curl: update to 8.19.0.
curl and libcurl 8.19.0
Public curl releases: 273
Command line options: 273
curl_easy_setopt() options: 308
Public functions in libcurl: 100
Contributors: 3619
This release includes the following changes:
o we stopped the bug bounty [23]
o cmake: add `CURL_BUILD_EVERYTHING` option [51]
o initial support for MQTTS [81]
o tool: support fractions for --limit-rate and --max-filesize [79]
o tool_cb_hdr: with -J, use the redirect name as a backup [147]
o vquic: drop support for OpenSSL-QUIC [80]
o windows: add build option to use the native CA store [82]
[268 lines not shown]
adguardhome: updated to 0.107.73
0.107.73
Security
Authentication is now applied to requests that have been upgraded from HTTP/2 Cleartext (H2C) requests to public resources.
giflib*: update to 6.1.2
Version 6.1.2
=============
Code Fixes
----------
* Fix for low-severity CVE-2026-23868 affecting gifponge, giftool, and gifbuild,
but not the core library - library clients need not be alarned.
Version 6.1.1
=============
This release bumps the major version, but only one entry point -
EGifSpew() - has changed signature and behavior (in order to be able
to pass out a detailed error code). The internal error
codes in the E_GIF_ERR series have changed value so none of them
collides with GIF_ERROR.
[66 lines not shown]
shells/oh-my-posh: update to 29.8.0
Bug Fixes
spotify: use correct D-Bus interface name on Linux (3c44733), closes #7365
theme: align socials icons and add bluesky instead of at (8857a5c)
zsh: prevent stream process from inheriting parent stdin (40164ef)
Features
lint markfown with vale (57df69a)
net/xfr: update to 0.9.3
Added
- Server --bind flag (#38) — xfr serve --bind <IP> binds TCP, QUIC, and UDP data listeners to a specific address.
Validates against -4/-6 flags and rejects unspecified addresses (::, 0.0.0.0).
Changed
- Server sends random payloads (#34) — server-side TCP and UDP send paths now use random bytes by default in
reverse and bidirectional modes, matching the client's default-on behavior.
Fixed
- QUIC dual-stack on Windows (#39) — QUIC server endpoint now creates its UDP socket via socket2 with explicit
IPV6_V6ONLY handling instead of relying on Quinn's Endpoint::server(). On Windows/macOS where IPV6_V6ONLY defaults
to true, binding to [::] would only accept IPv6 connections.
- Server random payload on single-port TCP reverse (#34) — the single-port TCP handler (DataHello path used by all
modern clients) was missing random_payload = true, causing reverse-mode downloads to still send zeros.
[4 lines not shown]
