Pending RELEASE-NOTES for the upcoming release

This is work in progress and seeing changes before the release goes public on 2026-06-24.

Changes:

• curl: named globs in output file name for upload glob references
• http2: remove stream dependency tracking
• lib: drop support for CURLAUTH_DIGEST_IE
• libssh: add support for SHA256 host public keys
• tool_urlglob: add named globs

Bugfixes:

• asyn-thrdd: fix result processing without wakeup socketpair
• BUFQ.md: re-sync with source code
• build: omit zlib pkg-config reference for Android
• cf-h2-prox: fix peer leak
• cf-h2-proxy: drop interim responses
• cfilters: fix busy loop on blocked transfers
• cmake: auto-select static nghttp2/nghttp3/ngtcp2 Config
• cmake: export/forward `NGTCP2_CRYPTO_BACKEND`
• cmake: fix three issues generating lib options in config files
• cmake: fix zstd CMake config name
• cmake: opt in `MSVC_VERSION` 1951 to picky warnings
• cmake: quote `COMPONENTS` string in `curl-config.in.cmake`
• connect: remove deref of freed pointer in trace call
• cookie: compare path case sensitively
• cookie: simplify strstore(), remove outdated comment
• cookie: trim trailing dots when checking PSL
• creds: add sasl service name
• creds: mask OAuth bearer token in trace logs
• curl_easy_pause.md: rephrase the stream cache when pause clause
• curl_easy_setopt.md: change options when no transfer runs
• curl_ntlm_core: fix nettle 4+ builds in certain MultiSSL combos
• curl_ntlm_core: propagate DES `CryptEncrypt()` error
• CURLOPT_ECH.md: simplify the description language
• CURLOPT_HAPROXYPROTOCOL.md: only sent for newly setup connections
• CURLOPT_MAXFILESIZE: clarify this also works for on-going transfers
• CURLOPT_SHARE: warn about early remove
• CURLOPT_SSH_HOSTKEYFUNCTION.md: for new connections only
• delta: harden external command invocations
• docs/libcurl: fix the version for curl_multi_socket_action
• docs: end "...can be used several times..." sentences with period
• docs: fix --follow doc typo
• docs: fix a couple of typos
• docs: fix grammar and wording in FAQ
• docs: note CURLOPT_PINNEDPUBLICKEY has no effect on legacy LDAP backend
• ECH: cleanups
• event: fix wakeup consumption
• ftp: avoid accessing EPSV response one byte past the NULL
• ftp: remove 2 Curl_resolv_blocking() calls
• ftp: remove bits.ftp_use_control_ssl
• gnutls: allow building with nettle 4.0
• gnutls: fix more nettle 4+ compatibility issues
• gsasl: fix potential double free
• gtls: fix some typos
• hostip: remove unused MAX_HOSTCACHE_LEN and MAX_DNS_CACHE_SIZE
• idn: replace header guards with forward declaration
• KNOWN_BUGS.md: remove fixed GnuTLS <-> OpenSSL incompat bug
• ldap: fix minor leak on write callback error
• ldap: fix to not leak `attribute` on OOM (WinLDAP)
• lib678: fix to not be perma-skipped
• lib: make `__STDC_VERSION__` literals `L` (where missing)
• lib: two minor typos
• libcurl-easy.md: minor clarifications
• managen: apply minor fixes and improvements
• mbedtls: null-terminate the private key blob
• mk-unity.pl: `#include`, and not concatenate input headers
• mqtt: validate PINGRESP and DISCONNECT have remaining_length == 0
• multi: silence gcc 16 `-Wnull-dereference`, bump CI job to test
• netrc: scanner refactor
• pythonlint.sh: make it fail on error, fix ruff warnings in pytest
• rtsp: bump buf after rtsp_filter_rtp()
• runner.pm: apply minor correctness fix
• runner.pm: set `CURL_TESTNUM` for `precheck` commands
• rustls: error on CURLOPT_CRLFILE with native CA store
• schannel: enforce Extended Key Usage for custom CA roots
• schannel: fix revoke_best_effort setting for proxy
• schannel_verify: avoid out of blob access
• scripts: catch Credits-to contributors
• setopt: changing the proxy port is also a proxy change
• setopt: clear proxy auth properly on NULL
• setopt: fix to honor `CURLOPT_PROXY_CAINFO_BLOB` over Native CA
• setopt: gate a few proxy TLS options by checking backend support
• setopt: more careful cleanup of the HSTS cache
• show-headers.md: mention bold headers and --no-styled-output
• snpego_sspi: preserve distinction btw policy-only and uncond delegation
• spnego_sspi: honor CURLOPT_GSSAPI_DELEGATION for Windows SSPI
• src: fix comment typos
• SSLCERTS: document 8.19.0 default Native CA builds (Windows)
• sspi: clear SSPI credentials on AcquireCredentialsHandle failure
• test1588: use %TESTNUMBER, not hard-coded number
• tests: add an assert to avoid IPC blocking
• tests: fix unit1636 with --disable-progress-meter
• tftp: stricter option name checks
• tidy-up: miscellaneous
• tls: fix incomplete mTLS config in conn reuse and session cache
• tool_formparse.c: fix two minor comment typos
• tool_formparse: polish error message + make two functions static
• tool_formparse: tool2curlparts is no longer recursive
• tool_urlglob: avoid overflow at end of range
• tool_urlglob: better 'Duplicate glob name' position
• tool_urlglob: make globbing error reported for correct position
• unix-sockets: ignore proxy settings
• url: compare full origin when setting credentials
• url: detect proxy changes read from environment
• url: fix connection reuse for starttls protocols
• url: keep the question mark for empty queries
• url: remove ssh_config_matches
• url: remove superfluous check
• url: url_match_destination fix
• urlapi: change more lowercase percent-encoded to uppercase
• urlapi: compare zone-id in Curl_url_same_origin()
• urlapi: consume trailing dots after IPv4 numerical addresses
• urlapi: deny hostnames with more than one trailing dot
• urlapi: fix redirect handling if CURLU_NO_GUESS_SCHEME is set
• urlapi: handle redirect without set scheme with default-scheme
• user-agent.md: mention double quotes too
• vtls: use Curl_safecmp for CRLfile and pinned_key comparison
• vtls_scache: include signature_algorithms in the SSL peer cache key
• VULN-DISCLOSURE-POLICY.md: test code is not secure
• websockets: auto-tunnel through http proxy
• windows: update MS SDK versions in comments
• x509asn1: fix DH public key parameter extraction
• x509asn1: fix operator order in do_pubkey

Contributors:

0xN3R3K3, 11soda11, Alan De Smet, amitbidlan, Andrei Rybak, Andrew Nesbitt, Bastian Jesuiter, Bill Mill, chrizilla on github, co-authors in libssh2, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, Dario Vinella, dependabot[bot], Earnestly on github, Elise Vance, Emanuel Krollmann, Fabian Keil, Harry Sintonen, jeffhuang, Jeremy Nicoll, Joshua Rogers, Kai Pastor, Mark Esler, mulan_dh on hackerone, parasol-aser, penpal, Raymond Steen, Ray Satiro, renovate[bot], Sergio Correia, sfan5 on github, Shintomon Mathew, Sollace on github, Song X. Gao, Stefan Eissing, Tim Martin, Viktor Szakats, Will Cosgrove, Xi Ruoyao, x-xiang on github