l" from linker flags
  • cmake: add CURL_WERROR for enabling "warning as errors"
  • memdebug: don't setbuf() if the file open failed
  • curl_easy_escape.3: mention the (lack of) encoding
  • test1452: add telnet negotiation
  • CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
  • cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC
  • tests/valgrind.supp: supress OpenSSL false positive seen on travis
  • curl_setup_once: Remove ERRNO/SET_ERRNO macros
  • curl-compilers.m4: disable warning spam with Cygwin's clang
  • ldap: fix MinGW compiler warning
  • make: fix docs build on OpenBSD
  • curl_setup: always define WIN32_LEAN_AND_MEAN on Windows
  • system.h: include winsock2.h before windows.h
  • winbuild: build with warning level 4
  • rtspd: fix MSVC level 4 warning
  • sockfilt: suppress conversion warning with explicit cast
  • libtest: fix MSVC warning C4706
  • darwinssl: fix pinnedpubkey build error
  • tests/server/resolve.c: fix deprecation warning
  • nss: fix a possible use-after-free in SelectClientCert()
  • checksrc: escape open brace in regex
  • multi: mention integer overflow risk if using > 500 million sockets
  • darwinssl: fix --tlsv1.2 regression
  • timeval: struct curltime is a struct timeval replacement
  • curl_rtmp: fix a compiler warning
  • include.d: clarify that it concerns the response headers
  • cmake: support make uninstall
  • include.d: clarify --include is only for response headers
  • libcurl: Stop using error codes defined under CURL_NO_OLDIES
  • http: fix response code parser to avoid integer overflow
  • configure: fix the check for IdnToUnicode
  • multi: fix request timer management
  • curl_threads: fix MSVC compiler warning
  • travis: build on osx with openssl
  • travis: build on osx with libressl
  • CURLOPT_NETRC.3: mention the file name on windows
  • cmake: set MSVC warning level to 4
  • netrc: skip lines starting with '#'
  • darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
  • BUILD.WINDOWS: mention buildconf.bat for builds off git
  • darwinssl: silence compiler warnings
  • travis: build on osx with darwinssl
  • FTP: skip unnecessary CWD when in nocwd mode
  • gssapi: fix memory leak of output token in multi round context
  • getparameter: avoid returning uninitialized 'usedarg'
  • curl (debug build) easy_events: make event data static
  • curl: detect and bail out early on parameter integer overflows
  • configure: fix recv/send/select detection on Android

New in cURL 7.54.1 (Jun 14, 2017)

  • Changes:
  • curl: show the libcurl release date in --version output
  • Bugfixes:
  • CVE-2017-9502: default protocol drive letter buffer overflow
  • openssl: fix memory leak in servercert
  • tests: remove the html and PDF versions from the tarball
  • mbedtls: enable NTLM (& SMB) even if MD4 support is unavailable
  • typecheck-gcc: handle function pointers properly
  • llist: no longer uses malloc
  • gnutls: removed some code when --disable-verbose is configured
  • lib: fix maybe-uninitialized warnings
  • multi: clarify condition in curl_multi_wait
  • schannel: Don't treat encrypted partial record as pending data
  • configure: fix the -ldl check for openssl, add -lpthread check
  • configure: accept -Og and -Ofast GCC flags
  • Makefile: avoid use of GNU-specific form of $<
  • if2ip: fix -Wcast-align warning
  • configure: stop prepending to LDFLAGS, CPPFLAGS
  • curl: set a 100K buffer size by default
  • typecheck-gcc: fix _curl_is_slist_info
  • nss: do not leak PKCS #11 slot while loading a key
  • nss: load libnssckbi.so if no other trust is specified
  • examples: ftpuploadfrommem.c
  • url: declare get_protocol_family() static
  • examples/cookie_interface.c: changed to example.com
  • test1443: test --remote-time
  • curl: use utimes instead of obsolescent utime when available
  • url: fixed a memory leak on OOM while setting CURLOPT_BUFFERSIZE
  • curl_rtmp: fix missing-variable-declarations warnings
  • tests: fixed OOM handling of unit tests to abort test
  • curl_setup: Ensure no more than one IDN lib is enabled
  • tool: Fix missing prototype warnings for CURL_DOES_CONVERSIONS
  • CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size
  • curl: non-boolean command line args reject --no- prefixes
  • telnet: Write full buffer instead of byte-by-byte
  • typecheck-gcc: add missing string options
  • typecheck-gcc: add support for CURLINFO_SOCKET
  • opt man pages: they all have examples now
  • curl_setup_once: use SEND_QUAL_ARG2 for swrite
  • test557: set a known good numeric locale
  • schannel: return a more specific error code for SEC_E_UNTRUSTED_ROOT
  • tests/server: make string literals const
  • runtests: use -R for random order
  • unit1305: fix compiler warning
  • curl_slist_append.3: clarify a NULL input creates a new list
  • tests/server: run checksrc by default in debug-builds
  • tests: fix -Wcast-qual warnings
  • runtests.pl: simplify the datacheck read section
  • curl: remove --environment and tool_writeenv.c
  • buildconf: fix hang on IRIX
  • tftp: silence bad-function-cast warning
  • asyn-thread: fix unused macro warnings
  • tool_parsecfg: fix -Wcast-qual warning
  • sendrecv: fix MinGW-w64 warning
  • test537: use correct variable type
  • rand: treat fake entropy the same regardless of endianness
  • curl: generate the --help output
  • tests: removed redundant --trace-ascii arguments
  • multi: assign IDs to all timers and make each timer singleton
  • multi: use a fixed array of timers instead of malloc
  • mbedtls: Support server renegotiation request
  • pipeline: fix mistakenly trying to pipeline POSTs
  • lib510: don't write past the end of the buffer if it's too small
  • CURLOPT_HTTPPROXYTUNNEL.3: clarify, add example
  • SecureTransport/DarwinSSL: Implement public key pinning
  • curl.1: clarify --config
  • curl_sasl: fix build error with CURL_DISABLE_CRYPTO_AUTH + USE_NTLM
  • darwinssl: Fix exception when processing a client-side certificate
  • curl.1: mention --oauth2-bearer's argument
  • mkhelp.pl: do not add current time into curl binary
  • asiohiper.cpp / evhiperfifo.c: deal with negative timerfunction input
  • ssh: fix memory leak in disconnect due to timeout
  • tests: stabilize test 1034
  • cmake: auto detection of CURL_CA_BUNDLE/CURL_CA_PATH
  • assert: avoid, use DEBUGASSERT instead
  • LDAP: using ldap_bind_s on Windows with methods
  • redirect: store the "would redirect to" URL when max redirs is reached
  • winbuild: fix the nghttp2 build
  • examples: fix -Wimplicit-fallthrough warnings
  • time: fix type conversions and compiler warnings
  • mbedtls: fix variable shadow warning
  • test557: fix ubsan runtime error due to int left shift
  • transfer: init the infilesize from the postfields
  • docs: clarify NO_PROXY further
  • build-wolfssl: Sync config with wolfSSL 3.11
  • curl-compilers.m4: enable -Wshift-sign-overflow for clang
  • example/externalsocket.c: make it use CLOSESOCKETFUNCTION too
  • lib574.c: use correct callback proto
  • lib583: fix compiler warning
  • curl-compilers.m4: fix compiler_num for clang
  • typecheck-gcc.h: separate getinfo slist checks from other pointers
  • typecheck-gcc.h: check CURLINFO_TLS_SSL_PTR and CURLINFO_TLS_SESSION
  • typecheck-gcc.h: check CURLINFO_CERTINFO
  • build: provide easy code coverage measuring
  • test1537: dedicated tests of the URL (un)escape API calls
  • curl_endian: remove unused functions
  • test1538: verify the libcurl strerror API calls
  • MD(4|5): silence cast-align clang warning
  • dedotdot: fixed output for ".." and "." only input
  • cyassl: define build macros before including ssl.h
  • updatemanpages.pl: error out on too old git version
  • curl_sasl: fix unused-variable warning
  • x509asn1: fix implicit-fallthrough warning with GCC 7
  • libtest: fix implicit-fallthrough warnings with GCC 7
  • BINDINGS: add Ring binding
  • curl_ntlm_core: pass unsigned char to toupper
  • test1262: verify ftp download with -z for "if older than this"
  • test1521: test all curl_easy_setopt options
  • typecheck-gcc: allow CURLOPT_STDERR to be NULL too
  • metalink: remove unused printf() argument
  • file: make speedcheck use current time for checks
  • configure: fix link with librtmp when specifying path
  • examples/multi-uv.c: fix deprecated symbol
  • cmake: Fix inconsistency regarding mbed TLS include directory
  • setopt: check CURLOPT_ADDRESS_SCOPE option range
  • gitignore: ignore all vim swap files
  • urlglob: fix division by zero
  • libressl: OCSP and intermediate certs workaround no longer needed

New in cURL 7.54.0 (Apr 19, 2017)

  • Changes:
  • Add CURL_SSLVERSION_MAX_* constants to CURLOPT_SSLVERSION
  • Add --max-tls
  • Add CURLOPT_SUPPRESS_CONNECT_HEADERS
  • Add --suppress-connect-headers
  • Bugfixes:
  • CVE-2017-7468: switch off SSL session id when client cert is used
  • cmake: Replace invalid UTF-8 byte sequence
  • tests: use consistent environment variables for setting charset
  • proxy: fixed a memory leak on OOM
  • ftp: removed an erroneous free in an OOM path
  • docs: de-duplicate file lists in the Makefiles
  • ftp: fixed a NULL pointer dereference on OOM
  • gopher: fixed detection of an error condition from Curl_urldecode
  • url: fix unix-socket support for proxy-disabled builds
  • test1139: allow for the possibility that the man page is not rebuilt
  • cyassl: get library version string at runtime
  • digest_sspi: fix compilation warning
  • tests: enable HTTP/2 tests to run with non-default port numbers
  • warnless: suppress compiler warning
  • darwinssl: Warn that disabling host verify also disables SNI
  • configure: fix for --enable-pthreads
  • checksrc.bat: Ignore curl_config.h.in, curl_config.h
  • no-keepalive.d: fix typo
  • configure: fix --with-zlib when a path is specified
  • build: fix gcc7 implicit fallthrough warnings
  • fix potential use of uninitialized variables
  • CURLOPT_SSL_CTX_FUNCTION.3: Fix EXAMPLE formatting errors
  • CMake: Reorganize SSL support, separate WinSSL and SSPI
  • CMake: Add DarwinSSL support
  • CMake: Add mbedTLS support
  • ares: return error at once if timed out before name resolve starts
  • BINDINGS: added C++, perl, go and Scilab bindings
  • URL: return error on malformed URLs with junk after port number
  • KNOWN_BUGS: Add DarwinSSL won't import PKCS#12 without a password
  • http2: Fix assertion error on redirect with CL=0
  • updatemanpages.pl: Update man pages to use current date and versions
  • --insecure: clarify that this option is for server connections
  • mkhelp: simplified the gzip code
  • build: fixed making man page in out-of-tree tarball builds
  • tests: disabled 1903 due to flakiness
  • openssl: add two /* FALLTHROUGH */ to satisfy coverity
  • cmdline-opts: fixed a few typos
  • authneg: clear auth.multi flag at http_done
  • curl_easy_reset: Also reset the authentication state
  • proxy: skip SSL initialization for closed connections
  • http_proxy: ignore TE and CL in CONNECT 2xx responses
  • tool_writeout: fixed a buffer read overrun on --write-out
  • make: regenerate docs/curl.1 by running make in docs
  • winbuild: add basic support for OpenSSL 1.1.x
  • build: removed redundant DEPENDENCIES from makefiles
  • CURLINFO_LOCAL_PORT.3: added example
  • curl: show HTTPS-Proxy options on CURLE_SSL_CACERT
  • tests: strip more options from non-HTTP --libcurl tests
  • tests: fixed the documented test server port numbers
  • runtests.pl: fixed display of the Gopher IPv6 port number
  • multi: fix streamclose() crash in debug mode
  • cmake: build manual pages
  • cmake: add support for building HTML and PDF docs
  • mbedtls: add support for CURLOPT_SSL_CTX_FUNCTION
  • make: introduce 'test-nonflaky' target
  • CURLINFO_PRIMARY_IP.3: add example
  • tests/README: mention nroff for --manual tests
  • mkhelp: disable compression if the perl gzip module is unavailable
  • openssl: fall back on SSL_ERROR_* string when no error detail
  • asiohiper: make sure socket is open in event_cb
  • tests/README: make "Run" section foolproof
  • curl: check for end of input in writeout backslash handling
  • .gitattributes: turn off CRLF for *.am
  • multi: fix MinGW-w64 compiler warnings
  • schannel: fix variable shadowing warning
  • openssl: exclude DSA code when OPENSSL_NO_DSA is defined
  • http: Fix proxy connection reuse with basic-auth
  • pause: handle mixed types of data when paused
  • http: do not treat FTPS over CONNECT as HTTPS
  • conncache: make hashkey avoid malloc
  • make: use the variable MAKE for recursive calls
  • curl: fix callback argument inconsistency
  • NTLM: check for features with #ifdef instead of #if
  • cmake: add several missing files to the dist
  • select: use correct SIZEOF_ constant
  • connect: fix unreferenced parameter warning
  • schannel: fix unused variable warning
  • gcc7: fix ‘*’ in boolean context
  • http2: silence unused parameter warnings
  • ssh: fix narrowing conversion warning
  • telnet: (win32) fix read callback return variable
  • docs: Explain --fail-early does not imply --fail
  • docs: added examples for CURLINFO_FILETIME.3 and CURLOPT_FILETIME.3
  • tests/server/util: remove in6addr_any for recent MinGW
  • multi: make curl_multi_wait avoid malloc in the typical case
  • include: curl/system.h is a run-time version of curlbuild.h
  • easy: silence compiler warning
  • llist: replace Curl_llist_alloc with Curl_llist_init
  • hash: move key into hash struct to reduce mallocs
  • url: don't free postponed data on connection reuse
  • curl_sasl: declare mechtable static
  • curl: fix Windows Unicode build
  • multi: fix queueing of pending easy handles
  • tool_operate: fix MinGW compiler warning
  • low_speed_limit: improved function for longer time periods
  • gtls: fix compiler warning
  • sspi: print out InitializeSecurityContext() error message
  • schannel: fix compiler warnings
  • vtls: fix unreferenced variable warnings
  • INSTALL.md: fix secure transport configure arguments
  • CURLINFO_SCHEME.3: fix variable type
  • libcurl-thread.3: also mention threaded-resolver
  • nss: load CA certificates even with --insecure
  • openssl: fix this statement may fall through
  • poll: prefer over
  • polarssl: unbreak build with versions < 1.3.8
  • Curl_expire_latest: ignore already expired timers
  • configure: turn implicit function declarations into errors
  • mbedtls: fix memory leak in error path
  • http2: fix handle leak in error path
  • .gitattributes: force shell scripts to LF
  • configure.ac: ignore CR after version numbers
  • extern-scan.pl: strip trailing CR
  • openssl: make SSL_ERROR_to_str more future-proof
  • openssl: fix thread-safety bugs in error-handling
  • openssl: don't try to print nonexistant peer private keys
  • nss: fix MinGW compiler warnings

