Sync from SUSE:SLFO:1.1 curl revision 6a0241dbc1c193137bd63721b86c82cb

curl-8.12.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmetnEcACgkQXMkI/bce
-EsIwoAf9F1UCx5VBJxgSQ/375gOs2rcoMEjKhahRRJDBU/VMscX6VNOK3cnzj32Z
-ZtdC1ywGsPXdFNPi2Pwd9YDDqiDyn9donzwgNkKcoV5X/RGk2yTGhXfu+jjl7VI0
-9nbLZAtiZfc24CGc8qBDc5NT5DWw6vbYt3pXH+LqVTnjH8RgOkpfePcwHVxO2KhO
-+ldMxcu3tkxzc3s/AfYRBooKnfepv6vGu+U+jDhhrJS2MOXiRe3Ahy/P9bagsKqW
-vJGa1yxFsshEWqfSPrcwAS9KAqK5ll+0AmZVyBtg0kcFD5OyDWcG/8J5Ek/AreBv
-iaA5AvoxF+ICPEXq/IFoDTaiTitgXA==
-=bYhe
------END PGP SIGNATURE-----

curl-8.14.1.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmg/3PcACgkQXMkI/bce
+EsJqDAf/Q6bzaPr1MlnbF3yFwzpMNY4ZH6SXWvmztLaFksrNFM8fuby00yNQ02pi
+4kfyIWgR4SRpHq2rmM//JudwRO5vObEctrtw/bQWR9IQ/rkrt2RtwDfFXLOtq2k/
+aHmmnZmQNeVJYQUpGlsehtXMCO0wIpvRK4yecHZC4ueq+UCJjrp2rJVpaKm+KOVY
+2DxPA5OyBKVKV/hJXD8+7V06HnsbojyxGf4Wg2XuXz1pa7z6lxWaf3ACf9gi+BzX
+4uPRT4ZChWCqUvLBl2C95ulY0/rmem7ffJuhBC0hBDk3qpqV8tv9TyS9xoTEVVkh
+sK20aPD0vcHjnTM0u/IfVVhfliNC+Q==
+=mjWb
+-----END PGP SIGNATURE-----

curl-CVE-2025-10148.patch

@@ -0,0 +1,64 @@
+From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 8 Sep 2025 14:14:15 +0200
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+
+Reported-by: Calvin Ruocco
+Closes #18496
+---
+ lib/ws.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+Index: curl-8.14.1/lib/ws.c
+===================================================================
+--- curl-8.14.1.orig/lib/ws.c
++++ curl-8.14.1/lib/ws.c
+@@ -758,6 +758,7 @@ static ssize_t ws_enc_write_head(struct
+   unsigned char head[14];
+   size_t hlen;
+   ssize_t n;
++  CURLcode result;
+ 
+   if(payload_len < 0) {
+     failf(data, "[WS] starting new frame with negative payload length %"
+@@ -831,6 +831,17 @@ static ssize_t ws_enc_write_head(struct
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+ 
++  /* 4 bytes random */
++  result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
++  if(result)
++    return result;
++
++#ifdef DEBUGBUILD
++  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
++    /* force the bit mask to 0x00000000, effectively disabling masking */
++    memset(&enc->mask, 0, sizeof(enc->mask));
++#endif
++
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -1025,21 +1036,7 @@ CURLcode Curl_ws_accept(struct Curl_easy
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+ 
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-
+-#ifdef DEBUGBUILD
+-  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
+-    /* force the bit mask to 0x00000000, effectively disabling masking */
+-    memset(ws->enc.mask, 0, sizeof(ws->enc.mask));
+-#endif
+-
+-  infof(data, "[WS] Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
++  infof(data, "[WS] Received 101, switch to WebSocket");
+ 
+   /* Install our client writer that decodes WS frames payload */
+   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,

