curl's websocket code did not update the 32 bit mask pattern
for each new outgoing frame as the specification says. Instead
it used a fixed mask that persisted and was used throughout
the entire connection.
A predictable mask pattern allows for a malicious server to induce
traffic between the two communicating parties that could be
interpreted by an involved proxy (configured or transparent) as
genuine, real, HTTP traffic with content and thereby poison its
cache. That cached poisoned content could then be served to all
users of that proxy.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10148
Upstream patch:
https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa
(From OE-Core rev: 3793ee12d8da4f8f90a0ffcad180ef8122251491)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Due to what looks like a copy'n'paste mistake, the environment setup script
might override 'CURL_CA_BUNDLE' from the host env instead of leaving it
untouched. Fix that.
(cherry picked from commit 545e43a7a45be02fda8fc3af69faa20e889f58c4)
CC: changqing.li@windriver.com
CC: raj.khem@gmail.com
CC: Peter.Marko@siemens.com
(From OE-Core rev: ef198b0c6063ede32cb93fe44eb89937c076a073)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In native/nativesdk builds, sysconfdir refers to a recipe sysroot
directory, which will disappear once the workdir is cleaned up, breaking
libcurl's HTTPS connections.
By simply not setting --with-ca-bundle at all in non-target builds, curl
defaults to the host system's CA certificates, which is desirable anyways
to allow builds in environments that require local CA certificates.
(From OE-Core rev: 4909a46e93ba774c960c3d3c277e2a669af3fea6)
(From OE-Core rev: 0f98fecda8a0436f760e6fd9f3b7eb510e5258b8)
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086
Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6
(From OE-Core rev: b0cc7001a628deaa96d1aebb5ded52797898a0be)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When Bash runs with 'set -u' (nounset), accessing an unset variable
directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
is never triggered and the script aborts.
The current code assumes these variables may be unset or empty, but does
not guard against 'set -u'. This breaks builds in stricter shell
environments or when users explicitly enable 'set -u'.
Fix this by using parameter expansion with a default value, e.g.
"${SSL_CERT_FILE:-}", so that unset variables are treated as empty
strings. This preserves the intended logic (respect host env first, then
CAFILE/CAPATH, then buildtools defaults) and makes the script robust
under 'set -u'.
(From OE-Core rev: 4cf131ebd157b79226533b5a5074691dd0e1a4ab)
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4d880c2eccd534133a2a4e6579d955605c0956ec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If openssl packageconfig is enabled, set CVE_STATUS as not-applicable.
This CVE is applicable only when curl built with wolfSSL support.
Reference: https://curl.se/docs/CVE-2025-5025.html
(From OE-Core rev: 8f50b0761fc4d49fae8d174956052e3ff9024a5e)
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
To adapt user network enviroment, buildtools should first try to use
the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these
envs is not set, then use the auto-detected ca file and ca path, and
finally use the CA certificates in buildtools.
nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work
nativesdk-curl don't set default ca file, need
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work
nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also works
nativesdk-python3-requests will use cacert.pem under python module certifi by
default, need to set REQUESTS_CA_BUNDLE
(From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Here is one testcase:
For recipe tensorflow-lite-host-tools_2.18.0.bb, refer [1],
do_configure[network] = "1"
and it will git clone some repos in CMakeLists.txt
When buildtools is used and nativesdk-git is installed into sdk,
do_configure failed with error:
[1/9] Performing download step (git clone) for 'protobuf-populate'
Cloning into 'protobuf'...
fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt
Fix by adding GIT_SSL_CAINFO in BB_ENV_PASSTHROUGH_ADDITIONS, so that
user can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their
do_configure:prepend() to fix above do_configure failure
CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE is similar envvars, so all add
into BB_ENV_PASSTHROUGH_ADDITIONS
[1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb
(From OE-Core rev: 27f018d8e8ace97d0b1cdfb8782a2a7a0a319816)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* make git,curl,python3-requests align with openssl, move the setting of
envvars into respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exist
before export envvars
(From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When asked to use a `.netrc` file for credentials *and* to
follow HTTP redirects, curl could leak the password used
for the first host to the followed-to host under certain
circumstances.
