Update to 8.18.0

* [bsc#1256105, CVE-2025-14017] call ldap_init() before setting the options
* [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer
* [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth
* [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
* [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file

Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>

curl-8.14.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmg/3PcACgkQXMkI/bce
-EsJqDAf/Q6bzaPr1MlnbF3yFwzpMNY4ZH6SXWvmztLaFksrNFM8fuby00yNQ02pi
-4kfyIWgR4SRpHq2rmM//JudwRO5vObEctrtw/bQWR9IQ/rkrt2RtwDfFXLOtq2k/
-aHmmnZmQNeVJYQUpGlsehtXMCO0wIpvRK4yecHZC4ueq+UCJjrp2rJVpaKm+KOVY
-2DxPA5OyBKVKV/hJXD8+7V06HnsbojyxGf4Wg2XuXz1pa7z6lxWaf3ACf9gi+BzX
-4uPRT4ZChWCqUvLBl2C95ulY0/rmem7ffJuhBC0hBDk3qpqV8tv9TyS9xoTEVVkh
-sK20aPD0vcHjnTM0u/IfVVhfliNC+Q==
-=mjWb
------END PGP SIGNATURE-----

curl-8.18.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmleBDIACgkQXMkI/bce
+EsINpQf8C15Nc/X/d/CjOOMV66+0bpDnUzab+8qDItfD3uNR66B7gj+ZUfyiuNp8
+rPAbjWhuDlvdVATfOpax5KltK/+IweoOHevt15eEG/iERpJShsIPmX0PGkvsPpxP
+LzrquV0pjOUWGxMN8ophfeE+hMh37AROvYlcbK/bGG9xJquAbLj2kW+xGbUouPzL
+taq2Pnm8TvqyrnNulWRbezQRv4AB7cM0z9w5q6m4vpJfv+DLSHfmX8svXx2EkdPN
+ij0+v5UESKforBwm3OYfL5bkgEaii5yJS5h2T8NQCQn4hldFJxO/h+OLjV89HRZp
+uasF96+6nhG/q7x829p1pQ6le3Btag==
+=J4xV
+-----END PGP SIGNATURE-----

curl-fix--ftp-pasv.patch

@@ -1,147 +0,0 @@
-From 5f805eec1149c218145097ec2a24ac7fb7d46f25 Mon Sep 17 00:00:00 2001
-From: Dan Fandrich <dan@coneharvesters.com>
-Date: Fri, 6 Jun 2025 10:21:09 -0700
-Subject: [PATCH] tool_getparam: fix --ftp-pasv
-
-This boolean option was moved to the wrong handling function. Make it
-an ARG_NONE and move it to the correct handler and add a test to
-verify that the option works.
-
-Follow-up to 698491f44
-
-Reported-by: fjaell on github
-Fixes #17545
-Closes #17547
----
- docs/cmdline-opts/ftp-pasv.md |  3 +-
- src/tool_getparam.c           |  8 ++---
- tests/data/Makefile.am        |  2 +-
- tests/data/test1547           | 59 +++++++++++++++++++++++++++++++++++
- 4 files changed, 66 insertions(+), 6 deletions(-)
- create mode 100644 tests/data/test1547
-
-diff --git a/docs/cmdline-opts/ftp-pasv.md b/docs/cmdline-opts/ftp-pasv.md
-index 964f9769ae59..02deee30ded8 100644
---- a/docs/cmdline-opts/ftp-pasv.md
-+++ b/docs/cmdline-opts/ftp-pasv.md
-@@ -6,7 +6,8 @@ Help: Send PASV/EPSV instead of PORT
- Protocols: FTP
- Added: 7.11.0
- Category: ftp
--Multi: boolean
-+Multi: mutex
-+Mutexed: ftp-port
- See-also:
-   - disable-epsv
- Example:
-diff --git a/src/tool_getparam.c b/src/tool_getparam.c
