Update to vanilla curl 8.9.0 #21
Sounds good, nghttp2 may need an update as well before building. I always updated and built nghttp2 first and then did it for curl.
Nghttp2 is the only dependency that I always give an update before rebuilding Curl
Hmm, is nghttp2's API so unstable nowadays that there are issues with the dynamic linking? Or is this about new features in new minor releases which can be used by curl if available? Anyway, @shivammathur provided winlibs/nghttp2@f7b724e, and is currently building.
The latter, making sure it's aware of the potentially new features.
It just has been announced that cURL 8.9.1 ("a patch release to fix a few regressions in the recent release") will be released on Wednesday, so we probably want to wait for that anyway.
That probably is a regression when building curl on iOS: curl/curl#14269 Edit. And a fix for the cmdline tool: curl/curl#14304
Good news: https://curl.se/docs/CVE-2024-7264.html does not affect the OpenSSL backend, so our builds are not affected. The question is: do we want to merge this PR, or just skip 8.9.0, and go with 8.9.1 right away?
I would skip 8.9.0 and go to 8.9.1: vulnerability scanners are stupid and will just check the version number and claim that the CVE applies (even if it doesn't affect our configuration).
Okay, fine for me. I'll provide a PR for 8.9.1 within the next days (probably tomorrow).
I've downloaded the curl-8.9.0.zip from https://curl.se/download/, checked the signature, and replaced all existing files with the new ones. Then I built for PHP 8.3 staging, put the new build in my deps folder, built PHP-8.3 (both x64 and x86), and ran the curl test. Same results as with the original curl.
I suggest to merge this PR, but not to upload the builds yet, because the dependencies might not be up-to-date with those for master.
@shivammathur, @nielsdos, what do you think?