Roll out cURL 8.12.1 #25
Comments
|
Ah forgot: if we roll 8.11.0 out with Websocket support, we need to apply the following patch to php-src: ext/curl/tests/check_win_config.phpt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/curl/tests/check_win_config.phpt b/ext/curl/tests/check_win_config.phpt
index b3beb044a7..8330a95564 100644
--- a/ext/curl/tests/check_win_config.phpt
+++ b/ext/curl/tests/check_win_config.phpt
@@ -54,7 +54,7 @@
ZSTD => No
HSTS => Yes
GSASL => No
-Protocols => dict, file, ftp, ftps, gopher, %r(gophers, )?%rhttp, https, imap, imaps, ldap, ldaps, %r(mqtt, )?%rpop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
+Protocols => dict, file, ftp, ftps, gopher, %r(gophers, )?%rhttp, https, imap, imaps, ldap, ldaps, %r(mqtt, )?%rpop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp%r(, ws, wss)?%r
Host => %s-pc-win32
SSL Version => OpenSSL/%s
ZLib Version => %s |
|
Let's wait until after GA and then make sure the next release uses the update.
This likely needs to happen anyway for the Linux users who receive the update via their distro. |
Fine. I'll keep an eye on it.
The test is Windows only. :) |
Thanks!
Ah oops, I missed that. EDIT: duh, it even says win in the title... 🤦 |
|
I guess we want to wait for cURL 8.11.1: https://curl.se/mail/lib-2024-11/0019.html |
|
I've pushed cURL 8.11.1 (which fixes another low severity vulnerability) to master. Test build showed no further issues. I suggest to wait with rolling out until PHP GA's have been released (scheduled for Dec 19th), and then first push staging to stable (we're behind with this for a couple of months). Afterwards we can roll out new releases. |
|
Hmm, that fell through the cracks. :( Anyway, cURL 8.12.0 has now been released, fixing 3 low severity security issues. We should update to this version right away (well, after the stable PHP versions have been rolled out on 2025-02-13). Besides the test case fix we would possibly have needed to fix (#25 (comment)), we now also need php/php-src#17709 (or something like that). I've pushed and tagged the update, made test builds (requires https://github.com/winlibs/winlib-builder/tree/curl/winbuild-deprecation; need to check whether this can be used for older cURL versions; need to update to the CMake build chain soonish anyway), and didn't find any further issues when testing locally. |
Yep. https://github.com/winlibs/winlib-builder/actions/runs/13160583314. I've pushed the fix. |
A start: winlibs/winlib-builder#40 |
|
Hi @here, |
|
@nono303, please don't ping random people. :) Anyway, I've seen your cURL bug report, but for now that is not an issue for "official" PHP builds, since we don't use c-ares (maybe we should in the future). |
|
(Ooops for here 😬) |
|
sleeping on the issue and coming to the right conclusion 😉
This being so (in point point of view), it would be interesting to provide curl lib with c-ares implemented (and thread resolver disabled) to enable |
|
Curl 8.12.1 will be released on Thursday Feb 13th. |
Right, that's the plan. |
|
I've updated to cURL 8.12.1 and tagged it. A test build for PHP 8.4 didn't show any issues for me locally (besides #25 (comment)). @shivammathur, can you please roll out the new version? |
|
@cmb69 Done. |
Same for me for curl 8.12.1 since yesterday. |
cURL 8.11.0 has been released, fixing CVE-2024-9681. Given that is a low severity issue, it might not be necessary to update stable branches right away (should wait after GA at least). I've already pushed the update to master, and did quick testing as usual, and found that now Websocket support is enabled by default. Probably not a problem, since that seems to require special support in ext/curl; otherwise I'd be wary to roll it out to stable versions.
Note that nghttp2 1.64.0 is available to be built as prerequisite for the cURL update.
@nielsdos, any thoughts about the update?
The text was updated successfully, but these errors were encountered: