Roll out cURL 8.12.1

[cmb69]

cURL 8.11.0 has been released, fixing CVE-2024-9681. Given that is a low severity issue, it might not be necessary to update stable branches right away (should wait after GA at least). I've already pushed the update to master, and did quick testing as usual, and found that now Websocket support is enabled by default. Probably not a problem, since that seems to require special support in ext/curl; otherwise I'd be wary to roll it out to stable versions.

Note that nghttp2 1.64.0 is available to be built as prerequisite for the cURL update.

@nielsdos, any thoughts about the update?

[cmb69]

Ah forgot: if we roll 8.11.0 out with Websocket support, we need to apply the following patch to php-src:

 ext/curl/tests/check_win_config.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/curl/tests/check_win_config.phpt b/ext/curl/tests/check_win_config.phpt
index b3beb044a7..8330a95564 100644
--- a/ext/curl/tests/check_win_config.phpt
+++ b/ext/curl/tests/check_win_config.phpt
@@ -54,7 +54,7 @@
 ZSTD => No
 HSTS => Yes
 GSASL => No
-Protocols => dict, file, ftp, ftps, gopher, %r(gophers, )?%rhttp, https, imap, imaps, ldap, ldaps, %r(mqtt, )?%rpop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
+Protocols => dict, file, ftp, ftps, gopher, %r(gophers, )?%rhttp, https, imap, imaps, ldap, ldaps, %r(mqtt, )?%rpop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp%r(, ws, wss)?%r
 Host => %s-pc-win32
 SSL Version => OpenSSL/%s
 ZLib Version => %s

[nielsdos]

Let's wait until after GA and then make sure the next release uses the update.

Ah forgot: if we roll 8.11.0 out with Websocket support, we need to apply the following patch to php-src:

This likely needs to happen anyway for the Linux users who receive the update via their distro.

[cmb69]

Let's wait until after GA and then make sure the next release uses the update.

Fine. I'll keep an eye on it.

This likely needs to happen anyway for the Linux users who receive the update via their distro.

The test is Windows only. :)

[nielsdos]

Fine. I'll keep an eye on it.

Thanks!

The test is Windows only. :)

Ah oops, I missed that. EDIT: duh, it even says win in the title... 🤦

[cmb69]

I guess we want to wait for cURL 8.11.1: https://curl.se/mail/lib-2024-11/0019.html

[cmb69]

I've pushed cURL 8.11.1 (which fixes another low severity vulnerability) to master. Test build showed no further issues.

I suggest to wait with rolling out until PHP GA's have been released (scheduled for Dec 19th), and then first push staging to stable (we're behind with this for a couple of months). Afterwards we can roll out new releases.

[cmb69]

Hmm, that fell through the cracks. :(

Anyway, cURL 8.12.0 has now been released, fixing 3 low severity security issues. We should update to this version right away (well, after the stable PHP versions have been rolled out on 2025-02-13). Besides the test case fix we would possibly have needed to fix (#25 (comment)), we now also need php/php-src#17709 (or something like that).

I've pushed and tagged the update, made test builds (requires https://github.com/winlibs/winlib-builder/tree/curl/winbuild-deprecation; need to check whether this can be used for older cURL versions; need to update to the CMake build chain soonish anyway), and didn't find any further issues when testing locally.

[cmb69]

need to check whether this can be used for older cURL versions

Yep. https://github.com/winlibs/winlib-builder/actions/runs/13160583314. I've pushed the fix.

[cmb69]

need to update to the CMake build chain soonish

A start: winlibs/winlib-builder#40

[nono303]

Hi @here,
I did some test with curl 8.12 + php 8.4 and have some issue:
see. curl/curl#16216 (comment)

[cmb69]

@nono303, please don't ping random people. :)

Anyway, I've seen your cURL bug report, but for now that is not an issue for "official" PHP builds, since we don't use c-ares (maybe we should in the future).