Update curl from 7.76.1 to 7.77.0

[patrikjuvonen]

Summary

• Contains stability and security related fixes
• 7.77.0: curl-users mailing list archive, maintainer's blog post, changelog

Tests

• fetchRemote
  • Download test script (v1.0.1): test_fetchRemote.zip
    • Preferable not to run client and server simultaneously
  • URL for unauthenticated requests: https://ptsv2.com/t/mtasa-test-fetchRemote
  • URL for authenticated requests: https://ptsv2.com/t/mtasa-test-fetchRemote-auth
• callRemote
  • Download test script (v1.0.2): test_callRemote.zip
  • URL for unauthenticated requests: http://ptsv2.com/t/mtasa-test-callRemote
  • URL for authenticated requests: http://ptsv2.com/t/mtasa-test-callRemote-auth
• Please flush all your requests from ptsv2.com after testing!

Validation

To help validate the integrity of the update I have created the following bash script that diffs between my PR branch and the official package provided from the curl website.

#!/bin/bash

CURL_UPDATE_VERSION=7.77.0
CURL_PATH_NAME=curl-$CURL_UPDATE_VERSION

GIT_REPO_BRANCH=vendor/curl-7.77.0
GIT_REPO_URL=https://github.com/patrikjuvonen/mtasa-blue.git
GIT_REPO_CURL_PATH=vendor/curl/

echo 1. Download and extract $CURL_PATH_NAME...
curl https://curl.se/download/$CURL_PATH_NAME.tar.xz | tar -xJ

echo 2. Fetch and checkout the vendor update branch $GIT_REPO_BRANCH from $GIT_REPO_URL...
git fetch $GIT_REPO_URL $GIT_REPO_BRANCH:$GIT_REPO_BRANCH
git checkout $GIT_REPO_BRANCH

echo 3. Start checking integrity...
diff -r --strip-trailing-cr $GIT_REPO_CURL_PATH $CURL_PATH_NAME

echo 4. Completed.
exec $SHELL

Past curl updates in MTA

Date	From	To	Link
April 2021	7.75.0	7.76.1 (current)	#2182
March 2021	7.74.0	7.75.0	#2081
December 2020	7.72.0	7.74.0	#1959
October 2020	7.69.1	7.72.0	#1562
March 2020	7.68.0	7.69.1	#1302
January 2020	7.67.0	7.68.0	#1216
November 2019	7.66.0	7.67.0	#1161
September 2019	7.65.3	7.66.0	#1099
July 2019	7.65.1	7.65.3	#1027
July 2019	7.64.1	7.65.1	#1018
April 2019	7.64.0	7.64.1	#898
February 2019	7.63.0	7.64.0	#819
January 2019	7.61.1	7.63.0	#744
September 2018	7.61.0	7.61.1	#428
August 2018	7.59.0	7.61.0	#271
March 2018	7.54.0	7.59.0	b99e343
June 2017	7.32.0	7.54.0	c15d999
August 2013	7.19.4	7.32.0	aaf3e21

Copy of curl changelogs

Fixed in 7.77.0 - May 26 2021

Changes:

configure: make the TLS library choice(s) explicit
curl: ignore options asking for SSLv2 or SSLv3
hsts: enable by default
SSL: support in-memory CA certs for some backends
vtls: refuse setting any SSL version

Bugfixes:

CVE-2021-22897: schannel cipher selection surprise
CVE-2021-22898: TELNET stack contents disclosure
CVE-2021-22901: TLS session caching disaster
AmigaOS: add functions definitions for SHA256
build: fix compilation for Windows UWP platform
c-hyper: don't write to set.writeheader if null
c-hyper: fix handling of zero-byte chunk from hyper
c-hyper: handle body on HYPER_TASK_EMPTY
checksrc: complain on == NULL or != 0 checks in conditions
CI/cirrus: add shared and static Windows release builds
cmake: add CURL_ENABLE_EXPORT_TARGET option
cmake: check for getppid and utimes
cmake: detect CURL_SA_FAMILY_T
cmake: fix two invokes result in different curl_config.h
cmake: make libcurl output filename configurable
cmake: Use multithreaded compilation on VS 2008+
config: remove now-unused macros
configure: if asked for, fail if ldap is not found
configure: provide --with-openssl, deprecate --with-ssl
conn: add 'attach' to protocol handler, make libssh2 use it
connect: use CURL_SA_FAMILY_T for portability
ConnectionExists: respect requests for h1 connections better
cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
curl-wolfssl.m4: without custom include path, assume /usr/include
curl: include libmetalink version in --version output
Curl_http_header: check for colon when matching Persistent-Auth
Curl_http_input_auth: require valid separator after negotiation type
Curl_input_digest: require space after Digest
curl_mprintf.3: add description
curl_setup: provide the shutdown flags wider
curl_url_set.3: add memory management information
CURLcode: add CURLE_SSL_CLIENTCERT
CURLOPT_CAPATH.3: defaults to a path, not NULL
CURLOPT_IPRESOLVE: preventing wrong IP version from being used
CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
data_pending: check only SECONDARY socket for FTP(S) transfers
docs/TheArtOfHttpScripting: fix markdown links
docs: camelcase it like GitHub everywhere
docs: cookies from HTTP headers need domain set
docs: fix typo in fail-with-body doc
docs: improve INTERNALS.md regarding getsock cb
docs: replace dots with dashes in markdown enums
easy: ignore sigpipe in curl_easy_send
FILEFORMAT: mention sectransp as a feature
GIT-INFO: suggest using autoreconf instead of buildconf
github: add a workflow with libssh2 on macOS using cmake
github: inhibit deprecated declarations for clang on macOS
GnuTLS: don't allow TLS 1.3 for versions that don't support it
gnutls: make setting only the MAX TLS allowed version work
gskit: fix CURL_DISABLE_PROXY build
gskit: fix undefined reference to 'conn'
hostip.h: remove declaration of unimplemented function
hostip: remove the debug code for LocalHost
http2: call the handle-closed function correctly on closed stream
http2: fix a resource leak in push_promise()
http2: fix resource leaks in set_transfer_url()
http2: make sure pause is done on HTTP
http2: move the stream error field to the per-transfer storage
http2: skip immediate parsing of payload following protocol switch
http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade
HTTP3.md: fix nghttp2's HTTP/3 server port
HTTP3.md: make the ngtcp2 build use the quictls fork
http: deal with partial CONNECT sends
http: fix the check for 'Authorization' with Bearer
http: limit the initial send amount to used upload buffer size
http: reset the header buffer when sending the request
http: use offsets inst of integer literals for header parsing
INSTALL: add IBM i specific quirks
krb5/name_to_level: replace checkprefix with curl_strequal
krb5: don't use 'static' to store PBSZ size response
krb5: remove the unused 'overhead' function
lib/hostip6.c: make NAT64 address synthesis on macOS work
lib1564.c: enable last wakeup test part on Windows
lib: fix 0-length Curl_client_write calls
lib: fix some misuse of curlx_convert_UTF8_to_tchar
libcurl-security.3: be careful of setuid
libcurl-security.3: don't try to filter IPv4 hosts based on the URL
libcurl.3: mention the URL API
libssh2: fix Value stored to 'sshp' is never read
libssh2: ignore timeout during disconnect
libssh: fix "empty expression statement has no effect" warnings
libtest: remove lib530.c
m4: add security frameworks on Mac when compiling rustls
multi: don't close connection HTTP_1_1_REQUIRED
multi: fix slow write/upload performance on Windows
multi: reduce Win32 API calls to improve performance
ngtcp2: fix the cb_acked_stream_data_offset proto
NSS: add ciphers to map
NSS: make colons, commas and spaces valid separators in cipher list
nss_set_blocking: avoid static for sock_opt
ntlm: precaution against super huge type2 offsets
openldap: protect SSL-specific code with proper #ifdef
openldap: replace ldap_ prefix on private functions
openssl: fix build error with OpenSSL < 1.0.2
openssl: remove unneeded cast for CertOpenSystemStore()
os400: additional support for options metadata
progress: fix scan-build-11 warnings
progress: reset limit_size variables at transfer start
progress: when possible, calculate transfer speeds with microseconds
README.md: delete Codacy UTM parameters
Revert "Revert 'multi: implement wait using winsock events'"
rustls: only return CURLE_AGAIN when TLS session is fully drained
rustls: use ALPN
sasl: use 'unsigned short' to store mechanism
schannel: Disable auto credentials; add an option to enable it
schannel: Support strong crypto option
sectransp: allow cipher name to be specified
sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
sigpipe: ignore SIGPIPE when using wolfSSL as well
sockfilt: avoid getting stuck waiting for writable socket
sockfilt: fix invalid increment of handles index variable nfd
sws: #ifdef S_IFSOCK use
sws: allow HTTP requests up to 2MB in size
test server: take care of siginterrupt() deprecation
test2100: make it run with and require IPv6
tests/disable-scan.pl: also scan all m4 files
tests/getpart: generate output URL encoded for better diffs
tests: ignore case of chunked hex numbers in tests
tls: add USE_HTTP2 define
tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
tool_getparam: replace (in-place) '%20' by '+' according to RFC1866
tool_operate: don't discard failed parallel transfer result
tool_writeout: fix the HTTP_CODE json output
travis: disable the failing libssh build
URL-SYNTAX: update IDNA section for WHATWG spec changes
urlapi: "normalize" numerical IPv4 host names
vauth: factor base64 conversions out of authentication procedures
version: add gsasl_version to curl_version_info_data
version: add OpenLDAP version in the output
vtls: deduplicate some DISABLE_PROXY ifdefs
vtls: reset ssl use flag upon negotiation failure
wolfssl: handle SSL_write() returns 0 for error
wolfssl: remove SSLv3 support leftovers

[Dutchman101]

Since the tests check out, and there is no reason not to keep cURL up to date here

[Dutchman101]

As discussed, merging it so the planned testing cycle can start on upcoming nightly build