mirror of
https://github.com/curl/curl.git
synced 2026-06-03 21:04:16 +03:00
382 lines
17 KiB
Text
382 lines
17 KiB
Text
curl and libcurl 8.21.0
|
|
|
|
Public curl releases: 275
|
|
Command line options: 274
|
|
curl_easy_setopt() options: 308
|
|
Public functions in libcurl: 100
|
|
Authors: 1482
|
|
Contributors: 3706
|
|
|
|
This release includes the following changes:
|
|
|
|
o curl: named globs in output file name for upload glob references [77]
|
|
o HTTP/3: add proxy CONNECT and MASQUE CONNECT-UDP support (ngtcp2 QUIC) [53]
|
|
o http2: remove stream dependency tracking [40]
|
|
o lib: drop support for CURLAUTH_DIGEST_IE [4]
|
|
o libssh: add support for SHA256 host public keys [57]
|
|
o tool_urlglob: add named globs [92]
|
|
|
|
This release includes the following bugfixes:
|
|
|
|
o asyn-thrdd: fix result processing without wakeup socketpair [2]
|
|
o autotools: mbedtls detection fixes [163]
|
|
o BUFQ.md: re-sync with source code [111]
|
|
o build: omit zlib pkg-config reference for Android [130]
|
|
o cf-h2-prox: fix peer leak [132]
|
|
o cf-h2-proxy: drop interim responses [47]
|
|
o cf-socket: set scope_id for IPv6 link-local addresses [150]
|
|
o cfilters: fix busy loop on blocked transfers [72]
|
|
o CIPHERS.md: fix the example that uses only TLS 1.3 [137]
|
|
o cmake: auto-select static nghttp2/nghttp3/ngtcp2 Config [8]
|
|
o cmake: export/forward `NGTCP2_CRYPTO_BACKEND` [99]
|
|
o cmake: fix three issues generating lib options in config files [126]
|
|
o cmake: fix zstd CMake config name [5]
|
|
o cmake: opt in `MSVC_VERSION` 1951 to picky warnings [55]
|
|
o cmake: quote `COMPONENTS` string in `curl-config.in.cmake` [80]
|
|
o connect: remove deref of freed pointer in trace call [128]
|
|
o content_encoding: fix limit failure message [171]
|
|
o content_encoding: timeout during slow decoding [170]
|
|
o cookie: compare path case sensitively [52]
|
|
o cookie: simplify strstore(), remove outdated comment [12]
|
|
o cookie: trim trailing dots when checking PSL [39]
|
|
o creds: add sasl service name [75]
|
|
o creds: mask OAuth bearer token in trace logs [117]
|
|
o creds: remove two unused functions [158]
|
|
o curl_easy_pause.md: rephrase the stream cache when pause clause [120]
|
|
o curl_easy_setopt.md: change options when no transfer runs [122]
|
|
o curl_ntlm_core: fix nettle 4+ builds in certain MultiSSL combos [87]
|
|
o curl_ntlm_core: propagate DES `CryptEncrypt()` error [84]
|
|
o curl_sha512_256: fix result code on error [166]
|
|
o CURLOPT_ECH.md: simplify the description language [18]
|
|
o CURLOPT_HAPROXYPROTOCOL.md: only sent for newly setup connections [32]
|
|
o CURLOPT_MAXFILESIZE: clarify this also works for on-going transfers [78]
|
|
o CURLOPT_SHARE: warn about early remove [51]
|
|
o CURLOPT_SSH_HOSTKEYFUNCTION.md: for new connections only [48]
|
|
o delta: harden external command invocations [98]
|
|
o dnscache: remove Curl_dns_entry_link [160]
|
|
o docs/libcurl: fix the version for curl_multi_socket_action
|
|
o docs: end "...can be used several times..." sentences with period [34]