This flaw only manifests itself if the netrc file has a
`default` entry that omits both login and password. A
rare circumstance.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-0167
Upstream patch:
https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
(From OE-Core rev: b74dba43f2d6896245232373f2a9fdf07086a237)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-0725 can only trigger for curl when using a runtime
zlib version 1.2.0.3 or older and scarthgap supports
zlib 1.3.1 version, hence ignore cve for scarthgap
https://curl.se/docs/CVE-2025-0725.html
(From OE-Core rev: 8c3b4a604b40260e7ca9575715dd8017e17d35c0)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Since commit 148de08220 [ curl: Update from 8.2.1 to 8.3.0 ],
--enable-crypto-auth option was removed and split into separate options
for basic-auth, bearer-auth, digest-auth, kerberos-auth negotiate-auth,
and aws. In this commit, --enable-crypto-auth is removed from
EXTRA_OECONF, and the separate options is added into PACKAGECONFIG for
target. But not added into PACKAGECONFIG for native/nativesdk, this make
curl/git in buildtools not works well to connect basic auth https
server.
Failed commands:
git ls-remote https://xxx(input username/passwd)
curl -u name:passwd https://xxx
Error:
Authentication failed xxx
HTTP/1.1 401 Unauthorized
(From OE-Core rev: 67b98253ea70a1e2850a78bb101c934093d30937)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It looks like something related to FTP in curl, be it the protocol itself
or the harness, is unstable under load. We've been seeing random failures
in automated QA, and Debian does too.
Until this issue is resolved, disable all of the FTP tests on the hope
that this is the underlying common factor.
(From OE-Core rev: 49ae51c05e470523d3b818aa5fe7b54c3274a17d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 28035987fad5a673e35b346e043e66d04f64ef5d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The musl-locales package provides this too, so we can depend without a
libc override.
(From OE-Core rev: 1cab8d06ce5df7a8d00cff8531965a84d90d265a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c8f1d51f4eb6df6c041707d38f60549d13ddab7f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
bitbake-selftest was failing on a github url on hosts using buildtools.
The issue was tracked down to the curl upgrade 8.6.0 -> 8.7.1. Whilst there
is a fix in upstream git to workaround the issue in this version, backport
the fix from curl upstream to ensure there are no other related issues to
the bug.
(From OE-Core rev: 28ee90b07c70cafbba9149dd4dbe26cae9e214c7)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This includes 4 security fixes:
CVE-2024-2466 - TLS certificate check bypass with mbedTLS
CVE-2024-2398 - HTTP/2 push headers memory-leak
CVE-2024-2379 - QUIC certificate check bypass with wolfSSL
CVE-2024-2004 - Usage of disabled protocol
Along with many other changes, mostly bugfixes: https://curl.se/changes.html
(From OE-Core rev: 8e27b472d1bc872c6da2b22f57b30d36e231d745)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The list of test labels to disable shouldn't be quoted, and this meant
that tests were running when they should not.
[ YOCTO #15268 ]
(From OE-Core rev: 97afe73e6fbd4a116ac3bf2178634d7636195e5a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We often see multiple curl tests fail during ptest runs, the actual test
varies but the output is like this:
FAIL: 337: protoc!
There was no content at all in the file log/3/server.input.
Server glitch? Total curl failure? Returned: 28
Error code 28 is CURLE_OPERATION_TIMEDOUT, so this is almost certainly
due to a loaded machine resulting in the tests running slowly.
It is notable that the test runner explicitly passes --max-time=13 to
curl, so experiment and change this to 600 to see if this solves the
problem.
[ YOCTO #15268 ]
(From OE-Core rev: e2e9ec1bf97a7e36a05a247dbc671ecca584205f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There's no need to run the output of runtests.pl through a sed to get
automake-style output, as you can pass -am to get this formatting.
Don't run timing dependent tests, as the ptests can run on loaded
systems.
Add a dependency on the en_US locale because some of the tests require
this.
