curl/RELEASE-NOTES

Curl and libcurl 7.55.0

 Public curl releases:         167
 Command line options:         210
 curl_easy_setopt() options:   247
 Public functions in libcurl:  61
 Contributors:                 1571

This release includes the following changes:

 o curl: allow --header and --proxy-header read from file [7]
 o getinfo: provide sizes as curl_off_t [6]
 o curl: prevent binary output spewed to terminal [16]
 o curl: added --request-target [22]
 o libcurl: added CURLOPT_REQUEST_TARGET [22]
 o curl: added --socks5-{basic,gssapi}: control socks5 auth [30]
 o libcurl: added CURLOPT_SOCKS5_AUTH [30]

This release includes the following bugfixes:

 o glob: do not parse after a strtoul() overflow range (CVE-2017-1000101) [85]
 o tftp: reject file name lengths that don't fit (CVE-2017-1000100) [84]
 o file: output the correct buffer to the user (CVE-2017-1000099) [83]
 o includes: remove curl/curlbuild.h and curl/curlrules.h [1]
 o dist: make the hugehelp.c not get regenerated unnecessarily [2]
 o timers: store internal time stamps as time_t instead of doubles [3]
 o progress: let "current speed" be UL + DL speeds combined [4]
 o http-proxy: do the HTTP CONNECT process entirely non-blocking [5]
 o lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV [8]
 o fuzz: bring oss-fuzz initial code converted to C89 [10]
 o configure: disable nghttp2 too if HTTP has been disabled
 o mk-ca-bundle.pl: Check curl's exit code after certdata download [11]
 o test1148: verify the -# progressbar [12]
 o tests: stabilize test 2032 and 2033 [13]
 o HTTPS-Proxy: don't offer h2 for https proxy connections [14]
 o http-proxy: only attempt FTP over HTTP proxy [9]
 o curl-compilers.m4: enable vla warning for clang [15]
 o curl-compilers.m4: enable double-promotion warning [15]
 o curl-compilers.m4: enable missing-variable-declarations clang warning [15]
 o curl-compilers.m4: enable comma clang warning [15]
 o Makefile.m32: enable -W for MinGW32 build [15]
 o CURLOPT_PREQUOTE: not supported for SFTP [17]
 o http2: fix OOM crash
 o PIPELINING_SERVER_BL: cleanup the internal list use [18]
 o mkhelp.pl: fix script name in usage text
 o lib1521: add curl_easy_getinfo calls to the test set
 o travis: do the distcheck test build out-of-tree as well
 o if2ip: fix compiler warning in ISO C90 mode
 o lib: fix the djgpp build [19]
 o typecheck-gcc: add support for CURLINFO_OFF_T [20]
 o travis: enable typecheck-gcc warnings [21]
 o maketgz: switch to xz instead of lzma [23]
 o CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
 o curl-compilers.m4: fix unknown-warning-option on Apple clang [24]
 o winbuild: fix boringssl build [25]
 o curl/system.h: add check for XTENSA for 32bit gcc [26]
 o test1537: fixed memory leak on OOM
 o test1521: fix compiler warnings [27]
 o curl: fix memory leak on test 1147 OOM [28]
 o libtest/make: generate lib1521.c dynamically at build-time [29]
 o curl_strequal.3: fix typo in SYNOPSIS [31]
 o progress: prevent resetting t_starttransfer [32]
 o openssl: improve fallback seed of PRNG with a time based hash [33]
 o http2: improved PING frame handling [34]
 o test1450: add simple testing for DICT [35]
 o make: build the docs subdir only from within src [36]
 o cmake: Added compatibility options for older Windows versions [37]
 o gtls: fix build when sizeof(long) < sizeof(void *) [38]
 o url: make the original string get used on subsequent transfers [39]
 o timeval.c: Use long long constant type for timeval assignment [40]
 o tool_sleep: typecast to avoid macos compiler warning
 o travis.yml: use --enable-werror on debug builds [41]
 o test1451: add SMB support to the testbed [42]
 o configure: remove checks for 5 functions never used [43]
 o configure: try ldap/lber in reversed order first [44]
 o smb: fix build for djgpp/MSDOS [45]
 o travis: install nghttp2 on linux builds [46]
 o smb: add support for CURLOPT_FILETIME [47]
 o cmake: fix send/recv argument scanner for windows [48]
 o inet_pton: fix include on windows to get prototype [49]
 o select.h: avoid macro redefinition harder
 o cmake: if inet_pton is used, bump _WIN32_WINNT
 o asyn-thread.c: fix unused variable warnings on macOS
 o runtests: support "threaded-resolver" as a feature
 o test506: skip if threaded-resolver
 o cmake: remove spurious "-l" from linker flags [50]
 o cmake: add CURL_WERROR for enabling "warning as errors"
 o memdebug: don't setbuf() if the file open failed [51]
 o curl_easy_escape.3: mention the (lack of) encoding [52]
 o test1452: add telnet negotiation [53]
 o CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
 o cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC [54]
 o tests/valgrind.supp: supress OpenSSL false positive seen on travis [55]
 o curl_setup_once: Remove ERRNO/SET_ERRNO macros [56]
 o curl-compilers.m4: disable warning spam with Cygwin's clang [57]
 o ldap: fix MinGW compiler warning [58]
 o make: fix docs build on OpenBSD [59]
 o curl_setup: always define WIN32_LEAN_AND_MEAN on Windows [60]
 o system.h: include winsock2.h before windows.h
 o winbuild: build with warning level 4 [61]
 o rtspd: fix MSVC level 4 warning
 o sockfilt: suppress conversion warning with explicit cast
 o libtest: fix MSVC warning C4706
 o darwinssl: fix pinnedpubkey build error [62]
 o tests/server/resolve.c: fix deprecation warning [63]
 o nss: fix a possible use-after-free in SelectClientCert() [64]
 o checksrc: escape open brace in regex
 o multi: mention integer overflow risk if using > 500 million sockets [65]
 o darwinssl: fix --tlsv1.2 regression [66]
 o timeval: struct curltime is a struct timeval replacement [67]
 o curl_rtmp: fix a compiler warning [68]
 o include.d: clarify that it concerns the response headers [69]
 o cmake: support make uninstall [70]
 o include.d: clarify --include is only for response headers [71]
 o libcurl: Stop using error codes defined under CURL_NO_OLDIES [72]
 o http: fix response code parser to avoid integer overflow [73]
 o configure: fix the check for IdnToUnicode [74]
 o multi: fix request timer management [75]
 o curl_threads: fix MSVC compiler warning [76]
 o travis: build on osx with openssl
 o travis: build on osx with libressl
 o CURLOPT_NETRC.3: mention the file name on windows
 o cmake: set MSVC warning level to 4 [77]
 o netrc: skip lines starting with '#' [78]
 o darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
 o BUILD.WINDOWS: mention buildconf.bat for builds off git
 o darwinssl: silence compiler warnings [79]
 o travis: build on osx with darwinssl
 o FTP: skip unnecessary CWD when in nocwd mode [80]
 o gssapi: fix memory leak of output token in multi round context [81]
 o getparameter: avoid returning uninitialized 'usedarg' [82]
 o curl (debug build) easy_events: make event data static
 o curl: detect and bail out early on parameter integer overflows [86]
 o configure: fix recv/send/select detection on Android [87]

