curl and libcurl 8.17.0 Public curl releases: 271 Command line options: 272 curl_easy_setopt() options: 308 Public functions in libcurl: 98 Contributors: 3509 This release includes the following changes: o build: drop the winbuild build system [81] o krb5: drop support for Kerberos FTP [43] o libssh2: up the minimum requirement to 1.9.0 [85] o vssh: drop support for wolfSSH [58] o write-out: make %header{} able to output *all* occurrences of a header [25] This release includes the following bugfixes: o ares: fix leak in tracing [91] o asyn-thrdd: drop pthread_cancel [30] o autotools: add support for libgsasl auto-detection via pkg-config [112] o autotools: capitalize 'Rustls' in the log output [106] o autotools: fix duplicate `UNIX` and `BSD` flags in `buildinfo.txt` [113] o autotools: fix silly mistake in clang detection for `buildinfo.txt` [114] o autotools: make `--enable-code-coverage` support llvm/clang [79] o aws-lc: re-enable large read-ahead with v1.61.0 again [16] o base64: accept zero length argument to base64_encode [82] o build: address some `-Weverything` warnings, update picky warnings [74] o build: avoid overriding system symbols for socket functions [68] o build: show llvm/clang in platform flags and `buildinfo.txt` [126] o cf-h2-proxy: break loop on edge case [140] o cf-socket: use the right byte order for ports in bindlocal [61] o cfilter: unlink and discard [46] o cmake: add `CURL_CODE_COVERAGE` option [78] o cmake: clang detection tidy-ups [116] o cmake: fix building docs when the base directory contains `.3` [18] o cmake: use modern alternatives for `get_filename_component()` [102] o cmdline-docs: extended, clarified, refreshed [28] o configure: add "-mt" for pthread support on HP-UX [52] o cookie: avoid saving a cookie file if no transfer was done [11] o curl_easy_getinfo: error code on NULL arg [2] o curl_mem_undef.h: limit to `CURLDEBUG` for non-memalloc overrides [19] o curl_slist_append.md: clarify that a NULL pointer is not acceptable [72] o CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well [8] o CURLOPT_HEADER/WRITEFUNCTION.md: drop '* size' since size is always 1 [63] o CURLOPT_MAXLIFETIME_CONN: make default 24 hours [10] o CURLOPT_SSL_VERIFYHOST.md: add see-also to two other VERIFYHOST options [32] o CURLOPT_TIMECONDITION.md: works for FILE and FTP as well [27] o digest_sspi: fix two memory leaks in error branches [77] o dist: do not distribute `CI.md` [29] o docs/libcurl: clarify some timeout option behavior [15] o docs/libcurl: remove ancient version references [7] o docs/libcurl: use lowercase must [5] o docs: fix/tidy code fences [87] o easy_getinfo: check magic, Curl_close safety [3] o examples: fix two issues found by CodeQL [35] o ftp: fix ftp_do_more returning with *completep unset [122] o ftp: fix port number range loop for PORT commands [66] o gtls: avoid potential use of uninitialized variable in trace output [83] o hostip: remove leftover INT_MAX check in Curl_dnscache_prune [88] o httpsrr: free old pointers when storing new [57] o krb5: return appropriate error on send failures [22] o ldap: do not base64 encode zero length string [42] o lib: upgrade/multiplex handling [136] o libcurl-multi.md: added curl_multi_get_offt mention [53] o libcurl-security.md: mention long-running connections [6] o libssh2: drop two redundant null-terminations [26] o libssh2: error check and null-terminate in ssh_state_sftp_readdir_link() [34] o libssh: acknowledge SSH_AGAIN