Test 1477 fails with 8.5.0 release tarball because it lacks curl-8.5.0/tests/errorcodes.pl #12462
Comments
|
I think |
|
We have |
|
I haven't investigated whether there's an issue specific to the Debian packaging yet, but even with the patch from da8c1d1 we get a failure: It looks like something very simple but I'll only be able to look at this on the weekend and someone might figure it out before me. |
|
If you're patching the 8.5.0 tarball, then you'll need to include errorcodes.pl
as an extra source file as well. The da8c1d1 patch only makes sure that file is
included in future tar balls; it doesn't contain the file itself.
|
I was confused by this since I had checked and the file was there... until I realized there are two files: Thank you. |
Oh, I didn't realize that. I should maybe rename one of them for better clarity... |
bagder
added a commit
that referenced
this issue
Dec 11, 2023
To be able to detect missing files better, this now runs the full CI test suite. If done before, it would have detected #12462 before release.
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 15, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 0d6acf313496d56067fcfd677795bb57ae3fa578) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 16, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 0d6acf313496d56067fcfd677795bb57ae3fa578) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 16, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 0d6acf313496d56067fcfd677795bb57ae3fa578) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 16, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 21f2aa05fabd02c9cf9c584b30e2e2b229b82e8c) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 18, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 21f2aa05fabd02c9cf9c584b30e2e2b229b82e8c) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 18, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 2abe8f64db1c1f2be4f9cb94fd8db64571d43703) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 19, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: f6668a019e6b201e2273c48737d8755ec54bd3dc) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 879b4183c4fb379d70cf1b43e7ecbd51cf91ad99) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to openembedded/openembedded-core
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 879b4183c4fb379d70cf1b43e7ecbd51cf91ad99) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 879b4183c4fb379d70cf1b43e7ecbd51cf91ad99) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 879b4183c4fb379d70cf1b43e7ecbd51cf91ad99) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 4292699db2a9bd86d2fc76e6d311bda51664f9a2) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 4292699db2a9bd86d2fc76e6d311bda51664f9a2) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 879b4183c4fb379d70cf1b43e7ecbd51cf91ad99) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 879b4183c4fb379d70cf1b43e7ecbd51cf91ad99) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 20, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 879b4183c4fb379d70cf1b43e7ecbd51cf91ad99) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
kraj
pushed a commit
to YoeDistro/poky
that referenced
this issue
Dec 21, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 4292699db2a9bd86d2fc76e6d311bda51664f9a2) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 21, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 879b4183c4fb379d70cf1b43e7ecbd51cf91ad99) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 21, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 44f4e93d25f208d0be4c53d02113b7d0ebfffa4a) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to openembedded/openembedded-core
that referenced
this issue
Dec 21, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this issue
Dec 21, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] (From OE-Core rev: 44f4e93d25f208d0be4c53d02113b7d0ebfffa4a) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Dec 22, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Dec 22, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Dec 22, 2023
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Jan 8, 2024
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Jan 10, 2024
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Jan 24, 2024
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Feb 2, 2024
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Feb 23, 2024
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Mar 9, 2024
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
armcc
pushed a commit
to lgirdk/openembedded-core
that referenced
this issue
Apr 24, 2024
