Changes in 8.19.0 - March 11 2026

Changes:

• BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026
• cmake: add `CURL_BUILD_EVERYTHING` option
• mqtt: initial support for MQTTS
• tool: support fractions for --limit-rate and --max-filesize
• tool_cb_hdr: with -J, use the redirect name as a backup
• vquic: drop support for OpenSSL-QUIC
• windows: add build option to use the native CA store
• windows: bump minimum to Vista (from XP)

Bugfixes:

• altsvc: only accept 17 byte dates from files
• asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails
• async-ares: blocking resolve timeout handling, better
• badwords: move into ./scripts, speed up
• build: add missing `GENERATEDCERTS` files
• build: adjust minimum version for some clang picky warnings
• build: check `MSG_NOSIGNAL` directly, drop detection and interim macro
• build: constify `memchr()`/`strchr()`/etc result variables (cont.)
• build: detect and include `inttypes.h` again
• build: do not include wolfSSL header in `curl_setup.h`
• build: drop duplicate C includes
• build: drop global suppression of `-Wformat-nonliteral`, fix fallouts
• build: drop unused `snprintf()` feature check on Windows
• build: fix `-Wunused-macros` warnings, and related tidy-ups
• build: fix building rare combinations
• build: fully omit verbose strings and code when disabled
• build: globally suppress DJGPP warnings in `FD_SET()`
• build: merge TrackMemory (`CURLDEBUG`) into debug-enabled option
• build: move curl stat struct type to the curlx namespace
• build: opt-in MSVC to C99-style verbose logging logic
• build: require POSIX `strdup()`
• build: tidy up and dedupe `strdup` functions
• cf-socket: ignore SOCK_CLOEXEC etc for socktype equality checks
• cf-socket: use SOCK_CLOEXEC in socket_open when available
• checksrc-all.pl: skip non-repository files
• checksrc: do not apply `BANNEDFUNC` to struct member functions
• checksrc: warn for leading spaces before the preprocessor hash
• clang-tidy: add missing and delete redundant parentheses
• clang-tidy: add more missing parentheses in macro values
• clang-tidy: avoid/silence `bugprone-not-null-terminated-result`
• clang-tidy: check `bugprone-macro-parentheses`, fix fallouts
• clang-tidy: drop redundant conditions reported by `misc-redundant-expression`
• clang-tidy: enable `bugprone-signed-char-misuse`, fix fallouts
• clang-tidy: enable more checks
• clang-tidy: enable scanning headers
• clang-tidy: fix issues found with build-fuzzing
• clang-tidy: silence more minor issues found by v22
• cmake/FindMbedTLS: add workaround for missing static MSVC `mbedcrypto.lib` 4.0.0
• cmake: add `CURL_DROP_UNUSED` option to reduce binary sizes
• cmake: add native clang-tidy support for tests, with concatenated sources
• cmake: always build curlu and curltool test libs in unity mode
• cmake: always define `CURL::win32_winsock` on Windows in `curl-config.cmake`
• cmake: convert `curl_add_clang_tidy_test_target()` macro to function
• cmake: enable binutils ld workaround for all toolchains at build-time
• cmake: fix `LOCATION` property access condition (debug)
• cmake: fix `LOCATION` property read errors in target debug function
• cmake: fix building with `CMAKE_FIND_PACKAGE_PREFER_CONFIG=ON`
• cmake: fix confusing error when a dependency is undetected in `curl-config.cmake`
• cmake: fix logic for openssl/zlib binutils ld workaround
• cmake: fix passing system header directories to clang-tidy for tests
• cmake: fix system include directory position for clang-tidy in tests
• cmake: improve clang-tidy test command-line reproduction
• cmake: minor fixes to test targets after prev
• cmake: normalize uppercase hex winver (for display)
• cmake: omit `curl.rc` from curltool lib
• cmake: reference OpenSSL and ZLIB imported targets only when enabled
• cmake: replace internal option with a new `tt` (test tools) target
• cmake: silence potential unused var warnings in C++ test snippet
• cmake: silence silly Apple clang warnings in C89 mode, test in CI
• cmake: silence useless compiler warnings triggered by the FASTBuild generator
• cmake: skip binutils ld hack if zlib/openssl target is not `IMPORTED`
• cmake: warn for invalid `CURL_TARGET_WINDOWS_VERSION` values
• cmke: add `*_USE_STATIC_LIBS` options for 9 dependencies
• config-plan9: set `HAVE_STDINT_H` again
• config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST
• config2setopts: fix for --disable-aws build configuration
• configure: drop always true `if` check (Windows)
• content_encoding: return 'identity' if none other exists
• curl: add -I and -i to -h important
• curl: limit Windows-specific code to Windows builds, other tidy-ups
• curl_easy_nextheader.md: a new transfer invalidates 'prev'
• curl_get_line: drop single-use macro
• curl_multi_perform.md: resolve inconsistency
• curl_ntlm_core: merge two `#if` blocks
• curl_setup.h: drop extra header guard for internal include
