[RELEASE] curl and libcurl 7.36.0

From: Daniel Stenberg
Date: Wed, 26 Mar 2014 08:03:57 +0100 (CET)


I'm happy to announce curl and libcurl 7.36.0. This time with no less than 4
security problems fixed/announced together with the release. Stand by for
further mails about them.

As usual, the release is available for download from:


Curl and libcurl 7.36.0

  Public curl releases: 138
  Command line options: 161
  curl_easy_setopt() options: 206
  Public functions in libcurl: 58
  Known libcurl bindings: 42
  Contributors: 1123

This release includes the following SECURITY ADVISORIES:

  o wrong re-use of connections [16]
  o IP address wildcard certificate validation [17]
  o not verifying certs for TLS to IP address / Darwinssl [18]
  o not verifying certs for TLS to IP address / Winssl [19]

This release includes the following changes:

  o ntlm: Added support for NTLMv2 [2]
  o tool: Added support for URL specific options [3]
  o openssl: add ALPN support
  o gtls: add ALPN support
  o nss: add ALPN and NPN support
  o tool: add --no-alpn and --no-npn
  o winssl: enable TLSv1.1 and TLSv1.2 by default
  o winssl: TLSv1.2 disables certificate signatures using MD5 hash
  o winssl: enable hostname verification of IP address using SAN or CN [11]
  o darwinssl: Don't omit CN verification when an IP address is used [12]
  o http2: build with current nghttp2 version
  o polarssl: dropped support for PolarSSL < 1.3.0
  o openssl: info message with SSL version used

This release includes the following bugfixes:

  o nss: allow to use ECC ciphers if NSS implements them [1]
  o netrc: Fixed a memory leak in an OOM condition
  o ftp: fixed a memory leak on wildcard error path
  o pipeline: Fixed a NULL pointer dereference on OOM
  o nss: prefer highest available TLS version
  o 100-continue: fix timeout condition [4]
  o ssh: Fixed a NULL pointer dereference on OOM condition
  o formpost: use semicolon in multipart/mixed [5]
  o --help: add missing --tlsv1.x options
  o formdata: Fixed memory leak on OOM condition
  o ConnectionExists: reusing possible HTTP+NTLM connections better [6]
  o mingw32: fix compilation
  o chunked decoder: track overflows correctly [8]
  o curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0
  o dict: fix memory leak in OOM exit path
  o valgrind: added suppression on optimized code
  o curl: output protocol headers using binary mode
  o tool: Added URL index to password prompt for multiple operations
  o ConnectionExists: re-use non-NTLM connections better [9]
  o axtls: call ssl_read repeatedly
  o multi: make MAXCONNECTS default 4 x number of easy handles function
  o configure: Fix the --disable-crypto-auth option
  o multi: ignore SIGPIPE internally
  o curl.1: update the description of --tlsv1
  o SFTP: skip reading the dir when NOBODY=1 [10]
  o easy: Fixed a memory leak on OOM condition
  o tool: Fixed incorrect return code when setting HTTP request fails
  o configure: Tiny fix to honor POSIX
  o tool: Do not output libcurl source for the information only parameters
  o Rework Open Watcom make files to use standard Wmake features
  o x509asn: moved out Curl_verifyhost from NSS builds
  o configure: call it GSS-API
  o hostcheck: Curl_cert_hostcheck is not used by NSS builds
  o multi_runsingle: move timestamp into INIT [13]
  o remote_port: allow connect to port 0
  o parse_remote_port: error out on illegal port numbers better
  o ssh: Pass errors from libssh2_sftp_read up the stack
  o docs: remove documentation on setting up krb4 support
  o polarssl: build fixes to work with PolarSSL 1.3.x
  o polarssl: fix possible handshake timeout issue in multi
  o nss: allow to enable/disable cipher-suites better
  o ssh: prevent a logic error that could result in an infinite loop
  o http2: free resources on disconnect
  o polarssl: avoid extra newlines in debug messages
  o rtsp: parse "Session:" header properly [14]
  o trynextip: don't store 'ai' on failed connects [15]
  o Curl_cert_hostcheck: strip trailing dots in host name and wildcard

This release includes the following known bugs:

  o see docs/KNOWN_BUGS (

This release would not have looked like this without help, code, reports and
advice from friends like these:

   Adam Sampson, Arvid Norberg, Brad Spencer, Colin Hogben, Dan Fandrich,
   Daniel Stenberg, David Ryskalczyk, Fabian Frank, Gaël PORTAY, Gisle Vanem,
   Hubert Kario, Jeff King, Jiri Malak, Kamil Dudka, Maks Naumov, Marc Hoersken,
   Michael Osipov, Mike Hasselberg, Nick Zitzmann, Patrick Monnerat, Prash Dush,
   Remi Gacogne, Rob Davies, Romulo A. Ceccon, Shao Shuchao, Steve Holme,
   Tatsuhiro Tsujikawa, Thomas Braun, Tiit Pikma, Yehezkel Horowitz,

         Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

  [1] =
  [2] =
  [3] =
  [4] =
  [5] =
  [6] =
  [7] =
  [8] =
  [9] =
  [10] =
  [11] =
  [12] =
  [13] =
  [14] =
  [15] =
  [16] =
  [17] =
  [18] =
  [19] =


Received on 2014-03-26