curl-CVE-2025-11563.patch

@@ -0,0 +1,108 @@
+From fb0c014e30e5f4de7aa0d566c52c836a6423da29 Mon Sep 17 00:00:00 2001
+From: Samuel Henrique <samueloph@debian.org>
+Date: Sun, 26 Oct 2025 17:34:46 +0000
+Subject: [PATCH] wcurl: sync to +dev snapshot
+
+Closes #19247
+---
+ scripts/wcurl | 36 +++++++++++++++++++++++++++++-------
+ 1 file changed, 29 insertions(+), 7 deletions(-)
+
+Index: curl-8.14.1/scripts/wcurl
+===================================================================
+--- curl-8.14.1.orig/scripts/wcurl
++++ curl-8.14.1/scripts/wcurl
+@@ -65,7 +65,7 @@ Options:
+                            multiple times, only the last value is considered.
+ 
+   --no-decode-filename: Don't percent-decode the output filename, even if the percent-encoding in
+-                        the URL was done by wcurl, e.g.: The URL contained whitespaces.
++                        the URL was done by wcurl, e.g.: The URL contained whitespace.
+ 
+   --dry-run: Don't actually execute curl, just print what would be invoked.
+ 
+@@ -77,7 +77,7 @@ Options:
+                  instead forwarded to the curl invocation.
+ 
+   <URL>: URL to be downloaded. Anything that is not a parameter is considered
+-         an URL. Whitespaces are percent-encoded and the URL is passed to curl, which
++         an URL. Whitespace is percent-encoded and the URL is passed to curl, which
+          then performs the parsing. May be specified more than once.
+ _EOF_
+ }
+@@ -85,7 +85,7 @@ _EOF_
+ # Display an error message and bail out.
+ error()
+ {
+-    printf "%s\n" "$*" > /dev/stderr
++    printf "%s\n" "$*" >&2
+     exit 1
+ }
+ 
+@@ -113,6 +113,13 @@ readonly PER_URL_PARAMETERS="\
+     --remote-time \
+     --retry 5 "
+ 
++# Valid percent-encode codes that are considered unsafe to be decoded.
++# This is a list of space-separated percent-encoded uppercase
++# characters.
++# 2F = /
++# 5C = \
++readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
++
+ # Whether to invoke curl or not.
+ DRY_RUN="false"
+ 
+@@ -137,6 +144,20 @@ is_subset_of()
+     esac
+ }
+ 
++# Indicate via exit code whether the HTML code given in the first
++# parameter is safe to be decoded.
++is_safe_percent_encode()
++{
++    upper_str=$(printf "%s" "${1}" | tr "[:lower:]" "[:upper:]")
++    for unsafe in ${UNSAFE_PERCENT_ENCODE}; do
++        if [ "${unsafe}" = "${upper_str}" ]; then
++            return 1
++        fi
++    done
++
++    return 0
++}
++
+ # Print the given string percent-decoded.
+ percent_decode()
+ {
+@@ -151,9 +172,10 @@ percent_decode()
+                 decode_out="${decode_out}${decode_hex2}"
+                 # Skip decoding if this is a control character (00-1F).
+                 # Skip decoding if DECODE_FILENAME is not "true".
+-                if is_subset_of "${decode_hex1}" "23456789abcdefABCDEF" && \
+-                    is_subset_of "${decode_hex2}" "0123456789abcdefABCDEF" && \
+-                    [ "${DECODE_FILENAME}" = "true" ]; then
++                if [ "${DECODE_FILENAME}" = "true" ] \
++                    && is_subset_of "${decode_hex1}" "23456789abcdefABCDEF" \
++                    && is_subset_of "${decode_hex2}" "0123456789abcdefABCDEF" \
++                    && is_safe_percent_encode "${decode_out}"; then
+                     # Use printf to decode it into octal and then decode it to the final format.
+                     decode_out="$(printf "%b" "\\$(printf %o "0x${decode_hex1}${decode_hex2}")")"
+                 fi
+@@ -298,7 +320,7 @@ while [ -n "${1-}" ]; do
+             # This is the start of the list of URLs.
+             shift
+             for url in "$@"; do
+-                # Encode whitespaces into %20, since wget supports those URLs.
++                # Encode whitespace into %20, since wget supports those URLs.
+                 newurl=$(printf "%s\n" "${url}" | sed 's/ /%20/g')
+                 URLS="${URLS} ${newurl}"
+             done
+@@ -311,7 +333,7 @@ while [ -n "${1-}" ]; do
+ 
+         *)
+             # This must be a URL.
+-            # Encode whitespaces into %20, since wget supports those URLs.
++            # Encode whitespace into %20, since wget supports those URLs.
+             newurl=$(printf "%s\n" "${1}" | sed 's/ /%20/g')
+             URLS="${URLS} ${newurl}"
+             ;;

curl-CVE-2025-14017.patch

@@ -0,0 +1,110 @@
+From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 4 Dec 2025 00:14:20 +0100
+Subject: [PATCH] ldap: call ldap_init() before setting the options
+
+Closes #19830
+---
+ lib/ldap.c | 50 +++++++++++++++++++-------------------------------
+ 1 file changed, 19 insertions(+), 31 deletions(-)
+
+Index: curl-8.14.1/lib/ldap.c
+===================================================================
+--- curl-8.14.1.orig/lib/ldap.c
++++ curl-8.14.1/lib/ldap.c
+@@ -375,16 +375,29 @@ static CURLcode ldap_do(struct Curl_easy
+     passwd = conn->passwd;
+   }
+ 
++#ifdef USE_WIN32_LDAP
++  if(ldap_ssl)
++    server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1);
++  else
++#else
++    server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port);
++#endif
++  if(!server) {
++    failf(data, "LDAP local: Cannot connect to %s:%u",
++          conn->host.dispname, conn->primary.remote_port);
++    result = CURLE_COULDNT_CONNECT;
++    goto quit;
++  }
++
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+-  ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
++  ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
+ #endif
+-  ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
++  ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+ 
+   if(ldap_ssl) {
+ #ifdef HAVE_LDAP_SSL
+ #ifdef USE_WIN32_LDAP
+     /* Win32 LDAP SDK does not support insecure mode without CA! */
+-    server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1);
+     ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
+ #else
+     int ldap_option;
+@@ -404,7 +417,7 @@ static CURLcode ldap_do(struct Curl_easy
+         goto quit;
+       }
+       infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca);
+-      rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
++      rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
+       if(rc != LDAP_SUCCESS) {
+         failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
+                 ldap_err2string(rc));
+@@ -416,20 +429,13 @@ static CURLcode ldap_do(struct Curl_easy
+     else
+       ldap_option = LDAP_OPT_X_TLS_NEVER;
+ 
+-    rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
++    rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
+     if(rc != LDAP_SUCCESS) {
+       failf(data, "LDAP local: ERROR setting cert verify mode: %s",
+               ldap_err2string(rc));
+       result = CURLE_SSL_CERTPROBLEM;
+       goto quit;
+     }
+-    server = ldap_init(host, conn->primary.remote_port);
+-    if(!server) {
+-      failf(data, "LDAP local: Cannot connect to %s:%u",
+-            conn->host.dispname, conn->primary.remote_port);
+-      result = CURLE_COULDNT_CONNECT;
+-      goto quit;
+-    }
+     ldap_option = LDAP_OPT_X_TLS_HARD;
+     rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
+     if(rc != LDAP_SUCCESS) {
+@@ -438,15 +444,6 @@ static CURLcode ldap_do(struct Curl_easy
+       result = CURLE_SSL_CERTPROBLEM;
+       goto quit;
+     }
+-/*
+-    rc = ldap_start_tls_s(server, NULL, NULL);
+-    if(rc != LDAP_SUCCESS) {
+-      failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
+-              ldap_err2string(rc));
+-      result = CURLE_SSL_CERTPROBLEM;
+-      goto quit;
+-    }
+-*/
+ #else
+     (void)ldap_option;
+     (void)ldap_ca;
+@@ -465,15 +462,6 @@ static CURLcode ldap_do(struct Curl_easy
+     result = CURLE_NOT_BUILT_IN;
+     goto quit;
+   }
+-  else {
+-    server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port);
+-    if(!server) {
+-      failf(data, "LDAP local: Cannot connect to %s:%u",
+-            conn->host.dispname, conn->primary.remote_port);
+-      result = CURLE_COULDNT_CONNECT;
+-      goto quit;
+-    }
+-  }
+ #ifdef USE_WIN32_LDAP
+   ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+   rc = ldap_win_bind(data, server, user, passwd);

