{"id":25121,"date":"2024-07-24T08:26:19","date_gmt":"2024-07-24T06:26:19","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=25121"},"modified":"2024-07-27T15:46:28","modified_gmt":"2024-07-27T13:46:28","slug":"curl-8-9-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2024\/07\/24\/curl-8-9-0\/","title":{"rendered":"curl 8.9.0"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 258th release<br>11 changes<br>63 days (total: 9,623)<\/strong><br><strong>260 bugfixes (total: 10,531)<\/strong><br><strong>423 commits (total: 32,704)<br>0 new public libcurl function (total: 94)<br>1 new curl_easy_setopt() option (total: 306)<\/strong><br><strong>4 new curl command line option (total: 263)<\/strong><br><strong>80 contributors, 38 new (total: 3,209)<\/strong><br><strong>47 authors, 16 new (total: 1,288)<\/strong><br><strong>2 security fixes (total: 157)<\/strong><\/p>\n\n\n\n<p>Download the new curl release from <a href=\"https:\/\/curl.se\/\">curl.se<\/a> as always.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.9.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/85prwzeilnY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>Today we fix two security vulnerabilities and publish all details about them.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2024-6197.html\">CVE-2024-6197: freeing stack buffer in 
utf8asn1str<\/a>. (severity medium) libcurl&#8217;s ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return an error. Unfortunately, when doing so it also invokes free() on a 4-byte local stack buffer.<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2024-6874.html\">CVE-2024-6874: macidn punycode buffer overread<\/a>. (severity low) libcurl&#8217;s URL API function curl_url_get() offers punycode conversions, to and from IDN. When asked to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack-based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly &#8211; but does not null terminate the string.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/docs\/manpage.html#--ip-tos\">&#8211;ip-tos<\/a> (IP Type of Service \/ Traffic Class). Lets users set this IP header field to a number.<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/manpage.html#--mptcp\">&#8211;mptcp<\/a>. Asks curl to enable the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Multipath_TCP\">Multipath TCP<\/a> option for this connection, which, if the server also allows it, may make the TCP connection go over multiple network paths.<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/manpage.html#--vlan-priority\">&#8211;vlan-priority<\/a>. Makes curl set the VLAN priority field for its IP traffic. This is typically a field used in the network layer below IP (think Ethernet), so it is not likely to survive through IP routers. A local network thing.<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/manpage.html#--keepalive-cnt\">&#8211;keepalive-cnt<\/a> (and <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_TCP_KEEPCNT.html\">CURLOPT_TCP_KEEPCNT<\/a>). 
Specify how many keepalive probes curl should send before it considers the connection to be dead.<\/li>\n\n\n\n<li>&#8211;write-out &#8216;%{<a href=\"https:\/\/everything.curl.dev\/usingcurl\/verbose\/writeout.html?highlight=write-out#available---write-out-variables\">num_retries<\/a>}&#8217; is a new <em>variable<\/em> for the info output that outputs the number of retries that were done for the previous transfer (when <a href=\"https:\/\/curl.se\/docs\/manpage.html#--retry\">&#8211;retry<\/a> was used).<\/li>\n\n\n\n<li>gnutls now supports <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_CA_CACHE_TIMEOUT.html\">CA caching<\/a>. For libcurl-using applications, this can really speed up doing serial TLS connections.<\/li>\n\n\n\n<li>mbedtls supports <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_CERTINFO.html\">CURLOPT_CERTINFO<\/a>. Returns certificate information to the application.<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_NOPROXY.html\">noproxy<\/a> patterns need to be comma separated. Space separation is no longer enough.<\/li>\n\n\n\n<li>Support <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_INTERFACE.html\">binding a connection<\/a> to both interface and IP, not just one of them. <\/li>\n\n\n\n<li>The URL API added <a href=\"https:\/\/curl.se\/libcurl\/c\/curl_url_get.html\">CURLU_NO_GUESS_SCHEME<\/a>, to allow an application to figure out if the scheme for a previously parsed URL was set or <em>guessed<\/em>.<\/li>\n\n\n\n<li>wolfssl now supports <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_CA_CACHE_TIMEOUT.html\">CA caching<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>In no other release ever before in curl&#8217;s long history have there been this <a href=\"https:\/\/curl.se\/changes.html#8_9_0\">many bugfixes<\/a>: <strong>260<\/strong>. 
Some of my favorites are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>cmake: <strong>26<\/strong> separate bugfixes<\/li>\n\n\n\n<li>configure: <strong>10<\/strong> separate bugfixes<\/li>\n\n\n\n<li>&#8211;help category cleanup and list categories in &#8211;help<\/li>\n\n\n\n<li>allow etag and content-disposition for 3xx reply<\/li>\n\n\n\n<li>docs: countless fixes, polish and corrections<\/li>\n\n\n\n<li>show name and keywords for failed tests in summary<\/li>\n\n\n\n<li>avoid using GetAddrInfoExW with impersonation<\/li>\n\n\n\n<li>URL encode the canonical path for aws-sigv4<\/li>\n\n\n\n<li>fix DoH cleanup<\/li>\n\n\n\n<li>fix memory leak and zero-length HTTPS RR crash in DoH<\/li>\n\n\n\n<li>allow DoH transfers to override max connection limit<\/li>\n\n\n\n<li>fix \u00df with AppleIDN<\/li>\n\n\n\n<li>fix compilation with OpenSSL 1.x with md4 disabled<\/li>\n\n\n\n<li>do a final progress update on connect failure<\/li>\n\n\n\n<li>multi: fix pollset during RESOLVING phase<\/li>\n\n\n\n<li>enable UDP GRO for QUIC<\/li>\n\n\n\n<li>require at least OpenSSL 3.3 for QUIC<\/li>\n\n\n\n<li>add shutdown support for HTTP\/3 (QUIC)<\/li>\n\n\n\n<li>fix CRLF conversion of input<\/li>\n\n\n\n<li>fixed starttls for SMTP<\/li>\n\n\n\n<li>change TCP keepalive from ms to seconds on DragonFly BSD<\/li>\n\n\n\n<li>support TCP keepalive parameters on Solaris &lt;11.4<\/li>\n\n\n\n<li>shutdown TLS and TCP better<\/li>\n\n\n\n<li>gnutls: pass in SNI name, not hostname when checking cert<\/li>\n\n\n\n<li>gnutls: rectify the TLS version checks for QUIC<\/li>\n\n\n\n<li>mbedtls v3.6.0 workarounds<\/li>\n\n\n\n<li>several x509 asn.1 parser fixes<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Next<\/h2>\n\n\n\n<p>Because the 8.9.0 release spent an extra week for its release cycle, the next one is going to be one week shorter. 
We do this by shortening the feature window to just two weeks this time, which <em>might<\/em> impact how many new features and changes we manage to merge.<\/p>\n\n\n\n<p>We have a large amount of pull requests for changes already pending merge, waiting for the release window to open.<\/p>\n\n\n\n<p>If all goes well, the next release is named 8.10.0 and eventually ships on September 11, 2024.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Numbers the 258th release11 changes63 days (total: 9,623)260 bugfixes (total: 10,531)423 commits (total: 32,704)0 new public libcurl function (total: 94)1 new curl_easy_setopt() option (total: 306)4 new curl command line option (total: 263)80 contributors, 38 new (total: 3,209)47 authors, 16 new (total: 1,288)2 security fixes (total: 157) Download the new curl release from curl.se as always. &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2024\/07\/24\/curl-8-9-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.9.0<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":25133,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-25121","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/25121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=25121"}],"version-history":[{"count":16,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/25121\/revisions"}],"predecessor-version":[{"id":25179,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/25121\/revisions\/25179"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/25133"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=25121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=25121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=25121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}