{"id":17032,"date":"2021-07-21T09:32:03","date_gmt":"2021-07-21T07:32:03","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=17032"},"modified":"2021-07-21T12:13:59","modified_gmt":"2021-07-21T10:13:59","slug":"curl-7-78-0-five-in-one","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2021\/07\/21\/curl-7-78-0-five-in-one\/","title":{"rendered":"curl 7.78.0 five in one"},"content":{"rendered":"\n<p>Welcome to another release! We did more bug-fixes than in any previous release (176). We paid more in bug-bounties than during any previous release cycle (4,200 USD) and we thank more contributors in the RELEASE-NOTES than ever before (83). <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 7.78.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/XHaJGFj6wVg?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 201st release<br>6 changes<br>56 days (total: 8,524)<\/strong><br><strong>176 bug-fixes (total: 7,142)<\/strong><br><strong>263 commits (total: 27,465)<br>0 new public libcurl function (total: 85)<br>0 new curl_easy_setopt() option (total: 290)<\/strong><br><strong>0 new curl command line option (total: 242)<\/strong><br><strong>83 contributors, 49 new (total: 2,459)<\/strong><br><strong>56 authors, 32 new (total: 933)<\/strong><br><strong>5 security fixes (total: 108)<\/strong><br><strong>4,200 USD paid in Bug Bounties (total: 13,200 USD)<\/strong><\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>This time we announce no less than <strong>5<\/strong> separate security advisories and we are once again setting a new bug-bounty record. This release cycle we spent <strong>4,200 USD<\/strong> on rewarding security researchers.<\/p>\n\n\n\n<p>Let&#8217;s do them in numerical order. Click the CVE links to get to the full and much more detailed advisories.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/curl.se\/docs\/CVE-2021-22922.html\">CVE-2021-22922<\/a>: Wrong content via metalink not discarded<\/h3>\n\n\n\n<p>This was one of the problems we found that all together made us take the drastic decision to completely <a href=\"https:\/\/daniel.haxx.se\/blog\/2021\/06\/07\/bye-bye-metalink-in-curl\/\" data-type=\"post\" data-id=\"16870\">remove metalink support<\/a>.<\/p>\n\n\n\n<p>The metalink format has a hash for the content so that a client can detect faulty contents. curl didn&#8217;t act properly if the hash mismatched and it could easily make users not realize the bad content.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/curl.se\/docs\/CVE-2021-22923.html\">CVE-2021-22923<\/a>: Metalink download sends credentials<\/h3>\n\n\n\n<p>If you download the metalink file using credentials, the subsequent download(s) of the file mentioned in that XML file will also get <em>the same credentials<\/em> passed to those servers, unexpectedly, thus potentially leaking sensitive information to other parties!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/curl.se\/docs\/CVE-2021-22924.html\">CVE-2021-22924<\/a>: Bad connection reuse due to flawed path name checks<\/h3>\n\n\n\n<p>libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup.<\/p>\n\n\n\n<p>Due to errors in the logic, the config matching function did not take &#8216;issuer cert&#8217; into account and it compared the involved paths <em>case 
insensitively<\/em>, which could lead to libcurl reusing wrong connections!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/curl.se\/docs\/CVE-2021-22925.html\">CVE-2021-22925<\/a>: TELNET stack contents disclosure again<\/h3>\n\n\n\n<p>Possibly the most embarrassing security flaw in a long time.<\/p>\n\n\n\n<p>When we shipped 7.77.0 we announced <a href=\"https:\/\/curl.se\/docs\/CVE-2021-22898.html\">CVE-2021-22898<\/a>, which was a flaw in the telnet code and an associated fix. Know what? The fix was incomplete and plain wrong so the original problem actually remained for a certain set of input.<\/p>\n\n\n\n<p>This is thus the <strong>second<\/strong> advisory for the same problem and now we fix this <strong>again<\/strong>. Hopefully for real and for good this time&#8230;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/curl.se\/docs\/CVE-2021-22926.html\">CVE-2021-22926<\/a>: CURLOPT_SSLCERT mixup with Secure Transport<\/h2>\n\n\n\n<p>When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name &#8211; using the same option. If the name exists as a file, it will be used instead of by name. 
This could be exploited in rare circumstances.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<p>The six big changes this time around are:<\/p>\n\n\n\n<p><a href=\"https:\/\/curl.se\/libcurl\/c\/curl_url_set.html\">curl_url_set<\/a> now rejects spaces in the URL unless specifically asked to allow them.<\/p>\n\n\n\n<p><code>CURLE_SETOPT_OPTION_SYNTAX<\/code> is a brand new return code (name) for when libcurl detects an illegally formatted input passed to a setopt(), when it is detected later in the transfer.<\/p>\n\n\n\n<p><a href=\"https:\/\/daniel.haxx.se\/blog\/2021\/05\/31\/curl-localhost-as-a-local-host\/\" data-type=\"post\" data-id=\"16602\">localhost is now always local<\/a>!<\/p>\n\n\n\n<p>The mbedTLS backend now supports client certificate and key provided as &#8220;blob options&#8221; in memory instead of as files.<\/p>\n\n\n\n<p><a href=\"https:\/\/daniel.haxx.se\/blog\/2021\/06\/07\/bye-bye-metalink-in-curl\/\" data-type=\"post\" data-id=\"16870\">Metalink support was dropped<\/a>.<\/p>\n\n\n\n<p>Now username and password can be used for MQTT transfers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bug-fixes<\/h2>\n\n\n\n<p>I&#8217;m doing this release in the midst of my vacation so I&#8217;m doing this section a little shorter than usual. Here are some bug-fixes to highlight:<\/p>\n\n\n\n<p><strong>Lots of tiny fixes when built to use hyper for HTTP.<\/strong>  Now curl built to use hyper can run many more test cases. There&#8217;s more to do and more will be done going forward.<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/daniel.haxx.se\/blog\/2021\/06\/14\/bye-bye-travis-ci\/\" data-type=\"post\" data-id=\"16901\">Travis CI is gone<\/a>. Zuul and Circle CI are in.<\/strong><\/p>\n\n\n\n<p><strong>GnuTLS: set the preferred TLS versions in correct order. 
<\/strong>Previously the occasional TLS connection would fail because of the wrong way the code would instruct GnuTLS&#8230;<\/p>\n\n\n\n<p><strong>on macOS: free returned memory of SCDynamicStoreCopyProxies.<\/strong> A small memory leak on Apple operating systems, possibly as many as one per name resolve?<\/p>\n\n\n\n<p><strong>HSTS: not experimental anymore.<\/strong> It is now built and provided by default.<\/p>\n\n\n\n<p><strong>netrc: skip &#8216;macdef&#8217; definitions.<\/strong> The netrc parser is ancient but it turned out this kind of macro use could throw it off.<\/p>\n\n\n\n<p><strong>OpenSSL: don&#8217;t remove session id entry in disassociate.<\/strong> We had a regression that basically killed session-id use and made subsequent TLS handshakes to the same host much slower.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Next<\/h2>\n\n\n\n<p>The plan says we ship the next release on <strong>September 15th 2021<\/strong>. See you then!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to another release! We did more bug-fixes than in any previous release (176). We paid more in bug-bounties than during any previous release cycle (4,200 USD) and we thank more contributors in the RELEASE-NOTES than ever before (83). 
Release presentation Numbers the 201st release6 changes56 days (total: 8,524)176 bug-fixes (total: 7,142)263 commits (total: 27,465)0 &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2021\/07\/21\/curl-7-78-0-five-in-one\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 7.78.0 five in one<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-17032","post","type-post","status-publish","format-standard","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/17032","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=17032"}],"version-history":[{"count":19,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/17032\/revisions"}],"predecessor-version":[{"id":17051,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/17032\/revisions\/17051"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=17032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=17032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=17032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}