curl-CVE-2025-14524.patch

@@ -0,0 +1,25 @@
+From 1a822275d333dc6da6043497160fd04c8fa48640 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 10 Dec 2025 11:40:47 +0100
+Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer
+
+Closes #19933
+---
+ lib/curl_sasl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+Index: curl-8.14.1/lib/curl_sasl.c
+===================================================================
+--- curl-8.14.1.orig/lib/curl_sasl.c
++++ curl-8.14.1/lib/curl_sasl.c
+@@ -356,7 +356,9 @@ CURLcode Curl_sasl_start(struct SASL *sa
+     data->set.str[STRING_SERVICE_NAME] :
+     sasl->params->service;
+ #endif
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+   struct bufref nullmsg;
+ 
+   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port);

curl-CVE-2025-14819.patch

@@ -0,0 +1,66 @@
+From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 17 Dec 2025 10:54:16 +0100
+Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a
+ different CA cache
+
+Reported-by: Stanislav Fort
+
+Closes #20009
+---
+ lib/vtls/openssl.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+Index: curl-8.14.1/lib/vtls/openssl.c
+===================================================================
+--- curl-8.14.1.orig/lib/vtls/openssl.c
++++ curl-8.14.1/lib/vtls/openssl.c
+@@ -3457,6 +3457,7 @@ struct ossl_x509_share {
+   char *CAfile;         /* CAfile path used to generate X509 store */
+   X509_STORE *store;    /* cached X509 store or NULL if none */
+   struct curltime time; /* when the cached store was created */
++  BIT(no_partialchain); /* keep partial chain state */
+ };
+ 
+ static void oss_x509_share_free(void *key, size_t key_len, void *p)
+@@ -3491,9 +3492,14 @@ ossl_cached_x509_store_expired(const str
+ 
+ static bool
+ ossl_cached_x509_store_different(struct Curl_cfilter *cf,
++                                 const struct Curl_easy *data,
+                                  const struct ossl_x509_share *mb)
+ {
+   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
++  struct ssl_config_data *ssl_config =
++    Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
++  if(mb->no_partialchain != ssl_config->no_partialchain)
++    return TRUE;
+   if(!mb->CAfile || !conn_config->CAfile)
+     return mb->CAfile != conn_config->CAfile;
+ 
+@@ -3513,7 +3519,7 @@ static X509_STORE *ossl_get_cached_x509_
+                                  sizeof(MPROTO_OSSL_X509_KEY)-1) : NULL;
+   if(share && share->store &&
+      !ossl_cached_x509_store_expired(data, share) &&
+-     !ossl_cached_x509_store_different(cf, share)) {
++     !ossl_cached_x509_store_different(cf, data, share)) {
+     store = share->store;
+   }
+ 
+@@ -3550,6 +3556,8 @@ static void ossl_set_cached_x509_store(s
+ 
+   if(X509_STORE_up_ref(store)) {
+     char *CAfile = NULL;
++    struct ssl_config_data *ssl_config =
++      Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
+ 
+     if(conn_config->CAfile) {
+       CAfile = strdup(conn_config->CAfile);
+@@ -3567,6 +3575,7 @@ static void ossl_set_cached_x509_store(s
+     share->time = curlx_now();
+     share->store = store;
+     share->CAfile = CAfile;
++    share->no_partialchain = ssl_config->no_partialchain;
+   }
+ }
+ 

curl-CVE-2025-15079.patch

@@ -0,0 +1,28 @@
+From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 24 Dec 2025 17:47:03 +0100
+Subject: [PATCH] libssh: set both knownhosts options to the same file
+
+Reported-by: Harry Sintonen
+
+Closes #20092
+---
+ lib/vssh/libssh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 7d5905c83d75..98c109ab59a3 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -2629,6 +2629,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done)
+     infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]);
+     rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_KNOWNHOSTS,
+                          data->set.str[STRING_SSH_KNOWNHOSTS]);
++    if(rc == SSH_OK)
++      /* libssh has two separate options for this. Set both to the same file
++         to avoid surprises */
++      rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
++                           data->set.str[STRING_SSH_KNOWNHOSTS]);
+     if(rc != SSH_OK) {
+       failf(data, "Could not set known hosts file path");
+       return CURLE_FAILED_INIT;

