@@ -12,6 +12,9 @@ This release includes the following changes:
1212
1313This release includes the following bugfixes:
1414
15+ o CVE-2020-8286: Inferior OCSP verification [93]
16+ o CVE-2020-8285: FTP wildcard stack overflow [95]
17+ o CVE-2020-8284: trusting FTP PASV responses [97]
1518 o acinclude: detect manually set minimum macos/ipod version [46]
1619 o alt-svc: enable (in the build) by default [20]
1720 o alt-svc: minimize variable scope and avoid "DEAD_STORE" [51]
@@ -26,6 +29,7 @@ This release includes the following bugfixes:
2629 o cmake: check for linux/tcp.h [91]
2730 o cmake: correctly handle linker flags for static libs [52]
2831 o cmake: don't pass -fvisibility=hidden to clang-cl on Windows [53]
32+ o cmake: don't use reserved target name 'test' [79]
2933 o cmake: make BUILD_TESTING dependent option [30]
3034 o cmake: make CURL_ZLIB a tri-state variable [70]
3135 o cmake: set the unicode feature in curl-config on Windows [23]
@@ -53,6 +57,7 @@ This release includes the following bugfixes:
5357 o examples/httpput: remove use of CURLOPT_PUT [39]
5458 o FAQ: refreshed [56]
5559 o file: avoid duplicated code sequence [77]
60+ o ftp: retry getpeername for FTP with TCP_FASTOPEN [100]
5661 o gnutls: fix memory leaks (certfields memory wasn't released) [41]
5762 o header.d: mention the "Transfer-Encoding: chunked" handling [45]
5863 o HISTORY: the new domain
@@ -84,12 +89,14 @@ This release includes the following bugfixes:
8489 o quiche: remove 'static' from local buffer [71]
8590 o range.d: clarify that curl will not parse multipart responses [36]
8691 o range.d: fix typo
92+ o Revert "multi: implement wait using winsock events" [99]
8793 o rtsp: error out on empty Session ID, unified the code
8894 o rtsp: fixed Session ID comparison to refuse prefix [65]
8995 o rtsp: fixed the RTST Session ID mismatch in test 570 [64]
9096 o runtests: return error if no tests ran [16]
9197 o runtests: revert the mistaken edit of $CURL
9298 o runtests: show keywords when no tests ran [33]
99+ o scripts/completion.pl: parse all opts [101]
93100 o socks: check for DNS entries with the right port number [74]
94101 o src/tool_filetime: disable -Wformat on mingw for this file [2]
95102 o strerror: use 'const' as the string should never be modified [18]
@@ -108,6 +115,7 @@ This release includes the following bugfixes:
108115 o tool_writeout: use off_t getinfo-types instead of doubles [76]
109116 o travis: use ninja-build for CMake builds [63]
110117 o travis: use valgrind when running tests for debug builds [40]
118+ o urlapi: don't accept blank port number field without scheme [98]
111119 o urlapi: URL encode a '+' in the query part [14]
112120 o urldata: remove 'void *protop' and create the union 'p' [86]
113121 o vquic/ngtcp2.h: define local_addr as sockaddr_storage [73]
@@ -121,15 +129,17 @@ advice from friends like these:
121129
122130 Andreas Fischer, asavah on github, b9a1 on github, Baruch Siach,
123131 Basuke Suzuki, bobmitchell1956 on github, BrumBrum on hackerone,
124- Cristian Morales Vega, Daiki Ueno, Daniel Gustafsson, Daniel Stenberg,
125- Dietmar Hauser, Dirk Wetter, emanruse on github, Emil Engler,
126- hamstergene on github, Harry Sintonen, Jakub Zakrzewski, Jeroen Ooms,
127- Jon Rumsey, José Joaquín Atria, Junho Choi, Kael1117 on github,
128- Klaus Crusius, Kovalkov Dmitrii, Marcel Raad, Marc Hörsken, Marc Schlatter,
129- Niranjan Hasabnis, nosajsnikta on github, Oliver Urbann, Per Nilsson,
130- Philipp Klaus Krause, Ray Satiro, Rikard Falkeborn, Rui LIU, Sergei Nikulov,
131- Tobias Hieta, Tom G. Christensen, Viktor Szakats, Vincent Torri,
132- (41 contributors)
132+ Cristian Morales Vega, d4d on hackerone, Daiki Ueno, Daniel Gustafsson,
133+ Daniel Stenberg, Dietmar Hauser, Dirk Wetter, emanruse on github,
134+ Emil Engler, hamstergene on github, Harry Sintonen, Jacob Hoffman-Andrews,
135+ Jakub Zakrzewski, Jeroen Ooms, Jon Rumsey, José Joaquín Atria, Junho Choi,
136+ Kael1117 on github, Klaus Crusius, Kovalkov Dmitrii, Marcel Raad,
137+ Marc Hörsken, Marc Schlatter, Niranjan Hasabnis, nosajsnikta on github,
138+ Oliver Urbann, Per Nilsson, Philipp Klaus Krause, Ray Satiro,
139+ Rikard Falkeborn, Rui LIU, Sergei Nikulov, Thomas Danielsson, Tobias Hieta,
140+ Tom G. Christensen, Varnavas Papaioannou, Viktor Szakats, Vincent Torri,
141+ xnynx on github,
142+ (46 contributors)
133143
134144 Thanks! (and sorry if I forgot to mention someone)
135145
@@ -213,6 +223,7 @@ References to bug reports and discussions on issues:
213223 [76] = https://curl.se/bug/?i=6248
214224 [77] = https://curl.se/bug/?i=6249
215225 [78] = https://curl.se/bug/?i=6241
226+ [79] = https://curl.se/bug/?i=6257
216227 [80] = https://curl.se/bug/?i=6211
217228 [81] = https://curl.se/bug/?i=6058
218229 [82] = https://curl.se/bug/?i=6205
@@ -226,5 +237,12 @@ References to bug reports and discussions on issues:
226237 [90] = https://curl.se/bug/?i=6271
227238 [91] = https://curl.se/bug/?i=6252
228239 [92] = https://curl.se/bug/?i=6263
240+ [93] = https://curl.se/docs/CVE-2020-8286.html
229241 [94] = https://curl.se/bug/?i=6267
242+ [95] = https://curl.se/docs/CVE-2020-8285.html
230243 [96] = https://curl.se/bug/?i=6264
244+ [97] = https://curl.se/docs/CVE-2020-8284.html
245+ [98] = https://curl.se/bug/?i=6283
246+ [99] = https://curl.se/bug/?i=6146
247+ [100] = https://curl.se/bug/?i=6252
248+ [101] = https://curl.se/bug/?i=6280
0 commit comments