(From OE-Core rev: 3c3601d50ae290e7e9797eadd20c05df99bbd040)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a bug fix and feature update. Release notes are available at:
https://curl.se/changes.html#8_6_0
Disable test 1478, it's comparing help output to documentation.
License-Update: Copyright year updated
(From OE-Core rev: efebd6a8824769137a21674e2bfe1c059a41758a)
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Disable another test that intermittently fails on the autobuilder.
(From OE-Core rev: 8d169e13f7e2eb6511f0ac98da63b060c6c0d53a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These two tests seem to fail semi-regularly so just stop running them.
(From OE-Core rev: 1bfa564f1aa8b865f6c3ae3501e6d5f6cc0542eb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
update include fix for CVE-2023-46218.
skip test 1477 which check that libcurl-errors.3 and the public
header files have the same set of error codes.
Notes: This test is not included in the source tarball.
https://github.com/curl/curl/issues/12462
Release Notes:
curl and libcurl 8.5.0
Public curl releases: 253
Command line options: 258
curl_easy_setopt() options: 303
Public functions in libcurl: 93
Contributors: 3039
This release includes the following changes:
o gnutls: support CURLSSLOPT_NATIVE_CA [31]
o HTTP3: ngtcp2 builds are no longer experimental [77]
This release includes the following bugfixes:
o appveyor: make VS2008-built curl tool runnable [93]
o asyn-thread: use pipe instead of socketpair for IPC when available [4]
o autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}` [128]
o autotools: avoid passing `LDFLAGS` twice to libcurl [127]
o autotools: delete LCC compiler support bits [137]
o autotools: fix/improve gcc and Apple clang version detection [136]
o autotools: stop setting `-std=gnu89` with `--enable-warnings` [135]
o autotools: update references to deleted `crypt-auth` option [46]
o BINDINGS: add V binding [54]
o build: add `src/.checksrc` to source tarball [1]
o build: add more picky warnings and fix them [172]
o build: always revert `#pragma GCC diagnostic` after use [143]
o build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` [107]
o build: delete support bits for obsolete Windows compilers [106]
o build: fix 'threadsafe' feature detection for older gcc [19]
o build: fix builds that disable protocols but not digest auth [174]
o build: fix compiler warning with auths disabled [85]
o build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS` [120]
o build: picky warning updates [125]
o build: require Windows XP or newer [86]
o cfilter: provide call to tell connection to forget a socket [65]
o checksrc.pl: support #line instructions
o CI: add autotools, out-of-tree, debug build to distro check job [14]
o CI: ignore test 286 on Appveyor gcc 9 build [6]
o cmake: add `CURL_DISABLE_BINDLOCAL` option [146]
o cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API` [138]
o cmake: dedupe Windows system libs [114]
o cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection [2]
o cmake: fix CURL_DISABLE_GETOPTIONS [12]
o cmake: fix multiple include of CURL package [96]
o cmake: fix OpenSSL quic detection in quiche builds [56]
o cmake: option to disable install & drop `curlu` target when unused [72]
o cmake: pre-fill rest of detection values for Windows [50]
o cmake: replace `check_library_exists_concat()` [23]
o cmake: speed up threads setup for Windows [68]
o cmake: speed up zstd detection [69]
o config-win32: set `HAVE_SNPRINTF` for mingw-w64 [123]
o configure: better --disable-http [80]
o configure: check for the fseeko declaration too [55]
o conncache: use the closure handle when disconnecting surplus connections [173]
o content_encoding: make Curl_all_content_encodings allocless [101]
o cookie: lowercase the domain names before PSL checks [160]
o curl.h: delete Symbian OS references [162]
o curl.h: on FreeBSD include sys/param.h instead of osreldate.h [21]
o curl.rc: switch out the copyright symbol for plain ASCII [167]
o curl: improved IPFS and IPNS URL support [87]
o curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped [99]