curl-CVE-2025-15224.patch

@@ -0,0 +1,27 @@
+From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Mon, 29 Dec 2025 16:56:39 +0100
+Subject: [PATCH] libssh: require private key or user-agent for public key auth
+
+Closes #20110
+---
+ lib/vssh/libssh.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: curl-8.14.1/lib/vssh/libssh.c
+===================================================================
+--- curl-8.14.1.orig/lib/vssh/libssh.c
++++ curl-8.14.1/lib/vssh/libssh.c
+@@ -698,7 +698,11 @@ static int myssh_state_authlist(struct C
+           "keyboard-interactive, " : "",
+           sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
+           "password": "");
+-  if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
++  /* For public key auth we need either the private key or
++     CURLSSH_AUTH_AGENT. */
++  if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) &&
++    (data->set.str[STRING_SSH_PRIVATE_KEY] ||
++     (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) {
+     myssh_state(data, sshc, SSH_AUTH_PKEY_INIT);
+     infof(data, "Authentication using SSH public key file");
+   }

curl-CVE-2025-9086.patch

@@ -0,0 +1,51 @@
+From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+---
+ lib/cookie.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 914a4aca12ac..b72dd99bce9b 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -296,9 +296,9 @@ static char *sanitize_cookie_path(const char *cookie_path)
+     /* Let cookie-path be the default-path. */
+     return strdup("/");
+ 
+-  /* remove trailing slash */
++  /* remove trailing slash when path is non-empty */
+   /* convert /hoge/ to /hoge */
+-  if(len && cookie_path[len - 1] == '/')
++  if(len > 1 && cookie_path[len - 1] == '/')
+     len--;
+ 
+   return Curl_memdup0(cookie_path, len);
+@@ -965,7 +965,7 @@ replace_existing(struct Curl_easy *data,
+          clist->spath && co->spath && /* both have paths */
+          clist->secure && !co->secure && !secure) {
+         size_t cllen;
+-        const char *sep;
++        const char *sep = NULL;
+ 
+         /*
+          * A non-secure cookie may not overlay an existing secure cookie.
+@@ -974,8 +974,9 @@ replace_existing(struct Curl_easy *data,
+          * "/loginhelper" is ok.
+          */
+ 
+-        sep = strchr(clist->spath + 1, '/');
+-
++        DEBUGASSERT(clist->spath[0]);
++        if(clist->spath[0])
++          sep = strchr(clist->spath + 1, '/');
+         if(sep)
+           cllen = sep - clist->spath;
+         else

curl-fix--ftp-pasv.patch

@@ -0,0 +1,147 @@
+From 5f805eec1149c218145097ec2a24ac7fb7d46f25 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Fri, 6 Jun 2025 10:21:09 -0700
+Subject: [PATCH] tool_getparam: fix --ftp-pasv
+
+This boolean option was moved to the wrong handling function. Make it
+an ARG_NONE and move it to the correct handler and add a test to
+verify that the option works.
+
+Follow-up to 698491f44
+
+Reported-by: fjaell on github
+Fixes #17545
+Closes #17547
+---
+ docs/cmdline-opts/ftp-pasv.md |  3 +-
+ src/tool_getparam.c           |  8 ++---
+ tests/data/Makefile.am        |  2 +-
+ tests/data/test1547           | 59 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test1547
+
+diff --git a/docs/cmdline-opts/ftp-pasv.md b/docs/cmdline-opts/ftp-pasv.md
+index 964f9769ae59..02deee30ded8 100644
+--- a/docs/cmdline-opts/ftp-pasv.md
++++ b/docs/cmdline-opts/ftp-pasv.md
+@@ -6,7 +6,8 @@ Help: Send PASV/EPSV instead of PORT
+ Protocols: FTP
+ Added: 7.11.0
+ Category: ftp
+-Multi: boolean
++Multi: mutex
++Mutexed: ftp-port
+ See-also:
+   - disable-epsv
+ Example:
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 51156e46b97e..6d7020987d0a 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -153,7 +153,7 @@ static const struct LongShort aliases[]= {
+   {"ftp-alternative-to-user",    ARG_STRG, ' ', C_FTP_ALTERNATIVE_TO_USER},
+   {"ftp-create-dirs",            ARG_BOOL, ' ', C_FTP_CREATE_DIRS},
+   {"ftp-method",                 ARG_STRG, ' ', C_FTP_METHOD},
+-  {"ftp-pasv",                   ARG_BOOL, ' ', C_FTP_PASV},
++  {"ftp-pasv",                   ARG_NONE, ' ', C_FTP_PASV},
+   {"ftp-port",                   ARG_STRG, 'P', C_FTP_PORT},
+   {"ftp-pret",                   ARG_BOOL, ' ', C_FTP_PRET},
+   {"ftp-skip-pasv-ip",           ARG_BOOL, ' ', C_FTP_SKIP_PASV_IP},
+@@ -1703,6 +1703,9 @@ static ParameterError opt_none(struct GlobalConfig *global,
+     break;
+   case C_DUMP_CA_EMBED: /* --dump-ca-embed */
+     return PARAM_CA_EMBED_REQUESTED;
++  case C_FTP_PASV: /* --ftp-pasv */
++    tool_safefree(config->ftpport);
++    break;
+ 
+   case C_HTTP1_0: /* --http1.0 */
+     /* HTTP version 1.0 */
+@@ -2293,9 +2296,6 @@ static ParameterError opt_filestring(struct GlobalConfig *global,
+   case C_URL: /* --url */
+     err = parse_url(global, config, nextarg);
+     break;
+-  case C_FTP_PASV: /* --ftp-pasv */
+-    tool_safefree(config->ftpport);
+-    break;
+   case C_SOCKS5: /* --socks5 */
+     /*  socks5 proxy to use, and resolves the name locally and passes on the
+         resolved address */
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index 1ef85cd3a2da..446674605835 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -203,7 +203,7 @@ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+ test1516 test1517 test1518 test1519 test1520 test1521 test1522 test1523 \
+ test1524 test1525 test1526 test1527 test1528 test1529 test1530 test1531 \
+ test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 \
+-test1540 test1541 test1542 test1543 test1544 test1545 test1546 \
++test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 \
+ \
+ test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
+ test1558 test1559 test1560 test1561 test1562 test1563 test1564 test1565 \
+diff --git a/tests/data/test1547 b/tests/data/test1547
+new file mode 100644
+index 000000000000..244151a5abd1
+--- /dev/null
++++ b/tests/data/test1547
+@@ -0,0 +1,59 @@
++<testcase>
++# Based on test100 & test101
++<info>
++<keywords>
++FTP
++PASV
++LIST
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++<data mode="text">
++total 20
++drwxr-xr-x   8 98       98           512 Oct 22 13:06 .
++drwxr-xr-x   8 98       98           512 Oct 22 13:06 ..
++drwxr-xr-x   2 98       98           512 May  2  1996 curl-releases
++-r--r--r--   1 0        1             35 Jul 16  1996 README
++lrwxrwxrwx   1 0        1              7 Dec  9  1999 bin -> usr/bin
++dr-xr-xr-x   2 0        1            512 Oct  1  1997 dev
++drwxrwxrwx   2 98       98           512 May 29 16:04 download.html
++dr-xr-xr-x   2 0        1            512 Nov 30  1995 etc
++drwxrwxrwx   2 98       1            512 Oct 30 14:33 pub
++dr-xr-xr-x   5 0        1            512 Oct  1  1997 usr
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++ftp
++</server>
++<name>
++FTP dir list PASV overriding PORT
++</name>
++<command>
++ftp://%HOSTIP:%FTPPORT/test-%TESTNUMBER/ -P %CLIENTIP --ftp-pasv
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<strip>
++QUIT
++</strip>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD test-%TESTNUMBER
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++</verify>
++</testcase>

