1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
|
curl and libcurl 8.18.0
Public curl releases: 272
Command line options: 273
curl_easy_setopt() options: 308
Public functions in libcurl: 100
Contributors: 3571
This release includes the following changes:
o build: drop support for VS2008 (Windows) [62]
o build: drop Windows CE / CeGCC support [69]
o gnutls: drop support for GnuTLS < 3.6.5 [167]
o gnutls: implement CURLOPT_CAINFO_BLOB [168]
o openssl: bump minimum OpenSSL version to 3.0.0 [60]
This release includes the following bugfixes:
o _PROGRESS.md: add the E unit, mention kibibyte [24]
o alt-svc: more flexibility on same destination [298]
o altsvc: accept ma/persist per alternative entry [287]
o altsvc: make it one malloc instead of three per entry [266]
o AmigaOS: increase minimum stack size for tool_main [137]
o apple sectrust: fix ancient evaluation [327]
o apple-sectrust: always ask when `native_ca_store` is in use [162]
o asyn-ares: handle Curl_dnscache_mk_entry() OOM error [199]
o asyn-ares: remove hostname free on OOM [122]
o asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo [265]
o asyn-thrdd: release rrname if ares_init_options fails [41]
o auth: always treat Curl_auth_ntlm_get() returning NULL as OOM [186]
o autotools: add nettle library detection via pkg-config (for GnuTLS) [178]
o autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr) [70]
o autotools: fix LargeFile feature display on Windows (after prev patch) [276]
o autotools: tidy-up `if` expressions [275]
o badwords: add fist -> first, fix fallouts [388]
o badwords: catch and fix threading-related words [320]
o badwords: fix issues found in scripts and other files [142]
o badwords: fix issues found in tests [156]
o build: add build-level `CURL_DISABLE_TYPECHECK` options [163]
o build: exclude clang prereleases from compiler warning options [154]
o build: replace `-pedantic` with `-Wpedantic` when supported [306]
o build: set `-Wno-format-signedness` [288]
o build: tidy-up MSVC CRT warning suppression macros [140]
o ccsidcurl: make curl_mime_data_ccsid() use the converted size [74]
o cf-h1-proxy: support folded headers in CONNECT responses [296]
o cf-https-connect: allocate ctx at first in cf_hc_create() [79]
o cf-socket: drop feature check for `IPV6_V6ONLY` on Windows [210]
o cf-socket: enable Win10 `TCP_KEEP*` options with old SDKs [323]
o cf-socket: limit use of `TCP_KEEP*` to Windows 10.0.16299+ at runtime [157]
o cf-socket: return OOM error if socket() fails due to OOM [341]
o cf-socket: trace ignored errors [97]
o cfilters: make conn_forget_socket a private libssh function [109]
o checksrc.pl: detect assign followed by more than one space [26]
o cmake: adjust defaults for target platforms not supporting shared libs [35]
o cmake: define dependencies as `IMPORTED` interface targets [223]
o cmake: delete unused file `CMake/CMakeConfigurableFile.in` [363]
o cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON` [16]
o cmake: fix `ws2_32` reference in `curl-config.cmake` [201]
o cmake: honor `CURL_DISABLE_INSTALL` and `CURL_ENABLE_EXPORT_TARGET` [106]
o cmake: replace deprecated `OPENSSL_FOUND` with `OpenSSL_FOUND` [310]
o cmake: replace deprecated `PERL_FOUND` with `Perl_FOUND` [312]
o cmake: save and restore `CMAKE_MODULE_PATH` in `curl-config.cmake` [222]
o cmake: set found status to OFF when not found (for compression deps) [359]
o code: minor indent fixes before closing braces [107]
o CODE_STYLE.md: sync banned function list with checksrc.pl [243]
o compressed.md: might generate a huge amount of bytes [227]
o config-win32.h: delete obsolete, non-Windows comments [295]
o config-win32.h: drop unused/obsolete `CURL_HAS_OPENLDAP_LDAPSDK` [278]
o config2setopts: add space in cookie header with multiple -b [344]
o config2setopts: bail out if curl_url_get() returns OOM [102]
o config2setopts: exit if curl_url_set() fails on OOM [105]
o configure: delete unused variable [294]
o conncache: silence `-Wnull-dereference` on gcc 14 RISC-V 64 [17]
o conncontrol: reuse handling [170]
o connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition' [100]
o connection: attached transfer count [228]
o content_encoding: avoid strcpy [331]
o cookie. return proper error on OOM [330]
o cookie: allocate the main struct once cookie is fine [259]
o cookie: flush better [218]
o cookie: only keep and use the canonical cleaned up path [256]
o cookie: propagate errors better, cleanup the internal API [118]
o cookie: return error on OOM [131]
o cookie: when parsing a cookie header, delay all allocations until okay [258]
o cshutdn: acknowledge FD_SETSIZE for shutdown descriptors [25]
o curl: fix progress meter in parallel mode [15]
o curl_fopen: do not pass invalid mode flags to `open()` on Windows [84]
o curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer [257]
