Numbers
the 257th release
8 changes
56 days (total: 9,560)
220 bug-fixes (total: 10,271)
348 commits (total: 32,280)
1 new public libcurl function (total: 94)
1 new curl_easy_setopt() option (total: 305)
1 new curl command line option (total: 259)
84 contributors, 41 new (total: 3,173)
49 authors, 20 new (total: 1,272)
0 security fixes (total: 155)
Download the new curl release from curl.se as always.
Security
It feels good to be able to say that this time around we do not have a single security vulnerability to announce and we in fact do not have any in the queue either.
Changes
- curl_version_info() provides librtmp version
- file:// supports directory listings
- AppleIDN support for macOS/iOS
- add curl_multi_waitfds
- mbedTLS supports CURLOPT_SSL_CIPHER_LIST
- drop support for NTLM_WB
- experimental ECH (Encrypted Client Hello)
- add CURLU_GET_EMPTY for empty queries and fragments
Bugfixes
Some of the bugfixes from this cycle that might be worth noticing:
dist and build
- reproducible tarballs. I will do a separate post with details later, but now it is easy for anyone who wants to, to generate an identical copy to verify what we ship.
- docs/RELEASE-TOOLS.md into the tarball. This documents the tools and versions used to generate the files included in the tarball that are not present in git.
- drop MSVC project files for recent versions. If you need to generate them for more recent versions, cmake can do it for you.
- configure: fix the HAVE_IOCTLSOCKET_FIONBIO test for gcc 14. It runs more picky by default so it would always fail the check.
- add -q as first option when invoking curl for tests. To reduce the risk of people having a ~/.curlrc file that ruins things.
- fix make install with configure --disable-docs
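For the reproducible tarballs item above, the comparison step of such a verification, as an added example (not curl's own tooling): given the published tarball and a locally regenerated one, it reports whether they are byte-identical and, if not, whether file contents or only archive metadata differ. The function names are hypothetical, and it assumes `sha256sum`, `tar`, `find`, `cmp`, `diff` and `mktemp` are installed.

```sh
# Added example, not curl's own tooling. Function names are hypothetical.
# Assumes sha256sum, tar, find, cmp, diff and mktemp are installed.

# Hex SHA-256 digest of one file.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Print "digest  ./path" for each regular file in tarball $1, sorted by path.
# Only regular files are hashed; symlinks and directories are skipped.
member_digests() {
  md_tmp=$(mktemp -d) || return 1
  if tar --no-same-owner -xf "$1" -C "$md_tmp"; then
    (cd "$md_tmp" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
    md_rc=0
  else
    md_rc=1
  fi
  rm -rf "$md_tmp"
  return "$md_rc"
}

# compare_tarballs PUBLISHED REBUILT
# returns 0: archives are byte-identical
#         1: archives differ; the output says whether file contents differ
#            or only archive metadata (timestamps, owners, order) does
#         2: an archive is missing or unreadable
compare_tarballs() {
  [ -r "$1" ] && [ -r "$2" ] || return 2
  if [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; then
    echo "identical: $(sha256_of "$1")"
    return 0
  fi
  ct_tmp=$(mktemp -d) || return 2
  if member_digests "$1" > "$ct_tmp/a" && member_digests "$2" > "$ct_tmp/b"; then
    if cmp -s "$ct_tmp/a" "$ct_tmp/b"; then
      echo "file contents match; only archive metadata differs"
    else
      echo "file contents differ:"
      diff "$ct_tmp/a" "$ct_tmp/b" | grep '^[<>]'
    fi
    ct_rc=1
  else
    ct_rc=2
  fi
  rm -rf "$ct_tmp"
  return "$ct_rc"
}
```

A result of 1 with "only archive metadata differs" means the rebuild produced the same files but not the same archive bytes, which is the gap a reproducible build closes.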
tool
- make --help adapt to the terminal width. Makes it easier on the eye when the terminal is wider.
- limit rate unpause for -T . uploads. Avoids busy-looping.
- curl output warning for leading unicode quote character. Because it seems like a fairly common mistake when people copy and paste command lines from random sources.
- don’t truncate the etag save file by default. A regression less.
TLS
- bearssl: use common code for cipher suite lookup
- mbedtls: call mbedtls_ssl_setup() after RNG callback is set. Otherwise, more recent versions of mbedTLS will just return error.
- mbedtls: support TLS 1.3. If you use a new enough version.
- openssl: do not set SSL_MODE_RELEASE_BUFFERS. Uses slightly more memory, but uses fewer memory allocation calls.
- wolfssl: plug memory leak in wolfssl_connect_step2()
bindings
- openldap: create ldap URLs correctly for IPv6 addresses. Doing LDAP with IPv6 numerical IP addresses in the URL just did not work previously.
- quiche: expire all active transfers on connection close
- quiche: trust its timeout handling
libcurl
- fix curl_global_cleanup crash in Windows. A regression coming from the introduction of the async name resolver function.
- brotli and others, pass through 0-length writes
- ignore duplicate chunked encoding. Apparently some sites do this and browsers let them so we need to let it slide…
- CURLINFO_REQUEST_SIZE: fixed
- ftp: add tracing support. Gives us better tooling to track down FTP problems.
- http2: emit RST when client write fails. Previously it would just silently leave the stream there…
- http: reject HTTP major version switch mid connection. This should of course never happen, but if it does, curl will error out correctly.
- multi: introduce SETUP state for better timeouts. This adds a proper separation for when the existing transfer is retried or when the state machine is restarted as a new transfer.
- multi: timeout handles even without connection. They would previously often be exempted from checks and would linger for too long until stopped.
- fix handling of paused upload on completed download
- do not URL decode proxy credentials
- allow setting port number zero. Remember this old post?
- fix relative redirects to fragment-only
- fix memory leak in websocket error path