curl and libcurl 8.18.0

 Public curl releases:         272
 Command line options:         273
 curl_easy_setopt() options:   308
 Public functions in libcurl:  100
 Contributors:                 3553

This release includes the following changes:

 o build: drop support for VS2008 (Windows) [62]
 o build: drop Windows CE / CeGCC support [69]
 o gnutls: drop support for GnuTLS < 3.6.5 [167]
 o gnutls: implement CURLOPT_CAINFO_BLOB [168]
 o openssl: bump minimum OpenSSL version to 3.0.0 [60]

This release includes the following bugfixes:

 o _PROGRESS.md: add the E unit, mention kibibyte [24]
 o AmigaOS: increase minimum stack size for tool_main [137]
 o apple-sectrust: always ask when `native_ca_store` is in use [162]
 o asyn-ares: handle Curl_dnscache_mk_entry() OOM error [199]
 o asyn-ares: remove hostname free on OOM [122]
 o asyn-thrdd: release rrname if ares_init_options fails [41]
 o autotools: add nettle library detection via pkg-config (for GnuTLS) [178]
 o autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr) [70]
 o badwords: fix issues found in scripts and other files [142]
 o badwords: fix issues found in tests [156]
 o build: add build-level `CURL_DISABLE_TYPECHECK` options [163]
 o build: exclude clang prereleases from compiler warning options [154]
 o build: tidy-up MSVC CRT warning suppression macros [140]
 o ccsidcurl: make curl_mime_data_ccsid() use the converted size [74]
 o cf-https-connect: allocate ctx at first in cf_hc_create() [79]
 o cf-socket: limit use of `TCP_KEEP*` to Windows 10.0.16299+ at runtime [157]
 o cf-socket: trace ignored errors [97]
 o cfilters: make conn_forget_socket a private libssh function [109]
 o checksrc.pl: detect assign followed by more than one space [26]
 o cmake: adjust defaults for target platforms not supporting shared libs [35]
 o cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON` [16]
 o cmake: honor `CURL_DISABLE_INSTALL` and `CURL_ENABLE_EXPORT_TARGET` [106]
 o code: minor indent fixes before closing braces [107]
 o config2setopts: bail out if curl_url_get() returns OOM [102]
 o config2setopts: exit if curl_url_set() fails on OOM [105]
 o conncache: silence `-Wnull-dereference` on gcc 14 RISC-V 64 [17]
 o conncontrol: reuse handling [170]
 o connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition' [100]
 o cookie: propagate errors better, cleanup the internal API [118]
 o cookie: return error on OOM [131]
 o cshutdn: acknowledge FD_SETSIZE for shutdown descriptors [25]
 o curl: fix progress meter in parallel mode [15]
 o curl_fopen: do not pass invalid mode flags to `open()` on Windows [84]
 o curl_sasl: make Curl_sasl_decode_mech compare case insensitively [160]
 o curl_setup.h: document more funcs flagged by `_CRT_SECURE_NO_WARNINGS` [124]
 o curl_setup.h: drop stray `#undef stat` (Windows) [103]
 o CURLINFO: remove 'get' and 'get the' from each short desc [50]
 o CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer" [48]
 o CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text [49]
 o CURLOPT_READFUNCTION.md: clarify the size of the buffer [47]
 o CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
 o curlx/fopen: replace open CRT functions their with `_s` counterparts (Windows) [204]
 o curlx/strerr: use `strerror_s()` on Windows [75]
 o curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows) [143]
 o curlx: replace `sprintf` with `snprintf` [194]
 o digest_sspi: fix a memory leak on error path [149]
 o digest_sspi: properly free sspi identity [12]
 o DISTROS.md: add OpenBSD [126]
 o doc: some returned in-memory data may not be altered [196]
 o docs: fix checksrc `EQUALSPACE` warnings [21]
 o docs: mention umask need when curl creates files [56]
 o docs: spell it Rustls with a capital R [181]
 o examples/crawler: fix variable [92]
 o examples/multi-uv: fix invalid req->data access [177]
 o examples/multithread: fix race condition [101]
 o examples: fix minor typo [203]
 o examples: make functions/data static where missing [139]
 o examples: tidy-up headers and includes [138]
 o file: do not pass invalid mode flags to `open()` on upload (Windows) [83]
 o ftp: refactor a piece of code by merging the repeated part [40]
 o ftp: remove #ifdef for define that is always defined [76]
 o getinfo: improve perf in debug mode [99]
 o gnutls: report accurate error when TLS-SRP is not built-in [18]
 o gtls: add return checks and optimize the code [2]
 o gtls: skip session resumption when verifystatus is set
 o h2/h3: handle methods with spaces [146]
 o hostip: don't store negative lookup on OOM [61]
 o hostip: make more functions return CURLcode [202]
 o hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST [183]
 o hsts: propagate and error out correctly on OOM [130]
 o http: avoid two strdup()s and do minor simplifications [144]
 o http: error on OOM when creating range header [59]
 o http: fix OOM exit in Curl_http_follow [179]
 o http: replace atoi use in Curl_http_follow with curlx_str_number [65]
 o http: the :authority header should never contain user+password [147]
 o INSTALL-CMAKE.md: document static option defaults more [37]
 o krb5_sspi: unify a part of error handling [80]
 o lib: cleanup for some typos about spaces and code style [3]
 o lib: eliminate size_t casts [112]
 o lib: error for OOM when extracting URL query [127]
 o lib: fix gssapi.h include on IBMi [55]
 o lib: refactor the type of funcs which have useless return and checks [1]
 o lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows) [164]