o Curl_http_body: cleanup properly when Curl_getformdata errors [152]
o curl_setup: disallow Windows IPv6 builds missing getaddrinfo [57]
o curl_sspi: support more revocation error names in error messages [95]
o CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation [181]
o CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range [165]
o CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does [113]
o CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR [45]
o CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO
o docs/example/keepalive.c: show TCP keep-alive options [73]
o docs/example/localport.c: show off CURLOPT_LOCALPORT [83]
o docs/examples/interface.c: show CURLOPT_INTERFACE use [84]
o docs/libcurl: fix three minor man page format mistakes [26]
o docs/libcurl: SYNSOPSIS cleanup [150]
o docs: add supported version for the json write-out [92]
o docs: clarify that curl passes on input unfiltered [47]
o docs: fix function typo in curl_easy_option_next.3 [36]
o docs: KNOWN_BUGS cleanup
o docs: make all examples in all libcurl man pages compile [175]
o docs: preserve the modification date when copying the prebuilt man page [89]
o docs: remove bold from some man page SYNOPSIS sections [90]
o docs: use SOURCE_DATE_EPOCH for generated manpages [16]
o doh: provide better return code for responses w/o addresses [133]
o doh: use PIPEWAIT when HTTP/2 is attempted [63]
o duphandle: also free 'outcurl->cookies' in error path [122]
o duphandle: make dupset() not return with pointers to old alloced data [109]
o duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set [132]
o easy: in duphandle, init the cookies for the new handle [131]
o easy: remove duplicate wolfSSH init call [37]
o easy_lock: add a pthread_mutex_t fallback [13]
o examples/rtsp-options.c: add [157]
o fopen: create new file using old file's mode [153]
o fopen: create short(er) temporary file name [155]
o getenv: PlayStation doesn't have getenv() [41]
o GHA: move mod_h2 version in CI to v2.0.25 [43]
o hostip: show the list of IPs when resolving is done [35]
o hostip: silence compiler warning `-Wparentheses-equality` [62]
o hsts: skip single-dot hostname [67]
o HTTP/2, HTTP/3: handle detach of onoing transfers [134]
o http2: header conversion tightening [33]
o http2: provide an error callback and failf the message [53]
o http2: safer invocation of populate_binsettings [8]
o http: allow longer HTTP/2 request method names [112]
o http: avoid Expect: 100-continue if Upgrade: is used [15]
o http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine [81]
o http: fix `-Wunused-parameter` with no auth and no proxy [149]
o http: fix `-Wunused-variable` compiler warning [115]
o http: fix empty-body warning [76]
o http_aws_sigv4: canonicalise valueless query params [88]
o hyper: temporarily remove HTTP/2 support [139]
o INSTALL: update list of ports and CPU archs
o IPFS: fix IPFS_PATH and file parsing [119]
o keylog: disable if unused [145]
o lib: add and use Curl_strndup() [97]
o lib: apache style infof and trace macros/functions [71]
o lib: fix gcc warning in printf call [7]
o libcurl-errors.3: sync with current public headers [156]
o libcurl-thread.3: simplify the TLS section [79]
o Makefile.am: drop vc10, vc11 and vc12 projects from dist [103]
o Makefile.mk: fix `-rtmp` option for non-Windows
o mime: store "form escape" as a single bit [170]
o misc: fix -Walloc-size warnings [118]
o msh3: error when built with CURL_DISABLE_SOCKETPAIR set [61]
o multi: during ratelimit multi_getsock should return no sockets [182]
o multi: use pipe instead of socketpair to *wakeup() [18]
o ngtcp2: fix races in stream handling [178]
o ngtcp2: ignore errors on unknown streams [158]
o ntlm_wb: use pipe instead of socketpair when possible [44]
o openldap: move the alloc of ldapconninfo to *connect() [29]
o openldap: set the callback argument in oldap_do [30]
o openssl: avoid BN_num_bits() NULL pointer derefs [9]
o openssl: fix building with v3 `no-deprecated` + add CI test [161]
o openssl: fix infof() to avoid compiler warning for %s with null [70]
