Re: SIGINT vs. SIGTERM?
On Sun, 25 Aug 2024, Paul Gilmartin via curl-users wrote:

> Running curl from a script I attempt to terminate a long download.
> kill -INT curl has no effect
> kill -TERM curl terminates curl.
> Does curl trap SIGINT for some special behavior, leaving the default SIGTERM?

SIGINT is the signal that hitting ctrl-c in a terminal sends to the application like when aborting a slow transfer. I use that frequently with curl and I have never seen or experienced a problem with that.

So no, curl does not ignore SIGINT.

--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html
"webinar: mastering the curl command line"
Hello!

I just wanted to mention that I am again running a little webinar about curl this Thursday. All details here:

https://daniel.haxx.se/blog/2024/09/02/webinar-mastering-the-curl-command-line/

--
 / daniel.haxx.se
Re: Upload of new mail via IMAP
On Mon, 9 Sep 2024, Nicolas George via curl-users wrote:

> Can I submit a feature wish to have an option to choose the presence or absence of this “(\\Seen)” flag?

What would you say the ideal way would be to set such an option on the command line? Assuming we keep the current way the default for backwards compatibility.

--
 / daniel.haxx.se
[RELEASE] curl 8.10.0
Hello friends!

I'm happy to announce another curl release. Get it as always from https://curl.se.

Pay special attention to the security advisory that follows this email.

curl and libcurl 8.10.0

 Public curl releases:         260
 Command line options:         265
 curl_easy_setopt() options:   306
 Public functions in libcurl:  94
 Contributors:                 3239

This release includes the following changes:

 o autotools: add `--enable-windows-unicode` option [103]
 o curl: --help [option] displays documentation for given cmdline option [19]
 o curl: add --skip-existing [54]
 o curl: for -O, use "default" as filename when the URL has none [34]
 o curl: make --rate accept "number of units" [4]
 o curl: make --show-headers the same as --include [6]
 o curl: support --dump-header % to direct to stderr [31]
 o curl: support embedding a CA bundle and --dump-ca-embed [20]
 o curl: support repeated use of the verbose option; -vv etc [35]
 o curl: use libuv for parallel transfers with --test-event [82]
 o getinfo: add CURLINFO_POSTTRANSFER_TIME_T [87]
 o mbedtls: add CURLOPT_TLS13_CIPHERS support [78]
 o rustls: add support for setting TLS version and ciphers [113]
 o vtls: stop offering alpn http/1.1 for http2-prior-knowledge [53]
 o wolfssl: add CURLOPT_TLS13_CIPHERS support [76]
 o wolfssl: add support for ssl cert blob / ssl key blob options [50]

This release includes the following bugfixes:

 o asyn-thread: stop using GetAddrInfoExW on Windows [241]
 o autotools: fix MS-DOS builds [249]
 o autotools: fix typo in tests/data target [30]
 o aws_sigv4: fix canon order for headers with same prefix [74]
 o bearssl: fix setting tls version [203]
 o bearssl: improve shutdown handling [45]
 o BINDINGS: add zig binding [100]
 o build: add `iphlpapi` lib for libssh on Windows [166]
 o build: add `poll()` detection for cross-builds [244]
 o build: add options to disable SHA-512/256 hash algo [239]
 o build: check OS-native IDN first, then libidn2 [223]
 o build: delete unused `REQUIRE_LIB_DEPS` [226]
 o build: drop unused `NROFF` reference [253]
 o build: drop unused feature-detection code for Apple `poll()` [227]
 o build: generate `buildinfo.txt` for test logs [256]
 o build: improve compiler version detection portability
 o build: make `CURL_FORMAT_CURL_OFF_T[U]` work with mingw-w64 <=7.0.0 [207]
 o build: silence C4232 MSVC warnings in vcpkg ngtcp2 builds [137]
 o build: use -Wno-format-overflow [195]
 o buildconf.bat: fix tool_hugehelp.c generation [173]
 o cf-socket: fix pollset for listening [179]
 o cf-socket: prevent KEEPALIVE_FACTOR being set to 1000 for Windows [185]
 o cfilters: send flush [13]
 o CHANGES: rename to CHANGES.md, no longer generated [40]
 o CI: enable parallel testing in CI builds [18]
 o ci: Update actions/upload-artifact digest to 89ef406 [24]
 o cmake: `Libs.private` improvements [215]
 o cmake: add `CURL_USE_PKGCONFIG` option [138]
 o cmake: add Linux CI job, fix pytest with cmake [71]
 o cmake: add math library when using wolfssl and ngtcp2 [66]
 o cmake: add missing `pkg-config` hints to Find modules [158]
 o cmake: add missing version detection to Find modules [170]
 o cmake: add rustls [116]
 o cmake: add support for versioned symbols option [51]
 o cmake: add wolfSSH support [117]
 o cmake: allow `pkg-config` in more envs [147]
 o cmake: cleanup header paths [59]
 o cmake: default `CURL_DISABLE_LDAPS` to the value of `CURL_DISABLE_LDAP` [231]
 o cmake: delete MSVC warning suppression for tests/server [101]
 o cmake: detect `nghttp2` via `pkg-config`, enable by default [21]
 o cmake: detect and show VCPKG in platform flags [84]
 o cmake: distcheck for files in CMake subdir [9]
 o cmake: drop custom `CMakeOutput.log`/`CMakeError.log` logs [27]
 o cmake: drop libssh CONFIG-style detection [167]
 o cmake: drop no-op `tests/data/CMakeLists.txt` [26]
 o cmake: drop reference to undefined variable [25]
 o cmake: drop unused `HAVE_IDNA_STRERROR` [62]
 o cmake: drop unused internal variable [22]
 o cmake: exclude tests/http/clients builds by default [110]
 o cmake: fix `GSS_VERSION` for Heimdal found via pkg-config [77]
 o cmake: fix `pkg-config`-based detection in `FindGSS.cmake` [94]
 o cmake: fix and tidy up c-ares builds, enable in more CI jobs [156]
 o cmake: fix find rustls [148]
 o cmake: fixup linking libgsasl when detected via CMake-native
 o cmake: honor custom `CMAKE_UNITY_BUILD_BATCH_SIZE` [163]
 o cmake: limit `pkg-config` to UNIX and MSVC+vcpkg by default [188]
 o cmake: limit libidn2 `pkg-config` detection to `UNIX` [109]
 o cmake: migrate dependency detections to Find modules [183]
 o cmake: more small tidy-ups and fixes [80]
 o cmake: rename wolfSSL and zstd config variables to uppercase [151]
 o cmake: respect cflags/libdirs of native pkg-config detections [175]
 o cmake: show CMake platform/compiler flags [63]
 o cmake: show warning if libpsl is not found [154]
 o cmake: sync code between test/example targets [234]
 o cmake: sync up formatting in Find modules [129
[SECURITY ADVISORY] curl: CVE-2024-8096: OCSP stapling bypass with GnuTLS
OCSP stapling bypass with GnuTLS
================================

Project curl Security Advisory, September 11th 2024 -
[Permalink](https://curl.se/docs/CVE-2024-8096.html)

VULNERABILITY
-------------

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine.

If the returned status reports another error than "revoked" (like for example "unauthorized") it is not treated as a bad certificate.

INFO
----

This issue only exists when curl is built to use the GnuTLS library. curl can be made to use a large variety of TLS libraries and GnuTLS is not the most common choice.

OCSP stapling is not a widely used feature on the open web, perhaps partly because so many big name sites do not support it.

This bug is **not** considered a *C mistake* (likely to have been avoided had we not been using C).

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-8096 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS
-----------------

The vulnerable code can only be reached when curl is built to use GnuTLS.

- Affected versions: curl 7.41.0 to and including 8.9.1
- Not affected versions: curl < 7.41.0 and >= 8.10.0
- Introduced-in: https://github.com/curl/curl/commit/f13669a375f

libcurl is used by many applications, but not always advertised as such!

SOLUTION
--------

- Fixed-in: https://github.com/curl/curl/commit/aeb1a281cab13c7ba

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of preference:

 A - Upgrade curl and libcurl to version 8.10.0

 B - Apply the patch to your version and rebuild

 C - Build your curl with an unaffected TLS backend

TIMELINE
--------

This issue was reported to the curl project on August 19, 2024. We contacted distros@openwall on September 3, 2024.

curl 8.10.0 was released on September 11 2024 around 06:00 UTC, coordinated with the publication of this advisory.

CREDITS
-------

- Reported-by: Hiroki Kurosawa
- Patched-by: Daniel Stenberg

Thanks a lot!

--
 / daniel.haxx.se
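Added example, not part of the advisory and not curl or GnuTLS source: a small C model of the class of flaw described above, where a stapled OCSP result is rejected only on "revoked", next to a check that accepts nothing but a successful response with status "good". The struct, the function names and the sample responses are hypothetical and constructed for illustration; the numeric status values follow RFC 6960.

```c
/* Added illustration: simplified model, not curl or GnuTLS code. */
#include <stdio.h>
#include <stddef.h>

/* OCSPResponseStatus values as defined in RFC 6960 */
enum resp_status {
  RESP_SUCCESSFUL = 0,
  RESP_MALFORMED_REQUEST = 1,
  RESP_INTERNAL_ERROR = 2,
  RESP_TRY_LATER = 3,
  RESP_SIG_REQUIRED = 5,
  RESP_UNAUTHORIZED = 6
};

/* CertStatus values from RFC 6960; CERT_NONE marks a response that
   carries no per-certificate answer (an error response) */
enum cert_status {
  CERT_NONE = -1,
  CERT_GOOD = 0,
  CERT_REVOKED = 1,
  CERT_UNKNOWN = 2
};

/* Hypothetical, already-parsed stapled response */
struct stapled {
  const char *label;
  enum resp_status resp;
  enum cert_status cert;
};

/* Deny-list check: fails only on an explicit "revoked". Any other
   problem, such as "unauthorized", passes as if the certificate were fine. */
static int verify_denylist(const struct stapled *s)
{
  return (s->cert == CERT_REVOKED) ? -1 : 0;
}

/* Allow-list check: succeeds only when the responder answered
   successfully and the certificate status is "good". Fails closed. */
static int verify_allowlist(const struct stapled *s)
{
  if(s->resp != RESP_SUCCESSFUL)
    return -1;
  if(s->cert != CERT_GOOD)
    return -1;
  return 0;
}

/* Constructed sample responses */
static const struct stapled samples[] = {
  { "successful / good",    RESP_SUCCESSFUL,     CERT_GOOD },
  { "successful / revoked", RESP_SUCCESSFUL,     CERT_REVOKED },
  { "successful / unknown", RESP_SUCCESSFUL,     CERT_UNKNOWN },
  { "unauthorized",         RESP_UNAUTHORIZED,   CERT_NONE },
  { "tryLater",             RESP_TRY_LATER,      CERT_NONE },
  { "internalError",        RESP_INTERNAL_ERROR, CERT_NONE }
};
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of samples the deny-list check accepts although the
   allow-list check rejects them */
static size_t count_fail_open(void)
{
  size_t i, n = 0;
  for(i = 0; i < NSAMPLES; i++)
    if(verify_denylist(&samples[i]) == 0 &&
       verify_allowlist(&samples[i]) != 0)
      n++;
  return n;
}

int main(void)
{
  size_t i;
  for(i = 0; i < NSAMPLES; i++)
    printf("%-22s deny-list: %-6s allow-list: %s\n", samples[i].label,
           verify_denylist(&samples[i]) ? "reject" : "accept",
           verify_allowlist(&samples[i]) ? "reject" : "accept");
  printf("fail-open cases: %lu\n", (unsigned long)count_fail_open());
  return 0;
}
```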
Re: %{filename_effective but not transmit file?
On Wed, 11 Sep 2024, Paul Gilmartin via curl-users wrote:

> curl: showing headers and --remote-header-name cannot be combined

Since --head implies that the body is not saved, we can actually make this work fairly easy...

--
 / daniel.haxx.se
Re: %{filename_effective but not transmit file?
On Thu, 12 Sep 2024, Daniel Stenberg via curl-users wrote:

> Since --head implies that the body is not saved, we can actually make this work fairly easy...

Eh, no. I was not thinking right. It still needs to save the headers in that final name that it will not know until several headers have already arrived. So not *that* simple.

Basically what we need to do is to make the tool keep the initial set of headers in memory first before it has decided what file name to use, then save all the headers in the file name once it knows. That would fix this limitation.

--
 / daniel.haxx.se
Re: Any way to set connect-timeout per-IP, not global?
On Fri, 11 Oct 2024, ValdikSS via curl-users wrote:

> Currently curl, when used with --connect-timeout option, uses it as a global timeout for the whole connection set, decreasing the timeout for each IP address in half every connection attempt.

When you use curl 8.3.0 or later, curl stops the timeout halving when there is less than 600 milliseconds left.

--
 / daniel.haxx.se
Re: Capture the cURL (https://curl.se/) request (header and body) initiated by Postman REST API client
On Tue, 24 Sep 2024, Kaushal Shriyan via curl-users wrote:

> I am using a postman to invoke a REST API call. Is there a way to capture the cURL (https://curl.se/) request (header and body) initiated by Postman REST API client to the Application server which is running RHEL 8.10 OS to the backend server/system?

I don't think postman uses curl natively. But I think I have seen people mention a "copy as curl" option?

If not, I propose you just tell it to send its request to a http server + port where you run nc -l, which then will display the full request. Then you can copy that full request into "h2c" that converts it to a curl command line for you: https://curl.se/h2c/

--
 / daniel.haxx.se
Re: Help on : CURL header -> Authorization: Negotiate
On Mon, 23 Sep 2024, Jason Qian via curl-users wrote:

> When Kerberos is enabled, sometimes the server ticket of Negotiate is too large that the server has problems handling it. My question is in the curl, is there a way to control the size of the ticket which will be sent to the server?

No. There is no way to send a shorter auth header. It sounds like a broken server to me.

--
 / daniel.haxx.se
Re: Upload of new mail via IMAP
On Fri, 13 Sep 2024, Nicolas George via curl-users wrote:

I created a PR for adding this proposal to the TODO document: https://github.com/curl/curl/pull/14964

"someone" just has to work on it.

--
 / daniel.haxx.se
[RELEASE] curl 8.10.1
Hello friends!

I'm happy to announce another curl release. Get it as always from https://curl.se

curl and libcurl 8.10.1

 Public curl releases:         261
 Command line options:         265
 curl_easy_setopt() options:   306
 Public functions in libcurl:  94
 Contributors:                 3246

This release includes the following bugfixes:

 o autotools: fix `--with-ca-embed` build rule [3]
 o cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync [8]
 o cmake: fix MSH3 to appear on the feature list [20]
 o connect: store connection info when really done [9]
 o CURLMOPT_TIMERFUNCTION.md: emphasize that only a single timer should run [5]
 o FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a [34]
 o http2: when uploading data from stdin, fix eos forwarding [7]
 o http: make max-filesize check not count ignored bodies [33]
 o lib: fix AF_INET6 use outside of USE_IPV6 [13]
 o libcurl-docs: CURLINFO_LOCAL_* work for QUIC as well as TCP [1]
 o multi: check that the multi handle is valid in curl_multi_assign [14]
 o QUIC: on connect, keep on trying on draining server [11]
 o request: correctly reset the eos_sent flag [21]
 o runtests: accept 'quictls' as OpenSSL compatible [2]
 o rustls: fixed minor logic bug in default cipher selection [12]
 o rustls: rustls-ffi 0.14.0 update [18]
 o rustls: support strong CSRNG data [16]
 o setopt: remove superfluous use of ternary expressions [4]
 o singleuse: drop `Curl_memrchr()` for no-HTTP builds [24]
 o test537: cap the rlimit max this test runs [10]
 o tests: tweak lock file handling and timers [22]
 o tool_cb_wrt: use "curl_response" if no file name in URL [19]
 o transfer: fix sendrecv() without interim poll [15]
 o vtls: fix `Curl_ssl_conn_config_match` doc param [6]

This release includes the following known bugs:

 See docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)

For all changes ever done in curl:

 See https://curl.se/changes.html

Planned upcoming removals include:

 o Hyper support after February 2025 [89]
 o TLS libraries not supporting TLS 1.3

 See https://curl.se/dev/deprecate.html for details

This release would not have looked like this without help, code, reports and advice from friends like these:

 Brian Inglis, Carlo Cabrera, Daniel McCarney, Daniel Stenberg, dependabot[bot], finkjsc on github, Gabriel Marin, Harry Sintonen, Jan Venekamp, Julian K., MasterInQuestion on github, Michael Osipov, nekopsykose on github, Patrick Steinhardt, rampageX on github, Stefan Eissing, Tal Regev, Victor Kislov, Viktor Szakats (19 contributors)

References to bug reports and discussions on issues:

 [1] = https://curl.se/bug/?i=14852
 [2] = https://curl.se/bug/?i=14850
 [3] = https://curl.se/bug/?i=14879
 [4] = https://curl.se/bug/?i=14884
 [5] = https://curl.se/bug/?i=14886
 [6] = https://curl.se/bug/?i=14887
 [7] = https://curl.se/bug/?i=14870
 [8] = https://curl.se/bug/?i=14872
 [9] = https://curl.se/bug/?i=14897
 [10] = https://curl.se/bug/?i=14857
 [11] = https://curl.se/bug/?i=14863
 [12] = https://curl.se/bug/?i=14840
 [13] = https://curl.se/bug/?i=14858
 [14] = https://curl.se/bug/?i=14860
 [15] = https://curl.se/bug/?i=14898
 [16] = https://curl.se/bug/?i=14889
 [18] = https://curl.se/bug/?i=14889
 [19] = https://curl.se/bug/?i=14939
 [20] = https://curl.se/bug/?i=14927
 [21] = https://marc.info/?l=git&m=172620452502747&w=2
 [22] = https://curl.se/bug/?i=14835
 [24] = https://curl.se/bug/?i=14919
 [33] = https://curl.se/bug/?i=14899
 [34] = https://curl.se/bug/?i=14873

--
 / daniel.haxx.se
[RELEASE] curl 8.11.0
Hi friends,

Here's another release for you. As always, get it from https://curl.se/

curl and libcurl 8.11.0

 Public curl releases:         262
 Command line options:         266
 curl_easy_setopt() options:   306
 Public functions in libcurl:  94
 Contributors:                 3267

This release includes the following changes:

 o curl: --create-dirs works for --dump-header as well [4]
 o gtls: Add P12 format support [9]
 o ipfs: add options to disable [8]
 o TLS: TLSv1.3 earlydata support for curl [140]
 o WebSockets: make support official (non-experimental) [106]

This release includes the following bugfixes:

 o alt-svc: honor data->state.httpwant [19]
 o altsvc: avoid using local buffer and memcpy [124]
 o asyn-ares: remove typecast, fix expire [113]
 o autotools: add support for 'unity' builds, enable in CI [15]
 o bearssl: avoid strpcy() when generating TLS version log message [120]
 o bearssl: improved session handling, test exceptions [233]
 o bufq: unwrite fix [121]
 o build: add `ldap` to `libcurl.pc` `Requires:` [139]
 o build: add pytest targets [71]
 o build: clarify CA embed is for curl tool, mark default, improve summary [72]
 o build: detect and use `_setmode()` with Cygwin/MSYS, also use on Windows [136]
 o build: disable warning `-Wunreachable-code-break` [195]
 o build: fix clang-cl builds, add CI job [254]
 o build: fix cross-compile check for poll with bionic [70]
 o build: fix possible `-Wformat-overflow` in lib557 [85]
 o build: limit arc4random detection to no-SSL configs [43]
 o build: show if CA bundle to embed was found [83]
 o build: tidy up and improve versioned-symbols options [5]
 o build: tidy up deprecation suppression, enable warnings for clang [12]
 o certs: add missing `-CAcreateserial` option for LibreSSL [247]
 o checksrc: add check for spaces around logical AND operators [220]
 o checksrc: Added checks for colon operator in ternary expressions [77]
 o checksrc: check for spaces around '?', '>' and '<' [46]
 o ci: dump `curl_config.h` to log in all jobs [199]
 o CI: run with standard mod_http2 [214]
 o cmake, Makefile.mk: use -isystem for headers, silence BearSSL issues [37]
 o cmake/FindCares: fix version detection for c-ares 1.34.1 [209]
 o cmake/FindNGTCP2: use library path as hint for finding crypto module [40]
 o cmake: add missed variable to comment
 o cmake: add native `pkg-config` detection for mbedTLS, MSH3, Quiche, Rustls, wolfSSL [149]
 o cmake: allow building tests in unity mode [31]
 o cmake: apply `WIN32_LEAN_AND_MEAN` to all feature checks
 o cmake: avoid setting `BUILD_TESTING` [179]
 o cmake: clear package version after `pkg-config` detection [207]
 o cmake: delete unused NEED_LBER_H, HAVE_LDAP_H [38]
 o cmake: detect `HAVE_NETINET_IN6_H`, `HAVE_CLOSESOCKET_CAMEL`, `HAVE_PROTO_BSDSOCKET_H` [132]
 o cmake: detect GNU GSS [127]
 o cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled [44]
 o cmake: do not propagate unused `HAVE_GSSAPI_GSSAPI_KRB5_H` to C [131]
 o cmake: document `-D` and env build options [208]
 o cmake: drop obsolete items from `TODO` and `INSTALL-CMAKE` [228]
 o cmake: drop redundant assignments [49]
 o cmake: drop redundant zlib var, rename function (internals) [50]
 o cmake: expand CURL_USE_PKGCONFIG to non-cross MINGW [13]
 o cmake: fix broken dependency chain for cmdline-opts, tidy-ups [11]
 o cmake: fix compile warnings for clang-cl [218]
 o cmake: fix missing spacing in log message [205]
 o cmake: limit `CURL_STATIC_CRT` to MSVC [217]
 o cmake: make `test-ci` target skip building dependencies [88]
 o cmake: mark as advanced some internal Find* variables [212]
 o cmake: readd `generate-curl.1` dependency for `src` just in case [86]
 o cmake: rename LDAP dependency config variables to match Find modules [144]
 o cmake: replace `check_include_file_concat()` for LDAP and GSS detection [143]
 o cmake: replace `CURL_*_DIR` with `{PROJECT,CMAKE_CURRENT}_*_DIR` [211]
 o cmake: require quictls (or fork) when using msh3 on non-Windows [14]
 o cmake: separate target for examples, optimize CI, fix fallouts [16]
 o cmake: set version for `project()` and add CPack support [123]
 o cmake: stop adding dependency headers to global `CMAKE_REQUIRED_INCLUDES` [146]
 o cmake: sync torture test parallelism with autotools [35]
 o cmake: tidy up `CURL_DISABLE_FORM_API` initialization [225]
 o cmake: tidy up and shorten symbol hiding initialization [213]
 o cmake: tidy up line order
 o cmake: tidy up picky warning initialization [215]
 o cmake: tidy-ups and rebase fixups [191]
 o cmake: tweaks around debug mode and hidden symbols [194]
 o cmake: untangle feature detection interdependencies [198]
 o cmake: use `list(APPEND)` on `CURL_INCLUDES` [223]
 o cmake: use OpenSSL for LDAP detection only if available [102]
 o cmake: use the `BSD` variable [210]
 o config: rename the OS define to CURL_OS to reduce collision risk [256]
 o configure: add GSS to `libcurl.pc` `Depends:` [126]
 o configure: catch Apple in more target triplets [6]
[SECURITY ADVISORY] curl: CVE-2024-9681 HSTS subdomain overwrites parent cache entry
HSTS subdomain overwrites parent cache entry
============================================

Project curl Security Advisory, November 6th 2024 -
[Permalink](https://curl.se/docs/CVE-2024-9681.html)

VULNERABILITY
-------------

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended.

This affects curl-using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host.

(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.)

When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.

INFO
----

When triggered, this is a potential minor DoS security problem when trying to use HTTPS when that no longer works or a cleartext transmission of data that was otherwise intended to *possibly* be protected.

But: `example.com` as per above is deliberately set up for HSTS, and servers should probably expect that clients will try upgrading to HTTPS for a while outside of the time range set in its headers.

The access that fails in this scenario tries to use plain HTTP to the domain. Clear text, unprotected, vulnerable. HTTP is an insecure protocol and as such applications should **not** rely on nor trust such responses, which reduces the severity of this issue.

Even without this problem, servers occasionally set HSTS headers but have problems with their HTTPS offering so this is a scenario that an application ends up in now and then completely without involving curl issues and therefore needs to have logic for. An application can for example work around the situation by simply toggling off HSTS.

This bug is **not** considered a *C mistake* (ie not likely to have been avoided had we not been using C).

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-9681 to this issue.

CWE-1025: Comparison Using Wrong Factors

Severity: Low

AFFECTED VERSIONS
-----------------

The vulnerable code can only be reached when curl is told to use HSTS.

- Affected versions: curl 7.74.0 to and including 8.10.1
- Not affected versions: curl < 7.74.0 and >= 8.11.0
- Introduced-in: https://github.com/curl/curl/commit/7385610d0c74c6a25

libcurl is used by many applications, but not always advertised as such!

SOLUTION
--------

- Fixed-in: https://github.com/curl/curl/commit/a94973805df96269bf

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of preference:

 A - Upgrade curl and libcurl to version 8.11.0

 B - Apply the patch to your version and rebuild

 C - Avoid relying on HSTS

TIMELINE
--------

This issue was reported to the curl project on October 7, 2024. We contacted distros@openwall on October 29, 2024.

curl 8.11.0 was released on November 6 2024 around 06:00 UTC, coordinated with the publication of this advisory.

CREDITS
-------

- Reported-by: newfunction
- Patched-by: Daniel Stenberg

Thanks a lot!

--
 / daniel.haxx.se
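Added example, not part of the advisory and not curl's source: a simplified C model of an HSTS cache showing how refreshing an entry found through a subdomain-aware lookup lets a header from `x.example.com` rewrite the entry for `example.com`, and how an exact-match lookup on the update path keeps the two apart. All struct and function names, the fixed clock and the max-age values are hypothetical and constructed for illustration; host names are assumed to be lower-cased and max-age=0 removal is left out.

```c
/* Added illustration: simplified model of an HSTS cache, not curl code. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_ENTRIES 8
#define YEAR 31536000L

struct hsts_entry {
  char host[64];
  int include_subdomains;
  time_t expires;
};

struct hsts_cache {
  struct hsts_entry e[MAX_ENTRIES];
  size_t n;
};

/* Constructed fixed clock so the results are reproducible */
static const time_t T0 = 1700000000;

/* True when 'host' is a proper subdomain of 'parent' (label boundary) */
static int is_subdomain_of(const char *host, const char *parent)
{
  size_t hl = strlen(host), pl = strlen(parent);
  if(hl <= pl)
    return 0;
  return host[hl - pl - 1] == '.' && strcmp(host + hl - pl, parent) == 0;
}

/* Find a live entry for 'host'. With allow_sub set, an entry flagged
   includeSubDomains also matches hosts below it. That is right for the
   "upgrade http:// to https://?" decision, wrong for picking the entry
   that a new header should refresh. */
static struct hsts_entry *hsts_find(struct hsts_cache *c, const char *host,
                                    int allow_sub, time_t now)
{
  size_t i;
  for(i = 0; i < c->n; i++) {
    struct hsts_entry *e = &c->e[i];
    if(e->expires <= now)
      continue;
    if(!strcmp(e->host, host))
      return e;
    if(allow_sub && e->include_subdomains && is_subdomain_of(host, e->host))
      return e;
  }
  return NULL;
}

/* Process a Strict-Transport-Security header received from 'host'.
   buggy != 0 selects the entry with the subdomain-aware lookup, so the
   parent's entry is overwritten; buggy == 0 uses an exact match and adds
   a separate entry for the subdomain. */
static int hsts_store(struct hsts_cache *c, const char *host, long max_age,
                      int include_sub, time_t now, int buggy)
{
  struct hsts_entry *e = hsts_find(c, host, buggy, now);
  if(!e) {
    if(c->n == MAX_ENTRIES || strlen(host) >= sizeof(c->e[0].host))
      return -1;
    e = &c->e[c->n++];
    strcpy(e->host, host);
  }
  e->include_subdomains = include_sub;
  e->expires = now + max_age;
  return 0;
}

/* example.com asks for one year with includeSubDomains, then
   x.example.com answers with max-age=60 */
static void scenario(struct hsts_cache *c, int buggy)
{
  memset(c, 0, sizeof(*c));
  hsts_store(c, "example.com", YEAR, 1, T0, 0);
  hsts_store(c, "x.example.com", 60, 0, T0, buggy);
}

/* Seconds until the example.com entry expires after the scenario */
static long parent_lifetime(int buggy)
{
  struct hsts_cache c;
  struct hsts_entry *p;
  scenario(&c, buggy);
  p = hsts_find(&c, "example.com", 0, T0);
  return p ? (long)(p->expires - T0) : -1;
}

/* Is http://example.com still upgraded to HTTPS secs_later seconds on? */
static int parent_upgraded(int buggy, long secs_later)
{
  struct hsts_cache c;
  scenario(&c, buggy);
  return hsts_find(&c, "example.com", 1, T0 + secs_later) != NULL;
}

int main(void)
{
  printf("parent lifetime, subdomain-aware update: %ld s\n",
         parent_lifetime(1));
  printf("parent lifetime, exact-match update:     %ld s\n",
         parent_lifetime(0));
  printf("upgraded after 120 s: %d (subdomain-aware) vs %d (exact)\n",
         parent_upgraded(1, 120), parent_upgraded(0, 120));
  return 0;
}
```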
[SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow
gzip integer overflow
=====================

Project curl Security Advisory, February 5th 2025 -
[Permalink](https://curl.se/docs/CVE-2025-0725.html)

VULNERABILITY
-------------

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

INFO
----

This problem can only trigger when using a run-time zlib version 1.2.0.3 or older. zlib 1.2.0.4 was released on August 10, 2003. This means zlib versions that do not trigger this problem have been available and used for more than twenty-one years already.

A zlib version 1.2.0.3 or earlier still in use is vulnerable to a wide range of security problems and a user using this is already in a spectacularly bad position.

libcurl featured code that at run-time takes a different code path for zlib versions before 1.0.2.4 because of lack of functionality in those old versions, and this rarely used piece of code contained the vulnerable code path.

This bug is considered a *C mistake*. It is likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-0725 to this issue.

CWE-680: Integer Overflow to Buffer Overflow

Severity: Low

While the impact of this problem is potentially huge, we struggled with setting a severity combined with the knowledge that a user vulnerable to this is using **an over twenty years old and vulnerable zlib** and has practically "given up" all security. If there actually exist users vulnerable to this flaw in the world, they most likely already have worse problems than this to deal with.

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.10.5 to and including 8.11.1
- Not affected versions: curl < 7.10.5 and >= 8.12.0
- Introduced-in: https://github.com/curl/curl/commit/019c4088cfcca0d2b7c5cc4f

libcurl is used by many applications, but not always advertised as such!

SOLUTION
--------

Starting in version 8.12.0, libcurl no longer supports zlib < 1.2.0.4. Using such a version will now instead cause a run-time error.

- Fixed-in: https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of preference:

 A - Upgrade curl and libcurl to version 8.12.0

 B - Apply the patch to your version and rebuild

 C - Use a modern zlib

 D - Avoid using the `CURLOPT_ACCEPT_ENCODING` option

TIMELINE
--------

This issue was reported to the curl project on January 23, 2025. We contacted distros@openwall on January 28, 2025.

curl 8.12.0 was released on February 5 2025 around 08:00 UTC, coordinated with the publication of this advisory.

CREDITS
-------

- Reported-by: z2_
- Patched-by: Daniel Stenberg

Thanks a lot!

--
 / daniel.haxx.se
[RELEASE] curl 8.12.0
Hi friends,

I'm happy to announce a brand new curl release. This time in association with three separate security advisories that will follow shortly.

Get this curl version as always from https://curl.se/

curl and libcurl 8.12.0

 Public curl releases:         264
 Command line options:         267
 curl_easy_setopt() options:   306
 Public functions in libcurl:  96
 Contributors:                 3332

This release includes the following changes:

 o curl: add byte range support to --variable reading from file [56]
 o curl: make --etag-save acknowledge --create-dirs [31]
 o getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var [55]
 o getinfo: provide info which auth was used for HTTP and proxy [40]
 o hyper: drop support [57]
 o openssl: add support to use keys and certificates from PKCS#11 provider [77]
 o QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA [61]
 o vtls: feature ssls-export for SSL session im-/export [141]

This release includes the following bugfixes:

 o altsvc: avoid integer overflow in expire calculation [16]
 o altsvc: return error on dot-only name [178]
 o android: add CI jobs, buildinfo, cmake docs, disable `CURL_USE_PKGCONFIG` by default [185]
 o asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL [190]
 o asyn-ares: fix memory leak [233]
 o asyn-ares: initial HTTPS resolve support [166]
 o asyn-thread: use c-ares to resolve HTTPS RR [205]
 o async-thread: avoid closing eventfd twice [9]
 o autotools: add support for mingw UWP builds [192]
 o autotools: silence gcc warnings in libtool code [96]
 o binmode: convert to macro and use it from tests [44]
 o build: delete `-Wsign-conversion` related FIXMEs [137]
 o build: drop `-Winline` picky warning [53]
 o build: drop `tool_hugehelp.c.cvs`, tidy up macros, drop `buildconf.bat` [200]
 o build: drop macro used to enable `-Wsign-conversion` warnings in CI [224]
 o build: drop unused feature macros, update exception list [51]
 o build: fix `-Wtrampolines` picky warning for gcc 4.x versions [156]
 o build: fix compiling with GCC 4.x versions [214]
 o build: fix the tidy targets for autotools [52]
 o build: fix unsigned `time_t` detection for cmake, MS-DOS, AmigaOS [104]
 o build: replace configure check with PP condition (Android <21) [97]
 o build: stop detecting `sched_yield()` on Windows [176]
 o c-ares: fix/tidy-up macro initializations, avoid a deprecated function [209]
 o cd2nroff: do not insist on quoted <> within backticks [222]
 o cd2nroff: support "none" as a TLS backend [29]
 o cf-https-connect: look into httpsrr alpns when available [152]
 o cf-socket: error if address can't be copied [72]
 o cfilters: kill connection filter events attach+detach [217]
 o checksrc.bat: remove explicit SNPRINTF bypass [174]
 o checksrc: ban use of sscanf() [7]
 o checksrc: check for return with parens around a value/name [130]
 o checksrc: exclude generated bundle files to avoid race condition [235]
 o checksrc: fix the return() checker [35]
 o checksrc: introduce 'banfunc' to ban specific functions [117]
 o cmake/Find: add `iphlpapi` for c-ares, omit syslibs if dep not found [203]
 o cmake/FindLDAP: avoid empty 'Requires' item when omitting `pkg-config` module [90]
 o cmake/FindLDAP: avoid framework locations for libs too (Apple) [122]
 o cmake/FindLibpsl: protect against `pkg-config` "half-detection" [89]
 o cmake/FindLibssh: sync header comment with other modules
 o cmake/FindMbedTLS: drop lib duplicates early [17]
 o cmake: add `librtmp` Find module [86]
 o cmake: add LDAP Find module [46]
 o cmake: add native `pkg-config` detection for remaining Find modules [37]
 o cmake: allow `CURL_LTO` regardless of `CURL_BUILD_TYPE`, enable in CI [88]
 o cmake: clang-cl improvements [42]
 o cmake: delete accidental debug message
 o cmake: deprecate winbuild, add migration guide from legacy build methods [157]
 o cmake: detect mingw-w64 version, pre-fill `HAVE_STRTOK_R` [179]
 o cmake: do not store `MINGW64_VERSION` in cache [175]
 o cmake: drop `CURL_USE_PKGCONFIG` from `curl-config.cmake.in` [208]
 o cmake: drop `fseeko()` pre-fill and check for Windows [201]
 o cmake: drop duplicate Windows cache value [81]
 o cmake: drop redundant FOUND checks (libgsasl, libssh, libuv) [49]
 o cmake: drop redundant opening/closing `.*` from `MATCH` expressions [64]
 o cmake: drop unused `HAVE_SYS_XATTR_H` detection [79]
 o cmake: drop VS2010 "Dialog Hell" workaround added in 2013 [136]
 o cmake: extend zlib's `AUTO` option to brotli, zstd and enable if found [36]
 o cmake: fix `net/in.h` detection for MS-DOS [103]
 o cmake: improve `curl_dumpvars()` and move to `Utilities.cmake` [50]
 o cmake: make libpsl required by default [45]
 o cmake: make system libraries `dl`, `m`, `pthread` customizable [123]
 o cmake: move `pkg-config` names to Find modules [87]
 o cmake: move GSS init before feature detections [93]
 o cmake: move mingw UWP workaround from GHA to `CMakeLists.txt` [194]
 o cmake: namespace functions and macros [41]
 o cmake: optimize out 4 pick
[SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close
eventfd double close

Project curl Security Advisory, February 5th 2025 - [Permalink](https://curl.se/docs/CVE-2025-0665.html)

VULNERABILITY

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

INFO

This flaw requires libcurl to get built with the threaded resolver.

It requires that *eventfd* is used in the curl build. This feature is only used on 64-bit architectures.

The eventfd socket is used for inter-thread messaging and since the communication was originally written to use `socketpair()` only, there were two `close()` calls done and the superfluous one was left accidentally used because of an `#ifdef` mistake.

This bug was reported (and fixed) immediately after the 8.11.1 release, but the security impact was not considered until later.

This bug causes libcurl to act unreliably which many users will have noticed and either avoided eventfd or the vulnerable version, thus somewhat reducing the impact of this problem.

It can also be worth noting that both `close()` calls are typically called within a few dozens of instructions, severely limiting the ability for an external party to control which other file descriptor this can be made to affect.

This bug is **not** considered a *C mistake*. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-0665 to this issue.

CWE-1341: Multiple Releases of Same Resource or Handle

Severity: Low

AFFECTED VERSIONS

- Affected version: curl 8.11.1
- Not affected versions: curl < 8.11.1 and >= 8.12.0
- Introduced-in: https://github.com/curl/curl/commit/92124838c6b7e09e3f35f

libcurl is used by many applications, but not always advertised as such!

SOLUTION

- Fixed-in: https://github.com/curl/curl/commit/ff5091aa9f73802e894b1cbdf

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.12.0
B - Apply the patch to your version and rebuild
C - Disable eventfd use in your build
D - Use the c-ares resolver backend

TIMELINE

This issue was reported to the curl project on January 22, 2025. We contacted distros@openwall on January 28, 2025.

curl 8.12.0 was released on February 5 2025 around 08:00 UTC, coordinated with the publication of this advisory.

CREDITS

- Reported-by: Ankom Coper
- Patched-by: Andy Pan

The [original bug](https://github.com/curl/curl/issues/15725) was first reported as a "normal" bug, by:

- Reported-by: Christian Heusel

Thanks a lot!

--
 / daniel.haxx.se
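The hazard this advisory describes, as an added example that is not curl's code: a teardown written for `socketpair()` issues one `close()` per slot of a wakeup pair, which releases the same number twice once both slots hold a single eventfd. The `wakeup_pair` struct, the function names and the `/dev/null` descriptor standing in for one opened by another thread between the two calls are assumptions made for illustration (Linux only).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/eventfd.h>
#include <unistd.h>

/* Hypothetical wakeup channel. With socketpair() the two slots would hold
   two different descriptors; with eventfd both slots hold the same one. */
struct wakeup_pair {
  int fd[2];
};

static int pair_open(struct wakeup_pair *p)
{
  int efd = eventfd(0, EFD_CLOEXEC | EFD_NONBLOCK);
  p->fd[0] = p->fd[1] = efd;
  return efd < 0 ? -1 : 0;
}

static int fd_is_open(int fd)
{
  return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Stands in for another thread opening a file between the two close()
   calls: the kernel hands out the lowest free number, which is the one
   that was just released. */
static int open_unrelated(void)
{
  return open("/dev/null", O_RDONLY);
}

/* Teardown written with socketpair() in mind: one close() per slot. */
static void teardown_two_closes(struct wakeup_pair *p, int *victim)
{
  close(p->fd[0]);
  *victim = open_unrelated();
  close(p->fd[1]); /* superfluous: closes whatever owns the number now */
}

/* Guarded teardown: each descriptor is closed once and then forgotten. */
static void teardown_close_once(struct wakeup_pair *p, int *victim)
{
  int first = p->fd[0];
  if(first >= 0)
    close(first);
  p->fd[0] = -1;
  *victim = open_unrelated();
  if(p->fd[1] >= 0 && p->fd[1] != first)
    close(p->fd[1]); /* only reached for a real two-descriptor pair */
  p->fd[1] = -1;
}

/* Returns 1 if the unrelated descriptor is still open after teardown,
   0 if the teardown closed it, -1 on setup failure. */
int victim_survives(int guarded)
{
  struct wakeup_pair p;
  int victim = -1;
  int alive;

  if(pair_open(&p))
    return -1;
  if(guarded)
    teardown_close_once(&p, &victim);
  else
    teardown_two_closes(&p, &victim);
  if(victim < 0)
    return -1;
  alive = fd_is_open(victim);
  if(alive)
    close(victim);
  return alive;
}

int main(void)
{
  printf("two close() calls: unrelated fd still open = %d\n",
         victim_survives(0));
  printf("close-once guard:  unrelated fd still open = %d\n",
         victim_survives(1));
  return 0;
}
```

In a real multi-threaded program the reuse only happens when another thread allocates a descriptor inside the short window between the two calls, which is the limiting factor the advisory points out.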
[SECURITY ADVISORY] curl: CVE-2025-0167: netrc and default credential leak
netrc and default credential leak

Project curl Security Advisory, February 5th 2025 - [Permalink](https://curl.se/docs/CVE-2025-0167.html)

VULNERABILITY

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

INFO

A curl transfer with `nn.tld` that redirects to `zz.tld`, using a `.netrc` file with an *empty* `default` entry like below, would make curl pass on `maryspassword` as password even in the transfer to the second and separate host `zz.tld`.

~~~
machine nn.tld login mary password maryspassword
default
~~~

This bug is **not** considered a *C mistake*. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

This flaw is similar, but not identical, to [CVE-2024-11053](https://curl.se/docs/CVE-2024-11053.html).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-0167 to this issue.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS

- Affected versions: curl 7.76.0 to and including 8.11.1
- Not affected versions: curl < 7.76.0 and >= 8.12.0
- Introduced-in: https://github.com/curl/curl/commit/46620b97431e19c53ce82e5

libcurl is used by many applications, but not always advertised as such!

SOLUTION

- Fixed-in: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.12.0
B - Apply the patch to your version and rebuild
C - Avoid using netrc together with redirects

TIMELINE

This issue was reported to the curl project on December 30, 2024. We contacted distros@openwall on January 28, 2025.

curl 8.12.0 was released on February 5 2025 around 08:00 UTC, coordinated with the publication of this advisory.

CREDITS

- Reported-by: Yihang Zhou
- Patched-by: Daniel Stenberg

Thanks a lot!

--
 / daniel.haxx.se
[SECURITY ADVISORY] curl: CVE-2024-11053: netrc and redirect credential leak
netrc and redirect credential leak

Project curl Security Advisory, December 11th 2024 - [Permalink](https://curl.se/docs/CVE-2024-11053.html)

VULNERABILITY

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

INFO

A curl transfer with `a.tld` that redirects to `b.tld` that uses a `.netrc` like below (with a match, but no password specified for the second host), would make curl pass on `alicespassword` as password even in the second transfer to the separate host `b.tld`.

~~~
machine a.tld login alice password alicespassword
default login bob
~~~

This bug is **not** considered a *C mistake*. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-11053 to this issue.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS

- Affected versions: curl 6.5 to and including 8.11.0
- Not affected versions: curl < 6.5 and >= 8.11.1
- Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b48d514

libcurl is used by many applications, but not always advertised as such!

SOLUTION

- Fixed-in: https://github.com/curl/curl/commit/e9b9bbac22c26cf6731

The fix also addresses a few other .netrc related issues.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.11.1
B - Apply the patch to your version and rebuild
C - Avoid using netrc together with redirects

TIMELINE

This issue was reported to the curl project on November 8, 2024. We contacted distros@openwall on December 3, 2024.

curl 8.11.1 was released on December 11 2024 around 06:00 UTC, coordinated with the publication of this advisory.

CREDITS

- Reported-by: Harry Sintonen
- Patched-by: Daniel Stenberg

Thanks a lot!

--
 / daniel.haxx.se
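An added audit helper, not part of either advisory or of curl, that flags the `.netrc` shapes named in CVE-2025-0167 above and in this advisory: an entry with no `password`, and a `default` entry that omits both login and password. The tokenizer is a simplification (whitespace-separated tokens, no quoting, no `account` or `macdef` handling), all function and macro names are hypothetical, and the third sample is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MISSING_PASSWORD 1 /* entry has no "password" token */
#define MISSING_LOGIN    2 /* entry has no "login" token */
#define IS_DEFAULT       4 /* entry is the catch-all "default" */
#define WS " \t\r\n"

struct finding {
  char name[256]; /* host name, or "default" */
  int flags;
};

/* The .netrc samples from the two advisories, plus a constructed clean one. */
static const char SAMPLE_CVE_2025_0167[] =
  "machine nn.tld login mary password maryspassword\n"
  "default\n";
static const char SAMPLE_CVE_2024_11053[] =
  "machine a.tld login alice password alicespassword\n"
  "default login bob\n";
static const char SAMPLE_CLEAN[] = /* constructed */
  "# every entry carries its own password\n"
  "machine a.tld login alice password pw-a\n"
  "machine b.tld login bob password #pw-b\n";

/* Copy the next whitespace-delimited token into tok. In keyword position
   (comments != 0) a token starting with '#' discards the rest of the line.
   Returns the position after the token, or NULL at end of input. */
static const char *next_token(const char *p, char *tok, size_t len,
                              int comments)
{
  size_t n, keep;
  p += strspn(p, WS);
  while(comments && *p == '#') {
    p += strcspn(p, "\n");
    p += strspn(p, WS);
  }
  if(!*p)
    return NULL;
  n = strcspn(p, WS);
  keep = n < len ? n : len - 1;
  memcpy(tok, p, keep);
  tok[keep] = '\0';
  return p + n;
}

/* Store every entry that lacks a password in out[] and return how many
   were stored. cur.flags == 0 means there is nothing to report yet. */
int netrc_audit(const char *text, struct finding *out, int max)
{
  char key[32], val[256] = "";
  struct finding cur = { "", 0 };
  int count = 0;
  const char *p = text;
  while(p && (p = next_token(p, key, sizeof(key), 1)) != NULL) {
    int is_default = !strcmp(key, "default");
    if(is_default || !strcmp(key, "machine")) {
      if((cur.flags & MISSING_PASSWORD) && count < max)
        out[count++] = cur; /* previous entry ended without a password */
      cur.flags = 0;
      if(!is_default && !(p = next_token(p, val, sizeof(val), 0)))
        break; /* "machine" without a name */
      snprintf(cur.name, sizeof(cur.name), "%s", is_default ? "default" : val);
      cur.flags = MISSING_PASSWORD | MISSING_LOGIN | (is_default * IS_DEFAULT);
    }
    else if(!strcmp(key, "login") || !strcmp(key, "password")) {
      p = next_token(p, val, sizeof(val), 0); /* a value is never a comment */
      if(p && key[0] == 'l')
        cur.flags &= ~MISSING_LOGIN;
      if(p && key[0] == 'p')
        cur.flags &= ~MISSING_PASSWORD;
    }
  }
  if((cur.flags & MISSING_PASSWORD) && count < max)
    out[count++] = cur;
  return count;
}

/* 1 if a stored entry is a "default" with neither login nor password. */
int has_empty_default(const struct finding *f, int n)
{
  int i;
  for(i = 0; i < n; i++)
    if(f[i].flags == (IS_DEFAULT | MISSING_LOGIN | MISSING_PASSWORD))
      return 1;
  return 0;
}

int main(void)
{
  const char *s[] = { SAMPLE_CVE_2025_0167, SAMPLE_CVE_2024_11053,
                      SAMPLE_CLEAN };
  struct finding f[8];
  int i, n;
  for(i = 0; i < 3; i++) {
    n = netrc_audit(s[i], f, 8);
    printf("sample %d: %d entries without a password, empty default: %d\n",
           i + 1, n, has_empty_default(f, n));
  }
  return 0;
}
```

A flagged entry is only a precondition: per the advisories the leak also needs redirects to be followed on an affected curl version, so a hit means "upgrade or give this entry explicit credentials", not proof of exposure.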
[RELEASE] curl 8.11.1
Hello! I'm happy to announce a brand new curl release. Get it as always from https://curl.se/ curl and libcurl 8.11.1 Public curl releases: 263 Command line options: 266 curl_easy_setopt() options: 306 Public functions in libcurl: 94 Contributors: 3298 This release includes the following changes: This release includes the following bugfixes: o build: fix ECH to always enable HTTPS RR [35] o build: fix MSVC UWP builds [32] o build: omit certain deps from `libcurl.pc` unless found via `pkg-config` [27] o build: use `_fseeki64()` on Windows, drop detections [41] o cmake: do not echo most inherited `LDFLAGS` to config files [55] o cmake: drop cmake args list from `buildinfo.txt` [8] o cmake: include `wolfssl/options.h` first [53] o cmake: remove legacy unused IMMEDIATE keyword [21] o cmake: restore cmake args list in `buildinfo.txt` [26] o cmake: set `CURL_STATICLIB` for static lib when `SHARE_LIB_OBJECT=OFF` [64] o cmake: sync GSS config code with other deps [28] o cmake: typo in comment o cmake: work around `ios.toolchain.cmake` breaking feature-detections [37] o cmakelint: fix to check root `CMakeLists.txt` [36] o cmdline/ech.md: formatting cleanups [13] o configure: add FIXMEs for disabled pkg-config references o configure: do not echo most inherited `LDFLAGS` to config files [31] o configure: replace `$#` shell syntax [25] o cookie: treat cookie name case sensitively [4] o curl-rustls.m4: keep existing `CPPFLAGS`/`LDFLAGS` when detected [40] o curl.h: mark two error codes as obsolete [19] o curl: --continue-at is mutually exclusive with --no-clobber [51] o curl: --continue-at is mutually exclusive with --range [61] o curl: --continue-at is mutually exclusive with --remove-on-error [50] o curl: --test-duphandle in debug builds runs "duphandled" [6] o curl: do more command line parsing in sub functions [71] o curl: rename struct var to fix AIX build [24] o curl: use realtime in trace timestamps [52] o curl_multi_socket_all.md: soften the deprecation warning [56] o 
CURLOPT_PREREQFUNCTION.md: add result code on failure [23] o digest: produce a shorter cnonce in Digest headers [70] o DISTROS: update Alt Linux links o dmaketgz: use --no-cache when building docker image [66] o docs: bring back ALTSVC.md and HSTS.md [76] o docs: document default `User-Agent` [57] o docs: suggest --ssl-reqd instead of --ftp-ssl [62] o duphandle: also init netrc [3] o ECH: enable support for the AWS-LC backend [5] o hostip: don't use the resolver for FQDN localhost [45] o http_negotiate: allow for a one byte larger channel binding buffer [63] o http_proxy: move dynhds_add_custom here from http.c [18] o KNOWN_BUGS: setting a disabled option should return CURLE_NOT_BUILT_IN [74] o krb5: fix socket/sockindex confusion, MSVC compiler warnings [22] o lib: fixes for wolfSSL OPENSSL_COEXIST [73] o libssh: use libssh sftp_aio to upload file [47] o libssh: when using IPv6 numerical address, add brackets [43] o macos: disable gcc `availability` workaround as needed [7] o mbedtls: call psa_crypt_init() in global init [2] o mime: fix reader stall on small read lengths [65] o mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions [39] o mprintf: fix the integer overflow checks [44] o multi: add clarifying comment for wakeup_write() [9] o multi: fix callback for `CURLMOPT_TIMERFUNCTION` not being called again when... 
[48] o netrc: address several netrc parser flaws [17] o netrc: support large file, longer lines, longer tokens [14] o nghttp2: use custom memory functions [1] o OpenSSL: improvde error message on expired certificate [59] o openssl: remove three "Useless Assignments" [72] o openssl: stop using SSL_CTX_ function prefix for our functions [20] o os400: Fix IBMi builds [33] o os400: Fix IBMi EBCDIC conversion of arguments [34] o pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS [60] o rtsp: check EOS in the RTSP receive and return an error code [49] o schannel: remove TLS 1.3 ciphersuite-list support [54] o setopt: fix CURLOPT_HTTP_CONTENT_DECODING [15] o setopt: fix missing options for builds without HTTP & MQTT [10] o show-headers.md: clarify the headers are saved with the data [58] o socket: handle binding to "host!" [16] o socketpair: fix enabling `USE_EVENTFD` [30] o strtok: use namespaced `strtok_r` macro instead of redefining it [29] o tests: add the ending time stamp in testcurl.pl o tests: re-enable 2086, and 472, 1299, 1613 for Windows [38] o TODO: consider OCSP stapling by default [11] o tool_formparse: remove use of sscanf() [68] o tool_getparam: parse --localport without using sscanf [67] o tool_getpass: fix UWP `-Wnull-dereference` [46] o tool_getpass: replace `getch()` call with `_getch()` on Windows [42] o tool_urlglob: parse character globbing range without sscanf [69] o vtls: fix compile warning when ALPN is not available [12] This release includes the following known bugs:
Re: [Feature Request] Use checksum to verify download
On Fri, 17 Jan 2025, Falk via curl-users wrote:

> I would like to propose a feature, where one can specify a checksum (e.g. md5 or sha256) on command line which is checked by curl during download. Example: curl -sha256 $SHA256_HASH -o- https://fnm.vercel.app/install | bash

Problem one:

Imagine that the file you download in that command line is several gigabytes - because it might be and we need to make it work even when it is enormous. The hash is only valid for the entire thing, so it would need to download every single byte before it can check the hash. That's not how that curl command line works today and would mean a significant difference to implement it that way: it would have to download the entire thing in a temporary place and after having validated the hash, send the entire thing to stdout and then delete the file again.

Problem two:

Where would users get the hash to use in the command line? In most cases users would download their stuff from https://example.com and the hash would be mentioned on https://example.com - meaning that since the download is already protected with TLS, checking the data with a hash from the same site adds extremely little. If the site is breached and the download is replaced with malware without breaking the server TLS certificate, then surely the attacker can also update the hash mentioned on the site?

--
 / daniel.haxx.se || https://rock-solid.curl.dev
make --url support a file with URLs
Hey,

Over the years, people have requested an easier way to provide a list of URLs to curl and have it download them all.

With my new PR [*], you can write "curl --url @file" and curl will download all the URLs in the provided file as if -O was used for each one of them. It can also get the list from stdin if you do "--url @-" in style with how other curl options work.

If you add -Z, it will do them in parallel.

Thoughts? What did I forget?

[*] = https://github.com/curl/curl/pull/16099

--
 / daniel.haxx.se || https://rock-solid.curl.dev
RE: make --url support a file with URLs
On Mon, 27 Jan 2025, Dick Brooks wrote:

> This is great news. Will Basic Auth info also be supported for each URL?

Sure that works as expected pretty much already:

1. You can add the username + password on a per URL basis in the file or
2. You provide the credentials separately on the command line:

   curl --url @urls.txt -u mrsmith:password123

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Re: make --url support a file with URLs
On Mon, 27 Jan 2025, Paul Gilmartin via curl-users wrote:

> Will the URL list support individual --time-cond or --ETag values for selective update of outdated packages?

Not really. Those are already options that are tricky to use when there is more than one URL involved so I don't know how you would do it conveniently for a whole list of URLs. Also, the etag options for curl only support a single URL so far.

The URL list is meant to be rather "simple". Someone who wants fancy and more advanced features per URL can always just generate a config file using a wrapper script and pass that to curl.

--
 / daniel.haxx.se || https://rock-solid.curl.dev
[RELEASE] curl 8.12.1
Hello! Due to a number of annoying bugs in the previous release, this follow-up 8.12.1 release is here only eight days later. As always, get it from https://curl.se curl and libcurl 8.12.1 Public curl releases: 265 Command line options: 267 curl_easy_setopt() options: 306 Public functions in libcurl: 96 Contributors: 3344 This release includes the following changes: This release includes the following bugfixes: o all: remove FIXME and TODO comments [55] o asyn-thread: fix build with `CURL_DISABLE_SOCKETPAIR` [47] o asyn-thread: fix HTTPS RR crash [10] o asyn-thread: fix the returned bitmask from Curl_resolver_getsock [18] o asyn-thread: survive a c-ares channel set to NULL [52] o build: add tool_hugehelp.c into IBMi build [40] o checksrc.pl: warn on FIXME/TODO comments o cmake/Find: set `_FOUND` for compatibility when found via `pkg-config` [22] o cmake: add integration tests, run them in CI [21] o cmake: always reference OpenSSL and ZLIB via imported targets [24] o cmake: avoid unnecessary `-L` for implicit link dirs [11] o cmake: drop `LDAP_DEPRECATED=1` macro, to sync with autotools [23] o cmake: fix `HAVE_GETHOSTBYNAME_R_*` detections with `CURL_WERROR=ON` [57] o cmake: fix to detect `HAVE_OPENSSL_SRP` in MSVC UWP builds [62] o cmake: fix/add missing feature detections for Windows/MS-DOS [58] o cmake: initialize variables where missing [27] o cmake: lib order fixes for picky linkers (e.g. 
binutils `ld`) [26] o cmake: normalize before matching paths with syspaths [30] o cmake: respect `GNUTLS_CFLAGS` when detected via `pkg-config` [38] o cmake: respect `GNUTLS_LIBRARY_DIRS` in `libcurl.pc` and `curl-config` [39] o cmake: save a line with `CMAKE_C_IMPLICIT_LINK_DIRECTORIES` exclusion [32] o cmake: tidy up string append and list prepend syntax [28] o configure/cmake: check for realpath [19] o configure/cmake: set asyn-rr a feature only if httpsrr is enabled [42] o content_encoding: #error on too old zlib [2] o curl_global_sslset.md: Add SSL backend names [50] o CURLOPT_SSH_KNOWNHOSTS.md: strongly recommend using this [41] o CURLSHOPT_SHARE.md: adjust for the new SSL session cache [6] o docs: better explain multi-part byte range behavior [4] o docs: use valid example domain names [54] o generate.bat: remove curl_get_line.c from the curlx file list [20] o header.md: mention `Authorization:` and `Cookie:` special treatment [43] o imap: TLS upgrade fix [14] o INTERNALS: fix c-ares, as we actually support 1.6.0 or later [37] o ldap: drop support for legacy Novell LDAP SDK [25] o lib: include necessary headers for `inet_ntop`/`inet_pton` [8] o lib: silence LibreSSL collision warning on non-MSVC Windows [51] o libssh2: comparison is always true because rc <= -1 [56] o libssh2: raise lowest supported version to 1.2.8 [3] o libssh: drop support for libssh older than 0.9.0 [33] o libssh: silence `-Wconversion` with a cast (Windows 32-bit) [7] o netrc: return code cleanup, fix missing file error [45] o openssl-quic: ignore ciphers for h3 [1] o openssl: fix out of scope variables in goto [12] o pop3: TLS upgrade fix [15] o runtests: fix the disabling of the memory tracking [29] o runtests: quote commands to support paths with spaces [35] o scache: add magic checks [31] o smb: silence `-Warray-bounds` with gcc 13+ [9] o smtp: TLS upgrade fix [16] o SPONSORS.md: clarify that we don't promise goods or services [5] o test1516: avoid failure due to spaces in path [36] 
o test2080: simplify, avoid the null byte o tests: fix test 558, 1330 for MSVC, allow TrackMemory with MSVC in cmake [53] o tidy-up: make per-file `ARRAYSIZE` macros global as `CURL_ARRAYSIZE` [48] o tool_cfgable: sort struct fields by size, use bitfields for booleans [17] o tool_getparam: add "TLS required" flag for each such option [44] o tool_progress: fix percent output of large parallel transfers [61] o tool_ssls: switch to tool-specific get_line function [34] o verbose.md: mention how carriage-return might occur in headers [49] o vquic: make the "disable GSO" use infof, not failf [65] o vtls: fix multissl-init [60] o vtsl: eliminate 'data->state.ssl_scache' [59] o wakeup_write: make sure the eventfd write sends eight bytes [46] o wolfssl: silence compiler warning (MSVC 2019), simplify existing [13] This release includes the following known bugs: See https://curl.se/docs/knownbugs.html For all changes ever done in curl: See https://curl.se/changes.html Planned upcoming removals include: o Support for the msh3 HTTP/3 backend o The winbuild build system o TLS libraries not supporting TLS 1.3 See https://curl.se/dev/deprecate.html This release would not have looked like this without help, code, reports and advice from friends like these: Aaron Deadman, Andrei Korshikov, Andrew Kirillov, arlt on github, Christian Schmitz, CueXXIII on Github, Dan Fandrich, Daniel Stenberg, deliciouslytyped on github, Fay Stegerman, Jan Eng
mascot?
Hello,

In a break from the debugging and thinking of patch releases, a less serious question to ponder about: Should we get ourselves a mascot for the curl project?

The poll is here: https://github.com/curl/curl/discussions/16276

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Release candidate 2: curl 8.13.0-rc2
Hello friends!

Welcome to the second 8.13.0 release candidate: rc2.

Please try this release candidate in your use cases and products and verify that everything works as intended. Please try the new features and options and verify that they work the way they are documented, and maybe also the way you think they should. Features that have not shipped in a release yet can still be marginally tweaked if deemed desirable.

Download your curl release candidates from https://curl.se/rc/

--
 / daniel.haxx.se
Re: Anyone using --raw?
On Sun, 6 Apr 2025, Daniel Stenberg via curl-users wrote:

> Hm, sorry, I might have been mostly wrong in my explanation of this bug. I'll rethink and come back with a new PR soon.

In my great wisdom I confused CURLOPT_HTTP_TRANSFER_DECODING with CURLOPT_TRANSFER_ENCODING. Maybe not the most cleverly named options we have.

Anyway, I think the outcome is that the fix is much simpler than what I first thought: https://github.com/curl/curl/pull/16984

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Re: [RELEASE] curl 8.13.0
On Wed, 2 Apr 2025, Dagobert Michelsen wrote:

> I have a regression on Solaris 10 Sparc:

It is puzzling that CloseSocket suddenly is deemed fine by configure. I made https://github.com/curl/curl/issues/16915 for it

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Re: Anyone using --raw?
On Sat, 5 Apr 2025, Fabian Keil via curl-users wrote:

> Privoxy has tests for the handling of chunk-encoded content

Thanks!

That's even the "worst" kind of use - the most complicated for us to provide. This, because when curl doesn't handle the chunking itself it doesn't know when the content ends. This particular use case works because the server decides to close the connection after use, but that's sort of contrary to the point of having chunked encoding to begin with.

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Anyone using --raw?
Hello,

Is there anyone around who uses --raw with a decent use case? I would not mind learning how/why because I'm about to break it: https://github.com/curl/curl/issues/16974

... and I'd like to figure out what we should do to fix it again. If at all...

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Re: Anyone using --raw?
On Sat, 5 Apr 2025, Dan Fandrich via curl-users wrote:

> Debian codesearch shows a number of projects using it:

Thanks!

My plan to keep --raw working in the next release now looks like this: https://github.com/curl/curl/pull/16982

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Re: Anyone using --raw?
On Sat, 5 Apr 2025, Daniel Stenberg via curl-users wrote:

> My plan to keep --raw working in the next release now looks like this:

Hm, sorry, I might have been mostly wrong in my explanation of this bug. I'll rethink and come back with a new PR soon.

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Release candidate 3: curl 8.13.0-rc3
Hello friends!

Welcome to the third and last 8.13.0 release candidate: rc3. Now only a week left until the actual release.

Please try this release candidate in your use cases and products and verify that everything works as intended. Please try the new features and options and verify that they work the way they are documented, and maybe also the way you think they should. Features that have not shipped in a release yet can still be marginally tweaked if deemed desirable.

Download your curl release candidates from https://curl.se/rc/

--
 / daniel.haxx.se
[RELEASE] curl 8.13.0
Hello team! Welcome to a new release. Get it as always from https://curl.se/ curl and libcurl 8.13.0 Public curl releases: 266 Command line options: 268 curl_easy_setopt() options: 307 Public functions in libcurl: 96 Contributors: 3378 This release includes the following changes: o curl: add write-out variable 'tls_earlydata' [79] o curl: make --url support a file with URLs [104] o gnutls: set priority via --ciphers [167] o IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags [124] o lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY [147] o OpenSSL/quictls: add support for TLSv1.3 early data [150] o rustls: add support for CERTINFO [106] o rustls: add support for SSLKEYLOGFILE [282] o rustls: support ECH w/ DoH lookup for config [280] o rustls: support native platform verifier o var: add a '64dec' function that can base64 decode a string [78] o wolfssl: tls early data support [50] This release includes the following bugfixes: o addrinfo: add curl macro to avoid redefining foreign symbols [29] o asyn-thread: avoid the separate 'struct resdata' alloc [20] o asyn-thread: avoid the separate curl_mutex_t alloc [6] o asyn-thread: do not allocate thread_data separately [21] o asyn-thread: remove 'status' from struct Curl_async [36] o autotools: fix `dllmain.c` in unity builds [257] o autotools: fix `libtest` bundle to depend on `FIRSTFILES` [240] o autotools: use `CURLDEBUG` to exclude TrackMemory code from unity [253] o aws_sigv4: cannot be used for proxy [171] o aws_sigv4: merge repeated headers in canonical request [272] o aws_sigv4: use strparse more for parsing [55] o base64: drop `BUILDING_CURL` macro, always include in tests/server [234] o build: add Windows CE / CeGCC support, with CI jobs [87] o build: cmake multi-pkg-config detection improvements (brotli, ldap, mbedtls) [192] o build: do not apply curl debug macros to `tests/server` by default [254] o build: drop unused `getpart` tool [107] o build: enable -Wjump-misses-init for GCC 4.5+ [62] o build: enable 
`-Wcast-qual`, fix or silence compiler warnings [208] o build: fix compiler warnings in feature detections [39] o build: replace Curl_ prefix with curlx_ for functions used in servers [236] o build: set `-O3` and tune WinCE in CI, fix `getpart`, `vtls_scache` fallouts [137] o build: set `HAVE_STDINT_H` if `stdint.h` is available [155] o build: set `HAVE_WRITABLE_ARGV` for Apple cross-builds [8] o build: silence bogus `-Wconversion` warnings with gcc 5.1-5.4 [68] o build: silence mingw32ce C99 format warnings, simplify CI [143] o build: tidy-ups around `inet_pton` [180] o c-ares httpsrr: fix ifdef [223] o c-ares: error out for unsupported versions, drop unused macros [85] o ca-native.md: sync with CURLSSLOPT_NATIVE_CA [72] o cf-socket: deduplicate Windows Vista detection [11] o cf-socket: remove empty switch [75] o client writer: handle pause before decoding [61] o cmake: `CURL_LIBDIRS` improvements (upstreamed from vcpkg) [191] o cmake: `SHARE_LIB_OBJECT=ON` requires CMake 3.12 or newer [46] o cmake: add custom command scripts as dependencies where missing [298] o cmake: add pre-fill for Unix, enable in GHA/macos, verify pre-fills [42] o cmake: add shell completion support [261] o cmake: allow `CURL_STATIC_CRT` with shared libcurl and no curl exe [123] o cmake: allow `CURL_STATIC_CRT` with UCRT VS2015+ builds [134] o cmake: allow empty `IMPORT_LIB_SUFFIX`, add suffix collision detection [41] o cmake: avoid `-Wnonnull` warning in `HAVE_FSETXATTR_5` detection [81] o cmake: disable HTTPS-proxy as a feature if proxy is disabled [77] o cmake: drop `CURL_DISABLE_TESTS` option [94] o cmake: drop `HAVE_C_FLAG_Wno_long_double` logic for ancient Apple gcc [126] o cmake: drop `HAVE_IN_ADDR_T` from pre-fill too o cmake: drop two stray TLS feature checks for wolfSSL [9] o cmake: exclude `-MP` for `clang-cl` again [132] o cmake: fix `HAVE_ATOMIC`/`HAVE_STDATOMIC` pre-fill for clang-cl [28] o cmake: fix clang-tidy builds to verify tests, fix fallouts [289] o cmake: fix detection 
pre-fills for iOS [153] o cmake: fix ECH detection in custom-patched OpenSSL [32] o cmake: fix typo in ECH config error msg [246] o cmake: hide empty `MINGW64_VERSION` output for mingw32ce [114] o cmake: improve httpd detection for pytest [127] o cmake: mention 'insecure' in the debug build warning [15] o cmake: misc tidy-ups [38] o cmake: pre-fill known type sizes for Windows OSes [100] o cmake: replace CMAKE_COMPILER_IS_GNUCC with CMAKE_C_COMPILER_ID [232] o cmake: replace exec_program() with execute_process() [239] o cmake: restrict static CRT builds to static curl exe, test in CI [113] o cmake: sync cutoff version with autotools for picky option `-ftree-vrp` [99] o cmake: sync OpenSSL(-fork) feature checks with `./configure` [49] o cmake: unity mode optimization for non-`CURLDEBUG` `testdeps` targets [231] o CODE_STYLE: readability and banned functions [35] o
location-mode ?
Hi friends,

In an attempt to improve -X and to perhaps support the future QUERY method better, I recently made a PR that introduces a --location-mode option. It has received very little attention and feedback so here I am. I would like some more eyes and thoughts on this before I proceed.

This new option can make -X start working the way most people assume it already does...

https://github.com/curl/curl/pull/16543

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Re: [RFE] Improve etag handling with --etag-compare-update
On Mon, 28 Apr 2025, Aleksei via curl-users wrote:

> I'm trying to implement a "download only if updated on a remote resource" functionality with a curl script using etags. Currently the etag file saved with --etag-save becomes useless after a single update on a remote resource.

I don't understand. Can you elaborate? If the remote resource is indeed updated, surely it should download again and update the etag file?

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Re: [RFE] Improve etag handling with --etag-compare-update
On Tue, 29 Apr 2025, Aleksei wrote:

> If they work together in a single invocation then great, no enhancement needed. Man page describes ETag usage in separate requests:
>
>   Use the option --etag-save to first save the ETag from a response, and then use this option to compare against the saved ETag in a **subsequent request**.

It saves the etag from this transfer for the purpose of using in the next command line. The compare option however uses the existing file contents for *this* command line.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Re: [RFE] Improve etag handling with --etag-compare-update
On Tue, 29 Apr 2025, Aleksei wrote:

> I'm asking for "and update the etag file" part to be done by curl. Scenario:
>
> 1) curl downloads a webpage, saving etag file in file0.etag

Something like this:

  curl --etag-save file0.etag $URL

> 2) website updates a webpage (update 1)
> 3) curl uses "--etag-compare file0.etag" and re-downloads the page - so far so good

Download the file if changed, update the etag file:

  curl --etag-compare file0.etag --etag-save file0.etag $URL

> 4) website updates a webpage (update 2)
> 5) How do I check that webpage is updated now? "--etag-compare file0.etag" will re-download even if update 2 has been downloaded

You repeat the command above:

  curl --etag-compare file0.etag --etag-save file0.etag $URL

... which only downloads the URL again if it is different than the last download.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Re: [RFE] Improve etag handling with --etag-compare-update
On Tue, 29 Apr 2025, Aleksei wrote:

> Thanks for explanations Daniel, all clear now. Perhaps these things should be mentioned in the man page, the current --etag-save and --etag-compare sections gave me a clear impression these options are to be used in separate curl invocations.

How about adding this paragraph to the --etag-save documentation?

  In many situations you want to use an existing etag in the request to avoid downloading the same resource again but also save the new etag if it has indeed changed, by using both etag options --etag-save and --etag-compare, in the same command line.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

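The scenario from this thread, modelled offline as an added example (not part of the original messages and not curl's code): `Origin` and `transfer()` are hypothetical stand-ins for the web server and for one command line using `--etag-compare` and/or `--etag-save`. It shows why comparing against an etag file that is never refreshed keeps re-downloading, while using both options on every run does not.

```python
import hashlib
import tempfile
from pathlib import Path


class Origin:
    """Constructed stand-in for the web server: one resource with an ETag."""

    def __init__(self, body: bytes):
        self.update(body)

    def update(self, body: bytes) -> None:
        # A new body gets a new validator, as a well-behaved server would do.
        self.body = body
        self.etag = '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

    def get(self, if_none_match=None):
        """Answer 304 when the client's validator matches, else 200 + body."""
        if if_none_match == self.etag:
            return 304, self.etag, b""
        return 200, self.etag, self.body


def transfer(origin, etag_compare=None, etag_save=None):
    """Model of one command line (hypothetical helper).

    etag_compare: file whose current contents are sent as If-None-Match.
    etag_save:    file that receives the ETag of this response.
    Returns the body, or None when the server answered 304.
    """
    validator = None
    if etag_compare is not None and etag_compare.exists():
        validator = etag_compare.read_text().strip() or None
    status, etag, body = origin.get(validator)
    if etag_save is not None:
        etag_save.write_text(etag + "\n")
    return body if status == 200 else None


def run_scenario(save_every_time: bool):
    """Replay the thread's steps; return, per run, whether a download happened."""
    with tempfile.TemporaryDirectory() as tmp:
        etag_file = Path(tmp) / "file0.etag"
        origin = Origin(b"original page")
        # Step 1: first download, --etag-save only.
        downloaded = [transfer(origin, etag_save=etag_file) is not None]
        later_save = etag_file if save_every_time else None
        # Then: update 1, an unchanged re-check, update 2, an unchanged re-check.
        for new_body in (b"update 1", None, b"update 2", None):
            if new_body is not None:
                origin.update(new_body)
            body = transfer(origin, etag_compare=etag_file, etag_save=later_save)
            downloaded.append(body is not None)
        return downloaded


if __name__ == "__main__":
    print("compare only      :", run_scenario(save_every_time=False))
    print("compare and save  :", run_scenario(save_every_time=True))
```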
Release candidate 1: curl 8.14.0-rc1
Hello friends!

As per our new tradition, we have an rc1 build of the coming curl release uploaded and made available for testing on https://curl.se/rc/.

Please consider taking this for a spin and verify that everything seems to work as it should. All the new features for the pending release have been merged and should work as documented.

Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.

This rc1 release is tagged as rc-8_14_0-1.

Thanks for flying curl.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Re: On QUERY and -X
On Tue, 25 Feb 2025, Daniel Stenberg wrote:

> This new functionality that opens up the opportunity to make curl do QUERY better by using this new flag. But how?

My plan is now to merge the libcurl part necessary for this functionality in this feature window, then write up a proposal for the curl tool to ideally get merged in the *next* pending release window.

I have not yet figured out exactly which of the approaches I prefer...

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Re: On QUERY and -X
On Sun, 2 Mar 2025, Bastian Jesuiter wrote:

> I personally like the idea of adding a flag specifically for this new -L behavior.

Here's a first take that introduces a --request-mode option for this purpose:

https://github.com/curl/curl/pull/16543

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Release candidate 1: curl 8.13.0-rc1
Hello friends!

Welcome to the first 8.13.0 release candidate: rc1. Today is the first day of the feature freeze, meaning that all changes and new features that are introduced in the pending release have been merged already and should work.

Please try this release candidate in your use cases and products and verify that everything works as intended. Please try the new features and options and verify that they work the way they are documented, and maybe also the way you think they should.

Features that have not shipped in a release yet can still be marginally tweaked if deemed desirable.

Download your curl release candidates from https://curl.se/rc/

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Re: On QUERY and -X
On Tue, 25 Feb 2025, Daniel Stenberg via curl-users wrote:

> 4. Another way?

I thought of another way:

4. Add a new option --location-code that just changes how -L works, so that users can opt to add this in their .curlrc and magically have all existing command lines using -L switch over to the new way.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Re: On QUERY and -X
On Tue, 25 Feb 2025, Stefan Eissing wrote:

> AFAICT, this is to make QUERY requests working correctly? Would it be clearer to have a separate option to do a QUERY, which then would have the "correct" redirect behaviour? So, user would not have to -X this?

While the primary purpose right now is for QUERY, I was thinking that it could be a good opportunity to clean this up so that users would have a better experience independently of what custom method they use. Hence me not trying to push for --query specifically.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Release candidate 2: curl 8.14.0-rc2
Hello friends!

In preparing for the actual release, rc2 has been uploaded and made available for testing on https://curl.se/rc/.

Please consider taking this for a spin and verify that everything seems to work as it should. All the new features for the pending release have been merged and should work as documented.

Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.

This rc2 release is tagged as rc-8_14_0-2.

Thanks for flying curl.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Release candidate 3: curl 8.14.0-rc3
Hello friends!

In preparing for the actual release, rc3 has been uploaded and made available for testing on https://curl.se/rc/.

Please consider taking this for a spin and verify that everything seems to work as it should. All the new features for the pending release have been merged and should work as documented.

Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.

This rc3 release is tagged as rc-8_14_0-3.

This is exactly one week before the actual pending 8.14.0 release is planned to ship.

Thanks for flying curl.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

The curl user survey 2025 is up
Hello!

The time has come for you to once again do your curl community duty. Run over and fill in the curl user survey and tell us about how you use curl etc. This is the only proper way we get user feedback on a wide scale so please use this opportunity to tell us what you really think.

This is the 12th time the survey runs. It is generally similar to last year’s but with some details updated and refreshed.

https://forms.gle/mtoVC4AfEer8L8CK6

Also available through the blog post announcing this:

https://daniel.haxx.se/blog/2025/05/19/the-curl-user-survey-2025-is-up/

Thanks!

--
 / daniel.haxx.se || https://rock-solid.curl.dev

[reminder] The curl user survey 2025
Hello!

Just a quick reminder: if you haven't already, please head over and fill in this year's curl survey:

https://daniel.haxx.se/blog/2025/05/19/the-curl-user-survey-2025-is-up/

Thanks!

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Help out in the curl project!
Hello,

What YOU can do to help out in the curl project. Things we would appreciate help and assistance with at the moment. Some things that are current.

For general tips on how to get started helping out, start at [1].

## survey

Fill in the annual curl user survey [3] and make your friends do it as well. This is the best way we have to solicit user feedback and will guide us going forward.

## known bugs

If you have been looking for somewhere to start contributing, one way is to find an entry in the known bugs document [2] that sounds like something you would like to fix and then go do it. It is a good idea to check early if the issue is still around and to bounce potential solutions with the team.

## reproduce bugs

A great way to help out is to join the issues tracker on GitHub [4] and help us figure out what the issues are about. Can we reproduce them? Can we figure out the reason for them? Write a PR to fix them?

## test rc builds

While basically over for this release cycle as we shipped the third and last rc build last week for this time, building and testing release candidates in your environment and use cases *before* the actual release helps us greatly to catch regressions and makes for a better and more solid release.

## experimental features

Build curl with one or more of these features enabled, use them and make sure that they work the way you want them to work and how the documentation says they work:

 - SSL session import/export
 - HTTPS RR
 - ECH

Submit issues when you find something wrong!

## Links

[1] = https://curl.se/docs/help-us.html
[2] = https://curl.se/docs/knownbugs.html
[3] = https://daniel.haxx.se/blog/2025/05/19/the-curl-user-survey-2025-is-up/
[4] = https://github.com/curl/curl/issues

--
 / daniel.haxx.se || https://rock-solid.curl.dev

[RELEASE] curl and libcurl 8.14.0
Hello,

I'm happy to once again announce that we have shipped a new curl release. curl 8.14.0 is uploaded and is as always available at https://curl.se

Enjoy!

curl and libcurl 8.14.0

 Public curl releases:         267
 Command line options:         269
 curl_easy_setopt() options:   308
 Public functions in libcurl:  96
 Contributors:                 3427

This release includes the following changes:

 o mqtt: send ping at upkeep interval [49]
 o schannel: handle pkcs12 client certificates containing CA certificates [58]
 o TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs [113]
 o vquic: ngtcp2 + openssl support [96]
 o wcurl: import v2025.04.20 script + docs [97]
 o websocket: add option to disable auto-pong reply [52]

This release includes the following bugfixes:

 o _SEEALSO.md: remove spaces around command and man page section [166]
 o asny-thrdd: fix detach from running thread [191]
 o asnyc-thrdd: explain how this is okay with a comment [200]
 o asyn resolver code improvements [50]
 o async-threaded resolver: use ref counter [10]
 o async: DoH improvements [99]
 o autotools: detect `wolfSSL_set_quic_use_legacy_code` like cmake does [104]
 o autotools: install shell completion files on cross build [119]
 o aws-sigv4: allow a blank string [86]
 o build: check required rustls-ffi version [46]
 o build: enable gcc-12/13+, clang-10+ picky warnings [147]
 o build: enable gcc-15 picky warnings [133]
 o certs: drop unused `default_bits` from `.prm` files [45]
 o cf-https-connect: use the passed in dns struct pointer [64]
 o cf-socket: fix FTP accept connect [153]
 o cfilters: remove assert [120]
 o cmake/FindNGTCP2: simplify multi-pkg-config detection [27]
 o cmake: append picky warnings to `CMAKE_REQUIRED_FLAGS` as string [68]
 o cmake: avoid 'target is imported but not globally visible' when consuming libcurl with old cmake [125]
 o cmake: do not install `mk-ca-bundle` script and manpage [101]
 o cmake: enable `-Wall` for MSVC when `PICKY_COMPILER=ON` [100]
 o cmake: extend integration tests [139]
 o cmake: fix `fish` install directory detection via `pkg-config` [123]
 o cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON` [79]
 o cmake: fix option() and mark_as_advanced() mixed order [111]
 o cmake: fix shell completion install when just one flavor is enabled [73]
 o cmake: honor individual picky option overrides found in `CMAKE_C_FLAGS` [146]
 o cmake: install shell completions for cross-builds [112]
 o cmake: link `crypt32` for OpenSSL feature detection [105]
 o cmake: merge `CURL_WERROR` logic into `PickyWarnings.cmake` [66]
 o cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options [72]
 o cmake: quotes, whitespace, use `VERSION_GREATER_EQUAL` [33]
 o cmake: revert `CURL_LTO` behavior for multi-config generators [74]
 o cmake: set `BUILDING_LIBCURL` directly for unit test targets [174]
 o cmake: stop deleting `-W` from `CMAKE_C_FLAGS` (MSVC) [155]
 o cmake: tidy up and document feature detections in dependencies [107]
 o cmake: use `CMAKE_COMPILE_WARNING_AS_ERROR` if available [154]
 o cmake: use `INCLUDE_DIRECTORIES` prop to specify local header dirs [47]
 o cmake: use `LIB_NAME` in `curl-config.cmake.in` [148]
 o cmake: use absolute paths for completion targets [40]
 o cmake: use the `LINK_OPTIONS` property with CMake 3.13+ [78]
 o configure: catch asking for double resolver without https-rr [82]
 o configure: fix --disable-rt [20]
 o configure: restore link checks [25]
 o configure: suppress command not found for brew [235]
 o conncache: make Curl_cpool_init return void [15]
 o connect: shutdown timer fix [132]
 o content_encoding: Transfer-Encoding parser improvements [31]
 o CONTRIBUTE: add project guidelines for AI use [76]
 o contrithanks.sh: drop set -e [6]
 o cpool/cshutdown: force close connections under pressure [80]
 o curl: fix memory leak when -h is used in config file [161]
 o curl: only warn once for --manual in manual-disabled build [205]
 o curl_get_line: handle lines ending on the buffer boundary [62]
 o curl_krb5: only use functions if FTP is still enabled [21]
 o curl_multibyte: fixup low-level calls, include in unity builds [55]
 o curl_osslq: remove a leftover debug fprintf() call [140]
 o curl_url_get.md: don't call it normalized [212]
 o curl_version_info.md: clarify ssl_version for MultiSSL [145]
 o CURLMOPT_TIMERFUNCTION.md: correct the example [162]
 o CURLOPT_ERRORBUFFER.md: buffer is read only after curl takes ownership [93]
 o CURLOPT_FOLLOWLOCATION.md: switch to GET => no body [208]
 o CURLOPT_READFUNCTION.md: mention the seek callback [209]
 o CURLOPT_XFERINFOFUNCTION.md: fix the callback return type in example [122]
 o curlx: move the docs to docs/internals/ [184]
 o DEPRECATE.md: drop support for VS2008 [214]
 o DEPRECATE.md: drop Windows CE support [216]
 o dist: drop duplicate entry from `CMAKE_DIST` [88]
 o dns_entry: move from conn to data->state [178]
 o Dockerfile: update debian:bookworm-slim Docker digest to 90522ee [2

[SECURITY ADVISORY] curl: QUIC certificate check skip with wolfSSL
QUIC certificate check skip with wolfSSL
========================================

Project curl Security Advisory, May 28 2025 - [Permalink](https://curl.se/docs/CVE-2025-4947.html)

VULNERABILITY
-------------

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

INFO
----

curl can get built to use one out of twelve different TLS libraries. The selection is done both at build-time and also optionally at run-time. This vulnerability only affects curl made to use this specific TLS backend.

This flaw requires wolfSSL to be used as the TLS backend for QUIC to trigger.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-4947 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.8.0 to and including 8.13.0
- Not affected versions: curl < 8.8.0 and >= 8.14.0
- Introduced-in: https://github.com/curl/curl/commit/4c46e277b2a0c0489

Beware that while curl versions before 8.8.0 are not considered vulnerable to this flaw, certificate verification still did not work correctly then and was documented to not work.

libcurl is used by many applications, but not always advertised as such!

This bug is **not** considered a *C mistake*. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

SOLUTION
--------

Starting in curl 8.14.0, this mistake is fixed.

- Fixed-in: https://github.com/curl/curl/commit/a85f1df4803bbd272905c9e7125

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 8.14.0

 B - Apply the patch to your local version

 C - Avoid using HTTP/3 with curl built to use wolfSSL

TIMELINE
--------

This issue was reported to the curl project on May 17, 2025. We contacted distros@openwall on May 20, 2025.

curl 8.14.0 was released on May 28 2025 around 07:00 UTC, coordinated with the publication of this advisory.

The curl security team is not aware of any active exploits using this vulnerability.

CREDITS
-------

- Reported-by: Hiroki Kurosawa
- Patched-by: Stefan Eissing

Thanks a lot!

--
 / daniel.haxx.se || https://rock-solid.curl.dev

[SECURITY ADVISORY] curl: No QUIC certificate pinning with wolfSSL
No QUIC certificate pinning with wolfSSL
========================================

Project curl Security Advisory, May 28 2025 - [Permalink](https://curl.se/docs/CVE-2025-5025.html)

VULNERABILITY
-------------

libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL.

Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3.

Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

INFO
----

curl can get built to use one out of twelve different TLS libraries. The selection is done both at build-time and also optionally at run-time. This vulnerability only affects curl made to use this specific TLS backend.

This flaw requires wolfSSL to be used as the TLS backend for QUIC to trigger.

The pinning option still works fine with wolfSSL for TCP-based TLS, meaning for HTTP/1 and HTTP/2.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-5025 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.5.0 to and including 8.13.0
- Not affected versions: curl < 8.5.0 and >= 8.14.0
- Introduced-in: https://github.com/curl/curl/commit/5f78cf503c786a1d48d1352

Beware that while curl versions before 8.5.0 are not strictly considered vulnerable to this flaw, certificate pinning for QUIC with wolfSSL did not work correctly then either but before then HTTP/3 support was labeled experimental and not presumed to work 100%.

libcurl is used by many applications, but not always advertised as such!

This bug is **not** considered a *C mistake*. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

SOLUTION
--------

Starting in curl 8.14.0, this mistake is fixed.

- Fixed-in: https://github.com/curl/curl/commit/e1f65937a96a451292e92313396

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 8.14.0

 B - Apply the patch to your local version

 C - Avoid using HTTP/3 or certificate pinning with curl built to use wolfSSL

TIMELINE
--------

This issue was reported to the curl project on May 19, 2025. We contacted distros@openwall on May 22, 2025.

curl 8.14.0 was released on May 28 2025 around 07:00 UTC, coordinated with the publication of this advisory.

The curl security team is not aware of any active exploits using this vulnerability.

CREDITS
-------

- Reported-by: Hiroki Kurosawa
- Patched-by: Stefan Eissing

Thanks a lot!

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Release candidate 1: curl 8.15.0-rc1
Hello friends!

There is a fresh rc1 build of the coming curl 8.15.0 release uploaded and made available for testing on https://curl.se/rc/.

Please consider taking this for a spin and verify that everything seems to work as it should. All the new features for the pending release have been merged and should work as documented.

Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.

This rc1 release is tagged as rc-8_15_0-1.

Thanks for flying curl.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

[RELEASE] curl and libcurl 8.14.1
Hello!

Another curl release has been packaged, signed and uploaded. Get it as always from https://curl.se/

curl and libcurl 8.14.1

 Public curl releases:         268
 Command line options:         269
 curl_easy_setopt() options:   308
 Public functions in libcurl:  96
 Contributors:                 3431

This release includes the following bugfixes:

 o asyn-thrdd: fix cleanup when RR fails due to OOM [20]
 o autotools: recognize more Linux targets when setting `-D_GNU_SOURCE` [35]
 o BUG-BOUNTY.md. mention the medium bounty amount in 2025 [5]
 o cmake: fix missed version number for multi-pkg-config detections [14]
 o cmdline-docs: mention HTTP resumed uploads to be shaky [21]
 o curl: make -N handled correctly [34]
 o curl: upload from '.' fix [9]
 o dllmain: exclude from Cygwin builds [32]
 o docs/tests: remove mention of hyper [23]
 o docs: fix typos [12]
 o ftp: fix teardown of DATA connection in done [31]
 o http: fail early when rewind of input failed when following redirects [2]
 o license: update some copyright links to curl.se [24]
 o memanalyze.pl: fix getaddrinfo/freeaddrinfo checks [25]
 o misc: fix spelling [15]
 o misc: we write *an* IPv6 address [10]
 o multi: fix add_handle resizing [3]
 o spelling: 'a' vs 'an' [8]
 o spelling: call it null-terminate consistently [6]
 o test1510: fix expectation [19]
 o tests: await portfile to be complete [1]
 o tests: fix checks for https-mtls proto [30]
 o tests: improve server start reliability [18]
 o tests: move test docs into /docs [16]
 o tests: re-enable 1510, document heimdal memleak [22]
 o tests: test mtls also w/ clientAuth EKU only [28]
 o tests: test mtls with --insecure [29]
 o tls BIOs: handle BIO_CTRL_EOF correctly [33]
 o tool_getparam: make --no-anyauth not be accepted [13]
 o tool_getparam: refactored, simplified [4]
 o tool_getparam: remove two nextarg NULL checks [11]
 o VULN-DISCLOSURE-POLICY.md: the distros list wants <= 7 days embargo [26]
 o wolfssl: fix sending of early data [7]
 o ws: handle blocked sends better [27]
 o ws: tests and fixes [17]

This release includes the following known bugs:

 See https://curl.se/docs/knownbugs.html

For all changes ever done in curl:

 See https://curl.se/changes.html

Planned upcoming removals include:

 o Support for the msh3 HTTP/3 backend
 o Supporting curl builds using VS2008
 o The Secure Transport and BearSSL TLS backends
 o The winbuild build system
 o Windows CE support

 See https://curl.se/dev/deprecate.html

This release would not have looked like this without help, code, reports and advice from friends like these:

 Calvin Ruocco, Dan Fandrich, Daniel Stenberg, denandz on github, Ethan Everett, Jacob Mealey, Jeremy Drake, Jeroen Ooms, John Bampton, Kadambini Nema, Michael Kaufmann, Rasmus Melchior Jacobsen, Ray Satiro, Samuel Henrique, Stefan Eissing, Viktor Szakats, x-xiang on github, Yedaya Katsman, Yuyi Wang, z2_ (20 contributors)

References to bug reports and discussions on issues:

 [1] = https://curl.se/bug/?i=17492
 [2] = https://curl.se/bug/?i=17472
 [3] = https://curl.se/bug/?i=17473
 [4] = https://curl.se/bug/?i=17448
 [5] = https://curl.se/bug/?i=17470
 [6] = https://curl.se/bug/?i=17489
 [7] = https://curl.se/bug/?i=17481
 [8] = https://curl.se/bug/?i=17487
 [9] = https://curl.se/bug/?i=17513
 [10] = https://curl.se/bug/?i=17484
 [11] = https://curl.se/bug/?i=17483
 [12] = https://curl.se/bug/?i=17480
 [13] = https://curl.se/bug/?i=17508
 [14] = https://curl.se/bug/?i=16980
 [15] = https://curl.se/bug/?i=17478
 [16] = https://curl.se/bug/?i=17463
 [17] = https://curl.se/bug/?i=17136
 [18] = https://curl.se/bug/?i=17516
 [19] = https://curl.se/bug/?i=17515
 [20] = https://curl.se/bug/?i=17507
 [21] = https://curl.se/bug/?i=17521
 [22] = https://curl.se/bug/?i=17462
 [23] = https://curl.se/bug/?i=17500
 [24] = https://curl.se/bug/?i=17502
 [25] = https://curl.se/bug/?i=17503
 [26] = https://curl.se/bug/?i=17497
 [27] = https://curl.se/bug/?i=17496
 [28] = https://curl.se/bug/?i=17493
 [29] = https://curl.se/bug/?i=17493
 [30] = https://curl.se/bug/?i=17493
 [31] = https://curl.se/bug/?i=17482
 [32] = https://curl.se/bug/?i=17262
 [33] = https://curl.se/bug/?i=17471
 [34] = https://curl.se/bug/?i=17527
 [35] = https://curl.se/bug/?i=17512

--
 / daniel.haxx.se || https://rock-solid.curl.dev

[SECURITY ADVISORY] curl: CVE-2025-5399: WebSocket endless loop
WebSocket endless loop
======================

Project curl Security Advisory, June 4 2025 - [Permalink](https://curl.se/docs/CVE-2025-5399.html)

VULNERABILITY
-------------

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop.

There is no other way for the application to escape or exit this loop other than killing the thread/process.

This might be used to DoS a libcurl-using application.

INFO
----

The problem does not occur if "auto-pong" is disabled with the `CURLWS_NOAUTOPONG` option.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-5399 to this issue.

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.13.0 to and including 8.14.0
- Not affected versions: curl < 8.13.0 and >= 8.14.1
- Introduced-in: https://github.com/curl/curl/commit/3588df9478d7c270

libcurl is used by many applications, but not always advertised as such!

This bug is **not** considered a *C mistake*. It is not likely to have been avoided had we not been using C.

This flaw does not affect the curl command line tool.

SOLUTION
--------

Starting in curl 8.14.1, this mistake is fixed.

- Fixed-in: https://github.com/curl/curl/commit/d1145df24de8f80e6b16

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 8.14.1

 B - Apply the patch to your local version

 C - Avoid using WebSocket

TIMELINE
--------

This issue was reported to the curl project on May 30, 2025. We contacted distros@openwall on June 2, 2025.

curl 8.14.1 was released on June 4 2025 around 07:00 UTC, coordinated with the publication of this advisory.

The curl security team is not aware of any active exploits using this vulnerability.

CREDITS
-------

- Reported-by: z2_ on hackerone
- Patched-by: z2_ on hackerone

Thanks a lot!

--
 / daniel.haxx.se || https://rock-solid.curl.dev

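A triage helper for the three advisories above (CVE-2025-4947, CVE-2025-5025, CVE-2025-5399), added here as an example and not part of the advisories or the curl project: it reads `curl --version` text and returns the advisories whose version range and build conditions match. The sample outputs are constructed, and detecting wolfSSL, HTTP/3 and WebSocket from the `wolfSSL/` token, the `HTTP3` feature and the `ws`/`wss` protocols is this example's assumption.

```python
import re
from typing import NamedTuple


class Advisory(NamedTuple):
    cve: str
    first_affected: tuple   # inclusive
    last_affected: tuple    # inclusive
    condition: str          # "wolfssl-quic" or "websocket"
    scope: str
    fixed_in: str


# Ranges, conditions and fixed versions are copied from the advisories above.
ADVISORIES = (
    Advisory("CVE-2025-4947", (8, 8, 0), (8, 13, 0), "wolfssl-quic",
             "libcurl and the curl tool", "8.14.0"),
    Advisory("CVE-2025-5025", (8, 5, 0), (8, 13, 0), "wolfssl-quic",
             "libcurl and the curl tool", "8.14.0"),
    Advisory("CVE-2025-5399", (8, 13, 0), (8, 14, 0), "websocket",
             "libcurl applications only", "8.14.1"),
)


class Build(NamedTuple):
    libcurl: tuple
    wolfssl: bool
    http3: bool
    websocket: bool


def _words(text, label):
    """Return the lower-cased words of a 'Label: a b c' line as a set."""
    m = re.search(rf"^{label}:(.*)$", text, re.MULTILINE)
    return set(m.group(1).lower().split()) if m else set()


def parse_version_output(text):
    """Extract what the advisories depend on from `curl --version` text."""
    # The flaws are in the library, so use the libcurl/x.y.z token rather than
    # the tool version at the start of the line (the two can differ).
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no libcurl/x.y.z token found")
    return Build(
        libcurl=tuple(int(part) for part in m.groups()),
        wolfssl=re.search(r"\bwolfssl/", text, re.IGNORECASE) is not None,
        http3="http3" in _words(text, "Features"),
        websocket=bool({"ws", "wss"} & _words(text, "Protocols")),
    )


def applicable_advisories(version_output):
    """Return the advisories that match this build, in page order."""
    build = parse_version_output(version_output)
    hits = []
    for adv in ADVISORIES:
        if not (adv.first_affected <= build.libcurl <= adv.last_affected):
            continue
        if adv.condition == "wolfssl-quic" and not (build.wolfssl and build.http3):
            continue
        if adv.condition == "websocket" and not build.websocket:
            continue
        hits.append(adv)
    return hits


# Constructed sample outputs (not captured from real systems).
SAMPLE_WOLFSSL_8_13_0 = """\
curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 wolfSSL/5.7.6 zlib/1.3.1 ngtcp2/1.11.0 nghttp3/1.8.0
Protocols: dict file ftp ftps http https mqtt ws wss
Features: alt-svc AsynchDNS HSTS HTTP3 HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""
SAMPLE_WOLFSSL_8_7_1 = SAMPLE_WOLFSSL_8_13_0.replace("8.13.0", "8.7.1")
SAMPLE_WOLFSSL_8_14_1 = SAMPLE_WOLFSSL_8_13_0.replace("8.13.0", "8.14.1")
SAMPLE_OPENSSL_8_13_0 = SAMPLE_WOLFSSL_8_13_0.replace("wolfSSL/5.7.6", "OpenSSL/3.4.0")

if __name__ == "__main__":
    for adv in applicable_advisories(SAMPLE_WOLFSSL_8_13_0):
        print(f"{adv.cve}: affects {adv.scope}; fixed in curl {adv.fixed_in}")
```

A match means the build is in the affected range with the feature compiled in; whether an application actually uses HTTP/3, pinning or WebSocket (or sets `CURLWS_NOAUTOPONG`) still has to be checked in the application itself.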
The #curl user survey 2025 analysis
Hi friends,

I managed to chew through all the data, I ran the numbers and I generated the output. Enjoy:

https://daniel.haxx.se/blog/2025/07/03/curl-user-survey-2025-analysis/

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Release candidate 2: curl 8.15.0-rc2
Hello again!

I just uploaded the rc2 build of the coming curl 8.15.0 release and made it available for testing on https://curl.se/rc/.

Please take this one for a spin and verify that everything seems to work as it should. All the new features for the pending release have been merged and should work as documented.

Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.

This rc2 release is tagged as rc-8_15_0-2.

Thanks for flying curl.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

supporting --longopt=value
Hello friends,

The curl command line parser is a custom parser that acts slightly differently than many other command line tools. One particular difference is how arguments to long options are provided: space-separated from the option itself. Like this when setting the user agent:

  curl --user-agent curl-2000 https://example.com/

Many other command line tools instead use the equals-sign-approach, where the argument is instead specified immediately next to the flag like this:

  curl --user-agent=curl-2000 https://example.com/

I am now proposing a PR for curl that makes it add support for the latter syntax in addition to the previous, which then perhaps makes curl a bit more aligned with the rest of the world:

https://github.com/curl/curl/pull/17789

If we deem this fine, it might be merged for the 8.16.0 release (Sep 2025).

Since this would introduce support for a syntax that is not supported by older curl versions, I would expect that not too many users will actually use this command line style for the first few years until the new parser is in more widespread use.

Thoughts?

--
 / daniel.haxx.se || https://rock-solid.curl.dev

Re: supporting --longopt=value
On Tue, 1 Jul 2025, Paul Gilmartin via curl-users wrote:

> Does this introduce any incompatibility?

I have thought hard on this but I can't think of any.

> For example, would it change the behavior of:
>
>   curl --output =x https://example.com

That's a valid existing command line for which the equals sign is part of the argument to --output. The new handling does not change this and it will work exactly like before.

The new parser only detects and works if the equals sign is used directly "attached" to the right side of a valid option name with no space in between, like --output=x.

This syntax can be made supported without causing problems exactly because it does not work at all with the old (existing) parser.

--
 / daniel.haxx.se || https://rock-solid.curl.dev

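A small model of the rule described in this thread, added here as an illustration; it is not curl's parser and not the code in the PR. The option table, `parse()` and `rejected()` are hypothetical, and rejecting `=value` on an option that takes no argument is an assumption the thread does not cover.

```python
# Hypothetical option table for this model: long name -> takes an argument?
OPTIONS = {"user-agent": True, "output": True, "header": True, "silent": False}


class UsageError(Exception):
    """Raised where a command line would be refused."""


def parse(argv, allow_equals):
    """Parse long options and URLs.

    allow_equals=False models the existing behaviour (argument is always the
    next token); allow_equals=True additionally accepts --name=value, but only
    when the text left of the first '=' is a known option name.
    Returns (options, urls) where options is a list of (name, value) pairs.
    """
    options, urls = [], []
    i = 0
    while i < len(argv):
        token = argv[i]
        i += 1
        if not token.startswith("--"):
            urls.append(token)
            continue
        name, value = token[2:], None
        if allow_equals:
            head, sep, tail = name.partition("=")
            if sep and head in OPTIONS:
                # '=' attached directly to a valid option name: split there.
                name, value = head, tail
        if name not in OPTIONS:
            raise UsageError(f"option --{name}: is unknown")
        if not OPTIONS[name]:
            if value is not None:
                raise UsageError(f"option --{name}: takes no argument")
            options.append((name, None))
            continue
        if value is None:
            # Space-separated form: the next token is the argument, verbatim,
            # even if it starts with '=' as in `--output =x`.
            if i >= len(argv):
                raise UsageError(f"option --{name}: requires parameter")
            value = argv[i]
            i += 1
        options.append((name, value))
    return options, urls


def rejected(argv, allow_equals):
    """True if this command line is refused by the chosen parser model."""
    try:
        parse(argv, allow_equals)
    except UsageError:
        return True
    return False


if __name__ == "__main__":
    url = "https://example.com/"
    print(parse(["--user-agent=curl-2000", url], allow_equals=True))
    print(parse(["--output", "=x", url], allow_equals=True))
    print(rejected(["--user-agent=curl-2000", url], allow_equals=False))
```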
curl, new long option '--out-null'
Hello,

Feel free to join in the name-shedding over on GitHub where this new option proposal is being discussed:

  https://github.com/curl/curl/pull/17800

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Release candidate 3: curl 8.15.0-rc3
Hello,

The third and last release candidate of the coming curl 8.15.0 release is now uploaded and available for testing on https://curl.se/rc/.

Please take this one for a spin and verify that everything seems to work as it should. All the new features for the pending release have been merged and should work as documented.

Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.

This rc3 release is tagged as rc-8_15_0-3.

Thanks for flying curl.

--
 / daniel.haxx.se || https://rock-solid.curl.dev
RE: Release candidate 3: curl 8.15.0-rc3
On Wed, 9 Jul 2025, Dick Brooks wrote:

> Congratulations. Any chance we will see an SBOM for curl in the future?

The "normal" curl release does not need an SBOM. It is just one thing and this one thing comes only from us: the curl release. curl releases are done as source code tarballs with no third party code included.

There are some additional things we ship, like windows binaries at https://curl.se/windows/ and they contain 3rd party components. All the details for those are provided there, which should allow users to make an SBOM out of it in the preferred format of the day.

--
 / daniel.haxx.se || https://rock-solid.curl.dev
Sponsor my laptop
Hello,

We're running a small crowd-source program to give everyone a chance to help sponsor a new laptop for curl development:

  https://daniel.haxx.se/blog/2025/07/12/sponsor-my-laptop/

--
 / daniel.haxx.se || https://rock-solid.curl.dev
[RELEASE] curl 8.15.0
Hello team,

I'm happy to announce that we have yet again put together a little curl release. Get it as always from https://curl.se

Enjoy!

curl and libcurl 8.15.0

 Public curl releases: 269
 Command line options: 269
 curl_easy_setopt() options: 308
 Public functions in libcurl: 96
 Contributors: 3460

This release includes the following changes:

 o TLS: remove support for Secure Transport and BearSSL [19]

This release includes the following bugfixes:

 o altsvc: accept 'clear' without semicolon as well [190]
 o asyn-ares: remove redundant NULL check [152]
 o asyn-thrdd: free the previous name before strdup'ing the new [84]
 o autotools: detect and link `brotlicommon` library for brotli [130]
 o autotools: drop `$top_builddir/src` from src header path [23]
 o autotools: drop headers from src mk-unity rules (fixup) [136]
 o autotools: drop no longer necessary `--srcdir` unity options [66]
 o autotools: drop redundant `Makefile.inc` from `EXTRA_DIST` in src [127]
 o autotools: simplify configuration in tests, examples [47]
 o bufq: change read/write signatures [120]
 o bufq: remove the unused Curl_bufq_unwrite function [143]
 o build: assume `sys/socket.h`, `sys/time.h` on non-Windows (as in `curl/curl.h`) [21]
 o build: drop `HAVE_SYS_SOCKET_H` and `HAVE_SYS_TIME_H` macros [69]
 o build: drop explicit curlx from hdr paths, refer headers with `curlx/` prefix [150]
 o build: drop unused variables in tests
 o build: fix libcurltool with cmake and tunits, related tidy-ups [138]
 o build: split `.c` and `.h` file lists in tests [128]
 o build: stop checking for `sys/stat.h` [146]
 o build: stubgss tidy-ups (in tests) [137]
 o build: sync build scripts between client/libtest [49]
 o build: tidy up `Makefile.inc` use in lib and src [116]
 o build: tidy up header paths, use srcdir where possible [42]
 o cf-socket: make socket data_pending a nop [175]
 o checksrc-all: rewrite in Perl, remove `checksrc.bat` [217]
 o checksrc: reduce exceptions, apply again to curlx [114]
 o cmake/FindGSS: fix processing C header path options [160]
 o cmake/FindGSS: initialize result variables [159]
 o cmake: `curl_add_clang_tidy_test_target` tidy-ups [185]
 o cmake: build `stubgss` library for libtests to match autotools [34]
 o cmake: check USE_WINDOWS_SSPI when adding secur32 to CURL_LIBS [144]
 o cmake: configure c-ares header directory in project root (was: lib) [106]
 o cmake: document OpenSSL and ngtcp2 crypto lib custom variables [29]
 o cmake: drop never propagated C macros [22]
 o cmake: drop passing redundant `CURL_STATICLIB` in examples and clients [52]
 o cmake: drop redundant macro from test clients [51]
 o cmake: drop reference to future variable
 o cmake: enable soversion by default for OpenHarmony OS [131]
 o cmake: fix `curl_add_clang_tidy_test_target` when no `-D` option [155]
 o cmake: fix generator expression in docs/examples [109]
 o cmake: gather options recursively in `curl_add_clang_tidy_test_target` [156]
 o cmake: make docs depend on support files [80]
 o cmake: move `OUTPUT` argument in the `add_custom_command()` line [50]
 o cmake: omit clang-tidy on internal libs curlu and curltool [64]
 o cmake: replace `cmakelint` with `cmake-lint` from `cmakelang`, fix issues [20]
 o cmake: replace the way clang-tidy verifies tests, fix issues found [101]
 o cmake: simplify handling generated `lib1521.c` in libtests [24]
 o cmake: sync `target_link_libraries()` order in tests more [44]
 o cmake: sync tests scripts by using the variable `BUNDLE` [46]
 o cmake: sync tests scripts with each other and autotools (more) [100]
 o cmake: use `target_link_options()` when available [43]
 o config-win32: fix default targets, shorten macro logic [227]
 o configure: order LDAP after the SSL libraries
 o connect: drop unused struct member [209]
 o connection: clarify `transport` [197]
 o connection: eliminate member `remote_addr` [10]
 o curl-config: fix whitespace in usage text [122]
 o curl.h: make CURL_IPRESOLVE_* symbols defined as longs [206]
 o curl.h: make CURLSSLOPT_* symbols defined as longs [3]
 o curl.h: remove the "RESERVED" error codes [2]
 o curl: implement non-blocking STDIN read on Windows [28]
 o curl: improve non-blocking STDIN performance [129]
 o curl: remove the global argument from many functions [218]
 o curl: unify pointer names to global config [219]
 o curl_get_line: make sure lines end with newline [110]
 o curl_memory.h: fix to undefine `accept4` [180]
 o curl_path: make SFTP handle a path like /~ properly. [11]
 o curlinfo: provide the 'digest' feature [168]
 o CURLSHOPT_SHARE.md: mention multi-threading requires callbacks [161]
 o DEPRECATE.md: add VS2005 removal to the list [214]
 o digest: fix build with disabled digest auth [72]
 o DISTROS: update NixOS link
 o docs,tests: fix english grammar "allow to" -> "allow to" [158]
 o docs/CONTRIBUTE: fix broken link [173]
 o docs/examples: add ftp-delete.c [5]
 o docs: beef up examples/websocket.c [189]
 o docs: