cURL / Changes

Changelog

Related:

Daily Snapshots - daily tarballs
Source repo - get the code
Security - security advisories
Vulnerabilities - which version has what flaws
Releaselog - all our releases
Source activity - recent commits
The work-in-progress RELEASE-NOTES

Fixed in 7.49.1 - May 30 2016

Bugfixes:

Windows: prevent DLL hijacking, CVE-2016-4802
dist: include manpage-scan.pl, nroff-scan.pl and CHECKSRC.md
schannel: fix compile break with MSVC XP toolset
curlbuild.h.dist: check __LP64__ as well to fix MIPS build
dist: include curl_multi_socket_all.3
http2: use HTTP/2 in the HTTP/1.1-alike response
openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
CURLOPT_CONNECT_TO.3: user must not free the list prematurely
libcurl.m4: Avoid obsolete warning
winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
curl_multibyte: fix compiler error
openssl: cleanup must free compression methods (memory leak)
mbedtls: fix includes so snprintf() works
checksrc.pl: Added variants of strcat() & strncat() to banned function list
contributors.sh: better grep pattern and show GitHub username
ssh: fix build for libssh2 before 1.2.6
curl_share_setopt.3: Add min ver needed for ssl session lock

Fixed in 7.49.0 - May 18 2016

Changes:

schannel: Add ALPN support
SSH: support CURLINFO_FILETIME
SSH: new CURLOPT_QUOTE command "statvfs"
wolfssl: Add ALPN support
http2: added --http2-prior-knowledge
http2: added CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
libcurl: added CURLOPT_CONNECT_TO
curl: added --connect-to
libcurl: added CURLOPT_TCP_FASTOPEN
curl: added --tcp-fastopen
curl: remove support for --ftpport, -http-request and --socks

Bugfixes:

CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
checksrc.bat: Updated the help to be consistent with generate.bat
checksrc.bat: Added support for scanning the tests and examples
openssl: fix ERR_remove_thread_state() for boringssl/libressl
openssl: boringssl provides the same numbering as openssl
multi: fix "Operation timed out after" timer
url: don't use bad offset in tld_check_name to show error
sshserver.pl: use quotes for given options
Makefile.am: skip the scripts dir
curl: warn for --capath use if not supported by libcurl
http2: fix connection reuse
GSS: make Curl_gss_log_error more verbose
build-wolfssl: Allow a broader range of ciphers (Visual Studio)
wolfssl: Use ECC supported curves extension
openssl: Fix compilation warnings
Curl_add_buffer_send: avoid possible NULL dereference
SOCKS5_gssapi_negotiate: don't assume little-endian ints
strerror: don't bit shift a signed integer
url: Corrected get protocol family for FTP and LDAP
curl/mprintf.h: remove support for _MPRINTF_REPLACE
upload: missing rewind call could make libcurl hang
IMAP: check pointer before dereferencing it
build: Changed the Visual Studio projects warning level from 3 to 4
checksrc: now stricter, wider checks, code cleaned up
checksrc: added docs/CHECKSRC.md
curl_sasl: Fixed potential null pointer utilisation
krb5: Fixed missing client response when mutual authentication enabled
krb5: Only process challenge when present
krb5: Only generate a SPN when its not known
formdata: use appropriate fopen() macros
curl.1: -w filename_effective was introduced in 7.26.0
http2: make use of the nghttp2 error callback
http2: fix connection reuse when PING comes after last DATA
curl.1: change example for -F
HTTP2: Add a space character after the status code
curl.1: use example.com more
mbedtls.c: changed private prefix to mbed_
mbedtls: implement and provide *_data_pending() to avoid hang
mbedtls: fix MBEDTLS_DEBUG builds
ftp/imap/pop3/smtp: Allow the service name to be overridden
CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
build: include scripts/ in the dist
http2: Add handling stream level error
http2: Improve header parsing
makefile.vc6: use d suffix on debug object
configure: remove check for libresolve
scripts/make: use $(EXEEXT) for executables
checksrc: got rid of the whitelist files
sendf: added ability to call recv() before send() as workaround
NTLM: check for NULL pointer before dereferencing
openssl: builds with OpenSSL 1.1.0-pre5
configure: ac_cv_ -> curl_cv_ for all cached vars
winbuild: add mbedtls support
curl: make --ftp-create-dirs retry on failure
PolarSSL: implement public key pinning
multi: accidentally used resolved host name instead of proxy
CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
CONNECT_ONLY: don't close connection on GSS 401/407 reponses
opts: Fix some syntax errors in example code fragments
mbedtls: Fix session resume
test1139: verifies libcurl option man page presence
CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
curl: make --disable work as long form of -q
curl: use --telnet-option as documented
curl.1: document --ftp-ssl-reqd, --krb4 and --ntlm-wb
curl: -h output lacked --proxy-header and --ntlm-wb
curl -J: make it work even without http:// scheme on URL
lib: include curl_printf.h as one of the last headers
tests: handle path properly on Msys/Cygwin
curl.1: --mail-rcpt can be used multiple times
CURLOPT_ACCEPT_ENCODING.3: clarified
docs: fixed lots of broken man page references
tls: make setting pinnedkey option fail if not supported
test1140: run nroff-scan to verify man pages
http: make sure a blank header overrides accept_decoding
connections: do not reuse non-HTTP proxies on different ports
connect: fix invalid "Network is unreachable" errors
TLS: move the ALPN/NPN enable bits to the connection
TLS: SSL_peek is not a const operation
http2: Add space between colon and header value
darwinssl: fix certificate verification disable on OS X 10.8
mprintf: Fix processing of width and prec args
ftp wildcard: segfault due to init only in multi_perform

Fixed in 7.48.0 - March 23 2016

Changes:

Bugfixes:

Proxy-Connection: stop sending this header by default
os400: sync ILE/RPG definitions with latest public header files
cookies: allow spaces in cookie names, cut of trailing spaces
tool_urlglob: Allow reserved dos device names (Windows)
openssl: remove most BoringSSL #ifdefs
tool_doswin: Support for literal path prefix \\?
mbedtls: fix ALPN usage segfault
mbedtls: fix memory leak when destroying SSL connection data
nss: do not count enabled cipher-suites
examples/cookie_interface.c: add cleanup call
examples: adhere to curl code style
curlx_tvdiff: handle 32bit time_t overflows
dist: ship buildconf.bat too
curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
generate.bat: Fix comment bug by removing old comments
test1604: Add to Makefile.inc so it gets run
gtls: fix for builds lacking encrypted key file support
SCP: use libssh2_scp_recv2 to support > 2GB files on windows
CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
cookie: do not refuse cookies to localhost
openssl: avoid direct PKEY access with OpenSSL 1.1.0
http: Don't break the header into chunks if HTTP/2
http2: don't decompress gzip decoding automatically
curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
curl.1: add a missing dash
curl.1: HTTP headers for --cookie must be Set-Cookie style
CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
curl_sasl: Fix memory leak in digest parser
src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
CURLOPT_DEBUGFUNCTION.3: Fix example
runtests: Fixed usage of %PWD on MinGW64
tests/sshserver.pl: use RSA instead of DSA for host auth
multi_remove_handle: keep the timeout list until after disconnect
Curl_read: check for activated HTTP/1 pipelining, not only requested
configure: warn on invalid ca bundle or path
file: try reading from files with no size
getinfo: Add support for mbedTLS TLS session info
formpost: fix memory leaks in AddFormData error branches
makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
url: if Curl_done is premature then pipeline not in use
cookie: remove redundant check
cookie: Don't expire session cookies in remove_expired
makefile.m32: fix to allow -ssh2-winssl combination
checksrc.bat: Fixed cannot find perl if installed but not in path
build-openssl.bat: Fixed cannot find perl if installed but not in path
mbedtls: fix user-specified SSL protocol version
makefile.m32: add missing libs for static -winssl-ssh2 builds
test46: change cookie expiry date
pipeline: Sanity check pipeline pointer before accessing it
openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
ftp_done: clear tunnel_state when secondary socket closes
opt-docs: fix heading macros
imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
curl_multi_wait: never return -1 in 'numfds'
url.c: fix clang warning: no newline at end of file
krb5: improved type handling to avoid clang compiler warnings
cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
multi: avoid blocking during CURLM_STATE_WAITPROXYCONNECT
multi hash: ensure modulo performed on curl_socket_t
curl: glob_range: no need to check unsigned variable for negative
easy: add check to malloc() when running event-based
CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
version: thread safety
openssl: verbose: show matching SAN pattern
openssl: adapt to OpenSSL 1.1.0 API breakage in ERR_remove_thread_state()
formdata.c: Fixed compilation warning
configure: use cpp -P when needed
imap.c: Fixed compilation warning with /Wall enabled
config-w32.h: Fixed compilation warning when /Wall enabled
ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
build: Added missing Visual Studio filter files for VC10 onwards
easy: Remove poll failure check in easy_transfer
mbedtls: fix compiler warning
build-wolfssl: Update VS properties for wolfSSL v3.9.0
Fixed various compilation warnings when verbose strings disabled
sshserver: remove use of AuthorizedKeysFile2

Fixed in 7.47.1 - February 8 2016

Bugfixes:

getredirect.c: fix variable name
tool_doswin: silence unused function warning
cmake: fixed when OpenSSL enabled on Windows and schannel detected
curl.1: Explain remote-name behavior if file already exists
tool_operate: Don't sanitize --output path (Windows)
URLs: change all http:// URLs to https:// in documentation & comments
sasl_sspi: Fix memory leak in domain populate
COPYING: clarify that Daniel is not the sole author
examples/htmltitle: Use _stricmp on Windows
examples/asiohiper: Avoid function name collision on Windows
idn_win32: Better error checking
openssl: Fix signed/unsigned mismatch warning in X509V3_ext
curl save files: check for backslashes on cygwin

Fixed in 7.47.0 - January 27 2016

Changes:

version: Add flag CURL_VERSION_PSL for libpsl
http: added CURL_HTTP_VERSION_2TLS to do HTTP/2 for HTTPS only
curl: use 2TLS by default
curl --expect100-timeout: added
Add .dir-locals and set c-basic-offset to 2 (for emacs)

Bugfixes:

curl: avoid local drive traversal when saving file on Windows
NTLM: do not resuse proxy connections without diff proxy credentials
tests: Disable the OAUTHBEARER tests when using a non-default port number
curl: remove keepalive #ifdef checks done on libcurl's behalf
formdata: Check if length is too large for memory
lwip: Fix compatibility issues with later versions
openssl: BoringSSL doesn't have CONF_modules_free
config-win32: Fix warning HAVE_WINSOCK2_H undefined
build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
http2: Fix hanging paused stream
scripts/Makefile: fix GNUism and survive no perl
openssl: adapt to 1.1.0+ name changes
openssl: adapt to openssl >= 1.1.0 X509 opaque structs
HTTP2.md: spell fix and remove TODO now implemented
setstropt: const-correctness
cyassl: fix compiler warning on type conversion
gskit: Fix host subject altname verification
http2: Support trailer fields
wolfssl: handle builds without SSLv3 support
cyassl: deal with lack of *get_peer_certificate
sockfilt: do not wait on unreliable file or pipe handle
make: build zsh script even in an out-of-tree build
test 1326: fix getting stuck on Windows
test 87: fix file check on Windows
configure: allow static builds on mingw
configure: detect IPv6 support on Windows
ConnectionExists: with *PIPEWAIT, wait for connections
Makefile.inc: s/curl_SOURCES/CURL_FILES
test 16: fixed for Windows
test 252-255: use datacheck mode text for ASCII-mode LISTings
tftpd server: add Windows support by writing files in binary mode
ftplistparser: fix handling of file LISTings using Windows EOL
tests first.c: fix calculation of sleep timeout on Windows
tests (several): use datacheck mode text for ASCII-mode LISTings
CURLOPT_RANGE.3: for HTTP servers, range support is optional
test 1515: add MSYS support by passing a relative path
curl_global_init.3: Add Windows-specific info for init via DLL
http2: Fix client write for trailers on stream close
mbedtls: Fix ALPN support
connection reuse: IDN host names fixed
http2: Fix PUSH_PROMISE headers being treated as trailers
http2: handle the received SETTINGS frame
http2: Ensure that http2_handle_stream_close is called
mbedtls: implement CURLOPT_PINNEDPUBLICKEY
runtests: Add mbedTLS to the SSL backends
IDN host names: Remove the port number before converting to ACE
zsh.pl: fail if no curl is found
scripts: fix zsh completion generation
scripts: don't generate and install zsh completion when cross-compiling
lib: Prefix URLs with lower-case protocol names/schemes
ConnectionExists: only do pipelining/multiplexing when asked
configure: assume IPv6 works when cross-compiled
openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
openssl: improved error detection/reporting
ssh: CURLOPT_SSH_PUBLIC_KEYFILE now treats "" as NULL again
mbedtls: Fix pinned key return value on fail
maketgz: generate date stamp with LC_TIME=C

Fixed in 7.46.0 - December 2 2015

Changes:

configure: build silently by default
cookies: Add support for Publix Suffix List with libpsl
vtls: added support for mbedTLS
Added CURLOPT_STREAM_DEPENDS
Added CURLOPT_STREAM_DEPENDS_E
Added CURLOPT_STREAM_WEIGHT
Added CURLFORM_CONTENTLEN
oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP

Bugfixes:

des: Fix header conditional for Curl_des_set_odd_parity
ntlm: get rid of unconditional use of long long
CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
docs: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
http2: Fix http2_recv to return -1 if recv returned -1
curl_global_init_mem: set function pointers before doing init
ntlm: error out without 64bit support as the code needs it
openssl: Fix set up of pkcs12 certificate verification chain
acinclude: remove PKGCONFIG override
test1531: case the size to fix the test on non-largefile builds
fread_func: move callback pointer from set to state struct
test1601: fix compilation with --enable-debug and --disable-crypto-auth
http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
curlbuild.h: Fix non-configure compiling to mips and sh4 targets
tool: Generate easysrc with last cache linked-list
cmake: Fix for add_subdirectory(curl) use-case
vtls: fix compiler warning for TLS backends without sha256
build: fix for MSDOS/djgpp
checksrc: add crude // detection
http2: on_frame_recv: trust the conn/data input
ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
polarssl/mbedtls: fix name space pollution
build: Fix mingw ssl gdi32 order
build: Fix support for PKG_CONFIG
MacOSX-Framework: sdk regex fix for sdk 10.10 and later
socks: Fix incorrect port numbers in failed connect messages
curl.1: -E: s/private certificate/client certificate
curl.h: s/HTTPPOST_/CURL_HTTPOST_
curl_formadd: support >2GB files on windows
http redirects: %-encode bytes outside of ascii range
rawstr: Speed up Curl_raw_toupper by 40%
curl_ntlm_core: fix 2 curl_off_t constant overflows.
getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
tftp tests: verify sent options too
imap: Don't call imap_atom() when no mailbox specified in LIST command
imap: Fixed double quote in LIST command when mailbox contains spaces
imap: Don't check for continuation when executing a CUSTOMREQUEST
acinclude: Remove check for 16-bit curl_off_t
BoringSSL: Work with stricter BIO_get_mem_data()
cmake: Add missing feature macros in config header
sasl_sspi: fixed unicode build for digest authentication
sasl_sspi: fix identity memory leak in digest authentication
unit1602: Fixed failure in torture test
unit1603: Added unit tests for hash functions
vtls/openssl: remove unused traces of yassl ifdefs
openssl: remove #ifdefs for < 0.9.7 support
typecheck-gcc.h: add some missing options
curl: mark two more options strings for --libcurl output
openssl: Free modules on cleanup
CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
getconnectinfo: Don't call recv(2) if socket == -1
http2: http_done: don't free already-freed push headers
zsh completion: Preserve single quotes in output
os400: Provide options for libssh2 use in compile scripts.
build: Fix theoretical infinite loops
pop3: Differentiate between success and continuation responses
examples: Fixed compilation warnings
schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
CURLOPT_HEADERFUNCTION.3: fix typo
curl: expanded the -XHEAD warning text
done: make sure the final progress update is made
build: Install zsh completion
RTSP: do not add if-modified-since without timecondition
curl: Fixed display of URL index in password prompt for --next
nonblock: fix setting non-blocking mode for Amiga
http2 push: add missing inits of new stream
http2: convert some verbose output into debug-only output
Curl_read_plain: clean up ifdefs that break statements

Fixed in 7.45.0 - October 7 2015

Changes:

added CURLOPT_DEFAULT_PROTOCOL
added new tool option --proto-default
getinfo: added CURLINFO_ACTIVESOCKET
turned CURLINFO_* option docs as stand-alone man pages
curl: point out unnecessary uses of -X in verbose mode

Bugfixes:

curl_global_init_mem.3: Stronger thread safety warning
buildconf.bat: Fixed issues when ran in directories with special chars
cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
generate.bat: Fixed issues when ran in directories with special chars
generate.bat: Only call buildconf.bat if it exists
generate.bat: Added support for generating only the prerequisite files
curl.1: Document weaknesses in SSLv2 and SSLv3
CURLOPT_HTTP_VERSION.3: connection re-use goes before version
docs: Update the redirect protocols disabled by default
inet_pton.c: Fix MSVC run-time check failure
CURLMOPT_PUSHFUNCTION.3: fix argument types
rtsp: support basic/digest authentication
rtsp: stop reading empty DESCRIBE responses
travis: Upgrading to container based build
travis.yml: Add OS X testbot
FTP: make state machine not get stuck in state
openssl: handle lack of server cert when strict checking disabled
configure: change functions to detect openssl (clones)
configure: detect latest boringssl
runtests: Allow for spaces in server-verify curl custom path
http2: on_frame_recv: get a proper 'conn' for the debug logging
ntlm: mark deliberate switch case fall-through
http2: remove dead code
curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
curl: point out the conflicting HTTP methods if used
cmake: added Windows SSL support
curl_easy_{escape,setopt}.3: fix example
curl_easy_escape.3: escape '\n'
libcurl.m4: Put braces around empty if body
buildconf.bat: Fixed double blank line in 'curl manual' warning output
sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
inet_pton.c: Fix MSVC run-time check failure
CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
http2: don't pass on Connection: headers
nss: do not directly access SSL_ImplementedCiphers
docs: numerous cleanups and spelling fixes
FTP: do_more: add check for wait_data_conn in upload case
parse_proxy: reject illegal port numbers
cmake: IPv6 : disable Unix header check on Windows platform
winbuild: run buildconf.bat if necessary
buildconf.bat: fix syntax error
curl_sspi: fix possibly undefined CRYPT_E_REVOKED
nss: prevent NSS from incorrectly re-using a session
libcurl-errors.3: add two missing error codes
openssl: fix build with < 0.9.8
openssl: refactor certificate parsing to use OpenSSL memory BIO
openldap: only part of LDAP query results received
ssl: add server cert's "sha256//" hash to verbose
NTLM: Reset auth-done when using a fresh connection
curl: generate easysrc only on --libcurl
tests: disable 1801 until fixed
CURLINFO_TLS_SESSION: always return backend info
gnutls: Support CURLOPT_KEYPASSWD
gnutls: Report actual GnuTLS error message for certificate errors
tests: disable 1510 due to CI-problems on github
cmake: Put "winsock2.h" before "windows.h" during configure checks
cmake: Ensure discovered include dirs are considered
configure: Add missing ')' for CURL_CHECK_OPTION_RT
build: fix failures with -Wcast-align and -Werror
FTP: fix uploading ASCII with unknown size
readwrite_data: set a max number of loops
http2: avoid superfluous Curl_expire() calls
http2: set TCP_NODELAY unconditionally
docs: fix unescaped '\n' in man pages
openssl: Fix algorithm init to make (gost) engines work
win32: make recent Borland compilers use long long
runtests: Fix pid check in checkdied
gopher: don't send NUL byte
tool_setopt: fix c_escape truncated octal
hiperfifo: fix the pointer passed to WRITEDATA
getinfo: Fix return code for unknown CURLINFO options

Fixed in 7.44.0 - August 12 2015

Changes:

http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA
examples: added http2-serverpush.c
http2: added curl_pushheader_byname() and curl_pushheader_bynum()
docs: added CODE_OF_CONDUCT.md
curl: Add --ssl-no-revoke to disable certificate revocation checks
libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS
makefile: Added support for VC14
build: Added Visual Studio 2015 (VC14) project files
build: Added wolfSSL configurations to VC10+ project files

Bugfixes:

FTP: fix HTTP CONNECT logic regression
openssl: Fix build with openssl < ~ 0.9.8f
openssl: fix build with BoringSSL
curl_easy_setopt.3: option order doesn't matter
openssl: fix use of uninitialized buffer
RTSP: removed dead code
Makefile.m32: add support for CURL_LDFLAG_EXTRAS
curl: always provide negotiate/kerberos options
cookie: Fix bug in export if any-domain cookie is present
curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
INSTALL: Advise use of non-native SSL for Windows <= XP
tool_help: fix --tlsv1 help text to use >= for TLSv1
HTTP: POSTFIELDSIZE set after added to multi handle
SSL-PROBLEMS: mention WinSSL problems in WinXP
setup-vms.h: Symbol case fixups
SSL: Pinned public key hash support
libtest: call PR_Cleanup() on exit if NSPR is used
ntlm_wb: Fix theoretical memory leak
runtests: Allow for spaces in curl custom path
http2: add stream != NULL checks for reliability
schannel: Replace deprecated GetVersion with VerifyVersionInfo
http2: verify success of strchr() in http2_send()
configure: add --disable-rt option
openssl: work around MSVC warning
HTTP: ignore "Content-Encoding: compress"
configure: check if OpenSSL linking wants -ldl
build-openssl.bat: Show syntax if required args are missing
test1902: attempt to make the test more reliable
libcurl-thread.3: Consolidate thread safety info
maketgz: Fixed some VC makefiles missing from the release tarball
libcurl-multi.3: mention curl_multi_wait
ABI doc: use secure URL
http: move HTTP/2 cleanup code off http_disconnect()
libcurl-thread.3: Warn memory functions must be thread safe
curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
docs: formpost needs the full size at start of upload
curl_gssapi: remove 'const' to fix compiler warnings
SSH: three state machine fixups
libcurl.3: fix a single typo
generate.bat: Only clean prerequisite files when in ALL mode
curl_slist_append.3: add error checking to the example
buildconf.bat: Added support for file clean-up via -clean
generate.bat: Use buildconf.bat for prerequisite file clean-up
NTLM: handle auth for only a single request
curl_multi_remove_handle.3: fix formatting
checksrc.bat: Fixed error when [directory] isn't a curl source directory
checksrc.bat: Fixed error when missing *.c and *.h files
CURLOPT_RESOLVE.3: Note removal support was added in 7.42
test46: update cookie expire time
SFTP: fix range request off-by-one in size check
CMake: fix GSSAPI builds
build: refer to fixed libidn versions
http2: discard frames with no SessionHandle
curl_easy_recv.3: fix formatting
libcurl-tutorial.3: fix formatting
curl_formget.3: correct return code

Fixed in 7.43.0 - June 17 2015

Changes:

Added CURLOPT_PROXY_SERVICE_NAME
Added CURLOPT_SERVICE_NAME
New curl option: --proxy-service-name
New curl option: --service-name
New curl option: --data-raw
Added CURLOPT_PIPEWAIT
Added support for multiplexing transfers using HTTP/2, enable this with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING
HTTP/2: requires nghttp2 1.0.0 or later
scripts: add zsh.pl for generating zsh completion
curl.h: add CURL_HTTP_VERSION_2

Bugfixes:

CVE-2015-3236: lingering HTTP credentials in connection re-use
CVE-2015-3237: SMB send off unrelated memory contents
nss: fix compilation failure with old versions of NSS
curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
Curl_ossl_init: load builtin modules
configure: follow-up fix for krb5-config
sasl_sspi: Populate domain from the realm in the challenge
netrc: support 'default' token
README: convert to UTF-8
cyassl: Implement public key pinning
nss: implement public key pinning for NSS backend
mingw build: add arch -m32/-m64 to LDFLAGS
schannel: Fix out of bounds array
configure: remove autogenerated files by autoconf
configure: remove --automake from libtoolize call
acinclude.m4: fix shell test for default CA cert bundle/path
schannel: fix regression in schannel_recv
openssl: skip trace outputs for ssl_ver == 0
gnutls: properly retrieve certificate status
netrc: Read in text mode when cygwin
winbuild: Document the option used to statically link the CRT
FTP: Make EPSV use the control IP address rather than the original host
FTP: fix dangling conn->ip_addr dereference on verbose EPSV
conncache: keep bundles on host+port bases, not only host names
runtests.pl: use 'h2c' now, no -14 anymore
curlver: introducing new version number (checking) macros
openssl: boringssl build brekage, use SSL_CTX_set_msg_callback
CURLOPT_POSTFIELDS.3: correct variable names
curl_easy_unescape.3: update RFC reference
gnutls: don't fail on non-fatal alerts during handshake
testcurl.pl: allow source to be in an arbitrary directory
CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description
parse_proxy: switch off tunneling if non-HTTP proxy
share_init: fix OOM crash
perl: remove subdir, not touched in 9 years
CURLOPT_COOKIELIST.3: Add example
CURLOPT_COOKIE.3: Explain that the cookies won't be modified
CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
FAQ: How do I port libcurl to my OS?
openssl: Use TLS_client_method for OpenSSL 1.1.0+
HTTP-NTLM: fail auth on connection close instead of looping
curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
curl_getdate.3: update RFC reference
curl_multi_info_read.3: added example
curl_multi_perform.3: added example
curl_multi_timeout.3: added example
cookie: Stop exporting any-domain cookies
openssl: remove dummy callback use from SSL_CTX_set_verify()
openssl: remove SSL_get_session()-using code
openssl: removed USERDATA_IN_PWD_CALLBACK kludge
openssl: removed error string #ifdef
openssl: Fix verification of server-sent legacy intermediates
docs: man page indentation and syntax fixes
docs: Spelling fixes
fopen.c: fix a few compiler warnings
CURLOPT_OPENSOCKETFUNCTION: return error at once
schannel: Add support for optional client certificates
build: Properly detect OpenSSL 1.0.2 when using configure
urldata: store POST size in state.infilesize too
security:choose_mech remove dead code
rtsp_do: remove dead code
docs: many HTTP URIs changed to HTTPS
schannel: schannel_recv overhaul

Fixed in 7.42.1 - April 29 2015

Bugfixes:

CURLOPT_HEADEROPT: default to separate
dist: include {src,lib}/checksrc.whitelist
connectionexists: fix build without NTLM
docs: distribute the CURLOPT_PINNEDPUBLICKEY man page, too
curl -z: do not write empty file on unmet condition
openssl: fix serial number output
curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
sws: init http2 state properly
curl.1: fix typo

Fixed in 7.42.0 - April 22 2015

Changes:

openssl: show the cipher selection to use in verbose text
gtls: implement CURLOPT_CERTINFO
add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
curl: add --false-start option
add CURLOPT_PATH_AS_IS
curl: add --path-as-is option
curl: create output file on successful download of an empty file

Bugfixes:

ConnectionExists: for NTLM re-use, require credentials to match
cookie: cookie parser out of boundary memory access
fix_hostname: zero length host name caused -1 index offset
http_done: close Negotiate connections when done
sws: timeout idle CONNECT connections
nss: improve error handling in Curl_nss_random()
nss: do not skip Curl_nss_seed() if data is NULL
curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
http2: move lots of verbose output to be debug-only
dist: add extern-scan.pl to the tarball
http2: return recv error on unexpected EOF
build: Use default RandomizedBaseAddress directive in VC9+ project files
build: Removed DataExecutionPrevention directive from VC9+ project files
tool: Updated the warnf() function to use the GlobalConfig structure
http2: Return error if stream was closed with other than NO_ERROR
mprintf.h: remove #ifdef CURLDEBUG
libtest: fixed linker errors on msvc
tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
curl.1: fix "The the" typo
cmake: handle build definitions CURLDEBUG/DEBUGBUILD
openssl: remove all uses of USE_SSLEAY
multi: fix memory-leak on timeout (regression)
curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
metalink: add some error checks
TLS: make it possible to enable ALPN/NPN without HTTP/2
http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
conncontrol: only log changes to the connection bit
multi: fix *getsock() with CONNECT
symbols.pl: handle '-' in the deprecated field
MacOSX-Framework: use @rpath instead of @executable_path
GnuTLS: add support for CURLOPT_CAPATH
GnuTLS: print negotiated TLS version and full cipher suite name
GnuTLS: don't print double newline after certificate dates
memanalyze.pl: handle free(NULL)
proxy: re-use proxy connections (regression)
mk-ca-bundle: Don't report SHA1 numbers with "-q"
http: always send Host: header as first header
openssl: sort ciphers to use based on strength
openssl: use colons properly in the ciphers list
http2: detect premature close without data transfered
hostip: Fix signal race in Curl_resolv_timeout
closesocket: call multi socket cb on close even with custom close
mksymbolsmanpage.pl: use std header and generate better nroff header
connect: Fix happy eyeballs logic for IPv4-only builds
curl_easy_perform.3: remove superfluous close brace from example
HTTP: don't use Expect: headers when on HTTP/2
Curl_sh_entry: remove unused 'timestamp'
docs/libcurl: makefile portability fix
mkhelp: Remove trailing carriage return from every line of input
nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
curl_easy_setopt.3: added a few missing options
metalink: fix resource leak in OOM
axtls: version 1.5.2 now requires that config.h be manually included
HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
cyassl: detect the library as renamed wolfssl
CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
CURLOPT_URL.3: Added "SECURITY CONCERNS
openssl: try to avoid accessing OCSP structs when possible
test938: added missing closing tags
testcurl: Allow '=' in values given on command line
tests/certs: added make target to rebuild certificates
tests/certs: rebuild certificates with modified key usage bits
gtls: avoid uninitialized variable
gtls: dereferencing NULL pointer
gtls: add check of return code
test1513: eliminated race condition in test run
dict: rename byte to avoid compiler shadowed declaration warning
curl_easy_recv/send: make them work with the multi interface
vtls: fix compile with --disable-crypto-auth but with SSL
openssl: adapt to ASN1/X509 things gone opaque in 1.1
openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
curl_memory: make curl_memory.h the second-last header file loaded
testcurl.pl: add the --notes option to supply more info about a build
cyassl: If wolfSSL then identify as such in version string
cyassl: Check for invalid length parameter in Curl_cyassl_random
cyassl: default to highest possible TLS version
Curl_ssl_md5sum: return CURLcode (fixes OOM)
polarssl: remove dead code
polarssl: called mbedTLS in 1.3.10 and later
globbing: fix step parsing for character globbing ranges
globbing: fix url number calculation when using range with step
multi: on a request completion, check all CONNECT_PEND transfers
build: link curl to openssl libraries when openssl support is enabled
url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined
vtls: Don't accept unknown CURLOPT_SSLVERSION values
build: Fix libcurl.sln erroneous mixed configurations
cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
cyassl: add SSL context callback support for CyaSSL
tool: only set SSL options if SSL is enabled
multi: remove_handle: move pending connections
configure: Use KRB5CONFIG for krb5-config
axtls: add timeout within Curl_axtls_connect
CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"
cyassl: Fix library initialization return value
cookie: handle spaces after the name in Set-Cookie
http2: Fix missing nghttp2_session_send call in Curl_http2_switched
cyassl: Fix certificate load check
build-openssl.bat: Fix mixed line endings
checksrc.bat: Check lib\vtls source
DNS: fix refreshing of obsolete dns cache entries
CURLOPT_RESOLVE: actually implement removals
checksrc.bat: quotes to support an SRC_DIR with spaces
cyassl: Remove 'Connecting to' message from cyassl_connect_step2
cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
lib/transfer.c: Remove factor of 8 from sleep time calculation
lib/makefile.m32: add missing libs to build libcurl.dll
build: Generate source prerequisites for Visual Studio in generate.bat
cyassl: Include the CyaSSL build config
firefox-db2pem: fix wildcard to find Firefox default profile
BUGS: refer to the github issue tracker now as primary
vtls_openssl: improve several certificate error messages
cyassl: Add support for TLS extension SNI
parsecfg: do not continue past a zero termination
configure --with-nss=PATH: query pkg-config if available
configure --with-nss: drop redundant if statement
cyassl: Fix include order
HTTP: fix PUT regression with Negotiate
curl_version_info.3: fixed the 'protocols' variable type

Fixed in 7.41.0 - February 25 2015

Changes:

NetWare build: added TLS-SRP enabled build
winbuild: Added option to build with c-ares
Added --cert-status
Added CURLOPT_SSL_VERIFYSTATUS
sasl: implement EXTERNAL authentication mechanism

Bugfixes:

sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
FTP: fix IPv6 host using link-local address
FTP: if EPSV fails on IPV6 connections, bail out
gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
NSS: fix compiler error when built http2-enabled
mingw build: allow to pass custom CFLAGS
add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS
curl_schannel.c: mark session as removed from cache if not freed
Curl_pretransfer: reset expected transfer sizes
curl.h: remove extra space
curl_endian: Fixed build when 64-bit integers are not supported
checksrc.bat: Better detection of Perl installation
build-openssl.bat: Added check for Perl installation
http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
http_negotiate: Added empty decoded challenge message info text
vtls: Removed unimplemented overrides of curlssl_close_all()
sasl_gssapi: Fixed memory leak with local SPN variable
http_negotiate: Use dynamic buffer for SPN generation
ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
openssl: do public key pinning check independently
timeval: typecast for better type (on Amiga)
ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
SASL: common URL option and auth capabilities decoders for all protocols
BoringSSL: fix build
BoringSSL: detected by configure, switches off NTLM
openvms: Handle openssl/0.8.9zb version parsing
configure: detect libresssl
configure: remove detection of the old yassl emulation API
curl_setup: Disable SMB/CIFS support when HTTP only
imap: remove automatic password setting: it breaks external sasl authentication
sasl: remove XOAUTH2 from default enabled authentication mechanism
runtests: identify BoringSSL and libressl
security: avoid compiler warning
ldap: build with BoringSSL
des: Added Curl_des_set_odd_parity()
CURLOPT_SEEKFUNCTION.3: also when server closes a connection
CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
build: Removed unused Visual Studio bscmake settings
build: Enabled DEBUGBUILD in Visual Studio debug builds
build: Renamed top level Visual Studio solution files
build: Removed Visual Studio SuppressStartupBanner directive for VC8+
libcurl-symbols: first basic shot for autogenerated docs
Makefile.am: fix 'make distcheck'
getpass_r: read from stdin, not stdout!
getpass: protect include with proper #ifdef
opts: CURLOPT_CAINFO availability depends on SSL engine
more cleanup of 'CURLcode result' return code
MD4: replace implementation
MD5: replace implementation
openssl: SSL_SESSION->ssl_version no longer exist
md5: use axTLS's own MD5 functions when available
schannel: Removed curl_ prefix from source files
curl.1: add warning when using -H and redirects
curl.1: clarify that -X is used for all requests
gskit: Fix exclusive SSLv3 option
polarssl: Fix exclusive SSL protocol version options
http2: Fix bug that associated stream canceled on PUSH_PROMISE
ftp: accept all 2xx responses to the PORT command
configure: allow both --with-ca-bundle and --with-ca-path
cmake: install the dll file to the correct directory
nss: fix NPN/ALPN protocol negotiation
polarssl: fix ALPN protocol negotiation
cmake: Fix generation of tool_hugehelp.c on windows
cmake: fix winsock2 detection on windows
gnutls: fix build with HTTP2
connect: fix a spurious connect failure on dual-stacked hosts
test: test 530 is now less timing dependent
telnet: invalid use of custom read function if not set

Fixed in 7.40.0 - January 8 2015

Changes:

http_digest: Added support for Windows SSPI based authentication
version info: Added Kerberos V5 to the supported features
Makefile: Added VC targets for WinIDN
config-win32: Introduce build targets for VS2012+
SSL: Add PEM format support for public key pinning
smtp: Added support for the conversion of Unix newlines during mail send
smb: Added initial support for the SMB/CIFS protocol
Added support for HTTP over unix domain sockets, via CURLOPT_UNIX_SOCKET_PATH and --unix-socket
sasl: Added support for GSS-API based Kerberos V5 authentication

Bugfixes:

darwinssl: fix session ID keys to only reuse identical sessions
url-parsing: reject CRLFs within URLs
OS400: Adjust specific support to last release
THANKS: Remove duplicate names
url.c: Fixed compilation warning
ssh: Fixed build on platforms where R_OK is not defined
tool_strdup.c: include the tool strdup.h
build: Fixed Visual Studio project file generation of strdup.[c|h]
curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY
curl.1: show zone index use in a URL
mk-ca-bundle.vbs: switch to new certdata.txt url
Makefile.dist: Added some missing SSPI configurations
build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
SSH: use the port number as well for known_known checks
libssh2: detect features based on version, not configure checks
http2: Deal with HTTP/2 data inside Upgrade response header buffer
multi: removed Curl_multi_set_easy_connection
symbol-scan.pl: do not require autotools
cmake: add ENABLE_THREADED_RESOLVER, rename ARES
cmake: build libhostname for test suite
cmake: fix HAVE_GETHOSTNAME definition
tests: fix libhostname visibility
tests: fix memleak in server/resolve.c
vtls.h: Fixed compiler warning when compiled without SSL
CMake: Restore order-dependent header checks
CMake: Restore order-dependent library checks
tool: Removed krb4 from the supported features
http2: Don't send Upgrade headers when we already do HTTP/2
examples: Don't call select() to sleep on windows
win32: Updated some legacy APIs to use the newer extended versions
easy.c: Fixed compilation warning when no verbose string support
connect.c: Fixed compilation warning when no verbose string support
build: in Makefile.m32 pass -F flag to windres
build: in Makefile.m32 add -m32 flag for 32bit
multi: when leaving for timeout, close accordingly
CMake: Simplify if() conditions on check result variables
build: in Makefile.m32 try to detect 64bit target
multi: inform about closed sockets before they are closed
multi-uv.c: close the file handle after download
examples: Wait recommended 100ms when no file descriptors are ready
ntlm: Split the SSPI based messaging code from the native messaging code
cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
cmake: add Kerberos to the supported feature
CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
http: Disable pipelining for HTTP/2 and upgraded connections
ntlm: Fixed static'ness of local decode function
sasl: Reduced the need for two sets of NTLM messaging functions
multi.c: Fixed compilation warnings when no verbose string support
select.c: fix compilation for VxWorks
multi-single.c: switch to use curl_multi_wait
curl_multi_wait.3: clarify numfds being used if not NULL
http.c: Fixed compilation warnings from features being disabled
NSS: enable the CAPATH option
docs: Fix FAILONERROR typos
HTTP: don't abort connections with pending Negotiate authentication
HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
http_perhapsrewind: don't abort CONNECT requests
build: updated dependencies in makefiles
multi.c: Fixed compilation warning
ftp.c: Fixed compilation warnings when proxy support disabled
get_url_file_name: Fixed crash on OOM on debug build
cookie.c: Refactored cleanup code to simplify
OS400: enable NTLM authentication
ntlm: Use Windows Crypt API
http2: avoid logging neg "failure" if h2 was not requested
schannel_recv: return the correct code
VC build: added sspi define for winssl-zlib builds
Curl_client_write(): chop long data, convert data only once
openldap: do not ignore Curl_client_write() return code
ldap: check Curl_client_write() return codes
parsedate.c: Fixed compilation warning
url.c: Fixed compilation warning when USE_NTLM is not defined
ntlm_wb_response: fix "statement not reached"
telnet: fix "cast increases required alignment of target type"
smtp: Fixed dot stuffing when EOL characters at end of input buffers
ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
ntlm: Disable NTLM v2 when 64-bit integers are not supported
ntlm: Use short integer when decoding 16-bit values
ftp.c: Fixed compilation warning when no verbose string support
synctime.c: fixed timeserver URLs
mk-ca-bundle.pl: restored forced run again
ntlm: Fixed return code for bad type-2 Target Info
curl_schannel.c: Data may be available before connection shutdown
curl_schannel: Improvements to memory re-allocation strategy
darwinssl: aprintf() to allocate the session key
tool_util.c: Use GetTickCount64 if it is available
lib: Fixed multiple code analysis warnings if SAL are available
tool_binmode.c: Explicitly ignore the return code of setmode
tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
SFTP: work-around servers that return zero size on STAT
connect: singleipconnect(): properly try other address families after failure
IPV6: address scope != scope id
parseurlandfillconn(): fix improper non-numeric scope_id stripping
secureserver.pl: make OpenSSL CApath and cert absolute path values
secureserver.pl: update Windows detection and fix path conversion
secureserver.pl: clean up formatting of config and fix verbose output
tests: Added Windows support using Cygwin-based OpenSSH
sockfilt.c: use non-Ex functions that are available before WinXP
VMS: Updates for 0740-0D1220
openssl: warn for SRP set if SSLv3 is used, not for TLS version
openssl: make it compile against openssl 1.1.0-DEV master branch
openssl: fix SSL/TLS versions in verbose output
curl: show size of inhibited data when using -v
build: Removed WIN32 definition from the Visual Studio projects
build: Removed WIN64 definition from the libcurl Visual Studio projects
vtls: Use bool for Curl_ssl_getsessionid() return type
sockfilt.c: Replace 100ms sleep with thread throttle
sockfilt.c: Reduce the number of individual memory allocations
vtls: Don't set cert info count until memory allocation is successful
nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
nss: Don't ignore Curl_extract_certinfo() OOM failure
vtls: Fixed compilation warning and an ignored return code
sockfilt.c: Fixed compilation warnings
darwinssl: Fixed compilation warning
vtls: Use '(void) arg' for unused parameters
sepheaders.c: Fixed resource leak on failure
lib1900.c: Fixed cppcheck error
ldap: Fixed Unicode connection details in Win32 initialsation / bind calls
ldap: Fixed Unicode DN, attributes and filter in Win32 search calls

Fixed in 7.39.0 - November 5 2014

Changes:

SSLv3 is disabled by default
CURLOPT_COOKIELIST: Added "RELOAD" command
build: Added WinIDN build configuration options to Visual Studio projects
ssh: improve key file search
SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
vtls: remove QsoSSL support, use gskit!
mk-ca-bundle: added SHA-384 signature algorithm
docs: added many examples for libcurl opts and other doc improvements
build: Added VC ssh2 target to main Makefile
MinGW: Added support to build with nghttp2
NetWare: Added support to build with nghttp2
build: added Watcom support to build with WinSSL
build: Added optional specific version generation of VC project files

Bugfixes:

curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
openssl: build fix for versions < 0.9.8e
newlines: fix mixed newlines to LF-only
ntlm: Fixed HTTP proxy authentication when using Windows SSPI
sasl_sspi: Fixed Unicode build
file: reject paths using embedded %00
threaded-resolver: revert Curl_expire_latest() switch
configure: allow --with-ca-path with PolarSSL too
HTTP/2: Fix busy loop when EOF is encountered
CURLOPT_CAPATH: return failure if set without backend support
nss: do not fail if a CRL is already cached
smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
fixed 20+ nits/memory leaks identified by Coverity scans
curl_schannel.c: Fixed possible memory or handle leak
multi-uv.c: call curl_multi_info_read() better
cmake: Check for OpenSSL before OpenLDAP
cmake: Fix library list provided to cURL tests
cmake: Avoid cycle directory dependencies
cmake: Build with GSS-API libraries (MIT or Heimdal)
vtls: provide backend defines for internal source code
nss: fix a connection failure when FTPS handle is reused
tests/http_pipe.py: Python 3 support
cmake: build tool_hugehelp (ENABLE_MANUAL)
cmake: enable IPv6 by default if available
tests: move TESTCASES to Makefile.inc, add show for cmake
ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
ntlm: Fixed empty/bad base-64 decoded buffer return codes
ntlm: Fixed empty type-2 decoded message info text
cmake: add CMake/Macros.cmake to the release tarball
cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
cmake: use LIBCURL_VERSION from curlver.h
cmake: generate pkg-config and curl-config
fixed several superfluous variable assignements identified by cppcheck
cleanup of 'CURLcode result' return code
pipelining: only output "is not blacklisted" in debug builds
SSL: Remove SSLv3 from SSL default due to POODLE attack
gskit.c: remove SSLv3 from SSL default
darwinssl: detect possible future removal of SSLv3 from the framework
ntlm: Only define ntlm data structure when USE_NTLM is defined
ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
sspi: Only call CompleteAuthToken() when complete is needed
http_negotiate: Fixed missing check for USE_SPNEGO
HTTP: return larger than 3 digit response codes too
openssl: Check for NPN / ALPN via OpenSSL version number
openssl: enable NPN separately from ALPN
sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
resume: consider a resume from
sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
build-openssl.bat: Fix x64 release build
cmake: drop _BSD_SOURCE macro usage
cmake: fix gethostby{addr,name}_r in CurlTests
cmake: clean OtherTests, fixing -Werror
cmake: fix struct sockaddr_storage check
Curl_single_getsock: fix hold/pause sock handling
SSL: PolarSSL default min SSL version TLS 1.0
cmake: fix ZLIB_INCLUDE_DIRS use
buildconf: stop checking for libtool

Fixed in 7.38.0 - September 10 2014

Changes:

supports HTTP/2 draft-14
CURLE_HTTP2 is a new error code
CURLAUTH_NEGOTIATE is a new auth define
CURL_VERSION_GSSAPI is a new capability bit
no longer use fbopenssl for anything
schannel: use CryptGenRandom for random numbers
axtls: define curlssl_random using axTLS's PRNG
cyassl: use RNG_GenerateBlock to generate a good random number
findprotocol: show unsupported protocol within quotes
version: detect and show LibreSSL
version: detect and show BoringSSL
imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
http2: requires nghttp2 0.6.0 or later

Bugfixes:

SECURITY ADVISORY: cookie leak with IP address as domain
SECURITY ADVISORY: cookie leak for TLDs
fix a build failure on Debian when NSS support is enabled
HTTP/2: fixed compiler warnings when built disabled
cyassl: return the correct error code on no CA cert
http: Deprecate GSS-Negotiate macros due to bad naming
http: Fixed Negotiate: authentication
multi: Improve proxy CONNECT performance (regression)
ntlm_wb: Avoid invoking ntlm_auth helper with empty username
ntlm_wb: Fix hard-coded limit on NTLM auth packet size
url.c: use the preferred symbol name: *READDATA
smtp: fixed a segfault during test 1320 torture test
cyassl: made it compile with version 2.0.6 again
nss: do not check the version of NSS at run time
c-ares: fix build without IPv6 support
HTTP/2: use base64url encoding
SSPI Negotiate: Fix 3 memory leaks
libtest: fixed duplicated line in Makefile
conncache: fix compiler warning
openssl: make ossl_send return CURLE_OK better
HTTP/2: Support expect: 100-continue
HTTP/2: Fix infinite loop in readwrite_data()
parsedate: fix the return code for an overflow edge condition
darwinssl: don't use strtok()
http_negotiate_sspi: Fixed specific username and password not working
openssl: replace call to OPENSSL_config
http2: show the received header for better debugging
HTTP/2: Move :authority before non-pseudo header fields
HTTP/2: Reset promised stream, not its associated stream
HTTP/2: added some more logging for debugging stream problems
ntlm: Added support for SSPI package info query
ntlm: Fixed hard coded buffer for SSPI based auth packet generation
sasl_sspi: Fixed memory leak with not releasing Package Info struct
sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
sasl: Use a dynamic buffer for DIGEST-MD5 SPN generation
http_negotiate_sspi: Use a dynamic buffer for SPN generation
sasl_sspi: Fixed missing free of challenge buffer on SPN failure
sasl_sspi: Fixed hard coded buffer for response generation
Curl_poll + Curl_wait_ms: fix timeout return value
docs/SSLCERTS: update the section about NSS database
create_conn: prune dead connections
openssl: fix version report for the 0.9.8 branch
mk-ca-bundle.pl: switched to using hg.mozilla.org
http: fix the Content-Range: parser
Curl_disconnect: don't free the URL
win32: Fixed WinSock 2 #if
NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
curl.1: clarify --limit-rate's effect on both directions
disconnect: don't touch easy-related state on disconnects
cmake: big cleanup and numerous fixes
HTTP/2: supports draft-14 - moved :headers before the non-psuedo headers
HTTP/2: Reset promised stream, not its associated stream
configure.ac: Add support for recent GSS-API implementations for HP-UX
CONNECT: close proxy connections that fail
CURLOPT_NOBODY.3: clarify this option is for downloads
darwinssl: fix CA certificate checking using PEM format
resolve: cache lookup for async resolvers
low-speed-limit: avoid timeout flood
polarssl: implement CURLOPT_SSLVERSION
multi: convert CURLM_STATE_CONNECT_PEND handling to a list
curl_multi_cleanup: remove superfluous NULL assigns
polarssl: support CURLOPT_CAPATH / --capath
progress: size_dl/size_ul are always >= 0, and clear "KNOWN" properly

Fixed in 7.37.1 - July 16 2014

Changes:

bits.close: introduce connection close tracking
darwinssl: Add support for --cacert
polarssl: add ALPN support
docs: Added new option man pages

Bugfixes:

build: Fixed incorrect reference to curl_setup.h in Visual Studio files
build: Use $(TargetDir) and $(TargetName) macros for .pdb and .lib output
curl.1: clarify that -u can't specify a user with colon
openssl: Fix uninitialized variable use in NPN callback
curl_easy_reset: reset the URL
curl_version_info.3: returns a pointer to a static struct
url-parser: only use if_nametoindex if detected by configure
select: with winsock, avoid passing unsupported arguments to select()
gnutls: don't use deprecated type names anymore
gnutls: allow building with nghttp2 but without ALPN support
tests: Fix portability issue with the tftpd server
curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN
curl_sasl: extended native DIGEST-MD5 cnonce to be a 32-byte hex string
random: use Curl_rand() for proper random data
Curl_ossl_init: call OPENSSL_config for initing engines
config-win32.h: Updated for VC12
winbuild: Don't USE_WINSSL when WITH_SSL is being used
getinfo: HTTP CONNECT code not reset between transfers
Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
http2: avoid segfault when using the plain-text http2
conncache: move the connection counter to the cache struct
http2: better return code error checking
curlbuild: fix GCC build on SPARC systems without configure script
tool_metalink: Support polarssl as digest provider
curl.h: reverse the enum/define setup for old symbols
curl.h: moved two really old deprecated symbols
curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
buildconf: do not search tools in current directory.
OS400: make it compilable again. Make RPG binding up to date
nss: do not abort on connection failure (failing tests 305 and 404)
nss: make the fallback to SSLv3 work again
tool: prevent valgrind from reporting possibly lost memory (nss only)
progress callback: skip last callback update on errors
nss: fix a memory leak when CURLOPT_CRLFILE is used
compiler warnings: potentially uninitialized variables
url.c: Fixed memory leak on OOM
gnutls: ignore invalid certificate dates with VERIFYPEER disabled
gnutls: fix SRP support with versions of GnuTLS from 2.99.0
gnutls: fixed a couple of uninitialized variable references
gnutls: fixed compilation against versions < 2.12.0
build: Fixed overridden compiler PDB settings in VC7 to VC12
ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
netrc: don't abort if home dir cannot be found
netrc: fixed thread safety problem by using getpwuid_r if available
cookie: avoid mutex deadlock
configure: respect host tool prefix for krb5-config
gnutls: handle IP address in cert name check

