- Update from version 8.16.0 to 8.17.0
- Update of rootfile
- Changelog
8.17.0
Changes:
build: drop Heimdal support
build: drop the winbuild build system
krb5: drop support for Kerberos FTP
libssh2: up the minimum requirement to 1.9.0
multi: add notifications API
progress: expand to use 6 characters per size
ssl: support Apple SecTrust configurations
tool_getparam: add --knownhosts
vssh: drop support for wolfSSH
wcurl: import v2025.11.04
write-out: make %header{} able to output *all* occurrences of a header
Bugfixes:
ares: fix leak in tracing
asyn-ares: remove wrong comment about the callback argument
asyn-ares: use the duped hostname pointer for all calls
asyn-thrdd resolver: clear timeout when done
asyn-thrdd: drop pthread_cancel
autotools: add support for libgsasl auto-detection via pkg-config
autotools: capitalize Rustls in the log output
autotools: drop detection of ancient OpenSSL libs RSAglue and rsaref
autotools: fix duplicate UNIX and BSD flags in buildinfo.txt
autotools: fix silly mistake in clang detection for buildinfo.txt
autotools: make --enable-code-coverage support llvm/clang
autotools: merge `if`s in GnuTLS/OpenSSL feature detection
aws-lc: re-enable large read-ahead with v1.61.0 again
base64: accept zero length argument to base64_encode
build: address some -Weverything warnings, update picky warnings
build: avoid overriding system open and stat symbols
build: avoid overriding system symbols for fopen functions
build: avoid overriding system symbols for socket functions
build: show llvm/clang in platform flags and buildinfo.txt
c-ares: when resolving failed, persist error
cf-h2-proxy: break loop on edge case
cf-ip-happy: mention unix domain path, not port number
cf-socket: always check Curl_cf_socket_peek() return code
cf-socket: check params and remove accept procondition
cf-socket: make set_local_ip void, and remove failf()
cf-socket: set FD_CLOEXEC on all sockets opened
cf-socket: tweak a memcpy() to read better
cf-socket: use the right byte order for ports in bindlocal
cfilter: unlink and discard
cfilters: check return code from Curl_pollset_set_out_only()
checksrc: allow disabling warnings on FIXME/TODO comments
checksrc: catch banned functions when preceded by (
checksrc: fix possible endless loop when detecting BANNEDFUNC
checksrc: fix possible endless loops in the banned function logic
checksrc: fix to handle ) predecing a banned function
checksrc: reduce directory-specific exceptions
CI.md: refresh
cmake/FindGSS: dedupe pkg-config module strings
cmake/FindGSS: drop wrong header check for GNU GSS
cmake/FindGSS: fix pkg-config fallback logic for CMake <3.16
cmake/FindGSS: simplify/de-dupe lib setup
cmake/FindGSS: whitespace/formatting
cmake: add and use local FindGnuTLS module
cmake: add CURL_CODE_COVERAGE option
cmake: build the "all" examples source list dynamically
cmake: clang detection tidy-ups
cmake: drop exclamation in comment looking like a name
cmake: fix `HAVE_GNUTLS_SRP` detection after adding local FindGnuTLS module
cmake: fix building docs when the base directory contains .3
cmake: fix Linux pre-fill `HAVE_POSIX_STRERROR_R` (when `_CURL_PREFILL=ON`)
cmake: fix Linux pre-fills for non-glibc (when `_CURL_PREFILL=ON`)
cmake: minor Heimdal flavour detection fix
cmake: pre-fill three more type sizes on Windows
cmake: say 'absolute path' in option descriptions and docs
cmake: support building some complicated examples, build them in CI
cmake: use modern alternatives for get_filename_component()
cmake: use more COMPILER_OPTIONS, LINK_OPTIONS / LINK_FLAGS
cmdline-docs: extended, clarified, refreshed
cmdline-opts/_PROGRESS.md: explain the suffixes
configure: add "-mt" for pthread support on HP-UX
conn: fix hostname move on connection reuse
conncache: prevent integer overflow in maxconnects calculation
connect: for CONNECT_ONLY, CURLOPT_TIMEOUT does not apply
connect: remove redundant condition in shutdown start
cookie: avoid saving a cookie file if no transfer was done
cookie: only count accepted cookies in Curl_cookie_add
cookie: remove the temporary file on (all) errors
cpool: make bundle->dest an array; fix UB
curl.h: remove incorrect comment about CURLOPT_PINNEDPUBLICKEY
curl_easy_getinfo: error code on NULL arg
curl_easy_setopt.md: add missing CURLOPT_POSTFIELDS
curl_mem_undef.h: limit to CURLDEBUG for non-memalloc overrides
curl_ngtcp2: fix `-Wunreachable-code` with H3 !verbose !unity clang
curl_osslq: error out properly if BIO_ADDR_rawmake() fails
curl_path: make sure just whitespace is illegal
Curl_resolv: fix comment. 'entry' argument is not optional
curl_slist_append.md: clarify that a NULL pointer is not acceptable
curl_threads: delete WinCE fallback branch
CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well
CURLOPT_COOKIEFILE.md: clarify when the cookies are loaded
CURLOPT_COPYPOSTFIELDS.md: used with MQTT and RTSP as well
