* [bsc#1211230, CVE-2023-28319] use-after-free in SSH sha256
fingerprint check.
- Add curl-CVE-2023-28319.patch
* [bsc#1211231, CVE-2023-28320] siglongjmp race condition
- Add curl-CVE-2023-28320.patch
* [bsc#1211232, CVE-2023-28321] IDN wildcard matching
- Add curl-CVE-2023-28321.patch
* [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion
- Add curl-CVE-2023-28322.patch
- Update to 8.0.1: [jsc#PED-2580]
* Rebase curl-secure-getenv.patch
* Remove patches fixed in the update:
- curl-CVE-2022-22576.patch curl-CVE-2022-27776.patch
- curl-CVE-2022-27781.patch curl-CVE-2022-27782.patch
- curl-CVE-2022-32206.patch curl-CVE-2022-32208.patch
- curl-CVE-2022-32221.patch curl-CVE-2022-35252.patch
- curl-CVE-2022-43552.patch curl-CVE-2023-23916.patch
- curl-CVE-2022-27774.patch curl-CVE-2022-27774-2.patch
- curl-CVE-2022-27774-disabletest-1568.patch
- curl-CVE-2022-27775.patch curl-CVE-2022-32205.patch
- curl-CVE-2022-32207.patch curl-CVE-2022-42916.patch
- curl-CVE-2022-43551.patch curl-CVE-2023-23914-23915.patch
- curl-CVE-2023-27533.patch curl-CVE-2023-27533-no-sscanf.patch
- curl-CVE-2023-27534.patch curl-CVE-2023-27535.patch
- curl-CVE-2023-27536.patch curl-CVE-2023-27538.patch
- Update to 8.0.1:
* Bugfixes:
- fix crash in curl_easy_cleanup
- Update to 8.0.0:
* Security fixes:
- TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
- SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
- FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
- GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
- HSTS double-free [bsc#1209213, CVE-2023-27537]
- SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
* Changes:
- build: remove support for curl_off_t < 8 bytes
* Bugfixes:
- aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
- BINDINGS: add Fortran binding
- cf-socket: use port 80 when resolving name for local bind
- cookie: don't load cookies again when flushing
- curl_path: create the new path with dynbuf
- CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
- DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
- ftp: active mode with SSL, add the filter
- hostip: avoid sscanf and extra buffer copies
- http2: fix for http2-prior-knowledge when reusing connections
- http2: fix handling of RST and GOAWAY to recognize partial transfers
- http: don't send 100-continue for short PUT requests
- http: fix unix domain socket use in https connects
- libssh: use dynbuf instead of realloc
- ngtcp2-gnutls.yml: bump to gnutls 3.8.0
- sectransp: make read_cert() use a dynbuf when loading
- telnet: only accept option arguments in ascii
- telnet: parse telnet options without sscanf
- url: fix the SSH connection reuse check
- url: only reuse connections with same GSS delegation
- urlapi: '%' is illegal in host names
- ws: keep the socket non-blocking
* Rebase libcurl-ocloexec.patch
- Security fixes:
- Update to 7.88.1:
* Bugfix release
- Drop upstreamed patch:
* curl-fix-uninitialized-value-in-tests.patch
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
[bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
* Security fixes:
- CVE-2023-23914: HSTS ignored on multiple requests
- CVE-2023-23915: HSTS amnesia with --parallel
- CVE-2023-23916: HTTP multi-header compression denial of service
* Changes:
- curl.h: add CURL_HTTP_VERSION_3ONLY
- share: add sharing of HSTS cache among handles
- src: add --http3-only
- tool_operate: share HSTS between handles
- urlapi: add CURLU_PUNYCODE
- writeout: add %{certs} and %{num_certs}
* Bugfixes:
- cf-socket: keep sockaddr local in the socket filters
- cfilters:Curl_conn_get_select_socks: use the first non-connected filter
- curl.h: allow up to 10M buffer size
- curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
- curl/websockets.h: extend the websocket frame struct
- curl: output warning at --verbose output for debug-enabled version
- curl_free.3: fix return type of `curl_free`
- curl_log: for failf/infof and debug logging implementations
- dict: URL decode the entire path always
- docs/DEPRECATE.md: deprecate gskit
- easyoptions: fix header printing in generation script
- haxproxy: send before TLS handhshake
- hsts.d: explain hsts more
- hsts: handle adding the same host name again
- HTTP/[23]: continue upload when state.drain is set
- http: decode transfer encoding first
- http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
- http_proxy: do not assign data->req.p.http use local copy
- lib: connect/h2/h3 refactor
- libssh2: try sha2 algos for hostkey methods
- md4: fix build with GnuTLS + OpenSSL v1
- ngtcp2: replace removed define and stop using removed function
- noproxy: support for space-separated names is deprecated
- nss: implement data_pending method
- openldap: fix missing sasl symbols at build in specific configs
- openssl: adapt to boringssl's error code type
- openssl: don't ignore CA paths when using Windows CA store (redux)
- openssl: don't log raw record headers
- openssl: make the BIO_METHOD a local variable in the connection filter
- openssl: only use CA_BLOB if verifying peer
- openssl: remove attached easy handles from SSL instances
- openssl: store the CA after first send (ClientHello)
- setopt: use >, not >=, when checking if uarg is larger than uint-max
- smb: return error on upload without size
- socketpair: allow localhost MITM sniffers
- strdup: name it Curl_strdup
- tool_getparam: fix hiding of command line secrets
- tool_operate: fix error codes on bad URL & OOM
- tool_operate: repair --rate
- transfer: break the read loop when RECV is cleared
- typecheck: accept expressions for option/info parameters
- urlapi: avoid Curl_dyn_addf() for hex outputs
- urlapi: skip path checks if path is just "//"/
- urlapi: skip the extra dedotdot alloc if no dot in path
- urldata: cease storing TLS auth type
- urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
- urldata: make set.http200aliases conditional on HTTP being present
- urldata: move the cookefilelist to the 'set' struct
- urldata: remove unused struct fields, made more conditional
- vquic: stabilization and improvements
- vtls: fix hostname handling in filters
- vtls: manage current easy handle in nested cfilter calls
- vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
* Rebase libcurl-ocloexec.patch
* Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
- runtests: fix "/uninitialized value $port"/