curl-mini.rpmlintrc

@@ -0,0 +1 @@
+addFilter('shlib-policy-name-error')

curl-secure-getenv.patch

@@ -1,7 +1,7 @@
-Index: curl-8.11.0/lib/getenv.c
+Index: curl-8.13.0/lib/getenv.c
 ===================================================================
---- curl-8.11.0.orig/lib/getenv.c
-+++ curl-8.11.0/lib/getenv.c
+--- curl-8.13.0.orig/lib/getenv.c
++++ curl-8.13.0/lib/getenv.c
 @@ -29,6 +29,14 @@
  
  #include "memdebug.h"
@@ -16,7 +16,7 @@ Index: curl-8.11.0/lib/getenv.c
 +
  static char *GetEnv(const char *variable)
  {
- #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_UWP) || \
+ #if defined(CURL_WINDOWS_UWP) || defined(UNDER_CE) || \
 @@ -69,7 +77,7 @@ static char *GetEnv(const char *variable
      /* else rc is bytes needed, try again */
    }
@@ -26,11 +26,11 @@ Index: curl-8.11.0/lib/getenv.c
    return (env && env[0]) ? strdup(env) : NULL;
  #endif
  }
-Index: curl-8.11.0/configure.ac
+Index: curl-8.13.0/configure.ac
 ===================================================================
---- curl-8.11.0.orig/configure.ac
-+++ curl-8.11.0/configure.ac
-@@ -5370,6 +5370,8 @@ fi
+--- curl-8.13.0.orig/configure.ac
++++ curl-8.13.0/configure.ac
+@@ -5384,6 +5384,8 @@ fi
  
  CURL_PREPARE_CONFIGUREHELP_PM
  

curl-tool_operate-fix-return-code-when-retry-is-used.patch

@@ -0,0 +1,121 @@
+From b42776b4f4a6e9c9f5e3ff49d7bf610ad99c45c9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 Jun 2025 08:37:49 +0200
+Subject: [PATCH 1238/2000] tool_operate: fix return code when --retry is used
+ but not triggered
+
+Verify with test 752
+
+Reported-by: fjaell on github
+Fixes #17554
+Closes #17559
+
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index 24e79e6f61..2397de1686 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -548,8 +548,9 @@ static CURLcode retrycheck(struct OperationConfig *config,
+     *retryp = TRUE;
+     per->num_retries++;
+     *delayms = sleeptime;
++    result = CURLE_OK;
+   }
+-  return CURLE_OK;
++  return result;
+ }
+ 
+ 
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index 4466746058..ab21e0e220 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+ test718 test719 test720 test721 test722 test723 test724 test725 test726 \
+ test727 test728 test729 test730 test731 test732 test733 test734 test735 \
+ test736 test737 test738 test739 test740 test741 test742 test743 test744 \
+-test745 test746 test747 test748 test749 test750 test751 \
++test745 test746 test747 test748 test749 test750 test751 test752 \
+ \
+ test780 test781 test782 test783 test784 test785 test786 test787 test788 \
+ test789 test790 test791 \
+diff --git a/tests/data/test752 b/tests/data/test752
+new file mode 100644
+index 0000000000..00f14909d1
+--- /dev/null
++++ b/tests/data/test752
+@@ -0,0 +1,72 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++-f
++--retry
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data crlf="yes">
++HTTP/1.1 404 nopes
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Content-Type: text/html
++Funny-head: yesyes
++
++-foo-
++</data>
++
++<datacheck crlf="yes">
++HTTP/1.1 404 nopes
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Content-Type: text/html
++Funny-head: yesyes
++
++</datacheck>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++<name>
++--retry and -f on a HTTP 404 response
++</name>
++<command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -f --retry 1
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++<errorcode>
++22
++</errorcode>
++</verify>
++</testcase>
+-- 
+2.51.0
+

