From ea392e6b36d875056cf9e28f841bdc8cdc2efbb6 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 1 May 2026 11:34:15 +0200
Subject: [PATCH] RELEASE-NOTES: synced

Also bump the curlver to tenative 8.20.1
---
 RELEASE-NOTES          | 603 +----------------------------------------
 include/curl/curlver.h |   6 +-
 2 files changed, 14 insertions(+), 595 deletions(-)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index fcf392d822..11e2a62d83 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -1,6 +1,6 @@
-curl and libcurl 8.20.0
+curl and libcurl 8.20.1
 
- Public curl releases:         274
+ Public curl releases:         275
  Command line options:         273
  curl_easy_setopt() options:   308
  Public functions in libcurl:  100
@@ -9,299 +9,12 @@ curl and libcurl 8.20.0
 
 This release includes the following changes:
 
- o async-thrdd: use thread queue for resolving [144]
- o build: make NTLM disabled by default [90]
- o cmake: drop support for CMake 3.17 and older [108]
- o lib: add thread pool and queue [74]
- o lib: drop support for < c-ares 1.16.0 [64]
- o lib: make SMB support opt-in [18]
- o multi.h: add CURLMNWC_CLEAR_ALL [127]
- o rtmp: drop support [91]
 
 This release includes the following bugfixes:
 
- o altsvc: cap the list at 5,000 entries [183]
- o altsvc: drop the prio field from the struct [185]
- o altsvc: skip expired entries read from file [187]
- o asyn-ares: connect async [220]
- o asyn-ares: drop orphaned variable references [86]
- o asyn-ares: fix HTTPS-lookup when not on port 443 [100]
- o asyn-thrdd: drop redundant `result` check [291]
- o asyn-thrdd: fix clang-tidy unused value warning [125]
- o async-ares: fix query counter handling [195]
- o autotools: limit checksrc target to ignore non-repo test sources [12]
- o badwords-all: exit with correct code on errors [50]
- o badwords: combine the whitelisting into a single regex [1]
- o badwords: detect the the and with with [51]
- o badwords: only check comments and strings in source code [61]
- o badwords: rework exceptions, fix many of them [15]
- o boringssl: fix more coexist cases with Schannel/WinCrypt [170]
- o build: adjust/add casts to fix `-Wformat-signedness` [218]
- o build: assume `snprintf()` in `mprintf`, drop feature check [107]
- o build: compiler warning silencing tidy-ups [4]
- o build: drop `openssl` module dependency for BoringSSL from `libcurl.pc` [33]
- o build: drop duplicate `pthread.h` includes [158]
- o build: drop redundant `USE_QUICHE` guards [159]
- o build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues [84]
- o build: fix `-Wformat-signedness` by adjusting printf masks [226]
- o build: link `bcrypt.lib` via vcxproj files [239]
- o build: skip detecting `pipe2()` for Apple targets [227]
- o build: stop building and installing `runtests.1` and `testcurl.1` [235]
- o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [132]
- o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [63]
- o cf-ip-happy: limit concurrent attempts [191]
- o cf-socket: avoid low risk integer overflow on ancient Solaris [56]
- o cfilters: fix Curl_pollset_poll() return code mixup [206]
- o clang-tidy: avoid assignments in `if` expressions [175]
- o clang-tidy: enable more checks, fix fallouts [254]
- o cmake: add CMake Config-based dependency detection [87]
- o cmake: add CMake Config-based dependency detection for c-ares, wolfSSL [134]
- o cmake: do not install `wcurl` when `BUILD_CURL_EXE=OFF` [265]
- o cmake: do not install shell completions when `BUILD_CURL_EXE=OFF` [263]
- o cmake: document functions used from Windows system DLLs [103]
- o cmake: enable pthreads for BoringSSL/AWS-LC [196]
- o cmake: resolve targets recursively when generating `libcurl.pc` [45]
- o cmake: rework binutils ld hack to not read `LOCATION` property [41]
- o cmake: silence bad library `Threads::Threads` warning [131]
- o cmake: use `AIX` built-in variable (with CMake 4.0+) [163]
