Pending RELEASE-NOTES for the upcoming release

This is work in progress and will change before the release goes public on 2025-11-05.

Changes:

• build: drop Heimdal support
• build: drop the winbuild build system
• krb5: drop support for Kerberos FTP
• libssh2: up the minimum requirement to 1.9.0
• multi: add notifications API
• progress: expand to use 6 characters per size
• ssl: support Apple SecTrust configurations
• tool_getparam: add --knownhosts
• vssh: drop support for wolfSSH
• wcurl: import v2025.09.27
• write-out: make %header{} able to output *all* occurrences of a header

Bugfixes:

• ares: fix leak in tracing
• asyn-ares: use the duped hostname pointer for all calls
• asyn-thrdd resolver: clear timeout when done
• asyn-thrdd: drop pthread_cancel
• autotools: add support for libgsasl auto-detection via pkg-config
• autotools: capitalize 'Rustls' in the log output
• autotools: fix duplicate `UNIX` and `BSD` flags in `buildinfo.txt`
• autotools: fix silly mistake in clang detection for `buildinfo.txt`
• autotools: make `--enable-code-coverage` support llvm/clang
• aws-lc: re-enable large read-ahead with v1.61.0 again
• base64: accept zero length argument to base64_encode
• build: address some `-Weverything` warnings, update picky warnings
• build: avoid overriding system `open` and `stat` symbols
• build: avoid overriding system symbols for fopen functions
• build: avoid overriding system symbols for socket functions
• build: show llvm/clang in platform flags and `buildinfo.txt`
• cf-h2-proxy: break loop on edge case
• cf-ip-happy: mention unix domain path, not port number
• cf-socket: always check Curl_cf_socket_peek() return code
• cf-socket: check params and remove accept procondition
• cf-socket: tweak a memcpy() to read better
• cf-socket: use the right byte order for ports in bindlocal
• cfilter: unlink and discard
• checksrc: catch banned functions when preceded by `(`
• checksrc: fix possible endless loop when detecting `BANNEDFUNC`
• checksrc: fix possible endless loops/errors in the banned function logic
• checksrc: fix to handle `)` predecing a banned function
• checksrc: reduce directory-specific exceptions
• cmake/FindGSS: fix `pkg-config` fallback logic for CMake <3.16
• cmake/FindGSS: whitespace/formatting
• cmake: add `CURL_CODE_COVERAGE` option
• cmake: build the "all" examples source list dynamically
• cmake: clang detection tidy-ups
• cmake: drop exclamation in comment looking like a name
• cmake: fix building docs when the base directory contains `.3`
• cmake: minor Heimdal flavour detection fix
• cmake: support building some complicated examples, build them in CI
• cmake: use modern alternatives for `get_filename_component()`
• cmake: use more `COMPILER_OPTIONS`, `LINK_OPTIONS` / `LINK_FLAGS`
• cmdline-docs: extended, clarified, refreshed
• cmdline-opts/_PROGRESS.md: explain the suffixes
• configure: add "-mt" for pthread support on HP-UX
• cookie: avoid saving a cookie file if no transfer was done
• cpool: make bundle->dest an array; fix UB
• curl_easy_getinfo: error code on NULL arg
• curl_mem_undef.h: limit to `CURLDEBUG` for non-memalloc overrides
• curl_osslq: error out properly if BIO_ADDR_rawmake() fails
• Curl_resolv: fix comment. 'entry' argument is not optional
• curl_slist_append.md: clarify that a NULL pointer is not acceptable
• CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well
• CURLOPT_COOKIEFILE.md: clarify when the cookies are loaded
• CURLOPT_HEADER/WRITEFUNCTION.md: drop '* size' since size is always 1
• CURLOPT_MAXLIFETIME_CONN: make default 24 hours
• CURLOPT_SSL_VERIFYHOST.md: add see-also to two other VERIFYHOST options
• CURLOPT_TIMECONDITION.md: works for FILE and FTP as well
• digest_sspi: fix two memory leaks in error branches
• dist: do not distribute `CI.md`
• docs/cmdline-opts: drop double quotes from GLOBBING and URL examples
• docs/libcurl: clarify some timeout option behavior
• docs/libcurl: remove ancient version references
• docs/libcurl: use lowercase must
• docs: fix/tidy code fences
• easy_getinfo: check magic, Curl_close safety
• examples/sessioninfo: cast printf string mask length to int
• examples/sessioninfo: do not disable security
• examples/synctime: make the sscanf not overflow the local buffer
• examples/usercertinmem: avoid stripping const
• examples: drop unused `curl/mprintf.h` includes
• examples: fix build issues in 'complicated' examples
• examples: fix two build issues surfaced with WinCE
• examples: fix two issues found by CodeQL
• examples: fix two more cases of `stat()` TOCTOU
• form.md: drop reference to MANUAL
• ftp: add extra buffer length check
• ftp: fix ftp_do_more returning with *completep unset
• ftp: fix port number range loop for PORT commands