Fixed in 7.37.0 - May 21 2014

Changes:

URL parser: IPv6 zone identifiers are now supported
CURLOPT_PROXYHEADER: set headers for proxy-only
CURLOPT_HEADEROPT: added
curl: add --proxy-header
sasl: Added support for DIGEST-MD5 via Windows SSPI
sasl: Added DIGEST-MD5 qop-option validation in native challange handling
imap: Expanded mailbox SEARCH support to use URL query strings
imap: Extended FETCH support to include PARTIAL URL specifier
nss: implement non-blocking SSL handshake
build: Reworked Visual Studio project files
poll: enable poll on darwin13
mk-ca-bundle: added -p
libtests: add a wait_ms() function

Bugfixes:

mkhelp: generate code for --disable-manual as well
hostcheck: added a system include to define struct in_addr
winbuild: added warnless.c to fix build
Makefile.vc6: added warnless.c to fix build
smtp: Fixed login denied when server doesn't support AUTH capability
smtp: Fixed login denied with a RFC-821 based server
curl: stop interpreting IPv6 literals as glob patterns
http2: remove _DRAFT09 from the NPN_HTTP2 enum
http2: let openssl mention the exact protocol negotiated
http2+openssl: fix compiler warnings in ALPN using code
ftp: in passive data connect wait for happy eyeballs sockets
HTTP: don't send Content-Length: 0 _and_ Expect: 100-continue
http2: Compile with current nghttp2, which supports h2-11
http_negotiate_sspi: Fixed compilation when USE_HTTP_NEGOTIATE not defined
strerror: fix comment about vxworks' strerror_r buffer size
url: only use if_nametoindex() if IFNAMSIZ is available
imap: Fixed untagged response detection when no data after command
various: fix possible dereference of null pointer
various: fix use of uninitialized variable
various: fix use of non-null terminated strings
telnet.c: check sscanf results before passing them to snprintf
parsedate.c: check sscanf result before passing it to strlen
sockfilt.c: free memory in case of memory allocation errors
sockfilt.c: ignore non-key-events and continue waiting for input
sockfilt.c: properly handle disk files, pipes and character input
sockfilt.c: fixed getting stuck waiting for MinGW stdin pipe
sockfilt.c: clean up threaded approach and add documentation
configure: use the nghttp2 path correctly with pkg-config
curl_global_init_mem: bump initialized even if already initialized
gtls: fix NULL pointer dereference
cyassl: Use error-ssl.h when available
handler: make 'protocol' always specified as a single bit
INFILESIZE: fields in UserDefined must not be changed run-time
openssl: biomem->data is not zero terminated
config-win32.h: Fixed HAVE_LONGLONG for Visual Studio .NET 2003 and up
curl_ntlm_core: Fixed use of long long for VC6 and VC7
SNI: strip off a single trailing dot from host name
curl: bail on cookie use when built with disabled cookies
curl_easy_setopt.3: added the proto for CURLOPT_SSH_KNOWNHOSTS
curl_multi_cleanup: ignore SIGPIPE better
schannel: don't use the connect-timeout during send
mprintf: allow %.s with data not being zero terminated
tool_help: Fixed missing --login-options option
configure: Don't set LD_LIBRARY_PATH when cross-compiling
http: auth failure on duplicated 'WWW-Authenticate: Negotiate' header
cacertinmem: fix memory leak
lib1506: make sure the transfers are not within the same ms
Makefile.b32: Fixed for vtls changes
sasl: Fixed missing qop in the client's challenge-response message
openssl: unbreak PKCS12 support
darwinssl: fix potential crash with a P12 file
timers: fix timer regression involving redirects / reconnects
CURLINFO_SSL_VERIFYRESULT: made more reliable
HTTP: fixed connection re-use
configure: add SPNEGO to supported features
configure: add GSS-API to supported features
ALPN: fix typo in http/1.1 identifier
http2: make connection re-use work

Fixed in 7.36.0 - March 26 2014

Release contains security-related bug fixes

Changes:

ntlm: Added support for NTLMv2
tool: Added support for URL specific options
openssl: add ALPN support
gtls: add ALPN support
nss: add ALPN and NPN support
added CURLOPT_EXPECT_100_TIMEOUT_MS
tool: add --no-alpn and --no-npn
added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN
winssl: enable TLSv1.1 and TLSv1.2 by default
winssl: TLSv1.2 disables certificate signatures using MD5 hash
winssl: enable hostname verification of IP address using SAN or CN
darwinssl: Don't omit CN verification when an IP address is used
http2: build with current nghttp2 version
polarssl: dropped support for PolarSSL < 1.3.0
openssl: info message with SSL version used

Bugfixes:

SECURITY ADVISORY: wrong re-use of connections
SECURITY ADVISORY: IP address wildcard certificate validation
SECURITY ADVISORY: not verifying certs for TLS to IP address / Darwinssl
SECURITY ADVISORY: not verifying certs for TLS to IP address / Winssl
nss: allow to use ECC ciphers if NSS implements them
netrc: Fixed a memory leak in an OOM condition
ftp: fixed a memory leak on wildcard error path
pipeline: Fixed a NULL pointer dereference on OOM
nss: prefer highest available TLS version
100-continue: fix timeout condition
ssh: Fixed a NULL pointer dereference on OOM condition
formpost: use semicolon in multipart/mixaed
--help: add missing --tlsv1.x options
formdata: Fixed memory leak on OOM condition
ConnectionExists: reusing possible HTTP+NTLM connections better
mingw32: fix compilation
chunked decoder: track overflows correctly
curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0
dict: fix memory leak in OOM exit path
valgrind: added suppression on optimized code
curl: output protocol headers using binary mode
tool: Added URL index to password prompt for multiple operations
ConnectionExists: re-use non-NTLM connections better
axtls: call ssl_read repeatedly
multi: make MAXCONNECTS default 4 x number of easy handles function
configure: Fix the --disable-crypto-auth option
multi: ignore SIGPIPE internally
curl.1: update the description of --tlsv1
SFTP: skip reading the dir when NOBODY=1
easy: Fixed a memory leak on OOM condition
tool: Fixed incorrect return code when setting HTTP request fails
configure: Tiny fix to honor POSIX
tool: Do not output libcurl source for the information only parameters
Rework Open Watcom make files to use standard Wmake features
x509asn: moved out Curl_verifyhost from NSS builds
configure: call it GSS-API
hostcheck: Curl_cert_hostcheck is not used by NSS builds
multi_runsingle: move timestamp into INIT
remote_port: allow connect to port 0
parse_remote_port: error out on illegal port numbers better
ssh: Pass errors from libssh2_sftp_read up the stack
docs: remove documentation on setting up krb4 support
polarssl: build fixes to work with PolarSSL 1.3.x
polarssl: fix possible handshake timeout issue in multi
nss: allow to enable/disable cipher-suites better
ssh: prevent a logic error that could result in an infinite loop
http2: free resources on disconnect
polarssl: avoid extra newlines in debug messages
rtsp: parse "Session:" header properly
trynextip: don't store 'ai' on failed connects
Curl_cert_hostcheck: strip trailing dots in host name and wildcard

Fixed in 7.35.0 - January 29 2014

Release contains security-related bug fix

Changes:

imap/pop3/smtp: Added support for SASL authentication downgrades
imap/pop3/smtp: Extended the login options to support multiple auth mechanisms
TheArtOfHttpScripting: major update, converted layout and more
mprintf: Added support for I, I32 and I64 size specifiers
makefile: Added support for VC7, VC11 and VC12

Bugfixes:

SECURITY ADVISORY: re-use of wrong HTTP NTLM connection
curl_easy_setopt: Fixed OAuth 2.0 Bearer option name
pop3: Fixed APOP being determined by CAPA response rather than by timestamp
Curl_pp_readresp: zero terminate line
FILE: don't wait due to CURLOPT_MAX_RECV_SPEED_LARGE
docs: mention CURLOPT_MAX_RECV/SEND_SPEED_LARGE don't work for FILE://
pop3: Fixed auth preference not being honored when CAPA not supported
imap: Fixed auth preference not being honored when CAPABILITY not supported
threaded resolver: Use pthread_t * for curl_thread_t
FILE: we don't support paused transfers using this protocol
connect: Try all addresses in first connection attempt
curl_easy_setopt.3: Added SMTP information to CURLOPT_INFILESIZE_LARGE
OpenSSL: Fix forcing SSLv3 connections
openssl: allow explicit sslv2 selection
FTP parselist: fix "total" parser
conncache: fix possible dereference of null pointer
multi.c: fix possible dereference of null pointer
mk-ca-bundle: introduces -d and warns about using this script
ConnectionExists: fix NTLM check for new connection
trynextip: fix build for non-IPV6 capable systems
Curl_updateconninfo: don't do anything for UDP "connections"
darwinssl: un-break Leopard build after PKCS#12 change
threaded-resolver: never use NULL hints with getaddrinf
multi_socket: remind app if timeout didn't run
OpenSSL: deselect weak ciphers by default
error message: Sensible message on timeout when transfer size unknown
curl_easy_setopt.3: mention how to unset CURLOPT_INFILESIZE*
win32: Fixed use of deprecated function 'GetVersionInfoEx' for VC12
configure: fix gssapi linking on HP-UX
chunked-parser: abort on overflows, allow 64 bit chunks
chunked parsing: relax the CR strictness
cookie: max-age fixes
progress bar: always update when at 100%
progress bar: increase update frequency to 10Hz
tool: Fixed incorrect return code if command line parser runs out of memory
tool: Fixed incorrect return code if password prompting runs out of memory
HTTP POST: omit Content-Length if data size is unknown
GnuTLS: disable insecure ciphers
GnuTLS: honor --slv2 and the --tlsv1[.N] switches
multi: Fixed a memory leak on OOM condition
netrc: Fixed a memory and file descriptor leak on OOM
getpass: fix password parsing from console
TFTP: fix crash on time-out
hostip: don't remove DNS entries that are in use
tests: lots of tests fixed to pass the OOM torture tests

Fixed in 7.34.0 - December 17 2013

Changes:

SSL: protocol version can be specified more precisely
imap/pop3/smtp: Added graceful cancellation of SASL authentication
Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
base64: Added validation of base64 input strings when decoding
curl_easy_setopt: Added the ability to set the login options separately
smtp: Added support for additional SMTP commands
curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
nss: allow to use TLS > 1.0 if built against recent NSS
SECURITY: added this document to describe our security processes
parseconfig: warn if unquoted white spaces are detected

Bugfixes:

SECURITY VULNERABILITY: libcurl cert name check ignore with GnuTLS
darwinssl: un-break iOS build after PKCS#12 feature added
tool: use XFERFUNCTION to save some casts
usercertinmem: fix memory leaks
ssh: Handle successful SSH_USERAUTH_NONE
NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
test906: Fixed failing test on some platforms
sasl: initialize NSS before using NTLM crypto
sasl: Fixed memory leak in OAUTH2 message creation
imap/pop3/smtp: Fixed QUIT / LOGOUT being sent when SSL connect fails
cmake: unbreak for non-Windows platforms
ssh: initialize per-handle data in ssh_connect()
glob: fix broken URLs
configure: check for long long when building with cyassl
CURLOPT_RESOLVE: mention they don't time-out
docs/examples/httpput.c: fix build for MSVC
FTP: make the data connection work when going through proxy
NSS: support for CERTINFO feature
curl_multi_wait: accept 0 from multi_timeout() as valid timeout
glob_range: pass the closing bracket for a-z ranges
tool_help: Updated --list-only description to include POP3
Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string
cmake: fix Windows build with IPv6 support
ares: Fixed compilation under Visual Studio 2012
curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation
curl.1: mention that -O does no URL decoding
darwinssl: PKCS#12 import feature now requires Lion or later
darwinssl: check for SSLSetSessionOption() presence when toggling BEAST
configure: Fix test with -Werror=implicit-function-declaration
sigpipe: factor out sigpipe_reset from easy.c
curl_multi_cleanup: ignore SIGPIPE
globbing: curl glob counter mismatch with {} list use
parseconfig: dash options can't specified with colon or equals
digest: fix CURLAUTH_DIGEST_IE
curl.h: for OpenBSD
darwinssl: Fix #if 10.6.0 for SecKeychainSearch
TFTP: fix return codes for connect timeout
login options: remove the ;[options] support from CURLOPT_USERPWD
imap: Fixed incorrect fallback to clear text authentication
parsedate: avoid integer overflow
curl.1: document -J doesn't %-decode
multi: add timer inaccuracy margin to timeout/connecttimeout

Fixed in 7.33.0 - October 14 2013

Changes:

test code for testing the event based API
CURLM_ADDED_ALREADY: new error code
test TFTP server: support "writedelay" within
krb4 support has been removed
imap/pop3/smtp: added basic SASL XOAUTH2 support
darwinssl: add support for PKCS#12 files for client authentication
darwinssl: enable BEAST workaround on iOS 7 & later
Pass password to OpenSSL engine by user interface
c-ares: Add support for various DNS binding options
cookies: add expiration
curl: added --oauth2-bearer option

Bugfixes:

nss: make sure that NSS is initialized
curl: make --no-[option] work properly for several options
FTP: with socket_action send better socket updates in active mode
curl: fix the --sasl-ir in the --help output
tests 2032, 2033: Don't hardcode port in expected output
urlglob: better detect unclosed braces, empty lists and overflows
urlglob: error out on range overflow
imap: Fixed response check for SEARCH, EXPUNGE, LSUB, UID and NOOP commands
handle arbitrary-length username and password
TFTP: make the CURLOPT_LOW_SPEED* options work
curl.h: name space pollution by "enum type"
multi: move on from STATE_DONE faster
FTP: 60 secs delay if aborted in the CURLOPT_HEADERFUNCTION callback
multi_socket: improved 100-continue timeout handling
curl_multi_remove_handle: allow multiple removes
FTP: fix getsock during DO_MORE state
-x: rephrased the --proxy section somewhat
acinclude: fix --without-ca-path when cross-compiling
LDAP: fix bad free() when URL parsing failed
--data: mention CRLF treatment when reading from file
curl_easy_pause: suggest one way to unpause
imap: Fixed calculation of transfer when partial FETCH received
pingpong: Check SSL library buffers for already read data
imap/pop3/smtp: Speed up SSL connection initialization
libcurl.3: for multi interface connections are held in the multi handle
curl_easy_setopt.3: mention RTMP URL quirks
curl.1: detail how short/long options work
curl.1: Added information about optional login options to --user option
curl: Added clarification to the --mail options in the --help output
curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value
openssl: use correct port number in error message
darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher
OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER
xattr: add support for FreeBSD xattr API
win32: fix Visual Studio 2010 build with WINVER >= 0x600
configure: use icc options without space
test1112: Increase the timeout from 7s to 16s
SCP: upload speed on a fast connection limited to 16384 B/s
curl_setup_once: fix errno access for lwip on Windows
HTTP: Output http response 304 when modified time is too old

Fixed in 7.32.0 - August 12 2013

Changes:

curl: allow timeouts to accept decimal values
OS400: add slist and certinfo EBCDIC support
OS400: new SSL backend GSKit
CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
LIBCURL-STRUCTS: new document

Bugfixes:

dotdot: introducing dot file path cleanup
docs: fix typo in curl_easy_getinfo manpage
test1230: avoid using hard-wired port number
test1396: invoke the correct test tool
SIGPIPE: ignored while inside the library
darwinssl: fix crash that started happening in Lion
OpenSSL: check for read errors, don't assume
c-ares: improve error message on failed resolve
printf: make sure %x are treated unsigned
formpost: better random boundaries
url: restore the functionality of 'curl -u :'
curl.1: fix typo in --xattr description
digest: improve nonce generation
configure: automake 1.14 compatibility tweak
curl.1: document the --post303 option in the man page
curl.1: document the --sasl-ir option in the man page
setup-vms.h: sk_pop symbol tweak
tool_paramhlp: try harder to catch negatives
cmake: Fix for MSVC2010 project generation
asyn-ares: Don't blank ares servers if none configured
curl_multi_wait: set revents for extra fds
Reinstate WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup()
ftp_do_more: consider DO_MORE complete when server connects back
curl_easy_perform: gradually increase the delay time
curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
curl: fix upload of a zip file in OpenVMS
build: fix linking on Solaris 10
curl_formadd: CURLFORM_FILECONTENT wrongly rejected some option combos
curl_formadd: fix file upload on VMS
curl_easy_pause: on unpause, trigger mulit-socket handling
md5 & metalink: use better build macros on Apple operating systems
darwinssl: fix build error in crypto authentication under Snow Leopard
curl: make --progress-bar update the line less frequently
configure: don't error out on variable confusions (CFLAGS, LDFLAGS etc)
mk-ca-bundle: skip more untrusted certificates
formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
FTP: when EPSV gets a 229 but fails to connect, retry with PASV
mk-ca-bundle.1: don't install on make install
VMS: lots of updates and fixes of the build procedure
global dns cache: didn't work (regression)
global dns cache: fix memory leak

Fixed in 7.31.0 - June 22 2013

Changes:

darwinssl: add TLS session resumption
darwinssl: add TLS crypto authentication
imap/pop3/smtp: Added support for ;auth= in the URL
imap/pop3/smtp: Added support for ;auth= to CURLOPT_USERPWD
usercertinmem.c: add example showing user cert in memory
url: Added smtp and pop3 hostnames to the protocol detection list
imap/pop3/smtp: Added support for enabling the SASL initial response
curl -E: allow to use ':' in certificate nicknames

Bugfixes:

SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond the end of the input buffer
FTP: access files in root dir correctly
configure: try pthread_create without -lpthread
FTP: handle a 230 welcome response
curl-config: don't output static libs when they are disabled
CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
Various documentation updates
getinfo.c: reset timecond when clearing session-info variables
FILE: prevent an artificial timeout event due to stale speed-check data
ftp_state_pasv_resp: connect through proxy also when set by env
sshserver: disable StrictHostKeyChecking
ftpserver: Fixed imap logout confirmation data
curl_easy_init: use less mallocs
smtp: Fixed unknown percentage complete in progress bar
smtp: Fixed sending of double CRLF caused by first in EOB
bindlocal: move brace out of #ifdef
winssl: Fixed invalid memory access during SSL shutdown
OS X framework: fix invalid symbolic link
OpenSSL: allow empty server certificate subject
axtls: prevent memleaks on SSL handshake failures
cookies: only consider full path matches
Revert win32 MemoryTracking: wcsdup() _wcsdup() and _tcsdup()
Curl_cookie_add: handle IPv6 hosts
ossl_send: SSL_write() returning 0 is an error too
ossl_recv: SSL_read() returning 0 is an error too
Digest auth: escape user names with backslash or " in them
curl_formadd.3: fixed wrong "end-marker" syntax
libcurl-tutorial.3: fix incorrect backslash
curl_multi_wait: reduce timeout if the multi handle wants to
tests/Makefile: typo in the perlcheck target
axtls: honor disabled VERIFYHOST
OpenSSL: avoid double free in the PKCS12 certificate code
multi_socket: reduce timeout inaccuracy margin
digest: support auth-int for empty entity body
axtls: now done non-blocking
lib1900: use tutil_tvnow instead of gettimeofday
curl_easy_perform: avoid busy-looping
CURLOPT_COOKIELIST: take cookie share lock
multi_socket: react on socket close immediately

Fixed in 7.30.0 - April 12 2013

Changes:

imap: Changed response tag generation to be completely unique
imap: Added support for SASL-IR extension
imap: Added support for the list command
imap: Added support for the append command
imap: Added custom request parsing
imap: Added support to the fetch command for UID and SECTION properties
imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
darwinssl: Make certificate errors less techy
imap/pop3/smtp: Added support for the STARTTLS capability
checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling
Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control

Bugfixes:

SECURITY ADVISORY: cookie tailmatching to avoid cross-domain leakage
darwinssl: Fix build under Leopard
DONE: consider callback-aborted transfers premature
ntlm: Fixed memory leaks
smtp: Fixed an issue when processing EHLO failure responses
pop3: Fixed incorrect return value from pop3_endofresp()
pop3: Fixed SASL authentication capability detection
pop3: Fixed blocking SSL connect when connecting via POP3S
imap: Fixed memory leak when performing multiple selects
nss: fix misplaced code enabling non-blocking socket mode
AddFormData: prevent only directories from being posted
darwinssl: fix infinite loop if server disconnected abruptly
metalink: fix improbable crash parsing metalink filename
show proper host name on failed resolve
MacOSX-Framework: Make script work in Xcode 4.0 and later
strlcat: remove function
darwinssl: Fix send glitchiness with data > 32 or so KB
polarssl: better 1.1.x and 1.2.x support
various documentation improvements
multi: NULL pointer reference when closing an unused multi handle
SOCKS: fix socks proxy when noproxy matched
install-sh: updated to support multiple source files as arguments
PolarSSL: added human readable error strings
resolver_error: remove wrong error message output
docs: updates HTML index and general improvements
curlbuild.h.dist: enhance non-configure GCC ABI detection logic
sasl: Fixed null pointer reference when decoding empty digest challenge
easy: do not ignore poll() failures other than EINTR
darwinssl: disable ECC ciphers under Mountain Lion by default
CONNECT: count received headers
build: fixes for VMS
CONNECT: clear 'rewindaftersend' on success
HTTP proxy: insert slash in URL if missing
hiperfifo: updated to use current libevent API
getinmemory.c: abort the transfer nicely if not enough memory
improved win32 memorytracking
corrected proxy header response headers count
FTP quote operations on re-used connection
tcpkeepalive on win32
tcpkeepalive on Mac OS X
easy: acknowledge the CURLOPT_MAXCONNECTS option properly
easy interface: restore default MAXCONNECTS to 5
win32: don't set SO_SNDBUF for windows vista or later versions
HTTP: made cookie sort function more deterministic
winssl: Fixed memory leak if connection was not successful
FTP: wait on both connections during active STOR state
connect: treat a failed local bind of an interface as a non-fatal error
darwinssl: disable insecure ciphers by default
FTP: handle "rubbish" in front of directory name in 257 responses
mk-ca-bundle: Fixed lost OpenSSL output with "-t"

Fixed in 7.29.0 - February 6 2013

Changes:

test: offer "automake" output and check for perl better
always-multi: always use non-blocking internals
imap: Added support for sasl digest-md5 authentication
imap: Added support for sasl cram-md5 authentication
imap: Added support for sasl ntlm authentication
imap: Added support for sasl login authentication
imap: Added support for sasl plain text authentication
imap: Added support for login disabled server capability
mk-ca-bundle: add -f, support passing to stdout and more
writeout: -w now supports remote_ip/port and local_ip/port

Bugfixes:

SECURITY ADVISORY: SASL buffer overflow vulnerability
nss: prevent NSS from crashing on client auth hook failure
darwinssl: Fixed inability to disable peer verification on Snow Leopard and Lion
curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE
SCP: relative path didn't work as documented
setup_once.h: HP-UX issue workaround
configure: fix cross pkg-config detection
runtests: Do not add undefined values to @INC
build: fix compilation with CURL_DISABLE_CRYPTO_AUTH flag
multi: fix re-sending request on early connection close
HTTP: remove stray CRLF in chunk-encoded content-free request bodies
build: fix AIX compilation and usage of events/revents
VC Makefiles: add missing hostcheck
nss: clear session cache if a client certificate from file is used
nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
fix HTTP CONNECT tunnel establishment upon delayed response
--libcurl: fix for non-zero default options
FTP: reject illegal port numbers in EPSV 229 responses
build: use per-target '_CPPFLAGS' for those currently using default
configure: fix automake 1.13 compatibility
curl: ignore SIGPIPE
pop3: Added support for non-blocking SSL upgrade
pop3: Fixed default authentication detection
imap: Fixed usernames and passwords that contain escape characters
packages/DOS/common.dj: remove COFF debug info generation
imap/pop3/smtp: Fixed failure detection during TLS upgrade
pop3: Fixed no known authentication mechanism when fallback is required
formadd: reject trying to read a directory where a file is expected
formpost: support quotes, commas and semicolon in file names
docs: update the comments about loading CA certs with NSS
docs: fix typos in man pages
darwinssl: Fix bug where packets were sometimes transmitted twice
winbuild: include version info for .dll .exe
schannel: Removed extended error connection setup flag
VMS: fix and generate the VMS build config