CURLOPT_HEADER/WRITEFUNCTION.md: drop '* size' since size is always 1
CURLOPT_MAXLIFETIME_CONN: make default 24 hours
CURLOPT_POSTFIELDSIZE*: these also work for MQTT and RTSP
CURLOPT_SERVER_RESPONSE_TIMEOUT*: add default and see-also
CURLOPT_SSL_VERIFYHOST.md: add see-also to two other VERIFYHOST options
CURLOPT_TIMECONDITION.md: works for FILE and FTP as well
cw-out: fix EAGAIN handling on pause
cw-out: unify the error handling pattern in cw_out_do_write
digest_sspi: fix two memory leaks in error branches
dist: do not distribute CI.md
docs/cmdline-opts: drop double quotes from GLOBBING and URL examples
docs/libcurl: clarify some timeout option behavior
docs/libcurl: remove ancient version references
docs/libcurl: use lowercase must
docs: expand on quoting rules for file names in SFTP quote
docs: fix/tidy code fences
doh: cleanup resources on error paths
doswin: CloseHandle the thread on shutdown
easy_getinfo: check magic, Curl_close safety
ECH.md: make OpenSSL branch clone instructions work
examples/chkspeed: portable printing when outputting curl_off_t values
examples/http2-serverpush: fix file handle leaks
examples/sessioninfo: cast printf string mask length to int
examples/sessioninfo: do not disable security
examples/synctime: fix null termination assumptions
examples/synctime: make the sscanf not overflow the local buffer
examples/usercertinmem: avoid stripping const
examples/websocket: fix use of uninitialized rlen
examples: call curl_global_cleanup() where missing
examples: check more errors, fix cleanups, scope variables
examples: drop unused curl/mprintf.h includes
examples: fix build issues in 'complicated' examples
examples: fix more potential resource leaks, and more
examples: fix two build issues surfaced with WinCE
examples: fix two issues found by CodeQL
examples: fix two more cases of stat() TOCTOU
examples: improve global init, error checks and returning errors
examples: replace casts with `curl_off_t` printf masks
examples: return curl_easy_perform() results
firefox-db2pem.sh: add macOS support, tidy-ups
form.md: drop reference to MANUAL
ftp: add extra buffer length check
ftp: check errors on remote ip for data connection
ftp: fix ftp_do_more returning with *completep unset
ftp: fix port number range loop for PORT commands
ftp: fix the 213 scanner memchr buffer limit argument
ftp: improve fragile check for first digit > 3
ftp: reduce size of some struct fields
ftp: remove 'newhost' and 'newport' from the ftp_conn struct
ftp: remove misleading comments
ftp: remove the retr_size_saved struct field
ftp: remove the state_saved struct field
ftp: replace strstr() in ;type= handling
ftp: simplify the 150/126 size scanner
gnutls: check conversion of peer cert chain
gnutls: fix re-handshake comments
gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
gtls: avoid potential use of uninitialized variable in trace output
gtls: check the return value of gnutls_pubkey_init()
header.md: see-also --proxy-header and vice versa
hmac: free memory properly on errors
hostip: don't store negative resolves due unrelated errors
hostip: fix infof() output for non-ipv6 builds using IPv6 address
hostip: remove leftover INT_MAX check in Curl_dnscache_prune
http2: check push header names by length first
http2: cleanup pushed newhandle on fail
http2: ingress handling edge cases
HTTP3: clarify the status for "old" OpenSSL, not current
http: check the return value of strdup
http: fix `-Wunreachable-code` in !websockets !unity builds
http: fix `-Wunused-variable` in !alt-svc !proxy !ws builds
http: handle user-defined connection headers
http: look for trailing 'type=' in ftp:// without strstr
http: make Content-Length parser more WHATWG
http: only accept ';' as a separator for custom headers
http: return error for a second Location: header
http_aws_sigv4: check the return value of curl_maprintf()
http_proxy: fix adding custom proxy headers
httpsrr: free old pointers when storing new
httpsrr: send HTTPS query to the right target
imap: fix custom FETCH commands to handle literal responses
imap: parse and use UIDVALIDITY as a number
imap: treat capabilities case insensitively
INSTALL-CMAKE.md: add manual configuration examples
INSTALL-CMAKE.md: document useful build targets
INSTALL-CMAKE.md: fix descriptions for LDAP dependency options
INSTALL: update the list of known operating systems
INTERNALS: drop Winsock 2.2 from the dependency list
ip-happy: do not set unnecessary timeout
ip-happy: prevent event-based stall on retry
kerberos: bump minimum to 1.3 (2003-07-08), drop legacy logic
kerberos: drop logic for MIT Kerberos <1.2.3 (pre-2002) versions
kerberos: stop including gssapi/gssapi_generic.h
krb5: fix output_token allocators in the GSS debug stub (Windows)
krb5: return appropriate error on send failures
krb5_gssapi: fix memory leak on error path