-index 51156e46b97e..6d7020987d0a 100644
---- a/src/tool_getparam.c
-+++ b/src/tool_getparam.c
-@@ -153,7 +153,7 @@ static const struct LongShort aliases[]= {
-   {"ftp-alternative-to-user",    ARG_STRG, ' ', C_FTP_ALTERNATIVE_TO_USER},
-   {"ftp-create-dirs",            ARG_BOOL, ' ', C_FTP_CREATE_DIRS},
-   {"ftp-method",                 ARG_STRG, ' ', C_FTP_METHOD},
--  {"ftp-pasv",                   ARG_BOOL, ' ', C_FTP_PASV},
-+  {"ftp-pasv",                   ARG_NONE, ' ', C_FTP_PASV},
-   {"ftp-port",                   ARG_STRG, 'P', C_FTP_PORT},
-   {"ftp-pret",                   ARG_BOOL, ' ', C_FTP_PRET},
-   {"ftp-skip-pasv-ip",           ARG_BOOL, ' ', C_FTP_SKIP_PASV_IP},
-@@ -1703,6 +1703,9 @@ static ParameterError opt_none(struct GlobalConfig *global,
-     break;
-   case C_DUMP_CA_EMBED: /* --dump-ca-embed */
-     return PARAM_CA_EMBED_REQUESTED;
-+  case C_FTP_PASV: /* --ftp-pasv */
-+    tool_safefree(config->ftpport);
-+    break;
- 
-   case C_HTTP1_0: /* --http1.0 */
-     /* HTTP version 1.0 */
-@@ -2293,9 +2296,6 @@ static ParameterError opt_filestring(struct GlobalConfig *global,
-   case C_URL: /* --url */
-     err = parse_url(global, config, nextarg);
-     break;
--  case C_FTP_PASV: /* --ftp-pasv */
--    tool_safefree(config->ftpport);
--    break;
-   case C_SOCKS5: /* --socks5 */
-     /*  socks5 proxy to use, and resolves the name locally and passes on the
-         resolved address */
-diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
-index 1ef85cd3a2da..446674605835 100644
---- a/tests/data/Makefile.am
-+++ b/tests/data/Makefile.am
-@@ -203,7 +203,7 @@ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
- test1516 test1517 test1518 test1519 test1520 test1521 test1522 test1523 \
- test1524 test1525 test1526 test1527 test1528 test1529 test1530 test1531 \
- test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 \
--test1540 test1541 test1542 test1543 test1544 test1545 test1546 \
-+test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 \
- \
- test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
- test1558 test1559 test1560 test1561 test1562 test1563 test1564 test1565 \
-diff --git a/tests/data/test1547 b/tests/data/test1547
-new file mode 100644
-index 000000000000..244151a5abd1
---- /dev/null
-+++ b/tests/data/test1547
-@@ -0,0 +1,59 @@
-+<testcase>
-+# Based on test100 & test101
-+<info>
-+<keywords>
-+FTP
-+PASV
-+LIST
-+</keywords>
-+</info>
-+#
-+# Server-side
-+<reply>
-+<data mode="text">
-+total 20
-+drwxr-xr-x   8 98       98           512 Oct 22 13:06 .
-+drwxr-xr-x   8 98       98           512 Oct 22 13:06 ..
