[Daniel's week] December 20, 2025

Daniel Stenberg daniel at haxx.se
Sat Dec 20 17:20:01 CET 2025


Hi friends!

A little shorter edition this week. Merry Christmas to you all, whether you
celebrate or not!

## Security

Another week with a lot of security reports and related activities behind the
curtains. Lots of silly ones arrived on Hackerone but we also received a
stream of good ones (some over email) that kept us quite busy.

As a result, we now have a *fourth* CVE registered and queued up for
publication on January 7 when the pending curl release ships.

Twelve submissions on Hackerone the last week. Zero confirmed ones. Several
slops. It feels like I've done nothing else this week than handled security
reports.

## rc3

I realized we had the third curl release candidate date planned for Christmas
eve next week, so I decided we better push that to a few days later. This
release cycle is expanded by one week anyway so it should be totally fine.

I got excellent feedback on rc2 from our friends in the git project this week,
which led to me merging some additional fixes to reduce surprises for future
users of curl 8.18.0.

## graphs

I updated the color scheme for the code age graph [1] and have prepared it for
data arriving in 2026. I realized that the command line options graph [2]
stopped working at some point and it should now be fixed.

## MQTTS

I took my WIP branch [3] introducing MQTTS support a bit further and now it
seems to work even with a test case and initial documentation. Adding TLS to
an already supported protocol in libcurl really is not a lot of extra work nor
code.

## 2025 summary

I started writing a 2025 summary for this email but it got so terribly long
that I'm instead converting it to a blog post which I will post separately
within a few days.

## OpenSSL 1

Just a quick reminder that we have dropped support for OpenSSL 1 from the
public normal curl releases. We now only offer support for this OpenSSL
version through the means of a commercial curl support contract.

## Coming up

- Christmas week, hopefully slower than most weeks of the year
- undoubtedly more Hackerone reports to deal with

## Links

[1] = https://curl.se/dashboard1.html#source-code-age
[2] = https://curl.se/dashboard1.html#cmdline-options-over-time
[3] = https://github.com/curl/curl/pull/19418

-- 

  / daniel.haxx.se