krb5_sspi: the chlg argument is NOT optional
ldap: avoid null ptr deref on failure
ldap: do not base64 encode zero length string
ldap: do not pass a \n to failf()
ldap: tidy-up types, fix error code confusion
lib1514: fix return code mixup
lib: delete unused crypto header includes
lib: drop unused include and duplicate guards
lib: fix build error with verbose strings disabled
lib: remove newlines from failf() calls
lib: remove personal names from comments
lib: SSL connection reuse
lib: stop NULL-checking conn->passwd and ->user
lib: upgrade/multiplex handling
libcurl-multi.md: added curl_multi_get_offt mention
libcurl-security.md: mention long-running connections
libssh/libssh2: reject quote command lines with too much data
libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume
libssh2/sftp: fix resume corruption by avoiding O_APPEND with rresume
libssh2/sftp_realpath: change state consistently
libssh2: avoid risking using an uninitialized local struct field
libssh2: bail out on chgrp and chown number parsing errors
libssh2: clarify that sshp->path is always at least one byte
libssh2: drop two redundant null-terminations
libssh2: error check and null-terminate in ssh_state_sftp_readdir_link()
libssh2: fix EAGAIN return in ssh_state_auth_agent
libssh2: fix return code for EAGAIN
libssh2: use sockindex consistently
libssh: acknowledge SSH_AGAIN in the SFTP state machine
libssh: catch a resume point larger than the size
libssh: clarify myssh_block2waitfor
libssh: drop two unused assignments
libssh: error on bad chgrp number
libssh: error on bad chown number and store the value
libssh: fix range parsing error handling mistake
libssh: make atime and mtime cap the timestamp instead of wrap
libssh: react on errors from ssh_scp_read
libssh: return out of memory correctly if aprintf fails
libssh: return the proper error for readdir problems
Makefile.example: bump default example from FTP to HTTPS
Makefile.example: fix option order
Makefile.example: make default options more likely to work
Makefile.example: simplify and make it configurable
managen: ignore version mentions < 7.66.0
managen: render better manpage references/links
managen: strict protocol check
managen: verify the options used in example lines
mbedtls: add support for 4.0.0
mbedtls: check result of setting ALPN
mbedtls: fix building with <3.6.1
mbedtls: fix building with sha-256 missing from PSA
mbedtls: handle WANT_WRITE from mbedtls_ssl_read()
md4: drop mbedtls implementation (not available in mbedtls v3+)
mdlinkcheck: reject URLs containing quotes
memdup0: handle edge case
mime: fix unpausing of readers
mime: fix use of fseek()
multi.h: add CURLMINFO_LASTENTRY
multi: check the return value of strdup()
multi_ev: remove unnecessary data check that confuses analysers
netrc: when the cached file is discarded, unmark it as loaded
nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
ngtcp2: add a comment explaining write result handling
ngtcp2: adopt ngtcp2_conn_get_stream_user_data if available
ngtcp2: check error code on connect failure
ngtcp2: close just-opened QUIC stream when submit_request fails
ngtcp2: compare idle timeout in ms to avoid overflow
ngtcp2: fix early return
ngtcp2: fix handling of blocked stream data
ngtcp2: fix returns when TLS verify failed
ngtcp2: overwrite rate-limits defaults
noproxy: fix the IPV6 network mask pattern match
NTLM: disable if DES support missing from OpenSSL or mbedTLS
ntlm: improved error path on bad incoming NTLM TYPE3 message
openldap/ldap; check for binary attribute case insensitively
openldap: avoid indexing the result at -1 for blank responses
openldap: check ber_sockbuf_add_io() return code
openldap: check ldap_get_option() return codes
openldap: do not pass newline to infof()
openldap: fix memory-leak in error path
openldap: fix memory-leak on oldap_do's exit path
openldap: limit max incoming size
openssl-quic: check results better
openssl-quic: handle error in SSL_get_stream_read_error_code
openssl-quic: ignore unexpected streams opened by server
openssl: better return code checks when logging cert data
openssl: call SSL_get_error() with proper error
openssl: check CURL_SSLVERSION_MAX_DEFAULT properly
openssl: clear retry flag on x509 error
openssl: combine all the x509-store flags
openssl: fail if more than MAX_ALLOWED_CERT_AMOUNT certs
openssl: fail the transfer if ossl_certchain() fails
openssl: fix build for v1.0.2
openssl: fix peer certificate leak in channel binding
openssl: fix resource leak in provider error path
openssl: fix unable do typo in failf() calls
openssl: free UI_METHOD on exit path
openssl: make the asn1_object_dump name null terminated
openssl: only try engine/provider if a cert file/name is provided
openssl: set io_need always
openssl: skip session resumption when verifystatus is set
os400: document threads handling in code.
