{"id":11928,"date":"2019-02-06T08:21:36","date_gmt":"2019-02-06T07:21:36","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=11928"},"modified":"2019-02-06T08:21:36","modified_gmt":"2019-02-06T07:21:36","slug":"curl-7-64-0-like-theres-no-tomorrow","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2019\/02\/06\/curl-7-64-0-like-theres-no-tomorrow\/","title":{"rendered":"curl 7.64.0 – like there’s no tomorrow"},"content":{"rendered":"\n
\"\"<\/figure><\/div>\n\n\n\n

I know, has there been eight weeks since the previous release<\/a> already? But yes it has – I double-checked! And then as the laws of nature dictates, there has been yet another fresh curl version released out into the wild.<\/p>\n\n\n\n

Numbers<\/h1>\n\n\n\n

the 179th release
5 changes
56 days (total: 7,628)<\/strong>
76 bug fixes (total: 4,913)<\/strong>
128 commits (total: 23,927)
0 new public libcurl functions (total: 80)
3 new curl_easy_setopt() options (total: 265)<\/strong>
1 new curl command line option (total: 220)<\/strong>
56 contributors, 29 new (total: 1,904)<\/strong>
32 authors, 13 new (total: 658)<\/strong>
\u00a0 3 security fixes (total: 87)<\/strong><\/p>\n\n\n\n

Security fixes<\/h2>\n\n\n\n

This release we have no less than three different security related fixes. I’ll describe them briefly here, but for the finer details I advice you to read the dedicated pages and documentation we’ve written for each one of them.<\/p>\n\n\n\n

CVE-2018-16890<\/a> is a bug where the existing range check in the NTLM code is wrong, which allows a malicious or broken NTLM server to send a header to curl that will make it read outside a buffer and possibly crash or otherwise misbehave.<\/p>\n\n\n\n

CVE-2019-3822<\/a> is related to the previous but with much worse potential effects. Another bad range check actually allows a sneaky NTLMv2 server to be able to send back crafted contents that can overflow a local stack based buffer. This is potentially in the worst case a remote code execution risk. I think this might be the worst security issue found in curl in a long time<\/strong>. A small comfort is that by disabling NTLM, you will avoid it until patched.<\/p>\n\n\n\n

CVE-2019-3823<\/a> is a potential read out of bounds of a heap based buffer in the SMTP code. It is fairly hard to trigger and it will mostly cause a crash when it does.<\/p>\n\n\n\n

Changes<\/h2>\n\n\n\n
  1. curl now supports<\/a> Mike West’s cookie update known as draft-ietf-httpbis-cookie-alone.<\/a> It basically means that cookies that are set as “secure” has to be set over HTTPS to be allow to override a previous secure cookie. Safer cookies.<\/li>
  2. The –resolve option as well as CURLOPT_RESOLVE now support specifying a wildcard as port number<\/a>.<\/li>
  3. libcurl can now send trailing headers<\/a> in chunked uploads using the new options.<\/li>
  4. curl now offers options<\/a> to enable<\/em> HTTP\/0.9 responses, The default is still enabled, but the plan is to deprecate that<\/a> and in 6 months time switch over the to default to off.<\/li>
  5. curl now uses higher resolution timer accuracy on windows<\/a>.<\/li><\/ol>\n\n\n\n

    Bug-fixes<\/h2>\n\n\n\n

    Check out the full change log to see the whole list. Here are some of the bug fixes I consider to be most noteworthy:<\/p>\n\n\n\n