o curl_ntlm_core: fix DES_* symbols for some wolfSSL builds [281]
o curl_quiche: refuse headers with CR, LF or null bytes [333]
o curl_sasl: if redirected, require permission to use bearer [250]
o curl_sasl: make Curl_sasl_decode_mech compare case insensitively [160]
o curl_setup.h: document more funcs flagged by `_CRT_SECURE_NO_WARNINGS` [124]
o curl_setup.h: drop stray `#undef stat` (Windows) [103]
o curl_setup.h: drop superfluous parenthesis from `Curl_safefree` macro [242]
o curl_threads: don't do another malloc if the first fails [345]
o curl_trc: delete unused DoH remains [272]
o CURLINFO: remove 'get' and 'get the' from each short desc [50]
o CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer" [48]
o CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text [49]
o CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use [206]
o CURLOPT_ACCEPT_ENCODING.md: warn about the expansion [224]
o CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/ [283]
o CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use [328]
o CURLOPT_READFUNCTION.md: clarify the size of the buffer [47]
o CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
o curlx/fopen: replace open CRT functions their with `_s` counterparts (Windows) [204]
o curlx/multibyte: stop setting macros for non-Windows [226]
o curlx/strerr: use `strerror_s()` on Windows [75]
o curlx: add `curlx_rename()`, fix to support long filenames on Windows [354]
o curlx: curlx_strcopy() instead of strcpy() [326]
o curlx: limit use of system allocators to the minimum possible [169]
o curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows) [143]
o curlx: replace `sprintf` with `snprintf` [194]
o curlx: use curl alloc in `curlx_win32_stat()` (Windows) [360]
o curlx: use curlx allocators in non-memdebug builds (Windows) [155]
o DEPRECATE: add CMake <3.18 deprecation for April 2026 [291]
o digest: fix OWS and escaped quote handling [391]
o digest_sspi: fix a memory leak on error path [149]
o digest_sspi: properly free sspi identity [12]
o DISTROS.md: add OpenBSD [126]
o DISTROS: fix a Mageia URL
o DISTROS: remove broken URLs for buildroot
o doc: some returned in-memory data may not be altered [196]
o Dockerfile: update debian:bookworm-slim digest to e899040 [305]
o docs/libcurl: fix C formatting nits [207]
o docs: add a note about --compressed to note about binary output [381]
o docs: clarify how to do unix domain sockets with SOCKS proxy [240]
o docs: fix checksrc `EQUALSPACE` warnings [21]
o docs: fix time_posttransfer output unit as seconds [335]
o docs: mention umask need when curl creates files [56]
o docs: remove dead URLs
o docs: rename CURLcode variables to 'result'
o docs: spell it Rustls with a capital R [181]
o docs: switch more URLs to https:// [229]
o docs: use .example URLs for proxies
o docs: use mresult as variable name for CURLMcode
o escape: add a length check in curl_easy_escape [284]
o example: fix formatting nits [232]
o examples/crawler: fix variable [92]
o examples/multi-uv: fix invalid req->data access [177]
o examples/threaded-ssl: delete in favor of `examples/threaded` [318]
o examples/threaded: fix race condition [101]
o examples: fix minor typo [203]
o examples: make functions/data static where missing [139]
o examples: tidy-up headers and includes [138]
o examples: use 64-bit `fstat` on Windows [301]
o FAQ/TODO/KNOWN_BUGS: convert to markdown [307]
o FAQ: fix hackerone URL
o file: do not pass invalid mode flags to `open()` on upload (Windows) [83]
o formdata: validate callback is non-NULL before use [267]
o ftp: make EPRT connections non-blocking [268]
o ftp: refactor a piece of code by merging the repeated part [40]
o ftp: remove #ifdef for define that is always defined [76]
o ftp: return better on OOM in two places [343]
o ftp: return from ftp_state_use_port immediately on OOM [338]
o getenv: drop internal 1-to-1 wrapper [334]
o getinfo: improve perf in debug mode [99]
o gnutls: add PROFILE_MEDIUM as default [233]
o gnutls: report accurate error when TLS-SRP is not built-in [18]
o gtls: add return checks and optimize the code [2]
o gtls: Call keylog_close in cleanup
o gtls: skip session resumption when verifystatus is set
o h2/h3: handle methods with spaces [146]
o headers: add length argument to Curl_headers_push() [309]
o hostcheck: fail wildcard match if host starts with a dot [235]
o hostip.h: drop redundant `setjmp.h` include [380]
o hostip: don't store negative lookup on OOM [61]
o hostip: make more functions return CURLcode [202]
o hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST [183]
o hsts: propagate and error out correctly on OOM [130]
o hsts: use one malloc instead of two per entry [263]
o http: acknowledge OOM errors from Curl_input_ntlm [185]
o http: avoid two strdup()s and do minor simplifications [144]
