Changes in 8.17.0 - November 5 2025

Changes:

• build: drop Heimdal support
• build: drop the winbuild build system
• krb5: drop support for Kerberos FTP
• libssh2: up the minimum requirement to 1.9.0
• multi: add notifications API
• progress: expand to use 6 characters per size
• ssl: support Apple SecTrust configurations
• tool_getparam: add --knownhosts
• vssh: drop support for wolfSSH
• wcurl: import v2025.11.04
• write-out: make %header{} able to output *all* occurrences of a header

Bugfixes:

• ares: fix leak in tracing
• asyn-ares: remove wrong comment about the callback argument
• asyn-ares: use the duped hostname pointer for all calls
• asyn-thrdd resolver: clear timeout when done
• asyn-thrdd: drop pthread_cancel
• autotools: add support for libgsasl auto-detection via pkg-config
• autotools: capitalize Rustls in the log output
• autotools: drop detection of ancient OpenSSL libs RSAglue and rsaref
• autotools: fix duplicate UNIX and BSD flags in buildinfo.txt
• autotools: fix silly mistake in clang detection for buildinfo.txt
• autotools: make --enable-code-coverage support llvm/clang
• autotools: merge `if`s in GnuTLS/OpenSSL feature detection
• aws-lc: re-enable large read-ahead with v1.61.0 again
• base64: accept zero length argument to base64_encode
• build: address some -Weverything warnings, update picky warnings
• build: avoid overriding system open and stat symbols
• build: avoid overriding system symbols for fopen functions
• build: avoid overriding system symbols for socket functions
• build: show llvm/clang in platform flags and buildinfo.txt
• c-ares: when resolving failed, persist error
• cf-h2-proxy: break loop on edge case
• cf-ip-happy: mention unix domain path, not port number
• cf-socket: always check Curl_cf_socket_peek() return code
• cf-socket: check params and remove accept procondition
• cf-socket: make set_local_ip void, and remove failf()
• cf-socket: set FD_CLOEXEC on all sockets opened
• cf-socket: tweak a memcpy() to read better
• cf-socket: use the right byte order for ports in bindlocal
• cfilter: unlink and discard
• cfilters: check return code from Curl_pollset_set_out_only()
• checksrc: allow disabling warnings on FIXME/TODO comments
• checksrc: catch banned functions when preceded by (
• checksrc: fix possible endless loop when detecting BANNEDFUNC
• checksrc: fix possible endless loops in the banned function logic
• checksrc: fix to handle ) predecing a banned function
• checksrc: reduce directory-specific exceptions
• CI.md: refresh
• cmake/FindGSS: dedupe pkg-config module strings
• cmake/FindGSS: drop wrong header check for GNU GSS
• cmake/FindGSS: fix pkg-config fallback logic for CMake <3.16
• cmake/FindGSS: simplify/de-dupe lib setup
• cmake/FindGSS: whitespace/formatting
• cmake: add and use local FindGnuTLS module
• cmake: add CURL_CODE_COVERAGE option
• cmake: build the "all" examples source list dynamically
• cmake: clang detection tidy-ups
• cmake: drop exclamation in comment looking like a name
• cmake: fix `HAVE_GNUTLS_SRP` detection after adding local FindGnuTLS module
• cmake: fix building docs when the base directory contains .3
• cmake: fix Linux pre-fill `HAVE_POSIX_STRERROR_R` (when `_CURL_PREFILL=ON`)
• cmake: fix Linux pre-fills for non-glibc (when `_CURL_PREFILL=ON`)
• cmake: minor Heimdal flavour detection fix
• cmake: pre-fill three more type sizes on Windows
• cmake: say 'absolute path' in option descriptions and docs
• cmake: support building some complicated examples, build them in CI
• cmake: use modern alternatives for get_filename_component()
• cmake: use more COMPILER_OPTIONS, LINK_OPTIONS / LINK_FLAGS
• cmdline-docs: extended, clarified, refreshed
• cmdline-opts/_PROGRESS.md: explain the suffixes