- Add curl-fix-uninitialized-value-in-tests.patch
- Update to 7.87.0:
* Security fixes:
- CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
- CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
* Changes
- curl: add --url-query
- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
- lib: add CURL_WRITEFUNC_ERROR to signal write callback error
- openssl: reduce CA certificate bundle reparsing by caching
- version: add a feature names array to curl_version_info_data
* Bugfixes
- altsvc: fix rejection of negative port numbers
- aws_sigv4: consult x-%s-content-sha256 for payload hash
- aws_sigv4: fix typos in aws_sigv4.c
- base64: better alloc size
- base64: encode without using snprintf
- base64: faster base64 decoding
- build: assume assert.h is always available
- build: assume errno.h is always available
- c-hyper: CONNECT respones are not server responses
- c-hyper: fix multi-request mechanism
- CI: Change FreeBSD image from 12.3 to 12.4
- CI: LGTM.com will be shut down in December 2022
- ci: Remove zuul fuzzing job as it's superseded by CIFuzz
- cmake: check for cross-compile, not for toolchain
- CMake: fix build with `CURL_USE_GSSAPI`
- cmake: really enable warnings with clang
- cmake: set the soname on the shared library
- cmdline-opts/gen.pl: fix the linkifier
- cmdline-opts/page-footer: remove long option nroff formatting
- config-mac: define HAVE_SYS_IOCTL_H
- config-mac: fix typo: size_T -> size_t
- config-mac: remove HAVE_SYS_SELECT_H
- config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
- configure: require fork for NTLM-WB
- contributors.sh: actually use $CURLWWW instead of just setting it
- cookie: compare cookie prefixes case insensitively
- cookie: expire cookies at once when max-age is negative
- cookie: open cookie jar as a binary file
- curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
- curl-rustls.m4: on macOS, rustls also needs the Security framework
- curl.h: include <sys/select.h> on SerenityOS
- curl.h: name all public function parameters
- curl.h: reword comment to not use deprecated option
- curl: override the numeric locale and set "/C"/ by force
- curl: timeout in the read callback
- curl_endian: remove Curl_write64_le from header
- curl_get_line: allow last line without newline char
- curl_path: do not add '/' if homedir ends with one
- curl_url_get.3: remove spurious backtick
- curl_url_set.3: document CURLU_DISALLOW_USER
- curl_url_set.3: fix typo
- CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
- CURLOPT_COOKIEFILE.3: advice => advise
- CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
- CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "/raw"/
- CURLOPT_POST.3: Explain setting to 0 changes request type
- docs/curl_ws_send: Fixed typo in websocket docs
- docs/EARLY-RELEASE.md: how to determine an early release
- docs/examples: spell correction ('Retrieve')
- docs/INSTALL.md: expand on static builds
- docs/WEBSOCKET.md: explain the URL use
- docs: add missing parameters for --retry flag
- docs: add more "/SEE ALSO"/ links to CA related pages
- docs: explain the noproxy CIDR notation support
- docs: extend the dump-header documentation
- docs: remove performance note in CURLOPT_SSL_VERIFYPEER
- examples/10-at-a-time: fix possible skipped final transfers
- examples: update descriptions
- ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
- gen.pl: do not generate CURLHELP bitmask lines > 79 characters
- GHA: clarify workflows permissions, set least possible privilege
- GHA: NSS use clang instead of clang-9
- gnutls: use common gnutls init and verify code for ngtcp2
- headers: add endif comments
- HTTP-COOKIES.md: mention that http://localhost is a secure context
- HTTP-COOKIES.md: update the 6265bis link to draft-11
- http: do not send PROXY more than once
- http: fix the ::1 comparison for IPv6 localhost for cookies
- http: set 'this_is_a_follow' in the Location: logic
- http: use the IDN decoded name in HSTS checks
- hyper: classify headers as CONNECT and 1XX
- hyper: fix handling of hyper_task's when reusing the same address
- idn: remove Curl_win32_ascii_to_idn
- INSTALL: update operating systems and CPU archs
- KNOWN_BUGS: remove eight entries
- lib1560: add some basic IDN host name tests
- lib: connection filters (cfilter) addition to curl:
- lib: feature deprecation warnings in gcc >= 4.3
- lib: fix some type mismatches and remove unneeded typecasts
- lib: parse numbers with fixed known base 10
- lib: remove bad set.opt_no_body assignments
- lib: rewind BEFORE request instead of AFTER previous
- lib: sync guard for Curl_getaddrinfo_ex() definition and use
- lib: use size_t or int etc instead of longs
- libcurl-errors.3: remove duplicate word
- libssh2: return error when ssh_hostkeyfunc returns error
- limit-rate.d: see also --rate
- log2changes.pl: wrap long lines at 80 columns
- Makefile.mk: address minor issues
- Makefile.mk: improve a GNU Make hack
- Makefile.mk: portable Makefile.m32
- maketgz: set the right version in lib/libcurl.plist
- mime: relax easy/mime structures binding
- misc: Fix incorrect spelling
- misc: remove duplicated include files
- misc: typo and grammar fixes
- negtelnetserver.py: have it call its close() method
- netrc.d: provide mutext info
- netware: remove leftover traces
- noproxy: also match with adjacent comma
- noproxy: guard against empty hostnames in noproxy check
- noproxy: tailmatch like in 7.85.0 and earlier
- nroff-scan.pl: detect double highlights
- ntlm: improve comment for encrypt_des
- ntlm: silence ubsan warning about copying from null target_info pointer
- openssl/mbedtls: use %d for outputing port with failf (int)
- openssl: prefix errors with '[lib]/[version]: '
- os400: use platform socklen_t in Curl_getnameinfo_a
- page-header: grammar improvement (display transfer rate)
- proxy: refactor haproxy protocol handling as connection filter
- README.md: remove badges and xmas-tree garnish
- rtsp: fix RTSP auth
- runtests: --no-debuginfod now disables DEBUGINFOD_URLS
- runtests: do CRLF replacements per section only
- scripts/checksrc.pl: detect duplicated include files
- sendf: change Curl_read_plain to wrap Curl_recv_plain
- sendf: remove unnecessary if condition
- setup: do not require __MRC__ defined for Mac OS 9 builds
- smb/telnet: do not free the protocol struct in *_done()