o http: error on OOM when creating range header [59]
o http: fix OOM exit in Curl_http_follow [179]
o http: handle oom error from Curl_input_digest() [192]
o http: replace atoi use in Curl_http_follow with curlx_str_number [65]
o http: return OOM errors from hsts properly [262]
o http: the :authority header should never contain user+password [147]
o http: unfold response headers earlier [277]
o idn: avoid allocations and wcslen on Windows [247]
o idn: clarify null-termination on Windows [324]
o idn: fix memory leak in `win32_ascii_to_idn()` [173]
o idn: use curlx allocators on Windows [165]
o imap: check buffer length before accessing it [308]
o imap: make sure Curl_pgrsSetDownloadSize() does not overflow [200]
o inet_ntop: avoid the strlen() [371]
o INSTALL-CMAKE.md: document static option defaults more [37]
o krb5: fix detecting channel binding feature [187]
o krb5_sspi: unify a part of error handling [80]
o ldap: call ldap_init() before setting the options [236]
o ldap: drop PP logic for old, unsupported, Windows SDKs [279]
o ldap: improve detection of Apple LDAP [174]
o ldap: provide version for "legacy" ldap as well [254]
o lib/sendf.h: forward declare two structs [221]
o lib: cleanup for some typos about spaces and code style [3]
o lib: create unitprotos.h in the builddir, not srcdir [322]
o lib: drop unused or duplicate `curlx/timeval.h` includes [384]
o lib: drop unused protocol headers [270]
o lib: eliminate size_t casts [112]
o lib: error for OOM when extracting URL query [127]
o lib: fix formatting nits (part 2) [253]
o lib: fix formatting nits (part 3) [248]
o lib: fix formatting nits [215]
o lib: fix gssapi.h include on IBMi [55]
o lib: name the main CURLMcode variable 'mresult' [316]
o lib: refactor the type of funcs which have useless return and checks [1]
o lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows) [164]
o lib: timer stats improvements [190]
o lib: use `SOCKET_WRITABLE()`/`SOCKET_READABLE()` where possible [350]
o libssh2: add paths to error messages for quote commands [114]
o libssh2: cleanup ssh_force_knownhost_key_type [64]
o libssh2: consider strdup() failures OOM and return correctly [72]
o libssh2: replace atoi() in ssh_force_knownhost_key_type [63]
o libssh: fix state machine loop to progress as it should
o libssh: properly free sftp_attributes [153]
o libssh: require private key or user-agent for public key auth [293]
o libssh: set both knownhosts options to the same file [271]
o libtests: replace `atoi()` with `curlx_str_number()` [120]
o limit-rate: add example using --limit-rate and --max-time together [89]
o localtime: detect thread-safe alternatives and use them [325]
o m4/sectrust: fix test(1) operator [4]
o manage: expand the 'libcurl support required' message [208]
o mbedTLS: cleanup insecure/deprecated code [351]
o mbedtls: fix potential use of uninitialized `nread` [8]
o mbedtls: sync format across log messages [213]
o mbedtls_threadlock: avoid calloc, use array [244]
o mdlinkcheck: ignore IP numbers, allow '@' in raw URLs
o mdlinkcheck: only look for markdown links in markdown files [311]
o memdebug: add mutex for thread safety [184]
o memdebug: fix realloc logging [286]
o mk-ca-bundle.md: the file format docs URL is permaredirected [188]
o mk-ca-bundle.pl: default to SHA256 fingerprints with `-t` option [73]
o mk-ca-bundle.pl: use `open()` with argument list to replace backticks [71]
o mqtt: reject overly big messages [39]
o mqtt: return error when a too large packet is decoded [366]
o multi: make max_total_* members size_t [158]
o multi: remove MSTATE_TUNNELING [297]
o multi: simplify admin handle processing [189]
o multibyte: limit `curlx_convert_*wchar*()` functions to Unicode builds [135]
o ngtcp2+openssl: fix leak of session [172]
o ngtcp2: remove the unused Curl_conn_is_ngtcp2 function [85]
o ngtcp2: retune window sizes [365]
o noproxy: fix build on systems without IPv6 [264]
o noproxy: fix ipv6 handling [239]
o noproxy: replace atoi with curlx_str_number [67]
o openssl: exit properly on OOM when getting certchain [133]
o openssl: fix a potential memory leak of bio_out [150]
o openssl: fix a potential memory leak of params.cert [151]
o openssl: fix building against no-dsa openssl [386]
o openssl: fix building against no-ocsp openssl with Apple SecTrust [385]
o openssl: no verify failf message unless strict [166]
o openssl: release ssl_session if sess_reuse_cb fails [43]
o openssl: remove code handling default version [28]
o openssl: simplify `HAVE_KEYLOG_CALLBACK` guard [212]
o openssl: stop checking for `OPENSSL_NO_SHA*` macros [382]
o openssl: stop checking for `OPENSSL_NO_TLSEXT` macro [383]
o openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache [313]
o OS400/ccsidcurl: fix curl_easy_setopt_ccsid for non-converted blobs [94]
