Pending RELEASE-NOTES for the upcoming release
This is work in progress and will change before the release goes public on 2025-02-05.
Changes:
- curl: add byte range support to --variable reading from file
- curl: make --etag-save acknowledge --create-dirs
- getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
- getinfo: provide info which auth was used for HTTP and proxy
- hyper: drop support
- openssl: add support to use keys and certificates from PKCS#11 provider
- QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
- vtls: feature ssls-export for SSL session im-/export
Bugfixes:
- altsvc: avoid integer overflow in expire calculation
- altsvc: return error on dot-only name
- android: add CI jobs, buildinfo, cmake docs, disable `CURL_USE_PKGCONFIG` by default
- asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
- asyn-ares: initial HTTPS resolve support
- async-thread: avoid closing eventfd twice
- autotools: add support for mingw UWP builds
- autotools: silence gcc warnings in libtool code
- binmode: convert to macro and use it from tests
- build: delete `-Wsign-conversion` related FIXMEs
- build: drop `-Winline` picky warning
- build: drop unused feature macros, update exception list
- build: fix `-Wtrampolines` picky warning for gcc 4.x versions
- build: fix the tidy targets for autotools
- build: fix unsigned `time_t` detection for cmake, MS-DOS, AmigaOS
- build: replace configure check with PP condition (Android <21)
- build: stop detecting `sched_yield()` on Windows
- cd2nroff: support "none" as a TLS backend
- cf-https-connect: look into httpsrr alpns when available
- cf-socket: error if address can't be copied
- checksrc.bat: remove explicit SNPRINTF bypass
- checksrc: ban use of sscanf()
- checksrc: check for return with parens around a value/name
- checksrc: fix the return() checker
- checksrc: introduce 'banfunc' to ban specific functions
- cmake/FindLDAP: avoid empty 'Requires' item when omitting `pkg-config` module
- cmake/FindLDAP: avoid framework locations for libs too (Apple)
- cmake/FindLibpsl: protect against `pkg-config` "half-detection"
- cmake/FindLibssh: sync header comment with other modules
- cmake/FindMbedTLS: drop lib duplicates early
- cmake: add `librtmp` Find module
- cmake: add LDAP Find module
- cmake: add native `pkg-config` detection for remaining Find modules
- cmake: allow `CURL_LTO` regardless of `CURL_BUILD_TYPE`, enable in CI
- cmake: clang-cl improvements
- cmake: delete accidental debug message
- cmake: deprecate winbuild, add migration guide from legacy build methods
- cmake: detect mingw-w64 version, pre-fill `HAVE_STRTOK_R`
- cmake: do not store `MINGW64_VERSION` in cache
- cmake: drop `fseeko()` pre-fill and check for Windows
- cmake: drop duplicate Windows cache value
- cmake: drop redundant FOUND checks (libgsasl, libssh, libuv)
- cmake: drop redundant opening/closing `.*` from `MATCH` expressions
- cmake: drop unused `HAVE_SYS_XATTR_H` detection
- cmake: drop VS2010 "Dialog Hell" workaround added in 2013
- cmake: extend zlib's `AUTO` option to brotli, zstd and enable if found
- cmake: fix `net/in.h` detection for MS-DOS
- cmake: improve `curl_dumpvars()` and move to `Utilities.cmake`
- cmake: make libpsl required by default
- cmake: make system libraries `dl`, `m`, `pthread` customizable
- cmake: move `pkg-config` names to Find modules
- cmake: move GSS init before feature detections
- cmake: move mingw UWP workaround from GHA to `CMakeLists.txt`
- cmake: namespace functions and macros
- cmake: optimize out 4 picky warning option detections with gcc
- cmake: pick a better IPv6 feature flag when assembling the feature list
- cmake: pre-fill `HAVE_STDATOMIC_H`, `HAVE_ATOMIC` for mingw-w64
- cmake: pre-fill `HAVE_STDINT_H` on Windows
- cmake: publish/check supported protocols/features via `CURLConfig.cmake`
- cmake: replace `unset(VAR)` with `set(VAR "")` for init
- cmake: sync OpenSSL QUIC fork detection with autotools
- cmake: use `CMAKE_REQUIRED_LINK_DIRECTORIES`
- cmake: use `STREQUAL` to detect Linux
- cmdline-opts/version.md: describe multissl, mention SSLS-EXPORT
- completion.pl: add completion for paths after @ for fish
- config-mac: drop `MACOS_SSL_SUPPORT` macro
- config: drop unused code and variables
- configure: do not inline 'dnl' comments
- configure: drop unused detections and macros
- configure: streamline Windows large file feature check
- configure: UWP and Android follow-up fixes
- conncache: count shutdowns against host and max limits
- conncache: result_cb comment removed from function docs
- content_encoding: namespace GZIP flag constants
- content_encoding: support use of custom libzstd memory functions
- cookie: cap expire times to 400 days
- cookie: fix crash in netscape cookie parsing
- cookie: parse only the exact expire date
- curl-functions.m4: fix indentation in `CURL_SIZEOF()`
- curl: return error if etag options are used with multiple URLs
- curl_multi_fdset: include the shutdown connections in the set
- curl_multi_waitfds.md: tidy up the example
- curl_multibyte: support Windows paths longer than MAX_PATH
- curl_setup: fix missing `ADDRESS_FAMILY` type in rare build cases
- curl_sha512_256: rename symbols to the curl namespace
- curl_url_set.md: adjust the added-in to 7.62.0
- curl_ws_recv.md: fix typo
- CURLOPT_CONNECT_ONLY.md: an easy handle with this option set cannot be reused
- CURLOPT_PROXY.md: clarify the crendential support in proxy URLs
- CURLOPT_RESOLVE.md: fix wording
- CURLOPT_SEEKFUNCTION.md: used for FTP, HTTP and SFTP (only)
- docs/BUGS.md: remove leading space from a link
- docs/cmdline-opts/_ENVIRONMENT.md: minor language fix
- docs/HTTP-COOKIES.md: link to more information
- docs/libcurl/opts: clarify the return values
- docs/libcurl: return value overhall
- docs/TLS-SESSIONS: fix typo, the->they
- docs: document the behavior of -- in the curl command line
- docs: use lowercase curl and libcurl
- doh: cleanups and extended HTTPS RR code
- doh: send HTTPS RR requests for all HTTP(S) transfers
- easy: make curl_easy_perform() return error if connection still there
- easy_lock: use Sleep(1) for thread yield on old Windows
- ECH: update APIs to those agreed with OpenSSL maintainers
- examples/block-ip: drop redundant `memory.h` include
- examples/block-ip: show how to block IP addresses
- examples/complicated: fix warnings, bump deprecated callback, tidy up
- examples/synctime.c: remove references to dead URLs and functionality
- examples: make them compile with compatibility functions disabled (Windows)
- examples: use return according to code style
- file: drop `OPEN_NEEDS_ARG3` option
- file: fix Android compiler warning
- GnuTLS: fix 'time_appconnect' for early data
- hash: add asserts in hash_element_dtor()
- HTTP/2: strip TE request header
- http2: fix value stored to 'result' is never read
- http: fix build with `CURL_DISABLE_COOKIES`
- http: ignore invalid Retry-After times
- http_aws_sigv4: Fix invalid compare function handling zero-length pairs
- INFRASTRUCTURE.md: project infra
- INSTALL.md: document VS2008 and mingw-w64
- lib517: extend the getdate test with quotes and leading "junk"
- lib: remove `__EMX__` guards
- lib: replace `inline` redefine with `CURL_INLINE` macro
- lib: supress deprecation warnings in apple builds
- lib: TLS session ticket caching reworked
- libcurl/opts: do not save files in dirs where attackers have access
- Makefile.mk: drop in favour of autotools and cmake (MS-DOS, AmigaOS3)
- mbedtls: fix handling of blocked sends
- mime: explicitly rewind subparts at attachment time.
