Thursday 6th November 2025
Local Packages
Updated curl to 8.17.0:
- build: Drop Heimdal support
- build: Drop the winbuild build system
- krb5: Drop support for Kerberos FTP
- libssh2: Up the minimum requirement to 1.9.0
- multi: Add notifications API
- progress: Expand to use 6 characters per size
- ssl: Support Apple SecTrust configurations
- tool_getparam: Add --knownhosts
- vssh: Drop support for wolfSSH (addresses CVE-2025-10966)
- wcurl: Import v2025.11.04
- write-out: Make %header{} able to output all occurrences of a header
- ares: Fix leak in tracing
- asyn-ares: Remove wrong comment about the callback argument
- asyn-ares: Use the duped hostname pointer for all calls
- asyn-thrdd resolver: Clear timeout when done
- asyn-thrdd: Drop pthread_cancel
- autotools: Add support for libgsasl auto-detection via pkg-config
- autotools: Capitalize Rustls in the log output
- autotools: Drop detection of ancient OpenSSL libs RSAglue and rsaref
- autotools: Fix duplicate UNIX and BSD flags in buildinfo.txt
- autotools: Fix silly mistake in clang detection for buildinfo.txt
- autotools: Make --enable-code-coverage support llvm/clang
- autotools: Merge 'if's in GnuTLS/OpenSSL feature detection
- aws-lc: Re-enable large read-ahead with v1.61.0 again
- base64: Accept zero length argument to base64_encode
- build: Address some -Weverything warnings, update picky warnings
- build: Avoid overriding system open and stat symbols
- build: Avoid overriding system symbols for fopen functions
- build: Avoid overriding system symbols for socket functions
- build: Show llvm/clang in platform flags and buildinfo.txt
- c-ares: When resolving failed, persist error
- cf-h2-proxy: Break loop on edge case
- cf-ip-happy: Mention unix domain path, not port number
- cf-socket: Always check Curl_cf_socket_peek() return code
- cf-socket: Check params and remove accept precondition
- cf-socket: Make set_local_ip void, and remove failf()
- cf-socket: Set FD_CLOEXEC on all sockets opened
- cf-socket: Tweak a memcpy() to read better
- cf-socket: Use the right byte order for ports in bindlocal
- cfilter: Unlink and discard
- cfilters: Check return code from Curl_pollset_set_out_only()
- checksrc: Allow disabling warnings on FIXME/TODO comments
- checksrc: Catch banned functions when preceded by (
- checksrc: Fix possible endless loop when detecting BANNEDFUNC
- checksrc: Fix possible endless loops in the banned function logic
- checksrc: Fix to handle ) preceding a banned function
- checksrc: Reduce directory-specific exceptions
- CI.md: Refresh
- cmake/FindGSS: Dedupe pkg-config module strings
- cmake/FindGSS: Drop wrong header check for GNU GSS
- cmake/FindGSS: Fix pkg-config fallback logic for CMake <3.16
- cmake/FindGSS: Simplify/de-dupe lib setup
- cmake/FindGSS: Whitespace/formatting
- cmake: Add and use local FindGnuTLS module
- cmake: Add CURL_CODE_COVERAGE option
- cmake: Build the "all" examples source list dynamically
- cmake: Clang detection tidy-ups
- cmake: Drop exclamation in comment looking like a name
- cmake: Fix 'HAVE_GNUTLS_SRP' detection after adding local FindGnuTLS module
- cmake: Fix building docs when the base directory contains .3
- cmake: Fix Linux pre-fill 'HAVE_POSIX_STRERROR_R' (when '_CURL_PREFILL=ON')
- cmake: Fix Linux pre-fills for non-glibc (when '_CURL_PREFILL=ON')
- cmake: Minor Heimdal flavour detection fix
- cmake: Pre-fill three more type sizes on Windows
- cmake: Say 'absolute path' in option descriptions and docs
- cmake: Support building some complicated examples, build them in CI
- cmake: Use modern alternatives for get_filename_component()
- cmake: Use more COMPILER_OPTIONS, LINK_OPTIONS / LINK_FLAGS
- cmdline-docs: Extended, clarified, refreshed
- cmdline-opts/_PROGRESS.md: Explain the suffixes
- configure: Add "-mt" for pthread support on HP-UX
- conn: Fix hostname move on connection reuse