OS400: fix a use-after-free/double-free case
osslq: set idle timeout to 0
pingpong: remove two old leftover debug infof() calls
pop3: check for CAPA responses case insensitively
pop3: fix CAPA response termination detection
pop3: function could get the ->transfer field wrong
pytest: skip specific tests for no-verbose builds
quic: fix min TLS version handling
quic: ignore EMSGSIZE on receive
quic: improve UDP GRO receives
quic: remove data_idle handling
quiche: fix possible leaks on teardown
quiche: fix verbose message when ip quadruple cannot be obtained.
quiche: handle tls fail correctly
quiche: when ingress processing fails, return that error code
rtsp: use explicit postfieldsize if specified
runtests: tag tests that require curl verbose strings
rustls: exit on error
rustls: fix clang-tidy warning
rustls: fix comment describing cr_recv()
rustls: limit snprintf proper in cr_keylog_log_cb()
rustls: make read_file_into not reject good files
rustls: pass the correct result to rustls_failf
rustls: typecast variable for safer trace output
rustls: use %zu for size_t in failf() format string
sasl: clear canceled mechanism instead of toggling it
schannel: assign result before using it
schannel: fix memory leak
schannel: handle Curl_conn_cf_send() errors better
schannel: lower the maximum allowed time to block to 7 seconds
schannel: properly close the certfile on error
schannel_verify: do not call infof with an appended \n
schannel_verify: fix mem-leak in Curl_verify_host
schannel_verify: use more human friendly error messages
scp/sftp: fix disconnect
scripts: pass -- before passing xargs
setopt: accept *_SSL_VERIFYHOST set to 2L
setopt: allow CURLOPT_DNS_CACHE_TIMEOUT set to -1
setopt: fix unused variable warning in minimal build
setopt: make CURLOPT_MAXREDIRS accept -1 (again)
singleuse.pl: fix string warning
smb: adjust buffer size checks
smb: transfer debugassert to real check
smtp: check EHLO responses case insensitively
smtp: fix EOB handling
smtp: return value ignored
socks: advance iobuf instead of reset
socks: avoid UAF risk in error path
socks: deny server basic-auth if not configured
socks: handle error in verbose trace gracefully
socks: handle premature close
socks: make Curl_blockread_all return CURLcode
socks: properly maintain the status of 'done'
socks: rewwork, cleaning up socks state handling
socks_gssapi: also reset buffer length after free
socks_gssapi: make the gss_context a local variable
socks_gssapi: reject too long tokens
socks_gssapi: remove superfluous releases of the gss_recv_token
socks_gssapi: remove the forced "no protection"
socks_gssapi: replace `gss_release_buffer()` with curl free
socks_sspi: bail out on too long fields
socks_sspi: fix memory cleanup calls
socks_sspi: remove the enforced mode clearing
socks_sspi: restore non-blocking socket on error paths
socks_sspi: use the correct free function
socksd: remove --bindonly mention, there is no such option
spelling: fix new finds by typos-cli 1.39.0
src/var: remove dead code
ssl-session-cache: check use on config and availability
ssl-sessions.md: mark option experimental
strerror: drop workaround for SalfordC win32 header bug
sws: fix checking sscanf() return value
sws: pass in socket reference to allow function to close it
tcp-nodelay.md: expand the documentation
telnet: ignore empty suboptions
telnet: make bad_option() consider NULL a bad option too
telnet: make printsub require another byte input
telnet: print DISPlay LOCation in printsub without mutating buffer
telnet: refuse IAC codes in content
telnet: return error if WSAEventSelect fails
telnet: return error on crazy TTYPE or XDISPLOC lengths
telnet: send failure logged but not returned
telnet: use pointer[0] for "unknown" option instead of pointer[i]
test1100: fix missing `<protocol>` section
tests/libtest/cli*: fix init/deinit, leaks, and more
tests/server: drop pointless memory allocation overrides
