Conversation

@patrikjuvonen
Contributor

@patrikjuvonen patrikjuvonen commented Dec 8, 2018

Summary

Tests

Validation

To help validate the integrity of the update, I have created the following bash script that diffs my PR branch against the official package provided from the curl website.

#!/bin/bash

CURL_UPDATE_VERSION=7.62.0
CURL_PATH_NAME="curl-$CURL_UPDATE_VERSION"

GIT_REPO_BRANCH="vendor/curl-$CURL_UPDATE_VERSION"
GIT_REPO_URL=git@github.com:patrikjuvonen/mtasa-blue.git
GIT_DEST_DIR=mtasa-blue
GIT_REPO_CURL_PATH="$GIT_DEST_DIR/vendor/curl/"

echo "1. Download and extract $CURL_PATH_NAME..."
# -f makes curl fail on an HTTP error instead of saving the error page as the tarball
curl -f "https://curl.haxx.se/download/$CURL_PATH_NAME.tar.bz2" -O && tar -xjvf "$CURL_PATH_NAME.tar.bz2"

echo "2. Clone the vendor update branch $GIT_REPO_BRANCH from $GIT_REPO_URL into $GIT_DEST_DIR..."
git clone --depth 1 -b "$GIT_REPO_BRANCH" "$GIT_REPO_URL" "$GIT_DEST_DIR"

echo "3. Start checking integrity..."
# diff -r reports differing files and files present in only one of the two trees
diff -r "$GIT_REPO_CURL_PATH" "$CURL_PATH_NAME"

echo "4. Completed."

Past curl updates in MTA

Copy of curl changelogs

Fixed in 7.62.0 - October 31 2018

Changes:

multiplex: enable by default
url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
setopt: add CURLOPT_DOH_URL
curl: --doh-url added
setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
imap: change from "FETCH" to "UID FETCH"
configure: add option to disable automatic OpenSSL config loading
upkeep: add a connection upkeep API: curl_easy_upkeep()
URL-API: added five new functions
vtls: MesaLink is a new TLS backend

Bugfixes:

CVE-2018-16839: SASL password overflow via integer overflow
CVE-2018-16840: use-after-free in handle close
CVE-2018-16842: warning message out-of-buffer read
CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated
Curl_dedotdotify(): always nul terminate returned string
Curl_follow: Always free the passed new URL
Curl_http2_done: fix memleak in error path
Curl_retry_request: fix memory leak
Curl_saferealloc: Fixed typo in docblock
FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
GnuTLS: TLS 1.3 support
SECURITY-PROCESS: mention the bountygraph program
VS projects: add USE_IPV6:
Windows: fixes for MinGW targeting Windows Vista
anyauthput: fix compiler warning on 64-bit Windows
appveyor: add WinSSL builds
appveyor: run test suite (on Windows!)
certs: generate tests certs with sha256 digest algorithm
checksrc: enable strict mode and warnings
checksrc: handle zero scoped ignore commands
cmake: Backport to work with CMake 3.0 again
cmake: Improve config installation
cmake: add support for transitive ZLIB target
cmake: disable -Wpedantic-ms-format
cmake: don't require OpenSSL if USE_OPENSSL=OFF
cmake: fixed path used in generation of docs/tests
cmake: remove unused *SOCKLEN_T variables
cmake: suppress MSVC warning C4127 for libtest
cmake: test and set missed defines during configuration
comment: Fix multiple typos in function parameters
config: Remove unused SIZEOF_VOIDP
config_win32: enable LDAPS
configure: force-use -lpthreads on HPUX
configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
cookies: Remove redundant expired check
cookies: fix leak when writing cookies to file
curl-config.in: remove dependency on bc
curl.1: --ipv6 mutexes ipv4 (fixed typo)
curl: enabled Windows VT Support and UTF-8 output
curl: update the documentation of --tlsv1.0
curl_multi_wait: call getsock before figuring out timeout
curl_ntlm_wb: check aprintf() return codes
curl_threads: fix classic MinGW compile break
darwinssl: Fix realloc memleak
darwinssl: more specific and unified error codes
data-binary.d: clarify default content-type is x-www-form-urlencoded
docs/BUG-BOUNTY: explain the bounty program
docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers
docs/CIPHERS: fix the TLS 1.3 cipher names
docs/CIPHERS: mention the colon separation for OpenSSL
docs/examples: URL updates
docs: add "see also" links for SSL options
example/asiohiper: insert warning comment about its status
example/htmltidy: fix include paths of tidy libraries
examples/Makefile.m32: sync with core
examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
examples/parseurl.c: show off the URL API
examples: Fix memory leaks from realloc errors
examples: do not wait when no transfers are running
ftp: include command in Curl_ftpsend sendbuffer
gskit: make sure to terminate version string
gtls: Values stored to but never read
hostip: fix check on Curl_shuffle_addr return value
http2: fix memory leaks on error-path
http: fix memleak in rewind error path
krb5: fix memory leak in krb_auth
ldap: show precise LDAP call in error message on Windows
lib: fix gcc8 warning on Windows
memory: add missing curl_printf header
memory: ensure to check allocation results
multi: Fix error handling in the SENDPROTOCONNECT state
multi: fix memory leak in content encoding related error path
multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
netrc: free temporary strings if memory allocation fails
nss: fix nssckbi module loading on Windows
nss: try to connect even if libnssckbi.so fails to load
ntlm_wb: Fix memory leaks in ntlm_wb_response
ntlm_wb: bail out if the response gets overly large
openssl: assume engine support in 0.9.8 or later
openssl: enable TLS 1.3 post-handshake auth
openssl: fix gcc8 warning
openssl: load built-in engines too
openssl: make 'done' a proper boolean
openssl: output the correct cipher list on TLS 1.3 error
openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
openssl: show "proper" version number for libressl builds
pipelining: deprecated
rand: add comment to skip a clang-tidy false positive
rtmp: fix for compiling with lwIP
runtests: ignore disabled even when ranges are given
runtests: skip ld_preload tests on macOS
runtests: use Windows paths for Windows curl
schannel: unified error code handling
sendf: Fix whitespace in infof/failf concatenation
ssh: free the session on init failures
ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
system.h: use proper setting with Sun C++ as well
test1299: use single quotes around asterisk
test1452: mark as flaky
test1651: unit test Curl_extract_certinfo()
test320: strip out more HTML when comparing
tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
tests: add unit tests for url.c
timeval: fix use of weak symbol clock_gettime() on Apple platforms
tool_cb_hdr: handle failure of rename()
travis: add a "make tidy" build that runs clang-tidy
travis: add build for "configure --disable-verbose"
travis: bump the Secure Transport build to use xcode
travis: make distcheck scan for BOM markers
unit1300: fix stack-use-after-scope AddressSanitizer warning
urldata: Fix "connecting" comment
urlglob: improve error message on bad globs
vtls: fix ssl version "or later" behavior change for many backends
x509asn1: Fix SAN IP address verification
x509asn1: always check return code from getASN1Element()
x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
x509asn1: suppress left shift on signed value
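The script above trusts whatever the download step returns. As an added example (not part of the PR or of curl), the following function gates the same vendor-vs-upstream `diff -r` on a SHA-256 of the archive, so a truncated or tampered download cannot pass as "identical". It assumes the caller supplies the expected checksum published alongside the release and that the archive unpacks to a single top-level directory, as curl's tarballs do.

```bash
#!/bin/bash
# Added example, not the PR's own script: checksum-gated vendor tree comparison.

# SHA-256 of a file; coreutils sha256sum, falling back to shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_diff ARCHIVE EXPECTED_SHA256 VENDOR_DIR
# Returns 0 when the checksum matches and the trees are identical,
# 1 on checksum mismatch (nothing is extracted), 2 when the trees differ.
verify_and_diff() {
  local archive="$1" expected="$2" vendor_dir="$3"
  local actual workdir top
  actual="$(sha256_of "$archive")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive: got $actual, expected $expected" >&2
    return 1
  fi
  workdir="$(mktemp -d)"
  # tar -xf auto-detects the compression (bz2 or gz), so both curl archive types work
  tar -xf "$archive" -C "$workdir"
  # Assumption: single top-level directory inside the archive (e.g. curl-7.62.0/)
  top="$(find "$workdir" -mindepth 1 -maxdepth 1 -type d | head -n 1)"
  if diff -r "$vendor_dir" "$top" >/dev/null; then
    rm -rf "$workdir"
    return 0
  fi
  # Brief listing of differing / one-sided files for the reviewer
  diff -rq "$vendor_dir" "$top" >&2 || true
  rm -rf "$workdir"
  return 2
}
```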

@patrikjuvonen patrikjuvonen added the enhancement New feature or request label Dec 8, 2018
@patrikjuvonen patrikjuvonen added this to the Backlog milestone Dec 8, 2018
@patrikjuvonen patrikjuvonen requested a review from qaisjp December 8, 2018 20:28
@CrosRoad95

What's the effect of this job for MTA?

@patrikjuvonen
Contributor Author

patrikjuvonen commented Dec 8, 2018

What's the effect of this job for MTA?

Security, stability and size of curl improve (fetchRemote, callRemote, some internals). Also in this update I cleaned up our curl vendor package and only included required files (include, lib, premake5.lua), whereas before we had almost all source files in there (inconsistent with our other vendor packages). Should slightly reduce vendor folder size considering curl was like easily the largest for no reason. Also makes comparing integrity much easier – fewer files to be worried about. This update also opens up doors for people to implement more features to the existing functions using curl.

@patrikjuvonen
Contributor Author

Closing this PR, new pull request opened at #744 for curl 7.63.0 vendor update.

@patrikjuvonen patrikjuvonen deleted the vendor/curl-7.62.0 branch December 28, 2018 11:44
@qaisjp qaisjp modified the milestones: Backlog, 1.5.7 Feb 13, 2019