o OS400/makefile.sh: fix shellcheck warning SC2038 [86]
o os400sys: replace `strcpy()` with `memcpy()` [273]
o osslq: code readability [5]
o progress: make it one column narrower [352]
o progress: narrower time display, multiple fixes [369]
o progress: show fewer digits [78]
o projects/README.md: Markdown fixes [148]
o pytest fixes and improvements [159]
o pytest: add tests using sshd [303]
o pytest: disable two H3 earlydata tests for all platforms (was: macOS) [116]
o pytest: do not ignore server issues [329]
o pytest: enable OCSP test 17_08 for LibreSSL [364]
o pytest: fix and improve reliability [251]
o pytest: improve stragglers [252]
o pytest: quiche flakiness [280]
o pytest: skip H2 tests if feature missing from curl [46]
o quiche: use client writer [255]
o ratelimit blocking: fix busy loop [290]
o ratelimit: redesign [209]
o rtmp: fix double-free on URL parse errors [27]
o rtmp: precaution for a potential integer truncation [54]
o rtmp: stop redefining `setsockopt` system symbol on Windows [211]
o runner.pm: run memanalyzer as a Perl module [260]
o runtests: add options to set minimum number of tests, use them [302]
o runtests: detect bad libssh differently for test 1459 [11]
o runtests: drop Python 2 support remains [45]
o runtests: enable torture testing with threaded resolver [176]
o runtests: improve XML prolog check, enable `-w` permanently, fix two tests [231]
o runtests: make memanalyzer a Perl module (for 1.1-2x speed-up per test run) [238]
o rustls: fix a potential memory issue [81]
o rustls: minor adjustment of sizeof() [38]
o rustls: simplify init err path [219]
o rustls: verify that verifier_builder is not NULL [220]
o schannel: cap the maximum allowed size for loading cert [274]
o schannel: fix memory leak of cert_store_path on four error paths [23]
o schannel: replace atoi() with curlx_str_number() [119]
o schannel: use Win8 `CERT_NAME_SEARCH_ALL_NAMES_FLAG` with old SDKs [321]
o schannel_verify: fix a memory leak of cert_context [152]
o scripts: fix shellcheck SC2046 warnings [90]
o scripts: use end-of-options marker in `find -exec` commands [87]
o setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL [30]
o setopt: when setting bad protocols, don't store them [9]
o sftp: fix range downloads in both SSH backends [82]
o slist: constify Curl_slist_append_nodup() string argument [195]
o smb: fix a size check to be overflow safe [161]
o socketpair: drop redundant `_WIN32` branch and include [367]
o socks_sspi: use free() not FreeContextBuffer() [93]
o source: misc typos [372]
o speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE [113]
o speedlimit: also reset on send unpausing [197]
o src: drop redundant definition of `BIT()` [357]
o src: fix formatting nits [246]
o ssh: tracing and better pollset handling [230]
o sspi: fix memory leaks on error paths in `Curl_create_sspi_identity()` [237]
o sws: fix binding to unix socket on Windows [214]
o synctime: tidy up, make it work on all platforms [269]
o telnet: abort on bad suboption sequence [300]
o telnet: replace atoi for BINARY handling with curlx_str_number [66]
o TEST-SUITE.md: correct the man page's path [136]
o test07_22: fix flakiness [95]
o test1475: consistently use %CR in headers [234]
o test1498: disable 'HTTP PUT from stdin' test on Windows [115]
o test2045: replace HTML multi-line comment markup with `#` comments [36]
o test318: tweak the name a little
o test3207: enable memdebug for this test again [249]
o test363: delete stray character (typo) from a section tag [52]
o test568: fix codespell, catch it next time early in CI [299]
o test568: remove what looks like an email and a URL [304]
o test787: fix possible typo `&` -> `%` in curl option [241]
o test96: fix to accept non-unity memdump content with MSVC [339]
o tests/data: move `--libcurl` output to external data files [34]
o tests/data: replace hard-coded test numbers with `%TESTNUMBER` [33]
o tests/data: support using native newlines on disk, drop `.gitattributes` [91]
o tests/server: do not fall back to original data file in `test2fopen()` [32]
o tests/server: fix initialization on Windows Vista+ [216]
o tests/server: replace `atoi()` and `atol()` with `curlx_str_number()` [110]
o tests: add `%AMP` macro, use it in two tests [245]
o tests: add a standard log line for alloc failures [319]
o tests: allow 2500-2503 to use ~2MB malloc [31]
o tests: drop redundant parenthesis from two macro expressions [376]
o tests: fix formatting nits [225]
o tests: rename CURLMcode variables to mresult
o tftp: release filename if conn_get_remote_addr fails [42]
o tftpd: fix/tidy up `open()` mode flags [57]
o tidy-up: avoid `(())`, clang-format fixes and more [141]
o tidy-up: move `CURL_UNCONST()` out from macro `curl_unicodefree()` [121]
o tidy-up: URLs (cont.) and mdlinkcheck [285]
