This release includes the following bugfixes:
+ o CVE-2019-5435: Integer overflows in curl_url_set [87]
+ o CVE-2019-5436: tftp: use the current blksize for recvfrom() [82]
o --config: clarify that initial : and = might need quoting [17]
o AppVeyor: enable testing for WinSSL build [23]
o CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [52]
o altsvc: Fix building with cookies disabled [38]
o auth: Rename the various authentication clean up functions [61]
o base64: build conditionally if there are users
- o build-openssl.bat: lots of improvements and polish
+ o build-openssl.bat: Fixed support for OpenSSL v1.1.0+
o build: fix "clarify calculation precedence" warnings [63]
o checksrc.bat: ignore snprintf warnings in docs/examples [67]
o cirrus: Customize the disabled tests per FreeBSD version
+ o cleanup: remove FIXME and TODO comments [81]
o cmake: avoid linking executable for some tests with cmake 3.6+ [18]
o cmake: clear CMAKE_REQUIRED_LIBRARIES after each use [19]
o cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP [46]
o configure: error out if OpenSSL wasn't detected when asked for [74]
o configure: fix default location for fish completions [13]
o cookie: Guard against possible NULL ptr deref [42]
+ o curl: make code work with protocol-disabled libcurl [78]
+ o curl: report error for "--no-" on non-boolean options [86]
o curl_easy_getinfo.3: fix minor formatting mistake
o curlver.h: use parenthesis in CURL_VERSION_BITS macro [45]
o docs/BUG-BOUNTY: bug bounty time [48]
o docs/INSTALL: fix broken link [62]
+ o docs/RELEASE-PROCEDURE: link to live iCalendar [79]
o documentation: Fix several typos [7]
o doh: acknowledge CURL_DISABLE_DOH
o doh: disable DOH for the cases it doesn't work [66]
+ o examples: remove unused variables [88]
o ftplistparser: fix LGTM alert "Empty block without comment" [14]
+ o hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS [78]
o http: Ignore HTTP/2 prior knowledge setting for HTTP proxies [54]
o http: acknowledge CURL_DISABLE_HTTP_AUTH
o http: mark bundle as not for multiuse on < HTTP/2 response [41]
o http_digest: Don't expose functions when HTTP and Crypto Auth are disabled [65]
o http_negotiate: do not treat failure of gss_init_sec_context() as fatal [53]
o http_ntlm: Corrected the name of the include guard [64]
+ o http_ntlm_wb: Handle auth for only a single request [77]
+ o http_ntlm_wb: Return the correct error on receiving an empty auth message [77]
o lib509: add missing include for strdup [22]
o lib557: initialize variables [22]
o makedebug: Fix ERRORLEVEL detection after running where.exe [58]
+ o mbedtls: enable use of EC keys [85]
o mime: acknowledge CURL_DISABLE_MIME
o multi: improved HTTP_1_1_REQUIRED handling [2]
+ o netrc: acknowledge CURL_DISABLE_NETRC [78]
o nss: allow fifos and character devices for certificates [56]
o nss: provide more specific error messages on failed init [43]
o ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup [70]
o parsedate: disabled on CURL_DISABLE_PARSEDATE
o pingpong: disable more when no pingpong protocols are enabled
o polarssl_threadlock: remove conditionally unused code [22]
+ o progress: acknowledge CURL_DISABLE_PROGRESS_METER [78]
o proxy: acknowledge DISABLE_PROXY more
o resolve: apply Happy Eyeballs philosophy to parallel c-ares queries [3]
o revert "multi: support verbose conncache closure handle" [69]
o socks: fix error message
o socksd: new SOCKS 4+5 server for tests [31]
o spnego_gssapi: fix return code on gss_init_sec_context() failure [53]
+ o ssh-libssh: remove unused variable [83]
o ssh: define USE_SSH if SSH is enabled (any backend) [57]
+ o ssh: move variable declaration to where it's used [83]
o test1002: correct the name
o test2100: Fix typos in test description
o tests/server/util: fix Windows Unicode build [21]
o tests: Run global cleanup at end of tests [29]
o tests: make Impacket (SMB server) Python 3 compatible [11]
o tool_cb_wrt: fix bad-function-cast warning [5]
+ o tool_formparse: remove redundant assignment [83]
o tool_help: Warn if curl and libcurl versions do not match [28]
o tool_help: include <strings.h> for strcasecmp [4]
o transfer: fix LGTM alert "Comparison is always true" [14]
+ o travis: add an osx http-only build [80]
o travis: allow builds on branches named "ci"
o travis: install dependencies only when needed [24]
o travis: update some builds do Xenial [30]
o travis: updated mesalink builds [35]
o url: always clone the CUROPT_CURLU handle [26]
+ o url: convert the zone id from a IPv6 URL to correct scope id [89]
o urlapi: add CURLUPART_ZONEID to set and get [59]
+ o urlapi: increase supported scheme length to 40 bytes [84]
o urlapi: require a non-zero host name length when parsing URL [73]
o urlapi: stricter CURLUPART_PORT parsing [33]
o urlapi: strip off zone id from numerical IPv6 addresses [49]
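Review bot: the added CVE-2019-5435 line at the top of the list has no component prefix, while the CVE-2019-5436 line below it and every other entry name one ("tftp:", "urlapi:", "url:"). Since the overflow is in curl_url_set, writing it as "CVE-2019-5435: urlapi: integer overflows in curl_url_set" would keep the entry findable when the notes are searched by component. Two smaller points in the same hunk: the new url entry reads "from a IPv6 URL" and should be "from an IPv6 URL", and the build-openssl.bat change replaces the earlier "lots of improvements and polish" entry instead of adding to it and carries no reference number, so confirm that dropping the old text is intended.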
Aron Bergman, Brad Spencer, cclauss on github, Dan Fandrich,
Daniel Gustafsson, Daniel Stenberg, Eli Schwartz, Even Rouault,
- Frank Gevaerts, Gisle Vanem, Isaiah Norton, Jakub Zakrzewski, Jan Ehrhardt,
- Jeroen Ooms, Jonathan Cardoso Machado, Jonathan Moerman,
- Joombalaya on github, Kamil Dudka, Kristoffer Gleditsch, l00p3r on Hackerone,
- Leonardo Taccari, Marcel Raad, Mert Yazıcıoğlu, nevv on HackerOne/curl,
- niner on github, Paolo Mossino, Patrick Monnerat, Po-Chuan Hsieh,
- Poul T Lomholt, Ray Satiro, Reed Loden, Ricardo Gomes, Ricky Leverence,
- Rikard Falkeborn, Roy Bellingan, Simon Warta, Steve Holme, Taiyu Len,
- Tim Rühsen, Tom van der Woerdt, Tseng Jun, Viktor Szakats, Wenchao Li,
- Wyatt O'Day, XmiliaH on github, Yiming Jing,
- (46 contributors)
+ Frank Gevaerts, Gisle Vanem, GitYuanQu on github, Guy Poizat, Isaiah Norton,
+ Jakub Zakrzewski, Jan Ehrhardt, Jeroen Ooms, Jonathan Cardoso Machado,
+ Jonathan Moerman, Joombalaya on github, Kamil Dudka, Kristoffer Gleditsch,
+ l00p3r on hackerone, Leonardo Taccari, Marcel Raad, Mert Yazıcıoğlu,
+ nevv on HackerOne/curl, niner on github, Olen Andoni, Omar Ramadan,
+ Paolo Mossino, Patrick Monnerat, Po-Chuan Hsieh, Poul T Lomholt, Ray Satiro,
+ Reed Loden, Ricardo Gomes, Ricky Leverence, Rikard Falkeborn, Roy Bellingan,
+ Simon Warta, Steve Holme, Taiyu Len, Tim Rühsen, Tom van der Woerdt,
+ Tseng Jun, Viktor Szakats, Wenchao Li, Wyatt O'Day, XmiliaH on github,
+ Yiming Jing,
+ (50 contributors)
Thanks! (and sorry if I forgot to mention someone)
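Review bot: the reflowed contributor list changes "l00p3r on Hackerone" to "l00p3r on hackerone" while "nevv on HackerOne/curl" keeps the capitalised form, so the two HackerOne credits are now spelled differently. Pick one spelling for both entries. The count itself checks out: the four added names (GitYuanQu on github, Guy Poizat, Olen Andoni, Omar Ramadan) account for the move from 46 to 50.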
[74] = https://curl.haxx.se/bug/?i=3824
[75] = https://curl.haxx.se/bug/?i=3711
[76] = https://curl.haxx.se/bug/?i=3863
+ [77] = https://curl.haxx.se/bug/?i=3894
+ [78] = https://curl.haxx.se/bug/?i=3844
+ [79] = https://curl.haxx.se/bug/?i=3895
+ [80] = https://curl.haxx.se/bug/?i=3887
+ [81] = https://curl.haxx.se/bug/?i=3876
+ [82] = https://curl.haxx.se/docs/CVE-2019-5436.html
+ [83] = https://curl.haxx.se/bug/?i=3873
+ [84] = https://curl.haxx.se/bug/?i=3905
+ [85] = https://curl.haxx.se/bug/?i=3892
+ [86] = https://curl.haxx.se/bug/?i=3906
+ [87] = https://curl.haxx.se/docs/CVE-2019-5435.html
+ [88] = https://curl.haxx.se/bug/?i=3908
+ [89] = https://curl.haxx.se/bug/?i=3902