Fixed in 7.28.1 - November 20 2012

Changes:

metalink/md5: Use CommonCrypto on Apple operating systems
href_extractor: new example code extracting href elements
NSS can be used for metalink hashing

Bugfixes:

Fix broken libmetalink-aware OpenSSL build
gnutls: fix the error is fatal logic
darwinssl: un-broke iOS build, fix error on server disconnect
asyn-ares: restore functionality with c-ares < 1.6.1
tlsauthtype: deal with the string case insensitively
Fixed MSVC libssh2 static build
evhiperfifo: fix the pointer passed to WRITEDATA
BUGS: fix the bug tracker URL
winbuild: Use machine type of development environment
FTP: prevent the multi interface from blocking
uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES
httpcustomheader.c: free the headers after use
fix >2000 bytes POST over NTLM-using proxy
redirects to URLs with fragments
don't send '#' fragments when using proxy
OpenSSL: show full issuer string
fix HTTP auth regression
CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value
ftp: EPSV-disable fix over SOCKS
Digest: Add microseconds into nounce calculation
SCP/SFTP: improve error code used for send failures
SSL: Several SSL-backend related fixes
removed the notorious "additional stuff not fine" debug output
OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack
FILE: Make upload-writes unbuffered
custom memory callbacks failure with HTTP proxy (and more)
TFTP: handle resends
autoconf: don't force-disable compiler debug option
winbuild: Fix PDB file output
test2032: spurious failure caused by premature termination
memory leak: CURLOPT_RESOLVE with multi interface

Fixed in 7.28.0 - October 10 2012

Changes:

SSH: added agent based authentication
ftp: active conn, allow application to set sockopt after accept() call with CURLSOCKTYPE_ACCEPT
multi: add curl_multi_wait()
metalink: Added support for Microsoft Windows CryptoAPI
md5: Added support for Microsoft Windows CryptoAPI
parse_proxy: treat "socks://x" as a socks4 proxy
socks: Added support for IPv6 connections through SOCKSv5 proxy

Bugfixes:

WSAPoll disabled on Windows builds due to its bugs
segfault on request retries
curl-config: parentheses fix
VC build: add define for openssl
globbing: fix segfault when >9 globs were used
fixed a few clang-analyzer warnings
metalink: change code order to build with gnutls-nettle
gtls: fix build failure by including nettle-specific headers
change preferred HTTP auth on a handle previously used for another auth
file: use fdopen() to avoid race condition
Added DWANT_IDN_PROTOTYPES define for MSVC too
verbose: fixed (nil) output of hostnames in re-used connections
metalink: Un-broke the build when building --with-darwinssl
curl man page cleanup
Avoid leak of local device string when reusing connection
Curl_socket_check: fix return code for timeout
nss: do not print misleading NSS error codes
configure: remove the --enable/disable-nonblocking options
darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions
NTLM: re-use existing connection better
schannel crash on multi and easy handle cleanup
SOCKS: truly disable it if CURL_DISABLE_PROXY is defined
mk-ca-bundle: detect start of trust section better
gnutls: do not fail on non-fatal handshake errors
SMTP: only send SIZE if supported
ftpserver: respond with a 250 to SMTP EHLO
ssh: do not crash if MD5 fingerprint is not provided by libssh2
winbuild: Added support for building with SPNEGO enabled
metalink: Fixed validation of binary files containing EOF
setup.h: fixed for MS VC10 build
cmake: use standard findxxx modules for cmake v2.8+
HTTP_ONLY: disable more protocols
Curl_reconnect_request: clear pointer on failure
https.c example: remember to call curl_global_init()
metalink: Filter resource URLs by type
multi interface: CURLOPT_LOW_SPEED_* fix during rate limitation
curl_schannel: Removed buffer limit and optimized buffer strategy

Fixed in 7.27.0 - July 27 2012

Changes:

nss: use human-readable error messages provided by NSS
added --metalink for metalink download support
pop3: Added support for sasl plain text authentication
pop3: Added support for sasl login authentication
pop3: Added support for sasl ntlm authentication
pop3: Added support for sasl cram-md5 authentication
pop3: Added support for sasl digest-md5 authentication
pop3: Added support for apop authentication
Added support for Schannel (Native Windows) SSL/TLS encryption
Added support for Darwin SSL (Native Mac OS X and iOS)
http: print reason phrase from HTTP status line on error

Bugfixes:

pop3: Fixed the issue of having to supply the user name for all requests
configure: fix LDAPS disabling related misplaced closing parenthesis
cmdline: made -D option work with -O and -J
configure: Fix libcurl.pc and curl-config generation for static MingW* cross builds
ssl: fix duplicated SSL handshake with multi interface and proxy
winbuild: Fix Makefile.vc ignoring USE_IPV6 and USE_IDN flags
OpenSSL: support longer certificate subject names
openldap: OOM fixes
log2changes.pl: fix the Version output
lib554.c: use curl_formadd() properly
urldata.h: fix cyassl build clash with wincrypt.h
cookies: changed the URL in the cookiejar headers
http-proxy: keep CONNECT connections alive (for NTLM)
NTLM SSPI: fixed to work with unicode user names and passwords
OOM fix in the curl tool when cloning cmdline options
fixed some examples to use curl_global_init() properly
cmdline: stricter numerical option parser
HTTP HEAD: don't force-close after response-headers
test231: fix wrong -C use
docs: switch to proper UTF-8 for text file encoding
keepalive: DragonFly uses milliseconds
HTTP Digest: Client's "qop" value should not be quoted
make distclean works again

Fixed in 7.26.0 - May 24 2012

Changes:

nss: the minimal supported version of NSS bumped to 3.12.x
nss: human-readable names are now provided for NSS errors if available
add a manual page for mk-ca-bundle
added --post303 and the CURL_REDIR_POST_303 option for CURLOPT_POSTREDIR
smtp: Add support for DIGEST-MD5 authentication
pop3: Added support for additional pop3 commands
curl: -w now supports 'filename_effective'

Bugfixes:

nss: libcurl now uses NSS_InitContext() to prevent collisions if available
URL parse: reject numerical IPv6 addresses outside brackets
MD5: fix OOM memory leak
OpenSSL cert: provide more details when cert check fails
HTTP: empty chunked POST ended up in two zero size chunks
fixed a regression when curl resolved to multiple addresses and the first isn't supported [7]
-# progress meter: avoid superfluous updates and duplicate lines
headers: surround GCC attribute names with double underscores
PolarSSL: correct return code for CRL matches
PolarSSL: include version number in version string
PolarSSL: add support for asynchronous connect
mk-ca-bundle: revert the LWP usage
IPv6 cookie domain: get rid of the first bracket before the second
connect.c: return changed to CURLE_COULDNT_CONNECT when opensocket fails
OpenSSL: Made cert hostname check conform to RFC 6125
HTTP: reset expected DL/UL sizes on redirects
CMake: fix Windows LDAP/LDAPS option handling
CMake: fix MS Visual Studio x64 unsigned long long literal suffix
configure: update detection logic of getaddrinfo() thread-safeness
configure: check for gethostbyname in the watt lib
curl-config.1: fix curl-config usage in example
smtp: Fixed non-escaping of dot character at beginning of line
MakefileBuild.vc: use the correct IDN variable
autoconf: improve handling of versioned symbols
curl.1: clarify -x usage
curl: shorten user-agent
smtp: issue with the multi-interface always sending postdata
compile error with GnuTLS+Nettle fixed
winbuild: fix IPv6 enabled build

Fixed in 7.25.0 - March 22 2012

Changes:

Bugfixes:

--max-redirs: allow negative numbers as option value
parse_proxy: bail out on zero-length proxy names
configure: don't modify LD_LIBRARY_PATH for cross compiles
curl_easy_reset: reset the referer string
curl tool: don't abort glob-loop due to failures
CONNECT: send correct Host: with IPv6 numerical address
Explicitly link to the nettle/gcrypt libraries
more resilient connection times among IP addresses
winbuild: fix IPV6 and IDN options
SMTP: Fixed error when using CURLOPT_CONNECT_ONLY
cyassl: update to CyaSSL 2.0.x API
smtp: Fixed an issue with the EOB checking
pop3: Fixed drop of final CRLF in EOB checking
smtp: Fixed an issue with writing postdata
smtp: Added support for returning SMTP response codes
CONNECT: fix ipv6 address in the Request-Line
curl-config: only provide libraries with --libs
LWIP: don't consider HAVE_ERRNO_H to be winsock
ssh: tunnel through HTTP proxy if requested
cookies: strip off [brackets] from numerical ipv6 host names
libcurl docs: version corrections
cmake: list_spaces_append_once failure
resolve with c-ares: don't resolve IPv6 when not working
smtp: changed error code for EHLO and HELO responses
parsedate: fix a numeric overflow

Fixed in 7.24.0 - January 24 2012

Changes:

Bugfixes:

curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036
curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
SSL session share: move the age counter to the share object
-J -O: use -O name if no Content-Disposition header comes!
protocol_connect: show verbose connect and set connect time
query-part: ignore the URI part for given protocols
gnutls: only translate winsock errors for old versions
POP3: fix end of body detection
POP3: detect when LIST returns no mails
TELNET: improved treatment of options
configure: add support for pkg-config detection of libidn
CyaSSL 2.0+ library initialization adjustment
multi interface: only use non-NULL socker function pointer
call opensocket callback properly for active FTP
don't call close socket callback for sockets created with accept()
differentiate better between host/proxy errors
SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5
multi: handle timeouts on DNS servers by checking for new sockets
CURLOPT_DNS_SERVERS: fix return code
POP3: fixed escaped dot not being stripped out
OpenSSL: check for the SSLv2 function in configure
MakefileBuild: fix the static build
create_conn: don't switch to HTTP protocol if tunneling is enabled
multi interface: fix block when CONNECT_ONLY option is used
Fix connection reuse for TLS upgraded connections
multiple file upload with -F and custom type
multi interface: active FTP connections are no longer blocking
Android build fix
timer: restore PRETRANSFER timing
libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM
appconnect time fixed for non-blocking connect ssl backends
do not include SSL handshake into time spent waiting for 100-continue
handle dns cache case insensitive
use new host name casing for subsequent HTTP requests
CURLOPT_RESOLVE: avoid adding already present host names
SFTP mkdir: use correct permission
resolve: don't leak pre-populated dns entries
--retry: Retry transfers on timeout and DNS errors
negotiate with SSPI backend: use the correct buffer for input
SFTP dir: increase buffer size counter to avoid cut off file names
TFTP: fix resending (again)
c-ares: don't include getaddrinfo-using code
FTP: CURLE_PARTIAL_FILE will not close the control channel
win32-threaded-resolver: stop using a dummy socket
OpenSSL: remove reference to openssl internal struct
OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled
OpenSSL: fix PKCS#12 certificate parsing related memory leak
OpenLDAP: fix LDAP connection phase memory leak
Telnet: Use correct file descriptor for telnet upload
Telnet: Remove bogus optimisation of telnet upload
URL parse: user name with ipv6 numerical address
polarssl: show cipher suite name correctly with 1.1.0
polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be insecure
gnutls: enforced use of SSLv3

Fixed in 7.23.1 - November 17 2011

Bugfixes:

Windows: curl would fail if it found no CA cert, unless -k was used. Even if a non-SSL protocol URL was used

Fixed in 7.23.0 - November 15 2011

Changes:

Empty headers can be sent in HTTP requests by terminating with a semicolon
SSL session sharing support added to curl_share_setopt()
Added support to MAIL FROM for the optional SIZE parameter
smtp: Added support for NTLM authentication
curl tool: code split into tool_*.[ch] files

Bugfixes:

handle HTTP redirects to "//hostname/path"
SMTP without --mail-from caused segfault
prevent extra progress meter headers between multiple files
allow Content-Length to be replaced when sending HTTP requests
curl now always sets postfieldsize to allow --data-binary and --data to be mixed in the same command line
curl_multi_fdset: avoid FD_SET out of bounds
lots of MinGW build tweaks
Curl_gethostname: return un-qualified machine name
fixed the openssl version number configure check
nss: certificates from files are no longer looked up by file base names
returning abort from the progress function when using the multi interface would not properly cancel the transfer and close the connection
fix libcurl.m4 to not fail with modern gcc versions
ftp: improved the failed PORT host name resolved error message
TFTP timeout and unexpected block adjustments
HTTP and GOPHER test server-side connection closing adjustments
fix endless loop upon transport connection timeout
don't clobber errno on failed connect
typecheck: allow NULL to unset CURLOPT_ERRORBUFFER
formdata: ack read callback abort
make --show-error properly position independent
set the ipv6-connection boolean correctly on connect
SMTP: fix end-of-body string escaping
gtls: only call gnutls_transport_set_lowat with HTTP: handle multiple auths in a single WWW-Authenticate line
curl_multi_fdset: correct fdset with FTP PORT use
windbuild: fix the static build
fix builds with GnuTLS version 3
fix calling of OpenSSL's ERR_remove_state(0)
HTTP auth: fix proxy Negotiate bug when Negotiate not requested
ftp PORT: don't hang if bind() fails
-# would crash on terminals wider than 256 columns

Fixed in 7.22.0 - September 13 2011

Changes:

Added CURLOPT_GSSAPI_DELEGATION
Added support for NTLM delegation to Samba's winbind daemon helper ntlm_auth
Display notes from setup file in testcurl.pl
BSD-style lwIP TCP/IP stack experimental support on Windows
OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available
--delegation was added to set CURLOPT_GSSAPI_DELEGATION
nss: start with no database if the selected database is broken
telnet: allow programatic use on Windows

Bugfixes:

curl_getdate: detect some illegal dates better
when sending a request and an error is received before the (entire) request body is sent, stop sending the request and close the connection after having received the entire response. This is equally true if an Expect: 100-continue header was used.
When using both -J and a single -O with multiple URLs, a missing init could cause a segfault
-J fixed for escaped quotes
-J fixed for file names with semicolons
progress: reset flags at transfer start to avoid wrong CURLINFO_CONTENT_LENGTH_DOWNLOAD
curl_gssapi: Guard files with HAVE_GSSAPI and rename private header
silence picky compilers: mark unused parameters
help output: more gnu like output
libtests: stop checking for CURLM_CALL_MULTI_PERFORM
setting a non-HTTP proxy with an environment variable or with CURLOPT_PROXY / --proxy (without specifying CURLOPT_PROXYTYPE) would still make it do proxy-like HTTP requests
CURLFORM_BUFFER: insert filename as documented (regression)
SOCKS: fix the connect timeout
ftp_doing: bail out on error properly while multi interfacing
improved Content-Encoded decoding error message
asyn-thread: check for dotted addresses before thread starts
cmake: find winsock when building on windows
Curl_retry_request: check return code
cookies: handle 'secure=' as if it was 'secure'
tests: break busy loops in tests 502, 555, and 573
FTP: fix proxy connect race condition with multi interface and SOCKS proxy
RTSP: GET_PARAMETER requests have a body
fixed several memory leaks in OOM situations
bad expire(0) caused multi_socket API to hang
Avoid ftruncate() static define with mingw64
mk-ca-bundle.pl: ignore untrusted certs
builds with PolarSSL 1.0.0

Fixed in 7.21.7 - June 23 2011

Changes:

recognize the [protocol]:// prefix in proxy hosts where the protocol is one of socks4, socks4a, socks5 or socks5h.
Added CURLOPT_CLOSESOCKETFUNCTION and CURLOPT_CLOSESOCKETDATA

Bugfixes:

SECURITY ADVISORY: inappropriate GSSAPI delegation
NTLM: work with unicode
fix connect with SOCKS proxy when using the multi interface
anyauthput.c: stdint.h must not be included unconditionally
CMake: improved build
SCP/SFTP enable non-blocking earlier
GnuTLS handshake: fix timeout
cyassl: build without filesystem
HTTPS over HTTP proxy using the multi interface
speedcheck: invalid timeout event on a reused handle
Force connection close for HTTP 200 OK when time condition matched
curl_formget: fix FILE * leak
configure: improved OpenSSL detection
Android build: support gingerbread
CURLFORM_STREAM: acknowledge CURLFORM_FILENAME
windows build: use correct MS CRT
pop3: remove extra space in LIST command

Fixed in 7.21.6 - April 22 2011

Changes:

Added --tr-encoding and CURLOPT_TRANSFER_ENCODING

Bugfixes:

curl-config: fix --version
curl_easy_setopt.3: CURLOPT_PROXYTYPE clarification
use HTTPS properly after CONNECT
SFTP: close file before post quote operations

Fixed in 7.21.5 - April 17 2011

Changes:

SOCKOPTFUNCTION: callback can say already-connected
Added --netrc-file
Added (new) support for cyassl
TSL-SRP: enabled with OpenSSL
Added CURLE_NOT_BUILT_IN and CURLE_UNKNOWN_OPTION

Bugfixes:

nss: avoid memory leak on SSL connection failure
nss: do not ignore failure of SSL handshake
multi: better failed connect handling when using FTP, SMTP, POP3 and IMAP
runtests.pl: fix pid number concatenation that prevented it from killing the correct process at times
PolarSSL: Return 0 on receiving TLS CLOSE_NOTIFY alert
curl_easy_setopt.3: Removed wrong reference to CURLOPT_USERPASSWORD
multi: close connection on timeout
IMAP in multi mode does SSL connections non-blocking
honours the --disable-ldaps configure option
Force setopt constants written by --libcurl to be long
ssh_connect: treat libssh2 return code better
SFTP upload could stall the state machine when the multi_socket API was used
SFTP and SCP could leak memory when used with the multi interface and the connection was closed
Added missing file to repair the MSVC makefiles
Fixed detection of recvfrom arguments on Android/bionic
GSS: handle reuse fix
transfer: avoid insane conversion of time_t
nss: do not ignore value of CURLOPT_SSL_VERIFYPEER in certain cases
SMTP-multi: non-blocking connect
SFTP-multi: set cselect for sftp and scp to fix "stall" risk
configure: removed wrongly claimed default paths
pop3: fixed torture tests to succeed
symbols-in-versions: many corrections
if a HTTP request gets retried because the connection was dead, rewind if any data was sent as part of it
only probe for working ipv6 once and then re-use that info for further requests
requests that are asked to bound to a local interface/port will no longer wrongly re-use connections that aren't
libcurl.m4: Add missing quotes in AC_LINK_IFELSE
progress output: don't print the last update on a separate line
POP3: the command to send is STLS, not STARTTLS
POP3: PASS command was not sent after upgrade to TLS
configure: fix libtool warning
nss: allow to use multiple client certificates for a single host
HTTP pipelining: Fix handling of zero-length responses
Don't list NTLM in curl-config when HTTP is disabled
curl_easy_setopt.3: CURLOPT_RESOLVE typo version
OpenSSL: build fine with no-sslv2 versions
checkconnection: don't call with NULL pointer with RTSP and multi interface
Borland makefile updates
configure: libssh2 link fix without pkg-config
certinfo crash
CCC crash

Fixed in 7.21.4 - February 17 2011

Changes:

CURLINFO_FTP_ENTRY_PATH now supports SFTP
introduced new framework for unit-testing
IDN: use win32 API if told to
ares: ask for both IPv4 and IPv6 addresses
HTTP: do Negotiate authentication using SSPI on windows
Windows build: alternative makefile
TLS-SRP: support added when using GnuTLS
added support for axTLS

Bugfixes:

SMTP: add brackets for MAIL FROM
ossl_seed: no more RAND_screen (on Windows)
multi: connect fail => use next IP address
use the timeout when using multiple IP addresses similar to how the easy interface does it
cookies: tricked dotcounter fixed
pubkey_show: allocate buffer to fit any-size result
Curl_nss_connect: avoid PATH_MAX
Curl_do: avoid using stale conn pointer
tftpd test server: avoid buffer overflow report from glibc
nss: avoid CURLE_OUT_OF_MEMORY given a file name without any slash
nss: fix a bug in handling of CURLOPT_CAPATH
CMake: Use upstream CheckTypeSize module
OpenSSL get_cert_chain: support larger data sets
SCP/SFTP transfers: acknowledge speedcheck
GnuTLS builds: fix memory leak
connect problem: use UDP correctly
Borland C++ makefile tweaks
OpenSSL: improved error message on SSL_CTX_new failures
HTTP: memory leak on multiple Location:
ares_query_completed_cb: don't touch invalid data
ares: memory leak fix
mk-ca-bundle: use new cacert url
Curl_gmtime: added a portable gmtime and check for NULL
curl.1: typo in -v description
CURLOPT_SOCKOPTFUNCTION: return proper error code
--keepalive-time: warn if not supported properly
file: add support for CURLOPT_TIMECONDITION
nss: avoid memory leaks and failure of NSS shutdown
multi: fix CURLM_STATE_TOOFAST for multi_socket

Fixed in 7.21.3 - December 15 2010

Changes:

Added --noconfigure switch to testcurl.pl
Added --xattr option
Added CURLOPT_RESOLVE and --resolve
Added CURLAUTH_ONLY
Added version-check.pl to the examples dir

Bugfixes:

check for libcurl features for some command line options
Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
http_chunks: remove debug output
URL-parsing: consider ? a divider
SSH: avoid using the libssh2_ prefix
SSH: use libssh2_session_handshake() to work on win64
ftp: prevent server from hanging on closed data connection when stopping a transfer before the end of the full transfer (ranges)
LDAP: detect non-binary attributes properly
ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
gnutls->handshake: improved timeout handling
security: Pass the right parameter to init
krb5: Use GSS_ERROR to check for error
TFTP: resend the correct data
configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected
GnuTLS: now detects socket errors on Windows
symbols-in-versions: updated en masse
added a couple examples that were missing from the tar ball
Curl_send/recv_plain: return errno on failure
Curl_wait_for_resolv (for c-ares): correct timeout
ossl_connect_common: detect connection re-use
configure: Prevent link errors with --librtmp
openldap: use remote port in URL passed to ldap_init_fd()
url: provide dead_connection flag in Curl_handler::disconnect
lots of compiler warning fixes
ssh: fix a download resume point calculation
fix getinfo CURLINFO_LOCAL* for reused connections
multi: the returned running handles conuter could turn negative
multi: only ever consider pipelining for connections doing HTTP(S)

Fixed in 7.21.2 - October 13 2010

Changes:

curl -T: ignore file size of special files
Added GOPHER protocol support
Added mk-ca-bundle.vbs script
c-ares build now requires c-ares >= 1.6.0

Bugfixes:

--remote-header-name security vulnerability fixed
multi: support the timeouts correctly, fixes known bug #62
multi: use timeouts properly for MAX_RECV/SEND_SPEED
negotiation: Wrong proxy authorization
multi: avoid sending multiple complete messages
cmdline: make -F type= accept ;charset=
RESUME_FROM: clarify what ftp uploads do
http: handle trailer headers in all chunked responses
Curl_is_connected: use correct errno
Added SSPI build to Watcom makefile
progress: callback for POSTs less than MAX_INITIAL_POST_SIZE
linking problem on Fedora 13
Link curl and the test apps with -lrt explicitly when necessary
chunky parser: only rewind stream internally if needed
remote-header-name: don't output filename when NULL
Curl_timeleft: avoid returning "no timeout" by mistake
timeout: use the correct start value as offset
FTP: fix wrong timeout trigger
buildconf got better output on failures
rtsp: avoid SIGSEGV on malformed header
LDAP: Support for tunnelling queries through HTTP proxy
configure's --enable-werror had a bashism
test565: Don't hardcode IP:PORT
configure: check for gcrypt if using GnuTLS
configure: don't enable RTMP if the lib detect fails
curl_easy_duphandle: clone the c-ares handle correctly
MacOSX-Framework: updates for Snowleopard
support URL containing colon without trailing port number
parsedate: allow time specified without seconds
curl_easy_escape: don't escape "unreserved" characters
SFTP: avoid downloading negative sizes
Lots of GSS/KRB FTP fixes
TFTP: Work around tftpd-hpa upload bug
libcurl.m4: several fixes
HTTP: remove special case for 416
examples: use example.com in example URLs
globbing: fix crash on unballanced open brace
cmake: build fixed

Fixed in 7.21.1 - August 11 2010

Changes:

maketgz: produce CHANGES automatically
added support for NTLM authentication when compiled with NSS
build: Enable configure --enable-werror
curl-config: --built-shared returns shared info

Bugfixes:

configure: spell --disable-threaded-resolver correctly
multi: call the progress callback in all states
multi: unmark handle as used when no longer head of pipeline
sendrecv: treat all negative values from send/recv as errors
ftp-wildcard: avoid tight loop when used without any pattern
multi_socket: re-use of same socket without notifying app
ftp wildcard: FTP LIST parser FIX
urlglobbing backslash escaping bug
build: add enable IPV6 option for the VC makefiles
multi: CURLINFO_LASTSOCKET doesn't work after remove_handle
--libcurl: use *_LARGE options with typecasted constants
--libcurl: hide setopt() calls setting default options
curl: avoid setting libcurl options to its default
--libcurl: list the tricky options instead of using [REMARK]
http: don't enable chunked during authentication negotiations
upload: warn users trying to upload from stdin with anyauth
configure: allow environments variable to override internals
threaded resolver: fix timeout issue
multi: fix condition that remove timers before trigger
examples: add curl_multi_timeout
--retry: access violation with URL part sets continued
ssh: Fix compile error on 64-bit systems.
remote-header-name: chop filename at next semicolon
ftp: response timeout bug in "quote" sending
CUSTOMREQUEST: shouldn't be disabled when HTTP is disabled
Watcom makefiles overhaul.
NTLM tests: boost coverage by forcing the hostname
multi: fix FTPS connecting the data connection with OpenSSL
retry: consider retrying even if -f is used
fix SOCKS problem when using multi interface
typecheck-gcc: add checks for recently added options
SCP: send large files properly with new enough libssh2
multi_socket: set timeout for 100-continue
";type=" URL suffix over HTTP proxy
acknowledge progress callback error returns during connect
Watcom makefile fixes
runtests: clear old setenv remainders before test

