curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

[RELEASE] curl 8.6.0

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 31 Jan 2024 08:11:24 +0100 (CET)

Hello!

Welcome to a new curl release! Get it as always from https://curl.se/

curl and libcurl 8.6.0

  Public curl releases: 254
  Command line options: 258
  curl_easy_setopt() options: 304
  Public functions in libcurl: 93
  Contributors: 3078

This release includes the following changes:

  o add CURLE_TOO_LARGE [48]
  o add CURLINFO_QUEUE_TIME_T [76]
  o add CURLOPT_SERVER_RESPONSE_TIMEOUT_MS: add [39]
  o asyn-thread: use GetAddrInfoExW on >= Windows 8 [55]
  o configure: make libpsl detection failure cause error [109]
  o docs/cmdline: change to .md for cmdline docs [77]
  o docs: introduce "curldown" for libcurl man page format [102]
  o runtests: support -gl. Like -g but for lldb. [47]

This release includes the following bugfixes:

  o altsvc: free 'as' when returning error [23]
  o appveyor: replace PowerShell with bash + parallel autotools [54]
  o appveyor: switch to out-of-tree builds [29]
  o asyn-ares: with modern c-ares, use its default timeout [127]
  o build: delete unused `HAVE_{GSSHEIMDAL,GSSMIT,HEIMDAL}` [4]
  o build: delete/replace clang warning pragmas [111]
  o build: enable missing OpenSSF-recommended warnings, with fixes [11]
  o build: fix `-Wconversion`/`-Wsign-conversion` warnings [26]
  o build: fix Windows ADDRESS_FAMILY detection [35]
  o build: more `-Wformat` fixes [40]
  o build: remove redundant `CURL_PULL_*` settings [8]
  o cf-h1-proxy: no CURLOPT_USERAGENT in CONNECT with hyper [133]
  o cf-socket: show errno in tcpkeepalive error messages [120]
  o CI/distcheck: run full tests [31]
  o cmake: add option to disable building docs
  o cmake: fix generation for system name iOS [53]
  o cmake: fix typo [5]
  o cmake: freshen up docs/INSTALL.cmake [101]
  o cmake: prefill/cache `HAVE_STRUCT_SOCKADDR_STORAGE` [45]
  o cmake: rework options to enable curl and libcurl docs [161]
  o cmake: when USE_MANUAL=YES, build the curl.1 man page [113]
  o cmdline-opts/write-out.d: remove spurious double quotes
  o cmdline-opts: update availability for the *-ca-native options [66]
  o cmdline/gen: fix the sorting of the man page options [33]
  o configure: add libngtcp2_crypto_boringssl detection [155]
  o configure: fix no default int compile error in ipv6 detection [69]
  o configure: when enabling QUIC, check that TLS supports QUIC [87]
  o connect: remove margin from eyeballer alloc [79]
  o content_encoding: change return code to typedef'ed enum [94]
  o cookie.d: document use of empty string to enable cookie engine [106]
  o cookie: avoid fopen with empty file name [24]
  o curl.h: CURLOPT_DNS_SERVERS is only available with c-ares [131]
  o curl: show ipfs and ipns as supported "protocols" [15]
  o curl_easy_getinfo.3: remove the wrong time value count [116]
  o curl_multi_fdset.3: remove mention of null pointer support [134]
  o CURLINFO_REFERER.3: clarify that it is the *request* header [70]
  o CURLOPT_AUTOREFERER.3: mention CURLINFO_REFERER
  o CURLOPT_POSTFIELDS.3: fix incorrect C string escape in example [27]
  o CURLOPT_SSH_*_KEYFILE: clarify [57]
  o dist: add tests/errorcodes.pl to the tarball [6]
  o docs: clean up Protocols: for cmdline options [32]
  o docs: describe and highlight super cookies [80]
  o docs: do not start lines/sentences with So, But nor And [140]
  o docs: install curl.1 with cmake [166]
  o docs: mention env vars not used by schannel [124]
  o doh: remove unused local variable [34]
  o examples: add four new examples [99]
  o file+ftp: use stack buffers instead of data->state.buffer [138]
  o ftp: handle the PORT parsing without allocation [44]
  o ftp: use dynbuf to store entrypath [83]
  o ftp: use memdup0 to store the OS from a SYST 215 response [82]
  o ftpserver.pl: send 213 SIZE response without spurious newline
  o gen.pl: support ## for doing .IP in table-like lists [105]
  o gen: do italics/bold for a range of letters, not just single word [78]
  o GHA: add a job scanning for "bad words" in markdown [164]
  o GHA: bump ngtcp2, gnutls, mod_h2, quiche [158]
  o gnutls: fix build with --disable-verbose [3]
  o haproxy-clientip.d: document the arg [68]
  o headers: make sure the trailing newline is not stored [97]
  o headers: remove assert from Curl_headers_push [115]
  o hostip: return error immediately when Curl_ip2addr() fails [19]
  o hsts: remove assert for zero length domain [96]
  o http2: improved on_stream_close/data_done handling [49]
  o http3/quiche: fix result code on a stream reset [91]
  o http3: initial support for OpenSSL 3.2 QUIC stack [110]
  o http: adjust_pollset fix [85]
  o http: check for "Host:" case insensitively [154]
  o http: fix off-by-one error in request method length check [14]
  o http: only act on 101 responses when they are HTTP/1.1 [98]
  o http: remove comment reference to a removed solution [156]
  o http: use stack scratch buffer [150]
  o http_proxy: a blank CURLOPT_USERAGENT should not be used in CONNECT [90]
  o krb5: add prototype to silence clang warnings on mvsnprintf() [119]
  o lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT [62]
  o lib: error out on multissl + http3 [13]
  o lib: fix variable undeclared error caused by `infof` changes [2]
  o lib: reduce use of strncpy [30]
  o lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding [36]
  o lib: replace readwrite with write_resp [137]
  o lib: strndup/memdup instead of malloc, memcpy and null-terminate [42]
  o libssh2: use `libssh2_session_callback_set2()` with v1.11.1 [103]
  o libssh: improve the deprecation warning dismissal [20]
  o libssh: supress warnings without version check [18]
  o Makefile.am: fix the MSVC project generation [22]
  o Makefile.mk: drop Windows support [12]
  o mbedtls: fix `-Wnull-dereference` and `-Wredundant-decls` [117]
  o mbedtls: free the entropy when threaded [46]
  o mime: use memdup0 instead of malloc + memcpy [63]
  o mksymbolsmanpage.pl: provide references to where the symbol is used
  o mprintf: overhaul and bugfixes [52]
  o mqtt: use stack scratch buffer for recv+publish [148]
  o multi: remove total timer reset in file_do() while fetching file:// [89]
  o ngtcp2: put h3 at the front of alpn [58]
  o ntlm_wb: do not use data->state.buffer any longer [151]
  o openldap: fix an LDAP crash [75]
  o openldap: fix STARTTLS [67]
  o openssl: re-match LibreSSL deinit with init [17]
  o openssl: when verifystatus fails, remove session id from cache [100]
  o OS400: sync ILE/RPG binding [114]
  o pingpong: stop using the download buffer [159]
  o pop3: replace calloc + memcpy with memdup0 [60]
  o pytest: scorecard tracking CPU and RSS [157]
  o quiche: return CURLE_HTTP3 on send to invalid stream [65]
  o readwrite_data: loop less [21]
  o Revert "urldata: move async resolver state from easy handle to connectdata" [16]
  o rtsp: deal with borked server responses [129]
  o runtests: for mode="text" on <stdout>, fix newlines on both parts [64]
  o sasl: make login option string override http auth [142]
  o schannel: fix `-Warith-conversion` gcc 13 warning [28]
  o sectransp: do verify_cert without memdup for blobs [93]
  o sectransp_ make TLSCipherNameForNumber() available in non-verbose config [1]
  o sendf: fix compiler warning with CURL_DISABLE_HEADERS_API [38]
  o setopt: clear mimepost when formp is freed [92]
  o setopt: use memdup0 when cloning COPYPOSTFIELDS [107]
  o socks: fix generic output string to say SOCKS instead of SOCKS4 [144]
  o socks: use own buffer instead of data->state.buffer [143]
  o ssh: fix namespace of two local macros [51]
  o ssh: use stack scratch buffer for seeks [146]
  o strerror: repair get_winsock_error() [56]
  o system.h: sync mingw `CURL_TYPEOF_CURL_SOCKLEN_T` with other compilers [9]
  o system_win32: fix a function pointer assignment warning [71]
  o telnet: use dynbuf instad of malloc for escape buffer [108]
  o telnet: use stack scratch buffer for do [149]
  o tests/server: delete workaround for old-mingw [25]
  o tests: avoid int/size_t conversion size/sign warnings [163]
  o tests: respect $TMPDIR when creating unix domain sockets [50]
  o tool: make parser reject blank arguments if not supported [86]
  o tool: prepend output_dir in header callback [95]
  o tool_getparam: bsearch cmdline options [74]
  o tool_getparam: do not try to expand without an argument [59]
  o tool_getparam: stop supporting `_at_filename` style for --cookie [121]
  o tool_listhelp: regenerate after recent .d updates [61]
  o tool_operate: make --remove-on-error only remove "real" files [125]
  o tool_operate: stop setting the file comment on Amiga [128]
  o transfer: adjust_pollset improvements [81]
  o transfer: fix upload rate limiting, add test cases [37]
  o transfer: make the select_bits_paused condition check both directions [104]
  o transfer: remove warning: Value stored to 'blen' is never read [136]
  o url: don't set default CA paths for Secure Transport backend [126]
  o url: for disabled protocols, mention if found in redirect [7]
  o urlapi: remove assert [162]
  o verify-examples.pl: fail verification on unescaped backslash [72]
  o version: show only the libpsl version, not its dependencies [130]
  o vquic: extract TLS setup into own source [88]
  o vtls: fix missing multissl version info [73]
  o vtls: receive max buffer [139]
  o vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY [41]
  o websockets: check for negative payload lengths [123]
  o websockets: refactor decode chain [122]
  o windows: delete redundant headers [43]
  o windows: simplify detecting and using system headers [10]
  o wolfssl: load certificate *chain* for PEM client certs [84]
  o x509asn1: remove code for WANT_VERIFYHOST [132]
  o x509asn1: switch from malloc to dynbuf [112]

