Pending RELEASE-NOTES for the upcoming release
This is a work in progress and will see changes before the release goes public on 2026-03-11.
Changes:
- BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026
- cmake: add `CURL_BUILD_EVERYTHING` option
- mqtt: initial support for MQTTS
- tool: support fractions for --limit-rate and --max-filesize
- tool_cb_hdr: with -J, use the redirect name as a backup
- vquic: drop support for OpenSSL-QUIC
- windows: add build option to use the native CA store
- windows: bump minimum to Vista (from XP)
Bugfixes:
- altsvc: only accept 17 byte dates from files
- asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails
- build: check `MSG_NOSIGNAL` directly, drop detection and interim macro
- build: constify `memchr()`/`strchr()`/etc result variables (cont.)
- build: detect and include `inttypes.h` again
- build: drop duplicate C includes
- build: drop global suppression of `-Wformat-nonliteral`, fix fallouts
- build: fix `-Wunused-macros` warnings, and related tidy-ups
- build: fully omit verbose strings and code when disabled
- build: globally suppress DJGPP warnings in `FD_SET()`
- build: merge TrackMemory (`CURLDEBUG`) into debug-enabled option
- build: move curl stat struct type to the curlx namespace
- build: opt-in MSVC to C99-style verbose logging logic
- build: require POSIX `strdup()`
- build: tidy up and dedupe `strdup` functions
- cf-socket: use SOCK_CLOEXEC in socket_open when available
- checksrc-all.pl: skip non-repository files
- checksrc: do not apply `BANNEDFUNC` to struct member functions
- checksrc: warn for leading spaces before the preprocessor hash
- cmake/FindMbedTLS: add workaround for missing static MSVC `mbedcrypto.lib` 4.0.0
- cmake: add `CURL_DROP_UNUSED` option to reduce binary sizes
- cmake: always define `CURL::win32_winsock` on Windows in `curl-config.cmake`
- cmake: enable binutils ld workaround for all toolchains at build-time
- cmake: fix logic for openssl/zlib binutils ld workaround
- cmake: normalize uppercase hex winver (for display)
- cmake: reference OpenSSL and ZLIB imported targets only when enabled
- cmake: silence silly Apple clang warnings in C89 mode, test in CI
- cmake: silence useless compiler warnings triggered by the FASTBuild generator
- cmake: skip binutils ld hack if zlib/openssl target is not `IMPORTED`
- cmake: warn for invalid `CURL_TARGET_WINDOWS_VERSION` values
- cmake: add `*_USE_STATIC_LIBS` options for 9 dependencies
- config-plan9: set `HAVE_STDINT_H` again
- config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST
- config2setopts: fix for --disable-aws build configuration
- curl: add -I and -i to -h important
- curl: limit Windows-specific code to Windows builds, other tidy-ups
- curl_easy_nextheader.md: a new transfer invalidates 'prev'
- curl_get_line: drop single-use macro
- curl_multi_perform.md: resolve inconsistency
- curl_ntlm_core: merge two `#if` blocks
- curl_setup.h: drop extra header guard for internal include
- curl_setup.h: merge back single-use internal header `curl_setup_once.h`
- curl_setup.h: simplify curl memory macro mappings
- curl_setup_once: allow CURL_DEBUGASSERT for customization
- CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md: fix available protocols
- curlx: drop unused `curlx_saferealloc()`
- digest: escape double quotes and backslashes in realm and nonce
- digest: handle quotes in the path
- docs/INSTALL: update configure details
- docs/libcurl: unify WARNING use
- docs: add LibreELEC to DISTROS.md
- docs: clarify --ipv4 and --ipv6
- docs: document the need for a 64-bit type and stdint.h
- docs: explicitly call out Slowloris as not a security flaw
- docs: fix grammar nitpicks
- docs: reword explanation of --variable option
- easy: reset errorbuf on eyeballing success
- examples/usercertinmem: use modern OpenSSL API, drop mentions of RSA
- examples: omit forward declarations, apply misc fixes
- fopen.h: simplify curl memory macro mappings
- ftp: replace a `curlx_free()` with `curlx_dyn_free()`
- GOVERNANCE.md: Post-Daniel BDFL
- gss: exclude verbose error logic from non-verbose builds
- h2+h3: align stream close handling
- hostip.c: fix leak of addrinfo
- hostip6: remove debug-only code
- hostip: fix unreachable code in rare build configuration
- http/3: add description for known server error codes
- http_aws_sigv4: fix query normalization of %2b
- imap: add a check for Curl_meta_get()
- imap: check `imap_sendf()` printf masks at compile-time
- imap: skip literals inside quoted strings
- include: avoid recursive macros
- include: mask computed auth/proto bitmasks to 32 bits
- INSTALL-CMAKE.md: document Apple framework options
- INSTALL.md: suggest `-Wl,-dead_strip` for Apple targets
- KNOWN_BUGS.md: absolute Unix domain filename for SOCKS on Windows
- ldap: silence potential unused variable warning (OS400)
- lib: delete unused local includes
- lib: disable websockets early if no http
- lib: make sigpipe handling more lazy
- lib: reorder protocol functions to avoid forward declarations (email)
- lib: reorder protocol functions to avoid forward declarations (ftp)
- lib: reorder protocol functions to avoid forward declarations (misc cont.)
- lib: reorder protocol functions to avoid forward declarations (misc)
- lib: reorder protocol functions to avoid forward declarations (ssh)
- lib: separate scheme info from protocol implementation
- lib: skip compiling code with features disabled
- lib: use (u)int64_t instead of long long
- libcurl docs: reduce 'since ...' in descriptions
- libcurl-security.md: fix typos and add a point about URLs
- libtests: drop two redundant `memset()`s
- Makefile.am: delete RPM targets referencing non-existent files
- Makefile.am: drop stray VC project files from dist
- mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
- mbedtls: remove newline from failf() call
- md4, md5: drop redundant forward declarations
- md4, md5: replace custom types with `uint32_t`
- memdebug: include `backtrace.h` as system header
- mime: drop fallback for unused `R_OK` macro
- mimepost: allocate main struct on-demand
- mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos
- mod_curltest: silence unused argument compiler warning
- mprintf: drop old sprintf fallback
- mprintf: rename internal enum to avoid collision with AmigaOS symbol
- mqtt: better too-big-message-check
- mqtt: verify Remaining Length for CONNACK and PUBACK
- msvc: drop exception, make `BIT()` a bitfield with Visual Studio
- msvc: VS2026: unlock picky warning in cmake, test in CI
- multi: probe for IPv6 functionality in multi_init()
- multi: split multi_runsingle into sub functions
- multi: update timer unconditionally in multi_remove_handle
- ngtcp2: stabilize recv
- noproxy: simplify, don't mix const non-const in strchr()
- openldap: avoid forward declarations in ldaps code
- OpenSSL: check reuse of sessions for verify status
- openssl: disable local keylog feature if built-in upstream
- plan9: drop special build and orphaned references
- pytest: remove 03_02
- ratelimit: download finetune
- REUSE: drop broken reference to `MAIL-ETIQUETTE`
- rtspd: fix to check `realloc()` result
- runtests: pass config filename to stunnel in native format (Windows)
- schannel: refactor: reduce variable scopes, fix comment, fix indent
- send: drop `CURL_UNCONST()` from buffer argument on most platforms
- setopt: fix checking range for CURLOPT_MAXCONNECTS
- setup-os400.h: drop no longer used custom type `u_int32_t`
- sigpipe: unset SA_SIGINFO since it is using sa_handler
- smb: include arpa/inet.h for NonStop
- socket: check result of SO_NOSIGPIPE
- socketpair: set SO_NOSIGPIPE where possible
- src: simplify declaring `curl_ca_embed`
- ssh: dedupe state change function
- sws: prevent "connection monitor" from saying disconnect twice
- tests/server/sockfilt: avoid possible endless loop on Windows
- tests/server: tidy-up error messages (Windows)
- tests: avoid assignment in `if` conditions in `first.h`
- tests: convert base64 data to %b64[]
- tftp: correct the filename length check
- timeout handling: auto-detect effective timeout
- tls: add new SSLSUPP flags for several options
- tls: remove checks for DEFAULT
- tool: enable header separation for HTTPS proxies
- tool: improve error/warning messages when output filename sanitization fails
- tool: rename curl handle and result variable in `--libcurl`-generated code
- tool: return code variable consistency
- tool_cb_hdr: suppress header output when --out-null
- tool_cb_prg: drop duplicate preprocessor logic
- tool_dirhie: drop superfluous `F_OK` fallback (Windows)
- tool_doswin: avoid Windowsisms in socket code (cont.)
- tool_doswin: avoid Windowsisms in socket code
- tool_doswin: document `ENABLE_VIRTUAL_TERMINAL_PROCESSING` toolchain support
- tool_getparam: avoid `-Wcomma` with Apple clang in C89 mode
- tool_operate: remove 'else' for VMS
- typos: silence false positives found in C code
- url.c: code/comment cleanup around conn creation
- url.h: fix `-Wdocumentation`
- url: fix reuse of connections using HTTP Negotiate
- urldata.h: remove two forward-declared structs not used
- urldata: change 'keep_post' into three distinct bitfields
- urldata: convert 'long' fields to fixed variable types
- urldata: switch to uint* types
- verbose.md: explain the { and } prefixes
- vquic: handle SOCKEMSGSIZE correctly
- vtls: dedupe common on-session-reuse logic
- vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests
- VULN-DISCLOSURE-POLICY.md: push reports to the web form
- winapi: use FormatMessageA instead of FormatMessageW
- windows: `USE_WINSOCK` to guard winsock2 code (where missing)
- windows: tidy up `wincrypt.h` / BoringSSL/AWS-LC coexist workaround
- wolfssl: fix build without USE_BIO_CHAIN
- ws/tftp: include header file even when protocol disabled
Contributors:
Andrew Kvalheim, Anna Liberty, Arnav Purushotam, Arnav-Purushotam-CUBoulder, Billy O'Neal, calm329, Christian Schmitz, Christian Schmitza, cooldadpresident on github, Dag Haavi Finstad, Dan Fandrich, Daniel Gustafsson, Daniel Lublin, Daniel Stenberg, Daniil Gentili, dEajL3kA, dependabot[bot], Frank Buss, gudyuu on hackerone, Itay Bookstein, Jacek Migacz, James Fuller, Jan Macku, jhauga, Joshua Vandaële, Juan Belon, Kai Pastor, Maksim Ściepanienka, Marcel Raad, Megamouse on github, Michał Antoniak, nono303 on github, Nuno Goncalves, Patrick Monnerat, Paul Howarth, programmerlexi on github, Randall S. Becker, Ray Satiro, renovate[bot], Rudi Heitbaum, Sascha Frinken, Spenser Black, Stefan Eissing, tawmoto on github, Tenant HellTower, Thibault de Villèle, Tim Friedrich Brüggemann, Tomáš Malý, tommy, Viktor Szakats, Wyuer on github, z2_, Zhicheng Chen, Йоте