#Tag · Gnar 🔥 social

We are doing another curl + distro online meeting this spring in what now has become an established annual tradition. A two-hour discussion, meeting, workshop for curl developers and curl distro maintainers. 2026 curl distro meeting details The objective for these meetings is simply to make curl better in distros. To make distros do better … Continue reading curl distro meeting 2026 →

curl distro meeting 2026

Max Resing

@resingm@infosec.exchange · yesterday

Is there any reason, why curl lists an example in their --header section as follows:

curl -H "User-Agent: yes-please/2000" https://example.com

Is there someone a #Jazz fan, or is it some other kind of a pun? 🤔

#foss #OpenSource #curl #manpage #unix

daniel:// stenberg:// boosted

Anna Liberty

@liberty@mathstodon.xyz · 2 days ago

My little #curl documentation fix is being shipped in version 8.19.0 🎉

daniel:// stenberg:// boosted

https://daniel.haxx.se/blog/2026/03/12/chicken-nuget/

@bagder@mastodon.social · 2 days ago

chicken nuget

Insecure #curl packages hosted by Microsoft. They think it's fine.

Background: nuget.org is a Microsoft owned and run service that allows users to package software and upload it to nuget so that other users can download it. It is targeted for .Net developers but there is really no filter in what you can offer through their service. Three years ago I reported on how nuget … Continue reading chicken nuget →

chicken nuget

https://daniel.haxx.se/blog/2026/03/12/chicken-nuget/

@bagder@mastodon.social · 2 days ago

chicken nuget

Insecure #curl packages hosted by Microsoft. They think it's fine.

chicken nuget

Safigo

@safigo@c.im replied · 2 days ago

@bagder I have a strong feeling you've already written about #Microsoft using outdated #curl version somewhere.

Am I hallucinating?

Anna Liberty

@liberty@mathstodon.xyz · 2 days ago

My little #curl documentation fix is being shipped in version 8.19.0 🎉

https://daniel.haxx.se/blog/2026/03/12/chicken-nuget/

@bagder@mastodon.social · 2 days ago

chicken nuget

Insecure #curl packages hosted by Microsoft. They think it's fine.

chicken nuget

https://curl.se/docs/CVE-2026-3784.html

@bagder@mastodon.social · 2 days ago

CVE-2026-3784 beat a new #curl record. This flaw existed in curl source code for 24.97 years before it was discovered.

Illustrated in the slightly hard-to-read graph below. The average age of a curl vulnerability when reported is eight years.

curl - wrong proxy connection reuse with credentials - CVE-2026-3784

@bagder@mastodon.social · 3 days ago

Welcome Vladimír Marek as #curl commit author 1452: https://github.com/curl/curl/pull/20885

daniel:// stenberg:// boosted

Twitch is the world's leading video platform and community for gamers.

@icing@chaos.social · 3 days ago

#curl 8.19.0 release presentation by @bagder live now at https://www.twitch.tv/moderator/curlhacker

Twitch

Twitch is the world's leading video platform and community for gamers.

@icing@chaos.social · 3 days ago

#curl 8.19.0 release presentation by @bagder live now at https://www.twitch.tv/moderator/curlhacker

Twitch

daniel:// stenberg:// boosted

vsz

@vsz@mastodon.social · 3 days ago

@bagder #curl 8.19.0 Windows builds at https://curl.se/windows/ via https://github.com/curl/curl-for-win/commit/b64e9da1f0a39c4a4a43ec8c316c94d815db83ff

curl for Windows

https://daniel.haxx.se/blog/2026/03/11/curl-8-19-0/

@bagder@mastodon.social · 3 days ago

Welcome to #curl 8.19.0

8 changes, 4 vulnerabilities and 264 bugs fixed. Enjoy!

(The 4 new CVEs are explained in follow-up toots.)