- o config2setopts: make --capath work in proxy disabled builds [113]
- o configure: fix `--with-ngtcp2=<path>` option for crypto libs [26]
- o configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic [3]
- o configure: prefer dependency-specific variables over `$withval` [35]
- o configure: remove superfluous experimental warning for HTTP/3 [169]
- o configure: silence useless clang warnings in C89 builds [156]
- o configure: tidy up comments [202]
- o connect: fix typo on error message
- o cookie: fix rejection when tabs in value [189]
- o curl-wolfssl.m4: fix to use the correct value for pkg-config directory [36]
- o curl.h: replace macros with C++-friendly method to enforce 3 args [110]
- o curl_ctype.h: fix spelling in a couple of locally used macros [28]
- o curl_get_line: error out on read errors [9]
- o curl_get_line: fix potential infinite loop when filename is a directory [46]
- o curl_ngtcp2: extend and update callbacks for 1.22.0+ [165]
- o curl_ntlm_core: drop redundant PP condition [140]
- o curl_ntlm_core: use wolfCrypt DES API with wolfSSL [200]
- o curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard [210]
- o curl_sha512_256: support delegating to wolfSSL API [149]
- o curl_version_info.md: clarify age details [69]
- o CURLOPT_HAPROXY_CLIENT_IP.md: mention assumption on data format [96]
- o CURLOPT_RTSP_SESSION_ID.md: clarify reuse "dangers" [270]
- o CURLOPT_RTSP_SESSION_ID.md: expand the comment [267]
- o CURLOPT_RTSP_SESSION_ID.md: minor language fix
- o CURLOPT_SOCKS5_AUTH.md: an access property [212]
- o CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse [105]
- o CURLOPT_UPLOAD_FLAGS.md: expand [223]
- o curlx_now(), prevent zero timestamp [93]
- o DEPRECATE: fix minor release number typo
- o digest: pass in the user name quoted (as well) [34]
- o dns: https-eyeballing async [229]
- o dnscache: own source file, improvements [116]
- o docs/cmdline-opts/write-out.md: tls_earlydata was adeded in 8.13.0
- o docs/cmdline-opts: tidy up retry-connrefused [190]
- o docs/lib: fix typos [53]
- o docs/libcurl: improve easy setopt examples [266]
- o docs: clarify retry-max-time timing [294]
- o docs: CURLOPT_LOGIN_OPTIONS is a login property [228]
- o docs: enable more compiler warnings for C snippets, fix 3 finds [71]
- o docs: list more dependencies for running Python HTTP tests [123]
- o docs: mention more zip bomb precautions [166]
- o docs: minor wording tweaks
- o docs: noproxy wants the punycoded hostname version [214]
- o docs: SSH host verification is done at connect time [197]
- o docs: use the correct CURLOPT_WRITEFUNCTION signature [142]
- o doh: fix memory-leak when doing a second DoH resolve [55]
- o doh: remove superfluous doh_req check [222]
- o examples/websocket: fix to sleep more on Windows [92]
- o examples: drop warning silencers no longer hit [14]
- o examples: fix typo in comment [75]
- o file: init fd to -1 to prevent close fd 0 on early failure [40]
- o fopen: for temp files, inherit permissions only for owner [146]
- o ftp: do not strdup DATA hostname [29]
- o ftp: make the MDTM date parser stricter (again) [115]
- o ftp: reject PWD responses containing control characters [95]
- o gcc: guard `#pragma diagnostic` in core code for <4.6 [94]
- o generate.bat: remove extra % from VC11 and VC12 runs
- o genserv.pl: make external calls safe [119]
- o getinfo: initialize `PureInfo` field `used_proxy` [43]
- o getinfo: repair CURLINFO_TLS_SESSION [193]
- o gnutls: fix clang-tidy warning with !verbose [126]
- o gtls: fail for large files in `load_file()` [174]
- o h3: HTTPS-RR use in HTTP/3 [221]
- o Happy Eyeballs: add resolution time delay [238]
- o haproxy: use correct ip version on client supplied address [275]
- o hostip: clear the sockaddr_in6 structure before use [20]
- o hostip: init the curl_jmpenv_lock appropriately [278]
- o hostip: resolve user supplied ip addresses [259]
- o HSTS: cap the list [177]
- o hsts: make the HSTS read callback handle name dupes [141]
- o hsts: skip expired HSTS entries read from file [188]
- o hsts: when a dupe host adds subdomains, use that [130]
- o http2: clear the h2 session at delete [99]
- o http2: prevent secure schemes pushed over insecure connections [181]
- o http2: return error on OOM in push headers [65]
- o HTTP3.md: drop outdated mentions of OpenSSL-QUIC [2]
- o http: clear credentials better on redirect [204]
- o http: clear digest nonce on cross-orgin redirect [269]
- o http: clear the proxy credentials as well on port or scheme change [246]
- o http: fix auth_used and auth_avail [154]
- o http: fix Curl_compareheader for multi value headers [11]
- o http: make Curl_compareheader handle multiple commas in header
- o http: on 303, switch to GET [208]
- o http: use header_has_value() instead of duplicate code [251]
- o imap: reset the UIDVALIDITY state between transfers [7]
- o include: drop 'will' from public headers [73]
- o INSTALL.md: update Cygwin instructions [198]
- o keylog.h: replace literal number with macro in declaration [171]
- o keylog: drop unused/redundant includes and guards [172]
- o ldap: drop duplicate `ldap_set_option()` on Windows [42]
- o ldap: fix to initialize cleartext connection on Windows [49]
- o lib1560: fix comment typo
- o lib1960: fix test failure [255]
- o lib: accept larger input to md5/hmac/sha256/sha512 functions [194]
- o lib: always use Curl_1st_fatal instead of Curl_1st_err [89]
- o lib: fix typos in comments [240]
- o lib: make resolving HTTPS DNS records reliable: [176]
- o lib: minor comment typos [237]
- o lib: move request specific allocations to the request struct [256]
- o lib: replace `PRI*32` printf masks with C89 ones [201]
- o libssh2: allocate libssh2-friendly memory in kbd_callback [225]
- o libssh2: fix error handling on quote errors [21]
- o libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0 [215]
- o libssh: fix `-Wsign-compare` in 32-bit builds [217]
- o libssh: path length precaution [164]
- o libssh: propagate error back in SFTP function [178]
- o libtest: drop duplicate include [111]
- o location/follow: mention netrc [138]
- o man: fix argument type for `CURLSHOPT_[UN]SHARE` options [211]
- o mbedtls: cleanup more without care for 'initialized' [262]
- o mbedtls: fix ECJPAKE matching [135]
- o mbedtls: remove failf() call with first argument as NULL [249]
- o md4, md5: switch to wolfCrypt API in wolfSSL builds [139]
- o mime: only allow 40 levels of calls [241]
- o misc: fix code quality findings [209]
- o mk-ca-bundle.pl: make `ca-bundle.crt` timestamp match `certdata.txt`'s [44]
- o multi: enhance pending handles fairness [284]
- o multi: fix connection retry for non-http [180]
- o multi: improve wakeup and wait code [118]
- o netrc: find login-less password when user is given in URL [6]
- o netrc: remove unused parsenetrc() macro for netrc-disabled [121]
- o netrc: skip malformed macdef lines [67]
- o openssl channel_binding: lookup digest algorithm without NID [117]
- o openssl: drop obsolete SSLv2 logic [27]
- o openssl: fix build with 4.0.0-beta1 no-deprecated [184]
- o openssl: fix memory leaks in ECH code (OpenSSL 3) [78]
- o openssl: fix unused variable warnings in !verbose builds [252]
- o openssl: trace count of found / imported Windows native CA roots [8]
- o OS400: add new definitions to the ILE/RPG binding. [153]
- o os400sys: fix typo in comment (symetry -> symmetry) [58]
- o parsedate: bsearch the time zones [232]
- o parsedate: fix wrong treatment of "military time zones" [182]
- o parsedate: refactor [230]
- o perl: harden external command invocations [133]
- o progress: count amount of data "delivered" to application [66]
- o protocol.h: fix the CURLPROTO_MASK [31]
- o protocol: disable connection reuse for SMB(S) [199]