Fixed in 7.21.0 - June 16 2010

Changes:

added the --proto and -proto-redir options
new configure option --enable-threaded-resolver
improve TELNET ability with libcurl
added support for PolarSSL
added support for FTP wildcard matching and downloads
added support for RTMP
introducing new LDAP code for new enough OpenLDAP
OpenLDAP support enabled for cygwin builds
added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and CURLINFO_LOCAL_PORT

Bugfixes:

prevent needless reverse name lookups
detect GSS on ancient Linux distros
GnuTLS: EOF caused error when it wasn't
GnuTLS: SSL handshake phase is non-blocking
-J/--remote-header-name strips CRLF
MSVC makefiles now use ws2_32.lib instead of wsock32.lib
-O crash on windows
SSL handshake timeout underflow in libcurl-NSS
multi interface missed storing connection time
broken CRL support in libcurl-NSS
ignore response-body on redirect even if compressed
OpenSSL handshake state-machine for multi interface
TFTP timeout option sent correctly
TFTP block id wrap
curl_multi_socket_action() timeout handles inaccuracy in timers better
SCP/SFTP failure to respect the timeout
spurious SSL connection aborts with OpenSSL

Fixed in 7.20.1 - April 14 2010

Changes:

The 'ares' subtree has been removed from the source repository
smoother rate limiting
allow user+password in the URL for all protocols
POP3: Get message listing if no mailbox in URL

Bugfixes:

VMS builder bad behavior when used in a batch job
multiple recepients with SMTP
fixed the CURL_FORMAT_* defines when building with cmake
missing quote in libcurl.m4
SMTP: now waits for 250 after the DATA transfer
SMTP: use angle brackets in RCPT TO
curl --trace-time not using local time
off-by-one in the chunked encoding trailer parser
superfluous blocking for OpenSSL-based SSL connects and multi interface
TFTP upload
FTP timeouts after file transferred completely
skip poll() on Interix
CURLOPT_CERTINFO memory leak
sub-second timeouts improvements
configure fixes for GSSAPI
threaded resolver double free when closing curl handle
configure fixes for building with the clang compiler
easy interix rate limiting logic
curl_multi_remove_handle() caused use after free
TFTP improved error codes
TFTP fixed TSIZE handling for uploads
SSL possible double free when reusing curl handle
alarm()-based DNS timeout bug
re-used FTP connection multi interface crash
chunked-encoding with Content-Length: header problem
multi interface HTTP POST over a proxy using PROXYTUNNEL
RTSP GET_PARAMETER
timeout after last data chunk was handled
SFTP download hang
FTP quote commands prefixed with '*' now can fail without aborting

Fixed in 7.20.0 - February 9 2010

Changes:

support SSL_FILETYPE_ENGINE for client certificate
curl-config can now show the arguments used when building curl
non-blocking TFTP
send Expect: 100-continue for POSTs with unknown sizes
added support for IMAP(S), POP3(S), SMTP(S) and RTSP
added new curl_easy_setopt() options for SMTP and RTSP
added --mail-from and --mail-rcpt for SMTP
VMS build system enhancements
added support for the PRET ftp command
curl supports --ssl and --ssl-reqd
added -J/--remote-header-name for using server-provided filename with -O
enhanced asynchronous DNS lookups
symbol CURL_FORMAT_OFF_T is obsoleted

Bugfixes:

progress meter percentage and transfer time estimates fixes
portability enhancement for OS's without orthogonal directory tree structure
progress meter/callback during FTP connection
DNS cache timeout while transfer in progress
compilation when configured --with-gssapi having GNU GSS installed
SSL connection reused with mismatched protection level
configure --with-nss is set but not "yes"
don't store LDFLAGS in pkg-config file
never-pruned DNS cached entries
HTTP proxy tunnel re-used connection even if tunnel got disabled
SSL lib post-close write
curl failed to report write errors for tiny failed downloads
TFTP BLKSIZE
Expect: 100-continue handling when set by the application
multi interface with OpenSSL read already freed memory when closing down
--retry didn't do right for FTP transient errors
some *_proxy environment variables didn't function
libcurl-OpenSSL engine cleanup
header include fix for FreeBSD versions before v8
fragment part of URLs are no longer sent to the server
progress callback called repeatedly with c-ares for resolving
OpenSSL session id ref count leak
progress callback called repeatedly during slow connects
curl_multi_fdset() would return -1 too often during SCP/SFTP transfers
FTP file size checks with ASCII transfers
HTTP Cookie: headers sort cookies based on specified path lengths
CURLM_CALL_MULTI_PERFORM fix for multi socket timeout calls
libcurl data callback excessive length

Fixed in 7.19.7 - November 4 2009

Changes:

-T. is now for non-blocking uploading from stdin
SYST handling on FTP for OS/400 FTP server cases
libcurl refuses to read a single HTTP header longer than 100K
added the --crlfile option to curl

Bugfixes:

The windows makefiles work again
libcurl-NSS acknowledges verifyhost
SIGSEGV when pipelined pipe unexpectedly breaks
data corruption issue with re-connected transfers
use after free if we're completed but easy_conn not NULL (pipelined)
missing strdup() return code check
CURLOPT_PROXY_TRANSFER_MODE could pass along wrong syntax
configure --with-gnutls=PATH fixed
ftp response reader bug on failed control connections
improved NSS error message on failed host name verifications
ftp NOBODY on re-used connection hang
configure uses pkg-config for cross-compiles as well
improved NSS detection in configure
cookie expiry date at 1970-jan-1 00:00:00
libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
libcurl-OpenSSL can load CRL files with more than one certificate inside
received cookies without explicit path got saved wrong if the URL had a query part
don't shrink SO_SNDBUF on windows for those who have it set large already
connect next bug
invalid file name characters handling on Windows
double close() on the primary socket with libcurl-NSS
GSS negotiate infinite loop on bad credentials
memory leak in SCP/SFTP connections
use pkg-config to find out libssh2 installation details in configure
unparsable cookie expire dates make cookies get treated as session coookies
POST with Digest authentication and "Transfer-Encoding: chunked"
SCP connection re-use with wrong auth
CURLINFO_CONTENT_LENGTH_DOWNLOAD for 0 bytes transfers
CURLINFO_SIZE_DOWNLOAD for ldap transfers (-w size_download)

Fixed in 7.19.6 - August 12 2009

Changes:

CURLOPT_FTPPORT (and curl's -P/--ftpport) support port ranges
Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA
CURLOPT_QUOTE, CURLOPT_POSTQUOTE and CURLOPT_PREQUOTE can be told to ignore error responses when used with FTP

Bugfixes:

crash on bad socket close with FTP
leaking cookie memory when duplicate domains or paths were used
build fix for Symbian
CURLOPT_USERPWD set to NULL clears auth credentials
libcurl-NSS build fixes
configure script fixed for VMS
set Content-Length: with POST and PUT failed with NTLM auth
allow building libcurl for VxWorks
curl tool exit codes fixed for VMS
--no-buffer treated correctly
djgpp build fix
configure detection of GnuTLS now based on pkg-config as well
libcurl-NSS client cert handling segfaults
curl uploading from stdin/pipes now works in non-blocking way so that it continues the downloading even when the read stalls
ftp credentials are added to the url if needed for http proxies
curl -o - sends data to stdout using binary mode on windows
fixed the separators for "array" style string that CURLINFO_CERTINFO returns
auth problem over several hosts with re-used connection
improved the support for client certificates in libcurl+NSS
fix leak in gtls code
missing algorithms in libcurl+OpenSSL
with noproxy set you could still get a proxy if a proxy env was set
rand seeding on libcurl on windows built with OpenSSL was not thread-safe
fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
libcurl+OpenSSL would wrongly acknowledge a cert if CN matched but subjectAltName didn't
TFTP upload sent illegal TSIZE packets

Fixed in 7.19.5 - May 18 2009

Changes:

libcurl now closes all dead connections whenever you attempt to open a new connection
libssh2's version number can now be figured out run-time instead of using the build-time fixed number
CURLOPT_SEEKFUNCTION may now return CURL_SEEKFUNC_CANTSEEK
curl can now upload with resume even when reading from a pipe
a build-time configured curl_socklen_t is now used instead of socklen_t

Bugfixes:

NTLM authentication memory leak on SSPI enabled Windows builds
fixed the GnuTLS-using code to do correct return code checks
an alloc-related call in the OpenSSL-using code didn't check the return value
curl_easy_duphandle() failed to duplicate cookies at times
missing TELNET timeout support in Windows builds
missing Curl_read() and write callback result checking in TELNET transfers
more ciphers enabled in libcurl built to use NSS
properly return an error code in curl_easy_recv
Sun compilers specific preprocessor block removed from curlbuild.h.dist
allow creation of four way fat libcurl Mac OS X Framework
several memory leaks in libcurl+NSS
improved the CURLOPT_NOBODY set to 0 confusions
persistent connections when doing FTP over a HTTP proxy
--libcurl bogus strings where other data was pointed to
crash related to FTP and "Re-used connection seems dead, get a new one"
CURLINFO_APPCONNECT_TIME with the multi interface
Enhanced upload speeds on Windows
TFTP problems after a failed transfer to the same host
improved out of the box TPF compatibility
HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF
Rejected SSL session ids are killed properly (for OpenSSL and GnuTLS builds)
Deal with the TFTP OACK packet
fixed roff mistakes in man pages
use SOCKS proxy with the multi interface
fixed the Curl_getoff_all_pipelines SIGSEGV
POST, NTLM and following a redirect hang
libcurl+NSS endless loop on incorrect password for private key
gzip decompression memory leak
no_proxy flaw with user name in URL

Fixed in 7.19.4 - March 3 2009

Changes:

Added CURLOPT_NOPROXY and the corresponding --noproxy
the OpenSSL-specific code disables TICKET (rfc5077) which is enabled by default in openssl 0.9.8j
Added CURLOPT_TFTP_BLKSIZE
Added CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC - with the corresponding curl options --socks5-gssapi-service and --socks5-gssapi-nec
Improved IPv6 support when built with with c-ares >= 1.6.1
Added CURLPROXY_HTTP_1_0 and --proxy1.0
Added docs/libcurl/symbols-in-versions
Added CURLINFO_CONDITION_UNMET
Added support for Digest and NTLM authentication using GnuTLS
CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry the CWD even when MKD fails
GnuTLS initing moved to curl_global_init()
Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS, see also the security advisory

Bugfixes:

missing ssh.obj in VS makefiles
FTP ;type=i URLs now work with CURLOPT_PROXY_TRANSFER_MODE in Turkish locale
realms with quoted quotation marks in HTTP Digest headers
VC9 makefiles are now really included
multi interface memory leak with CURLMOPT_MAXCONNECTS set
CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with CURLOPT_NOBODY set true
memory leak on some libz errors for content encodings
NSS-enabled build is repaired
superfluous wait in SFTP downloads removed
FTP with the multi interface no longer kills the control connection as easily on transfer failures
compilation halting when using VS2008 to build a Windows 2000 target
ease creation of libcurl Mac OS X Framework
CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD are -1 if unknown
Negotiate proxy authentication
CURLOPT_INTERFACE and CURLOPT_LOCALPORT used together

Fixed in 7.19.3 - January 19 2009

Changes:

CURLAUTH_DIGEST_IE bit added for CURLOPT_HTTPAUTH and CURLOPT_PROXYAUTH
VC9 Makefiles were added to the release package

Bugfixes:

build failure when disabling FTP but enabling GSS
fixed several calls to memory functions that didn't check return codes
memory leak for SSL connects with libcurl/NSS when CURLOPT_ISSUERCERT was used
re-use of connections with the multi interface when multiple handles used the same server
memory leak with HTTP GSS/kerberos authentication
removed the default use of "Pragma: no-cache"
fix SCP/SFTP busyloop by using a new libssh2 1.0 function
bad fclose() after a fatal error in cookie code
curl_multi_remove_handle() when the handle was in use in a HTTP pipeline
GSS authentication infinite loop problem
550 response from SIZE no longer treated as missing file
ftps:// control connections now use explicit protection level
dotted IPv6 addresses longer than 39 bytes failed
curl_easy_duphandle() doesn't try to duplicate the connection cache pointer
build failure on OS/400 when enabling IPv6
better detection of SFTP failures
improved connection re-use for subsequent SCP and SFTP transfers
multi interface does less busy-loops for SCP and SFTP transfers with libssh2 1.0 or later
curl_multi_timeout() no longer returns timeout 0 when there's still more than 0 but less than 999 microseconds left
the multi_socket API and HTTP pipelining now work a lot better when combined
SFTP seek/resume beyond 32bit file sizes
fixed breakage with --with-ssl --disable-verbose
TTL "leak" in the DNS cache
improved NSS initing
curl_easy_reset now resets more options
rare Location: follow bug with the multi interface
the configure script can now detect gnutls with pkg-config
curlbuild.h was adjusted for SunPro compilers
CURLOPT_COOKIELIST set to "SESS" on an easy handle with no cookies data
fixed timeouts for TFTP
fixed PPC builds

Fixed in 7.19.2 - November 13 2008

Bugfixes:

build failure when using MSVC 6 makefile and on four platforms more
crash when using --interface name on Linux systems with a TEQL device
using the multi interface to download a HTTPS page with libcurl built powered by OpenSSL could download "rubbish" instead of actual content

Fixed in 7.19.1 - November 5 2008

Changes:

pkg-config can now show supported_protocols and supported_features
Added CURLOPT_CERTINFO and CURLINFO_CERTINFO
Added CURLOPT_POSTREDIR
Better detect HTTP 1.0 servers and don't do HTTP 1.1 requests on them
configure --disable-proxy disables proxy support
Added CURLOPT_USERNAME and CURLOPT_PASSWORD
--interface now works with IPv6 connections on glibc systems
Added CURLOPT_PROXYUSERNAME and CURLOPT_PROXYPASSWORD

Bugfixes:

MingW32 non-configure builds are now largefile feature enabled by default
NetWare LIBC builds are now largefile feature enabled by default
curl_easy_pause() could behave wrongly on unpause
cookies with invalid expire dates are now considered expired
HTTP pipelining over proxy
fix regression in configure script which affected OpenSSL builds on MSYS
GnuTLS-based multi interface doing HTTPS over proxy failed
recv() failures cause CURLE_RECV_ERROR
SFTP over SOCKS crash fixed
thread-safety issues addressed for NSS-powered libcurls
removed the use of mktime() and gmtime(_r)() in date parsing and conversions
HTTP Digest with a blank realm did wrong
CURLINFO_REDIRECT_URL didn't work with the multi interface
CURLOPT_RANGE now works for SFTP downloads
FTP SIZE response 550 now causes CURLE_REMOTE_FILE_NOT_FOUND
CURLINFO_PRIMARY_IP fixed for persistent connection re-use cases
remove_handle/add_handle multi interface timer callback flaw
CURLINFO_REDIRECT_URL memory leak and wrong-doing
case insensitive string matching works in Turkish too
Solaris builds get _REENTRANT defined properly and work again
Garbage sent on chunky upload after curl_easy_pause()
ipv4 name resolves when libcurl is built with ipv6-enabled c-ares
undersized IPv6 address internal buffer truncated long IPv6 addresses
CURLINFO_FILETIME works for file:// transfers as well

Fixed in 7.19.0 - September 1 2008

Changes:

curl_off_t gets its size/typedef somewhat differently than before. This _may_ cause an ABI change for you. See lib/README.curl_off_t for a full explanation.
Added CURLINFO_PRIMARY_IP
Added CURLOPT_CRLFILE and CURLE_SSL_CRL_BADFILE
Added CURLOPT_ISSUERCERT and CURLE_SSL_ISSUER_ERROR
curl's option parser for boolean options reworked
Added --remote-name-all
Now builds for the INTEGRITY operating system
Added CURLINFO_APPCONNECT_TIME
Added test selection by key word in runtests.pl
the curl tool's -w option support the %{ssl_verify_result} variable
Added CURLOPT_ADDRESS_SCOPE and scope parsing of the URL according to RFC4007
Support --append on SFTP uploads (not with OpenSSH, though)
Added curlbuild.h and curlrules.h to the external library interface

Bugfixes:

Fixed curl-config --ca
Fixed the multi interface connection re-use with NSS-built libcurl
connection re-use when using the multi interface with pipelining enabled
curl_multi_socket() socket callback fix for close/re-create sockets case
SCP or SFTP over socks proxy crashed
RC4-MD5 cipher now works with NSS-built libcurl
range requests with --head are now done correctly
fallback to gettimeofday when monotonic clock is unavailable at run-time
range numbers could be made to wrongly get output as signed
unexpected 1xx responses hung transfers
FTP transfers segfault when using different CURLOPT_FTP_FILEMETHOD
c-ares powered libcurls can resolve/use IPv6 addresses
poll not working on Windows Vista due to POLLPRI being incorrectly used
user-agent in CONNECT with non-HTTP protocols
CURL_READFUNC_PAUSE problems fixed
--use-ascii now works on Symbian OS, MS-DOS and OS/2
CURLINFO_SSL_VERIFYRESULT is fixed
FTP URLs and IPv6 URLs mangled when sent to proxy with CURLOPT_PORT set
a user name in a proxy URL without a password was parsed incorrectly
library will now be built with _REENTRANT symbol defined only if needed
no longer link with gdi32 on Windows cross-compiled targets
HTTP PUT with -C - sent bad Content-Range: header
HTTP PUT or POST with redirect could lead to hang
re-use of connections with failed SSL connects in the multi interface
NTLM over proxy state was wrongly cleared when host connection was closed
Windows SSPI DLL loading is now done in curl_global_init()
runtests.pl has an improved find-stunnel-and-invoke
FTP sessions could go out of sync on a long header boundary condition
potential buffer overflows in the MS-DOS command-line port fixed
--stderr is now honoured with the -v option
memory leak in libcurl on Windows built with OpenSSL
improved curl_m*printf() integral data type size and signedness handling
error when --dump-header - used with more than one URL
proxy closing connect during CONNECT with auth with the multi interface
CURLOPT_UPLOAD sets HTTP method back to GET or HEAD when passed in a 0
shared cookies could get locked twice
deal with closed connection while doing POST/PUT

Fixed in 7.18.2 - June 4 2008

Changes:

CURLFORM_STREAM was added
CURLOPT_NOBODY is now supported over SFTP
curl can now run on Symbian OS
curl -w redirect_url and CURLINFO_REDIRECT_URL
added curl_easy_send() and curl_easy_recv()

Bugfixes:

CURLOPT_NOBODY first set to TRUE and then FALSE for HTTP no longer causes the confusion that could lead to a hung transfer
curl_easy_reset() resets the max redirect limit properly
configure now correctly recognizes Heimdal and MIT gssapi libraries
malloc() failure check in Negotiate
-i and -I together now work the same no matter what order they're used
the typechecker can be bypassed by defining CURL_DISABLE_TYPECHECK
a pointer mixup could make the FTP code send bad user+password under rare circumstances (found when using curlftpfs)
CURLOPT_OPENSOCKETFUNCTION can now be used to create a unix domain socket
CURLOPT_TCP_NODELAY crash due to getprotobyname() use
libcurl sometimes sent body twice when using CURLAUTH_ANY
configure detecting debug-enabled c-ares
microsecond resolution keys for internal splay trees
krb4 and krb5 ftp segfault
multi interface busy loop for CONNECT requests
internal time differences now use monotonic time source if available
several curl_multi_socket() fixes
builds fine for Haiku OS
follow redirect with only a new query string
SCP and SFTP memory leaks on aborted transfers
curl_multi_socket() and HTTP pipelining transfer stalls
lost telnet data on an EWOULDBLOCK condition

Fixed in 7.18.1 - March 30 2008

Changes:

added support for HttpOnly cookies
'make ca-bundle' downloads and generates an updated ca bundle file
we no longer distribute or install a ca cert bundle
SSLv2 is now disabled by default for SSL operations
the test509-style setting URL in callback is officially no longer supported
support a full chain of certificates in a given PKCS12 certificate
resumed transfers work with SFTP
added type checking macros for curl_easy_setopt() and curl_easy_getinfo(), watch out for new warnings in code using libcurl (needs gcc-4.3 and currently only works in C mode)
curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() and curl_multi_setopt() uses are now checked to use exactly three arguments
--with-ca-path=DIR configure option allows to set an openSSL CApath instead of a default ca bundle.
supports server name indication (RFC 4366), aka SNI

Bugfixes:

improved pipelining
improved strdup replacement
GnuTLS-built libcurl failed when doing global cleanup and reinit
error message problem when unable to resolve a host on Windows
Accept: header replacing
not verifying server certs with GnuTLS still failed if gnutls had problems with the cert
when using the multi interface and a handle is removed while still having a transfer going on, the connection is now closed by force
bad re-use of SSL connections in non-complete state
test case 405 failures with GnuTLS builds
crash when connection cache size is 1 and Curl_do() failed
GnuTLS-built libcurl can now be forced to prefer SSLv3
crash when doing Negotiate again on a re-used connection
select/poll regression
better MIT kerberos configure check
curl_easy_reset() + SFTP re-used connection download crash
SFTP non-existing file + SFTP existing file error
sharing DNS cache between easy handles running in multiple threads could lead to crash
SFTP upload with CURLOPT_FTP_CREATE_MISSING_DIRS on re-used connection
SFTP infinite loop when given an invalid quote command
curl-config erroneously reported LDAPS support with missing LDAP libraries
SCP infinite loop when downloading a zero byte file
setting the CURLOPT_SSL_CTX_FUNCTION with libcurl built without OpenSSL now makes curl_easy_setopt() properly return failure
configure --with-libssh2 (with no given path)

Fixed in 7.18.0 - January 28 2008

Changes:

--data-urlencode
CURLOPT_PROXY_TRANSFER_MODE
--no-keepalive - now curl does connections with keep-alive enabled by default
--socks4a added (proxy type CURLPROXY_SOCKS4A for libcurl)
--socks5-hostname added (CURLPROXY_SOCKS5_HOSTNAME for libcurl)
curl_easy_pause()
CURLOPT_SEEKFUNCTION and CURLOPT_SEEKDATA
--keepalive-time
curl --help output was re-ordered

Bugfixes:

curl-config --features and --protocols show the correct output when built with NSS, and also when SCP, SFTP and libz are not available
free problem in the curl tool for users with empty home dir
curl.h version 7.17.1 problem when building C++ apps with MSVC
SFTP and SCP use persistent connections
segfault on bad URL
variable wrapping when using absolutely huge send buffer sizes
variable wrapping when using debug callback and the HTTP request wasn't sent in one go
SSL connections with NSS done with the multi-interface
setting a share no longer activates cookies
Negotiate now works on auth and proxy simultanouesly
support HTTP Digest nonces up to 1023 letters
resumed ftp upload no longer requires the read callback to return full buffers
no longer default-appends ;type= on FTP URLs thru proxies
SSL session id caching
POST with callback over proxy requiring NTLM or Digest
Expect: 100-continue flaw on re-used connection with POSTs
build fix for MSVC 9.0 (VS2008)
Windows curl builds failed file truncation when retry downloading
SSL session ID cache memory leak
bad connection re-use check with environment variable-activated proxy use
--libcurl now generates a return statement as well
socklen_t is no longer used in the public includes
time zone offsets from -1400 to +1400 are now accepted by the date parser
allows more spaces in WWW/Proxy-Authenticate: headers
curl-config --libs skips /usr/lib64
range support for file:// transfers
libcurl hang with huge POST request and request-body read from callback
removed extra newlines from many error messages
improved pipelining
improved OOM handling for data url encoded HTTP POSTs when read from a file
test suite could pick wrong tool(s) if more than one existed in the PATH
curl_multi_fdset() failed to return socket while doing CONNECT over proxy
curl_multi_remove_handle() on a handle that is in used for a pipeline now break that pipeline
CURLOPT_COOKIELIST memory leaks
progress meter/callback during http proxy CONNECT requests
auth for http proxy when the proxy closes connection after first response

Fixed in 7.17.1 - October 29 2007

Changes:

automatically append ";type=" when using HTTP proxies for FTP urls
improved NSS support
added --proxy-negotiate
added --post301 and CURLOPT_POST301
builds with c-ares 1.5.0
added CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5
renamed CURLE_SSL_PEER_CERTIFICATE to CURLE_PEER_FAILED_VERIFICATION
added CURLOPT_OPENSOCKETFUNCTION and CURLOPT_OPENSOCKETDATA
CULROPT_COOKIELIST supports "FLUSH"
added CURLOPT_COPYPOSTFIELDS
added --static-libs to curl-config

Bugfixes:

curl-config --protocols now properly reports LDAPS, SCP and SFTP
ldapv3 support on Windows
ldap builds with the MSVC makefiles
no HOME and no key given caused SSH auth failure
Negotiate authentication over proxy
--ftp-method nocwd on directory listings
FTP, CURLOPT_NOBODY enabled and CURLOPT_HEADER disabled now does TYPE before SIZE
re-used handle transfers with SFTP
curl_easy_escape() problem with byte values >= 128
handles chunked-encoded CONNECT responses
misuse of ares_timeout() result
--local-port on TFTP transfers
CURLOPT_POSTFIELDS could fail to send binary data
specifying a proxy with a trailing slash didn't work (unless it also contained a port number)
redirect from HTTP to FTP or TFTP memory problems and leaks
re-used connections a bit too much when using non-SSL protocols tunneled over a HTTP proxy
embed the manifest in VC8 builds
use valgrind in the tests even when the lib is built shared with libtool
libcurl built with NSS can now ignore the peer verification even when the ca cert bundle is absent

Fixed in 7.17.0 - September 13 2007

Changes:

support for OS/400 Secure Sockets Layer library
curl_easy_setopt() now allocates strings passed to it
SCP and SFTP support now requires libssh2 0.16 or later
LDAP libraries are now linked "regularly" and not with dlopen
HTTP transfers have the download size info "available" earlier
FTP transfers have the download size info "available" earlier
builds and runs on OS/400
several error codes and options were marked as obsolete and subject to future removal (set CURL_NO_OLDIES to see if your application is using them)
SFTP errors can return more specific error codes

Bugfixes:

test cases 31, 46, 61, 506, 517 now work in time zones that use leap seconds
problem with closed proxy connection during HTTP CONNECT auth negotiation
transfer-encoding skipping didn't ignore the 407 response bodies properly
CURLOPT_SSL_VERIFYHOST set to 1
CONNECT endless loop
krb5 support builds with Heimdal
added returned error string for connection refused case
re-use of dead FTP control connections
login to FTP servers that don't require (nor understand) PASS after the USER command
bad free of memory from libssh2
the SFTP PWD command works
HTTP Digest auth on a re-used connection
FTPS data connection close
AIX 4 and 5 get to use non-blocking sockets
small POST with NTLM
resumed file:// transfers
CURLOPT_DNS_CACHE_TIMEOUT and CURLOPT_DNS_USE_GLOBAL_CACHE are 64 bit "clean"
memory leak when handling compressed data streams from broken servers
no NTLM unicode response
resume HTTP PUT using Digest authentication
FTP NOBODY requests on directories sent "SIZE (null)"
FTP NOBODY request on file crash
excessively long FTP server responses and response lines
file:// upload then FTP:// upload crash
TFTP error 0 is no longer treated as success
uploading empty file over FTP on re-used connection
superfluous CWD command on re-used FTP connections without subdirs used

Fixed in 7.16.4 - July 10 2007

Changes:

added CURLOPT_NEW_FILE_PERMS and CURLOPT_NEW_DIRECTORY_PERMS
improved hashing of sockets for the multi_socket API
ftp kerberos5 support added

Bugfixes:

adjusted how libcurl treats HTTP 1.1 responses without content-lenth or chunked encoding
fixed the 10-at-a-time.c example
FTP over SOCKS proxy
improved error messages on SCP upload failures
security flaw in which libcurl failed to properly reject some outdated or not yet valid server certificates when built with GnuTLS

Fixed in 7.16.3 - June 25 2007

Changes:

added curl_multi_socket_action()
deprecated curl_multi_socket()
uses less memory in non-pipelined use cases
CURLOPT_HTTP200ALIASES matched transfers assume HTTP 1.0 compliance
more than one test harness can run at the same time without conflict
SFTP now supports quote commands before a transfer
CURLMOPT_MAXCONNECTS added to curl_multi_setopt()
upload resume works for file:// URLs
asynchronous name resolves now require c-ares 1.4.0 or later
added SOCKS test cases
CURLOPT_FTP_CREATE_MISSING_DIRS and --ftp-create-dirs now work for SFTP operations as well

Bugfixes:

if2up too long interface name memory leak
test case 534 started to fail 2007-04-13 due to the existance of a new host on the net with the same silly domain the test was using for a host which was supposed not to exist.
test suite SSL certificate works better with newer stunnel
internal progress meter update frequency back to once per second
avoid some unnecessary calls to function gettimeofday
a double-free in the SSL-layer
GnuTLS free of NULL credentials
NSS-fix for closing down SSL
bad warning from configure when gnutls was selected
compilation on VMS 64-bit mode
SCP/SFTP downloads could hang on the last bytes of a transfer
curl_easy_duphandle() crash
curl -V / curl_version*() works even when GnuTLS is used on a system without a good random source
curl_multi_socket() not "noticing" newly added handles
lack of Content-Length and chunked encoding now requires HTTP 1.1 as well to be treated as without response body
connection cache growth in multi handles
better handling of out of memory conditions
overwriting an uploaded file with sftp now truncates it first
SFTP quote commands chmod, chown, chgrp can now set a value of 0
TFTP connect timouts less than 5 seconds
improved curl -w for TFTP transfers
memory leak when failed OpenSSL certificate CN field checking
memory leak when OpenSSL failed PKCS #12 parsing
FTP-SSL when built with NSS
out-of-boundary write in Curl_select()
-s/--silent can now be used to toggle off the silence again
builds fine on 64bit HP-UX
multi interface HTTP CONNECT glitch
list FTP root directories when login dir is not root
no longer slows down when getting very many URLs on the same command line
lock share before decreasing dirty counter
no-body FTP requests on re-used connections

Fixed in 7.16.2 - April 11 2007

Changes:

added CURLOPT_TIMEOUT_MS and CURLOPT_CONNECTTIMEOUT_MS
added CURLOPT_HTTP_CONTENT_DECODING, CURLOPT_HTTP_TRANSFER_DECODING and --raw
added support for using the NSS library for TLS/SSL
changed default anonymous FTP password
changed the CURLOPT_FTP_SSL_CCC option to handle active and passive CCC shutdown
added the --ftp-ssl-ccc-mode command line option
includes VC8 Makefiles in the release archive
--ftp-ssl-control is now honoured on ftps:// URLs
added experimental CURL_ACKNOWLEDGE_EINTR symbol definition check
--key and new --pubkey options for SSH public key file logins
--pass now works for a SSH public key file, too
select (2) support no longer needed to build the library if poll() used
CURLOPT_POSTQUOTE works for SFTP

Bugfixes:

in testsuite, update test cookies expiration from 2007-Feb-1 to year 2035
socks5 works
builds fine with VC2005
CURLOPT_RANGE set to NULL resets the range for FTP
curl_multi_remove_handle() rare crash
passive FTP transfers work with SOCKS
multi interface HTTPS connection re-use memory leak
libcurl.m4's --with-libcurl is improved
curl-config --libs and libcurl.pc no longer list unnecessary dependencies
fixed an issue with CCC not working on some servers
several HTTP pipelining problems
HTTP CONNECT thru a proxy is now less blocking when the multi interface is used
HTTP Digest header parsing fix for unquoted last word ending with CRLF
CURLOPT_PORT, HTTP proxy, re-using connections and non-HTTP protocols
CURLOPT_INTERFACE for ipv6
use-after-free issue with HTTP transfers with the multi interface
the progress callback can get called more frequently
timeout would restart when signal caught while awaiting socket events
curl -f with user+password embedded in the URL
26 flaws identified by coverity.com
builds on QNX 6 again

Fixed in 7.16.1 - January 29 2007

Changes:

Support for SCP and SFTP were added (powered by libssh2)
CURLOPT_CLOSEPOLICY is now deprecated
--ftp-ssl-ccc and CURLOPT_FTP_SSL_CCC were added
HTTP support for non-ASCII platforms
--libcurl was added

Bugfixes:

proxy close during CONNECT authentication is now dealt with nicely
the CURLOPT_DEBUGFUNCTION was sometimes called even when CURLOPT_VERBOSE was not enabled
multiple TFTP transfers on the same (easy or multi) handle could cause a crash
SIGSEGV when disconnecting on a transfer on a re-used handle when the host name didn't resolve
stack overwrite on 64bit Windows in the chunked decoding department
HTTP responses on persistent connections without Content-Length nor chunked encoding are now considered to be without response body
Content-Range: header parsing improved
CPU 100% load when HTTP upload connection broke
active FTP didn't work with multi interface
curl_getdate() could be off one hour for TZ time zones with DST, on windows
CURLOPT_FORBID_REUSE works again
CURLOPT_MAXCONNECTS set to zero caused libcurl to SIGSEGV
rate limiting works better
getting FTP response code errors when using the multi-interface caused libcurl to leak memory
no more SIGPIPE when GnuTLS is used
FTP downloading 2 zero byte files in a row
using proxy and URLs without protocol prefixes
first using a proxy and then accessing a site that 'no_proxy' matched, would still make libcurl use the proxy...
curl_easy_duphandle() now makes a handle that is valid for the multi interface since the magic number is set fine
libcurl.pc now uses Libs.private for "private" libs
--limit-rate (CURLOPT_MAX_SEND_SPEED_LARGE and CURLOPT_MAX_RECV_SPEED_LARGE) now work on windows again
improved download performance by avoiding the unconditional "double copying"
base64 encoding/decoding works on non-ASCII platforms
large file downloads
CURLOPT_COOKIELIST set to "ALL" crash
easy handle removal from multi handle before completion
TFTP upload memory leak
curl_easy_reset() now resets the CA bundle path correctly
two User-Agent headers in CONNECT requests with custom User-Agent

Fixed in 7.16.0 - October 30 2006

Changes:

the SONAME on the shared library was bumped from 3 to 4
Added CURLE_SSL_CACERT_BADFILE
Added CURLMOPT_TIMERFUNCTION and CURLMOPT_TIMERDATA
(FTP) the CURLOPT_SOURCE_* options are removed and so are the --3p* command line options
curl_multi_socket() and family are suitable to start using
uses WSAPoll() on Windows Vista
(FTP) --ftp-ssl-control was added
CURLOPT_SSL_SESSIONID_CACHE and --no-sessionid added
CURLMOPT_PIPELINING added for enabling HTTP pipelined transfers
multi handles now have a shared connection cache
Added support for other MS-DOS compilers (besides djgpp)
CURLOPT_SOCKOPTFUNCTION and CURLOPT_SOCKOPTDATA were added
(FTP) libcurl avoids sending TYPE if the desired type was already set
(FTP) CURLOPT_PREQUOTE works even when CURLOPT_NOBODY is set true

Bugfixes:

(HTTP) CURLOPT_FAILONERROR (curl -f) covers a few more reponse cases
curl_multi_socket() and the LOW_SPEED options
curl_multi_socket() expire timer during c-ares name resolves
curl_multi_add_handle on an already added handle now fails gracefully
multi interface crash if bad function call order was used for cleanup
put a new URL in saved cookie jar files
configure --with-gssapi-libs
SOCKS proxy connection fixes
(FTP) a failed upload does not invalidate the control connection
proxy URL with user name and empty password or no password at all now work
fixed a socket state problem with *multi_socket()
(HTTP) NTLM hostname fix
getsockname usage fixes
SOCKS5 proxy connects can now time-out
SOCKS5 connects that require auth no longer segfaults when auth not given
multi interface using asynch resolves could get stuck in wrong state
the 'running_handles' counter wasn't always updated properly when curl_multi_remove_handle() was used
(FTP) EPRT transfers with IPv6 didn't work properly
(FTP) SINGLECWD mode and using files in the root dir
(HTTP) Expect: header disabling work better
(HTTP) "Expect: 100-continue" disable on second POST on re-used connection
src/config.h.in is fixed
(HTTP) POST data logged to the debug callback function is now correctly tagged as data, not header

Fixed in 7.15.5 - August 7 2006

Changes:

added --ftp-ssl-reqd
modified the prototype for the socket callback set with CURLMOPT_SOCKETFUNCTION
added curl_multi_assign()
added CURLOPT_FTP_ALTERNATIVE_TO_USER and --ftp-alternative-to-user
added a vcproj file for building libcurl
added curl_formget()
added CURLOPT_MAX_SEND_SPEED_LARGE and CURLOPT_MAX_RECV_SPEED_LARGE
added configure --enable-hidden-symbols
Made -K on a file that couldn't be read cause a warning to be displayed

Bugfixes:

chunked encoding when custom header "Transfer-Encoding: chunked" is set
Curl_strerror() crash on unknown errors
changing Content-Type when doing formposts
added CURL_EXTERN to a few recent multi functions that lacked them
splay-tree related problems for internal expire time handling
FTP ASCII CRLF counter reset
cookie parser now compares paths case sensitive
an easy handle with shared DNS cache added to a multi handle caused a crash
couldn't override the Proxy-Connection: header for non-CONNECT requests
curl_multi_fdset() could wrongly return -1 as max_fd value

Fixed in 7.15.4 - June 12 2006

Changes:

NTLM2 session response support
CURLOPT_COOKIELIST set to "SESS" clears all session cookies
CURLINFO_LASTSOCKET returned sockets are now checked more before returned
curl-config got a --checkfor option to compare version numbers
line end conversions for FTP ASCII transfers
curl_multi_socket() API added (still mostly untested)
conversion callback options for EBCDIC <=> ASCII conversions
added CURLINFO_FTP_ENTRY_PATH
less blocking for the multi interface during (Open)SSL connect negotiation

Bugfixes:

builds fine on cygwin
md5-sess with Digest authentication
dict with letters such as space in a word
dict with url-encoded words in the URL
libcurl.m4 when default=yes but no libcurl was found
numerous bugs fixed in the TFTP code
possible memory leak when adding easy handles to multi stack
TFTP works in a more portable fashion (== on more platforms)
WSAGetLastError() is now used (better) on Windows
GnuTLS non-block case that could cause data trashing
deflate code survives lack of zlib header
CURLOPT_INTERFACE works with hostname
configure runs fine with ICC
closed control connection with FTP when easy handle was removed from multi
curl --trace crash when built with VS2005
SSL connect time-out
improved NTLM functionality
following redirects with more than one question mark in source URL
fixed debug build crash with -d
generates a fine AIX Toolbox RPM spec
treat FTP AUTH failures properly
TFTP transfers could trash data
-d + -G combo crash

Fixed in 7.15.3 - March 20 2006

Changes:

added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD

Bugfixes:

TFTP Packet Buffer Overflow Vulnerability
properly detecting problems with sending the FTP command USER
wrong error message shown when certificate verification failed
multi-part formpost with multi interface crash
the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged
"SSL: couldn't set callback" is now treated as a less serious problem
Interix build fix
fixed curl "hang" when out of file handles at start
prevent FTP uploads to URLs with trailing slash

Fixed in 7.15.2 - February 27 2006

Changes:

Support for SOCKS4 proxies (added --socks4)
CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET added
CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE (--local-port) added
Dropped support for the LPRT ftp command
Gopher is now officially abandoned as a protocol (lib)curl tries to support
curl_global_init() and curl_global_cleanup() are now using a refcount so that it is now legal to call them multiple times. See updated info for details

Bugfixes:

two bugs concerning using curl_multi_remove_handle() before the transfer was complete
multi-pass authentication and compressed content
minor format string mistake in the GSS/Negotiate code
cached DNS entries could remain in the cache too long
improved GnuTLS check in configure
re-used FTP connections when the second request didn't do a transfer
plain --limit-rate [num] means bytes
re-creating a dead connection is no longer counted internally as a followed redirect and thus prevents a weird error that would occur if a FTP connection died on an attempted re-use
Try PASV after failing to connect to the port the EPSV response contained
-P [IP] with non-local address with ipv6-enabled curl
-P [hostname] with ipv6-disabled curl
libcurl.m4 was updated
configure no longer warns if the current path contains a space
test suite kill race condition
FTP_SKIP_PASV_IP and FTP_USE_EPSV when doing FTP over HTTP proxy
Doing a second request with FTP on the same bath path, would make libcurl confuse what current working directory it had
FTP over HTTP proxy now sends the second CONNECT properly
numerous compiler warnings and build quirks for various compilers have been addressed
supports name and passwords up to 255 bytes long, embedded in URLs
the HTTP_ONLY define disables the TFTP support

Fixed in 7.15.1 - December 7 2005

Changes:

the libcurl.pc pkgconfig file now gets installed on make install
URL globbing now offers "range steps": [1-100:10]
LDAPv3 is now the preferred LDAP protocol version
--max-redirs and CURLOPT_MAXREDIRS set to 0 limits redirects
improved MSVC makefile

Bugfixes:

URL buffer overflow problem
using file:// on non-existing files are properly handled
builds fine on DJGPP
CURLOPT_ERRORBUFFER is now always filled in on errors
curl outputs error on bad --limit-rate units
fixed libcurl's use of poll() on cygwin
the GnuTLS code didn't support client certificates
TFTP over IPv6 works
no reverse lookups on IP addresses when ipv6-enabled
SSPI compatibility fix: using the proper DLLs
binary LDAP properties are now shown base64 encoded
Windows uploads from stdin using curl can now contain ctrl-Z bytes
-r [num] would produce an invalid HTTP Range: header
multi interface with multi IP hosts could leak socket descriptors
the GnuTLS code didn't handle rehandshakes
re-use of a dead FTP connection
name resolve error codes fixed for Windows builds
double WWW-Authenticate Digest headers are now handled
curl-config --vernum fixed

Fixed in 7.15.0 - October 13 2005

Changes:

--ftp-skip-pasv-ip / CURLOPT_FTP_SKIP_PASV_IP (sponsored by CU*Answers)
TFTP support added

Bugfixes:

user+domain name buffer overflow in the NTLM code (security flaw)
-z over FTP now considers equal timestamps "not modified since"
Weird characters removed from the configure script
Fixed time zone offsets for MEST and CEST for the time parser
HTTP Content-Range header parser crash
FTPS negotiation timeouts/errors
SSPI works even for Windows 9x
crash in --dump-header on FTP
test 56 runs better

Fixed in 7.14.1 - September 1 2005

Changes:

GNU GSS support
--ignore-content-length and CURLOPT_IGNORE_CONTENT_LENGTH added
negotiates data connection SSL earlier when doing FTPS with PASV
CURLOPT_COOKIELIST and CURLINFO_COOKIELIST
trailer support for chunked encoded data streams
-x/CURL_PROXY strings may now contain user+password
--trace-time now outputs the full microsecond, all 6 digits

Bugfixes:

MSVC build problem with the DSP file
windows threaded resolver access violation with multi interface
test suite works with valgrind 3
CA cert verification with GnuTLS builds
handles expiry times in cookie files that go beyond 32 bits in size
several client problems with files, such as doing -d @file when the file isn't readable now gets a warning displayed
write callback abort didn't always "take"
the curl -z "bad syntax" warning is now hidden when -s is used
curl -d @nonexisting no longer makes a GET
minor debug callback data size
date parsing of dates including daylight savings time zone names
using NTLM over proxy with an FTP URL
curl-config --features now displays SSL when built with GnuTLS too
CURLOPT_HTTPGET, CURLOPT_POST and CURLOPT_HTTPPOST reset CURLOPT_NOBODY
builds fine on AmigaOS again
corrected date parsing on Windows with auto-DST-adjust enabled
treats CONNECT 407 responses with bodies better during Digest/NTLM auth
improved strerror_r() API guessing when cross-compiling
debug builds work on Tru64
improved libcurl.m4
possible memory leak in windows name resolves
c-ares enabled build with mingw
proxy host set with numerical IPv6 address
better treatment of binary zeroes in HTTP response headers
fixed the notorious FTP server failure in the test suite
better checking of text output in the test suite on windows
FTP servers' TYPE command response check made less strict
URL-without-slash as in http://example?data
strerror_r() configure check for HP-UX 10.20 (and others)
time parse work-around on HP-UX 10.20 since its gmtime_r() is broken

Fixed in 7.14.0 - May 16 2005

Changes:

modified default HTTP request headers
curl --trace-time added for time stamping trace logs
curl now respects the SSL_CERT_DIR and SSL_CERT_PATH environment variables
more search paths for curl's default .curlrc config file check
GnuTLS support, use configure --with-gnutls. Work on this was sponsored by The Written Word.

Bugfixes:

uses select() instead of poll() even on Mac OS X 10.4
reconnected proxy use with NTLM auth on the same handle
warns about bad -z date syntax
docs/THANKS now contains all known contributors
builds out-of-the-box on (presumably ipv6-enabled) AIX 4.3 hosts
curl --head could wrongly complain on bad chunked-encoding
--interface SIGSEGVed on a bad address
kill the HTTPS server better when stopping the test suite
builds fine with VS2005 on x64
auth fix for HTTP redirects and .netrc usage
FTP uploads show the progress meter easier
MSVC makefile fixes for static libcurl builds
configure fix for static libcurl build on Windows
--retry-delay
POST with read callback now uses Expect: 100-continue
CURLOPT_PORT didn't actually use the set port number
HTTP 304 response with Content-Length: header
time-conditioned FTP uploads

Fixed in 7.13.2 - April 4 2005

Changes:

Added --form-string
libcurl can be built with SSPI support. curl_version_info() then returns a new feature bit: CURL_VERSION_SSPI. configure --enable-sspi added
Added --proxy-anyauth
Added runtests.1 and testcurl.1 man pages

Bugfixes:

the MSVC libcurl Makefile was fixed
libcurl on Windows crash if resolver was active when easy handle was killed
HTTP POST with auth and an initial 100 response before the 401/407
configure's SSL-detection for msys/mingw
better connection keep-alive when POSTing with HTTP Digest
FTP-SSL
reading FTP server response in multiple reads
picking one out of multiple proxy auth methods
inet_ntoa_r() when built with uClibc
the so name issue for the LDAP library dynamic load
crash when using SOCKS4 proxy
a debug printf() was removed
CURLOPT_FILETIME when downloading FTP corrupted data
FTP upload resume now works even if no file is present on the site
SSL seeding no longer attempts to read the whole random file

Fixed in 7.13.1 - March 4 2005

Changes:

CURLOPT_COOKIEFILE set to "" is now activating the cookie engine
FTP code overhaul => multi interface much less blocking
Added CURLE_LOGIN_DENIED to be returned when curl is denied login to FTP servers

Bugfixes:

-# crash when more data than expected was retrieved
NTLM/krb4 buffer overflow fixed
proxy auth bug when following redirects to another host
socket leak when local bind failed
HTTP POST with --anyauth picking NTLM
SSL problems when downloading exactly 16KB data
out of memory conditions preserve error codes better
a few crashes at out of memory
inflate buffer usage bugfix
better DICT protocol adherence
disable valgrind-checking while testing if libcurl is built shared
locale names in some date strings

Fixed in 7.13.0 - February 1 2005

Changes:

added --ftp-account and CURLOPT_FTP_ACCOUNT
added CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE
obsoleted CURLOPT_SOURCE_HOST, CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT and CURLOPT_PASV_HOST
added --3p-url, --3p-user and --3p-quote
-Q "+[command]" was added
src/getpass.c license issue sorted (code was rewritten)
curl -w now supports 'http_connect' for the proxy's response to CONNECT
introducing "curl-config --protocols"

Bugfixes:

re-sending a request when retrying on a fresh connection with multi interface
improved valgrind report parser in the test suite
several valgrind reports
CURLOPT_FTPPORT and -P work when built ipv6-enabled
FTP third party transfers was much improved
proxy environment variables are now ignored when built HTTP-disabled
CURLOPT_PROXY can now disable HTTP proxy even when built HTTP-disabled
"curl dictionary.com" no longer assumes DICT protocol
re-invoke some system calls on EINTR
duplicate Host: when failed connection re-use
SOCKS5 version check
memory problem with cleaning up multi interface
SSL certificate name memory leak
-d with -G to multiple URLs crashed
double va_list access crash fixed
minor memory leak when "version" is set in a cookie header
builds fine on BeOS and NetBSD
builds and runs fine on FreeBSD

Fixed in 7.12.3 - December 20 2004

Changes:

PKCS12 certificate support added
added CURLINFO_SSL_ENGINES (and "--engine list")
new configure options: --disable-cookies, --disable-crypto-auth and --disable-verbose
persistent ftp request improvements
CURLOPT_IOCTLFUNCTION and CURLOPT_IOCTLDATA added. If your app uses HTTP Digest, NTLM or Negotiate authentication, you will most likely want to use these
-w time_redirect and num_redirects
no longer uses libcurl.def for building on Windows, OS/2 and Netware
builds on Windows CE
request retrying, --retry and family added
FTP 3rd party transfers with source and dest on the same host now works
added CURLINFO_NUM_CONNECTS

Bugfixes:

curl -E on windows accepts "c:/path" with forward-slash
several improvements for large file support on windows
file handle leak in aborted multipart formpost file upload
-T upload multiple files with backslashes in file names
modified credentials between two requests on a persistent http connection
large file file:// resumes on Windows
URLs with username and IPv6 numerical addresses
configure works better with SSL libs in a "non-standard ld.so dir"
curl-config --vernum zero prefixed
bad memory access in the NTLM code
EPSV on multi-homed servers now works correctly
chunked-encoded transfers could get closed pre-maturely without error
proxy CONNECT now default timeouts after 3600 seconds
disabling EPSV or EPRT is ignored when connecting to an IPv6 FTP server
no extra progress meter newline output after each Location: followed
HTTP PUT/POST with Digest, NTLM or Negotiate no longer uses HEAD
works with or gracefully bails out when exceeding FD_SETSIZE file descriptors
CURLINFO_REDIRECT_TIME works
building with gssapi libs and hdeaders in the default dirs
curl_getdate() parsing of dates later than year 2037 with 32 bit time_t
curl -v when stderr is closed wrote debug messages to the network socket
build failure with libidn 0.3.X or older
huge POSTs on VMS
configure no longer uses pkg-config on cross-compiles
potential gzip decompress memory leak
"-C - --fail" on a HTTP page already downloaded
formposting a zero byte file
use setlocale() for better IDN functionality by default