in the SFTP state machine [89] o libssh: clarify myssh_block2waitfor [92] o libssh: drop two unused assignments [104] o libssh: error on bad chgrp number [71] o libssh: error on bad chown number and store the value [64] o libssh: fix range parsing error handling mistake [120] o libssh: react on errors from ssh_scp_read [24] o libssh: return out of memory correctly if aprintf fails [60] o Makefile.example: simplify and make it configurable [20] o managen: ignore version mentions < 7.66.0 [55] o managen: render better manpage references/links [54] o managen: strict protocol check [109] o mbedtls: check result of setting ALPN [127] o mbedtls: handle WANT_WRITE from mbedtls_ssl_read() [145] o multi.h: add CURLMINFO_LASTENTRY [51] o ngtcp2: check error code on connect failure [13] o ngtcp2: fix early return [131] o openldap: avoid indexing the result at -1 for blank responses [44] o openldap: check ldap_get_option() return codes [119] o openssl-quic: check results better [132] o openssl-quic: handle error in SSL_get_stream_read_error_code [129] o openssl: clear retry flag on x509 error [130] o openssl: fail the transfer if ossl_certchain() fails [23] o openssl: make the asn1_object_dump name null terminated [56] o openssl: set io_need always [99] o OS400: fix a use-after-free/double-free case [142] o quic: fix min TLS version handling [14] o quic: ignore EMSGSIZE on receive [4] o quiche: fix verbose message when ip quadruple cannot be obtained. [128] o quiche: when ingress processing fails, return that error code [103] o rustls: fix clang-tidy warning [107] o rustls: fix comment describing cr_recv() [117] o rustls: typecast variable for safer trace output [69] o rustls: use %zu for size_t in failf() format string [121] o sasl: clear canceled mechanism instead of toggling it [41] o schannel: assign result before using it [62] o schannel_verify: use more human friendly error messages [96] o setopt: accept *_SSL_VERIFYHOST set to 2L [31] o setopt: make CURLOPT_MAXREDIRS accept -1 (again) [1] o smb: adjust buffer size checks [45] o smtp: check EHLO responses case insensitively [50] o socks: handle error in verbose trace gracefully [94] o socks: make Curl_blockread_all return CURLcode [67] o socks: rewwork, cleaning up socks state handling [135] o socks_gssapi: make the gss_context a local variable [144] o socks_gssapi: reject too long tokens [90] o socks_gssapi: remove superfluous releases of the gss_recv_token [139] o socks_gssapi: remove the forced "no protection" [143] o socks_sspi: bail out on too long fields [137] o socks_sspi: fix memory cleanup calls [40] o socks_sspi: restore non-blocking socket on error paths [48] o ssl-sessions.md: mark option experimental [12] o sws: fix checking `sscanf()` return value [17] o telnet: make printsub require another byte input [21] o telnet: refuse IAC codes in content [111] o telnet: return error on crazy TTYPE or XDISPLOC lengths [123] o tftp: check and act on tftp_set_timeouts() returning error [38] o tftp: handle tftp_multi_statemach() return code [65] o tftp: pin the first used address [110] o tftp: propagate expired timer from tftp_state_timeout() [39] o tftp: return error when sendto() fails [59] o tidy-up: assortment of small fixes [115] o tidy-up: avoid using the reserved macro namespace [76] o tidy-up: update MS links, allow long URLs via `checksrc` [73] o tidy-up: URLs [101] o TODO: remove already implemented or bad items [36] o tool: fix exponential retry