Navigation:
-
Browse pkgsrc
(this page)
archivers
audio
benchmarks
biology
cad
chat
comms
converters
cross
crosspkgtools
databases
devel
doc
editors
emulators
filesystems
finance
fonts
games
geography
graphics
ham
inputmethod
lang
math
mbone
meta-pkgs
misc
multimedia
net
news
parallel
pkgtools
regress
security
shells
sysutils
textproc
time
wayland
wip
wm
www curlx11
* = Virtual Category
New packages:Path to this page:
./www/curl, Client that groks URLs
[ 
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ]
Branch: CURRENT, Version: 8.21.0, Package name: curl-8.21.0, Maintainer: leot
Curl is a command line tool for transferring files with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Curl supports
HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload,
proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate,
kerberos...), file transfer resume, proxy tunneling and a busload of other
useful tricks.
Required to run:
[security/heimdal] [security/openssl] [www/nghttp2] [devel/libidn2]
Required to build:
[pkgtools/cwrappers]
Package options: http2, idn, inet6, openssl
Master sites:
Filesize: 2814.781 KBVersion history: (Expand)
- (2026-06-25) Updated to version: curl-8.21.0
- (2026-05-15) Updated to version: curl-8.20.0nb2
- (2026-05-14) Updated to version: curl-8.20.0nb1
- (2026-04-29) Updated to version: curl-8.20.0
- (2026-03-11) Updated to version: curl-8.19.0
- (2026-02-06) Updated to version: curl-8.18.0nb2
CVS history: (Expand)
2026-06-25 10:25:51 by Thomas Klausner | Files touched by this commit (9) |  |
Log message:
curl: update to 8.21.0.
Lots of security fixes.
Changes:
curl: named globs in output filename for upload glob references
HTTP/3: add proxy CONNECT and MASQUE CONNECT-UDP support (ngtcp2 QUIC)
http2: remove stream dependency tracking
lib: drop support for CURLAUTH_DIGEST_IE
libssh: add support for SHA256 host public keys
tool_urlglob: add named globs
Bugfixes:
_ENVIRONMENT.md. Windows does case insensitive env variables
_URL.md: remove the zone-id mention
AmigaOS: curl_setup.h avoid explicit_bzero with clib2
AmigaOS: fix build fallouts, re-add to CI
asyn-thrdd: add IPv6 guards
asyn-thrdd: fix result processing without wakeup socketpair
autotools: mbedtls detection fixes
BINDINGS: Update Hollywood link
BUFQ.md: re-sync with source code
build: enable `-Wlogical-op` picky warning for GCC 4.4+
build: omit zlib pkg-config reference for Android
cf-h2-prox: fix peer leak
cf-h2-proxy: drop interim responses
cf-https-connect: do not engage on proxy origin
cf-ip-happy.c: minor comment typo
cf-ip-happy: update documentation
cf-socket: make Curl_addr2string static
cf-socket: set scope_id for IPv6 link-local addresses
cf-socket: store errno from do_connect in ctx->error
cfilters: fix busy loop on blocked transfers
chunked: reject invalid bytes in trailer
CIPHERS.md: fix the example that uses only TLS 1.3
cmake/FindGSS: drop "MIT Unknown" version value, related tidy ups
cmake/FindGSS: drop CMake <3.16 compatibility logic
cmake/FindGSS: fix comment, adjust custom flavor property name
cmake/FindGSS: prioritize MIT over GNU in pkg-config detection
cmake: auto-select static nghttp2/nghttp3/ngtcp2 Config
cmake: export/forward `NGTCP2_CRYPTO_BACKEND`
cmake: fix three issues generating lib options in config files
cmake: fix zstd CMake config name
cmake: opt in `MSVC_VERSION` 1951 to picky warnings
cmake: quote `COMPONENTS` string in `curl-config.in.cmake`
cmake: simplify `LINK_ONLY` imported target extraction
config2setopts: use default protocol properly
connect: remove deref of freed pointer in trace call
content_encoding: fix limit failure message
content_encoding: fix non-last chunked rejection
content_encoding: timeout during slow decoding
cookie: check __Secure- and __Host- case sensitively when read from file
cookie: compare path case sensitively
cookie: reject control octets in file-loaded cookies
cookie: simplify strstore(), remove outdated comment
cookie: tailmatch the domains for secure override
cookie: trim trailing dots when checking PSL
creds: add sasl service name
creds: create with empty user+pass
creds: mask OAuth bearer token in trace logs
creds: remove two unused functions
curl_easy_pause.md: rephrase the stream cache when pause clause
curl_easy_setopt.md: change options when no transfer runs
curl_formdata: fix to pass long where missing, document `CURLFORM_NAMELENGTH`
curl_multi_assign.md: clarify lifetime
curl_ntlm_core: fix nettle 4+ builds in certain MultiSSL combos
curl_ntlm_core: propagate DES `CryptEncrypt()` error
curl_sha512_256: fix result code on error
CURLINFO_CONTENT_LENGTH_UPLOAD_T.md: expand
CURLMOPT_SOCKETFUNCTION.md: this sends *all* file descriptors
CURLOPT_CHUNK_BGN_FUNCTION: target is there for symlinks only
CURLOPT_DISALLOW_USERNAME_IN_URL: is for CURLOPT_URL only
CURLOPT_DOH_URL.md: does not inherit proxy options
CURLOPT_ECH.md: simplify the description language
CURLOPT_HAPROXYPROTOCOL.md: only sent for newly setup connections
CURLOPT_MAXFILESIZE: clarify this also works for on-going transfers
CURLOPT_PINNEDPUBLICKEY.md: does not apply for other origins
CURLOPT_PORT.md: use stronger language
CURLOPT_SHARE: warn about early remove
CURLOPT_SSH_HOSTKEYFUNCTION.md: for new connections only
CURLOPT_WRITEFUNCTION.md: mention redirects
CURLOPT_WRITEFUNCTION.md: remove stray reference to HSTS
delta: harden external command invocations
digest: escape control codes too
digest: flush proxy state on proxy or credential change
digest: flush state on origin or credential change
dns-httpsrr-lookup: use origin, not peer
dnscache: remove Curl_dns_entry_link
docs/libcurl: fix the version for curl_multi_socket_action
docs: end "...can be used several times..." sentences with period
docs: fix --follow doc typo
docs: fix a couple of typos
docs: fix grammar and wording in FAQ
docs: fix odd wording in CONTRIBUTE.md
docs: note CURLOPT_PINNEDPUBLICKEY has no effect on legacy LDAP backend
docs: returned header size reflects HTTP/1-style format
doh: cap the maximum TTL to 24 hours
doh: stricter HTTPS RNAME parsing
ECH: cleanups
event: fix wakeup consumption
ftp: avoid accessing EPSV response one byte past the NULL
ftp: remove 2 Curl_resolv_blocking() calls
ftp: remove bits.ftp_use_control_ssl
ftplistparser: clear strings.target if not symlink
gnutls: allow building with nettle 4.0
gnutls: fix more nettle 4+ compatibility issues
gnutls: require 3.7.2 for earlydata
gsasl: fix potential double free
gtls: fix ignored return and uninitialized status in OCSP check
gtls: fix some typos
gtls: minor fixes and improvements
gtls: use the correct return code in trace output
gtls: verify OCSP response signature in gtls_verify_ocsp_status
h3-proxy: fix callback return values, and a typo in tests
hostip: remove unused MAX_HOSTCACHE_LEN and MAX_DNS_CACHE_SIZE
hsts.md: mention multiple curl invokes effect
hsts: duplicate live HSTS data in curl_easy_duphandle
http-proxy: verify CONNECT response headers
HTTP3.md: update quiche build
http: don't pass on set cookies to new origins
http: prefer chunked encoding over Content-Length: 0
http: reject spurious CR bytes in headers
http_digest: return better error
idn: replace header guards with forward declaration
INSTALL-CMAKE.md: document CMake environment variables
INTERNALS.md: document minimum nghttp3 and ngtcp2 versions
KNOWN_BUGS.md: remove fixed GnuTLS <-> OpenSSL incompat bug
KNOWN_BUGS: remove stale Threads::Threads entry
krb5_sspi: fix error message on `DecryptMessage()` fail
ldap: base64 encode binary LDIF values with WinLDAP
ldap: fix minor leak on write callback error
ldap: fix to not leak `attribute` on OOM (WinLDAP)
ldap: switch off chasing referrals
lib678: fix to not be perma-skipped
lib: make `__STDC_VERSION__` literals `L` (where missing)
lib: transfer origin and proxy handling
lib: two minor typos
libcurl-easy.md: minor clarifications
libssh2: do not use deprecated macros when unavailable
libssh2: drop stray double-negative from `strncmp()` result
libssh2: fix to return error code on missing parameter
libssh2: replace macro names with non-misspelled alternatives
