[RELEASE] curl 7.78.0

2021-07-21 Thread Daniel Stenberg via curl-library
Hi friends! I'm happy to announce another curl release. This time we bring a few changes and no less than FIVE security advisories (see subsequent mails about the specifics). Get curl as always from: https://curl.se/ curl and libcurl 7.78.0 Public curl releases: 201 Command line

[SECURITY ADVISORY] curl: Wrong content via metalink not discarded

2021-07-21 Thread Daniel Stenberg via curl-library
Wrong content via metalink not discarded Project curl Security Advisory, July 21st 2021 - [Permalink](https://curl.se/docs/CVE-2021-22922.html) VULNERABILITY - When curl is instructed to download content using the metalink feature, the conten

[SECURITY ADVISORY] curl: Metalink download sends credentials

2021-07-21 Thread Daniel Stenberg via curl-library
Metalink download sends credentials === Project curl Security Advisory, July 21st 2021 - [Permalink](https://curl.se/docs/CVE-2021-22923.html) VULNERABILITY - When curl is instructed to get content using the metalink feature, and a user name and passw

[SECURITY ADVISORY] curl: Bad connection reuse due to flawed path name checks

2021-07-21 Thread Daniel Stenberg via curl-library
Bad connection reuse due to flawed path name checks === Project curl Security Advisory, July 21st 2021 - [Permalink](https://curl.se/docs/CVE-2021-22924.html) VULNERABILITY - libcurl keeps previously used connections in a connection po

[SECURITY ADVISORY] curl: TELNET stack contents disclosure again

2021-07-21 Thread Daniel Stenberg via curl-library
TELNET stack contents disclosure again == Project curl Security Advisory, July 21st 2021 - [Permalink](https://curl.se/docs/CVE-2021-22925.html) VULNERABILITY - curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcur

[SECURITY ADVISORY] curl: CURLOPT_SSLCERT mixup with Secure Transport

2021-07-21 Thread Daniel Stenberg via curl-library
CURLOPT_SSLCERT mixup with Secure Transport === Project curl Security Advisory, July 21st 2021 - [Permalink](https://curl.se/docs/CVE-2021-22926.html) VULNERABILITY - libcurl-using applications can ask for a specific client certificate to be u

13.5 Export SSL session ids

2021-07-21 Thread Catalin Raceanu via curl-library
Hello, This is an attempt to implement 13.5 Export session ids feature from the TODO list. It only works for OpenSSL, but adding support for other back-ends should be rather straightforward. See PR#7467

7.78.0: configure: tweak nghttp2 library name fix

2021-07-21 Thread Christian Weisgerber via curl-library
This commit for curl 7.78.0... configure: fix nghttp2 library name for static builds https://github.com/curl/curl/commit/29c7cf79e8b44cfe98306a41a766d10e98c13d2b ... introduced a problem by assuming that LIB_H2 does not have any leading whitespace. At least OpenBSD's native pkg-config can produc

Re: 7.78.0: configure: tweak nghttp2 library name fix

2021-07-21 Thread Daniel Stenberg via curl-library
On Wed, 21 Jul 2021, Christian Weisgerber via curl-library wrote: Similar variable manipulation elsewhere in configure.ac uses sed, so I suggest to use the same idiom here: Thanks, I made a PR out of your patch: https://github.com/curl/curl/pull/7472 -- / daniel.haxx.se | Commercial curl s