How I maintain release notes for #curl

daniel.haxx.se/blog/2025/10/01…

How I maintain release notes for curl

I believe a good product needs clear and thorough documentation. I think shipping a quality product requires you to provide detailed and informative release notes. I try to live up to this in the curl project, and this is how we do it. https://www.

^{daniel.haxx.se}

At exactly three weeks since the previous #curl release we have merged no less than 148 bugfixes already...

See curl.se/dev/release-notes.html

can #curl send a request that's stored in a a text file?

GET /yadayada HTTP/1.1
Host: blahblah.com

Daniel Stenberg - @bagder - is ready!
AI slop attacks on the curl project

We're all excited!

#EuroBSDCon #ebc25 #ebc2025 #curl

I started thinking about when we should adapt #curl's progress meters to deal with > 63 bit download sizes (8192 Petabytes).

I'm thinking it might not be terribly far away when people can start downloading that. In particular when doing N super huge transfers in parallel.

Got me thinking about 128 bit math...

Twenty-four years ago on this day, Mac OS X 10.1 was released which bundled #curl with their OS for the first time.

curl 7.7.2

"A conversation with Daniel Stenberg, creator and maintainer of #curl, one of the most widely used networking tools on the internet. We talk about Daniel’s journey through decades of protocol work, the story of curl, what keeps him going, and how he balances open source with real life."

netstack.fm/#episode-6

Netstack.FM — A Podcast About Networking and Rust

Interviews, monologues, and deep dives into Rust and modern networking systems.

^netstack.fm

@bagder Interesting. Was AI slop difficult to spot back in 2023?

hackerone.com/reports/2298307

#Curl #HackerOne #slop

curl disclosed on HackerOne: Buffer Overflow Vulnerability in...

## Summary: Hello security team, Hope you are doing well :) I would like to report a potential security vulnerability in the WebSocket handling code of the curl library. The issue is related to...

^HackerOne

Reminding the businesses that CRA compliance is not a problem with #curl

daniel.haxx.se/blog/2025/09/22…

CRA compliant curl

As the Cyber Resilience Act (CRA) is getting closer and companies wanting to sell digital services in goods within the EU need to step up, tighten their procedures, improve their documentation and get control over their dependencies I feel it could b…

^{daniel.haxx.se}

Joshua Rogers sent us a *massive* list of potential issues in #curl that he found using his set of AI assisted tools. Code analyzer style nits all over. Mostly smaller bugs, but still bugs and there could be one or two actual security flaws in there. Actually truly awesome findings.

I have already landed 22(!) bugfixes thanks to this, and I have over twice that amount of issues left to go through. Wade through perhaps.

Credited "Reported in Joshua's sarif data" if you want to look for yourself

If no one sponsors #curl keeping OpenSSL 1.1.1 support around, we will drop it earlier than previously planned.

Leaches be leaches.

Giant company begs tiny Open Source project to graciously spend more of our copious spare time to help them - for free.

Apparently the latest #curl release has a build problem on HarmonyOS. What a pity.

For this exact date through #curl history I have nothing at all noted.

Possibly because this is my son's 19th birthday!

(My document with curl related event dates contains >300 separate events for 205 unique dates)

Bye bye Kerberos FTP (in #curl)

daniel.haxx.se/blog/2025/09/19…

Bye bye Kerberos FTP

We are dropping support for this feature in curl 8.17.0. Kerberos5 FTP to be exact. The last Kerberos support we had for FTP.

^{daniel.haxx.se}

Working on adding Apple SecTrust support to curl (e.g. the native macOS and other Apple *OS system certificates store) and reaching out to the Homebrew/Macports people if they'd like that too or have other needs.
#curl

github.com/curl/curl/discussio…

Apple Native CA and homebrew/macports · curl curl · Discussion #18597

In the general discussion about curl's handling of a "native CA" and our addition of support for using Apple's SecTrust directly, the question arose how homebrew and macports can/wont make use of t...

^GitHub

From suspicion to published #curl #CVE. The process.

daniel.haxx.se/blog/2025/09/18…

From suspicion to published curl CVE

Every curl security report starts out with someone submitting an issue to us on https://hackerone.com/curl. The reporter tells us what they suspect and what they think the problem is.

^{daniel.haxx.se}

In this interview, Daniel Stenberg, lead developer of #cURL, discusses how the widely used tool remains secure across billions of devices, from cloud services to IoT. He shares insights into cURL’s decades-long journey of testing, reviewing, and refining its code to minimize risks.

Stenberg also explains the team’s approach to handling vulnerabilities, ensuring transparency, and maintaining trust in the open-source ecosystem.

helpnetsecurity.com/2025/09/18…

Behind the scenes of cURL with its founder: Releases, updates, and security - Help Net Security

Explore how the cURL project keeps billions of devices secure, from vulnerability handling to best practices and updates.

^{Mirko Zorz (Help Net Security)}

Starting now, the #curl man page is rendered to use the long form only of the command line options in text, instead of like before insist on mentioning both the short AND long option.

This should make the text easier on the eye. I could make it this way after having fixed so that the long-option-only also renders appropriate links in the web version.

A tiny step forward.

Time to drop support for Kerberos5 FTP in #curl

github.com/curl/curl/pull/1857…

drop support for Kerberos5 FTP by bagder · Pull Request #18577 · curl/curl

It was accidentally broken in commit 0f4c439, shipped since 8.8.0 (May 2024) and yet not a single person has noticed or reported, indicating that we might as well drop support for FTP Kerberos. Krb...

^GitHub

literally the dumbest thing I've ever read
youtube.com/watch?v=-uxF4KNdTj…

#curl

literally the dumbest thing I've ever read

Please stop.https://hackerone.com/reports/3340109🏫 MY COURSESSign-up for my FREE 3-Day C Course: https://lowlevel.academy🧙‍♂️ HACK YOUR CAREERWanna learn t...

^YouTube

«This code does not call #curl. This is not a ‹POC› of anything than suggesting you did this with an AI and that you do not understand what you're doing here.» 🍿🍿🍿

hackerone.com/reports/3340109

#ai #ki #slug

curl disclosed on HackerOne: Stack Buffer Overflow in cURL Cookie...

## Summary I discovered a critical stack-based buffer overflow vulnerability in cURL's cookie parsing mechanism that can lead to remote code execution. The vulnerability occurs when processing...

^HackerOne

RIP pthread_cancel() in curl. It was an interesting adventure.
#curl

eissing.org/icing/posts/rip_pt…

#curl 8.16.0

youtu.be/n9RRiAOlT-A

curl 8.16.0 with Daniel Stenberg

Daniel presents the security vulnerabilities, the changes, bugfixes in 8.16.0 and what might possibly be coming next.

^YouTube

#curl 8.16.0 was just released:

daniel.haxx.se/blog/2025/09/10…

I will live-stream a release presentation at 10:00 CEST on twitch

curl 8.16.0

Welcome to one of the more feature-packed curl releases we have had in a while. Exactly eight weeks since we shipped 8.15.0.

^{daniel.haxx.se}

There's going to be more speak about AIs finding genuine security problems soon.

Google Big Sleep found one in #curl that we reveal tomorrow.... in about eight hours. (but no, we don't know how much was AI and how much was human or how many false positives they had to wade through to get there etc maybe they will let us know later?)

This second, there are 213 people joined in the official #curl IRC channel.

curl.se/docs/irc.html