Package: curl / 7.74.0-1.3+deb11u13

Metadata

Package: curl
Version: 7.74.0-1.3+deb11u13
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
04_workaround_as_needed_bug.patch | (download)

ltmain.sh | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 work around libtool --as-needed reordering bug
06_always disable valgrind.patch | (download)

tests/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 always disable valgrind tests
07_do not disable debug symbols.patch | (download)

m4/curl-compilers.m4 | 11 0 + 11 - 0 !
1 file changed, 11 deletions(-)

 do not disable debug symbols without --enable-debug
08_enable zsh.patch | (download)

Makefile.am | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 enable zsh completion generation
11_omit directories from config.patch | (download)

curl-config.in | 15 3 + 12 - 0 !
1 file changed, 3 insertions(+), 12 deletions(-)

 in order to (partially) multi-arch-ify curl-config, remove all
 mention of @includedir@ and @libdir@ from the script.  On Debian, the actual
 header and library directories are architecture-dependent, but will always be
 in the C compiler's default search path, so -I and -L options are not
 necessary (and may be harmful in multi-arch environments.)
12_use python3 in tests.patch | (download)

tests/data/test1451 | 2 1 + 1 - 0 !
tests/dictserver.py | 2 1 + 1 - 0 !
tests/negtelnetserver.py | 2 1 + 1 - 0 !
tests/smbserver.py | 2 1 + 1 - 0 !
tests/util.py | 2 1 + 1 - 0 !
5 files changed, 5 insertions(+), 5 deletions(-)

 use python3 executable in tests
13_fix man formatting.patch | (download)

docs/libcurl/curl_getdate.3 | 5 2 + 3 - 0 !
docs/libcurl/curl_global_init_mem.3 | 7 4 + 3 - 0 !
docs/libcurl/curl_unescape.3 | 2 1 + 1 - 0 !
docs/libcurl/curl_url_cleanup.3 | 6 3 + 3 - 0 !
docs/libcurl/curl_url_dup.3 | 6 3 + 3 - 0 !
docs/libcurl/curl_url_set.3 | 5 2 + 3 - 0 !
6 files changed, 15 insertions(+), 16 deletions(-)

 [patch] curl/docs/libcurl/*: fix some formatting of man pages
To: 

  Fix some formatting issues in man pages.

Details:

  From "mandoc -Tlint":

mandoc: curl_getdate.3:64:2: WARNING: skipping paragraph macro: PP empty
mandoc: curl_global_init_mem.3:56:2: ERROR: skipping end of block that is not open: RE
mandoc: curl_unescape.3:48:5: ERROR: skipping all arguments: br curl_easy_escape "(3)," curl_easy_unescape "(3)," curl_free "(3)," RFC 2396
mandoc: curl_unescape.3:48:2: WARNING: skipping paragraph macro: br after SH
mandoc: curl_url_cleanup.3:29:2: STYLE: fill mode already enabled, skipping: fi
mandoc: curl_url_dup.3:29:2: STYLE: fill mode already enabled, skipping: fi
mandoc: curl_url_set.3:32:2: STYLE: fill mode already enabled, skipping: fi

  From "test-groff -b -mandoc -T utf8 -rF0 -t -w w -z":

  [ "test-groff" is a developmental version of "groff" ]

troff: <curl_getdate.3>:108: warning: trailing space
troff: <curl_getdate.3>:109: warning: trailing space

Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>

14_transfer strip credentials from the auto referer hea.patch | (download)

lib/transfer.c | 25 23 + 2 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test2081 | 66 66 + 0 - 0 !
3 files changed, 90 insertions(+), 3 deletions(-)

 transfer: strip credentials from the auto-referer header field
15_vtls add isproxy argument to Curl_ssl_get addsession.patch | (download)

lib/vtls/bearssl.c | 11 8 + 3 - 0 !
lib/vtls/gtls.c | 13 9 + 4 - 0 !
lib/vtls/mbedtls.c | 11 8 + 3 - 0 !
lib/vtls/mesalink.c | 12 8 + 4 - 0 !
lib/vtls/openssl.c | 53 40 + 13 - 0 !
lib/vtls/schannel.c | 11 7 + 4 - 0 !
lib/vtls/sectransp.c | 12 7 + 5 - 0 !
lib/vtls/vtls.c | 12 9 + 3 - 0 !
lib/vtls/vtls.h | 2 2 + 0 - 0 !
lib/vtls/wolfssl.c | 13 9 + 4 - 0 !
10 files changed, 107 insertions(+), 43 deletions(-)

 vtls: add 'isproxy' argument to curl_ssl_get/addsessionid()
fix regression microseconds instead of seconds.patch | (download)

src/tool_writeout.c | 22 15 + 7 - 0 !
1 file changed, 15 insertions(+), 7 deletions(-)

 [patch] tool_writeout: fix the -w time output units

Fix regression from commit fc813f80e1bcac (#6248) that changed the unit
to microseconds instead of seconds with fractions

Reported-by: 
Fixes #6321
Closes #6322

CVE 2021 22898.patch | (download)

lib/telnet.c | 17 11 + 6 - 0 !
1 file changed, 11 insertions(+), 6 deletions(-)

 cve-2021-22898

Bug-Debian: https://bugs.debian.org/989228
CVE 2021 22945.patch | (download)

lib/mqtt.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 cve-2021-22945

CVE 2021 22946.patch | (download)

lib/ftp.c | 9 6 + 3 - 0 !
lib/imap.c | 24 10 + 14 - 0 !
lib/pop3.c | 34 14 + 20 - 0 !
tests/data/Makefile.inc | 2 2 + 0 - 0 !
tests/data/test984 | 56 56 + 0 - 0 !
tests/data/test985 | 54 54 + 0 - 0 !
tests/data/test986 | 53 53 + 0 - 0 !
7 files changed, 195 insertions(+), 37 deletions(-)

 cve-2021-22946

CVE 2021 22947.patch | (download)

lib/ftp.c | 3 3 + 0 - 0 !
lib/imap.c | 4 4 + 0 - 0 !
lib/pop3.c | 4 4 + 0 - 0 !
lib/smtp.c | 4 4 + 0 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test980 | 52 52 + 0 - 0 !
tests/data/test981 | 59 59 + 0 - 0 !
tests/data/test982 | 57 57 + 0 - 0 !
tests/data/test983 | 52 52 + 0 - 0 !
9 files changed, 236 insertions(+), 1 deletion(-)

 cve-2021-22947

CVE 2021 22924.patch | (download)

lib/url.c | 9 6 + 3 - 0 !
lib/urldata.h | 4 2 + 2 - 0 !
lib/vtls/gtls.c | 10 5 + 5 - 0 !
lib/vtls/nss.c | 4 2 + 2 - 0 !
lib/vtls/openssl.c | 18 9 + 9 - 0 !
lib/vtls/vtls.c | 26 21 + 5 - 0 !
6 files changed, 45 insertions(+), 26 deletions(-)

 cve-2021-22924

Bug-Debian: https://bugs.debian.org/991492
CVE 2022 22576.patch | (download)

lib/strcase.c | 10 10 + 0 - 0 !
lib/strcase.h | 2 2 + 0 - 0 !
lib/url.c | 13 12 + 1 - 0 !
lib/urldata.h | 1 1 + 0 - 0 !
lib/vtls/vtls.c | 21 6 + 15 - 0 !
5 files changed, 31 insertions(+), 16 deletions(-)

 cve-2022-22576

Bug-Debian: https://bugs.debian.org/1010295
CVE 2022 27775.patch | (download)

lib/conncache.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 cve-2022-27775

Bug-Debian: https://bugs.debian.org/1010253
CVE 2022 27776.patch | (download)

lib/http.c | 34 22 + 12 - 0 !
lib/urldata.h | 16 9 + 7 - 0 !
2 files changed, 31 insertions(+), 19 deletions(-)

 cve-2022-27776

Bug-Debian: https://bugs.debian.org/1010252
CVE 2022 27781.patch | (download)

lib/vtls/nss.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 cve-2022-27781

