From: Daniel Stenberg Date: Mon, 6 Oct 2025 21:59:33 +0000 (+0200) Subject: RELEASE-NOTES: synced X-Git-Tag: rc-8_17_0-1~91 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e3725a7afe46fac093412f64193c807fcff1440;p=thirdparty%2Fcurl.git RELEASE-NOTES: synced --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index b638b559c4..846340aee1 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -1,16 +1,19 @@ curl and libcurl 8.17.0 Public curl releases: 271 - Command line options: 272 + Command line options: 273 curl_easy_setopt() options: 308 Public functions in libcurl: 98 - Contributors: 3513 + Contributors: 3514 This release includes the following changes: o build: drop the winbuild build system [81] o krb5: drop support for Kerberos FTP [43] o libssh2: up the minimum requirement to 1.9.0 [85] + o progress: expand to use 6 characters per size [234] + o ssl: support Apple SecTrust configurations [240] + o tool_getparam: add --knownhosts [204] o vssh: drop support for wolfSSH [58] o wcurl: import v2025.09.27 [182] o write-out: make %header{} able to output *all* occurrences of a header [25] @@ -34,11 +37,16 @@ This release includes the following bugfixes: o build: show llvm/clang in platform flags and `buildinfo.txt` [126] o cf-h2-proxy: break loop on edge case [140] o cf-ip-happy: mention unix domain path, not port number [161] + o cf-socket: always check Curl_cf_socket_peek() return code [198] + o cf-socket: check params and remove accept procondition [197] o cf-socket: tweak a memcpy() to read better [177] o cf-socket: use the right byte order for ports in bindlocal [61] o cfilter: unlink and discard [46] o checksrc: catch banned functions when preceded by `(` [146] o checksrc: fix possible endless loop when detecting `BANNEDFUNC` [149] + o checksrc: fix possible endless loops/errors in the banned function logic [220] + o checksrc: fix to handle `)` predecing a banned function [229] + o checksrc: reduce directory-specific exceptions [228] o cmake: add `CURL_CODE_COVERAGE` option [78] o cmake: clang detection tidy-ups [116] o cmake: drop exclamation in comment looking like a name [160] @@ -49,8 +57,10 @@ This release includes the following bugfixes: o cmdline-opts/_PROGRESS.md: explain the suffixes [154] o configure: add "-mt" for pthread support on HP-UX [52] o cookie: avoid saving a cookie file if no transfer was done [11] + o cpool: make bundle->dest an array; fix UB [218] o curl_easy_getinfo: error code on NULL arg [2] o curl_mem_undef.h: limit to `CURLDEBUG` for non-memalloc overrides [19] + o curl_osslq: error out properly if BIO_ADDR_rawmake() fails [184] o curl_slist_append.md: clarify that a NULL pointer is not acceptable [72] o CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well [8] o CURLOPT_HEADER/WRITEFUNCTION.md: drop '* size' since size is always 1 [63] @@ -59,16 +69,23 @@ This release includes the following bugfixes: o CURLOPT_TIMECONDITION.md: works for FILE and FTP as well [27] o digest_sspi: fix two memory leaks in error branches [77] o dist: do not distribute `CI.md` [29] + o docs/cmdline-opts: drop double quotes from GLOBBING and URL examples [238] o docs/libcurl: clarify some timeout option behavior [15] o docs/libcurl: remove ancient version references [7] o docs/libcurl: use lowercase must [5] o docs: fix/tidy code fences [87] o easy_getinfo: check magic, Curl_close safety [3] + o examples: drop unused `curl/mprintf.h` includes [224] + o examples: fix two build issues surfaced with WinCE [223] o examples: fix two issues found by CodeQL [35] o examples: fix two more cases of `stat()` TOCTOU [147] o form.md: drop reference to MANUAL [178] + o ftp: add extra buffer length check [195] o ftp: fix ftp_do_more returning with *completep unset [122] o ftp: fix port number range loop for PORT commands [66] + o ftp: fix the 213 scanner memchr buffer limit argument [196] + o ftp: improve fragile check for first digit > 3 [194] + o ftp: remove misleading comments [193] o gtls: avoid potential use of uninitialized variable in trace output [83] o hostip: remove leftover INT_MAX check in Curl_dnscache_prune [88] o http: handle user-defined connection headers [165] @@ -78,14 +95,21 @@ This release includes the following bugfixes: o ip-happy: do not set unnecessary timeout [95] o ip-happy: prevent event-based stall on retry [155] o krb5: return appropriate error on send failures [22] + o krb5_sspi: the chlg argument is NOT optional [200] o ldap: do not base64 encode zero length string [42] + o ldap: tidy-up types, fix error code confusion [191] + o lib: drop unused include and duplicate guards [226] o lib: fix build error and compiler warnings with verbose strings disabled [173] o lib: remove personal names from comments [168] o lib: upgrade/multiplex handling [136] o libcurl-multi.md: added curl_multi_get_offt mention [53] o libcurl-security.md: mention long-running connections [6] + o libssh2/sftp_realpath: change state consistently [185] + o libssh2: bail out on chgrp and chown number parsing errors [202] + o libssh2: clarify that sshp->path is always at least one byte [201] o libssh2: drop two redundant null-terminations [26] o libssh2: error check and null-terminate in ssh_state_sftp_readdir_link() [34] + o libssh2: fix return code for EAGAIN [186] o libssh: acknowledge SSH_AGAIN in the SFTP state machine [89] o libssh: clarify myssh_block2waitfor [92] o libssh: drop two unused assignments [104] @@ -94,30 +118,38 @@ This release includes the following bugfixes: o libssh: fix range parsing error handling mistake [120] o libssh: react on errors from ssh_scp_read [24] o libssh: return out of memory correctly if aprintf fails [60] + o Makefile.example: fix option order [231] o Makefile.example: simplify and make it configurable [20] o managen: ignore version mentions < 7.66.0 [55] o managen: render better manpage references/links [54] o managen: strict protocol check [109] + o managen: verify the options used in example lines [181] o mbedtls: check result of setting ALPN [127] o mbedtls: handle WANT_WRITE from mbedtls_ssl_read() [145] + o mdlinkcheck: reject URLs containing quotes [174] o multi.h: add CURLMINFO_LASTENTRY [51] o multi_ev: remove unnecessary data check that confuses analysers [167] o ngtcp2: check error code on connect failure [13] o ngtcp2: fix early return [131] + o noproxy: fix the IPV6 network mask pattern match [166] o openldap: avoid indexing the result at -1 for blank responses [44] o openldap: check ber_sockbuf_add_io() return code [163] o openldap: check ldap_get_option() return codes [119] o openssl-quic: check results better [132] o openssl-quic: handle error in SSL_get_stream_read_error_code [129] o openssl-quic: ignore unexpected streams opened by server [176] + o openssl: call SSL_get_error() with proper error [207] o openssl: clear retry flag on x509 error [130] o openssl: fail the transfer if ossl_certchain() fails [23] + o openssl: fix build for v1.0.2 [225] o openssl: make the asn1_object_dump name null terminated [56] o openssl: set io_need always [99] o OS400: fix a use-after-free/double-free case [142] + o pingpong: remove two old leftover debug infof() calls o pytest: skip specific tests for no-verbose builds [171] o quic: fix min TLS version handling [14] o quic: ignore EMSGSIZE on receive [4] + o quiche: fix possible leaks on teardown [205] o quiche: fix verbose message when ip quadruple cannot be obtained. [128] o quiche: when ingress processing fails, return that error code [103] o runtests: tag tests that require curl verbose strings [172] @@ -143,16 +175,25 @@ This release includes the following bugfixes: o socks_sspi: fix memory cleanup calls [40] o socks_sspi: restore non-blocking socket on error paths [48] o ssl-sessions.md: mark option experimental [12] + o strerror: drop workaround for SalfordC win32 header bug [214] o sws: fix checking `sscanf()` return value [17] o tcp-nodelay.md: expand the documentation [153] + o telnet: ignore empty suboptions [86] + o telnet: make bad_option() consider NULL a bad option too [192] o telnet: make printsub require another byte input [21] + o telnet: print DISPlay LOCation in printsub without mutating buffer [216] o telnet: refuse IAC codes in content [111] + o telnet: return error if WSAEventSelect fails [180] o telnet: return error on crazy TTYPE or XDISPLOC lengths [123] + o telnet: send failure logged but not returned [175] + o telnet: use pointer[0] for "unknown" option instead of pointer[i] [217] o tests/server: drop unsafe `open()` override in signal handler (Windows) [151] o tftp: check and act on tftp_set_timeouts() returning error [38] + o tftp: default timeout per block is now 15 seconds [156] o tftp: handle tftp_multi_statemach() return code [65] o tftp: pin the first used address [110] o tftp: propagate expired timer from tftp_state_timeout() [39] + o tftp: return error if it hits an illegal state [138] o tftp: return error when sendto() fails [59] o tidy-up: `fcntl.h` includes [98] o tidy-up: assortment of small fixes [115] @@ -166,6 +207,7 @@ This release includes the following bugfixes: o tool_cb_hdr: fix fwrite check in header callback [49] o tool_cb_hdr: size is always 1 [70] o tool_doswin: fix to use curl socket functions [108] + o tool_filetime: replace cast with the fitting printf mask (Windows) [212] o tool_getparam/set_rate: skip the multiplication on overflow [84] o tool_getparam: always disable "lib-ids" for tracing [169] o tool_getparam: warn if provided header looks malformed [179] @@ -174,12 +216,18 @@ This release includes the following bugfixes: o tool_progress: handle possible integer overflows [164] o tool_progress: make max5data() use an algorithm [170] o transfer: avoid busy loop with tiny speed limit [100] + o unit1323: sync time types and printf masks, drop casts [211] + o unit1664: drop casts, expand masks to full values [221] + o url: make Curl_init_userdefined return void [213] o urldata: FILE is not a list-only protocol [9] + o vquic: handling of io improvements [239] o vtls: alpn setting, check proto parameter [134] o vtls_int.h: clarify data_pending [124] o vtls_scache: fix race condition [157] o windows: replace `_beginthreadex()` with `CreateThread()` [80] o windows: stop passing unused, optional argument for Win9x compatibility [75] + o windows: use consistent format when showing error codes [199] + o windows: use native error code types more [206] o wolfssl: check BIO read parameters [133] o wolfssl: fix error check in shutdown [105] o ws: clarify an error message [125] @@ -209,15 +257,15 @@ advice from friends like these: Adam Light, Alice Lee Poetics, Andrew Kirillov, Andrew Olsen, BobodevMm on github, Christian Schmitz, Dan Fandrich, Daniel Stenberg, - dependabot[bot], divinity76 on github, Emilio Pozuelo Monfort, Ethan Everett, - Evgeny Grin (Karlson2k), fds242 on github, Howard Chu, Javier Blazquez, - Jicea, jmaggard10 on github, Johannes Schindelin, Joseph Birr-Pixton, - Joshua Rogers, kapsiR on github, kuchara on github, Marcel Raad, - Michael Osipov, Michał Petryka, Mohamed Daahir, Nir Azkiel, Patrick Monnerat, - Pocs Norbert, Ray Satiro, renovate[bot], rinsuki on github, - Samuel Dionne-Riel, Samuel Henrique, Stanislav Fort, Stefan Eissing, - Viktor Szakats - (38 contributors) + Daniel Terhorst-North, dependabot[bot], divinity76 on github, + Emilio Pozuelo Monfort, Ethan Everett, Evgeny Grin (Karlson2k), + fds242 on github, Howard Chu, Javier