New in cURL 7.53.1 (Feb 25, 2017)

  • Bugfixes:
  • cyassl: fix typo
  • url: Improve CURLOPT_PROXY_CAPATH error handling
  • urldata: include curl_sspi.h when Windows SSPI is enabled
  • formdata: check for EOF when reading from stdin
  • tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
  • url: Default the proxy CA bundle location to CURL_CA_BUNDLE
  • rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header

New in cURL 7.53.0 (Feb 22, 2017)

  • Changes:
  • unix_socket: added --abstract-unix-socket and CURLOPT_ABSTRACT_UNIX_SOCKET
  • CURLOPT_BUFFERSIZE: support enlarging receive buffer
  • Bugfixes:
  • CVE-2017-2629: make SSL_VERIFYSTATUS work again
  • gnutls-random: check return code for failed random
  • openssl-random: check return code when asking for random
  • http: remove "Curl_http_done: called premature" message
  • cyassl: use time_t instead of long for timeout
  • build-wolfssl: Sync config with wolfSSL 3.10
  • ftp-gss: check for init before use
  • configure: accept --with-libidn2 instead
  • ftp: failure to resolve proxy should return that error code
  • curl.1: add three more exit codes
  • docs/ciphers: link to our own new page about ciphers
  • vtls: s/SSLEAY/OPENSSL - fixes multi_socket timeouts with openssl
  • darwinssl: fix iOS build
  • darwinssl: fix CFArrayRef leak
  • cmake: use crypt32.lib when building with OpenSSL on windows
  • curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
  • digest_sspi: copy terminating NUL as well
  • curl: fix --remote-time incorrect times on Windows
  • curl.1: several updates and corrections
  • content_encoding: change return code on a failure
  • curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
  • docs: TCP_KEEPALIVE start and interval default to 60
  • darwinssl: --insecure overrides --cacert if both settings are in use
  • TheArtOfHttpScripting: grammar
  • CIPHERS.md: document GSKit ciphers
  • wolfssl: support setting cipher list
  • wolfssl: display negotiated SSL version and cipher
  • lib506: fix build for Open Watcom
  • asiohiper: improved socket handling
  • examples: make the C++ examples follow our code style too
  • tests/sws: retry send() on EWOULDBLOCK
  • cmake: Fix passing _WINSOCKAPI_ macro to compiler
  • smtp: Fix STARTTLS denied error message
  • imap/pop3: don't print response character in STARTTLS denied messages
  • rand: make it work without TLS backing
  • url: fix parsing for when 'file' is the default protocol
  • url: allow file://X:/path URLs on windows again
  • gnutls: check for alpn and ocsp in configure
  • IDN: Use TR46 'non-transitional' for toASCII translations
  • url: Fix NO_PROXY env var to work properly with --proxy option
  • CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
  • docs: Add note about libcurl copying strings to CURLOPT_* manpages
  • curl: reset the easy handle at --next
  • --next docs: --trace and --trace-ascii are also global
  • --write-out docs: 'time_total' is not always shown with ms precision
  • http: print correct HTTP string in verbose output when using HTTP/2
  • docs: improved language in README.md HISTORY.md CONTRIBUTE.md
  • http2: disable server push if not requested
  • nss: use the correct lock in nss_find_slot_by_name()
  • usercertinmem.c: improve the short description
  • CURLOPT_CONNECT_TO: Fix compile warnings
  • docs: non-blocking SSL handshake is now supported with NSS
  • *.rc: escape non-ASCII/non-UTF-8 character for clarity
  • mbedTLS: fix multi interface non-blocking handshake
  • PolarSSL: fix multi interface non-blocking handshake
  • VC: remove the makefile.vc6 build infra
  • telnet: fix windows compiler warnings
  • cookies: do not assume a valid domain has a dot
  • polarssl: fix hangs
  • gnutls: disable TLS session tickets
  • mbedtls: disable TLS session tickets
  • mbedtls: implement CTR-DRBG and HAVEGE random generators
  • openssl: Don't use certificate after transferring ownership
  • cmake: Support curl --xattr when built with cmake
  • OS400: Fix symbols
  • docs: Add more HTTPS proxy documentation
  • docs: use more HTTPS links
  • cmdline-opts: Fixed build and test in out of source tree builds
  • CHANGES.0: removed
  • schannel: Remove incorrect SNI disabled message
  • darwinssl: Avoid parsing certificates when not in verbose mode
  • test552: Fix typos
  • telnet: Fix typos
  • transfer: only retry nobody-requests for HTTP
  • http2: reset push header counter fixes crash
  • nss: make FTPS work with --proxytunnel
  • test1139: Added the --manual keyword since the manual is required
  • polarssl, mbedtls: Fix detection of pending data
  • http_proxy: Fix tiny memory leak upon edge case connecting to proxy
  • URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
  • curl.1: ftp.sunet.se is no longer an FTP mirror
  • tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
  • http2: fix memory-leak when denying push streams
  • configure: Allow disabling pthreads, fall back on Win32 threads
  • curl: fix typo in time condition warning message
  • axtls: adapt to API changes
  • tool_urlglob: Allow a glob range with the same start and stop
  • winbuild: add note on auto-detection of MACHINE in Makefile.vc
  • http: fix missing 'Content-Length: 0' while negotiating auth
  • proxy: fix hostname resolution and IDN conversion
  • docs: fix timeout handling in multi-uv example
  • digest_sspi: Fix nonce-count generation in HTTP digest
  • sftp: improved checks for create dir failures
  • smb: use getpid replacement for windows UWP builds
  • digest_sspi: Handle 'stale=TRUE' directive in HTTP digest

New in cURL 7.52.1 (Dec 29, 2016)

  • Bugfixes:
  • CVE-2016-9594: unititialized random
  • lib557: fix checksrc warnings
  • lib: fix MSVC compiler warnings
  • lib557.c: use a shorter MAXIMIZE representation
  • tests: run checksrc on debug builds

New in cURL 7.52.0 (Dec 22, 2016)

  • Changes:
  • nss: map CURL_SSLVERSION_DEFAULT to NSS default
  • vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
  • curl: introduce the --tlsv1.3 option to force TLS 1.3
  • curl: Add --retry-connrefused
  • proxy: Support HTTPS proxy and SOCKS+HTTP(s)
  • add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
  • curl: add --fail-early
  • Bugfixes:
  • CVE-2016-9586: printf floating point buffer overflow
  • CVE-2016-9952: Win CE schannel cert wildcard matches too much
  • CVE-2016-9953: Win CE schannel cert name out of buffer read
  • msvc: removed a straggling reference to strequal.c
  • winbuild: remove strcase.obj from curl build
  • examples: bugfixed multi-uv.c
  • configure: verify that compiler groks -Werror=partial-availability
  • mbedtls: fix build with mbedtls versions < 2.4.0
  • dist: add unit test CMakeLists.txt to the tarball
  • curl -w: added more decimal digits to timing counters
  • easy: Initialize info variables on easy init and duphandle
  • cmake: disable poll for macOS
  • http2: Don't send header fields prohibited by HTTP/2 spec
  • ssh: check md5 fingerprints case insensitively (regression)
  • openssl: initial TLS 1.3 adaptions
  • curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
  • printf: fix ".*f" handling
  • examples/fileupload.c: fclose the file as well
  • SPNEGO: Fix memory leak when authentication fails
  • realloc: use Curl_saferealloc to avoid common mistakes
  • openssl: make sure to fail in the unlikely event that PRNG seeding fails
  • URL-parser: for file://[host]/ URLs, the [host] must be localhost
  • timeval: prefer time_t to hold seconds instead of long
  • Curl_rand: fixed and moved to rand.c
  • glob: fix [a-c] globbing regression
  • darwinssl: fix SSL client certificate not found on MacOS Sierra
  • curl.1: Clarify --dump-header only writes received headers
  • http2: Fix address sanitizer memcpy warning
  • http2: Use huge HTTP/2 windows
  • connects: Don't mix unix domain sockets with regular ones
  • url: Fix conn reuse for local ports and interfaces
  • x509: Limit ASN.1 structure sizes to 256K
  • checksrc: add more checks
  • winbuild: add config option ENABLE_NGHTTP2
  • http2: check nghttp2_session_set_local_window_size exists
  • http2: Fix crashes when parent stream gets aborted
  • CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries
  • URL parser: reject non-numerical port numbers
  • CONNECT: reject TE or CL in 2xx responses
  • CONNECT: read responses one byte at a time
  • curl: support zero-length argument strings in config files
  • openssl: don't use OpenSSL's ERR_PACK
  • curl.1: generated with the new man page system
  • curl_easy_recv: Improve documentation and example program
  • Curl_getconnectinfo: avoid checking if the connection is closed
  • CIPHERS.md: attempt to document TLS cipher names

New in cURL 7.51.0 (Nov 2, 2016)

  • Changes:
  • nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST
  • New option: CURLOPT_KEEP_SENDING_ON_ERROR
  • Bugfixes:
  • CVE-2016-8615: cookie injection for other servers
  • CVE-2016-8616: case insensitive password comparison
  • CVE-2016-8617: OOB write via unchecked multiplication
  • CVE-2016-8618: double-free in curl_maprintf
  • CVE-2016-8619: double-free in krb5 code
  • CVE-2016-8620: glob parser write/read out of bounds
  • CVE-2016-8621: curl_getdate read out of bounds
  • CVE-2016-8622: URL unescape heap overflow via integer truncation
  • CVE-2016-8623: Use-after-free via shared cookies
  • CVE-2016-8624: invalid URL parsing with '#'
  • CVE-2016-8625: IDNA 2003 makes curl use wrong host
  • openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
  • http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
  • LICENSE-MIXING.md: update with mbedTLS dual licensing
  • examples/imap-append: Set size of data to be uploaded
  • test2048: fix url
  • darwinssl: disable RC4 cipher-suite support
  • CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
  • openssl: don’t call CRYTPO_cleanup_all_ex_data
  • libressl: fix version output
  • easy: Reset all statistical session info in curl_easy_reset
  • curl_global_cleanup.3: don't unload the lib with sub threads running
  • dist: add CurlSymbolHiding.cmake to the tarball
  • docs: Remove that --proto is just used for initial retrieval
  • configure: Fixed builds with libssh2 in a custom location
  • curl.1: --trace supports % for sending to stderr!
  • cookies: same domain handling changed to match browser behavior
  • formpost: trying to attach a directory no longer crashes
  • CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
  • formpost: avoid silent snprintf() truncation
  • ftp: fix Curl_ftpsendf
  • mprintf: return error on too many arguments
  • smb: properly check incoming packet boundaries
  • GIT-INFO: remove the Mac 10.1-specific details
  • resolve: add error message when resolving using SIGALRM
  • cmake: add nghttp2 support
  • dist: remove PDF and HTML converted docs from the releases
  • configure: disable poll() in macOS builds
  • vtls: only re-use session-ids using the same scheme
  • pipelining: skip to-be-closed connections when pipelining
  • win: fix Universal Windows Platform build
  • curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
  • maketgz: make it support "only" generating version info
  • Curl_socket_check: add extra check to avoid integer overflow
  • gopher: properly return error for poll failures
  • curl: set INTERLEAVEDATA too
  • polarssl: clear thread array at init
  • polarssl: fix unaligned SSL session-id lock
  • polarssl: reduce #ifdef madness with a macro
  • curl_multi_add_handle: set timeouts in closure handles
  • configure: set min version flags for builds on mac
  • INSTALL: converted to markdown => INSTALL.md
  • curl_multi_remove_handle: fix a double-free
  • multi: fix inifinte loop in curl_multi_cleanup()
  • nss: fix tight loop in non-blocking TLS handhsake over proxy
  • mk-ca-bundle: Change URL retrieval to HTTPS-only by default
  • mbedtls: stop using deprecated include file
  • docs: fix req->data in multi-uv example
  • configure: Fix test syntax for monotonic clock_gettime
  • CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2