- socks: fix username max size is 255 (0xFF)
- spellcheck.words: remove 'github' as an accepted word
- ssl-reqd.d: clarify that this is for upgrading connections only
- strcase: use curl_str(n)equal for case insensitive matches
- styled-output.d: this option does not work on Windows
- system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
- system.h: support 64-bit curl_off_t for NonStop 32-bit
- test1421: fix typo
- test3026: reduce runtime in legacy mingw builds
- tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
- tests: add authorityInfoAccess to generated certs
- tests: add HTTP/3 test case, custom location for proper nghttpx
- tls: backends use connection filters for IO, enabling HTTPS-proxy
- tool: determine the correct fopen option for -D
- tool_cfgable: free the ssl_ec_curves on exit
- tool_cfgable: make socks5_gssapi_nec a boolean
- tool_formparse: avoid clobbering on function params
- tool_getparam: make --no-get work as the opposite of --get
- tool_operate: provide better errmsg for -G with bad URL
- tool_operate: when aborting, make sure there is a non-NULL error buffer
- tool_paramhlp: free the proto strings on exit
- url: move back the IDN conversion of proxy names
- urlapi: reject more bad letters from the host name: &+()
- urldata: change port num storage to int and unsigned short
- vms: remove SIZEOF_SHORT
- vtls: fix build without proxy support
- vtls: localization of state data in filters
- WEBSOCKET.md: fix broken link
- Websocket: fixes for partial frames and buffer updates
- websockets: fix handling of partial frames
- windows: fail early with a missing windres in autotools
- windows: fix linking .rc to shared curl with autotools
- winidn: drop WANT_IDN_PROTOTYPES
- ws: if no connection is around, return error
- ws: return CURLE_NOT_BUILT_IN when websockets not built in
- x509asn1: avoid freeing unallocated pointers
- Add 1.50.0 as the minimum libnghttp2 build requirement version as
a bandaid. Curl's 7.86.0 release introduces the use of
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
introduced by nghttp2 1.50.0 release, without introducing a check
for the function/right version in their build scripts. This will
make Zypper/cURL unusable in some corner cases where users
installing something that requires libcurl4 before doing full
system upgrade, thus updating the cURL stack, but not
libnghttp2's. Background: boo#1204983, Factory mailing list
threadd:
"/? broken dependency in curl and/or *zyp* ?"/, and forums thread:
Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.
- Update to 7.86.0:
* Security fixes:
- POST following PUT confusion [bsc#1204383, CVE-2022-32221]
- .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
- HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
- HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
* Changes:
- NPN: remove support for and use of
- Websockets: initial support
* Bugfixes:
- altsvc: reject bad port numbers
- autotools: reduce brute-force when detecting recv/send arg list
- aws_sigv4: fix header computation
- cli tool: do not use disabled protocols
- connect: change verbose IPv6 address:port to [address]:port
- connect: fix builds without AF_INET6
- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
- connect: fix the wrong error message on connect failures
- content_encoding: use writer struct subclasses for different encodings
- cookie: reject cookie names or content with TAB characters
- curl/add_file_name_to_url: use the libcurl URL parser
- curl/get_url_file_name: use libcurl URL parser
- curl: warn for --ssl use, considered insecure
- docs/libcurl/symbols-in-versions: add several missing symbols
- ftp: ignore a 550 response to MDTM
- functypes: provide the recv and send arg and return types
- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
- header: define public API functions as extern c
- headers: reset the requests counter at transfer start
- hostip: guard PF_INET6 use
- hostip: lazily wait to figure out if IPv6 works until needed
- http, vauth: always provide Curl_allow_auth_to_host() functionality
- http2: make nghttp2 less picky about field whitespace
- http: try parsing Retry-After: as a number first
- http_proxy: restore the protocol pointer on error
- lib: add missing limits.h includes
- lib: prepare the incoming of additional protocols
- lib: sanitize conditional exclusion around MIME
- libssh: if sftp_init fails, don't get the sftp error code
- mprintf: reject two kinds of precision for the same argument
- mqtt: return error for too long topic
- netrc: compare user name case sensitively
- netrc: replace fgets with Curl_get_line
- netrc: use the URL-decoded user
- ngtcp2: fix build errors due to changes in ngtcp2 library
- noproxy: support proxies specified using cidr notation
- openssl: make certinfo available for QUIC
- resolve: make forced IPv4 resolve only use A queries
- schannel: ban server ALPN change during recv renegotiation
- schannel: don't reset recv/send function pointers on renegotiation
- schannel: when importing PFX, disable key persistence
- setopt: use the handler table for protocol name to number conversions
- setopt: when POST is set, reset the 'upload' field
- single_transfer: use the libcurl URL parser when appending query parts
- smb: replace CURL_WIN32 with WIN32
- tool: avoid generating ambiguous escaped characters in --libcurl
- tool_main: exit at once if out of file descriptors
- tool_operate: more transfer cleanup after parallel transfer fail
- tool_operate: prevent over-queuing in parallel mode
- tool_paramhelp: asserts verify maximum sizes for string loading
- tool_xattr: save the original URL, not the final redirected one
- url: a zero-length userinfo part in the URL is still a (blank) user
- url: allow non-HTTPS HSTS-matching for debug builds
- url: rename function due to name-clash in Watt-32
- url: use IDN decoded names for HSTS checks
- urlapi: detect scheme better when not guessing
- urlapi: fix parsing URL without slash with CURLU_URLENCODE
- urlapi: reject more bad characters from the host name field
* Remove patch upstream:
- connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
- Update connection info when using UNIX socket as endpoint
connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
- Change the deprecated configure option --enable-hidden-symbols
to the new --enable-symbol-hiding.