• ftp: fix the 213 scanner memchr buffer limit argument
• ftp: improve fragile check for first digit > 3
• ftp: remove misleading comments
• gtls: avoid potential use of uninitialized variable in trace output
• hostip: don't store negative resolves due unrelated errors
• hostip: remove leftover INT_MAX check in Curl_dnscache_prune
• http2: check push header names by length first
• http2: cleanup pushed newhandle on fail
• http2: ingress handling edge cases
• http: handle user-defined connection headers
• http: make Content-Length parser more WHATWG
• httpsrr: free old pointers when storing new
• INSTALL-CMAKE.md: document useful build targets
• INTERNALS: drop Winsock 2.2 from the dependency list
• ip-happy: do not set unnecessary timeout
• ip-happy: prevent event-based stall on retry
• krb5: return appropriate error on send failures
• krb5_gssapi: fix memory leak on error path
• krb5_sspi: the chlg argument is NOT optional
• ldap: do not base64 encode zero length string
• ldap: tidy-up types, fix error code confusion
• lib: drop unused include and duplicate guards
• lib: fix build error and compiler warnings with verbose strings disabled
• lib: remove personal names from comments
• lib: upgrade/multiplex handling
• libcurl-multi.md: added curl_multi_get_offt mention
• libcurl-security.md: mention long-running connections
• libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume
• libssh2/sftp: fix resume corruption by avoiding O_APPEND with rresume
• libssh2/sftp_realpath: change state consistently
• libssh2: bail out on chgrp and chown number parsing errors
• libssh2: clarify that sshp->path is always at least one byte
• libssh2: drop two redundant null-terminations
• libssh2: error check and null-terminate in ssh_state_sftp_readdir_link()
• libssh2: fix return code for EAGAIN
• libssh: acknowledge SSH_AGAIN in the SFTP state machine
• libssh: clarify myssh_block2waitfor
• libssh: drop two unused assignments
• libssh: error on bad chgrp number
• libssh: error on bad chown number and store the value
• libssh: fix range parsing error handling mistake
• libssh: react on errors from ssh_scp_read
• libssh: return out of memory correctly if aprintf fails
• Makefile.example: fix option order
• Makefile.example: simplify and make it configurable
• managen: ignore version mentions < 7.66.0
• managen: render better manpage references/links
• managen: strict protocol check
• managen: verify the options used in example lines
• mbedtls: check result of setting ALPN
• mbedtls: handle WANT_WRITE from mbedtls_ssl_read()
• mdlinkcheck: reject URLs containing quotes
• memdup0: handle edge case
• multi.h: add CURLMINFO_LASTENTRY
• multi_ev: remove unnecessary data check that confuses analysers
• nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
• ngtcp2: check error code on connect failure
• ngtcp2: close just-opened QUIC stream when submit_request fails
• ngtcp2: compare idle timeout in ms to avoid overflow
• ngtcp2: fix early return
• ngtcp2: fix handling of blocked stream data
• ngtcp2: fix returns when TLS verify failed
• noproxy: fix the IPV6 network mask pattern match
• openldap: avoid indexing the result at -1 for blank responses
• openldap: check ber_sockbuf_add_io() return code
• openldap: check ldap_get_option() return codes
• openssl-quic: check results better
• openssl-quic: handle error in SSL_get_stream_read_error_code
• openssl-quic: ignore unexpected streams opened by server
• openssl: call SSL_get_error() with proper error
• openssl: clear retry flag on x509 error
• openssl: fail the transfer if ossl_certchain() fails
• openssl: fix build for v1.0.2
• openssl: fix peer certificate leak in channel binding
• openssl: make the asn1_object_dump name null terminated
• openssl: set io_need always
• openssl: skip session resumption when verifystatus is set
• OS400: fix a use-after-free/double-free case
• osslq: set idle timeout to 0
• pingpong: remove two old leftover debug infof() calls
• pytest: skip specific tests for no-verbose builds
• quic: fix min TLS version handling
• quic: ignore EMSGSIZE on receive
• quiche: fix possible leaks on teardown
• quiche: fix verbose message when ip quadruple cannot be obtained.
• quiche: handle tls fail correctly
• quiche: when ingress processing fails, return that error code
• runtests: tag tests that require curl verbose strings
• rustls: fix clang-tidy warning
• rustls: fix comment describing cr_recv()
• rustls: pass the correct result to rustls_failf
• rustls: typecast variable for safer trace output
• rustls: use %zu for size_t in failf() format string
• sasl: clear canceled mechanism instead of toggling it
• schannel: assign result before using it
• schannel_verify: fix mem-leak in Curl_verify_host