o tidy-up: URLs [182]
o TODO: remove a mandriva.com reference
o tool: consider (some) curl_easy_setopt errors fatal [7]
o tool: log when loading .curlrc in verbose mode [191]
o tool_cfgable: free ssl-sessions at exit [123]
o tool_doswin: clear pointer when thread takes ownership [198]
o tool_doswin: increase allowable length of path sanitizer [289]
o tool_doswin: remove the max length check [374]
o tool_getparam: simplify the --rate parser [373]
o tool_getparam: use memdup0() instead of malloc + copy [390]
o tool_getparam: verify that a file exists for some options [134]
o tool_help: add checks to avoid unsigned wrap around [14]
o tool_ipfs: check return codes better [20]
o tool_msgs: make voutf() use stack instead of heap [125]
o tool_operate: exit on curl_share_setopt errors [108]
o tool_operate: fix a case of ignoring return code in operate() [128]
o tool_operate: fix case of ignoring return code in single_transfer [129]
o tool_operate: remove redundant condition [19]
o tool_operate: return error for OOM in append2query [217]
o tool_operate: use curlx_str_number instead of atoi [68]
o tool_paramhlp: refuse --proto remove all protocols [10]
o tool_paramhlp: remove a malloc+free from proto2num() [378]
o tool_paramhlp: simplify number parsing [375]
o tool_progress: fix large time outputs and decimal size display [379]
o tool_urlglob: acknowledge OOM in peek_ipv6 [175]
o tool_urlglob: clean up used memory on errors better [44]
o tool_urlglob: constify an argument [361]
o tool_urlglob: fix propagating OOM error from `sanitize_file_name()` [342]
o tool_urlglob: support globs as long as config line lengths [282]
o tool_writeout: bail out proper on OOM [104]
o url: fix return code for OOM in parse_proxy() [193]
o url: if curl_url_get() fails due to OOM, error out properly [205]
o url: if OOM in parse_proxy() return error [132]
o url: return error at once when OOM in netrc handling [332]
o urlapi: fix mem-leaks in curl_url_get error paths [22]
o urlapi: handle OOM properly when setting URL [180]
o urlapi: return OOM correctly from parse_hostname_login() [337]
o verify-release: update to avoid shellcheck warning SC2034 [88]
o vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally [96]
o vquic: do not pass invalid mode flags to `open()` (Windows) [58]
o vquic: do_sendmsg full init [171]
o vquic: ignore 0-length UDP packets [336]
o vquic: initialize new callback in nghttp3 1.14.0+ [317]
o vtls: drop unused `use_alpn` from `ssl_connect_data` struct [355]
o vtls: fix CURLOPT_CAPATH use [51]
o vtls: handle possible malicious certs_num from peer [53]
o vtls: pinned key check [98]
o VULN-DISCLOSURE-POLICY.md: CRLF in data [349]
o wcurl: import v2025.11.09 [29]
o wcurl: import v2026.01.05 [315]
o windows: assume `USE_WIN32_LARGE_FILES` [292]
o windows: fix `CreateFile()` calls to support long filenames [356]
o windows: use `_strdup()` instead of `strdup()` where missing [145]
o wolfSSL: able to differentiate between IP and DNS in alt names [13]
o wolfssl: avoid NULL dereference in OOM situation [77]
o wolfssl: fix a potential memory leak of session [6]
o wolfssl: fix cipher list, skip 5.8.4 regression [117]
o wolfssl: fix possible assert with `!HAVE_NO_EX` wolfSSL builds [261]
o wolfssl: proof use of wolfSSL_i2d_SSL_SESSION [314]
o wolfssl: simplify wssl_send_earlydata [111]
o ws: replace a cast by matching the format string [358]
o x509asn1: drop unused `hostcheck.h`, `vtls_int.h` includes [340]
This release includes the following known bugs:
See https://curl.se/docs/knownbugs.html
For all changes ever done in curl:
See https://curl.se/changes.html
Planned upcoming removals include:
o OpenSSL-QUIC
o RTMP support
o Support for c-ares versions before 1.16.0
o Support for Windows XP/2003
See https://curl.se/dev/deprecate.html
This release would not have looked like this without help, code, reports and
advice from friends like these:
Aleksandr Sergeev, Aleksei Bavshin, Alexander Batischev, Andrew Kirillov,
anonymous237 on hackerone, BANADDA, boingball, Brad King, bttrfl on github,
Christian Schmitz, correctmost on github, Dan Fandrich, Daniel McCarney,
Daniel Pouzzner, Daniel Santos, Daniel Stenberg, Denis Goleshchikhin,
Deniz Parlak, dependabot[bot], Fabian Keil, Fd929c2CE5fA on github,
ffath-vo on github, Fizn-Ahmd on github, Gabriel Marin,
Georg Schulz-Allgaier, Gisle Vanem, Greg Hudson, Harry Sintonen,
herdiyanitdev on hackerone, Hunt Darlener, Huseyin Tintas, Jeff King,
Jiyong Yang, John Haugabook, Joshua Vandaële, Juliusz Sosinowicz, Kai Pastor,
koujaz on github, Leonardo Taccari, letshack9707 on hackerone, Marc Aldorasi,
Marcel Raad, Mathesh V, Max Faxälv, nait-furry, ncaklovic on github,
Nick Korepanov, Omdahake on github, Patrick Monnerat, pelioro on hackerone,
pojomi, Ray Satiro, renovate[bot], Robert W. Van Kirk, Samuel Henrique,
Sergey Katsubo, st751228051 on github, Stanislav Fort, Stefan Eissing,
Stuart Henderson, Sunny, Theo Buehler, Thomas Klausner, Tobias Zimmermann,
trxvorr, Viktor Szakats, Wesley Moore, Wyatt O'Day, Xiaoke Wang,
Yedaya Katsman, Yuhao Jiang, yushicheng7788 on github
(72 contributors)
References to bug reports and discussions on issues:
[1] = https://curl.se/bug/?i=19386
[2] = https://curl.se/bug/?i=19366
[3] = https://curl.se/bug/?i=19370
[4] = https://curl.se/bug/?i=19371
[5] = https://curl.se/bug/?i=19394
[6] = https://curl.se/bug/?i=19555
[7] = https://curl.se/bug/?i=19385
[8] = https://curl.se/bug/?i=19393
[9] = https://curl.se/bug/?i=19389
[10] = https://curl.se/bug/?i=19388
[11] = https://curl.se/bug/?i=19557
[12] = https://curl.se/bug/?i=19426
[13] = https://curl.se/bug/?i=19364
[14] = https://curl.se/bug/?i=19377
[15] = https://curl.se/bug/?i=19383
[16] = https://curl.se/bug/?i=19380
[17] = https://curl.se/bug/?i=19378
[18] = https://curl.se/bug/?i=19365
[19] = https://curl.se/bug/?i=19381
[20] = https://curl.se/bug/?i=19382
[21] = https://curl.se/bug/?i=19379
[22] = https://curl.se/bug/?i=19440
[23] = https://curl.se/bug/?i=19423
[24] = https://curl.se/bug/?i=19502
[25] = https://curl.se/bug/?i=19439
[26] = https://curl.se/bug/?i=19375
[27] = https://curl.se/bug/?i=19438
[28] = https://curl.se/bug/?i=19354
[29] = https://curl.se/bug/?i=19430
[30] = https://curl.se/bug/?i=19434
[31] = https://curl.se/bug/?i=19716
[32] = https://curl.se/bug/?i=19429
[33] = https://curl.se/bug/?i=19427
[34] = https://curl.se/bug/?i=19799
[35] = https://curl.se/bug/?i=19420
[36] = https://curl.se/bug/?i=19498
[37] = https://curl.se/bug/?i=19419
[38] = https://hackerone.com/reports/3427460
[39] = https://curl.se/bug/?i=19415
[40] = https://curl.se/bug/?i=19411
[41] = https://curl.se/bug/?i=19410
[42] = https://curl.se/bug/?i=19409
[43] = https://curl.se/bug/?i=19405
[44] = https://curl.se/bug/?i=19614
[45] = https://curl.se/bug/?i=19544
[46] = https://curl.se/bug/?i=19412
[47] = https://curl.se/bug/?i=19402
[48] = https://curl.se/bug/?i=19403
[49] = https://curl.se/bug/?i=19404
[50] = https://curl.se/bug/?i=19406
[51] = https://curl.se/bug/?i=19401
[52] = https://curl.se/bug/?i=19490
[53] = https://curl.se/bug/?i=19397
[54] = https://curl.se/bug/?i=19399
[55] = https://curl.se/bug/?i=19336
[56] = https://curl.se/bug/?i=19396
[57] = https://curl.se/bug/?i=19671
[58] = https://curl.se/bug/?i=19670
[59] = https://curl.se/bug/?i=19630
[60] = https://curl.se/bug/?i=18330
[61] = https://curl.se/bug/?i=19484
[62] = https://curl.se/bug/?i=17931
[63] = https://curl.se/bug/?i=19479
[64] = https://curl.se/bug/?i=19479
[65] = https://curl.se/bug/?i=19478
[66] = https://curl.se/bug/?i=19477
[67] = https://curl.se/bug/?i=19475
[68] = https://curl.se/bug/?i=19480
[69] = https://curl.se/bug/?i=17927
[70] = https://curl.se/bug/?i=19464
[71] = https://curl.se/bug/?i=19461
[72] = https://curl.se/bug/?i=19791
[73] = https://curl.se/bug/?i=19359
[74] = https://curl.se/bug/?i=19465
[75] = https://curl.se/bug/?i=19646
[76] = https://curl.se/bug/?i=19463
[77] = https://curl.se/bug/?i=19459
[78] = https://curl.se/bug/?i=19431
[79] = https://curl.se/bug/?i=19454
[80] = https://curl.se/bug/?i=19452
[81] = https://curl.se/bug/?i=19425
[82] = https://curl.se/bug/?i=19460
[83] = https://curl.se/bug/?i=19647
[84] = https://curl.se/bug/?i=19645
[85] = https://curl.se/bug/?i=19725
[86] = https://curl.se/bug/?i=19451
[87] = https://curl.se/bug/?i=19450
[88] = https://curl.se/bug/?i=19449
[89] = https://curl.se/bug/?i=19473
[90] = https://curl.se/bug/?i=19432
[91] = https://curl.se/bug/?i=19398
[92] = https://curl.se/bug/?i=19446
[93] = https://curl.se/bug/?i=19445
[94] = https://curl.se/bug/?i=19444
[95] = https://curl.se/bug/?i=19530
[96] = https://curl.se/bug/?i=19531
[97] = https://curl.se/bug/?i=19520
[98] = https://curl.se/bug/?i=19529
[99] = https://curl.se/bug/?i=19525
[100] = https://curl.se/bug/?i=19523
[101] = https://curl.se/bug/?i=19524
[102] = https://curl.se/bug/?i=19518
[103] = https://curl.se/bug/?i=19519
[104] = https://curl.se/bug/?i=19667
[105] = https://curl.se/bug/?i=19517
[106] = https://curl.se/bug/?i=19144
[107] = https://curl.se/bug/?i=19512
[108] = https://curl.se/bug/?i=19513
[109] = https://curl.se/bug/?i=19727
[110] = https://curl.se/bug/?i=19510
[111] = https://curl.se/bug/?i=19509
[112] = https://curl.se/bug/?i=19495
[113] = https://curl.se/bug/?i=19653
[114] = https://curl.se/bug/?i=19605
[115] = https://curl.se/bug/?i=19855
[116] = https://curl.se/bug/?i=19724
[117] = https://curl.se/bug/?i=19644
[118] = https://curl.se/bug/?i=19493
[119] = https://curl.se/bug/?i=19483
[120] = https://curl.se/bug/?i=19506
[121] = https://curl.se/bug/?i=19606
[122] = https://curl.se/bug/?i=19658
[123] = https://curl.se/bug/?i=19602