- conncache: Prevent integer overflow in maxconnects calculation
- connect: For CONNECT_ONLY, CURLOPT_TIMEOUT does not apply
- connect: Remove redundant condition in shutdown start
- cookie: Avoid saving a cookie file if no transfer was done
- cookie: Only count accepted cookies in Curl_cookie_add
- cookie: Remove the temporary file on (all) errors
- cpool: Make bundle->dest an array; fix UB
- curl.h: Remove incorrect comment about CURLOPT_PINNEDPUBLICKEY
- curl_easy_getinfo: Error code on NULL arg
- curl_easy_setopt.md: Add missing CURLOPT_POSTFIELDS
- curl_mem_undef.h: Limit to CURLDEBUG for non-memalloc overrides
- curl_ngtcp2: Fix '-Wunreachable-code' with H3 !verbose !unity clang
- curl_osslq: Error out properly if BIO_ADDR_rawmake() fails
- curl_path: Make sure just whitespace is illegal
- Curl_resolv: Fix comment: 'entry' argument is not optional
- curl_slist_append.md: Clarify that a NULL pointer is not acceptable
- curl_threads: Delete WinCE fallback branch
- CURLINFO_FTP_ENTRY_PATH.md: This is for SFTP as well
- CURLOPT_COOKIEFILE.md: Clarify when the cookies are loaded
- CURLOPT_COPYPOSTFIELDS.md: Used with MQTT and RTSP as well
- CURLOPT_HEADER/WRITEFUNCTION.md: Drop '* size' since size is always 1
- CURLOPT_MAXLIFETIME_CONN: Make default 24 hours
- CURLOPT_POSTFIELDSIZE*: These also work for MQTT and RTSP
- CURLOPT_SERVER_RESPONSE_TIMEOUT*: Add default and see-also
- CURLOPT_SSL_VERIFYHOST.md: Add see-also to two other VERIFYHOST options
- CURLOPT_TIMECONDITION.md: Works for FILE and FTP as well
- cw-out: Fix EAGAIN handling on pause
- cw-out: Unify the error handling pattern in cw_out_do_write
- digest_sspi: Fix two memory leaks in error branches
- dist: Do not distribute CI.md
- docs/cmdline-opts: Drop double quotes from GLOBBING and URL examples
- docs/libcurl: Clarify some timeout option behaviour
- docs/libcurl: Remove ancient version references
- docs/libcurl: Use lowercase must
- docs: Expand on quoting rules for file names in SFTP quote
- docs: Fix/tidy code fences
- doh: Clean up resources on error paths
- doswin: CloseHandle the thread on shutdown
- easy_getinfo: Check magic, Curl_close safety
- ECH.md: Make OpenSSL branch clone instructions work
- examples/chkspeed: Portable printing when outputting curl_off_t values
- examples/http2-serverpush: Fix file handle leaks
- examples/sessioninfo: Cast printf string mask length to int
- examples/sessioninfo: Do not disable security
- examples/synctime: Fix null termination assumptions
- examples/synctime: Make the sscanf not overflow the local buffer
- examples/usercertinmem: Avoid stripping const
- examples/websocket: Fix use of uninitialized rlen
- examples: Call curl_global_cleanup() where missing
- examples: Check more errors, fix cleanups, scope variables
- examples: Drop unused curl/mprintf.h includes
- examples: Fix build issues in 'complicated' examples
- examples: Fix more potential resource leaks, and more
- examples: Fix two build issues surfaced with WinCE
- examples: Fix two issues found by CodeQL
- examples: Fix two more cases of stat() TOCTOU
- examples: Improve global init, error checks and returning errors
- examples: Replace casts with 'curl_off_t' printf masks
- examples: Return curl_easy_perform() results
- firefox-db2pem.sh: Add macOS support, tidy-ups
- form.md: Drop reference to MANUAL
- ftp: Add extra buffer length check
- ftp: Check errors on remote ip for data connection
- ftp: Fix ftp_do_more returning with *completep unset
- ftp: Fix port number range loop for PORT commands
- ftp: Fix the 213 scanner memchr buffer limit argument
- ftp: Improve fragile check for first digit > 3
- ftp: Reduce size of some struct fields
- ftp: Remove 'newhost' and 'newport' from the ftp_conn struct
- ftp: Remove misleading comments
- ftp: Remove the retr_size_saved struct field
- ftp: Remove the state_saved struct field
