* Security fixes:
- [bsc#1243933, CVE-2025-5399] libcurl can possibly get
trapped in an endless busy-loop when processing specially
crafted packets [d1145df2]
* Bugfixes:
- asyn-thrdd: fix cleanup when RR fails due to OOM
- ftp: fix teardown of DATA connection in done
- http: fail early when rewind of input failed when following redirects
- multi: fix add_handle resizing
- tls BIOs: handle BIO_CTRL_EOF correctly
- tool_getparam: make --no-anyauth not be accepted
- wolfssl: fix sending of early data
- ws: handle blocked sends better
- ws: tests and fixes
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=397
* Changes:
- curl: add write-out variable 'tls_earlydata'
- curl: make --url support a file with URLs
- gnutls: set priority via --ciphers
- IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
- lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
- OpenSSL/quictls: add support for TLSv1.3 early data
- rustls: add support for CERTINFO
- rustls: add support for SSLKEYLOGFILE
- rustls: support ECH w/ DoH lookup for config
- rustls: support native platform verifier
- var: add a '64dec' function that can base64 decode a string
* Bugfixes:
- conn: fix connection reuse when SSL is optional
- hash: use single linked list for entries
- http2: detect session being closed on ingress handling
- http2: reset stream on response header error
- http: remove a HTTP method size restriction
- http: version negotiation
- httpsrr: fix port detection
- libssh: fix freeing of resources in disconnect
- libssh: fix scp large file upload for 32-bit size_t systems
- openssl-quic: do not iterate over multi handles
- openssl: check return value of X509_get0_pubkey
- openssl: drop support for old OpenSSL/LibreSSL versions
- openssl: fix crash on missing cert password
- openssl: fix pkcs11 URI checking for key files.
- openssl: remove bad `goto`s into other scope
- setopt: illegal CURLOPT_SOCKS5_AUTH should return error
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=392
* Bugfixes:
- asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
- asyn-thread: fix HTTPS RR crash
- asyn-thread: fix the returned bitmask from Curl_resolver_getsock
- asyn-thread: survive a c-ares channel set to NULL
- cmake: always reference OpenSSL and ZLIB via imported targets
- cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
- cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
- content_encoding: #error on too old zlib
- imap: TLS upgrade fix
- ldap: drop support for legacy Novell LDAP SDK
- libssh2: comparison is always true because rc <= -1
- libssh2: raise lowest supported version to 1.2.8
- libssh: drop support for libssh older than 0.9.0
- openssl-quic: ignore ciphers for h3
- pop3: TLS upgrade fix
- runtests: fix the disabling of the memory tracking
- runtests: quote commands to support paths with spaces
- scache: add magic checks
- smb: silence '-Warray-bounds' with gcc 13+
- smtp: TLS upgrade fix
- tool_cfgable: sort struct fields by size, use bitfields for booleans
- tool_getparam: add "TLS required" flag for each such option
- vtls: fix multissl-init
- wakeup_write: make sure the eventfd write sends eight bytes
- Update to 8.12.0:
* Security fixes:
- [bsc#1234068, CVE-2024-11053] curl could leak the password used
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=389
* Security fixes:
- [bsc#1234068, CVE-2024-11053] curl could leak the password used
for the first host to the followed-to host under certain circumstances.
- [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry
- [bsc#1236589, CVE-2025-0665] eventfd double close
* Changes:
- curl: add byte range support to --variable reading from file
- curl: make --etag-save acknowledge --create-dirs
- getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
- getinfo: provide info which auth was used for HTTP and proxy
- hyper: drop support
- openssl: add support to use keys and certificates from PKCS#11 provider
- QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
- vtls: feature ssls-export for SSL session im-/export
* Bugfixes:
- altsvc: avoid integer overflow in expire calculation
- asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
- asyn-ares: fix memory leak
- asyn-ares: initial HTTPS resolve support
- asyn-thread: use c-ares to resolve HTTPS RR
- async-thread: avoid closing eventfd twice
- cd2nroff: do not insist on quoted <> within backticks
- cd2nroff: support "none" as a TLS backend
- conncache: count shutdowns against host and max limits
- content_encoding: drop support for zlib before 1.2.0.4
- content_encoding: namespace GZIP flag constants
- content_encoding: put the decomp buffers into the writer structs
- content_encoding: support use of custom libzstd memory functions
- cookie: cap expire times to 400 days
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=387
- Update to 8.11.1:
* Security fixes:
- netrc and redirect credential leak [bsc#1234068, CVE-2024-11053]
* Bugfixes:
- build: fix ECH to always enable HTTPS RR
- cookie: treat cookie name case sensitively
- curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected
- curl: use realtime in trace timestamps
- digest: produce a shorter cnonce in Digest headers
- docs: document default 'User-Agent'
- docs: suggest --ssl-reqd instead of --ftp-ssl
- duphandle: also init netrc
- hostip: don't use the resolver for FQDN localhost
- http_negotiate: allow for a one byte larger channel binding buffer
- krb5: fix socket/sockindex confusion, MSVC compiler warnings
- libssh: use libssh sftp_aio to upload file
- libssh: when using IPv6 numerical address, add brackets
- mime: fix reader stall on small read lengths
- mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
- mprintf: fix the integer overflow checks
- multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when...