libssh2: save non-standard port to `known_hosts`
libssh2: sync version check with INTERNALS.md
libssh2: use non-deprecated `libssh2_knownhost_addc()`
libssh: map SSH_KNOWN_HOSTS_OTHER to CURLKHMATCH_MISMATCH
m4: drop redundant conditions in TLS library detections
Makefile.am: drop test1190 listed twice
managen: apply minor fixes and improvements
mbedtls: null-terminate the private key blob
mk-unity.pl: `#include`, and not concatenate input headers
mqtt: return error on truncated Remaining Length
mqtt: validate PINGRESP and DISCONNECT have remaining_length == 0
multi: handle pause in multi socket callback
multi: remove a stale comment
multi: silence gcc 16 `-Wnull-dereference`, bump CI job to test
multi: xfers_really_alive
netrc: remember and check filename loaded
netrc: scanner refactor
ngtcp2: fail handshake directly
openssl: do not mix OpenSSL int result with `CURLcode` variable
os400sys: fix theoretical length overflows
peer.h: fix typo in comment
pingpong: reject nul byte in server response line
progress: fix CURLINFO time reporting
psl: require libpsl 0.16.0 (2016-12-10) or greater
pytest: pass `--disable` to curl
pytest: re-enable test test_05_01 and test_05_02 for quiche 0.29.0+
pythonlint.sh: make it fail on error, fix ruff warnings in pytest
quic: count zero length packets against max
ratelimits: use minimal burst rate
RELEASE-PROCEDURE.md: update coming release dates
resolve: mention in error that IP address is expected
rtsp: bump buf after rtsp_filter_rtp()
runner.pm: apply minor correctness fix
runner.pm: set `CURL_TESTNUM` for `precheck` commands
runtests: fix tests for curl builds with embedded CA bundle
rustls: error on CURLOPT_CRLFILE with native CA store
schannel: check `schannel_sha256sum()` success, and more
schannel: enforce Extended Key Usage for custom CA roots
schannel: error on TLS 1.3-only with cipher list
schannel: fix https proxy for client cert and certinfo
schannel: fix revoke_best_effort setting for proxy
schannel: use fopen instead CreateFile
schannel_verify: avoid out of blob access
schannel_verify: simplify CryptQueryObject use
scripts: catch Credits-to contributors
SECURITY-ADVISORY.md: expand
setopt: changing the proxy port is also a proxy change
setopt: clear proxy auth properly on NULL
setopt: clear the "custom" CA booleans when set to NULL
setopt: CURLOPT_MAXCONNECTS set to 0 restores default value
setopt: defref the old referer when setting a new
setopt: fix to honor `CURLOPT_PROXY_CAINFO_BLOB` over Native CA
setopt: gate a few proxy TLS options by checking backend support
setopt: more careful cleanup of the HSTS cache
setopt: return error if received `curl_blob->data` is NULL
show-headers.md: mention bold headers and --no-styled-output
sigv4: URL encode the username in the header
smb: constify `strchr()` result variable
smb: integer overflow proof a size check
smbserver: update internal id generation for Python 3
socket: introduce `SOCK_EAGAIN()` and use it
socket: use name `sockerr` for socket error variables
socks_sspi: invalid response length is a fatal error
socks_sspi: store socks5_gssapi_enctype
spnego_sspi: honor CURLOPT_GSSAPI_DELEGATION for Windows SSPI
spnego_sspi: preserve distinction btw policy-only and uncond delegation
src: fix comment typos
src: sync nghttp2 versions checks with current requirements
ssl native_ca_store: always reinit
SSLCERTS: document 8.19.0 default Native CA builds (Windows)
sspi: clear SSPI credentials on AcquireCredentialsHandle failure
sspi: free libcurl allocated memory with curlx_free
telnet: drop an `int` cast no longer necessary
telnet: drop redundant interim variables
telnet: fix error message typos
telnet: fix old copy-paste typo in variable name
telnet: honor CURLOPT_TIMEOUT in send_telnet_data()
test1588: use %TESTNUMBER, not hard-coded number
test1981: explicitly set the locale
tests: add `cookies` feature to some tests
tests: add an assert to avoid IPC blocking
tests: add the "--resolve" keyword to tests that lack it
tests: fix unit1636 with --disable-progress-meter
tftp: avoid the timeout calc if the timeout is crazy