- ftp: Replace strstr() in ;type= handling
- ftp: Simplify the 150/126 size scanner
- gnutls: Check conversion of peer cert chain
- gnutls: Fix re-handshake comments
- gssapi: Make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
- gtls: Avoid potential use of uninitialized variable in trace output
- gtls: Check the return value of gnutls_pubkey_init()
- header.md: See-also --proxy-header and vice versa
- hmac: Free memory properly on errors
- hostip: Don't store negative resolves due to unrelated errors
- hostip: Fix infof() output for non-ipv6 builds using IPv6 address
- hostip: Remove leftover INT_MAX check in Curl_dnscache_prune
- http2: Check push header names by length first
- http2: Clean up pushed newhandle on fail
- http2: Ingress handling edge cases
- HTTP3: Clarify the status for "old" OpenSSL, not current
- http: Check the return value of strdup
- http: Fix '-Wunreachable-code' in !websockets !unity builds
- http: Fix '-Wunused-variable' in !alt-svc !proxy !ws builds
- http: Handle user-defined connection headers
- http: Look for trailing 'type=' in ftp:// without strstr
- http: Make Content-Length parser more WHATWG
- http: Only accept ';' as a separator for custom headers
- http: Return error for a second Location: header
- http_aws_sigv4: Check the return value of curl_maprintf()
- http_proxy: Fix adding custom proxy headers
- httpsrr: Free old pointers when storing new
- httpsrr: Send HTTPS query to the right target
- imap: Fix custom FETCH commands to handle literal responses
- imap: Parse and use UIDVALIDITY as a number
- imap: Treat capabilities case insensitively
- INSTALL-CMAKE.md: Add manual configuration examples
- INSTALL-CMAKE.md: Document useful build targets
- INSTALL-CMAKE.md: Fix descriptions for LDAP dependency options
- INSTALL: Update the list of known operating systems
- INTERNALS: Drop Winsock 2.2 from the dependency list
- ip-happy: Do not set unnecessary timeout
- ip-happy: Prevent event-based stall on retry
- kerberos: Bump minimum to 1.3 (2003-07-08), drop legacy logic
- kerberos: Drop logic for MIT Kerberos <1.2.3 (pre-2002) versions
- kerberos: Stop including gssapi/gssapi_generic.h
- krb5: Fix output_token allocators in the GSS debug stub (Windows)
- krb5: Return appropriate error on send failures
- krb5_gssapi: Fix memory leak on error path
- krb5_sspi: The chlg argument is not optional
- ldap: Avoid null pointer dereference on failure
- ldap: Do not base64 encode zero length string
- ldap: Do not pass a \n to failf()
- ldap: Tidy-up types, fix error code confusion
- lib1514: Fix return code mixup
- lib: Delete unused crypto header includes
- lib: Drop unused include and duplicate guards
- lib: Fix build error with verbose strings disabled
- lib: Remove newlines from failf() calls
- lib: Remove personal names from comments
- lib: SSL connection reuse
- lib: Stop NULL-checking conn->passwd and ->user
- lib: Upgrade/multiplex handling
- libcurl-multi.md: Added curl_multi_get_offt mention
- libcurl-security.md: Mention long-running connections
- libssh/libssh2: Reject quote command lines with too much data
- libssh/sftp: Fix resume corruption by avoiding O_APPEND with rresume
- libssh2/sftp: Fix resume corruption by avoiding O_APPEND with rresume
- libssh2/sftp_realpath: Change state consistently
- libssh2: Avoid risking using an uninitialized local struct field
- libssh2: Bail out on chgrp and chown number parsing errors
- libssh2: Clarify that sshp->path is always at least one byte
- libssh2: Drop two redundant null-terminations
- libssh2: Error check and null-terminate in ssh_state_sftp_readdir_link()
- libssh2: Fix EAGAIN return in ssh_state_auth_agent
- libssh2: Fix return code for EAGAIN
- libssh2: Use sockindex consistently
- libssh: Acknowledge SSH_AGAIN in the SFTP state machine
- libssh: Catch a resume point larger than the size
- libssh: Clarify myssh_block2waitfor