curl.changes

@@ -1,3 +1,191 @@
+-------------------------------------------------------------------
+Wed Jan  7 12:52:25 UTC 2026 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Security fix: [bsc#1256105, CVE-2025-14017]
+  * call ldap_init() before setting the options
+  * Add patch curl-CVE-2025-14017.patch
+
+-------------------------------------------------------------------
+Fri Jan  2 01:09:49 UTC 2026 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Security fixes:
+  * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer
+  * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth
+  * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
+  * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file
+  * Add patches:
+    - curl-CVE-2025-14524.patch
+    - curl-CVE-2025-15224.patch
+    - curl-CVE-2025-14819.patch
+    - curl-CVE-2025-15079.patch
+
+-------------------------------------------------------------------
+Wed Nov 19 14:19:19 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1253757, CVE-2025-11563]
+  * curl: wcurl path traversal with percent-encoded slashes
+  * Add curl-CVE-2025-11563.patch
+
+-------------------------------------------------------------------
+Wed Sep 10 11:09:50 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- tool_operate: fix return code when --retry is used but not
+  triggered [bsc#1249367]
+  * Add curl-tool_operate-fix-return-code-when-retry-is-used.patch
+
+-------------------------------------------------------------------
+Tue Sep  9 08:07:43 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fixes:
+  * [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
+  * [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
+  * Add patches:
+    - curl-CVE-2025-9086.patch
+    - curl-CVE-2025-10148.patch
+
+-------------------------------------------------------------------
+Mon Jul 14 08:29:01 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
+  * tool_getparam: fix --ftp-pasv [5f805ee]
+  * Add curl-fix--ftp-pasv.patch
+
+-------------------------------------------------------------------
+Fri Jun  6 08:26:03 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]
+  * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error
+    when building the curl-mini package in SLE.
+  * Add libssh minimum version requirements.
+  * Use ldconfig_scriptlets when available.
+  * Remove unused option --disable-ntlm-wb.
+
+-------------------------------------------------------------------
+Wed Jun  4 07:06:46 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.14.1:
+  * Security fixes:
+    - [bsc#1243933, CVE-2025-5399] libcurl can possibly get
+      trapped in an endless busy-loop when processing specially
+      crafted packets [d1145df2]
+  * Bugfixes:
+    - asyn-thrdd: fix cleanup when RR fails due to OOM
+    - ftp: fix teardown of DATA connection in done
+    - http: fail early when rewind of input failed when following redirects
+    - multi: fix add_handle resizing
+    - tls BIOs: handle BIO_CTRL_EOF correctly
+    - tool_getparam: make --no-anyauth not be accepted
+    - wolfssl: fix sending of early data
+    - ws: handle blocked sends better
+    - ws: tests and fixes
+
+-------------------------------------------------------------------
+Wed May 28 09:36:23 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.14.0:
+  * Security fixes:
+    - [CVE-2025-4947, bsc#1243397] QUIC certificate check skip with wolfSSL
+    - [CVE-2025-5025, bsc#1243706] No QUIC certificate pinning with wolfSSL
+  * Changes:
+    - mqtt: send ping at upkeep interval
+    - schannel: handle pkcs12 client certificates containing CA certificates
+    - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
+    - vquic: ngtcp2 + openssl support
+    - wcurl: import v2025.04.20 script + docs
+    - websocket: add option to disable auto-pong reply
+  * Bugfixes:
+    - asny-thrdd: fix detach from running thread
+    - async-threaded resolver: use ref counter
+    - async: DoH improvements
+    - build: enable gcc-12/13+, clang-10+ picky warnings
+    - build: enable gcc-15 picky warnings
+    - certs: drop unused `default_bits` from `.prm` files
+    - cf-https-connect: use the passed in dns struct pointer
+    - cf-socket: fix FTP accept connect
+    - cfilters: remove assert
+    - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
+    - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
+    - cmake: revert `CURL_LTO` behavior for multi-config generators
+    - configure: fix --disable-rt
+    - CONTRIBUTE: add project guidelines for AI use
+    - cpool/cshutdown: force close connections under pressure
+    - curl: fix memory leak when -h is used in config file
+    - curl_get_line: handle lines ending on the buffer boundary
+    - headers: enforce a max number of response header to accept
+    - http: fix HTTP/2 handling of TE request header using "trailers"
+    - lib: include files using known path
+    - lib: unify conversions to/from hex
+    - libssh: add NULL check for Curl_meta_get()
+    - libssh: fix memory leak
+    - mqtt: use conn/easy meta hash
+    - multi: do transfer book keeping using mid
+    - multi: init_do(): check result
+    - netrc: avoid NULL deref on weird input
+    - netrc: avoid strdup NULL
+    - netrc: deal with null token better
+    - openssl-quic: avoid potential `-Wnull-dereference`, add assert
+    - openssl-quic: fix shutdown when stream not open
+    - openssl: enable builds for *both* engines and providers
+    - openssl: set the cipher string before doing private cert
+    - progress: avoid integer overflow when gathering total transfer size
+    - rand: update comment on Curl_rand_bytes weak random
+    - rustls: make max size of cert and key reasonable
+    - smb: avoid integer overflow on weird input date
+    - urlapi: redirecting to "" is considered fine
+  * Remove curl-8.13.0-CloseSocket.patch upstream
+  * Rebase libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
+Fri Apr 11 17:36:27 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- fix Leap build add curl-8.13.0-CloseSocket.patch
+
+-------------------------------------------------------------------
+Wed Apr  9 11:05:46 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.13.0:
+  * Changes:
+    - curl: add write-out variable 'tls_earlydata'
+    - curl: make --url support a file with URLs
+    - gnutls: set priority via --ciphers
+    - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
+    - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
+    - OpenSSL/quictls: add support for TLSv1.3 early data
+    - rustls: add support for CERTINFO
+    - rustls: add support for SSLKEYLOGFILE
+    - rustls: support ECH w/ DoH lookup for config
+    - rustls: support native platform verifier
+    - var: add a '64dec' function that can base64 decode a string
+  * Bugfixes:
+    - conn: fix connection reuse when SSL is optional
+    - hash: use single linked list for entries
+    - http2: detect session being closed on ingress handling
+    - http2: reset stream on response header error
+    - http: remove a HTTP method size restriction
+    - http: version negotiation
+    - httpsrr: fix port detection
+    - libssh: fix freeing of resources in disconnect
+    - libssh: fix scp large file upload for 32-bit size_t systems
+    - openssl-quic: do not iterate over multi handles
+    - openssl: check return value of X509_get0_pubkey
+    - openssl: drop support for old OpenSSL/LibreSSL versions
+    - openssl: fix crash on missing cert password
+    - openssl: fix pkcs11 URI checking for key files.
+    - openssl: remove bad `goto`s into other scope
+    - setopt: illegal CURLOPT_SOCKS5_AUTH should return error
+    - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
+    - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version
+    - sshserver: fix excluding obsolete client config lines
+    - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
+    - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
+    - tool_operate: fail SSH transfers without server auth
+    - url: call protocol handler's disconnect in Curl_conn_free
+    - urlapi: remove percent encoded dot sequences from the URL path
+    - urldata: remove 'hostname' from struct Curl_async
+  * Rebase patches:
+    - libcurl-ocloexec.patch
+    - curl-secure-getenv.patch
+
 -------------------------------------------------------------------
 Thu Feb 13 13:34:05 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -2,6 +2,7 @@
 # spec file for package curl
 #
 # Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +30,7 @@
 %endif
 