delay [47] o tool_cb_hdr: fix fwrite check in header callback [49] o tool_cb_hdr: size is always 1 [70] o tool_doswin: fix to use curl socket functions [108] o tool_getparam/set_rate: skip the multiplication on overflow [84] o tool_operate: improve wording in retry message [37] o tool_operate: keep the progress meter for --out-null [33] o transfer: avoid busy loop with tiny speed limit [100] o urldata: FILE is not a list-only protocol [9] o vtls: alpn setting, check proto parameter [134] o vtls_int.h: clarify data_pending [124] o windows: replace `_beginthreadex()` with `CreateThread()` [80] o windows: stop passing unused, optional argument for Win9x compatibility [75] o wolfssl: check BIO read parameters [133] o wolfssl: fix error check in shutdown [105] o ws: clarify an error message [125] o ws: reject curl_ws_recv called with NULL buffer with a buflen [118] This release includes the following known bugs: See https://curl.se/docs/knownbugs.html For all changes ever done in curl: See https://curl.se/changes.html Planned upcoming removals include: o Builds using VS2008 o OpenSSL 1.x support o Support for c-ares versions before 1.16.0 o Support for Windows XP/2003 o Windows CE support See https://curl.se/dev/deprecate.html This release would not have looked like this without help, code, reports and advice from friends like these: Adam Light, Andrew Kirillov, Andrew Olsen, BobodevMm on github, Christian Schmitz, Dan Fandrich, Daniel Stenberg, dependabot[bot], divinity76 on github, Emilio Pozuelo Monfort, Ethan Everett, fds242 on github, Javier Blazquez, Jicea, jmaggard10 on github, Joseph Birr-Pixton, Joshua Rogers, kapsiR on github, Marcel Raad, Michael Osipov, MichaƂ Petryka, Nir Azkiel, Patrick Monnerat, Ray Satiro, renovate[bot], rinsuki on github, Samuel Dionne-Riel, Stanislav Fort, Stefan Eissing, Viktor Szakats (30 contributors) References to bug reports and discussions on issues: [1] = https://curl.se/bug/?i=18571 [2] = https://curl.se/bug/?i=18512 [3] = https://curl.se/bug/?i=18511 [4] = https://curl.se/bug/?i=18505 [5] = https://curl.se/bug/?i=18570 [6] = https://curl.se/bug/?i=18533 [7] = https://curl.se/bug/?i=18530 [8] = https://curl.se/bug/?i=18531 [9] = https://curl.se/bug/?i=18525 [10] = https://curl.se/bug/?i=18527 [11] = https://curl.se/bug/?i=18621 [12] = https://curl.se/bug/?i=18523 [13] = https://curl.se/bug/?i=18521 [14] = https://curl.se/bug/?i=18518 [15] = https://curl.se/bug/?i=18569 [16] = https://curl.se/bug/?i=18568 [17] = https://curl.se/bug/?i=18565 [18] = https://curl.se/bug/?i=18560 [19] = https://curl.se/bug/?i=18510 [20] = https://curl.se/bug/?i=18554 [21] = https://curl.se/bug/?i=18618 [22] = https://curl.se/bug/?i=18561 [23] = https://curl.se/bug/?i=18646 [24] = https://curl.se/bug/?i=18616 [25] = https://curl.se/bug/?i=18491 [26] = https://curl.se/bug/?i=18606 [27] = https://curl.se/bug/?i=18551 [28] = https://curl.se/bug/?i=18550 [29] = https://curl.se/bug/?i=18549 [30] = https://curl.se/bug/?i=18532 [31] = https://curl.se/mail/lib-2025-09/0031.html [32] = https://curl.se/bug/?i=18548 [33] = https://curl.se/bug/?i=18607 [34] = https://curl.se/bug/?i=18598 [35] = https://curl.se/bug/?i=18605 [36] = https://curl.se/bug/?i=18542 [37] = https://curl.se/bug/?i=18604 [38] = https://curl.se/bug/?i=18603 [39] = https://curl.se/bug/?i=18574 [40] = https://curl.se/bug/?i=18587 [41] = https://curl.se/bug/?i=18573 [42] = https://curl.se/bug/?i=18602 [43] = https://curl.se/bug/?i=18577 [44] = https://curl.se/bug/?i=18600 [45] = https://curl.se/bug/?i=18599 [46] = https://curl.se/bug/?i=18596 [47] = https://curl.se/bug/?i=18591 [48] = https://curl.se/bug/?i=18592 [49] = https://curl.se/bug/?i=18593 [50] = https://curl.se/bug/?i=18588 [51] = https://curl.se/bug/?i=18578 [52] = https://curl.se/bug/?i=18585 [53] = https://curl.se/bug/?i=18579 [54] = https://curl.se/bug/?i=18580 [55] = https://curl.se/bug/?i=18583 [56] = https://curl.se/bug/?i=18647 [57] = https://curl.se/bug/?i=18631 [58] = https://curl.se/bug/?i=18700 [59] = https://curl.se/bug/?i=18643 [60] = https://curl.se/bug/?i=18637 [61] = https://curl.se/bug/?i=18641 [62] = https://curl.se/bug/?i=18642 [63] = https://curl.se/bug/?i=18640 [64] = https://curl.se/bug/?i=18639 [65] = https://curl.se/bug/?i=18638 [66] = https://curl.se/bug/?i=18636 [67] = https://curl.se/bug/?i=18635 [68] = https://curl.se/bug/?i=18503 [69] = https://curl.se/bug/?i=18628 [70] = https://curl.se/bug/?i=18630 [71] = https://curl.se/bug/?i=18629 [72] = https://curl.se/bug/?i=18627 [73] = https://curl.se/bug/?i=18626 [74] = https://curl.se/bug/?i=18477 [75] = https://curl.se/bug/?i=18490 [76] = https://curl.se/bug/?i=18482 [77] = https://curl.se/bug/?i=18488 [78] = https://curl.se/bug/?i=18468 [79] = https://curl.se/bug/?i=18473 [80] = https://curl.se/bug/?i=18451 [81] = https://curl.se/bug/?i=18040 [82] = https://curl.se/bug/?i=18617 [83] = https://curl.se/bug/?i=18620 [84] = https://curl.se/bug/?i=18624 [85] = https://curl.se/bug/?i=18612 [87] = https://curl.se/bug/?i=18707 [88] = https://curl.se/bug/?i=18680 [89] = https://curl.se/bug/?i=18740 [90] = https://curl.se/bug/?i=18681 [91] = https://curl.se/bug/?i=18251 [92] = https://curl.se/bug/?i=18739 [94] = https://curl.se/bug/?i=18722 [96] = https://curl.se/bug/?i=18737 [99] = https://curl.se/bug/?i=18733 [100] = https://curl.se/bug/?i=18732 [101] = https://curl.se/bug/?i=18689 [102] = https://curl.se/bug/?i=18688 [103] = https://curl.se/bug/?i=18730 [104] = https://curl.se/bug/?i=18684 [105] = https://curl.se/bug/?i=18729 [106] = https://curl.se/bug/?i=18671 [107] = https://curl.se/bug/?i=18670 [108] = https://curl.se/bug/?i=18633 [109] = https://curl.se/bug/?i=18675 [110] = https://curl.se/bug/?i=18658 [111] = https://curl.se/bug/?i=18657 [112] = https://curl.se/bug/?i=18669 [113] = https://curl.se/bug/?i=18667 [114] = https://curl.se/bug/?i=18666 [115] = https://curl.se/bug/?i=18664 [116] = https://curl.se/bug/?i=18659 [117] = https://curl.se/bug/?i=18728 [118] = https://curl.se/bug/?i=18656 [119] = https://curl.se/bug/?i=18653 [120] = https://curl.se/bug/?i=18652 [121] = https://curl.se/bug/?i=18651 [122] = https://curl.se/bug/?i=18650 [123] = https://curl.se/bug/?i=18648 [124] = https://curl.se/bug/?i=18644 [125] = https://curl.se/bug/?i=18654 [126] = https://curl.se/bug/?i=18645 [127] = https://curl.se/bug/?i=18727 [128] = https://curl.se/bug/?i=18726 [129] = https://curl.se/bug/?i=18725 [130] = https://curl.se/bug/?i=18724 [131] = https://curl.se/bug/?i=18723 [132] = https://curl.se/bug/?i=18720 [133] = https://curl.se/bug/?i=18718 [134] = https://curl.se/bug/?i=18717 [135] = https://curl.se/bug/?i=18401 [136] = https://curl.se/bug/?i=18227 [137] = https://curl.se/bug/?i=18719 [139] = https://curl.se/bug/?i=18714 [140] = https://curl.se/bug/?i=18715 [142] = https://curl.se/bug/?i=18713 [143] = https://curl.se/bug/?i=18712 [144] = https://curl.se/bug/?i=18711 [145] = https://curl.se/bug/?i=18682