Numbers
the 262nd release
5 changes
49 days (total: 9,728)
266 bugfixes (total: 11,094)
435 commits (total: 33,694)
0 new public libcurl function (total: 94)
0 new curl_easy_setopt() option (total: 306)
1 new curl command line option (total: 266)
55 contributors, 22 new (total: 3,268)
25 authors, 10 new (total: 1,312)
1 security fix (total: 160)
Release presentation
At 10:00 CET (09:00 UTC) today the release presentation is live-streamed on Twitch. After the fact, this paragraph is instead replaced with a link to the recording on YouTube.
Security
CVE-2024-9681: HSTS subdomain overwrites parent cache entry. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain’s cache entry, making it end sooner or later than otherwise intended.
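One way an overwrite like this can happen, shown as a simplified model added here for illustration. It is not curl's code: the names (`struct cache`, `find`, `store`) and the update-via-tail-match mechanism are assumptions, and the host names and lifetimes are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Simplified HSTS cache model; names are hypothetical, this is not curl's code. */
struct entry { char host[64]; int include_subdomains; long expires; };
struct cache { struct entry e[8]; int n; };
/* Look up host (assumed lowercased). With tail_ok, an includeSubDomains entry
   for a parent domain also matches; a full host match always wins. */
static struct entry *find(struct cache *c, const char *host, int tail_ok)
{
  struct entry *tail = NULL;
  size_t hlen = strlen(host);
  for(int i = 0; i < c->n; i++) {
    struct entry *s = &c->e[i];
    size_t slen = strlen(s->host);
    if(!strcmp(s->host, host))
      return s;
    if(tail_ok && s->include_subdomains && hlen > slen &&
       host[hlen - slen - 1] == '.' && !strcmp(host + hlen - slen, s->host))
      tail = s;
  }
  return tail;
}

/* Record an STS header from host. fixed=0 is the flawed form: the update lookup
   tail-matches, so a subdomain rewrites the parent's entry. fixed=1 updates only
   a full host match and otherwise adds a separate entry for the subdomain. */
static int store(struct cache *c, const char *host, int subs, long until, int fixed)
{
  struct entry *s = find(c, host, !fixed);
  if(!s) {
    if(c->n == 8 || strlen(host) >= sizeof(c->e[0].host))
      return -1;
    s = &c->e[c->n++];
    strcpy(s->host, host);
  }
  s->include_subdomains = subs;
  s->expires = until;
  return 0;
}

int main(void)
{
  for(int fixed = 0; fixed <= 1; fixed++) {
    struct cache c = { .n = 0 };
    store(&c, "example.com", 1, 31536000, fixed); /* constructed: parent, 1 year */
    store(&c, "x.example.com", 0, 60, fixed);     /* constructed: subdomain, 60 s */
    printf("fixed=%d parent expires=%ld\n", fixed, find(&c, "example.com", 0)->expires);
  }
  return 0;
}
```

In the flawed mode the parent's one-year lifetime is replaced by the subdomain's 60 seconds; in the corrected mode the two hosts keep separate entries and separate expiry times.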
Changes
- --create-dirs works for --dump-header as well
- P12 format support added to GnuTLS backend
- Added options to disable IPFS
- TLSv1.3 earlydata support (with GnuTLS)
- Official WebSocket support
Bugfixes
These are some of my favorite bugfixes in this release.
Build
- cmake: document -D and env build options
- configure: add support for ‘unity’ builds
- configure: set linker flags to allow rustls build on macos
curl
- detect ECH support dynamically, not at build time
- support --show-headers AND --remote-header-name
- make --skip-existing work for --parallel
libcurl
- conncache: find bundle again in case it is removed
- curl.h: remove the struct pointer for CURL/CURLSH/CURLM typedefs
- ftp: fix 0-length last write on upload from stdin
- hsts: support “implied LWS” properly around max-age
- lib: remove function pointer typecasts for hmac/sha256/md5
- mprintf: do not ignore length modifiers of %o, %x, %X
- mprintf: treat %o as unsigned
- multi: make curl_multi_cleanup invalidate magic later
- multi: make multi_handle_timeout use the connect timeout
- netrc: cache the netrc file in memory
- select: use poll() if existing, avoid poll() with no sockets
- url: use same credentials on redirect
- urlapi: normalize the IPv6 address
protocols
- ngtcp2: set max window size to 10x of initial (128KB)
- url: connection reuse on h3 connections
- gnutls: use session cache for QUIC
- mbedTLS: fix handling of TLSv1.3 sessions
- schannel: ignore error on recv beyond close notify
- schannel: reclassify extra-verbose schannel_recv messages
- quic: use send/recvmmsg when available
- quic: use the session cache with wolfSSL as well
tests
- generate lib1521.c atomically
- remove all valgrind disable instructions
- remove debug requirement on 38 tests
- use ‘-4’ where needed
Next
Unless we find a terrible regression, the next curl release is scheduled to ship on January 8, 2025.