- libssh: Drop two unused assignments
- libssh: Error on bad chgrp number
- libssh: Error on bad chown number and store the value
- libssh: Fix range parsing error handling mistake
- libssh: Make atime and mtime cap the timestamp instead of wrap
- libssh: React on errors from ssh_scp_read
- libssh: Return out of memory correctly if aprintf fails
- libssh: Return the proper error for readdir problems
- Makefile.example: Bump default example from FTP to HTTPS
- Makefile.example: Fix option order
- Makefile.example: Make default options more likely to work
- Makefile.example: Simplify and make it configurable
- managen: Ignore version mentions < 7.66.0
- managen: Render better manpage references/links
- managen: Strict protocol check
- managen: Verify the options used in example lines
- mbedtls: Add support for 4.0.0
- mbedtls: Check result of setting ALPN
- mbedtls: Fix building with <3.6.1
- mbedtls: Fix building with sha-256 missing from PSA
- mbedtls: Handle WANT_WRITE from mbedtls_ssl_read()
- md4: Drop mbedtls implementation (not available in mbedtls v3+)
- mdlinkcheck: Reject URLs containing quotes
- memdup0: Handle edge case
- mime: Fix unpausing of readers
- mime: Fix use of fseek()
- multi.h: Add CURLMINFO_LASTENTRY
- multi: Check the return value of strdup()
- multi_ev: Remove unnecessary data check that confuses analysers
- netrc: When the cached file is discarded, unmark it as loaded
- nghttp3: Return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
- ngtcp2: Add a comment explaining write result handling
- ngtcp2: Adopt ngtcp2_conn_get_stream_user_data if available
- ngtcp2: Check error code on connect failure
- ngtcp2: Close just-opened QUIC stream when submit_request fails
- ngtcp2: Compare idle timeout in ms to avoid overflow
- ngtcp2: Fix early return
- ngtcp2: Fix handling of blocked stream data
- ngtcp2: Fix returns when TLS verify failed
- ngtcp2: Overwrite rate-limits defaults
- noproxy: Fix the IPV6 network mask pattern match
- NTLM: Disable if DES support missing from OpenSSL or mbedTLS
- ntlm: Improved error path on bad incoming NTLM TYPE3 message
- openldap/ldap: Check for binary attribute case insensitively
- openldap: Avoid indexing the result at -1 for blank responses
- openldap: Check ber_sockbuf_add_io() return code
- openldap: Check ldap_get_option() return codes
- openldap: Do not pass newline to infof()
- openldap: Fix memory-leak in error path
- openldap: Fix memory-leak on oldap_do's exit path
- openldap: Limit max incoming size
- openssl-quic: Check results better
- openssl-quic: Handle error in SSL_get_stream_read_error_code
- openssl-quic: Ignore unexpected streams opened by server
- openssl: Better return code checks when logging cert data
- openssl: Call SSL_get_error() with proper error
- openssl: Check CURL_SSLVERSION_MAX_DEFAULT properly
- openssl: Clear retry flag on x509 error
- openssl: Combine all the x509-store flags
- openssl: Fail if more than MAX_ALLOWED_CERT_AMOUNT certs
- openssl: Fail the transfer if ossl_certchain() fails
- openssl: Fix build for v1.0.2
- openssl: Fix peer certificate leak in channel binding
- openssl: Fix resource leak in provider error path
- openssl: Fix unable do typo in failf() calls
- openssl: Free UI_METHOD on exit path
- openssl: Make the asn1_object_dump name null terminated
- openssl: Only try engine/provider if a cert file/name is provided
- openssl: Set io_need always
- openssl: Skip session resumption when verifystatus is set
- os400: Document threads handling in code
- OS400: Fix a use-after-free/double-free case
- osslq: Set idle timeout to 0
- pingpong: Remove two old leftover debug infof() calls
- pop3: Check for CAPA responses case insensitively
- pop3: Fix CAPA response termination detection
- pop3: Function could get the ->transfer field wrong
- pytest: Skip specific tests for no-verbose builds
