RELEASE-NOTES: synced

2026-06-18 07:05:38 +03:00 · 2026-06-16 23:22:58 +02:00 · 2026-06-16 23:22:58 +02:00 · 7806fb36c5
commit 7806fb36c5
parent 92db819714
1 changed files with 82 additions and 20 deletions
--- a/102
+++ b/102
@ -4,8 +4,8 @@ curl and libcurl 8.21.0
 Command line options:         274
 curl_easy_setopt() options:   308
 Public functions in libcurl:  100
- Authors:                      1486
- Contributors:                 3719
+ Authors:                      1489
+ Contributors:                 3728

 This release includes the following changes:

@ -19,14 +19,19 @@ This release includes the following changes:
 This release includes the following bugfixes:

 o _ENVIRONMENT.md. Windows does case insensitive env variables [214]
+ o _URL.md: remove the zone-id mention [227]
+ o AmigaOS: curl_setup.h avoid explicit_bzero with clib2 [283]
+ o AmigaOS: fix build fallouts, re-add to CI [279]
 o asyn-thrdd: add IPv6 guards [195]
 o asyn-thrdd: fix result processing without wakeup socketpair [2]
 o autotools: mbedtls detection fixes [163]
 o BINDINGS: Update Hollywood link [181]
 o BUFQ.md: re-sync with source code [111]
+ o build: enable `-Wlogical-op` picky warning for GCC 4.4+ [277]
 o build: omit zlib pkg-config reference for Android [130]
 o cf-h2-prox: fix peer leak [132]
 o cf-h2-proxy: drop interim responses [47]
+ o cf-https-connect: do not engage on proxy origin [236]
 o cf-ip-happy.c: minor comment typo
 o cf-ip-happy: update documentation [223]
 o cf-socket: make Curl_addr2string static [224]
@ -35,12 +40,15 @@ This release includes the following bugfixes:
 o cfilters: fix busy loop on blocked transfers [72]
 o chunked: reject invalid bytes in trailer [210]
 o CIPHERS.md: fix the example that uses only TLS 1.3 [137]
+ o cmake/FindGSS: fix comment, adjust custom flavor property name [261]
+ o cmake/FindGSS: prioritize MIT over GNU in pkg-config detection [196]
 o cmake: auto-select static nghttp2/nghttp3/ngtcp2 Config [8]
 o cmake: export/forward `NGTCP2_CRYPTO_BACKEND` [99]
 o cmake: fix three issues generating lib options in config files [126]
 o cmake: fix zstd CMake config name [5]
 o cmake: opt in `MSVC_VERSION` 1951 to picky warnings [55]
 o cmake: quote `COMPONENTS` string in `curl-config.in.cmake` [80]
+ o config2setopts: use default protocol properly [286]
 o connect: remove deref of freed pointer in trace call [128]
 o content_encoding: fix limit failure message [171]
 o content_encoding: fix non-last chunked rejection [209]
@ -54,6 +62,7 @@ This release includes the following bugfixes:
 o creds: remove two unused functions [158]
 o curl_easy_pause.md: rephrase the stream cache when pause clause [120]
 o curl_easy_setopt.md: change options when no transfer runs [122]
+ o curl_formdata: fix to pass long where missing, document `CURLFORM_NAMELENGTH` [243]
 o curl_ntlm_core: fix nettle 4+ builds in certain MultiSSL combos [87]
 o curl_ntlm_core: propagate DES `CryptEncrypt()` error [84]
 o curl_sha512_256: fix result code on error [166]
@ -91,7 +100,7 @@ This release includes the following bugfixes:
 o ftplistparser: clear strings.target if not symlink [148]
 o gnutls: allow building with nettle 4.0 [96]
 o gnutls: fix more nettle 4+ compatibility issues [94]
- o GnuTLS: require 3.7.2 for earlydata [103]
+ o gnutls: require 3.7.2 for earlydata [103]
 o gsasl: fix potential double free [56]
 o gtls: fix ignored return and uninitialized status in OCSP check [49]
 o gtls: fix some typos [15]
@ -110,11 +119,14 @@ This release includes the following bugfixes:
 o idn: replace header guards with forward declaration [100]
 o KNOWN_BUGS.md: remove fixed GnuTLS <-> OpenSSL incompat bug [41]
 o KNOWN_BUGS: remove stale Threads::Threads entry [135]
+ o krb5_sspi: fix error message on `DecryptMessage()` fail [269]
+ o ldap: base64 encode binary LDIF values with WinLDAP [273]
 o ldap: fix minor leak on write callback error [24]
 o ldap: fix to not leak `attribute` on OOM (WinLDAP) [79]
 o ldap: switch off chasing referrals [114]
 o lib678: fix to not be perma-skipped [10]
 o lib: make `__STDC_VERSION__` literals `L` (where missing)
+ o lib: transfer origin and proxy handling [276]
 o lib: two minor typos [16]
 o libcurl-easy.md: minor clarifications [19]
 o libssh2: do not use deprecated macros when unavailable [177]
@ -144,6 +156,7 @@ This release includes the following bugfixes:
 o pytest: re-enable test test_05_01 and test_05_02 for quiche 0.29.0+ [154]
 o pythonlint.sh: make it fail on error, fix ruff warnings in pytest [67]
 o quic: count zero length packets against max [179]