o openssl: identify the "quictls" backend correctly [82]
o openssl: include SIG and KEM algorithms in verbose [52]
o openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs [58]
o openssl: two multi pointer checks should probably rather be asserts [91]
o openssl: when a session-ID is reused, skip OCSP stapling [142]
o page-footer: clarify exit code 25 [51]
o projects: add VC14.20 project files [104]
o pytest: use lower count in repeat tests [98]
o quic: make eyeballers connect retries stop at weird replies [140]
o quic: manage connection idle timeouts [5]
o quiche: use quiche_conn_peer_transport_params() [116]
o rand: fix build error with autotools + LibreSSL [111]
o resolve.d: drop a multi use-sentence [100]
o RTSP: improved RTP parser [32]
o rustls: implement connect_blocking [154]
o sasl: fix `-Wunused-function` compiler warning [124]
o schannel: add CA cache support for files and memory blobs [121]
o setopt: check CURLOPT_TFTP_BLKSIZE range on set [171]
o setopt: remove outdated cookie comment [64]
o setopt: remove superfluous use of ternary expressions [169]
o socks: better buffer size checks for socks4a user and hostname [20]
o socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice [38]
o symbols-in-versions: the CLOSEPOLICY options are deprecated
o test1683: remove commented-out check alternatives
o test3103: add missing quotes around a test tag attribute
o test613: stop showing an error on missing output file
o tests/README: SOCKS tests are not using OpenSSH, it has its own server [48]
o tests/server: add more SOCKS5 handshake error checking [27]
o tests: Fix Windows test helper tool search & use it for handle64 [17]
o tidy-up: casing typos, delete unused Windows version aliases [144]
o tool: fix --capath when proxy support is disabled [28]
o tool: support bold headers in Windows [117]
o tool_cb_hdr: add an additional parsing check [129]
o tool_cb_prg: make the carriage return fit for wide progress bars [159]
o tool_cb_wrt: fix write output for very old Windows versions [24]
o tool_getparam: limit --rate to be smaller than number of ms [3]
o tool_operate: do not mix memory models [108]
o tool_operate: fix links in ipfs errors [22]
o tool_parsecfg: make warning output propose double-quoting [164]
o tool_urlglob: fix build for old gcc versions [25]
o tool_urlglob: make multiply() bail out on negative values [11]
o tool_writeout_json: fix JSON encoding of non-ascii bytes [179]
o transfer: abort pause send when connection is marked for closing [183]
o transfer: avoid calling the read callback again after EOF [130]
o transfer: only reset the FTP wildcard engine in CLEAR state [42]
o url: don't touch the multi handle when closing internal handles [40]
o url: find scheme with a "perfect hash" [141]
o url: fix `-Wzero-length-array` with no protocols [147]
o url: fix builds with `CURL_DISABLE_HTTP` [148]
o url: protocol handler lookup tidy-up [66]
o url: proxy ssl connection reuse fix [94]
o urlapi: avoid null deref if setting blank host to url encode [75]
o urlapi: skip appending NULL pointer query [74]
o urlapi: when URL encoding the fragment, pass in the right length [59]
o urldata: make maxconnects a 32 bit value [166]
o urldata: move async resolver state from easy handle to connectdata [34]
o urldata: move cookielist from UserDefined to UrlState [126]
o urldata: move hstslist from 'set' to 'state' [105]
o urldata: move the 'internal' boolean to the state struct [39]
o vssh: remove the #ifdef for Curl_ssh_init, use empty macro
o vtls: cleanup SSL config management [78]
o vtls: consistently use typedef names for OpenSSL structs [176]
o vtls: late clone of connection ssl config [60]
o vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 [102]
o VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw [110]
o windows: use built-in `_WIN32` macro to detect Windows [163]
o wolfssh: remove redundant static prototypes [168]
o wolfssl: add default case for wolfssl_connect_step1 switch [49]
o wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA [10]
(From OE-Core rev: 44f4e93d25f208d0be4c53d02113b7d0ebfffa4a)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl and libcurl 8.4.0
Public curl releases: 252
Command line options: 258
curl_easy_setopt() options: 303
Public functions in libcurl: 93
Contributors: 2995
This release includes the following changes:
o curl: add support for the IPFS protocols via HTTP gateway [46]
o curl_multi_get_handles: get easy handles from a multi handle [20]
o mingw: delete support for legacy mingw.org toolchain [45]
This release includes the following bugfixes:
o acinclude.m4: Document proper system truststore on FreeBSD [83]
o appveyor: fix yamlint issues, indent [67]
o appveyor: rewrite batch in PowerShell + CI improvements [109]
o autotools: adjust `CURL_CA_PATH` value to CMake [53]
o autotools: restore `HAVE_IOCTL_*` detections [111]
o base64: also build for curl [78]
o bufq: remove Curl_bufq_skip_and_shift (unused) [47]
o build: delete checks for C89 standard headers [65]
o build: do not publish `HAVE_BORINGSSL`, `HAVE_AWSLC` macros [114]
o cf-socket: simulate slow/blocked receives in debug [120]
o cmake, configure: also link with CoreServices [32]
o cmake: add check for suseconds_t [91]
o cmake: add feature checks for `memrchr` and `getifaddrs` [57]
o cmake: add missing checks [86]
o cmake: delete old `HAVE_LDAP_URL_PARSE` logic [105]
o cmake: detect `HAVE_CLOCK_GETTIME_MONOTONIC_RAW` [75]
o cmake: detect `HAVE_GETADDRINFO_THREADSAFE` [76]
o cmake: detect `sys/wait.h` and `netinet/udp.h` [61]
o cmake: detect TLS-SRP in OpenSSL/wolfSSL/GnuTLS [93]
o cmake: disable unity mode with Windows Unicode + TrackMemory [108]
o cmake: fix `HAVE_LDAP_SSL`, `HAVE_LDAP_URL_PARSE` on non-Windows [110]
o cmake: fix `HAVE_WRITABLE_ARGV` detection [77]
o cmake: fix duplicate symbols when linking tests [73]
o cmake: fix missing `zlib.h` when compiling `libcurltool` [72]
o cmake: fix stderr initialization in unity builds [71]
o cmake: fix the help text to the static build option in CMakeLists.txt [10]
o cmake: fix unity builds for more build combinations [96]
o cmake: fix unity symbol collisions in h2 builds [48]
o cmake: fix unity with Windows Unicode + TrackMemory [107]
o cmake: improve OpenLDAP builds [92]
o cmake: lib `CURL_STATICLIB` fixes (Windows) [74]
o cmake: move global headers to specific checks [58]
o cmake: pre-cache `HAVE_BASENAME` for mingw-w64 and MSVC [85]
o cmake: pre-cache `HAVE_POLL_FINE` on Windows [36]
o cmake: tidy-up `NOT_NEED_LBER_H` detection
o cmake: validate `CURL_DEFAULT_SSL_BACKEND` config value [50]
o configure: check for the capath by default [63]
o configure: remove unused checks [87]
o configure: replace adhoc domain with `localhost` in tests [79]
o configure: sort AC_CHECK_FUNCS
o connect: expire the timeout when trying next [54]
o connect: only start the happy eyeballs timer when needed [95]
o cookie: do not store the expire or max-age strings [16]
o cookie: remove unnecessary struct fields [17]
o cookie: set ->running in cookie_init even if data is NULL [5]
o create-dirs.d: clarify it also uses --output-dirs [66]
o curl.h: mark CURLSSLBACKEND_NSS as deprecated since 8.3.0 [18]
o curl_easy_pause.3: mention h2/h3 buffering [113]
o curl_easy_pause.3: mention it works within callbacks [112]
o curl_easy_pause: set "in callback" true on exit if true [100]
o CURLOPT_DEBUGFUNCTION.3: warn about internal handles [122]
o docs/libcurl/opts/Makefile.inc: add missing manpage files
o docs: adapt SEE ALSO sections to new requirements [52]
o docs: explain how PINNEDPUBLICKEY is independent of VERIFYPEER [68]
o docs: replace made up domains with example.com [82]
o docs: update curl man page references [89]
o docs: use CURLSSLBACKEND_NONE [19]
o doh: inherit DEBUGFUNCTION/DATA [12]
o escape: replace Curl_isunreserved with ISUNRESERVED [2]
o FAQ: How do I upgrade curl.exe in Windows? [84]
o GHA/linux: run singleuse to detect single-use global functions [35]
o GHA: add workflow to compare configure vs cmake outputs [102]
o h2-proxy: remove left-over mistake in drain_tunnel() [7]
o h2: testcase and fix for pausing h2 streams [49]
o h3: add support for ngtcp2 with AWS-LC builds [103]
