Changelog
Fixed in 7.49.1 - May 30 2016
Bugfixes:
- Windows: prevent DLL hijacking, CVE-2016-4802
- dist: include manpage-scan.pl, nroff-scan.pl and CHECKSRC.md
- schannel: fix compile break with MSVC XP toolset
- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
- dist: include curl_multi_socket_all.3
- http2: use HTTP/2 in the HTTP/1.1-alike response
- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
- CURLOPT_CONNECT_TO.3: user must not free the list prematurely
- libcurl.m4: Avoid obsolete warning
- winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
- curl_multibyte: fix compiler error
- openssl: cleanup must free compression methods (memory leak)
- mbedtls: fix includes so snprintf() works
- checksrc.pl: Added variants of strcat() & strncat() to banned function list
- contributors.sh: better grep pattern and show GitHub username
- ssh: fix build for libssh2 before 1.2.6
- curl_share_setopt.3: Add min ver needed for ssl session lock
Fixed in 7.49.0 - May 18 2016
Changes:
- schannel: Add ALPN support
- SSH: support CURLINFO_FILETIME
- SSH: new CURLOPT_QUOTE command "statvfs"
- wolfssl: Add ALPN support
- http2: added --http2-prior-knowledge
- http2: added CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
- libcurl: added CURLOPT_CONNECT_TO
- curl: added --connect-to
- libcurl: added CURLOPT_TCP_FASTOPEN
- curl: added --tcp-fastopen
- curl: remove support for --ftpport, -http-request and --socks
Bugfixes:
- CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
- checksrc.bat: Updated the help to be consistent with generate.bat
- checksrc.bat: Added support for scanning the tests and examples
- openssl: fix ERR_remove_thread_state() for boringssl/libressl
- openssl: boringssl provides the same numbering as openssl
- multi: fix "Operation timed out after" timer
- url: don't use bad offset in tld_check_name to show error
- sshserver.pl: use quotes for given options
- Makefile.am: skip the scripts dir
- curl: warn for --capath use if not supported by libcurl
- http2: fix connection reuse
- GSS: make Curl_gss_log_error more verbose
- build-wolfssl: Allow a broader range of ciphers (Visual Studio)
- wolfssl: Use ECC supported curves extension
- openssl: Fix compilation warnings
- Curl_add_buffer_send: avoid possible NULL dereference
- SOCKS5_gssapi_negotiate: don't assume little-endian ints
- strerror: don't bit shift a signed integer
- url: Corrected get protocol family for FTP and LDAP
- curl/mprintf.h: remove support for _MPRINTF_REPLACE
- upload: missing rewind call could make libcurl hang
- IMAP: check pointer before dereferencing it
- build: Changed the Visual Studio projects warning level from 3 to 4
- checksrc: now stricter, wider checks, code cleaned up
- checksrc: added docs/CHECKSRC.md
- curl_sasl: Fixed potential null pointer utilisation
- krb5: Fixed missing client response when mutual authentication enabled
- krb5: Only process challenge when present
- krb5: Only generate a SPN when its not known
- formdata: use appropriate fopen() macros
- curl.1: -w filename_effective was introduced in 7.26.0
- http2: make use of the nghttp2 error callback
- http2: fix connection reuse when PING comes after last DATA
- curl.1: change example for -F
- HTTP2: Add a space character after the status code
- curl.1: use example.com more
- mbedtls.c: changed private prefix to mbed_
- mbedtls: implement and provide *_data_pending() to avoid hang
- mbedtls: fix MBEDTLS_DEBUG builds
- ftp/imap/pop3/smtp: Allow the service name to be overridden
- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
- build: include scripts/ in the dist
- http2: Add handling stream level error
- http2: Improve header parsing
- makefile.vc6: use d suffix on debug object
- configure: remove check for libresolve
- scripts/make: use $(EXEEXT) for executables
- checksrc: got rid of the whitelist files
- sendf: added ability to call recv() before send() as workaround
- NTLM: check for NULL pointer before dereferencing
- openssl: builds with OpenSSL 1.1.0-pre5
- configure: ac_cv_ -> curl_cv_ for all cached vars
- winbuild: add mbedtls support
- curl: make --ftp-create-dirs retry on failure
- PolarSSL: implement public key pinning
- multi: accidentally used resolved host name instead of proxy
- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
- CONNECT_ONLY: don't close connection on GSS 401/407 reponses
- opts: Fix some syntax errors in example code fragments
- mbedtls: Fix session resume
- test1139: verifies libcurl option man page presence
- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
- curl: make --disable work as long form of -q
- curl: use --telnet-option as documented
- curl.1: document --ftp-ssl-reqd, --krb4 and --ntlm-wb
- curl: -h output lacked --proxy-header and --ntlm-wb
- curl -J: make it work even without http:// scheme on URL
- lib: include curl_printf.h as one of the last headers
- tests: handle path properly on Msys/Cygwin
- curl.1: --mail-rcpt can be used multiple times
- CURLOPT_ACCEPT_ENCODING.3: clarified
- docs: fixed lots of broken man page references
- tls: make setting pinnedkey option fail if not supported
- test1140: run nroff-scan to verify man pages
- http: make sure a blank header overrides accept_decoding
- connections: do not reuse non-HTTP proxies on different ports
- connect: fix invalid "Network is unreachable" errors
- TLS: move the ALPN/NPN enable bits to the connection
- TLS: SSL_peek is not a const operation
- http2: Add space between colon and header value
- darwinssl: fix certificate verification disable on OS X 10.8
- mprintf: Fix processing of width and prec args
- ftp wildcard: segfault due to init only in multi_perform
Fixed in 7.48.0 - March 23 2016
Changes:
- configure: --with-ca-fallback: use built-in TLS CA fallback
- TFTP: add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS
- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
- added CODE_STYLE.md
Bugfixes:
- Proxy-Connection: stop sending this header by default
- os400: sync ILE/RPG definitions with latest public header files
- cookies: allow spaces in cookie names, cut of trailing spaces
- tool_urlglob: Allow reserved dos device names (Windows)
- openssl: remove most BoringSSL #ifdefs
- tool_doswin: Support for literal path prefix \\?
- mbedtls: fix ALPN usage segfault
- mbedtls: fix memory leak when destroying SSL connection data
- nss: do not count enabled cipher-suites
- examples/cookie_interface.c: add cleanup call
- examples: adhere to curl code style
- curlx_tvdiff: handle 32bit time_t overflows
- dist: ship buildconf.bat too
- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
- generate.bat: Fix comment bug by removing old comments
- test1604: Add to Makefile.inc so it gets run
- gtls: fix for builds lacking encrypted key file support
- SCP: use libssh2_scp_recv2 to support > 2GB files on windows
- CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
- cookie: do not refuse cookies to localhost
- openssl: avoid direct PKEY access with OpenSSL 1.1.0
- http: Don't break the header into chunks if HTTP/2
- http2: don't decompress gzip decoding automatically
- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
- curl.1: add a missing dash
- curl.1: HTTP headers for --cookie must be Set-Cookie style
- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
- curl_sasl: Fix memory leak in digest parser
- src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
- CURLOPT_DEBUGFUNCTION.3: Fix example
- runtests: Fixed usage of %PWD on MinGW64
- tests/sshserver.pl: use RSA instead of DSA for host auth
- multi_remove_handle: keep the timeout list until after disconnect
- Curl_read: check for activated HTTP/1 pipelining, not only requested
- configure: warn on invalid ca bundle or path
- file: try reading from files with no size
- getinfo: Add support for mbedTLS TLS session info
- formpost: fix memory leaks in AddFormData error branches
- makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
- url: if Curl_done is premature then pipeline not in use
- cookie: remove redundant check
- cookie: Don't expire session cookies in remove_expired
- makefile.m32: fix to allow -ssh2-winssl combination
- checksrc.bat: Fixed cannot find perl if installed but not in path
- build-openssl.bat: Fixed cannot find perl if installed but not in path
- mbedtls: fix user-specified SSL protocol version
- makefile.m32: add missing libs for static -winssl-ssh2 builds
- test46: change cookie expiry date
- pipeline: Sanity check pipeline pointer before accessing it
- openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
- ftp_done: clear tunnel_state when secondary socket closes
- opt-docs: fix heading macros
- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
- curl_multi_wait: never return -1 in 'numfds'
- url.c: fix clang warning: no newline at end of file
- krb5: improved type handling to avoid clang compiler warnings
- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
- multi: avoid blocking during CURLM_STATE_WAITPROXYCONNECT
- multi hash: ensure modulo performed on curl_socket_t
- curl: glob_range: no need to check unsigned variable for negative
- easy: add check to malloc() when running event-based
- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
- version: thread safety
- openssl: verbose: show matching SAN pattern
- openssl: adapt to OpenSSL 1.1.0 API breakage in ERR_remove_thread_state()
- formdata.c: Fixed compilation warning
- configure: use cpp -P when needed
- imap.c: Fixed compilation warning with /Wall enabled
- config-w32.h: Fixed compilation warning when /Wall enabled
- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
- build: Added missing Visual Studio filter files for VC10 onwards
- easy: Remove poll failure check in easy_transfer
- mbedtls: fix compiler warning
- build-wolfssl: Update VS properties for wolfSSL v3.9.0
- Fixed various compilation warnings when verbose strings disabled
- sshserver: remove use of AuthorizedKeysFile2
Fixed in 7.47.1 - February 8 2016
Bugfixes:
- getredirect.c: fix variable name
- tool_doswin: silence unused function warning
- cmake: fixed when OpenSSL enabled on Windows and schannel detected
- curl.1: Explain remote-name behavior if file already exists
- tool_operate: Don't sanitize --output path (Windows)
- URLs: change all http:// URLs to https:// in documentation & comments
- sasl_sspi: Fix memory leak in domain populate
- COPYING: clarify that Daniel is not the sole author
- examples/htmltitle: Use _stricmp on Windows
- examples/asiohiper: Avoid function name collision on Windows
- idn_win32: Better error checking
- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
- curl save files: check for backslashes on cygwin
Fixed in 7.47.0 - January 27 2016
Changes:
- version: Add flag CURL_VERSION_PSL for libpsl
- http: added CURL_HTTP_VERSION_2TLS to do HTTP/2 for HTTPS only
- curl: use 2TLS by default
- curl --expect100-timeout: added
- Add .dir-locals and set c-basic-offset to 2 (for emacs)
Bugfixes:
- curl: avoid local drive traversal when saving file on Windows
- NTLM: do not resuse proxy connections without diff proxy credentials
- tests: Disable the OAUTHBEARER tests when using a non-default port number
- curl: remove keepalive #ifdef checks done on libcurl's behalf
- formdata: Check if length is too large for memory
- lwip: Fix compatibility issues with later versions
- openssl: BoringSSL doesn't have CONF_modules_free
- config-win32: Fix warning HAVE_WINSOCK2_H undefined
- build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
- http2: Fix hanging paused stream
- scripts/Makefile: fix GNUism and survive no perl
- openssl: adapt to 1.1.0+ name changes
- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
- HTTP2.md: spell fix and remove TODO now implemented
- setstropt: const-correctness
- cyassl: fix compiler warning on type conversion
- gskit: Fix host subject altname verification
- http2: Support trailer fields
- wolfssl: handle builds without SSLv3 support
- cyassl: deal with lack of *get_peer_certificate
- sockfilt: do not wait on unreliable file or pipe handle
- make: build zsh script even in an out-of-tree build
- test 1326: fix getting stuck on Windows
- test 87: fix file check on Windows
- configure: allow static builds on mingw
- configure: detect IPv6 support on Windows
- ConnectionExists: with *PIPEWAIT, wait for connections
- Makefile.inc: s/curl_SOURCES/CURL_FILES
- test 16: fixed for Windows
- test 252-255: use datacheck mode text for ASCII-mode LISTings
- tftpd server: add Windows support by writing files in binary mode
- ftplistparser: fix handling of file LISTings using Windows EOL
- tests first.c: fix calculation of sleep timeout on Windows
- tests (several): use datacheck mode text for ASCII-mode LISTings
- CURLOPT_RANGE.3: for HTTP servers, range support is optional
- test 1515: add MSYS support by passing a relative path
- curl_global_init.3: Add Windows-specific info for init via DLL
- http2: Fix client write for trailers on stream close
- mbedtls: Fix ALPN support
- connection reuse: IDN host names fixed
- http2: Fix PUSH_PROMISE headers being treated as trailers
- http2: handle the received SETTINGS frame
- http2: Ensure that http2_handle_stream_close is called
- mbedtls: implement CURLOPT_PINNEDPUBLICKEY
- runtests: Add mbedTLS to the SSL backends
- IDN host names: Remove the port number before converting to ACE
- zsh.pl: fail if no curl is found
- scripts: fix zsh completion generation
- scripts: don't generate and install zsh completion when cross-compiling
- lib: Prefix URLs with lower-case protocol names/schemes
- ConnectionExists: only do pipelining/multiplexing when asked
- configure: assume IPv6 works when cross-compiled
- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
- openssl: improved error detection/reporting
- ssh: CURLOPT_SSH_PUBLIC_KEYFILE now treats "" as NULL again
- mbedtls: Fix pinned key return value on fail
- maketgz: generate date stamp with LC_TIME=C
Fixed in 7.46.0 - December 2 2015
Changes:
- configure: build silently by default
- cookies: Add support for Publix Suffix List with libpsl
- vtls: added support for mbedTLS
- Added CURLOPT_STREAM_DEPENDS
- Added CURLOPT_STREAM_DEPENDS_E
- Added CURLOPT_STREAM_WEIGHT
- Added CURLFORM_CONTENTLEN
- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
Bugfixes:
- des: Fix header conditional for Curl_des_set_odd_parity
- ntlm: get rid of unconditional use of long long
- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
- docs: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
- http2: Fix http2_recv to return -1 if recv returned -1
- curl_global_init_mem: set function pointers before doing init
- ntlm: error out without 64bit support as the code needs it
- openssl: Fix set up of pkcs12 certificate verification chain
- acinclude: remove PKGCONFIG override
- test1531: case the size to fix the test on non-largefile builds
- fread_func: move callback pointer from set to state struct
- test1601: fix compilation with --enable-debug and --disable-crypto-auth
- http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
- curlbuild.h: Fix non-configure compiling to mips and sh4 targets
- tool: Generate easysrc with last cache linked-list
- cmake: Fix for add_subdirectory(curl) use-case
- vtls: fix compiler warning for TLS backends without sha256
- build: fix for MSDOS/djgpp
- checksrc: add crude // detection
- http2: on_frame_recv: trust the conn/data input
- ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
- polarssl/mbedtls: fix name space pollution
- build: Fix mingw ssl gdi32 order
- build: Fix support for PKG_CONFIG
- MacOSX-Framework: sdk regex fix for sdk 10.10 and later
- socks: Fix incorrect port numbers in failed connect messages
- curl.1: -E: s/private certificate/client certificate
- curl.h: s/HTTPPOST_/CURL_HTTPOST_
- curl_formadd: support >2GB files on windows
- http redirects: %-encode bytes outside of ascii range
- rawstr: Speed up Curl_raw_toupper by 40%
- curl_ntlm_core: fix 2 curl_off_t constant overflows.
- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
- tftp tests: verify sent options too
- imap: Don't call imap_atom() when no mailbox specified in LIST command
- imap: Fixed double quote in LIST command when mailbox contains spaces
- imap: Don't check for continuation when executing a CUSTOMREQUEST
- acinclude: Remove check for 16-bit curl_off_t
- BoringSSL: Work with stricter BIO_get_mem_data()
- cmake: Add missing feature macros in config header
- sasl_sspi: fixed unicode build for digest authentication
- sasl_sspi: fix identity memory leak in digest authentication
- unit1602: Fixed failure in torture test
- unit1603: Added unit tests for hash functions
- vtls/openssl: remove unused traces of yassl ifdefs
- openssl: remove #ifdefs for < 0.9.7 support
- typecheck-gcc.h: add some missing options
- curl: mark two more options strings for --libcurl output
- openssl: Free modules on cleanup
- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
- getconnectinfo: Don't call recv(2) if socket == -1
- http2: http_done: don't free already-freed push headers
- zsh completion: Preserve single quotes in output
- os400: Provide options for libssh2 use in compile scripts.
- build: Fix theoretical infinite loops
- pop3: Differentiate between success and continuation responses
- examples: Fixed compilation warnings
- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
- CURLOPT_HEADERFUNCTION.3: fix typo
- curl: expanded the -XHEAD warning text
- done: make sure the final progress update is made
- build: Install zsh completion
- RTSP: do not add if-modified-since without timecondition
- curl: Fixed display of URL index in password prompt for --next
- nonblock: fix setting non-blocking mode for Amiga
- http2 push: add missing inits of new stream
- http2: convert some verbose output into debug-only output
- Curl_read_plain: clean up ifdefs that break statements
Fixed in 7.45.0 - October 7 2015
Changes:
- added CURLOPT_DEFAULT_PROTOCOL
- added new tool option --proto-default
- getinfo: added CURLINFO_ACTIVESOCKET
- turned CURLINFO_* option docs as stand-alone man pages
- curl: point out unnecessary uses of -X in verbose mode
Bugfixes:
- curl_global_init_mem.3: Stronger thread safety warning
- buildconf.bat: Fixed issues when ran in directories with special chars
- cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
- generate.bat: Fixed issues when ran in directories with special chars
- generate.bat: Only call buildconf.bat if it exists
- generate.bat: Added support for generating only the prerequisite files
- curl.1: Document weaknesses in SSLv2 and SSLv3
- CURLOPT_HTTP_VERSION.3: connection re-use goes before version
- docs: Update the redirect protocols disabled by default
- inet_pton.c: Fix MSVC run-time check failure
- CURLMOPT_PUSHFUNCTION.3: fix argument types
- rtsp: support basic/digest authentication
- rtsp: stop reading empty DESCRIBE responses
- travis: Upgrading to container based build
- travis.yml: Add OS X testbot
- FTP: make state machine not get stuck in state
- openssl: handle lack of server cert when strict checking disabled
- configure: change functions to detect openssl (clones)
- configure: detect latest boringssl
- runtests: Allow for spaces in server-verify curl custom path
- http2: on_frame_recv: get a proper 'conn' for the debug logging
- ntlm: mark deliberate switch case fall-through
- http2: remove dead code
- curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
- curl: point out the conflicting HTTP methods if used
- cmake: added Windows SSL support
- curl_easy_{escape,setopt}.3: fix example
- curl_easy_escape.3: escape '\n'
- libcurl.m4: Put braces around empty if body
- buildconf.bat: Fixed double blank line in 'curl manual' warning output
- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
- inet_pton.c: Fix MSVC run-time check failure
- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
- http2: don't pass on Connection: headers
- nss: do not directly access SSL_ImplementedCiphers
- docs: numerous cleanups and spelling fixes
- FTP: do_more: add check for wait_data_conn in upload case
- parse_proxy: reject illegal port numbers
- cmake: IPv6 : disable Unix header check on Windows platform
- winbuild: run buildconf.bat if necessary
- buildconf.bat: fix syntax error
- curl_sspi: fix possibly undefined CRYPT_E_REVOKED
- nss: prevent NSS from incorrectly re-using a session
- libcurl-errors.3: add two missing error codes
- openssl: fix build with < 0.9.8
- openssl: refactor certificate parsing to use OpenSSL memory BIO
- openldap: only part of LDAP query results received
- ssl: add server cert's "sha256//" hash to verbose
- NTLM: Reset auth-done when using a fresh connection
- curl: generate easysrc only on --libcurl
- tests: disable 1801 until fixed
- CURLINFO_TLS_SESSION: always return backend info
- gnutls: Support CURLOPT_KEYPASSWD
- gnutls: Report actual GnuTLS error message for certificate errors
- tests: disable 1510 due to CI-problems on github
- cmake: Put "winsock2.h" before "windows.h" during configure checks
- cmake: Ensure discovered include dirs are considered
- configure: Add missing ')' for CURL_CHECK_OPTION_RT
- build: fix failures with -Wcast-align and -Werror
- FTP: fix uploading ASCII with unknown size
- readwrite_data: set a max number of loops
- http2: avoid superfluous Curl_expire() calls
- http2: set TCP_NODELAY unconditionally
- docs: fix unescaped '\n' in man pages
- openssl: Fix algorithm init to make (gost) engines work
- win32: make recent Borland compilers use long long
- runtests: Fix pid check in checkdied
- gopher: don't send NUL byte
- tool_setopt: fix c_escape truncated octal
- hiperfifo: fix the pointer passed to WRITEDATA
- getinfo: Fix return code for unknown CURLINFO options
Fixed in 7.44.0 - August 12 2015
Changes:
- http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA
- examples: added http2-serverpush.c
- http2: added curl_pushheader_byname() and curl_pushheader_bynum()
- docs: added CODE_OF_CONDUCT.md
- curl: Add --ssl-no-revoke to disable certificate revocation checks
- libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS
- makefile: Added support for VC14
- build: Added Visual Studio 2015 (VC14) project files
- build: Added wolfSSL configurations to VC10+ project files
Bugfixes:
- FTP: fix HTTP CONNECT logic regression
- openssl: Fix build with openssl < ~ 0.9.8f
- openssl: fix build with BoringSSL
- curl_easy_setopt.3: option order doesn't matter
- openssl: fix use of uninitialized buffer
- RTSP: removed dead code
- Makefile.m32: add support for CURL_LDFLAG_EXTRAS
- curl: always provide negotiate/kerberos options
- cookie: Fix bug in export if any-domain cookie is present
- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
- INSTALL: Advise use of non-native SSL for Windows <= XP
- tool_help: fix --tlsv1 help text to use >= for TLSv1
- HTTP: POSTFIELDSIZE set after added to multi handle
- SSL-PROBLEMS: mention WinSSL problems in WinXP
- setup-vms.h: Symbol case fixups
- SSL: Pinned public key hash support
- libtest: call PR_Cleanup() on exit if NSPR is used
- ntlm_wb: Fix theoretical memory leak
- runtests: Allow for spaces in curl custom path
- http2: add stream != NULL checks for reliability
- schannel: Replace deprecated GetVersion with VerifyVersionInfo
- http2: verify success of strchr() in http2_send()
- configure: add --disable-rt option
- openssl: work around MSVC warning
- HTTP: ignore "Content-Encoding: compress"
- configure: check if OpenSSL linking wants -ldl
- build-openssl.bat: Show syntax if required args are missing
- test1902: attempt to make the test more reliable
- libcurl-thread.3: Consolidate thread safety info
- maketgz: Fixed some VC makefiles missing from the release tarball
- libcurl-multi.3: mention curl_multi_wait
- ABI doc: use secure URL
- http: move HTTP/2 cleanup code off http_disconnect()
- libcurl-thread.3: Warn memory functions must be thread safe
- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
- docs: formpost needs the full size at start of upload
- curl_gssapi: remove 'const' to fix compiler warnings
- SSH: three state machine fixups
- libcurl.3: fix a single typo
- generate.bat: Only clean prerequisite files when in ALL mode
- curl_slist_append.3: add error checking to the example
- buildconf.bat: Added support for file clean-up via -clean
- generate.bat: Use buildconf.bat for prerequisite file clean-up
- NTLM: handle auth for only a single request
- curl_multi_remove_handle.3: fix formatting
- checksrc.bat: Fixed error when [directory] isn't a curl source directory
- checksrc.bat: Fixed error when missing *.c and *.h files
- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
- test46: update cookie expire time
- SFTP: fix range request off-by-one in size check
- CMake: fix GSSAPI builds
- build: refer to fixed libidn versions
- http2: discard frames with no SessionHandle
- curl_easy_recv.3: fix formatting
- libcurl-tutorial.3: fix formatting
- curl_formget.3: correct return code
Fixed in 7.43.0 - June 17 2015
Changes:
- Added CURLOPT_PROXY_SERVICE_NAME
- Added CURLOPT_SERVICE_NAME
- New curl option: --proxy-service-name
- New curl option: --service-name
- New curl option: --data-raw
- Added CURLOPT_PIPEWAIT
- Added support for multiplexing transfers using HTTP/2, enable this with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING
- HTTP/2: requires nghttp2 1.0.0 or later
- scripts: add zsh.pl for generating zsh completion
- curl.h: add CURL_HTTP_VERSION_2
Bugfixes:
- CVE-2015-3236: lingering HTTP credentials in connection re-use
- CVE-2015-3237: SMB send off unrelated memory contents
- nss: fix compilation failure with old versions of NSS
- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
- schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
- Curl_ossl_init: load builtin modules
- configure: follow-up fix for krb5-config
- sasl_sspi: Populate domain from the realm in the challenge
- netrc: support 'default' token
- README: convert to UTF-8
- cyassl: Implement public key pinning
- nss: implement public key pinning for NSS backend
- mingw build: add arch -m32/-m64 to LDFLAGS
- schannel: Fix out of bounds array
- configure: remove autogenerated files by autoconf
- configure: remove --automake from libtoolize call
- acinclude.m4: fix shell test for default CA cert bundle/path
- schannel: fix regression in schannel_recv
- openssl: skip trace outputs for ssl_ver == 0
- gnutls: properly retrieve certificate status
- netrc: Read in text mode when cygwin
- winbuild: Document the option used to statically link the CRT
- FTP: Make EPSV use the control IP address rather than the original host
- FTP: fix dangling conn->ip_addr dereference on verbose EPSV
- conncache: keep bundles on host+port bases, not only host names
- runtests.pl: use 'h2c' now, no -14 anymore
- curlver: introducing new version number (checking) macros
- openssl: boringssl build brekage, use SSL_CTX_set_msg_callback
- CURLOPT_POSTFIELDS.3: correct variable names
- curl_easy_unescape.3: update RFC reference
- gnutls: don't fail on non-fatal alerts during handshake
- testcurl.pl: allow source to be in an arbitrary directory
- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
- SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description
- parse_proxy: switch off tunneling if non-HTTP proxy
- share_init: fix OOM crash
- perl: remove subdir, not touched in 9 years
- CURLOPT_COOKIELIST.3: Add example
- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
- FAQ: How do I port libcurl to my OS?
- openssl: Use TLS_client_method for OpenSSL 1.1.0+
- HTTP-NTLM: fail auth on connection close instead of looping
- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
- curl_getdate.3: update RFC reference
- curl_multi_info_read.3: added example
- curl_multi_perform.3: added example
- curl_multi_timeout.3: added example
- cookie: Stop exporting any-domain cookies
- openssl: remove dummy callback use from SSL_CTX_set_verify()
- openssl: remove SSL_get_session()-using code
- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
- openssl: removed error string #ifdef
- openssl: Fix verification of server-sent legacy intermediates
- docs: man page indentation and syntax fixes
- docs: Spelling fixes
- fopen.c: fix a few compiler warnings
- CURLOPT_OPENSOCKETFUNCTION: return error at once
- schannel: Add support for optional client certificates
- build: Properly detect OpenSSL 1.0.2 when using configure
- urldata: store POST size in state.infilesize too
- security:choose_mech remove dead code
- rtsp_do: remove dead code
- docs: many HTTP URIs changed to HTTPS
- schannel: schannel_recv overhaul
Fixed in 7.42.1 - April 29 2015
Bugfixes:
- CURLOPT_HEADEROPT: default to separate
- dist: include {src,lib}/checksrc.whitelist
- connectionexists: fix build without NTLM
- docs: distribute the CURLOPT_PINNEDPUBLICKEY man page, too
- curl -z: do not write empty file on unmet condition
- openssl: fix serial number output
- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
- sws: init http2 state properly
- curl.1: fix typo
Fixed in 7.42.0 - April 22 2015
Changes:
- openssl: show the cipher selection to use in verbose text
- gtls: implement CURLOPT_CERTINFO
- add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
- curl: add --false-start option
- add CURLOPT_PATH_AS_IS
- curl: add --path-as-is option
- curl: create output file on successful download of an empty file
Bugfixes:
- ConnectionExists: for NTLM re-use, require credentials to match
- cookie: cookie parser out of boundary memory access
- fix_hostname: zero length host name caused -1 index offset
- http_done: close Negotiate connections when done
- sws: timeout idle CONNECT connections
- nss: improve error handling in Curl_nss_random()
- nss: do not skip Curl_nss_seed() if data is NULL
- curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
- http2: move lots of verbose output to be debug-only
- dist: add extern-scan.pl to the tarball
- http2: return recv error on unexpected EOF
- build: Use default RandomizedBaseAddress directive in VC9+ project files
- build: Removed DataExecutionPrevention directive from VC9+ project files
- tool: Updated the warnf() function to use the GlobalConfig structure
- http2: Return error if stream was closed with other than NO_ERROR
- mprintf.h: remove #ifdef CURLDEBUG
- libtest: fixed linker errors on msvc
- tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
- curl.1: fix "The the" typo
- cmake: handle build definitions CURLDEBUG/DEBUGBUILD
- openssl: remove all uses of USE_SSLEAY
- multi: fix memory-leak on timeout (regression)
- curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
- metalink: add some error checks
- TLS: make it possible to enable ALPN/NPN without HTTP/2
- http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
- conncontrol: only log changes to the connection bit
- multi: fix *getsock() with CONNECT
- symbols.pl: handle '-' in the deprecated field
- MacOSX-Framework: use @rpath instead of @executable_path
- GnuTLS: add support for CURLOPT_CAPATH
- GnuTLS: print negotiated TLS version and full cipher suite name
- GnuTLS: don't print double newline after certificate dates
- memanalyze.pl: handle free(NULL)
- proxy: re-use proxy connections (regression)
- mk-ca-bundle: Don't report SHA1 numbers with "-q"
- http: always send Host: header as first header
- openssl: sort ciphers to use based on strength
- openssl: use colons properly in the ciphers list
- http2: detect premature close without data transfered
- hostip: Fix signal race in Curl_resolv_timeout
- closesocket: call multi socket cb on close even with custom close
- mksymbolsmanpage.pl: use std header and generate better nroff header
- connect: Fix happy eyeballs logic for IPv4-only builds
- curl_easy_perform.3: remove superfluous close brace from example
- HTTP: don't use Expect: headers when on HTTP/2
- Curl_sh_entry: remove unused 'timestamp'
- docs/libcurl: makefile portability fix
- mkhelp: Remove trailing carriage return from every line of input
- nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
- curl_easy_setopt.3: added a few missing options
- metalink: fix resource leak in OOM
- axtls: version 1.5.2 now requires that config.h be manually included
- HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
- cyassl: detect the library as renamed wolfssl
- CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
- CURLOPT_URL.3: Added "SECURITY CONCERNS
- openssl: try to avoid accessing OCSP structs when possible
- test938: added missing closing tags
- testcurl: Allow '=' in values given on command line
- tests/certs: added make target to rebuild certificates
- tests/certs: rebuild certificates with modified key usage bits
- gtls: avoid uninitialized variable
- gtls: dereferencing NULL pointer
- gtls: add check of return code
- test1513: eliminated race condition in test run
- dict: rename byte to avoid compiler shadowed declaration warning
- curl_easy_recv/send: make them work with the multi interface
- vtls: fix compile with --disable-crypto-auth but with SSL
- openssl: adapt to ASN1/X509 things gone opaque in 1.1
- openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
- curl_memory: make curl_memory.h the second-last header file loaded
- testcurl.pl: add the --notes option to supply more info about a build
- cyassl: If wolfSSL then identify as such in version string
- cyassl: Check for invalid length parameter in Curl_cyassl_random
- cyassl: default to highest possible TLS version
- Curl_ssl_md5sum: return CURLcode (fixes OOM)
- polarssl: remove dead code
- polarssl: called mbedTLS in 1.3.10 and later
- globbing: fix step parsing for character globbing ranges
- globbing: fix url number calculation when using range with step
- multi: on a request completion, check all CONNECT_PEND transfers
- build: link curl to openssl libraries when openssl support is enabled
- url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined
- vtls: Don't accept unknown CURLOPT_SSLVERSION values
- build: Fix libcurl.sln erroneous mixed configurations
- cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
- cyassl: add SSL context callback support for CyaSSL
- tool: only set SSL options if SSL is enabled
- multi: remove_handle: move pending connections
- configure: Use KRB5CONFIG for krb5-config
- axtls: add timeout within Curl_axtls_connect
- CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"
- cyassl: Fix library initialization return value
- cookie: handle spaces after the name in Set-Cookie
- http2: Fix missing nghttp2_session_send call in Curl_http2_switched
- cyassl: Fix certificate load check
- build-openssl.bat: Fix mixed line endings
- checksrc.bat: Check lib\vtls source
- DNS: fix refreshing of obsolete dns cache entries
- CURLOPT_RESOLVE: actually implement removals
- checksrc.bat: quotes to support an SRC_DIR with spaces
- cyassl: Remove 'Connecting to' message from cyassl_connect_step2
- cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
- lib/transfer.c: Remove factor of 8 from sleep time calculation
- lib/makefile.m32: add missing libs to build libcurl.dll
- build: Generate source prerequisites for Visual Studio in generate.bat
- cyassl: Include the CyaSSL build config
- firefox-db2pem: fix wildcard to find Firefox default profile
- BUGS: refer to the github issue tracker now as primary
- vtls_openssl: improve several certificate error messages
- cyassl: Add support for TLS extension SNI
- parsecfg: do not continue past a zero termination
- configure --with-nss=PATH: query pkg-config if available
- configure --with-nss: drop redundant if statement
- cyassl: Fix include order
- HTTP: fix PUT regression with Negotiate
- curl_version_info.3: fixed the 'protocols' variable type
Fixed in 7.41.0 - February 25 2015
Changes:
- NetWare build: added TLS-SRP enabled build
- winbuild: Added option to build with c-ares
- Added --cert-status
- Added CURLOPT_SSL_VERIFYSTATUS
- sasl: implement EXTERNAL authentication mechanism
Bugfixes:
- sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
- FTP: fix IPv6 host using link-local address
- FTP: if EPSV fails on IPV6 connections, bail out
- gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
- NSS: fix compiler error when built http2-enabled
- mingw build: allow to pass custom CFLAGS
- add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS
- curl_schannel.c: mark session as removed from cache if not freed
- Curl_pretransfer: reset expected transfer sizes
- curl.h: remove extra space
- curl_endian: Fixed build when 64-bit integers are not supported
- checksrc.bat: Better detection of Perl installation
- build-openssl.bat: Added check for Perl installation
- http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
- http_negotiate: Added empty decoded challenge message info text
- vtls: Removed unimplemented overrides of curlssl_close_all()
- sasl_gssapi: Fixed memory leak with local SPN variable
- http_negotiate: Use dynamic buffer for SPN generation
- ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
- openssl: do public key pinning check independently
- timeval: typecast for better type (on Amiga)
- ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
- SASL: common URL option and auth capabilities decoders for all protocols
- BoringSSL: fix build
- BoringSSL: detected by configure, switches off NTLM
- openvms: Handle openssl/0.8.9zb version parsing
- configure: detect libresssl
- configure: remove detection of the old yassl emulation API
- curl_setup: Disable SMB/CIFS support when HTTP only
- imap: remove automatic password setting: it breaks external sasl authentication
- sasl: remove XOAUTH2 from default enabled authentication mechanism
- runtests: identify BoringSSL and libressl
- security: avoid compiler warning
- ldap: build with BoringSSL
- des: Added Curl_des_set_odd_parity()
- CURLOPT_SEEKFUNCTION.3: also when server closes a connection
- CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
- build: Removed unused Visual Studio bscmake settings
- build: Enabled DEBUGBUILD in Visual Studio debug builds
- build: Renamed top level Visual Studio solution files
- build: Removed Visual Studio SuppressStartupBanner directive for VC8+
- libcurl-symbols: first basic shot for autogenerated docs
- Makefile.am: fix 'make distcheck'
- getpass_r: read from stdin, not stdout!
- getpass: protect include with proper #ifdef
- opts: CURLOPT_CAINFO availability depends on SSL engine
- more cleanup of 'CURLcode result' return code
- MD4: replace implementation
- MD5: replace implementation
- openssl: SSL_SESSION->ssl_version no longer exist
- md5: use axTLS's own MD5 functions when available
- schannel: Removed curl_ prefix from source files
- curl.1: add warning when using -H and redirects
- curl.1: clarify that -X is used for all requests
- gskit: Fix exclusive SSLv3 option
- polarssl: Fix exclusive SSL protocol version options
- http2: Fix bug that associated stream canceled on PUSH_PROMISE
- ftp: accept all 2xx responses to the PORT command
- configure: allow both --with-ca-bundle and --with-ca-path
- cmake: install the dll file to the correct directory
- nss: fix NPN/ALPN protocol negotiation
- polarssl: fix ALPN protocol negotiation
- cmake: Fix generation of tool_hugehelp.c on windows
- cmake: fix winsock2 detection on windows
- gnutls: fix build with HTTP2
- connect: fix a spurious connect failure on dual-stacked hosts
- test: test 530 is now less timing dependent
- telnet: invalid use of custom read function if not set
Fixed in 7.40.0 - January 8 2015
Changes:
- http_digest: Added support for Windows SSPI based authentication
- version info: Added Kerberos V5 to the supported features
- Makefile: Added VC targets for WinIDN
- config-win32: Introduce build targets for VS2012+
- SSL: Add PEM format support for public key pinning
- smtp: Added support for the conversion of Unix newlines during mail send
- smb: Added initial support for the SMB/CIFS protocol
- Added support for HTTP over unix domain sockets, via CURLOPT_UNIX_SOCKET_PATH and --unix-socket
- sasl: Added support for GSS-API based Kerberos V5 authentication
Bugfixes:
- darwinssl: fix session ID keys to only reuse identical sessions
- url-parsing: reject CRLFs within URLs
- OS400: Adjust specific support to last release
- THANKS: Remove duplicate names
- url.c: Fixed compilation warning
- ssh: Fixed build on platforms where R_OK is not defined
- tool_strdup.c: include the tool strdup.h
- build: Fixed Visual Studio project file generation of strdup.[c|h]
- curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY
- curl.1: show zone index use in a URL
- mk-ca-bundle.vbs: switch to new certdata.txt url
- Makefile.dist: Added some missing SSPI configurations
- build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
- SSH: use the port number as well for known_known checks
- libssh2: detect features based on version, not configure checks
- http2: Deal with HTTP/2 data inside Upgrade response header buffer
- multi: removed Curl_multi_set_easy_connection
- symbol-scan.pl: do not require autotools
- cmake: add ENABLE_THREADED_RESOLVER, rename ARES
- cmake: build libhostname for test suite
- cmake: fix HAVE_GETHOSTNAME definition
- tests: fix libhostname visibility
- tests: fix memleak in server/resolve.c
- vtls.h: Fixed compiler warning when compiled without SSL
- CMake: Restore order-dependent header checks
- CMake: Restore order-dependent library checks
- tool: Removed krb4 from the supported features
- http2: Don't send Upgrade headers when we already do HTTP/2
- examples: Don't call select() to sleep on windows
- win32: Updated some legacy APIs to use the newer extended versions
- easy.c: Fixed compilation warning when no verbose string support
- connect.c: Fixed compilation warning when no verbose string support
- build: in Makefile.m32 pass -F flag to windres
- build: in Makefile.m32 add -m32 flag for 32bit
- multi: when leaving for timeout, close accordingly
- CMake: Simplify if() conditions on check result variables
- build: in Makefile.m32 try to detect 64bit target
- multi: inform about closed sockets before they are closed
- multi-uv.c: close the file handle after download
- examples: Wait recommended 100ms when no file descriptors are ready
- ntlm: Split the SSPI based messaging code from the native messaging code
- cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
- cmake: add Kerberos to the supported feature
- CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
- http: Disable pipelining for HTTP/2 and upgraded connections
- ntlm: Fixed static'ness of local decode function
- sasl: Reduced the need for two sets of NTLM messaging functions
- multi.c: Fixed compilation warnings when no verbose string support
- select.c: fix compilation for VxWorks
- multi-single.c: switch to use curl_multi_wait
- curl_multi_wait.3: clarify numfds being used if not NULL
- http.c: Fixed compilation warnings from features being disabled
- NSS: enable the CAPATH option
- docs: Fix FAILONERROR typos
- HTTP: don't abort connections with pending Negotiate authentication
- HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
- http_perhapsrewind: don't abort CONNECT requests
- build: updated dependencies in makefiles
- multi.c: Fixed compilation warning
- ftp.c: Fixed compilation warnings when proxy support disabled
- get_url_file_name: Fixed crash on OOM on debug build
- cookie.c: Refactored cleanup code to simplify
- OS400: enable NTLM authentication
- ntlm: Use Windows Crypt API
- http2: avoid logging neg "failure" if h2 was not requested
- schannel_recv: return the correct code
- VC build: added sspi define for winssl-zlib builds
- Curl_client_write(): chop long data, convert data only once
- openldap: do not ignore Curl_client_write() return code
- ldap: check Curl_client_write() return codes
- parsedate.c: Fixed compilation warning
- url.c: Fixed compilation warning when USE_NTLM is not defined
- ntlm_wb_response: fix "statement not reached"
- telnet: fix "cast increases required alignment of target type"
- smtp: Fixed dot stuffing when EOL characters at end of input buffers
- ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
- ntlm: Disable NTLM v2 when 64-bit integers are not supported
- ntlm: Use short integer when decoding 16-bit values
- ftp.c: Fixed compilation warning when no verbose string support
- synctime.c: fixed timeserver URLs
- mk-ca-bundle.pl: restored forced run again
- ntlm: Fixed return code for bad type-2 Target Info
- curl_schannel.c: Data may be available before connection shutdown
- curl_schannel: Improvements to memory re-allocation strategy
- darwinssl: aprintf() to allocate the session key
- tool_util.c: Use GetTickCount64 if it is available
- lib: Fixed multiple code analysis warnings if SAL are available
- tool_binmode.c: Explicitly ignore the return code of setmode
- tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
- opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
- SFTP: work-around servers that return zero size on STAT
- connect: singleipconnect(): properly try other address families after failure
- IPV6: address scope != scope id
- parseurlandfillconn(): fix improper non-numeric scope_id stripping
- secureserver.pl: make OpenSSL CApath and cert absolute path values
- secureserver.pl: update Windows detection and fix path conversion
- secureserver.pl: clean up formatting of config and fix verbose output
- tests: Added Windows support using Cygwin-based OpenSSH
- sockfilt.c: use non-Ex functions that are available before WinXP
- VMS: Updates for 0740-0D1220
- openssl: warn for SRP set if SSLv3 is used, not for TLS version
- openssl: make it compile against openssl 1.1.0-DEV master branch
- openssl: fix SSL/TLS versions in verbose output
- curl: show size of inhibited data when using -v
- build: Removed WIN32 definition from the Visual Studio projects
- build: Removed WIN64 definition from the libcurl Visual Studio projects
- vtls: Use bool for Curl_ssl_getsessionid() return type
- sockfilt.c: Replace 100ms sleep with thread throttle
- sockfilt.c: Reduce the number of individual memory allocations
- vtls: Don't set cert info count until memory allocation is successful
- nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
- nss: Don't ignore Curl_extract_certinfo() OOM failure
- vtls: Fixed compilation warning and an ignored return code
- sockfilt.c: Fixed compilation warnings
- darwinssl: Fixed compilation warning
- vtls: Use '(void) arg' for unused parameters
- sepheaders.c: Fixed resource leak on failure
- lib1900.c: Fixed cppcheck error
- ldap: Fixed Unicode connection details in Win32 initialsation / bind calls
- ldap: Fixed Unicode DN, attributes and filter in Win32 search calls
Fixed in 7.39.0 - November 5 2014
Changes:
- SSLv3 is disabled by default
- CURLOPT_COOKIELIST: Added "RELOAD" command
- build: Added WinIDN build configuration options to Visual Studio projects
- ssh: improve key file search
- SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
- vtls: remove QsoSSL support, use gskit!
- mk-ca-bundle: added SHA-384 signature algorithm
- docs: added many examples for libcurl opts and other doc improvements
- build: Added VC ssh2 target to main Makefile
- MinGW: Added support to build with nghttp2
- NetWare: Added support to build with nghttp2
- build: added Watcom support to build with WinSSL
- build: Added optional specific version generation of VC project files
Bugfixes:
- curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
- openssl: build fix for versions < 0.9.8e
- newlines: fix mixed newlines to LF-only
- ntlm: Fixed HTTP proxy authentication when using Windows SSPI
- sasl_sspi: Fixed Unicode build
- file: reject paths using embedded %00
- threaded-resolver: revert Curl_expire_latest() switch
- configure: allow --with-ca-path with PolarSSL too
- HTTP/2: Fix busy loop when EOF is encountered
- CURLOPT_CAPATH: return failure if set without backend support
- nss: do not fail if a CRL is already cached
- smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
- fixed 20+ nits/memory leaks identified by Coverity scans
- curl_schannel.c: Fixed possible memory or handle leak
- multi-uv.c: call curl_multi_info_read() better
- cmake: Check for OpenSSL before OpenLDAP
- cmake: Fix library list provided to cURL tests
- cmake: Avoid cycle directory dependencies
- cmake: Build with GSS-API libraries (MIT or Heimdal)
- vtls: provide backend defines for internal source code
- nss: fix a connection failure when FTPS handle is reused
- tests/http_pipe.py: Python 3 support
- cmake: build tool_hugehelp (ENABLE_MANUAL)
- cmake: enable IPv6 by default if available
- tests: move TESTCASES to Makefile.inc, add show for cmake
- ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
- ntlm: Fixed empty/bad base-64 decoded buffer return codes
- ntlm: Fixed empty type-2 decoded message info text
- cmake: add CMake/Macros.cmake to the release tarball
- cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
- cmake: use LIBCURL_VERSION from curlver.h
- cmake: generate pkg-config and curl-config
- fixed several superfluous variable assignements identified by cppcheck
- cleanup of 'CURLcode result' return code
- pipelining: only output "is not blacklisted" in debug builds
- SSL: Remove SSLv3 from SSL default due to POODLE attack
- gskit.c: remove SSLv3 from SSL default
- darwinssl: detect possible future removal of SSLv3 from the framework
- ntlm: Only define ntlm data structure when USE_NTLM is defined
- ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
- ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
- sspi: Only call CompleteAuthToken() when complete is needed
- http_negotiate: Fixed missing check for USE_SPNEGO
- HTTP: return larger than 3 digit response codes too
- openssl: Check for NPN / ALPN via OpenSSL version number
- openssl: enable NPN separately from ALPN
- sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
- sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
- resume: consider a resume from
- sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
- build-openssl.bat: Fix x64 release build
- cmake: drop _BSD_SOURCE macro usage
- cmake: fix gethostby{addr,name}_r in CurlTests
- cmake: clean OtherTests, fixing -Werror
- cmake: fix struct sockaddr_storage check
- Curl_single_getsock: fix hold/pause sock handling
- SSL: PolarSSL default min SSL version TLS 1.0
- cmake: fix ZLIB_INCLUDE_DIRS use
- buildconf: stop checking for libtool
Fixed in 7.38.0 - September 10 2014
Changes:
- supports HTTP/2 draft-14
- CURLE_HTTP2 is a new error code
- CURLAUTH_NEGOTIATE is a new auth define
- CURL_VERSION_GSSAPI is a new capability bit
- no longer use fbopenssl for anything
- schannel: use CryptGenRandom for random numbers
- axtls: define curlssl_random using axTLS's PRNG
- cyassl: use RNG_GenerateBlock to generate a good random number
- findprotocol: show unsupported protocol within quotes
- version: detect and show LibreSSL
- version: detect and show BoringSSL
- imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
- http2: requires nghttp2 0.6.0 or later
Bugfixes:
- SECURITY ADVISORY: cookie leak with IP address as domain
- SECURITY ADVISORY: cookie leak for TLDs
- fix a build failure on Debian when NSS support is enabled
- HTTP/2: fixed compiler warnings when built disabled
- cyassl: return the correct error code on no CA cert
- http: Deprecate GSS-Negotiate macros due to bad naming
- http: Fixed Negotiate: authentication
- multi: Improve proxy CONNECT performance (regression)
- ntlm_wb: Avoid invoking ntlm_auth helper with empty username
- ntlm_wb: Fix hard-coded limit on NTLM auth packet size
- url.c: use the preferred symbol name: *READDATA
- smtp: fixed a segfault during test 1320 torture test
- cyassl: made it compile with version 2.0.6 again
- nss: do not check the version of NSS at run time
- c-ares: fix build without IPv6 support
- HTTP/2: use base64url encoding
- SSPI Negotiate: Fix 3 memory leaks
- libtest: fixed duplicated line in Makefile
- conncache: fix compiler warning
- openssl: make ossl_send return CURLE_OK better
- HTTP/2: Support expect: 100-continue
- HTTP/2: Fix infinite loop in readwrite_data()
- parsedate: fix the return code for an overflow edge condition
- darwinssl: don't use strtok()
- http_negotiate_sspi: Fixed specific username and password not working
- openssl: replace call to OPENSSL_config
- http2: show the received header for better debugging
- HTTP/2: Move :authority before non-pseudo header fields
- HTTP/2: Reset promised stream, not its associated stream
- HTTP/2: added some more logging for debugging stream problems
- ntlm: Added support for SSPI package info query
- ntlm: Fixed hard coded buffer for SSPI based auth packet generation
- sasl_sspi: Fixed memory leak with not releasing Package Info struct
- sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
- sasl: Use a dynamic buffer for DIGEST-MD5 SPN generation
- http_negotiate_sspi: Use a dynamic buffer for SPN generation
- sasl_sspi: Fixed missing free of challenge buffer on SPN failure
- sasl_sspi: Fixed hard coded buffer for response generation
- Curl_poll + Curl_wait_ms: fix timeout return value
- docs/SSLCERTS: update the section about NSS database
- create_conn: prune dead connections
- openssl: fix version report for the 0.9.8 branch
- mk-ca-bundle.pl: switched to using hg.mozilla.org
- http: fix the Content-Range: parser
- Curl_disconnect: don't free the URL
- win32: Fixed WinSock 2 #if
- NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
- curl.1: clarify --limit-rate's effect on both directions
- disconnect: don't touch easy-related state on disconnects
- cmake: big cleanup and numerous fixes
- HTTP/2: supports draft-14 - moved :headers before the non-psuedo headers
- HTTP/2: Reset promised stream, not its associated stream
- configure.ac: Add support for recent GSS-API implementations for HP-UX
- CONNECT: close proxy connections that fail
- CURLOPT_NOBODY.3: clarify this option is for downloads
- darwinssl: fix CA certificate checking using PEM format
- resolve: cache lookup for async resolvers
- low-speed-limit: avoid timeout flood
- polarssl: implement CURLOPT_SSLVERSION
- multi: convert CURLM_STATE_CONNECT_PEND handling to a list
- curl_multi_cleanup: remove superfluous NULL assigns
- polarssl: support CURLOPT_CAPATH / --capath
- progress: size_dl/size_ul are always >= 0, and clear "KNOWN" properly
Fixed in 7.37.1 - July 16 2014
Changes:
- bits.close: introduce connection close tracking
- darwinssl: Add support for --cacert
- polarssl: add ALPN support
- docs: Added new option man pages
Bugfixes:
- build: Fixed incorrect reference to curl_setup.h in Visual Studio files
- build: Use $(TargetDir) and $(TargetName) macros for .pdb and .lib output
- curl.1: clarify that -u can't specify a user with colon
- openssl: Fix uninitialized variable use in NPN callback
- curl_easy_reset: reset the URL
- curl_version_info.3: returns a pointer to a static struct
- url-parser: only use if_nametoindex if detected by configure
- select: with winsock, avoid passing unsupported arguments to select()
- gnutls: don't use deprecated type names anymore
- gnutls: allow building with nghttp2 but without ALPN support
- tests: Fix portability issue with the tftpd server
- curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN
- curl_sasl: extended native DIGEST-MD5 cnonce to be a 32-byte hex string
- random: use Curl_rand() for proper random data
- Curl_ossl_init: call OPENSSL_config for initing engines
- config-win32.h: Updated for VC12
- winbuild: Don't USE_WINSSL when WITH_SSL is being used
- getinfo: HTTP CONNECT code not reset between transfers
- Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
- http2: avoid segfault when using the plain-text http2
- conncache: move the connection counter to the cache struct
- http2: better return code error checking
- curlbuild: fix GCC build on SPARC systems without configure script
- tool_metalink: Support polarssl as digest provider
- curl.h: reverse the enum/define setup for old symbols
- curl.h: moved two really old deprecated symbols
- curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
- buildconf: do not search tools in current directory.
- OS400: make it compilable again. Make RPG binding up to date
- nss: do not abort on connection failure (failing tests 305 and 404)
- nss: make the fallback to SSLv3 work again
- tool: prevent valgrind from reporting possibly lost memory (nss only)
- progress callback: skip last callback update on errors
- nss: fix a memory leak when CURLOPT_CRLFILE is used
- compiler warnings: potentially uninitialized variables
- url.c: Fixed memory leak on OOM
- gnutls: ignore invalid certificate dates with VERIFYPEER disabled
- gnutls: fix SRP support with versions of GnuTLS from 2.99.0
- gnutls: fixed a couple of uninitialized variable references
- gnutls: fixed compilation against versions < 2.12.0
- build: Fixed overridden compiler PDB settings in VC7 to VC12
- ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
- netrc: don't abort if home dir cannot be found
- netrc: fixed thread safety problem by using getpwuid_r if available
- cookie: avoid mutex deadlock
- configure: respect host tool prefix for krb5-config
- gnutls: handle IP address in cert name check
Fixed in 7.37.0 - May 21 2014
Changes:
- URL parser: IPv6 zone identifiers are now supported
- CURLOPT_PROXYHEADER: set headers for proxy-only
- CURLOPT_HEADEROPT: added
- curl: add --proxy-header
- sasl: Added support for DIGEST-MD5 via Windows SSPI
- sasl: Added DIGEST-MD5 qop-option validation in native challange handling
- imap: Expanded mailbox SEARCH support to use URL query strings
- imap: Extended FETCH support to include PARTIAL URL specifier
- nss: implement non-blocking SSL handshake
- build: Reworked Visual Studio project files
- poll: enable poll on darwin13
- mk-ca-bundle: added -p
- libtests: add a wait_ms() function
Bugfixes:
- mkhelp: generate code for --disable-manual as well
- hostcheck: added a system include to define struct in_addr
- winbuild: added warnless.c to fix build
- Makefile.vc6: added warnless.c to fix build
- smtp: Fixed login denied when server doesn't support AUTH capability
- smtp: Fixed login denied with a RFC-821 based server
- curl: stop interpreting IPv6 literals as glob patterns
- http2: remove _DRAFT09 from the NPN_HTTP2 enum
- http2: let openssl mention the exact protocol negotiated
- http2+openssl: fix compiler warnings in ALPN using code
- ftp: in passive data connect wait for happy eyeballs sockets
- HTTP: don't send Content-Length: 0 _and_ Expect: 100-continue
- http2: Compile with current nghttp2, which supports h2-11
- http_negotiate_sspi: Fixed compilation when USE_HTTP_NEGOTIATE not defined
- strerror: fix comment about vxworks' strerror_r buffer size
- url: only use if_nametoindex() if IFNAMSIZ is available
- imap: Fixed untagged response detection when no data after command
- various: fix possible dereference of null pointer
- various: fix use of uninitialized variable
- various: fix use of non-null terminated strings
- telnet.c: check sscanf results before passing them to snprintf
- parsedate.c: check sscanf result before passing it to strlen
- sockfilt.c: free memory in case of memory allocation errors
- sockfilt.c: ignore non-key-events and continue waiting for input
- sockfilt.c: properly handle disk files, pipes and character input
- sockfilt.c: fixed getting stuck waiting for MinGW stdin pipe
- sockfilt.c: clean up threaded approach and add documentation
- configure: use the nghttp2 path correctly with pkg-config
- curl_global_init_mem: bump initialized even if already initialized
- gtls: fix NULL pointer dereference
- cyassl: Use error-ssl.h when available
- handler: make 'protocol' always specified as a single bit
- INFILESIZE: fields in UserDefined must not be changed run-time
- openssl: biomem->data is not zero terminated
- config-win32.h: Fixed HAVE_LONGLONG for Visual Studio .NET 2003 and up
- curl_ntlm_core: Fixed use of long long for VC6 and VC7
- SNI: strip off a single trailing dot from host name
- curl: bail on cookie use when built with disabled cookies
- curl_easy_setopt.3: added the proto for CURLOPT_SSH_KNOWNHOSTS
- curl_multi_cleanup: ignore SIGPIPE better
- schannel: don't use the connect-timeout during send
- mprintf: allow %.s with data not being zero terminated
- tool_help: Fixed missing --login-options option
- configure: Don't set LD_LIBRARY_PATH when cross-compiling
- http: auth failure on duplicated 'WWW-Authenticate: Negotiate' header
- cacertinmem: fix memory leak
- lib1506: make sure the transfers are not within the same ms
- Makefile.b32: Fixed for vtls changes
- sasl: Fixed missing qop in the client's challenge-response message
- openssl: unbreak PKCS12 support
- darwinssl: fix potential crash with a P12 file
- timers: fix timer regression involving redirects / reconnects
- CURLINFO_SSL_VERIFYRESULT: made more reliable
- HTTP: fixed connection re-use
- configure: add SPNEGO to supported features
- configure: add GSS-API to supported features
- ALPN: fix typo in http/1.1 identifier
- http2: make connection re-use work
Fixed in 7.36.0 - March 26 2014

Changes:
- ntlm: Added support for NTLMv2
- tool: Added support for URL specific options
- openssl: add ALPN support
- gtls: add ALPN support
- nss: add ALPN and NPN support
- added CURLOPT_EXPECT_100_TIMEOUT_MS
- tool: add --no-alpn and --no-npn
- added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN
- winssl: enable TLSv1.1 and TLSv1.2 by default
- winssl: TLSv1.2 disables certificate signatures using MD5 hash
- winssl: enable hostname verification of IP address using SAN or CN
- darwinssl: Don't omit CN verification when an IP address is used
- http2: build with current nghttp2 version
- polarssl: dropped support for PolarSSL < 1.3.0
- openssl: info message with SSL version used
Bugfixes:
- SECURITY ADVISORY: wrong re-use of connections
- SECURITY ADVISORY: IP address wildcard certificate validation
- SECURITY ADVISORY: not verifying certs for TLS to IP address / Darwinssl
- SECURITY ADVISORY: not verifying certs for TLS to IP address / Winssl
- nss: allow to use ECC ciphers if NSS implements them
- netrc: Fixed a memory leak in an OOM condition
- ftp: fixed a memory leak on wildcard error path
- pipeline: Fixed a NULL pointer dereference on OOM
- nss: prefer highest available TLS version
- 100-continue: fix timeout condition
- ssh: Fixed a NULL pointer dereference on OOM condition
- formpost: use semicolon in multipart/mixaed
- --help: add missing --tlsv1.x options
- formdata: Fixed memory leak on OOM condition
- ConnectionExists: reusing possible HTTP+NTLM connections better
- mingw32: fix compilation
- chunked decoder: track overflows correctly
- curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0
- dict: fix memory leak in OOM exit path
- valgrind: added suppression on optimized code
- curl: output protocol headers using binary mode
- tool: Added URL index to password prompt for multiple operations
- ConnectionExists: re-use non-NTLM connections better
- axtls: call ssl_read repeatedly
- multi: make MAXCONNECTS default 4 x number of easy handles function
- configure: Fix the --disable-crypto-auth option
- multi: ignore SIGPIPE internally
- curl.1: update the description of --tlsv1
- SFTP: skip reading the dir when NOBODY=1
- easy: Fixed a memory leak on OOM condition
- tool: Fixed incorrect return code when setting HTTP request fails
- configure: Tiny fix to honor POSIX
- tool: Do not output libcurl source for the information only parameters
- Rework Open Watcom make files to use standard Wmake features
- x509asn: moved out Curl_verifyhost from NSS builds
- configure: call it GSS-API
- hostcheck: Curl_cert_hostcheck is not used by NSS builds
- multi_runsingle: move timestamp into INIT
- remote_port: allow connect to port 0
- parse_remote_port: error out on illegal port numbers better
- ssh: Pass errors from libssh2_sftp_read up the stack
- docs: remove documentation on setting up krb4 support
- polarssl: build fixes to work with PolarSSL 1.3.x
- polarssl: fix possible handshake timeout issue in multi
- nss: allow to enable/disable cipher-suites better
- ssh: prevent a logic error that could result in an infinite loop
- http2: free resources on disconnect
- polarssl: avoid extra newlines in debug messages
- rtsp: parse "Session:" header properly
- trynextip: don't store 'ai' on failed connects
- Curl_cert_hostcheck: strip trailing dots in host name and wildcard
Fixed in 7.35.0 - January 29 2014

Changes:
- imap/pop3/smtp: Added support for SASL authentication downgrades
- imap/pop3/smtp: Extended the login options to support multiple auth mechanisms
- TheArtOfHttpScripting: major update, converted layout and more
- mprintf: Added support for I, I32 and I64 size specifiers
- makefile: Added support for VC7, VC11 and VC12
Bugfixes:
- SECURITY ADVISORY: re-use of wrong HTTP NTLM connection
- curl_easy_setopt: Fixed OAuth 2.0 Bearer option name
- pop3: Fixed APOP being determined by CAPA response rather than by timestamp
- Curl_pp_readresp: zero terminate line
- FILE: don't wait due to CURLOPT_MAX_RECV_SPEED_LARGE
- docs: mention CURLOPT_MAX_RECV/SEND_SPEED_LARGE don't work for FILE://
- pop3: Fixed auth preference not being honored when CAPA not supported
- imap: Fixed auth preference not being honored when CAPABILITY not supported
- threaded resolver: Use pthread_t * for curl_thread_t
- FILE: we don't support paused transfers using this protocol
- connect: Try all addresses in first connection attempt
- curl_easy_setopt.3: Added SMTP information to CURLOPT_INFILESIZE_LARGE
- OpenSSL: Fix forcing SSLv3 connections
- openssl: allow explicit sslv2 selection
- FTP parselist: fix "total" parser
- conncache: fix possible dereference of null pointer
- multi.c: fix possible dereference of null pointer
- mk-ca-bundle: introduces -d and warns about using this script
- ConnectionExists: fix NTLM check for new connection
- trynextip: fix build for non-IPV6 capable systems
- Curl_updateconninfo: don't do anything for UDP "connections"
- darwinssl: un-break Leopard build after PKCS#12 change
- threaded-resolver: never use NULL hints with getaddrinf
- multi_socket: remind app if timeout didn't run
- OpenSSL: deselect weak ciphers by default
- error message: Sensible message on timeout when transfer size unknown
- curl_easy_setopt.3: mention how to unset CURLOPT_INFILESIZE*
- win32: Fixed use of deprecated function 'GetVersionInfoEx' for VC12
- configure: fix gssapi linking on HP-UX
- chunked-parser: abort on overflows, allow 64 bit chunks
- chunked parsing: relax the CR strictness
- cookie: max-age fixes
- progress bar: always update when at 100%
- progress bar: increase update frequency to 10Hz
- tool: Fixed incorrect return code if command line parser runs out of memory
- tool: Fixed incorrect return code if password prompting runs out of memory
- HTTP POST: omit Content-Length if data size is unknown
- GnuTLS: disable insecure ciphers
- GnuTLS: honor --slv2 and the --tlsv1[.N] switches
- multi: Fixed a memory leak on OOM condition
- netrc: Fixed a memory and file descriptor leak on OOM
- getpass: fix password parsing from console
- TFTP: fix crash on time-out
- hostip: don't remove DNS entries that are in use
- tests: lots of tests fixed to pass the OOM torture tests
Fixed in 7.34.0 - December 17 2013

Changes:
- SSL: protocol version can be specified more precisely
- imap/pop3/smtp: Added graceful cancellation of SASL authentication
- Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
- base64: Added validation of base64 input strings when decoding
- curl_easy_setopt: Added the ability to set the login options separately
- smtp: Added support for additional SMTP commands
- curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
- nss: allow to use TLS > 1.0 if built against recent NSS
- SECURITY: added this document to describe our security processes
- parseconfig: warn if unquoted white spaces are detected
Bugfixes:
- SECURITY VULNERABILITY: libcurl cert name check ignore with GnuTLS
- darwinssl: un-break iOS build after PKCS#12 feature added
- tool: use XFERFUNCTION to save some casts
- usercertinmem: fix memory leaks
- ssh: Handle successful SSH_USERAUTH_NONE
- NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
- test906: Fixed failing test on some platforms
- sasl: initialize NSS before using NTLM crypto
- sasl: Fixed memory leak in OAUTH2 message creation
- imap/pop3/smtp: Fixed QUIT / LOGOUT being sent when SSL connect fails
- cmake: unbreak for non-Windows platforms
- ssh: initialize per-handle data in ssh_connect()
- glob: fix broken URLs
- configure: check for long long when building with cyassl
- CURLOPT_RESOLVE: mention they don't time-out
- docs/examples/httpput.c: fix build for MSVC
- FTP: make the data connection work when going through proxy
- NSS: support for CERTINFO feature
- curl_multi_wait: accept 0 from multi_timeout() as valid timeout
- glob_range: pass the closing bracket for a-z ranges
- tool_help: Updated --list-only description to include POP3
- Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string
- cmake: fix Windows build with IPv6 support
- ares: Fixed compilation under Visual Studio 2012
- curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation
- curl.1: mention that -O does no URL decoding
- darwinssl: PKCS#12 import feature now requires Lion or later
- darwinssl: check for SSLSetSessionOption() presence when toggling BEAST
- configure: Fix test with -Werror=implicit-function-declaration
- sigpipe: factor out sigpipe_reset from easy.c
- curl_multi_cleanup: ignore SIGPIPE
- globbing: curl glob counter mismatch with {} list use
- parseconfig: dash options can't specified with colon or equals
- digest: fix CURLAUTH_DIGEST_IE
- curl.h:
for OpenBSD - darwinssl: Fix #if 10.6.0 for SecKeychainSearch
- TFTP: fix return codes for connect timeout
- login options: remove the ;[options] support from CURLOPT_USERPWD
- imap: Fixed incorrect fallback to clear text authentication
- parsedate: avoid integer overflow
- curl.1: document -J doesn't %-decode
- multi: add timer inaccuracy margin to timeout/connecttimeout
Fixed in 7.33.0 - October 14 2013
Changes:
- test code for testing the event based API
- CURLM_ADDED_ALREADY: new error code
- test TFTP server: support "writedelay" within
- krb4 support has been removed
- imap/pop3/smtp: added basic SASL XOAUTH2 support
- darwinssl: add support for PKCS#12 files for client authentication
- darwinssl: enable BEAST workaround on iOS 7 & later
- Pass password to OpenSSL engine by user interface
- c-ares: Add support for various DNS binding options
- cookies: add expiration
- curl: added --oauth2-bearer option
Bugfixes:
- nss: make sure that NSS is initialized
- curl: make --no-[option] work properly for several options
- FTP: with socket_action send better socket updates in active mode
- curl: fix the --sasl-ir in the --help output
- tests 2032, 2033: Don't hardcode port in expected output
- urlglob: better detect unclosed braces, empty lists and overflows
- urlglob: error out on range overflow
- imap: Fixed response check for SEARCH, EXPUNGE, LSUB, UID and NOOP commands
- handle arbitrary-length username and password
- TFTP: make the CURLOPT_LOW_SPEED* options work
- curl.h: name space pollution by "enum type"
- multi: move on from STATE_DONE faster
- FTP: 60 secs delay if aborted in the CURLOPT_HEADERFUNCTION callback
- multi_socket: improved 100-continue timeout handling
- curl_multi_remove_handle: allow multiple removes
- FTP: fix getsock during DO_MORE state
- -x: rephrased the --proxy section somewhat
- acinclude: fix --without-ca-path when cross-compiling
- LDAP: fix bad free() when URL parsing failed
- --data: mention CRLF treatment when reading from file
- curl_easy_pause: suggest one way to unpause
- imap: Fixed calculation of transfer when partial FETCH received
- pingpong: Check SSL library buffers for already read data
- imap/pop3/smtp: Speed up SSL connection initialization
- libcurl.3: for multi interface connections are held in the multi handle
- curl_easy_setopt.3: mention RTMP URL quirks
- curl.1: detail how short/long options work
- curl.1: Added information about optional login options to --user option
- curl: Added clarification to the --mail options in the --help output
- curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value
- openssl: use correct port number in error message
- darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher
- OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER
- xattr: add support for FreeBSD xattr API
- win32: fix Visual Studio 2010 build with WINVER >= 0x600
- configure: use icc options without space
- test1112: Increase the timeout from 7s to 16s
- SCP: upload speed on a fast connection limited to 16384 B/s
- curl_setup_once: fix errno access for lwip on Windows
- HTTP: Output http response 304 when modified time is too old
Fixed in 7.32.0 - August 12 2013
Changes:
- curl: allow timeouts to accept decimal values
- OS400: add slist and certinfo EBCDIC support
- OS400: new SSL backend GSKit
- CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
- LIBCURL-STRUCTS: new document
Bugfixes:
- dotdot: introducing dot file path cleanup
- docs: fix typo in curl_easy_getinfo manpage
- test1230: avoid using hard-wired port number
- test1396: invoke the correct test tool
- SIGPIPE: ignored while inside the library
- darwinssl: fix crash that started happening in Lion
- OpenSSL: check for read errors, don't assume
- c-ares: improve error message on failed resolve
- printf: make sure %x are treated unsigned
- formpost: better random boundaries
- url: restore the functionality of 'curl -u :'
- curl.1: fix typo in --xattr description
- digest: improve nonce generation
- configure: automake 1.14 compatibility tweak
- curl.1: document the --post303 option in the man page
- curl.1: document the --sasl-ir option in the man page
- setup-vms.h: sk_pop symbol tweak
- tool_paramhlp: try harder to catch negatives
- cmake: Fix for MSVC2010 project generation
- asyn-ares: Don't blank ares servers if none configured
- curl_multi_wait: set revents for extra fds
- Reinstate WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup()
- ftp_do_more: consider DO_MORE complete when server connects back
- curl_easy_perform: gradually increase the delay time
- curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
- curl: fix upload of a zip file in OpenVMS
- build: fix linking on Solaris 10
- curl_formadd: CURLFORM_FILECONTENT wrongly rejected some option combos
- curl_formadd: fix file upload on VMS
- curl_easy_pause: on unpause, trigger mulit-socket handling
- md5 & metalink: use better build macros on Apple operating systems
- darwinssl: fix build error in crypto authentication under Snow Leopard
- curl: make --progress-bar update the line less frequently
- configure: don't error out on variable confusions (CFLAGS, LDFLAGS etc)
- mk-ca-bundle: skip more untrusted certificates
- formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
- FTP: when EPSV gets a 229 but fails to connect, retry with PASV
- mk-ca-bundle.1: don't install on make install
- VMS: lots of updates and fixes of the build procedure
- global dns cache: didn't work (regression)
- global dns cache: fix memory leak
Fixed in 7.31.0 - June 22 2013

Changes:
- darwinssl: add TLS session resumption
- darwinssl: add TLS crypto authentication
- imap/pop3/smtp: Added support for ;auth=
in the URL - imap/pop3/smtp: Added support for ;auth=
to CURLOPT_USERPWD - usercertinmem.c: add example showing user cert in memory
- url: Added smtp and pop3 hostnames to the protocol detection list
- imap/pop3/smtp: Added support for enabling the SASL initial response
- curl -E: allow to use ':' in certificate nicknames
- imap/pop3/smtp: Added support for ;auth=
Bugfixes:
- SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond the end of the input buffer
- FTP: access files in root dir correctly
- configure: try pthread_create without -lpthread
- FTP: handle a 230 welcome response
- curl-config: don't output static libs when they are disabled
- CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
- Various documentation updates
- getinfo.c: reset timecond when clearing session-info variables
- FILE: prevent an artificial timeout event due to stale speed-check data
- ftp_state_pasv_resp: connect through proxy also when set by env
- sshserver: disable StrictHostKeyChecking
- ftpserver: Fixed imap logout confirmation data
- curl_easy_init: use less mallocs
- smtp: Fixed unknown percentage complete in progress bar
- smtp: Fixed sending of double CRLF caused by first in EOB
- bindlocal: move brace out of #ifdef
- winssl: Fixed invalid memory access during SSL shutdown
- OS X framework: fix invalid symbolic link
- OpenSSL: allow empty server certificate subject
- axtls: prevent memleaks on SSL handshake failures
- cookies: only consider full path matches
- Revert win32 MemoryTracking: wcsdup() _wcsdup() and _tcsdup()
- Curl_cookie_add: handle IPv6 hosts
- ossl_send: SSL_write() returning 0 is an error too
- ossl_recv: SSL_read() returning 0 is an error too
- Digest auth: escape user names with backslash or " in them
- curl_formadd.3: fixed wrong "end-marker" syntax
- libcurl-tutorial.3: fix incorrect backslash
- curl_multi_wait: reduce timeout if the multi handle wants to
- tests/Makefile: typo in the perlcheck target
- axtls: honor disabled VERIFYHOST
- OpenSSL: avoid double free in the PKCS12 certificate code
- multi_socket: reduce timeout inaccuracy margin
- digest: support auth-int for empty entity body
- axtls: now done non-blocking
- lib1900: use tutil_tvnow instead of gettimeofday
- curl_easy_perform: avoid busy-looping
- CURLOPT_COOKIELIST: take cookie share lock
- multi_socket: react on socket close immediately
Fixed in 7.30.0 - April 12 2013

Changes:
- imap: Changed response tag generation to be completely unique
- imap: Added support for SASL-IR extension
- imap: Added support for the list command
- imap: Added support for the append command
- imap: Added custom request parsing
- imap: Added support to the fetch command for UID and SECTION properties
- imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
- darwinssl: Make certificate errors less techy
- imap/pop3/smtp: Added support for the STARTTLS capability
- checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
- curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
- Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling
- Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control
Bugfixes:
- SECURITY ADVISORY: cookie tailmatching to avoid cross-domain leakage
- darwinssl: Fix build under Leopard
- DONE: consider callback-aborted transfers premature
- ntlm: Fixed memory leaks
- smtp: Fixed an issue when processing EHLO failure responses
- pop3: Fixed incorrect return value from pop3_endofresp()
- pop3: Fixed SASL authentication capability detection
- pop3: Fixed blocking SSL connect when connecting via POP3S
- imap: Fixed memory leak when performing multiple selects
- nss: fix misplaced code enabling non-blocking socket mode
- AddFormData: prevent only directories from being posted
- darwinssl: fix infinite loop if server disconnected abruptly
- metalink: fix improbable crash parsing metalink filename
- show proper host name on failed resolve
- MacOSX-Framework: Make script work in Xcode 4.0 and later
- strlcat: remove function
- darwinssl: Fix send glitchiness with data > 32 or so KB
- polarssl: better 1.1.x and 1.2.x support
- various documentation improvements
- multi: NULL pointer reference when closing an unused multi handle
- SOCKS: fix socks proxy when noproxy matched
- install-sh: updated to support multiple source files as arguments
- PolarSSL: added human readable error strings
- resolver_error: remove wrong error message output
- docs: updates HTML index and general improvements
- curlbuild.h.dist: enhance non-configure GCC ABI detection logic
- sasl: Fixed null pointer reference when decoding empty digest challenge
- easy: do not ignore poll() failures other than EINTR
- darwinssl: disable ECC ciphers under Mountain Lion by default
- CONNECT: count received headers
- build: fixes for VMS
- CONNECT: clear 'rewindaftersend' on success
- HTTP proxy: insert slash in URL if missing
- hiperfifo: updated to use current libevent API
- getinmemory.c: abort the transfer nicely if not enough memory
- improved win32 memorytracking
- corrected proxy header response headers count
- FTP quote operations on re-used connection
- tcpkeepalive on win32
- tcpkeepalive on Mac OS X
- easy: acknowledge the CURLOPT_MAXCONNECTS option properly
- easy interface: restore default MAXCONNECTS to 5
- win32: don't set SO_SNDBUF for windows vista or later versions
- HTTP: made cookie sort function more deterministic
- winssl: Fixed memory leak if connection was not successful
- FTP: wait on both connections during active STOR state
- connect: treat a failed local bind of an interface as a non-fatal error
- darwinssl: disable insecure ciphers by default
- FTP: handle "rubbish" in front of directory name in 257 responses
- mk-ca-bundle: Fixed lost OpenSSL output with "-t"
Fixed in 7.29.0 - February 6 2013

Changes:
- test: offer "automake" output and check for perl better
- always-multi: always use non-blocking internals
- imap: Added support for sasl digest-md5 authentication
- imap: Added support for sasl cram-md5 authentication
- imap: Added support for sasl ntlm authentication
- imap: Added support for sasl login authentication
- imap: Added support for sasl plain text authentication
- imap: Added support for login disabled server capability
- mk-ca-bundle: add -f, support passing to stdout and more
- writeout: -w now supports remote_ip/port and local_ip/port
Bugfixes:
- SECURITY ADVISORY: SASL buffer overflow vulnerability
- nss: prevent NSS from crashing on client auth hook failure
- darwinssl: Fixed inability to disable peer verification on Snow Leopard and Lion
- curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE
- SCP: relative path didn't work as documented
- setup_once.h: HP-UX
issue workaround - configure: fix cross pkg-config detection
- runtests: Do not add undefined values to @INC
- build: fix compilation with CURL_DISABLE_CRYPTO_AUTH flag
- multi: fix re-sending request on early connection close
- HTTP: remove stray CRLF in chunk-encoded content-free request bodies
- build: fix AIX compilation and usage of events/revents
- VC Makefiles: add missing hostcheck
- nss: clear session cache if a client certificate from file is used
- nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
- fix HTTP CONNECT tunnel establishment upon delayed response
- --libcurl: fix for non-zero default options
- FTP: reject illegal port numbers in EPSV 229 responses
- build: use per-target '_CPPFLAGS' for those currently using default
- configure: fix automake 1.13 compatibility
- curl: ignore SIGPIPE
- pop3: Added support for non-blocking SSL upgrade
- pop3: Fixed default authentication detection
- imap: Fixed usernames and passwords that contain escape characters
- packages/DOS/common.dj: remove COFF debug info generation
- imap/pop3/smtp: Fixed failure detection during TLS upgrade
- pop3: Fixed no known authentication mechanism when fallback is required
- formadd: reject trying to read a directory where a file is expected
- formpost: support quotes, commas and semicolon in file names
- docs: update the comments about loading CA certs with NSS
- docs: fix typos in man pages
- darwinssl: Fix bug where packets were sometimes transmitted twice
- winbuild: include version info for .dll .exe
- schannel: Removed extended error connection setup flag
- VMS: fix and generate the VMS build config
Fixed in 7.28.1 - November 20 2012
Changes:
- metalink/md5: Use CommonCrypto on Apple operating systems
- href_extractor: new example code extracting href elements
- NSS can be used for metalink hashing
Bugfixes:
- Fix broken libmetalink-aware OpenSSL build
- gnutls: fix the error is fatal logic
- darwinssl: un-broke iOS build, fix error on server disconnect
- asyn-ares: restore functionality with c-ares < 1.6.1
- tlsauthtype: deal with the string case insensitively
- Fixed MSVC libssh2 static build
- evhiperfifo: fix the pointer passed to WRITEDATA
- BUGS: fix the bug tracker URL
- winbuild: Use machine type of development environment
- FTP: prevent the multi interface from blocking
- uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES
- httpcustomheader.c: free the headers after use
- fix >2000 bytes POST over NTLM-using proxy
- redirects to URLs with fragments
- don't send '#' fragments when using proxy
- OpenSSL: show full issuer string
- fix HTTP auth regression
- CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value
- ftp: EPSV-disable fix over SOCKS
- Digest: Add microseconds into nounce calculation
- SCP/SFTP: improve error code used for send failures
- SSL: Several SSL-backend related fixes
- removed the notorious "additional stuff not fine" debug output
- OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack
- FILE: Make upload-writes unbuffered
- custom memory callbacks failure with HTTP proxy (and more)
- TFTP: handle resends
- autoconf: don't force-disable compiler debug option
- winbuild: Fix PDB file output
- test2032: spurious failure caused by premature termination
- memory leak: CURLOPT_RESOLVE with multi interface
Fixed in 7.28.0 - October 10 2012
Changes:
- SSH: added agent based authentication
- ftp: active conn, allow application to set sockopt after accept() call with CURLSOCKTYPE_ACCEPT
- multi: add curl_multi_wait()
- metalink: Added support for Microsoft Windows CryptoAPI
- md5: Added support for Microsoft Windows CryptoAPI
- parse_proxy: treat "socks://x" as a socks4 proxy
- socks: Added support for IPv6 connections through SOCKSv5 proxy
Bugfixes:
- WSAPoll disabled on Windows builds due to its bugs
- segfault on request retries
- curl-config: parentheses fix
- VC build: add define for openssl
- globbing: fix segfault when >9 globs were used
- fixed a few clang-analyzer warnings
- metalink: change code order to build with gnutls-nettle
- gtls: fix build failure by including nettle-specific headers
- change preferred HTTP auth on a handle previously used for another auth
- file: use fdopen() to avoid race condition
- Added DWANT_IDN_PROTOTYPES define for MSVC too
- verbose: fixed (nil) output of hostnames in re-used connections
- metalink: Un-broke the build when building --with-darwinssl
- curl man page cleanup
- Avoid leak of local device string when reusing connection
- Curl_socket_check: fix return code for timeout
- nss: do not print misleading NSS error codes
- configure: remove the --enable/disable-nonblocking options
- darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions
- NTLM: re-use existing connection better
- schannel crash on multi and easy handle cleanup
- SOCKS: truly disable it if CURL_DISABLE_PROXY is defined
- mk-ca-bundle: detect start of trust section better
- gnutls: do not fail on non-fatal handshake errors
- SMTP: only send SIZE if supported
- ftpserver: respond with a 250 to SMTP EHLO
- ssh: do not crash if MD5 fingerprint is not provided by libssh2
- winbuild: Added support for building with SPNEGO enabled
- metalink: Fixed validation of binary files containing EOF
- setup.h: fixed for MS VC10 build
- cmake: use standard findxxx modules for cmake v2.8+
- HTTP_ONLY: disable more protocols
- Curl_reconnect_request: clear pointer on failure
- https.c example: remember to call curl_global_init()
- metalink: Filter resource URLs by type
- multi interface: CURLOPT_LOW_SPEED_* fix during rate limitation
- curl_schannel: Removed buffer limit and optimized buffer strategy
Fixed in 7.27.0 - July 27 2012
Changes:
- nss: use human-readable error messages provided by NSS
- added --metalink for metalink download support
- pop3: Added support for sasl plain text authentication
- pop3: Added support for sasl login authentication
- pop3: Added support for sasl ntlm authentication
- pop3: Added support for sasl cram-md5 authentication
- pop3: Added support for sasl digest-md5 authentication
- pop3: Added support for apop authentication
- Added support for Schannel (Native Windows) SSL/TLS encryption
- Added support for Darwin SSL (Native Mac OS X and iOS)
- http: print reason phrase from HTTP status line on error
Bugfixes:
- pop3: Fixed the issue of having to supply the user name for all requests
- configure: fix LDAPS disabling related misplaced closing parenthesis
- cmdline: made -D option work with -O and -J
- configure: Fix libcurl.pc and curl-config generation for static MingW* cross builds
- ssl: fix duplicated SSL handshake with multi interface and proxy
- winbuild: Fix Makefile.vc ignoring USE_IPV6 and USE_IDN flags
- OpenSSL: support longer certificate subject names
- openldap: OOM fixes
- log2changes.pl: fix the Version output
- lib554.c: use curl_formadd() properly
- urldata.h: fix cyassl build clash with wincrypt.h
- cookies: changed the URL in the cookiejar headers
- http-proxy: keep CONNECT connections alive (for NTLM)
- NTLM SSPI: fixed to work with unicode user names and passwords
- OOM fix in the curl tool when cloning cmdline options
- fixed some examples to use curl_global_init() properly
- cmdline: stricter numerical option parser
- HTTP HEAD: don't force-close after response-headers
- test231: fix wrong -C use
- docs: switch to proper UTF-8 for text file encoding
- keepalive: DragonFly uses milliseconds
- HTTP Digest: Client's "qop" value should not be quoted
- make distclean works again
Fixed in 7.26.0 - May 24 2012
Changes:
- nss: the minimal supported version of NSS bumped to 3.12.x
- nss: human-readable names are now provided for NSS errors if available
- add a manual page for mk-ca-bundle
- added --post303 and the CURL_REDIR_POST_303 option for CURLOPT_POSTREDIR
- smtp: Add support for DIGEST-MD5 authentication
- pop3: Added support for additional pop3 commands
- curl: -w now supports 'filename_effective'
Bugfixes:
- nss: libcurl now uses NSS_InitContext() to prevent collisions if available
- URL parse: reject numerical IPv6 addresses outside brackets
- MD5: fix OOM memory leak
- OpenSSL cert: provide more details when cert check fails
- HTTP: empty chunked POST ended up in two zero size chunks
- fixed a regression when curl resolved to multiple addresses and the first isn't supported [7]
- -# progress meter: avoid superfluous updates and duplicate lines
- headers: surround GCC attribute names with double underscores
- PolarSSL: correct return code for CRL matches
- PolarSSL: include version number in version string
- PolarSSL: add support for asynchronous connect
- mk-ca-bundle: revert the LWP usage
- IPv6 cookie domain: get rid of the first bracket before the second
- connect.c: return changed to CURLE_COULDNT_CONNECT when opensocket fails
- OpenSSL: Made cert hostname check conform to RFC 6125
- HTTP: reset expected DL/UL sizes on redirects
- CMake: fix Windows LDAP/LDAPS option handling
- CMake: fix MS Visual Studio x64 unsigned long long literal suffix
- configure: update detection logic of getaddrinfo() thread-safeness
- configure: check for gethostbyname in the watt lib
- curl-config.1: fix curl-config usage in example
- smtp: Fixed non-escaping of dot character at beginning of line
- MakefileBuild.vc: use the correct IDN variable
- autoconf: improve handling of versioned symbols
- curl.1: clarify -x usage
- curl: shorten user-agent
- smtp: issue with the multi-interface always sending postdata
- compile error with GnuTLS+Nettle fixed
- winbuild: fix IPv6 enabled build
Fixed in 7.25.0 - March 22 2012
Changes:
- configure: add option disable --libcurl output
- --ssl-allow-beast and CURLOPT_SSL_OPTIONS added
- Added CURLOPT_TCP_KEEPALIVE, CURLOPT_TCP_KEEPIDLE, CURLOPT_TCP_KEEPINTVL
- curl: use new library-side TCP_KEEPALIVE options
- Added a new CURLOPT_MAIL_AUTH option
- Added support for --mail-auth
- --libcurl now also works with -F and more!
Bugfixes:
- --max-redirs: allow negative numbers as option value
- parse_proxy: bail out on zero-length proxy names
- configure: don't modify LD_LIBRARY_PATH for cross compiles
- curl_easy_reset: reset the referer string
- curl tool: don't abort glob-loop due to failures
- CONNECT: send correct Host: with IPv6 numerical address
- Explicitly link to the nettle/gcrypt libraries
- more resilient connection times among IP addresses
- winbuild: fix IPV6 and IDN options
- SMTP: Fixed error when using CURLOPT_CONNECT_ONLY
- cyassl: update to CyaSSL 2.0.x API
- smtp: Fixed an issue with the EOB checking
- pop3: Fixed drop of final CRLF in EOB checking
- smtp: Fixed an issue with writing postdata
- smtp: Added support for returning SMTP response codes
- CONNECT: fix ipv6 address in the Request-Line
- curl-config: only provide libraries with --libs
- LWIP: don't consider HAVE_ERRNO_H to be winsock
- ssh: tunnel through HTTP proxy if requested
- cookies: strip off [brackets] from numerical ipv6 host names
- libcurl docs: version corrections
- cmake: list_spaces_append_once failure
- resolve with c-ares: don't resolve IPv6 when not working
- smtp: changed error code for EHLO and HELO responses
- parsedate: fix a numeric overflow
Fixed in 7.24.0 - January 24 2012

Changes:
- CURLOPT_QUOTE: SFTP supports the '*'-prefix now
- CURLOPT_DNS_SERVERS: set name servers if possible
- Add support for using nettle instead of gcrypt as gnutls backend
- CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes
- Added CURLOPT_ACCEPTTIMEOUT_MS
- configure: add symbols versioning option --enable-versioned-symbols
Bugfixes:
- curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036
- curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
- SSL session share: move the age counter to the share object
- -J -O: use -O name if no Content-Disposition header comes!
- protocol_connect: show verbose connect and set connect time
- query-part: ignore the URI part for given protocols
- gnutls: only translate winsock errors for old versions
- POP3: fix end of body detection
- POP3: detect when LIST returns no mails
- TELNET: improved treatment of options
- configure: add support for pkg-config detection of libidn
- CyaSSL 2.0+ library initialization adjustment
- multi interface: only use non-NULL socker function pointer
- call opensocket callback properly for active FTP
- don't call close socket callback for sockets created with accept()
- differentiate better between host/proxy errors
- SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5
- multi: handle timeouts on DNS servers by checking for new sockets
- CURLOPT_DNS_SERVERS: fix return code
- POP3: fixed escaped dot not being stripped out
- OpenSSL: check for the SSLv2 function in configure
- MakefileBuild: fix the static build
- create_conn: don't switch to HTTP protocol if tunneling is enabled
- multi interface: fix block when CONNECT_ONLY option is used
- Fix connection reuse for TLS upgraded connections
- multiple file upload with -F and custom type
- multi interface: active FTP connections are no longer blocking
- Android build fix
- timer: restore PRETRANSFER timing
- libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM
- appconnect time fixed for non-blocking connect ssl backends
- do not include SSL handshake into time spent waiting for 100-continue
- handle dns cache case insensitive
- use new host name casing for subsequent HTTP requests
- CURLOPT_RESOLVE: avoid adding already present host names
- SFTP mkdir: use correct permission
- resolve: don't leak pre-populated dns entries
- --retry: Retry transfers on timeout and DNS errors
- negotiate with SSPI backend: use the correct buffer for input
- SFTP dir: increase buffer size counter to avoid cut off file names
- TFTP: fix resending (again)
- c-ares: don't include getaddrinfo-using code
- FTP: CURLE_PARTIAL_FILE will not close the control channel
- win32-threaded-resolver: stop using a dummy socket
- OpenSSL: remove reference to openssl internal struct
- OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled
- OpenSSL: fix PKCS#12 certificate parsing related memory leak
- OpenLDAP: fix LDAP connection phase memory leak
- Telnet: Use correct file descriptor for telnet upload
- Telnet: Remove bogus optimisation of telnet upload
- URL parse: user name with ipv6 numerical address
- polarssl: show cipher suite name correctly with 1.1.0
- polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be insecure
- gnutls: enforced use of SSLv3
Fixed in 7.23.1 - November 17 2011
Bugfixes:
- Windows: curl would fail if it found no CA cert, unless -k was used. Even if a non-SSL protocol URL was used
Fixed in 7.23.0 - November 15 2011
Changes:
- Empty headers can be sent in HTTP requests by terminating with a semicolon
- SSL session sharing support added to curl_share_setopt()
- Added support to MAIL FROM for the optional SIZE parameter
- smtp: Added support for NTLM authentication
- curl tool: code split into tool_*.[ch] files
Bugfixes:
- handle HTTP redirects to "//hostname/path"
- SMTP without --mail-from caused segfault
- prevent extra progress meter headers between multiple files
- allow Content-Length to be replaced when sending HTTP requests
- curl now always sets postfieldsize to allow --data-binary and --data to be mixed in the same command line
- curl_multi_fdset: avoid FD_SET out of bounds
- lots of MinGW build tweaks
- Curl_gethostname: return un-qualified machine name
- fixed the openssl version number configure check
- nss: certificates from files are no longer looked up by file base names
- returning abort from the progress function when using the multi interface would not properly cancel the transfer and close the connection
- fix libcurl.m4 to not fail with modern gcc versions
- ftp: improved the failed PORT host name resolved error message
- TFTP timeout and unexpected block adjustments
- HTTP and GOPHER test server-side connection closing adjustments
- fix endless loop upon transport connection timeout
- don't clobber errno on failed connect
- typecheck: allow NULL to unset CURLOPT_ERRORBUFFER
- formdata: ack read callback abort
- make --show-error properly position independent
- set the ipv6-connection boolean correctly on connect
- SMTP: fix end-of-body string escaping
- gtls: only call gnutls_transport_set_lowat with
HTTP: handle multiple auths in a single WWW-Authenticate line - curl_multi_fdset: correct fdset with FTP PORT use
- windbuild: fix the static build
- fix builds with GnuTLS version 3
- fix calling of OpenSSL's ERR_remove_state(0)
- HTTP auth: fix proxy Negotiate bug when Negotiate not requested
- ftp PORT: don't hang if bind() fails
- -# would crash on terminals wider than 256 columns
Fixed in 7.22.0 - September 13 2011
Changes:
- Added CURLOPT_GSSAPI_DELEGATION
- Added support for NTLM delegation to Samba's winbind daemon helper ntlm_auth
- Display notes from setup file in testcurl.pl
- BSD-style lwIP TCP/IP stack experimental support on Windows
- OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available
- --delegation was added to set CURLOPT_GSSAPI_DELEGATION
- nss: start with no database if the selected database is broken
- telnet: allow programatic use on Windows
Bugfixes:
- curl_getdate: detect some illegal dates better
- when sending a request and an error is received before the (entire) request body is sent, stop sending the request and close the connection after having received the entire response. This is equally true if an Expect: 100-continue header was used.
- When using both -J and a single -O with multiple URLs, a missing init could cause a segfault
- -J fixed for escaped quotes
- -J fixed for file names with semicolons
- progress: reset flags at transfer start to avoid wrong CURLINFO_CONTENT_LENGTH_DOWNLOAD
- curl_gssapi: Guard files with HAVE_GSSAPI and rename private header
- silence picky compilers: mark unused parameters
- help output: more gnu like output
- libtests: stop checking for CURLM_CALL_MULTI_PERFORM
- setting a non-HTTP proxy with an environment variable or with CURLOPT_PROXY / --proxy (without specifying CURLOPT_PROXYTYPE) would still make it do proxy-like HTTP requests
- CURLFORM_BUFFER: insert filename as documented (regression)
- SOCKS: fix the connect timeout
- ftp_doing: bail out on error properly while multi interfacing
- improved Content-Encoded decoding error message
- asyn-thread: check for dotted addresses before thread starts
- cmake: find winsock when building on windows
- Curl_retry_request: check return code
- cookies: handle 'secure=' as if it was 'secure'
- tests: break busy loops in tests 502, 555, and 573
- FTP: fix proxy connect race condition with multi interface and SOCKS proxy
- RTSP: GET_PARAMETER requests have a body
- fixed several memory leaks in OOM situations
- bad expire(0) caused multi_socket API to hang
- Avoid ftruncate() static define with mingw64
- mk-ca-bundle.pl: ignore untrusted certs
- builds with PolarSSL 1.0.0
Fixed in 7.21.7 - June 23 2011

Changes:
- recognize the [protocol]:// prefix in proxy hosts where the protocol is one of socks4, socks4a, socks5 or socks5h.
- Added CURLOPT_CLOSESOCKETFUNCTION and CURLOPT_CLOSESOCKETDATA
Bugfixes:
- SECURITY ADVISORY: inappropriate GSSAPI delegation
- NTLM: work with unicode
- fix connect with SOCKS proxy when using the multi interface
- anyauthput.c: stdint.h must not be included unconditionally
- CMake: improved build
- SCP/SFTP enable non-blocking earlier
- GnuTLS handshake: fix timeout
- cyassl: build without filesystem
- HTTPS over HTTP proxy using the multi interface
- speedcheck: invalid timeout event on a reused handle
- Force connection close for HTTP 200 OK when time condition matched
- curl_formget: fix FILE * leak
- configure: improved OpenSSL detection
- Android build: support gingerbread
- CURLFORM_STREAM: acknowledge CURLFORM_FILENAME
- windows build: use correct MS CRT
- pop3: remove extra space in LIST command
Fixed in 7.21.6 - April 22 2011
Changes:
- Added --tr-encoding and CURLOPT_TRANSFER_ENCODING
Bugfixes:
- curl-config: fix --version
- curl_easy_setopt.3: CURLOPT_PROXYTYPE clarification
- use HTTPS properly after CONNECT
- SFTP: close file before post quote operations
Fixed in 7.21.5 - April 17 2011
Changes:
- SOCKOPTFUNCTION: callback can say already-connected
- Added --netrc-file
- Added (new) support for cyassl
- TSL-SRP: enabled with OpenSSL
- Added CURLE_NOT_BUILT_IN and CURLE_UNKNOWN_OPTION
Bugfixes:
- nss: avoid memory leak on SSL connection failure
- nss: do not ignore failure of SSL handshake
- multi: better failed connect handling when using FTP, SMTP, POP3 and IMAP
- runtests.pl: fix pid number concatenation that prevented it from killing the correct process at times
- PolarSSL: Return 0 on receiving TLS CLOSE_NOTIFY alert
- curl_easy_setopt.3: Removed wrong reference to CURLOPT_USERPASSWORD
- multi: close connection on timeout
- IMAP in multi mode does SSL connections non-blocking
- honours the --disable-ldaps configure option
- Force setopt constants written by --libcurl to be long
- ssh_connect: treat libssh2 return code better
- SFTP upload could stall the state machine when the multi_socket API was used
- SFTP and SCP could leak memory when used with the multi interface and the connection was closed
- Added missing file to repair the MSVC makefiles
- Fixed detection of recvfrom arguments on Android/bionic
- GSS: handle reuse fix
- transfer: avoid insane conversion of time_t
- nss: do not ignore value of CURLOPT_SSL_VERIFYPEER in certain cases
- SMTP-multi: non-blocking connect
- SFTP-multi: set cselect for sftp and scp to fix "stall" risk
- configure: removed wrongly claimed default paths
- pop3: fixed torture tests to succeed
- symbols-in-versions: many corrections
- if a HTTP request gets retried because the connection was dead, rewind if any data was sent as part of it
- only probe for working ipv6 once and then re-use that info for further requests
- requests that are asked to bound to a local interface/port will no longer wrongly re-use connections that aren't
- libcurl.m4: Add missing quotes in AC_LINK_IFELSE
- progress output: don't print the last update on a separate line
- POP3: the command to send is STLS, not STARTTLS
- POP3: PASS command was not sent after upgrade to TLS
- configure: fix libtool warning
- nss: allow to use multiple client certificates for a single host
- HTTP pipelining: Fix handling of zero-length responses
- Don't list NTLM in curl-config when HTTP is disabled
- curl_easy_setopt.3: CURLOPT_RESOLVE typo version
- OpenSSL: build fine with no-sslv2 versions
- checkconnection: don't call with NULL pointer with RTSP and multi interface
- Borland makefile updates
- configure: libssh2 link fix without pkg-config
- certinfo crash
- CCC crash
Fixed in 7.21.4 - February 17 2011
Changes:
- CURLINFO_FTP_ENTRY_PATH now supports SFTP
- introduced new framework for unit-testing
- IDN: use win32 API if told to
- ares: ask for both IPv4 and IPv6 addresses
- HTTP: do Negotiate authentication using SSPI on windows
- Windows build: alternative makefile
- TLS-SRP: support added when using GnuTLS
- added support for axTLS
Bugfixes:
- SMTP: add brackets for MAIL FROM
- ossl_seed: no more RAND_screen (on Windows)
- multi: connect fail => use next IP address
- use the timeout when using multiple IP addresses similar to how the easy interface does it
- cookies: tricked dotcounter fixed
- pubkey_show: allocate buffer to fit any-size result
- Curl_nss_connect: avoid PATH_MAX
- Curl_do: avoid using stale conn pointer
- tftpd test server: avoid buffer overflow report from glibc
- nss: avoid CURLE_OUT_OF_MEMORY given a file name without any slash
- nss: fix a bug in handling of CURLOPT_CAPATH
- CMake: Use upstream CheckTypeSize module
- OpenSSL get_cert_chain: support larger data sets
- SCP/SFTP transfers: acknowledge speedcheck
- GnuTLS builds: fix memory leak
- connect problem: use UDP correctly
- Borland C++ makefile tweaks
- OpenSSL: improved error message on SSL_CTX_new failures
- HTTP: memory leak on multiple Location:
- ares_query_completed_cb: don't touch invalid data
- ares: memory leak fix
- mk-ca-bundle: use new cacert url
- Curl_gmtime: added a portable gmtime and check for NULL
- curl.1: typo in -v description
- CURLOPT_SOCKOPTFUNCTION: return proper error code
- --keepalive-time: warn if not supported properly
- file: add support for CURLOPT_TIMECONDITION
- nss: avoid memory leaks and failure of NSS shutdown
- multi: fix CURLM_STATE_TOOFAST for multi_socket
Fixed in 7.21.3 - December 15 2010
Changes:
- Added --noconfigure switch to testcurl.pl
- Added --xattr option
- Added CURLOPT_RESOLVE and --resolve
- Added CURLAUTH_ONLY
- Added version-check.pl to the examples dir
Bugfixes:
- check for libcurl features for some command line options
- Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
- http_chunks: remove debug output
- URL-parsing: consider ? a divider
- SSH: avoid using the libssh2_ prefix
- SSH: use libssh2_session_handshake() to work on win64
- ftp: prevent server from hanging on closed data connection when stopping a transfer before the end of the full transfer (ranges)
- LDAP: detect non-binary attributes properly
- ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
- gnutls->handshake: improved timeout handling
- security: Pass the right parameter to init
- krb5: Use GSS_ERROR to check for error
- TFTP: resend the correct data
- configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected
- GnuTLS: now detects socket errors on Windows
- symbols-in-versions: updated en masse
- added a couple examples that were missing from the tar ball
- Curl_send/recv_plain: return errno on failure
- Curl_wait_for_resolv (for c-ares): correct timeout
- ossl_connect_common: detect connection re-use
- configure: Prevent link errors with --librtmp
- openldap: use remote port in URL passed to ldap_init_fd()
- url: provide dead_connection flag in Curl_handler::disconnect
- lots of compiler warning fixes
- ssh: fix a download resume point calculation
- fix getinfo CURLINFO_LOCAL* for reused connections
- multi: the returned running handles conuter could turn negative
- multi: only ever consider pipelining for connections doing HTTP(S)
Fixed in 7.21.2 - October 13 2010

Changes:
- curl -T: ignore file size of special files
- Added GOPHER protocol support
- Added mk-ca-bundle.vbs script
- c-ares build now requires c-ares >= 1.6.0
Bugfixes:
- --remote-header-name security vulnerability fixed
- multi: support the timeouts correctly, fixes known bug #62
- multi: use timeouts properly for MAX_RECV/SEND_SPEED
- negotiation: Wrong proxy authorization
- multi: avoid sending multiple complete messages
- cmdline: make -F type= accept ;charset=
- RESUME_FROM: clarify what ftp uploads do
- http: handle trailer headers in all chunked responses
- Curl_is_connected: use correct errno
- Added SSPI build to Watcom makefile
- progress: callback for POSTs less than MAX_INITIAL_POST_SIZE
- linking problem on Fedora 13
- Link curl and the test apps with -lrt explicitly when necessary
- chunky parser: only rewind stream internally if needed
- remote-header-name: don't output filename when NULL
- Curl_timeleft: avoid returning "no timeout" by mistake
- timeout: use the correct start value as offset
- FTP: fix wrong timeout trigger
- buildconf got better output on failures
- rtsp: avoid SIGSEGV on malformed header
- LDAP: Support for tunnelling queries through HTTP proxy
- configure's --enable-werror had a bashism
- test565: Don't hardcode IP:PORT
- configure: check for gcrypt if using GnuTLS
- configure: don't enable RTMP if the lib detect fails
- curl_easy_duphandle: clone the c-ares handle correctly
- MacOSX-Framework: updates for Snowleopard
- support URL containing colon without trailing port number
- parsedate: allow time specified without seconds
- curl_easy_escape: don't escape "unreserved" characters
- SFTP: avoid downloading negative sizes
- Lots of GSS/KRB FTP fixes
- TFTP: Work around tftpd-hpa upload bug
- libcurl.m4: several fixes
- HTTP: remove special case for 416
- examples: use example.com in example URLs
- globbing: fix crash on unballanced open brace
- cmake: build fixed
Fixed in 7.21.1 - August 11 2010
Changes:
- maketgz: produce CHANGES automatically
- added support for NTLM authentication when compiled with NSS
- build: Enable configure --enable-werror
- curl-config: --built-shared returns shared info
Bugfixes:
- configure: spell --disable-threaded-resolver correctly
- multi: call the progress callback in all states
- multi: unmark handle as used when no longer head of pipeline
- sendrecv: treat all negative values from send/recv as errors
- ftp-wildcard: avoid tight loop when used without any pattern
- multi_socket: re-use of same socket without notifying app
- ftp wildcard: FTP LIST parser FIX
- urlglobbing backslash escaping bug
- build: add enable IPV6 option for the VC makefiles
- multi: CURLINFO_LASTSOCKET doesn't work after remove_handle
- --libcurl: use *_LARGE options with typecasted constants
- --libcurl: hide setopt() calls setting default options
- curl: avoid setting libcurl options to its default
- --libcurl: list the tricky options instead of using [REMARK]
- http: don't enable chunked during authentication negotiations
- upload: warn users trying to upload from stdin with anyauth
- configure: allow environments variable to override internals
- threaded resolver: fix timeout issue
- multi: fix condition that remove timers before trigger
- examples: add curl_multi_timeout
- --retry: access violation with URL part sets continued
- ssh: Fix compile error on 64-bit systems.
- remote-header-name: chop filename at next semicolon
- ftp: response timeout bug in "quote" sending
- CUSTOMREQUEST: shouldn't be disabled when HTTP is disabled
- Watcom makefiles overhaul.
- NTLM tests: boost coverage by forcing the hostname
- multi: fix FTPS connecting the data connection with OpenSSL
- retry: consider retrying even if -f is used
- fix SOCKS problem when using multi interface
- typecheck-gcc: add checks for recently added options
- SCP: send large files properly with new enough libssh2
- multi_socket: set timeout for 100-continue
- ";type=" URL suffix over HTTP proxy
- acknowledge progress callback error returns during connect
- Watcom makefile fixes
- runtests: clear old setenv remainders before test
Fixed in 7.21.0 - June 16 2010
Changes:
- added the --proto and -proto-redir options
- new configure option --enable-threaded-resolver
- improve TELNET ability with libcurl
- added support for PolarSSL
- added support for FTP wildcard matching and downloads
- added support for RTMP
- introducing new LDAP code for new enough OpenLDAP
- OpenLDAP support enabled for cygwin builds
- added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and CURLINFO_LOCAL_PORT
Bugfixes:
- prevent needless reverse name lookups
- detect GSS on ancient Linux distros
- GnuTLS: EOF caused error when it wasn't
- GnuTLS: SSL handshake phase is non-blocking
- -J/--remote-header-name strips CRLF
- MSVC makefiles now use ws2_32.lib instead of wsock32.lib
- -O crash on windows
- SSL handshake timeout underflow in libcurl-NSS
- multi interface missed storing connection time
- broken CRL support in libcurl-NSS
- ignore response-body on redirect even if compressed
- OpenSSL handshake state-machine for multi interface
- TFTP timeout option sent correctly
- TFTP block id wrap
- curl_multi_socket_action() timeout handles inaccuracy in timers better
- SCP/SFTP failure to respect the timeout
- spurious SSL connection aborts with OpenSSL
Fixed in 7.20.1 - April 14 2010
Changes:
- The 'ares' subtree has been removed from the source repository
- smoother rate limiting
- allow user+password in the URL for all protocols
- POP3: Get message listing if no mailbox in URL
Bugfixes:
- VMS builder bad behavior when used in a batch job
- multiple recepients with SMTP
- fixed the CURL_FORMAT_* defines when building with cmake
- missing quote in libcurl.m4
- SMTP: now waits for 250 after the DATA transfer
- SMTP: use angle brackets in RCPT TO
- curl --trace-time not using local time
- off-by-one in the chunked encoding trailer parser
- superfluous blocking for OpenSSL-based SSL connects and multi interface
- TFTP upload
- FTP timeouts after file transferred completely
- skip poll() on Interix
- CURLOPT_CERTINFO memory leak
- sub-second timeouts improvements
- configure fixes for GSSAPI
- threaded resolver double free when closing curl handle
- configure fixes for building with the clang compiler
- easy interix rate limiting logic
- curl_multi_remove_handle() caused use after free
- TFTP improved error codes
- TFTP fixed TSIZE handling for uploads
- SSL possible double free when reusing curl handle
- alarm()-based DNS timeout bug
- re-used FTP connection multi interface crash
- chunked-encoding with Content-Length: header problem
- multi interface HTTP POST over a proxy using PROXYTUNNEL
- RTSP GET_PARAMETER
- timeout after last data chunk was handled
- SFTP download hang
- FTP quote commands prefixed with '*' now can fail without aborting
Fixed in 7.20.0 - February 9 2010

Changes:
- support SSL_FILETYPE_ENGINE for client certificate
- curl-config can now show the arguments used when building curl
- non-blocking TFTP
- send Expect: 100-continue for POSTs with unknown sizes
- added support for IMAP(S), POP3(S), SMTP(S) and RTSP
- added new curl_easy_setopt() options for SMTP and RTSP
- added --mail-from and --mail-rcpt for SMTP
- VMS build system enhancements
- added support for the PRET ftp command
- curl supports --ssl and --ssl-reqd
- added -J/--remote-header-name for using server-provided filename with -O
- enhanced asynchronous DNS lookups
- symbol CURL_FORMAT_OFF_T is obsoleted
Bugfixes:
- progress meter percentage and transfer time estimates fixes
- portability enhancement for OS's without orthogonal directory tree structure
- progress meter/callback during FTP connection
- DNS cache timeout while transfer in progress
- compilation when configured --with-gssapi having GNU GSS installed
- SSL connection reused with mismatched protection level
- configure --with-nss is set but not "yes"
- don't store LDFLAGS in pkg-config file
- never-pruned DNS cached entries
- HTTP proxy tunnel re-used connection even if tunnel got disabled
- SSL lib post-close write
- curl failed to report write errors for tiny failed downloads
- TFTP BLKSIZE
- Expect: 100-continue handling when set by the application
- multi interface with OpenSSL read already freed memory when closing down
- --retry didn't do right for FTP transient errors
- some *_proxy environment variables didn't function
- libcurl-OpenSSL engine cleanup
- header include fix for FreeBSD versions before v8
- fragment part of URLs are no longer sent to the server
- progress callback called repeatedly with c-ares for resolving
- OpenSSL session id ref count leak
- progress callback called repeatedly during slow connects
- curl_multi_fdset() would return -1 too often during SCP/SFTP transfers
- FTP file size checks with ASCII transfers
- HTTP Cookie: headers sort cookies based on specified path lengths
- CURLM_CALL_MULTI_PERFORM fix for multi socket timeout calls
- libcurl data callback excessive length
Fixed in 7.19.7 - November 4 2009
Changes:
- -T. is now for non-blocking uploading from stdin
- SYST handling on FTP for OS/400 FTP server cases
- libcurl refuses to read a single HTTP header longer than 100K
- added the --crlfile option to curl
Bugfixes:
- The windows makefiles work again
- libcurl-NSS acknowledges verifyhost
- SIGSEGV when pipelined pipe unexpectedly breaks
- data corruption issue with re-connected transfers
- use after free if we're completed but easy_conn not NULL (pipelined)
- missing strdup() return code check
- CURLOPT_PROXY_TRANSFER_MODE could pass along wrong syntax
- configure --with-gnutls=PATH fixed
- ftp response reader bug on failed control connections
- improved NSS error message on failed host name verifications
- ftp NOBODY on re-used connection hang
- configure uses pkg-config for cross-compiles as well
- improved NSS detection in configure
- cookie expiry date at 1970-jan-1 00:00:00
- libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
- libcurl-OpenSSL can load CRL files with more than one certificate inside
- received cookies without explicit path got saved wrong if the URL had a query part
- don't shrink SO_SNDBUF on windows for those who have it set large already
- connect next bug
- invalid file name characters handling on Windows
- double close() on the primary socket with libcurl-NSS
- GSS negotiate infinite loop on bad credentials
- memory leak in SCP/SFTP connections
- use pkg-config to find out libssh2 installation details in configure
- unparsable cookie expire dates make cookies get treated as session coookies
- POST with Digest authentication and "Transfer-Encoding: chunked"
- SCP connection re-use with wrong auth
- CURLINFO_CONTENT_LENGTH_DOWNLOAD for 0 bytes transfers
- CURLINFO_SIZE_DOWNLOAD for ldap transfers (-w size_download)
Fixed in 7.19.6 - August 12 2009

Changes:
- CURLOPT_FTPPORT (and curl's -P/--ftpport) support port ranges
- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA
- CURLOPT_QUOTE, CURLOPT_POSTQUOTE and CURLOPT_PREQUOTE can be told to ignore error responses when used with FTP
Bugfixes:
- crash on bad socket close with FTP
- leaking cookie memory when duplicate domains or paths were used
- build fix for Symbian
- CURLOPT_USERPWD set to NULL clears auth credentials
- libcurl-NSS build fixes
- configure script fixed for VMS
- set Content-Length: with POST and PUT failed with NTLM auth
- allow building libcurl for VxWorks
- curl tool exit codes fixed for VMS
- --no-buffer treated correctly
- djgpp build fix
- configure detection of GnuTLS now based on pkg-config as well
- libcurl-NSS client cert handling segfaults
- curl uploading from stdin/pipes now works in non-blocking way so that it continues the downloading even when the read stalls
- ftp credentials are added to the url if needed for http proxies
- curl -o - sends data to stdout using binary mode on windows
- fixed the separators for "array" style string that CURLINFO_CERTINFO returns
- auth problem over several hosts with re-used connection
- improved the support for client certificates in libcurl+NSS
- fix leak in gtls code
- missing algorithms in libcurl+OpenSSL
- with noproxy set you could still get a proxy if a proxy env was set
- rand seeding on libcurl on windows built with OpenSSL was not thread-safe
- fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
- don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
- libcurl+OpenSSL would wrongly acknowledge a cert if CN matched but subjectAltName didn't
- TFTP upload sent illegal TSIZE packets
Fixed in 7.19.5 - May 18 2009
Changes:
- libcurl now closes all dead connections whenever you attempt to open a new connection
- libssh2's version number can now be figured out run-time instead of using the build-time fixed number
- CURLOPT_SEEKFUNCTION may now return CURL_SEEKFUNC_CANTSEEK
- curl can now upload with resume even when reading from a pipe
- a build-time configured curl_socklen_t is now used instead of socklen_t
Bugfixes:
- NTLM authentication memory leak on SSPI enabled Windows builds
- fixed the GnuTLS-using code to do correct return code checks
- an alloc-related call in the OpenSSL-using code didn't check the return value
- curl_easy_duphandle() failed to duplicate cookies at times
- missing TELNET timeout support in Windows builds
- missing Curl_read() and write callback result checking in TELNET transfers
- more ciphers enabled in libcurl built to use NSS
- properly return an error code in curl_easy_recv
- Sun compilers specific preprocessor block removed from curlbuild.h.dist
- allow creation of four way fat libcurl Mac OS X Framework
- several memory leaks in libcurl+NSS
- improved the CURLOPT_NOBODY set to 0 confusions
- persistent connections when doing FTP over a HTTP proxy
- --libcurl bogus strings where other data was pointed to
- crash related to FTP and "Re-used connection seems dead, get a new one"
- CURLINFO_APPCONNECT_TIME with the multi interface
- Enhanced upload speeds on Windows
- TFTP problems after a failed transfer to the same host
- improved out of the box TPF compatibility
- HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF
- Rejected SSL session ids are killed properly (for OpenSSL and GnuTLS builds)
- Deal with the TFTP OACK packet
- fixed roff mistakes in man pages
- use SOCKS proxy with the multi interface
- fixed the Curl_getoff_all_pipelines SIGSEGV
- POST, NTLM and following a redirect hang
- libcurl+NSS endless loop on incorrect password for private key
- gzip decompression memory leak
- no_proxy flaw with user name in URL
Fixed in 7.19.4 - March 3 2009

Changes:
- Added CURLOPT_NOPROXY and the corresponding --noproxy
- the OpenSSL-specific code disables TICKET (rfc5077) which is enabled by default in openssl 0.9.8j
- Added CURLOPT_TFTP_BLKSIZE
- Added CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC - with the corresponding curl options --socks5-gssapi-service and --socks5-gssapi-nec
- Improved IPv6 support when built with with c-ares >= 1.6.1
- Added CURLPROXY_HTTP_1_0 and --proxy1.0
- Added docs/libcurl/symbols-in-versions
- Added CURLINFO_CONDITION_UNMET
- Added support for Digest and NTLM authentication using GnuTLS
- CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry the CWD even when MKD fails
- GnuTLS initing moved to curl_global_init()
- Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS, see also the security advisory
Bugfixes:
- missing ssh.obj in VS makefiles
- FTP ;type=i URLs now work with CURLOPT_PROXY_TRANSFER_MODE in Turkish locale
- realms with quoted quotation marks in HTTP Digest headers
- VC9 makefiles are now really included
- multi interface memory leak with CURLMOPT_MAXCONNECTS set
- CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with CURLOPT_NOBODY set true
- memory leak on some libz errors for content encodings
- NSS-enabled build is repaired
- superfluous wait in SFTP downloads removed
- FTP with the multi interface no longer kills the control connection as easily on transfer failures
- compilation halting when using VS2008 to build a Windows 2000 target
- ease creation of libcurl Mac OS X Framework
- CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD are -1 if unknown
- Negotiate proxy authentication
- CURLOPT_INTERFACE and CURLOPT_LOCALPORT used together
Fixed in 7.19.3 - January 19 2009
Changes:
- CURLAUTH_DIGEST_IE bit added for CURLOPT_HTTPAUTH and CURLOPT_PROXYAUTH
- VC9 Makefiles were added to the release package
Bugfixes:
- build failure when disabling FTP but enabling GSS
- fixed several calls to memory functions that didn't check return codes
- memory leak for SSL connects with libcurl/NSS when CURLOPT_ISSUERCERT was used
- re-use of connections with the multi interface when multiple handles used the same server
- memory leak with HTTP GSS/kerberos authentication
- removed the default use of "Pragma: no-cache"
- fix SCP/SFTP busyloop by using a new libssh2 1.0 function
- bad fclose() after a fatal error in cookie code
- curl_multi_remove_handle() when the handle was in use in a HTTP pipeline
- GSS authentication infinite loop problem
- 550 response from SIZE no longer treated as missing file
- ftps:// control connections now use explicit protection level
- dotted IPv6 addresses longer than 39 bytes failed
- curl_easy_duphandle() doesn't try to duplicate the connection cache pointer
- build failure on OS/400 when enabling IPv6
- better detection of SFTP failures
- improved connection re-use for subsequent SCP and SFTP transfers
- multi interface does less busy-loops for SCP and SFTP transfers with libssh2 1.0 or later
- curl_multi_timeout() no longer returns timeout 0 when there's still more than 0 but less than 999 microseconds left
- the multi_socket API and HTTP pipelining now work a lot better when combined
- SFTP seek/resume beyond 32bit file sizes
- fixed breakage with --with-ssl --disable-verbose
- TTL "leak" in the DNS cache
- improved NSS initing
- curl_easy_reset now resets more options
- rare Location: follow bug with the multi interface
- the configure script can now detect gnutls with pkg-config
- curlbuild.h was adjusted for SunPro compilers
- CURLOPT_COOKIELIST set to "SESS" on an easy handle with no cookies data
- fixed timeouts for TFTP
- fixed PPC builds
Fixed in 7.19.2 - November 13 2008
Bugfixes:
- build failure when using MSVC 6 makefile and on four platforms more
- crash when using --interface name on Linux systems with a TEQL device
- using the multi interface to download a HTTPS page with libcurl built powered by OpenSSL could download "rubbish" instead of actual content
Fixed in 7.19.1 - November 5 2008
Changes:
- pkg-config can now show supported_protocols and supported_features
- Added CURLOPT_CERTINFO and CURLINFO_CERTINFO
- Added CURLOPT_POSTREDIR
- Better detect HTTP 1.0 servers and don't do HTTP 1.1 requests on them
- configure --disable-proxy disables proxy support
- Added CURLOPT_USERNAME and CURLOPT_PASSWORD
- --interface now works with IPv6 connections on glibc systems
- Added CURLOPT_PROXYUSERNAME and CURLOPT_PROXYPASSWORD
Bugfixes:
- MingW32 non-configure builds are now largefile feature enabled by default
- NetWare LIBC builds are now largefile feature enabled by default
- curl_easy_pause() could behave wrongly on unpause
- cookies with invalid expire dates are now considered expired
- HTTP pipelining over proxy
- fix regression in configure script which affected OpenSSL builds on MSYS
- GnuTLS-based multi interface doing HTTPS over proxy failed
- recv() failures cause CURLE_RECV_ERROR
- SFTP over SOCKS crash fixed
- thread-safety issues addressed for NSS-powered libcurls
- removed the use of mktime() and gmtime(_r)() in date parsing and conversions
- HTTP Digest with a blank realm did wrong
- CURLINFO_REDIRECT_URL didn't work with the multi interface
- CURLOPT_RANGE now works for SFTP downloads
- FTP SIZE response 550 now causes CURLE_REMOTE_FILE_NOT_FOUND
- CURLINFO_PRIMARY_IP fixed for persistent connection re-use cases
- remove_handle/add_handle multi interface timer callback flaw
- CURLINFO_REDIRECT_URL memory leak and wrong-doing
- case insensitive string matching works in Turkish too
- Solaris builds get _REENTRANT defined properly and work again
- Garbage sent on chunky upload after curl_easy_pause()
- ipv4 name resolves when libcurl is built with ipv6-enabled c-ares
- undersized IPv6 address internal buffer truncated long IPv6 addresses
- CURLINFO_FILETIME works for file:// transfers as well
Fixed in 7.19.0 - September 1 2008
Changes:
- curl_off_t gets its size/typedef somewhat differently than before. This _may_ cause an ABI change for you. See lib/README.curl_off_t for a full explanation.
- Added CURLINFO_PRIMARY_IP
- Added CURLOPT_CRLFILE and CURLE_SSL_CRL_BADFILE
- Added CURLOPT_ISSUERCERT and CURLE_SSL_ISSUER_ERROR
- curl's option parser for boolean options reworked
- Added --remote-name-all
- Now builds for the INTEGRITY operating system
- Added CURLINFO_APPCONNECT_TIME
- Added test selection by key word in runtests.pl
- the curl tool's -w option support the %{ssl_verify_result} variable
- Added CURLOPT_ADDRESS_SCOPE and scope parsing of the URL according to RFC4007
- Support --append on SFTP uploads (not with OpenSSH, though)
- Added curlbuild.h and curlrules.h to the external library interface
Bugfixes:
- Fixed curl-config --ca
- Fixed the multi interface connection re-use with NSS-built libcurl
- connection re-use when using the multi interface with pipelining enabled
- curl_multi_socket() socket callback fix for close/re-create sockets case
- SCP or SFTP over socks proxy crashed
- RC4-MD5 cipher now works with NSS-built libcurl
- range requests with --head are now done correctly
- fallback to gettimeofday when monotonic clock is unavailable at run-time
- range numbers could be made to wrongly get output as signed
- unexpected 1xx responses hung transfers
- FTP transfers segfault when using different CURLOPT_FTP_FILEMETHOD
- c-ares powered libcurls can resolve/use IPv6 addresses
- poll not working on Windows Vista due to POLLPRI being incorrectly used
- user-agent in CONNECT with non-HTTP protocols
- CURL_READFUNC_PAUSE problems fixed
- --use-ascii now works on Symbian OS, MS-DOS and OS/2
- CURLINFO_SSL_VERIFYRESULT is fixed
- FTP URLs and IPv6 URLs mangled when sent to proxy with CURLOPT_PORT set
- a user name in a proxy URL without a password was parsed incorrectly
- library will now be built with _REENTRANT symbol defined only if needed
- no longer link with gdi32 on Windows cross-compiled targets
- HTTP PUT with -C - sent bad Content-Range: header
- HTTP PUT or POST with redirect could lead to hang
- re-use of connections with failed SSL connects in the multi interface
- NTLM over proxy state was wrongly cleared when host connection was closed
- Windows SSPI DLL loading is now done in curl_global_init()
- runtests.pl has an improved find-stunnel-and-invoke
- FTP sessions could go out of sync on a long header boundary condition
- potential buffer overflows in the MS-DOS command-line port fixed
- --stderr is now honoured with the -v option
- memory leak in libcurl on Windows built with OpenSSL
- improved curl_m*printf() integral data type size and signedness handling
- error when --dump-header - used with more than one URL
- proxy closing connect during CONNECT with auth with the multi interface
- CURLOPT_UPLOAD sets HTTP method back to GET or HEAD when passed in a 0
- shared cookies could get locked twice
- deal with closed connection while doing POST/PUT
Fixed in 7.18.2 - June 4 2008
Changes:
- CURLFORM_STREAM was added
- CURLOPT_NOBODY is now supported over SFTP
- curl can now run on Symbian OS
- curl -w redirect_url and CURLINFO_REDIRECT_URL
- added curl_easy_send() and curl_easy_recv()
Bugfixes:
- CURLOPT_NOBODY first set to TRUE and then FALSE for HTTP no longer causes the confusion that could lead to a hung transfer
- curl_easy_reset() resets the max redirect limit properly
- configure now correctly recognizes Heimdal and MIT gssapi libraries
- malloc() failure check in Negotiate
- -i and -I together now work the same no matter what order they're used
- the typechecker can be bypassed by defining CURL_DISABLE_TYPECHECK
- a pointer mixup could make the FTP code send bad user+password under rare circumstances (found when using curlftpfs)
- CURLOPT_OPENSOCKETFUNCTION can now be used to create a unix domain socket
- CURLOPT_TCP_NODELAY crash due to getprotobyname() use
- libcurl sometimes sent body twice when using CURLAUTH_ANY
- configure detecting debug-enabled c-ares
- microsecond resolution keys for internal splay trees
- krb4 and krb5 ftp segfault
- multi interface busy loop for CONNECT requests
- internal time differences now use monotonic time source if available
- several curl_multi_socket() fixes
- builds fine for Haiku OS
- follow redirect with only a new query string
- SCP and SFTP memory leaks on aborted transfers
- curl_multi_socket() and HTTP pipelining transfer stalls
- lost telnet data on an EWOULDBLOCK condition
Fixed in 7.18.1 - March 30 2008
Changes:
- added support for HttpOnly cookies
- 'make ca-bundle' downloads and generates an updated ca bundle file
- we no longer distribute or install a ca cert bundle
- SSLv2 is now disabled by default for SSL operations
- the test509-style setting URL in callback is officially no longer supported
- support a full chain of certificates in a given PKCS12 certificate
- resumed transfers work with SFTP
- added type checking macros for curl_easy_setopt() and curl_easy_getinfo(), watch out for new warnings in code using libcurl (needs gcc-4.3 and currently only works in C mode)
- curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() and curl_multi_setopt() uses are now checked to use exactly three arguments
- --with-ca-path=DIR configure option allows to set an openSSL CApath instead of a default ca bundle.
- supports server name indication (RFC 4366), aka SNI
Bugfixes:
- improved pipelining
- improved strdup replacement
- GnuTLS-built libcurl failed when doing global cleanup and reinit
- error message problem when unable to resolve a host on Windows
- Accept: header replacing
- not verifying server certs with GnuTLS still failed if gnutls had problems with the cert
- when using the multi interface and a handle is removed while still having a transfer going on, the connection is now closed by force
- bad re-use of SSL connections in non-complete state
- test case 405 failures with GnuTLS builds
- crash when connection cache size is 1 and Curl_do() failed
- GnuTLS-built libcurl can now be forced to prefer SSLv3
- crash when doing Negotiate again on a re-used connection
- select/poll regression
- better MIT kerberos configure check
- curl_easy_reset() + SFTP re-used connection download crash
- SFTP non-existing file + SFTP existing file error
- sharing DNS cache between easy handles running in multiple threads could lead to crash
- SFTP upload with CURLOPT_FTP_CREATE_MISSING_DIRS on re-used connection
- SFTP infinite loop when given an invalid quote command
- curl-config erroneously reported LDAPS support with missing LDAP libraries
- SCP infinite loop when downloading a zero byte file
- setting the CURLOPT_SSL_CTX_FUNCTION with libcurl built without OpenSSL now makes curl_easy_setopt() properly return failure
- configure --with-libssh2 (with no given path)
Fixed in 7.18.0 - January 28 2008
Changes:
- --data-urlencode
- CURLOPT_PROXY_TRANSFER_MODE
- --no-keepalive - now curl does connections with keep-alive enabled by default
- --socks4a added (proxy type CURLPROXY_SOCKS4A for libcurl)
- --socks5-hostname added (CURLPROXY_SOCKS5_HOSTNAME for libcurl)
- curl_easy_pause()
- CURLOPT_SEEKFUNCTION and CURLOPT_SEEKDATA
- --keepalive-time
- curl --help output was re-ordered
Bugfixes:
- curl-config --features and --protocols show the correct output when built with NSS, and also when SCP, SFTP and libz are not available
- free problem in the curl tool for users with empty home dir
- curl.h version 7.17.1 problem when building C++ apps with MSVC
- SFTP and SCP use persistent connections
- segfault on bad URL
- variable wrapping when using absolutely huge send buffer sizes
- variable wrapping when using debug callback and the HTTP request wasn't sent in one go
- SSL connections with NSS done with the multi-interface
- setting a share no longer activates cookies
- Negotiate now works on auth and proxy simultanouesly
- support HTTP Digest nonces up to 1023 letters
- resumed ftp upload no longer requires the read callback to return full buffers
- no longer default-appends ;type= on FTP URLs thru proxies
- SSL session id caching
- POST with callback over proxy requiring NTLM or Digest
- Expect: 100-continue flaw on re-used connection with POSTs
- build fix for MSVC 9.0 (VS2008)
- Windows curl builds failed file truncation when retry downloading
- SSL session ID cache memory leak
- bad connection re-use check with environment variable-activated proxy use
- --libcurl now generates a return statement as well
- socklen_t is no longer used in the public includes
- time zone offsets from -1400 to +1400 are now accepted by the date parser
- allows more spaces in WWW/Proxy-Authenticate: headers
- curl-config --libs skips /usr/lib64
- range support for file:// transfers
- libcurl hang with huge POST request and request-body read from callback
- removed extra newlines from many error messages
- improved pipelining
- improved OOM handling for data url encoded HTTP POSTs when read from a file
- test suite could pick wrong tool(s) if more than one existed in the PATH
- curl_multi_fdset() failed to return socket while doing CONNECT over proxy
- curl_multi_remove_handle() on a handle that is in used for a pipeline now break that pipeline
- CURLOPT_COOKIELIST memory leaks
- progress meter/callback during http proxy CONNECT requests
- auth for http proxy when the proxy closes connection after first response
Fixed in 7.17.1 - October 29 2007
Changes:
Bugfixes:
- curl-config --protocols now properly reports LDAPS, SCP and SFTP
- ldapv3 support on Windows
- ldap builds with the MSVC makefiles
- no HOME and no key given caused SSH auth failure
- Negotiate authentication over proxy
- --ftp-method nocwd on directory listings
- FTP, CURLOPT_NOBODY enabled and CURLOPT_HEADER disabled now does TYPE before SIZE
- re-used handle transfers with SFTP
- curl_easy_escape() problem with byte values >= 128
- handles chunked-encoded CONNECT responses
- misuse of ares_timeout() result
- --local-port on TFTP transfers
- CURLOPT_POSTFIELDS could fail to send binary data
- specifying a proxy with a trailing slash didn't work (unless it also contained a port number)
- redirect from HTTP to FTP or TFTP memory problems and leaks
- re-used connections a bit too much when using non-SSL protocols tunneled over a HTTP proxy
- embed the manifest in VC8 builds
- use valgrind in the tests even when the lib is built shared with libtool
- libcurl built with NSS can now ignore the peer verification even when the ca cert bundle is absent
Fixed in 7.17.0 - September 13 2007
Changes:
- support for OS/400 Secure Sockets Layer library
- curl_easy_setopt() now allocates strings passed to it
- SCP and SFTP support now requires libssh2 0.16 or later
- LDAP libraries are now linked "regularly" and not with dlopen
- HTTP transfers have the download size info "available" earlier
- FTP transfers have the download size info "available" earlier
- builds and runs on OS/400
- several error codes and options were marked as obsolete and subject to future removal (set CURL_NO_OLDIES to see if your application is using them)
- SFTP errors can return more specific error codes
Bugfixes:
- test cases 31, 46, 61, 506, 517 now work in time zones that use leap seconds
- problem with closed proxy connection during HTTP CONNECT auth negotiation
- transfer-encoding skipping didn't ignore the 407 response bodies properly
- CURLOPT_SSL_VERIFYHOST set to 1
- CONNECT endless loop
- krb5 support builds with Heimdal
- added returned error string for connection refused case
- re-use of dead FTP control connections
- login to FTP servers that don't require (nor understand) PASS after the USER command
- bad free of memory from libssh2
- the SFTP PWD command works
- HTTP Digest auth on a re-used connection
- FTPS data connection close
- AIX 4 and 5 get to use non-blocking sockets
- small POST with NTLM
- resumed file:// transfers
- CURLOPT_DNS_CACHE_TIMEOUT and CURLOPT_DNS_USE_GLOBAL_CACHE are 64 bit "clean"
- memory leak when handling compressed data streams from broken servers
- no NTLM unicode response
- resume HTTP PUT using Digest authentication
- FTP NOBODY requests on directories sent "SIZE (null)"
- FTP NOBODY request on file crash
- excessively long FTP server responses and response lines
- file:// upload then FTP:// upload crash
- TFTP error 0 is no longer treated as success
- uploading empty file over FTP on re-used connection
- superfluous CWD command on re-used FTP connections without subdirs used
Fixed in 7.16.4 - July 10 2007

Changes:
- added CURLOPT_NEW_FILE_PERMS and CURLOPT_NEW_DIRECTORY_PERMS
- improved hashing of sockets for the multi_socket API
- ftp kerberos5 support added
Bugfixes:
- adjusted how libcurl treats HTTP 1.1 responses without content-lenth or chunked encoding
- fixed the 10-at-a-time.c example
- FTP over SOCKS proxy
- improved error messages on SCP upload failures
- security flaw in which libcurl failed to properly reject some outdated or not yet valid server certificates when built with GnuTLS
Fixed in 7.16.3 - June 25 2007
Changes:
- added curl_multi_socket_action()
- deprecated curl_multi_socket()
- uses less memory in non-pipelined use cases
- CURLOPT_HTTP200ALIASES matched transfers assume HTTP 1.0 compliance
- more than one test harness can run at the same time without conflict
- SFTP now supports quote commands before a transfer
- CURLMOPT_MAXCONNECTS added to curl_multi_setopt()
- upload resume works for file:// URLs
- asynchronous name resolves now require c-ares 1.4.0 or later
- added SOCKS test cases
- CURLOPT_FTP_CREATE_MISSING_DIRS and --ftp-create-dirs now work for SFTP operations as well
Bugfixes:
- if2up too long interface name memory leak
- test case 534 started to fail 2007-04-13 due to the existance of a new host on the net with the same silly domain the test was using for a host which was supposed not to exist.
- test suite SSL certificate works better with newer stunnel
- internal progress meter update frequency back to once per second
- avoid some unnecessary calls to function gettimeofday
- a double-free in the SSL-layer
- GnuTLS free of NULL credentials
- NSS-fix for closing down SSL
- bad warning from configure when gnutls was selected
- compilation on VMS 64-bit mode
- SCP/SFTP downloads could hang on the last bytes of a transfer
- curl_easy_duphandle() crash
- curl -V / curl_version*() works even when GnuTLS is used on a system without a good random source
- curl_multi_socket() not "noticing" newly added handles
- lack of Content-Length and chunked encoding now requires HTTP 1.1 as well to be treated as without response body
- connection cache growth in multi handles
- better handling of out of memory conditions
- overwriting an uploaded file with sftp now truncates it first
- SFTP quote commands chmod, chown, chgrp can now set a value of 0
- TFTP connect timouts less than 5 seconds
- improved curl -w for TFTP transfers
- memory leak when failed OpenSSL certificate CN field checking
- memory leak when OpenSSL failed PKCS #12 parsing
- FTP-SSL when built with NSS
- out-of-boundary write in Curl_select()
- -s/--silent can now be used to toggle off the silence again
- builds fine on 64bit HP-UX
- multi interface HTTP CONNECT glitch
- list FTP root directories when login dir is not root
- no longer slows down when getting very many URLs on the same command line
- lock share before decreasing dirty counter
- no-body FTP requests on re-used connections
Fixed in 7.16.2 - April 11 2007
Changes:
- added CURLOPT_TIMEOUT_MS and CURLOPT_CONNECTTIMEOUT_MS
- added CURLOPT_HTTP_CONTENT_DECODING, CURLOPT_HTTP_TRANSFER_DECODING and --raw
- added support for using the NSS library for TLS/SSL
- changed default anonymous FTP password
- changed the CURLOPT_FTP_SSL_CCC option to handle active and passive CCC shutdown
- added the --ftp-ssl-ccc-mode command line option
- includes VC8 Makefiles in the release archive
- --ftp-ssl-control is now honoured on ftps:// URLs
- added experimental CURL_ACKNOWLEDGE_EINTR symbol definition check
- --key and new --pubkey options for SSH public key file logins
- --pass now works for a SSH public key file, too
- select (2) support no longer needed to build the library if poll() used
- CURLOPT_POSTQUOTE works for SFTP
Bugfixes:
- in testsuite, update test cookies expiration from 2007-Feb-1 to year 2035
- socks5 works
- builds fine with VC2005
- CURLOPT_RANGE set to NULL resets the range for FTP
- curl_multi_remove_handle() rare crash
- passive FTP transfers work with SOCKS
- multi interface HTTPS connection re-use memory leak
- libcurl.m4's --with-libcurl is improved
- curl-config --libs and libcurl.pc no longer list unnecessary dependencies
- fixed an issue with CCC not working on some servers
- several HTTP pipelining problems
- HTTP CONNECT thru a proxy is now less blocking when the multi interface is used
- HTTP Digest header parsing fix for unquoted last word ending with CRLF
- CURLOPT_PORT, HTTP proxy, re-using connections and non-HTTP protocols
- CURLOPT_INTERFACE for ipv6
- use-after-free issue with HTTP transfers with the multi interface
- the progress callback can get called more frequently
- timeout would restart when signal caught while awaiting socket events
- curl -f with user+password embedded in the URL
- 26 flaws identified by coverity.com
- builds on QNX 6 again
Fixed in 7.16.1 - January 29 2007
Changes:
- Support for SCP and SFTP were added (powered by libssh2)
- CURLOPT_CLOSEPOLICY is now deprecated
- --ftp-ssl-ccc and CURLOPT_FTP_SSL_CCC were added
- HTTP support for non-ASCII platforms
- --libcurl was added
Bugfixes:
- proxy close during CONNECT authentication is now dealt with nicely
- the CURLOPT_DEBUGFUNCTION was sometimes called even when CURLOPT_VERBOSE was not enabled
- multiple TFTP transfers on the same (easy or multi) handle could cause a crash
- SIGSEGV when disconnecting on a transfer on a re-used handle when the host name didn't resolve
- stack overwrite on 64bit Windows in the chunked decoding department
- HTTP responses on persistent connections without Content-Length nor chunked encoding are now considered to be without response body
- Content-Range: header parsing improved
- CPU 100% load when HTTP upload connection broke
- active FTP didn't work with multi interface
- curl_getdate() could be off one hour for TZ time zones with DST, on windows
- CURLOPT_FORBID_REUSE works again
- CURLOPT_MAXCONNECTS set to zero caused libcurl to SIGSEGV
- rate limiting works better
- getting FTP response code errors when using the multi-interface caused libcurl to leak memory
- no more SIGPIPE when GnuTLS is used
- FTP downloading 2 zero byte files in a row
- using proxy and URLs without protocol prefixes
- first using a proxy and then accessing a site that 'no_proxy' matched, would still make libcurl use the proxy...
- curl_easy_duphandle() now makes a handle that is valid for the multi interface since the magic number is set fine
- libcurl.pc now uses Libs.private for "private" libs
- --limit-rate (CURLOPT_MAX_SEND_SPEED_LARGE and CURLOPT_MAX_RECV_SPEED_LARGE) now work on windows again
- improved download performance by avoiding the unconditional "double copying"
- base64 encoding/decoding works on non-ASCII platforms
- large file downloads
- CURLOPT_COOKIELIST set to "ALL" crash
- easy handle removal from multi handle before completion
- TFTP upload memory leak
- curl_easy_reset() now resets the CA bundle path correctly
- two User-Agent headers in CONNECT requests with custom User-Agent
Fixed in 7.16.0 - October 30 2006
Changes:
- the SONAME on the shared library was bumped from 3 to 4
- Added CURLE_SSL_CACERT_BADFILE
- Added CURLMOPT_TIMERFUNCTION and CURLMOPT_TIMERDATA
- (FTP) the CURLOPT_SOURCE_* options are removed and so are the --3p* command line options
- curl_multi_socket() and family are suitable to start using
- uses WSAPoll() on Windows Vista
- (FTP) --ftp-ssl-control was added
- CURLOPT_SSL_SESSIONID_CACHE and --no-sessionid added
- CURLMOPT_PIPELINING added for enabling HTTP pipelined transfers
- multi handles now have a shared connection cache
- Added support for other MS-DOS compilers (besides djgpp)
- CURLOPT_SOCKOPTFUNCTION and CURLOPT_SOCKOPTDATA were added
- (FTP) libcurl avoids sending TYPE if the desired type was already set
- (FTP) CURLOPT_PREQUOTE works even when CURLOPT_NOBODY is set true
Bugfixes:
- (HTTP) CURLOPT_FAILONERROR (curl -f) covers a few more reponse cases
- curl_multi_socket() and the LOW_SPEED options
- curl_multi_socket() expire timer during c-ares name resolves
- curl_multi_add_handle on an already added handle now fails gracefully
- multi interface crash if bad function call order was used for cleanup
- put a new URL in saved cookie jar files
- configure --with-gssapi-libs
- SOCKS proxy connection fixes
- (FTP) a failed upload does not invalidate the control connection
- proxy URL with user name and empty password or no password at all now work
- fixed a socket state problem with *multi_socket()
- (HTTP) NTLM hostname fix
- getsockname usage fixes
- SOCKS5 proxy connects can now time-out
- SOCKS5 connects that require auth no longer segfaults when auth not given
- multi interface using asynch resolves could get stuck in wrong state
- the 'running_handles' counter wasn't always updated properly when curl_multi_remove_handle() was used
- (FTP) EPRT transfers with IPv6 didn't work properly
- (FTP) SINGLECWD mode and using files in the root dir
- (HTTP) Expect: header disabling work better
- (HTTP) "Expect: 100-continue" disable on second POST on re-used connection
- src/config.h.in is fixed
- (HTTP) POST data logged to the debug callback function is now correctly tagged as data, not header
Fixed in 7.15.5 - August 7 2006
Changes:
- added --ftp-ssl-reqd
- modified the prototype for the socket callback set with CURLMOPT_SOCKETFUNCTION
- added curl_multi_assign()
- added CURLOPT_FTP_ALTERNATIVE_TO_USER and --ftp-alternative-to-user
- added a vcproj file for building libcurl
- added curl_formget()
- added CURLOPT_MAX_SEND_SPEED_LARGE and CURLOPT_MAX_RECV_SPEED_LARGE
- added configure --enable-hidden-symbols
- Made -K on a file that couldn't be read cause a warning to be displayed
Bugfixes:
- chunked encoding when custom header "Transfer-Encoding: chunked" is set
- Curl_strerror() crash on unknown errors
- changing Content-Type when doing formposts
- added CURL_EXTERN to a few recent multi functions that lacked them
- splay-tree related problems for internal expire time handling
- FTP ASCII CRLF counter reset
- cookie parser now compares paths case sensitive
- an easy handle with shared DNS cache added to a multi handle caused a crash
- couldn't override the Proxy-Connection: header for non-CONNECT requests
- curl_multi_fdset() could wrongly return -1 as max_fd value
Fixed in 7.15.4 - June 12 2006
Changes:
- NTLM2 session response support
- CURLOPT_COOKIELIST set to "SESS" clears all session cookies
- CURLINFO_LASTSOCKET returned sockets are now checked more before returned
- curl-config got a --checkfor option to compare version numbers
- line end conversions for FTP ASCII transfers
- curl_multi_socket() API added (still mostly untested)
- conversion callback options for EBCDIC <=> ASCII conversions
- added CURLINFO_FTP_ENTRY_PATH
- less blocking for the multi interface during (Open)SSL connect negotiation
Bugfixes:
- builds fine on cygwin
- md5-sess with Digest authentication
- dict with letters such as space in a word
- dict with url-encoded words in the URL
- libcurl.m4 when default=yes but no libcurl was found
- numerous bugs fixed in the TFTP code
- possible memory leak when adding easy handles to multi stack
- TFTP works in a more portable fashion (== on more platforms)
- WSAGetLastError() is now used (better) on Windows
- GnuTLS non-block case that could cause data trashing
- deflate code survives lack of zlib header
- CURLOPT_INTERFACE works with hostname
- configure runs fine with ICC
- closed control connection with FTP when easy handle was removed from multi
- curl --trace crash when built with VS2005
- SSL connect time-out
- improved NTLM functionality
- following redirects with more than one question mark in source URL
- fixed debug build crash with -d
- generates a fine AIX Toolbox RPM spec
- treat FTP AUTH failures properly
- TFTP transfers could trash data
- -d + -G combo crash
Fixed in 7.15.3 - March 20 2006

Changes:
- added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD
Bugfixes:
- TFTP Packet Buffer Overflow Vulnerability
- properly detecting problems with sending the FTP command USER
- wrong error message shown when certificate verification failed
- multi-part formpost with multi interface crash
- the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged
- "SSL: couldn't set callback" is now treated as a less serious problem
- Interix build fix
- fixed curl "hang" when out of file handles at start
- prevent FTP uploads to URLs with trailing slash
Fixed in 7.15.2 - February 27 2006
Changes:
- Support for SOCKS4 proxies (added --socks4)
- CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET added
- CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE (--local-port) added
- Dropped support for the LPRT ftp command
- Gopher is now officially abandoned as a protocol (lib)curl tries to support
- curl_global_init() and curl_global_cleanup() are now using a refcount so that it is now legal to call them multiple times. See updated info for details
Bugfixes:
- two bugs concerning using curl_multi_remove_handle() before the transfer was complete
- multi-pass authentication and compressed content
- minor format string mistake in the GSS/Negotiate code
- cached DNS entries could remain in the cache too long
- improved GnuTLS check in configure
- re-used FTP connections when the second request didn't do a transfer
- plain --limit-rate [num] means bytes
- re-creating a dead connection is no longer counted internally as a followed redirect and thus prevents a weird error that would occur if a FTP connection died on an attempted re-use
- Try PASV after failing to connect to the port the EPSV response contained
- -P [IP] with non-local address with ipv6-enabled curl
- -P [hostname] with ipv6-disabled curl
- libcurl.m4 was updated
- configure no longer warns if the current path contains a space
- test suite kill race condition
- FTP_SKIP_PASV_IP and FTP_USE_EPSV when doing FTP over HTTP proxy
- Doing a second request with FTP on the same bath path, would make libcurl confuse what current working directory it had
- FTP over HTTP proxy now sends the second CONNECT properly
- numerous compiler warnings and build quirks for various compilers have been addressed
- supports name and passwords up to 255 bytes long, embedded in URLs
- the HTTP_ONLY define disables the TFTP support
Fixed in 7.15.1 - December 7 2005

Changes:
- the libcurl.pc pkgconfig file now gets installed on make install
- URL globbing now offers "range steps": [1-100:10]
- LDAPv3 is now the preferred LDAP protocol version
- --max-redirs and CURLOPT_MAXREDIRS set to 0 limits redirects
- improved MSVC makefile
Bugfixes:
- URL buffer overflow problem
- using file:// on non-existing files are properly handled
- builds fine on DJGPP
- CURLOPT_ERRORBUFFER is now always filled in on errors
- curl outputs error on bad --limit-rate units
- fixed libcurl's use of poll() on cygwin
- the GnuTLS code didn't support client certificates
- TFTP over IPv6 works
- no reverse lookups on IP addresses when ipv6-enabled
- SSPI compatibility fix: using the proper DLLs
- binary LDAP properties are now shown base64 encoded
- Windows uploads from stdin using curl can now contain ctrl-Z bytes
- -r [num] would produce an invalid HTTP Range: header
- multi interface with multi IP hosts could leak socket descriptors
- the GnuTLS code didn't handle rehandshakes
- re-use of a dead FTP connection
- name resolve error codes fixed for Windows builds
- double WWW-Authenticate Digest headers are now handled
- curl-config --vernum fixed
Fixed in 7.15.0 - October 13 2005

Changes:
- --ftp-skip-pasv-ip / CURLOPT_FTP_SKIP_PASV_IP (sponsored by CU*Answers)
- TFTP support added
Bugfixes:
- user+domain name buffer overflow in the NTLM code (security flaw)
- -z over FTP now considers equal timestamps "not modified since"
- Weird characters removed from the configure script
- Fixed time zone offsets for MEST and CEST for the time parser
- HTTP Content-Range header parser crash
- FTPS negotiation timeouts/errors
- SSPI works even for Windows 9x
- crash in --dump-header on FTP
- test 56 runs better
Fixed in 7.14.1 - September 1 2005
Changes:
- GNU GSS support
- --ignore-content-length and CURLOPT_IGNORE_CONTENT_LENGTH added
- negotiates data connection SSL earlier when doing FTPS with PASV
- CURLOPT_COOKIELIST and CURLINFO_COOKIELIST
- trailer support for chunked encoded data streams
- -x/CURL_PROXY strings may now contain user+password
- --trace-time now outputs the full microsecond, all 6 digits
Bugfixes:
- MSVC build problem with the DSP file
- windows threaded resolver access violation with multi interface
- test suite works with valgrind 3
- CA cert verification with GnuTLS builds
- handles expiry times in cookie files that go beyond 32 bits in size
- several client problems with files, such as doing -d @file when the file isn't readable now gets a warning displayed
- write callback abort didn't always "take"
- the curl -z "bad syntax" warning is now hidden when -s is used
- curl -d @nonexisting no longer makes a GET
- minor debug callback data size
- date parsing of dates including daylight savings time zone names
- using NTLM over proxy with an FTP URL
- curl-config --features now displays SSL when built with GnuTLS too
- CURLOPT_HTTPGET, CURLOPT_POST and CURLOPT_HTTPPOST reset CURLOPT_NOBODY
- builds fine on AmigaOS again
- corrected date parsing on Windows with auto-DST-adjust enabled
- treats CONNECT 407 responses with bodies better during Digest/NTLM auth
- improved strerror_r() API guessing when cross-compiling
- debug builds work on Tru64
- improved libcurl.m4
- possible memory leak in windows name resolves
- c-ares enabled build with mingw
- proxy host set with numerical IPv6 address
- better treatment of binary zeroes in HTTP response headers
- fixed the notorious FTP server failure in the test suite
- better checking of text output in the test suite on windows
- FTP servers' TYPE command response check made less strict
- URL-without-slash as in http://example?data
- strerror_r() configure check for HP-UX 10.20 (and others)
- time parse work-around on HP-UX 10.20 since its gmtime_r() is broken
Fixed in 7.14.0 - May 16 2005
Changes:
- modified default HTTP request headers
- curl --trace-time added for time stamping trace logs
- curl now respects the SSL_CERT_DIR and SSL_CERT_PATH environment variables
- more search paths for curl's default .curlrc config file check
- GnuTLS support, use configure --with-gnutls. Work on this was sponsored by The Written Word.
Bugfixes:
- uses select() instead of poll() even on Mac OS X 10.4
- reconnected proxy use with NTLM auth on the same handle
- warns about bad -z date syntax
- docs/THANKS now contains all known contributors
- builds out-of-the-box on (presumably ipv6-enabled) AIX 4.3 hosts
- curl --head could wrongly complain on bad chunked-encoding
- --interface SIGSEGVed on a bad address
- kill the HTTPS server better when stopping the test suite
- builds fine with VS2005 on x64
- auth fix for HTTP redirects and .netrc usage
- FTP uploads show the progress meter easier
- MSVC makefile fixes for static libcurl builds
- configure fix for static libcurl build on Windows
- --retry-delay
- POST with read callback now uses Expect: 100-continue
- CURLOPT_PORT didn't actually use the set port number
- HTTP 304 response with Content-Length: header
- time-conditioned FTP uploads
Fixed in 7.13.2 - April 4 2005
Changes:
- Added --form-string
- libcurl can be built with SSPI support. curl_version_info() then returns a new feature bit: CURL_VERSION_SSPI. configure --enable-sspi added
- Added --proxy-anyauth
- Added runtests.1 and testcurl.1 man pages
Bugfixes:
- the MSVC libcurl Makefile was fixed
- libcurl on Windows crash if resolver was active when easy handle was killed
- HTTP POST with auth and an initial 100 response before the 401/407
- configure's SSL-detection for msys/mingw
- better connection keep-alive when POSTing with HTTP Digest
- FTP-SSL
- reading FTP server response in multiple reads
- picking one out of multiple proxy auth methods
- inet_ntoa_r() when built with uClibc
- the so name issue for the LDAP library dynamic load
- crash when using SOCKS4 proxy
- a debug printf() was removed
- CURLOPT_FILETIME when downloading FTP corrupted data
- FTP upload resume now works even if no file is present on the site
- SSL seeding no longer attempts to read the whole random file
Fixed in 7.13.1 - March 4 2005

Changes:
- CURLOPT_COOKIEFILE set to "" is now activating the cookie engine
- FTP code overhaul => multi interface much less blocking
- Added CURLE_LOGIN_DENIED to be returned when curl is denied login to FTP servers
Bugfixes:
- -# crash when more data than expected was retrieved
- NTLM/krb4 buffer overflow fixed
- proxy auth bug when following redirects to another host
- socket leak when local bind failed
- HTTP POST with --anyauth picking NTLM
- SSL problems when downloading exactly 16KB data
- out of memory conditions preserve error codes better
- a few crashes at out of memory
- inflate buffer usage bugfix
- better DICT protocol adherence
- disable valgrind-checking while testing if libcurl is built shared
- locale names in some date strings
Fixed in 7.13.0 - February 1 2005
Changes:
- added --ftp-account and CURLOPT_FTP_ACCOUNT
- added CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE
- obsoleted CURLOPT_SOURCE_HOST, CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT and CURLOPT_PASV_HOST
- added --3p-url, --3p-user and --3p-quote
- -Q "+[command]" was added
- src/getpass.c license issue sorted (code was rewritten)
- curl -w now supports 'http_connect' for the proxy's response to CONNECT
- introducing "curl-config --protocols"
Bugfixes:
- re-sending a request when retrying on a fresh connection with multi interface
- improved valgrind report parser in the test suite
- several valgrind reports
- CURLOPT_FTPPORT and -P work when built ipv6-enabled
- FTP third party transfers was much improved
- proxy environment variables are now ignored when built HTTP-disabled
- CURLOPT_PROXY can now disable HTTP proxy even when built HTTP-disabled
- "curl dictionary.com" no longer assumes DICT protocol
- re-invoke some system calls on EINTR
- duplicate Host: when failed connection re-use
- SOCKS5 version check
- memory problem with cleaning up multi interface
- SSL certificate name memory leak
- -d with -G to multiple URLs crashed
- double va_list access crash fixed
- minor memory leak when "version" is set in a cookie header
- builds fine on BeOS and NetBSD
- builds and runs fine on FreeBSD
Fixed in 7.12.3 - December 20 2004
Changes:
- PKCS12 certificate support added
- added CURLINFO_SSL_ENGINES (and "--engine list")
- new configure options: --disable-cookies, --disable-crypto-auth and --disable-verbose
- persistent ftp request improvements
- CURLOPT_IOCTLFUNCTION and CURLOPT_IOCTLDATA added. If your app uses HTTP Digest, NTLM or Negotiate authentication, you will most likely want to use these
- -w time_redirect and num_redirects
- no longer uses libcurl.def for building on Windows, OS/2 and Netware
- builds on Windows CE
- request retrying, --retry and family added
- FTP 3rd party transfers with source and dest on the same host now works
- added CURLINFO_NUM_CONNECTS
Bugfixes:
- curl -E on windows accepts "c:/path" with forward-slash
- several improvements for large file support on windows
- file handle leak in aborted multipart formpost file upload
- -T upload multiple files with backslashes in file names
- modified credentials between two requests on a persistent http connection
- large file file:// resumes on Windows
- URLs with username and IPv6 numerical addresses
- configure works better with SSL libs in a "non-standard ld.so dir"
- curl-config --vernum zero prefixed
- bad memory access in the NTLM code
- EPSV on multi-homed servers now works correctly
- chunked-encoded transfers could get closed pre-maturely without error
- proxy CONNECT now default timeouts after 3600 seconds
- disabling EPSV or EPRT is ignored when connecting to an IPv6 FTP server
- no extra progress meter newline output after each Location: followed
- HTTP PUT/POST with Digest, NTLM or Negotiate no longer uses HEAD
- works with or gracefully bails out when exceeding FD_SETSIZE file descriptors
- CURLINFO_REDIRECT_TIME works
- building with gssapi libs and hdeaders in the default dirs
- curl_getdate() parsing of dates later than year 2037 with 32 bit time_t
- curl -v when stderr is closed wrote debug messages to the network socket
- build failure with libidn 0.3.X or older
- huge POSTs on VMS
- configure no longer uses pkg-config on cross-compiles
- potential gzip decompress memory leak
- "-C - --fail" on a HTTP page already downloaded
- formposting a zero byte file
- use setlocale() for better IDN functionality by default
Fixed in 7.12.2 - October 18 2004
Changes:
- the IDN code now verifies that only TLD-legitmate letters are used in the name or a warning is displayed (when verbose is enabled)
- provides error texts for IDN errors
- file upload parts in formposts now get their directory names cut off
- added CURLINFO_OS_ERRNO
- added CURLOPT_FTPSSLAUTH to allow ftp connects to attempt "AUTH TLS" instead before "AUTH SSL"
- curl_getdate() completely rewritten: may affect rare curl -z use cases
Bugfixes:
- CURLOPT_FTP_CREATE_MISSING_DIRS works for third party transfers
- memory leak for cookies received with max-age set
- potential memory leaks in the window name resolver
- URLs with ?-letters in the user name or password fields
- libcurl error message is now provided when send() fails
- no more SIGPIPE on Mac OS X and other SO_NOSIGPIPE-supporting platforms
- HTTP resume was refused if redirected
- configure's gethostbyname check when both nsl and socket libs are required
- configure --with-libidn now checks the given path before defaults
- a race condition sometimes resulting in CURLE_COULDNT_RESOLVE_HOST in the windows threaded name resolver code
- isspace() invokes with negative values in the cookie code
- a case of read-already-freed-data when CURLOPT_VERBOSE is used and a (very) persistent connection
- now includes descriptive error messages for IDN errors
- more forgivning PASS response code check for better working with proftpd
- curl/multi.h works better included in winsock-using apps
- curl_easy_reset() no longer enables the progress meter
- build fix for SSL disabled curl with SSL Engine support present
- configure --with-ssl=PATH now ignores pkg-config path info
- CURLOPT_SSLENGINE can be set to NULL even if no engine support is available
- LDAP crash when more than one record was received
- connect failures properly stores an error message in the errorbuffer
- Rare Location:-following problem with bad original URL
- -F can now add Content-Type on non-file sections
- double Host: header when following Location: with replaced Host:
- curl_multi_add_handle() return code
- "Proxy-Connection: close" is now understood and properly dealt with
- curl_getdate() crash
- downloading empty files now calls the write callback properly
- no reverse DNS lookups for ip-only addresses with ipv6-enabled libcurl
- file handler leak when getting an empty file:// URL
- libcurl works better multi-threaded on AIX (when built with xlc)
- cookies over proxy didn't match the path properly
- MSVC makefile fixes to build better
- FTP response 530 on 'PASS' now sends back a better error message
Fixed in 7.12.1 - August 10 2004
Changes:
- the version string now only contains info about (sub) package versions, while for example krb4 and ipv6 now only are available as 'features'
- added curl_easy_reset()
- socks proxy support even when libcurl is built ipv6-enabled
- read callbacks can stop the transfer by returning CURL_READFUNC_ABORT
- libcurl-tutorial.3 is the new man page formerly known as libcurl-the-guide
- additional SSL trace data might be sent to the debug callback using two new types: CURLINFO_SSL_DATA_IN and CURLINFO_SSL_DATA_OUT
- multipart formposts can upload files larger than system memory
- the curl tool continues with the next URL even if one transfer fails
- FTP 3rd party transfer support - seven new setopt() options
Bugfixes:
- UTF-8 encoded certificate names can now be verified properly
- krb4 link problem
- HTTP Negotiate service name now provided in uppercase
- no longer accepts any cookies with domain set to just a TLD
- HTTP Digest properties without quotes in the header
- bad Host: header case on re-used connections over proxy
- duplicate Host: header case on re-used connections
- curl -o name#[num] now works when no globbing for [num] exists
- test suite runs fine with valgrind 2.1.x
- negative Content-Length is ignored
- test 505 runs fine on windows
- curl_share_cleanup() crash
- --trace files now get the final info lines too
- multi interface connects fine to multi-IP resolving hosts
- --limit-rate works on Mac OS X (and other systems with bad poll()s)
- cookies can now hold 4999 bytes of content
- HTTP POST/PUT with NTLM/Digest/Negotiate to a URL returning 3XX
- HTTPS POST/PUT over a proxy requiring NTLM/Digest/Negotiate
- less restrictive libidn requirements, 0.4.1 or later is fine
- HTTP POST or PUT with Digest/Negotiate/NTLM selected but the server didn't require any authentication
- win32 file:// transfer free memory bug
- configure --disable-http builds a libcurl without HTTP support
- CURLOPT_FILETIME had wrong type in curl.h, it expects a long argument
- builds fine with Borland on Windows
- the msvc curllib.dsp now builds the libcurl.lib file
- builds fine on VMS
- builds fine on NetWare
- HTTP Digest authentication with proxies uses correct user name + password
- builds fine with lcc-win32
Fixed in 7.12.0 - June 2 2004
Changes:
- added ability to "upload" to file:// URLs
- added curl_global_init_mem()
- removed curl_formparse()
- the MSVC project file in the release archive is automatically built
- curl --proxy-digest is a new command line option
- the Windows version of libcurl can use wldap32.dll for LDAP
- added curl_easy_strerror(), curl_multi_strerror() and curl_share_strerror()
- IPv6-enabled Windows hosts now resolves names threaded/asynch as well
- configure --with-libidn can be used to point out the root dir of a libidn installation (version 0.4.5 or later) for curl to use, then libcurl can resolve and use IDNA names (domain names with "international" letters)
Bugfixes:
- incoming cookies with domains set with a prefixed dot now works better
- CURLOPT_COOKIEFILE and CURLOPT_COOKIE can be used in the same request
- improved peer certificate name verification
- allocation failures cause no leaks nor crashes
- the progress meter display now handles file sizes up to full 8 exabytes (which is as high a signed 64 bit number can reach)
- general HTTP authentication improvements
- HTTP Digest authentication with the proxy works
- mulipart formposting with -F and file names with spaces work again
- curl_easy_duphandle() now works when ares-enabled
- HTTP Digest authentication works a lot more like the RFC says
- curl works with telnet and stdin properly on Windows
- configure --without-ssl works even when pkg-config has OpenSSL details
- src/hugehelp.c builds correct again in non-configure build environments
Fixed in 7.11.2 - April 26 2004
Changes:
- removed maximum user+password+hostname size limit
- removed maximum dir depth limit for FTP
- the ares build now requires c-ares 1.2.0 or later
- --tcp-nodelay and CURLOPT_TCP_NODELAY were added
- curl/curlver.h contains the libcurl version info now
Bugfixes:
- configure --disable-manual works better
- removed a memory leak when doing a windows threaded resolve and it failed
- --proxy-ntlm now checks if libcurl supports NTLM before using it
- minor --fail with authentication bugfix
- CURLOPT_IPRESOLVE set to CURL_IPRESOLVE_V6 will now cause a returned error if the host only can resolve ipv4 addresses
- curl -4/-6 now actually sets the requested option in libcurl
- multi interface on Windows without ares works again
- improved resolution for the CURLINFO_*_TIME info variables
- getting only a 100 Continue response and nothing else, when talking HTTP, is now treated as an error by libcurl
- fixed minor memory leak in libcurl for Windows when statically linked
- POST/PUT using Digest/NTLM/Negotiate (including anyauth) now work better
- --limit-rate with high speed rates is a lot more accurate now, and supports limiting to speeds >2GB/sec on systems with Large File support.
- curl_strnqual.3 "refer-to" man page fix
- fixed a minor very old progress meter final update bug
- added checks for a working NI_WITHSCOPEID before that is used
- fixed a flaw that prevented ares name resolve timeouts to occur
- getting user name from http_proxy env variable works now
- fixed too early name resolve timeouts with ares
- HTTP Digest "re-negotiation" works now
- CURLOPT_FAILONERROR (-f/--fail) works with all kinds of authentication
- better thread-safety thanks to the internal strerror() replacement
- better thread-safety on AIX thanks to better function detection
- minor ipv6 build fix for windows
- the test suite runs fine with mingw-built curl
- the postit2.c example works now
- better error message when --interface fails on windows
- the progress meter now displays very long times better
- CURLINFO_CONTENT_LENGTH_DOWNLOAD with CURLOPT_NOBODY set TRUE now works
- passwords longer than 14 letters work with NTLM
- 'make netware' in the root dir works now
- builds fine on VMS again and even nicer than before
Fixed in 7.11.1 - March 19 2004
Changes:
- CURLOPT_POSTFIELDSIZE_LARGE added to offer POSTs larger than 2GB
- CURL_VERSION_LARGEFILE is a feature bit returned by libcurls that feature large file support
- libcurl only requires winsock 1.1 on windows now
- when doing FTP, curl now sends QUIT before disconnecting
- name resolves can now timeout on windows too
- $HOME is now recognized better when looking for .netrc files
- now re-uses the ares handle when re-using curl handles
- SO_BINDTODEVICE is used for network interface binding
- configure --disable-manual disables the built-in huge manual from the command line tool
- the default Accept: header used in HTTP requests changed
- asynch dns lookups now require the c-ares library
- curl --socks can be used to set a SOCKS5 proxy to use
- response-headers received after a (proxy) CONNECT request are now passed to the header callback just like other headers
Bugfixes:
- builds and runs on Novell NetWare
- Windows builds now report OS as "i386-pc-win32"
- received signals during SSL connect is handled better
- improved PUT/POST with NTLM/Digest authentication
- following redirects and doing NTLM/Digest (where the first connection gets closed) with the multi interface work better now
- file: progress meter and getinfo variables work now
- CURLOPT_FRESH_CONNECT and CURLAUTH_NTLM now work when set together
- share interface usage without (un)lock functions segfaulted
- --limit-rate no longer cripples the --speed-limit feature
- fixed verbose output problem with ipv6-enabled re-used connections
- fixed the socks5 code to check version in the socks response properly
- dns cache bug - fixed the 'inuse' counter
- large file fix for Content-Length
- better docs for the share interface
- several configure fixes for mingw/msys
- setting a Host: header is no longer affecting the Host: header used when libcurl follows a Location:
- fixed numerous compiler warnings on several operating systems and compilers
- PUTing from stdin couldn't disable chunked transfer-encoding
- corrected the mingw makefiles
- improved the configure libz detection
- fixed EPRT/PORT use when doing FTP on ipv6-enabled AIX hosts
- *nroff commands that only support -mandoc and not -man are now supported (for the built-in manual text in the command line tool)
- fixed the unconditional #include of config.h in hugehelp.c
- builds fine on MPE/iX
- upload using chunked transfer-encoding now sends the last chunk properly teriminated with an extra CRLF
- Fixed the progress meter display for files >2GB
- persistant connections over a proxy messed up the proxy name/password
- the socks5 code segfaulted if no username/password was set
- the *_LARGE options now take curl_off_t types as parameters and this will make it possible to handle large files on windows too
- builds with large file support even on systems without strtoll()
Fixed in 7.11.0 - January 22 2004
Changes:
- allows the URL to be set by a callback when using the multi interface
- large file support was added. Use one of the new options: INFILESIZE_LARGE, RESUME_FROM_LARGE and MAXFILESIZE_LARGE
- the new --ftp-pasv overrides a previous --ftpport
- CURLOPT_FTPSSL and ftps:// now do ssl over FTP "The Right Way" (the curl tool now features the --ftp-ssl option)
- The Windows DLLs are built with an added "resource file"
- New LIBCURL_VERSION_* defines for easier checking version number
- Included Mac OS X 'framework' makefile in the release archive
- Removed the TRUE and FALSE #defines from the public curl header file
- Added CURLOPT_NETRC_FILE
Bugfixes:
- improved config file parsing for options with required parameters
- using --trace with a bad file name could crash
- release archive contains compressed help text
- the win32 password prompting supports backspace
- builds natively on AmigaOS (without unix emulation)
- ftps:// now uses port 990 by default
- the "configure --with-spnego" action was improved
- fixed a rare follow-redirect problem
- curl-config --feature now outputs AsynchDNS if enabled
- occational re-use of freed-memory problem fixed
- curl-config --libs now include the ares link directory
- configure --enable-ares now accepts a given path
- -lz no longer appear twice on the link line
- more descriptive error message if the FTP response reader fails
- curl-config --feature now shows 'AsynchDNS' when built with ares
- VMS build up-to-date and clarified source code
- resolve bug caused socks5 to fail
- Content-Length: is ignored when getting chunked Transfer-Encoding
- POST over proxy to https server failed
- improved how libcurl deals with persistant connections over FTP when a transfer fails
- accessing a proxy that requires Basic auth without password caused a hang
- a free free-twice problem in the server certificate code
- minor memory leak when using ranges on persistant connections
- formpost parts sending files with .html extensions now use "Content-Type: text/html"
- formpost parts now default to "Content-Type: application/octet-stream"
- --progress-bar was slightly improved
- Failing to connect to localhost, using the multi interface on Solaris showed a connect problem now fixed.
- The generated ca-bundle.h file is now generated in the build dir, not the source dir
- The FTP-EPSV response parser for the 229 code was fixed
- curl finds the user's home dir slightly different and hopefully better on Windows
- testcurl.sh can now be used to autotest daily tarballs
- a couple of command line options now check that the underlying library actually supports the features before trying to enable them
- uninitialized variable fix
- better html versions of the man pages
Fixed in 7.10.8 - November 1 2003
Changes:
- --head now works on file:// URLs too
- file: URLs with only one initial slash now works too
- RELEASE-NOTES document added to the release archive to summarize the big and visible changes and bugfixes
- CURLOPT_MAXFILESIZE was added, and --max-filesize
- CURLOPT_PASSWDFUNCTION and CURLOPT_PASSWDDATA are no longer supported
- IPv6 is now supported on Windows builds too
- CURLOPT_IPRESOLVE lets you select pure IPv6 or IPv4 resolved addresses (curl offers the command line options -4/--ipv4 and -6/--ipv6)
- GSS-Negotiate works fine with the MIT kerberos library
- SPNEGO support added, if libcurl is built with the FBopenssl libraries, curl_version_info() can return a feature bit for it and curl -V displays SPNEGO as a feature if libcurl is built with it enabled
- easy handles added to a multi handle now share DNS cache automaticly
- CURLINFO_HTTPAUTH_AVAIL and CURLINFO_PROXYAUTH_AVAIL were added
- CURLOPT_FTP_RESPONSE_TIMEOUT was added
- NTLM, Digest and GSS-Negotiate authentications also work for HTTPS over proxies
- curl supports multiple -T flags to allow serveral uploaded files using a single command line
- CURLINFO_RESPONSE_CODE can return the last FTP response code
Bugfixes:
- added work-around for a name resolve problem on some glibc versions
- a rare ERRORBUFFER single-byte overflow was fixed
- HTTP-resuming an already downloaded file works better
- builds better on Solaris 8+ with gcc
- --disable-eprt works now
- improved CA cert verification
- --anyauth could bug when the first response had no body contents
- double password prompting when doing NTLM fixed
- improved performance when used multi-threaded on windows
- share-locking during DNS lookups was modified
- resume was not possible to switch off properly once enabled
- fixed the ipv4 connect code when a DNS entry has multiple IPs
- now checks subjectAltNames when matching certs
- HTTP POST using read callback works again
- builds fine on BeOS now
- CURLOPT_COOKIE set to NULL no longer sends the previously set cookie
- if an FTP transfer used a bad path, the next transfer could fail too
- ares-built libcurl resolves IP-only names properly
- changed the curl_lock_function proto to prevent warnings on some compilers
- builds fine on QNX 6.2.x now
- PUT with --digest works now
- --anyauth that picks NTLM and then follows a redirect (and does NTLM again) works now
- asynch resolves now work on NT4 too
- a DNS cache trash (possible segfault) was fixed
- runtests.pl clears all proxy environment variables before the test is run
- Microsoft's "Negotiate" authentication is now supported by the existing GSSNEGOTIATE option
- A set zero-length proxy name confused libcurl
- Digest authentication works again without OpenSSL on 64bit architectures
- configure --enable-thread works now
- buffer problems in the test suite's web server were fixed
- improved proxy password handling
- LDAP is again working nicely with the current OpenLDAP
- asynch name lookup for non-resolving hosts now return a proper error message
- CURLOPT_SSL_VERIFYHOST set to 1 no longer aborts if no CN field is obtainable, it will merely warn about it
- name resolve segfault with uClibc fixed
- multi interface and multi-part/formpost could end in segfault
- curl_multi_info_read() sets the msgs_in_queue to 0 when returning NULL
- multi interface, ares and non-resolving host caused a segfault
- minor single SSL memory leak fixed
- Setting CURLOPT_WRITEFUNCTION or CURLOPT_READFUNCTION to NULL resets them to default
Fixed in 7.10.7 - August 15 2003
Changes:
- CURLOPT_PROXYAUTH was added to allow different authentication methods on proxies (--proxy-ntlm was added to the curl tool).
- --ftp-create-dirs and CURLOPT_FTP_CREATE_MISSING_DIRS were added
- optional and still experimetal asynch name resolve support
- getting headers-only and no-body from FTP can now reply "Accept-Ranges" if the server seems to suppport REST.
Bugfixes:
- fixed a memory leak on re-used connections with proxy-authentication
- cookies with no contents are sent off too now
- 64bit-related bugfix for uploads
- file:// URLs with drive letters now work on windows and OS/2
- The output numbering (#[num]) on url globbing didn't work due to a bug in curl_msprintf()
- FTP persitent download directory re-use problem fixed
- cookie parser now only requires two dots in cookie domain
- FOLLOWLOCATION (or -L) did not always ignore the redirect page properly
- information leak fixed. When proxy authentication is used in a CONNECT request (as used for all SSL connects and otherwise enforced tunnel-thru-proxy requests), the same authentication header was also wrongly sent to the remote host.
- the VC++ Makefiles were updated
- builds better on VMS
- src/hugehelp.c is now distributed uncompressed in the source package
- the mkhelp script now compresses properly on DOS/Windows
Fixed in 7.10.6 - July 28 2003
Changes:
- CURLOPT_SSL_CTX_FUNCTION allows a custom callback for SSL connections
- multiple patches lets curl build and run on DOS
- libcurl now deals with spaces in Location: redirects and URLifies them
- curl --version shows more detailed info
- curl_version_info() now returns info on NTLM, GSS-Negotiate and Debug
- curl_version() includes "GSS" in the string if built with GSSAPI available
- Pick-best-authentication option added (--anyauth, using the CURLOPT_HTTPAUTH set to CURLAUTH_ANY)
- NTLM authentication support (--ntlm and CURLAUTH_NTLM)
- GSS-Negotiate authentication support (--negotiate and CURLAUTH_GSSNEGOTIATE)
- Digest authentication support added (--digest and CURLAUTH_DIGEST)
- Allow curl to switch (back to) to Basic authentication (--basic)
- libcurl supports name and password in proxy environment variables
Bugfixes:
- double slash after the host name on a FTP URL again points out the root dir
- obscure and rare DNS cache problem was fixed
- multiple FTP connections to the same host with different user names didn't work properly
- no more CWD commands without arguments for ftp connections
- curl no longer uses setvbuf() due to portability problems
- VMS build fixes
- the curl tool has the -M manual compressed internally if built with libz
- url globbing syntax error could cause segfault
- Huge (>40-60KB) GET requests over HTTPS failed.
- Content-Length now overrides socket-closed as a means of knowing when the response body is complete.
- --progress-bar takes the initial size into account when doing resumed downloads
- work around SSL bugs better
- libcurl typically issues POST requests with less send() calls
- better main makefile
- external headers improved portability
- Listing FTP directories without contents could leak a socket
- Getting HTTP contents in one line without headers failed
- bugfixed the socks5-proxy usage (twice)
- h_aliases name-lookup rare crash fixed
- improved curl -M output
- curl_unescape() now only unescapes valid %HH codes
Fixed in 7.10.5 - May 19 2003
Changes:
- support for Content-Encoding: gzip was added
- test cases modified to include server requirement in each test case file
- CURLOPT_FTP_USE_EPRT was added, --disable-eprt with the tool
- setting CURLOPT_ENCODING to "" automaticly enables all supported encodings
Bugfixes:
- libcurl now calls the progress meter during slow ftp responses as well
- a write loop resulting in badly updated progress meter was fixed
- non-blocking sockets fix for PORT ftp downloads
- CURLOPT_INTERFACE performance fix on Linux
- EAGAIN-fix improves HPUX (at least) functionality
- configure script fix for the writable argv check and cross-compiles
- features more verbose error message when some OpenSSL read errors occur
- improved ftp compliance with RFC1738, now performs individual CWD commands for each path part in the URL
- cookie overhaul: fixed jarsaving, improved path treatment and stricter cookie receiving, adjusts to Hosts: headers
- CURLINFO_CONNECT_TIME works with the multi interface too
- curl_easy_setopt() now returns correct error codes
- formposting .html files set Content-Type text/html now
- curl reports a new huge and verbose error message on CA cert problems
- libcurl now returns CURLE_SSL_CACERT on CA cert problems
- chunked-transfer deflate downloads work
- FTP-server responses to CWD are now more liberally treated
- fixed url parsing when '?' is used after the host name without '/'.
- curl -I on ftp files outputs the date with correct time zone (GMT)
- curl -z now works for FTP files (CURLOPT_TIMECONDITION)
- the default DEBUGFUNCTION outputs incoming headers as well
- Content-Type extraction did wrong if there was no space after the colon
- the MSVC project file was fixed
- no longer installs the ca bundle when built --without-ssl
- the boundary strings in formposts now look very similar to the ones IE uses
- test suite runs on cygwin
Fixed in 7.10.4 - April 2 2003
Changes:
- the curl tool now "clears" sensitive commands line args
- no more emacs local variables in the source files
- script for distributed, automatic, multi-platform testing added. Please join up and help us test the bleeding edge curl on various platforms!
- the "scratch buffer" is now only allocated when actually needed
- removed the strequal and strnequal macros from curl/curl.h
- added CURLOPT_UNRESTRICTED_AUTH / --location-trusted
Bugfixes:
- "curl -O" only, now outputs an error message accordingly
- builds fine on Redhat Linux 9 (configure fix)
- the CA cert bundle included a demo cert now removed
- changing some attributes between two transfers when re-using a connection did not "take effect" properly
- the test suite runs faster and hopefully a bit more reliably
- improved configure check for presence of functions, needed for HPUX
- the curl tool now makes a correct URL escaping when appending to the URL when using -T and the file name is appended to the URL.
- configure --enable-libgcc now explicitly add -lgcc to the linker
- better configure checks for headers (since some platforms got nasty warnings output previously)
- configure --help looks nicer
- data transfer bug on HP-UX systems
- improved random seeding for systems without a reliable random source
- 64bit Sparc compiler warnings removed
- a case where a connect failure didn't return an error string
- DNS cache problem in AIX 4.3 and later was fixed
- a POST-then-GET problem when re-using the same handle in libcurl
- extra precaution added for FTP servers returning 0 bytes to SIZE commands
- looping issue in the receive function (i.e badly updated progress meter)
- Fixed the 'Expect: 100-continue' behavior
- CURLOPT_MAXCONNECTS segfault fixed
- multi-interface connecting on Windows to non-listening ports fixed
- Curl_base64_encode() now encodes zero-bytes too properly
- fixed the infamous SSL error:00000000 outputs
- zlib build fix in the mingw makefile
- don't check for ca cert env variable if --insecure is used
- always use strict cert name check unless --insecure is used
- content-type extracting fixed
- DEBUGFUNCTION could be called with wrong arguments in uploads
- ftp downloads could wrongly return CURLE_PARTIAL_FILE in some conditions
- the fopen.c example code didn't work
- content-type extracting memory leak fixed
- curl/multi.h was fixed for C++ compiles
- .netrc file scanning for names+passwored fixed
- curl-config --cflags works even when include dirs isn't /usr/include
- CURLINFO_PRIVATE can return NULL properly
Fixed in 7.10.3 - January 14 2003
Changes:
- Added CURLOPT_PRIVATE and CURLINFO_PRIVATE
- Added CURLOPT_HTTP200ALIASES
- Added --create-dirs
- libcurl test cases have been added
- configure --enable-maintainer-mode was added
Bugfixes:
- Transfer-Encoding: chunked for uploads works
- Test cases 306 and 402 now run fine
- configure script bug related to CONTENT_ENCODING fixed
- Borland Makefiles up-to-date
- Name resolve fix to correct the 7.10.2-fix!
- curl/curl.h now has a more proper extern "C" for C++
- CURL_MAX_WRITE_SIZE lowered to 16KB: improves performance on Windows
- configure --enable-debug now cuts off -O* options to the compiler
- Using multi interface and proxy to non-listening port caused a hang
- CURLOPT_USERPWD-imposed memory leak removed
- Verbose connect message crash removed
- curl-config --cflags
- better SSL-reading with no CPU-eating loop left
- A base64 decoding bug was fixed (affected kerberos4)
- The MSVC++ Makefile for debug targets was improved
- Initing the global DNS cache is now done better
- "curl -I ftp://domain/non-existing-file" was flawed
- fixed wildcard name checks in server certificates
Fixed in 7.10.2 - November 18 2002
Changes:
- PDF versions of much documentation are included in the tarball
- Transfer-Encoding: chunked for uploads are now supported
Bugfixes:
- builds fine on MSVC again
- CURLOPT_CONNECTTIMEOUT works better
- name resolving failed with glibc 2.2.93
- libtool build fix for -no-undefined
- the follow location code could crash occasionally
- multi interface and FOLLOWLOCATION didn't work properly
- curl -j (CURLOPT_COOKIESESSION) didn't work properly
- config file parser could crash on the presense of CRLF newlines
- downloading HTTP without headers sometimes corrupted the data
- connecting to a bad port number with the multi interface did wrong
Fixed in 7.10.1 - October 11 2002
Changes:
- configure --without-zlib explicitly disables zlib in builds
Bugfixes:
- junk data could get inserted when saving HTTP headers
- telnet connections timeout properly
- make install when built outside source tree works again
- FOLLOW_LOCATION works for the multi interface too
- HTTP Location following now deals with ./ and ../ cases
- The OpenSSL ENGINE check was improved in the configure script
Fixed in 7.10 - October 1 2002
Changes:
- curl -x "" now disables proxy-usage completely
- The libcurl and thus the curl version string too are modified slightly
- added curl_version_info() for various runtime version info
- added curl_free() that allows freeing data libcurl malloced()
- CURLOPT_ENCODING added, supports decompression of compressed downloaded data This is used with 'curl --compressed'. This feature uses the libz library, if present.
- MIT-licensed only, no dual-stuff. That is history. Old. Gone. Forgotten.
- libcurl does peer certificate verification by default. This needs to be disabled if you need to talk to SSL servers in an insecure way! (curl -k does this). See further details in the UPGRADE document.
- SOCKS5-proxy support was added (somewhat flawed, see CHANGES for details)
- More SSL error codes was added
- CURLOPT_NOSIGNAL was added for multi-threaded programs to use
- --limit-rate is now supported
- CURLOPT_BUFFERSIZE sets a desired read buffer size
- The FTP PORT command uses a better default IP address
Bugfixes:
- transfer after a failed connect when using the multi interface
- headerless HTTP downloads
- "-C -" on multiple file downloads
- resume on file:// downloads
- memory leak in libcurl on repeated resume http downloads
- crashes on 64bit machines solved
- IPv6 IP-address only URLs sent bad Host: headers
- --silent is more silent when doing URL globbing fetches
- *multi_perform() now returns control properly when waiting for connect
- curl_formadd man page was corrected
- curl_escape() and curl_unescape() no longer deals with '+'
- improved performance on persistent transfers on windows
- no longer closes ftp connections unncessarily often
- -N works again
- the windows DLL now builds with the multi interface enabled
- the internal password prompt now uses stderr instead of stdout
- minor cookie parsing bug when no space came after the header colon
- better #ifdef conditions in the global curl header files
- the curl tool didn't allow POST of zero contents
- literal RFC2732-style IPv6 addresses didn't work
Fixed in 7.9.8 - June 13 2002
Changes:
- curl_formadd() can do file upload parts from buffer
- libcurl can be built with specific protocols disabled
- should build nicely with modified OpenSSL 0.9.7 API
- win32 timers now use higher resolution
- CURLOPT_CAPATH was added (--capath on the command line)
- CURLOPT_NETRC now supports optional or required netrc mode
- curl_formadd() now returns a CURLFORMcode type, not a plain int.
Bugfixes:
- name resolves can now time-out properly (on unix-like systems)
- an empty connect failure error message was filled in
- when curl_easy_perform() failed on an ftp transfer, it could leak a socket
- a curl_multi_remove_handle() crash was removed
- windows versions will no longer complain on "weak seeding"
- 64bit architectures could crash in the resolve code
- CURLINFO_REQUEST_SIZE now works as documented
- CURLINFO_REDIRECT_TIME returns a correct time now
- getting an empty FTP file does not cause an error anymore
- curl_multi_perform() works without curl_multi_fdset()
- re-using a connection over a proxy could do bad Host: headers
- CURLOPT_POST with a "" string could lead to a crash.
- better certificate loading
- Name resolve crash on platforms without *_r() functions removed
- minor compiler problems on FreeBSD fixed
Fixed in 7.9.7 - May 10 2002
Changes:
- CURLOPT_COOKIESESSION (-j with the client) starts a new cookie session
- --trace or --trace-ascii dump a full network/debug dump to a given file
- Added: curl_multi_info_read() is now implemented as documented
- Added CURLINFO_REDIRECT_TIME and CURLINFO_REDIRECT_COUNT
- CURLOPT_DEBUGFUNCTION gets called as documented
- -D with multiple URLs will append all headers in the same file
- multi interface transfers work better
- multiple transfers reset download counters better in between
- Pruning now prevents the DNS cache from growing out of proportions
- no_proxy didn't work when URL contained port numbers
- --interface didn't work for IPv6 enabled libcurls
- the TIMECOND defines are now using CURL_ prefixes
- Now uses less memory for name resolves on most operating systems
- pack_hostent works with 64 bit pointers
- Prunes old DNS cache entries
- HTTP 301 response after a POST now treated differently
- rfc1867-formposting a non-existent file now causes a failure
Fixed in 7.9.6 - April 14 2002
Changes:
- Added CURLOPT_DEBUGFUNCTION
- Added multi interface man pages, examples and public header files.
- All CURLFORM_* options can now be given in an array
- Added: -F supports filename= (using the new CURLFORM_FILENAME)
Bugfixes:
- libcurl skips preceeding white spaces in cookie contents
- CURLINFO_CONNECT_TIME is now set even when connect fails
- -x didn't use the documented default port
- RISC OS version now offers --environment
- HTTP/1.0 304-replies are dealt with better
- .curlrc is read from current directory if HOME isn't set
- The include file curl/curl.h compiles on pre-ISO compilers
- getting http headers-only could "hang" during 1 second extra
- verbose passive ftp transfers on AIX could crash
- improved re-use of dead proxy connections
- binary HTTP POSTs on Windows did not work (client-code problem)
- CRLF replacing in uploads was not working
- -G and -d work together again
- using verbose when doing ftp passive transfers could core dump
- IPv6 name lookups work again
- HTTP POST with data passed in with the read callback now works
- curl -O segfault
- --progress-bar
- Bugfixed a missing newline after --progress-bar output
Fixed in 7.9.5 - March 7 2002
Changes:
- Added CURLOPT_PREQUOTE
- -w now supports %{content_type}
Bugfixes:
- fixed the client-side backslash treatment in URLs
- Mofied the file hierarchy in the archive somewhat
- fixed the dowloaded header size counter
- fixed the cookie parser
- Replaced the former test HTTP server with a new one written in C
- fixed the total time counter that could end up blank at times
- Minor portability changes
- Tweaked name resolves with getaddrinfo() to run faster on Linux
- fixed big HTTP requests (such as big POSTs)
- fixed connection timeouts
- fixed Host: lines on multiple requests over proxy
- fixed 64bit archtitecture builds.
- fixed Expect: header disabling
- Improved the Windows makefiles and install documentation
- fixed multipart formposts
- fixed CURLINFO_CONTENT_TYPE
- fixed another SSL download problem
Fixed in 7.9.4 - March 4 2002
Changes:
- Introduced CURLINFO_CONTENT_TYPE
- CURLOPT_CUSTOMREQUEST can now be used with CURLOPT_POSTFIELDS
Bugfixes:
- Improved the gethostbyname_r configure check for HP-UX 11.00
- Bugfixed the DNS cache
- Bugfixed SSL download (due to the non-blocking sockets)
- Only seed SSL once for a program's life time
- IPv4-only Linux machines could crash on name resolves
- curl_getdate() is now fully reentrant
- The header length counter is now reset in each curl_easy_perform()
- Normal HTTP POSTs no longer append an extra set of CRLF
- Location: following on persistant connections work
- No longer installs the multi examples on make install.
Fixed in 7.9.3 - January 23 2002
Changes:
- introduced a DNS lookup cache
- OpenSSL ENGINE support (read CHANGES for full details)
- CURLFORM_CONTENTHEADER let's you add headers in form posts
Bugfixes:
- fixed multipart formposts with non-existing files
- builds with OpenSSL versions prior to 0.9.5 again
- SSL session cache crashed when filled
- improved timeouts with HTTPS
- bugfixed the cookie engine and parser
- HTTP code 204 is now treated properly
- libcurl now provides the FTP response lines to the header callback
- 64bit-architecture fixes
- bugfixed using proxy specified in an environment variable
- made libcurl support FTP operations without any transfer
- error messages are now stored without newlines
- -T file names get the path stripped before used remotely
- minor compiling problems fixed for some platforms
Fixed in 7.9.2 - December 5 2001
Changes:
- --disable-epsv is a new option to the curl command line tool
- added CURLOPT_FTP_USE_EPSV
- added CURLINFO_STARTTRANSFER_TIME
- added the -1/--TLSv1 option
Bugfixes:
- compiles and builds on the good old Mac OS (in addition to Mac OS X)
- bugfixed persistant connections over proxy with multiple protocols
- bugfixed verbose ftp output on Tru64 unix
- passive ftp download works with IPv6
- always return proper error code on failed connects
- bugfixed FTP response reader
- bugfixed verbose telnet
- bugfixed conditional HTTP fetches based on time
- multiple calls to curl_global_init() is now treated better
- bugfixed multiple ftp requests
- made -p/--proxytunnel work for plain HTTP as well
- "current speed" progress meter bugfix
- improved the name resolver configure check
- libcurl now restores signal handlers and timeouts properly
- improved SSL over HTTP-proxy when using weird proxies(!)
- bugfixed LDAP transfers
Fixed in 7.9.1 - November 4 2001
Changes:
- CURLE_GOT_NOTHING is a new possible error code
- -0/--http1.0 can now be used to set HTTP 1.0 operations
- 'curl' no longer uses curl_formparse()
- non-blocking connects
Bugfixes:
- much better connection re-use validity check
- bugfixed connection re-use for FTP urls containing name and password
- LDAP transfers no longer "hang"
- a memory leak in the cookie engine was removed
- curl_easy_duphandle() now duplicates cookie parser status too
- --fail now only returns error if HTTP code is >= 400
- a possible memory leak when a transfer failed was removed
- builds better in cygwin
- "current speed" meter more accurate
- -c without -b saves the cookies now
- bugfixed libcurl for "thread-hopping" on Windows
- removed memory leak in IPv6-enabled libcurl
- bugfixed curl_formadd()
- bugfixed CURLINFO_FILETIME
- bugfixed cookiejar
Fixed in 7.9 - September 23 2001
Changes:
- -R sets the timestamp of a downloaded file to the same as the remote file
- -c writes all cookies to a specified file (based on the new libcurl option CURLOPT_COOKIEJAR)
- SSL session ID caching is being done for multiple requests to the same hosts
- displays certificate expire date with SSL and verbose output
- curl_formadd() is a new function to replace the now deprecated curl_formparse() one, for building rfc1867 form posts.
- release archive now includes all docs as HTML pages too
Bugfixes:
- now properly returns an error code when connection to an SSL server with a non-legitimate certificate.
- CURLOPT_COOKIEFILE can now be specified any number of times
- fixed portability issue in the SSL code
- -G improvements, now works with -I and on URLs including question mark.
- various windows compile, build and makefile fixes
- multiple curl_easy_perform() invokes when a previous invoke followed a Location: could lead to a crash
- rfc1867-posts are now done including the Expect: 100-continue header.
- flushes the progress meter stream to improve look on windows
- fixed the configure script --with-ssl problem
Fixed in 7.8.1 - August 20 2001
Changes:
- added CURLOPT_HTTPGET
Bugfixes:
- the configure script now sets up socklen_t properly
- added the -G option that converts -d posts to use GET requests
- bugfix: CURLOPT_POST without postfields caused libcurl crash
- bugfixed the URL parser for IPv6 IP addresses (RFC 2732)
- corrected some minor size_t mixups in the code
- rfc1867-style form posts no longer has any size-limit
- bugfixed the redirected stderr feature
- more test cases added
- libcurl now verifies the CN name of server certificates when SSLing
- curl -E supports file names with driver letters now on windows
- curl-config --libs now includes the path to the installed libcurl
- file:// with "relative" paths now work like other tools/libs
- curl builds under RISC OS and OpenVMS now
- libcurl groks the NCSA httpd 1.5.x weirdo (non-standard) replies
- curl_escape() no longer tries to skip already encoded data
- progress callback minor bugfix
- bugfixed the main transfer select() loop!
- corrected FTP range downloads
- better treatment of cut off FTP transfers
- corrected the libcurl shared library version number
- improved configure --with-ssl handling
- multiple file download with resume works better
- formpost with field names containing space works now
- the ftp tests now run OK on IPv6 enabled hosts
- verifying certificates bugfixed
Fixed in 7.8 - June 7 2001
Changes:
- 'curl-config --vernum' shows version number as a hexadecimal number
- libcurl's got two new functions (for global init/cleanup)
Bugfixes:
- SSL memory leak fixed
- new file format for the tests in the test suite
- netscape/mozilla cookie file parser bugfix
- everything is now built with autoconf 2.50, libtool 1.4 and automake 1.4-p1
- libcurl's own version of 'strlcat' no longer pollutes the name space
- libcurl now treats an already completed resumed download as a successful operation, and not as an error like before
- https and ftps test cases added to the test suite (depend on stunnel)
- better white space awareness when parsing HTTP headers
- curl -I now plays ball even if the ftp server doesn't grok SIZE
- corrected resumed transfers on re-used persistent connections
- FTP PORT works again when libcurl is IPv6-enabled
- corrected path usage when doing multiple FTP transfers
- several Location: header related bugs corrected
Fixed in 7.7.3 - May 4 2001
Bugfixes:
- we've discovered that TELNET does not work under win32
- HTTP Content-Length: 0 works better
- HTTP 304-replies are better treated
- persistent connections with mixed chunked and non-chunked transfers work now
- connection re-use for non-proxy connections on non-default ports work
- corrected the OpenSSL version string output
Fixed in 7.7.2 - April 22 2001
Changes:
- 'curl-config' was added to help applications use libcurl
- A Tcl interface has been written
- A Java interface has been written
- A Ruby interface was announced
Bugfixes:
- The Perl interface is improved a lot
- Fixed download resumes on persistent connections
- connection timeouts work in windows
- HTTP_PROXY in uppercase is no longer used
- curl_escape() with a 0 length argument works now
- the MSVC projects files were updated
- the Borland makefiles were updated
- displays OpenSSL 0.9.6a properly in the version string
- The Host: headers could get wrong on persistent connections
Fixed in 7.7.1 - April 3 2001
Bugfixes:
- location:-fix
- two crash reasons removed
- ftps:// support added
- the perl interface corrected to work with 7.7
- bugfixed the HTTP/1.0 persistent connection support
- Passing a read-only URL to libcurl could make it crash on http redirects
- HEAD responses are now always headers-only
- curl could re-use connections a little too much
- different treatment of HTTP error 302
- following http redirects on persistent connections could reach the maxredirs amount accidentally
- curl_escape() don't re-encode already encoded letters anymore
Fixed in 7.7 - March 22 2001
Changes:
- supports HTTP proxy with IPv6
- curl_escape and curl_unescape are now part of the official libcurl interface
- libcurl speaks HTTP/1.1 lingo now
- persistent connection support
Bugfixes:
- the .netrc parser finds the home directory better
- fixed a crash that could happen with redirects and authentication
- improved random seeding for SSL connections
- improved TELNET functionality
Fixed in 7.6.1 - February 9 2001
Changes:
- partial IPv6 support (HTTP without proxy and only "active" FTP so far)
- two new options to curl_easy_getinfo() for file sizes were added
Bugfixes:
- following Location: when using Range: requests work
- telnet works again (7.6 crashed)
- Corrected the HTTP PUT resume
- Better Location: and HTTP return code (3xx) treatment
- Resumed transfer status is displayed in progress meter (though simple)
- HTTP download resume again complains if Range isn't supported
Fixed in 7.6 - January 26 2001
Changes:
- -g/--globoff was added to disable the URL globbing
- command line options can be written "merged" -ofile equals -o file
- initial but still basic IPv6 adjustments
Bugfixes:
- fixed 'total time' counter to be more accurate
- possible SSL-read problem fixed (which could make curl return empty HTML)
- no length restrictions on URLs anywhere in the libcurl code
- supports building outside the source-tree
- includes make-target for 'automatic' RPM package creation
- added multiple URL support on the command line
- krb4-ftp fixed
- massive symbol renaming of libcurl internals to decrease name pollution
Fixed in 7.5.2 - January 4 2001
Changes:
- new licensing, MPL or MIT/X
Bugfixes:
- updated man page
- FTP commands are now sent in single write()s
- removed a file descriptor leak when doing PORT ftp
- improved quote command error checks (FTP)
- misaligned free() crash removed (patch)
Fixed in 7.5.1 - December 11 2000
Changes:
- added Borland makefiles
Bugfixes:
- portability fixes for SCO and HPUX
- using an -o file name that is longer than the URL works (patch)
- multiple URLs and -o or -O works better! (patch)
Fixed in 7.5 - December 1 2000
Changes:
- new --max-redirs option and corrresponding CURLOPT_MAXREDIRS libcurl option.
- libcurl now supports getting the time of a remote file
- --head on a ftp file shows the modification time if available
- --cacert lets you specify a CA certificate to verify peer certificates against when doing HTTPS connections
- curl_formfree() added to libcurl
- added --url to allow URLs to be specified easier in the config file
Bugfixes:
- the shared libcurl library gets a proper version number now
- the MSVC++ makefiles are updated to work
- the test suite is much extened and enhanced
- supports any URL lengths
- ftp CWD could use wrong directory name (with trailing slash)
- ftp transfer failure could leak memory
- curl_unescape() could return a too long string
- deals with lowercase environment variables for proxy settings
- corrected spelling in a few error messages
- memory leaks removed
- improved config file parser
- config file parser crash fixed
- ยง in HTTP usernames or passwords made bad authorization headers.
Fixed in 7.4.2 - November 15 2000
Changes:
- an initial attempt to make a test suite is included
- binary/custom package information is added
- possibility to verify the peer's certificate for HTTPS connections (libcurl)
Bugfixes:
- configure now attempts to find openssl libs better
- the Host: port number could be wrong on HTTPS requests
- -T and -o can be used on the same command line (bugfix)
- file:// bugfix (free() twice)
- ftp --head now sets type first, as some servers report different sizes for different types
- ftp upload resume could hang if the whole file was already uploaded
- another cookie parser fix
- added possibilty to replace the internal 'enter password' function (libcurl)
- encoded username/password in URL is now supported
- username in http-URL bugfix
- fixed the timers when location: headers were followed
- timeouts are now working as supposed (under unix)!
- the interactive password input on win32 no longer echoes the password
- config file parser bugfix
- multiple -d options are now concatenated
- the memory debug system compiles on more systems
- passwords specified with -u can now properly contain @!
- The Host: header no longer sets port number for default ports (HTTP) (as suggested)
- -Y/-y bug fix (bug report)
- more informative error message when https has not been built-in
Fixed in 7.4.1 - October 16 2000
Bugfixes:
- Corrected the makefiles in the release archive!
Fixed in 7.4 - October 16 2000
Bugfixes:
- possible buffer overflow by an evil ftp server fixed
- removed typedef bool from the public include file
- more PHP-friendly multi-part posts (no more Content-Transfer-Encoding header)
- FTP forced ASCII transfers fixed
- memory leaks removed
- the --longoption parser was corrected
- HTTP download resume bugfix
- more information available with -w and curl_easy_getinfo()
- the HTTP request is now sent in one shot (single write())
- -w stuff moved out from the libcurl, the information is now served with the new library function curl_easy_getinfo()
- uploading with curl uses a smaller buffer to start with, to make a better progress meter
Fixed in 7.3 - September 28 2000
Changes:
- --proxytunnel, non-HTTP tunneled through a http proxy is added
- --interface allows you to specify outgoing interface
- --krb4 enables kerberos for ftp transfers
Bugfixes:
- file:// was fixed
- cookie parser bugfixed
- OpenSSL 0.9.6 usage fixed
- multiple downloaded files bugfix
- more resolver fixes
Fixed in 7.2.1 - August 31 2000
Bugfixes:
- Linux name resolve check in the configure script is fixed
- -I on ftp was fixed
- ftp files with + in the file name was corrected.
Fixed in 7.2 - August 30 2000
Changes:
- --data-binary was added to allow fully binary -d style posts.
Bugfixes:
- Name resolving problems fixed for AIX, HPUX, Digital Unix/Tru64...
- Updated the VC++ makefile
Fixed in 7.1.1 - August 21 2000
Bugfixes:
- No user but password in a URL is now working properly
- curl now allows replacing of the Content-Type: and Content-Length: headers when doing -d posts
- fixed a name resolving problem that appeared at times
- rearranged the gethostbyname_r() configure test
- -w did not do well when used with multiple URLs
Fixed in 7.1 - August 7 2000
Changes:
- CURLOPT_PROXYPORT added to curl_easy_setopt() in the lib
- Now features an 'auto referer' so that curl can set the "correct" referer when following location:
- removed CURLOPT_PROGRESSMODE from the lib
- libcurl offers a progress meter callback
- Lots of symbol renamings in the libcurl public stuff.
Bugfixes:
- builds libcurl as a shared library with libtool
- JavaWebServer's incorrect Content-Range headers are supported
- localtime_r() is now used if available instead of localtime()
- 'make install' installs the include files properly
- Replacing an internal HTTP header with one that has no content removes the header
- user+password is now restricted and sent only to the first host when Location: is followed to another host
- FTP command response reading now times out properly, even on win32
- rfc1867 form-posting was extended for use with large text posts
- FTP transfering (converted) ASCII could make curl wrongly believe the transfer was only partial, there is no way can tell the expected size of a file downloaded in FTP ASCII
- various manual corrections
- FTP transfers now accept 250 as well as 226 as a positive end-of-transfer result
- The configure check for requiring the nsl and socket lib at once was re-added
- Host: was not displaying the port number as supposed on non-standard ports
- HTTPS connection failures could slip through and make curl attempt reading at a dead socket
- Using -F, -I or -d in any weird mix now causes the curl client to alert
- FTP PORT command bug fixed
- HTTP POST and then following Location: now causes all except the first requests to become GET.
- win32 now sends data binary to stdout unless -B / --use-ascii is specified
- added a README.win32 file
- Custom headers when doing location: works again
- libcurl is much more threadsafe
- Many portability issues have been smoothened out
- The FTP range support were buggy and is now corrected
- Major re-organisation of all library internals to allow for a new library interface.
- A buffer overflow (with URLs larger than 4096 characters) was fixed
- The FTP sessions are slightly modified and now they're using CWD to change to the directory where the operation is requested.
- FTP URLs are now treated more like the RFC specifies (minor change)
- now sends user agent string when talking ftp through a http proxy
- made the progress meter nicer for sizes between 10 and 100 megabytes
- no longer checks for install twice in the configure script
- improved win32 headers for VC++ compiling
- minor fix when using libcurl in a multi-threaded program
- the OS/2 port was slightly adjusted
- location following through a http proxy on a specified non-default port didn't work
- location following to an absolute URL on a different port didn't work
Fixed in 6.5.2 - March 21 2000
Bugfixes:
- corrected the -D mockup that caused 6.5.1 to crash
Fixed in 6.5.1 - March 20 2000
Bugfixes:
- curl_unescape() buffer overrun removed
- -w 'http_code' works!
- OS/2 port
- adjusted to compile smoothly with MS VC++
- -D/--dump-header now only writes the file when needed, and not before
Fixed in 6.5 - March 13 2000
Changes:
- -N now disables output buffering
- the new -w/--write-out allows for script writers to specify what curl should output after a successful request
Bugfixes:
- now sends cookies space separated
- Corrected OpenSSL 0.9.5 compliance problems
- the perl scripts are moved out from the distribution
- Ultrix port
- -K config files no longer have a max line length
- new progress meter to better show both upload and download
- MacOS X port
- upload and download now performs simultaneously in case of need. This will make posting of big forms that are "echoed back" to finally work.
- the cookie parser shouldn't crash on empty cookie names, nor should it send empty cookies to the server anymore.
- -b now supports both @[filename] and @- for stdin
- unlimited line lengths in the config file
- Compiles on sunos4 again
- Corrected the removed possibility to chose the progress bar
- Made the max display width with progress bar 79 when the COLUMNS variable isn't set.
Fixed in 6.4 - January 17 2000
Changes:
- Ability to run --quote commands after ftp transfers now, as well as before
Bugfixes:
- Improved progress meter
- Getting files with URL syntax codes (%-stuff) from a ftp server was not dealt with nicely
- -b corrupted the cookie header lines when they were read off a server
- Cleaned up the interface between the lib and the curl tool.
- Made the -X's long option change name to --request and now you can specify full request command for ftp listings (like "LIST -l").
- Improved the --stderr workings for win32.
- BeOS port by Lars J. Aas!
Fixed in 6.3.1 - November 23 1999
Bugfixes:
- posting an empty variable with -F, like "name=" did cause curl to hang
- when the download from a http server gets cut off curl now warns about it
- better error checks when fwrite()ing the output
- minor fix that may correct the amiga-port problem
- A lethal cookie bug was fixed.
Fixed in 6.3 - November 10 1999
Changes:
- -b/--cookie is now capable of parsing and understanding the cookies saved in a netscape cookie file. This is useful when you want your script to better inherit the properties of your previous browser session.
- -H/--header now is capable of replacing internal headers. If you add a header that would've been used internally, the added will be used instead.
Bugfixes:
- -z (date-dependent HTTP fetches) now works better since we're doing a date comparison in the client as well.
- Corrected several mistakes in the man page.
- -I now works for ftp-files too. It merely shows the file size now.
- Simple range support added for ftp downloads.
- Following location: in a https:// header could lead to a crash.
Fixed in 6.2 - October 21 1999
Changes:
- --stderr now supports redirecting the stderr stream to stdout or a file now. This is mainly for victims of Windows.
- the configure script understands --without-ssl now!
Bugfixes:
- another bug in loction: following with proxies when the protocol part isn't specified was fixed
- fixed the lib Makefile to not include getpass twice when linking
- removed core-dump due to bad free after download was complete in src/main.c
- removed double text output when ftp-downloading
- config.guess recognizes Mac OS X
- HTTP headers are now parsed case insensitive!
Fixed in 6.1 - October 17 1999
Bugfixes:
- zlib proved not to be as easy to add as I had anticipated. I'll keep it on hold for now.
- moved the libcurl include files into a subdir named curl
- #include zlib.h fixes
- adjusted the maketgz script to reduce reruns of the configure when building
Fixed in 6.1 beta
Bugfixes:
- -d now can get data from a file or stdin
- HTTP: "Accept-Encoding: gzip,compress,deflate" - experiments
- Misc: Multiple URL download capacity
- HTTP: Made the -F form posting accept files from stdin as well.
Fixed in 6.0 - September 13 1999
Changes:
- ldap:// with openldap
- file:// works, for unix and win32
Bugfixes:
- cookie matching when using HTTP proxy
- better cookie sending (single line)
- QUOT fix for ftp
- ftp upload through http proxy is now allowed using HTTP PUT
- improved configure openssl path specifier
- enabled "custom" http requests (like DELETE or TRACE)
Earlier changes elsewhere