|
|
o docs: fix --follow doc typo [97]
|
|
o docs: fix a couple of typos [62]
|
|
o docs: fix grammar and wording in FAQ [66]
|
|
o docs: fix odd wording in CONTRIBUTE.md [107]
|
|
o docs: note CURLOPT_PINNEDPUBLICKEY has no effect on legacy LDAP backend [65]
|
|
o ECH: cleanups [20]
|
|
o event: fix wakeup consumption [93]
|
|
o ftp: avoid accessing EPSV response one byte past the NULL [9]
|
|
o ftp: remove 2 Curl_resolv_blocking() calls [30]
|
|
o ftp: remove bits.ftp_use_control_ssl [28]
|
|
o gnutls: allow building with nettle 4.0 [96]
|
|
o gnutls: fix more nettle 4+ compatibility issues [94]
|
|
o GnuTLS: require 3.7.2 for earlydata [103]
|
|
o gsasl: fix potential double free [56]
|
|
o gtls: fix ignored return and uninitialized status in OCSP check [49]
|
|
o gtls: fix some typos [15]
|
|
o gtls: use the correct return code in trace output [173]
|
|
o gtls: verify OCSP response signature in gtls_verify_ocsp_status [86]
|
|
o h3-proxy: fix callback return values, and a typo in tests [139]
|
|
o hostip: remove unused MAX_HOSTCACHE_LEN and MAX_DNS_CACHE_SIZE [101]
|
|
o http: don't pass on set cookies to new origins [140]
|
|
o http: prefer chunked encoding over Content-Length: 0 [146]
|
|
o idn: replace header guards with forward declaration [100]
|
|
o KNOWN_BUGS.md: remove fixed GnuTLS <-> OpenSSL incompat bug [41]
|
|
o KNOWN_BUGS: remove stale Threads::Threads entry [135]
|
|
o ldap: fix minor leak on write callback error [24]
|
|
o ldap: fix to not leak `attribute` on OOM (WinLDAP) [79]
|
|
o ldap: switch off chasing referrals [114]
|
|
o lib678: fix to not be perma-skipped [10]
|
|
o lib: make `__STDC_VERSION__` literals `L` (where missing)
|
|
o lib: two minor typos [16]
|
|
o libcurl-easy.md: minor clarifications [19]
|
|
o libssh: map SSH_KNOWN_HOSTS_OTHER to CURLKHMATCH_MISMATCH [125]
|
|
o m4: drop redundant conditions in TLS library detections [155]
|
|
o Makefile.am: drop test1190 listed twice [144]
|
|
o managen: apply minor fixes and improvements [115]
|
|
o mbedtls: null-terminate the private key blob [36]
|
|
o mk-unity.pl: `#include`, and not concatenate input headers [124]
|
|
o mqtt: validate PINGRESP and DISCONNECT have remaining_length == 0 [7]
|
|
o multi: handle pause in multi socket callback [109]
|
|
o multi: silence gcc 16 `-Wnull-dereference`, bump CI job to test [54]
|
|
o netrc: scanner refactor [121]
|
|
o ngtcp2: fail handshake directly [138]
|
|
o os400sys: fix theoretical length overflows [141]
|
|
o pytest: pass `--disable` to curl [175]
|
|
o pytest: re-enable test test_05_01 and test_05_02 for quiche 0.29.0+ [154]
|
|
o pythonlint.sh: make it fail on error, fix ruff warnings in pytest [67]
|
|
o rtsp: bump buf after rtsp_filter_rtp() [88]
|
|
o runner.pm: apply minor correctness fix [105]
|
|
o runner.pm: set `CURL_TESTNUM` for `precheck` commands [13]
|
|
o rustls: error on CURLOPT_CRLFILE with native CA store [59]
|
|
o schannel: check `schannel_sha256sum()` success, and more [165]
|
|
o schannel: enforce Extended Key Usage for custom CA roots [29]
|
|