-+drwxr-xr-x   2 98       98           512 May  2  1996 curl-releases
-+-r--r--r--   1 0        1             35 Jul 16  1996 README
-+lrwxrwxrwx   1 0        1              7 Dec  9  1999 bin -> usr/bin
-+dr-xr-xr-x   2 0        1            512 Oct  1  1997 dev
-+drwxrwxrwx   2 98       98           512 May 29 16:04 download.html
-+dr-xr-xr-x   2 0        1            512 Nov 30  1995 etc
-+drwxrwxrwx   2 98       1            512 Oct 30 14:33 pub
-+dr-xr-xr-x   5 0        1            512 Oct  1  1997 usr
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+ftp
-+</server>
-+<name>
-+FTP dir list PASV overriding PORT
-+</name>
-+<command>
-+ftp://%HOSTIP:%FTPPORT/test-%TESTNUMBER/ -P %CLIENTIP --ftp-pasv
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+QUIT
-+</strip>
-+<protocol>
-+USER anonymous
-+PASS ftp@example.com
-+PWD
-+CWD test-%TESTNUMBER
-+EPSV
-+TYPE A
-+LIST
-+QUIT
-+</protocol>
-+</verify>
-+</testcase>

curl-secure-getenv.patch

@@ -1,10 +1,10 @@
-Index: curl-8.13.0/lib/getenv.c
+Index: curl-8.18.0/lib/getenv.c
 ===================================================================
---- curl-8.13.0.orig/lib/getenv.c
-+++ curl-8.13.0/lib/getenv.c
-@@ -29,6 +29,14 @@
- 
- #include "memdebug.h"
+--- curl-8.18.0.orig/lib/getenv.c
++++ curl-8.18.0/lib/getenv.c
+@@ -23,6 +23,14 @@
+  ***************************************************************************/
+ #include "curl_setup.h"
  
 +#ifndef HAVE_SECURE_GETENV
 +#  ifdef HAVE___SECURE_GETENV
@@ -14,23 +14,23 @@ Index: curl-8.13.0/lib/getenv.c
 +#  endif
 +#endif
 +
- static char *GetEnv(const char *variable)
+ char *curl_getenv(const char *variable)
  {
- #if defined(CURL_WINDOWS_UWP) || defined(UNDER_CE) || \
-@@ -69,7 +77,7 @@ static char *GetEnv(const char *variable
+ #if defined(CURL_WINDOWS_UWP) || \
+@@ -63,7 +71,7 @@ char *curl_getenv(const char *variable)
      /* else rc is bytes needed, try again */
    }
  #else
 -  char *env = getenv(variable);
 +  char *env = secure_getenv(variable);
-   return (env && env[0]) ? strdup(env) : NULL;
+   return (env && env[0]) ? curlx_strdup(env) : NULL;
  #endif
  }
-Index: curl-8.13.0/configure.ac
+Index: curl-8.18.0/configure.ac
 ===================================================================
---- curl-8.13.0.orig/configure.ac
-+++ curl-8.13.0/configure.ac
-@@ -5384,6 +5384,8 @@ fi
+--- curl-8.18.0.orig/configure.ac
++++ curl-8.18.0/configure.ac
+@@ -5528,6 +5528,8 @@ fi
  
  CURL_PREPARE_CONFIGUREHELP_PM
  

curl.changes

@@ -1,3 +1,516 @@
+-------------------------------------------------------------------
+Wed Jan  7 11:48:31 UTC 2026 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Update to 8.18.0:
+  * Security fixes:
+    - [bsc#1256105, CVE-2025-14017] ldap: call ldap_init() before setting the options
+    - [bsc#1255731, CVE-2025-14524] curl_sasl: if redirected, require permission to use bearer
+    - [bsc#1255734, CVE-2025-15224] libssh: require private key or user-agent for public key auth
+    - [bsc#1255732, CVE-2025-14819] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
+    - [bsc#1255733, CVE-2025-15079] libssh: set both knownhosts options to the same file
+  * Changes:
+    - openssl: bump minimum OpenSSL version to 3.0.0
+  * Bugfixes:
+    - alt-svc: more flexibility on same destination
+    - altsvc: accept ma/persist per alternative entry
+    - altsvc: make it one malloc instead of three per entry
+    - asyn-ares: handle Curl_dnscache_mk_entry() OOM error
+    - asyn-ares: remove hostname free on OOM
+    - asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo
+    - asyn-thrdd: release rrname if ares_init_options fails
+    - auth: always treat Curl_auth_ntlm_get() returning NULL as OOM
+    - autotools: add nettle library detection via pkg-config (for GnuTLS)
+    - autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr)
+    - autotools: fix LargeFile feature display on Windows (after prev patch)
+    - autotools: tidy-up 'if' expressions
+    - build: add build-level 'CURL_DISABLE_TYPECHECK' options
