Numbers
the 260th release
18 changes
42 days (total: 9,672)
245 bugfixes (total: 10,804)
461 commits (total: 33,209)
0 new public libcurl functions (total: 94)
0 new curl_easy_setopt() options (total: 306)
2 new curl command line options (total: 265)
57 contributors, 28 new (total: 3,239)
27 authors, 14 new (total: 1,302)
1 security fix (total: 158)
Download the new curl release from curl.se as always.
Release presentation
Security
CVE-2024-8096: OCSP stapling bypass with GnuTLS
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine.
Changes
- --help [option]
- --skip-existing
- with -O, try harder to get a filename
- make --rate accept number of units. Previously it accepted N requests per single time unit, now it supports N requests per Z time units.
- make --show-headers the same as --include. To make the option name better spell out what it is for.
- --dump-header supports % to direct to stderr. To match a few of the other options that already support this.
- supports embedding a CA bundle and --dump-ca-embed. As this allows the curl tool to get built stand-alone without relying on an external CA store.
- supports repeated use of the verbose option; -vv etc.
- libuv for parallel transfers with --test-event. To allow better and easier testing of curl’s event-based API. Available in debug-builds only.
- add CURLINFO_POSTTRANSFER_TIME_T
- add --enable-windows-unicode configure option
- CURLOPT_TLS13_CIPHERS for mbedTLS and wolfSSL
- support for setting TLS version and ciphers for Rustls
- stop offering ALPN http/1.1 for http2-prior-knowledge
- support for sslcert/sslkey blob options for wolfSSL
- release tarball 100% reproducible. We also provide verify-release, a convenient shell script allowing anyone and everyone to easily verify curl release tarballs.
Bugfixes
See the full changelog for the complete list. Here follows my favorite subset:
- build: add poll() detection for cross-builds
- cmake: 40+ bugfixes
- configure: fail if PSL is not disabled but not found
- runtests: remove “has_textaware”
- curl: find curlrc in XDG_CONFIG_HOME without leading dot
- curl: make the progress bar detect terminal width changes
- curl: bump maximum post data size in memory to 16GB
- bearssl/mbedtls/rustls/wolfssl: fix setting tls version
- gnutls/wolfssl: improve error message when certificate fails
- gnutls: send all data
- openssl: certinfo errors now fail correctly
- sectransp: fix setting tls version
- x509asn1: raise size limit for x509 certification information
- ftp: always offer line end conversions
- ftp: fix pollset for listening
- http2: improved upload eos handling
- idn: support non-UTF-8 input under AppleIDN
- ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
- pop3: fix multi-line responses
- managen: fix superfluous leading blank line in quoted sections. Nicer HTML version of the manpages.
- managen: in man output, remove the leading space from examples
- managen: wordwrap long example lines in ASCII output. Nicer curl --manual and -h output.
- manpage: ensure a maximum width for the text version.
- connect: always prefer ipv6 in IP eyeballing
- aws_sigv4: fix canon order for headers with same prefix
- cf-socket: prevent KEEPALIVE_FACTOR being set to 1000 for Windows
- rand: only provide weak random when needed
- sigpipe: init the struct so that first apply ignores
- url: fix connection reuse for HTTP/2 upgrades
- urlapi: verify URL decoded hostname when set
- asyn-thread: stop using GetAddrInfoExW on Windows