Security dependency updates and patches

Security

• Upgrade curl-sys to 0.4.55 to pull in libcurl 7.83.1, which contains security patches for the below vulnerabilities. (#394) @sagebind
  • CVE-2022-27778: curl removes wrong file on error
  • CVE-2022-27779: cookie for trailing dot TLD
  • CVE-2022-27780: percent-encoded path separator in URL host
  • CVE-2022-27781: CERTINFO never-ending busy-loop
  • CVE-2022-27782: TLS and SSH connection too eager reuse
  • CVE-2022-30115: HSTS bypass via trailing dot
• Fix several bugs with the auto_referer option (disabled by default) which could potentially result in sensitive headers being passed to redirect targets unintentionally. (#393) @sagebind
  • Fix multiple Referer headers being included when two or more redirects are followed in a request
  • URL fragments and userinfo parts of the URL authority should not be included in the Referer header
  • Don't include a Referer header when redirecting from an HTTPS URL to an HTTP URL, as per RFC 7231 recommendation
  • Scrub sensitive headers when redirecting to a different authority

Dependency Updates

• Update Public Suffix List to 172bbfd (#395) @teto-bot