CVE 2022 27782_part1.patch | (download)

lib/setopt.c | 28 16 + 12 - 0 !
lib/url.c | 23 16 + 7 - 0 !
lib/urldata.h | 13 7 + 6 - 0 !
lib/vtls/gtls.c | 56 29 + 27 - 0 !
lib/vtls/mbedtls.c | 2 1 + 1 - 0 !
lib/vtls/nss.c | 6 3 + 3 - 0 !
lib/vtls/openssl.c | 9 5 + 4 - 0 !
lib/vtls/vtls.c | 21 21 + 0 - 0 !
8 files changed, 98 insertions(+), 60 deletions(-)

 cve-2022-27782_part1

CVE 2022 27782_part2.patch | (download)

lib/url.c | 11 11 + 0 - 0 !
lib/vssh/ssh.h | 4 2 + 2 - 0 !
2 files changed, 13 insertions(+), 2 deletions(-)

 cve-2022-27782_part2

CVE 2022 32205.patch | (download)

lib/cookie.c | 14 12 + 2 - 0 !
lib/cookie.h | 21 19 + 2 - 0 !
lib/http.c | 12 10 + 2 - 0 !
lib/urldata.h | 1 1 + 0 - 0 !
4 files changed, 42 insertions(+), 6 deletions(-)

 cve-2022-32205

CVE 2022 32206.patch | (download)

lib/content_encoding.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 cve-2022-32206

CVE 2022 32207.patch | (download)

CMakeLists.txt | 1 1 + 0 - 0 !
configure.ac | 1 1 + 0 - 0 !
lib/Makefile.inc | 4 2 + 2 - 0 !
lib/cookie.c | 19 5 + 14 - 0 !
lib/curl_config.h.cmake | 3 3 + 0 - 0 !
lib/fopen.c | 113 113 + 0 - 0 !
lib/fopen.h | 30 30 + 0 - 0 !
7 files changed, 155 insertions(+), 16 deletions(-)

 cve-2022-32207

CVE 2022 32208.patch | (download)

lib/krb5.c | 18 11 + 7 - 0 !
1 file changed, 11 insertions(+), 7 deletions(-)

 cve-2022-32208

CVE 2022 27774_1_of_4.patch | (download)

lib/connect.c | 1 1 + 0 - 0 !
lib/urldata.h | 6 5 + 1 - 0 !
2 files changed, 6 insertions(+), 1 deletion(-)

 [patch] connect: store "conn_remote_port" in the info struct

To make it available after the connection ended.

CVE 2022 27774_2_of_4.patch | (download)

lib/transfer.c | 48 47 + 1 - 0 !
lib/url.c | 35 21 + 14 - 0 !
lib/urldata.h | 1 1 + 0 - 0 !
3 files changed, 69 insertions(+), 15 deletions(-)

 [patch] transfer: redirects to other protocols or ports clear auth

... unless explicitly permitted.

Bug: https://curl.se/docs/CVE-2022-27774.html
Reported-by: Harry Sintonen
Closes #8748

CVE 2022 27774_3_of_4.patch | (download)

tests/data/Makefile.inc | 1 1 + 0 - 0 !
tests/data/test973 | 88 88 + 0 - 0 !
tests/data/test974 | 87 87 + 0 - 0 !
tests/data/test975 | 88 88 + 0 - 0 !
tests/data/test976 | 88 88 + 0 - 0 !
5 files changed, 352 insertions(+)

 [patch] tests: verify the fix for cve-2022-27774

 - Test 973 redirects from HTTP to FTP, clear auth
CVE 2022 27774_4_of_4.patch | (download)

lib/http.c | 10 5 + 5 - 0 !
lib/http.h | 6 6 + 0 - 0 !
lib/vtls/openssl.c | 3 2 + 1 - 0 !
3 files changed, 13 insertions(+), 6 deletions(-)

 [patch] openssl: don't leak the srp credentials in redirects either

Follow-up to 620ea21410030

Reported-by: Harry Sintonen
Closes #8751

cookie reject cookies with control bytes.patch | (download)

lib/cookie.c | 29 29 + 0 - 0 !
1 file changed, 29 insertions(+)

 cookie: reject cookies with "control bytes"
test8 verify that ctrl byte cookies are ignored.patch | (download)

tests/data/test8 | 32 31 + 1 - 0 !
1 file changed, 31 insertions(+), 1 deletion(-)

 test8: verify that "ctrl-byte cookies" are ignored
CVE 2022 32221.patch | (download)

lib/setopt.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 setopt: when post is set, reset the 'upload' field (cve-2022-32221)

CVE 2022 43552.patch | (download)

lib/smb.c | 14 2 + 12 - 0 !
lib/telnet.c | 2 0 + 2 - 0 !
2 files changed, 2 insertions(+), 14 deletions(-)

 smb/telnet: do not free the protocol struct in *_done() (cve-2022-43552)

