curl / Development / Pending Release Notes
Pending RELEASE-NOTES for the upcoming release
This is work in progress and seeing changes before the release goes public on 2026-01-07.
Changes:
- build: drop support for VS2008 (Windows)
- build: drop Windows CE / CeGCC support
- gnutls: drop support for GnuTLS < 3.6.5
- gnutls: implement CURLOPT_CAINFO_BLOB
- openssl: bump minimum OpenSSL version to 3.0.0
Bugfixes:
- _PROGRESS.md: add the E unit, mention kibibyte
- AmigaOS: increase minimum stack size for tool_main
- apple-sectrust: always ask when `native_ca_store` is in use
- asyn-ares: remove hostname free on OOM
- asyn-thrdd: release rrname if ares_init_options fails
- autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr)
- badwords: fix issues found in scripts and other files
- badwords: fix issues found in tests
- build: add build-level `CURL_DISABLE_TYPECHECK` options
- build: exclude clang prereleases from compiler warning options
- build: tidy-up MSVC CRT warning suppression macros
- ccsidcurl: make curl_mime_data_ccsid() use the converted size
- cf-https-connect: allocate ctx at first in cf_hc_create()
- cf-socket: limit use of `TCP_KEEP*` to Windows 10.0.16299+ at runtime
- cf-socket: trace ignored errors
- checksrc.pl: detect assign followed by more than one space
- cmake: adjust defaults for target platforms not supporting shared libs
- cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON`
- cmake: honor `CURL_DISABLE_INSTALL` and `CURL_ENABLE_EXPORT_TARGET`
- code: minor indent fixes before closing braces
- config2setopts: bail out if curl_url_get() returns OOM
- config2setopts: exit if curl_url_set() fails on OOM
- conncache: silence `-Wnull-dereference` on gcc 14 RISC-V 64
- connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition'
- cookie: propagate errors better, cleanup the internal API
- cookie: return error on OOM
- cshutdn: acknowledge FD_SETSIZE for shutdown descriptors
- curl: fix progress meter in parallel mode
- curl_fopen: do not pass invalid mode flags to `open()` on Windows
- curl_sasl: make Curl_sasl_decode_mech compare case insensitively
- curl_setup.h: document more funcs flagged by `_CRT_SECURE_NO_WARNINGS`
- curl_setup.h: drop stray `#undef stat` (Windows)
- CURLINFO: remove 'get' and 'get the' from each short desc
- CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer"
- CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text
- CURLOPT_READFUNCTION.md: clarify the size of the buffer
- CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
- curlx/strerr: use `strerror_s()` on Windows
- curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows)
- digest_sspi: fix a memory leak on error path
- digest_sspi: properly free sspi identity
- DISTROS.md: add OpenBSD
- docs: fix checksrc `EQUALSPACE` warnings
- docs: mention umask need when curl creates files
- examples/crawler: fix variable
- examples/multithread: fix race condition
- examples: make functions/data static where missing
- examples: tidy-up headers and includes
- file: do not pass invalid mode flags to `open()` on upload (Windows)
- ftp: refactor a piece of code by merging the repeated part
- ftp: remove #ifdef for define that is always defined
- getinfo: improve perf in debug mode
- gnutls: report accurate error when TLS-SRP is not built-in
- gtls: add return checks and optimize the code
- gtls: skip session resumption when verifystatus is set
- h2/h3: handle methods with spaces
- hostip: don't store negative lookup on OOM
- hsts: propagate and error out correctly on OOM
- http: avoid two strdup()s and do minor simplifications
- http: error on OOM when creating range header
- http: replace atoi use in Curl_http_follow with curlx_str_number
- http: the :authority header should never contain user+password
- INSTALL-CMAKE.md: document static option defaults more
- krb5_sspi: unify a part of error handling
- lib: cleanup for some typos about spaces and code style
- lib: eliminate size_t casts
- lib: error for OOM when extracting URL query
- lib: fix gssapi.h include on IBMi
- lib: refactor the type of funcs which have useless return and checks
- lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows)
- libssh2: add paths to error messages for quote commands
- libssh2: cleanup ssh_force_knownhost_key_type
- libssh2: replace atoi() in ssh_force_knownhost_key_type
- libssh: properly free sftp_attributes
- libtests: replace `atoi()` with `curlx_str_number()`
- limit-rate: add example using --limit-rate and --max-time together
