curl/RELEASE-NOTES

curl and libcurl 7.87.1

 Public curl releases:         213
 Command line options:         250
 curl_easy_setopt() options:   302
 Public functions in libcurl:  91
 Contributors:                 2811

This release includes the following changes:

 o curl.h: add CURL_HTTP_VERSION_3ONLY [82]
 o share: add sharing of HSTS cache among handles [7]
 o src: add --http3-only [81]
 o tool_operate: share HSTS between handles
 o urlapi: add CURLU_PUNYCODE [25]
 o writeout: add %{certs} and %{num_certs} [33]

This release includes the following bugfixes:

 o cf-socket: fix build when not HAVE_GETPEERNAME [89]
 o cf-socket: keep sockaddr local in the socket filters [69]
 o cfilters:Curl_conn_get_select_socks: use the first non-connected filter [24]
 o CI: add a workflow to automatically label pull requests [102]
 o CI: add pytest GHA to CI test/tests-httpd on a HTTP/3 setup [109]
 o CI: Retry failed downloads to reduce spurious failures
 o cmake: bump requirement to 3.7 [23]
 o cmake: check for sendmsg [39]
 o cmake: delete redundant macro definition `SECURITY_WIN32` [91]
 o cmake: fix dev warning due to mismatched arg [160]
 o cmake: fix the snprintf detection [5]
 o cmake: remove deprecated symbols check [96]
 o cmake: set SOVERSION also for macOS [68]
 o cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS [94]
 o CODEOWNERS: remove the peeps mentioned as CI owners [128]
 o connect: fix access of pointer before NULL check [83]
 o connect: fix build when not ENABLE_IPV6 [88]
 o connect: fix strategy testing for attempts, timeouts and happy-eyeball [110]
 o connections: introduce http/3 happy eyeballs [127]
 o cookies: fp is always not NULL [104]
 o copyright.pl: cease doing year verifications [74]
 o copyright: update all copyright lines and remove year ranges [35]
 o curl.h: allow up to 10M buffer size [76]
 o curl.h: mark CURLSSLBACKEND_MESALINK as deprecated [52]
 o curl/websockets.h: extend the websocket frame struct
 o curl: output warning at --verbose output for debug-enabled version [80]
 o curl_free.3: fix return type of `curl_free` [113]
 o curl_global_sslset.3: clarify the openssl situation [53]
 o curl_log: for failf/infof and debug logging implementations [87]
 o curl_setup: Disable by default recv-before-send in Windows [154]
 o curl_version_info.3: fix typo [100]
 o curl_ws_send.3: clarify how to send multi-frame messages
 o CURLOPT_HEADERDATA.3: warn DLL users must set write function [45]
 o CURLOPT_READFUNCTION.3: the callback 'size' arg is always 1 [73]
 o CURLOPT_WRITEFUNCTION.3: fix memory leak in example [122]
 o dict: URL decode the entire path always [120]
 o docs/DEPRECATE.md: deprecate gskit [36]
 o docs: add link to GitHub Discussions [49]
 o docs: mention indirect effects of --insecure [19]
 o docs: POSTFIELDSIZE must be set to -1 with read function [97]
 o doh: ifdef IPv6 code [123]
 o easyoptions: fix header printing in generation script [84]
 o escape: hex decode with a lookup-table [107]
 o escape: use table lookup when adding %-codes to output [105]
 o examples: remove the curlgtk.c example [48]
 o fopen: remove unnecessary assignment [111]
 o ftpserver: lower the DATA connect timeout to speed up torture tests [27]
 o GHA/macos.yml: bump to gcc-12 [106]
 o GHA/macos: use Xcode_14.0.1 for cmake builds [132]
 o GHA: add job on Slackware 15.0 [58]
 o GHA: enable websockets in the torture job [148]
 o GHA: move the quiche job here from zuul [75]
 o GHA: use designated ngtcp2 and its dependencies versions [77]
 o haxproxy: send before TLS handhshake [34]
 o header.d: add a header file example [149]
 o hsts.d: explain hsts more [78]
 o hsts: handle adding the same host name again
 o HTTP/[23]: continue upload when state.drain is set [150]
 o http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames [155]
 o http2: fix compiler warning due to uninitialized variable
 o http2: minor buffer and error path fixes [151]
 o http2: when using printf %.*s, the length arg must be 'int' [41]
 o HTTP3: mention what needs to be in place to remove EXPERIMENTAL label [31]
 o http: add additional condition for including stdint.h [54]
 o http: decode transfer encoding first [51]
 o http: fix "part of conditional expression is always false" [125]
 o http: remove the trace message "Mark bundle... multiuse" [6]
 o http_aws_sigv4: remove typecasts from HMAC_SHA256 macro [121]
 o http_proxy: do not assign data->req.p.http use local copy [59]
 o INSTALL: document how to use multiple TLS backends [103]
 o lib670: make test.h the first include [56]
 o lib: connect/h2/h3 refactor [57]
 o lib: fix typos [99]
 o lib: fix typos in comments which repeat a word [67]
 o libssh2: try sha2 algos for hostkey methods [2]
 o libtest: add a sleep macro for Windows [115]
 o Linux CI: update some dependecies to latest tag [44]
 o Makefile.mk: fix wolfssl and mbedtls default paths [21]