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Brad Spencer, Brian Carpenter, Dan Fandrich, Daniel Stenberg,
  David E. Narváez, destman at github, Dmitry Kostjuchenko,
  Dwarakanath Yadavalli, Even Rouault, Evert Pot, Frederik B, Gisle Vanem,
  Hannes Magnusson, Henrik Gaßmann, Isaac Boukris, Jakub Wilk, Jeremy Tan,
  Jeroen Ooms, Jesse Chisholm, Johannes Schindelin, Kamil Dudka, Marcel Raad,
  Martin Kepplinger, Matteo B., Max Dymond, Michael Kaufmann, Neil Kolban,
  Nick Miyake, olesteban at github, ovidiu-benea on github, Pascal Terjan,
  Paul Harris, Pavel Rochnyak, Per Malmberg, Ray Satiro, Rob Sanders,
  Ryan Winograd, Sergei Nikulov, Simon Warta, Timothe Litt, Viktor Szakáts,
  (41 contributors)

        Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

 [1] = https://daniel.haxx.se/blog/2017/06/15/target-independent-libcurl-headers/
 [2] = https://curl.haxx.se/bug/?i=1565
 [3] = https://curl.haxx.se/bug/?i=1531
 [4] = https://curl.haxx.se/bug/?i=1556
 [5] = https://curl.haxx.se/bug/?i=1547
 [6] = https://curl.haxx.se/bug/?i=1511
 [7] = https://curl.haxx.se/bug/?i=1486
 [8] = https://curl.haxx.se/bug/?i=1538
 [9] = https://curl.haxx.se/bug/?i=1505
 [10] = https://curl.haxx.se/bug/?i=1476
 [11] = https://curl.haxx.se/bug/?i=1577
 [12] = https://curl.haxx.se/bug/?i=1569
 [13] = https://curl.haxx.se/bug/?i=1576
 [14] = https://curl.haxx.se/bug/?i=1546
 [15] = https://curl.haxx.se/bug/?i=1578
 [16] = https://curl.haxx.se/bug/?i=1512
 [17] = https://curl.haxx.se/bug/?i=1514
 [18] = https://curl.haxx.se/bug/?i=1584
 [19] = https://github.com/curl/curl/commit/73a2fcea0b4adea6ba342cd7ed1149782c214ae3#commitcomment-22655993
 [20] = https://curl.haxx.se/bug/?i=1592
 [21] = https://curl.haxx.se/bug/?i=1595
 [22] = https://curl.haxx.se/bug/?i=1593
 [23] = https://curl.haxx.se/bug/?i=1604
 [24] = https://curl.haxx.se/bug/?i=1606
 [25] = https://curl.haxx.se/bug/?i=1610
 [26] = https://curl.haxx.se/bug/?i=1598
 [27] = https://curl.haxx.se/bug/?i=1611
 [28] = https://github.com/curl/curl/pull/1486#issuecomment-310926872
 [29] = https://curl.haxx.se/bug/?i=1614
 [30] = https://curl.haxx.se/bug/?i=1454
 [31] = https://curl.haxx.se/bug/?i=1623
 [32] = https://curl.haxx.se/bug/?i=1616
 [33] = https://curl.haxx.se/bug/?i=1620
 [34] = https://curl.haxx.se/bug/?i=1521
 [35] = https://curl.haxx.se/bug/?i=1615
 [36] = https://curl.haxx.se/bug/?i=1591
 [37] = https://curl.haxx.se/bug/?i=1621
 [38] = https://curl.haxx.se/bug/?i=1617
 [39] = https://curl.haxx.se/bug/?i=1631
 [40] = https://curl.haxx.se/mail/lib-2017-07/0003.html
 [41] = https://curl.haxx.se/bug/?i=1637
 [42] = https://curl.haxx.se/bug/?i=1630
 [43] = https://curl.haxx.se/bug/?i=1638
 [44] = https://curl.haxx.se/bug/?i=1619
 [45] = https://curl.haxx.se/mail/lib-2017-07/0005.html
 [46] = https://curl.haxx.se/bug/?i=1642
 [47] = https://curl.haxx.se/mail/lib-2017-07/0005.html
 [48] = https://curl.haxx.se/bug/?i=1640
 [49] = https://curl.haxx.se/bug/?i=1639
 [50] = https://curl.haxx.se/bug/?i=1552
 [51] = https://github.com/curl/curl/issues/828#issuecomment-313475151
 [52] = https://curl.haxx.se/bug/?i=1612
 [53] = https://curl.haxx.se/bug/?i=1645
 [54] = https://curl.haxx.se/bug/?i=1649
 [55] = https://curl.haxx.se/bug/?i=1653
 [56] = https://curl.haxx.se/bug/?i=1589
 [57] = https://curl.haxx.se/bug/?i=1665
 [58] = https://curl.haxx.se/bug/?i=1664
 [59] = https://curl.haxx.se/bug/?i=1591
 [60] = https://curl.haxx.se/bug/?i=1672
 [61] = https://curl.haxx.se/bug/?i=1667
 [62] = https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
 [63] = https://curl.haxx.se/bug/?i=1682
 [64] = https://bugzilla.redhat.com/1436158
 [65] = https://curl.haxx.se/bug/?i=1683
 [66] = https://curl.haxx.se/bug/?i=1703
 [67] = https://curl.haxx.se/bug/?i=1693
 [68] = https://curl.haxx.se/bug/?i=1652
 [69] = https://curl.haxx.se/bug/?i=1704
 [70] = https://curl.haxx.se/bug/?i=1674
 [71] = https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
 [72] = https://curl.haxx.se/bug/?i=1688
 [73] = https://curl.haxx.se/bug/?i=1714
 [74] = https://curl.haxx.se/bug/?i=1669
 [75] = https://curl.haxx.se/mail/lib-2017-07/0033.html
 [76] = https://curl.haxx.se/bug/?i=1717
 [77] = https://curl.haxx.se/bug/?i=1711
 [78] = https://curl.haxx.se/mail/lib-2017-08/0008.html
 [79] = https://curl.haxx.se/bug/?i=1722
 [80] = https://curl.haxx.se/bug/?i=1718
 [81] = https://curl.haxx.se/bug/?i=1733
 [82] = https://curl.haxx.se/bug/?i=1728
 [83] = https://curl.haxx.se/docs/adv_20170809C.html
 [84] = https://curl.haxx.se/docs/adv_20170809B.html
 [85] = https://curl.haxx.se/docs/adv_20170809A.html
 [86] = https://curl.haxx.se/bug/?i=1730
 [87] = https://curl.haxx.se/bug/?i=1738