 Name:           curl%{?psuffix}
-Version:        8.12.1
+Version:        8.14.1
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -38,11 +39,32 @@ Source:         https://curl.se/download/curl-%{version}.tar.xz
 Source2:        https://curl.se/download/curl-%{version}.tar.xz.asc
 Source3:        baselibs.conf
 Source4:        https://daniel.haxx.se/mykey.asc#/curl.keyring
+Source5:        curl-mini.rpmlintrc
 Patch0:         libcurl-ocloexec.patch
 Patch1:         dont-mess-with-rpmoptflags.patch
 Patch2:         curl-secure-getenv.patch
-#PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
+# PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3:         curl-disabled-redirect-protocol-message.patch
+# PATCH-FIX-UPSTREAM bsc#1246197 Fix the --ftp-pasv option in curl v8.14.1
+Patch4:         curl-fix--ftp-pasv.patch
+# PATCH-FIX-UPSTREAM bsc#1249191 CVE-2025-9086: Out of bounds read for cookie path
+Patch5:         curl-CVE-2025-9086.patch
+# PATCH-FIX-UPSTREAM bsc#1249348 CVE-2025-10148: Predictable WebSocket mask
+Patch6:         curl-CVE-2025-10148.patch
+# PATCH-FIX-UPSTREAM bsc#1249367 tool_operate: fix return code when --retry is used but not triggered
+Patch7:         curl-tool_operate-fix-return-code-when-retry-is-used.patch
+# PATCH-FIX-UPSTREAM bsc#1253757 CVE-2025-11563: wcurl path traversal with percent-encoded slashes
+Patch8:         curl-CVE-2025-11563.patch
+# PATCH-FIX-UPSTREAM bsc#1255731 CVE-2025-14524: bearer token leak on cross-protocol redirect
+Patch10:        curl-CVE-2025-14524.patch
+# PATCH-FIX-UPSTREAM bsc#1255734 CVE-2025-15224: libssh key passphrase bypass without agent set
+Patch11:        curl-CVE-2025-15224.patch
+# PATCH-FIX-UPSTREAM bsc#1255732 CVE-2025-14819: openSSL partial chain store policy bypass
+Patch12:        curl-CVE-2025-14819.patch
+# PATCH-FIX-UPSTREAM bsc#1255733 CVE-2025-15079: libssh global knownhost override
+Patch13:        curl-CVE-2025-15079.patch
+# PATCH-FIX-UPSTREAM bsc#1256105 CVE-2025-14017: broken TLS options for threaded LDAPS
+Patch14:        curl-CVE-2025-14017.patch
 BuildRequires:  groff
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@@ -61,7 +83,7 @@ BuildRequires:  pkgconfig(libssl)
 BuildRequires:  openldap2-devel
 BuildRequires:  pkgconfig(krb5)
 BuildRequires:  pkgconfig(libbrotlidec)
-BuildRequires:  pkgconfig(libssh)
+BuildRequires:  pkgconfig(libssh) >= 0.9.0
 %endif
 %if 0%{?_with_stunnel:1}
 # used by the testsuite
@@ -167,7 +189,6 @@ sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure
     --disable-imap \
     --disable-mqtt \
     --disable-ntlm \
-    --disable-ntlm-wb \
     --disable-pop3 \
     --disable-rtsp \
     --disable-smtp \
@@ -218,30 +239,44 @@ pushd scripts
 popd
 %endif
 
+%if 0%{?sle_version} < 150400
+%post -n libcurl%{?psuffix}4 -p /sbin/ldconfig
+%postun -n libcurl%{?psuffix}4 -p /sbin/ldconfig
+%else
 %ldconfig_scriptlets -n libcurl%{?psuffix}4
+%endif
 
 %files -n libcurl%{?psuffix}4
 %license COPYING
 %{_libdir}/libcurl.so.4*
+%if %{with mini}
+%exclude %{_bindir}/wcurl
+%endif
 
