{"id":25180,"date":"2024-07-31T08:59:12","date_gmt":"2024-07-31T06:59:12","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=25180"},"modified":"2024-07-31T10:59:30","modified_gmt":"2024-07-31T08:59:30","slug":"curl-8-9-1","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2024\/07\/31\/curl-8-9-1\/","title":{"rendered":"curl 8.9.1"},"content":{"rendered":"\n<p>Some annoying regressions triggered this.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 259th release<br>0 changes<br>7 days (total: 9,630)<\/strong><br><strong>28 bugfixes (total: 10,559)<\/strong><br><strong>43 commits (total: 32,748)<br>0 new public libcurl function (total: 94)<br>0 new curl_easy_setopt() option (total: 306)<\/strong><br><strong>0 new curl command line option (total: 263)<\/strong><br><strong>19 contributors, 5 new (total: 3,211)<\/strong><br><strong>10 authors, 1 new (total: 1,288)<\/strong><br><strong>1 security fixes (total: 158)<\/strong><\/p>\n\n\n\n<p>Download the new curl release from <a href=\"https:\/\/curl.se\/\">curl.se<\/a> as always.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.9.1 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/Py9LtV6pzXw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>We decided to do a patch release. Then yesterday we got a security vulnerability reported and so now we have that fixed in here as well.<\/p>\n\n\n\n<p><a href=\"https:\/\/curl.se\/docs\/CVE-2024-7264.html\">CVE-2024-7264: ASN.1 date parser overread<\/a> (<em>severity low<\/em>) libcurl&#8217;s ASN1 parser code has the <code>GTime2str()<\/code> function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the <em>time fraction<\/em>, leading to a <code>strlen()<\/code> getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>This release is done only because we shipped a few regressions in 8.9.0 we rather let users avoid. Here are some noteworthy fixes from the past week:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>connection shutdown fix for event based processing &#8211; this would cause applications to keep monitoring sockets &#8220;too much&#8221;, easily leading to busy-loops or worse<\/li>\n\n\n\n<li>cmake builds detect libssh and nettle better<\/li>\n\n\n\n<li>several libcurl functions now survive NULL pointer inputs better<\/li>\n\n\n\n<li>fixed an Apple SDK bug workaround for non-macOS targets<\/li>\n\n\n\n<li>the curl tool builds with the manual enabled on OS400<\/li>\n\n\n\n<li>works around an IBM (OS400) ASCII run-time library bug<\/li>\n\n\n\n<li>speed limiting for 32bit systems had the wrong math<\/li>\n\n\n\n<li>allow wolfSSL&#8217;s implementation of kyber to be used<\/li>\n\n\n\n<li>wolfssl CA store caching fix<\/li>\n\n\n\n<li>more defensive and portable socket code for the curl tool&#8217;s <code>--ip-tos<\/code> logic<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Some annoying regressions triggered this. Numbers the 259th release0 changes7 days (total: 9,630)28 bugfixes (total: 10,559)43 commits (total: 32,748)0 new public libcurl function (total: 94)0 new curl_easy_setopt() option (total: 306)0 new curl command line option (total: 263)19 contributors, 5 new (total: 3,211)10 authors, 1 new (total: 1,288)1 security fixes (total: 158) Download the new curl &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2024\/07\/31\/curl-8-9-1\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.9.1<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":25183,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-25180","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/25180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=25180"}],"version-history":[{"count":9,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/25180\/revisions"}],"predecessor-version":[{"id":25193,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/25180\/revisions\/25193"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/25183"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=25180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=25180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=25180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}