From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 25 Dec 2025 11:13:55 +0000 (+0100)
Subject: RELEASE-NOTES: synced
X-Git-Tag: rc-8_18_0-3~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed966832b6a171da53dbecd8a7bf71a4f7464f17;p=thirdparty%2Fcurl.git

RELEASE-NOTES: synced
---

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 887ae11dda..0bb05ae5c2 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -4,7 +4,7 @@ curl and libcurl 8.18.0
  Command line options:         273
  curl_easy_setopt() options:   308
  Public functions in libcurl:  100
- Contributors:                 3562
+ Contributors:                 3563
 
 This release includes the following changes:
 
@@ -20,6 +20,7 @@ This release includes the following bugfixes:
  o alt-svc: more flexibility on same destination [298]
  o altsvc: make it one malloc instead of three per entry [266]
  o AmigaOS: increase minimum stack size for tool_main [137]
+ o apple sectrust: fix ancient evaluation [327]
  o apple-sectrust: always ask when `native_ca_store` is in use [162]
  o asyn-ares: handle Curl_dnscache_mk_entry() OOM error [199]
  o asyn-ares: remove hostname free on OOM [122]
@@ -39,6 +40,7 @@ This release includes the following bugfixes:
  o build: set `-Wno-format-signedness` [288]
  o build: tidy-up MSVC CRT warning suppression macros [140]
  o ccsidcurl: make curl_mime_data_ccsid() use the converted size [74]
+ o cf-h1-proxy: support folded headers in CONNECT responses [296]
  o cf-https-connect: allocate ctx at first in cf_hc_create() [79]
  o cf-socket: drop feature check for `IPV6_V6ONLY` on Windows [210]
  o cf-socket: enable Win10 `TCP_KEEP*` options with old SDKs [323]
@@ -48,6 +50,7 @@ This release includes the following bugfixes:
  o checksrc.pl: detect assign followed by more than one space [26]
  o cmake: adjust defaults for target platforms not supporting shared libs [35]
  o cmake: define dependencies as `IMPORTED` interface targets [223]
+ o cmake: delete unused file `CMake/CMakeConfigurableFile.in` [363]
  o cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON` [16]
  o cmake: fix `ws2_32` reference in `curl-config.cmake` [201]
  o cmake: honor `CURL_DISABLE_INSTALL` and `CURL_ENABLE_EXPORT_TARGET` [106]
@@ -66,8 +69,10 @@ This release includes the following bugfixes:
  o conncontrol: reuse handling [170]
  o connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition' [100]
  o connection: attached transfer count [228]
+ o content_encoding: avoid strcpy [331]
  o cookie. return proper error on OOM [330]
  o cookie: allocate the main struct once cookie is fine [259]
+ o cookie: flush better [218]
  o cookie: only keep and use the canonical cleaned up path [256]
  o cookie: propagate errors better, cleanup the internal API [118]
  o cookie: return error on OOM [131]
@@ -76,6 +81,7 @@ This release includes the following bugfixes:
  o curl: fix progress meter in parallel mode [15]
  o curl_fopen: do not pass invalid mode flags to `open()` on Windows [84]
  o curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer [257]
+ o curl_ntlm_core: fix DES_* symbols for some wolfSSL builds [281]
  o curl_sasl: if redirected, require permission to use bearer [250]
  o curl_sasl: make Curl_sasl_decode_mech compare case insensitively [160]
  o curl_setup.h: document more funcs flagged by `_CRT_SECURE_NO_WARNINGS` [124]
@@ -88,14 +94,18 @@ This release includes the following bugfixes:
  o CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use [206]
  o CURLOPT_ACCEPT_ENCODING.md: warn about the expansion [224]
  o CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/ [283]
+ o CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use [328]
  o CURLOPT_READFUNCTION.md: clarify the size of the buffer [47]
  o CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
  o curlx/fopen: replace open CRT functions their with `_s` counterparts (Windows) [204]
  o curlx/multibyte: stop setting macros for non-Windows [226]
  o curlx/strerr: use `strerror_s()` on Windows [75]
+ o curlx: add `curlx_rename()`, fix to support long filenames on Windows [354]
+ o curlx: curlx_strcopy() instead of strcpy() [326]
  o curlx: limit use of system allocators to the minimum possible [169]
  o curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows) [143]
  o curlx: replace `sprintf` with `snprintf` [194]
+ o curlx: use curl alloc in `curlx_win32_stat()` (Windows) [360]
  o curlx: use curlx allocators in non-memdebug builds (Windows) [155]
  o DEPRECATE: add CMake <3.18 deprecation for April 2026 [291]
  o digest_sspi: fix a memory leak on error path [149]
@@ -116,6 +126,7 @@ This release includes the following bugfixes:
  o docs: switch more URLs to https:// [229]
  o docs: use .example URLs for proxies
  o docs: use mresult as variable name for CURLMcode
+ o escape: add a length check in curl_easy_escape [284]
  o example: fix formatting nits [232]
  o examples/crawler: fix variable [92]
  o examples/multi-uv: fix invalid req->data access [177]
@@ -172,6 +183,7 @@ This release includes the following bugfixes:
  o lib/sendf.h: forward declare two structs [221]
  o lib: cleanup for some typos about spaces and code style [3]
  o lib: create unitprotos.h in the builddir, not srcdir [322]
+ o lib: drop unused protocol headers [270]
  o lib: eliminate size_t casts [112]
  o lib: error for OOM when extracting URL query [127]
  o lib: fix formatting nits (part 2) [253]
@@ -182,17 +194,20 @@ This release includes the following bugfixes:
  o lib: refactor the type of funcs which have useless return and checks [1]
  o lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows) [164]
  o lib: timer stats improvements [190]
+ o lib: use `SOCKET_WRITABLE()`/`SOCKET_READABLE()` where possible [350]
  o libssh2: add paths to error messages for quote commands [114]
  o libssh2: cleanup ssh_force_knownhost_key_type [64]
  o libssh2: consider strdup() failures OOM and return correctly [72]
  o libssh2: replace atoi() in ssh_force_knownhost_key_type [63]
  o libssh: fix state machine loop to progress as it should
  o libssh: properly free sftp_attributes [153]
+ o libssh: set both knownhosts options to the same file [271]
  o libtests: replace `atoi()` with `curlx_str_number()` [120]
  o limit-rate: add example using --limit-rate and --max-time together [89]
  o localtime: detect thread-safe alternatives and use them [325]
  o m4/sectrust: fix test(1) operator [4]
  o manage: expand the 'libcurl support required' message [208]
+ o mbedTLS: cleanup insecure/deprecated code [351]
  o mbedtls: fix potential use of uninitialized `nread` [8]
  o mbedtls: sync format across log messages [213]
  o mbedtls_threadlock: avoid calloc, use array [244]
@@ -210,6 +225,7 @@ This release includes the following bugfixes:
  o multibyte: limit `curlx_convert_*wchar*()` functions to Unicode builds [135]
  o ngtcp2+openssl: fix leak of session [172]
  o ngtcp2: remove the unused Curl_conn_is_ngtcp2 function [85]
+ o ngtcp2: retune window sizes [365]
  o noproxy: fix build on systems without IPv6 [264]
  o noproxy: fix ipv6 handling [239]
  o noproxy: replace atoi with curlx_str_number [67]
@@ -223,6 +239,7 @@ This release includes the following bugfixes:
  o openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache [313]
  o OS400/ccsidcurl: fix curl_easy_setopt_ccsid for non-converted blobs [94]
  o OS400/makefile.sh: fix shellcheck warning SC2038 [86]
+ o os400sys: replace `strcpy()` with `memcpy()` [273]
  o osslq: code readability [5]
  o progress: show fewer digits [78]
  o projects/README.md: Markdown fixes [148]
@@ -262,6 +279,7 @@ This release includes the following bugfixes:
  o sftp: fix range downloads in both SSH backends [82]
  o slist: constify Curl_slist_append_nodup() string argument [195]
  o smb: fix a size check to be overflow safe [161]
+ o socketpair: drop redundant `_WIN32` branch and include [367]
  o socks_sspi: use free() not FreeContextBuffer() [93]
  o speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE [113]
  o speedlimit: also reset on send unpausing [197]
@@ -282,6 +300,7 @@ This release includes the following bugfixes:
  o test568: fix codespell, catch it next time early in CI [299]
  o test568: remove what looks like an email and a URL [304]
  o test787: fix possible typo `&` -> `%` in curl option [241]
+ o test96: fix to accept non-unity memdump content with MSVC [339]
  o tests/data: move `--libcurl` output to external data files [34]
  o tests/data: replace hard-coded test numbers with `%TESTNUMBER` [33]
  o tests/data: support using native newlines on disk, drop `.gitattributes` [91]
@@ -317,6 +336,7 @@ This release includes the following bugfixes:
  o tool_paramhlp: refuse --proto remove all protocols [10]
  o tool_urlglob: acknowledge OOM in peek_ipv6 [175]
  o tool_urlglob: clean up used memory on errors better [44]
+ o tool_urlglob: constify an argument [361]
  o tool_urlglob: support globs as long as config line lengths [282]
  o tool_writeout: bail out proper on OOM [104]
  o url: fix return code for OOM in parse_proxy() [193]
@@ -329,11 +349,13 @@ This release includes the following bugfixes:
  o vquic: do not pass invalid mode flags to `open()` (Windows) [58]
  o vquic: do_sendmsg full init [171]
  o vquic: ignore 0-length UDP packets [336]
+ o vquic: initialize new callback in nghttp3 1.14.0+ [317]
  o vtls: fix CURLOPT_CAPATH use [51]
  o vtls: handle possible malicious certs_num from peer [53]
  o vtls: pinned key check [98]
  o wcurl: import v2025.11.09 [29]
  o windows: assume `USE_WIN32_LARGE_FILES` [292]
+ o windows: fix `CreateFile()` calls to support long filenames [356]
  o windows: use `_strdup()` instead of `strdup()` where missing [145]
  o wolfSSL: able to differentiate between IP and DNS in alt names [13]
  o wolfssl: avoid NULL dereference in OOM situation [77]
@@ -342,6 +364,7 @@ This release includes the following bugfixes:
  o wolfssl: fix possible assert with `!HAVE_NO_EX` wolfSSL builds [261]
  o wolfssl: proof use of wolfSSL_i2d_SSL_SESSION [314]
  o wolfssl: simplify wssl_send_earlydata [111]
+ o x509asn1: drop unused `hostcheck.h`, `vtls_int.h` includes [340]
 
 This release includes the following known bugs:
 
@@ -363,21 +386,22 @@ Planned upcoming removals include:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Aleksandr Sergeev, Aleksei Bavshin, Andrew Kirillov,
+  Aleksandr Sergeev, Aleksei Bavshin, Alexander Batischev, Andrew Kirillov,
   anonymous237 on hackerone, BANADDA, boingball, Brad King, bttrfl on github,
-  Christian Schmitz, Dan Fandrich, Daniel McCarney, Daniel Stenberg,
-  Denis Goleshchikhin, Deniz Parlak, dependabot[bot], Fabian Keil,
-  Fd929c2CE5fA on github, ffath-vo on github, Gabriel Marin,
-  Georg Schulz-Allgaier, Gisle Vanem, Greg Hudson, Harry Sintonen, Jeff King,
-  Jiyong Yang, John Haugabook, Juliusz Sosinowicz, Kai Pastor,
-  Leonardo Taccari, letshack9707 on hackerone, Marc Aldorasi, Marcel Raad,
-  Max FaxÃ¤lv, nait-furry, ncaklovic on github, Nick Korepanov,
-  Omdahake on github, Patrick Monnerat, pelioro on hackerone, Ray Satiro,
-  renovate[bot], Robert W. Van Kirk, Samuel Henrique, Sergey Katsubo,
-  st751228051 on github, Stanislav Fort, Stefan Eissing, Sunny, Theo Buehler,
-  Thomas Klausner, Viktor Szakats, Wesley Moore, Xiaoke Wang, Yedaya Katsman,
-  Yuhao Jiang, yushicheng7788 on github
-  (56 contributors)
+  Christian Schmitz, Dan Fandrich, Daniel McCarney, Daniel Pouzzner,
+  Daniel Santos, Daniel Stenberg, Denis Goleshchikhin, Deniz Parlak,
+  dependabot[bot], Fabian Keil, Fd929c2CE5fA on github, ffath-vo on github,
+  Gabriel Marin, Georg Schulz-Allgaier, Gisle Vanem, Greg Hudson,
+  Harry Sintonen, Jeff King, Jiyong Yang, John Haugabook, Juliusz Sosinowicz,
+  Kai Pastor, koujaz on github, Leonardo Taccari, letshack9707 on hackerone,
+  Marc Aldorasi, Marcel Raad, Mathesh V, Max FaxÃ¤lv, nait-furry,
+  ncaklovic on github, Nick Korepanov, Omdahake on github, Patrick Monnerat,
+  pelioro on hackerone, Ray Satiro, renovate[bot], Robert W. Van Kirk,
+  Samuel Henrique, Sergey Katsubo, st751228051 on github, Stanislav Fort,
+  Stefan Eissing, Sunny, Theo Buehler, Thomas Klausner, Viktor Szakats,
+  Wesley Moore, Wyatt O'Day, Xiaoke Wang, Yedaya Katsman, Yuhao Jiang,
+  yushicheng7788 on github
+  (62 contributors)
 
 References to bug reports and discussions on issues:
 
@@ -598,6 +622,7 @@ References to bug reports and discussions on issues:
  [215] = https://curl.se/bug/?i=19764
  [216] = https://curl.se/bug/?i=18009
  [217] = https://curl.se/bug/?i=19763
+ [218] = https://curl.se/bug/?i=20090
  [219] = https://curl.se/bug/?i=19759
  [220] = https://curl.se/bug/?i=19756
  [221] = https://curl.se/bug/?i=19761
@@ -649,7 +674,10 @@ References to bug reports and discussions on issues:
  [267] = https://curl.se/bug/?i=19858
  [268] = https://curl.se/bug/?i=19753
  [269] = https://curl.se/bug/?i=19965
+ [270] = https://curl.se/bug/?i=20093
+ [271] = https://curl.se/bug/?i=20092
  [272] = https://curl.se/bug/?i=20026
+ [273] = https://curl.se/bug/?i=20089
  [274] = https://curl.se/bug/?i=19964
  [275] = https://curl.se/bug/?i=18189
  [276] = https://curl.se/bug/?i=19922
@@ -657,8 +685,10 @@ References to bug reports and discussions on issues:
  [278] = https://curl.se/bug/?i=19920
  [279] = https://curl.se/bug/?i=19918
  [280] = https://curl.se/bug/?i=19770
+ [281] = https://curl.se/bug/?i=20083
  [282] = https://curl.se/bug/?i=19960
  [283] = https://curl.se/bug/?i=19915
+ [284] = https://curl.se/bug/?i=20086
  [285] = https://curl.se/bug/?i=19911
  [286] = https://curl.se/bug/?i=19900
  [288] = https://curl.se/bug/?i=19907
@@ -666,6 +696,7 @@ References to bug reports and discussions on issues:
  [292] = https://curl.se/bug/?i=19888
  [294] = https://curl.se/bug/?i=19901
  [295] = https://curl.se/bug/?i=19899
+ [296] = https://curl.se/bug/?i=20080
  [297] = https://curl.se/bug/?i=19894
  [298] = https://curl.se/bug/?i=19740
  [299] = https://curl.se/bug/?i=19945
@@ -684,6 +715,7 @@ References to bug reports and discussions on issues:
  [313] = https://curl.se/bug/?i=20009
  [314] = https://curl.se/bug/?i=20008
  [316] = https://curl.se/bug/?i=19997
+ [317] = https://curl.se/bug/?i=20077
  [318] = https://curl.se/bug/?i=20002
  [319] = https://curl.se/bug/?i=19995
  [320] = https://curl.se/bug/?i=20001
@@ -692,8 +724,23 @@ References to bug reports and discussions on issues:
  [323] = https://curl.se/bug/?i=19999
  [324] = https://curl.se/bug/?i=19980
  [325] = https://curl.se/bug/?i=19957
+ [326] = https://curl.se/bug/?i=20067
+ [327] = https://curl.se/bug/?i=20074
+ [328] = https://curl.se/bug/?i=20075
  [329] = https://curl.se/bug/?i=19996
  [330] = https://curl.se/bug/?i=19992
+ [331] = https://curl.se/bug/?i=20072
  [334] = https://curl.se/bug/?i=19984
  [335] = https://curl.se/bug/?i=19986
  [336] = https://curl.se/bug/?i=19978
+ [339] = https://curl.se/bug/?i=20064
+ [340] = https://curl.se/bug/?i=20063
+ [350] = https://curl.se/bug/?i=20052
+ [351] = https://curl.se/bug/?i=19983
+ [354] = https://curl.se/bug/?i=20042
+ [356] = https://curl.se/bug/?i=19286
+ [360] = https://curl.se/bug/?i=20043
+ [361] = https://curl.se/bug/?i=20045
+ [363] = https://curl.se/bug/?i=20038
+ [365] = https://curl.se/bug/?i=20030
+ [367] = https://curl.se/bug/?i=20032