New in cURL 7.50.3 (Sep 20, 2016)

  • Bugfixes:
  • CVE-2016-7167: escape and unescape integer overflows
  • mk-ca-bundle.pl: use SHA256 instead of SHA1
  • checksrc: detect strtok() use
  • errors: new alias CURLE_WEIRD_SERVER_REPLY
  • http2: support > 64bit sized uploads
  • openssl: fix bad memory free (regression)
  • CMake: hide private library symbols
  • http: refuse to pass on response body when NO_NODY is set
  • cmake: fix curl-config --static-libs
  • mbedtls: switch off NTLM in build if md4 isn't available
  • curl: --create-dirs on windows groks both forward and backward slashes

New in cURL 7.50.2 (Sep 7, 2016)

  • Bugfixes:
  • mbedtls: Added support for NTLM
  • SSH: fixed SFTP/SCP transfer problems
  • multi: make Curl_expire() work with 0 ms timeouts
  • mk-ca-bundle.pl: -m keeps ca cert meta data in output
  • TFTP: Fix upload problem with piped input
  • CURLOPT_TCP_NODELAY: now enabled by default
  • mbedtls: set verbose TLS debug when MBEDTLS_DEBUG is defined
  • http2: always wait for readable socket
  • cmake: Enable win32 large file support by default
  • cmake: Enable win32 threaded resolver by default
  • winbuild: Avoid setting redundant CFLAGS to compile commands
  • curl.h: make CURL_NO_OLDIES define CURL_STRICTER
  • docs: make more markdown files use .md extension
  • docs: CONTRIBUTE and LICENSE-MIXING were converted to markdown
  • winbuild: Allow changing C compiler via environment variable CC
  • rtsp: accept any RTSP session id
  • HTTP: retry failed HEAD requests on reused connections too
  • configure: add zlib search with pkg-config
  • openssl: accept subjectAltName iPAddress if no dNSName match
  • MANUAL: Remove invalid link to LDAP documentation
  • socks: improved connection procedure
  • proxy: reject attempts to use unsupported proxy schemes
  • proxy: bring back use of "Proxy-Connection:"
  • curl: allow "pkcs11:" prefix for client certificates
  • spnego_sspi: fix memory leak in case *outlen is zero
  • SOCKS: improve verbose output of SOCKS5 connection sequence
  • SOCKS: display the hostname returned by the SOCKS5 proxy server
  • http/sasl: Query authentication mechanism supported by SSPI before using
  • sasl: Don't use GSSAPI authentication when domain name not specified
  • win: Basic support for Universal Windows Platform apps
  • nss: fix incorrect use of a previously loaded certificate from file
  • nss: work around race condition in PK11_FindSlotByName()
  • ftp: fix wrong poll on the secondary socket
  • openssl: build warning-free with 1.1.0 (again)
  • HTTP: stop parsing headers when switching to unknown protocols
  • test219: Add http as a required feature
  • TLS: random file/egd doesn't have to match for conn reuse
  • schannel: Disable ALPN for Wine since it is causing problems
  • http2: make sure stream errors don't needlessly close the connection
  • http2: return CURLE_HTTP2_STREAM for unexpected stream close
  • darwinssl: --cainfo is intended for backward compatibility only
  • speed caps: not based on average speeds anymore
  • configure: make the cpp -P detection not clobber CPPFLAGS
  • http2: use named define instead of magic constant in read callback
  • http2: skip the content-length parsing, detect unknown size
  • http2: return EOF when done uploading without known size
  • darwinssl: test for errSecSuccess in PKCS12 import rather than noErr
  • openssl: fix CURLINFO_SSL_VERIFYRESULT

New in cURL 7.50.1 (Aug 3, 2016)

  • Bugfixes:
  • TLS: switch off SSL session id when client cert is used
  • TLS: only reuse connections with the same client cert
  • curl_multi_cleanup: clear connection pointer for easy handles
  • include the CURLINFO_HTTP_VERSION man page into the release tarball
  • include the http2-server.pl script in the release tarball
  • test558: fix test by stripping file paths from FD lines
  • spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
  • tests: Fix for http/2 feature
  • cmake: Fix for schannel support
  • curl.h: make public types void * again
  • win32: fix a potential memory leak in Curl_load_library
  • travis: fix OSX build by re-installing libtool
  • mbedtls: Fix debug function name

New in cURL 7.50.0 (Jul 25, 2016)

  • Changes:
  • http: add CURLINFO_HTTP_VERSION and %{http_version}
  • Bugfixes:
  • memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
  • openssl: fix build with OPENSSL_NO_COMP
  • mbedtls: removed unused variables
  • cmake: Added missing mbedTLS support
  • URL parser: allow URLs to use one, two or three slashes
  • curl: fix -q [regression]
  • openssl: Use correct buffer sizes for error messages
  • curl: fix SIGSEGV while parsing URL with too many globs
  • schannel: add CURLOPT_CERTINFO support
  • vtls: fix ssl session cache race condition
  • http: Fix HTTP/2 connection reuse [regression]
  • checksrc: Add LoadLibrary to the banned functions list
  • schannel: Disable ALPN on Windows < 8.1
  • configure: occasional ignorance of --enable-symbol-hiding with GCC
  • http2: test17xx are the first real HTTP/2 tests
  • resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
  • curl_multi_socket_action.3: rewording
  • CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
  • cmake: Fix build with winldap
  • openssl: fix cert check with non-DNS name fields present
  • curl.1: mention the units for the progress meter
  • openssl: use more 'const' to fix build warnings with 1.1.0 branch
  • cmake: now using BUILD_TESTING=ON/OFF
  • vtls: Only call add/getsession if session id is enabled
  • headers: forward declare CURL, CURLM and CURLSH as structs
  • configure: improve detection of CA bundle path on FreeBSD
  • SFTP: set a generic error when no SFTP one exists
  • curl_global_init.3: expand on the SSL and WIN32 bits purpose
  • conn: don't free easy handle data in handler->disconnect
  • cookie.c: Fix misleading indentation
  • library: Fix memory leaks found during static analysis
  • CURLMOPT_SOCKETFUNCTION.3: fix typo
  • curl_global_init: moved the "IPv6 works" check here
  • connect: disable TFO on Linux when using SSL
  • vauth: Fixed memory leak due to function returning without free
  • winbuild: fix embedded manifest option

New in cURL 7.49.1 (May 30, 2016)

  • Windows: prevent DLL hijacking, CVE-2016-4802
  • dist: include manpage-scan.pl, nroff-scan.pl and CHECKSRC.md
  • schannel: fix compile break with MSVC XP toolset
  • curlbuild.h.dist: check __LP64__ as well to fix MIPS build
  • dist: include curl_multi_socket_all.3
  • http2: use HTTP/2 in the HTTP/1.1-alike response
  • openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
  • CURLOPT_CONNECT_TO.3: user must not free the list prematurely
  • libcurl.m4: Avoid obsolete warning
  • winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
  • curl_multibyte: fix compiler error
  • openssl: cleanup must free compression methods (memory leak)
  • mbedtls: fix includes so snprintf() works
  • checksrc.pl: Added variants of strcat() & strncat() to banned function list
  • contributors.sh: better grep pattern and show GitHub username
  • ssh: fix build for libssh2 before 1.2.6
  • curl_share_setopt.3: Add min ver needed for ssl session lock

New in cURL 7.49.0 (May 18, 2016)

  • Changes:
  • schannel: Add ALPN support
  • SSH: support CURLINFO_FILETIME
  • SSH: new CURLOPT_QUOTE command "statvfs"
  • wolfssl: Add ALPN support
  • http2: added --http2-prior-knowledge
  • http2: added CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
  • libcurl: added CURLOPT_CONNECT_TO
  • curl: added --connect-to
  • libcurl: added CURLOPT_TCP_FASTOPEN
  • curl: added --tcp-fastopen
  • curl: remove support for --ftpport, -http-request and --socks
  • Bugfixes:
  • CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
  • checksrc.bat: Updated the help to be consistent with generate.bat
  • checksrc.bat: Added support for scanning the tests and examples
  • openssl: fix ERR_remove_thread_state() for boringssl/libressl
  • openssl: boringssl provides the same numbering as openssl
  • multi: fix "Operation timed out after" timer
  • url: don't use bad offset in tld_check_name to show error
  • sshserver.pl: use quotes for given options
  • Makefile.am: skip the scripts dir
  • curl: warn for --capath use if not supported by libcurl
  • http2: fix connection reuse
  • GSS: make Curl_gss_log_error more verbose
  • build-wolfssl: Allow a broader range of ciphers (Visual Studio)
  • wolfssl: Use ECC supported curves extension
  • openssl: Fix compilation warnings
  • Curl_add_buffer_send: avoid possible NULL dereference
  • SOCKS5_gssapi_negotiate: don't assume little-endian ints
  • strerror: don't bit shift a signed integer
  • url: Corrected get protocol family for FTP and LDAP
  • curl/mprintf.h: remove support for _MPRINTF_REPLACE
  • upload: missing rewind call could make libcurl hang
  • IMAP: check pointer before dereferencing it
  • build: Changed the Visual Studio projects warning level from 3 to 4
  • checksrc: now stricter, wider checks, code cleaned up
  • checksrc: added docs/CHECKSRC.md
  • curl_sasl: Fixed potential null pointer utilisation
  • krb5: Fixed missing client response when mutual authentication enabled
  • krb5: Only process challenge when present
  • krb5: Only generate a SPN when its not known
  • formdata: use appropriate fopen() macros
  • curl.1: -w filename_effective was introduced in 7.26.0
  • http2: make use of the nghttp2 error callback
  • http2: fix connection reuse when PING comes after last DATA
  • curl.1: change example for -F
  • HTTP2: Add a space character after the status code
  • curl.1: use example.com more
  • mbedtls.c: changed private prefix to mbed_
  • mbedtls: implement and provide *_data_pending() to avoid hang
  • mbedtls: fix MBEDTLS_DEBUG builds
  • ftp/imap/pop3/smtp: Allow the service name to be overridden
  • CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
  • build: include scripts/ in the dist
  • http2: Add handling stream level error
  • http2: Improve header parsing
  • makefile.vc6: use d suffix on debug object
  • configure: remove check for libresolve
  • scripts/make: use $(EXEEXT) for executables
  • checksrc: got rid of the whitelist files
  • sendf: added ability to call recv() before send() as workaround
  • NTLM: check for NULL pointer before dereferencing
  • openssl: builds with OpenSSL 1.1.0-pre5
  • configure: ac_cv_ -> curl_cv_ for all cached vars
  • winbuild: add mbedtls support
  • curl: make --ftp-create-dirs retry on failure
  • PolarSSL: implement public key pinning
  • multi: accidentally used resolved host name instead of proxy
  • CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
  • CONNECT_ONLY: don't close connection on GSS 401/407 reponses
  • opts: Fix some syntax errors in example code fragments
  • mbedtls: Fix session resume
  • test1139: verifies libcurl option man page presence
  • CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
  • curl: make --disable work as long form of -q
  • curl: use --telnet-option as documented
  • curl.1: document --ftp-ssl-reqd, --krb4 and --ntlm-wb
  • curl: -h output lacked --proxy-header and --ntlm-wb
  • curl -J: make it work even without http:// scheme on URL
  • lib: include curl_printf.h as one of the last headers
  • tests: handle path properly on Msys/Cygwin
  • curl.1: --mail-rcpt can be used multiple times
  • CURLOPT_ACCEPT_ENCODING.3: clarified
  • docs: fixed lots of broken man page references
  • tls: make setting pinnedkey option fail if not supported
  • test1140: run nroff-scan to verify man pages
  • http: make sure a blank header overrides accept_decoding
  • connections: do not reuse non-HTTP proxies on different ports
  • connect: fix invalid "Network is unreachable" errors
  • TLS: move the ALPN/NPN enable bits to the connection
  • TLS: SSL_peek is not a const operation
  • http2: Add space between colon and header value
  • darwinssl: fix certificate verification disable on OS X 10.8
  • mprintf: Fix processing of width and prec args
  • ftp wildcard: segfault due to init only in multi_perform

