curl/RELEASE-NOTES

curl and libcurl 8.10.0

 Public curl releases:         260
 Command line options:         265
 curl_easy_setopt() options:   306
 Public functions in libcurl:  94
 Contributors:                 3224

This release includes the following changes:

 o autotools: add `--with-windows-unicode` option [103]
 o curl: --help [option] displays documentation for given cmdline option [19]
 o curl: add --skip-existing [54]
 o curl: for -O, use "default" as filename when the URL has none [34]
 o curl: make --rate accept "number of units" [4]
 o curl: make --show-headers the same as --include [6]
 o curl: support --dump-header % to direct to stderr [31]
 o curl: support embedding a CA bundle and --dump-ca-embed [20]
 o curl: support repeated use of the verbose option; -vv etc [35]
 o curl: use libuv for parallel transfers with --test-event [82]
 o getinfo: add CURLINFO_POSTTRANSFER_TIME_T [87]
 o mbedtls: add CURLOPT_TLS13_CIPHERS support [78]
 o vtls: stop offering alpn http/1.1 for http2-prior-knowledge [53]
 o wolfssl: add CURLOPT_TLS13_CIPHERS support [76]
 o wolfssl: add support for ssl cert blob / ssl key blob options [50]

This release includes the following bugfixes:

 o autotools: fix typo in tests/data target [30]
 o aws_sigv4: fix canon order for headers with same prefix [74]
 o bearssl: improve shutdown handling [45]
 o BINDINGS: add zig binding [100]
 o build: silence C4232 MSVC warnings in vcpkg ngtcp2 builds [137]
 o cfilters: send flush [13]
 o CHANGES: rename to CHANGES.md, no longer generated [40]
 o CI: enable parallel testing in CI builds [18]
 o ci: Update actions/upload-artifact digest to 89ef406 [24]
 o cmake: add `CURL_USE_PKGCONFIG` option [138]
 o cmake: add Linux CI job, fix pytest with cmake [71]
 o cmake: add math library when using wolfssl and ngtcp2 [66]
 o cmake: add rustls [116]
 o cmake: add support for versioned symbols option [51]
 o cmake: allow `pkg-config` in more envs [147]
 o cmake: cleanup header paths [59]
 o cmake: delete MSVC warning suppression for tests/server [101]
 o cmake: detect `nghttp2` via `pkg-config`, enable by default [21]
 o cmake: detect and show VCPKG in platform flags [84]
 o cmake: distcheck for files in CMake subdir [9]
 o cmake: drop custom `CMakeOutput.log`/`CMakeError.log` logs [27]
 o cmake: drop no-op `tests/data/CMakeLists.txt` [26]
 o cmake: drop reference to undefined variable [25]
 o cmake: drop unused `HAVE_IDNA_STRERROR` [62]
 o cmake: drop unused internal variable [22]
 o cmake: exclude tests/http/clients builds by default [110]
 o cmake: fix `GSS_VERSION` for Heimdal found via pkg-config [77]
 o cmake: fix `pkg-config`-based detection in `FindGSS.cmake` [94]
 o cmake: limit libidn2 `pkg-config` detection to `UNIX` [109]
 o cmake: more small tidy-ups and fixes [80]
 o cmake: show CMake platform/compiler flags [63]
 o cmake: sync up formatting in Find modules [129]
 o cmake: update `curl-config.cmake.in` template var list
 o cmake: update list of "advanced" variables [119]
 o cmake: use numeric comparison for `HAVE_WIN32_WINNT` [69]
 o configure: delete unused `m4/xc-translit.m4` [114]
 o configure: detect AppleIDN [70]
 o configure: fail if PSL is not disabled but not found [46]
 o configure: replace nonportable grep -o with awk [111]
 o cookie.md: try to articulate the two different uses this option has [92]
 o curl: allow 500MB data URL encode strings [38]
 o curl: fix --proxy-pinnedpubkey [91]
 o curl: warn on unsupported SSL options [106]
 o Curl_rand_bytes to control env override [17]
 o curl_sha512_256: fix symbol collisions with nettle library [131]
 o DEPRECATE.md: remove hyper after February 2025 [89]
 o dist: add missing `docs/examples/CMakeLists.txt` [58]
 o dist: add missing `FindNettle.cmake` [11]
 o dist: add missing `lib/optiontable.pl` [115]
 o dist: add missing `test_*.py` scripts [102]
 o dist: drop buildconf [65]
 o dist: fix reproducible build from release tarball [36]
 o dmaketgz: only run 'make distclean' if Makefile exists
 o docs: mention "@-" in more places [67]
 o docs: update CIPHERS.md [140]
 o doh-url.md: point out DOH server IP pinning [37]
 o easy: fix curl_easy_upkeep for shared connection caches [52]
 o escape: allow curl_easy_escape to generate 3*input length output [39]
 o ftp: flush pingpong before response [73]
 o GHA/windows: enable MulitSSL in an MSVC job [2]
 o GHA: scan git repository and detect unvetted binary files [3]
 o gnutls/wolfssl: improve error message when certificate fails [125]
 o hash: provide asserts to verify API use [96]
 o http/2: simplify eos/blocked handling [90]
 o http2+h3 filters: fix ctx init [142]
 o http2: improve rate limiting of downloads [33]
 o http2: improved upload eos handling [41]
 o hyper: call Curl_req_set_upload_done() [126]
 o idn: more strictly check AppleIDN errors [98]
 o idn: support non-UTF-8 input under AppleIDN [99]
 o INSTALL.md: MultiSSL and QUIC are mutually exclusive [7]
 o KNOWN_BUGS: "special characers" in URL works with aws-sigv4 [81]
 o krb5: add Linux/macOS CI tests, fix cmake GSS detection [83]
 o krb5: fix `-Wcast-align` [95]
 o lib: add eos flag to send methods [14]
 o lib: avoid macro collisions between wolfSSL and GnuTLS headers [133]
 o lib: convert some debugf()s into traces [8]
 o lib: fix AIX build issues [112]
 o lib: fix building with wolfSSL without DES support [134]
 o lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name [132]
 o libcurl.pc: add `Cflags.private` [10]
 o libcurl/docs: expand on redirect following and secrets to other hosts [85]
 o llist: remove direct struct accesses, use only functions [72]
 o Makefile.mk: fixup enabling libidn2 [61]
 o Makefile: remove 'scripts' duplicate from DIST_SUBDIRS
 o maketgz: accept option to include latest commit hash [5]
 o manpage: ensure a maximum width for the text version [75]
 o max-filesize.md: mention zero disables the limit [93]
 o mk-ca-bundle.pl: include a link to the caextract webpage [68]
 o multi: make the "general" list of easy handles a Curl_llist [97]
 o ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks [79]
 o openssl: improve shutdown handling [44]
 o progress: ratelimit/progress tweaks [32]
 o pytests: add tests for HEAD requests in all HTTP versions [42]
 o runtests: if DISABLED cannot be read, error out [56]
 o runtests: log ignored but passed tests [130]
 o rustls: make all tests pass [1]
 o sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL [135]
 o sigpipe: init the struct so that first apply ignores [49]
 o smtp: add tracing feature [120]
 o spnego_gssapi: implement TLS channel bindings for openssl [146]
 o test httpd: tweak cipher list [124]
 o test556: improve robustness [64]
 o test579: improve robustness [60]
 o test587: improve robustness [123]
 o test649: improve robustness [122]
 o test677: improve robustness [47]
 o tests/runner: only allow [!A-Za-z0-9_-] in %if feature names [55]
 o tests: don't mangle output if hostname or type unknown
 o tests: ignore QUIT from FTP protocol comparisons [108]
 o tests: provide docs as curldown, not nroff [12]
 o tidy-up: OS names [57]
 o tool_operhlp: fix  "potentially uninitialized local variable 'pc' used" [48]
 o tool_paramhlp: bump maximum post data size in memory to 16GB [128]
 o url: dns_entry related improvements [16]
 o urldata: introduce `data->mid`, a unique identifier inside a multi [127]
 o urldata: remove 'scratch' from the UrlState struct [86]
 o verify-release: shell script that verifies a release tarball [29]
 o vtls: add SSLSUPP_CIPHER_LIST [107]
 o vtls: fix MSVC 'cast truncates constant value' warning [23]
 o vtls: fix static function name collisions between TLS backends [136]
 o vtls: init ssl peer only once [15]
 o websocket: introduce blocking sends [145]
 o wolfssl: avoid taking cached x509 store ref if sslctx already using it [88]
 o wolfssl: fix CURLOPT_SSLVERSION [144]
 o wolfssl: improve shutdown handling [43]
 o ws: flags to opcodes should ignore CURLWS_CONT flag [104]
 o x509asn1: raise size limit for x509 certification information [28]

This release includes the following known bugs:

 See docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)

For all changes ever done in curl:

 See https://curl.se/changes.html

Planned upcoming removals include:

 o TLS libraries not supporting TLS 1.3

 See https://curl.se/dev/deprecate.html for details

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Alex Snast, Antoine du Hamel, Austin Moore, Bo Anderson, Christoph Reiter,
  Dan Fandrich, Daniel Stenberg, David Sardari, dependabot[bot], Jan Venekamp,
  Jiacai Liu, Joe Birr-Pixton, John Haugabook, kit-ty-kate on github,
  MasterInQuestion on github, Matt Jolly, Max Faxälv, Micah Snyder,
  Moritz Buhl, Pete Cordell, Rasmus Thomsen, Ray Satiro, renovate[bot],
  Ryan Carsten Schmidt, Sergio Durigan Junior, Slaven Rezić, Stefan Eissing,
  Steffen Kieß, Tal Regev, Tim Yuer, Viktor Szakats, Yedaya Katsman, 罗朝辉
  (33 contributors)

References to bug reports and discussions on issues:

 [1] = https://curl.se/bug/?i=14317
 [2] = https://curl.se/bug/?i=14276
 [3] = https://curl.se/bug/?i=14333
 [4] = https://curl.se/bug/?i=14245
 [5] = https://curl.se/bug/?i=14363
 [6] = https://curl.se/bug/?i=13987
 [7] = https://curl.se/bug/?i=14308
 [8] = https://curl.se/bug/?i=14322
 [9] = https://curl.se/bug/?i=14323
 [10] = https://curl.se/bug/?i=14321
 [11] = https://curl.se/bug/?i=14285
 [12] = https://curl.se/bug/?i=14324
 [13] = https://curl.se/bug/?i=14271
 [14] = https://curl.se/bug/?i=14220
 [15] = https://curl.se/bug/?i=14152
 [16] = https://curl.se/bug/?i=14195
 [17] = https://curl.se/bug/?i=14264
 [18] = https://curl.se/bug/?i=11510
 [19] = https://curl.se/bug/?i=13997
 [20] = https://curl.se/bug/?i=14059
 [21] = https://curl.se/bug/?i=14136
 [22] = https://curl.se/bug/?i=14361
 [23] = https://curl.se/bug/?i=14341
 [24] = https://curl.se/bug/?i=14359
 [25] = https://curl.se/bug/?i=14358
 [26] = https://curl.se/bug/?i=14357
 [27] = https://curl.se/bug/?i=14356
 [28] = https://curl.se/bug/?i=14352
 [29] = https://curl.se/bug/?i=14350
 [30] = https://curl.se/bug/?i=14355
 [31] = https://curl.se/bug/?i=13992
 [32] = https://curl.se/bug/?i=14335
 [33] = https://curl.se/bug/?i=14326
 [34] = https://curl.se/bug/?i=13988
 [35] = https://curl.se/bug/?i=13977
 [36] = https://curl.se/bug/?i=14336
 [37] = https://curl.se/bug/?i=14377
 [38] = https://curl.se/bug/?i=14337
 [39] = https://curl.se/bug/?i=14339
 [40] = https://curl.se/bug/?i=14331
 [41] = https://curl.se/bug/?i=14253
 [42] = https://curl.se/bug/?i=14367
 [43] = https://curl.se/bug/?i=14376
 [44] = https://curl.se/bug/?i=14375
 [45] = https://curl.se/bug/?i=14374
 [46] = https://curl.se/bug/?i=14373
 [47] = https://curl.se/bug/?i=14455
 [48] = https://curl.se/bug/?i=14389
 [49] = https://curl.se/bug/?i=14344
 [50] = https://curl.se/bug/?i=14018
 [51] = https://curl.se/bug/?i=14349
 [52] = https://curl.se/bug/?i=12677
 [53] = https://curl.se/bug/?i=9963
 [54] = https://curl.se/bug/?i=13993
 [55] = https://curl.se/bug/?i=14403
 [56] = https://curl.se/bug/?i=14411
 [57] = https://curl.se/bug/?i=14360
 [58] = https://curl.se/bug/?i=14380
 [59] = https://curl.se/bug/?i=14416
 [60] = https://curl.se/bug/?i=14454
 [61] = https://curl.se/bug/?i=14421
 [62] = https://curl.se/bug/?i=14420
 [63] = https://curl.se/bug/?i=14417
 [64] = https://curl.se/bug/?i=14453
 [65] = https://curl.se/bug/?i=14412
 [66] = https://curl.se/bug/?i=14343
 [67] = https://curl.se/bug/?i=14402
 [68] = https://github.com/curl/curl-www/issues/374
 [69] = https://curl.se/bug/?i=14409
 [70] = https://curl.se/bug/?i=14401
 [71] = https://curl.se/bug/?i=14382
 [72] = https://curl.se/bug/?i=14485
 [73] = https://curl.se/bug/?i=14452
 [74] = https://curl.se/bug/?i=14370
 [75] = https://curl.se/bug/?i=14423
 [76] = https://curl.se/bug/?i=14385
 [77] = https://curl.se/bug/?i=14393
 [78] = https://curl.se/bug/?i=14384
 [79] = https://curl.se/bug/?i=14394
 [80] = https://curl.se/bug/?i=14450
 [81] = https://curl.se/bug/?i=13754
 [82] = https://curl.se/bug/?i=14298
 [83] = https://curl.se/bug/?i=14447
 [84] = https://curl.se/bug/?i=14451
 [85] = https://curl.se/bug/?i=14472
 [86] = https://curl.se/bug/?i=14500
 [87] = https://curl.se/bug/?i=14189
 [88] = https://curl.se/bug/?i=14442
 [89] = https://curl.se/bug/?i=14492
 [90] = https://curl.se/bug/?i=14435
 [91] = https://curl.se/bug/?i=14438
 [92] = https://curl.se/bug/?i=14491
 [93] = https://curl.se/bug/?i=14440
 [94] = https://curl.se/bug/?i=14430
 [95] = https://curl.se/bug/?i=14433
 [96] = https://curl.se/bug/?i=14503
 [97] = https://curl.se/bug/?i=14474
 [98] = https://curl.se/bug/?i=14431
 [99] = https://curl.se/bug/?i=14431
 [100] = https://curl.se/bug/?i=14437
 [101] = https://curl.se/bug/?i=14428
 [102] = https://curl.se/bug/?i=14427
 [103] = https://curl.se/bug/?i=7229
 [104] = https://curl.se/bug/?i=14397
 [106] = https://curl.se/bug/?i=14406
 [107] = https://curl.se/bug/?i=14406
 [108] = https://curl.se/bug/?i=14404
 [109] = https://curl.se/bug/?i=14405
 [110] = https://curl.se/bug/?i=14477
 [111] = https://curl.se/bug/?i=14469
 [112] = https://curl.se/bug/?i=14464
 [114] = https://curl.se/bug/?i=14459
 [115] = https://curl.se/bug/?i=14467
 [116] = https://curl.se/bug/?i=14534
 [119] = https://curl.se/bug/?i=14540
 [120] = https://curl.se/bug/?i=14531
 [122] = https://curl.se/bug/?i=14526
 [123] = https://curl.se/bug/?i=14525
 [124] = https://curl.se/bug/?i=14502
 [125] = https://curl.se/bug/?i=14501
 [126] = https://curl.se/bug/?i=14539
 [127] = https://curl.se/bug/?i=14414
 [128] = https://curl.se/bug/?i=14521
 [129] = https://curl.se/bug/?i=14527
 [130] = https://curl.se/bug/?i=14457
 [131] = https://curl.se/bug/?i=14514
 [132] = https://curl.se/bug/?i=14513
 [133] = https://curl.se/bug/?i=14511
 [134] = https://curl.se/bug/?i=14512
 [135] = https://curl.se/bug/?i=14515
 [136] = https://curl.se/bug/?i=14516
 [137] = https://curl.se/bug/?i=14510
 [138] = https://curl.se/bug/?i=14504
 [140] = https://curl.se/bug/?i=14460
 [142] = https://curl.se/bug/?i=14505
 [144] = https://curl.se/bug/?i=14480
 [145] = https://curl.se/bug/?i=14458
 [146] = https://curl.se/bug/?i=13098
 [147] = https://curl.se/bug/?i=14483