tftp: stricter option name checks
tidy-up: add space around operators, where missing
tidy-up: apply clang-format fixes
tidy-up: drop stray casts for allocated pointers
tidy-up: miscellaneous
tls: fix incomplete mTLS config in conn reuse and session cache
tls: wolfssl: fixes for PQC key shares
tool: warn when --ssl and --ftp-ssl-control override each other
tool_formparse.c: fix two minor comment typos
tool_formparse: polish error message + make two functions static
tool_formparse: tool2curlparts is no longer recursive
tool_help: rectify a bad assert
tool_operhlp: avoid NULL to %s
tool_urlglob: avoid overflow at end of range
tool_urlglob: better 'Duplicate glob name' position
tool_urlglob: make globbing error reported for correct position
tool_writeout: fix %time{} output for %s
transfer: clear referer when set to NULL
unit1675: fix potential memory leak on dynbuf fail path
unix-sockets: ignore proxy settings
URL-SYNTAX: document more URL parsing details
url: compare full origin when setting credentials
url: connection credentials origin
url: connection reuse fixes for starttls
url: detect proxy changes read from environment
url: don't log bits.close state
url: fix connection reuse for starttls protocols
url: keep the question mark for empty queries
url: remove superfluous check
url: url_match_destination fix
urlapi: accept 0X prefix in IPv4 address as well
urlapi: change more lowercase percent-encoded to uppercase
urlapi: compare zone-id in Curl_url_same_origin()
urlapi: consume trailing dots after IPv4 numerical addresses
urlapi: deny hostnames with more than one trailing dot
urlapi: drop base fragment on empty redirect
urlapi: fix an issue parsing file URLs
urlapi: fix memleaks on error in `parse_hostname_login()`
urlapi: fix redirect handling if CURLU_NO_GUESS_SCHEME is set
urlapi: forbid '|' in host
urlapi: handle redirect without set scheme with default-scheme
urlapi: URL decode hostname before IP address normalization
user-agent.md: mention double quotes too
var: use a dedicated pointer for the alloc
verify-release: verify more thoroughly with git
vquic: drop stray casts for `iovec.iov_len`
vtls: more large buffer support and error checks for SHA-256
vtls: use Curl_safecmp for CRLfile and pinned_key comparison
vtls_scache: include signature_algorithms in the SSL peer cache key
vtls_spack: drop redundant macro fallbacks
VULN-DISCLOSURE-POLICY.md: emphasize comm as a human
VULN-DISCLOSURE-POLICY.md: emphasize the no email thank you part
VULN-DISCLOSURE-POLICY.md: test code is not secure
VULN-DISCLOSURE-POLICY: non-released code
websockets: auto-tunnel through http proxy
websockets: buffer upgrade data at connection level
windows: update MS SDK versions in comments
winldap: avoid NULL pointer deref on `ldap_get_dn()` fail
ws: make pong sending lazy
x509asn1: fix DH public key parameter extraction
x509asn1: fix operator order in do_pubkey
|
| 2026-06-07 20:03:46 by Adam Ciarcinski | Files touched by this commit (7) |
Log message: curl/libcurl-gnutls: fix build with nettle 4.0; support Darwin |
| 2026-06-01 12:10:12 by Leonardo Taccari | Files touched by this commit (1) |
Log message: curl: document the circular dependency We have it in the CVS history, but let's document it as an "XXX" \ comment too so possible future hands are less tempted to just uncomment them! Thanks <ryoon> and Marc Baudoin! |
| 2026-06-01 05:36:08 by Ryo ONODERA | Files touched by this commit (1) |
Log message: www/curl: Remove http3 option nghttp3, cmake and curl cause circular dependency. Reported by Marc Baudoin. Thank you. |
| 2026-05-30 21:01:34 by Ryo ONODERA | Files touched by this commit (1) |
Log message: www/curl: Add http3 option |
| 2026-05-15 14:32:20 by Robert Bagdan | Files touched by this commit (3) |
Log message: curl: apply patch to fix wakeup consumption |
| 2026-05-14 18:42:34 by Ryo ONODERA | Files touched by this commit (1335) |
Log message: *: Recursive revbump from security/nettle-4.0 |
2026-04-29 09:05:49 by Thomas Klausner | Files touched by this commit (3) |  |
Log message: curl: update to 8.20.0. This release includes the following changes: o async-thrdd: use thread queue for resolving [144] o build: make NTLM disabled by default [90] o cmake: drop support for CMake 3.17 and older [108] o lib: add thread pool and queue [74] o lib: drop support for < c-ares 1.16.0 [64] o lib: make SMB support opt-in [18] o multi.h: add CURLMNWC_CLEAR_ALL [127] o rtmp: drop support [91] This release includes the following bugfixes: o altsvc: cap the list at 5,000 entries [183] o altsvc: drop the prio field from the struct [185] o altsvc: skip expired entries read from file [187] o asyn-ares: connect async [220] o asyn-ares: drop orphaned variable references [86] o asyn-ares: fix HTTPS-lookup when not on port 443 [100] o asyn-thrdd: drop redundant `result` check [291] o asyn-thrdd: fix clang-tidy unused value warning [125] o async-ares: fix query counter handling [195] o autotools: limit checksrc target to ignore non-repo test sources [12] o badwords-all: exit with correct code on errors [50] o badwords: combine the whitelisting into a single regex [1] o badwords: detect the the and with with [51] o badwords: only check comments and strings in source code [61] o badwords: rework exceptions, fix many of them [15] o boringssl: fix more coexist cases with Schannel/WinCrypt [170] o build: adjust/add casts to fix `-Wformat-signedness` [218] o build: assume `snprintf()` in `mprintf`, drop feature check [107] o build: compiler warning silencing tidy-ups [4] o build: drop `openssl` module dependency for BoringSSL from `libcurl.pc` [33] o build: drop duplicate `pthread.h` includes [158] o build: drop redundant `USE_QUICHE` guards [159] o build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues [84] o build: fix `-Wformat-signedness` by adjusting printf masks [226] o build: link `bcrypt.lib` via vcxproj files [239] o build: skip detecting `pipe2()` for Apple targets [227] o build: stop building and installing `runtests.1` and `testcurl.1` [235] o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [132] o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [63] o cf-ip-happy: limit concurrent attempts [191] o cf-socket: avoid low risk integer overflow on ancient Solaris [56] o cfilters: fix Curl_pollset_poll() return code mixup [206] o clang-tidy: avoid assignments in `if` expressions [175] o clang-tidy: enable more checks, fix fallouts [254] o cmake: add CMake Config-based dependency detection [87] o cmake: add CMake Config-based dependency detection for c-ares, wolfSSL [134] o cmake: do not install `wcurl` when `BUILD_CURL_EXE=OFF` [265] o cmake: do not install shell completions when `BUILD_CURL_EXE=OFF` [263] o cmake: document functions used from Windows system DLLs [103] o cmake: enable pthreads for BoringSSL/AWS-LC [196] o cmake: resolve targets recursively when generating `libcurl.pc` [45] o cmake: rework binutils ld hack to not read `LOCATION` property [41] o cmake: silence bad library `Threads::Threads` warning [131] o cmake: use `AIX` built-in variable (with CMake 4.0+) [163] o config2setopts: make --capath work in proxy disabled builds [113] o configure: fix `--with-ngtcp2=<path>` option for crypto libs [26] o configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic [3] o configure: prefer dependency-specific variables over `$withval` [35] o configure: remove superfluous experimental warning for HTTP/3 [169] o configure: silence useless clang warnings in C89 builds [156] o configure: tidy up comments [202] o connect: fix typo on error message o cookie: fix rejection when tabs in value [189] o curl-wolfssl.m4: fix to use the correct value for pkg-config directory [36] o curl.h: replace macros with C++-friendly method to enforce 3 args [110] o curl_ctype.h: fix spelling in a couple of locally used macros [28] o curl_get_line: error out on read errors [9] o curl_get_line: fix potential infinite loop when filename is a directory [46] o curl_ngtcp2: extend and update callbacks for 1.22.0+ [165] o curl_ntlm_core: drop redundant PP condition [140] o