At: https://curl.se/windows/ Starting with 8.16.0_11. It's experimental. More details: #375 (comment)GitHub
Fixes #19228 The current code checks if a line starts with . which doesn't match the RFC spec. Per RFC 2449, the CAPA response terminator is a line containing only a single dot (plus CRLF). Whi...GitHub
🧠 Summary Fixes a double free in free_config_fields() . 🔍 Details Double free bug in src/tool_cfgable.c. At lines 104–105 and 187–188, config->proto_str and config->proto_redir_str are each ...GitHub
Curl is one of the last callers of PKCS12_PBE_add(). It has been a noop since OpenSSL 0.9.8k (2006) stubbed it out when moving the built-in PBE algorithms to a static table: openssl/openssl@b8f702aGitHub
I have had multiple persons tell me recently that they truly hesitated and made really sure they didn't submit slop before they filed their first security reports to #curl.
Meaning: public shaming seems to at least partially work. Banning, taunting and ridiculing the fools works as a reminder for people to maybe think again and make sure.
== less wasted time for us.
#curl on 110 operating systems
daniel.haxx.se/blog/2025/10/23…
In November 2022, after I had been keeping track and adding names to this slide for a few years already, we could boast about curl having run on 89 different operating systems and only one year later we celebrated having reached 100 operating systems…daniel.haxx.se
#curl gets some of the worst #AIslop "vulnerabilities" reported to it via Hackerone: Here we have a fake 90s exploit assuming executable stack and x86 arch. Someone seriously passing this as their own research is stupid beyond belief.
Discovery Method Step 1: Initial Security Scan ``` # Find all files using dangerous string functions find src/ -name "*.c" -exec grep -l "strcpy\|strcat\|sprintf\|gets" {} \; # OUTPUT: #...HackerOne
Replacing the public suffix list bundled with libpsl. The original promise / expectation was that libpsl sees regular updates, and a psl update with it, but the latest release is soon to be 2 year...GitHub
AIxCC #curl details
daniel.haxx.se/blog/2025/10/22…
At the AIxCC competition at DEF CON 33 earlier this year, teams competed against each other to find vulnerabilities in provided Open Source projects by using (their own) AI powered tools.daniel.haxx.se
## Summary: Buffer overflow vulnerability in curl's WebSocket implementation due to unsafe use of strcpy() in the handshake process. The vulnerability is located at lib/ws.c:1287 where...HackerOne
I would of course never get any medals or recognition at all from anyone without the awesome friends and people in the Open Source universe.
I try to lead by example but I and #curl would not be where we are without the thousands of contributors.
I accept this medal, but know that you all helped me get it.
Thank you all. Let's improve the world, bit by bit the way we know.
I am awarded a gold medal by the Royal Swedish Academy of Sciences for my work on #curl
daniel.haxx.se/blog/2025/10/21…
The Royal Swedish Academy of Sciences (IVA, the same org that selects winners for three of the Nobel prize categories) awards me a gold medal 2025 for my work on curl.daniel.haxx.se
This reads like a warning. So is cURL like nuts? Are people allergic to cURL!?
@bagder my watch might contain your software, maybe. They aren't 100% sure though. 🤷 🤣
[Note to reader, it almost certainly does contain cURL. I would be shocked if it did not!]
On this day twelve years ago, in 2013, #curl got its first ever CI jobs. On Travis CI.
Before that we only ran post-merge tests on a set of volunteers' machines.
Today, we have around 230 separate CI jobs and we have tripled the number of test cases since then.
time for a little #chart involving #curl: "which host, which protocol"
daniel.haxx.se/blog/2025/10/16…
A flow chart describing some steps and decisions done within curl when a HTTP URL is provided. For hostnames, protocol and port numbers.daniel.haxx.se
A lovely follow-up to what is no longer any #curl license violation:
github.com/curl/curl/discussio…
Hi, I just want to let you know (and have there be a record) of the fact that Digital Extremes, a Canadian video-game-developer-turned-GaaS-developer, are using cURL (statically linked alongside Op...GitHub
Description: This MR fixes an issue where the connection retry mechanism does not trigger when CONN_MAX_RETRIES + 1 attempts are reached, resulting in the error: The root cause is that the retry co...GitHub
I came across the root of the word "cirrus" en passant the other day. I rather like it because #curl is a major part of the cloud...