- o protocol: use scheme names lowercase [38]
- o proxy: chunked response, error code [143]
- o pytest: add additional quiche check for flaky test_05_01 [22]
- o pytest: check 429 handling [268]
- o rand: use `BCryptGenRandom()` in UWP builds [88]
- o ratelimit: reset on start [150]
- o request: reset resp_trailer in new requests [186]
- o runtests: skip setting ed25519 SSH key format [264]
- o rustls: fix memory leak on repeated SSLKEYLOGFILE fails [280]
- o rustls: handle EOF during initial handshake [203]
- o schannel: increase renegotiation timeout to 60 seconds [261]
- o scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl) [109]
- o scripts: harden / tidy up more Perl `system()` calls [70]
- o sectrust: fail on missing OCSP stapling [250]
- o sendf: fix CR detection if no LF is in the chunk [219]
- o setopt: clear proxy auth properties when switching [192]
- o setopt: fix typos in comments [257]
- o setopt: move CURLOPT_CURLU [260]
- o setup connection filter: mark as setup [234]
- o sha256, sha512_256: switch to wolfCrypt API [147]
- o sha256: support delegating to wolfSSL API [148]
- o share: concurrency handling, easy updates [104]
- o share: do bitshifts after the type is checked to be valid [216]
- o socks: reject zero-length GSSAPI/SSPI tokens from proxy [157]
- o socks: use dns filter for resolving [244]
- o spelling: fix typos [173]
- o src: use ftruncate() unconditionally [128]
- o sshserver.pl: harden more `system()` calls [81]
- o sshserver.pl: pass command-line to `system()` safely [82]
- o strerr: correct the strerror_s() return code condition [25]
- o sws: fix potential OOB write [80]
- o synctime: fix off-by-one read and write to a read-only buffer (Windows) [85]
- o test 766: flag as timing-dependent [136]
- o test1675: unit tests for URL API helper functions [248]
- o test459: switch to mode="warn" for stderr check [5]
- o testcurl.pl: replace shell commands with Perl `rmtree()` [76]
- o tests/unit/README: describe how to unit test static functions [60]
- o tests: avoid infinite recursion for `make check` [253]
- o tests: use %b64[] instead of "raw" base64 [245]
- o tool: check for curlinfo->age when determining if ssh backend [77]
- o tool: fix memory mixups [106]
- o tool: fix retries in parallel mode [137]
- o tool: fix two more allocator mismatches [155]
- o tool_cb_hdr: only truncate etags output when regular file [129]
- o tool_cb_rea: make waitfd() return void [168]
- o tool_cb_wrt: fix no-clobber error handling [39]
- o tool_cfgable: free the SSL signature algorithms [62]
- o tool_dirhie: fix to create drive-relative directory [276]
- o tool_formparse: propagate my_get_line errors when reading headers [102]
- o tool_getparam: use correct free function for libcurl memory [68]
- o tool_ipfs: accept IPFS gateway URL without set port number [13]
- o tool_msgs: avoid null pointer deref for early errors [98]
- o tool_operate: actually apply the --parallel-max-host limit [167]
- o tool_operate: drop the scheme-guessing in the -G handling [54]
- o tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows) [79]
- o tool_operate: fix memory-leak on failed uploads [124]
- o tool_operate: fix minor memory-leak on early error [23]
- o tool_operate: reset the upload glob counter for next URL [162]
- o tool_operhlp: fix `add_file_name_to_url()` result on OOM [32]
- o tool_operhlp: iterate through all slashes to find name [114]
- o tool_operhlp: propagate low-level OOM in `add_file_name_to_url()` [112]
- o tool_setopt: return error on OOM correctly [152]
- o tool_urlglob: fix memory-leak on glob range overflow [19]
- o top-complexity: prevent filename-based shell injection risk [101]
- o transfer: clear the old autoreferer [236]
- o transfer: clear the URL pointer in OOM to avoid UAF [179]
- o transfer: enable custom methods again on next transfer [30]
- o transfer: enhance secure check [10]
- o unit1675: fix `-Wformat-signedness` [274]
- o url: do not reuse a non-tls starttls connection if new requires TLS [145]
- o url: improve connection reuse on negotiate [160]
- o url: init req.no_body in DO so that it works for h2 push [161]
- o url: set default upload flags to CURLULFLAG_SEEN [224]
- o url: use the socks type for socks proxy [47]
- o url: use URL for url even in comments [52]
- o urlapi: fix handling of "file:///" [122]
- o urlapi: make dedotdotify handle leading dots correctly [97]
- o urlapi: same origin tests [213]
- o urlapi: stop extracting hostname from file:// URLs on Windows [247]
- o urlapi: verify the last letter of a scheme when set explicitly [16]
- o urldata.h: fix typo and lingering backtick [279]
- o urldata: connection bit ipv6_ip is wrong [59]
- o urldata: import port types and conn destination format [57]
- o urldata: make hstslist only present in HSTS builds [120]
- o urldata: make speeder_c uint32 [37]
- o urldata: move cookiehost to struct SingleRequest [242]
- o urldata: remove trailers_state [17]
- o vquic: fix variable name in fallback code [207]
- o vtls: fix comment typos and tidy up a type [285]
- o vtls: log when key logging is enabled. [288]
- o vtls_scache: check reentrancy [243]
- o vtls_scache: include cert_blob independently of verifypeer [231]
- o wolfssl: document v5.0.0 (2021-11-01) as minimum required [151]
- o wolfssl: fix `-Wmissing-prototypes` [233]
- o wolfssl: fix handling of abrupt connection close [24]
- o write-out.md: minor language fix [273]
- o write-out.md: tls_earlydata was adeded in 8.13.0
- o ws: fix a blocking curl_ws_send() to report written length correctly [258]
- o x509asn1: fix to return error in an error case from `encodeOID()` [83]
- o x509asn1: fixed and adapted for ASN1tostr unit testing [48]
- o x509asn1: improve encodeOID [72]
+ o asyn-thrdd: fix result processing without wakeup socketpair [2]
+ o mqtt: validate PINGRESP and DISCONNECT have remaining_length == 0 [7]
+ o user-agent.md: mention double quotes too [3]
 
 This release includes the following known bugs:
 
@@ -323,306 +36,12 @@ Planned upcoming removals include:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Alex Hamilton, am-perip on hackerone, Arkadi Vainbrand, bird on github,
-  BlackFuffey on github, Carlos Carrillo, Carlos Henrique Lima Melara,
-  crawfordxx, Cutiapreta on hackerone, Dag-Erling Smørgrav, Dan Arnfield,
-  Dan Fandrich, Daniel McCarney, Daniel Schulte, Daniel Stenberg,
-  dependabot[bot], Dexter Gerig, Dio Putra, Dwij Mehta, Ercan Ermis,
-  fds242 on github, finkjsc on github, Fiona Klute, Flavio Amieiro,
-  Geeknik Labs, Greg Kroah-Hartman, Harry Sintonen, Henrique Pereira,
-  herbenderbler on github, Ian Spence, Izan on hackerone, James Fuller,
-  Jason Stangroome, John Haugabook, Juan Belón, Kai Pastor, Kaixuan Li, kpcyrd,
-  lg_oled77c5pua on hackerone, M42kL33 on hackerone, m777m0 on hackerone,
-  Marcel Raad, Martin Dürrmeier, Mehtab Zafar, Michael Hendricks,
-  Michael Kaufmann, Muhamad Arga Reksapati, Ngoc Hieu, nitrogene on github,
-  Orgad Shaneh, Osama Hamad, Otis Cui Lei, Patrick Monnerat, Quac Tran,
-  Ray Satiro, renovate[bot], Richard Tollerton, Rob Crittenden,
-  Samuel Henrique, Scott Boudreaux, Sergey Fedorov, sergio-nsk on github,
-  Stefan Eissing, Ted Lyngmo, Terrance Wong, Tim Omta, Viktor Szakats,
-  Vladimír Marek, xkilua on hackerone, Yalguun Tumenkhuu, Yedaya Katsman,
-  Yiwei Hou, Yoshiro Yoneya
-  (73 contributors)
+  Daniel Stenberg, Jeremy Nicoll, Raymond Steen, Stefan Eissing,
+  Viktor Szakats
+  (5 contributors)
 
 References to bug reports and discussions on issues:
 
- [1] = https://curl.se/bug/?i=20880
- [2] = https://curl.se/bug/?i=20914
- [3] = https://curl.se/bug/?i=20889
- [4] = https://curl.se/bug/?i=20908
- [5] = https://curl.se/bug/?i=20910
- [6] = https://curl.se/bug/?i=20950
- [7] = https://curl.se/bug/?i=20962
- [8] = https://curl.se/bug/?i=20899
- [9] = https://curl.se/bug/?i=20958
- [10] = https://curl.se/bug/?i=20951
- [11] = https://curl.se/bug/?i=20894
- [12] = https://curl.se/bug/?i=20898
- [13] = https://curl.se/bug/?i=20957
- [14] = https://curl.se/bug/?i=20896
- [15] = https://curl.se/bug/?i=20886
- [16] = https://curl.se/bug/?i=20893
- [17] = https://curl.se/bug/?i=20960
- [18] = https://curl.se/bug/?i=20846
- [19] = https://curl.se/bug/?i=20956
- [20] = https://curl.se/bug/?i=20885
- [21] = https://curl.se/bug/?i=20883
- [22] = https://curl.se/bug/?i=20952
- [23] = https://curl.se/bug/?i=20954
- [24] = https://curl.se/bug/?i=21002
- [25] = https://curl.se/bug/?i=20955
- [26] = https://curl.se/bug/?i=18022
- [27] = https://curl.se/bug/?i=20945
- [28] = https://curl.se/bug/?i=20810
- [29] = https://curl.se/bug/?i=20953
- [30] = https://curl.se/bug/?i=21037
- [31] = https://curl.se/bug/?i=21031
- [32] = https://curl.se/bug/?i=21011
- [33] = https://curl.se/bug/?i=20926
- [34] = https://curl.se/bug/?i=20940
- [35] = https://curl.se/bug/?i=20944
- [36] = https://curl.se/bug/?i=20943
- [37] = https://curl.se/bug/?i=21036
- [38] = https://curl.se/bug/?i=21033
- [39] = https://curl.se/bug/?i=20939
- [40] = https://curl.se/bug/?i=21029
- [41] = https://curl.se/bug/?i=20839
- [42] = https://curl.se/bug/?i=20930
- [43] = https://curl.se/bug/?i=21020
- [44] = https://curl.se/bug/?i=20528
- [45] = https://curl.se/bug/?i=20840
- [46] = https://curl.se/bug/?i=20823
- [47] = https://curl.se/bug/?i=21025
- [48] = https://curl.se/bug/?i=21013
- [49] = https://curl.se/bug/?i=20927
- [50] = https://curl.se/bug/?i=20934
- [51] = https://curl.se/bug/?i=20934
- [52] = https://curl.se/bug/?i=20935
- [53] = https://curl.se/bug/?i=20933
- [54] = https://curl.se/bug/?i=20992
- [55] = https://curl.se/bug/?i=20929
- [56] = https://curl.se/bug/?i=21111
- [57] = https://curl.se/bug/?i=20918
- [58] = https://curl.se/bug/?i=20923
- [59] = https://curl.se/bug/?i=20919
- [60] = https://curl.se/bug/?i=21018
- [61] = https://curl.se/bug/?i=20909
- [62] = https://curl.se/bug/?i=20915
- [63] = https://curl.se/bug/?i=21057
- [64] = https://curl.se/bug/?i=20911
- [65] = https://hackerone.com/reports/3636044
- [66] = https://curl.se/bug/?i=20787
- [67] = https://curl.se/bug/?i=21049
- [68] = https://curl.se/bug/?i=21075
- [69] = https://curl.se/bug/?i=21052
- [70] = https://curl.se/bug/?i=21007
- [71] = https://curl.se/bug/?i=21006
- [72] = https://curl.se/bug/?i=21003
- [73] = https://curl.se/bug/?i=21005
- [74] = https://curl.se/bug/?i=20916
- [75] = https://curl.se/bug/?i=21001
- [76] = https://curl.se/bug/?i=21053
- [77] = https://curl.se/bug/?i=21050
- [78] = https://curl.se/bug/?i=20993
- [79] = https://curl.se/bug/?i=20989
- [80] = https://curl.se/bug/?i=20988
- [81] = https://curl.se/bug/?i=20997
- [82] = https://curl.se/bug/?i=20996
- [83] = https://curl.se/bug/?i=20991
- [84] = https://curl.se/bug/?i=20990
- [85] = https://curl.se/bug/?i=20987
- [86] = https://curl.se/bug/?i=20999
- [87] = https://curl.se/bug/?i=20814
- [88] = https://curl.se/bug/?i=20983
- [89] = https://curl.se/bug/?i=20980
- [90] = https://curl.se/bug/?i=20698
- [91] = https://curl.se/bug/?i=20673
- [92] = https://curl.se/bug/?i=20978
- [93] = https://curl.se/bug/?i=21034
- [94] = https://curl.se/bug/?i=20892
- [95] = https://curl.se/bug/?i=20949
- [96] = https://curl.se/bug/?i=21042
- [97] = https://curl.se/bug/?i=20974
- [98] = https://curl.se/bug/?i=20967
- [99] = https://curl.se/bug/?i=20975
- [100] = https://curl.se/bug/?i=20966
- [101] = https://curl.se/bug/?i=20969
- [102] = https://curl.se/bug/?i=20963
- [103] = https://curl.se/bug/?i=20965
- [104] = https://curl.se/bug/?i=20870
- [105] = https://curl.se/bug/?i=21164
- [106] = https://curl.se/bug/?i=21099
- [107] = https://curl.se/bug/?i=20763
- [108] = https://curl.se/bug/?i=20407
- [109] = https://curl.se/bug/?i=21009
- [110] = https://curl.se/bug/?i=20709
