From: Daniel Stenberg Date: Thu, 27 Nov 2025 15:14:37 +0000 (+0100) Subject: RELEASE-NOTES: synced X-Git-Tag: rc-8_18_0-1~115 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa9342058fbf0ce1d387b7c590e674e6acabbda8;p=thirdparty%2Fcurl.git RELEASE-NOTES: synced --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 217f8c7504..2dbac34d0f 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -4,7 +4,7 @@ curl and libcurl 8.18.0 Command line options: 273 curl_easy_setopt() options: 308 Public functions in libcurl: 100 - Contributors: 3549 + Contributors: 3553 This release includes the following changes: @@ -19,8 +19,10 @@ This release includes the following bugfixes: o _PROGRESS.md: add the E unit, mention kibibyte [24] o AmigaOS: increase minimum stack size for tool_main [137] o apple-sectrust: always ask when `native_ca_store` is in use [162] + o asyn-ares: handle Curl_dnscache_mk_entry() OOM error [199] o asyn-ares: remove hostname free on OOM [122] o asyn-thrdd: release rrname if ares_init_options fails [41] + o autotools: add nettle library detection via pkg-config (for GnuTLS) [178] o autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr) [70] o badwords: fix issues found in scripts and other files [142] o badwords: fix issues found in tests [156] @@ -31,6 +33,7 @@ This release includes the following bugfixes: o cf-https-connect: allocate ctx at first in cf_hc_create() [79] o cf-socket: limit use of `TCP_KEEP*` to Windows 10.0.16299+ at runtime [157] o cf-socket: trace ignored errors [97] + o cfilters: make conn_forget_socket a private libssh function [109] o checksrc.pl: detect assign followed by more than one space [26] o cmake: adjust defaults for target platforms not supporting shared libs [35] o cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON` [16] 
@@ -39,6 +42,7 @@ This release includes the following bugfixes: o config2setopts: bail out if curl_url_get() returns OOM [102] o config2setopts: exit if curl_url_set() fails on OOM [105] o conncache: silence `-Wnull-dereference` on gcc 14 RISC-V 64 [17] + o conncontrol: reuse handling [170] o connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition' [100] o cookie: propagate errors better, cleanup the internal API [118] o cookie: return error on OOM [131] @@ -53,15 +57,21 @@ This release includes the following bugfixes: o CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text [49] o CURLOPT_READFUNCTION.md: clarify the size of the buffer [47] o CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example + o curlx/fopen: replace open CRT functions their with `_s` counterparts (Windows) [204] o curlx/strerr: use `strerror_s()` on Windows [75] o curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows) [143] + o curlx: replace `sprintf` with `snprintf` [194] o digest_sspi: fix a memory leak on error path [149] o digest_sspi: properly free sspi identity [12] o DISTROS.md: add OpenBSD [126] + o doc: some returned in-memory data may not be altered [196] o docs: fix checksrc `EQUALSPACE` warnings [21] o docs: mention umask need when curl creates files [56] + o docs: spell it Rustls with a capital R [181] o examples/crawler: fix variable [92] + o examples/multi-uv: fix invalid req->data access [177] o examples/multithread: fix race condition [101] + o examples: fix minor typo [203] o examples: make functions/data static where missing [139] o examples: tidy-up headers and includes [138] o file: do not pass invalid mode flags to `open()` on upload (Windows) [83] 
@@ -73,9 +83,12 @@ This release includes the following bugfixes: o gtls: skip session resumption when verifystatus is set o h2/h3: handle methods with spaces [146] o hostip: don't store negative lookup on OOM [61] + o hostip: make more functions return CURLcode [202] + o hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST [183] o hsts: propagate and error out correctly on OOM [130] o http: avoid two strdup()s and do minor simplifications [144] o http: error on OOM when creating range header [59] + o http: fix OOM exit in Curl_http_follow [179] o http: replace atoi use in Curl_http_follow with curlx_str_number [65] o http: the :authority header should never contain user+password [147] o INSTALL-CMAKE.md: document static option defaults more [37] @@ -86,6 +99,7 @@ This release includes the following bugfixes: o lib: fix gssapi.h include on IBMi [55] o lib: refactor the type of funcs which have useless return and checks [1] o lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows) [164] + o lib: timer stats improvements [190] o libssh2: add paths to error messages for quote commands [114] o libssh2: cleanup ssh_force_knownhost_key_type [64] o libssh2: replace atoi() in ssh_force_knownhost_key_type [63] 
@@ -93,11 +107,15 @@ This release includes the following bugfixes: o libtests: replace `atoi()` with `curlx_str_number()` [120] o limit-rate: add example using --limit-rate and --max-time together [89] o m4/sectrust: fix test(1) operator [4] + o manage: expand the 'libcurl support required' message [208] o mbedtls: fix potential use of uninitialized `nread` [8] o mk-ca-bundle.pl: default to SHA256 fingerprints with `-t` option [73] o mk-ca-bundle.pl: use `open()` with argument list to replace backticks [71] o mqtt: reject overly big messages [39] o multi: make max_total_* members size_t [158] + o multi: simplify admin handle processing [189] + o ngtcp2+openssl: fix leak of session [172] + o ngtcp2: remove the unused Curl_conn_is_ngtcp2 function [85] o noproxy: replace atoi with curlx_str_number [67] o openssl: exit properly on OOM when getting certchain [133] o openssl: fix a potential memory leak of bio_out [150] @@ -111,7 +129,9 @@ This release includes the following bugfixes: o progress: show fewer digits [78] o projects/README.md: Markdown fixes [148] o pytest fixes and improvements [159] + o pytest: disable two H3 earlydata tests for all platforms (was: macOS) [116] o pytest: skip H2 tests if feature missing from curl [46] + o ratelimit: redesign [209] o rtmp: fix double-free on URL parse errors [27] o rtmp: precaution for a potential integer truncation [54] o runtests: detect bad libssh differently for test 1459 [11] 
@@ -126,9 +146,11 @@ This release includes the following bugfixes: o setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL [30] o setopt: when setting bad protocols, don't store them [9] o sftp: fix range downloads in both SSH backends [82] + o slist: constify Curl_slist_append_nodup() string argument [195] o smb: fix a size check to be overflow safe [161] o socks_sspi: use free() not FreeContextBuffer() [93] o speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE [113] + o speedlimit: also reset on send unpausing [197] o telnet: replace atoi for BINARY handling with curlx_str_number [66] o TEST-SUITE.md: correct the man page's path [136] o test07_22: fix flakiness [95] @@ -138,11 +160,14 @@ This release includes the following bugfixes: o tests/data: support using native newlines on disk, drop `.gitattributes` [91] o tests/server: do not fall back to original data file in `test2fopen()` [32] o tests/server: replace `atoi()` and `atol()` with `curlx_str_number()` [110] + o tests: allow 2500-2503 to use ~2MB malloc [31] o tftp: release filename if conn_get_remote_addr fails [42] o tftpd: fix/tidy up `open()` mode flags [57] o tidy-up: move `CURL_UNCONST()` out from macro `curl_unicodefree()` [121] o tool: consider (some) curl_easy_setopt errors fatal [7] + o tool: log when loading .curlrc in verbose mode [191] o tool_cfgable: free ssl-sessions at exit [123] + o tool_doswin: clear pointer when thread takes ownership [198] o tool_getparam: verify that a file exists for some options [134] o tool_help: add checks to avoid unsigned wrap around [14] o tool_ipfs: check return codes better [20] 
@@ -157,9 +182,11 @@ This release includes the following bugfixes: o tool_writeout: bail out proper on OOM [104] o url: if OOM in parse_proxy() return error [132] o urlapi: fix mem-leaks in curl_url_get error paths [22] + o urlapi: handle OOM properly when setting URL [180] o verify-release: update to avoid shellcheck warning SC2034 [88] o vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally [96] o vquic: do not pass invalid mode flags to `open()` (Windows) [58] + o vquic: do_sendmsg full init [171] o vtls: fix CURLOPT_CAPATH use [51] o vtls: handle possible malicious certs_num from peer [53] o vtls: pinned key check [98] 
@@ -190,15 +217,16 @@ Planned upcoming removals include: This release would not have looked like this without help, code, reports and advice from friends like these: - Aleksandr Sergeev, Andrew Kirillov, boingball, Brad King, bttrfl on github, - Christian Schmitz, Dan Fandrich, Daniel McCarney, Daniel Stenberg, - Fd929c2CE5fA on github, ffath-vo on github, Gisle Vanem, Jiyong Yang, - Juliusz Sosinowicz, Leonardo Taccari, letshack9707 on hackerone, - Marc Aldorasi, Marcel Raad, nait-furry, ncaklovic on github, Nick Korepanov, - Omdahake on github, Patrick Monnerat, pelioro on hackerone, Ray Satiro, - renovate[bot], Samuel Henrique, Stanislav Fort, Stefan Eissing, - Thomas Klausner, Viktor Szakats, Wesley Moore, Xiaoke Wang - (33 contributors) + Aleksandr Sergeev, Aleksei Bavshin, Andrew Kirillov, BANADDA, boingball, + Brad King, bttrfl on github, Christian Schmitz, Dan Fandrich, + Daniel McCarney, Daniel Stenberg, Fd929c2CE5fA on github, ffath-vo on github, + Gisle Vanem, Jiyong Yang, Juliusz Sosinowicz, Leonardo Taccari, + letshack9707 on hackerone, Marc Aldorasi, Marcel Raad, nait-furry, + ncaklovic on github, Nick Korepanov, Omdahake on github, Patrick Monnerat, + pelioro on hackerone, Ray Satiro, renovate[bot], Samuel Henrique, + st751228051 on github, Stanislav Fort, Stefan Eissing, Sunny, + Thomas Klausner, Viktor Szakats, Wesley Moore, Xiaoke Wang, Yedaya Katsman + (38 contributors) References to bug reports and discussions on issues: @@ -232,6 +260,7 @@ References to bug reports and discussions on issues: [28] = https://curl.se/bug/?i=19354 [29] = https://curl.se/bug/?i=19430 [30] = https://curl.se/bug/?i=19434 + [31] = https://curl.se/bug/?i=19716 [32] = https://curl.se/bug/?i=19429 [33] = https://curl.se/bug/?i=19427 [35] = https://curl.se/bug/?i=19420 
@@ -283,6 +312,7 @@ References to bug reports and discussions on issues: [82] = https://curl.se/bug/?i=19460 [83] = https://curl.se/bug/?i=19647 [84] = https://curl.se/bug/?i=19645 + [85] = https://curl.se/bug/?i=19725 [86] = https://curl.se/bug/?i=19451 [87] = https://curl.se/bug/?i=19450 [88] = https://curl.se/bug/?i=19449 @@ -306,11 +336,13 @@ References to bug reports and discussions on issues: [106] = https://curl.se/bug/?i=19144 [107] = https://curl.se/bug/?i=19512 [108] = https://curl.se/bug/?i=19513 + [109] = https://curl.se/bug/?i=19727 [110] = https://curl.se/bug/?i=19510 [111] = https://curl.se/bug/?i=19509 [112] = https://curl.se/bug/?i=19495 [113] = https://curl.se/bug/?i=19653 [114] = https://curl.se/bug/?i=19605 + [116] = https://curl.se/bug/?i=19724 [117] = https://curl.se/bug/?i=19644 [118] = https://curl.se/bug/?i=19493 [119] = https://curl.se/bug/?i=19483 @@ -358,3 +390,26 @@ References to bug reports and discussions on issues: [166] = https://curl.se/bug/?i=19615 [167] = https://curl.se/bug/?i=19609 [168] = https://curl.se/bug/?i=19612 + [170] = https://curl.se/bug/?i=19333 + [171] = https://curl.se/bug/?i=19714 + [172] = https://curl.se/bug/?i=19717 + [177] = https://curl.se/bug/?i=19462 + [178] = https://curl.se/bug/?i=19703 + [179] = https://curl.se/bug/?i=19705 + [180] = https://curl.se/bug/?i=19704 + [181] = https://curl.se/bug/?i=19702 + [183] = https://curl.se/bug/?i=19701 + [189] = https://curl.se/bug/?i=19604 + [190] = https://curl.se/bug/?i=19269 + [191] = https://curl.se/bug/?i=19663 + [194] = https://curl.se/bug/?i=19681 + [195] = https://curl.se/bug/?i=19692 + [196] = https://curl.se/bug/?i=19692 + [197] = https://curl.se/bug/?i=19687 + [198] = https://curl.se/bug/?i=19689 + [199] = https://curl.se/bug/?i=19688 + [202] = https://curl.se/bug/?i=19669 + [203] = https://curl.se/bug/?i=19683 + [204] = https://curl.se/bug/?i=19643 + [208] = https://curl.se/bug/?i=19665 + [209] = https://curl.se/bug/?i=19384
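Review bot: In the hunk at -39,6 +42,7, the added entry "conncontrol: reuse handling [170]" has no verb and does not say what was fixed, unlike its neighbours in the bugfix list ("cookie: return error on OOM", "config2setopts: bail out if curl_url_get() returns OOM"). A reader scanning the list for behaviour changes in connection reuse has to follow the reference to learn whether this is a fix or a refactor; consider rewording the entry so it states the change.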
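Review bot: In the hunk at -53,15 +57,21, the added line "curlx/fopen: replace open CRT functions their with `_s` counterparts (Windows) [204]" has its words transposed; it should read "replace open CRT functions with their `_s` counterparts", matching the phrasing of the neighbouring "curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows) [143]" entry.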
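Review bot: In the final hunk at -358,3 +390,26, references [195] and [196] both resolve to https://curl.se/bug/?i=19692, while the entries that cite them cover different things ("slist: constify Curl_slist_append_nodup() string argument [195]" and "doc: some returned in-memory data may not be altered [196]"). If both changes came from the same report, a single reference number would do; otherwise one of the two URLs needs correcting before the next sync.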