 o man pages: call the custom user pointer 'clientp' consistently [135]
 o md4: fix build with GnuTLS + OpenSSL v1 [12]
 o misc: fix grammar and spelling [14]
 o misc: fix spelling [134]
 o misc: reduce struct and struct field sizes [65]
 o msh3: add support for request payload [28]
 o msh3: update to v0.5 Release [17]
 o msh3: update to v0.6 [60]
 o multi: stop sending empty HTTP/3 UDP datagrams on Windows [136]
 o multihandle: turn bool struct fields into bits [26]
 o ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl [62]
 o ngtcp2: fix the build without 'sendmsg' [38]
 o ngtcp2: replace removed define and stop using removed function [164]
 o no-clobber.d: only use long form options in man page text [145]
 o noproxy: support for space-separated names is deprecated [66]
 o nss: implement data_pending method [43]
 o openldap: fix missing sasl symbols at build in specific configs [152]
 o openssl: adapt to boringssl's error code type [118]
 o openssl: don't ignore CA paths when using Windows CA store (redux) [101]
 o openssl: don't log raw record headers [93]
 o openssl: make the BIO_METHOD a local variable in the connection filter [79]
 o openssl: only use CA_BLOB if verifying peer [112]
 o openssl: remove attached easy handles from SSL instances [29]
 o openssl: store the CA after first send (ClientHello) [156]
 o os400: fixes to make-lib.sh and initscript.sh [71]
 o packages: remove Android, update README [108]
 o release-notes.pl: check fixes/closes lines better
 o Revert "x509asn1: avoid freeing unallocated pointers" [37]
 o runtest.pl: add expected fourth return value [40]
 o runtests: also tear down http2/http3 servers when https server is stopped [8]
 o runtests: consider warnings fatal and error on them [32]
 o runtests: fix detection of TLS backends [50]
 o runtests: make 'mbedtls' a testable feature
 o rustls: improve error messages [162]
 o scripts/delta: show percent of number of files changed since last tag
 o scripts: fix Appveyor job detection in cijobs.pl
 o scripts: set file mode +x on all perl and shell scripts [63]
 o sectransp: fix for incomplete read/writes [61]
 o SECURITY-PROCESS.md: document severity levels [20]
 o setopt: Address undefined behaviour by checking for null [161]
 o setopt: move the SHA256 opt within #ifdef libssh2 [42]
 o setopt: use >, not >=, when checking if uarg is larger than uint-max [140]
 o smb: return error on upload without size [142]
 o socketpair: allow localhost MITM sniffers [30]
 o strdup: name it Curl_strdup [16]
 o system.h: assume OS400 is always built with ILEC compiler [95]
 o test1560: use a UTF8-using locale when run [46]
 o test2304: remove stdout verification
 o tests-httpd: basic infra to run curl against an apache httpd [72]
 o tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx [9]
 o tests: avoid use of sha1 in certificates [4]
 o tls: fixes for wolfssl + openssl combo builds [133]
 o tool_getparam: fix hiding of command line secrets [85]
 o tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type [1]
 o tool_operate: fix error codes during DOS filename sanitize [138]
 o tool_operate: fix error codes on bad URL & OOM [139]
 o tool_operate: fix headerfile writing [64]
 o tool_operate: repair --rate [119]
 o transfer: break the read loop when RECV is cleared [22]
 o typecheck: accept expressions for option/info parameters [3]
 o url: fix part of conditional expression is always true [147]
 o urlapi: avoid Curl_dyn_addf() for hex outputs [130]
 o urlapi: fix part of conditional expression is always true: qlen [146]
 o urlapi: skip path checks if path is just "/" [131]
 o urlapi: skip the extra dedotdot alloc if no dot in path [126]
 o urldata: cease storing TLS auth type [55]
 o urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP [13]
 o urldata: make set.http200aliases conditional on HTTP being present [11]
 o urldata: move the cookefilelist to the 'set' struct [15]
 o urldata: remove unused struct fields, made more conditional [10]
 o vquic: stabilization and improvements [141]
 o vtls: fix hostname handling in filters [98]
 o vtls: manage current easy handle in nested cfilter calls [90]
 o vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
 o winbuild: document that arm64 is supported [92]
 o windows: always use curl's basename() implementation [157]
 o wolfssl: remove deprecated post-quantum algorithms [124]
 o workflows/linux.yml: merge 3 common packages [18]
 o write-out.d: add 'since version' to %{header_json} documentation [129]
 o write-out.d: clarify Windows % symbol escaping [86]
 o ws: fix autoping handling [70]
 o ws: fix multiframe send handling [143]
 o ws: fix recv of larger frames [144]
 o ws: remove bad assert [117]
 o ws: unstick connect-only shutdown [116]
 o ws: use %Ou for outputting curl_off_t with info() [153]
 o x509asn1: fix compile errors and warnings [47]
 o zuul: stop using this CI service [114]