New in cURL 7.48.0 (Mar 23, 2016)

  • Changes:
  • configure: --with-ca-fallback: use built-in TLS CA fallback
  • TFTP: add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS
  • getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
  • added CODE_STYLE.md
  • Bugfixes:
  • Proxy-Connection: stop sending this header by default
  • os400: sync ILE/RPG definitions with latest public header files
  • cookies: allow spaces in cookie names, cut of trailing spaces
  • tool_urlglob: Allow reserved dos device names (Windows)
  • openssl: remove most BoringSSL #ifdefs
  • tool_doswin: Support for literal path prefix \\?
  • mbedtls: fix ALPN usage segfault
  • mbedtls: fix memory leak when destroying SSL connection data
  • nss: do not count enabled cipher-suites
  • examples/cookie_interface.c: add cleanup call
  • examples: adhere to curl code style
  • curlx_tvdiff: handle 32bit time_t overflows
  • dist: ship buildconf.bat too
  • curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
  • generate.bat: Fix comment bug by removing old comments
  • test1604: Add to Makefile.inc so it gets run
  • gtls: fix for builds lacking encrypted key file support
  • SCP: use libssh2_scp_recv2 to support > 2GB files on windows
  • CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
  • cookie: do not refuse cookies to localhost
  • openssl: avoid direct PKEY access with OpenSSL 1.1.0
  • http: Don't break the header into chunks if HTTP/2
  • http2: don't decompress gzip decoding automatically
  • curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
  • curl.1: add a missing dash
  • curl.1: HTTP headers for --cookie must be Set-Cookie style
  • CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
  • curl_sasl: Fix memory leak in digest parser
  • src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
  • CURLOPT_DEBUGFUNCTION.3: Fix example
  • runtests: Fixed usage of %PWD on MinGW64
  • tests/sshserver.pl: use RSA instead of DSA for host auth
  • multi_remove_handle: keep the timeout list until after disconnect
  • Curl_read: check for activated HTTP/1 pipelining, not only requested
  • configure: warn on invalid ca bundle or path
  • file: try reading from files with no size
  • getinfo: Add support for mbedTLS TLS session info
  • formpost: fix memory leaks in AddFormData error branches
  • makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
  • url: if Curl_done is premature then pipeline not in use
  • cookie: remove redundant check
  • cookie: Don't expire session cookies in remove_expired
  • makefile.m32: fix to allow -ssh2-winssl combination
  • checksrc.bat: Fixed cannot find perl if installed but not in path
  • build-openssl.bat: Fixed cannot find perl if installed but not in path
  • mbedtls: fix user-specified SSL protocol version
  • makefile.m32: add missing libs for static -winssl-ssh2 builds
  • test46: change cookie expiry date
  • pipeline: Sanity check pipeline pointer before accessing it
  • openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
  • ftp_done: clear tunnel_state when secondary socket closes
  • opt-docs: fix heading macros
  • imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
  • curl_multi_wait: never return -1 in 'numfds'
  • url.c: fix clang warning: no newline at end of file
  • krb5: improved type handling to avoid clang compiler warnings
  • cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
  • multi: avoid blocking during CURLM_STATE_WAITPROXYCONNECT
  • multi hash: ensure modulo performed on curl_socket_t
  • curl: glob_range: no need to check unsigned variable for negative
  • easy: add check to malloc() when running event-based
  • CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
  • version: thread safety
  • openssl: verbose: show matching SAN pattern
  • openssl: adapt to OpenSSL 1.1.0 API breakage in ERR_remove_thread_state()
  • formdata.c: Fixed compilation warning
  • configure: use cpp -P when needed
  • imap.c: Fixed compilation warning with /Wall enabled
  • config-w32.h: Fixed compilation warning when /Wall enabled
  • ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
  • build: Added missing Visual Studio filter files for VC10 onwards
  • easy: Remove poll failure check in easy_transfer
  • mbedtls: fix compiler warning
  • build-wolfssl: Update VS properties for wolfSSL v3.9.0
  • Fixed various compilation warnings when verbose strings disabled
  • sshserver: remove use of AuthorizedKeysFile2

New in cURL 7.47.1 (Feb 10, 2016)

  • Bugfixes:
  • getredirect.c: fix variable name
  • tool_doswin: silence unused function warning
  • cmake: fixed when OpenSSL enabled on Windows and schannel detected
  • curl.1: Explain remote-name behavior if file already exists
  • tool_operate: Don't sanitize --output path (Windows)
  • URLs: change all http:// URLs to https:// in documentation & comments
  • sasl_sspi: Fix memory leak in domain populate
  • COPYING: clarify that Daniel is not the sole author
  • examples/htmltitle: Use _stricmp on Windows
  • examples/asiohiper: Avoid function name collision on Windows
  • idn_win32: Better error checking
  • openssl: Fix signed/unsigned mismatch warning in X509V3_ext
  • curl save files: check for backslashes on cygwin

New in cURL 7.46.0 (Dec 3, 2015)

  • Changes:
  • configure: build silently by default
  • cookies: Add support for Publix Suffix List with libpsl
  • vtls: added support for mbedTLS
  • Added CURLOPT_STREAM_DEPENDS
  • Added CURLOPT_STREAM_DEPENDS_E
  • Added CURLOPT_STREAM_WEIGHT
  • Added CURLFORM_CONTENTLEN
  • oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
  • Bugfixes:
  • des: Fix header conditional for Curl_des_set_odd_parity
  • ntlm: get rid of unconditional use of long long
  • CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
  • docs: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
  • http2: Fix http2_recv to return -1 if recv returned -1
  • curl_global_init_mem: set function pointers before doing init
  • ntlm: error out without 64bit support as the code needs it
  • openssl: Fix set up of pkcs12 certificate verification chain
  • acinclude: remove PKGCONFIG override
  • test1531: case the size to fix the test on non-largefile builds
  • fread_func: move callback pointer from set to state struct
  • test1601: fix compilation with --enable-debug and --disable-crypto-auth
  • http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
  • curlbuild.h: Fix non-configure compiling to mips and sh4 targets
  • tool: Generate easysrc with last cache linked-list
  • cmake: Fix for add_subdirectory(curl) use-case
  • vtls: fix compiler warning for TLS backends without sha256
  • build: fix for MSDOS/djgpp
  • checksrc: add crude // detection
  • http2: on_frame_recv: trust the conn/data input
  • ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
  • polarssl/mbedtls: fix name space pollution
  • build: Fix mingw ssl gdi32 order
  • build: Fix support for PKG_CONFIG
  • MacOSX-Framework: sdk regex fix for sdk 10.10 and later
  • socks: Fix incorrect port numbers in failed connect messages
  • curl.1: -E: s/private certificate/client certificate
  • curl.h: s/HTTPPOST_/CURL_HTTPOST_
  • curl_formadd: support >2GB files on windows
  • http redirects: %-encode bytes outside of ascii range
  • rawstr: Speed up Curl_raw_toupper by 40%
  • curl_ntlm_core: fix 2 curl_off_t constant overflows.
  • getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
  • tftp tests: verify sent options too
  • imap: Don't call imap_atom() when no mailbox specified in LIST command
  • imap: Fixed double quote in LIST command when mailbox contains spaces
  • imap: Don't check for continuation when executing a CUSTOMREQUEST
  • acinclude: Remove check for 16-bit curl_off_t
  • BoringSSL: Work with stricter BIO_get_mem_data()
  • cmake: Add missing feature macros in config header
  • sasl_sspi: fixed unicode build for digest authentication
  • sasl_sspi: fix identity memory leak in digest authentication
  • unit1602: Fixed failure in torture test
  • unit1603: Added unit tests for hash functions
  • vtls/openssl: remove unused traces of yassl ifdefs
  • openssl: remove #ifdefs for < 0.9.7 support
  • typecheck-gcc.h: add some missing options
  • curl: mark two more options strings for --libcurl output
  • openssl: Free modules on cleanup
  • CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
  • getconnectinfo: Don't call recv(2) if socket == -1
  • http2: http_done: don't free already-freed push headers
  • zsh completion: Preserve single quotes in output
  • os400: Provide options for libssh2 use in compile scripts.
  • build: Fix theoretical infinite loops
  • pop3: Differentiate between success and continuation responses
  • examples: Fixed compilation warnings
  • schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
  • CURLOPT_HEADERFUNCTION.3: fix typo
  • curl: expanded the -XHEAD warning text
  • done: make sure the final progress update is made
  • build: Install zsh completion
  • RTSP: do not add if-modified-since without timecondition
  • curl: Fixed display of URL index in password prompt for --next
  • nonblock: fix setting non-blocking mode for Amiga
  • http2 push: add missing inits of new stream
  • http2: convert some verbose output into debug-only output
  • Curl_read_plain: clean up ifdefs that break statements

New in cURL 7.45.0 (Oct 8, 2015)

  • Changes:
  • added CURLOPT_DEFAULT_PROTOCOL
  • added new tool option --proto-default
  • getinfo: added CURLINFO_ACTIVESOCKET
  • turned CURLINFO_* option docs as stand-alone man pages
  • curl: point out unnecessary uses of -X in verbose mode
  • Bugfixes:
  • curl_global_init_mem.3: Stronger thread safety warning
  • buildconf.bat: Fixed issues when ran in directories with special chars
  • cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
  • generate.bat: Fixed issues when ran in directories with special chars
  • generate.bat: Only call buildconf.bat if it exists
  • generate.bat: Added support for generating only the prerequisite files
  • curl.1: Document weaknesses in SSLv2 and SSLv3
  • CURLOPT_HTTP_VERSION.3: connection re-use goes before version
  • docs: Update the redirect protocols disabled by default
  • inet_pton.c: Fix MSVC run-time check failure
  • CURLMOPT_PUSHFUNCTION.3: fix argument types
  • rtsp: support basic/digest authentication
  • rtsp: stop reading empty DESCRIBE responses
  • travis: Upgrading to container based build
  • travis.yml: Add OS X testbot
  • FTP: make state machine not get stuck in state
  • openssl: handle lack of server cert when strict checking disabled
  • configure: change functions to detect openssl (clones)
  • configure: detect latest boringssl
  • runtests: Allow for spaces in server-verify curl custom path
  • http2: on_frame_recv: get a proper 'conn' for the debug logging
  • ntlm: mark deliberate switch case fall-through
  • http2: remove dead code
  • curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
  • curl: point out the conflicting HTTP methods if used
  • cmake: added Windows SSL support
  • curl_easy_{escape,setopt}.3: fix example
  • curl_easy_escape.3: escape '\n'
  • libcurl.m4: Put braces around empty if body
  • buildconf.bat: Fixed double blank line in 'curl manual' warning output
  • sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
  • inet_pton.c: Fix MSVC run-time check failure
  • CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
  • http2: don't pass on Connection: headers
  • nss: do not directly access SSL_ImplementedCiphers
  • docs: numerous cleanups and spelling fixes
  • FTP: do_more: add check for wait_data_conn in upload case
  • parse_proxy: reject illegal port numbers
  • cmake: IPv6 : disable Unix header check on Windows platform
  • winbuild: run buildconf.bat if necessary
  • buildconf.bat: fix syntax error
  • curl_sspi: fix possibly undefined CRYPT_E_REVOKED
  • nss: prevent NSS from incorrectly re-using a session
  • libcurl-errors.3: add two missing error codes
  • openssl: fix build with < 0.9.8
  • openssl: refactor certificate parsing to use OpenSSL memory BIO
  • openldap: only part of LDAP query results received
  • ssl: add server cert's "sha256//" hash to verbose
  • NTLM: Reset auth-done when using a fresh connection
  • curl: generate easysrc only on --libcurl
  • tests: disable 1801 until fixed
  • CURLINFO_TLS_SESSION: always return backend info
  • gnutls: Support CURLOPT_KEYPASSWD
  • gnutls: Report actual GnuTLS error message for certificate errors
  • tests: disable 1510 due to CI-problems on github
  • cmake: Put "winsock2.h" before "windows.h" during configure checks
  • cmake: Ensure discovered include dirs are considered
  • configure: Add missing ')' for CURL_CHECK_OPTION_RT
  • build: fix failures with -Wcast-align and -Werror
  • FTP: fix uploading ASCII with unknown size
  • readwrite_data: set a max number of loops
  • http2: avoid superfluous Curl_expire() calls
  • http2: set TCP_NODELAY unconditionally
  • docs: fix unescaped '\n' in man pages
  • openssl: Fix algorithm init to make (gost) engines work
  • win32: make recent Borland compilers use long long
  • runtests: Fix pid check in checkdied
  • gopher: don't send NUL byte
  • tool_setopt: fix c_escape truncated octal
  • hiperfifo: fix the pointer passed to WRITEDATA
  • getinfo: Fix return code for unknown CURLINFO options

New in cURL 7.44.0 (Aug 12, 2015)