+    - build: exclude clang prereleases from compiler warning options
+    - build: replace '-pedantic' with '-Wpedantic' when supported
+    - build: set '-Wno-format-signedness'
+    - build: tidy-up MSVC CRT warning suppression macros
+    - ccsidcurl: make curl_mime_data_ccsid() use the converted size
+    - cf-h1-proxy: support folded headers in CONNECT responses
+    - cf-https-connect: allocate ctx at first in cf_hc_create()
+    - cf-socket: drop feature check for 'IPV6_V6ONLY' on Windows
+    - cf-socket: enable Win10 'TCP_KEEP*' options with old SDKs
+    - cf-socket: limit use of 'TCP_KEEP*' to Windows 10.0.16299+ at runtime
+    - cf-socket: return OOM error if socket() fails due to OOM
+    - cf-socket: trace ignored errors
+    - cfilters: make conn_forget_socket a private libssh function
+    - checksrc.pl: detect assign followed by more than one space
+    - cmake: adjust defaults for target platforms not supporting shared libs
+    - cmake: define dependencies as 'IMPORTED' interface targets
+    - cmake: delete unused file 'CMake/CMakeConfigurableFile.in'
+    - cmake: disable 'CURL_CA_PATH' auto-detection if 'USE_APPLE_SECTRUST=ON'
+    - cmake: fix 'ws2_32' reference in 'curl-config.cmake'
+    - cmake: honor 'CURL_DISABLE_INSTALL' and 'CURL_ENABLE_EXPORT_TARGET'
+    - cmake: replace deprecated 'OPENSSL_FOUND' with 'OpenSSL_FOUND'
+    - cmake: replace deprecated 'PERL_FOUND' with 'Perl_FOUND'
+    - cmake: save and restore 'CMAKE_MODULE_PATH' in 'curl-config.cmake'
+    - cmake: set found status to OFF when not found (for compression deps)
+    - code: minor indent fixes before closing braces
+    - config-win32.h: delete obsolete, non-Windows comments
+    - config-win32.h: drop unused/obsolete 'CURL_HAS_OPENLDAP_LDAPSDK'
+    - config2setopts: add space in cookie header with multiple -b
+    - config2setopts: bail out if curl_url_get() returns OOM
+    - config2setopts: exit if curl_url_set() fails on OOM
+    - configure: delete unused variable
+    - conncache: silence '-Wnull-dereference' on gcc 14 RISC-V 64
+    - conncontrol: reuse handling
+    - connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition'
+    - connection: attached transfer count
+    - content_encoding: avoid strcpy
+    - cookie. return proper error on OOM
+    - cookie: allocate the main struct once cookie is fine
+    - cookie: flush better
+    - cookie: only keep and use the canonical cleaned up path
+    - cookie: propagate errors better, cleanup the internal API
+    - cookie: return error on OOM
+    - cookie: when parsing a cookie header, delay all allocations until okay
+    - cshutdn: acknowledge FD_SETSIZE for shutdown descriptors
+    - curl: fix progress meter in parallel mode
+    - curl_fopen: do not pass invalid mode flags to 'open()' on Windows
+    - curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer
+    - curl_ntlm_core: fix DES_* symbols for some wolfSSL builds
+    - curl_quiche: refuse headers with CR, LF or null bytes
+    - curl_sasl: make Curl_sasl_decode_mech compare case insensitively
+    - curl_setup.h: document more funcs flagged by '_CRT_SECURE_NO_WARNINGS'
+    - curl_setup.h: drop stray '#undef stat' (Windows)
+    - curl_setup.h: drop superfluous parenthesis from 'Curl_safefree' macro
+    - curl_threads: don't do another malloc if the first fails
+    - curl_trc: delete unused DoH remains
+    - CURLINFO: remove 'get' and 'get the' from each short desc
+    - CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer"
+    - CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text
+    - CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use
+    - CURLOPT_ACCEPT_ENCODING.md: warn about the expansion
+    - CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/
+    - CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use
+    - CURLOPT_READFUNCTION.md: clarify the size of the buffer
+    - CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
+    - curlx/fopen: replace open CRT functions their with '_s' counterparts (Windows)