o http2: refused stream handling for retry [121]
o http: fix CURL_DISABLE_BEARER_AUTH breakage [28]
o http: h1/h2 proxy unification [21]
o http: remove wrong comment for http_should_fail [55]
o http: use per-request counter to check too large headers [6]
o http_aws_sigv4: fix sorting with empty parts [13]
o idn: fix WinIDN null ptr deref on bad host [90]
o idn: if idn2_check_version returns NULL, return error [27]
o inet_ntop: add typecast to silence Coverity [51]
o lib: disambiguate Curl_client_write flag semantics [24]
o lib: enable hmac for digest as well [26]
o lib: failf/infof compiler warnings [8]
o lib: let the max filesize option stop too big transfers too [44]
o lib: move handling of `data->req.writer_stack` into Curl_client_write() [97]
o lib: provide and use Curl_hexencode [62]
o lib: remove TIME_WITH_SYS_TIME [88]
o lib: use wrapper for curl_mime_data fseek callback [30]
o libssh2: fix error message on failed pubkey-from-file [22]
o libssh: cap SFTP packet size sent [14]
o Makefile.mk: always set `CURL_STATICLIB` for lib (Windows) [42]
o MANUAL.md: change domain to example.com [11]
o misc: better random strings [15]
o MQTT: improve receive of ACKs [125]
o multi: do CURLM_CALL_MULTI_PERFORM at two more places [99]
o multi: fix small timeouts [70]
o multi: remove Curl_multi_dump [37]
o multi: round the timeout up to prevent early wakeups [98]
o multi: set CURLM_CALL_MULTI_PERFORM after switch to DOING_MORE [115]
o openssl: improve ssl shutdown handling [69]
o openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR [104]
o pytest: exclude test_03_goaway in CI runs due to timing dependency [23]
o quic: set ciphers/curves the same way regular TLS does [43]
o quiche: fix build error with --with-ca-fallback [1]
o RELEASE-PROCEDURE.md: updated coming release dates
o runtests: display the test status if tests appear hung [81]
o runtests: eliminate a warning on old perl versions
o socks: return error if hostname too long for remote resolve [118]
o src/mkhelp: make generated code pass `checksrc` [59]
o test1056: disable on Windows
o test1474: disable test on NetBSD, OpenBSD and Solaris 10 [31]
o test1592: greatly increase the maximum test timeout
o test1903: actually verify the cookies after the test [116]
o test1906: set a lower timeout since it's hit on Windows [117]
o test2600: remove special case handling for USE_ALARM_TIMEOUT [3]
o test650: fix an end tag typo
o test661: return from test early in case of curl error
o test: add missing <feature>s
o tests: close the shell used to start sshd [41]
o tests: fix a race condition in ftp server disconnect [101]
o tests: fix compiler warnings [38]
o tests: Fix zombie processes left behind by FTP tests. [80]
o tests: improve SLOWDOWN test reliability by reducing sent data
o tests: increase lib571 timeout from 3s to 30s [106]
o tests: log the test result code after each libtest
o tests: propagate errors in libtests
o tests: set --expect100-timeout to improve test reliability
o tests: show which curl tool `runtests.pl` is using [60]
o tests: stop overriding the lock timeout
o tftpd: always use curl's own tftp.h [25]
o tool: use our own stderr variable [94]
o tool_cb_wrt: fix debug assertion [4]
o tool_getparam: accept variable expansion on file names too [123]
o tool_setopt: remove unused function tool_setopt_flags [56]
o upload-file.d: describe the file name slash/backslash handling [9]
o url: fall back to http/https proxy env-variable if ws/wss not set [119]
o url: fix netrc info message [39]
o warnless: remove unused functions [33]
o wolfssh: do cleanup in Curl_ssh_cleanup [40]
o wolfssl: allow capath with CURLOPT_CAINFO_BLOB [29]
o wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files [34]
o wolfssl: ignore errors in CA path [64]
(From OE-Core rev: aeab27305b3f207530ad1c749f6668c0df6cbed1)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some tests can fail intermittently and upstream has marked these as
flaky so they can easily be skipped. At present there are 12 tests
marked flaky with 10 of them running in the default recipe
configuration. Skip them to avoid the failures.