• curl_setup.h: merge back single-use internal header `curl_setup_once.h`
• curl_setup.h: simplify curl memory macro mappings
• curl_setup_once: allow CURL_DEBUGASSERT for customization
• CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md: fix available protocols
• curlx: drop unused `curlx_saferealloc()`
• digest: escape double quotes and backslashes in realm and nonce
• digest: fix memory leak in auth_create_digest_http_message()
• digest: handle quotes in the path
• docs/INSTALL: update configure details
• docs/libcurl: unify WARNING use
• docs: add LibreELEC to DISTROS.md
• docs: add reproducible example for generating man page
• docs: avoid starting sentences with However,
• docs: avoid using the word 'magic'
• docs: clarify --ipv4 and --ipv6
• docs: document the need for a 64-bit type and stdint.h
• docs: drop basically
• docs: explicitly call out Slowloris as not a security flaw
• docs: fix grammar nitpicks
• docs: handle error in `curl_global_init*` examples
• docs: replace instances of the vague qualifier 'quite'
• docs: reword explanation of --variable option
• docs: some nitpicks
• docs: use dot instead of comma at end of sentences
• easy: reset errorbuf on eyeballing success
• easy: reset pausing when resetting request
• examples/usercertinmem: use modern OpenSSL API, drop mentions of RSA
• examples: improve OpenSSL certificate examples
• examples: omit forward declarations, apply misc fixes
• FAQ: syntax improvements
• fopen.h: simplify curl memory macro mappings
• ftp: replace a `curlx_free()` with `curlx_dyn_free()`
• ftp: split ftp_state_use_port into sub functions
• GOVERNANCE.md: Post-Daniel BDFL
• gss: exclude verbose error logic from non-verbose builds
• h2+h3: align stream close handling
• hostip.c: fix leak of addrinfo
• hostip6: remove debug-only code
• hostip: fix unreachable code in rare build configuration
• http/3: add description for known server error codes
• http1: fix potential NULL dereference in `Curl_h1_req_parse_read()`
• http: only send bearer if auth is allowed
• http_aws_sigv4: fix query normalization of %2b
• imap: add a check for Curl_meta_get()
• imap: check `imap_sendf()` printf masks at compile-time
• imap: skip literals inside quoted strings
• include: avoid recursive macros
• include: mask computed auth/proto bitmasks to 32 bits
• INSTALL-CMAKE.md: document Apple framework options
• INSTALL.md: fix typo
• INSTALL.md: suggest `-Wl,-dead_strip` for Apple targets
• KNOWN_BUGS.md: absolute Unix domain filename for SOCKS on Windows
• ldap: silence clang-tidy v22 warning
• ldap: silence potential unused variable warning (OS400)
• lib: delete unused local includes
• lib: disable websockets early if no http
• lib: make sigpipe handling more lazy
• lib: reorder protocol functions to avoid forward declarations (email)
• lib: reorder protocol functions to avoid forward declarations (ftp)
• lib: reorder protocol functions to avoid forward declarations (misc cont.)
• lib: reorder protocol functions to avoid forward declarations (misc)
• lib: reorder protocol functions to avoid forward declarations (ssh)
• lib: separate scheme info from protocol implementation
• lib: skip compiling code with features disabled
• lib: use (u)int64_t instead of long long
• libcurl docs: reduce 'since ...' in descriptions
• libcurl-security.md: fix typos and add a point about URLs
• libtests: drop two redundant `memset()`s
• Makefile.am: delete RPM targets referencing non-existent files
• Makefile.am: drop stray VC project files from dist
• managen: silence Perl warnings
• mbedtls: guard TLS 1.3 + session tickets usage inside ifdef
• mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
• mbedtls: remove newline from failf() call
• mbedtls: split mbed_connect_step1 into sub functions
• md4, md5: drop redundant forward declarations
• md4, md5: replace custom types with `uint32_t`
• memdebug: include `backtrace.h` as system header
• mime: drop fallback for unused `R_OK` macro
• mimepost: allocate main struct on-demand
• mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos
• mod_curltest: silence unused argument compiler warning
• mprintf: drop old sprintf fallback
• mprintf: rename internal enum to avoid collision with AmigaOS symbol
• mprintf: silence clang-tidy `readability-suspicious-call-argument`
• mprintf: use `_snprintf()` when compiled with VS2013 and older
• mqtt: better too-big-message-check
• mqtt: fix EOF handling
• mqtt: verify Remaining Length for CONNACK and PUBACK
• msvc: drop exception, make `BIT()` a bitfield with Visual Studio
• msvc: VS2026: unlock picky warning in cmake, test in CI
• multi: avoid a theoretical 32-bit wrap
• multi: fix unreachable code compiler warning
• multi: probe for IPv6 functionality in multi_init()
• multi: split multi_runsingle into sub functions
• multi: update timer unconditionally in multi_remove_handle
