Daniel Stenberg, the Swedish open source developer and maintainer of Curl, has announced the release of Curl 8.9.0. This release marks a significant milestone in the project's history, with a whopping 260 bugfixes, 11 changes, and 2 security fixes.
Table of Contents
Curl 8.9.0 Release Statistics
Curl is one of the oldest and mature software in the opensource ecosystem.
Curl 8.9.0 is the 258th release of the software, demonstrating the project's ongoing commitment to improvement and innovation.
The new version incorporates 11 changes and an impressive 260 bugfixes, setting a record for the project. These improvements came through 423 commits from a diverse group of 80 contributors, including 38 newcomers. The release also saw contributions from 47 authors, with 16 first-time contributors, showcasing the project's growing community.
That brings the total number of contributors to an impressive 3,209, with 1,288 authors having contributed to the project so far.
Here's the concise summary of Curl 8.9.0 release statistics:
- 258th release,
- 11 changes implemented,
- 260 bugfixes added,
- 423 commits made,
- 80 contributors, including 38 new ones,
- 47 authors, with 16 first-time contributors.
Security Enhancements
Security remains a top priority for Curl. Version 8.9.0 addresses two vulnerabilities: CVE-2024-6197 and CVE-2024-6874. These fixes further strengthen Curl's security profile.
The first, CVE-2024-6197, is a medium-severity issue in the ASN1 parser. This vulnerability involves freeing a stack buffer in the utf8asn1str function.
The issue arises in libcurl’s ASN1 parser when the utf8asn1str function detects an invalid field and returns an error. Unfortunately, it also invokes free() on a 4-byte local stack buffer.
The second, CVE-2024-6874, is a low-severity problem related to punycode conversions in the URL API.
The issue occurs in libcurl’s URL API function curl_url_get() which offers punycode conversions to and from IDN. When converting a name that is exactly 256 bytes, libcurl reads outside of a stack-based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly but does not null-terminate the string.
New Features
Curl 8.9.0 introduces several new command-line options to enhance its functionality. Users can now set the IP Type of Service / Traffic Class with the --ip-tos option.
The --mptcp option enables Multipath TCP for connections, potentially improving network performance.
For local network management, the --vlan-priority option allows setting the VLAN priority field for IP traffic.
Lastly, the --keepalive-cnt option lets users specify the number of keepalive probes before marking a connection as dead.
Improvements
The update brings various enhancements to Curl's capabilities. Both GnuTLS and WolfSSL now support CA caching, which can significantly speed up serial TLS connections.
MbedTLS adds support for CURLOPT_CERTINFO, allowing applications to retrieve certificate information.
The URL API introduces CURLU_NO_GUESS_SCHEME for better scheme detection. Additionally, users can now bind a connection to both interface and IP simultaneously, offering more flexibility in network configurations.
New Options
Curl 8.9.0 introduces one new curl_easy_setopt() option and four new command line options. These additions expand the functionality of Curl, providing users with more tools and flexibility.
Notable Bugfixes
This release includes a record-breaking 260 bugfixes, the most ever in Curl’s long history. The improvements span various areas, including numerous enhancements to CMake and configure scripts.
Documentation and help features have been refined for better user experience. The team has addressed memory leaks and crashes in DNS over HTTPS (DoH) implementations.
Handling of HTTPS, QUIC, and TLS connections has been improved. The release also includes better support for various operating systems and SSL libraries, making Curl more versatile across different platforms.
Here's a list of notable bug fixes in this release:
- cmake: 26 separate bugfixes.
- configure: 10 separate bugfixes.
- Help category cleanup: Improved the
--helpoutput by listing categories and cleaning up the presentation. - 3xx replies: Allowed
etagandcontent-dispositionfor 3xx replies. - Documentation: Countless fixes, polish, and corrections.
- Test summary: Show names and keywords for failed tests in the summary.
- GetAddrInfoExW: Avoid using this with impersonation.
- AWS Sigv4: URL encode the canonical path.