• configure: add "-mt" for pthread support on HP-UX
• conn: fix hostname move on connection reuse
• conncache: prevent integer overflow in maxconnects calculation
• connect: for CONNECT_ONLY, CURLOPT_TIMEOUT does not apply
• connect: remove redundant condition in shutdown start
• cookie: avoid saving a cookie file if no transfer was done
• cookie: only count accepted cookies in Curl_cookie_add
• cookie: remove the temporary file on (all) errors
• cpool: make bundle->dest an array; fix UB
• curl.h: remove incorrect comment about CURLOPT_PINNEDPUBLICKEY
• curl_easy_getinfo: error code on NULL arg
• curl_easy_setopt.md: add missing CURLOPT_POSTFIELDS
• curl_mem_undef.h: limit to CURLDEBUG for non-memalloc overrides
• curl_ngtcp2: fix `-Wunreachable-code` with H3 !verbose !unity clang
• curl_osslq: error out properly if BIO_ADDR_rawmake() fails
• curl_path: make sure just whitespace is illegal
• Curl_resolv: fix comment. 'entry' argument is not optional
• curl_slist_append.md: clarify that a NULL pointer is not acceptable
• curl_threads: delete WinCE fallback branch
• CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well
• CURLOPT_COOKIEFILE.md: clarify when the cookies are loaded
• CURLOPT_COPYPOSTFIELDS.md: used with MQTT and RTSP as well
• CURLOPT_HEADER/WRITEFUNCTION.md: drop '* size' since size is always 1
• CURLOPT_MAXLIFETIME_CONN: make default 24 hours
• CURLOPT_POSTFIELDSIZE*: these also work for MQTT and RTSP
• CURLOPT_SERVER_RESPONSE_TIMEOUT*: add default and see-also
• CURLOPT_SSL_VERIFYHOST.md: add see-also to two other VERIFYHOST options
• CURLOPT_TIMECONDITION.md: works for FILE and FTP as well
• cw-out: fix EAGAIN handling on pause
• cw-out: unify the error handling pattern in cw_out_do_write
• digest_sspi: fix two memory leaks in error branches
• dist: do not distribute CI.md
• docs/cmdline-opts: drop double quotes from GLOBBING and URL examples
• docs/libcurl: clarify some timeout option behavior
• docs/libcurl: remove ancient version references
• docs/libcurl: use lowercase must
• docs: expand on quoting rules for filenames in SFTP quote
• docs: fix/tidy code fences
• doh: cleanup resources on error paths
• doswin: CloseHandle the thread on shutdown
• easy_getinfo: check magic, Curl_close safety
• ECH.md: make OpenSSL branch clone instructions work
• examples/chkspeed: portable printing when outputting curl_off_t values
• examples/http2-serverpush: fix file handle leaks
• examples/sessioninfo: cast printf string mask length to int
• examples/sessioninfo: do not disable security
• examples/synctime: fix null termination assumptions
• examples/synctime: make the sscanf not overflow the local buffer
• examples/usercertinmem: avoid stripping const
• examples/websocket: fix use of uninitialized rlen
• examples: call curl_global_cleanup() where missing
• examples: check more errors, fix cleanups, scope variables
• examples: drop unused curl/mprintf.h includes
• examples: fix build issues in 'complicated' examples
• examples: fix more potential resource leaks, and more
• examples: fix two build issues surfaced with WinCE
• examples: fix two issues found by CodeQL
• examples: fix two more cases of stat() TOCTOU
• examples: improve global init, error checks and returning errors
• examples: replace casts with `curl_off_t` printf masks
• examples: return curl_easy_perform() results
• firefox-db2pem.sh: add macOS support, tidy-ups
• form.md: drop reference to MANUAL
• ftp: add extra buffer length check
• ftp: check errors on remote ip for data connection
• ftp: fix ftp_do_more returning with *completep unset
• ftp: fix port number range loop for PORT commands
• ftp: fix the 213 scanner memchr buffer limit argument
• ftp: improve fragile check for first digit > 3
• ftp: reduce size of some struct fields
• ftp: remove 'newhost' and 'newport' from the ftp_conn struct
• ftp: remove misleading comments
• ftp: remove the retr_size_saved struct field
• ftp: remove the state_saved struct field
• ftp: replace strstr() in ;type= handling
• ftp: simplify the 150/126 size scanner
• gnutls: check conversion of peer cert chain
• gnutls: fix re-handshake comments
• gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
• gtls: avoid potential use of uninitialized variable in trace output
• gtls: check the return value of gnutls_pubkey_init()
• header.md: see-also --proxy-header and vice versa
• hmac: free memory properly on errors
• hostip: don't store negative resolves due unrelated errors
• hostip: fix infof() output for non-ipv6 builds using IPv6 address
• hostip: remove leftover INT_MAX check in Curl_dnscache_prune
• http2: check push header names by length first
• http2: cleanup pushed newhandle on fail
• http2: ingress handling edge cases
• HTTP3: clarify the status for "old" OpenSSL, not current
• http: check the return value of strdup
• http: fix `-Wunreachable-code` in !websockets !unity builds
• http: fix `-Wunused-variable` in !alt-svc !proxy !ws builds
• http: handle user-defined connection headers
• http: look for trailing 'type=' in ftp:// without strstr
• http: make Content-Length parser more WHATWG
• http: only accept ';' as a separator for custom headers
• http: return error for a second Location: header
• http_aws_sigv4: check the return value of curl_maprintf()
• http_proxy: fix adding custom proxy headers
• httpsrr: free old pointers when storing new
• httpsrr: send HTTPS query to the right target
• imap: fix custom FETCH commands to handle literal responses
• imap: parse and use UIDVALIDITY as a number
• imap: treat capabilities case insensitively
• INSTALL-CMAKE.md: add manual configuration examples
• INSTALL-CMAKE.md: document useful build targets
• INSTALL-CMAKE.md: fix descriptions for LDAP dependency options
• INSTALL: update the list of known operating systems
• INTERNALS: drop Winsock 2.2 from the dependency list
• ip-happy: do not set unnecessary timeout
• ip-happy: prevent event-based stall on retry
• kerberos: bump minimum to 1.3 (2003-07-08), drop legacy logic
• kerberos: drop logic for MIT Kerberos <1.2.3 (pre-2002) versions
• kerberos: stop including gssapi/gssapi_generic.h
• krb5: fix output_token allocators in the GSS debug stub (Windows)
• krb5: return appropriate error on send failures
• krb5_gssapi: fix memory leak on error path
• krb5_sspi: the chlg argument is NOT optional
• ldap: avoid null ptr deref on failure
• ldap: do not base64 encode zero length string
• ldap: do not pass a \n to failf()
• ldap: tidy-up types, fix error code confusion
• lib1514: fix return code mixup
• lib: delete unused crypto header includes
• lib: drop unused include and duplicate guards
• lib: fix build error with verbose strings disabled
• lib: remove newlines from failf() calls
• lib: remove personal names from comments
• lib: SSL connection reuse
• lib: stop NULL-checking conn->passwd and ->user
• lib: upgrade/multiplex handling
• libcurl-multi.md: added curl_multi_get_offt mention
• libcurl-security.md: mention long-running connections
• libssh/libssh2: reject quote command lines with too much data
• libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume
• libssh2/sftp: fix resume corruption by avoiding O_APPEND with rresume
• libssh2/sftp_realpath: change state consistently
• libssh2: avoid risking using an uninitialized local struct field
• libssh2: bail out on chgrp and chown number parsing errors
• libssh2: clarify that sshp->path is always at least one byte
• libssh2: drop two redundant null-terminations
• libssh2: error check and null-terminate in ssh_state_sftp_readdir_link()