- Update to 7.85.0:
* Security fixes: [bsc#1202593, CVE-2022-35252]
- control code in cookie denial of service
* Changes:
- quic: add support via wolfSSL
- schannel: Add TLS 1.3 support
- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
* Bugfixes:
- asyn-thread: fix socket leak on OOM
- asyn-thread: make getaddrinfo_complete return CURLcode
- base64: base64url encoding has no padding
- configure: fix broken m4 syntax in TLS options
- configure: if asked to use TLS, fail if no TLS lib was detected
- connect: add quic connection information
- connect: set socktype/protocol correctly
- cookie: reject cookies with "/control bytes"/
- cookie: treat a blank domain in Set-Cookie: as non-existing
- curl: output warning when a cookie is dropped due to size
- Curl_close: call Curl_resolver_cancel to avoid memory-leak
- digest: fix memory leak, fix not quoted 'opaque'
- digest: fix missing increment of 'nc' value for auth-int
- digest: pass over leading spaces in qop values
- digest: reject broken header with session protocol but without qop
- doh: use https protocol by default
- easy_lock.h: include sched.h if available to fix build
- easy_lock.h: use __asm__ instead of asm to fix build
- easy_lock: switch to using atomic_int instead of bool
- ftp: use a correct expire ID for timer expiry
- h2h3: fix overriding the 'TE: Trailers' header
- hostip: resolve *.localhost to 127.0.0.1/::1
- HTTP3.md: update to msh3 v0.4.0
- hyper: use wakers for curl pause/resume
- lib3026: reduce the number of threads to 100
- libssh2: make atime/mtime date overflow return error
- libssh2: provide symlink name in SFTP dir listing
- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
- multi: use larger dns hash table for multi interface
- multi_wait: fix skipping to populate revents for extra_fds
- netrc: Use the password from lines without login
- ngtcp2: Fix build error due to change in nghttp3 prototypes
- ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
- ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
- openssl: add 'CURL_BORINGSSL_VERSION' to identify BoringSSL
- openssl: add cert path in error message
- openssl: add details to "/unable to set client certificate"/ error
- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
- select: do not return fatal error on EINTR from poll()
- sendf: fix paused header writes since after the header API
- sendf: skip storing HTTP headers if HTTP disabled
- url: really use the user provided in the url when netrc entry exists
- url: reject URLs with hostnames longer than 65535 bytes
- url: treat missing usernames in netrc as empty
- urldata: reduce size of several struct fields
- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
* Remove tests-for-32bit.patch fixed in the update
* Rebase libcurl-ocloexec.patch
- add tests-for-32bit.patch to fix testsuite on 32bit platforms
- Update to 7.84.0:
* Security fixes:
- (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
- (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
- (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
- (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
* Changes:
- curl: add --rate to set max request rate per time unit
- curl: deprecate --random-file and --egd-file
- curl_version_info: add CURL_VERSION_THREADSAFE
- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
- lib: make curl_global_init() threadsafe when possible
- libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
- opts: deprecate RANDOM_FILE and EGDSOCKET
- socks: support unix sockets for socks proxy
* Bugfixes:
- aws-sigv4: fix potentional NULL pointer arithmetic
- bindlocal: don't use a random port if port number would wrap
- c-hyper: mark status line as status for Curl_client_write()
- ci: avoid `cmake -Hpath`
- CI: bump FreeBSD 13.0 to 13.1
- ci: update github actions
- cmake: add libpsl support
- cmake: do not add libcurl.rc to the static libcurl library
- cmake: enable curl.rc for all Windows targets
- cmake: fix detecting libidn2
- cmake: support adding a suffix to the OS value
- configure: skip libidn2 detection when winidn is used
- configure: use the SED value to invoke sed
- configure: warn about rustls being experimental
- content_encoding: return error on too many compression steps
- cookie: address secure domain overlay
- cookie: apply limits
- copyright.pl: parse and use .reuse/dep5 for skips
- copyright: make repository REUSE compliant
- curl.1: add a few see also --tls-max
- curl.1: mention exit code zero too
- curl: re-enable --no-remote-name
- curl_easy_pause.3: remove explanation of progress function
- curl_getdate.3: document that some illegal dates pass through
- Curl_parsenetrc: don't access local pwbuf outside of scope
- curl_url_set.3: clarify by default using known schemes only
- CURLOPT_ALTSVC.3: document the file format
- CURLOPT_FILETIME.3: fix the protocols this works with
- CURLOPT_HTTPHEADER.3: improve comment in example
- CURLOPT_NETRC.3: document the .netrc file format
- CURLOPT_PORT.3: We discourage using this option
- CURLOPT_RANGE.3: remove ranged upload advice
- digest: added detection of more syntax error in server headers
- digest: tolerate missing "/realm"/
- digest: unquote realm and nonce before processing
- DISABLED: disable 1021 for hyper again
- docs/cmdline-opts: add copyright and license identifier to each file
- docs/CONTRIBUTE.md: document the 'needs-votes' concept
- docs: clarify data replacement policy for MIME API
- doh: remove UNITTEST macro definition
- examples/crawler.c: use the curl license
- examples: remove fopen.c and rtsp.c
- FAQ: Clarify Windows double quote usage
- fopen: add Curl_fopen() for better overwriting of files
- ftp: restore protocol state after http proxy CONNECT
- ftp: when failing to do a secure GSSAPI login, fail hard
- GHA/hyper: enable debug in the build
- gssapi: improve handling of errors from gss_display_status
- gssapi: initialize gss_buffer_desc strings
- headers api: remove EXPERIMENTAL tag
- http2: always debug print stream id in decimal with %u