  • Changes:
  • http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA
  • examples: added http2-serverpush.c
  • http2: added curl_pushheader_byname() and curl_pushheader_bynum()
  • docs: added CODE_OF_CONDUCT.md
  • curl: Add --ssl-no-revoke to disable certificate revocation checks
  • libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS
  • makefile: Added support for VC14
  • build: Added Visual Studio 2015 (VC14) project files
  • build: Added wolfSSL configurations to VC10+ project files
  • Bugfixes:
  • FTP: fix HTTP CONNECT logic regression
  • openssl: Fix build with openssl < ~ 0.9.8f
  • openssl: fix build with BoringSSL
  • curl_easy_setopt.3: option order doesn't matter
  • openssl: fix use of uninitialized buffer
  • RTSP: removed dead code
  • Makefile.m32: add support for CURL_LDFLAG_EXTRAS
  • curl: always provide negotiate/kerberos options
  • cookie: Fix bug in export if any-domain cookie is present
  • curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
  • INSTALL: Advise use of non-native SSL for Windows = for TLSv1
  • HTTP: POSTFIELDSIZE set after added to multi handle
  • SSL-PROBLEMS: mention WinSSL problems in WinXP
  • setup-vms.h: Symbol case fixups
  • SSL: Pinned public key hash support
  • libtest: call PR_Cleanup() on exit if NSPR is used
  • ntlm_wb: Fix theoretical memory leak
  • runtests: Allow for spaces in curl custom path
  • http2: add stream != NULL checks for reliability
  • schannel: Replace deprecated GetVersion with VerifyVersionInfo
  • http2: verify success of strchr() in http2_send()
  • configure: add --disable-rt option
  • openssl: work around MSVC warning
  • HTTP: ignore "Content-Encoding: compress"
  • configure: check if OpenSSL linking wants -ldl
  • build-openssl.bat: Show syntax if required args are missing
  • test1902: attempt to make the test more reliable
  • libcurl-thread.3: Consolidate thread safety info
  • maketgz: Fixed some VC makefiles missing from the release tarball
  • libcurl-multi.3: mention curl_multi_wait
  • ABI doc: use secure URL
  • http: move HTTP/2 cleanup code off http_disconnect()
  • libcurl-thread.3: Warn memory functions must be thread safe
  • curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
  • docs: formpost needs the full size at start of upload
  • curl_gssapi: remove 'const' to fix compiler warnings
  • SSH: three state machine fixups
  • libcurl.3: fix a single typo
  • generate.bat: Only clean prerequisite files when in ALL mode
  • curl_slist_append.3: add error checking to the example
  • buildconf.bat: Added support for file clean-up via -clean
  • generate.bat: Use buildconf.bat for prerequisite file clean-up
  • NTLM: handle auth for only a single request
  • curl_multi_remove_handle.3: fix formatting
  • checksrc.bat: Fixed error when [directory] isn't a curl source directory
  • checksrc.bat: Fixed error when missing *.c and *.h files
  • CURLOPT_RESOLVE.3: Note removal support was added in 7.42
  • test46: update cookie expire time
  • SFTP: fix range request off-by-one in size check
  • CMake: fix GSSAPI builds
  • build: refer to fixed libidn versions
  • http2: discard frames with no SessionHandle
  • curl_easy_recv.3: fix formatting
  • libcurl-tutorial.3: fix formatting
  • curl_formget.3: correct return code

New in cURL 7.43.0 (Jun 18, 2015)

  • Changes:
  • Added CURLOPT_PROXY_SERVICE_NAME
  • Added CURLOPT_SERVICE_NAME
  • New curl option: --proxy-service-name
  • New curl option: --service-name
  • New curl option: --data-raw
  • Added CURLOPT_PIPEWAIT
  • Added support for multiplexing transfers using HTTP/2, enable this with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING
  • HTTP/2: requires nghttp2 1.0.0 or later
  • scripts: add zsh.pl for generating zsh completion
  • curl.h: add CURL_HTTP_VERSION_2
  • Bugfixes:
  • CVE-2015-3236: lingering HTTP credentials in connection re-use
  • CVE-2015-3237: SMB send off unrelated memory contents
  • nss: fix compilation failure with old versions of NSS
  • curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
  • schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
  • Curl_ossl_init: load builtin modules
  • configure: follow-up fix for krb5-config
  • sasl_sspi: Populate domain from the realm in the challenge
  • netrc: support 'default' token
  • README: convert to UTF-8
  • cyassl: Implement public key pinning
  • nss: implement public key pinning for NSS backend
  • mingw build: add arch -m32/-m64 to LDFLAGS
  • schannel: Fix out of bounds array
  • configure: remove autogenerated files by autoconf
  • configure: remove --automake from libtoolize call
  • acinclude.m4: fix shell test for default CA cert bundle/path
  • schannel: fix regression in schannel_recv
  • openssl: skip trace outputs for ssl_ver == 0
  • gnutls: properly retrieve certificate status
  • netrc: Read in text mode when cygwin
  • winbuild: Document the option used to statically link the CRT
  • FTP: Make EPSV use the control IP address rather than the original host
  • FTP: fix dangling conn->ip_addr dereference on verbose EPSV
  • conncache: keep bundles on host+port bases, not only host names
  • runtests.pl: use 'h2c' now, no -14 anymore
  • curlver: introducing new version number (checking) macros
  • openssl: boringssl build brekage, use SSL_CTX_set_msg_callback
  • CURLOPT_POSTFIELDS.3: correct variable names
  • curl_easy_unescape.3: update RFC reference
  • gnutls: don't fail on non-fatal alerts during handshake
  • testcurl.pl: allow source to be in an arbitrary directory
  • CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
  • SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description
  • parse_proxy: switch off tunneling if non-HTTP proxy
  • share_init: fix OOM crash
  • perl: remove subdir, not touched in 9 years
  • CURLOPT_COOKIELIST.3: Add example
  • CURLOPT_COOKIE.3: Explain that the cookies won't be modified
  • CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
  • FAQ: How do I port libcurl to my OS?
  • openssl: Use TLS_client_method for OpenSSL 1.1.0+
  • HTTP-NTLM: fail auth on connection close instead of looping
  • curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
  • curl_getdate.3: update RFC reference
  • curl_multi_info_read.3: added example
  • curl_multi_perform.3: added example
  • curl_multi_timeout.3: added example
  • cookie: Stop exporting any-domain cookies
  • openssl: remove dummy callback use from SSL_CTX_set_verify()
  • openssl: remove SSL_get_session()-using code
  • openssl: removed USERDATA_IN_PWD_CALLBACK kludge
  • openssl: removed error string #ifdef
  • openssl: Fix verification of server-sent legacy intermediates
  • docs: man page indentation and syntax fixes
  • docs: Spelling fixes
  • fopen.c: fix a few compiler warnings
  • CURLOPT_OPENSOCKETFUNCTION: return error at once
  • schannel: Add support for optional client certificates
  • build: Properly detect OpenSSL 1.0.2 when using configure
  • urldata: store POST size in state.infilesize too
  • security:choose_mech remove dead code
  • rtsp_do: remove dead code
  • docs: many HTTP URIs changed to HTTPS
  • schannel: schannel_recv overhaul

New in cURL 7.42.1 (Apr 29, 2015)

  • Bugfixes:
  • CURLOPT_HEADEROPT: default to separate
  • dist: include {src,lib}/checksrc.whitelist
  • connectionexists: fix build without NTLM
  • docs: distribute the CURLOPT_PINNEDPUBLICKEY man page, too
  • curl -z: do not write empty file on unmet condition
  • openssl: fix serial number output
  • curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
  • sws: init http2 state properly
  • curl.1: fix typo

New in cURL 7.42.0 (Apr 23, 2015)

  • Changes:
  • openssl: show the cipher selection to use in verbose text
  • gtls: implement CURLOPT_CERTINFO
  • add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
  • curl: add --false-start option
  • add CURLOPT_PATH_AS_IS
  • curl: add --path-as-is option
  • curl: create output file on successful download of an empty file
  • Bugfixes:
  • ConnectionExists: for NTLM re-use, require credentials to match
  • cookie: cookie parser out of boundary memory access
  • fix_hostname: zero length host name caused -1 index offset
  • http_done: close Negotiate connections when done
  • sws: timeout idle CONNECT connections
  • nss: improve error handling in Curl_nss_random()
  • nss: do not skip Curl_nss_seed() if data is NULL
  • curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
  • http2: move lots of verbose output to be debug-only
  • dist: add extern-scan.pl to the tarball
  • http2: return recv error on unexpected EOF
  • build: Use default RandomizedBaseAddress directive in VC9+ project files
  • build: Removed DataExecutionPrevention directive from VC9+ project files
  • tool: Updated the warnf() function to use the GlobalConfig structure
  • http2: Return error if stream was closed with other than NO_ERROR
  • mprintf.h: remove #ifdef CURLDEBUG
  • libtest: fixed linker errors on msvc
  • tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
  • curl.1: fix "The the" typo
  • cmake: handle build definitions CURLDEBUG/DEBUGBUILD
  • openssl: remove all uses of USE_SSLEAY
  • multi: fix memory-leak on timeout (regression)
  • curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
  • metalink: add some error checks
  • TLS: make it possible to enable ALPN/NPN without HTTP/2
  • http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
  • conncontrol: only log changes to the connection bit
  • multi: fix *getsock() with CONNECT
  • symbols.pl: handle '-' in the deprecated field
  • MacOSX-Framework: use @rpath instead of @executable_path
  • GnuTLS: add support for CURLOPT_CAPATH
  • GnuTLS: print negotiated TLS version and full cipher suite name
  • GnuTLS: don't print double newline after certificate dates
  • memanalyze.pl: handle free(NULL)
  • proxy: re-use proxy connections (regression)
  • mk-ca-bundle: Don't report SHA1 numbers with "-q"
  • http: always send Host: header as first header
  • openssl: sort ciphers to use based on strength
  • openssl: use colons properly in the ciphers list
  • http2: detect premature close without data transfered
  • hostip: Fix signal race in Curl_resolv_timeout
  • closesocket: call multi socket cb on close even with custom close
  • mksymbolsmanpage.pl: use std header and generate better nroff header
  • connect: Fix happy eyeballs logic for IPv4-only builds
  • curl_easy_perform.3: remove superfluous close brace from example
  • HTTP: don't use Expect: headers when on HTTP/2
  • Curl_sh_entry: remove unused 'timestamp'
  • docs/libcurl: makefile portability fix
  • mkhelp: Remove trailing carriage return from every line of input
  • nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
  • curl_easy_setopt.3: added a few missing options
  • metalink: fix resource leak in OOM
  • axtls: version 1.5.2 now requires that config.h be manually included
  • HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
  • cyassl: detect the library as renamed wolfssl
  • CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
  • CURLOPT_URL.3: Added "SECURITY CONCERNS
  • openssl: try to avoid accessing OCSP structs when possible
  • test938: added missing closing tags
  • testcurl: Allow '=' in values given on command line
  • tests/certs: added make target to rebuild certificates
  • tests/certs: rebuild certificates with modified key usage bits
  • gtls: avoid uninitialized variable
  • gtls: dereferencing NULL pointer
  • gtls: add check of return code
  • test1513: eliminated race condition in test run
  • dict: rename byte to avoid compiler shadowed declaration warning
  • curl_easy_recv/send: make them work with the multi interface
  • vtls: fix compile with --disable-crypto-auth but with SSL
  • openssl: adapt to ASN1/X509 things gone opaque in 1.1
  • openssl: verifystatus: only use the OCSP work-around

New in cURL 7.41.0 (Feb 25, 2015)