Release presentation Welcome to the curlhacker stream at 10:00 CET (09:00 UTC) today March 11, 2026 for a live-streamed presentation of curl 8.19.0. The changes, the security fixes and some bugfixes. Numbers the 273rd release8 changes63 days (total: 10,712)264 bugfixes (total: 13,640)538 commits (total: 38,024)0 new public libcurl function (total: 100)0 new curl_easy_setopt() option (total: … Continue reading curl 8.19.0 →

curl 8.19.0

vsz

@vsz@mastodon.social (and 1 other) recently replied · 3 days ago

@bagder #curl 8.19.0 Windows builds at https://curl.se/windows/ via https://github.com/curl/curl-for-win/commit/b64e9da1f0a39c4a4a43ec8c316c94d815db83ff

curl for Windows

daniel:// stenberg:// boosted

https://eissing.org/icing/posts/curl-rate-limits/

@icing@chaos.social · 3 days ago

#curl 8.19.0, released today, has my reimplementation of rate limits for up- and downloads. They work the same for all network protocols and HTTP versions, and per URL, even on shared connections.

Meaning you can mix different limits (including unlimited) on the same HTTP/2 connection.

(This was not a goal as such, mainly a side effect of doing things properly. „Technical Credit“ I would call it. 😌)

icing's blog

curl rate limits

The curl project merged #19384, #20033 and #20228 which re-implements rate limiting of transfers in libcurl. This will be part of the upcoming 8.19.0 release at the beginning of March 2026. What is it, why did we change it and how? libcurl’s rate limiting libcurl offers the options CURLOPT_MAX_SEND_SPEED_LARGE and CURLOPT_MAX_RECV_SPEED_LARGE on transfers to set the limit in bytes per second for up- and downloads. This is available in the curl tool as command line option --limitrate . Running

https://eissing.org/icing/posts/curl-rate-limits/

@icing@chaos.social · 3 days ago

#curl 8.19.0, released today, has my reimplementation of rate limits for up- and downloads. They work the same for all network protocols and HTTP versions, and per URL, even on shared connections.

Meaning you can mix different limits (including unlimited) on the same HTTP/2 connection.

(This was not a goal as such, mainly a side effect of doing things properly. „Technical Credit“ I would call it. 😌)

icing's blog

curl rate limits

https://daniel.haxx.se/blog/2026/03/11/curl-8-19-0/

@bagder@mastodon.social · 3 days ago

Welcome to #curl 8.19.0

8 changes, 4 vulnerabilities and 264 bugs fixed. Enjoy!

(The 4 new CVEs are explained in follow-up toots.)

curl 8.19.0

@bagder@mastodon.social · 4 days ago

Ahead of tomorrow's release of four new #curl CVEs I want you to know: we do our very best to secure curl every step of the way. Security is hard.

Code style
Banned functions
Complexity checks
Human reviews
Review bots
No binary blobs
No confusables
Document everything
Many tests
Cl like crazy
All the picky compiler options and -Werror
Valgrind and sanitizers
Static code analyzers
Fuzzing (in Cl and non-stop)
Cl jobs never “write back"
Reproducible releases
Signed releases, commits, tags
code audits
2fa for all committers — Code style Banned functions Complexity checks Human reviews Review bots No binary blobs No confusables Document everything Many tests Cl like crazy All the picky compiler options and -Werror Valgrind and sanitizers Static code analyzers Fuzzing (in Cl and non-stop) Cl jobs never “write back" Reproducible releases Signed releases, commits, tags code audits 2fa for all committers

@bagder@mastodon.social · 4 days ago

The end of the release cycle is really the peak. When a full cycle's worth of work and efforts are combined into a fresh tarball that is sent out into the cold harsh real world with the ideal outcome that everything just keeps on working exactly like before, ideally a little better.

The night before a release we believe this is the best we ever did. Every time we think this. Who knows what we will think tomorrow at this time.

Thanks for flying #curl. It's an adventure and honor to pilot this.

@bagder@mastodon.social · 4 days ago

24 hours to #curl release