{"id":23241,"date":"2023-10-11T08:01:17","date_gmt":"2023-10-11T06:01:17","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=23241"},"modified":"2023-10-11T13:02:59","modified_gmt":"2023-10-11T11:02:59","slug":"curl-8-4-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2023\/10\/11\/curl-8-4-0\/","title":{"rendered":"curl 8.4.0"},"content":{"rendered":"\n<p>We cut the release cycle short and decided to ship this release now rather than later because of the heap overflow issue we found.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.4.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/-j-_nKmq2aE?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 252nd release<br>3 changes<br>28 days (total: 9,336)<\/strong><br><strong>136 bug-fixes (total: 9,551)<\/strong><br><strong>216 commits (total: 31,158)<br>1 new public libcurl function (total: 93)<br>0 new curl_easy_setopt() option (total: 303)<\/strong><br><strong>1 new curl command line option (total: 258)<\/strong><br><strong>46 contributors, 20 new (total: 2,996)<\/strong><br><strong>21 authors, 7 new (total: 1,200)<\/strong><br><strong>2 security fixes (total: 148)<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">SOCKS5 heap buffer overflow (HIGH)<\/h3>\n\n\n\n<p>(<a href=\"https:\/\/curl.se\/docs\/CVE-2023-38545.html\">CVE-2023-38545<\/a>) This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.<\/p>\n\n\n\n<p>See also my <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/10\/11\/how-i-made-a-heap-overflow-in-curl\/\" data-type=\"post\" data-id=\"23212\">separate detailed explainer about CVE-2023-38545<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">cookie injection with none file (LOW)<\/h3>\n\n\n\n<p>(<a href=\"https:\/\/curl.se\/docs\/CVE-2023-38546.html\">CVE-2023-38546<\/a>) This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met and the cookies are put in a file called &#8220;none&#8221; in the application&#8217;s current directory.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">IPFS protocols via HTTP gateway<\/h3>\n\n\n\n<p>The curl tool now supports IPFS URLs via gateway. I emphasize that it is the tool because this support is not libcurl. The URL needs to be a correct IPFS URL but curl only works with it if you provide an IPFS gateway, it has no actual native IPFS implementation. You want to read the <a href=\"https:\/\/curl.se\/docs\/ipfs.html\">new IPFS section on the curl website<\/a> for details.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/curl.se\/libcurl\/c\/curl_multi_get_handles.html\">curl_multi_get_handles()<\/a><\/h3>\n\n\n\n<p>This is new and very simply function added to the libcurl API: it returns all the easy handles that were previously added to it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">dropped support for legacy mingw.org toolchain<\/h3>\n\n\n\n<p>The legacy mingw version is deprecated and by dropping support for this we can simplify code a little.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>Some of the things we fixed in this release are&#8230;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">made cmake more aligned with configure<\/h3>\n\n\n\n<p>Numerous smaller and larger fixes went in this cycle to make sure the cmake and configure configs are more aligned and create more similar default builds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">expire the timeout when trying next IP<\/h3>\n\n\n\n<p>Iterating over IP addresses when connecting could accidentally do delays, making the process take longer time than necessary.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">remove unnecessary cookie struct fields<\/h3>\n\n\n\n<p>curl now keeps much less data in memory per cookie<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">update curl man page references<\/h3>\n\n\n\n<p>All curl man pages got their references updated and they are now verified and checked in tests to remain accurate and well formatted.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">use per-request counter to check too large http headers<\/h3>\n\n\n\n<p>The check that prevents too large accumulated HTTP response headers actually used the wrong counter so it kicked in too early.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">aws-sigv4: fix sorting with empty parts<\/h3>\n\n\n\n<p>Getting this authentication method to work in all cases turns out to be a real adventure and in this release we fix yet some minor issues.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">let the max file size option stop too big transfers<\/h3>\n\n\n\n<p>Up until now, the maximum file size option only works on stopping transfers before it even began if libcurl knew the file size was too big. Starting now, it will also stop ongoing transfers if they reach the maximum limit. This should help users avoid unwanted surprises.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">lib: use wrapper for curl_mime_data fseek callback<\/h3>\n\n\n\n<p>Rewinding files when doing multipart formbased transfers on 32 bit ARM using the legacy libcurl <a href=\"https:\/\/curl.se\/libcurl\/c\/curl_formadd.html\">curl_formadd<\/a> API did not work because of data size incompatibilities. It took some work to find and understand as it still worked fine on x86 32 bit for example!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">libssh: cap SFTP packet size sent<\/h3>\n\n\n\n<p>The libssh library mostly passes on the data with the same size libcurl passes to it, it turns out. That is not compatible with the SFTP protocol so in order to make libcurl work better, it now caps how much data it can send in a single libssh send call. It probably makes SFTP uploads much slower.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">misc: better random boundary separators<\/h3>\n\n\n\n<p>The mime boundaries used for multipart formposts now use more random bits than before. Up from 64 to 130 bits. It now produces strings using alphanumerical characters instead of just hex.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">quic: set ciphers\/curves like for TLS<\/h3>\n\n\n\n<p>The same style of support for setting TLS 1.3 ciphers and curves as for regular TLS were added to the QUIC code.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">http2: retry on GOAWAY<\/h3>\n\n\n\n<p>Improved handling of GOAWAY when wanting to use use connection and then move on to use another.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">fall back to http\/https proxy env-variable if ws\/wss not set<\/h3>\n\n\n\n<p>When using one of the WebSocket schemes, curl will now fall back and try the <code>http_proxy<\/code> and <code>https_proxy<\/code> environment variables if <code>ws_proxy<\/code> or <code>wss_proxy<\/code> is not set.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">accept &#8211;expand on file names too<\/h3>\n\n\n\n<p>The variable <code>--expand<\/code> functionality did not work for command line options that accept file names, such as <code>--output<\/code>. It does now.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Next<\/h2>\n\n\n\n<p>We have synced the coming release cycles on this release. The next one is thus planned to happen in exactly eight weeks time. On December 6, 2023.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We cut the release cycle short and decided to ship this release now rather than later because of the heap overflow issue we found. Release presentation Numbers the 252nd release3 changes28 days (total: 9,336)136 bug-fixes (total: 9,551)216 commits (total: 31,158)1 new public libcurl function (total: 93)0 new curl_easy_setopt() option (total: 303)1 new curl command line &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/10\/11\/curl-8-4-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.4.0<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":23273,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95,428],"class_list":["post-23241","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release","tag-security"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/23241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=23241"}],"version-history":[{"count":33,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/23241\/revisions"}],"predecessor-version":[{"id":23321,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/23241\/revisions\/23321"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/23273"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=23241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=23241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=23241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}