+ o ratelimits: use minimal burst rate [245]
 o resolve: mention in error that IP address is expected [205]
 o rtsp: bump buf after rtsp_filter_rtp() [88]
 o runner.pm: apply minor correctness fix [105]
@ -153,6 +166,7 @@ This release includes the following bugfixes:
 o schannel: check `schannel_sha256sum()` success, and more [165]
 o schannel: enforce Extended Key Usage for custom CA roots [29]
 o schannel: error on TLS 1.3-only with cipher list [136]
+ o schannel: fix https proxy for client cert and certinfo [280]
 o schannel: fix revoke_best_effort setting for proxy [70]
 o schannel: use fopen instead CreateFile [191]
 o schannel_verify: avoid out of blob access [11]
@ -169,14 +183,23 @@ This release includes the following bugfixes:
 o setopt: more careful cleanup of the HSTS cache [45]
 o show-headers.md: mention bold headers and --no-styled-output [17]
 o sigv4: URL encode the user name in the header [193]
+ o smb: integer overflow proof a size check [263]
 o smbserver: update internal id generation for Python 3 [238]
+ o socket: introduce `SOCK_EAGAIN()` and use it [278]
+ o socket: use name `sockerr` for socket error variables [271]
+ o socks_sspi: invalid response length is a fatal error [272]
+ o socks_sspi: store socks5_gssapi_enctype [262]
 o spnego_sspi: honor CURLOPT_GSSAPI_DELEGATION for Windows SSPI [89]
 o spnego_sspi: preserve distinction btw policy-only and uncond delegation [74]
 o src: fix comment typos [83]
 o ssl native_ca_store: always reinit [211]
 o SSLCERTS: document 8.19.0 default Native CA builds (Windows) [14]
 o sspi: clear SSPI credentials on AcquireCredentialsHandle failure [76]
+ o sspi: free libcurl allocated memory with curlx_free [274]
+ o telnet: drop an `int` cast no longer necessary [270]
+ o telnet: drop redundant interim variables [275]
 o telnet: fix error message typos [186]
+ o telnet: fix old copy-paste typo in variable name [281]
 o telnet: honor CURLOPT_TIMEOUT in send_telnet_data() [104]
 o test1588: use %TESTNUMBER, not hard-coded number [118]
 o test1981: explicitly set the locale [85]
@ -191,6 +214,7 @@ This release includes the following bugfixes:
 o tidy-up: drop stray casts for allocated pointers [174]
 o tidy-up: miscellaneous [106]
 o tls: fix incomplete mTLS config in conn reuse and session cache [108]
+ o tls: wolfssl: fixes for PQC key shares [239]
 o tool: warn when --ssl and --ftp-ssl-control override each other [129]
 o tool_formparse.c: fix two minor comment typos [25]
 o tool_formparse: polish error message + make two functions static [1]
@ -200,11 +224,13 @@ This release includes the following bugfixes:
 o tool_urlglob: avoid overflow at end of range [22]
 o tool_urlglob: better 'Duplicate glob name' position [82]
 o tool_urlglob: make globbing error reported for correct position [91]
+ o tool_writeout: fix %time{} output for %s [231]
 o transfer: clear referer when set to NULL [112]
 o unit1675: fix potential memory leak on dynbuf fail path [197]
 o unix-sockets: ignore proxy settings [6]
 o URL-SYNTAX: document more URL parsing details [134]
 o url: compare full origin when setting credentials [42]
+ o url: connection credentials origin [228]
 o url: connection reuse fixes for starttls [68]
 o url: detect proxy changes read from environment [110]
 o url: fix connection reuse for starttls protocols [27]
@ -225,6 +251,7 @@ This release includes the following bugfixes:
 o urlapi: URL decode hostname before IP address normalization [207]
 o user-agent.md: mention double quotes too [3]
 o var: use a dedicated pointer for the alloc [219]
+ o verify-release: verify more thoroughly with git [249]
 o vquic: drop stray casts for `iovec.iov_len` [162]
 o vtls: more large buffer support and error checks for SHA-256 [164]
 o vtls: use Curl_safecmp for CRLfile and pinned_key comparison [116]
@ -233,8 +260,10 @@ This release includes the following bugfixes:
 o VULN-DISCLOSURE-POLICY.md: emphasize comm as a human [180]
 o VULN-DISCLOSURE-POLICY.md: emphasize the no email thank you part [113]
 o VULN-DISCLOSURE-POLICY.md: test code is not secure [119]
+ o VULN-DISCLOSURE-POLICY: non-released code [253]
 o websockets: auto-tunnel through http proxy [102]
 o windows: update MS SDK versions in comments [60]
+ o winldap: avoid NULL pointer deref on `ldap_get_dn()` fail [242]
 o ws: make pong sending lazy [201]
 o x509asn1: fix DH public key parameter extraction [44]
 o x509asn1: fix operator order in do_pubkey [21]
@ -260,25 +289,29 @@ This release would not have looked like this without help, code, reports and
 advice from friends like these:

  0xN3R3K3, 11soda11, Ady Elouej, A Johnston, Alan De Smet, alhudz,
-  ambikeesshh, amitbidlan, Andreas Falkenhahn, Andrei Rybak, Andrew Nesbitt,
-  Aritra Basu, azraelxuemo on hackerone, Bartel Sielski, Bastian Jesuiter,
-  BazaarAcc32 on github, Bill Mill, ByteRay on hackerone, chrizilla on github,
-  co-authors in libssh2, correctmost on github, Dan Fandrich,
-  Daniel Gustafsson, Daniel Stenberg, Dario Vinella, dependabot[bot],
-  dyingc on github, Earnestly on github, Elise Vance, Emanuel Krollmann,
-  Eunsoo Kim, evergarden1123 on hackerone, Fabian Keil, Gao Liyou,
-  Guancheng Li, Guannan Wang, Harry Sintonen, Hem Parekh, htasta, jeffhuang,
-  Jeremy Nicoll, Jiashuo Liang, Johannes Schlatow, Josef Cejka, Joshua Rogers,
+  alienowo on hackerone, ambikeesshh, amitbidlan, Andreas Falkenhahn,
+  Andrei Rybak, Andrew Nesbitt, Aritra Basu, azraelxuemo on hackerone,
+  Bartel Sielski, Bastian Jesuiter, BazaarAcc32 on github, Bill Mill,
+  ByteRay on hackerone, chrizilla on github, co-authors in libssh2,
+  correctmost on github, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg,
+  Dario Vinella, Darren Banfi, Dave Walker, daviey on hackerone,
+  dependabot[bot], dyingc on github, Earnestly on github, Elise Vance,
+  Emanuel Krollmann, Eunsoo Kim, evergarden1123 on hackerone, Fabian Keil,
+  Filipe Casal, Gao Liyou, Guancheng Li, Guannan Wang, Harry Sintonen,
+  Hem Parekh, htasta, jeffhuang, Jeremy Nicoll, Jiashuo Liang,
+  jjchuck on hackerone, Johannes Schlatow, Josef Cejka, Joshua Rogers,
  Kai Pastor, Marcel Raad, Mark Esler, Max Dymond, mik, Mike-menny on github,
-  Muhamad Arga Reksapati, mulan_dh on hackerone, parasol-aser, penpal,
-  Peter Krefting, Philip H., Rainer Jung, Randall S. Becker, Raymond Steen,
-  Ray Satiro, renjian on hackerone, renovate[bot], Ross Burton, Sergio Correia,
-  sfan5 on github, Shintomon Mathew, Sollace on github, Song X. Gao,
-  sourceturner, Stefan Eissing, Tim Martin, tiymat, Trail of Bits, Vasiliy-Kkk,
-  vectorqueue on hackerone, vegagent on hackerone, Viktor Szakats,
-  violet12331 on hackerone, Will Cosgrove, Xi Ruoyao, x-xiang on github,
+  Muhamad Arga Reksapati, mulan_dh on hackerone, oreadvanthink on github,
+  parasol-aser, penpal, Peter Krefting, Philip H., Rainer Jung,
+  Randall S. Becker, Raymond Steen, Ray Satiro, renjian on hackerone,
+  renovate[bot], Ross Burton, Saud Alshareef, Sergio Correia, sfan5 on github,
+  Shintomon Mathew, Sollace on github, Song X. Gao, sourceturner,
+  Stefan Eissing, Tatsuhiro Tsujikawa, Tim Martin, tiymat,
+  Tobias Frauenschläger, Trail of Bits, Vasiliy-Kkk, vectorqueue on hackerone,
+  vegagent on hackerone, Viktor Szakats, violet12331 on hackerone,
+  Will Cosgrove, wulin-nudt on github, Xi Ruoyao, x-xiang on github,
  Yedaya Katsman, zhanhb on github, Zhanpeng Liu
-  (85 contributors)
+  (96 contributors)