tests/server: drop unsafe open() override in signal handler (Windows)
tftp: check and act on tftp_set_timeouts() returning error
tftp: check for trailing ";mode=" in URL without strstr
tftp: default timeout per block is now 15 seconds
tftp: error requests for blank filenames
tftp: handle tftp_multi_statemach() return code
tftp: pin the first used address
tftp: propagate expired timer from tftp_state_timeout()
tftp: return error if it hits an illegal state
tftp: return error when sendto() fails
thread: errno on thread creation
tidy-up: assortment of small fixes
tidy-up: avoid using the reserved macro namespace
tidy-up: fcntl.h includes
tidy-up: update MS links, allow long URLs via checksrc
tidy-up: URLs
time-cond.md: refer to the singular curl_getdate man page
TLS: IP address verification, extend test
TODO: fix a typo
TODO: remove already implemented or bad items
tool: fix exponential retry delay
tool_cb_hdr: fix fwrite check in header callback
tool_cb_hdr: size is always 1
tool_cb_rea: use poll instead of select if available
tool_cfgable: remove superfluous free calls
tool_doswin: fix to use curl socket functions
tool_filetime: cap crazy file times instead of erroring
tool_filetime: replace cast with the fitting printf mask (Windows)
tool_formparse: rewrite the headers file parser
tool_getparam/set_rate: skip the multiplication on overflow
tool_getparam: always disable "lib-ids" for tracing
tool_getparam: make --fail and --fail-with-body override each other
tool_getparam: warn if provided header looks malformed
tool_ipfs: check the return value of curl_url_get for gwpath
tool_ipfs: simplify the ipfs gateway logic
tool_msgs: make errorf() show if --show-error
tool_operate: improve wording in retry message
tool_operate: keep failed partial download for retry auto-resume
tool_operate: keep the progress meter for --out-null
tool_operate: move the checks that skip ca cert detection
tool_operate: retry on HTTP response codes 522 and 524
tool_operate: return error on strdup() failure
tool_paramhlp: remove outdated comment in str2tls_max()
tool_parsecfg: detect and error on recursive --config use
tool_progress: handle possible integer overflows
tool_progress: make max5data() use an algorithm
transfer: avoid busy loop with tiny speed limit
transfer: fix retry for empty downloads on reuse
transfer: reset retry count on each request
unit1323: sync time types and printf masks, drop casts
unit1664: drop casts, expand masks to full values
url: make Curl_init_userdefined return void
urldata: FILE is not a list-only protocol
urldata: make 'retrycount' a single byte
urldata: make redirect counter 16 bit
vauth/digest: improve the digest parser
version: add GSS backend name and version
vquic: fix idle-timeout checks (ms<-->ns), 64-bit log & honor 0=no-timeout
vquic: fix recvmsg loop for max_pkts
vquic: handling of io improvements
vquic: sending non-gso packets fix for EAGAIN
vtls: alpn setting, check proto parameter
vtls: check final cfilter node in find_ssl_filter
vtls: drop duplicate `CURL_SHA256_DIGEST_LENGTH` definition
vtls: properly handle SSL shutdown timeout
vtls: remove call to PKCS12_PBE_add()
vtls: unify the error handling in ssl_cf_connect().
vtls_int.h: clarify data_pending
vtls_scache: fix race condition
wcurl: sync to +dev snapshot
windows: replace _beginthreadex() with CreateThread()
windows: stop passing unused, optional argument for Win9x compatibility
windows: use consistent format when showing error codes
windows: use native error code types more
wolfssl: check BIO read parameters
wolfssl: clear variable to avoid uninitialized use
wolfssl: fix error check in shutdown
wolfssl: fix resource leak in verify_pinned error paths
wolfssl: no double get_error() detail
ws: clarify an error message
ws: fix some edge cases
ws: fix type conversion check
ws: reject curl_ws_recv called with NULL buffer with a buflen
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / commitdiff
