curl / Development / Pending Release Notes
Pending RELEASE-NOTES for the upcoming release
This is work in progress and seeing changes before the release goes public on 2026-09-02.
Changes:
Bugfixes:
- autotools: minor fixes and improvements
- build: always use local `inet_pton()`/`inet_ntop()` implementations
- build: drop superfluous `STDC_HEADERS` macro
- build: enable thread-safe `getaddrinfo()` for OpenBSD
- cd2nroff: stricter checks for asterisks for italics
- cf-ngtcp2-cmn: initialize new callback ptr for ngtcp2 1.24.0+
- cmake: dedupe expressions into local vars in `cmake_uninstall.in.cmake`
- cmake: fix not to build `tunits` when `BUILD_CURL_EXE=OFF`
- cmake: flatten build tree, tidy up base dir variables
- cmake: minor improvements to `cmake_uninstall.in.cmake`
- cmake: replace `remove` command with `rm` and pass arg safely
- cmake: robustify base path in local file reference
- cmake: stop probing unused `float.h` for `STDC_HEADERS`
- configure: fix misleading error messages
- configure: link `-lcrypt32` instead of `-lm` for wolfSSL on Windows
- configure: remove double check for GnuTLS
- configure: set ldap lib to no by default for non-finds
- conncache: apply multi limits to transfers using a shared pool
- conncache: connection alive checks intervals
- content_encoding: give a clear error on multi-member gzip
- CREDENTIALS.md: remove comment about empty user/pass
- curl_ws_meta.md: polish and better vocabulary
- CURLOPT_HEADERFUNCTION.md: document folded header unfolding
- CURLOPT_SSH_*_KEYFILE: used for setting up, then no more
- CURLOPT_UNRESTRICTED_AUTH.md: 'Authorization' instead of 'Authentication'
- CURLSHOPT_(UN)SHARE.md: do not modify shares while in use
- FTP: fix TLS session reuse on the data connection
- ftp: reject control bytes in ACCT and alternative-to-user
- gopher: reject CR and LF in the selector
- hostip: only cache negative resolves for authoritative answers
- http: trim custom header name before the Authorization drop
- INSTALL.md: add building-from-source overview section
- ldap: support insecure mode for Windows native LDAP
- lib1587: fix gcc `-Wconversion` with LibreSSL on Windows, test in CI
- lib: add "Curl_" prefix to two global functions
- lib: fix 'ns' -> 'us' in trace messages
- lib: ratelimit timestamps
- mbedtls: replace `memset()` with `psa_hash_operation_init()`
- mime: reject CR and LF in mail part name and filename
- mod_curltest: fix compiler warnings
- mqtt: reject control bytes in the topic
- multi: forbid curl_easy_pause from within multi socket callback
- openldap: handle Curl_sasl_continue() returns better
- openssl+sectrust: fix session reuse
- openssl+sectrust: move session verified set into result check
- openssl: drop unused pre-OpenSSL3 `ctx_option_t` typedef
- openssl: prefer modern API flavors for `EVP_MD_CTX` new/free
- openssl: replace stray legacy API variant with `EVP_DigestInit_ex()`
- runtests: restore `-k` option and actively process as no-op
- sasl: fix zero-length response encoding
- schannel: shut off experimental TLS 1.3 support for Win 10
- scripts: use end-of-options marker in `cd`, `mkdir`, `mv`, `sha256sum` commands
- setopt: error for CURLOPT_SHARE when easy handle is used
- setopt: return OK earlier for the deprecated h2 dep options
- smtp: reject CR and LF in the envelope address
- sws: allow connection-monitor to log all disconnects
- test 1560: test RFC4291 style IPv6 IPv4-mapped addresses
- tests: remove test1701
- tests: skip test 311 for wolfSSL 5.9.2
- tidy-up: typos, comment nits
- tool: do not flush on out-null
- tool: fix memory use in parallel mode
- tool: init progress bar on demand
- tool_cb_hdr: de-duplicate filename setter
- tool_operate: remove call to abort()
- url: reject control codes in credentials set via CURLOPT
- urlapi: do not keep an internal port string
- vquic: add Curl_ prefix to some global functions
- vssh: keyfile use cleanups
- VULN-DISCLOSURE-POLICY.md: issues that should be found by tests are LOW
- wolfssl: fix build for wolfssl without bio chain support
- ws: pause/unpause write handling
Contributors:
Alhuda Khan, Bigtang on hackerone, Bryan Henderson, Christian Ullrich, Christoph Reiter, Dan Fandrich, Daniel Stenberg, dependabot[bot], ed0d2b2ce19451f2 on github, Emmanuel Ugwu, Eunsoo Kim, firexinghe on github, Graham Campbell, Hendrik Hübner, HwangRock, itzTanos29, Joel Depooter, Laurent Sabourin, Memduh Çelik, Patrick Monnerat, Ray Satiro, renovate[bot], Roger Leigh, Sam James, Samuel Dainard, smaeljaish on hackerone, Stefan Eissing, stze on hackerone, Viktor Szakats