curl 7.74.0 is released with experimental HSTS support. The 196th curl release has 107 bug-fixes, including three fixed vulnerabilities. 46 contributors (22 new) made this in 56 days, out of which 22 were authors (8 new). https://daniel.haxx.se/blog/2020/12/09/curl-7-74-0-with-hsts/
At 9:00 UTC today, Dec 9, you can see the live-streamed curl 7.74.0 release presentation with me going through the highlights and digging into some details on what's new and special with this release. https://www.twitch.tv/curlhacker
CVE-2020-8284: A malicious server can use a `PASV` response to trick curl into connecting to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed. https://curl.se/docs/CVE-2020-8284.html
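An added example, not part of the original post and not curl's own code: a client-side check against the `PASV` trick described for CVE-2020-8284, accepting the data endpoint from a 227 reply only when its address equals the control connection's peer. The function name, enum values and the sample replies in `main` are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pasv_check { PASV_OK = 0, PASV_MALFORMED = -1, PASV_FOREIGN_ADDR = -2 };

/*
 * Parse "227 ... (h1,h2,h3,h4,p1,p2)" and accept it only if the advertised
 * IPv4 address equals control_peer (dotted-quad text of the control
 * connection's peer). On PASV_OK, *port receives the data port.
 */
enum pasv_check check_pasv_reply(const char *reply, const char *control_peer,
                                 unsigned *port)
{
    unsigned h[4], p[2];
    char advertised[16];              /* "255.255.255.255" plus NUL */
    const char *paren;

    if (strncmp(reply, "227", 3) != 0)
        return PASV_MALFORMED;
    paren = strchr(reply, '(');
    if (!paren || sscanf(paren, "(%3u,%3u,%3u,%3u,%3u,%3u)",
                         &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return PASV_MALFORMED;
    if (h[0] > 255 || h[1] > 255 || h[2] > 255 || h[3] > 255 ||
        p[0] > 255 || p[1] > 255 || (p[0] | p[1]) == 0)
        return PASV_MALFORMED;        /* octet out of range or port 0 */

    snprintf(advertised, sizeof advertised, "%u.%u.%u.%u",
             h[0], h[1], h[2], h[3]);
    if (strcmp(advertised, control_peer) != 0)
        return PASV_FOREIGN_ADDR;     /* reply points at a different host */

    *port = p[0] * 256 + p[1];
    return PASV_OK;
}

int main(void)
{
    /* Constructed replies; 192.0.2.10 stands in for the control peer. */
    unsigned port = 0;
    int rc = check_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)",
                              "192.0.2.10", &port);
    printf("same host: rc=%d port=%u\n", rc, port);
    rc = check_pasv_reply("227 Entering Passive Mode (10,0,0,5,0,22)",
                          "192.0.2.10", &port);
    printf("other host: rc=%d (data connection refused)\n", rc);
    return 0;
}
```

In libcurl itself, the `CURLOPT_FTP_SKIP_PASV_IP` option makes the transfer ignore the address in the 227 reply and reuse the control connection's address for the data connection.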
CVE-2020-8285: A malicious server can DOS a libcurl-using application that uses FTP wildcard matching and that skips certain entries, by providing as skipped entries until libcurl overflows the stack due to recursive calls. https://curl.se/docs/CVE-2020-8285.html
CVE-2020-8286: This flaw would allow an attacker, who perhaps could have breached a TLS server, to provide a fraudulent OCSP stapling response that would appear fine to curl. Possibly avoiding for example a revoked cert to be detected. https://curl.se/docs/CVE-2020-8286.html