Blazquez, Jicea, jmaggard10 on github, + Johannes Schindelin, Joseph Birr-Pixton, Joshua Rogers, kapsiR on github, + kuchara on github, Marcel Raad, Michael Osipov, Michał Petryka, + Mohamed Daahir, Nir Azkiel, Patrick Monnerat, Pocs Norbert, Ray Satiro, + renovate[bot], rinsuki on github, Samuel Dionne-Riel, Samuel Henrique, + Stanislav Fort, Stefan Eissing, Viktor Szakats + (39 contributors) References to bug reports and discussions on issues: @@ -306,6 +354,7 @@ References to bug reports and discussions on issues: [83] = https://curl.se/bug/?i=18620 [84] = https://curl.se/bug/?i=18624 [85] = https://curl.se/bug/?i=18612 + [86] = https://curl.se/bug/?i=18899 [87] = https://curl.se/bug/?i=18707 [88] = https://curl.se/bug/?i=18680 [89] = https://curl.se/bug/?i=18740 @@ -357,6 +406,7 @@ References to bug reports and discussions on issues: [135] = https://curl.se/bug/?i=18401 [136] = https://curl.se/bug/?i=18227 [137] = https://curl.se/bug/?i=18719 + [138] = https://curl.se/bug/?i=18894 [139] = https://curl.se/bug/?i=18714 [140] = https://curl.se/bug/?i=18715 [141] = https://curl.se/bug/?i=18776 @@ -374,6 +424,7 @@ References to bug reports and discussions on issues: [153] = https://curl.se/bug/?i=18811 [154] = https://curl.se/bug/?i=18817 [155] = https://curl.se/bug/?i=18815 + [156] = https://curl.se/bug/?i=18893 [157] = https://curl.se/bug/?i=18806 [158] = https://curl.se/bug/?i=18809 [160] = https://curl.se/bug/?i=18810 @@ -382,6 +433,7 @@ References to bug reports and discussions on issues: [163] = https://curl.se/bug/?i=18747 [164] = https://curl.se/bug/?i=18744 [165] = https://curl.se/bug/?i=18662 + [166] = https://curl.se/bug/?i=18891 [167] = https://curl.se/bug/?i=18804 [168] = https://curl.se/bug/?i=18803 [169] = https://curl.se/bug/?i=18805 @@ -389,8 +441,51 @@ References to bug reports and discussions on issues: [171] = https://curl.se/bug/?i=18801 [172] = https://curl.se/bug/?i=18800 [173] = https://curl.se/bug/?i=18799 + [174] = https://curl.se/bug/?i=18889 + [175] = https://curl.se/bug/?i=18887 [176] = https://curl.se/bug/?i=18780 [177] = https://curl.se/bug/?i=18787 [178] = https://curl.se/bug/?i=18790 [179] = https://curl.se/bug/?i=18793 + [180] = https://curl.se/bug/?i=18886 + [181] = https://curl.se/bug/?i=18884 [182] = https://curl.se/bug/?i=18754 + [184] = https://curl.se/bug/?i=18878 + [185] = https://curl.se/bug/?i=18875 + [186] = https://curl.se/bug/?i=18874 + [191] = https://curl.se/bug/?i=18888 + [192] = https://curl.se/bug/?i=18873 + [193] = https://curl.se/bug/?i=18871 + [194] = https://curl.se/bug/?i=18870 + [195] = https://curl.se/bug/?i=18869 + [196] = https://curl.se/bug/?i=18867 + [197] = https://curl.se/bug/?i=18882 + [198] = https://curl.se/bug/?i=18862 + [199] = https://curl.se/bug/?i=18877 + [200] = https://curl.se/bug/?i=18865 + [201] = https://curl.se/bug/?i=18864 + [202] = https://curl.se/bug/?i=18863 + [204] = https://curl.se/bug/?i=18859 + [205] = https://curl.se/bug/?i=18880 + [206] = https://curl.se/bug/?i=18868 + [207] = https://curl.se/bug/?i=18872 + [211] = https://curl.se/bug/?i=18860 + [212] = https://curl.se/bug/?i=18858 + [213] = https://curl.se/bug/?i=18855 + [214] = https://curl.se/bug/?i=18857 + [216] = https://curl.se/bug/?i=18852 + [217] = https://curl.se/bug/?i=18851 + [218] = https://curl.se/bug/?i=18850 + [220] = https://curl.se/bug/?i=18845 + [221] = https://curl.se/bug/?i=18838 + [223] = https://curl.se/bug/?i=18843 + [224] = https://curl.se/bug/?i=18842 + [225] = https://curl.se/bug/?i=18841 + [226] = https://curl.se/bug/?i=18839 + [228] = https://curl.se/bug/?i=18823 + [229] = https://curl.se/bug/?i=18836 + [231] = https://curl.se/bug/?i=18835 + [234] = https://curl.se/bug/?i=18828 + [238] = https://curl.se/bug/?i=18829 + [239] = https://curl.se/bug/?i=18812 + [240] = https://curl.se/bug/?i=18703