- quic: Fix min TLS version handling
- quic: Ignore EMSGSIZE on receive
- quic: Improve UDP GRO receives
- quic: Remove data_idle handling
- quiche: Fix possible leaks on teardown
- quiche: Fix verbose message when ip quadruple cannot be obtained
- quiche: Handle tls fail correctly
- quiche: When ingress processing fails, return that error code
- rtsp: Use explicit postfieldsize if specified
- runtests: Tag tests that require curl verbose strings
- rustls: Exit on error
- rustls: Fix clang-tidy warning
- rustls: Fix comment describing cr_recv()
- rustls: Limit snprintf proper in cr_keylog_log_cb()
- rustls: Make read_file_into not reject good files
- rustls: Pass the correct result to rustls_failf
- rustls: Typecast variable for safer trace output
- rustls: Use %zu for size_t in failf() format string
- sasl: Clear cancelled mechanism instead of toggling it
- schannel: Assign result before using it
- schannel: Fix memory leak
- schannel: Handle Curl_conn_cf_send() errors better
- schannel: Lower the maximum allowed time to block to 7 seconds
- schannel: Properly close the certfile on error
- schannel_verify: Do not call infof with an appended \n
- schannel_verify: Fix mem-leak in Curl_verify_host
- schannel_verify: Use more human friendly error messages
- scp/sftp: Fix disconnect
- scripts: Pass -- before passing xargs
- setopt: Accept *_SSL_VERIFYHOST set to 2L
- setopt: Allow CURLOPT_DNS_CACHE_TIMEOUT set to -1
- setopt: Fix unused variable warning in minimal build
- setopt: Make CURLOPT_MAXREDIRS accept -1 (again)
- singleuse.pl: Fix string warning
- smb: Adjust buffer size checks
- smb: Transfer debugassert to real check
- smtp: Check EHLO responses case insensitively
- smtp: Fix EOB handling
- smtp: Return value ignored
- socks: Advance iobuf instead of reset
- socks: Avoid UAF risk in error path
- socks: Deny server basic-auth if not configured
- socks: Handle error in verbose trace gracefully
- socks: Handle premature close
- socks: Make Curl_blockread_all return CURLcode
- socks: Properly maintain the status of 'done'
- socks: Rework, cleaning up socks state handling
- socks_gssapi: Also reset buffer length after free
- socks_gssapi: Make the gss_context a local variable
- socks_gssapi: Reject too long tokens
- socks_gssapi: Remove superfluous releases of the gss_recv_token
- socks_gssapi: Remove the forced "no protection"
- socks_gssapi: Replace 'gss_release_buffer()' with curl free
- socks_sspi: Bail out on too long fields
- socks_sspi: Fix memory clean-up calls
- socks_sspi: Remove the enforced mode clearing
- socks_sspi: Restore non-blocking socket on error paths
- socks_sspi: Use the correct free function
- socksd: Remove --bindonly mention, there is no such option
- spelling: Fix new finds by typos-cli 1.39.0
- src/var: Remove dead code
- ssl-session-cache: Check use on config and availability
- ssl-sessions.md: Mark option experimental
- strerror: Drop workaround for SalfordC win32 header bug
- sws: Fix checking sscanf() return value
- sws: Pass in socket reference to allow function to close it
- tcp-nodelay.md: Expand the documentation
- telnet: Ignore empty suboptions
- telnet: Make bad_option() consider NULL a bad option too
- telnet: Make printsub require another byte input
- telnet: Print DISPlay LOCation in printsub without mutating buffer
- telnet: Refuse IAC codes in content
- telnet: Return error if WSAEventSelect fails
- telnet: Return error on crazy TTYPE or XDISPLOC lengths
- telnet: Send failure logged but not returned
- telnet: Use pointer[0] for "unknown" option instead of pointer[i]
- test1100: Fix missing '<protocol>' section
- tests/libtest/cli*: Fix init/deinit, leaks, and more
- tests/server: Drop pointless memory allocation overrides
- tests/server: Drop unsafe open() override in signal handler (Windows)
- tftp: Check and act on tftp_set_timeouts() returning error