This release includes the following known bugs:

  o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)

Planned upcoming removals include:

  o support for space-separated NOPROXY patterns

  See https://curl.se/dev/deprecate.html for details

This release would not have looked like this without help, code, reports and
advice from friends like these:

   Andy Alt, annalee, Baruch Siach, Ben, Boris Verkhovskiy, Brad Harder,
   bubbleguuum on github, Cajus Pollmeier, calvin2021y on github, Chara White,
   Chris Sauer, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg,
   dependabot[bot], Dmitry Karpov, Gabe, Geeknik Labs, Gisle Vanem,
   Graham Campbell, Hans-Christian Egtvedt, Harry Sintonen, Haydar Alaidrus,
   hgdagon on github, Hiroki Kurosawa, iAroc on github, ivanfywang,
   janko-js on github, Jay Wu, Jess Lowe, Karthikdasari0423 on github,
   Lealem Amedie, Lin Sun, Marcel Raad, Mark Huang, Mark Sinkovics,
   Mauricio Scheffer, Micha©© Antoniak, Mike Hommey, Mohammadreza Hendiani,
   Ozan Cansel, Patrick Monnerat, Pavel Pavlov, promptfuzz_ on hackerone,
   Ray Satiro, RevaliQaQ on github, Richard Levitte, Scarlett McAllister,
   Sergey Bronnikov, Sergey Markelov, sfan5 on github, Stefan Eissing,
   Tatsuhiko Miyagawa, Tatsuhiro Tsujikawa, Theo, Thomas Ferguson,
   Viktor Szakats, Xi Ruoyao, Yadhu Krishna M, Yedaya Katsman, Yifei Kong,
   YX Hao, zengwei, zengwei2000, «¦ªµªó
   (65 contributors)

References to bug reports and discussions on issues:

  [1] = https://curl.se/bug/?i=12474
  [2] = https://curl.se/bug/?i=12470
  [3] = https://curl.se/bug/?i=12505
  [4] = https://curl.se/bug/?i=12506
  [5] = https://curl.se/bug/?i=12464
  [6] = https://curl.se/bug/?i=12462
  [7] = https://curl.se/bug/?i=12466
  [8] = https://curl.se/bug/?i=12502
  [9] = https://curl.se/bug/?i=12501
  [10] = https://curl.se/bug/?i=12495
  [11] = https://curl.se/bug/?i=12489
  [12] = https://curl.se/bug/?i=12224
  [13] = https://curl.se/bug/?i=12807
  [14] = https://curl.se/bug/?i=12534
  [15] = https://curl.se/mail/archive-2023-12/0026.html
  [16] = https://curl.se/bug/?i=12524
  [17] = https://curl.se/bug/?i=12525
  [18] = https://curl.se/bug/?i=12523
  [19] = https://curl.se/bug/?i=12522
  [20] = https://curl.se/bug/?i=12519
  [21] = https://curl.se/bug/?i=12504
  [22] = https://curl.se/bug/?i=12564
  [23] = https://curl.se/bug/?i=12570
  [24] = https://curl.se/bug/?i=12514
  [25] = https://curl.se/bug/?i=12510
  [26] = https://curl.se/bug/?i=12557
  [27] = https://curl.se/bug/?i=12588
  [28] = https://curl.se/bug/?i=12616
  [29] = https://curl.se/bug/?i=12550
  [30] = https://curl.se/bug/?i=12499
  [31] = https://curl.se/bug/?i=12503
  [32] = https://curl.se/bug/?i=12496
  [33] = https://curl.se/mail/archive-2023-12/0014.html
  [34] = https://curl.se/bug/?i=12491
  [35] = https://curl.se/bug/?i=12441
  [36] = https://curl.se/bug/?i=12490
  [37] = https://curl.se/bug/?i=12559
  [38] = https://curl.se/bug/?i=12485
  [39] = https://curl.se/bug/?i=12369
  [40] = https://curl.se/bug/?i=12540
  [41] = https://curl.se/bug/?i=12459
  [42] = https://curl.se/bug/?i=12453
  [43] = https://curl.se/bug/?i=12539
  [44] = https://curl.se/bug/?i=12456
  [45] = https://curl.se/bug/?i=12537
  [46] = https://curl.se/bug/?i=12584
  [47] = https://curl.se/bug/?i=12547
  [48] = https://curl.se/bug/?i=12269
  [49] = https://curl.se/bug/?i=10936
  [50] = https://curl.se/bug/?i=12545
  [51] = https://curl.se/bug/?i=12544
  [52] = https://curl.se/bug/?i=12561
  [53] = https://curl.se/bug/?i=12515
  [54] = https://curl.se/bug/?i=12560
  [55] = https://curl.se/bug/?i=12481
  [56] = https://curl.se/bug/?i=12578
  [57] = https://curl.se/bug/?i=12554
  [58] = https://curl.se/bug/?i=12576
  [59] = https://curl.se/bug/?i=12565
  [60] = https://curl.se/bug/?i=12650
  [61] = https://curl.se/bug/?i=12612
  [62] = https://curl.se/bug/?i=12658
  [63] = https://curl.se/bug/?i=12649
  [64] = https://curl.se/bug/?i=12612
  [65] = https://curl.se/bug/?i=12590
  [66] = https://curl.se/bug/?i=12613
  [67] = https://curl.se/bug/?i=12610
  [68] = https://curl.se/bug/?i=12611
  [69] = https://curl.se/bug/?i=12607
  [70] = https://curl.se/bug/?i=12605
  [71] = https://curl.se/bug/?i=12581
  [72] = https://curl.se/bug/?i=12589
  [73] = https://curl.se/bug/?i=12599
  [74] = https://curl.se/bug/?i=12631
  [75] = https://curl.se/bug/?i=12593
  [76] = https://curl.se/bug/?i=12368
  [77] = https://curl.se/bug/?i=12751
  [78] = https://curl.se/bug/?i=12689
  [79] = https://curl.se/bug/?i=12647
  [80] = https://curl.se/bug/?i=12687
  [81] = https://curl.se/bug/?i=12640
  [82] = https://curl.se/bug/?i=12639
