Pending RELEASE-NOTES for the upcoming release

This is work in progress and seeing changes before the release goes public on 2026-03-11.

Changes:

• BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026
• cmake: add `CURL_BUILD_EVERYTHING` option
• mqtt: initial support for MQTTS
• tool: support fractions for --limit-rate and --max-filesize
• tool_cb_hdr: with -J, use the redirect name as a backup
• vquic: drop support for OpenSSL-QUIC
• windows: add build option to use the native CA store
• windows: bump minimum to Vista (from XP)

Bugfixes:

• altsvc: only accept 17 byte dates from files
• asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails
• build: check `MSG_NOSIGNAL` directly, drop detection and interim macro
• build: constify `memchr()`/`strchr()`/etc result variables (cont.)
• build: detect and include `inttypes.h` again
• build: drop duplicate C includes
• build: drop global suppression of `-Wformat-nonliteral`, fix fallouts
• build: fully omit verbose strings and code when disabled
• build: globally suppress DJGPP warnings in `FD_SET()`
• build: merge TrackMemory (`CURLDEBUG`) into debug-enabled option
• build: move curl stat struct type to the curlx namespace
• build: opt-in MSVC to C99-style verbose logging logic
• build: require POSIX `strdup()`
• build: tidy up and dedupe `strdup` functions
• cf-socket: use SOCK_CLOEXEC in socket_open when available
• checksrc-all.pl: skip non-repository files
• checksrc: do not apply `BANNEDFUNC` to struct member functions
• checksrc: warn for leading spaces before the preprocessor hash
• cmake: add `CURL_DROP_UNUSED` option to reduce binary sizes
• cmake: always define `CURL::win32_winsock` on Windows in `curl-config.cmake`
• cmake: enable binutils ld workaround for all toolchains at build-time
• cmake: fix logic for openssl/zlib binutils ld workaround
• cmake: reference OpenSSL and ZLIB imported targets only when enabled
• cmake: silence silly Apple clang warnings in C89 mode, test in CI
• cmake: silence useless compiler warnings triggered by the FASTBuild generator
• cmake: skip binutils ld hack if zlib/openssl target is not `IMPORTED`
• cmke: add `*_USE_STATIC_LIBS` options for 9 dependencies
• config-plan9: set `HAVE_STDINT_H` again
• config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST
• config2setopts: fix for --disable-aws build configuration
• curl: add -I and -i to -h important
• curl: limit Windows-specific code to Windows builds, other tidy-ups
• curl_easy_nextheader.md: a new transfer invalidates 'prev'
• curl_get_line: drop single-use macro
• curl_multi_perform.md: resolve inconsistency
• curl_setup.h: drop extra header guard for internal include
• curl_setup.h: merge back single-use internal header `curl_setup_once.h`
• curl_setup.h: simplify curl memory macro mappings
• curl_setup_once: allow CURL_DEBUGASSERT for customization
• CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md: fix available protocols
• curlx: drop unused `curlx_saferealloc()`
• digest: escape double quotes and backslashes in realm and nonce
• digest: handle quotes in the path
• docs/INSTALL: update configure details
• docs/libcurl: unify WARNING use
• docs: add LibreELEC to DISTROS.md
• docs: document the need for a 64-bit type and stdint.h
• docs: explicitly call out Slowloris as not a security flaw
• docs: fix grammar nitpicks
• examples: omit forward declarations, apply misc fixes
• fopen.h: simplify curl memory macro mappings
• ftp: replace a `curlx_free()` with `curlx_dyn_free()`
• GOVERNANCE.md: Post-Daniel BDFL
• gss: exclude verbose error logic from non-verbose builds
• h2+h3: align stream close handling
• hostip.c: fix leak of addrinfo
• hostip6: remove debug-only code
• hostip: fix unreachable code in rare build configuration
• http/3: add description for known server error codes
• http_aws_sigv4: fix query normalization of %2b
• imap: add a check for Curl_meta_get()
• imap: check `imap_sendf()` printf masks at compile-time
• imap: skip literals inside quoted strings
• include: mask computed auth/proto bitmasks to 32 bits
• INSTALL-CMAKE.md: document Apple framework options
• INSTALL.md: suggest `-Wl,-dead_strip` for Apple targets
• KNOWN_BUGS.md: absolute Unix domain filename for SOCKS on Windows
• ldap: silence potential unused variable warning (OS400)
• lib: disable websockets early if no http
• lib: make sigpipe handling more lazy
• lib: reorder protocol functions to avoid forward declarations (email)
• lib: reorder protocol functions to avoid forward declarations (ftp)
• lib: reorder protocol functions to avoid forward declarations (misc cont.)
• lib: reorder protocol functions to avoid forward declarations (misc)
• lib: reorder protocol functions to avoid forward declarations (ssh)
• lib: separate scheme info from protocol implementation
• lib: use (u)int64_t instead of long long
• libcurl docs: reduce 'since ...' in descriptions
• Makefile.am: delete RPM targets referencing non-existent files
• Makefile.am: drop stray VC project files from dist
• mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
• mbedtls: remove newline from failf() call
• md4, md5: drop redundant forward declarations
• md4, md5: replace custom types with `uint32_t`
• mime: drop fallback for unused `R_OK` macro
• mimepost: allocate main struct on-demand
• mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos
• mod_curltest: silence unused argument compiler warning
• mprintf: drop old sprintf fallback
• mqtt: better too-big-message-check
• mqtt: verify Remaining Length for CONNACK and PUBACK
• msvc: drop exception, make `BIT()` a bitfield with Visual Studio
• multi: probe for IPv6 functionality in multi_init()
• multi: update timer unconditionally in multi_remove_handle
• ngtcp2: stabilize recv
• noproxy: simplify, don't mix const non-const in strchr()
• openldap: avoid forward declarations in ldaps code
• OpenSSL: check reuse of sessions for verify status
• plan9: drop special build and orphaned references
• pytest: remove 03_02
• ratelimit: download finetune
• REUSE: drop broken reference to `MAIL-ETIQUETTE`
• runtests: pass config filename to stunnel in native format (Windows)
• send: drop `CURL_UNCONST()` from buffer argument on most platforms
• setopt: fix checking range for CURLOPT_MAXCONNECTS
• setup-os400.h: drop no longer used custom type `u_int32_t`
• sigpipe: unset SA_SIGINFO since it is using sa_handler
• socket: check result of SO_NOSIGPIPE
• socketpair: set SO_NOSIGPIPE where possible
• ssh: dedupe state change function
• sws: prevent "connection monitor" to say disconnect twice
• tests/server/sockfilt: avoid possible endless loop on Windows
• tests/server: tidy-up error messages (Windows)
• tests: convert base64 data to %b64[]
• tftp: correct the filename length check
• timeout handling: auto-detect effective timeout
• tls: add new SSLSUPP flags for several options
• tls: remove checks for DEFAULT
• tool: enable header separation for HTTPS proxies
• tool: improve error/warning messages when output filename sanitization fails
• tool: rename curl handle and result variable in `--libcurl`-generated code
• tool: return code variable consistency
• tool_cb_hdr: suppress header output when --out-null
• tool_cb_prg: drop duplicate preprocessor logic
• tool_dirhie: drop superfluous `F_OK` fallback (Windows)
• tool_doswin: avoid Windowsisms in socket code (cont.)
• tool_doswin: avoid Windowsisms in socket code
• tool_doswin: document `ENABLE_VIRTUAL_TERMINAL_PROCESSING` toolchain support
• tool_getparam: avoid `-Wcomma` with Apple clang in C89 mode
• tool_operate: remove 'else' for VMS
• typos: silence false positives found in C code
• url.c: code/comment cleanup around conn creation
• url.h: fix `-Wdocumentation`
• url: fix reuse of connections using HTTP Negotiate
• urldata.h: remove two forward-declared structs not used
• urldata: change 'keep_post' into three distinct bitfields
• urldata: convert 'long' fields to fixed variable types
• urldata: switch to uint* types
• verbose.md: explain the { and } prefixes
• vquic: handle SOCKEMSGSIZE correctly
• vtls: dedupe common on-session-reuse logic
• vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests
• VULN-DISCLOSURE-POLICY.md: push reports to the web form
• winapi: use FormatMessageA instead of FormatMessageW
• windows: `USE_WINSOCK` to guard winsock2 code (where missing)
• wolfssl: fix build without USE_BIO_CHAIN

Contributors:

Andrew Kvalheim, Arnav Purushotam, Arnav-Purushotam-CUBoulder, Billy O'Neal, calm329, Christian Schmitz, Christian Schmitza, cooldadpresident on github, Dag Haavi Finstad, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, Daniil Gentili, dEajL3kA, dependabot[bot], Frank Buss, gudyuu on hackerone, Itay Bookstein, Jacek Migacz, James Fuller, Jan Macku, jhauga, Joshua Vandaële, Juan Belon, Kai Pastor, Maksim Ściepanienka, Megamouse on github, Michał Antoniak, Nuno Goncalves, Patrick Monnerat, programmerlexi on github, Ray Satiro, renovate[bot], Rudi Heitbaum, Sascha Frinken, Spenser Black, Stefan Eissing, Tenant HellTower, Thibault de Villèle, Tomáš Malý, tommy, Viktor Szakats, Wyuer on github, z2_, Zhicheng Chen, Йоте