• libssh2: fix EAGAIN return in ssh_state_auth_agent
• libssh2: fix return code for EAGAIN
• libssh2: use sockindex consistently
• libssh: acknowledge SSH_AGAIN in the SFTP state machine
• libssh: catch a resume point larger than the size
• libssh: clarify myssh_block2waitfor
• libssh: drop two unused assignments
• libssh: error on bad chgrp number
• libssh: error on bad chown number and store the value
• libssh: fix range parsing error handling mistake
• libssh: make atime and mtime cap the timestamp instead of wrap
• libssh: react on errors from ssh_scp_read
• libssh: return out of memory correctly if aprintf fails
• libssh: return the proper error for readdir problems
• Makefile.example: bump default example from FTP to HTTPS
• Makefile.example: fix option order
• Makefile.example: make default options more likely to work
• Makefile.example: simplify and make it configurable
• managen: ignore version mentions < 7.66.0
• managen: render better man page references/links
• managen: strict protocol check
• managen: verify the options used in example lines
• mbedtls: add support for 4.0.0
• mbedtls: check result of setting ALPN
• mbedtls: fix building with <3.6.1
• mbedtls: fix building with sha-256 missing from PSA
• mbedtls: handle WANT_WRITE from mbedtls_ssl_read()
• md4: drop mbedtls implementation (not available in mbedtls v3+)
• mdlinkcheck: reject URLs containing quotes
• memdup0: handle edge case
• mime: fix unpausing of readers
• mime: fix use of fseek()
• multi.h: add CURLMINFO_LASTENTRY
• multi: check the return value of strdup()
• multi_ev: remove unnecessary data check that confuses analysers
• netrc: when the cached file is discarded, unmark it as loaded
• nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
• ngtcp2: add a comment explaining write result handling
• ngtcp2: adopt ngtcp2_conn_get_stream_user_data if available
• ngtcp2: check error code on connect failure
• ngtcp2: close just-opened QUIC stream when submit_request fails
• ngtcp2: compare idle timeout in ms to avoid overflow
• ngtcp2: fix early return
• ngtcp2: fix handling of blocked stream data
• ngtcp2: fix returns when TLS verify failed
• ngtcp2: overwrite rate-limits defaults
• noproxy: fix the IPV6 network mask pattern match
• NTLM: disable if DES support missing from OpenSSL or mbedTLS
• ntlm: improved error path on bad incoming NTLM TYPE3 message
• openldap/ldap; check for binary attribute case insensitively
• openldap: avoid indexing the result at -1 for blank responses
• openldap: check ber_sockbuf_add_io() return code
• openldap: check ldap_get_option() return codes
• openldap: do not pass newline to infof()
• openldap: fix memory-leak in error path
• openldap: fix memory-leak on oldap_do's exit path
• openldap: limit max incoming size
• openssl-quic: check results better
• openssl-quic: handle error in SSL_get_stream_read_error_code
• openssl-quic: ignore unexpected streams opened by server
• openssl: better return code checks when logging cert data
• openssl: call SSL_get_error() with proper error
• openssl: check CURL_SSLVERSION_MAX_DEFAULT properly
• openssl: clear retry flag on x509 error
• openssl: combine all the x509-store flags
• openssl: fail if more than MAX_ALLOWED_CERT_AMOUNT certs
• openssl: fail the transfer if ossl_certchain() fails
• openssl: fix build for v1.0.2
• openssl: fix peer certificate leak in channel binding
• openssl: fix resource leak in provider error path
• openssl: fix unable do typo in failf() calls
• openssl: free UI_METHOD on exit path
• openssl: make the asn1_object_dump name null terminated
• openssl: only try engine/provider if a cert file/name is provided
• openssl: set io_need always
• openssl: skip session resumption when verifystatus is set
• os400: document threads handling in code.
