[Daniel's week] June 12, 2026
Daniel Stenberg
daniel at haxx.se
Fri Jun 12 23:38:05 CEST 2026
Hello friends!
# security
In my email last week I mentioned we had thirteen pending vulnerabilities to
announce in sync with the next curl release. A week later that number is now
eighteen and I have no reason to expect any slowdown in the near future.
The end of last week also signified the end of a dedicated week by a security
engineer from Trail of Bits [1] spent looking closer on curl source code in
some kind of cooperation they have with OpenAI, so presumably using their
models for it. That resulted in a list of twenty-two issues with various
degrees of severity that gave us a little more to work on. One of those issues
is now treated by us as a confirmed vulnerability. The others were a mix of
documentation needing clarification, bugs to fix and a few false positives.
Right now, we project that we will ship more than 70 curl CVEs this year.
Already in the first six months of this year we will have published more CVEs
than we did in the three years 2023 - 2025 combined!
## curl meta-data
As I “caught” someone this week doing funny sed tricks to extract the latest
curl version from the curl website’s download page, I figured I should remind
everyone that we provide information and meta-data about the latest curl
release in a machine-friendly format on the https://curl.se/info URL that is
always accurate and up-to-date. It has been working fine for decades and is
likely to continue to do so.
New in the info file this week is that I added a sha256sum for the tarball it
links in there and I made the same information available in JSON format on
https://curl.se/info.json. It was easy enough so why not.
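For anyone replacing the sed scraping with the machine-readable meta-data, here is an added example (not curl project code, and not from this email) of consuming a release-info JSON document and checking a downloaded tarball against the published sha256sum. The field names `version`, `tarball` and `sha256sum` are an assumed schema constructed for illustration; the sample JSON and tarball bytes are constructed so the check runs offline.

```python
"""Consume release meta-data JSON and verify a tarball against its sha256sum.

Added example, not curl project code. The keys used below (version, tarball,
sha256sum) are an ASSUMED schema; check the real https://curl.se/info.json
before relying on any key name.
"""
import hashlib
import hmac
import json
import re

# Constructed sample of a release-info JSON document. ASSUMPTION: these keys
# are illustrative, not necessarily the real info.json layout.
SAMPLE_INFO_JSON = """{
  "version": "8.21.0",
  "tarball": "https://curl.se/download/curl-8.21.0.tar.xz",
  "sha256sum": "%s"
}"""

# Constructed stand-in for tarball bytes so the example runs offline.
SAMPLE_TARBALL = b"not a real tarball, just constructed sample bytes\n"

VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """Hex digest of data, the value sha256sum(1) would print."""
    return hashlib.sha256(data).hexdigest()


def sample_info_text(digest: str) -> str:
    """Fill the constructed sample document with the given digest."""
    return SAMPLE_INFO_JSON % digest


def parse_release_info(text: str) -> dict:
    """Parse release meta-data JSON and validate the fields we depend on.

    Raises ValueError on missing or malformed fields so a build job fails
    loudly instead of silently accepting a bogus hash or version string.
    """
    info = json.loads(text)
    for key in ("version", "tarball", "sha256sum"):
        if key not in info:
            raise ValueError(f"release info is missing '{key}'")
    if not VERSION_RE.match(info["version"]):
        raise ValueError(f"unexpected version format: {info['version']!r}")
    digest = info["sha256sum"].strip().lower()
    if not SHA256_RE.match(digest):
        raise ValueError("sha256sum is not a 64-character hex digest")
    if not info["tarball"].startswith("https://"):
        raise ValueError("tarball URL must be https")
    return {"version": info["version"], "tarball": info["tarball"],
            "sha256sum": digest}


def verify_tarball(data: bytes, expected_hex: str) -> bool:
    """True if data hashes to expected_hex; constant-time compare by habit."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def check_release(info_text: str, tarball_bytes: bytes) -> dict:
    """Parse the meta-data, verify the tarball, and report what was checked."""
    info = parse_release_info(info_text)
    ok = verify_tarball(tarball_bytes, info["sha256sum"])
    return {"version": info["version"], "tarball": info["tarball"],
            "verified": ok}


if __name__ == "__main__":
    # In real use: fetch info.json and the tarball over HTTPS, then compare.
    # Here both are constructed so the check runs offline.
    text = sample_info_text(sha256_hex(SAMPLE_TARBALL))
    print(check_release(text, SAMPLE_TARBALL))
```

The point of the strict field validation is that a version string or digest pulled from a web document becomes an input to your build pipeline; rejecting anything that does not look like a dotted version or a 64-character hex digest keeps a malformed or tampered document from turning into a silent skip of the hash check.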
## Humans in control
I have received questions about our use or non-use of AI in the curl project,
which made me write up a blog post about my and the curl team’s general view
and approach to AI [3]. We use tools. We keep humans in control.
## Coverity is dead
We have been scanning the curl source code for mistakes with the static code
analyzer provided by Coverity for well over a decade and it has helped us keep
things in check. Over the last several weeks their scanning service has been
dead and there is no messaging suggesting when or if it will come back to
life.
Coverity used to be the best code analyzer several years ago and it therefore
was a fundamental tool to aid curl developers. Over time, competition has
caught up and now I am not sure the loss of this service will be mourned much
by us. We have clang-tidy and CodeSonar for old-style analyzing, but perhaps
more importantly all the new AI things that take this art to the next level.
We use Codex Security, Zeropath, Augment Code and GitHub Copilot ourselves but
clearly lots of people out there also throw curl source code at all kinds of
different AIs.
## Sponsors
I made sure that two recent gold sponsors show up correctly on the curl
sponsor page [2], as both Automattic and CodeRabbit AI sponsor the project with
an awesome 1,000 USD/month. Thank you!
We promise to use donated funds only for things and activities that we believe
are beneficial for the project and its development. That includes but is not
limited to developer conferences, infrastructure, services and hardware.
## Coming up
- Monday: announcing the curl summer of bliss
- Wednesday: curl 8.21.0 rc3
- More security report work for sure
## Links
[1] = https://www.trailofbits.com/
[2] = https://curl.se/sponsors.html
[3] = https://daniel.haxx.se/blog/2026/06/10/a-human-in-control/
--
/ daniel.haxx.se