Pending RELEASE-NOTES for the upcoming release
This is a work in progress and will see changes before the release goes public on 2026-09-02.
Changes:
Bugfixes:
- autotools: minor fixes and improvements
- build: always use local `inet_pton()`/`inet_ntop()` implementations
- build: drop superfluous `STDC_HEADERS` macro
- build: enable thread-safe `getaddrinfo()` for OpenBSD
- cf-ngtcp2-cmn: initialize new callback ptr for ngtcp2 1.24.0+
- cmake: dedupe expressions into local vars in `cmake_uninstall.in.cmake`
- cmake: fix not to build `tunits` when `BUILD_CURL_EXE=OFF`
- cmake: flatten build tree, tidy up base dir variables
- cmake: minor improvements to `cmake_uninstall.in.cmake`
- cmake: replace `remove` command with `rm` and pass arg safely
- cmake: robustify base path in local file reference
- cmake: stop probing unused `float.h` for `STDC_HEADERS`
- conncache: connection alive checks intervals
- content_encoding: give a clear error on multi-member gzip
- CREDENTIALS.md: remove comment about empty user/pass
- curl_ws_meta.md: polish and better vocabulary
- CURLOPT_SSH_*_KEYFILE: used for setting up, then no more
- CURLSHOPT_(UN)SHARE.md: do not modify shares while in use
- gopher: reject CR and LF in the selector
- http: trim custom header name before the Authorization drop
- INSTALL.md: add building-from-source overview section
- ldap: support insecure mode for Windows native LDAP
- lib1587: fix gcc `-Wconversion` with LibreSSL on Windows, test in CI
- lib: fix 'ns' -> 'us' in trace messages
- mbedtls: replace `memset()` with `psa_hash_operation_init()`
- mod_curltest: fix compiler warnings
- mqtt: reject control bytes in the topic
- multi: forbid curl_easy_pause from within multi socket callback
- openldap: handle Curl_sasl_continue() returns better
- openssl+sectrust: fix session reuse
- openssl: drop unused pre-OpenSSL3 `ctx_option_t` typedef
- openssl: prefer modern API flavors for `EVP_MD_CTX` new/free
- openssl: replace stray legacy API variant with `EVP_DigestInit_ex()`
- runtests: restore `-k` option and actively process as no-op
- sasl: fix zero-length response encoding
- schannel: shut off experimental TLS 1.3 support for Win 10
- scripts: use end-of-options marker in `cd`, `mkdir`, `mv`, `sha256sum` commands
- smtp: reject CR and LF in the envelope address
- sws: allow connection-monitor to log all disconnects
- test 1560: test RFC4291 style IPv6 IPv4-mapped addresses
- tool: do not flush on out-null
- tool: init progress bar on demand
- tool_cb_hdr: de-duplicate filename setter
- tool_operate: remove call to abort()
- urlapi: do not keep an internal port string
- VULN-DISCLOSURE-POLICY.md: issues that should be found by tests are LOW
Contributors:
Alhuda Khan, Bigtang on hackerone, Dan Fandrich, Daniel Stenberg, dependabot[bot], ed0d2b2ce19451f2 on github, Emmanuel Ugwu, Eunsoo Kim, Hendrik Hübner, HwangRock, Memduh Çelik, Patrick Monnerat, Ray Satiro, renovate[bot], Roger Leigh, Sam James, Samuel Dainard, smaeljaish on hackerone, Stefan Eissing, stze on hackerone, Viktor Szakats