• OS400: fix a use-after-free/double-free case
• osslq: set idle timeout to 0
• pingpong: remove two old leftover debug infof() calls
• pop3: check for CAPA responses case insensitively
• pop3: fix CAPA response termination detection
• pop3: function could get the ->transfer field wrong
• pytest: skip specific tests for no-verbose builds
• quic: fix min TLS version handling
• quic: ignore EMSGSIZE on receive
• quic: improve UDP GRO receives
• quic: remove data_idle handling
• quiche: fix possible leaks on teardown
• quiche: fix verbose message when ip quadruple cannot be obtained.
• quiche: handle tls fail correctly
• quiche: when ingress processing fails, return that error code
• rtsp: use explicit postfieldsize if specified
• runtests: tag tests that require curl verbose strings
• rustls: exit on error
• rustls: fix clang-tidy warning
• rustls: fix comment describing cr_recv()
• rustls: limit snprintf proper in cr_keylog_log_cb()
• rustls: make read_file_into not reject good files
• rustls: pass the correct result to rustls_failf
• rustls: typecast variable for safer trace output
• rustls: use %zu for size_t in failf() format string
• sasl: clear canceled mechanism instead of toggling it
• schannel: assign result before using it
• schannel: fix memory leak
• schannel: handle Curl_conn_cf_send() errors better
• schannel: lower the maximum allowed time to block to 7 seconds
• schannel: properly close the certfile on error
• schannel_verify: do not call infof with an appended \n
• schannel_verify: fix mem-leak in Curl_verify_host
• schannel_verify: use more human friendly error messages
• scp/sftp: fix disconnect
• scripts: pass -- before passing xargs
• setopt: accept *_SSL_VERIFYHOST set to 2L
• setopt: allow CURLOPT_DNS_CACHE_TIMEOUT set to -1
• setopt: fix unused variable warning in minimal build
• setopt: make CURLOPT_MAXREDIRS accept -1 (again)
• singleuse.pl: fix string warning
• smb: adjust buffer size checks
• smb: transfer debugassert to real check
• smtp: check EHLO responses case insensitively
• smtp: fix EOB handling
• smtp: return value ignored
• socks: advance iobuf instead of reset
• socks: avoid UAF risk in error path
• socks: deny server basic-auth if not configured
• socks: handle error in verbose trace gracefully
• socks: handle premature close
• socks: make Curl_blockread_all return CURLcode
• socks: properly maintain the status of 'done'
• socks: rewwork, cleaning up socks state handling
• socks_gssapi: also reset buffer length after free
• socks_gssapi: make the gss_context a local variable
• socks_gssapi: reject too long tokens
• socks_gssapi: remove superfluous releases of the gss_recv_token
• socks_gssapi: remove the forced "no protection"
• socks_gssapi: replace `gss_release_buffer()` with curl free
• socks_sspi: bail out on too long fields
• socks_sspi: fix memory cleanup calls
• socks_sspi: remove the enforced mode clearing
• socks_sspi: restore non-blocking socket on error paths
• socks_sspi: use the correct free function
• socksd: remove --bindonly mention, there is no such option
• spelling: fix new finds by typos-cli 1.39.0
• src/var: remove dead code
• ssl-session-cache: check use on config and availability
• ssl-sessions.md: mark option experimental
• strerror: drop workaround for SalfordC win32 header bug
• sws: fix checking sscanf() return value
• sws: pass in socket reference to allow function to close it
• tcp-nodelay.md: expand the documentation
• telnet: ignore empty suboptions
• telnet: make bad_option() consider NULL a bad option too
• telnet: make printsub require another byte input
• telnet: print DISPlay LOCation in printsub without mutating buffer
• telnet: refuse IAC codes in content
• telnet: return error if WSAEventSelect fails
• telnet: return error on crazy TTYPE or XDISPLOC lengths
• telnet: send failure logged but not returned
• telnet: use pointer[0] for "unknown" option instead of pointer[i]
• test1100: fix missing `<protocol>` section
• tests/libtest/cli*: fix init/deinit, leaks, and more
• tests/server: drop pointless memory allocation overrides
• tests/server: drop unsafe open() override in signal handler (Windows)
• tftp: check and act on tftp_set_timeouts() returning error
• tftp: check for trailing ";mode=" in URL without strstr
• tftp: default timeout per block is now 15 seconds
• tftp: error requests for blank filenames
• tftp: handle tftp_multi_statemach() return code
• tftp: pin the first used address
• tftp: propagate expired timer from tftp_state_timeout()
• tftp: return error if it hits an illegal state
• tftp: return error when sendto() fails
• thread: errno on thread creation
• tidy-up: assortment of small fixes
• tidy-up: avoid using the reserved macro namespace
• tidy-up: fcntl.h includes
• tidy-up: update MS links, allow long URLs via checksrc
• tidy-up: URLs
• time-cond.md: refer to the singular curl_getdate man page
• TLS: IP address verification, extend test
• TODO: fix a typo
• TODO: remove already implemented or bad items
• tool: fix exponential retry delay
• tool_cb_hdr: fix fwrite check in header callback
• tool_cb_hdr: size is always 1
• tool_cb_rea: use poll instead of select if available
• tool_cfgable: remove superfluous free calls
• tool_doswin: fix to use curl socket functions
• tool_filetime: cap crazy file times instead of erroring
• tool_filetime: replace cast with the fitting printf mask (Windows)
• tool_formparse: rewrite the headers file parser
• tool_getparam/set_rate: skip the multiplication on overflow
• tool_getparam: always disable "lib-ids" for tracing
• tool_getparam: make --fail and --fail-with-body override each other
• tool_getparam: warn if provided header looks malformed
• tool_ipfs: check the return value of curl_url_get for gwpath
• tool_ipfs: simplify the ipfs gateway logic
• tool_msgs: make errorf() show if --show-error
• tool_operate: improve wording in retry message
• tool_operate: keep failed partial download for retry auto-resume
• tool_operate: keep the progress meter for --out-null
• tool_operate: move the checks that skip ca cert detection
• tool_operate: retry on HTTP response codes 522 and 524
• tool_operate: return error on strdup() failure
• tool_paramhlp: remove outdated comment in str2tls_max()
• tool_parsecfg: detect and error on recursive --config use
• tool_progress: handle possible integer overflows
• tool_progress: make max5data() use an algorithm
• transfer: avoid busy loop with tiny speed limit
• transfer: fix retry for empty downloads on reuse
• transfer: reset retry count on each request
• unit1323: sync time types and printf masks, drop casts
• unit1664: drop casts, expand masks to full values
• url: make Curl_init_userdefined return void
• urldata: FILE is not a list-only protocol
• urldata: make 'retrycount' a single byte
• urldata: make redirect counter 16 bit
• vauth/digest: improve the digest parser
• version: add GSS backend name and version
• vquic: fix idle-timeout checks (ms<-->ns), 64-bit log & honor 0=no-timeout
• vquic: fix recvmsg loop for max_pkts
• vquic: handling of io improvements
• vquic: sending non-gso packets fix for EAGAIN
• vtls: alpn setting, check proto parameter
• vtls: check final cfilter node in find_ssl_filter
• vtls: drop duplicate `CURL_SHA256_DIGEST_LENGTH` definition
• vtls: properly handle SSL shutdown timeout
• vtls: remove call to PKCS12_PBE_add()
• vtls: unify the error handling in ssl_cf_connect().
• vtls_int.h: clarify data_pending
• vtls_scache: fix race condition
• wcurl: sync to +dev snapshot
• windows: replace _beginthreadex() with CreateThread()
• windows: stop passing unused, optional argument for Win9x compatibility
• windows: use consistent format when showing error codes
• windows: use native error code types more
• wolfssl: check BIO read parameters
• wolfssl: clear variable to avoid uninitialized use
• wolfssl: fix error check in shutdown
• wolfssl: fix resource leak in verify_pinned error paths
• wolfssl: no double get_error() detail
• ws: clarify an error message
• ws: fix some edge cases
• ws: fix type conversion check
• ws: reject curl_ws_recv called with NULL buffer with a buflen

Further