Update curl from 7.66.0 to 7.67.0

[patrikjuvonen]

Summary

• Contains bug fixes
• 7.67.0: curl-users mailing list archive, maintainer's blog post, changelog

Tests

• fetchRemote
  • Download test script (v1.0.1): test_fetchRemote.zip
    • Preferable not to run client and server simultaneously
  • URL for unauthenticated requests: http://ptsv2.com/t/mtasa-test-fetchRemote
  • URL for authenticated requests: http://ptsv2.com/t/mtasa-test-fetchRemote-auth
• callRemote
  • Download test script (v1.0.2): test_callRemote.zip
  • URL for unauthenticated requests: http://ptsv2.com/t/mtasa-test-callRemote
  • URL for authenticated requests: http://ptsv2.com/t/mtasa-test-callRemote-auth
• Please flush all your requests from ptsv2.com after testing!

Validation

To help validate the integrity of the update I have created the following bash script that diffs between my PR branch and the official package provided from the curl website.

#!/bin/bash

CURL_UPDATE_VERSION=7.67.0
CURL_PATH_NAME=curl-$CURL_UPDATE_VERSION

GIT_REPO_BRANCH=vendor/curl-$CURL_UPDATE_VERSION
GIT_REPO_URL=git@github.com:patrikjuvonen/mtasa-blue.git
GIT_DEST_DIR=mtasa-blue
GIT_REPO_CURL_PATH=$GIT_DEST_DIR/vendor/curl/

echo 1. Download and extract $CURL_PATH_NAME...
curl https://curl.haxx.se/download/$CURL_PATH_NAME.tar.xz | tar -xJ

echo 2. Clone the vendor update branch $GIT_REPO_BRANCH from $GIT_REPO_URL into $GIT_DEST_DIR...
git clone --depth 1 -b $GIT_REPO_BRANCH $GIT_REPO_URL $GIT_DEST_DIR

echo 3. Start checking integrity...
diff -r $GIT_REPO_CURL_PATH $CURL_PATH_NAME

echo 4. Completed.

Past curl updates in MTA

Date	From	To	Link
September 2019	7.65.3	7.66.0 (current)	#1099
July 2019	7.65.1	7.65.3	#1027
July 2019	7.64.1	7.65.1	#1018
April 2019	7.64.0	7.64.1	#898
February 2019	7.63.0	7.64.0	#819
January 2019	7.61.1	7.63.0	#744
September 2018	7.61.0	7.61.1	#428
August 2018	7.59.0	7.61.0	#271
March 2018	7.54.0	7.59.0	b99e343
June 2017	7.32.0	7.54.0	c15d999
August 2013	7.19.4	7.32.0	aaf3e21

Copy of curl changelogs

Fixed in 7.67.0 - November 6 2019

Changes:

curl: added --no-progress-meter
setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
urlapi: CURLU_NO_AUTHORITY allows empty authority/host part

Bugfixes:

BINDINGS: five new bindings addded
CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
CURLOPT_TIMEOUT.3: remove the mention of "minutes"
ESNI: initial build/setup support
FTP: FTPFILE_NOCWD: avoid redundant CWDs
FTP: allow "rubbish" prepended to the SIZE response
FTP: remove trailing slash from path for LIST/MLSD
FTP: skip CWD to entry dir when target is absolute
FTP: url-decode path before evaluation
HTTP3.md: move -p for mkdir, remove -j for make
HTTP3: fix invalid use of sendto for connected UDP socket
HTTP3: fix ngtcp2 Windows build
HTTP3: fix prefix parameter for ngtcp2 build
HTTP3: fix typo somehere1 > somewhere1
HTTP3: show an --alt-svc using example too
INSTALL: add missing space for configure commands
INSTALL: add vcpkg installation instructions
README: minor grammar fix
altsvc: accept quoted ma and persist values
altsvc: both backends run h3-23 now
appveyor: Add MSVC ARM64 build
appveyor: Use two parallel compilation on appveyor with CMake
appveyor: add --disable-proxy autotools build
appveyor: add 32-bit MinGW-w64 build
appveyor: add a winbuild
appveyor: add a winbuild that uses VS2017
appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017
appveyor: publish artifacts on appveyor
appveyor: upgrade VS2017 to VS2019
asyn-thread: make use of Curl_socketpair() where available
asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
checksrc: fix uninitialized variable warning
chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
cirrus: Increase the git clone depth
cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
cirrus: switch off blackhole status on the freebsd CI machines
cleanups: 21 various PVS-Studio warnings
configure: only say ipv6 enabled when the variable is set
configure: remove all cyassl references
conn-reuse: requests wanting NTLM can reuse non-NTLM connections
connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
connect: silence sign-compare warning
cookie: avoid harmless use after free
cookie: pass in the correct cookie amount to qsort()
cookies: change argument type for Curl_flush_cookies
cookies: using a share with cookies shouldn't enable the cookie engine
copyrights: update copyright notices to 2019
curl: create easy handles on-demand and not ahead of time
curl: ensure HTTP 429 triggers --retry
curl: exit the create_transfers loop on errors
curl: fix memory leaked by parse_metalink()
curl: load large files with -d @ much faster
docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
docs: added multi-event.c example
docs: disambiguate CURLUPART_HOST is for host name (ie no port)
docs: note on failed handles not being counted by curl_multi_perform
doh: allow only http and https in debug mode
doh: avoid truncating DNS QTYPE to lower octet
doh: clean up dangling DOH memory on easy close
doh: fix (harmless) buffer overrun
doh: fix undefined behaviour and open up for gcc and clang optimization
doh: return early if there is no time left
examples/sslbackend: fix -Wchar-subscripts warning
examples: remove the "this exact code has not been verified"
git: add tests/server/disabled to .gitignore
gnutls: make gnutls_bye() not wait for response on shutdown
http2: expire a timeout at end of stream
http2: prevent dup'ed handles to send dummy PRIORITY frames
http2: relax verification of :authority in push promise requests
http2_recv: a closed stream trumps pause state
http: lowercase headernames for HTTP/2 and HTTP/3
ldap: Stop using wide char version of ldapp_err2string
ldap: fix OOM error on missing query string
mbedtls: add error message for cert validity starting in the future
mime: when disabled, avoid C99 macro
ngtcp2: adapt to API change
ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
ngtcp2: remove fprintf() calls
openssl: close_notify on the FTP data connection doesn't mean closure
openssl: fix compiler warning with LibreSSL
openssl: use strerror on SSL_ERROR_SYSCALL
os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
parsedate: fix date parsing disabled builds
quiche: don't close connection at end of stream
quiche: persist connection details (fixes -I with --http3)
quiche: set 'drain' when returning without having drained the queues
quiche: update HTTP/3 config creation to new API
redirect: handle redirects to absolute URLs containing spaces
runtests: get textaware info from curl instead of perl
schannel: reverse the order of certinfo insertions
schannel_verify: Fix concurrent openings of CA file
security: silence conversion warning
setopt: handle ALTSVC set to NULL
setopt: make it easier to add new enum values
setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
smb: check for full size message before reading message details
smbserver: fix Python 3 compatibility
socks: Fix destination host shown on SOCKS5 error
test1162: disable MSYS2's POSIX path conversion
test1591: fix spelling of http feature
tests: add `connect to non-listen` keywords
tests: fix narrowing conversion warnings
tests: fix the test 3001 cert failures
tests: makes tests succeed when using --disable-proxy
tests: use %FILE_PWD for file:// URLs
tests: use port 2 instead of 60000 for a safer non-listening port
tool_operate: Fix retry sleep time shown to user when Retry-After
travis: Add an ARM64 build
url: Curl_free_request_state() should also free doh handles
url: don't set appconnect time for non-ssl/non-ssh connections
url: fix the NULL hostname compiler warning
url: normalize CURLINFO_EFFECTIVE_URL
url: only reuse TLS connections with matching pinning
urlapi: avoid index underflow for short ipv6 hostnames
urlapi: fix URL encoding when setting a full URL
urlapi: fix unused variable warning
urlapi: question mark within fragment is still fragment
urldata: use 'bool' for the bit type on MSVC compilers
vtls: Fix comment typo about macosx-version-min compiler flag
vtls: fix narrowing conversion warnings
winbuild/MakefileBuild.vc: Add vssh
winbuild/MakefileBuild.vc: Fix line endings
winbuild: Add manifest to curl.exe for proper OS version detection
winbuild: add ENABLE_UNICODE option

[Woovie]

There's a bug with this version of cURL.

curl/curl#4624

I'd say we should wait.

[patrikjuvonen]

There's a bug with this version of cURL.

curl/curl#4624

I'd say we should wait.

Good catch! They have released a fix 4 hours ago, which we could cherry-pick for this update curl/curl@78cef06

[qaisjp]

which we could cherry-pick for this update curl/curl@78cef06

Is this update to 7.67.0 urgent / strictly necessary? I'd suggest just waiting for the next release.

[patrikjuvonen]

which we could cherry-pick for this update curl/curl@78cef06

Is this update to 7.67.0 urgent / strictly necessary? I'd suggest just waiting for the next release.

Hard to say, there are various miscellaneous bug fixes that improve the stability of curl.
I don't mind waiting until we get a CVE related release. Just that 7.67.0 seems stable, despite that single issue.

[qaisjp]

Verified. Whether or not to wait is up to you!