 o lib: timer stats improvements [190]
 o libssh2: add paths to error messages for quote commands [114]
 o libssh2: cleanup ssh_force_knownhost_key_type [64]
 o libssh2: replace atoi() in ssh_force_knownhost_key_type [63]
 o libssh: properly free sftp_attributes [153]
 o libtests: replace `atoi()` with `curlx_str_number()` [120]
 o limit-rate: add example using --limit-rate and --max-time together [89]
 o m4/sectrust: fix test(1) operator [4]
 o manage: expand the 'libcurl support required' message [208]
 o mbedtls: fix potential use of uninitialized `nread` [8]
 o mk-ca-bundle.pl: default to SHA256 fingerprints with `-t` option [73]
 o mk-ca-bundle.pl: use `open()` with argument list to replace backticks [71]
 o mqtt: reject overly big messages [39]
 o multi: make max_total_* members size_t [158]
 o multi: simplify admin handle processing [189]
 o ngtcp2+openssl: fix leak of session [172]
 o ngtcp2: remove the unused Curl_conn_is_ngtcp2 function [85]
 o noproxy: replace atoi with curlx_str_number [67]
 o openssl: exit properly on OOM when getting certchain [133]
 o openssl: fix a potential memory leak of bio_out [150]
 o openssl: fix a potential memory leak of params.cert [151]
 o openssl: no verify failf message unless strict [166]
 o openssl: release ssl_session if sess_reuse_cb fails [43]
 o openssl: remove code handling default version [28]
 o OS400/ccsidcurl: fix curl_easy_setopt_ccsid for non-converted blobs [94]
 o OS400/makefile.sh: fix shellcheck warning SC2038 [86]
 o osslq: code readability [5]
 o progress: show fewer digits [78]
 o projects/README.md: Markdown fixes [148]
 o pytest fixes and improvements [159]
 o pytest: disable two H3 earlydata tests for all platforms (was: macOS) [116]
 o pytest: skip H2 tests if feature missing from curl [46]
 o ratelimit: redesign [209]
 o rtmp: fix double-free on URL parse errors [27]
 o rtmp: precaution for a potential integer truncation [54]
 o runtests: detect bad libssh differently for test 1459 [11]
 o runtests: drop Python 2 support remains [45]
 o rustls: fix a potential memory issue [81]
 o rustls: minor adjustment of sizeof() [38]
 o schannel: fix memory leak of cert_store_path on four error paths [23]
 o schannel: replace atoi() with curlx_str_number() [119]
 o schannel_verify: fix a memory leak of cert_context [152]
 o scripts: fix shellcheck SC2046 warnings [90]
 o scripts: use end-of-options marker in `find -exec` commands [87]
 o setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL [30]
 o setopt: when setting bad protocols, don't store them [9]
 o sftp: fix range downloads in both SSH backends [82]
 o slist: constify Curl_slist_append_nodup() string argument [195]
 o smb: fix a size check to be overflow safe [161]
 o socks_sspi: use free() not FreeContextBuffer() [93]
 o speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE [113]
 o speedlimit: also reset on send unpausing [197]
 o telnet: replace atoi for BINARY handling with curlx_str_number [66]
 o TEST-SUITE.md: correct the man page's path [136]
 o test07_22: fix flakiness [95]
 o test2045: replace HTML multi-line comment markup with `#` comments [36]
 o test363: delete stray character (typo) from a section tag [52]
 o tests/data: replace hard-coded test numbers with `%TESTNUMBER` [33]
 o tests/data: support using native newlines on disk, drop `.gitattributes` [91]
 o tests/server: do not fall back to original data file in `test2fopen()` [32]
 o tests/server: replace `atoi()` and `atol()` with `curlx_str_number()` [110]
 o tests: allow 2500-2503 to use ~2MB malloc [31]
 o tftp: release filename if conn_get_remote_addr fails [42]
 o tftpd: fix/tidy up `open()` mode flags [57]
 o tidy-up: move `CURL_UNCONST()` out from macro `curl_unicodefree()` [121]
 o tool: consider (some) curl_easy_setopt errors fatal [7]
 o tool: log when loading .curlrc in verbose mode [191]
 o tool_cfgable: free ssl-sessions at exit [123]
 o tool_doswin: clear pointer when thread takes ownership [198]
 o tool_getparam: verify that a file exists for some options [134]
 o tool_help: add checks to avoid unsigned wrap around [14]
 o tool_ipfs: check return codes better [20]
 o tool_msgs: make voutf() use stack instead of heap [125]
 o tool_operate: exit on curl_share_setopt errors [108]
 o tool_operate: fix a case of ignoring return code in operate() [128]
 o tool_operate: fix case of ignoring return code in single_transfer [129]
 o tool_operate: remove redundant condition [19]
 o tool_operate: use curlx_str_number instead of atoi [68]
 o tool_paramhlp: refuse --proto remove all protocols [10]
 o tool_urlglob: clean up used memory on errors better [44]
 o tool_writeout: bail out proper on OOM [104]
 o url: if OOM in parse_proxy() return error [132]
 o urlapi: fix mem-leaks in curl_url_get error paths [22]
 o urlapi: handle OOM properly when setting URL [180]
 o verify-release: update to avoid shellcheck warning SC2034 [88]
 o vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally [96]
 o vquic: do not pass invalid mode flags to `open()` (Windows) [58]
 o vquic: do_sendmsg full init [171]
 o vtls: fix CURLOPT_CAPATH use [51]
 o vtls: handle possible malicious certs_num from peer [53]
 o vtls: pinned key check [98]
 o wcurl: import v2025.11.09 [29]
 o wolfSSL: able to differentiate between IP and DNS in alt names [13]
 o wolfssl: avoid NULL dereference in OOM situation [77]
 o wolfssl: fix a potential memory leak of session [6]
 o wolfssl: fix cipher list, skip 5.8.4 regression [117]
 o wolfssl: simplify wssl_send_earlydata [111]

This release includes the following known bugs:

 See https://curl.se/docs/knownbugs.html

For all changes ever done in curl:

 See https://curl.se/changes.html

Planned upcoming removals include:

 o OpenSSL-QUIC
 o RTMP support
 o Support for c-ares versions before 1.16.0
 o Support for Windows XP/2003

 See https://curl.se/dev/deprecate.html

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Aleksandr Sergeev, Aleksei Bavshin, Andrew Kirillov, BANADDA, boingball,
  Brad King, bttrfl on github, Christian Schmitz, Dan Fandrich,
  Daniel McCarney, Daniel Stenberg, Fd929c2CE5fA on github, ffath-vo on github,
  Gisle Vanem, Jiyong Yang, Juliusz Sosinowicz, Leonardo Taccari,
  letshack9707 on hackerone, Marc Aldorasi, Marcel Raad, nait-furry,
  ncaklovic on github, Nick Korepanov, Omdahake on github, Patrick Monnerat,
  pelioro on hackerone, Ray Satiro, renovate[bot], Samuel Henrique,
  st751228051 on github, Stanislav Fort, Stefan Eissing, Sunny,
  Thomas Klausner, Viktor Szakats, Wesley Moore, Xiaoke Wang, Yedaya Katsman
  (38 contributors)

References to bug reports and discussions on issues:

 [1] = https://curl.se/bug/?i=19386
 [2] = https://curl.se/bug/?i=19366
 [3] = https://curl.se/bug/?i=19370
 [4] = https://curl.se/bug/?i=19371
 [5] = https://curl.se/bug/?i=19394
 [6] = https://curl.se/bug/?i=19555
 [7] = https://curl.se/bug/?i=19385
 [8] = https://curl.se/bug/?i=19393
 [9] = https://curl.se/bug/?i=19389
 [10] = https://curl.se/bug/?i=19388
 [11] = https://curl.se/bug/?i=19557
 [12] = https://curl.se/bug/?i=19426
 [13] = https://curl.se/bug/?i=19364
 [14] = https://curl.se/bug/?i=19377
 [15] = https://curl.se/bug/?i=19383
 [16] = https://curl.se/bug/?i=19380
 [17] = https://curl.se/bug/?i=19378
 [18] = https://curl.se/bug/?i=19365
 [19] = https://curl.se/bug/?i=19381
 [20] = https://curl.se/bug/?i=19382
 [21] = https://curl.se/bug/?i=19379
 [22] = https://curl.se/bug/?i=19440
 [23] = https://curl.se/bug/?i=19423
 [24] = https://curl.se/bug/?i=19502
 [25] = https://curl.se/bug/?i=19439
 [26] = https://curl.se/bug/?i=19375
 [27] = https://curl.se/bug/?i=19438
 [28] = https://curl.se/bug/?i=19354
 [29] = https://curl.se/bug/?i=19430
 [30] = https://curl.se/bug/?i=19434
 [31] = https://curl.se/bug/?i=19716
 [32] = https://curl.se/bug/?i=19429
 [33] = https://curl.se/bug/?i=19427
 [35] = https://curl.se/bug/?i=19420
 [36] = https://curl.se/bug/?i=19498
 [37] = https://curl.se/bug/?i=19419
 [38] = https://hackerone.com/reports/3427460
 [39] = https://curl.se/bug/?i=19415
 [40] = https://curl.se/bug/?i=19411
 [41] = https://curl.se/bug/?i=19410
 [42] = https://curl.se/bug/?i=19409
 [43] = https://curl.se/bug/?i=19405
 [44] = https://curl.se/bug/?i=19614
 [45] = https://curl.se/bug/?i=19544
 [46] = https://curl.se/bug/?i=19412
 [47] = https://curl.se/bug/?i=19402
 [48] = https://curl.se/bug/?i=19403
 [49] = https://curl.se/bug/?i=19404
 [50] = https://curl.se/bug/?i=19406
 [51] = https://curl.se/bug/?i=19401
 [52] = https://curl.se/bug/?i=19490
 [53] = https://curl.se/bug/?i=19397
 [54] = https://curl.se/bug/?i=19399
 [55] = https://curl.se/bug/?i=19336
 [56] = https://curl.se/bug/?i=19396
 [57] = https://curl.se/bug/?i=19671
 [58] = https://curl.se/bug/?i=19670
 [59] = https://curl.se/bug/?i=19630
 [60] = https://curl.se/bug/?i=18330
 [61] = https://curl.se/bug/?i=19484
 [62] = https://curl.se/bug/?i=17931
 [63] = https://curl.se/bug/?i=19479
 [64] = https://curl.se/bug/?i=19479
 [65] = https://curl.se/bug/?i=19478
 [66] = https://curl.se/bug/?i=19477
 [67] = https://curl.se/bug/?i=19475
 [68] = https://curl.se/bug/?i=19480
 [69] = https://curl.se/bug/?i=17927
 [70] = https://curl.se/bug/?i=19464
 [71] = https://curl.se/bug/?i=19461
 [73] = https://curl.se/bug/?i=19359
 [74] = https://curl.se/bug/?i=19465
 [75] = https://curl.se/bug/?i=19646
 [76] = https://curl.se/bug/?i=19463
 [77] = https://curl.se/bug/?i=19459
 [78] = https://curl.se/bug/?i=19431
 [79] = https://curl.se/bug/?i=19454
 [80] = https://curl.se/bug/?i=19452
 [81] = https://curl.se/bug/?i=19425
 [82] = https://curl.se/bug/?i=19460
 [83] = https://curl.se/bug/?i=19647
 [84] = https://curl.se/bug/?i=19645
 [85] = https://curl.se/bug/?i=19725
 [86] = https://curl.se/bug/?i=19451
 [87] = https://curl.se/bug/?i=19450
 [88] = https://curl.se/bug/?i=19449
 [89] = https://curl.se/bug/?i=19473
 [90] = https://curl.se/bug/?i=19432
 [91] = https://curl.se/bug/?i=19398
 [92] = https://curl.se/bug/?i=19446
 [93] = https://curl.se/bug/?i=19445
 [94] = https://curl.se/bug/?i=19444
 [95] = https://curl.se/bug/?i=19530
 [96] = https://curl.se/bug/?i=19531
 [97] = https://curl.se/bug/?i=19520
 [98] = https://curl.se/bug/?i=19529
 [99] = https://curl.se/bug/?i=19525
 [100] = https://curl.se/bug/?i=19523
 [101] = https://curl.se/bug/?i=19524
 [102] = https://curl.se/bug/?i=19518
 [103] = https://curl.se/bug/?i=19519
 [104] = https://curl.se/bug/?i=19667
 [105] = https://curl.se/bug/?i=19517
 [106] = https://curl.se/bug/?i=19144
 [107] = https://curl.se/bug/?i=19512
 [108] = https://curl.se/bug/?i=19513
 [109] = https://curl.se/bug/?i=19727
 [110] = https://curl.se/bug/?i=19510
 [111] = https://curl.se/bug/?i=19509
 [112] = https://curl.se/bug/?i=19495
 [113] = https://curl.se/bug/?i=19653
 [114] = https://curl.se/bug/?i=19605
 [116] = https://curl.se/bug/?i=19724
 [117] = https://curl.se/bug/?i=19644
 [118] = https://curl.se/bug/?i=19493
 [119] = https://curl.se/bug/?i=19483
 [120] = https://curl.se/bug/?i=19506
 [121] = https://curl.se/bug/?i=19606
 [122] = https://curl.se/bug/?i=19658
 [123] = https://curl.se/bug/?i=19602
 [124] = https://curl.se/bug/?i=19597
 [125] = https://curl.se/bug/?i=19651
 [126] = https://curl.se/bug/?i=19596
 [127] = https://curl.se/bug/?i=19594
 [128] = https://curl.se/bug/?i=19650
 [129] = https://curl.se/bug/?i=19649
 [130] = https://curl.se/bug/?i=19593
 [131] = https://curl.se/bug/?i=19591
 [132] = https://curl.se/bug/?i=19590
 [133] = https://curl.se/bug/?i=19471
 [134] = https://curl.se/bug/?i=19583
 [136] = https://curl.se/bug/?i=19586
 [137] = https://curl.se/bug/?i=19578
 [138] = https://curl.se/bug/?i=19580
 [139] = https://curl.se/bug/?i=19579
 [140] = https://curl.se/bug/?i=19175
 [142] = https://curl.se/bug/?i=19572
 [143] = https://curl.se/bug/?i=19581
 [144] = https://curl.se/bug/?i=19571
 [146] = https://curl.se/bug/?i=19543
 [147] = https://curl.se/bug/?i=19568
 [148] = https://curl.se/bug/?i=19569
 [149] = https://curl.se/bug/?i=19567
 [150] = https://curl.se/bug/?i=19561
 [151] = https://curl.se/bug/?i=19560
 [152] = https://curl.se/bug/?i=19556
 [153] = https://curl.se/bug/?i=19564
 [154] = https://curl.se/bug/?i=19566
 [156] = https://curl.se/bug/?i=19541
 [157] = https://curl.se/bug/?i=19520
 [158] = https://curl.se/bug/?i=19618
 [159] = https://curl.se/bug/?i=19540
 [160] = https://curl.se/bug/?i=19535
 [161] = https://curl.se/bug/?i=19640
 [162] = https://curl.se/bug/?i=19636
 [163] = https://curl.se/bug/?i=19637
 [164] = https://curl.se/bug/?i=19589
 [166] = https://curl.se/bug/?i=19615
 [167] = https://curl.se/bug/?i=19609
 [168] = https://curl.se/bug/?i=19612
 [170] = https://curl.se/bug/?i=19333
 [171] = https://curl.se/bug/?i=19714
 [172] = https://curl.se/bug/?i=19717
 [177] = https://curl.se/bug/?i=19462
 [178] = https://curl.se/bug/?i=19703
 [179] = https://curl.se/bug/?i=19705
 [180] = https://curl.se/bug/?i=19704
 [181] = https://curl.se/bug/?i=19702
 [183] = https://curl.se/bug/?i=19701
 [189] = https://curl.se/bug/?i=19604
 [190] = https://curl.se/bug/?i=19269
 [191] = https://curl.se/bug/?i=19663
 [194] = https://curl.se/bug/?i=19681
 [195] = https://curl.se/bug/?i=19692
 [196] = https://curl.se/bug/?i=19692
 [197] = https://curl.se/bug/?i=19687
 [198] = https://curl.se/bug/?i=19689
 [199] = https://curl.se/bug/?i=19688
 [202] = https://curl.se/bug/?i=19669
 [203] = https://curl.se/bug/?i=19683
 [204] = https://curl.se/bug/?i=19643
 [208] = https://curl.se/bug/?i=19665
 [209] = https://curl.se/bug/?i=19384