  • Changes:
  • NetWare build: added TLS-SRP enabled build
  • winbuild: Added option to build with c-ares
  • Added --cert-status
  • Added CURLOPT_SSL_VERIFYSTATUS
  • sasl: implement EXTERNAL authentication mechanism
  • Bugfixes:
  • sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
  • FTP: fix IPv6 host using link-local address
  • FTP: if EPSV fails on IPV6 connections, bail out
  • gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
  • NSS: fix compiler error when built http2-enabled
  • mingw build: allow to pass custom CFLAGS
  • add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS
  • curl_schannel.c: mark session as removed from cache if not freed
  • Curl_pretransfer: reset expected transfer sizes
  • curl.h: remove extra space
  • curl_endian: Fixed build when 64-bit integers are not supported
  • checksrc.bat: Better detection of Perl installation
  • build-openssl.bat: Added check for Perl installation
  • http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
  • http_negotiate: Added empty decoded challenge message info text
  • vtls: Removed unimplemented overrides of curlssl_close_all()
  • sasl_gssapi: Fixed memory leak with local SPN variable
  • http_negotiate: Use dynamic buffer for SPN generation
  • ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
  • openssl: do public key pinning check independently
  • timeval: typecast for better type (on Amiga)
  • ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
  • SASL: common URL option and auth capabilities decoders for all protocols
  • BoringSSL: fix build
  • BoringSSL: detected by configure, switches off NTLM
  • openvms: Handle openssl/0.8.9zb version parsing
  • configure: detect libresssl
  • configure: remove detection of the old yassl emulation API
  • curl_setup: Disable SMB/CIFS support when HTTP only
  • imap: remove automatic password setting: it breaks external sasl authentication
  • sasl: remove XOAUTH2 from default enabled authentication mechanism
  • runtests: identify BoringSSL and libressl
  • security: avoid compiler warning
  • ldap: build with BoringSSL
  • des: Added Curl_des_set_odd_parity()
  • CURLOPT_SEEKFUNCTION.3: also when server closes a connection
  • CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
  • build: Removed unused Visual Studio bscmake settings
  • build: Enabled DEBUGBUILD in Visual Studio debug builds
  • build: Renamed top level Visual Studio solution files
  • build: Removed Visual Studio SuppressStartupBanner directive for VC8+
  • libcurl-symbols: first basic shot for autogenerated docs
  • Makefile.am: fix 'make distcheck'
  • getpass_r: read from stdin, not stdout!
  • getpass: protect include with proper #ifdef
  • opts: CURLOPT_CAINFO availability depends on SSL engine
  • more cleanup of 'CURLcode result' return code
  • MD4: replace implementation
  • MD5: replace implementation
  • openssl: SSL_SESSION->ssl_version no longer exist
  • md5: use axTLS's own MD5 functions when available
  • schannel: Removed curl_ prefix from source files
  • curl.1: add warning when using -H and redirects
  • curl.1: clarify that -X is used for all requests
  • gskit: Fix exclusive SSLv3 option
  • polarssl: Fix exclusive SSL protocol version options
  • http2: Fix bug that associated stream canceled on PUSH_PROMISE
  • ftp: accept all 2xx responses to the PORT command
  • configure: allow both --with-ca-bundle and --with-ca-path
  • cmake: install the dll file to the correct directory
  • nss: fix NPN/ALPN protocol negotiation
  • polarssl: fix ALPN protocol negotiation
  • cmake: Fix generation of tool_hugehelp.c on windows
  • cmake: fix winsock2 detection on windows
  • gnutls: fix build with HTTP2
  • connect: fix a spurious connect failure on dual-stacked hosts
  • test: test 530 is now less timing dependent
  • telnet: invalid use of custom read function if not set

New in cURL 7.40.0 (Jan 8, 2015)

  • Changes:
  • http_digest: Added support for Windows SSPI based authentication
  • version info: Added Kerberos V5 to the supported features
  • Makefile: Added VC targets for WinIDN
  • config-win32: Introduce build targets for VS2012+
  • SSL: Add PEM format support for public key pinning
  • smtp: Added support for the conversion of Unix newlines during mail send
  • smb: Added initial support for the SMB/CIFS protocol
  • Added support for HTTP over unix domain sockets, via CURLOPT_UNIX_SOCKET_PATH and --unix-socket
  • sasl: Added support for GSS-API based Kerberos V5 authentication
  • Bugfixes:
  • darwinssl: fix session ID keys to only reuse identical sessions
  • url-parsing: reject CRLFs within URLs
  • OS400: Adjust specific support to last release
  • THANKS: Remove duplicate names
  • url.c: Fixed compilation warning
  • ssh: Fixed build on platforms where R_OK is not defined
  • tool_strdup.c: include the tool strdup.h
  • build: Fixed Visual Studio project file generation of strdup.[c|h]
  • curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY
  • curl.1: show zone index use in a URL
  • mk-ca-bundle.vbs: switch to new certdata.txt url
  • Makefile.dist: Added some missing SSPI configurations
  • build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
  • SSH: use the port number as well for known_known checks
  • libssh2: detect features based on version, not configure checks
  • http2: Deal with HTTP/2 data inside Upgrade response header buffer
  • multi: removed Curl_multi_set_easy_connection
  • symbol-scan.pl: do not require autotools
  • cmake: add ENABLE_THREADED_RESOLVER, rename ARES
  • cmake: build libhostname for test suite
  • cmake: fix HAVE_GETHOSTNAME definition
  • tests: fix libhostname visibility
  • tests: fix memleak in server/resolve.c
  • vtls.h: Fixed compiler warning when compiled without SSL
  • CMake: Restore order-dependent header checks
  • CMake: Restore order-dependent library checks
  • tool: Removed krb4 from the supported features
  • http2: Don't send Upgrade headers when we already do HTTP/2
  • examples: Don't call select() to sleep on windows
  • win32: Updated some legacy APIs to use the newer extended versions
  • easy.c: Fixed compilation warning when no verbose string support
  • connect.c: Fixed compilation warning when no verbose string support
  • build: in Makefile.m32 pass -F flag to windres
  • build: in Makefile.m32 add -m32 flag for 32bit
  • multi: when leaving for timeout, close accordingly
  • CMake: Simplify if() conditions on check result variables
  • build: in Makefile.m32 try to detect 64bit target
  • multi: inform about closed sockets before they are closed
  • multi-uv.c: close the file handle after download
  • examples: Wait recommended 100ms when no file descriptors are ready
  • ntlm: Split the SSPI based messaging code from the native messaging code
  • cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
  • cmake: add Kerberos to the supported feature
  • CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
  • http: Disable pipelining for HTTP/2 and upgraded connections
  • ntlm: Fixed static'ness of local decode function
  • sasl: Reduced the need for two sets of NTLM messaging functions
  • multi.c: Fixed compilation warnings when no verbose string support
  • select.c: fix compilation for VxWorks
  • multi-single.c: switch to use curl_multi_wait
  • curl_multi_wait.3: clarify numfds being used if not NULL
  • http.c: Fixed compilation warnings from features being disabled
  • NSS: enable the CAPATH option
  • docs: Fix FAILONERROR typos
  • HTTP: don't abort connections with pending Negotiate authentication
  • HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
  • http_perhapsrewind: don't abort CONNECT requests
  • build: updated dependencies in makefiles
  • multi.c: Fixed compilation warning
  • ftp.c: Fixed compilation warnings when proxy support disabled
  • get_url_file_name: Fixed crash on OOM on debug build
  • cookie.c: Refactored cleanup code to simplify
  • OS400: enable NTLM authentication
  • ntlm: Use Windows Crypt API
  • http2: avoid logging neg "failure" if h2 was not requested
  • schannel_recv: return the correct code
  • VC build: added sspi define for winssl-zlib builds
  • Curl_client_write(): chop long data, convert data only once
  • openldap: do not ignore Curl_client_write() return code
  • ldap: check Curl_client_write() return codes
  • parsedate.c: Fixed compilation warning
  • url.c: Fixed compilation warning when USE_NTLM is not defined
  • ntlm_wb_response: fix "statement not reached"
  • telnet: fix "cast increases required alignment of target type"
  • smtp: Fixed dot stuffing when EOL characters at end of input buffers
  • ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
  • ntlm: Disable NTLM v2 when 64-bit integers are not supported
  • ntlm: Use short integer when decoding 16-bit values
  • ftp.c: Fixed compilation warning when no verbose string support
  • synctime.c: fixed timeserver URLs
  • mk-ca-bundle.pl: restored forced run again
  • ntlm: Fixed return code for bad type-2 Target Info
  • curl_schannel.c: Data may be available before connection shutdown
  • curl_schannel: Improvements to memory re-allocation strategy
  • darwinssl: aprintf() to allocate the session key
  • tool_util.c: Use GetTickCount64 if it is available
  • lib: Fixed multiple code analysis warnings if SAL are available
  • tool_binmode.c: Explicitly ignore the return code of setmode
  • tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
  • opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
  • SFTP: work-around servers that return zero size on STAT
  • connect: singleipconnect(): properly try other address families after failure
  • IPV6: address scope != scope id
  • parseurlandfillconn(): fix improper non-numeric scope_id stripping
  • secureserver.pl: make OpenSSL CApath and cert absolute path values
  • secureserver.pl: update Windows detection and fix path conversion
  • secureserver.pl: clean up formatting of config and fix verbose output
  • tests: Added Windows support using Cygwin-based OpenSSH
  • sockfilt.c: use non-Ex functions that are available before WinXP
  • VMS: Updates for 0740-0D1220
  • openssl: warn for SRP set if SSLv3 is used, not for TLS version
  • openssl: make it compile against openssl 1.1.0-DEV master branch
  • openssl: fix SSL/TLS versions in verbose output
  • curl: show size of inhibited data when using -v
  • build: Removed WIN32 definition from the Visual Studio projects
  • build: Removed WIN64 definition from the libcurl Visual Studio projects
  • vtls: Use bool for Curl_ssl_getsessionid() return type
  • sockfilt.c: Replace 100ms sleep with thread throttle
  • sockfilt.c: Reduce the number of individual memory allocations
  • vtls: Don't set cert info count until memory allocation is successful
  • nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
  • nss: Don't ignore Curl_extract_certinfo() OOM failure
  • vtls: Fixed compilation warning and an ignored return code
  • sockfilt.c: Fixed compilation warnings
  • darwinssl: Fixed compilation warning
  • vtls: Use '(void) arg' for unused parameters
  • sepheaders.c: Fixed resource leak on failure
  • lib1900.c: Fixed cppcheck error
  • ldap: Fixed Unicode connection details in Win32 initialsation / bind calls
  • ldap: Fixed Unicode DN, attributes and filter in Win32 search calls

New in cURL 7.39.0 (Nov 5, 2014)

  • Changes:
  • SSLv3 is disabled by default
  • CURLOPT_COOKIELIST: Added "RELOAD" command
  • build: Added WinIDN build configuration options to Visual Studio projects
  • ssh: improve key file search
  • SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
  • vtls: remove QsoSSL support, use gskit!
  • mk-ca-bundle: added SHA-384 signature algorithm
  • docs: added many examples for libcurl opts and other doc improvements
  • build: Added VC ssh2 target to main Makefile
  • MinGW: Added support to build with nghttp2
  • NetWare: Added support to build with nghttp2
  • build: added Watcom support to build with WinSSL
  • build: Added optional specific version generation of VC project files
  • Bugfixes:
  • curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
  • openssl: build fix for versions < 0.9.8e
  • newlines: fix mixed newlines to LF-only
  • ntlm: Fixed HTTP proxy authentication when using Windows SSPI
  • sasl_sspi: Fixed Unicode build
  • file: reject paths using embedded
  • threaded-resolver: revert Curl_expire_latest() switch
  • configure: allow --with-ca-path with PolarSSL too
  • HTTP/2: Fix busy loop when EOF is encountered
  • CURLOPT_CAPATH: return failure if set without backend support
  • nss: do not fail if a CRL is already cached
  • smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
  • fixed 20+ nits/memory leaks identified by Coverity scans
  • curl_schannel.c: Fixed possible memory or handle leak
  • multi-uv.c: call curl_multi_info_read() better
  • cmake: Check for OpenSSL before OpenLDAP
  • cmake: Fix library list provided to cURL tests
  • cmake: Avoid cycle directory dependencies
  • cmake: Build with GSS-API libraries (MIT or Heimdal)
  • vtls: provide backend defines for internal source code
  • nss: fix a connection failure when FTPS handle is reused
  • tests/http_pipe.py: Python 3 support
  • cmake: build tool_hugehelp (ENABLE_MANUAL)
  • cmake: enable IPv6 by default if available
  • tests: move TESTCASES to Makefile.inc, add show for cmake
  • ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
  • ntlm: Fixed empty/bad base-64 decoded buffer return codes
  • ntlm: Fixed empty type-2 decoded message info text
  • cmake: add CMake/Macros.cmake to the release tarball
  • cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
  • cmake: use LIBCURL_VERSION from curlver.h
  • cmake: generate pkg-config and curl-config
  • fixed several superfluous variable assignements identified by cppcheck
  • cleanup of 'CURLcode result' return code
  • pipelining: only output "is not blacklisted" in debug builds
  • SSL: Remove SSLv3 from SSL default due to POODLE attack
  • gskit.c: remove SSLv3 from SSL default
  • darwinssl: detect possible future removal of SSLv3 from the framework
  • ntlm: Only define ntlm data structure when USE_NTLM is defined
  • ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
  • ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
  • sspi: Only call CompleteAuthToken() when complete is needed
  • http_negotiate: Fixed missing check for USE_SPNEGO
  • HTTP: return larger than 3 digit response codes too
  • openssl: Check for NPN / ALPN via OpenSSL version number
  • openssl: enable NPN separately from ALPN
  • sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
  • sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
  • resume: consider a resume from
  • sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
  • build-openssl.bat: Fix x64 release build
  • cmake: drop _BSD_SOURCE macro usage
  • cmake: fix gethostby{addr,name}_r in CurlTests
  • cmake: clean OtherTests, fixing -Werror
  • cmake: fix struct sockaddr_storage check
  • Curl_single_getsock: fix hold/pause sock handling
  • SSL: PolarSSL default min SSL version TLS 1.0
  • cmake: fix ZLIB_INCLUDE_DIRS use
  • buildconf: stop checking for libtool

New in cURL 7.38.0 (Sep 10, 2014)