- http2: reject overly many push-promise headers
- http: restore header folding behavior
- hyper: use 'alt-used'
- krb5: return error properly on decode errors
- lib: make more protocol specific struct fields #ifdefed
- libcurl-security.3: add "/Secrets in memory"/
- libcurl-security.3: document CRLF header injection
- libssh: skip the fake-close when libssh does the right thing
- links: update dead links to the curl-wiki
- log2changes: do not indent empty lines [ci skip]
- macos9: remove partial support
- Makefile.am: fix portability issues
- Makefile.m32: delete obsolete options, improve -On [ci skip]
- Makefile.m32: delete two obsolete OpenSSL options [ci skip]
- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
- max-time.d: clarify max-time sets max transfer time
- mprintf: ignore clang non-literal format string
- netrc: check %USERPROFILE% as well on Windows
- netrc: support quoted strings
- ngtcp2: allow curl to send larger UDP datagrams
- ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
- ngtcp2: enable Linux GSO
- ngtcp2: extend QUIC transport parameters buffer
- ngtcp2: fix alert_read_func return value
- ngtcp2: fix typo in preprocessor condition
- ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
- ngtcp2: send appropriate connection close error code
- ngtcp2: support boringssl crypto backend
- ngtcp2: use helper funcs to simplify TLS handshake integration
- ntlm: provide a fixed fake host name
- projects: fix third-party SSL library build paths for Visual Studio
- quic: add Curl_quic_idle
- quiche: support ca-fallback
- rand: stop detecting /dev/urandom in cross-builds
- remote-name.d: mention --output-dir
- runtests.pl: add the --repeat parameter to the --help output
- runtests: fix skipping tests not done event-based
- runtests: skip starting the ssh server if user name is lacking
- scripts/copyright.pl: fix the exclusion to not ignore man pages
- sectransp: check for a function defined when __BLOCKS__ is undefined
- select: return error from "/lethal"/ poll/select errors
- server/sws: support spaces in the HTTP request path
- speed-limit/time.d: mention these affect transfers in either direction
- strcase: some optimisations
- test 2081: add a valid reply for the second request
- test 675: add missing CR so the test passes when run through Privoxy
- test414: add the '--resolve' keyword
- test681: verify --no-remote-name
- tests 266, 116 and 1540: add a small write delay
- tests/data/test1501: kill ftp server after slow LIST response
- tests/getpart: fix getpartattr to work with "/data"/ and "/data2"/
- tests/server/sws.c: change the HTTP writedelay unit to milliseconds
- test{440,441,493,977}: add "/HTTP proxy"/ keywords
- tool_getparam: fix --parallel-max maximum value constraint
- tool_operate: make sure --fail-with-body works with --retry
- transfer: fix potential NULL pointer dereference
- transfer: maintain --path-as-is after redirects
- transfer: upload performance; avoid tiny send
- url: free old conn better on reuse
- url: remove redundant #ifdefs in allocate_conn()
- url: URL encode the path when extracted, if spaces were set
- urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
- urlapi: support CURLU_URLENCODE for curl_url_get()
- urldata: reduce size of a few struct fields
- urldata: remove three unused booleans from struct UserDefined
- urldata: store tcp_keepidle and tcp_keepintvl as ints
- version: allow stricmp() for sorting the feature list
- vtls: make curl_global_sslset thread-safe
- wolfssh.h: removed
- wolfssl: correct the failf() message when a handle can't be made
- wolfSSL: explicitly use compatibility layer
- x509asn1: mark msnprintf return as unchecked
- Update to 7.83.1:
* Security fixes:
- (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
- (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
- (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
- (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
- (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
- (bsc#1199220, CVE-2022-27778) removes wrong file on error
* Bugfixes:
- altsvc: fix host name matching for trailing dots
- cirrus: Update to FreeBSD 12.3
- cirrus: Use pip for Python packages on FreeBSD
- conn: fix typo 'connnection' -> 'connection' in two function names
- cookies: make bad_domain() not consider a trailing dot fine
- curl: free resource in error path
- curl: guard against size_t wraparound in no-clobber code
- CURLOPT_DOH_URL.3: mention the known bug
- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
- CURLOPT_SSH_AUTH_TYPES.3: fix the default
- data/test376: set a proper name
- GHA/mbedtls: enabled nghttp2 in the build
- gha: build msh3
- gskit: fixed bogus setsockopt calls
- gskit: remove unused function set_callback
- hsts: ignore trailing dots when comparing hosts names
- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
- http: move Curl_allow_auth_to_host()
- http_proxy/hyper: handle closed connections
- hyper: fix test 357
- Makefile: fix "/make ca-firefox"/
- mbedtls: bail out if rng init fails
- mbedtls: fix compile when h2-enabled
- mbedtls: fix some error messages
- misc: use "/autoreconf -fi"/ instead buildconf
- msh3: get msh3 version from MsH3Version
- msh3: print boolean value as text representation
- msh3: psss remote_port to MsH3ConnectionOpen
- ngtcp2: add ca-fallback support for OpenSSL backend
- nss: return error if seemingly stuck in a cert loop
- openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
- post_per_transfer: remove the updated file name
- sectransp: bail out if SSLSetPeerDomainName fails
- tests/server: declare variable 'reqlogfile' static
- tests: fix markdown formatting in README
- test{898,974,976}: add 'HTTP proxy' keywords
- tls: check more TLS details for connection reuse
- url: check SSH config match on connection reuse
- urlapi: address (harmless) UndefinedBehavior sanitizer warning
- urlapi: reject percent-decoding host name into separator bytes
- x509asn1: make do_pubkey handle EC public keys
- Patches rework:
* Refreshed all patches as -p1.