 References to bug reports and discussions on issues:

@ -474,6 +507,7 @@ References to bug reports and discussions on issues:
 [192] = https://curl.se/bug/?i=21927
 [193] = https://curl.se/bug/?i=21923
 [195] = https://curl.se/bug/?i=21881
+ [196] = https://curl.se/bug/?i=22052
 [197] = https://curl.se/bug/?i=21922
 [199] = https://curl.se/bug/?i=21914
 [200] = https://curl.se/bug/?i=21910
@ -502,6 +536,34 @@ References to bug reports and discussions on issues:
 [224] = https://curl.se/bug/?i=21946
 [225] = https://curl.se/bug/?i=21951
 [226] = https://curl.se/bug/?i=21945
+ [227] = https://curl.se/bug/?i=22048
+ [228] = https://curl.se/bug/?i=22040
 [230] = https://curl.se/bug/?i=21949
+ [231] = https://curl.se/bug/?i=22038
 [235] = https://curl.se/bug/?i=21944
+ [236] = https://curl.se/bug/?i=22033
 [238] = https://curl.se/bug/?i=21937
+ [239] = https://curl.se/bug/?i=22030
+ [242] = https://curl.se/bug/?i=22000
+ [243] = https://curl.se/bug/?i=22017
+ [245] = https://curl.se/bug/?i=22016
+ [249] = https://curl.se/bug/?i=22018
+ [253] = https://curl.se/bug/?i=22025
+ [261] = https://curl.se/bug/?i=22013
+ [262] = https://curl.se/bug/?i=22004
+ [263] = https://curl.se/bug/?i=22001
+ [269] = https://curl.se/bug/?i=22003
+ [270] = https://curl.se/bug/?i=22002
+ [271] = https://curl.se/bug/?i=21998
+ [272] = https://curl.se/bug/?i=21999
+ [273] = https://curl.se/bug/?i=21926
+ [274] = https://curl.se/bug/?i=21990
+ [275] = https://curl.se/bug/?i=21995
+ [276] = https://curl.se/bug/?i=21967
+ [277] = https://curl.se/bug/?i=21893
+ [278] = https://curl.se/bug/?i=21992
+ [279] = https://curl.se/bug/?i=21993
+ [280] = https://curl.se/bug/?i=21986
+ [281] = https://curl.se/bug/?i=21979
+ [283] = https://curl.se/bug/?i=21989
+ [286] = https://curl.se/bug/?i=21983