(From OE-Core rev: 34f37de80928bb23a594268b0e996beb575ca51b)
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
NSS support was removed, so adjust PACKAGECONFIG options.
The --enable-crypto-auth option was removed and split into separate
options for basic-auth, bearer-auth, digest-auth, kerberos-auth,
negotiate-auth, and aws. Enable these new options since upstream enables
them by default.
Disable test 1279 since this requires libcurl and hangs the tests.
(From OE-Core rev: 148de08220c0ad390ec533e452cbaad7a9338204)
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Not running make in the top level tests/ directory
excluded about a third of them (those that consisted
of running small test binaries).
Also, run tests in parallel, which reduces total time
from five minutes to about 75 seconds.
(From OE-Core rev: ff88f275f5f8d52da2967726d8880cbbfdfc8f19)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
=========
amigaos: fix sys/mbuf.h m_len macro clash
amissl: add missing signal.h include
amissl: fix AmiSSL v5 detection
cfilters: rename close/connect functions to avoid clashes
ciphers.d: put URL in first column
cmake: add `libcurlu`/`libcurltool` for unit tests
cmake: update ngtcp2 detection
configure: check for nghttp2_session_get_stream_local_window_size
CONTRIBUTE: drop mention of copyright year ranges
CONTRIBUTE: fix syntax in commit message description
curl_multi_wait.3: fix arg quoting to doc macro .BR
docs: mark two TLS options for TLS, not SSL
docs: provide more see also for cipher options
hostip: return IPv6 first for localhost resolves
http2: fix regression on upload EOF handling
http: VLH, very large header test and fixes
libcurl-errors.3: add CURLUE_OK
os400: correct EXPECTED_STRING_LASTZEROTERMINATED
quiche: fix lookup of transfer at multi
quiche: fix segfault and other things
rustls: update rustls-ffi 0.10.0
socks: print ipv6 address within brackets
src/mkhelp: strip off escape sequences
tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
transfer: do not clear the credentials on redirect to absolute URL
unittest: remove unneeded *_LDADD
websocket: rename arguments/variables to match docs
(From OE-Core rev: bc868329c4bac1d5d3831a7d86b561849ca533a3)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Piping results through sed is masking failures that aren't
picked up by sed expressions.
One such failure probes the source tree, and so isn't
relevant for target testing, and can be disabled.
(From OE-Core rev: 86c96cbf68d986b44fdb45e988343ce29d6b8cc7)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
- lib1560: verify more scheme guessing
- page-header: minor wording polish in the URL segment
- page-header: mention curl version and how to figure out current release
- RELEASE-NOTES: synced
- configure: without pkg-config and no custom path, use -lnghttp2
- curl: cache the --trace-time value for a second
- libcurl.m4: remove trailing 'dnl' that causes this to break autoconf
- http3: send EOF indicator early as possible
- scripts/contri*sh: no longer grep -v ' '
- cf-socket: restore Curl_sock_assign_addr()
- libssh: when keyboard-interactive auth fails, try password
- configure: fix build with arbitrary CC and LD_LIBRARY_PATH
- urlapi: remove superfluous host name check
- http2: fix EOF handling on uploads with auth negotiation
- lib: remove unused functions, make single-use static
- scripts/singleuse.pl: add more API calls
- configure: quote the assignments for run-compiler
- misc: fix spelling mistakes
(From OE-Core rev: db5773bf9c5e78affaaf0a21422bad07560eaa86)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