* Use autopatch macro.
* Renamed:
- dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
* Removed (already upstream):
- curl-fix-verifyhost.patch
- Update to 7.83.0:
* Security fixes:
- (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
- (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
- (bsc#1198608, CVE-2022-27774) Credential leak on redirect
- (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
* Changes:
- curl: add %header{name} experimental support in -w handling
- curl: add %{header_json} experimental support in -w handling
- curl: add --no-clobber
- curl: add --remove-on-error
- header api: add curl_easy_header and curl_easy_nextheader
- msh3: add support for QUIC and HTTP/3 using msh3
* Bugfixes:
- appveyor: add Cygwin build
- appveyor: only add MSYS2 to PATH where required
- BearSSL: add CURLOPT_SSL_CIPHER_LIST support
- BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
- BINDINGS.md: add Hollywood binding
- CI: Do not use buildconf. Instead, just use: autoreconf -fi
- CI: install Python package impacket to run SMB test 1451
- configure.ac: move -pthread CFLAGS setting back where it used to be
- configure: bump the copyright year range int the generated output
- conncache: include the zone id in the "/bundle"/ hashkey
- connecache: remove duplicate connc->closure_handle check
- connect: make Curl_getconnectinfo work with conn cache from share handle
- connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
- cookie.d: clarify when cookies are sent
- cookies: improve errorhandling for reading cookiefile
- curl/system.h: update ifdef condition for MCST-LCC compiler
- curl: error out if -T and -d are used for the same URL
- curl: error out when options need features not present in libcurl
- curl: escape '?' in generated --libcurl code
- curl: fix segmentation fault for empty output file names.
- curl_easy_header: fix typos in documentation
- CURLINFO_PRIMARY_PORT.3: clarify which port this is
- CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
- CURLOPT_PROGRESSFUNCTION.3: fix typo in example
- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
- CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
- docs/HYPER.md: updated to reflect current hyper build needs
- docs/opts: Mention Schannel client cert type is P12
- docs: Fix missing semicolon in example code
- docs: lots of minor language polish
- English: use American spelling consistently
- fail.d: tweak the description
- firefox-db2pem.sh: make the shell script safer
- ftp: fix error message for partial file upload
- gen.pl: change wording for mutexed options
- GHA: add openssl3 jobs moved over from zuul
- GHA: build hyper with nightly rustc
- GHA: move bearssl jobs over from zuul
- gha: move the event-based test over from Zuul
- gtls: fix build for disabled TLS-SRP
- http2: handle DONE called for the paused stream
- http2: RST the stream if we stop it on our own will
- http: avoid auth/cookie on redirects same host diff port
- http: close the stream (not connection) on time condition abort
- http: reject header contents with nul bytes
- http: return error on colon-less HTTP headers
- http: streamclose "/already downloaded"/
- hyper: fix status_line() return code
- hyper: fix tests 580 and 581 for hyper
- hyper: no h2c support
- infof: consistent capitalization of warning messages
- ipv4/6.d: clarify that they are about using IP addresses
- json.d: fix typo (overriden -> overridden)
- keepalive-time.d: It takes many probes to detect brokenness
- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
- lib670: avoid double check result
- lib: #ifdef on USE_HTTP2 better
- lib: fix some misuse of curlx_convert_wchar_to_UTF8
- lib: remove exclamation marks
- libssh2: compare sha256 strings case sensitively
- libssh2: make the md5 comparison fail if wrong length
- libssh: fix build with old libssh versions
- libssh: fix double close
- libssh: Improve fix for missing SSH_S_ stat macros
- libssh: unstick SFTP transfers when done event-based
- macos: set .plist version in autoconf
- mbedtls: remove 'protocols' array from backend when ALPN is not used
- mbedtls: remove server_fd from backend
- mk-ca-bundle.pl: Use stricter logic to process the certificates
- mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
- mlc_config.json: add file to ignore known troublesome URLs
- mqtt: better handling of TCP disconnect mid-message
- ngtcp2: add client certificate authentication for OpenSSL
- ngtcp2: avoid busy loop in low CWND situation