+    - curlx/multibyte: stop setting macros for non-Windows
+    - curlx/strerr: use 'strerror_s()' on Windows
+    - curlx: add 'curlx_rename()', fix to support long filenames on Windows
+    - curlx: curlx_strcopy() instead of strcpy()
+    - curlx: limit use of system allocators to the minimum possible
+    - curlx: replace 'mbstowcs'/'wcstombs' with '_s' counterparts (Windows)
+    - curlx: replace 'sprintf' with 'snprintf'
+    - curlx: use curl alloc in 'curlx_win32_stat()' (Windows)
+    - curlx: use curlx allocators in non-memdebug builds (Windows)
+    - DEPRECATE: add CMake <3.18 deprecation for April 2026
+    - digest: fix OWS and escaped quote handling
+    - digest_sspi: fix a memory leak on error path
+    - digest_sspi: properly free sspi identity
+    - doc: some returned in-memory data may not be altered
+    - docs: add a note about --compressed to note about binary output
+    - docs: clarify how to do unix domain sockets with SOCKS proxy
+    - docs: fix checksrc 'EQUALSPACE' warnings
+    - docs: fix time_posttransfer output unit as seconds
+    - docs: mention umask need when curl creates files
+    - docs: remove dead URLs
+    - docs: rename CURLcode variables to 'result'
+    - docs: spell it Rustls with a capital R
+    - docs: switch more URLs to https://
+    - docs: use mresult as variable name for CURLMcode
+    - escape: add a length check in curl_easy_escape
+    - file: do not pass invalid mode flags to 'open()' on upload (Windows)
+    - formdata: validate callback is non-NULL before use
+    - ftp: make EPRT connections non-blocking
+    - ftp: refactor a piece of code by merging the repeated part
+    - ftp: remove #ifdef for define that is always defined
+    - ftp: return better on OOM in two places
+    - ftp: return from ftp_state_use_port immediately on OOM
+    - getenv: drop internal 1-to-1 wrapper
+    - getinfo: improve perf in debug mode
+    - h2/h3: handle methods with spaces
+    - headers: add length argument to Curl_headers_push()
+    - hostcheck: fail wildcard match if host starts with a dot
+    - hostip.h: drop redundant 'setjmp.h' include
+    - hostip: don't store negative lookup on OOM
+    - hostip: make more functions return CURLcode
+    - hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST
+    - hsts: propagate and error out correctly on OOM
+    - hsts: use one malloc instead of two per entry
+    - http: acknowledge OOM errors from Curl_input_ntlm
+    - http: avoid two strdup()s and do minor simplifications
+    - http: error on OOM when creating range header
+    - http: fix OOM exit in Curl_http_follow
+    - http: handle oom error from Curl_input_digest()
+    - http: replace atoi use in Curl_http_follow with curlx_str_number
+    - http: return OOM errors from hsts properly
+    - http: the :authority header should never contain user+password
+    - http: unfold response headers earlier
+    - idn: avoid allocations and wcslen on Windows
+    - idn: clarify null-termination on Windows
+    - idn: fix memory leak in 'win32_ascii_to_idn()'
+    - idn: use curlx allocators on Windows
+    - imap: check buffer length before accessing it
+    - imap: make sure Curl_pgrsSetDownloadSize() does not overflow
+    - inet_ntop: avoid the strlen()
+    - krb5: fix detecting channel binding feature
+    - krb5_sspi: unify a part of error handling
+    - ldap: drop PP logic for old, unsupported, Windows SDKs
+    - ldap: improve detection of Apple LDAP
+    - ldap: provide version for "legacy" ldap as well
+    - lib/sendf.h: forward declare two structs
+    - lib: cleanup for some typos about spaces and code style
+    - lib: create unitprotos.h in the builddir, not srcdir
+    - lib: drop unused or duplicate 'curlx/timeval.h' includes
+    - lib: drop unused protocol headers
+    - lib: eliminate size_t casts
+    - lib: error for OOM when extracting URL query
+    - lib: fix formatting nits (part 2)
+    - lib: fix formatting nits (part 3)
+    - lib: fix formatting nits
+    - lib: fix gssapi.h include on IBMi
+    - lib: name the main CURLMcode variable 'mresult'
+    - lib: refactor the type of funcs which have useless return and checks
+    - lib: replace '_tcsncpy'/'wcsncpy'/'wcscpy' with '_s' counterparts (Windows)
+    - lib: timer stats improvements
+    - lib: use 'SOCKET_WRITABLE()'/'SOCKET_READABLE()' where possible
+    - libssh2: add paths to error messages for quote commands
+    - libssh2: cleanup ssh_force_knownhost_key_type
+    - libssh2: consider strdup() failures OOM and return correctly
+    - libssh2: replace atoi() in ssh_force_knownhost_key_type
+    - libssh: fix state machine loop to progress as it should
+    - libssh: properly free sftp_attributes
+    - libtests: replace 'atoi()' with 'curlx_str_number()'
+    - limit-rate: add example using --limit-rate and --max-time together
+    - localtime: detect thread-safe alternatives and use them
+    - m4/sectrust: fix test(1) operator
+    - manage: expand the 'libcurl support required' message
+    - mbedTLS: cleanup insecure/deprecated code
+    - mbedtls: fix potential use of uninitialized 'nread'
+    - mbedtls: sync format across log messages
+    - mbedtls_threadlock: avoid calloc, use array
+    - mdlinkcheck: ignore IP numbers, allow '@' in raw URLs
+    - mdlinkcheck: only look for markdown links in markdown files
+    - memdebug: add mutex for thread safety
+    - memdebug: fix realloc logging
+    - mk-ca-bundle.md: the file format docs URL is permaredirected
+    - mk-ca-bundle.pl: default to SHA256 fingerprints with '-t' option
+    - mk-ca-bundle.pl: use 'open()' with argument list to replace backticks
+    - mqtt: reject overly big messages
+    - mqtt: return error when a too large packet is decoded
+    - multi: make max_total_* members size_t
+    - multi: remove MSTATE_TUNNELING
+    - multi: simplify admin handle processing
+    - multibyte: limit 'curlx_convert_*wchar*()' functions to Unicode builds
+    - ngtcp2+openssl: fix leak of session
+    - ngtcp2: remove the unused Curl_conn_is_ngtcp2 function
+    - ngtcp2: retune window sizes
+    - noproxy: fix build on systems without IPv6
+    - noproxy: fix ipv6 handling
+    - noproxy: replace atoi with curlx_str_number
+    - openssl: exit properly on OOM when getting certchain
+    - openssl: fix a potential memory leak of bio_out
+    - openssl: fix a potential memory leak of params.cert
+    - openssl: fix building against no-dsa openssl
+    - openssl: fix building against no-ocsp openssl with Apple SecTrust
+    - openssl: no verify failf message unless strict
+    - openssl: release ssl_session if sess_reuse_cb fails
+    - openssl: remove code handling default version
+    - openssl: simplify 'HAVE_KEYLOG_CALLBACK' guard
+    - openssl: stop checking for 'OPENSSL_NO_SHA*' macros
+    - openssl: stop checking for 'OPENSSL_NO_TLSEXT' macro
+    - osslq: code readability
+    - progress: make it one column narrower
+    - progress: narrower time display, multiple fixes
+    - progress: show fewer digits
+    - quiche: use client writer
+    - ratelimit blocking: fix busy loop
+    - ratelimit: redesign
+    - rtmp: fix double-free on URL parse errors
+    - rtmp: precaution for a potential integer truncation
+    - rtmp: stop redefining 'setsockopt' system symbol on Windows
+    - schannel: cap the maximum allowed size for loading cert
+    - schannel: fix memory leak of cert_store_path on four error paths
+    - schannel: replace atoi() with curlx_str_number()
+    - schannel: use Win8 'CERT_NAME_SEARCH_ALL_NAMES_FLAG' with old SDKs
+    - schannel_verify: fix a memory leak of cert_context
+    - scripts: fix shellcheck SC2046 warnings
+    - scripts: use end-of-options marker in 'find -exec' commands
+    - setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL
+    - setopt: when setting bad protocols, don't store them
+    - sftp: fix range downloads in both SSH backends
+    - slist: constify Curl_slist_append_nodup() string argument
+    - smb: fix a size check to be overflow safe