• schannel_verify: use more human friendly error messages
• setopt: accept *_SSL_VERIFYHOST set to 2L
• setopt: allow CURLOPT_DNS_CACHE_TIMEOUT set to -1
• setopt: make CURLOPT_MAXREDIRS accept -1 (again)
• smb: adjust buffer size checks
• smtp: check EHLO responses case insensitively
• socks: deny server basic-auth if not configured
• socks: handle error in verbose trace gracefully
• socks: handle premature close
• socks: make Curl_blockread_all return CURLcode
• socks: rewwork, cleaning up socks state handling
• socks_gssapi: make the gss_context a local variable
• socks_gssapi: reject too long tokens
• socks_gssapi: remove superfluous releases of the gss_recv_token
• socks_gssapi: remove the forced "no protection"
• socks_sspi: bail out on too long fields
• socks_sspi: fix memory cleanup calls
• socks_sspi: restore non-blocking socket on error paths
• ssl-sessions.md: mark option experimental
• strerror: drop workaround for SalfordC win32 header bug
• sws: fix checking `sscanf()` return value
• tcp-nodelay.md: expand the documentation
• telnet: ignore empty suboptions
• telnet: make bad_option() consider NULL a bad option too
• telnet: make printsub require another byte input
• telnet: print DISPlay LOCation in printsub without mutating buffer
• telnet: refuse IAC codes in content
• telnet: return error if WSAEventSelect fails
• telnet: return error on crazy TTYPE or XDISPLOC lengths
• telnet: send failure logged but not returned
• telnet: use pointer[0] for "unknown" option instead of pointer[i]
• tests/server: drop pointless memory allocation overrides
• tests/server: drop unsafe `open()` override in signal handler (Windows)
• tftp: check and act on tftp_set_timeouts() returning error
• tftp: default timeout per block is now 15 seconds
• tftp: handle tftp_multi_statemach() return code
• tftp: pin the first used address
• tftp: propagate expired timer from tftp_state_timeout()
• tftp: return error if it hits an illegal state
• tftp: return error when sendto() fails
• tidy-up: `fcntl.h` includes
• tidy-up: assortment of small fixes
• tidy-up: avoid using the reserved macro namespace
• tidy-up: update MS links, allow long URLs via `checksrc`
• tidy-up: URLs
• time-cond.md: refer to the singular curl_getdate man page
• TODO: fix a typo
• TODO: remove already implemented or bad items
• tool: fix exponential retry delay
• tool_cb_hdr: fix fwrite check in header callback
• tool_cb_hdr: size is always 1
• tool_doswin: fix to use curl socket functions
• tool_filetime: replace cast with the fitting printf mask (Windows)
• tool_getparam/set_rate: skip the multiplication on overflow
• tool_getparam: always disable "lib-ids" for tracing
• tool_getparam: warn if provided header looks malformed
• tool_operate: improve wording in retry message
• tool_operate: keep failed partial download for retry auto-resume
• tool_operate: keep the progress meter for --out-null
• tool_progress: handle possible integer overflows
• tool_progress: make max5data() use an algorithm
• transfer: avoid busy loop with tiny speed limit
• unit1323: sync time types and printf masks, drop casts
• unit1664: drop casts, expand masks to full values
• url: make Curl_init_userdefined return void
• urldata: FILE is not a list-only protocol
• vauth/digest: improve the digest parser
• vquic: fix idle-timeout checks (ms<-->ns), 64-bit log & honor 0=no-timeout
• vquic: handling of io improvements
• vquic: sending non-gso packets fix for EAGAIN
• vtls: alpn setting, check proto parameter
• vtls_int.h: clarify data_pending
• vtls_scache: fix race condition
• windows: replace `_beginthreadex()` with `CreateThread()`
• windows: stop passing unused, optional argument for Win9x compatibility
• windows: use consistent format when showing error codes
• windows: use native error code types more
• wolfssl: check BIO read parameters
• wolfssl: fix error check in shutdown
• wolfssl: no double get_error() detail
• ws: clarify an error message
• ws: reject curl_ws_recv called with NULL buffer with a buflen

Contributors:

Adam Light, Alice Lee Poetics, Andrei Kurushin, Andrew Kirillov, Andrew Olsen, BobodevMm on github, Christian Schmitz, Dan Fandrich, Daniel Stenberg, Daniel Terhorst-North, dependabot[bot], divinity76 on github, Emilio Pozuelo Monfort, Ethan Everett, Evgeny Grin (Karlson2k), fds242 on github, Howard Chu, Ignat Loskutov, Javier Blazquez, Jicea, jmaggard10 on github, Johannes Schindelin, Joseph Birr-Pixton, Joshua Rogers, kapsiR on github, kuchara on github, Marcel Raad, Michael Osipov, Michał Petryka, Mohamed Daahir, Nir Azkiel, Patrick Monnerat, Pocs Norbert, Ray Satiro, renovate[bot], rinsuki on github, Samuel Dionne-Riel, Samuel Henrique, Stanislav Fort, Stefan Eissing, tkzv on github, Viktor Szakats