o schannel: error on TLS 1.3-only with cipher list [136]
|
|
o schannel: fix revoke_best_effort setting for proxy [70]
|
|
o schannel_verify: avoid out of blob access [11]
|
|
o scripts: catch Credits-to contributors [127]
|
|
o setopt: changing the proxy port is also a proxy change [23]
|
|
o setopt: clear proxy auth properly on NULL [81]
|
|
o setopt: CURLOPT_MAXCONNECTS set to 0 restores default value [161]
|
|
o setopt: defref the old referer when setting a new [168]
|
|
o setopt: fix to honor `CURLOPT_PROXY_CAINFO_BLOB` over Native CA [26]
|
|
o setopt: gate a few proxy TLS options by checking backend support [35]
|
|
o setopt: more careful cleanup of the HSTS cache [45]
|
|
o show-headers.md: mention bold headers and --no-styled-output [17]
|
|
o spnego_sspi: honor CURLOPT_GSSAPI_DELEGATION for Windows SSPI [89]
|
|
o spnego_sspi: preserve distinction btw policy-only and uncond delegation [74]
|
|
o src: fix comment typos [83]
|
|
o SSLCERTS: document 8.19.0 default Native CA builds (Windows) [14]
|
|
o sspi: clear SSPI credentials on AcquireCredentialsHandle failure [76]
|
|
o telnet: honor CURLOPT_TIMEOUT in send_telnet_data() [104]
|
|
o test1588: use %TESTNUMBER, not hard-coded number [118]
|
|
o test1981: explicitly set the locale [85]
|
|
o tests: add an assert to avoid IPC blocking [69]
|
|
o tests: fix unit1636 with --disable-progress-meter [37]
|
|
o tftp: avoid the timeout calc if the timeout is crazy [151]
|
|
o tftp: stricter option name checks [90]
|
|
o tidy-up: add space around operators, where missing [147]
|
|
o tidy-up: apply clang-format fixes [153]
|
|
o tidy-up: miscellaneous [106]
|
|
o tls: fix incomplete mTLS config in conn reuse and session cache [108]
|
|
o tool_formparse.c: fix two minor comment typos [25]
|
|
o tool_formparse: polish error message + make two functions static [1]
|
|
o tool_formparse: tool2curlparts is no longer recursive [33]
|
|
o tool_help: rectify a bad assert [143]
|
|
o tool_operhlp: avoid NULL to %s [142]
|
|
o tool_urlglob: avoid overflow at end of range [22]
|
|
o tool_urlglob: better 'Duplicate glob name' position [82]
|
|
o tool_urlglob: make globbing error reported for correct position [91]
|
|
o transfer: clear referer when set to NULL [112]
|
|
o unix-sockets: ignore proxy settings [6]
|
|
o URL-SYNTAX: document more URL parsing details [134]
|
|
o url: compare full origin when setting credentials [42]
|
|
o url: connection reuse fixes for starttls [68]
|
|
o url: detect proxy changes read from environment [110]
|
|
o url: fix connection reuse for starttls protocols [27]
|
|
o url: keep the question mark for empty queries [73]
|
|
o url: remove ssh_config_matches [31]
|
|
o url: remove superfluous check [131]
|
|
o url: url_match_destination fix [43]
|
|
o urlapi: accept 0X prefix in IPv4 address as well [63]
|
|
o urlapi: change more lowercase percent-encoded to uppercase [71]
|
|
o urlapi: compare zone-id in Curl_url_same_origin() [95]
|
|
o urlapi: consume trailing dots after IPv4 numerical addresses [50]
|
|
o urlapi: deny hostnames with more than one trailing dot [58]
|
|
o urlapi: drop base fragment on empty redirect [64]
|
|
o urlapi: fix an issue parsing file URLs [149]
|
|
o urlapi: fix redirect handling if CURLU_NO_GUESS_SCHEME is set [46]
|
|
o urlapi: forbid '|' in host [172]
|
|
o urlapi: handle redirect without set scheme with default-scheme [38]
|
|
o user-agent.md: mention double quotes too [3]
|
|
o vtls: more large buffer support and error checks for SHA-256 [164]
|
|
o vtls: use Curl_safecmp for CRLfile and pinned_key comparison [116]
|
|
o vtls_scache: include signature_algorithms in the SSL peer cache key [123]
|
|
o vtls_spack: drop redundant macro fallbacks [167]
|
|
o VULN-DISCLOSURE-POLICY.md: emphasize the no email thank you part [113]
|
|
o VULN-DISCLOSURE-POLICY.md: test code is not secure [119]
|
|
o websockets: auto-tunnel through http proxy [102]
|
|
o windows: update MS SDK versions in comments [60]
|
|
o x509asn1: fix DH public key parameter extraction [44]
|
|
o x509asn1: fix operator order in do_pubkey [21]
|
|
|
|
This release includes the following known bugs:
|
|
|
|
See https://curl.se/docs/knownbugs.html
|
|
|
|
For all changes ever done in curl:
|
|
|
|
See https://curl.se/changes.html
|
|
|
|
Planned upcoming removals include:
|
|
|
|
o local crypto implementations
|
|
o NTLM
|
|
o SMB
|
|
o TLS-SRP support
|
|
|
|
See https://curl.se/dev/deprecate.html
|
|
|
|
This release would not have looked like this without help, code, reports and
|
|
advice from friends like these:
|
|
|
|
0xN3R3K3, 11soda11, Ady Elouej, Alan De Smet, ambikeesshh, amitbidlan,
|
|
Andrei Rybak, Andrew Nesbitt, Aritra Basu, azraelxuemo on hackerone,
|
|
Bartel Sielski, Bastian Jesuiter, Bill Mill, chrizilla on github,
|
|
co-authors in libssh2, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg,
|
|
Dario Vinella, dependabot[bot], Earnestly on github, Elise Vance,
|
|
Emanuel Krollmann, Eunsoo Kim, Fabian Keil, Gao Liyou, Guancheng Li,
|
|
Guannan Wang, Harry Sintonen, htasta, jeffhuang, Jeremy Nicoll,
|
|
Jiashuo Liang, Johannes Schlatow, Josef Cejka, Joshua Rogers, Kai Pastor,
|
|
Mark Esler, Max Dymond, mik, Mike-menny on github, Muhamad Arga Reksapati,
|
|
mulan_dh on hackerone, parasol-aser, penpal, Peter Krefting,
|
|
Randall S. Becker, Raymond Steen, Ray Satiro, renjian on hackerone,
|
|
renovate[bot], Ross Burton, Sergio Correia, sfan5 on github,
|
|
Shintomon Mathew, Sollace on github, Song X. Gao, Stefan Eissing, Tim Martin,
|
|
tiymat, vegagent on hackerone, Viktor Szakats, Will Cosgrove, Xi Ruoyao,
|
|
x-xiang on github, Zhanpeng Liu
|
|
(66 contributors)
|
|
|
|
References to bug reports and discussions on issues:
|
|
|
|
[1] = https://curl.se/bug/?i=21510
|
|
[2] = https://curl.se/bug/?i=21476
|
|
[3] = https://curl.se/mail/archive-2026-04/0029.html
|
|
[4] = https://curl.se/bug/?i=21486
|
|
[5] = https://curl.se/bug/?i=21538
|
|
[6] = https://curl.se/bug/?i=21630
|
|
[7] = https://hackerone.com/reports/3702718
|
|
[8] = https://curl.se/bug/?i=21470
|
|
[9] = https://curl.se/bug/?i=21545
|
|
[10] = https://curl.se/bug/?i=21641
|
|
[11] = https://curl.se/bug/?i=21543