  [83] = https://curl.se/bug/?i=12638
  [84] = https://curl.se/bug/?i=12634
  [85] = https://curl.se/bug/?i=12632
  [86] = https://curl.se/bug/?i=12620
  [87] = https://curl.se/bug/?i=12683
  [88] = https://curl.se/bug/?i=12678
  [89] = https://curl.se/bug/?i=12682
  [90] = https://curl.se/bug/?i=12680
  [91] = https://curl.se/bug/?i=12629
  [92] = https://curl.se/bug/?i=12608
  [93] = https://curl.se/bug/?i=12679
  [94] = https://curl.se/bug/?i=12618
  [95] = https://curl.se/bug/?i=12614
  [96] = https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65661
  [97] = https://curl.se/mail/lib-2024-01/0019.html
  [98] = https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66184
  [99] = https://curl.se/bug/?i=12671
  [100] = https://curl.se/bug/?i=12760
  [101] = https://curl.se/bug/?i=12772
  [102] = https://curl.se/bug/?i=12730
  [103] = https://curl.se/bug/?i=12754
  [104] = https://curl.se/mail/lib-2024-01/0049.html
  [105] = https://curl.se/bug/?i=12667
  [106] = https://curl.se/bug/?i=12643
  [107] = https://curl.se/bug/?i=12651
  [108] = https://curl.se/bug/?i=12652
  [109] = https://curl.se/bug/?i=12661
  [110] = https://curl.se/bug/?i=12734
  [111] = https://curl.se/bug/?i=12812
  [112] = https://curl.se/bug/?i=12808
  [113] = https://curl.se/bug/?i=12742
  [114] = https://curl.se/bug/?i=12815
  [115] = https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65839
  [116] = https://curl.se/bug/?i=12727
  [117] = https://curl.se/bug/?i=12720
  [119] = https://curl.se/bug/?i=12803
  [120] = https://curl.se/bug/?i=12726
  [121] = https://curl.se/bug/?i=12645
  [122] = https://curl.se/bug/?i=12713
  [123] = https://curl.se/bug/?i=12707
  [124] = https://curl.se/bug/?i=12711
  [125] = https://curl.se/bug/?i=12710
  [126] = https://curl.se/bug/?i=12704
  [127] = https://curl.se/bug/?i=12703
  [128] = https://curl.se/bug/?i=12709
  [129] = https://curl.se/bug/?i=12701
  [130] = https://curl.se/bug/?i=12700
  [131] = https://curl.se/bug/?i=12695
  [132] = https://curl.se/bug/?i=12804
  [133] = https://curl.se/bug/?i=12697
  [134] = https://curl.se/bug/?i=12691
  [136] = https://curl.se/bug/?i=12693
  [137] = https://curl.se/bug/?i=12480
  [138] = https://curl.se/bug/?i=12789
  [139] = https://curl.se/bug/?i=12801
  [140] = https://curl.se/bug/?i=12802
  [142] = https://curl.se/bug/?i=10259
  [143] = https://curl.se/bug/?i=12788
  [144] = https://curl.se/bug/?i=12797
  [146] = https://curl.se/bug/?i=12794
  [148] = https://curl.se/bug/?i=12792
  [149] = https://curl.se/bug/?i=12793
  [150] = https://curl.se/bug/?i=12791
  [151] = https://curl.se/bug/?i=12787
  [154] = https://curl.se/bug/?i=12784
  [155] = https://curl.se/bug/?i=12724
  [156] = https://curl.se/bug/?i=12785
  [157] = https://curl.se/bug/?i=12765
  [158] = https://curl.se/bug/?i=12778
  [159] = https://curl.se/bug/?i=12757
  [161] = https://curl.se/bug/?i=12773
  [162] = https://curl.se/bug/?i=12775
  [163] = https://curl.se/bug/?i=12768
  [164] = https://curl.se/bug/?i=12764
  [166] = https://curl.se/bug/?i=12759

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html


-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2024-01-31