curl_ntlm_core: use wolfCrypt DES API with wolfSSL [200] o curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard [210] o curl_sha512_256: support delegating to wolfSSL API [149] o curl_version_info.md: clarify age details [69] o CURLOPT_HAPROXY_CLIENT_IP.md: mention assumption on data format [96] o CURLOPT_RTSP_SESSION_ID.md: clarify reuse "dangers" [270] o CURLOPT_RTSP_SESSION_ID.md: expand the comment [267] o CURLOPT_RTSP_SESSION_ID.md: minor language fix o CURLOPT_SOCKS5_AUTH.md: an access property [212] o CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse [105] o CURLOPT_UPLOAD_FLAGS.md: expand [223] o curlx_now(), prevent zero timestamp [93] o DEPRECATE: fix minor release number typo o digest: pass in the user name quoted (as well) [34] o dns: https-eyeballing async [229] o dnscache: own source file, improvements [116] o docs/cmdline-opts/write-out.md: tls_earlydata was adeded in 8.13.0 o docs/cmdline-opts: tidy up retry-connrefused [190] o docs/lib: fix typos [53] o docs/libcurl: improve easy setopt examples [266] o docs: clarify retry-max-time timing [294] o docs: CURLOPT_LOGIN_OPTIONS is a login property [228] o docs: enable more compiler warnings for C snippets, fix 3 finds [71] o docs: list more dependencies for running Python HTTP tests [123] o docs: mention more zip bomb precautions [166] o docs: minor wording tweaks o docs: noproxy wants the punycoded hostname version [214] o docs: SSH host verification is done at connect time [197] o docs: use the correct CURLOPT_WRITEFUNCTION signature [142] o doh: fix memory-leak when doing a second DoH resolve [55] o doh: remove superfluous doh_req check [222] o examples/websocket: fix to sleep more on Windows [92] o examples: drop warning silencers no longer hit [14] o examples: fix typo in comment [75] o file: init fd to -1 to prevent close fd 0 on early failure [40] o fopen: for temp files, inherit permissions only for owner [146] o ftp: do not strdup DATA hostname [29] o ftp: make the MDTM date parser stricter (again) [115] o ftp: reject PWD responses containing control characters [95] o gcc: guard `#pragma diagnostic` in core code for <4.6 [94] o generate.bat: remove extra % from VC11 and VC12 runs o genserv.pl: make external calls safe [119] o getinfo: initialize `PureInfo` field `used_proxy` [43] o getinfo: repair CURLINFO_TLS_SESSION [193] o gnutls: fix clang-tidy warning with !verbose [126] o gtls: fail for large files in `load_file()` [174] o h3: HTTPS-RR use in HTTP/3 [221] o Happy Eyeballs: add resolution time delay [238] o haproxy: use correct ip version on client supplied address [275] o hostip: clear the sockaddr_in6 structure before use [20] o hostip: init the curl_jmpenv_lock appropriately [278] o hostip: resolve user supplied ip addresses [259] o HSTS: cap the list [177] o hsts: make the HSTS read callback handle name dupes [141] o hsts: skip expired HSTS entries read from file [188] o hsts: when a dupe host adds subdomains, use that [130] o http2: clear the h2 session at delete [99] o http2: prevent secure schemes pushed over insecure connections [181] o http2: return error on OOM in push headers [65] o HTTP3.md: drop outdated mentions of OpenSSL-QUIC [2] o http: clear credentials better on redirect [204] o http: clear digest nonce on cross-orgin redirect [269] o http: clear the proxy credentials as well on port or scheme change [246] o http: fix auth_used and auth_avail [154] o http: fix Curl_compareheader for multi value headers [11] o http: make Curl_compareheader handle multiple commas in header o http: on 303, switch to GET [208] o http: use header_has_value() instead of duplicate code [251] o imap: reset the UIDVALIDITY state between transfers [7] o include: drop 'will' from public headers [73] o INSTALL.md: update Cygwin instructions [198] o keylog.h: replace literal number with macro in declaration [171] o keylog: drop unused/redundant includes and guards [172] o ldap: drop duplicate `ldap_set_option()` on Windows [42] o ldap: fix to initialize cleartext connection on Windows [49] o