  • Changes:
  • supports HTTP/2 draft-14
  • CURLE_HTTP2 is a new error code
  • CURLAUTH_NEGOTIATE is a new auth define
  • CURL_VERSION_GSSAPI is a new capability bit
  • no longer use fbopenssl for anything
  • schannel: use CryptGenRandom for random numbers
  • axtls: define curlssl_random using axTLS's PRNG
  • cyassl: use RNG_GenerateBlock to generate a good random number
  • findprotocol: show unsupported protocol within quotes
  • version: detect and show LibreSSL
  • version: detect and show BoringSSL
  • imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
  • http2: requires nghttp2 0.6.0 or later
  • Bugfixes:
  • SECURITY ADVISORY: cookie leak with IP address as domain
  • SECURITY ADVISORY: cookie leak for TLDs
  • fix a build failure on Debian when NSS support is enabled
  • HTTP/2: fixed compiler warnings when built disabled
  • cyassl: return the correct error code on no CA cert
  • http: Deprecate GSS-Negotiate macros due to bad naming
  • http: Fixed Negotiate: authentication
  • multi: Improve proxy CONNECT performance (regression)
  • ntlm_wb: Avoid invoking ntlm_auth helper with empty username
  • ntlm_wb: Fix hard-coded limit on NTLM auth packet size
  • url.c: use the preferred symbol name: *READDATA
  • smtp: fixed a segfault during test 1320 torture test
  • cyassl: made it compile with version 2.0.6 again
  • nss: do not check the version of NSS at run time
  • c-ares: fix build without IPv6 support
  • HTTP/2: use base64url encoding
  • SSPI Negotiate: Fix 3 memory leaks
  • libtest: fixed duplicated line in Makefile
  • conncache: fix compiler warning
  • openssl: make ossl_send return CURLE_OK better
  • HTTP/2: Support expect: 100-continue
  • HTTP/2: Fix infinite loop in readwrite_data()
  • parsedate: fix the return code for an overflow edge condition
  • darwinssl: don't use strtok()
  • http_negotiate_sspi: Fixed specific username and password not working
  • openssl: replace call to OPENSSL_config
  • http2: show the received header for better debugging
  • HTTP/2: Move :authority before non-pseudo header fields
  • HTTP/2: Reset promised stream, not its associated stream
  • HTTP/2: added some more logging for debugging stream problems
  • ntlm: Added support for SSPI package info query
  • ntlm: Fixed hard coded buffer for SSPI based auth packet generation
  • sasl_sspi: Fixed memory leak with not releasing Package Info struct
  • sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
  • sasl: Use a dynamic buffer for DIGEST-MD5 SPN generation
  • http_negotiate_sspi: Use a dynamic buffer for SPN generation
  • sasl_sspi: Fixed missing free of challenge buffer on SPN failure
  • sasl_sspi: Fixed hard coded buffer for response generation
  • Curl_poll + Curl_wait_ms: fix timeout return value
  • docs/SSLCERTS: update the section about NSS database
  • create_conn: prune dead connections
  • openssl: fix version report for the 0.9.8 branch
  • mk-ca-bundle.pl: switched to using hg.mozilla.org
  • http: fix the Content-Range: parser
  • Curl_disconnect: don't free the URL
  • win32: Fixed WinSock 2 #if
  • NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
  • curl.1: clarify --limit-rate's effect on both directions
  • disconnect: don't touch easy-related state on disconnects
  • Cmake: big cleanup and numerous fixes
  • HTTP/2: supports draft-14 - moved :headers before the non-psuedo headers
  • HTTP/2: Reset promised stream, not its associated stream
  • configure.ac: Add support for recent GSS-API implementations for HP-UX
  • CONNECT: close proxy connections that fail
  • CURLOPT_NOBODY.3: clarify this option is for downloads
  • darwinssl: fix CA certificate checking using PEM format
  • resolve: cache lookup for async resolvers
  • low-speed-limit: avoid timeout flood
  • polarssl: implement CURLOPT_SSLVERSION
  • multi: convert CURLM_STATE_CONNECT_PEND handling to a list
  • curl_multi_cleanup: remove superfluous NULL assigns
  • polarssl: support CURLOPT_CAPATH / --capath
  • progress: size_dl/size_ul are always >= 0, and clear "KNOWN" properly

New in cURL 7.37.1 (Aug 27, 2014)

  • Changes:
  • bits.close: introduce connection close tracking
  • darwinssl: Add support for --cacert
  • polarssl: add ALPN support
  • docs: Added new option man pages
  • Bugfixes:
  • build: Fixed incorrect reference to curl_setup.h in Visual Studio files
  • build: Use $(TargetDir) and $(TargetName) macros for .pdb and .lib output
  • curl.1: clarify that -u can't specify a user with colon
  • openssl: Fix uninitialized variable use in NPN callback
  • curl_easy_reset: reset the URL
  • curl_version_info.3: returns a pointer to a static struct
  • url-parser: only use if_nametoindex if detected by configure
  • select: with winsock, avoid passing unsupported arguments to select()
  • gnutls: don't use deprecated type names anymore
  • gnutls: allow building with nghttp2 but without ALPN support
  • tests: Fix portability issue with the tftpd server
  • curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN
  • curl_sasl: extended native DIGEST-MD5 cnonce to be a 32-byte hex string
  • random: use Curl_rand() for proper random data
  • Curl_ossl_init: call OPENSSL_config for initing engines
  • config-win32.h: Updated for VC12
  • winbuild: Don't USE_WINSSL when WITH_SSL is being used
  • getinfo: HTTP CONNECT code not reset between transfers
  • Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
  • http2: avoid segfault when using the plain-text http2
  • conncache: move the connection counter to the cache struct
  • http2: better return code error checking
  • curlbuild: fix GCC build on SPARC systems without configure script
  • tool_metalink: Support polarssl as digest provider
  • curl.h: reverse the enum/define setup for old symbols
  • curl.h: moved two really old deprecated symbols
  • curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
  • buildconf: do not search tools in current directory.
  • OS400: make it compilable again. Make RPG binding up to date
  • nss: do not abort on connection failure (failing tests 305 and 404)
  • nss: make the fallback to SSLv3 work again
  • tool: prevent valgrind from reporting possibly lost memory (nss only)
  • progress callback: skip last callback update on errors
  • nss: fix a memory leak when CURLOPT_CRLFILE is used
  • compiler warnings: potentially uninitialized variables
  • url.c: Fixed memory leak on OOM
  • gnutls: ignore invalid certificate dates with VERIFYPEER disabled
  • gnutls: fix SRP support with versions of GnuTLS from 2.99.0
  • gnutls: fixed a couple of uninitialized variable references
  • gnutls: fixed compilation against versions < 2.12.0
  • build: Fixed overridden compiler PDB settings in VC7 to VC12
  • ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
  • netrc: don't abort if home dir cannot be found
  • netrc: fixed thread safety problem by using getpwuid_r if available
  • cookie: avoid mutex deadlock
  • configure: respect host tool prefix for krb5-config
  • gnutls: handle IP address in cert name check

New in cURL 7.35.0 (Jan 29, 2014)

  • Changes:
  • imap/pop3/smtp: Added support for SASL authentication downgrades
  • imap/pop3/smtp: Extended the login options to support multiple auth mechanisms
  • TheArtOfHttpScripting: major update, converted layout and more
  • mprintf: Added support for I, I32 and I64 size specifiers
  • makefile: Added support for VC7, VC11 and VC12
  • Bugfixes:
  • SECURITY ADVISORY: re-use of wrong HTTP NTLM connection
  • curl_easy_setopt: Fixed OAuth 2.0 Bearer option name
  • pop3: Fixed APOP being determined by CAPA response rather than by timestamp
  • Curl_pp_readresp: zero terminate line
  • FILE: don't wait due to CURLOPT_MAX_RECV_SPEED_LARGE
  • docs: mention CURLOPT_MAX_RECV/SEND_SPEED_LARGE don't work for FILE://
  • pop3: Fixed auth preference not being honored when CAPA not supported
  • imap: Fixed auth preference not being honored when CAPABILITY not supported
  • threaded resolver: Use pthread_t * for curl_thread_t
  • FILE: we don't support paused transfers using this protocol
  • connect: Try all addresses in first connection attempt
  • curl_easy_setopt.3: Added SMTP information to CURLOPT_INFILESIZE_LARGE
  • OpenSSL: Fix forcing SSLv3 connections
  • openssl: allow explicit sslv2 selection
  • FTP parselist: fix "total" parser
  • conncache: fix possible dereference of null pointer
  • multi.c: fix possible dereference of null pointer
  • mk-ca-bundle: introduces -d and warns about using this script
  • ConnectionExists: fix NTLM check for new connection
  • trynextip: fix build for non-IPV6 capable systems
  • Curl_updateconninfo: don't do anything for UDP "connections"
  • darwinssl: un-break Leopard build after PKCS#12 change
  • threaded-resolver: never use NULL hints with getaddrinf
  • multi_socket: remind app if timeout didn't run
  • OpenSSL: deselect weak ciphers by default
  • error message: Sensible message on timeout when transfer size unknown
  • curl_easy_setopt.3: mention how to unset CURLOPT_INFILESIZE*
  • win32: Fixed use of deprecated function 'GetVersionInfoEx' for VC12
  • configure: fix gssapi linking on HP-UX
  • chunked-parser: abort on overflows, allow 64 bit chunks
  • chunked parsing: relax the CR strictness
  • cookie: max-age fixes
  • progress bar: always update when at 100%
  • progress bar: increase update frequency to 10Hz
  • tool: Fixed incorrect return code if command line parser runs out of memory
  • tool: Fixed incorrect return code if password prompting runs out of memory
  • HTTP POST: omit Content-Length if data size is unknown
  • GnuTLS: disable insecure ciphers
  • GnuTLS: honor --slv2 and the --tlsv1[.N] switches
  • multi: Fixed a memory leak on OOM condition
  • netrc: Fixed a memory and file descriptor leak on OOM
  • getpass: fix password parsing from console
  • TFTP: fix crash on time-out
  • hostip: don't remove DNS entries that are in use
  • tests: lots of tests fixed to pass the OOM torture tests

New in cURL 7.34.0 (Dec 23, 2013)

  • Changes:
  • SSL: protocol version can be specified more precisely
  • imap/pop3/smtp: Added graceful cancellation of SASL authentication
  • Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
  • base64: Added validation of base64 input strings when decoding
  • curl_easy_setopt: Added the ability to set the login options separately
  • smtp: Added support for additional SMTP commands
  • curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
  • nss: allow to use TLS > 1.0 if built against recent NSS
  • SECURITY: added this document to describe our security processes
  • parseconfig: warn if unquoted white spaces are detected
  • Bugfixes:
  • SECURITY VULNERABILITY: libcurl cert name check ignore with GnuTLS
  • darwinssl: un-break iOS build after PKCS#12 feature added
  • tool: use XFERFUNCTION to save some casts
  • usercertinmem: fix memory leaks
  • ssh: Handle successful SSH_USERAUTH_NONE
  • NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
  • test906: Fixed failing test on some platforms
  • sasl: initialize NSS before using NTLM crypto
  • sasl: Fixed memory leak in OAUTH2 message creation
  • imap/pop3/smtp: Fixed QUIT / LOGOUT being sent when SSL connect fails
  • cmake: unbreak for non-Windows platforms
  • ssh: initialize per-handle data in ssh_connect()
  • glob: fix broken URLs
  • configure: check for long long when building with cyassl
  • CURLOPT_RESOLVE: mention they don't time-out
  • docs/examples/httpput.c: fix build for MSVC
  • FTP: make the data connection work when going through proxy
  • NSS: support for CERTINFO feature
  • curl_multi_wait: accept 0 from multi_timeout() as valid timeout
  • glob_range: pass the closing bracket for a-z ranges
  • tool_help: Updated --list-only description to include POP3
  • Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string
  • cmake: fix Windows build with IPv6 support
  • ares: Fixed compilation under Visual Studio 2012
  • curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation
  • curl.1: mention that -O does no URL decoding
  • darwinssl: PKCS#12 import feature now requires Lion or later
  • darwinssl: check for SSLSetSessionOption() presence when toggling BEAST
  • configure: Fix test with -Werror=implicit-function-declaration
  • sigpipe: factor out sigpipe_reset from easy.c
  • curl_multi_cleanup: ignore SIGPIPE
  • globbing: curl glob counter mismatch with {} list use
  • parseconfig: dash options can't specified with colon or equals
  • digest: fix CURLAUTH_DIGEST_IE
  • curl.h: for OpenBSD
  • darwinssl: Fix #if 10.6.0 for SecKeychainSearch
  • TFTP: fix return codes for connect timeout
  • login options: remove the ;[options] support from CURLOPT_USERPWD
  • imap: Fixed incorrect fallback to clear text authentication
  • parsedate: avoid integer overflow
  • curl.1: document -J doesn't %-decode
  • multi: add timer inaccuracy margin to timeout/connecttimeout

New in cURL 7.33.0 (Oct 15, 2013)