update include fix for CVE-2023-46218. skip test 1477 which check that libcurl-errors.3 and the public header files have the same set of error codes. Notes: This test is not included in the source tarball. curl/curl#12462 Release Notes: curl and libcurl 8.5.0 Public curl releases: 253 Command line options: 258 curl_easy_setopt() options: 303 Public functions in libcurl: 93 Contributors: 3039 This release includes the following changes: o gnutls: support CURLSSLOPT_NATIVE_CA [31] o HTTP3: ngtcp2 builds are no longer experimental [77] This release includes the following bugfixes: o appveyor: make VS2008-built curl tool runnable [93] o asyn-thread: use pipe instead of socketpair for IPC when available [4] o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128] o autotools: avoid passing `LDFLAGS` twice to libcurl [127] o autotools: delete LCC compiler support bits [137] o autotools: fix/improve gcc and Apple clang version detection [136] o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135] o autotools: update references to deleted `crypt-auth` option [46] o BINDINGS: add V binding [54] o build: add `src/.checksrc` to source tarball [1] o build: add more picky warnings and fix them [172] o build: always revert `#pragma GCC diagnostic` after use [143] o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107] o build: delete support bits for obsolete Windows compilers [106] o build: fix 'threadsafe' feature detection for older gcc [19] o build: fix builds that disable protocols but not digest auth [174] o build: fix compiler warning with auths disabled [85] o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120] o build: picky warning updates [125] o build: require Windows XP or newer [86] o cfilter: provide call to tell connection to forget a socket [65] o checksrc.pl: support #line instructions o CI: add autotools, out-of-tree, debug build to distro check job [14] o CI: ignore test 286 on Appveyor gcc 9 build [6] o cmake: add `CURL_DISABLE_BINDLOCAL` option [146] o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138] o cmake: dedupe Windows system libs [114] o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2] o cmake: fix CURL_DISABLE_GETOPTIONS [12] o cmake: fix multiple include of CURL package [96] o cmake: fix OpenSSL quic detection in quiche builds [56] o cmake: option to disable install & drop `curlu` target when unused [72] o cmake: pre-fill rest of detection values for Windows [50] o cmake: replace `check_library_exists_concat()` [23] o cmake: speed up threads setup for Windows [68] o cmake: speed up zstd detection [69] o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123] o configure: better --disable-http [80] o configure: check for the fseeko declaration too [55] o conncache: use the closure handle when disconnecting surplus connections [173] o content_encoding: make Curl_all_content_encodings allocless [101] o cookie: lowercase the domain names before PSL checks [160] o curl.h: delete Symbian OS references [162] o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21] o curl.rc: switch out the copyright symbol for plain ASCII [167] o curl: improved IPFS and IPNS URL support [87] o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99] o Curl_http_body: cleanup properly when Curl_getformdata errors [152] o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57] o curl_sspi: support more revocation error names in error messages [95] o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181] o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165] o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113] o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45] o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO o docs/example/keepalive.c: show TCP keep-alive options [73] o docs/example/localport.c: show off CURLOPT_LOCALPORT [83] o docs/examples/interface.c: show CURLOPT_INTERFACE use [84] o docs/libcurl: fix three minor man page format mistakes [26] o docs/libcurl: SYNSOPSIS cleanup [150] o docs: add supported version for the json write-out [92] o docs: clarify that curl passes on input unfiltered [47] o docs: fix function typo in curl_easy_option_next.3 [36] o docs: KNOWN_BUGS cleanup o docs: make all examples in all libcurl man pages compile [175] o docs: preserve the modification date when copying the prebuilt man page [89] o docs: remove bold from some man page SYNOPSIS sections [90] o docs: use SOURCE_DATE_EPOCH for generated manpages [16] o doh: provide better return code for responses w/o addresses [133] o doh: use PIPEWAIT when HTTP/2 is attempted [63] o duphandle: also free 'outcurl->cookies' in error path [122] o duphandle: make dupset() not return with pointers to old alloced data [109] o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132] o easy: in duphandle, init the cookies for the new handle [131] o easy: remove duplicate wolfSSH init call [37] o easy_lock: add a pthread_mutex_t fallback [13] o examples/rtsp-options.c: add [157] o fopen: create new file using old file's mode [153] o fopen: create short(er) temporary file name [155] o getenv: PlayStation doesn't have getenv() [41] o GHA: move mod_h2 version in CI to v2.0.25 [43] o hostip: show the list of IPs when resolving is done [35] o hostip: silence compiler warning `-Wparentheses-equality` [62] o hsts: skip single-dot hostname [67] o HTTP/2, HTTP/3: handle detach of onoing transfers [134] o http2: header conversion tightening [33] o http2: provide an error callback and failf the message [53] o http2: safer invocation of populate_binsettings [8] o http: allow longer HTTP/2 request method names [112] o http: avoid Expect: 100-continue if Upgrade: is used [15] o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81] o http: fix `-Wunused-parameter` with no auth and no proxy [149] o http: fix `-Wunused-variable` compiler warning [115] o http: fix empty-body warning [76] o http_aws_sigv4: canonicalise valueless query params [88] o hyper: temporarily remove HTTP/2 support [139] o INSTALL: update list of ports and CPU archs o IPFS: fix IPFS_PATH and file parsing [119] o keylog: disable if unused [145] o lib: add and use Curl_strndup() [97] o lib: apache style infof and trace macros/functions [71] o lib: fix gcc warning in printf call [7] o libcurl-errors.3: sync with current public headers [156] o libcurl-thread.3: simplify the TLS section [79] o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103] o Makefile.mk: fix `-rtmp` option for non-Windows o mime: store "form escape" as a single bit [170] o misc: fix -Walloc-size warnings [118] o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61] o multi: during ratelimit multi_getsock should return no sockets [182] o multi: use pipe instead of socketpair to *wakeup() [18] o ngtcp2: fix races in stream handling [178] o ngtcp2: ignore errors on unknown streams [158] o ntlm_wb: use pipe instead of socketpair when possible [44] o openldap: move the alloc of ldapconninfo to *connect() [29] o openldap: set the callback argument in oldap_do [30] o openssl: avoid BN_num_bits() NULL pointer derefs [9] o openssl: fix building with v3 `no-deprecated` + add CI test [161] o openssl: fix infof() to avoid compiler warning for %s with null [70] o openssl: identify the "quictls" backend correctly [82] o openssl: include SIG and KEM algorithms in verbose [52] o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58] o openssl: two multi pointer checks should probably rather be asserts [91] o openssl: when a session-ID is reused, skip OCSP stapling [142] o page-footer: clarify exit code 25 [51] o projects: add VC14.20 project files [104] o pytest: use lower count in repeat tests [98] o quic: make eyeballers connect retries stop at weird replies [140] o quic: manage connection idle timeouts [5] o quiche: use quiche_conn_peer_transport_params() [116] o rand: fix build error with autotools + LibreSSL [111] o resolve.d: drop a multi use-sentence [100] o RTSP: improved RTP parser [32] o rustls: implement connect_blocking [154] o sasl: fix `-Wunused-function` compiler warning [124] o schannel: add CA cache support for files and memory blobs [121] o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171] o setopt: remove outdated cookie comment [64] o setopt: remove superfluous use of ternary expressions [169] o socks: better buffer size checks for socks4a user and hostname [20] o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38] o symbols-in-versions: the CLOSEPOLICY options are deprecated o test1683: remove commented-out check alternatives o test3103: add missing quotes around a test tag attribute o test613: stop showing an error on missing output file o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48] o tests/server: add more SOCKS5 handshake error checking [27] o tests: Fix Windows test helper tool search & use it for handle64 [17] o tidy-up: casing typos, delete unused Windows version aliases [144] o tool: fix --capath when proxy support is disabled [28] o tool: support bold headers in Windows [117] o tool_cb_hdr: add an additional parsing check [129] o tool_cb_prg: make the carriage return fit for wide progress bars [159] o tool_cb_wrt: fix write output for very old Windows versions [24] o tool_getparam: limit --rate to be smaller than number of ms [3] o tool_operate: do not mix memory models [108] o tool_operate: fix links in ipfs errors [22] o tool_parsecfg: make warning output propose double-quoting [164] o tool_urlglob: fix build for old gcc versions [25] o tool_urlglob: make multiply() bail out on negative values [11] o tool_writeout_json: fix JSON encoding of non-ascii bytes [179] o transfer: abort pause send when connection is marked for closing [183] o transfer: avoid calling the read callback again after EOF [130] o transfer: only reset the FTP wildcard engine in CLEAR state [42] o url: don't touch the multi handle when closing internal handles [40] o url: find scheme with a "perfect hash" [141] o url: fix `-Wzero-length-array` with no protocols [147] o url: fix builds with `CURL_DISABLE_HTTP` [148] o url: protocol handler lookup tidy-up [66] o url: proxy ssl connection reuse fix [94] o urlapi: avoid null deref if setting blank host to url encode [75] o urlapi: skip appending NULL pointer query [74] o urlapi: when URL encoding the fragment, pass in the right length [59] o urldata: make maxconnects a 32 bit value [166] o urldata: move async resolver state from easy handle to connectdata [34] o urldata: move cookielist from UserDefined to UrlState [126] o urldata: move hstslist from 'set' to 'state' [105] o urldata: move the 'internal' boolean to the state struct [39] o vssh: remove the #ifdef for Curl_ssh_init, use empty macro o vtls: cleanup SSL config management [78] o vtls: consistently use typedef names for OpenSSL structs [176] o vtls: late clone of connection ssl config [60] o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102] o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110] o windows: use built-in `_WIN32` macro to detect Windows [163] o wolfssh: remove redundant static prototypes [168] o wolfssl: add default case for wolfssl_connect_step1 switch [49] o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10] Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 44f4e93)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I did this
Download https://curl.se/download/curl-8.5.0.tar.xz, build it and run "make test".
I expected the following
All tests pass.
curl/libcurl version
curl 8.5.0
operating system
Linux From Scratch
The text was updated successfully, but these errors were encountered: