curl 8.9.1

Some annoying regressions triggered this.

Numbers

the 259th release
0 changes
7 days (total: 9,630)

28 bugfixes (total: 10,559)
43 commits (total: 32,748)
0 new public libcurl function (total: 94)
0 new curl_easy_setopt() option (total: 306)

0 new curl command line option (total: 263)
19 contributors, 5 new (total: 3,211)
10 authors, 1 new (total: 1,288)
1 security fixes (total: 158)

Download the new curl release from curl.se as always.

Release presentation

Security

We decided to do a patch release. Then yesterday we got a security vulnerability reported and so now we have that fixed in here as well.

CVE-2024-7264: ASN.1 date parser overread (severity low) libcurl’s ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen() getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.

Bugfixes

This release is done only because we shipped a few regressions in 8.9.0 we rather let users avoid. Here are some noteworthy fixes from the past week:

  • connection shutdown fix for event based processing – this would cause applications to keep monitoring sockets “too much”, easily leading to busy-loops or worse
  • cmake builds detect libssh and nettle better
  • several libcurl functions now survive NULL pointer inputs better
  • fixed an Apple SDK bug workaround for non-macOS targets
  • the curl tool builds with the manual enabled on OS400
  • works around an IBM (OS400) ASCII run-time library bug
  • speed limiting for 32bit systems had the wrong math
  • allow wolfSSL’s implementation of kyber to be used
  • wolfssl CA store caching fix
  • more defensive and portable socket code for the curl tool’s --ip-tos logic