  • Changes:
  • test code for testing the event based API
  • CURLM_ADDED_ALREADY: new error code
  • test TFTP server: support "writedelay" within
  • krb4 support has been removed
  • imap/pop3/smtp: added basic SASL XOAUTH2 support
  • darwinssl: add support for PKCS#12 files for client authentication
  • darwinssl: enable BEAST workaround on iOS 7 & later
  • Pass password to OpenSSL engine by user interface
  • c-ares: Add support for various DNS binding options
  • cookies: add expiration
  • curl: added --oauth2-bearer option
  • Bugfixes:
  • nss: make sure that NSS is initialized
  • curl: make --no-[option] work properly for several options
  • FTP: with socket_action send better socket updates in active mode
  • curl: fix the --sasl-ir in the --help output
  • tests 2032, 2033: Don't hardcode port in expected output
  • urlglob: better detect unclosed braces, empty lists and overflows
  • urlglob: error out on range overflow
  • imap: Fixed response check for SEARCH, EXPUNGE, LSUB, UID and NOOP commands
  • handle arbitrary-length username and password
  • TFTP: make the CURLOPT_LOW_SPEED* options work
  • curl.h: name space pollution by "enum type"
  • multi: move on from STATE_DONE faster
  • FTP: 60 secs delay if aborted in the CURLOPT_HEADERFUNCTION callback
  • multi_socket: improved 100-continue timeout handling
  • curl_multi_remove_handle: allow multiple removes
  • FTP: fix getsock during DO_MORE state
  • -x: rephrased the --proxy section somewhat
  • acinclude: fix --without-ca-path when cross-compiling
  • LDAP: fix bad free() when URL parsing failed
  • --data: mention CRLF treatment when reading from file
  • curl_easy_pause: suggest one way to unpause
  • imap: Fixed calculation of transfer when partial FETCH received
  • pingpong: Check SSL library buffers for already read data
  • imap/pop3/smtp: Speed up SSL connection initialization
  • libcurl.3: for multi interface connections are held in the multi handle
  • curl_easy_setopt.3: mention RTMP URL quirks
  • curl.1: detail how short/long options work
  • curl.1: Added information about optional login options to --user option
  • curl: Added clarification to the --mail options in the --help output
  • curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value
  • openssl: use correct port number in error message
  • darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher
  • OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER
  • xattr: add support for FreeBSD xattr API
  • win32: fix Visual Studio 2010 build with WINVER >= 0x600
  • configure: use icc options without space
  • test1112: Increase the timeout from 7s to 16s
  • SCP: upload speed on a fast connection limited to 16384 B/s
  • curl_setup_once: fix errno access for lwip on Windows
  • HTTP: Output http response 304 when modified time is too old

New in cURL 7.32.0 (Aug 12, 2013)

  • curl: allow timeouts to accept decimal values
  • OS400: add slist and certinfo EBCDIC support
  • OS400: new SSL backend GSKit
  • CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
  • LIBCURL-STRUCTS: new document

New in cURL 7.31.0 (Jun 24, 2013)

  • Changes:
  • darwinssl: add TLS session resumption
  • darwinssl: add TLS crypto authentication
  • imap/pop3/smtp: Added support for ;auth= in the URL
  • imap/pop3/smtp: Added support for ;auth= to CURLOPT_USERPWD
  • usercertinmem.c: add example showing user cert in memory
  • url: Added smtp and pop3 hostnames to the protocol detection list
  • imap/pop3/smtp: Added support for enabling the SASL initial response
  • curl -E: allow to use ':' in certificate nicknames
  • Bugfixes:
  • SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond the end of the input buffer [26]
  • FTP: access files in root dir correctly
  • configure: try pthread_create without -lpthread
  • FTP: handle a 230 welcome response
  • curl-config: don't output static libs when they are disabled
  • CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
  • Various documentation updates
  • getinfo.c: reset timecond when clearing session-info variables
  • FILE: prevent an artificial timeout event due to stale speed-check data
  • ftp_state_pasv_resp: connect through proxy also when set by env
  • sshserver: disable StrictHostKeyChecking
  • ftpserver: Fixed imap logout confirmation data
  • curl_easy_init: use less mallocs
  • smtp: Fixed unknown percentage complete in progress bar
  • smtp: Fixed sending of double CRLF caused by first in EOB
  • bindlocal: move brace out of #ifdef
  • winssl: Fixed invalid memory access during SSL shutdown
  • OS X framework: fix invalid symbolic link
  • OpenSSL: allow empty server certificate subject
  • axtls: prevent memleaks on SSL handshake failures
  • cookies: only consider full path matches
  • Revert win32 MemoryTracking: wcsdup() _wcsdup() and _tcsdup()
  • Curl_cookie_add: handle IPv6 hosts
  • ossl_send: SSL_write() returning 0 is an error too
  • ossl_recv: SSL_read() returning 0 is an error too
  • Digest auth: escape user names with backslash or " in them
  • curl_formadd.3: fixed wrong "end-marker" syntax
  • libcurl-tutorial.3: fix incorrect backslash
  • curl_multi_wait: reduce timeout if the multi handle wants to
  • tests/Makefile: typo in the perlcheck target
  • axtls: honor disabled VERIFYHOST
  • OpenSSL: avoid double free in the PKCS12 certificate code
  • multi_socket: reduce timeout inaccuracy margin
  • digest: support auth-int for empty entity body
  • axtls: now done non-blocking
  • lib1900: use tutil_tvnow instead of gettimeofday
  • curl_easy_perform: avoid busy-looping
  • CURLOPT_COOKIELIST: take cookie share lock
  • multi_socket: react on socket close immediately

New in cURL 7.30.0 (Apr 12, 2013)

  • imap: Changed response tag generation to be completely unique
  • imap: Added support for SASL-IR extension
  • imap: Added support for the list command
  • imap: Added support for the append command
  • imap: Added custom request parsing
  • imap: Added support to the fetch command for UID and SECTION properties
  • imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
  • darwinssl: Make certificate errors less techy
  • imap/pop3/smtp: Added support for the STARTTLS capability
  • checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
  • curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
  • Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling
  • Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control
  • Bugfixes:
  • SECURITY ADVISORY: cookie tailmatching to avoid cross-domain leakage
  • darwinssl: Fix build under Leopard
  • DONE: consider callback-aborted transfers premature
  • ntlm: Fixed memory leaks
  • smtp: Fixed an issue when processing EHLO failure responses
  • pop3: Fixed incorrect return value from pop3_endofresp()
  • pop3: Fixed SASL authentication capability detection
  • pop3: Fixed blocking SSL connect when connecting via POP3S
  • imap: Fixed memory leak when performing multiple selects
  • nss: fix misplaced code enabling non-blocking socket mode
  • AddFormData: prevent only directories from being posted
  • darwinssl: fix infinite loop if server disconnected abruptly
  • metalink: fix improbable crash parsing metalink filename
  • show proper host name on failed resolve
  • MacOSX-Framework: Make script work in Xcode 4.0 and later
  • strlcat: remove function
  • darwinssl: Fix send glitchiness with data > 32 or so KB
  • polarssl: better 1.1.x and 1.2.x support
  • various documentation improvements
  • multi: NULL pointer reference when closing an unused multi handle
  • SOCKS: fix socks proxy when noproxy matched
  • install-sh: updated to support multiple source files as arguments
  • PolarSSL: added human readable error strings
  • resolver_error: remove wrong error message output
  • docs: updates HTML index and general improvements
  • curlbuild.h.dist: enhance non-configure GCC ABI detection logic
  • sasl: Fixed null pointer reference when decoding empty digest challenge
  • easy: do not ignore poll() failures other than EINTR
  • darwinssl: disable ECC ciphers under Mountain Lion by default
  • CONNECT: count received headers
  • build: fixes for VMS
  • CONNECT: clear 'rewindaftersend' on success
  • HTTP proxy: insert slash in URL if missing
  • hiperfifo: updated to use current libevent API
  • getinmemory.c: abort the transfer nicely if not enough memory
  • improved win32 memorytracking
  • corrected proxy header response headers count
  • FTP quote operations on re-used connection
  • tcpkeepalive on win32
  • tcpkeepalive on Mac OS X
  • easy: acknowledge the CURLOPT_MAXCONNECTS option properly
  • easy interface: restore default MAXCONNECTS to 5
  • win32: don't set SO_SNDBUF for windows vista or later versions
  • HTTP: made cookie sort function more deterministic
  • winssl: Fixed memory leak if connection was not successful
  • FTP: wait on both connections during active STOR state
  • connect: treat a failed local bind of an interface as a non-fatal error
  • darwinssl: disable insecure ciphers by default
  • FTP: handle "rubbish" in front of directory name in 257 responses
  • mk-ca-bundle: Fixed lost OpenSSL output with "-t"

New in cURL 7.29.0 (Feb 6, 2013)

  • Changes:
  • test: offer "automake" output and check for perl better
  • always-multi: always use non-blocking internals
  • imap: Added support for sasl digest-md5 authentication
  • imap: Added support for sasl cram-md5 authentication
  • imap: Added support for sasl ntlm authentication
  • imap: Added support for sasl login authentication
  • imap: Added support for sasl plain text authentication
  • imap: Added support for login disabled server capability
  • mk-ca-bundle: add -f, support passing to stdout and more
  • writeout: -w now supports remote_ip/port and local_ip/port
  • Bugfixes:
  • SECURITY ADVISORY: SASL buffer overflow vulnerability
  • nss: prevent NSS from crashing on client auth hook failure
  • darwinssl: Fixed inability to disable peer verification on Snow Leopard and Lion
  • curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE
  • SCP: relative path didn't work as documented
  • setup_once.h: HP-UX issue workaround
  • configure: fix cross pkg-config detection
  • runtests: Do not add undefined values to @INC
  • build: fix compilation with CURL_DISABLE_CRYPTO_AUTH flag
  • multi: fix re-sending request on early connection close
  • HTTP: remove stray CRLF in chunk-encoded content-free request bodies
  • build: fix AIX compilation and usage of events/revents
  • VC Makefiles: add missing hostcheck
  • nss: clear session cache if a client certificate from file is used
  • nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
  • fix HTTP CONNECT tunnel establishment upon delayed response
  • --libcurl: fix for non-zero default options
  • FTP: reject illegal port numbers in EPSV 229 responses
  • build: use per-target '_CPPFLAGS' for those currently using default
  • configure: fix automake 1.13 compatibility
  • curl: ignore SIGPIPE
  • pop3: Added support for non-blocking SSL upgrade
  • pop3: Fixed default authentication detection
  • imap: Fixed usernames and passwords that contain escape characters
  • packages/DOS/common.dj: remove COFF debug info generation
  • imap/pop3/smtp: Fixed failure detection during TLS upgrade
  • pop3: Fixed no known authentication mechanism when fallback is required
  • formadd: reject trying to read a directory where a file is expected
  • formpost: support quotes, commas and semicolon in file names
  • docs: update the comments about loading CA certs with NSS
  • docs: fix typos in man pages
  • darwinssl: Fix bug where packets were sometimes transmitted twice
  • winbuild: include version info for .dll .exe
  • schannel: Removed extended error connection setup flag
  • VMS: fix and generate the VMS build config

New in cURL 7.23.1 (Nov 23, 2011)

  • Several improvements and various bugfixes were made.

New in cURL 7.21.1 (Aug 12, 2010)

  • This version supports NTLM authentication when compiled with NSS.
  • It has at least 37 documented bugfixes.

New in cURL 7.21.0 (Jun 17, 2010)

  • Changes:
  • added the --proto and -proto-redir options
  • new configure option --enable-threaded-resolver
  • improve TELNET ability with libcurl
  • added support for PolarSSL
  • added support for FTP wildcard matching and downloads
  • added support for RTMP
  • introducing new LDAP code for new enough OpenLDAP
  • OpenLDAP support enabled for cygwin builds
  • added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and CURLINFO_LOCAL_PORT
  • Bugfixes:
  • prevent needless reverse name lookups
  • detect GSS on ancient Linux distros
  • GnuTLS: EOF caused error when it wasn't
  • GnuTLS: SSL handshake phase is non-blocking
  • -J/--remote-header-name strips CRLF
  • MSVC makefiles now use ws2_32.lib instead of wsock32.lib
  • -O crash on windows
  • SSL handshake timeout underflow in libcurl-NSS
  • multi interface missed storing connection time
  • broken CRL support in libcurl-NSS
  • ignore response-body on redirect even if compressed
  • OpenSSL handshake state-machine for multi interface
  • TFTP timeout option sent correctly
  • TFTP block id wrap
  • curl_multi_socket_action() timeout handles inaccuracy in timers better
  • SCP/SFTP failure to respect the timeout
  • spurious SSL connection aborts with OpenSSL

New in cURL 7.19.1 (Nov 5, 2008)

  • CURLOPT_CERTINFO, CURLINFO_CERTINFO, CURLOPT_POSTREDIR, CURLOPT_USERNAME, CURLOPT_PASSWORD, CURLOPT_PROXYUSERNAME, and CURLOPT_PROXYPASSWORD were added. 24 bugs were fixed.

New in cURL 7.19.0 (Sep 2, 2008)

  • Some new libcurl options, new Boolean options handling in the curl tool, and around 40 bugfixes.