We're at 809 received #curl issues from "team AI tooling", out of which about 15% has turned into commits/fixes.
The false positive/we don't care rate went up significantly when the scan included tests and examples. We should simply exclude those parts from normal scans as they live by different rules.
Never a dull moment.
Random current stats from the #curl CI (the last 30 days):
Tests executed per day: 1400019.4
Time spent running tests per day: 1087073 sec./day (12.6 days/day)
Total clock time spent running tests: 32612201 sec. (377 days)
Average time spent running each test: 0.776 sec./test
Number of git commits tested: 306
If you're curious, here are 158 of Joshua's reported issues on #curl to give you an idea what we talk about.
We have manually gone trough them all and dismissed or addressed them. None of them has been deemed a security problem. Not all the PRs for the valid problems have been merged yet.
gist.github.com/bagder/d1fff7f…
round three from Joshua. GitHub Gist: instantly share code, notes, and snippets.Gist
One of the recent AI generated bug reports for #curl quite impressively identifies mismatches between a function header's comment mentioning that an argument is optional, but the code uses it unconditionally.
This taking comments into account certainly allows for some extra magic the classic code analyzers can't do.
#curl October 9. The same number of commits done this year (2433) so far as the entire previous top-year with the most commits (2024).
We're not dead yet.
The kerberos5 library Heimdal is one of three GSS libraries curl support. It has a memory leak triggered by the new test in #18917 and the project seems mostly abandoned. Drop support and steer use...GitHub
In the 28.7 days since the #curl release, we have merged 233 bugfixes (8.13 per day)
Yeah, its a little crazy here right now. Those kids with the new tools reporting problems... 😁
In the end we decided on *not* a #curl security issue, but it's not an easy one to make:
## Summary: In curl’s OpenSSL backend, `ossl_get_channel_binding` retains a new reference to the server’s X509 certificate via `SSL_get1_peer_certificate` and never releases it. When Negotiate...HackerOne
Mr @samueloph posted two videos on #wcurl and #curl in Debian:
"wcurl - one year later - DebConf 25" youtube.com/watch?v=RvnDvic2ea…
Short presentation about what happened since wcurl’s creation in May 17 2024 and what will happen next.
"curl maintainers BoF - DebConf 25" youtube.com/watch?v=OhTjgU7LIO…
curl maintainers meet-up to discuss HTTP3, GnuTLS, wcurl and other things.
curl maintainers meet-up to discuss HTTP3, GnuTLS, wcurl and other things.Presenter:Samuel Henrique "samueloph" is a software developer focused on Debian, Li...YouTube
libcurl notificiations are coming in curl 8.17.0 on November 5.
#curl
eissing.org/icing/posts/curl-n…
We just merged #18432 which adds a new feature to the curl API: notifications. This is not visible in the curl command line, only for applications using libcurl.icing's blog
"Don't Forget: Remote MCP Servers are Just #cURL Calls"
joshbeckman.org/blog/practicin…
You can call any streamable-http transport MCP (Model Context Protocol) server tool with any HTTP client - even cURL! And lots of things take cURL as example configuration (like Shopify Flow!), so it’s a good starting point for building things....Josh Beckman
AI has found 50 bugs in cURL. "AI-native SASTs work well"
#HackerNews #AI #cURL #bugs #SAST #cybersecurity #technology
Nyheter för dig som är verksam i den svenska elektronikbranschen som exempelvis tillverkare, konsult, distributör, finansiär, investerare, konstruktör eller tekniker.etn.se