|
|
[12] = https://curl.se/bug/?i=21541
|
|
[13] = https://curl.se/bug/?i=21640
|
|
[14] = https://curl.se/bug/?i=21634
|
|
[15] = https://curl.se/bug/?i=21498
|
|
[16] = https://curl.se/bug/?i=21496
|
|
[17] = https://curl.se/bug/?i=21495
|
|
[18] = https://curl.se/bug/?i=21536
|
|
[19] = https://curl.se/bug/?i=21491
|
|
[20] = https://curl.se/bug/?i=21532
|
|
[21] = https://curl.se/bug/?i=21533
|
|
[22] = https://curl.se/bug/?i=21529
|
|
[23] = https://curl.se/bug/?i=21485
|
|
[24] = https://curl.se/bug/?i=21530
|
|
[25] = https://curl.se/bug/?i=21480
|
|
[26] = https://curl.se/bug/?i=21631
|
|
[27] = https://curl.se/bug/?i=21522
|
|
[28] = https://curl.se/bug/?i=21521
|
|
[29] = https://curl.se/bug/?i=21629
|
|
[30] = https://curl.se/bug/?i=21512
|
|
[31] = https://curl.se/bug/?i=21519
|
|
[32] = https://curl.se/bug/?i=21517
|
|
[33] = https://curl.se/bug/?i=21518
|
|
[34] = https://curl.se/bug/?i=21644
|
|
[35] = https://curl.se/bug/?i=21514
|
|
[36] = https://curl.se/bug/?i=21515
|
|
[37] = https://curl.se/bug/?i=21500
|
|
[38] = https://curl.se/bug/?i=21632
|
|
[39] = https://curl.se/bug/?i=21636
|
|
[40] = https://curl.se/bug/?i=21723
|
|
[41] = https://curl.se/bug/?i=21720
|
|
[42] = https://curl.se/bug/?i=21575
|
|
[43] = https://curl.se/bug/?i=21573
|
|
[44] = https://curl.se/bug/?i=21595
|
|
[45] = https://curl.se/bug/?i=21615
|
|
[46] = https://curl.se/bug/?i=21721
|
|
[47] = https://curl.se/bug/?i=21626
|
|
[48] = https://curl.se/bug/?i=21606
|
|
[49] = https://curl.se/bug/?i=21679
|
|
[50] = https://curl.se/bug/?i=21635
|
|
[51] = https://curl.se/bug/?i=21633
|
|
[52] = https://curl.se/bug/?i=21616
|
|
[53] = https://curl.se/bug/?i=21153
|
|
[54] = https://curl.se/bug/?i=21707
|
|
[55] = https://curl.se/bug/?i=21714
|
|
[56] = https://curl.se/bug/?i=21609
|
|
[57] = https://curl.se/bug/?i=21605
|
|
[58] = https://curl.se/bug/?i=21622
|
|
[59] = https://curl.se/bug/?i=21614
|
|
[60] = https://curl.se/bug/?i=21621
|
|
[62] = https://curl.se/bug/?i=21617
|
|
[63] = https://curl.se/bug/?i=21820
|
|
[64] = https://curl.se/bug/?i=21745
|
|
[65] = https://curl.se/bug/?i=21682
|
|
[66] = https://curl.se/bug/?i=21593
|
|
[67] = https://curl.se/bug/?i=21597
|
|
[68] = https://curl.se/bug/?i=21665
|
|
[69] = https://curl.se/bug/?i=21688
|
|
[70] = https://curl.se/bug/?i=21683
|
|
[71] = https://curl.se/bug/?i=21592
|
|
[72] = https://curl.se/bug/?i=21671
|
|
[73] = https://curl.se/bug/?i=21544
|
|
[74] = https://curl.se/bug/?i=21583
|
|
[75] = https://curl.se/bug/?i=21585
|
|
[76] = https://curl.se/bug/?i=21642
|
|
[77] = https://curl.se/bug/?i=21407
|
|
[78] = https://curl.se/bug/?i=21582
|
|
[79] = https://curl.se/bug/?i=21576
|
|
[80] = https://curl.se/bug/?i=21699
|
|
[81] = https://curl.se/bug/?i=21696
|
|
[82] = https://curl.se/bug/?i=21567
|
|
[83] = https://curl.se/bug/?i=21570
|
|
[84] = https://curl.se/bug/?i=21569
|
|
[85] = https://curl.se/bug/?i=21749
|
|
[86] = https://curl.se/bug/?i=21677
|
|
[87] = https://curl.se/bug/?i=21562
|
|
[88] = https://curl.se/bug/?i=21563
|
|
[89] = https://curl.se/bug/?i=21528