 %if !%{with mini}
 %files
+%license COPYING
 %doc README RELEASE-NOTES CHANGES.md
 %doc docs/{BUGS.md,FAQ,FEATURES.md,TODO,TheArtOfHttpScripting.md}
 %{_bindir}/curl
 %{_mandir}/man1/curl.1%{?ext_man}
+%{_bindir}/wcurl
+%{_mandir}/man1/wcurl.1%{?ext_man}
 
 %files zsh-completion
+%license COPYING
 %dir %{_datadir}/zsh
 %dir %{_datadir}/zsh/site-functions
 %{_datadir}/zsh/site-functions/_curl
 
 %files fish-completion
+%license COPYING
 %dir %{_datadir}/fish/
 %dir %{_datadir}/fish/vendor_completions.d/
 %{_datadir}/fish/vendor_completions.d/curl.fish
 
 %files -n libcurl-devel
+%license COPYING
 %{_bindir}/curl-config
 %{_includedir}/curl
 %dir %{_datadir}/aclocal/
@@ -250,6 +285,7 @@ popd
 %{_libdir}/pkgconfig/libcurl.pc
 
 %files -n libcurl-devel-doc
+%license COPYING
 %{_mandir}/man1/curl-config.1%{?ext_man}
 %{_mandir}/man3/*
 %doc docs/libcurl/symbols-in-versions

libcurl-ocloexec.patch

@@ -7,11 +7,11 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.
 
 
-Index: curl-8.12.0/lib/file.c
+Index: curl-8.14.0/lib/file.c
 ===================================================================
---- curl-8.12.0.orig/lib/file.c
-+++ curl-8.12.0/lib/file.c
-@@ -237,7 +237,7 @@ static CURLcode file_connect(struct Curl
+--- curl-8.14.0.orig/lib/file.c
++++ curl-8.14.0/lib/file.c
+@@ -270,7 +270,7 @@ static CURLcode file_connect(struct Curl
      }
    }
    #else
@@ -20,7 +20,7 @@ Index: curl-8.12.0/lib/file.c
    file->path = real_path;
    #endif
  #endif
-@@ -321,9 +321,9 @@ static CURLcode file_upload(struct Curl_
+@@ -349,9 +349,9 @@ static CURLcode file_upload(struct Curl_
  
  #if (defined(ANDROID) || defined(__ANDROID__)) && \
      (defined(__i386__) || defined(__arm__))
@@ -32,11 +32,11 @@ Index: curl-8.12.0/lib/file.c
  #endif
    if(fd < 0) {
      failf(data, "cannot open %s for writing", file->path);
-Index: curl-8.12.0/lib/if2ip.c
+Index: curl-8.14.0/lib/if2ip.c
 ===================================================================
---- curl-8.12.0.orig/lib/if2ip.c
-+++ curl-8.12.0/lib/if2ip.c
-@@ -208,7 +208,7 @@ if2ip_result_t Curl_if2ip(int af,
+--- curl-8.14.0.orig/lib/if2ip.c
++++ curl-8.14.0/lib/if2ip.c
+@@ -209,7 +209,7 @@ if2ip_result_t Curl_if2ip(int af,
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
  
@@ -45,11 +45,11 @@ Index: curl-8.12.0/lib/if2ip.c
    if(CURL_SOCKET_BAD == dummy)
      return IF2IP_NOT_FOUND;
  
-Index: curl-8.12.0/configure.ac
+Index: curl-8.14.0/configure.ac
 ===================================================================
---- curl-8.12.0.orig/configure.ac
-+++ curl-8.12.0/configure.ac
-@@ -426,6 +426,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
+--- curl-8.14.0.orig/configure.ac
++++ curl-8.14.0/configure.ac
+@@ -440,6 +440,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
  # Silence warning: ar: 'u' modifier ignored since 'D' is the default
  AC_SUBST(AR_FLAGS, [cr])
  
@@ -58,19 +58,19 @@ Index: curl-8.12.0/configure.ac
  dnl This defines _ALL_SOURCE for AIX
  CURL_CHECK_AIX_ALL_SOURCE
  
-Index: curl-8.12.0/lib/hostip.c
+Index: curl-8.14.0/lib/hostip.c
 ===================================================================
---- curl-8.12.0.orig/lib/hostip.c
-+++ curl-8.12.0/lib/hostip.c
-@@ -44,6 +44,7 @@
- #include <setjmp.h>
+--- curl-8.14.0.orig/lib/hostip.c
++++ curl-8.14.0/lib/hostip.c
+@@ -46,6 +46,7 @@
  #include <signal.h>
+ #endif
  
 +#include <fcntl.h>
  #include "urldata.h"
  #include "sendf.h"
- #include "hostip.h"
-@@ -624,7 +625,7 @@ bool Curl_ipv6works(struct Curl_easy *da
+ #include "connect.h"
+@@ -691,7 +692,7 @@ bool Curl_ipv6works(struct Curl_easy *da
    else {
      int ipv6_works = -1;
      /* probe to see if we have a working IPv6 stack */
@@ -79,11 +79,11 @@ Index: curl-8.12.0/lib/hostip.c
      if(s == CURL_SOCKET_BAD)
        /* an IPv6 address was requested but we cannot get/use one */
        ipv6_works = 0;
-Index: curl-8.12.0/lib/cf-socket.c
+Index: curl-8.14.0/lib/cf-socket.c
 ===================================================================
---- curl-8.12.0.orig/lib/cf-socket.c
-+++ curl-8.12.0/lib/cf-socket.c
-@@ -367,7 +367,9 @@ static CURLcode socket_open(struct Curl_
+--- curl-8.14.0.orig/lib/cf-socket.c
++++ curl-8.14.0/lib/cf-socket.c
+@@ -369,7 +369,9 @@ static CURLcode socket_open(struct Curl_
    }
    else {
      /* opensocket callback not set, so simply create the socket now */