- ngtcp2: deal with sub-millisecond timeout
- ngtcp2: disconnect the QUIC connection proper
- ngtcp2: enlarge H3_SEND_SIZE
- ngtcp2: fix HTTP/3 upload stall and avoid busy loop
- ngtcp2: fix memory leak
- ngtcp2: fix QUIC_IDLE_TIMEOUT
- ngtcp2: make curl 1ms faster
- ngtcp2: remove remote_addr which is not used in a meaningful way
- ngtcp2: update to work after recent ngtcp2 updates
- ngtcp2: use token when detecting :status header field
- nonblock: restore setsockopt method to curlx_nonblock
- openssl: check SSL_get_peer_cert_chain return value
- openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
- openssl: fix CN check error code
- options: remove mistaken space before paren in prototype
- perl: removed a double semicolon at end of line
- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
- projects/README: converted to markdown
- projects: Update VC version names for VS2017, VS2022
- rtsp: don't let CSeq error override earlier errors
- runtests: add 'bearssl' as testable feature
- runtests: make 'oldlibssh' be before 0.9.4
- schannel: remove dead code that will never run
- scripts/copyright.pl: ignore the new mlc_config.json file
- scripts: move three scripts from lib/ to scripts/
- test1135: sync with recent API updates
- test1459: disable for oldlibssh
- test375: fix line endings on Windows
- test386: Fix an incorrect test markup tag
- test718: edited slightly to return better HTTP
- tests/server/util.h: align WIN32 condition with util.c
- tests: refactor server/socksd.c to support --unix-socket
- timediff.[ch]: add curlx helper functions for timeval conversions
- tls: make mbedtls and NSS check for h2, not nghttp2
- tool and tests: force flush of all buffers at end of program
- tool_cb_hdr: Turn the Location: into a terminal hyperlink
- tool_getparam: error out on missing -K file
- tool_listhelp.c: uppercase URL
- tool_operate: fix a scan-build warning
- tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
- transfer: redirects to other protocols or ports clear auth
- unit1620: call global_init before calling Curl_open
- url: check sasl additional parameters for connection reuse.
- vtls: provide a unified APLN-disagree string for all backends
- vtls: use a backend standard message for "/ALPN: offers %s"/
- vtls: use a generic "/ALPN, server accepted"/ message
- winbuild/README.md: fixup dead link
- winbuild: Add a Visual Studio example to the README
- wolfssl: fix compiler error without IPv6
- Fix: openssl: fix CN check error code
* Add curl-fix-verifyhost.patch
- Update to 7.82.0:
* curl: add --json command line option
* curl: make it so that sensitive command line arguments do not
show as easily in the output of ps(1)
* curl_multi_socket.3: remove callback and typical usage descriptions
* ftp: provide error message for control bytes in path
* ldap: return CURLE_URL_MALFORMAT for bad URL
* lib: remove support for CURL_DOES_CONVERSIONS
* mqtt: plug some memory leaks
* multi: allow user callbacks to call curl_multi_assign
* multi: remember connection_id before returning connection to pool
* multi: set in_callback for multi interface callbacks
* netware: remove support
* ngtcp2: adapt to changed end of headers callback proto
* openldap: implement SASL authentication
* openssl: return error if TLS 1.3 is requested when not supported
* sectransp: mark a 3DES cipher as weak
* smb: pass socket for writing and reading data instead of FIRSTSOCKET
* tool_getparam: DNS options that need c-ares now fail without it
* TPF: drop support
* url: given a user in the URL, find pwd for that user in netrc
* url: keep trailing dot in host name
* urlapi: handle "/redirects"/ smarter
* urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
* urldata: remove conn->bits.user_passwd
- update to 7.81.0:
* mime: use percent-escaping for multipart form field and file names
* asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
* azure: make the "/w/o HTTP/SMTP/IMAP"/ build disable SSL proper
* BINDINGS: add cURL client for PostgreSQL
* BINDINGS: add one from Everything curl and update a link
* checksrc: detect more kinds of NULL comparisons we avoid
* CI: build examples for additional code verification
* CI: bump job to use mbedtls 3.1.0
* cmake: don't set _USRDLL on a static Windows build
* cmake: prevent dev warning due to mismatched arg
* cmake: private identifiers use CURL_ instead of CMAKE_ prefix
* config.d: update documentation to match the path search
* configure: add -lm to configure for rustls build.
