Curl 8.9.0 Released: New Features, Bugfixes, and How to Install

Curl 8.9.0 release: 260 bug fixes and multiple improvements

Swedish open source developer Daniel Stenberg announced the release of Curl 8.9.0, an important milestone in the development history of the project. This release contains an amazing 260 bug fixes, 11 changes, and 2 security fixes.

Table of contents

- Curl 8.9.0 version statistics

• Security enhancement
• New Features
• improve
  • New Options
• Important bug fixes
• Download and install Curl 8.9.0
• Looking to the future: Curl 8.10.0

Curl 8.9.0 version statistics

Curl is one of the oldest and most mature software in the open source ecosystem.

Curl 8.9.0 is the 258th version of the software, demonstrating the project's ongoing commitment to improvement and innovation.

The new release has 11 changes and an impressive 260 bug fixes, setting a record for the project. These improvements came from 423 submissions from 80 contributors, including 38 newbies. This edition also received contributions from 47 authors, 16 of whom were first-time contributors, showing the project’s growing community.

This brings the total number of contributors to an impressive 3209, with 1288 authors contributing to the project so far.

The following is a brief summary of Curl 8.9.0 version statistics:

• Version 258,
• 11 changes were implemented,
• Added 260 bug fixes,
• 423 submissions were made,
• 80 contributors, including 38 newbies,
• 47 authors, 16 of whom are first-time contributors.

Security enhancement

Security remains Curl's priority. Version 8.9.0 resolves two vulnerabilities : CVE-2024-6197 and CVE-2024-6874 . These fixes further enhance Curl's security features.

The first vulnerability, CVE-2024-6197 , is a moderately severity issue in the ASN1 parser. This vulnerability involves freeing the stack buffer in the utf8asn1str function.

This problem occurs in the ASN1 parser of libcurl when the utf8asn1str function detects an invalid field and returns an error. Unfortunately, it also calls free() on a 4-byte local stack buffer.

The second vulnerability, CVE-2024-6874 , is a low-severity issue related to the punycode conversion in the URL API.

This problem occurs in the URL API function curl_url_get() of libcurl, which provides a conversion from puzzle code to IDN. When converting a name that is exactly 256 bytes, libcurl reads content outside the stack buffer when constructed to use the macidn IDN backend. The conversion function then completely fills the provided buffer, but does not end with null.

New Features

Curl 8.9.0 introduces several new command-line options to enhance its functionality. Users can now set IP service type/traffic category using the --ip-tos option.

The --mptcp option enables multipath TCP connections, which may improve network performance.

For local network management, the --vlan-priority option allows setting the VLAN priority field for IP traffic.

Finally, the --keepalive-cnt option allows the user to specify the number of keepalive probes before marking the connection as invalid.

improve

This update brings various enhancements to Curl's capabilities. Both GnuTLS and WolfSSL now support CA caching , which can significantly speed up serial TLS connections.

MbedTLS adds support for CURLOPT_CERTINFO, allowing applications to retrieve certificate information.

The URL API introduces CURLU_NO_GUESS_SCHEME to better perform scheme detection. Additionally, users can now bind connections to both interfaces and IPs, providing greater flexibility in network configuration.

New Options

Curl 8.9.0 introduces a new curl_easy_setopt() option and four new command line options. These new features extend Curl's capabilities, giving users more tools and flexibility.

Important bug fixes

This release contains a record 260 bug fixes, the most in Curl's long history. These improvements cover various areas, including many enhancements to CMake and configuration scripts.

Documentation and help features have been improved to provide a better user experience. The team resolved memory leaks and crashes in the DNS over HTTPS (DoH) implementation.

The processing of HTTPS, QUIC and TLS connections has been improved. This release also includes better support for various operating systems and SSL libraries, making Curl more universal on different platforms.

Here are some important bug fixes in this release:

• cmake : 26 separate bug fixes.
• configure : 10 separate bug fixes.
• Help Category Cleanup : Improve --help output by listing categories and cleaning presentations.
• 3xx Reply : Allow 3xx replies to etag and content-disposition.
• Documentation : Countless repairs, polishes and corrections.
• Test Summary : Displays the name and keywords of the failed test in the summary.
• GetAddrInfoExW : Avoid using it with simulation.
• AWS Sigv4 : ​​URL encoding specification path.
• DoH (DNS over HTTPS) : Various fixes include cleaning, memory leak resolution, and zero-length HTTPS RR crash fix.
• AppleIDN : Fixed the processing of ß.
• OpenSSL 1.x : Fixed the compilation issue of disabling md4.
• Progress Update : Added final progress update when the connection fails.
• Multi : Fixed pollset during the RESOLVING phase.
• QUIC : UDP GRO enabled and closing support added, OpenSSL 3.3 is now required.
• Input Conversion : Fixed CRLF conversion of input.
• SMTP : Fixed starttls for SMTP.
• TCP keepalive : Change from milliseconds to seconds on DragonFly BSD and support parameters on Solaris
• TLS and TCP : Improved shutdown.
• GnuTLS : Passed in the SNI name instead of the host name when checking the certificate, and corrected the TLS version check of QUIC.
• mbedTLS v3.6.0 : Added workaround.
• X509 ASN.1 parser : multiple fixes.

With numerous bug fixes, new options and security enhancements, this release ensures Curl remains a powerful and reliable data transfer tool.

Download and install Curl 8.9.0

You can always download the new Curl version from curl.se. Since this release is new, it has not been packaged for most Linux distributions. But don't worry. You can use GNU Stow to install the latest Curl from source.

1. Make sure your system package database is up to date.

 <code>sudo apt update # Debian/Ubuntu 系统sudo yum update # CentOS/RHEL 系统sudo dnf update # Fedora 系统sudo pacman -Syu # Arch Linux 系统</code>

2. If the necessary development tools have not been installed, install them.

 <code>sudo apt install build-essential # Debian/Ubuntu sudo yum groupinstall "Development Tools" # CentOS/RHEL sudo dnf groupinstall "Development Tools" # Fedora sudo pacman -S base-devel # Arch Linux</code>

If you want to compile Curl using the OpenSSL backend, you also need to install the OpenSSL development library. For example, on a Debian-based system, you can install the OpenSSL development library using the following command:

 <code>sudo apt install libssl-dev</code>

If you want to compile Curl using the GnuTLS backend, install the following on a Debian-based system:

 <code>sudo apt install libgnutls28-dev libgnutls30</code>

3. Install GNU Stow.

 <code>sudo pacman -S stow # Arch Linux sudo apt install stow # Debian/Ubuntu sudo yum install stow # 旧版CentOS/RHEL sudo dnf install stow # 最新Fedora/RHEL/AlmaLinux/Rocky Linux</code>

4. Download the latest Curl source code from its official releases page and unzip it.

 <code>wget https://github.com/curl/curl/releases/download/curl-8_9_0/curl-8.9.0.tar.gz tar xvf curl-8.9.0.tar.gz</code>

5. Build with prefix configuration.

Go to the decompressed directory:

 <code>cd curl-8.9.0</code>

Built with the TLS backend and installation directory configuration for management by GNU Stow.

 <code>./configure --with-ssl --prefix=/usr/local/stow/curl-8.9.0</code>

If you want to configure Curl using GnuTLS, use the following command instead:

 <code>./configure --with-gnutls --prefix=/usr/local/stow/curl-8.9.0</code>

6. Compile the software.

 <code>make</code>

7. Install Curl 8.9.0

 <code>sudo make install</code>

8. Use GNU Stow to add Curl to your PATH.

Change to the stall directory and use stall to manage the installation.

 <code>cd /usr/local/stow sudo stow curl-8.9.0</code>

9. Verify that Curl is installed correctly and available.

 <code>curl --version</code>

Sample output :

 <code>curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 GnuTLS/3.7.1 zlib/1.2.11 libidn2/2.3.0 Release-Date: 2024-07-24 Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets</code>

Looking to the future: Curl 8.10.0

Due to the extended release cycle of Curl 8.9.0, the developer said that the next version 8.10.0 will shorten the cycle.

He also added that Curl 8.10.0's feature window is only two weeks old, which may affect the number of new features and changes that can be merged.

Nevertheless, there are still a large number of requests to be merged waiting for the publishing window to open.

If all goes well, Curl 8.10.0 is expected to be released on September 11, 2024 . The upcoming release will continue Curl's famous tradition of improvement and innovation.

For more details, please check the official release notes:

• Curl 8.9.0 Release Notes

Related readings :

• Wcurl: A user-friendly Curl wrapper for easy download of files
• Debian Curl now supports HTTP3: What you need to know
• How to install Curl using GnuTLS backend in Debian

Please note that the format of the image remains the same as I have not modified the format information of the image in the input text. I used similar titles and descriptions to keep the article intact.

The above is the detailed content of Curl 8.9.0 Released: New Features, Bugfixes, and How to Install. For more information, please follow other related articles on the PHP Chinese website!