- netrc: address several netrc parser flaws
- netrc: support large file, longer lines, longer tokens
- nghttp2: use custom memory functions
- OpenSSL: improve error message on expired certificate
- openssl: remove three "Useless Assignments"
- openssl: stop using SSL_CTX_ function prefix for our functions
- pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS
- rtsp: check EOS in the RTSP receive and return an error code
- schannel: remove TLS 1.3 ciphersuite-list support
OBS-URL: https://build.opensuse.org/request/show/1230013
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=385
* Security fixes: [bsc#1232528, CVE-2024-9681]
* curl: HSTS subdomain overwrites parent cache entry
* Changes:
- curl: --create-dirs works for --dump-header as well
- gtls: Add P12 format support
- ipfs: add options to disable
- TLS: TLSv1.3 earlydata support for curl
- WebSockets: make support official (non-experimental)
* Bugfixes:
- build: clarify CA embed is for curl tool, mark default, improve summary
- build: show if CA bundle to embed was found
- build: tidy up and improve versioned-symbols options
- cmake/FindNGTCP2: use library path as hint for finding crypto module
- cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
- cmake: rename LDAP dependency config variables to match Find modules
- cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
- cmake: use OpenSSL for LDAP detection only if available
- curl: add build options for safe/no CA bundle search (Windows)
- curl: detect ECH support dynamically, not at build time
- curl_addrinfo: support operating systems with only getaddrinfo(3)
- ftp: fix 0-length last write on upload from stdin
- gnutls: use session cache for QUIC
- hsts: improve subdomain handling
- hsts: support "implied LWS" properly around max-age
- http2: auto reset stream on server eos
- json.md: cli-option '--json' is an alias of '--data-binary'
- lib: move curl_path.[ch] into vssh/
- lib: remove function pointer typecasts for hmac/sha256/md5
- libssh.c: handle EGAINS during proto-connect correctly
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=380
* Bugfixes:
- autotools: fix `--with-ca-embed` build rule
- cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
- cmake: fix MSH3 to appear on the feature list
- connect: store connection info when really done
- FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
- http2: when uploading data from stdin, fix eos forwarding
- http: make max-filesize check not count ignored bodies
- lib: fix AF_INET6 use outside of USE_IPV6
- multi: check that the multi handle is valid in curl_multi_assign
- QUIC: on connect, keep on trying on draining server
- request: correctly reset the eos_sent flag
- setopt: remove superfluous use of ternary expressions
- singleuse: drop `Curl_memrchr()` for no-HTTP builds
- tool_cb_wrt: use "curl_response" if no file name in URL
- transfer: fix sendrecv() without interim poll
- vtls: fix `Curl_ssl_conn_config_match` doc param
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=378
* Security fixes:
- [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS
* Changes:
- curl: make --rate accept "number of units"
- curl: make --show-headers the same as --include
- curl: support --dump-header % to direct to stderr
- curl: support embedding a CA bundle and --dump-ca-embed
- curl: support repeated use of the verbose option; -vv etc
- curl: use libuv for parallel transfers with --test-event
- vtls: stop offering alpn http/1.1 for http2-prior-knowledge
* Bugfixes:
- curl: allow 500MB data URL encode strings
- curl: warn on unsupported SSL options
- Curl_rand_bytes to control env override
- curl_sha512_256: fix symbol collisions with nettle library
- dist: fix reproducible build from release tarball
- http2: fix GOAWAY message sent to server
- http2: improve rate limiting of downloads
- INSTALL.md: MultiSSL and QUIC are mutually exclusive
- lib: add eos flag to send methods
- lib: make SSPI global symbols use Curl_ prefix
- lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name
- lib: remove the final strncpy() calls
- lib: remove use of RANDOM_FILE
- Makefile.mk: fixup enabling libidn2
- max-filesize.md: mention zero disables the limit
- mime: avoid infinite loop in client reader
- ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
- openssl quic: fix memory leak
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=376
* Security fixes:
- curl: ASN.1 date parser overread [bsc#1228535, CVE-2024-7264]
* Bugfixes:
- cmake: detect 'libssh' via 'pkg-config'
- cmake: detect 'nettle' when building with GnuTLS
- connect: fix connection shutdown for event based processing
- curl: more defensive socket code for --ip-tos
- CURLOPT_SSL_CTX_FUNCTION.md: mention CA caching
- CURLSHOPT_SHARE.md: mention sessions/cookies as not thread-safe
- ftpserver.pl: make POP3 LIST serve content from the test file
- lib: survive some NULL input args
- os400: build cli manual.
- os400: workaround an IBM ASCII run-time library bug
- transfer: speed limiting fix for 32bit systems
- vtls: avoid forward declaration in MultiSSL builds
- x509asn1: unittests and fixes for gtime2str
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=373
* Security fixes:
- [bsc#1227888, CVE-2024-6197] curl: freeing stack buffer
in utf8asn1str
- [bsc#1228260, CVE-2024-6874] idn: tweak buffer use when
converting with macidn
* Changes:
- curl: add --ip-tos (IP Type of Service / Traffic Class)
- curl: add --mptcp
- curl: add --vlan-priority
- curl: add -w '%{num_retries}'
- gnutls: support CA caching
- mbedtls: support CURLOPT_CERTINFO
- noproxy: patterns need to be comma separated
- socket: support binding to interface *AND* IP
- tcpkeepalive: add CURLOPT_TCP_KEEPCNT and --keepalive-cnt
- urlapi: add CURLU_NO_GUESS_SCHEME
- wolfssl: support CA caching
* Bugfixes:
- connection: shutdown TLS (for FTP) better
- curl-config: revert to backticks to support old target envs
- curl: allow etag and content-disposition for 3xx reply
- curl: bsearch the --write-out variable name
- curl: check for --disable case *sensitively*
- doh: fix leak and zero-length HTTPS RR crash
- file: separate fake headers and body with a stand-alone CRLF
- ftp: remove redundant null pointer check in loop condition
- gnutls: improve TLS shutdown
- gnutls: pass in SNI name, not hostname when checking cert
- hostip: skip error check for infallible function call
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=371
- ws: make the curl_ws_meta() return pointer a const
- tool_writeout: add URL component variables
- build: remove support for curl_off_t < 8 bytes
- Update to 7.87.0:
- version: add a feature names array to curl_version_info_data
- x509asn1: avoid freeing unallocated pointers
- add tests-for-32bit.patch to fix testsuite on 32bit platforms
- socks: support unix sockets for socks proxy
- x509asn1: mark msnprintf return as unchecked
- (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
- x509asn1: make do_pubkey handle EC public keys
* Renamed:
- msh3: add support for QUIC and HTTP/3 using msh3
- wolfssl: fix compiler error without IPv6
- tests/sshserver.pl: make it work with openssh-8.7p1
- vtls: refuse setting any SSL version
- http: introduce AWS HTTP v4 Signature support
- Enable zstd and brotli support
- Update to 7.74.0
- tls: add CURLOPT_SSL_EC_CURVES and --curves
- vtls: compare cert blob when finding a connection to reuse
- tool: Add option --retry-all-errors to retry on any error
- write-out.d: added "response_code"
- writeout: support to generate JSON output with '%{json}'
- gnutls: ensure TLS 1.3 when SRP isn't requested
- version: make curl_version* thread-safe without using global context
- wolfSSH: new SSH backend
- winbuild: Document CURL_STATICLIB requirement for static libcurl
- urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=366
- Fix make install for curl-config.1
* docs/Makefile.am: make curl-config.1 install
* Fixed upstream in: github.com/curl/curl/pull/13741
* Add curl-make-install-curl-config.patch
- Update to 8.8.0:
* Changes:
- curl_version_info: provide librtmp version
- file: add support for directory listings
- lib: add curl_multi_waitfds
- NTLM_WB: drop support
- TLS: add support for ECH (Encrypted Client Hello)
- urlapi: add CURLU_GET_EMPTY for empty queries and fragments
* Bugfixes:
- build: prefer "USE_IPV6" macro internally (was: "ENABLE_IPV6")
- cd2nroff/manage: use UTC when SOURCE_DATE_EPOCH is set
- cf-socket: don't try getting local IP without socket
- cf-socket: remove references to l_ip, l_port
- configure: make --disable-docs imply --disable-manual
- curl.h: change CURL_SSLVERSION_* from enum to defines
- curl_path: make Curl_get_pathname use dynbuf
- curl_sha512_256: do not use workaround for NetBSD when not needed
- curl_sha512_256: fix detection of OpenSSL 1.1.1 or later
- curl_url_get.md: clarify queries and fragments and CURLU_GET_EMPTY
- DEPRECATE.md: TLS libraries without 1.3 support
- digest: replace strcpy for empty string with simple assignment
- doc: pytest "--repeat" -> "--count"
- docs/cmdline-opts: mention STARTTLS for --ssl and --ssl-reqd
- dynbuf: fix returncode on memory error
- ftp: add tracing support
OBS-URL: https://build.opensuse.org/request/show/1176742
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=364