• ngtcp2: stabilize recv
• noproxy: simplify, don't mix const non-const in strchr()
• openldap: avoid forward declarations in ldaps code
• openssl+ech: workaround for insecure handshakes
• openssl: adapt to OpenSSL master adding const to more APIs
• OpenSSL: check reuse of sessions for verify status
• openssl: disable local keylog feature if built-in upstream
• openssl: fix compiler warning with OpenSSL master
• openssl: fix potential NULL dereference when loading certs (Windows)
• openssl: fix potential OOB read in debug/verbose logging
• plan9: drop special build and orphaned references
• proxy-auth: additional tests
• pytest: remove 03_02
• quiche: use PRIu64 for outputting the stream id
• rand: drop impossible preprocessor branches (wincrypt)
• rand: drop scan-build silencer
• ratelimit: download finetune
• request.h: rename parameter 'buf' to 'req' in Curl_req_send
• REUSE: drop broken reference to `MAIL-ETIQUETTE`
• rtsp: fix assertion failure on zero-length RTP payload
• rtspd: fix to check `realloc()` result
• runtests: pass config filename to stunnel in native format (Windows)
• schannel: refactor: reduce variable scopes, fix comment, fix indent
• send: drop `CURL_UNCONST()` from buffer argument on most platforms
• setopt: fix checking range for CURLOPT_MAXCONNECTS
• setopt: refuse blobs with zero length
• setup-os400.h: drop no longer used custom type `u_int32_t`
• sigpipe: unset SA_SIGINFO since it is using sa_handler
• silent.md: also mention it shuts off warning messages
• smb: free the path in the request struct properly
• smb: include arpa/inet.h for NonStop
• socket: check result of SO_NOSIGPIPE
• socketpair: clear 'err' when retrying due to EINTR
• socketpair: set SO_NOSIGPIPE where possible
• socks: ensure DNS is freed in failure cases.
• src: simplify declaring `curl_ca_embed`
• ssh: dedupe state change function
• stop using the word 'just'
• sws: prevent "connection monitor" to say disconnect twice
• synctime: fix use of uninitialized buffer on non-Windows
• system_win32: replace manual init code with `curlx_now_init()` call
• tests/server/sockfilt: avoid possible endless loop on Windows
• tests/server: drop unused `curlx/version_win32.c`
• tests/server: fix to clear the complete `srvr_sockaddr_union_t` variable
• tests/server: tidy-up error messages (Windows)
• tests: avoid assignment in `if` conditions in `first.h`
• tests: convert base64 data to %b64[]
• tftp: correct the filename length check
• timeout handling: auto-detect effective timeout
• tls: add new SSLSUPP flags for several options
• tls: remove checks for DEFAULT
• tool: enable header separation for HTTPS proxies
• tool: improve config error messaging
• tool: improve error/warning messages when output filename sanitization fails
• tool: rename curl handle and result variable in `--libcurl`-generated code
• tool: return code variable consistency
• tool_cb_hdr: suppress header output when --out-null
• tool_cb_prg: drop duplicate preprocessor logic
• tool_dirhie: drop superfluous `F_OK` fallback (Windows)
• tool_doswin: avoid memory-leak with CURL_FN_SANITIZE_*
• tool_doswin: avoid Windowsisms in socket code (cont.)
• tool_doswin: avoid Windowsisms in socket code
• tool_doswin: document `ENABLE_VIRTUAL_TERMINAL_PROCESSING` toolchain support
• tool_getparam: avoid `-Wcomma` with Apple clang in C89 mode
• tool_operate: remove 'else' for VMS
• tool_operate: reset the URL --url-query between --next
• typos: silence false positives found in C code
• unit3205: suppress two clang-tidy false positives
• URL-SYNTAX.md: fix port number mistakes for IMAP and LDAP
• url.c: code/comment cleanup around conn creation
• url.h: fix `-Wdocumentation`
• url: fix reuse of connections using HTTP Negotiate
• urlapi: use U_CURLU_URLDECODE when toggling it off unsigned
• urldata.h: remove two forward-declared structs not used
• urldata: byebye `conn->hostname_resolve`
• urldata: change 'keep_post' into three distinct bitfields
• urldata: convert 'long' fields to fixed variable types
• urldata: switch to uint* types
• usercertinmem: use the correct cert BIO
• verbose.md: explain the { and } prefixes
• vquic: fix unused variable warning reported by clang-tidy
• vquic: handle SOCKEMSGSIZE correctly
• vtls: dedupe common on-session-reuse logic
• vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests
• VULN-DISCLOSURE-POLICY.md: push reports to the web form
• VULN-DISCLOSURE-POLICY.md: use hackerone
• winapi: use FormatMessageA instead of FormatMessageW
• windows: `USE_WINSOCK` to guard winsock2 code (where missing)
• windows: determine `RtlVerifyVersionInfo` address on global init
• windows: tidy up `wincrypt.h` / BoringSSL/AWS-LC coexist workaround
• wolfssl: fix build without USE_BIO_CHAIN
• ws/tftp: include header file even when protocol disabled
• x509asn1: make encodeOID stop on too long input

Further