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)

Planned upcoming removals include:

 o gskit
 o NSS
 o Support for systems without 64 bit data types

 See https://curl.se/dev/deprecate.html for details

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Alexey Savchuk, Andrei Rybak, Andy Alt, Anthony Hu, Brian Green,
  Cameron Blomquist, Cherish98 on Github, Dan Fandrich, Daniel Gustafsson,
  Daniel Stenberg, dekerser on github, Divy Le Ray, Dmitry Atamanov,
  Esdras de Morais da Silva, Federico Pellegrin, Fujii Hironori, Gerrit Renker,
  Gisle Vanem, Gregory Panakkal, Hannah Schierling, Harry Sintonen,
  Hide Ishikawa, highmtworks on github, Jacob Hoffman-Andrews, Jakob Hirsch,
  James Keast, John Bampton, John Porter, John Sherrill, Jon Rumsey,
  Josh Brobst, Karthikdasari0423 on github, Kvarec Lezki, Lucas Pardue,
  Marc Aldorasi, Marcel Raad, Marc Hörsken, Mark Roszko, Martin D'Aloia,
  Martin Waleczek, Michael Osipov, Mike Duglas, Muhammad Hussein Ammari,
  Nick Banks, nick-telia on github, norbertmm on github, odek86 on github,
  Patrick Monnerat, Paul Groke, Paul Howarth, Peter Wu, Philip Heiduck,
  Pronyushkin Petr, Radek Brich, Radu Hociung, RanBarLavie on github,
  Ray Satiro, Ryan Schmidt, Sébastien Helleu, Sergey Bronnikov,
  Sergio-IME on github, sergio-nsk on github, SerusDev on github, Stanley Wucw,
  Stefan Eissing, Stefan Talpalaru, Stephan Guilloux, Tatsuhiro Tsujikawa,
  Thomas1664 on github, Thomas Klausner, Timmy Schierling,
  UnicornZhang on Github, Viktor Szakats, violetlige on github, William Tang,
  Yurii Rashkovskii
  (76 contributors)

References to bug reports and discussions on issues:

 [1] = https://curl.se/bug/?i=10124
 [2] = https://curl.se/bug/?i=10143
 [3] = https://curl.se/bug/?i=10148
 [4] = https://curl.se/bug/?i=10135
 [5] = https://curl.se/bug/?i=10155
 [6] = https://curl.se/bug/?i=10159
 [7] = https://curl.se/bug/?i=10138
 [8] = https://curl.se/bug/?i=10114
 [9] = https://curl.se/bug/?i=10114
 [10] = https://curl.se/bug/?i=10147
 [11] = https://curl.se/bug/?i=10140
 [12] = https://curl.se/bug/?i=10110
 [13] = https://curl.se/bug/?i=10139
 [14] = https://curl.se/bug/?i=10137
 [15] = https://curl.se/bug/?i=10133
 [16] = https://curl.se/bug/?i=10132
 [17] = https://curl.se/bug/?i=10125
 [18] = https://curl.se/bug/?i=10071
 [19] = https://curl.se/bug/?i=10126
 [20] = https://curl.se/bug/?i=10118
 [21] = https://curl.se/bug/?i=10164
 [22] = https://curl.se/bug/?i=10172
 [23] = https://curl.se/bug/?i=10128
 [24] = https://curl.se/bug/?i=10157
 [25] = https://curl.se/bug/?i=10109
 [26] = https://curl.se/bug/?i=10179
 [27] = https://curl.se/bug/?i=10178
 [28] = https://curl.se/bug/?i=10136
 [29] = https://curl.se/bug/?i=10151
 [30] = https://curl.se/bug/?i=10144
 [31] = https://curl.se/bug/?i=10168
 [32] = https://curl.se/bug/?i=10208
 [33] = https://curl.se/bug/?i=10019
 [34] = https://curl.se/bug/?i=10165
 [35] = https://curl.se/bug/?i=10205
 [36] = https://curl.se/bug/?i=10201
 [37] = https://curl.se/bug/?i=10163
 [38] = https://curl.se/bug/?i=10210
 [39] = https://curl.se/bug/?i=10211
 [40] = https://curl.se/bug/?i=10206
 [41] = https://curl.se/bug/?i=10203
 [42] = https://curl.se/bug/?i=10255
 [43] = https://curl.se/bug/?i=10225
 [44] = https://curl.se/bug/?i=10195
 [45] = https://curl.se/bug/?i=10233
 [46] = https://curl.se/bug/?i=10193
 [47] = https://curl.se/bug/?i=10238
 [48] = https://curl.se/bug/?i=10197
 [49] = https://curl.se/bug/?i=10171
 [50] = https://curl.se/bug/?i=10236
 [51] = https://curl.se/bug/?i=10187
 [52] = https://curl.se/bug/?i=10189
 [53] = https://curl.se/bug/?i=10188
 [54] = https://curl.se/bug/?i=10185
 [55] = https://curl.se/bug/?i=10181
 [56] = https://curl.se/bug/?i=10182
 [57] = https://curl.se/bug/?i=10141
 [58] = https://curl.se/bug/?i=10230
 [59] = https://curl.se/bug/?i=10194
 [60] = https://curl.se/bug/?i=10192
 [61] = https://curl.se/bug/?i=10227
 [62] = https://curl.se/bug/?i=10222
 [63] = https://curl.se/bug/?i=10219
 [64] = https://curl.se/bug/?i=10224
 [65] = https://curl.se/bug/?i=10186
 [66] = https://curl.se/bug/?i=10209
 [67] = https://curl.se/bug/?i=10220
 [68] = https://curl.se/bug/?i=10214
 [69] = https://curl.se/bug/?i=10213
 [70] = https://curl.se/bug/?i=10289
 [71] = https://curl.se/bug/?i=10266
 [72] = https://curl.se/bug/?i=10175
 [73] = https://curl.se/bug/?i=10328
 [74] = https://curl.se/bug/?i=10345
 [75] = https://curl.se/bug/?i=10241
 [76] = https://curl.se/bug/?i=10256
 [77] = https://curl.se/bug/?i=10257
 [78] = https://curl.se/bug/?i=10258
 [79] = https://curl.se/bug/?i=10285
 [80] = https://curl.se/bug/?i=10278
 [81] = https://curl.se/bug/?i=10264