- tftp: Check for trailing ";mode=" in URL without strstr
- tftp: Default timeout per block is now 15 seconds
- tftp: Error requests for blank filenames
- tftp: Handle tftp_multi_statemach() return code
- tftp: Pin the first used address
- tftp: Propagate expired timer from tftp_state_timeout()
- tftp: Return error if it hits an illegal state
- tftp: Return error when sendto() fails
- thread: errno on thread creation
- tidy-up: Assortment of small fixes
- tidy-up: Avoid using the reserved macro namespace
- tidy-up: fcntl.h includes
- tidy-up: Update MS links, allow long URLs via checksrc
- tidy-up: URLs
- time-cond.md: Refer to the singular curl_getdate man page
- TLS: IP address verification, extend test
- TODO: Fix a typo
- TODO: Remove already implemented or bad items
- tool: Fix exponential retry delay
- tool_cb_hdr: Fix fwrite check in header callback
- tool_cb_hdr: Size is always 1
- tool_cb_rea: Use poll instead of select if available
- tool_cfgable: Remove superfluous free calls
- tool_doswin: Fix to use curl socket functions
- tool_filetime: Cap crazy file times instead of erroring
- tool_filetime: Replace cast with the fitting printf mask (Windows)
- tool_formparse: Rewrite the headers file parser
- tool_getparam/set_rate: Skip the multiplication on overflow
- tool_getparam: Always disable "lib-ids" for tracing
- tool_getparam: Make --fail and --fail-with-body override each other
- tool_getparam: Warn if provided header looks malformed
- tool_ipfs: Check the return value of curl_url_get for gwpath
- tool_ipfs: Simplify the ipfs gateway logic
- tool_msgs: Make errorf() show if --show-error
- tool_operate: Improve wording in retry message
- tool_operate: Keep failed partial download for retry auto-resume
- tool_operate: Keep the progress meter for --out-null
- tool_operate: Move the checks that skip ca cert detection
- tool_operate: Retry on HTTP response codes 522 and 524
- tool_operate: Return error on strdup() failure
- tool_paramhlp: Remove outdated comment in str2tls_max()
- tool_parsecfg: Detect and error on recursive --config use
- tool_progress: Handle possible integer overflows
- tool_progress: Make max5data() use an algorithm
- transfer: Avoid busy loop with tiny speed limit
- transfer: Fix retry for empty downloads on reuse
- transfer: Reset retry count on each request
- unit1323: Sync time types and printf masks, drop casts
- unit1664: Drop casts, expand masks to full values
- url: Make Curl_init_userdefined return void
- urldata: FILE is not a list-only protocol
- urldata: Make 'retrycount' a single byte
- urldata: Make redirect counter 16 bit
- vauth/digest: Improve the digest parser
- version: Add GSS backend name and version
- vquic: Fix idle-timeout checks (ms<-->ns), 64-bit log and honour 0=no-timeout
- vquic: Fix recvmsg loop for max_pkts
- vquic: Handling of I/O improvements
- vquic: Sending non-gso packets fix for EAGAIN
- vtls: ALPN setting, check proto parameter
- vtls: Check final cfilter node in find_ssl_filter
- vtls: Drop duplicate 'CURL_SHA256_DIGEST_LENGTH' definition
- vtls: Properly handle SSL shutdown timeout
- vtls: Remove call to PKCS12_PBE_add()
- vtls: Unify the error handling in ssl_cf_connect()
- vtls_int.h: Clarify data_pending
- vtls_scache: Fix race condition
- windows: Replace _beginthreadex() with CreateThread()
- windows: Stop passing unused, optional argument for Win9x compatibility
- windows: Use consistent format when showing error codes
- windows: Use native error code types more
- wolfssl: Check BIO read parameters
- wolfssl: Clear variable to avoid uninitialized use
- wolfssl: Fix error check in shutdown
- wolfssl: Fix resource leak in verify_pinned error paths
- wolfssl: No double get_error() detail
- ws: Clarify an error message
- ws: Fix some edge cases
- ws: Fix type conversion check
- ws: Reject curl_ws_recv called with NULL buffer with a buflen