THANKS: from the 8.0.0 release

scripts/delta: fix "ambiguous argument" when used in branches

SECURITY-PROCESS.md: Busy-loops are not security problems

Closes #10790

tests/http: do not save files for downloads in scorecard testing

Closes #10788

cf-socket: use port 80 when resolving name for local bind

It turns out c-ares returns an error when asked to resolve a host name with
ares_getaddrinfo using port number 0.

Repor

cf-socket: use port 80 when resolving name for local bind

It turns out c-ares returns an error when asked to resolve a host name with
ares_getaddrinfo using port number 0.

Reported as a c-ares bug here: https://github.com/c-ares/c-ares/issues/517

The work-around is to simply use port 80 instead, as the number typically does
not make a difference and a non-zero number works for c-ares.

Fixes #10759
Reported-by: Matt Jolly
Closes #10789

show more ...

curl.h: require gcc 12.1 for the deprecation magic

Reported-by: kchow-FTNT on github
Fixes #10726
Closes #10784

Revert "rtsp: use dynbuf instead of custom reallocs"

This reverts commit 1b9ea3239d22147e00d8 because of OSS-fuzz reports.
I'll do another take after the pending release.

Closes

Revert "rtsp: use dynbuf instead of custom reallocs"

This reverts commit 1b9ea3239d22147e00d8 because of OSS-fuzz reports.
I'll do another take after the pending release.

Closes #10785

show more ...

test422: verify --next used without a prior URL

Closes #10782

tool_getparam: error if --next is used without a prior URL

Reported-by: 積丹尼 Dan Jacobson
Ref: https://github.com/curl/curl/pull/10769#discussion_r1137895629

Closes #10782

libssh: use dynbuf instead of realloc

When building lines to show for SFTP directory listings.

Closes #10778

lib2305: deal with CURLE_AGAIN

The test does a slightly ugly busy-loop for this case but should be
managable due to it likely being a very short moment.

Mention CURLE_AGAIN in c

lib2305: deal with CURLE_AGAIN

The test does a slightly ugly busy-loop for this case but should be
managable due to it likely being a very short moment.

Mention CURLE_AGAIN in curl_ws_recv.3

Fixes #10760
Reported-by: Jay Satiro
Closes #10781

show more ...

rtsp: use dynbuf instead of custom reallocs

For the RTP buffering.

Closes #10776

libssh2: remove unused variable from libssh2's struct

Closes #10777

RELEASE-NOTES: synced

multi: remove PENDING + MSGSENT handles from the main linked list

As they are not driving transfers or any socket activity, the main loop
does not need to iterate over these handles. A p

multi: remove PENDING + MSGSENT handles from the main linked list

As they are not driving transfers or any socket activity, the main loop
does not need to iterate over these handles. A performance improvement.

They are instead only held in their own separate lists.

Assisted-by: Stefan Eissing
Ref: #10743
Closes #10762

show more ...

multi: turn link/unlinking easy handles into dedicated functions

http_aws_sigv4: fix scan-build "value stored to 'ret' is never read"

Follow-up to 495d09810aa9a

Closes #10766

lib: skip Curl_llist_destroy calls

Linked lists themselves do not carry any allocations, so for the lists
that do not have have a set destructor we can just skip the
Curl_llist_destr

lib: skip Curl_llist_destroy calls

Linked lists themselves do not carry any allocations, so for the lists
that do not have have a set destructor we can just skip the
Curl_llist_destroy() call and save CPU time.

Closes #10764

show more ...

lib643: LIB644 is never defined, this is dead code

Closes #10765

libtest/Makefile.inc: remove superfluous variables

Rely on the defaults when possible.

Closes #10765

tests/http: remove year ranges from copyrights

Closes #10763

aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3

all s3 requests default to UNSIGNED-PAYLOAD and add the required
x-amz-content-sha256 header. this allows CURLAUTH_AWS_SIGV4 to co

aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3

all s3 requests default to UNSIGNED-PAYLOAD and add the required
x-amz-content-sha256 header. this allows CURLAUTH_AWS_SIGV4 to correctly
sign s3 requests to amazon with no additional configuration

Signed-off-by: Casey Bodley <cbodley@redhat.com>

Closes #9995

show more ...

wolfssl: add quic/ngtcp2 detection in cmake, and fix builds

- add QUIC/ngtcp2 detection in CMake with wolfSSL.

Because wolfSSL uses zlib if available, move compression detection

wolfssl: add quic/ngtcp2 detection in cmake, and fix builds

- add QUIC/ngtcp2 detection in CMake with wolfSSL.

Because wolfSSL uses zlib if available, move compression detection
before TLS detection. (OpenSSL might also need this in the future.)

- wolfSSL 5.5.0 started using C99 types in its `quic.h` header, but it
doesn't #include the necessary C99 header itself, breaking builds
(unless another dependency pulled it by chance.) Add local workaround
for it. For this to work with all build tools, we had to fix our
header detection first. Ref: #10745

Ref: https://github.com/curl/curl-for-win/commit/6ad5f6ecc15620c15625fc443476b3a1ecef4f3f

Closes #10739

show more ...

secure-transport: fix recv return code handling

Return code handling of recv calls were not always correct when an error
occured or the connection was closed.

Closes #10717

http2: Use KEEP_SEND_HOLD for flow control in HTTP/2

- use the defined, but so far not used, KEEP_SEND_HOLD bit for flow
control based suspend of sending in transfers.

Prior t

http2: Use KEEP_SEND_HOLD for flow control in HTTP/2

- use the defined, but so far not used, KEEP_SEND_HOLD bit for flow
control based suspend of sending in transfers.

Prior to this change KEEP_SEND_PAUSE bit was used instead, but that can
interfere with pausing streams from the user side via curl_easy_pause.

Fixes https://github.com/curl/curl/issues/10751
Closes https://github.com/curl/curl/pull/10753

show more ...