- Vijay G filed bug report #2723236

(http://curl.haxx.se/bug/view.cgi?id=2723236) identifying a problem with
  libcurl's TFTP code and its lack of dealing with the OACK packet.

CHANGES

@@ -6,6 +6,11 @@
 
                                   Changelog
 
+Daniel Stenberg (7 May 2009)
+- Vijay G filed bug report #2723236
+  (http://curl.haxx.se/bug/view.cgi?id=2723236) identifying a problem with
+  libcurl's TFTP code and its lack of dealing with the OACK packet.
+
 Yang Tse (5 May 2009)
 - Fixed the --ftp-port address of test #251 to the CLIENTIP address, and
   reverted the change affecting test suite harness committed 4 May.

RELEASE-NOTES

@@ -40,6 +40,7 @@ This release includes the following bugfixes:
  o improved out of the box TPF compatibility
  o HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF
  o Rejected SSL session ids are killed properly (for OpenSSL and GnuTLS builds)
+ o Deal with the TFTP OACK packet
 
 This release includes the following known bugs:
 

TODO-RELEASE

@@ -3,10 +3,6 @@ To be addressed in 7.19.5 (planned release: May 2009)
 
 221 - debian man page warnings
 
-223 - TFTP flaw, #2723236
-
-226 - Active Mode FTPS Data Port Range
-
 228 - rpath problems in linking with custom openssl
 
 232 - [PATCH] transfer.c fixes for CURL_DO_LINEEND_CONV and non-ASCII
@@ -21,3 +17,9 @@ To be addressed in 7.19.5 (planned release: May 2009)
 235 - #2784055, connect race with multi and socks proxy
 
 236 -
+
+To be addressed in 7.19.6 (planned release: July 2009)
+=========================
+
+226 - Active Mode FTPS Data Port Range
+

lib/tftp.c

@@ -695,6 +695,8 @@ static CURLcode tftp_tx(tftp_state_data_t *state, tftp_event_t event)
       }
       return res;
     }
+    /* fall-through */
+  case TFTP_EVENT_OACK:
     /* This is the expected packet.  Reset the counters and send the next
        block */
     state->block++;