curl/RELEASE-NOTES
Daniel Stenberg 9cc1ee55a4 RELEASE-NOTES: synced
Add OpenSSL-QUIC as an item to get removed
2025-10-03 08:31:22 +02:00

curl and libcurl 8.17.0
Public curl releases: 271
Command line options: 272
curl_easy_setopt() options: 308
Public functions in libcurl: 98
Contributors: 3513

This release includes the following changes:

o build: drop the winbuild build system [81]
o krb5: drop support for Kerberos FTP [43]
o libssh2: up the minimum requirement to 1.9.0 [85]
o vssh: drop support for wolfSSH [58]
o wcurl: import v2025.09.27 [182]
o write-out: make %header{} able to output *all* occurrences of a header [25]

This release includes the following bugfixes:

o ares: fix leak in tracing [91]
o asyn-thrdd resolver: clear timeout when done [97]
o asyn-thrdd: drop pthread_cancel [30]
o autotools: add support for libgsasl auto-detection via pkg-config [112]
o autotools: capitalize 'Rustls' in the log output [106]
o autotools: fix duplicate `UNIX` and `BSD` flags in `buildinfo.txt` [113]
o autotools: fix silly mistake in clang detection for `buildinfo.txt` [114]
o autotools: make `--enable-code-coverage` support llvm/clang [79]
o aws-lc: re-enable large read-ahead with v1.61.0 again [16]
o base64: accept zero length argument to base64_encode [82]
o build: address some `-Weverything` warnings, update picky warnings [74]
o build: avoid overriding system `open` and `stat` symbols [141]
o build: avoid overriding system symbols for fopen functions [150]
o build: avoid overriding system symbols for socket functions [68]
o build: show llvm/clang in platform flags and `buildinfo.txt` [126]
o cf-h2-proxy: break loop on edge case [140]
o cf-ip-happy: mention unix domain path, not port number [161]
o cf-socket: tweak a memcpy() to read better [177]
o cf-socket: use the right byte order for ports in bindlocal [61]
o cfilter: unlink and discard [46]
o checksrc: catch banned functions when preceded by `(` [146]
o checksrc: fix possible endless loop when detecting `BANNEDFUNC` [149]
o cmake: add `CURL_CODE_COVERAGE` option [78]
o cmake: clang detection tidy-ups [116]
o cmake: drop exclamation in comment looking like a name [160]
o cmake: fix building docs when the base directory contains `.3` [18]
o cmake: use modern alternatives for `get_filename_component()` [102]
o cmake: use more `COMPILER_OPTIONS`, `LINK_OPTIONS` / `LINK_FLAGS` [152]
o cmdline-docs: extended, clarified, refreshed [28]
o cmdline-opts/_PROGRESS.md: explain the suffixes [154]
o configure: add "-mt" for pthread support on HP-UX [52]
o cookie: avoid saving a cookie file if no transfer was done [11]
o curl_easy_getinfo: error code on NULL arg [2]
o curl_mem_undef.h: limit to `CURLDEBUG` for non-memalloc overrides [19]
o curl_slist_append.md: clarify that a NULL pointer is not acceptable [72]
o CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well [8]
o CURLOPT_HEADER/WRITEFUNCTION.md: drop '* size' since size is always 1 [63]
o CURLOPT_MAXLIFETIME_CONN: make default 24 hours [10]
o CURLOPT_SSL_VERIFYHOST.md: add see-also to two other VERIFYHOST options [32]
o CURLOPT_TIMECONDITION.md: works for FILE and FTP as well [27]
o digest_sspi: fix two memory leaks in error branches [77]
o dist: do not distribute `CI.md` [29]
o docs/libcurl: clarify some timeout option behavior [15]
o docs/libcurl: remove ancient version references [7]
o docs/libcurl: use lowercase must [5]
o docs: fix/tidy code fences [87]
o easy_getinfo: check magic, Curl_close safety [3]
o examples: fix two issues found by CodeQL [35]
o examples: fix two more cases of `stat()` TOCTOU [147]
o form.md: drop reference to MANUAL [178]
o ftp: fix ftp_do_more returning with *completep unset [122]
o ftp: fix port number range loop for PORT commands [66]
o gtls: avoid potential use of uninitialized variable in trace output [83]
o hostip: remove leftover INT_MAX check in Curl_dnscache_prune [88]
o http: handle user-defined connection headers [165]
o httpsrr: free old pointers when storing new [57]
o INTERNALS: drop Winsock 2.2 from the dependency list [162]
o INTERNALS: specify minimum version for Heimdal: 7.1.0 [158]
o ip-happy: do not set unnecessary timeout [95]
o ip-happy: prevent event-based stall on retry [155]
o krb5: return appropriate error on send failures [22]
o ldap: do not base64 encode zero length string [42]
o lib: fix build error and compiler warnings with verbose strings disabled [173]
o lib: remove personal names from comments [168]
o lib: upgrade/multiplex handling [136]
o libcurl-multi.md: added curl_multi_get_offt mention [53]
o libcurl-security.md: mention long-running connections [6]
o libssh2: drop two redundant null-terminations [26]
o libssh2: error check and null-terminate in ssh_state_sftp_readdir_link() [34]
o libssh: acknowledge SSH_AGAIN in the SFTP state machine [89]
o libssh: clarify myssh_block2waitfor [92]
o libssh: drop two unused assignments [104]
o libssh: error on bad chgrp number [71]
o libssh: error on bad chown number and store the value [64]
o libssh: fix range parsing error handling mistake [120]
o libssh: react on errors from ssh_scp_read [24]
o libssh: return out of memory correctly if aprintf fails [60]
o Makefile.example: simplify and make it configurable [20]
o managen: ignore version mentions < 7.66.0 [55]
o managen: render better manpage references/links [54]
o managen: strict protocol check [109]
o mbedtls: check result of setting ALPN [127]
o mbedtls: handle WANT_WRITE from mbedtls_ssl_read() [145]
o multi.h: add CURLMINFO_LASTENTRY [51]
o multi_ev: remove unnecessary data check that confuses analysers [167]
o ngtcp2: check error code on connect failure [13]
o ngtcp2: fix early return [131]
o openldap: avoid indexing the result at -1 for blank responses [44]
o openldap: check ber_sockbuf_add_io() return code [163]
o openldap: check ldap_get_option() return codes [119]
o openssl-quic: check results better [132]
o openssl-quic: handle error in SSL_get_stream_read_error_code [129]
o openssl-quic: ignore unexpected streams opened by server [176]
o openssl: clear retry flag on x509 error [130]
o openssl: fail the transfer if ossl_certchain() fails [23]
o openssl: make the asn1_object_dump name null terminated [56]
o openssl: set io_need always [99]
o OS400: fix a use-after-free/double-free case [142]
o pytest: skip specific tests for no-verbose builds [171]
o quic: fix min TLS version handling [14]
o quic: ignore EMSGSIZE on receive [4]
o quiche: fix verbose message when ip quadruple cannot be obtained. [128]
o quiche: when ingress processing fails, return that error code [103]
o runtests: tag tests that require curl verbose strings [172]
o rustls: fix clang-tidy warning [107]
o rustls: fix comment describing cr_recv() [117]
o rustls: typecast variable for safer trace output [69]
o rustls: use %zu for size_t in failf() format string [121]
o sasl: clear canceled mechanism instead of toggling it [41]
o schannel: assign result before using it [62]
o schannel_verify: use more human friendly error messages [96]
o setopt: accept *_SSL_VERIFYHOST set to 2L [31]
o setopt: make CURLOPT_MAXREDIRS accept -1 (again) [1]
o smb: adjust buffer size checks [45]
o smtp: check EHLO responses case insensitively [50]
o socks: handle error in verbose trace gracefully [94]
o socks: make Curl_blockread_all return CURLcode [67]
o socks: rework, cleaning up socks state handling [135]
o socks_gssapi: make the gss_context a local variable [144]
o socks_gssapi: reject too long tokens [90]
o socks_gssapi: remove superfluous releases of the gss_recv_token [139]
o socks_gssapi: remove the forced "no protection" [143]
o socks_sspi: bail out on too long fields [137]
o socks_sspi: fix memory cleanup calls [40]
o socks_sspi: restore non-blocking socket on error paths [48]
o ssl-sessions.md: mark option experimental [12]
o sws: fix checking `sscanf()` return value [17]
o tcp-nodelay.md: expand the documentation [153]
o telnet: make printsub require another byte input [21]
o telnet: refuse IAC codes in content [111]
o telnet: return error on crazy TTYPE or XDISPLOC lengths [123]
o tests/server: drop unsafe `open()` override in signal handler (Windows) [151]
o tftp: check and act on tftp_set_timeouts() returning error [38]
o tftp: handle tftp_multi_statemach() return code [65]
o tftp: pin the first used address [110]
o tftp: propagate expired timer from tftp_state_timeout() [39]
o tftp: return error when sendto() fails [59]
o tidy-up: `fcntl.h` includes [98]
o tidy-up: assortment of small fixes [115]
o tidy-up: avoid using the reserved macro namespace [76]
o tidy-up: update MS links, allow long URLs via `checksrc` [73]
o tidy-up: URLs [101]
o time-cond.md: refer to the singular curl_getdate man page [148]
o TODO: fix a typo [93]
o TODO: remove already implemented or bad items [36]
o tool: fix exponential retry delay [47]
o tool_cb_hdr: fix fwrite check in header callback [49]
o tool_cb_hdr: size is always 1 [70]
o tool_doswin: fix to use curl socket functions [108]
o tool_getparam/set_rate: skip the multiplication on overflow [84]
o tool_getparam: always disable "lib-ids" for tracing [169]
o tool_getparam: warn if provided header looks malformed [179]
o tool_operate: improve wording in retry message [37]
o tool_operate: keep the progress meter for --out-null [33]
o tool_progress: handle possible integer overflows [164]
o tool_progress: make max5data() use an algorithm [170]
o transfer: avoid busy loop with tiny speed limit [100]
o urldata: FILE is not a list-only protocol [9]
o vtls: alpn setting, check proto parameter [134]
o vtls_int.h: clarify data_pending [124]
o vtls_scache: fix race condition [157]
o windows: replace `_beginthreadex()` with `CreateThread()` [80]
o windows: stop passing unused, optional argument for Win9x compatibility [75]
o wolfssl: check BIO read parameters [133]
o wolfssl: fix error check in shutdown [105]
o ws: clarify an error message [125]
o ws: reject curl_ws_recv called with NULL buffer with a buflen [118]