lib1560: fix comment typo o lib1960: fix test failure [255] o lib: accept larger input to md5/hmac/sha256/sha512 functions [194] o lib: always use Curl_1st_fatal instead of Curl_1st_err [89] o lib: fix typos in comments [240] o lib: make resolving HTTPS DNS records reliable: [176] o lib: minor comment typos [237] o lib: move request specific allocations to the request struct [256] o lib: replace `PRI*32` printf masks with C89 ones [201] o libssh2: allocate libssh2-friendly memory in kbd_callback [225] o libssh2: fix error handling on quote errors [21] o libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0 [215] o libssh: fix `-Wsign-compare` in 32-bit builds [217] o libssh: path length precaution [164] o libssh: propagate error back in SFTP function [178] o libtest: drop duplicate include [111] o location/follow: mention netrc [138] o man: fix argument type for `CURLSHOPT_[UN]SHARE` options [211] o mbedtls: cleanup more without care for 'initialized' [262] o mbedtls: fix ECJPAKE matching [135] o mbedtls: remove failf() call with first argument as NULL [249] o md4, md5: switch to wolfCrypt API in wolfSSL builds [139] o mime: only allow 40 levels of calls [241] o misc: fix code quality findings [209] o mk-ca-bundle.pl: make `ca-bundle.crt` timestamp match `certdata.txt`'s [44] o multi: enhance pending handles fairness [284] o multi: fix connection retry for non-http [180] o multi: improve wakeup and wait code [118] o netrc: find login-less password when user is given in URL [6] o netrc: remove unused parsenetrc() macro for netrc-disabled [121] o netrc: skip malformed macdef lines [67] o openssl channel_binding: lookup digest algorithm without NID [117] o openssl: drop obsolete SSLv2 logic [27] o openssl: fix build with 4.0.0-beta1 no-deprecated [184] o openssl: fix memory leaks in ECH code (OpenSSL 3) [78] o openssl: fix unused variable warnings in !verbose builds [252] o openssl: trace count of found / imported Windows native CA roots [8] o OS400: add new definitions to the ILE/RPG binding. [153] o os400sys: fix typo in comment (symetry -> symmetry) [58] o parsedate: bsearch the time zones [232] o parsedate: fix wrong treatment of "military time zones" [182] o parsedate: refactor [230] o perl: harden external command invocations [133] o progress: count amount of data "delivered" to application [66] o protocol.h: fix the CURLPROTO_MASK [31] o protocol: disable connection reuse for SMB(S) [199] o protocol: use scheme names lowercase [38] o proxy: chunked response, error code [143] o pytest: add additional quiche check for flaky test_05_01 [22] o pytest: check 429 handling [268] o rand: use `BCryptGenRandom()` in UWP builds [88] o ratelimit: reset on start [150] o request: reset resp_trailer in new requests [186] o runtests: skip setting ed25519 SSH key format [264] o rustls: fix memory leak on repeated SSLKEYLOGFILE fails [280] o rustls: handle EOF during initial handshake [203] o schannel: increase renegotiation timeout to 60 seconds [261] o scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl) \ [109] o scripts: harden / tidy up more Perl `system()` calls [70] o sectrust: fail on missing OCSP stapling [250] o sendf: fix CR detection if no LF is in the chunk [219] o setopt: clear proxy auth properties when switching [192] o setopt: fix typos in comments [257] o setopt: move CURLOPT_CURLU [260] o setup connection filter: mark as setup [234] o sha256, sha512_256: switch to wolfCrypt API [147] o sha256: support delegating to wolfSSL API [148] o share: concurrency handling, easy updates [104] o share: do bitshifts after the type is checked to be valid [216] o socks: reject zero-length GSSAPI/SSPI tokens from proxy [157] o socks: use dns filter for resolving [244] o spelling: fix typos [173] o src: use ftruncate() unconditionally [128] o sshserver.pl: harden more `system()` calls [81] o sshserver.pl: pass command-line to `system()` safely [82] o strerr: correct the strerror_s() return code condition [25] o sws: fix potential OOB write [80] o synctime: fix off-by-one read and