- [111] = https://curl.se/bug/?i=21046
- [112] = https://curl.se/bug/?i=21011
- [113] = https://curl.se/bug/?i=21063
- [114] = https://curl.se/bug/?i=21165
- [115] = https://curl.se/bug/?i=21041
- [116] = https://curl.se/bug/?i=20864
- [117] = https://curl.se/bug/?i=20590
- [118] = https://curl.se/bug/?i=20832
- [119] = https://curl.se/bug/?i=20971
- [120] = https://curl.se/bug/?i=21068
- [121] = https://curl.se/bug/?i=21067
- [122] = https://curl.se/bug/?i=21070
- [123] = https://curl.se/bug/?i=21110
- [124] = https://curl.se/bug/?i=21062
- [125] = https://curl.se/bug/?i=21061
- [126] = https://curl.se/bug/?i=21060
- [127] = https://curl.se/bug/?i=20968
- [128] = https://curl.se/bug/?i=21109
- [129] = https://curl.se/bug/?i=21103
- [130] = https://curl.se/bug/?i=21108
- [131] = https://curl.se/bug/?i=21170
- [132] = https://curl.se/bug/?i=21167
- [133] = https://curl.se/bug/?i=21097
- [134] = https://curl.se/bug/?i=21098
- [135] = https://curl.se/bug/?i=21264
- [136] = https://curl.se/bug/?i=21155
- [137] = https://curl.se/bug/?i=20669
- [138] = https://curl.se/bug/?i=21091
- [139] = https://curl.se/bug/?i=21093
- [140] = https://curl.se/bug/?i=21096
- [141] = https://curl.se/bug/?i=21201
- [142] = https://curl.se/bug/?i=21265
- [143] = https://curl.se/bug/?i=21084
- [144] = https://curl.se/bug/?i=20936
- [145] = https://curl.se/bug/?i=21082
- [146] = https://curl.se/bug/?i=21092
- [147] = https://curl.se/bug/?i=21090
- [148] = https://curl.se/bug/?i=21078
- [149] = https://curl.se/bug/?i=21077
- [150] = https://curl.se/bug/?i=21086
- [151] = https://curl.se/bug/?i=21080
- [152] = https://curl.se/bug/?i=21083
- [153] = https://curl.se/bug/?i=20672
- [154] = https://curl.se/bug/?i=21274
- [155] = https://curl.se/bug/?i=21150
- [156] = https://curl.se/bug/?i=21263
- [157] = https://curl.se/bug/?i=21159
- [158] = https://curl.se/bug/?i=21144
- [159] = https://curl.se/bug/?i=21135
- [160] = https://curl.se/bug/?i=21203
- [161] = https://curl.se/bug/?i=21194
- [162] = https://curl.se/bug/?i=21402
- [163] = https://curl.se/bug/?i=21134
- [164] = https://curl.se/bug/?i=21193
- [165] = https://curl.se/bug/?i=21152
- [166] = https://curl.se/bug/?i=21143
- [167] = https://curl.se/bug/?i=21147
- [168] = https://curl.se/bug/?i=21127
- [169] = https://curl.se/bug/?i=21139
- [170] = https://curl.se/bug/?i=21136
- [171] = https://curl.se/bug/?i=21141
- [172] = https://curl.se/bug/?i=21137
- [173] = https://curl.se/bug/?i=21198
- [174] = https://curl.se/bug/?i=21256
- [175] = https://curl.se/bug/?i=21256
- [176] = https://curl.se/bug/?i=21175
- [177] = https://curl.se/bug/?i=21190
- [178] = https://curl.se/bug/?i=21122
- [179] = https://curl.se/bug/?i=21123
- [180] = https://curl.se/bug/?i=21121
- [181] = https://curl.se/bug/?i=21113
- [182] = https://curl.se/bug/?i=21251
- [183] = https://curl.se/bug/?i=21183
- [184] = https://curl.se/bug/?i=21119
- [185] = https://curl.se/bug/?i=21188
- [186] = https://curl.se/bug/?i=21112
- [187] = https://curl.se/bug/?i=21187
- [188] = https://curl.se/bug/?i=21186
- [189] = https://curl.se/bug/?i=21185
- [190] = https://curl.se/bug/?i=21182
- [191] = https://curl.se/bug/?i=21252
- [192] = https://curl.se/bug/?i=21453
- [193] = https://curl.se/bug/?i=21290
- [194] = https://curl.se/bug/?i=21174
- [195] = https://curl.se/bug/?i=21399
- [196] = https://curl.se/bug/?i=21168
- [197] = https://curl.se/bug/?i=21173
- [198] = https://curl.se/bug/?i=20995
- [199] = https://curl.se/bug/?i=21238
- [200] = https://curl.se/bug/?i=21247
- [201] = https://curl.se/bug/?i=21234
- [202] = https://curl.se/bug/?i=21246
- [203] = https://curl.se/bug/?i=21242
- [204] = https://curl.se/bug/?i=21345
- [206] = https://curl.se/bug/?i=21231
- [207] = https://curl.se/bug/?i=21281
- [208] = https://curl.se/bug/?i=20715
- [209] = https://curl.se/bug/?i=21393
- [210] = https://curl.se/bug/?i=21235
- [211] = https://curl.se/bug/?i=21232