This release includes the following known bugs:

See https://curl.se/docs/knownbugs.html

For all changes ever done in curl:

See https://curl.se/changes.html

Planned upcoming removals include:

o Builds using VS2008
o OpenSSL 1.x support
o OpenSSL-QUIC
o Support for c-ares versions before 1.16.0
o Support for Windows XP/2003
o Windows CE support

See https://curl.se/dev/deprecate.html

This release would not have looked like this without help, code, reports and
advice from friends like these:

Adam Light, Alice Lee Poetics, Andrew Kirillov, Andrew Olsen,
BobodevMm on github, Christian Schmitz, Dan Fandrich, Daniel Stenberg,
dependabot[bot], divinity76 on github, Emilio Pozuelo Monfort, Ethan Everett,
Evgeny Grin (Karlson2k), fds242 on github, Howard Chu, Javier Blazquez,
Jicea, jmaggard10 on github, Johannes Schindelin, Joseph Birr-Pixton,
Joshua Rogers, kapsiR on github, kuchara on github, Marcel Raad,
Michael Osipov, Michał Petryka, Mohamed Daahir, Nir Azkiel, Patrick Monnerat,
Pocs Norbert, Ray Satiro, renovate[bot], rinsuki on github,
Samuel Dionne-Riel, Samuel Henrique, Stanislav Fort, Stefan Eissing,
Viktor Szakats
(38 contributors)

References to bug reports and discussions on issues:

[1] = https://curl.se/bug/?i=18571
[2] = https://curl.se/bug/?i=18512
[3] = https://curl.se/bug/?i=18511
[4] = https://curl.se/bug/?i=18505
[5] = https://curl.se/bug/?i=18570
[6] = https://curl.se/bug/?i=18533
[7] = https://curl.se/bug/?i=18530
[8] = https://curl.se/bug/?i=18531
[9] = https://curl.se/bug/?i=18525
[10] = https://curl.se/bug/?i=18527
[11] = https://curl.se/bug/?i=18621
[12] = https://curl.se/bug/?i=18523
[13] = https://curl.se/bug/?i=18521
[14] = https://curl.se/bug/?i=18518
[15] = https://curl.se/bug/?i=18569
[16] = https://curl.se/bug/?i=18568
[17] = https://curl.se/bug/?i=18565
[18] = https://curl.se/bug/?i=18560
[19] = https://curl.se/bug/?i=18510
[20] = https://curl.se/bug/?i=18554
[21] = https://curl.se/bug/?i=18618
[22] = https://curl.se/bug/?i=18561
[23] = https://curl.se/bug/?i=18646
[24] = https://curl.se/bug/?i=18616
[25] = https://curl.se/bug/?i=18491
[26] = https://curl.se/bug/?i=18606
[27] = https://curl.se/bug/?i=18551
[28] = https://curl.se/bug/?i=18550
[29] = https://curl.se/bug/?i=18549
[30] = https://curl.se/bug/?i=18532
[31] = https://curl.se/mail/lib-2025-09/0031.html
[32] = https://curl.se/bug/?i=18548
[33] = https://curl.se/bug/?i=18607
[34] = https://curl.se/bug/?i=18598
[35] = https://curl.se/bug/?i=18605
[36] = https://curl.se/bug/?i=18542
[37] = https://curl.se/bug/?i=18604
[38] = https://curl.se/bug/?i=18603
[39] = https://curl.se/bug/?i=18574
[40] = https://curl.se/bug/?i=18587
[41] = https://curl.se/bug/?i=18573
[42] = https://curl.se/bug/?i=18602
[43] = https://curl.se/bug/?i=18577
[44] = https://curl.se/bug/?i=18600
[45] = https://curl.se/bug/?i=18599
[46] = https://curl.se/bug/?i=18596
[47] = https://curl.se/bug/?i=18591
[48] = https://curl.se/bug/?i=18592
[49] = https://curl.se/bug/?i=18593
[50] = https://curl.se/bug/?i=18588
[51] = https://curl.se/bug/?i=18578
[52] = https://curl.se/bug/?i=18585
[53] = https://curl.se/bug/?i=18579
[54] = https://curl.se/bug/?i=18580
[55] = https://curl.se/bug/?i=18583
[56] = https://curl.se/bug/?i=18647
[57] = https://curl.se/bug/?i=18631
[58] = https://curl.se/bug/?i=18700
[59] = https://curl.se/bug/?i=18643
[60] = https://curl.se/bug/?i=18637
[61] = https://curl.se/bug/?i=18641
[62] = https://curl.se/bug/?i=18642
[63] = https://curl.se/bug/?i=18640
[64] = https://curl.se/bug/?i=18639
[65] = https://curl.se/bug/?i=18638
[66] = https://curl.se/bug/?i=18636
[67] = https://curl.se/bug/?i=18635
[68] = https://curl.se/bug/?i=18503
[69] = https://curl.se/bug/?i=18628
[70] = https://curl.se/bug/?i=18630
[71] = https://curl.se/bug/?i=18629
[72] = https://curl.se/bug/?i=18627
[73] = https://curl.se/bug/?i=18626
[74] = https://curl.se/bug/?i=18477
[75] = https://curl.se/bug/?i=18490
[76] = https://curl.se/bug/?i=18482
[77] = https://curl.se/bug/?i=18488
[78] = https://curl.se/bug/?i=18468
[79] = https://curl.se/bug/?i=18473
[80] = https://curl.se/bug/?i=18451
[81] = https://curl.se/bug/?i=18040
[82] = https://curl.se/bug/?i=18617
[83] = https://curl.se/bug/?i=18620
[84] = https://curl.se/bug/?i=18624
[85] = https://curl.se/bug/?i=18612
[87] = https://curl.se/bug/?i=18707
[88] = https://curl.se/bug/?i=18680