Fixed in 7.12.2 - October 18 2004

Changes:

the IDN code now verifies that only TLD-legitmate letters are used in the name or a warning is displayed (when verbose is enabled)
provides error texts for IDN errors
file upload parts in formposts now get their directory names cut off
added CURLINFO_OS_ERRNO
added CURLOPT_FTPSSLAUTH to allow ftp connects to attempt "AUTH TLS" instead before "AUTH SSL"
curl_getdate() completely rewritten: may affect rare curl -z use cases

Bugfixes:

CURLOPT_FTP_CREATE_MISSING_DIRS works for third party transfers
memory leak for cookies received with max-age set
potential memory leaks in the window name resolver
URLs with ?-letters in the user name or password fields
libcurl error message is now provided when send() fails
no more SIGPIPE on Mac OS X and other SO_NOSIGPIPE-supporting platforms
HTTP resume was refused if redirected
configure's gethostbyname check when both nsl and socket libs are required
configure --with-libidn now checks the given path before defaults
a race condition sometimes resulting in CURLE_COULDNT_RESOLVE_HOST in the windows threaded name resolver code
isspace() invokes with negative values in the cookie code
a case of read-already-freed-data when CURLOPT_VERBOSE is used and a (very) persistent connection
now includes descriptive error messages for IDN errors
more forgivning PASS response code check for better working with proftpd
curl/multi.h works better included in winsock-using apps
curl_easy_reset() no longer enables the progress meter
build fix for SSL disabled curl with SSL Engine support present
configure --with-ssl=PATH now ignores pkg-config path info
CURLOPT_SSLENGINE can be set to NULL even if no engine support is available
LDAP crash when more than one record was received
connect failures properly stores an error message in the errorbuffer
Rare Location:-following problem with bad original URL
-F can now add Content-Type on non-file sections
double Host: header when following Location: with replaced Host:
curl_multi_add_handle() return code
"Proxy-Connection: close" is now understood and properly dealt with
curl_getdate() crash
downloading empty files now calls the write callback properly
no reverse DNS lookups for ip-only addresses with ipv6-enabled libcurl
file handler leak when getting an empty file:// URL
libcurl works better multi-threaded on AIX (when built with xlc)
cookies over proxy didn't match the path properly
MSVC makefile fixes to build better
FTP response 530 on 'PASS' now sends back a better error message

Fixed in 7.12.1 - August 10 2004

Changes:

the version string now only contains info about (sub) package versions, while for example krb4 and ipv6 now only are available as 'features'
added curl_easy_reset()
socks proxy support even when libcurl is built ipv6-enabled
read callbacks can stop the transfer by returning CURL_READFUNC_ABORT
libcurl-tutorial.3 is the new man page formerly known as libcurl-the-guide
additional SSL trace data might be sent to the debug callback using two new types: CURLINFO_SSL_DATA_IN and CURLINFO_SSL_DATA_OUT
multipart formposts can upload files larger than system memory
the curl tool continues with the next URL even if one transfer fails
FTP 3rd party transfer support - seven new setopt() options

Bugfixes:

UTF-8 encoded certificate names can now be verified properly
krb4 link problem
HTTP Negotiate service name now provided in uppercase
no longer accepts any cookies with domain set to just a TLD
HTTP Digest properties without quotes in the header
bad Host: header case on re-used connections over proxy
duplicate Host: header case on re-used connections
curl -o name#[num] now works when no globbing for [num] exists
test suite runs fine with valgrind 2.1.x
negative Content-Length is ignored
test 505 runs fine on windows
curl_share_cleanup() crash
--trace files now get the final info lines too
multi interface connects fine to multi-IP resolving hosts
--limit-rate works on Mac OS X (and other systems with bad poll()s)
cookies can now hold 4999 bytes of content
HTTP POST/PUT with NTLM/Digest/Negotiate to a URL returning 3XX
HTTPS POST/PUT over a proxy requiring NTLM/Digest/Negotiate
less restrictive libidn requirements, 0.4.1 or later is fine
HTTP POST or PUT with Digest/Negotiate/NTLM selected but the server didn't require any authentication
win32 file:// transfer free memory bug
configure --disable-http builds a libcurl without HTTP support
CURLOPT_FILETIME had wrong type in curl.h, it expects a long argument
builds fine with Borland on Windows
the msvc curllib.dsp now builds the libcurl.lib file
builds fine on VMS
builds fine on NetWare
HTTP Digest authentication with proxies uses correct user name + password
builds fine with lcc-win32

Fixed in 7.12.0 - June 2 2004

Changes:

added ability to "upload" to file:// URLs
added curl_global_init_mem()
removed curl_formparse()
the MSVC project file in the release archive is automatically built
curl --proxy-digest is a new command line option
the Windows version of libcurl can use wldap32.dll for LDAP
added curl_easy_strerror(), curl_multi_strerror() and curl_share_strerror()
IPv6-enabled Windows hosts now resolves names threaded/asynch as well
configure --with-libidn can be used to point out the root dir of a libidn installation (version 0.4.5 or later) for curl to use, then libcurl can resolve and use IDNA names (domain names with "international" letters)

Bugfixes:

incoming cookies with domains set with a prefixed dot now works better
CURLOPT_COOKIEFILE and CURLOPT_COOKIE can be used in the same request
improved peer certificate name verification
allocation failures cause no leaks nor crashes
the progress meter display now handles file sizes up to full 8 exabytes (which is as high a signed 64 bit number can reach)
general HTTP authentication improvements
HTTP Digest authentication with the proxy works
mulipart formposting with -F and file names with spaces work again
curl_easy_duphandle() now works when ares-enabled
HTTP Digest authentication works a lot more like the RFC says
curl works with telnet and stdin properly on Windows
configure --without-ssl works even when pkg-config has OpenSSL details
src/hugehelp.c builds correct again in non-configure build environments

Fixed in 7.11.2 - April 26 2004

Changes:

removed maximum user+password+hostname size limit
removed maximum dir depth limit for FTP
the ares build now requires c-ares 1.2.0 or later
--tcp-nodelay and CURLOPT_TCP_NODELAY were added
curl/curlver.h contains the libcurl version info now

Bugfixes:

configure --disable-manual works better
removed a memory leak when doing a windows threaded resolve and it failed
--proxy-ntlm now checks if libcurl supports NTLM before using it
minor --fail with authentication bugfix
CURLOPT_IPRESOLVE set to CURL_IPRESOLVE_V6 will now cause a returned error if the host only can resolve ipv4 addresses
curl -4/-6 now actually sets the requested option in libcurl
multi interface on Windows without ares works again
improved resolution for the CURLINFO_*_TIME info variables
getting only a 100 Continue response and nothing else, when talking HTTP, is now treated as an error by libcurl
fixed minor memory leak in libcurl for Windows when statically linked
POST/PUT using Digest/NTLM/Negotiate (including anyauth) now work better
--limit-rate with high speed rates is a lot more accurate now, and supports limiting to speeds >2GB/sec on systems with Large File support.
curl_strnqual.3 "refer-to" man page fix
fixed a minor very old progress meter final update bug
added checks for a working NI_WITHSCOPEID before that is used
fixed a flaw that prevented ares name resolve timeouts to occur
getting user name from http_proxy env variable works now
fixed too early name resolve timeouts with ares
HTTP Digest "re-negotiation" works now
CURLOPT_FAILONERROR (-f/--fail) works with all kinds of authentication
better thread-safety thanks to the internal strerror() replacement
better thread-safety on AIX thanks to better function detection
minor ipv6 build fix for windows
the test suite runs fine with mingw-built curl
the postit2.c example works now
better error message when --interface fails on windows
the progress meter now displays very long times better
CURLINFO_CONTENT_LENGTH_DOWNLOAD with CURLOPT_NOBODY set TRUE now works
passwords longer than 14 letters work with NTLM
'make netware' in the root dir works now
builds fine on VMS again and even nicer than before

Fixed in 7.11.1 - March 19 2004

Changes:

CURLOPT_POSTFIELDSIZE_LARGE added to offer POSTs larger than 2GB
CURL_VERSION_LARGEFILE is a feature bit returned by libcurls that feature large file support
libcurl only requires winsock 1.1 on windows now
when doing FTP, curl now sends QUIT before disconnecting
name resolves can now timeout on windows too
$HOME is now recognized better when looking for .netrc files
now re-uses the ares handle when re-using curl handles
SO_BINDTODEVICE is used for network interface binding
configure --disable-manual disables the built-in huge manual from the command line tool
the default Accept: header used in HTTP requests changed
asynch dns lookups now require the c-ares library
curl --socks can be used to set a SOCKS5 proxy to use
response-headers received after a (proxy) CONNECT request are now passed to the header callback just like other headers

Bugfixes:

builds and runs on Novell NetWare
Windows builds now report OS as "i386-pc-win32"
received signals during SSL connect is handled better
improved PUT/POST with NTLM/Digest authentication
following redirects and doing NTLM/Digest (where the first connection gets closed) with the multi interface work better now
file: progress meter and getinfo variables work now
CURLOPT_FRESH_CONNECT and CURLAUTH_NTLM now work when set together
share interface usage without (un)lock functions segfaulted
--limit-rate no longer cripples the --speed-limit feature
fixed verbose output problem with ipv6-enabled re-used connections
fixed the socks5 code to check version in the socks response properly
dns cache bug - fixed the 'inuse' counter
large file fix for Content-Length
better docs for the share interface
several configure fixes for mingw/msys
setting a Host: header is no longer affecting the Host: header used when libcurl follows a Location:
fixed numerous compiler warnings on several operating systems and compilers
PUTing from stdin couldn't disable chunked transfer-encoding
corrected the mingw makefiles
improved the configure libz detection
fixed EPRT/PORT use when doing FTP on ipv6-enabled AIX hosts
*nroff commands that only support -mandoc and not -man are now supported (for the built-in manual text in the command line tool)
fixed the unconditional #include of config.h in hugehelp.c
builds fine on MPE/iX
upload using chunked transfer-encoding now sends the last chunk properly teriminated with an extra CRLF
Fixed the progress meter display for files >2GB
persistant connections over a proxy messed up the proxy name/password
the socks5 code segfaulted if no username/password was set
the *_LARGE options now take curl_off_t types as parameters and this will make it possible to handle large files on windows too
builds with large file support even on systems without strtoll()

Fixed in 7.11.0 - January 22 2004

Changes:

allows the URL to be set by a callback when using the multi interface
large file support was added. Use one of the new options: INFILESIZE_LARGE, RESUME_FROM_LARGE and MAXFILESIZE_LARGE
the new --ftp-pasv overrides a previous --ftpport
CURLOPT_FTPSSL and ftps:// now do ssl over FTP "The Right Way" (the curl tool now features the --ftp-ssl option)
The Windows DLLs are built with an added "resource file"
New LIBCURL_VERSION_* defines for easier checking version number
Included Mac OS X 'framework' makefile in the release archive
Removed the TRUE and FALSE #defines from the public curl header file
Added CURLOPT_NETRC_FILE

Bugfixes:

improved config file parsing for options with required parameters
using --trace with a bad file name could crash
release archive contains compressed help text
the win32 password prompting supports backspace
builds natively on AmigaOS (without unix emulation)
ftps:// now uses port 990 by default
the "configure --with-spnego" action was improved
fixed a rare follow-redirect problem
curl-config --feature now outputs AsynchDNS if enabled
occational re-use of freed-memory problem fixed
curl-config --libs now include the ares link directory
configure --enable-ares now accepts a given path
-lz no longer appear twice on the link line
more descriptive error message if the FTP response reader fails
curl-config --feature now shows 'AsynchDNS' when built with ares
VMS build up-to-date and clarified source code
resolve bug caused socks5 to fail
Content-Length: is ignored when getting chunked Transfer-Encoding
POST over proxy to https server failed
improved how libcurl deals with persistant connections over FTP when a transfer fails
accessing a proxy that requires Basic auth without password caused a hang
a free free-twice problem in the server certificate code
minor memory leak when using ranges on persistant connections
formpost parts sending files with .html extensions now use "Content-Type: text/html"
formpost parts now default to "Content-Type: application/octet-stream"
--progress-bar was slightly improved
Failing to connect to localhost, using the multi interface on Solaris showed a connect problem now fixed.
The generated ca-bundle.h file is now generated in the build dir, not the source dir
The FTP-EPSV response parser for the 229 code was fixed
curl finds the user's home dir slightly different and hopefully better on Windows
testcurl.sh can now be used to autotest daily tarballs
a couple of command line options now check that the underlying library actually supports the features before trying to enable them
uninitialized variable fix
better html versions of the man pages

Fixed in 7.10.8 - November 1 2003

Changes:

--head now works on file:// URLs too
file: URLs with only one initial slash now works too
RELEASE-NOTES document added to the release archive to summarize the big and visible changes and bugfixes
CURLOPT_MAXFILESIZE was added, and --max-filesize
CURLOPT_PASSWDFUNCTION and CURLOPT_PASSWDDATA are no longer supported
IPv6 is now supported on Windows builds too
CURLOPT_IPRESOLVE lets you select pure IPv6 or IPv4 resolved addresses (curl offers the command line options -4/--ipv4 and -6/--ipv6)
GSS-Negotiate works fine with the MIT kerberos library
SPNEGO support added, if libcurl is built with the FBopenssl libraries, curl_version_info() can return a feature bit for it and curl -V displays SPNEGO as a feature if libcurl is built with it enabled
easy handles added to a multi handle now share DNS cache automaticly
CURLINFO_HTTPAUTH_AVAIL and CURLINFO_PROXYAUTH_AVAIL were added
CURLOPT_FTP_RESPONSE_TIMEOUT was added
NTLM, Digest and GSS-Negotiate authentications also work for HTTPS over proxies
curl supports multiple -T flags to allow serveral uploaded files using a single command line
CURLINFO_RESPONSE_CODE can return the last FTP response code

Bugfixes:

added work-around for a name resolve problem on some glibc versions
a rare ERRORBUFFER single-byte overflow was fixed
HTTP-resuming an already downloaded file works better
builds better on Solaris 8+ with gcc
--disable-eprt works now
improved CA cert verification
--anyauth could bug when the first response had no body contents
double password prompting when doing NTLM fixed
improved performance when used multi-threaded on windows
share-locking during DNS lookups was modified
resume was not possible to switch off properly once enabled
fixed the ipv4 connect code when a DNS entry has multiple IPs
now checks subjectAltNames when matching certs
HTTP POST using read callback works again
builds fine on BeOS now
CURLOPT_COOKIE set to NULL no longer sends the previously set cookie
if an FTP transfer used a bad path, the next transfer could fail too
ares-built libcurl resolves IP-only names properly
changed the curl_lock_function proto to prevent warnings on some compilers
builds fine on QNX 6.2.x now
PUT with --digest works now
--anyauth that picks NTLM and then follows a redirect (and does NTLM again) works now
asynch resolves now work on NT4 too
a DNS cache trash (possible segfault) was fixed
runtests.pl clears all proxy environment variables before the test is run
Microsoft's "Negotiate" authentication is now supported by the existing GSSNEGOTIATE option
A set zero-length proxy name confused libcurl
Digest authentication works again without OpenSSL on 64bit architectures
configure --enable-thread works now
buffer problems in the test suite's web server were fixed
improved proxy password handling
LDAP is again working nicely with the current OpenLDAP
asynch name lookup for non-resolving hosts now return a proper error message
CURLOPT_SSL_VERIFYHOST set to 1 no longer aborts if no CN field is obtainable, it will merely warn about it
name resolve segfault with uClibc fixed
multi interface and multi-part/formpost could end in segfault
curl_multi_info_read() sets the msgs_in_queue to 0 when returning NULL
multi interface, ares and non-resolving host caused a segfault
minor single SSL memory leak fixed
Setting CURLOPT_WRITEFUNCTION or CURLOPT_READFUNCTION to NULL resets them to default

Fixed in 7.10.7 - August 15 2003

Changes:

CURLOPT_PROXYAUTH was added to allow different authentication methods on proxies (--proxy-ntlm was added to the curl tool).
--ftp-create-dirs and CURLOPT_FTP_CREATE_MISSING_DIRS were added
optional and still experimetal asynch name resolve support
getting headers-only and no-body from FTP can now reply "Accept-Ranges" if the server seems to suppport REST.

Bugfixes:

fixed a memory leak on re-used connections with proxy-authentication
cookies with no contents are sent off too now
64bit-related bugfix for uploads
file:// URLs with drive letters now work on windows and OS/2
The output numbering (#[num]) on url globbing didn't work due to a bug in curl_msprintf()
FTP persitent download directory re-use problem fixed
cookie parser now only requires two dots in cookie domain
FOLLOWLOCATION (or -L) did not always ignore the redirect page properly
information leak fixed. When proxy authentication is used in a CONNECT request (as used for all SSL connects and otherwise enforced tunnel-thru-proxy requests), the same authentication header was also wrongly sent to the remote host.
the VC++ Makefiles were updated
builds better on VMS
src/hugehelp.c is now distributed uncompressed in the source package
the mkhelp script now compresses properly on DOS/Windows

Fixed in 7.10.6 - July 28 2003

Changes:

CURLOPT_SSL_CTX_FUNCTION allows a custom callback for SSL connections
multiple patches lets curl build and run on DOS
libcurl now deals with spaces in Location: redirects and URLifies them
curl --version shows more detailed info
curl_version_info() now returns info on NTLM, GSS-Negotiate and Debug
curl_version() includes "GSS" in the string if built with GSSAPI available
Pick-best-authentication option added (--anyauth, using the CURLOPT_HTTPAUTH set to CURLAUTH_ANY)
NTLM authentication support (--ntlm and CURLAUTH_NTLM)
GSS-Negotiate authentication support (--negotiate and CURLAUTH_GSSNEGOTIATE)
Digest authentication support added (--digest and CURLAUTH_DIGEST)
Allow curl to switch (back to) to Basic authentication (--basic)
libcurl supports name and password in proxy environment variables

Bugfixes:

double slash after the host name on a FTP URL again points out the root dir
obscure and rare DNS cache problem was fixed
multiple FTP connections to the same host with different user names didn't work properly
no more CWD commands without arguments for ftp connections
curl no longer uses setvbuf() due to portability problems
VMS build fixes
the curl tool has the -M manual compressed internally if built with libz
url globbing syntax error could cause segfault
Huge (>40-60KB) GET requests over HTTPS failed.
Content-Length now overrides socket-closed as a means of knowing when the response body is complete.
--progress-bar takes the initial size into account when doing resumed downloads
work around SSL bugs better
libcurl typically issues POST requests with less send() calls
better main makefile
external headers improved portability
Listing FTP directories without contents could leak a socket
Getting HTTP contents in one line without headers failed
bugfixed the socks5-proxy usage (twice)
h_aliases name-lookup rare crash fixed
improved curl -M output
curl_unescape() now only unescapes valid %HH codes

Fixed in 7.10.5 - May 19 2003

Changes:

support for Content-Encoding: gzip was added
test cases modified to include server requirement in each test case file
CURLOPT_FTP_USE_EPRT was added, --disable-eprt with the tool
setting CURLOPT_ENCODING to "" automaticly enables all supported encodings

Bugfixes:

libcurl now calls the progress meter during slow ftp responses as well
a write loop resulting in badly updated progress meter was fixed
non-blocking sockets fix for PORT ftp downloads
CURLOPT_INTERFACE performance fix on Linux
EAGAIN-fix improves HPUX (at least) functionality
configure script fix for the writable argv check and cross-compiles
features more verbose error message when some OpenSSL read errors occur
improved ftp compliance with RFC1738, now performs individual CWD commands for each path part in the URL
cookie overhaul: fixed jarsaving, improved path treatment and stricter cookie receiving, adjusts to Hosts: headers
CURLINFO_CONNECT_TIME works with the multi interface too
curl_easy_setopt() now returns correct error codes
formposting .html files set Content-Type text/html now
curl reports a new huge and verbose error message on CA cert problems
libcurl now returns CURLE_SSL_CACERT on CA cert problems
chunked-transfer deflate downloads work
FTP-server responses to CWD are now more liberally treated
fixed url parsing when '?' is used after the host name without '/'.
curl -I on ftp files outputs the date with correct time zone (GMT)
curl -z now works for FTP files (CURLOPT_TIMECONDITION)
the default DEBUGFUNCTION outputs incoming headers as well
Content-Type extraction did wrong if there was no space after the colon
the MSVC project file was fixed
no longer installs the ca bundle when built --without-ssl
the boundary strings in formposts now look very similar to the ones IE uses
test suite runs on cygwin

Fixed in 7.10.4 - April 2 2003

Changes:

the curl tool now "clears" sensitive commands line args
no more emacs local variables in the source files
script for distributed, automatic, multi-platform testing added. Please join up and help us test the bleeding edge curl on various platforms!
the "scratch buffer" is now only allocated when actually needed
removed the strequal and strnequal macros from curl/curl.h
added CURLOPT_UNRESTRICTED_AUTH / --location-trusted

Bugfixes:

"curl -O" only, now outputs an error message accordingly
builds fine on Redhat Linux 9 (configure fix)
the CA cert bundle included a demo cert now removed
changing some attributes between two transfers when re-using a connection did not "take effect" properly
the test suite runs faster and hopefully a bit more reliably
improved configure check for presence of functions, needed for HPUX
the curl tool now makes a correct URL escaping when appending to the URL when using -T and the file name is appended to the URL.
configure --enable-libgcc now explicitly add -lgcc to the linker
better configure checks for headers (since some platforms got nasty warnings output previously)
configure --help looks nicer
data transfer bug on HP-UX systems
improved random seeding for systems without a reliable random source
64bit Sparc compiler warnings removed
a case where a connect failure didn't return an error string
DNS cache problem in AIX 4.3 and later was fixed
a POST-then-GET problem when re-using the same handle in libcurl
extra precaution added for FTP servers returning 0 bytes to SIZE commands
looping issue in the receive function (i.e badly updated progress meter)
Fixed the 'Expect: 100-continue' behavior
CURLOPT_MAXCONNECTS segfault fixed
multi-interface connecting on Windows to non-listening ports fixed
Curl_base64_encode() now encodes zero-bytes too properly
fixed the infamous SSL error:00000000 outputs
zlib build fix in the mingw makefile
don't check for ca cert env variable if --insecure is used
always use strict cert name check unless --insecure is used
content-type extracting fixed
DEBUGFUNCTION could be called with wrong arguments in uploads
ftp downloads could wrongly return CURLE_PARTIAL_FILE in some conditions
the fopen.c example code didn't work
content-type extracting memory leak fixed
curl/multi.h was fixed for C++ compiles
.netrc file scanning for names+passwored fixed
curl-config --cflags works even when include dirs isn't /usr/include
CURLINFO_PRIVATE can return NULL properly

Fixed in 7.10.3 - January 14 2003

Changes:

Added CURLOPT_PRIVATE and CURLINFO_PRIVATE
Added CURLOPT_HTTP200ALIASES
Added --create-dirs
libcurl test cases have been added
configure --enable-maintainer-mode was added

Bugfixes:

Transfer-Encoding: chunked for uploads works
Test cases 306 and 402 now run fine
configure script bug related to CONTENT_ENCODING fixed
Borland Makefiles up-to-date
Name resolve fix to correct the 7.10.2-fix!
curl/curl.h now has a more proper extern "C" for C++
CURL_MAX_WRITE_SIZE lowered to 16KB: improves performance on Windows
configure --enable-debug now cuts off -O* options to the compiler
Using multi interface and proxy to non-listening port caused a hang
CURLOPT_USERPWD-imposed memory leak removed
Verbose connect message crash removed
curl-config --cflags
better SSL-reading with no CPU-eating loop left
A base64 decoding bug was fixed (affected kerberos4)
The MSVC++ Makefile for debug targets was improved
Initing the global DNS cache is now done better
"curl -I ftp://domain/non-existing-file" was flawed
fixed wildcard name checks in server certificates

Fixed in 7.10.2 - November 18 2002

Changes:

PDF versions of much documentation are included in the tarball
Transfer-Encoding: chunked for uploads are now supported

Bugfixes:

builds fine on MSVC again
CURLOPT_CONNECTTIMEOUT works better
name resolving failed with glibc 2.2.93
libtool build fix for -no-undefined
the follow location code could crash occasionally
multi interface and FOLLOWLOCATION didn't work properly
curl -j (CURLOPT_COOKIESESSION) didn't work properly
config file parser could crash on the presense of CRLF newlines
downloading HTTP without headers sometimes corrupted the data
connecting to a bad port number with the multi interface did wrong

Fixed in 7.10.1 - October 11 2002

Changes:

configure --without-zlib explicitly disables zlib in builds

Bugfixes:

junk data could get inserted when saving HTTP headers
telnet connections timeout properly
make install when built outside source tree works again
FOLLOW_LOCATION works for the multi interface too
HTTP Location following now deals with ./ and ../ cases
The OpenSSL ENGINE check was improved in the configure script

Fixed in 7.10 - October 1 2002

Changes:

curl -x "" now disables proxy-usage completely
The libcurl and thus the curl version string too are modified slightly
added curl_version_info() for various runtime version info
added curl_free() that allows freeing data libcurl malloced()
CURLOPT_ENCODING added, supports decompression of compressed downloaded data This is used with 'curl --compressed'. This feature uses the libz library, if present.
MIT-licensed only, no dual-stuff. That is history. Old. Gone. Forgotten.
libcurl does peer certificate verification by default. This needs to be disabled if you need to talk to SSL servers in an insecure way! (curl -k does this). See further details in the UPGRADE document.
SOCKS5-proxy support was added (somewhat flawed, see CHANGES for details)
More SSL error codes was added
CURLOPT_NOSIGNAL was added for multi-threaded programs to use
--limit-rate is now supported
CURLOPT_BUFFERSIZE sets a desired read buffer size
The FTP PORT command uses a better default IP address

Bugfixes:

transfer after a failed connect when using the multi interface
headerless HTTP downloads
"-C -" on multiple file downloads
resume on file:// downloads
memory leak in libcurl on repeated resume http downloads
crashes on 64bit machines solved
IPv6 IP-address only URLs sent bad Host: headers
--silent is more silent when doing URL globbing fetches
*multi_perform() now returns control properly when waiting for connect
curl_formadd man page was corrected
curl_escape() and curl_unescape() no longer deals with '+'
improved performance on persistent transfers on windows
no longer closes ftp connections unncessarily often
-N works again
the windows DLL now builds with the multi interface enabled
the internal password prompt now uses stderr instead of stdout
minor cookie parsing bug when no space came after the header colon
better #ifdef conditions in the global curl header files
the curl tool didn't allow POST of zero contents
literal RFC2732-style IPv6 addresses didn't work

Fixed in 7.9.8 - June 13 2002

Changes:

curl_formadd() can do file upload parts from buffer
libcurl can be built with specific protocols disabled
should build nicely with modified OpenSSL 0.9.7 API
win32 timers now use higher resolution
CURLOPT_CAPATH was added (--capath on the command line)
CURLOPT_NETRC now supports optional or required netrc mode
curl_formadd() now returns a CURLFORMcode type, not a plain int.