CVE 2023 23916.patch | (download)

lib/content_encoding.c | 7 3 + 4 - 0 !
lib/urldata.h | 1 1 + 0 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test418 | 152 152 + 0 - 0 !
4 files changed, 157 insertions(+), 5 deletions(-)

 [patch] content_encoding: do not reset stage counter for each header

CVE 2023 27533.patch | (download)

lib/telnet.c | 16 16 + 0 - 0 !
1 file changed, 16 insertions(+)

 [patch] telnet: only accept option arguments in ascii

To avoid embedded telnet negotiation commands etc.

Reported-by: Harry Sintonen
Closes #10728

Backported to Debian by Samuel Henrique <samueloph@debian.org>

CVE 2023 27534.patch | (download)

lib/curl_path.c | 70 35 + 35 - 0 !
1 file changed, 35 insertions(+), 35 deletions(-)

 [patch] curl_path: create the new path with dynbuf

Closes #10729

Backported to Debian by Samuel Henrique <samueloph@debian.org>

CVE 2023 27538.patch | (download)

lib/url.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] url: fix the ssh connection reuse check

Reported-by: Harry Sintonen
Closes #10735

Backported to Debian by Samuel Henrique <samueloph@debian.org>

add_Curl_timestrcmp.patch | (download)

lib/strcase.c | 22 22 + 0 - 0 !
lib/strcase.h | 1 1 + 0 - 0 !
2 files changed, 23 insertions(+)

 backport curl_timestrcmp in lib/strcase.(c|h)
 This patch was backported by Samuel Henrique <samueloph@debian.org> and it
 only has the changes required to backport other patches, so we are not
 converting the whole codebase to make use of the new function (yet).
CVE 2023 27535.patch | (download)

lib/ftp.c | 28 26 + 2 - 0 !
lib/ftp.h | 5 5 + 0 - 0 !
lib/setopt.c | 2 1 + 1 - 0 !
lib/url.c | 16 15 + 1 - 0 !
lib/urldata.h | 4 2 + 2 - 0 !
5 files changed, 49 insertions(+), 6 deletions(-)

 [patch] ftp: add more conditions for connection reuse

Reported-by: Harry Sintonen
Closes #10730

Backported to Debian by Samuel Henrique <samueloph@debian.org>

CVE 2023 27536.patch | (download)

lib/url.c | 6 6 + 0 - 0 !
lib/urldata.h | 1 1 + 0 - 0 !
2 files changed, 7 insertions(+)

 [patch] url: only reuse connections with same gss delegation

Reported-by: Harry Sintonen
Closes #10731

Backported to Debian by Samuel Henrique <samueloph@debian.org>

CVE 2023 28321.patch | (download)

lib/hostcheck.c | 76 37 + 39 - 0 !
tests/data/test1397 | 9 4 + 5 - 0 !
tests/unit/unit1397.c | 123 82 + 41 - 0 !
3 files changed, 123 insertions(+), 85 deletions(-)

 [patch] resolves: cve-2023-28321 - fix host name wildcard checking


CVE 2023 28322.patch | (download)

lib/curl_rtmp.c | 4 2 + 2 - 0 !
lib/file.c | 4 2 + 2 - 0 !
lib/ftp.c | 8 4 + 4 - 0 !
lib/http.c | 4 2 + 2 - 0 !
lib/imap.c | 6 3 + 3 - 0 !
lib/rtsp.c | 4 2 + 2 - 0 !
lib/setopt.c | 6 2 + 4 - 0 !
lib/smb.c | 4 2 + 2 - 0 !
lib/smtp.c | 4 2 + 2 - 0 !
lib/tftp.c | 8 4 + 4 - 0 !
lib/transfer.c | 4 2 + 2 - 0 !
lib/urldata.h | 2 1 + 1 - 0 !
lib/vssh/libssh.c | 6 3 + 3 - 0 !
lib/vssh/libssh2.c | 6 3 + 3 - 0 !
lib/vssh/wolfssh.c | 2 1 + 1 - 0 !
15 files changed, 35 insertions(+), 37 deletions(-)

 [patch] lib: unify the upload/method handling

By making sure we set state.upload based on the set.method value and not
independently as set.upload, we reduce confusion and mixup risks, both
internally and externally.