[89] = https://curl.se/bug/?i=18740
[90] = https://curl.se/bug/?i=18681
[91] = https://curl.se/bug/?i=18251
[92] = https://curl.se/bug/?i=18739
[93] = https://curl.se/bug/?i=18788
[94] = https://curl.se/bug/?i=18722
[95] = https://curl.se/bug/?i=18767
[96] = https://curl.se/bug/?i=18737
[97] = https://curl.se/bug/?i=18769
[98] = https://curl.se/bug/?i=18782
[99] = https://curl.se/bug/?i=18733
[100] = https://curl.se/bug/?i=18732
[101] = https://curl.se/bug/?i=18689
[102] = https://curl.se/bug/?i=18688
[103] = https://curl.se/bug/?i=18730
[104] = https://curl.se/bug/?i=18684
[105] = https://curl.se/bug/?i=18729
[106] = https://curl.se/bug/?i=18671
[107] = https://curl.se/bug/?i=18670
[108] = https://curl.se/bug/?i=18633
[109] = https://curl.se/bug/?i=18675
[110] = https://curl.se/bug/?i=18658
[111] = https://curl.se/bug/?i=18657
[112] = https://curl.se/bug/?i=18669
[113] = https://curl.se/bug/?i=18667
[114] = https://curl.se/bug/?i=18666
[115] = https://curl.se/bug/?i=18664
[116] = https://curl.se/bug/?i=18659
[117] = https://curl.se/bug/?i=18728
[118] = https://curl.se/bug/?i=18656
[119] = https://curl.se/bug/?i=18653
[120] = https://curl.se/bug/?i=18652
[121] = https://curl.se/bug/?i=18651
[122] = https://curl.se/bug/?i=18650
[123] = https://curl.se/bug/?i=18648
[124] = https://curl.se/bug/?i=18644
[125] = https://curl.se/bug/?i=18654
[126] = https://curl.se/bug/?i=18645
[127] = https://curl.se/bug/?i=18727
[128] = https://curl.se/bug/?i=18726
[129] = https://curl.se/bug/?i=18725
[130] = https://curl.se/bug/?i=18724
[131] = https://curl.se/bug/?i=18723
[132] = https://curl.se/bug/?i=18720
[133] = https://curl.se/bug/?i=18718
[134] = https://curl.se/bug/?i=18717
[135] = https://curl.se/bug/?i=18401
[136] = https://curl.se/bug/?i=18227
[137] = https://curl.se/bug/?i=18719
[139] = https://curl.se/bug/?i=18714
[140] = https://curl.se/bug/?i=18715
[141] = https://curl.se/bug/?i=18776
[142] = https://curl.se/bug/?i=18713
[143] = https://curl.se/bug/?i=18712
[144] = https://curl.se/bug/?i=18711
[145] = https://curl.se/bug/?i=18682
[146] = https://curl.se/bug/?i=18779
[147] = https://curl.se/bug/?i=18778
[148] = https://curl.se/bug/?i=18816
[149] = https://curl.se/bug/?i=18775
[150] = https://curl.se/bug/?i=18510
[151] = https://curl.se/bug/?i=18774
[152] = https://curl.se/bug/?i=18762
[153] = https://curl.se/bug/?i=18811
[154] = https://curl.se/bug/?i=18817
[155] = https://curl.se/bug/?i=18815
[157] = https://curl.se/bug/?i=18806
[158] = https://curl.se/bug/?i=18809
[160] = https://curl.se/bug/?i=18810
[161] = https://curl.se/bug/?i=18749
[162] = https://curl.se/bug/?i=18808
[163] = https://curl.se/bug/?i=18747
[164] = https://curl.se/bug/?i=18744
[165] = https://curl.se/bug/?i=18662
[167] = https://curl.se/bug/?i=18804
[168] = https://curl.se/bug/?i=18803
[169] = https://curl.se/bug/?i=18805
[170] = https://curl.se/bug/?i=18807
[171] = https://curl.se/bug/?i=18801
[172] = https://curl.se/bug/?i=18800
[173] = https://curl.se/bug/?i=18799
[176] = https://curl.se/bug/?i=18780
[177] = https://curl.se/bug/?i=18787
[178] = https://curl.se/bug/?i=18790
[179] = https://curl.se/bug/?i=18793
[182] = https://curl.se/bug/?i=18754