|
|
[90] = https://curl.se/bug/?i=21560
|
|
[91] = https://curl.se/bug/?i=21561
|
|
[92] = https://curl.se/bug/?i=21409
|
|
[93] = https://curl.se/bug/?i=21547
|
|
[94] = https://curl.se/bug/?i=21557
|
|
[95] = https://curl.se/bug/?i=21686
|
|
[96] = https://curl.se/bug/?i=21169
|
|
[97] = https://curl.se/bug/?i=21553
|
|
[98] = https://curl.se/bug/?i=21104
|
|
[99] = https://curl.se/bug/?i=21523
|
|
[100] = https://curl.se/bug/?i=21551
|
|
[101] = https://curl.se/bug/?i=21550
|
|
[102] = https://curl.se/bug/?i=21663
|
|
[103] = https://curl.se/bug/?i=21750
|
|
[104] = https://curl.se/bug/?i=21685
|
|
[105] = https://curl.se/bug/?i=21672
|
|
[106] = https://curl.se/bug/?i=21646
|
|
[107] = https://curl.se/bug/?i=21705
|
|
[108] = https://curl.se/bug/?i=21667
|
|
[109] = https://curl.se/bug/?i=21748
|
|
[110] = https://curl.se/bug/?i=21666
|
|
[111] = https://curl.se/bug/?i=21678
|
|
[112] = https://curl.se/bug/?i=21741
|
|
[113] = https://curl.se/bug/?i=21747
|
|
[114] = https://curl.se/bug/?i=21732
|
|
[115] = https://curl.se/bug/?i=21670
|
|
[116] = https://curl.se/bug/?i=21668
|
|
[117] = https://curl.se/bug/?i=21659
|
|
[118] = https://curl.se/bug/?i=21662
|
|
[119] = https://curl.se/bug/?i=21660
|
|
[120] = https://curl.se/bug/?i=21658
|
|
[121] = https://curl.se/bug/?i=21624
|
|
[122] = https://curl.se/bug/?i=21604
|
|
[123] = https://curl.se/bug/?i=21651
|
|
[124] = https://curl.se/bug/?i=21656
|
|
[125] = https://curl.se/bug/?i=21724
|
|
[126] = https://curl.se/bug/?i=21654
|
|
[127] = https://curl.se/bug/?i=21653
|
|
[128] = https://curl.se/bug/?i=21649
|
|
[130] = https://curl.se/bug/?i=21647
|
|
[131] = https://curl.se/bug/?i=21650
|
|
[132] = https://curl.se/bug/?i=21602
|
|
[134] = https://curl.se/bug/?i=21841
|
|
[135] = https://curl.se/bug/?i=21734
|
|
[136] = https://curl.se/bug/?i=21702
|
|
[137] = https://curl.se/bug/?i=21719
|
|
[138] = https://curl.se/bug/?i=21712
|
|
[139] = https://curl.se/bug/?i=21802
|
|
[140] = https://curl.se/bug/?i=21794
|
|
[141] = https://curl.se/bug/?i=21840
|
|
[142] = https://curl.se/bug/?i=21836
|
|
[143] = https://curl.se/bug/?i=21837
|
|
[144] = https://curl.se/bug/?i=21839
|
|
[146] = https://curl.se/bug/?i=21706
|
|
[147] = https://curl.se/bug/?i=21793
|
|
[149] = https://curl.se/bug/?i=21743
|
|
[150] = https://curl.se/bug/?i=21669
|
|
[151] = https://curl.se/bug/?i=21782
|
|
[153] = https://curl.se/bug/?i=21786
|
|
[154] = https://curl.se/bug/?i=21784
|
|
[155] = https://curl.se/bug/?i=21781
|
|
[158] = https://curl.se/bug/?i=21776
|
|
[160] = https://curl.se/bug/?i=21774
|
|
[161] = https://curl.se/bug/?i=21829
|
|
[163] = https://curl.se/bug/?i=21727
|
|
[164] = https://curl.se/bug/?i=21771
|
|
[165] = https://curl.se/bug/?i=21739
|
|
[166] = https://curl.se/bug/?i=21767
|
|
[167] = https://curl.se/bug/?i=21768
|
|
[168] = https://curl.se/bug/?i=21826
|
|
[170] = https://curl.se/bug/?i=21603
|
|
[171] = https://curl.se/bug/?i=21756
|
|
[172] = https://curl.se/bug/?i=21762
|
|
[173] = https://curl.se/bug/?i=21766
|
|
[175] = https://curl.se/bug/?i=21816
|