cURL 7.26.0 - Changelog

What's new in cURL 7.26.0:

May 26th, 2012

Changes:
· nss: the minimal supported version of NSS bumped to 3.12.x
· nss: human-readable names are now provided for NSS errors if available
· add a manual page for mk-ca-bundle
· added --post303 and the CURL_REDIR_POST_303 option for CURLOPT_POSTREDIR
· smtp: Add support for DIGEST-MD5 authentication
· pop3: Added support for additional pop3 commands

Bugfixes:
· nss: libcurl now uses NSS_InitContext() to prevent collisions if available [1]
· URL parse: reject numerical IPv6 addresses outside brackets
· MD5: fix OOM memory leak
· OpenSSL cert: provide more details when cert check fails
· HTTP: empty chunked POST ended up in two zero size chunks
· fixed a regression when curl resolved to multiple addresses and the first isn't supported [7]
· -# progress meter: avoid superfluous updates and duplicate lines
· headers: surround GCC attribute names with double underscores
· PolarSSL: correct return code for CRL matches
· PolarSSL: include version number in version string
· PolarSSL: add support for asynchronous connect
· mk-ca-bundle: revert the LWP usage
· IPv6 cookie domain: get rid of the first bracket before the second
· connect.c: return changed to CURLE_COULDNT_CONNECT when opensocket fails
· OpenSSL: Made cert hostname check conform to RFC 6125
· HTTP: reset expected DL/UL sizes on redirects
· CMake: fix Windows LDAP/LDAPS option handling
· CMake: fix MS Visual Studio x64 unsigned long long literal suffix
· configure: update detection logic of getaddrinfo() thread-safeness
· configure: check for gethostbyname in the watt lib
· curl-config.1: fix curl-config usage in example
· smtp: Fixed non-escaping of dot character at beginning of line
· MakefileBuild.vc: use the correct IDN variable
· autoconf: improve handling of versioned symbols
· curl.1: clarify -x usage
· curl: shorten user-agent
· smtp: issue with the multi-interface always sending postdata
· compile error with GnuTLS+Nettle fixed
· winbuild: fix IPv6 enabled build

What's new in cURL 7.24.0:

February 21st, 2012

Changes:
· CURLOPT_QUOTE: SFTP supports the '*'-prefix now
· CURLOPT_DNS_SERVERS: set name servers if possible
· Add support for using nettle instead of gcrypt as gnutls backend
· CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes
· Added CURLOPT_ACCEPTTIMEOUT_MS
· configure: add symbols versioning option --enable-versioned-symbols

Bugfixes:
· curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036
· curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
· SSL session share: move the age counter to the share object
· -J -O: use -O name if no Content-Disposition header comes!
· protocol_connect: show verbose connect and set connect time
· query-part: ignore the URI part for given protocols
· gnutls: only translate winsock errors for old versions
· POP3: fix end of body detection
· POP3: detect when LIST returns no mails
· TELNET: improved treatment of options
· configure: add support for pkg-config detection of libidn
· CyaSSL 2.0+ library initialization adjustment
· multi interface: only use non-NULL socker function pointer
· call opensocket callback properly for active FTP
· don't call close socket callback for sockets created with accept()
· differentiate better between host/proxy errors
· SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5
· multi: handle timeouts on DNS servers by checking for new sockets
· CURLOPT_DNS_SERVERS: fix return code
· POP3: fixed escaped dot not being stripped out
· OpenSSL: check for the SSLv2 function in configure
· MakefileBuild: fix the static build
· create_conn: don't switch to HTTP protocol if tunneling is enabled
· multi interface: fix block when CONNECT_ONLY option is used
· Fix connection reuse for TLS upgraded connections
· multiple file upload with -F and custom type
· multi interface: active FTP connections are no longer blocking
· Android build fix
· timer: restore PRETRANSFER timing
· libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM
· appconnect time fixed for non-blocking connect ssl backends
· do not include SSL handshake into time spent waiting for 100-continue
· handle dns cache case insensitive
· use new host name casing for subsequent HTTP requests
· CURLOPT_RESOLVE: avoid adding already present host names
· SFTP mkdir: use correct permission
· resolve: don't leak pre-populated dns entries
· --retry: Retry transfers on timeout and DNS errors
· negotiate with SSPI backend: use the correct buffer for input
· SFTP dir: increase buffer size counter to avoid cut off file names
· TFTP: fix resending (again)
· c-ares: don't include getaddrinfo-using code
· FTP: CURLE_PARTIAL_FILE will not close the control channel
· win32-threaded-resolver: stop using a dummy socket
· OpenSSL: remove reference to openssl internal struct
· OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled
· OpenSSL: fix PKCS#12 certificate parsing related memory leak
· OpenLDAP: fix LDAP connection phase memory leak
· Telnet: Use correct file descriptor for telnet upload
· Telnet: Remove bogus optimisation of telnet upload
· URL parse: user name with ipv6 numerical address
· polarssl: show cipher suite name correctly with 1.1.0
· polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be insecure
· gnutls: enforced use of SSLv3

What's new in cURL 7.23.1:

February 21st, 2012

Bugfixes:
· Windows: curl would fail if it found no CA cert, unless -k was used. Even if a non-SSL protocol URL was used

What's new in cURL 7.23.0:

February 21st, 2012

Changes:
· Empty headers can be sent in HTTP requests by terminating with a semicolon
· SSL session sharing support added to curl_share_setopt()
· Added support to MAIL FROM for the optional SIZE parameter
· smtp: Added support for NTLM authentication
· curl tool: code split into tool_*.[ch] files

Bugfixes:
· handle HTTP redirects to "//hostname/path"
· SMTP without --mail-from caused segfault
· prevent extra progress meter headers between multiple files
· allow Content-Length to be replaced when sending HTTP requests
· curl now always sets postfieldsize to allow --data-binary and --data to be mixed in the same command line
· curl_multi_fdset: avoid FD_SET out of bounds
· lots of MinGW build tweaks
· Curl_gethostname: return un-qualified machine name
· fixed the openssl version number configure check
· nss: certificates from files are no longer looked up by file base names
· returning abort from the progress function when using the multi interface would not properly cancel the transfer and close the connection
· fix libcurl.m4 to not fail with modern gcc versions
· ftp: improved the failed PORT host name resolved error message
· TFTP timeout and unexpected block adjustments
· HTTP and GOPHER test server-side connection closing adjustments
· fix endless loop upon transport connection timeout
· don't clobber errno on failed connect
· typecheck: allow NULL to unset CURLOPT_ERRORBUFFER
· formdata: ack read callback abort
· make --show-error properly position independent
· set the ipv6-connection boolean correctly on connect
· SMTP: fix end-of-body string escaping
· gtls: only call gnutls_transport_set_lowat with HTTP: handle multiple auths in a single WWW-Authenticate line
· curl_multi_fdset: correct fdset with FTP PORT use
· windbuild: fix the static build
· fix builds with GnuTLS version 3
· fix calling of OpenSSL's ERR_remove_state(0)
· HTTP auth: fix proxy Negotiate bug when Negotiate not requested
· ftp PORT: don't hang if bind() fails
· -# would crash on terminals wider than 256 columns

What's new in cURL 7.22.0:

February 21st, 2012

Changes:
· Added CURLOPT_GSSAPI_DELEGATION
· Added support for NTLM delegation to Samba's winbind daemon helper ntlm_auth
· Display notes from setup file in testcurl.pl
· BSD-style lwIP TCP/IP stack experimental support on Windows
· OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available
· --delegation was added to set CURLOPT_GSSAPI_DELEGATION
· nss: start with no database if the selected database is broken
· telnet: allow programatic use on Windows

Bugfixes:
· curl_getdate: detect some illegal dates better
· when sending a request and an error is received before the (entire) request body is sent, stop sending the request and close the connection after having received the entire response. This is equally true if an Expect: 100-continue header was used.
· When using both -J and a single -O with multiple URLs, a missing init could cause a segfault
· -J fixed for escaped quotes
· -J fixed for file names with semicolons
· progress: reset flags at transfer start to avoid wrong CURLINFO_CONTENT_LENGTH_DOWNLOAD
· curl_gssapi: Guard files with HAVE_GSSAPI and rename private header
· silence picky compilers: mark unused parameters
· help output: more gnu like output
· libtests: stop checking for CURLM_CALL_MULTI_PERFORM
· setting a non-HTTP proxy with an environment variable or with CURLOPT_PROXY / --proxy (without specifying CURLOPT_PROXYTYPE) would still make it do proxy-like HTTP requests
· CURLFORM_BUFFER: insert filename as documented (regression)
· SOCKS: fix the connect timeout
· ftp_doing: bail out on error properly while multi interfacing
· improved Content-Encoded decoding error message
· asyn-thread: check for dotted addresses before thread starts
· cmake: find winsock when building on windows
· Curl_retry_request: check return code
· cookies: handle 'secure=' as if it was 'secure'
· tests: break busy loops in tests 502, 555, and 573
· FTP: fix proxy connect race condition with multi interface and SOCKS proxy
· RTSP: GET_PARAMETER requests have a body
· fixed several memory leaks in OOM situations
· bad expire(0) caused multi_socket API to hang
· Avoid ftruncate() static define with mingw64
· mk-ca-bundle.pl: ignore untrusted certs
· builds with PolarSSL 1.0.0

What's new in cURL 7.21.7:

June 24th, 2011

Changes:
· recognize the [protocol]:// prefix in proxy hosts where the protocol is one of socks4, socks4a, socks5 or socks5h.
· Added CURLOPT_CLOSESOCKETFUNCTION and CURLOPT_CLOSESOCKETDATA

Bugfixes:
· SECURITY ADVISORY: inappropriate GSSAPI delegation
· NTLM: work with unicode
· fix connect with SOCKS proxy when using the multi interface
· anyauthput.c: stdint.h must not be included unconditionally
· CMake: improved build
· SCP/SFTP enable non-blocking earlier
· GnuTLS handshake: fix timeout
· cyassl: build without filesystem
· HTTPS over HTTP proxy using the multi interface
· speedcheck: invalid timeout event on a reused handle
· Force connection close for HTTP 200 OK when time condition matched
· curl_formget: fix FILE * leak
· configure: improved OpenSSL detection
· Android build: support gingerbread
· CURLFORM_STREAM: acknowledge CURLFORM_FILENAME
· windows build: use correct MS CRT
· pop3: remove extra space in LIST command

What's new in cURL 7.21.6:

April 23rd, 2011

Changes:
· Added --tr-encoding and CURLOPT_TRANSFER_ENCODING

Bugfixes:
· curl-config: fix --version
· curl_easy_setopt.3: CURLOPT_PROXYTYPE clarification
· use HTTPS properly after CONNECT
· SFTP: close file before post quote operations

What's new in cURL 7.21.5:

April 18th, 2011

Changes:
· SOCKOPTFUNCTION: callback can say already-connected
· Added --netrc-file
· Added (new) support for cyassl
· TSL-SRP: enabled with OpenSSL
· Added CURLE_NOT_BUILT_IN and CURLE_UNKNOWN_OPTION

Bugfixes:
· nss: avoid memory leak on SSL connection failure
· nss: do not ignore failure of SSL handshake
· multi: better failed connect handling when using FTP, SMTP, POP3 and IMAP
· runtests.pl: fix pid number concatenation that prevented it from killing the correct process at times
· PolarSSL: Return 0 on receiving TLS CLOSE_NOTIFY alert
· curl_easy_setopt.3: Removed wrong reference to CURLOPT_USERPASSWORD
· multi: close connection on timeout
· IMAP in multi mode does SSL connections non-blocking
· honours the --disable-ldaps configure option
· Force setopt constants written by --libcurl to be long
· ssh_connect: treat libssh2 return code better
· SFTP upload could stall the state machine when the multi_socket API was used
· SFTP and SCP could leak memory when used with the multi interface and the connection was closed
· Added missing file to repair the MSVC makefiles
· Fixed detection of recvfrom arguments on Android/bionic
· GSS: handle reuse fix
· transfer: avoid insane conversion of time_t
· nss: do not ignore value of CURLOPT_SSL_VERIFYPEER in certain cases
· SMTP-multi: non-blocking connect
· SFTP-multi: set cselect for sftp and scp to fix "stall" risk
· configure: removed wrongly claimed default paths
· pop3: fixed torture tests to succeed
· symbols-in-versions: many corrections
· if a HTTP request gets retried because the connection was dead, rewind if any data was sent as part of it
· only probe for working ipv6 once and then re-use that info for further requests
· requests that are asked to bound to a local interface/port will no longer wrongly re-use connections that aren't
· libcurl.m4: Add missing quotes in AC_LINK_IFELSE
· progress output: don't print the last update on a separate line
· POP3: the command to send is STLS, not STARTTLS
· POP3: PASS command was not sent after upgrade to TLS
· configure: fix libtool warning
· nss: allow to use multiple client certificates for a single host
· HTTP pipelining: Fix handling of zero-length responses
· Don't list NTLM in curl-config when HTTP is disabled
· curl_easy_setopt.3: CURLOPT_RESOLVE typo version
· OpenSSL: build fine with no-sslv2 versions
· checkconnection: don't call with NULL pointer with RTSP and multi interface
· Borland makefile updates
· configure: libssh2 link fix without pkg-config
· certinfo crash
· CCC

What's new in cURL 7.21.4:

February 18th, 2011

Changes:
· CURLINFO_FTP_ENTRY_PATH now supports SFTP
· introduced new framework for unit-testing
· IDN: use win32 API if told to
· ares: ask for both IPv4 and IPv6 addresses
· HTTP: do Negotiate authentication using SSPI on windows
· Windows build: alternative makefile
· TLS-SRP: support added when using GnuTLS

Bugfixes:
· SMTP: add brackets for MAIL FROM
· ossl_seed: no more RAND_screen (on Windows)
· multi: connect fail => use next IP address
· use the timeout when using multiple IP addresses similar to how the easy interface does it
· cookies: tricked dotcounter fixed
· pubkey_show: allocate buffer to fit any-size result
· Curl_nss_connect: avoid PATH_MAX
· Curl_do: avoid using stale conn pointer
· tftpd test server: avoid buffer overflow report from glibc
· nss: avoid CURLE_OUT_OF_MEMORY given a file name without any slash
· nss: fix a bug in handling of CURLOPT_CAPATH
· CMake: Use upstream CheckTypeSize module
· OpenSSL get_cert_chain: support larger data sets
· SCP/SFTP transfers: acknowledge speedcheck
· GnuTLS builds: fix memory leak
· connect problem: use UDP correctly
· Borland C++ makefile tweaks
· OpenSSL: improved error message on SSL_CTX_new failures
HTTP: memory leak on multiple Location:
· ares_query_completed_cb: don't touch invalid data
· ares: memory leak fix
· mk-ca-bundle: use new cacert url
· Curl_gmtime: added a portable gmtime and check for NULL
· curl.1: typo in -v description
· CURLOPT_SOCKOPTFUNCTION: return proper error code
· --keepalive-time: warn if not supported properly
· file: add support for CURLOPT_TIMECONDITION
· nss: avoid memory leaks and failure of NSS shutdown
· multi: fix CURLM_STATE_TOOFAST for multi_socket

What's new in cURL 7.21.3:

December 16th, 2010

Changes:
· Added --noconfigure switch to testcurl.pl
· Added --xattr option
· Added CURLOPT_RESOLVE and --resolve
· Added CURLAUTH_ONLY
· Added version-check.pl to the examples dir

Bugfixes:
· check for libcurl features for some command line options
· Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
· http_chunks: remove debug output
· URL-parsing: consider ? a divider
· SSH: avoid using the libssh2_ prefix
· SSH: use libssh2_session_handshake() to work on win64
· ftp: prevent server from hanging on closed data connection when stopping a transfer before the end of the full transfer (ranges)
· LDAP: detect non-binary attributes properly
· ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
· gnutls->handshake: improved timeout handling
· security: Pass the right parameter to init
· krb5: Use GSS_ERROR to check for error
· TFTP: resend the correct data
· configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected
· GnuTLS: now detects socket errors on Windows
· symbols-in-versions: updated en masse
· added a couple examples that were missing from the tar ball
· Curl_send/recv_plain: return errno on failure
· Curl_wait_for_resolv (for c-ares): correct timeout
· ossl_connect_common: detect connection re-use
· configure: Prevent link errors with --librtmp
· openldap: use remote port in URL passed to ldap_init_fd()
· url: provide dead_connection flag in Curl_handler::disconnect
· lots of compiler warning fixes
· ssh: fix a download resume point calculation
· fix getinfo CURLINFO_LOCAL* for reused connections
· multi: the returned running handles conuter could turn negative
· multi: only ever consider pipelining for connections doing HTTP(S)

What's new in cURL 7.21.2:

October 17th, 2010

Changes:
· curl -T: ignore file size of special files
· Added GOPHER protocol support
· Added mk-ca-bundle.vbs script
· c-ares build now requires c-ares >= 1.6.0

Bugfixes:
· remote-header-name security vulnerability fixed
· multi: support the timeouts correctly, fixes known bug #62
· multi: use timeouts properly for MAX_RECV/SEND_SPEED
· negotiation: Wrong proxy authorization
· multi: avoid sending multiple complete messages
· cmdline: make -F type= accept ;charset=
· RESUME_FROM: clarify what ftp uploads do
· http: handle trailer headers in all chunked responses
· Curl_is_connected: use correct errno
· Added SSPI build to Watcom makefile
· progress: callback for POSTs less than MAX_INITIAL_POST_SIZE
· linking problem on Fedora 13
· Link curl and the test apps with -lrt explicitly when necessary
· chunky parser: only rewind stream internally if needed
· remote-header-name: don't output filename when NULL
· Curl_timeleft: avoid returning "no timeout" by mistake
· timeout: use the correct start value as offset
· FTP: fix wrong timeout trigger
· buildconf got better output on failures
· rtsp: avoid SIGSEGV on malformed header
· LDAP: Support for tunnelling queries through HTTP proxy
· configure's --enable-werror had a bashism
· test565: Don't hardcode IP:PORT
· configure: check for gcrypt if using GnuTLS
· configure: don't enable RTMP if the lib detect fails
· curl_easy_duphandle: clone the c-ares handle correctly
· MacOSX-Framework: updates for Snowleopard
· support URL containing colon without trailing port number
· parsedate: allow time specified without seconds
· curl_easy_escape: don't escape "unreserved" characters
· SFTP: avoid downloading negative sizes
· Lots of GSS/KRB FTP fixes
· TFTP: Work around tftpd-hpa upload bug
· libcurl.m4: several fixes
· HTTP: remove special case for 416
· examples: use example.com in example URLs
· globbing: fix crash on unballanced open brace
· cmake: build fixed

What's new in cURL 7.21.1:

August 12th, 2010

Changes:
· maketgz: produce CHANGES automatically
· added support for NTLM authentication when compiled with NSS
· build: Enable configure --enable-werror
· curl-config: --built-shared returns shared info

Bugfixes:
· configure: spell --disable-threaded-resolver correctly
· multi: call the progress callback in all states
· multi: unmark handle as used when no longer head of pipeline
· sendrecv: treat all negative values from send/recv as errors
· ftp-wildcard: avoid tight loop when used without any pattern
· multi_socket: re-use of same socket without notifying app
· ftp wildcard: FTP LIST parser FIX
· urlglobbing backslash escaping bug
· build: add enable IPV6 option for the VC makefiles
· multi: CURLINFO_LASTSOCKET doesn't work after remove_handle
· --libcurl: use *_LARGE options with typecasted constants
· --libcurl: hide setopt() calls setting default options
· curl: avoid setting libcurl options to its default
· --libcurl: list the tricky options instead of using [REMARK]
· http: don't enable chunked during authentication negotiations
· upload: warn users trying to upload from stdin with anyauth
· configure: allow environments variable to override internals
· threaded resolver: fix timeout issue
· multi: fix condition that remove timers before trigger
· examples: add curl_multi_timeout
· --retry: access violation with URL part sets continued
· ssh: Fix compile error on 64-bit systems.
· remote-header-name: chop filename at next semicolon
· ftp: response timeout bug in "quote" sending
· CUSTOMREQUEST: shouldn't be disabled when HTTP is disabled
· Watcom makefiles overhaul.
· NTLM tests: boost coverage by forcing the hostname
· multi: fix FTPS connecting the data connection with OpenSSL
· retry: consider retrying even if -f is used
· fix SOCKS problem when using multi interface
· typecheck-gcc: add checks for recently added options
· SCP: send large files properly with new enough libssh2
· multi_socket: set timeout for 100-continue
· ";type=" URL suffix over HTTP proxy
· acknowledge progress callback error returns during connect
· Watcom makefile fixes
· runtests: clear old setenv remainders before test

What's new in cURL 7.21.0:

June 19th, 2010

Changes:
· added the --proto and -proto-redir options
· new configure option --enable-threaded-resolver
· improve TELNET ability with libcurl
· added support for PolarSSL
· added support for FTP wildcard matching and downloads
· added support for RTMP
· introducing new LDAP code for new enough OpenLDAP
· OpenLDAP support enabled for cygwin builds
· added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and CURLINFO_LOCAL_PORT

Bugfixes:
· prevent needless reverse name lookups
· detect GSS on ancient Linux distros
· GnuTLS: EOF caused error when it wasn't
· GnuTLS: SSL handshake phase is non-blocking
· -J/--remote-header-name strips CRLF
· MSVC makefiles now use ws2_32.lib instead of wsock32.lib
· -O crash on windows
· SSL handshake timeout underflow in libcurl-NSS
· multi interface missed storing connection time
· broken CRL support in libcurl-NSS
· ignore response-body on redirect even if compressed
· OpenSSL handshake state-machine for multi interface
· TFTP timeout option sent correctly
· TFTP block id wrap
· curl_multi_socket_action() timeout handles inaccuracy in timers better
· SCP/SFTP failure to respect the timeout
· spurious SSL connection aborts with OpenSSL

What's new in cURL 7.20.1:

May 12th, 2010

Changes:
· The 'ares' subtree has been removed from the source repository
· smoother rate limiting
· allow user+password in the URL for all protocols
· POP3: Get message listing if no mailbox in URL

Bugfixes:
· VMS builder bad behavior when used in a batch job
· multiple recepients with SMTP
· fixed the CURL_FORMAT_* defines when building with cmake
· missing quote in libcurl.m4
· SMTP: now waits for 250 after the DATA transfer
· SMTP: use angle brackets in RCPT TO
· curl --trace-time not using local time
· off-by-one in the chunked encoding trailer parser
· superfluous blocking for OpenSSL-based SSL connects and multi interface
· TFTP upload
· FTP timeouts after file transferred completely
· skip poll() on Interix
· CURLOPT_CERTINFO memory leak
· sub-second timeouts improvements
· configure fixes for GSSAPI
· threaded resolver double free when closing curl handle
· configure fixes for building with the clang compiler
· easy interix rate limiting logic
· curl_multi_remove_handle() caused use after free
· TFTP improved error codes
· TFTP fixed TSIZE handling for uploads
· SSL possible double free when reusing curl handle
· alarm()-based DNS timeout bug
· re-used FTP connection multi interface crash
· chunked-encoding with Content-Length: header problem
· multi interface HTTP POST over a proxy using PROXYTUNNEL
· RTSP GET_PARAMETER
· timeout after last data chunk was handled
· SFTP download hang
· FTP quote commands prefixed with '*' now can fail without aborting

What's new in cURL 7.19.7:

November 7th, 2009

Changes:
· -T. is now for non-blocking uploading from stdin
· SYST handling on FTP for OS/400 FTP server cases
· libcurl refuses to read a single HTTP header longer than 100K
· added the --crlfile option to curl

Bugfixes:
· The windows makefiles work again
· libcurl-NSS acknowledges verifyhost
· SIGSEGV when pipelined pipe unexpectedly breaks
· data corruption issue with re-connected transfers
· use after free if we're completed but easy_conn not NULL (pipelined)
· missing strdup() return code check
· CURLOPT_PROXY_TRANSFER_MODE could pass along wrong syntax
· configure --with-gnutls=PATH fixed
· ftp response reader bug on failed control connections
· improved NSS error message on failed host name verifications
· ftp NOBODY on re-used connection hang
· configure uses pkg-config for cross-compiles as well
· improved NSS detection in configure
· cookie expiry date at 1970-jan-1 00:00:00
· libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
· libcurl-OpenSSL can load CRL files with more than one certificate inside
· received cookies without explicit path got saved wrong if the URL had a query part
· don't shrink SO_SNDBUF on windows for those who have it set large already
· connect next bug
· invalid file name characters handling on Windows
· double close() on the primary socket with libcurl-NSS
· GSS negotiate infinite loop on bad credentials
· memory leak in SCP/SFTP connections
· use pkg-config to find out libssh2 installation details in configure
· unparsable cookie expire dates make cookies get treated as session coookies
· POST with Digest authentication and "Transfer-Encoding: chunked"
· SCP connection re-use with wrong auth
· CURLINFO_CONTENT_LENGTH_DOWNLOAD for 0 bytes transfers
· CURLINFO_SIZE_DOWNLOAD for ldap transfers (-w size_download)

What's new in cURL 7.19.5:

June 16th, 2009

Changes:
· libcurl now closes all dead connections whenever you attempt to open a new connection
· libssh2's version number can now be figured out run-time instead of using the build-time fixed number
· CURLOPT_SEEKFUNCTION may now return CURL_SEEKFUNC_CANTSEEK
· curl can now upload with resume even when reading from a pipe
· a build-time configured curl_socklen_t is now used instead of socklen_t

Bugfixes:
· NTLM authentication memory leak on SSPI enabled Windows builds
· fixed the GnuTLS-using code to do correct return code checks
· an alloc-related call in the OpenSSL-using code didn't check the return value
· curl_easy_duphandle() failed to duplicate cookies at times
· missing TELNET timeout support in Windows builds
· missing Curl_read() and write callback result checking in TELNET transfers
· more ciphers enabled in libcurl built to use NSS
· properly return an error code in curl_easy_recv
· Sun compilers specific preprocessor block removed from curlbuild.h.dist
· allow creation of four way fat libcurl Mac OS X Framework
· several memory leaks in libcurl+NSS
· improved the CURLOPT_NOBODY set to 0 confusions
· persistent connections when doing FTP over a HTTP proxy
· --libcurl bogus strings where other data was pointed to
· crash related to FTP and "Re-used connection seems dead, get a new one"
· CURLINFO_APPCONNECT_TIME with the multi interface
· Enhanced upload speeds on Windows
· TFTP problems after a failed transfer to the same host
· improved out of the box TPF compatibility
· HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF
· Rejected SSL session ids are killed properly (for OpenSSL and GnuTLS builds)
· Deal with the TFTP OACK packet
· fixed roff mistakes in man pages
· use SOCKS proxy with the multi interface
· fixed the Curl_getoff_all_pipelines SIGSEGV
· POST, NTLM and following a redirect hang
· libcurl+NSS endless loop on incorrect password for private key
· gzip decompression memory leak
· no_proxy flaw with user name in URL

What's new in cURL 7.19.4:

June 16th, 2009

Changes:
· Added CURLOPT_NOPROXY and the corresponding --noproxy
· the OpenSSL-specific code disables TICKET (rfc5077) which is enabled by default in openssl 0.9.8j
· Added CURLOPT_TFTP_BLKSIZE
· Added CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC - with the corresponding curl options --socks5-gssapi-service and --socks5-gssapi-nec
· Improved IPv6 support when built with with c-ares >= 1.6.1
· Added CURLPROXY_HTTP_1_0 and --proxy1.0
· Added docs/libcurl/symbols-in-versions
· Added CURLINFO_CONDITION_UNMET
· Added support for Digest and NTLM authentication using GnuTLS
· CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry the CWD even when MKD fails
· GnuTLS initing moved to curl_global_init()
· Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS, see also the security advisory

Bugfixes:
· missing ssh.obj in VS makefiles
· FTP ;type=i URLs now work with CURLOPT_PROXY_TRANSFER_MODE in Turkish locale
· realms with quoted quotation marks in HTTP Digest headers
· VC9 makefiles are now really included
· multi interface memory leak with CURLMOPT_MAXCONNECTS set
· CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with CURLOPT_NOBODY set true
· memory leak on some libz errors for content encodings
· NSS-enabled build is repaired
· superfluous wait in SFTP downloads removed
· FTP with the multi interface no longer kills the control connection as easily on transfer failures
· compilation halting when using VS2008 to build a Windows 2000 target
· ease creation of libcurl Mac OS X Framework
· CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD are -1 if unknown
· Negotiate proxy authentication
· CURLOPT_INTERFACE and CURLOPT_LOCALPORT used together

What's new in cURL 7.19.3:

June 16th, 2009

Changes:
· CURLAUTH_DIGEST_IE bit added for CURLOPT_HTTPAUTH and CURLOPT_PROXYAUTH
· VC9 Makefiles were added to the release package

Bugfixes:
· build failure when disabling FTP but enabling GSS
· fixed several calls to memory functions that didn't check return codes
· memory leak for SSL connects with libcurl/NSS when CURLOPT_ISSUERCERT was used
· re-use of connections with the multi interface when multiple handles used the same server
· memory leak with HTTP GSS/kerberos authentication
· removed the default use of "Pragma: no-cache"
· fix SCP/SFTP busyloop by using a new libssh2 1.0 function
· bad fclose() after a fatal error in cookie code
· curl_multi_remove_handle() when the handle was in use in a HTTP pipeline
· GSS authentication infinite loop problem
· 550 response from SIZE no longer treated as missing file
· ftps:// control connections now use explicit protection level
· dotted IPv6 addresses longer than 39 bytes failed
· curl_easy_duphandle() doesn't try to duplicate the connection cache pointer
· build failure on OS/400 when enabling IPv6
· better detection of SFTP failures
· improved connection re-use for subsequent SCP and SFTP transfers
· multi interface does less busy-loops for SCP and SFTP transfers with libssh2 1.0 or later
· curl_multi_timeout() no longer returns timeout 0 when there's still more than 0 but less than 999 microseconds left
· the multi_socket API and HTTP pipelining now work a lot better when combined
· SFTP seek/resume beyond 32bit file sizes
· fixed breakage with --with-ssl --disable-verbose
· TTL "leak" in the DNS cache
· improved NSS initing
· curl_easy_reset now resets more options
· rare Location: follow bug with the multi interface
· the configure script can now detect gnutls with pkg-config
· curlbuild.h was adjusted for SunPro compilers
· CURLOPT_COOKIELIST set to "SESS" on an easy handle with no cookies data
· fixed timeouts for TFTP
· fixed PPC builds

What's new in cURL 7.19.2:

January 6th, 2009

Bugfixes:
· build failure when using MSVC 6 makefile and on four platforms more
· crash when using --interface name on Linux systems with a TEQL device
· using the multi interface to download a HTTPS page with libcurl built powered by OpenSSL could download "rubbish" instead of actual content

What's new in cURL 7.19.0:

November 3rd, 2008

Changes:
· curl_off_t gets its size/typedef somewhat differently than before. This _may_ cause an ABI change for you. See lib/README.curl_off_t for a full explanation.
· Added CURLINFO_PRIMARY_IP
· Added CURLOPT_CRLFILE and CURLE_SSL_CRL_BADFILE
· Added CURLOPT_ISSUERCERT and CURLE_SSL_ISSUER_ERROR
· curl's option parser for boolean options reworked
· Added --remote-name-all
· Now builds for the INTEGRITY operating system
· Added CURLINFO_APPCONNECT_TIME
· Added test selection by key word in runtests.pl
· the curl tool's -w option support the %{ssl_verify_result} variable
· Added CURLOPT_ADDRESS_SCOPE and scope parsing of the URL according to RFC4007
· Support --append on SFTP uploads (not with OpenSSH, though)
· Added curlbuild.h and curlrules.h to the external library interface
Bugfixes:
· Fixed curl-config --ca
· Fixed the multi interface connection re-use with NSS-built libcurl
· connection re-use when using the multi interface with pipelining enabled
· curl_multi_socket() socket callback fix for close/re-create sockets case
· SCP or SFTP over socks proxy crashed
· RC4-MD5 cipher now works with NSS-built libcurl
· range requests with --head are now done correctly
· fallback to gettimeofday when monotonic clock is unavailable at run-time
· range numbers could be made to wrongly get output as signed
· unexpected 1xx responses hung transfers
· FTP transfers segfault when using different CURLOPT_FTP_FILEMETHOD
· c-ares powered libcurls can resolve/use IPv6 addresses
· poll not working on Windows Vista due to POLLPRI being incorrectly used
· user-agent in CONNECT with non-HTTP protocols
· CURL_READFUNC_PAUSE problems fixed
· --use-ascii now works on Symbian OS, MS-DOS and OS/2
· CURLINFO_SSL_VERIFYRESULT is fixed
· FTP URLs and IPv6 URLs mangled when sent to proxy with CURLOPT_PORT set
· a user name in a proxy URL without a password was parsed incorrectly
· library will now be built with _REENTRANT symbol defined only if needed
· no longer link with gdi32 on Windows cross-compiled targets
· HTTP PUT with -C - sent bad Content-Range: header
· HTTP PUT or POST with redirect could lead to hang
· re-use of connections with failed SSL connects in the multi interface
· NTLM over proxy state was wrongly cleared when host connection was closed
· Windows SSPI DLL loading is now done in curl_global_init()
· runtests.pl has an improved find-stunnel-and-invoke
· FTP sessions could go out of sync on a long header boundary condition
· potential buffer overflows in the MS-DOS command-line port fixed
· --stderr is now honoured with the -v option
· memory leak in libcurl on Windows built with OpenSSL
· improved curl_m*printf() integral data type size and signedness handling
· error when --dump-header - used with more than one URL
· proxy closing connect during CONNECT with auth with the multi interface
· CURLOPT_UPLOAD sets HTTP method back to GET or HEAD when passed in a 0
· shared cookies could get locked twice

What's new in cURL 7.17.0:

September 25th, 2007

Changes:
· support for OS/400 Secure Sockets Layer library
· curl_easy_setopt() now allocates strings passed to it
· SCP and SFTP support now requires libssh2 0.16 or later
· LDAP libraries are now linked "regularly" and not with dlopen
· HTTP transfers have the download size info "available" earlier
· FTP transfers have the download size info "available" earlier
· builds and runs on OS/400
· several error codes and options were marked as obsolete and subject to future removal (set CURL_NO_OLDIES to see if your application is using them)
· SFTP errors can return more specific error codes
Bugfixes:
· test cases 31, 46, 61, 506, 517 now work in time zones that use leap seconds
· problem with closed proxy connection during HTTP CONNECT auth negotiation
· transfer-encoding skipping didn't ignore the 407 response bodies properly
· CURLOPT_SSL_VERIFYHOST set to 1
· CONNECT endless loop
· krb5 support builds with Heimdal
· added returned error string for connection refused case
· re-use of dead FTP control connections
· login to FTP servers that don't require (nor understand) PASS after the USER command
· bad free of memory from libssh2
· the SFTP PWD command works
· HTTP Digest auth on a re-used connection
· FTPS data connection close
· AIX 4 and 5 get to use non-blocking sockets
· small POST with NTLM
· resumed file:// transfers
· CURLOPT_DNS_CACHE_TIMEOUT and CURLOPT_DNS_USE_GLOBAL_CACHE are 64 bit "clean"
· memory leak when handling compressed data streams from broken servers
· no NTLM unicode response
· resume HTTP PUT using Digest authentication
· FTP NOBODY requests on directories sent "SIZE (null)"
· FTP NOBODY request on file crash
· excessively long FTP server responses and response lines
· file:// upload then FTP:// upload crash
· TFTP error 0 is no longer treated as success
· uploading empty file over FTP on re-used connection
· superfluous CWD command on re-used FTP connections without subdirs used

What's new in cURL 7.16.3:

June 28th, 2007

Changes:
· added curl_multi_socket_action()
· deprecated curl_multi_socket()
· uses less memory in non-pipelined use cases
· CURLOPT_HTTP200ALIASES matched transfers assume HTTP 1.0 compliance
· more than one test harness can run at the same time without conflict
· SFTP now supports quote commands before a transfer
· CURLMOPT_MAXCONNECTS added to curl_multi_setopt()
· upload resume works for file:// URLs
· asynchronous name resolves now require c-ares 1.4.0 or later
· added SOCKS test cases
· CURLOPT_FTP_CREATE_MISSING_DIRS and --ftp-create-dirs now work for SFTP operations as well
Bugfixes:
· if2up too long interface name memory leak
· test case 534 started to fail 2007-04-13 due to the existance of a new host on the net with the same silly domain the test was using for a host which was supposed not to exist.
· test suite SSL certificate works better with newer stunnel
· internal progress meter update frequency back to once per second
· avoid some unnecessary calls to function gettimeofday
· a double-free in the SSL-layer
· GnuTLS free of NULL credentials
· NSS-fix for closing down SSL
· bad warning from configure when gnutls was selected
· compilation on VMS 64-bit mode
· SCP/SFTP downloads could hang on the last bytes of a transfer
· curl_easy_duphandle() crash
· curl -V / curl_version*() works even when GnuTLS is used on a system without a good random source
· curl_multi_socket() not "noticing" newly added handles
· lack of Content-Length and chunked encoding now requires HTTP 1.1 as well to be treated as without response body
· connection cache growth in multi handles
· better handling of out of memory conditions
· overwriting an uploaded file with sftp now truncates it first
· SFTP quote commands chmod, chown, chgrp can now set a value of 0
· TFTP connect timouts less than 5 seconds
· improved curl -w for TFTP transfers
· memory leak when failed OpenSSL certificate CN field checking
· memory leak when OpenSSL failed PKCS #12 parsing
· FPL-SSL when built with NSS
· out-of-boundary write in Curl_select()
· -s/--silent can now be used to toggle off the silence again
· builds fine on 64bit HP-UX
· multi interface HTTP CONNECT glitch
· list FTP root directories when login dir is not root
· no longer slows down when getting very many URLs on the same command line
· lock share before decreasing dirty counter
· no-body FTP requests on re-used connections

What's new in cURL 7.16.2:

April 14th, 2007

Changes:
· added CURLOPT_TIMEOUT_MS and CURLOPT_CONNECTTIMEOUT_MS
· added CURLOPT_HTTP_CONTENT_DECODING, CURLOPT_HTTP_TRANSFER_DECODING and --raw
· added support for using the NSS library for TLS/SSL
· changed default anonymous FTP password
· changed the CURLOPT_FTP_SSL_CCC option to handle active and passive CCC shutdown
· added the --ftp-ssl-ccc-mode command line option
· includes VC8 Makefiles in the release archive
· --ftp-ssl-control is now honoured on ftps:// URLs
· added experimental CURL_ACKNOWLEDGE_EINTR symbol definition check
· --key and new --pubkey options for SSH public key file logins
· --pass now works for a SSH public key file, too
· select (2) support no longer needed to build the library if poll() used
· CURLOPT_POSTQUOTE works for SFTP
Bugfixes:
· in testsuite, update test cookies expiration from 2007-Feb-1 to year 2035
· socks5 works
· builds fine with VC2005
· CURLOPT_RANGE set to NULL resets the range for FTP
· curl_multi_remove_handle() rare crash
· passive FTP transfers work with SOCKS
· multi interface HTTPS connection re-use memory leak
· libcurl.m4's --with-libcurl is improved
· curl-config --libs and libcurl.pc no longer list unnecessary dependencies
· fixed an issue with CCC not working on some servers
· several HTTP pipelining problems
· HTTP CONNECT thru a proxy is now less blocking when the multi interface is used
· HTTP Digest header parsing fix for unquoted last word ending with CRLF
· CURLOPT_PORT, HTTP proxy, re-using connections and non-HTTP protocols
· CURLOPT_INTERFACE for ipv6
· use-after-free issue with HTTP transfers with the multi interface
· the progress callback can get called more frequently
· timeout would restart when signal caught while awaiting socket events
· curl -f with user password embedded in the URL
· 26 flaws identified by coverity.com
· builds on QNX 6 again

What's new in cURL 7.16.0:

November 7th, 2006

· The SONAME on the shared library was bumped from 3 to 4
· Added CURLE_SSL_CACERT_BADFILE
· Added CURLMOPT_TIMERFUNCTION and CURLMOPT_TIMERDATA
· (FTP) the CURLOPT_SOURCE_* options are removed and so are the --3p* command line options
· Curl_multi_socket() and family are suitable to start using
· Uses WSAPoll() on Windows Vista
· (FTP) --ftp-ssl-control was added
· CURLOPT_SSL_SESSIONID_CACHE and --no-sessionid added
· CURLMOPT_PIPELINING added for enabling HTTP pipelined transfers
· Multi handles now have a shared connection cache
· Added support for other MS-DOS compilers (besides djgpp)
· CURLOPT_SOCKOPTFUNCTION and CURLOPT_SOCKOPTDATA were added
· (FTP) libcurl avoids sending TYPE if the desired type was already set
· (FTP) CURLOPT_PREQUOTE works even when CURLOPT_NOBODY is set true
· Fixed: (HTTP) CURLOPT_FAILONERROR (curl -f) covers a few more reponse cases
· Fixed: curl_multi_socket() and the LOW_SPEED options
· Fixed: curl_multi_socket() expire timer during c-ares name resolves
· Fixed: curl_multi_add_handle on an already added handle now fails gracefully
· Fixed: Multi interface crash if bad function call order was used for cleanup
· Fixed: Put a new URL in saved cookie jar files
· Fixed: configure --with-gssapi-libs
· Fixed: SOCKS proxy connection fixes
· Fixed: (FTP) a failed upload does not invalidate the control connection
· Fixed: Proxy URL with user name and empty password or no password at all now work
· Fixed: Fixed a socket state problem with *multi_socket()
· Fixed: (HTTP) NTLM hostname fix
· Fixed: getsockname usage fixes
· Fixed: SOCKS5 proxy connects can now time-out
· Fixed: SOCKS5 connects that require auth no longer segfaults when auth not given
· Fixed: Multi interface using asynch resolves could get stuck in wrong state
· Fixed: The 'running_handles' counter wasn't always updated properly when curl_multi_remove_handle() was used
· Fixed: (FTP) EPRT transfers with IPv6 didn't work properly
· Fixed: (FTP) SINGLECWD mode and using files in the root dir
· Fixed: (HTTP) Expect: header disabling work better
· Fixed: (HTTP) "Expect: 100-continue" disable on second POST on re-used connection
· Fixed: src/config.h.in is fixed
· Fixed: (HTTP) POST data logged to the debug callback function is now correctly tagged as data, not header