- mprintf: fix integer handling in float precision
- mprintf: terminate snprintf output on windows
- msvc: assume `_INTEGRAL_MAX_BITS >= 64`
- msvc: drop checks for ancient versions
- msvc: fix building with `HAVE_INET_NTOP` and MSVC <=1900
- msvc: require VS2005 for large file support
- msvc: tidy up `_CRT_*_NO_DEPRECATE` definitions
- multi: fix curl_multi_waitfds reporting of fd_count
- multi: fix return code for an already-removed easy handle
- multihandle: add an ssl_scache here
- multissl: auto-enable `OPENSSL_COEXIST` for wolfSSL + OpenSSL
- multissl: make openssl + wolfssl builds work
- netrc: 'default' with no credentials is not a match
- netrc: fix password-only entries
- netrc: restore _netrc fallback logic
- ngtcp2: fix two cases of value stored never read
- openssl: fix ECH logic
- osslq: use SSL_poll to determine writeability of QUIC streams
- projects/Windows: remove wolfSSL from legacy projects
- pytest: remove 'repeat' parameter
- pytest: use httpd/apache2 directly, no apachectl
- RELEASE-PROCEDURE.md: mention how to publish security advisories
- scripts/mdlinkcheck: markdown link checker
- sectransp: free certificate on error
- select: avoid a NULL deref in cwfds_add_sock
- smb: fix compiler warning
- src: add `CURL_STRICMP()` macro, use `_stricmp()` on Windows
- src: drop support for `CURL_TESTDIR` debug env
- ssl session cache: change cache dimensions
- strparse: string parsing helper functions
- system.h: add 64-bit curl_off_t definitions for NonStop
- system.h: drop compilers lacking 64-bit integer type (Windows/MS-DOS)
- system.h: drop duplicate and no-op code
- system.h: fix indentation
- telnet: handle single-byte input option
- test483: require cookie support
- tests/http/clients: use proper sleep() call on NonStop
- TheArtOfHttpScripting.md: rewrite double 'that'
- tidy-up: `curl_setup.h`, `curl_setup_once.h`, `config-win32ce.h`
- tidy-up: drop parenthesis around `return` expression
- tidy-up: drop parenthesis around `return` values
- tidy-up: extend `CURL_O_BINARY` to lib and tests
- TLS: check connection for SSL use, not handler
- tool_formparse.c: make curlx_uztoso a static in here
- tool_formparse: accept digits in --form type= strings
- tool_getparam: ECH param parsing refix
- tool_getparam: fix "Ignored Return Value"
- tool_getparam: fix memory leak on error in parse_ech
- tool_getparam: fix the ECH parser
- tool_operate: make --etag-compare always accept a non-existing file
- transfer: fix CURLOPT_CURLU override logic
- urlapi: fix redirect to a new fragment or query (only)
- variable.md: mention --expand-variable for variables to variables
- variable.md: show function use with examples
- vquic: fix 4th function call argument is an uninitialized value
- vquic: make vquic_send_packets not return without setting psent
- vtls: only remember the expiry timestamp in session cache
- vtls: remove 'detach/attach' functions from TLS handler struct
- vtls: remove unusued 'check_cxn' from TLS handler struct
- vtls: replace "none"-functions with NULL pointers
- VULN-DISCLOSURE-POLICY.md: mention the not setting CVSS
- websocket: fix message send corruption
- windows: drop dupe macros, detect `CURL_OS` for WinCE ARM, indentation
- windows: drop redundant `USE_WIN32_SMALL_FILES` macro
- windows: merge `config-win32ce.h` into `config-win32.h`
- ws-docs: remove the outdated texts saying ws support is experimental
Contributors:
9cel, Aleksander Mazur, Andy Pan, Asger Hautop Drewsen, baranyaib90 on github, Ben Zanin, Brad House, Christian Heusel, Christian Schmitz, Christopher Dannemiller, Dan Fandrich, Daniel Stenberg, Darren Banfi, Deniz Sökmen, dependabot[bot], Derek Huang, Donguk Kim, dwickr, Ganesh Viswanathan, Hermes Zhang, IcedCoffeee on github, Jakub Jelen, Jeroen Ooms, Jiri Stary, Kai Pastor, Kevin Sun, Kuan-Wei Chiu, Manuel Einfalt, Marcel Raad, Milon Renatus, Mohammed Sadiq, na-trium-144 on github, Neil Horman, Neil Johari, Nicolás San Martín, Patrick Monnerat, prpr19xx on github, Qriist on github, Ralph Sennhauser, Randall S. Becker, Ray Satiro, renovate[bot], Rudi Heitbaum, Samuel Henrique, Stefan Eissing, Stephen Farrell, Tal Regev, Tamás Bálint Misius, Tamir Duberstein, Viktor Szakats, Yedaya Katsman, Yihang Zhou