* configure: better diagnostics if hyper is built wrong
* configure: don't enable TLS when --without-* flags are used
* configure: fix runtime-lib detection on macOS
* curl.1: require "/see also"/ for every documented option
* curl: improve error message for --head with -J
* curl_easy_cleanup.3: remove from multi handle first
* curl_easy_escape.3: call curl_easy_cleanup in example
* curl_easy_unescape.3: call curl_easy_cleanup in example
* curl_multi_init.3: fix EXAMPLE formatting
* curl_multi_perform/socket_action.3: clarify what errors mean
* curl_share_setopt.3: split out options into their own manpages
* CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
* digest: compute user:realm:pass digest w/o userhash
* docs/checksrc: Add documentation for STRERROR
* docs/cmdline-opts: do not say "/protocols: all"/
* docs/examples: workaround broken -Wno-pedantic-ms-format
* docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
* docs/INSTALL.md: typo fix : added missing "/get"/ verb
* docs/URL-SYNTAX.md: space is not fine in a given URL
* docs: add known bugs list to HTTP3.md
* docs: address proselint nits
* docs: consistent manpage SYNOPSIS
* docs: fix dead links, remove ECH.md
* docs: fix typo in OpenSSL 3 build instructions
* docs: Update the Reducing Size section
* example/progressfunc: remove code for old libcurls
* examples/multi-single.c: remove WAITMS()
* FAQ: typo fix : "/yout"/ ➤ "/your"/
* ftp: disable warning 4706 in MSVC
* gen.pl: improve example output format
* github workflow: add wolfssl (removed from zuul)
* github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
* gtls: check return code for gnutls_alpn_set_protocols
* hash: lazy-alloc the table in Curl_hash_add()
* http2:set_transfer_url() return early on OOM
* HTTP3: update quiche build instructions
* http: enable haproxy support for hyper backend
* http: Fix CURLOPT_HTTP200ALIASES
* http_proxy: don't close the socket (too early)
* insecure.d: detail its use for SFTP and SCP as well
* insecure.d: expand and clarify
* libcurl-multi.3: "/SOCKS proxy handshakes"/ are not blocking
* libcurl-security.3: mention address and URL mitigations
* libssh2: fix error message for sha256 mismatch
* libtest: avoid "/assignment within conditional expression"/
* lift: ignore is a deprecated config option, use ignoreRules
* linkcheck.yml: add CI job that checks markdown links
* m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
* Makefile.m32: rename -winssl option to -schannel and tidy up
* mbedTLS: add support for CURLOPT_CAINFO_BLOB
* mbedtls: fix CURLOPT_SSLCERT_BLOB
* mbedtls: fix private member designations for v3.1.0
* misc: remove unused doh flags when CURL_DISABLE_DOH is defined
* misc: s/e-mail/email
* multi: cleanup the socket hash when destroying it
* multi: handle errors returned from socket/timer callbacks
* multi: shut down CONNECT in Curl_detach_connnection
* netrc.d: edit the .netrc example to look nicer
* ngtcp2: verify the server cert on connect (quictls)
* ngtcp2: verify the server certificate for the gnutls case
* nss:set_cipher don't clobber the cipher list
* openldap: implement STARTTLS
* openldap: process search query response messages one by one
* openldap: several minor improvements
* openldap: simplify ldif generation code
* openssl: check the return value of BIO_new()
* openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
* openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
* openssl: remove usage of deprecated `SSL_get_peer_certificate`
* openssl: use non-deprecated API to read key parameters
* page-footer: add a mention of how to report bugs to the man page
* page-footer: document more environment variables
* request.d: refer to 'method' rather than 'command'
* retry-all-errors.d: make the example complete
* runtests: make the SSH library a testable feature
* rustls: read of zero bytes might be okay
* rustls: remove comment about checking handshaking
* rustls: remove incorrect EOF check
* sha256/md5: return errors when init fails
* socks5: use appropriate ATYP for numerical IP address host names
* test1156: enable for hyper
* test1156: fixup the stdout check for Windows
* test1525: tweaked for hyper
* test1526: enable for hyper
* test1527: enable for hyper
* test1528: enable for hyper
* test1554: adjust for hyper
* test1556: adjust for hyper
* test302[12]: run only with the libssh2 backend
* test661: enable for hyper
* tests/CI.md: add more information on CI environments
* tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
* tftp: mark protocol as not possible to do over CONNECT
* tool_findfile: updated search for a file in the homedir
* tool_operate: only set SSH related libcurl options for SSH URLs
* tool_operate: warn if too many output arguments were found
* url.c: fix the SIGPIPE comment for Curl_close
* url: check ssl_config when re-use proxy connection
* url: reduce ssl backend count for CURL_DISABLE_PROXY builds
* urlapi: accept port number zero
* urlapi: if possible, shorten given numerical IPv6 addresses
* urlapi: provide more detailed return codes
* urlapi: reject short file URLs
* version_win32: Check build number and platform id
* vtls/rustls: adapt to the updated rustls_version proto
* writeout: fix %{http_version} for HTTP/3
* x509asn1: return early on errors
* zuul.d: update rustls-ffi to version 0.8.2
* zuul: fix quiche build pointing to wrong Cargo
- Update to 7.80.0:
* Changes:
- CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
- CURLOPT_PREREQFUNCTION: add new callback
- libssh2: add SHA256 fingerprint support
- urlapi: add curl_url_strerror()
* Bugfixes:
- aws-sigv4: make signature work when post data is binary
- c-hyper: don't abort CONNECT responses early when auth-in-progress
- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
- cmake: add CURL_ENABLE_SSL option
- cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
- configure.ac: replace krb5-config with pkg-config
- configure: when hyper is selected, deselect nghttp2
- curl-confopts.m4: remove --enable/disable-hidden-symbols
- curl-openssl.m4: modify library order for openssl linking
- curl_ntlm_core: use OpenSSL only if DES is available
- Curl_updateconninfo: store addresses for QUIC connections too
- ftp: make the MKD retry to retry once per directory
- http: fix Basic auth with empty name field in URL
- http: reject HTTP response codes < 100
- http: remove assert that breaks hyper
- http: set content length earlier
- imap: display quota information
- libssh2: Get the version at runtime if possible
- md5: fix compilation with OpenSSL 3.0 API
- ngtcp2: advertise h3 as well as h3-29
- ngtcp2: compile with the latest nghttp3
- ngtcp2: use latest QUIC TLS RFC9001
- NTLM: use DES_set_key_unchecked with OpenSSL
- openssl: if verifypeer is not requested, skip the CA loading
- openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
- schannel: fix memory leak due to failed SSL connection
- sendf: accept zero-length data in Curl_client_write()
- sha256: use high-level EVP interface for OpenSSL
- sws: fix memory leak on exit
- tool_operate: a failed etag save now only fails that transfer
- url: check the return value of curl_url()
- url: set "/k->size"/ -1 at start of request
- urlapi: skip a strlen(), pass in zero
- urlapi: URL decode percent-encoded host names
- vtls: Fix a memory leak if an SSL session cannot be added to the cache
- wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
* Use --with-openssl configure option, --with-ssl is now deprecated