[124] = https://curl.se/bug/?i=19597
[125] = https://curl.se/bug/?i=19651
[126] = https://curl.se/bug/?i=19596
[127] = https://curl.se/bug/?i=19594
[128] = https://curl.se/bug/?i=19650
[129] = https://curl.se/bug/?i=19649
[130] = https://curl.se/bug/?i=19593
[131] = https://curl.se/bug/?i=19591
[132] = https://curl.se/bug/?i=19590
[133] = https://curl.se/bug/?i=19471
[134] = https://curl.se/bug/?i=19583
[135] = https://curl.se/bug/?i=19796
[136] = https://curl.se/bug/?i=19586
[137] = https://curl.se/bug/?i=19578
[138] = https://curl.se/bug/?i=19580
[139] = https://curl.se/bug/?i=19579
[140] = https://curl.se/bug/?i=19175
[141] = https://curl.se/bug/?i=19854
[142] = https://curl.se/bug/?i=19572
[143] = https://curl.se/bug/?i=19581
[144] = https://curl.se/bug/?i=19571
[145] = https://curl.se/bug/?i=19794
[146] = https://curl.se/bug/?i=19543
[147] = https://curl.se/bug/?i=19568
[148] = https://curl.se/bug/?i=19569
[149] = https://curl.se/bug/?i=19567
[150] = https://curl.se/bug/?i=19561
[151] = https://curl.se/bug/?i=19560
[152] = https://curl.se/bug/?i=19556
[153] = https://curl.se/bug/?i=19564
[154] = https://curl.se/bug/?i=19566
[155] = https://curl.se/bug/?i=19788
[156] = https://curl.se/bug/?i=19541
[157] = https://curl.se/bug/?i=19520
[158] = https://curl.se/bug/?i=19618
[159] = https://curl.se/bug/?i=19540
[160] = https://curl.se/bug/?i=19535
[161] = https://curl.se/bug/?i=19640
[162] = https://curl.se/bug/?i=19636
[163] = https://curl.se/bug/?i=19637
[164] = https://curl.se/bug/?i=19589
[165] = https://curl.se/bug/?i=19790
[166] = https://curl.se/bug/?i=19615
[167] = https://curl.se/bug/?i=19609
[168] = https://curl.se/bug/?i=19612
[169] = https://curl.se/bug/?i=19748
[170] = https://curl.se/bug/?i=19333
[171] = https://curl.se/bug/?i=19714
[172] = https://curl.se/bug/?i=19717
[173] = https://curl.se/bug/?i=19789
[174] = https://curl.se/bug/?i=19849
[175] = https://curl.se/bug/?i=19784
[176] = https://curl.se/bug/?i=19786
[177] = https://curl.se/bug/?i=19462
[178] = https://curl.se/bug/?i=19703
[179] = https://curl.se/bug/?i=19705
[180] = https://curl.se/bug/?i=19704
[181] = https://curl.se/bug/?i=19702
[182] = https://curl.se/bug/?i=19879
[183] = https://curl.se/bug/?i=19701
[184] = https://curl.se/bug/?i=19785
[185] = https://curl.se/bug/?i=19781
[186] = https://curl.se/bug/?i=19782
[187] = https://curl.se/bug/?i=19164
[188] = https://curl.se/bug/?i=19877
[189] = https://curl.se/bug/?i=19604
[190] = https://curl.se/bug/?i=19269
[191] = https://curl.se/bug/?i=19663
[192] = https://curl.se/bug/?i=19780
[193] = https://curl.se/bug/?i=19779
[194] = https://curl.se/bug/?i=19681
[195] = https://curl.se/bug/?i=19692
[196] = https://curl.se/bug/?i=19692
[197] = https://curl.se/bug/?i=19687
[198] = https://curl.se/bug/?i=19689
[199] = https://curl.se/bug/?i=19688
[200] = https://curl.se/bug/?i=19774
[201] = https://curl.se/bug/?i=19775
[202] = https://curl.se/bug/?i=19669
[203] = https://curl.se/bug/?i=19683
[204] = https://curl.se/bug/?i=19643
[205] = https://curl.se/bug/?i=19838
[206] = https://curl.se/bug/?i=19840
[207] = https://curl.se/bug/?i=19844
[208] = https://curl.se/bug/?i=19665
[209] = https://curl.se/bug/?i=19384
[210] = https://curl.se/bug/?i=19769
[211] = https://curl.se/bug/?i=19768
[212] = https://curl.se/bug/?i=19843
[213] = https://curl.se/bug/?i=19842
[214] = https://curl.se/bug/?i=19812
[215] = https://curl.se/bug/?i=19764
[216] = https://curl.se/bug/?i=18009
[217] = https://curl.se/bug/?i=19763
[218] = https://curl.se/bug/?i=20090
[219] = https://curl.se/bug/?i=19759
[220] = https://curl.se/bug/?i=19756
[221] = https://curl.se/bug/?i=19761
[222] = https://curl.se/bug/?i=16973
[223] = https://curl.se/bug/?i=16973
[224] = https://curl.se/bug/?i=20031
[225] = https://curl.se/bug/?i=19754
[226] = https://curl.se/bug/?i=19751
[227] = https://curl.se/bug/?i=20028
[228] = https://curl.se/bug/?i=19836
[229] = https://curl.se/bug/?i=19872
[230] = https://curl.se/bug/?i=19745
[231] = https://curl.se/bug/?i=19970
[232] = https://curl.se/bug/?i=19746
[233] = https://curl.se/bug/?i=19853
[234] = https://curl.se/bug/?i=19870
[235] = https://curl.se/bug/?i=19869
[236] = https://curl.se/bug/?i=19830
[237] = https://curl.se/bug/?i=19866
[238] = https://curl.se/bug/?i=19786
[239] = https://curl.se/bug/?i=19828
[240] = https://curl.se/bug/?i=19829
[241] = https://curl.se/bug/?i=19826
[242] = https://curl.se/bug/?i=19734
[243] = https://curl.se/bug/?i=19733
[244] = https://curl.se/bug/?i=19732
[245] = https://curl.se/bug/?i=19824
[246] = https://curl.se/bug/?i=19823
[247] = https://curl.se/bug/?i=19798
[248] = https://curl.se/bug/?i=19811
[249] = https://curl.se/bug/?i=19813
[250] = https://curl.se/bug/?i=19933
[251] = https://curl.se/bug/?i=19970
[252] = https://curl.se/bug/?i=19809
[253] = https://curl.se/bug/?i=19800