 [82] = https://curl.se/bug/?i=10264
 [83] = https://curl.se/bug/?i=10284
 [84] = https://curl.se/bug/?i=10275
 [85] = https://curl.se/bug/?i=10276
 [86] = https://curl.se/bug/?i=10323
 [87] = https://curl.se/bug/?i=10271
 [88] = https://curl.se/bug/?i=10344
 [89] = https://curl.se/bug/?i=10343
 [90] = https://curl.se/bug/?i=10336
 [91] = https://curl.se/bug/?i=10341
 [92] = https://curl.se/bug/?i=10332
 [93] = https://curl.se/bug/?i=10299
 [94] = https://curl.se/bug/?i=10272
 [95] = https://curl.se/bug/?i=10305
 [96] = https://curl.se/bug/?i=10314
 [97] = https://curl.se/bug/?i=10313
 [98] = https://curl.se/bug/?i=10273
 [99] = https://curl.se/bug/?i=10307
 [100] = https://curl.se/bug/?i=10306
 [101] = https://curl.se/bug/?i=10244
 [102] = https://curl.se/bug/?i=10326
 [103] = https://curl.se/bug/?i=10321
 [104] = https://curl.se/bug/?i=10383
 [105] = https://curl.se/bug/?i=10377
 [106] = https://curl.se/bug/?i=10415
 [107] = https://curl.se/bug/?i=10376
 [108] = https://curl.se/bug/?i=10416
 [109] = https://curl.se/bug/?i=10317
 [110] = https://curl.se/bug/?i=10312
 [111] = https://curl.se/bug/?i=10398
 [112] = https://curl.se/mail/lib-2023-01/0070.html
 [113] = https://curl.se/bug/?i=10373
 [114] = https://curl.se/bug/?i=10368
 [115] = https://curl.se/bug/?i=10295
 [116] = https://curl.se/bug/?i=10366
 [117] = https://curl.se/bug/?i=10347
 [118] = https://curl.se/bug/?i=10360
 [119] = https://curl.se/bug/?i=10357
 [120] = https://curl.se/bug/?i=10298
 [121] = https://curl.se/bug/?i=10400
 [122] = https://curl.se/bug/?i=10390
 [123] = https://curl.se/bug/?i=10397
 [124] = https://curl.se/bug/?i=10440
 [125] = https://curl.se/bug/?i=10399
 [126] = https://curl.se/bug/?i=10403
 [127] = https://curl.se/bug/?i=10349
 [128] = https://curl.se/bug/?i=10386
 [129] = https://curl.se/bug/?i=10395
 [130] = https://curl.se/bug/?i=10384
 [131] = https://curl.se/bug/?i=10385
 [132] = https://curl.se/bug/?i=10356
 [133] = https://curl.se/bug/?i=10322
 [134] = https://curl.se/bug/?i=10437
 [135] = https://curl.se/bug/?i=10434
 [136] = https://curl.se/bug/?i=9086
 [138] = https://curl.se/bug/?i=10414
 [139] = https://curl.se/bug/?i=10130
 [140] = https://curl.se/bug/?i=10421
 [141] = https://curl.se/bug/?i=10451
 [142] = https://curl.se/bug/?i=10484
 [143] = https://curl.se/bug/?i=10413
 [144] = https://curl.se/bug/?i=10438
 [145] = https://curl.se/bug/?i=10461
 [146] = https://curl.se/bug/?i=10408
 [147] = https://curl.se/bug/?i=10407
 [148] = https://curl.se/bug/?i=10448
 [149] = https://curl.se/bug/?i=10455
 [150] = https://curl.se/bug/?i=10433
 [151] = https://curl.se/bug/?i=10444
 [152] = https://curl.se/bug/?i=10445
 [153] = https://curl.se/bug/?i=10439
 [154] = https://curl.se/bug/?i=10409
 [155] = https://curl.se/bug/?i=10432
 [156] = https://curl.se/bug/?i=10432
 [157] = https://curl.se/bug/?i=10261
 [160] = https://curl.se/bug/?i=10471
 [161] = https://curl.se/bug/?i=10472
 [162] = https://curl.se/bug/?i=10463
 [164] = https://curl.se/bug/?i=10469