{"id":26439,"date":"2025-02-05T09:24:03","date_gmt":"2025-02-05T08:24:03","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=26439"},"modified":"2025-02-05T13:58:19","modified_gmt":"2025-02-05T12:58:19","slug":"curl-8-12-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2025\/02\/05\/curl-8-12-0\/","title":{"rendered":"curl 8.12.0"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.12.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/FDBw2uxI-R8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 264th release<br>8 changes<br>56 days (total: 9,819)<\/strong><br><strong>244 bugfixes (total: 11,417)<\/strong><br><strong>367 commits (total: 34,180)<br>2 new public libcurl function (total: 96)<br>0 new curl_easy_setopt() option (total: 306)<\/strong><br><strong>1 new curl command line option (total: 267)<\/strong><br><strong>65 contributors, 34 new (total: 3,332)<\/strong><br><strong>34 authors, 18 new (total: 1,341)<\/strong><br><strong>3 security fixes (total: 164)<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p><a href=\"https:\/\/curl.se\/docs\/CVE-2025-0167.html\">CVE-2025-0167: netrc and default credential leak<\/a>. 
When asked to use a <code>.netrc<\/code> file for credentials <strong>and<\/strong> to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a <code>default<\/code> entry that omits both login and password. A rare circumstance.<\/p>\n\n\n\n<p><a href=\"https:\/\/curl.se\/docs\/CVE-2025-0665.html\">CVE-2025-0665: eventfd double close<\/a>. libcurl would wrongly close the same file descriptor twice when taking down a connection channel after having completed a threaded name resolve.<\/p>\n\n\n\n<p><a href=\"https:\/\/curl.se\/docs\/CVE-2025-0725.html\">CVE-2025-0725: gzip integer overflow<\/a>. When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the <code>CURLOPT_ACCEPT_ENCODING<\/code> option, <strong>using zlib 1.2.0.3 or older<\/strong>, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. 
<em>There should be virtually no users left using such an old and vulnerable zlib version.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>curl: <a href=\"https:\/\/daniel.haxx.se\/blog\/2024\/12\/30\/curl-with-partial-files\/\" data-type=\"post\" data-id=\"26207\">add byte range support<\/a> to --variable reading from file<\/li>\n\n\n\n<li>curl: make --etag-save acknowledge --create-dirs<\/li>\n\n\n\n<li>curl: add &#8216;time_queue&#8217; variable to -w<\/li>\n\n\n\n<li>getinfo: provide info which auth was used for HTTP and proxy<\/li>\n\n\n\n<li>openssl: add support to use keys and certificates from PKCS#11 provider<\/li>\n\n\n\n<li>QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA<\/li>\n\n\n\n<li>vtls: feature ssls-export for SSL session im-\/export<\/li>\n\n\n\n<li><a href=\"https:\/\/daniel.haxx.se\/blog\/2024\/12\/21\/dropping-hyper\/\" data-type=\"post\" data-id=\"25520\">hyper: dropped support<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>Some of the bugfixes to highlight.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">libcurl<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>acknowledge CURLOPT_DNS_SERVERS set to NULL<\/li>\n\n\n\n<li>fix CURLOPT_CURLU override logic<\/li>\n\n\n\n<li>initial HTTPS RR resolve support<\/li>\n\n\n\n<li>ban use of sscanf()<\/li>\n\n\n\n<li>conncache: count shutdowns against host and max limits<\/li>\n\n\n\n<li>support use of custom libzstd memory functions<\/li>\n\n\n\n<li>cap cookie expire times to 400 days<\/li>\n\n\n\n<li>parse only the exact cookie expire date<\/li>\n\n\n\n<li>include the shutdown connections in the set curl_multi_fdset returns<\/li>\n\n\n\n<li>easy_lock: use Sleep(1) for thread yield on old Windows<\/li>\n\n\n\n<li>ECH: update APIs to those agreed with OpenSSL maintainers<\/li>\n\n\n\n<li>fix &#8216;time_appconnect&#8217; for early data with GnuTLS<\/li>\n\n\n\n<li>HTTP\/2 and HTTP\/3: strip TE request 
header<\/li>\n\n\n\n<li>mbedtls: fix handling of blocked sends<\/li>\n\n\n\n<li>mime: explicitly rewind subparts at attachment time.<\/li>\n\n\n\n<li>fix mprintf integer handling in float precision<\/li>\n\n\n\n<li>terminate snprintf output on windows<\/li>\n\n\n\n<li>fix curl_multi_waitfds reporting of fd_count<\/li>\n\n\n\n<li>fix return code for an already-removed easy handle from multi handle<\/li>\n\n\n\n<li>add an ssl_scache to the multi handle<\/li>\n\n\n\n<li>auto-enable <code>OPENSSL_COEXIST<\/code> for wolfSSL + OpenSSL builds<\/li>\n\n\n\n<li>use SSL_poll to determine writeability of OpenSSL QUIC streams<\/li>\n\n\n\n<li>free certificate on error with Secure Transport<\/li>\n\n\n\n<li>fix redirect handling to a new fragment or query (only)<\/li>\n\n\n\n<li>return &#8220;IDN&#8221; feature set for winidn and appleidn<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">scripts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>numerous cmake improvements<\/li>\n\n\n\n<li>scripts\/mdlinkcheck: markdown link checker<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">curl tool<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>return error if etag options are used with multiple URLs<\/li>\n\n\n\n<li>accept digits in --form type= strings<\/li>\n\n\n\n<li>make --etag-compare accept a non-existing file<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">docs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>add INFRASTRUCTURE.md describing project infra<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Next<\/h2>\n\n\n\n<p>The next release is <em>probably<\/em> going to be curl 8.13.0 and if things go well, it ships on April 2, 2025.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Release presentation Numbers the 264th release8 changes56 days (total: 9,819)244 bugfixes (total: 11,417)367 commits (total: 34,180)2 new public libcurl function (total: 96)0 new curl_easy_setopt() option (total: 306)1 new curl command line option (total: 267)65 contributors, 34 
new (total: 3,332)34 authors, 18 new (total: 1,341)3 security fixes (total: 164) Security CVE-2025-0167: netrc and default credential leak. &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2025\/02\/05\/curl-8-12-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.12.0<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":26465,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-26439","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/26439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=26439"}],"version-history":[{"count":12,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/26439\/revisions"}],"predecessor-version":[{"id":26477,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/26439\/revisions\/26477"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/26465"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=26439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=26439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=26439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true
}]}}