- m4/sectrust: fix test(1) operator
- mbedtls: fix potential use of uninitialized `nread`
- mk-ca-bundle.pl: default to SHA256 fingerprints with `-t` option
- mk-ca-bundle.pl: use `open()` with argument list to replace backticks
- mqtt: reject overly big messages
- multi: make max_total_* members size_t
- noproxy: replace atoi with curlx_str_number
- openssl: exit properly on OOM when getting certchain
- openssl: fix a potential memory leak of bio_out
- openssl: fix a potential memory leak of params.cert
- openssl: no verify failf message unless strict
- openssl: release ssl_session if sess_reuse_cb fails
- openssl: remove code handling default version
- OS400/ccsidcurl: fix curl_easy_setopt_ccsid for non-converted blobs
- OS400/makefile.sh: fix shellcheck warning SC2038
- osslq: code readability
- progress: show fewer digits
- projects/README.md: Markdown fixes
- pytest fixes and improvements
- pytest: skip H2 tests if feature missing from curl
- rtmp: fix double-free on URL parse errors
- rtmp: precaution for a potential integer truncation
- runtests: detect bad libssh differently for test 1459
- runtests: drop Python 2 support remains
- rustls: fix a potential memory issue
- rustls: minor adjustment of sizeof()
- schannel: fix memory leak of cert_store_path on four error paths
- schannel: replace atoi() with curlx_str_number()
- schannel_verify: fix a memory leak of cert_context
- scripts: fix shellcheck SC2046 warnings
- scripts: use end-of-options marker in `find -exec` commands
- setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL
- setopt: when setting bad protocols, don't store them
- sftp: fix range downloads in both SSH backends
- smb: fix a size check to be overflow safe
- socks_sspi: use free() not FreeContextBuffer()
- speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE
- telnet: replace atoi for BINARY handling with curlx_str_number
- TEST-SUITE.md: correct the man page's path
- test07_22: fix flakiness
- test2045: replace HTML multi-line comment markup with `#` comments
- test363: delete stray character (typo) from a section tag
- tests/data: replace hard-coded test numbers with `%TESTNUMBER`
- tests/data: support using native newlines on disk, drop `.gitattributes`
- tests/server: do not fall back to original data file in `test2fopen()`
- tests/server: replace `atoi()` and `atol()` with `curlx_str_number()`
- tftp: release filename if conn_get_remote_addr fails
- tftpd: fix/tidy up `open()` mode flags
- tidy-up: move `CURL_UNCONST()` out from macro `curl_unicodefree()`
- tool: consider (some) curl_easy_setopt errors fatal
- tool_cfgable: free ssl-sessions at exit
- tool_getparam: verify that a file exists for some options
- tool_help: add checks to avoid unsigned wrap around
- tool_ipfs: check return codes better
- tool_msgs: make voutf() use stack instead of heap
- tool_operate: exit on curl_share_setopt errors
- tool_operate: fix a case of ignoring return code in operate()
- tool_operate: fix case of ignoring return code in single_transfer
- tool_operate: remove redundant condition
- tool_operate: use curlx_str_number instead of atoi
- tool_paramhlp: refuse --proto remove all protocols
- tool_urlglob: clean up used memory on errors better
- tool_writeout: bail out proper on OOM
- url: if OOM in parse_proxy() return error
- urlapi: fix mem-leaks in curl_url_get error paths
- verify-release: update to avoid shellcheck warning SC2034
- vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
- vquic: do not pass invalid mode flags to `open()` (Windows)
- vtls: fix CURLOPT_CAPATH use
- vtls: handle possible malicious certs_num from peer
- vtls: pinned key check
- wcurl: import v2025.11.09
- wolfSSL: able to differentiate between IP and DNS in alt names
- wolfssl: avoid NULL dereference in OOM situation
- wolfssl: fix a potential memory leak of session
- wolfssl: fix cipher list, skip 5.8.4 regression
- wolfssl: simplify wssl_send_earlydata
Contributors:
Aleksandr Sergeev, Andrew Kirillov, boingball, Brad King, bttrfl on github, Christian Schmitz, Dan Fandrich, Daniel McCarney, Daniel Stenberg, Fd929c2CE5fA on github, ffath-vo on github, Gisle Vanem, Jiyong Yang, Juliusz Sosinowicz, Leonardo Taccari, letshack9707 on hackerone, Marc Aldorasi, Marcel Raad, nait-furry, ncaklovic on github, Nick Korepanov, Omdahake on github, Patrick Monnerat, pelioro on hackerone, Ray Satiro, renovate[bot], Samuel Henrique, Stanislav Fort, Stefan Eissing, Thomas Klausner, Viktor Szakats, Wesley Moore, Xiaoke Wang