- DoH (DNS over HTTPS): Various fixes including cleanup, memory leak resolution, and zero-length HTTPS RR crash fixes.
- AppleIDN: Fixed handling of
ß. - OpenSSL 1.x: Fixed compilation issues with
md4disabled. - Progress updates: Added a final progress update on connect failure.
- Multi: Fixed pollset during the RESOLVING phase.
- QUIC: Enabled UDP GRO and added shutdown support, with OpenSSL 3.3 now required.
- Input conversion: Fixed CRLF conversion of input.
- SMTP: Fixed
starttlsfor SMTP. - TCP keepalive: Changed from milliseconds to seconds on DragonFly BSD and supported parameters on Solaris <11.4.
- TLS and TCP: Improved shutdown.
- GnuTLS: Passed in SNI name instead of hostname when checking certificates, and rectified TLS version checks for QUIC.
- mbedTLS v3.6.0: Added workarounds.
- X509 ASN.1 parser: Several fixes.
With numerous bugfixes, new options, and security enhancements, this release ensures that Curl remains a powerful and reliable tool for data transfer.
Download and Install Curl 8.9.0
You can download the new Curl release from curl.se as always. Since this version is new, it is not yet packaged for most Linux distributions. But no worries. You can install the latest Curl from source using GNU Stow.
1. Ensure your system package database is up-to-date.
sudo apt update # For Debian/Ubuntu-based systems sudo yum update # For CentOS/RHEL systems sudo dnf update # For Fedora systems sudo pacman -Syu # For Arch Linux systems
2. Install the necessary development tools if they are not already installed.
sudo apt install build-essential # Debian/Ubuntu sudo yum groupinstall "Development Tools" # CentOS/RHEL sudo dnf groupinstall "Development Tools" # Fedora sudo pacman -S base-devel # Arch Linux
You will also need to install the OpenSSL development libraries if you want to compile Curl with the OpenSSL backend. For example on Debian-based systems, you can install OpenSSL development libraries using the command:
sudo apt install libssl-dev
If you want to compile Curl with the GnuTLS backend, install the following on a Debian-based system:
sudo apt install libgnutls28-dev libgnutls30
3. Install GNU Stow.
sudo pacman -S stow # Arch Linux sudo apt install stow # Debian/Ubuntu sudo yum install stow # Older CentOS/RHEL sudo dnf install stow # Latest Fedora/RHEL/AlmaLinux/Rocky Linux
4. Download the latest Curl source code from its official releases page and extract it.
wget https://github.com/curl/curl/releases/download/curl-8_9_0/curl-8.9.0.tar.gz tar xvf curl-8.9.0.tar.gz
5. Configure the Build with the Prefix.
Cd into the extracted directory:
cd curl-8.9.0
Configure the build with the TLS backend and installation directory to be managed by GNU Stow.
./configure --with-ssl --prefix=/usr/local/stow/curl-8.9.0
If you want to configure Curl with GnuTLS, use this command instead:
./configure --with-gnutls --prefix=/usr/local/stow/curl-8.9.0
6. Compile the Software.
make
7. Install Curl 8.9.0
sudo make install
8. Use GNU Stow to add Curl to your PATH.
Change to the stow directory and use stow to manage the installation.
cd /usr/local/stow sudo stow curl-8.9.0
9. Verify that Curl is correctly installed and accessible.
curl --version
Sample Output:
curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 GnuTLS/3.7.1 zlib/1.2.11 libidn2/2.3.0 Release-Date: 2024-07-24 Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets
Looking Ahead: Curl 8.10.0
Due to the extended release cycle for Curl 8.9.0, the developer says that the next release 8.10.0 will have a shortened cycle.
He also added that the feature window for Curl 8.10.0 will be just two weeks, which might impact the number of new features and changes that can be merged.
Despite this, there is already a large number of pull requests pending merge, awaiting the release window to open.
If all goes well, Curl 8.10.0 is expected to be released on September 11, 2024. This upcoming release will continue the tradition of improvement and innovation that Curl is known for.
For more details, please check the official release notes:
Related Read:
