curl and libcurl 8.22.0 Public curl releases: 276 Command line options: 274 curl_easy_setopt() options: 308 Public functions in libcurl: 100 Authors: 1494 Contributors: 3745 This release includes the following changes: o gssapi: add support for Apple GSS Framework [72] o TLS: drop support for TLS-SRP [71] This release includes the following bugfixes: o autotools: minor fixes and improvements [33] o build: always use local `inet_pton()`/`inet_ntop()` implementations [56] o build: drop superfluous `STDC_HEADERS` macro [51] o build: enable thread-safe `getaddrinfo()` for OpenBSD [35] o cd2nroff: stricter checks for asterisks for italics [73] o cf-ngtcp2-cmn: initialize new callback ptr for ngtcp2 1.24.0+ [52] o cmake: dedupe expressions into local vars in `cmake_uninstall.in.cmake` [9] o cmake: fix not to build `tunits` when `BUILD_CURL_EXE=OFF` [7] o cmake: flatten build tree, tidy up base dir variables [12] o cmake: minor improvements to `cmake_uninstall.in.cmake` [54] o cmake: replace `remove` command with `rm` and pass arg safely [11] o cmake: robustify base path in local file reference [15] o cmake: stop probing unused `float.h` for `STDC_HEADERS` [10] o configure: fix misleading error messages [42] o configure: link `-lcrypt32` instead of `-lm` for wolfSSL on Windows [79] o configure: remove double check for GnuTLS [21] o configure: set ldap lib to no by default for non-finds [18] o conncache: apply multi limits to transfers using a shared pool [41] o conncache: connection alive checks intervals [20] o content_encoding: give a clear error on multi-member gzip [46] o CREDENTIALS.md: remove comment about empty user/pass [50] o curl_ws_meta.md: polish and better vocabulary [19] o CURLOPT_HEADERFUNCTION.md: document folded header unfolding [53] o CURLOPT_SSH_*_KEYFILE: used for setting up, then no more [48] o CURLOPT_UNRESTRICTED_AUTH.md: 'Authorization' instead of 'Authentication' [74] o CURLSHOPT_(UN)SHARE.md: do not modify shares while in use [44] o FTP: fix TLS session reuse on the data connection [80] o ftp: reject control bytes in ACCT and alternative-to-user [26] o gopher: reject CR and LF in the selector [1] o hostip: only cache negative resolves for authoritative answers [16] o http: trim custom header name before the Authorization drop [17] o INSTALL.md: add building-from-source overview section [29] o ldap: support insecure mode for Windows native LDAP [3] o lib1587: fix gcc `-Wconversion` with LibreSSL on Windows, test in CI [6] o lib: add "Curl_" prefix to two global functions [84] o lib: fix 'ns' -> 'us' in trace messages [57] o lib: ratelimit timestamps [14] o mbedtls: replace `memset()` with `psa_hash_operation_init()` [28] o mime: reject CR and LF in mail part name and filename [30] o mod_curltest: fix compiler warnings [49] o mqtt: reject control bytes in the topic [43] o multi: forbid curl_easy_pause from within multi socket callback [22] o openldap: handle Curl_sasl_continue() returns better [45] o openssl+sectrust: fix session reuse [4] o openssl+sectrust: move session verified set into result check [82] o openssl: drop unused pre-OpenSSL3 `ctx_option_t` typedef [8] o openssl: prefer modern API flavors for `EVP_MD_CTX` new/free [47] o openssl: replace stray legacy API variant with `EVP_DigestInit_ex()` [27] o runtests: restore `-k` option and actively process as no-op [32] o sasl: fix zero-length response encoding [36] o schannel: shut off experimental TLS 1.3 support for Win 10 [25] o scripts: use end-of-options marker in `cd`, `mkdir`, `mv`, `sha256sum` commands [34] o setopt: error for CURLOPT_SHARE when easy handle is used [68] o setopt: return OK earlier for the deprecated h2 dep options [77] o smtp: reject CR and LF in the envelope address [37] o sws: allow connection-monitor to log all disconnects [2] o test 1560: test RFC4291 style IPv6 IPv4-mapped addresses [40] o tests: remove test1701 [58] o tests: skip test 311 for wolfSSL 5.9.2 [63] o tidy-up: typos, comment nits [60] o tool: do not flush on out-null [38] o tool: fix memory use in parallel mode [59] o tool: init progress bar on demand [39] o tool_cb_hdr: de-duplicate filename setter [24] o tool_operate: remove call to abort() [23] o url: reject control codes in credentials set via CURLOPT [70] o urlapi: do not keep an internal port string [31] o vquic: add Curl_ prefix to some global functions [76] o vssh: keyfile use cleanups [83] o VULN-DISCLOSURE-POLICY.md: issues that should be found by tests are LOW [5] o wolfssl: fix build for wolfssl without bio chain support [75] o ws: pause/unpause write handling [55] This release includes the following known bugs: See https://curl.se/docs/knownbugs.html For all changes ever done in curl: See https://curl.se/changes.html Planned upcoming removals include: o local crypto implementations o NTLM o SMB See https://curl.se/dev/deprecate.html This release would not have looked like this without help, code, reports and advice from friends like these: Alhuda Khan, Bigtang on hackerone, Bryan Henderson, Christian Ullrich, Christoph Reiter, Dan Fandrich, Daniel Stenberg, dependabot[bot], ed0d2b2ce19451f2 on github, Emmanuel Ugwu, Eunsoo Kim, firexinghe on github, Graham Campbell, Hendrik Hübner, HwangRock, itzTanos29, Joel Depooter, Laurent Sabourin, Memduh Çelik, Patrick Monnerat, Ray Satiro, renovate[bot], Roger Leigh, Sam James, Samuel Dainard, smaeljaish on hackerone, Stefan Eissing, stze on hackerone, Viktor Szakats (29 contributors) References to bug reports and discussions on issues: [1] = https://curl.se/bug/?i=22116 [2] = https://curl.se/bug/?i=22158 [3] = https://curl.se/bug/?i=22152 [4] = https://curl.se/bug/?i=22235 [5] = https://curl.se/bug/?i=22190 [6] = https://curl.se/bug/?i=22195 [7] = https://curl.se/bug/?i=22198 [8] = https://curl.se/bug/?i=22197 [9] = https://curl.se/bug/?i=22194 [10] = https://curl.se/bug/?i=22191 [11] = https://curl.se/bug/?i=22193 [12] = https://curl.se/bug/?i=22192 [14] = https://curl.se/bug/?i=22292 [15] = https://curl.se/bug/?i=22187 [16] = https://curl.se/bug/?i=22302 [17] = https://curl.se/bug/?i=22178 [18] = https://curl.se/bug/?i=22308 [19] = https://curl.se/bug/?i=22233 [20] = https://curl.se/bug/?i=22169 [21] = https://curl.se/bug/?i=22307 [22] = https://curl.se/bug/?i=22179 [23] = https://curl.se/bug/?i=22182 [24] = https://curl.se/bug/?i=22232 [25] = https://curl.se/bug/?i=22231 [26] = https://curl.se/bug/?i=22301 [27] = https://curl.se/bug/?i=22222 [28] = https://curl.se/bug/?i=22220 [29] = https://curl.se/bug/?i=22113 [30] = https://curl.se/bug/?i=22247 [31] = https://curl.se/bug/?i=22167 [32] = https://curl.se/bug/?i=22100 [33] = https://curl.se/bug/?i=22154 [34] = https://curl.se/bug/?i=22150 [35] = https://curl.se/bug/?i=22148 [36] = https://curl.se/bug/?i=22218 [37] = https://curl.se/bug/?i=22119 [38] = https://curl.se/bug/?i=22165 [39] = https://curl.se/bug/?i=22164 [40] = https://curl.se/bug/?i=22136 [41] = https://curl.se/bug/?i=22265 [42] = https://curl.se/bug/?i=22300 [43] = https://curl.se/bug/?i=22112 [44] = https://curl.se/bug/?i=22217 [45] = https://curl.se/bug/?i=22213 [46] = https://curl.se/bug/?i=22156 [47] = https://curl.se/bug/?i=22219 [48] = https://curl.se/bug/?i=22211 [49] = https://curl.se/bug/?i=22214 [50] = https://curl.se/bug/?i=22212 [51] = https://curl.se/bug/?i=22206 [52] = https://curl.se/bug/?i=22205 [53] = https://curl.se/bug/?i=22296 [54] = https://curl.se/bug/?i=22201 [55] = https://curl.se/bug/?i=22273 [56] = https://curl.se/bug/?i=22170 [57] = https://curl.se/bug/?i=22200 [58] = https://curl.se/bug/?i=22280 [59] = https://curl.se/bug/?i=22277 [60] = https://curl.se/bug/?i=22294 [63] = https://curl.se/bug/?i=22286 [68] = https://curl.se/bug/?i=22253 [70] = https://curl.se/bug/?i=22236 [71] = https://curl.se/bug/?i=21965 [72] = https://curl.se/bug/?i=22052 [73] = https://curl.se/bug/?i=22257 [74] = https://curl.se/bug/?i=22256 [75] = https://curl.se/bug/?i=22255 [76] = https://curl.se/bug/?i=22254 [77] = https://curl.se/bug/?i=22250 [79] = https://curl.se/bug/?i=22251 [80] = https://curl.se/bug/?i=22225 [82] = https://curl.se/bug/?i=22248 [83] = https://curl.se/bug/?i=22243 [84] = https://curl.se/bug/?i=22245