Bugfixes:

name resolves can now time-out properly (on unix-like systems)
an empty connect failure error message was filled in
when curl_easy_perform() failed on an ftp transfer, it could leak a socket
a curl_multi_remove_handle() crash was removed
windows versions will no longer complain on "weak seeding"
64bit architectures could crash in the resolve code
CURLINFO_REQUEST_SIZE now works as documented
CURLINFO_REDIRECT_TIME returns a correct time now
getting an empty FTP file does not cause an error anymore
curl_multi_perform() works without curl_multi_fdset()
re-using a connection over a proxy could do bad Host: headers
CURLOPT_POST with a "" string could lead to a crash.
better certificate loading
Name resolve crash on platforms without *_r() functions removed
minor compiler problems on FreeBSD fixed

Fixed in 7.9.7 - May 10 2002

Changes:

CURLOPT_COOKIESESSION (-j with the client) starts a new cookie session
--trace or --trace-ascii dump a full network/debug dump to a given file
Added: curl_multi_info_read() is now implemented as documented
Added CURLINFO_REDIRECT_TIME and CURLINFO_REDIRECT_COUNT

Bugfixes:

CURLOPT_DEBUGFUNCTION gets called as documented
-D with multiple URLs will append all headers in the same file
multi interface transfers work better
multiple transfers reset download counters better in between
Pruning now prevents the DNS cache from growing out of proportions
no_proxy didn't work when URL contained port numbers
--interface didn't work for IPv6 enabled libcurls
the TIMECOND defines are now using CURL_ prefixes
Now uses less memory for name resolves on most operating systems
pack_hostent works with 64 bit pointers
Prunes old DNS cache entries
HTTP 301 response after a POST now treated differently
rfc1867-formposting a non-existent file now causes a failure

Fixed in 7.9.6 - April 14 2002

Changes:

Added CURLOPT_DEBUGFUNCTION
Added multi interface man pages, examples and public header files.
All CURLFORM_* options can now be given in an array
Added: -F supports filename= (using the new CURLFORM_FILENAME)

Bugfixes:

libcurl skips preceeding white spaces in cookie contents
CURLINFO_CONNECT_TIME is now set even when connect fails
-x didn't use the documented default port
RISC OS version now offers --environment
HTTP/1.0 304-replies are dealt with better
.curlrc is read from current directory if HOME isn't set
The include file curl/curl.h compiles on pre-ISO compilers
getting http headers-only could "hang" during 1 second extra
verbose passive ftp transfers on AIX could crash
improved re-use of dead proxy connections
binary HTTP POSTs on Windows did not work (client-code problem)
CRLF replacing in uploads was not working
-G and -d work together again
using verbose when doing ftp passive transfers could core dump
IPv6 name lookups work again
HTTP POST with data passed in with the read callback now works
curl -O segfault
--progress-bar
Bugfixed a missing newline after --progress-bar output

Fixed in 7.9.5 - March 7 2002

Changes:

Added CURLOPT_PREQUOTE
-w now supports %{content_type}

Bugfixes:

fixed the client-side backslash treatment in URLs
Mofied the file hierarchy in the archive somewhat
fixed the dowloaded header size counter
fixed the cookie parser
Replaced the former test HTTP server with a new one written in C
fixed the total time counter that could end up blank at times
Minor portability changes
Tweaked name resolves with getaddrinfo() to run faster on Linux
fixed big HTTP requests (such as big POSTs)
fixed connection timeouts
fixed Host: lines on multiple requests over proxy
fixed 64bit archtitecture builds.
fixed Expect: header disabling
Improved the Windows makefiles and install documentation
fixed multipart formposts
fixed CURLINFO_CONTENT_TYPE
fixed another SSL download problem

Fixed in 7.9.4 - March 4 2002

Changes:

Introduced CURLINFO_CONTENT_TYPE
CURLOPT_CUSTOMREQUEST can now be used with CURLOPT_POSTFIELDS

Bugfixes:

Improved the gethostbyname_r configure check for HP-UX 11.00
Bugfixed the DNS cache
Bugfixed SSL download (due to the non-blocking sockets)
Only seed SSL once for a program's life time
IPv4-only Linux machines could crash on name resolves
curl_getdate() is now fully reentrant
The header length counter is now reset in each curl_easy_perform()
Normal HTTP POSTs no longer append an extra set of CRLF
Location: following on persistant connections work
No longer installs the multi examples on make install.

Fixed in 7.9.3 - January 23 2002

Changes:

introduced a DNS lookup cache
OpenSSL ENGINE support (read CHANGES for full details)
CURLFORM_CONTENTHEADER let's you add headers in form posts

Bugfixes:

fixed multipart formposts with non-existing files
builds with OpenSSL versions prior to 0.9.5 again
SSL session cache crashed when filled
improved timeouts with HTTPS
bugfixed the cookie engine and parser
HTTP code 204 is now treated properly
libcurl now provides the FTP response lines to the header callback
64bit-architecture fixes
bugfixed using proxy specified in an environment variable
made libcurl support FTP operations without any transfer
error messages are now stored without newlines
-T file names get the path stripped before used remotely
minor compiling problems fixed for some platforms

Fixed in 7.9.2 - December 5 2001

Changes:

--disable-epsv is a new option to the curl command line tool
added CURLOPT_FTP_USE_EPSV
added CURLINFO_STARTTRANSFER_TIME
added the -1/--TLSv1 option

Bugfixes:

compiles and builds on the good old Mac OS (in addition to Mac OS X)
bugfixed persistant connections over proxy with multiple protocols
bugfixed verbose ftp output on Tru64 unix
passive ftp download works with IPv6
always return proper error code on failed connects
bugfixed FTP response reader
bugfixed verbose telnet
bugfixed conditional HTTP fetches based on time
multiple calls to curl_global_init() is now treated better
bugfixed multiple ftp requests
made -p/--proxytunnel work for plain HTTP as well
"current speed" progress meter bugfix
improved the name resolver configure check
libcurl now restores signal handlers and timeouts properly
improved SSL over HTTP-proxy when using weird proxies(!)
bugfixed LDAP transfers

Fixed in 7.9.1 - November 4 2001

Changes:

CURLE_GOT_NOTHING is a new possible error code
-0/--http1.0 can now be used to set HTTP 1.0 operations
'curl' no longer uses curl_formparse()
non-blocking connects

Bugfixes:

much better connection re-use validity check
bugfixed connection re-use for FTP urls containing name and password
LDAP transfers no longer "hang"
a memory leak in the cookie engine was removed
curl_easy_duphandle() now duplicates cookie parser status too
--fail now only returns error if HTTP code is >= 400
a possible memory leak when a transfer failed was removed
builds better in cygwin
"current speed" meter more accurate
-c without -b saves the cookies now
bugfixed libcurl for "thread-hopping" on Windows
removed memory leak in IPv6-enabled libcurl
bugfixed curl_formadd()
bugfixed CURLINFO_FILETIME
bugfixed cookiejar

Fixed in 7.9 - September 23 2001

Changes:

-R sets the timestamp of a downloaded file to the same as the remote file
-c writes all cookies to a specified file (based on the new libcurl option CURLOPT_COOKIEJAR)
SSL session ID caching is being done for multiple requests to the same hosts
displays certificate expire date with SSL and verbose output
curl_formadd() is a new function to replace the now deprecated curl_formparse() one, for building rfc1867 form posts.
release archive now includes all docs as HTML pages too

Bugfixes:

now properly returns an error code when connection to an SSL server with a non-legitimate certificate.
CURLOPT_COOKIEFILE can now be specified any number of times
fixed portability issue in the SSL code
-G improvements, now works with -I and on URLs including question mark.
various windows compile, build and makefile fixes
multiple curl_easy_perform() invokes when a previous invoke followed a Location: could lead to a crash
rfc1867-posts are now done including the Expect: 100-continue header.
flushes the progress meter stream to improve look on windows
fixed the configure script --with-ssl problem

Fixed in 7.8.1 - August 20 2001

Changes:

added CURLOPT_HTTPGET

Bugfixes:

the configure script now sets up socklen_t properly
added the -G option that converts -d posts to use GET requests
bugfix: CURLOPT_POST without postfields caused libcurl crash
bugfixed the URL parser for IPv6 IP addresses (RFC 2732)
corrected some minor size_t mixups in the code
rfc1867-style form posts no longer has any size-limit
bugfixed the redirected stderr feature
more test cases added
libcurl now verifies the CN name of server certificates when SSLing
curl -E supports file names with driver letters now on windows
curl-config --libs now includes the path to the installed libcurl
file:// with "relative" paths now work like other tools/libs
curl builds under RISC OS and OpenVMS now
libcurl groks the NCSA httpd 1.5.x weirdo (non-standard) replies
curl_escape() no longer tries to skip already encoded data
progress callback minor bugfix
bugfixed the main transfer select() loop!
corrected FTP range downloads
better treatment of cut off FTP transfers
corrected the libcurl shared library version number
improved configure --with-ssl handling
multiple file download with resume works better
formpost with field names containing space works now
the ftp tests now run OK on IPv6 enabled hosts
verifying certificates bugfixed

Fixed in 7.8 - June 7 2001

Changes:

'curl-config --vernum' shows version number as a hexadecimal number
libcurl's got two new functions (for global init/cleanup)

Bugfixes:

SSL memory leak fixed
new file format for the tests in the test suite
netscape/mozilla cookie file parser bugfix
everything is now built with autoconf 2.50, libtool 1.4 and automake 1.4-p1
libcurl's own version of 'strlcat' no longer pollutes the name space
libcurl now treats an already completed resumed download as a successful operation, and not as an error like before
https and ftps test cases added to the test suite (depend on stunnel)
better white space awareness when parsing HTTP headers
curl -I now plays ball even if the ftp server doesn't grok SIZE
corrected resumed transfers on re-used persistent connections
FTP PORT works again when libcurl is IPv6-enabled
corrected path usage when doing multiple FTP transfers
several Location: header related bugs corrected

Fixed in 7.7.3 - May 4 2001

Bugfixes:

we've discovered that TELNET does not work under win32
HTTP Content-Length: 0 works better
HTTP 304-replies are better treated
persistent connections with mixed chunked and non-chunked transfers work now
connection re-use for non-proxy connections on non-default ports work
corrected the OpenSSL version string output

Fixed in 7.7.2 - April 22 2001

Changes:

'curl-config' was added to help applications use libcurl
A Tcl interface has been written
A Java interface has been written
A Ruby interface was announced

Bugfixes:

The Perl interface is improved a lot
Fixed download resumes on persistent connections
connection timeouts work in windows
HTTP_PROXY in uppercase is no longer used
curl_escape() with a 0 length argument works now
the MSVC projects files were updated
the Borland makefiles were updated
displays OpenSSL 0.9.6a properly in the version string
The Host: headers could get wrong on persistent connections

Fixed in 7.7.1 - April 3 2001

Bugfixes:

location:-fix
two crash reasons removed
ftps:// support added
the perl interface corrected to work with 7.7
bugfixed the HTTP/1.0 persistent connection support
Passing a read-only URL to libcurl could make it crash on http redirects
HEAD responses are now always headers-only
curl could re-use connections a little too much
different treatment of HTTP error 302
following http redirects on persistent connections could reach the maxredirs amount accidentally
curl_escape() don't re-encode already encoded letters anymore

Fixed in 7.7 - March 22 2001

Changes:

supports HTTP proxy with IPv6
curl_escape and curl_unescape are now part of the official libcurl interface
libcurl speaks HTTP/1.1 lingo now
persistent connection support

Bugfixes:

the .netrc parser finds the home directory better
fixed a crash that could happen with redirects and authentication
improved random seeding for SSL connections
improved TELNET functionality

Fixed in 7.6.1 - February 9 2001

Changes:

partial IPv6 support (HTTP without proxy and only "active" FTP so far)
two new options to curl_easy_getinfo() for file sizes were added

Bugfixes:

following Location: when using Range: requests work
telnet works again (7.6 crashed)
Corrected the HTTP PUT resume
Better Location: and HTTP return code (3xx) treatment
Resumed transfer status is displayed in progress meter (though simple)
HTTP download resume again complains if Range isn't supported

Fixed in 7.6 - January 26 2001

Changes:

-g/--globoff was added to disable the URL globbing
command line options can be written "merged" -ofile equals -o file
initial but still basic IPv6 adjustments

Bugfixes:

fixed 'total time' counter to be more accurate
possible SSL-read problem fixed (which could make curl return empty HTML)
no length restrictions on URLs anywhere in the libcurl code
supports building outside the source-tree
includes make-target for 'automatic' RPM package creation
added multiple URL support on the command line
krb4-ftp fixed
massive symbol renaming of libcurl internals to decrease name pollution

Fixed in 7.5.2 - January 4 2001

Changes:

new licensing, MPL or MIT/X

Bugfixes:

updated man page
FTP commands are now sent in single write()s
removed a file descriptor leak when doing PORT ftp
improved quote command error checks (FTP)
misaligned free() crash removed (patch)

Fixed in 7.5.1 - December 11 2000

Changes:

added Borland makefiles

Bugfixes:

portability fixes for SCO and HPUX
using an -o file name that is longer than the URL works (patch)
multiple URLs and -o or -O works better! (patch)

Fixed in 7.5 - December 1 2000

Changes:

new --max-redirs option and corrresponding CURLOPT_MAXREDIRS libcurl option.
libcurl now supports getting the time of a remote file
--head on a ftp file shows the modification time if available
--cacert lets you specify a CA certificate to verify peer certificates against when doing HTTPS connections
curl_formfree() added to libcurl
added --url to allow URLs to be specified easier in the config file

Bugfixes:

the shared libcurl library gets a proper version number now
the MSVC++ makefiles are updated to work
the test suite is much extened and enhanced
supports any URL lengths
ftp CWD could use wrong directory name (with trailing slash)
ftp transfer failure could leak memory
curl_unescape() could return a too long string
deals with lowercase environment variables for proxy settings
corrected spelling in a few error messages
memory leaks removed
improved config file parser
config file parser crash fixed
§ in HTTP usernames or passwords made bad authorization headers.

Fixed in 7.4.2 - November 15 2000

Changes:

an initial attempt to make a test suite is included
binary/custom package information is added
possibility to verify the peer's certificate for HTTPS connections (libcurl)

Bugfixes:

configure now attempts to find openssl libs better
the Host: port number could be wrong on HTTPS requests
-T and -o can be used on the same command line (bugfix)
file:// bugfix (free() twice)
ftp --head now sets type first, as some servers report different sizes for different types
ftp upload resume could hang if the whole file was already uploaded
another cookie parser fix
added possibilty to replace the internal 'enter password' function (libcurl)
encoded username/password in URL is now supported
username in http-URL bugfix
fixed the timers when location: headers were followed
timeouts are now working as supposed (under unix)!
the interactive password input on win32 no longer echoes the password
config file parser bugfix
multiple -d options are now concatenated
the memory debug system compiles on more systems
passwords specified with -u can now properly contain @!
The Host: header no longer sets port number for default ports (HTTP) (as suggested)
-Y/-y bug fix (bug report)
more informative error message when https has not been built-in

Fixed in 7.4.1 - October 16 2000

Bugfixes:

Corrected the makefiles in the release archive!

Fixed in 7.4 - October 16 2000

Bugfixes:

possible buffer overflow by an evil ftp server fixed
removed typedef bool from the public include file
more PHP-friendly multi-part posts (no more Content-Transfer-Encoding header)
FTP forced ASCII transfers fixed
memory leaks removed
the --longoption parser was corrected
HTTP download resume bugfix
more information available with -w and curl_easy_getinfo()
the HTTP request is now sent in one shot (single write())
-w stuff moved out from the libcurl, the information is now served with the new library function curl_easy_getinfo()
uploading with curl uses a smaller buffer to start with, to make a better progress meter

Fixed in 7.3 - September 28 2000

Changes:

--proxytunnel, non-HTTP tunneled through a http proxy is added
--interface allows you to specify outgoing interface
--krb4 enables kerberos for ftp transfers

Bugfixes:

file:// was fixed
cookie parser bugfixed
OpenSSL 0.9.6 usage fixed
multiple downloaded files bugfix
more resolver fixes

Fixed in 7.2.1 - August 31 2000

Bugfixes:

Linux name resolve check in the configure script is fixed
-I on ftp was fixed
ftp files with + in the file name was corrected.

Fixed in 7.2 - August 30 2000

Changes:

--data-binary was added to allow fully binary -d style posts.

Bugfixes:

Name resolving problems fixed for AIX, HPUX, Digital Unix/Tru64...
Updated the VC++ makefile

Fixed in 7.1.1 - August 21 2000

Bugfixes:

No user but password in a URL is now working properly
curl now allows replacing of the Content-Type: and Content-Length: headers when doing -d posts
fixed a name resolving problem that appeared at times
rearranged the gethostbyname_r() configure test
-w did not do well when used with multiple URLs

Fixed in 7.1 - August 7 2000

Changes:

CURLOPT_PROXYPORT added to curl_easy_setopt() in the lib
Now features an 'auto referer' so that curl can set the "correct" referer when following location:
removed CURLOPT_PROGRESSMODE from the lib
libcurl offers a progress meter callback
Lots of symbol renamings in the libcurl public stuff.

Bugfixes:

builds libcurl as a shared library with libtool
JavaWebServer's incorrect Content-Range headers are supported
localtime_r() is now used if available instead of localtime()
'make install' installs the include files properly
Replacing an internal HTTP header with one that has no content removes the header
user+password is now restricted and sent only to the first host when Location: is followed to another host
FTP command response reading now times out properly, even on win32
rfc1867 form-posting was extended for use with large text posts
FTP transfering (converted) ASCII could make curl wrongly believe the transfer was only partial, there is no way can tell the expected size of a file downloaded in FTP ASCII
various manual corrections
FTP transfers now accept 250 as well as 226 as a positive end-of-transfer result
The configure check for requiring the nsl and socket lib at once was re-added
Host: was not displaying the port number as supposed on non-standard ports
HTTPS connection failures could slip through and make curl attempt reading at a dead socket
Using -F, -I or -d in any weird mix now causes the curl client to alert
FTP PORT command bug fixed
HTTP POST and then following Location: now causes all except the first requests to become GET.
win32 now sends data binary to stdout unless -B / --use-ascii is specified
added a README.win32 file
Custom headers when doing location: works again
libcurl is much more threadsafe
Many portability issues have been smoothened out
The FTP range support were buggy and is now corrected
Major re-organisation of all library internals to allow for a new library interface.
A buffer overflow (with URLs larger than 4096 characters) was fixed
The FTP sessions are slightly modified and now they're using CWD to change to the directory where the operation is requested.
FTP URLs are now treated more like the RFC specifies (minor change)
now sends user agent string when talking ftp through a http proxy
made the progress meter nicer for sizes between 10 and 100 megabytes
no longer checks for install twice in the configure script
improved win32 headers for VC++ compiling
minor fix when using libcurl in a multi-threaded program
the OS/2 port was slightly adjusted
location following through a http proxy on a specified non-default port didn't work
location following to an absolute URL on a different port didn't work

Fixed in 6.5.2 - March 21 2000

Bugfixes:

corrected the -D mockup that caused 6.5.1 to crash

Fixed in 6.5.1 - March 20 2000

Bugfixes:

curl_unescape() buffer overrun removed
-w 'http_code' works!
OS/2 port
adjusted to compile smoothly with MS VC++
-D/--dump-header now only writes the file when needed, and not before

Fixed in 6.5 - March 13 2000

Changes:

-N now disables output buffering
the new -w/--write-out allows for script writers to specify what curl should output after a successful request

Bugfixes:

now sends cookies space separated
Corrected OpenSSL 0.9.5 compliance problems
the perl scripts are moved out from the distribution
Ultrix port
-K config files no longer have a max line length
new progress meter to better show both upload and download
MacOS X port
upload and download now performs simultaneously in case of need. This will make posting of big forms that are "echoed back" to finally work.
the cookie parser shouldn't crash on empty cookie names, nor should it send empty cookies to the server anymore.
-b now supports both @[filename] and @- for stdin
unlimited line lengths in the config file
Compiles on sunos4 again
Corrected the removed possibility to chose the progress bar
Made the max display width with progress bar 79 when the COLUMNS variable isn't set.

Fixed in 6.4 - January 17 2000

Changes:

Ability to run --quote commands after ftp transfers now, as well as before

Bugfixes:

Improved progress meter
Getting files with URL syntax codes (%-stuff) from a ftp server was not dealt with nicely
-b corrupted the cookie header lines when they were read off a server
Cleaned up the interface between the lib and the curl tool.
Made the -X's long option change name to --request and now you can specify full request command for ftp listings (like "LIST -l").
Improved the --stderr workings for win32.
BeOS port by Lars J. Aas!

Fixed in 6.3.1 - November 23 1999

Bugfixes:

posting an empty variable with -F, like "name=" did cause curl to hang
when the download from a http server gets cut off curl now warns about it
better error checks when fwrite()ing the output
minor fix that may correct the amiga-port problem
A lethal cookie bug was fixed.

Fixed in 6.3 - November 10 1999

Changes:

-b/--cookie is now capable of parsing and understanding the cookies saved in a netscape cookie file. This is useful when you want your script to better inherit the properties of your previous browser session.
-H/--header now is capable of replacing internal headers. If you add a header that would've been used internally, the added will be used instead.

Bugfixes:

-z (date-dependent HTTP fetches) now works better since we're doing a date comparison in the client as well.
Corrected several mistakes in the man page.
-I now works for ftp-files too. It merely shows the file size now.
Simple range support added for ftp downloads.
Following location: in a https:// header could lead to a crash.

Fixed in 6.2 - October 21 1999

Changes:

--stderr now supports redirecting the stderr stream to stdout or a file now. This is mainly for victims of Windows.
the configure script understands --without-ssl now!

Bugfixes:

another bug in loction: following with proxies when the protocol part isn't specified was fixed
fixed the lib Makefile to not include getpass twice when linking
removed core-dump due to bad free after download was complete in src/main.c
removed double text output when ftp-downloading
config.guess recognizes Mac OS X
HTTP headers are now parsed case insensitive!

Fixed in 6.1 - October 17 1999

Bugfixes:

zlib proved not to be as easy to add as I had anticipated. I'll keep it on hold for now.
moved the libcurl include files into a subdir named curl
#include zlib.h fixes
adjusted the maketgz script to reduce reruns of the configure when building

Fixed in 6.1 beta

Bugfixes:

-d now can get data from a file or stdin
HTTP: "Accept-Encoding: gzip,compress,deflate" - experiments
Misc: Multiple URL download capacity
HTTP: Made the -F form posting accept files from stdin as well.

Fixed in 6.0 - September 13 1999

Changes:

ldap:// with openldap
file:// works, for unix and win32

Bugfixes:

cookie matching when using HTTP proxy
better cookie sending (single line)
QUOT fix for ftp
ftp upload through http proxy is now allowed using HTTP PUT
improved configure openssl path specifier
enabled "custom" http requests (like DELETE or TRACE)

Earlier changes elsewhere