- [212] = https://curl.se/bug/?i=21230
- [213] = https://curl.se/bug/?i=21328
- [214] = https://curl.se/bug/?i=21228
- [215] = https://curl.se/bug/?i=21229
- [216] = https://curl.se/bug/?i=21224
- [217] = https://curl.se/bug/?i=21225
- [218] = https://curl.se/bug/?i=21339
- [219] = https://curl.se/bug/?i=21221
- [220] = https://curl.se/bug/?i=21205
- [221] = https://curl.se/bug/?i=21253
- [222] = https://curl.se/bug/?i=21216
- [223] = https://curl.se/bug/?i=21218
- [224] = https://curl.se/bug/?i=21217
- [225] = https://curl.se/bug/?i=21336
- [226] = https://curl.se/bug/?i=21335
- [227] = https://curl.se/bug/?i=21236
- [228] = https://curl.se/bug/?i=21215
- [229] = https://curl.se/bug/?i=21267
- [230] = https://curl.se/bug/?i=21394
- [231] = https://curl.se/bug/?i=21222
- [232] = https://curl.se/bug/?i=21266
- [233] = https://curl.se/bug/?i=21392
- [234] = https://curl.se/bug/?i=21437
- [235] = https://curl.se/bug/?i=21461
- [236] = https://curl.se/bug/?i=21322
- [237] = https://curl.se/bug/?i=21388
- [238] = https://curl.se/bug/?i=21354
- [239] = https://curl.se/bug/?i=21386
- [240] = https://curl.se/bug/?i=21385
- [241] = https://curl.se/bug/?i=21384
- [242] = https://curl.se/bug/?i=21312
- [243] = https://curl.se/bug/?i=21383
- [244] = https://curl.se/bug/?i=21297
- [245] = https://curl.se/bug/?i=21313
- [246] = https://curl.se/bug/?i=21304
- [247] = https://curl.se/bug/?i=21296
- [248] = https://curl.se/bug/?i=21296
- [249] = https://curl.se/bug/?i=21441
- [250] = https://curl.se/bug/?i=21444
- [251] = https://curl.se/bug/?i=21302
- [252] = https://curl.se/bug/?i=21380
- [253] = https://curl.se/bug/?i=21378
- [254] = https://curl.se/bug/?i=20794
- [255] = https://curl.se/bug/?i=21377
- [256] = https://curl.se/bug/?i=21301
- [257] = https://curl.se/bug/?i=21303
- [258] = https://curl.se/bug/?i=21372
- [259] = https://curl.se/bug/?i=21146
- [260] = https://curl.se/bug/?i=21298
- [261] = https://curl.se/bug/?i=21270
- [262] = https://curl.se/bug/?i=21440
- [263] = https://curl.se/bug/?i=21460
- [264] = https://curl.se/bug/?i=21360
- [265] = https://curl.se/bug/?i=21458
- [266] = https://curl.se/bug/?i=21364
- [267] = https://curl.se/bug/?i=21363
- [268] = https://curl.se/bug/?i=21357
- [269] = https://curl.se/bug/?i=21359
- [270] = https://curl.se/bug/?i=21358
- [273] = https://curl.se/bug/?i=21455
- [274] = https://curl.se/bug/?i=21351
- [275] = https://curl.se/bug/?i=21340
- [276] = https://curl.se/bug/?i=21449
- [278] = https://curl.se/bug/?i=21432
- [279] = https://curl.se/bug/?i=21430
- [280] = https://curl.se/bug/?i=21427
- [284] = https://curl.se/bug/?i=21396
- [285] = https://curl.se/bug/?i=21421
- [288] = https://curl.se/bug/?i=19814
- [291] = https://curl.se/bug/?i=21415
- [294] = https://curl.se/bug/?i=21411
+ [2] = https://curl.se/bug/?i=21476
+ [3] = https://curl.se/mail/archive-2026-04/0029.html
+ [7] = https://hackerone.com/reports/3702718
diff --git a/include/curl/curlver.h b/include/curl/curlver.h
index 144f5fea17..231adf743a 100644
--- a/include/curl/curlver.h
+++ b/include/curl/curlver.h
@@ -32,13 +32,13 @@
 
 /* This is the version number of the libcurl package from which this header
    file origins: */
-#define LIBCURL_VERSION "8.20.0-DEV"
+#define LIBCURL_VERSION "8.20.1-DEV"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBCURL_VERSION_MAJOR 8
 #define LIBCURL_VERSION_MINOR 20
-#define LIBCURL_VERSION_PATCH 0
+#define LIBCURL_VERSION_PATCH 1
 /* This is the numeric version of the libcurl version number, meant for easier
    parsing and comparisons by programs. The LIBCURL_VERSION_NUM define always
    follows this syntax:
@@ -58,7 +58,7 @@
    CURL_VERSION_BITS() macro since curl's own configure script greps for it
    and needs it to contain the full number.
 */
-#define LIBCURL_VERSION_NUM 0x081400
+#define LIBCURL_VERSION_NUM 0x081401
 
 /*
  * This is the date and time when the full source package was created. The