Closes #11017

CVE 2023 38545.patch | (download)

lib/socks.c | 10 5 + 5 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test728 | 64 64 + 0 - 0 !
3 files changed, 70 insertions(+), 6 deletions(-)

 [patch] socks: return error if hostname too long for remote resolve

Prior to this change the state machine attempted to change the remote
resolve to a local resolve if the hostname was longer than 255
characters. Unfortunately that did not work as intended and caused a
security issue.

Name resolvers cannot resolve hostnames longer than 255 characters.

Bug: https://curl.se/docs/CVE-2023-38545.html

Backported by: Samuel Henrique <samueloph@debian.org>


CVE 2023 38546.patch | (download)

lib/cookie.c | 13 1 + 12 - 0 !
lib/cookie.h | 7 2 + 5 - 0 !
lib/easy.c | 4 1 + 3 - 0 !
3 files changed, 4 insertions(+), 20 deletions(-)

 [patch] cookie: remove unnecessary struct fields

Plus: reduce the hash table size from 256 to 63. It seems unlikely to
CVE 2023 46218.patch | (download)

lib/cookie.c | 24 16 + 8 - 0 !
1 file changed, 16 insertions(+), 8 deletions(-)

 [patch] cookie: lowercase the domain names before psl checks

Reported-by: Harry Sintonen

Closes #12387

Backported by: Samuel Henrique <samueloph@debian.org>:
 * Update signature of function "bad_domain"
 * Refresh patch context


CVE 2024 2398.patch | (download)

lib/http2.c | 31 14 + 17 - 0 !
1 file changed, 14 insertions(+), 17 deletions(-)

 [patch] http2: push headers better cleanup

- provide common cleanup method for push headers

Closes #13054

Backported by: Guilherme Puida Moreira <guilherme@puida.xyz>:
  * Changed h2_stream_ctx to HTTP in free_push_headers.
  * Dropped inapplicable hunk in push_promise, since it changed some code
    that does not yet exist.

CVE 2024 7264 0.patch | (download)

lib/x509asn1.c | 23 14 + 9 - 0 !
1 file changed, 14 insertions(+), 9 deletions(-)

 x509asn1: clean up gtime2str

Co-authored-by: Stefan Eissing
Reported-by: Dov Murik

Closes #14307

Backported to Debian by Carlos Henrique Lima Melara <charles@debian.org>.

Changes:
- In this version, GTime2str doesn't return CURLcode, so change that to NULL.

CVE 2024 7264 1.patch | (download)

lib/x509asn1.c | 31 23 + 8 - 0 !
lib/x509asn1.h | 10 10 + 0 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test1656 | 22 22 + 0 - 0 !
tests/unit/Makefile.inc | 4 3 + 1 - 0 !
tests/unit/unit1656.c | 133 133 + 0 - 0 !
6 files changed, 192 insertions(+), 10 deletions(-)

 x509asn1: unittests and fixes for gtime2str

Fix issues in GTime2str() and add unit test cases to verify correct
behaviour.

Follow-up to 3c914bc6801

Closes #14316

Backported to Debian by Carlos Henrique Lima Melara <charles@debian.org>.

Changes:
- In this version, GTime2str doesn't return CURLcode, so change that to NULL.
- Also change test helper function to match the correct type and pass the
  correct arguments. In this version, GTime2str doesn't take struct dynbuf *.
  This is meant to avoid an FTBFS if someone builds the package with --enable-debug.

90_gnutls.patch | (download)

docs/examples/Makefile.am | 4 2 + 2 - 0 !
lib/Makefile.am | 32 16 + 16 - 0 !
lib/libcurl.vers.in | 2 1 + 1 - 0 !
src/Makefile.am | 4 2 + 2 - 0 !
tests/libtest/Makefile.am | 8 4 + 4 - 0 !
5 files changed, 25 insertions(+), 25 deletions(-)

 build with gnutls.
99_nss.patch | (download)

docs/examples/Makefile.am | 4 2 + 2 - 0 !
lib/Makefile.am | 32 16 + 16 - 0 !
src/Makefile.am | 4 2 + 2 - 0 !
tests/libtest/Makefile.am | 8 4 + 4 - 0 !
4 files changed, 24 insertions(+), 24 deletions(-)

 build with nss.