[254] = https://curl.se/bug/?i=19808
[255] = https://curl.se/bug/?i=19803
[256] = https://curl.se/bug/?i=19864
[257] = https://curl.se/bug/?i=19802
[258] = https://curl.se/bug/?i=19864
[259] = https://curl.se/bug/?i=19864
[260] = https://curl.se/bug/?i=19863
[261] = https://curl.se/bug/?i=19816
[262] = https://curl.se/bug/?i=19862
[263] = https://curl.se/bug/?i=19861
[264] = https://curl.se/bug/?i=19860
[265] = https://github.com/curl/curl/commit/ce06fe7771052549ff430c86173b2eaca91f8a9c#r172215567
[266] = https://curl.se/bug/?i=19857
[267] = https://curl.se/bug/?i=19858
[268] = https://curl.se/bug/?i=19753
[269] = https://curl.se/bug/?i=19965
[270] = https://curl.se/bug/?i=20093
[271] = https://curl.se/bug/?i=20092
[272] = https://curl.se/bug/?i=20026
[273] = https://curl.se/bug/?i=20089
[274] = https://curl.se/bug/?i=19964
[275] = https://curl.se/bug/?i=18189
[276] = https://curl.se/bug/?i=19922
[277] = https://curl.se/bug/?i=19949
[278] = https://curl.se/bug/?i=19920
[279] = https://curl.se/bug/?i=19918
[280] = https://curl.se/bug/?i=19770
[281] = https://curl.se/bug/?i=20083
[282] = https://curl.se/bug/?i=19960
[283] = https://curl.se/bug/?i=19915
[284] = https://curl.se/bug/?i=20086
[285] = https://curl.se/bug/?i=19911
[286] = https://curl.se/bug/?i=19900
[287] = https://curl.se/bug/?i=20160
[288] = https://curl.se/bug/?i=19907
[289] = https://curl.se/bug/?i=20044
[290] = https://curl.se/bug/?i=20091
[291] = https://curl.se/bug/?i=19902
[292] = https://curl.se/bug/?i=19888
[293] = https://curl.se/bug/?i=20110
[294] = https://curl.se/bug/?i=19901
[295] = https://curl.se/bug/?i=19899
[296] = https://curl.se/bug/?i=20080
[297] = https://curl.se/bug/?i=19894
[298] = https://curl.se/bug/?i=19740
[299] = https://curl.se/bug/?i=19945
[300] = https://curl.se/bug/?i=20108
[301] = https://curl.se/bug/?i=19896
[302] = https://curl.se/bug/?i=19942
[303] = https://curl.se/bug/?i=19934
[304] = https://curl.se/bug/?i=19944
[305] = https://curl.se/bug/?i=19891
[306] = https://curl.se/bug/?i=20010
[307] = https://curl.se/bug/?i=19875
[308] = https://curl.se/bug/?i=19887
[309] = https://curl.se/bug/?i=19886
[310] = https://curl.se/bug/?i=20012
[311] = https://curl.se/bug/?i=19938
[312] = https://curl.se/bug/?i=20011
[313] = https://curl.se/bug/?i=20009
[314] = https://curl.se/bug/?i=20008
[315] = https://curl.se/bug/?i=20194
[316] = https://curl.se/bug/?i=19997
[317] = https://curl.se/bug/?i=20077
[318] = https://curl.se/bug/?i=20002
[319] = https://curl.se/bug/?i=19995
[320] = https://curl.se/bug/?i=20001
[321] = https://curl.se/bug/?i=20000
[322] = https://curl.se/bug/?i=19966
[323] = https://curl.se/bug/?i=19999
[324] = https://curl.se/bug/?i=19980
[325] = https://curl.se/bug/?i=19957
[326] = https://curl.se/bug/?i=20067
[327] = https://curl.se/bug/?i=20074
[328] = https://curl.se/bug/?i=20075
[329] = https://curl.se/bug/?i=19996
[330] = https://curl.se/bug/?i=19992
[331] = https://curl.se/bug/?i=20072
[332] = https://curl.se/bug/?i=20103
[333] = https://curl.se/bug/?i=20101
[334] = https://curl.se/bug/?i=19984
[335] = https://curl.se/bug/?i=19986
[336] = https://curl.se/bug/?i=19978
[337] = https://curl.se/bug/?i=20100
[338] = https://curl.se/bug/?i=20100
[339] = https://curl.se/bug/?i=20064
[340] = https://curl.se/bug/?i=20063
[341] = https://curl.se/bug/?i=20100
[342] = https://curl.se/bug/?i=20198
[343] = https://curl.se/bug/?i=20099
[344] = https://curl.se/bug/?i=20184
[345] = https://curl.se/bug/?i=20095
[349] = https://curl.se/bug/?i=20157
[350] = https://curl.se/bug/?i=20052
[351] = https://curl.se/bug/?i=19983
[352] = https://curl.se/bug/?i=20122
[354] = https://curl.se/bug/?i=20042
[355] = https://curl.se/bug/?i=20154
[356] = https://curl.se/bug/?i=19286
[357] = https://curl.se/bug/?i=20152
[358] = https://curl.se/bug/?i=20151
[359] = https://curl.se/bug/?i=20147
[360] = https://curl.se/bug/?i=20043
[361] = https://curl.se/bug/?i=20045
[363] = https://curl.se/bug/?i=20038
[364] = https://curl.se/bug/?i=20149
[365] = https://curl.se/bug/?i=20030
[366] = https://curl.se/bug/?i=20148
[367] = https://curl.se/bug/?i=20032
[369] = https://curl.se/bug/?i=20122
[371] = https://curl.se/bug/?i=20139
[372] = https://curl.se/bug/?i=20138
[373] = https://curl.se/bug/?i=20119
[374] = https://curl.se/bug/?i=20143
[375] = https://curl.se/bug/?i=20134
[376] = https://curl.se/bug/?i=20136
[378] = https://curl.se/bug/?i=20120
[379] = https://curl.se/bug/?i=20177
[380] = https://curl.se/bug/?i=20132
[381] = https://curl.se/bug/?i=20168
[382] = https://curl.se/bug/?i=20130
[383] = https://curl.se/bug/?i=20129
[384] = https://curl.se/bug/?i=20126
[385] = https://curl.se/bug/?i=20128
[386] = https://curl.se/bug/?i=20127
[388] = https://curl.se/bug/?i=20066
[390] = https://curl.se/bug/?i=20118
[391] = https://curl.se/bug/?i=20102
|