write to a read-only buffer (Windows) [85] o test 766: flag as timing-dependent [136] o test1675: unit tests for URL API helper functions [248] o test459: switch to mode="warn" for stderr check [5] o testcurl.pl: replace shell commands with Perl `rmtree()` [76] o tests/unit/README: describe how to unit test static functions [60] o tests: avoid infinite recursion for `make check` [253] o tests: use %b64[] instead of "raw" base64 [245] o tool: check for curlinfo->age when determining if ssh backend [77] o tool: fix memory mixups [106] o tool: fix retries in parallel mode [137] o tool: fix two more allocator mismatches [155] o tool_cb_hdr: only truncate etags output when regular file [129] o tool_cb_rea: make waitfd() return void [168] o tool_cb_wrt: fix no-clobber error handling [39] o tool_cfgable: free the SSL signature algorithms [62] o tool_dirhie: fix to create drive-relative directory [276] o tool_formparse: propagate my_get_line errors when reading headers [102] o tool_getparam: use correct free function for libcurl memory [68] o tool_ipfs: accept IPFS gateway URL without set port number [13] o tool_msgs: avoid null pointer deref for early errors [98] o tool_operate: actually apply the --parallel-max-host limit [167] o tool_operate: drop the scheme-guessing in the -G handling [54] o tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows) [79] o tool_operate: fix memory-leak on failed uploads [124] o tool_operate: fix minor memory-leak on early error [23] o tool_operate: reset the upload glob counter for next URL [162] o tool_operhlp: fix `add_file_name_to_url()` result on OOM [32] o tool_operhlp: iterate through all slashes to find name [114] o tool_operhlp: propagate low-level OOM in `add_file_name_to_url()` [112] o tool_setopt: return error on OOM correctly [152] o tool_urlglob: fix memory-leak on glob range overflow [19] o top-complexity: prevent filename-based shell injection risk [101] o transfer: clear the old autoreferer [236] o transfer: clear the URL pointer in OOM to avoid UAF [179] o transfer: enable custom methods again on next transfer [30] o transfer: enhance secure check [10] o unit1675: fix `-Wformat-signedness` [274] o url: do not reuse a non-tls starttls connection if new requires TLS [145] o url: improve connection reuse on negotiate [160] o url: init req.no_body in DO so that it works for h2 push [161] o url: set default upload flags to CURLULFLAG_SEEN [224] o url: use the socks type for socks proxy [47] o url: use URL for url even in comments [52] o urlapi: fix handling of "file:///" [122] o urlapi: make dedotdotify handle leading dots correctly [97] o urlapi: same origin tests [213] o urlapi: stop extracting hostname from file:// URLs on Windows [247] o urlapi: verify the last letter of a scheme when set explicitly [16] o urldata.h: fix typo and lingering backtick [279] o urldata: connection bit ipv6_ip is wrong [59] o urldata: import port types and conn destination format [57] o urldata: make hstslist only present in HSTS builds [120] o urldata: make speeder_c uint32 [37] o urldata: move cookiehost to struct SingleRequest [242] o urldata: remove trailers_state [17] o vquic: fix variable name in fallback code [207] o vtls: fix comment typos and tidy up a type [285] o vtls: log when key logging is enabled. [288] o vtls_scache: check reentrancy [243] o vtls_scache: include cert_blob independently of verifypeer [231] o wolfssl: document v5.0.0 (2021-11-01) as minimum required [151] o wolfssl: fix `-Wmissing-prototypes` [233] o wolfssl: fix handling of abrupt connection close [24] o write-out.md: minor language fix [273] o write-out.md: tls_earlydata was adeded in 8.13.0 o ws: fix a blocking curl_ws_send() to report written length correctly [258] o x509asn1: fix to return error in an error case from `encodeOID()` [83] o x509asn1: fixed and adapted for ASN1tostr unit testing [48] o x509asn1: improve encodeOID [72] Planned upcoming removals include: o local crypto implementations o NTLM o SMB o TLS-SRP support See https://curl.se/dev/deprecate.html |