+    - socketpair: drop redundant '_WIN32' branch and include
+    - socks_sspi: use free() not FreeContextBuffer()
+    - source: misc typos
+    - speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE
+    - speedlimit: also reset on send unpausing
+    - src: drop redundant definition of 'BIT()'
+    - src: fix formatting nits
+    - ssh: tracing and better pollset handling
+    - sspi: fix memory leaks on error paths in 'Curl_create_sspi_identity()'
+    - sws: fix binding to unix socket on Windows
+    - synctime: tidy up, make it work on all platforms
+    - telnet: abort on bad suboption sequence
+    - telnet: replace atoi for BINARY handling with curlx_str_number
+    - tftp: release filename if conn_get_remote_addr fails
+    - tftpd: fix/tidy up 'open()' mode flags
+    - tidy-up: avoid '(())', clang-format fixes and more
+    - tidy-up: move 'CURL_UNCONST()' out from macro 'curl_unicodefree()'
+    - tidy-up: URLs (cont.) and mdlinkcheck
+    - tidy-up: URLs
+    - tool: consider (some) curl_easy_setopt errors fatal
+    - tool: log when loading .curlrc in verbose mode
+    - tool_cfgable: free ssl-sessions at exit
+    - tool_doswin: clear pointer when thread takes ownership
+    - tool_doswin: increase allowable length of path sanitizer
+    - tool_doswin: remove the max length check
+    - tool_getparam: simplify the --rate parser
+    - tool_getparam: use memdup0() instead of malloc + copy
+    - tool_getparam: verify that a file exists for some options
+    - tool_help: add checks to avoid unsigned wrap around
+    - tool_ipfs: check return codes better
+    - tool_msgs: make voutf() use stack instead of heap
+    - tool_operate: exit on curl_share_setopt errors
+    - tool_operate: fix a case of ignoring return code in operate()
+    - tool_operate: fix case of ignoring return code in single_transfer
+    - tool_operate: remove redundant condition
+    - tool_operate: return error for OOM in append2query
+    - tool_operate: use curlx_str_number instead of atoi
+    - tool_paramhlp: refuse --proto remove all protocols
+    - tool_paramhlp: remove a malloc+free from proto2num()
+    - tool_paramhlp: simplify number parsing
+    - tool_progress: fix large time outputs and decimal size display
+    - tool_urlglob: acknowledge OOM in peek_ipv6
+    - tool_urlglob: clean up used memory on errors better
+    - tool_urlglob: constify an argument
+    - tool_urlglob: fix propagating OOM error from 'sanitize_file_name()'
+    - tool_urlglob: support globs as long as config line lengths
+    - tool_writeout: bail out proper on OOM
+    - url: fix return code for OOM in parse_proxy()
+    - url: if curl_url_get() fails due to OOM, error out properly
+    - url: if OOM in parse_proxy() return error
+    - url: return error at once when OOM in netrc handling
+    - urlapi: fix mem-leaks in curl_url_get error paths
+    - urlapi: handle OOM properly when setting URL
+    - urlapi: return OOM correctly from parse_hostname_login()
+    - verify-release: update to avoid shellcheck warning SC2034
+    - vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
+    - vquic: do not pass invalid mode flags to 'open()' (Windows)
+    - vquic: do_sendmsg full init
+    - vquic: ignore 0-length UDP packets
+    - vquic: initialize new callback in nghttp3 1.14.0+
+    - vtls: drop unused 'use_alpn' from 'ssl_connect_data' struct
+    - vtls: fix CURLOPT_CAPATH use
+    - vtls: handle possible malicious certs_num from peer
+    - vtls: pinned key check
+    - wcurl: import v2025.11.09
+    - wcurl: import v2026.01.05
+    - ws: replace a cast by matching the format string
+    - x509asn1: drop unused 'hostcheck.h', 'vtls_int.h' includes
+  * Rebase patches:
+    - libcurl-ocloexec.patch
+    - curl-secure-getenv.patch
+  * Remove patch curl-vtls-fix-CURLOPT_CAPATH-use.patch
+
+-------------------------------------------------------------------
+Wed Nov 19 13:07:46 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Fix a regression in curl 8.17.0: [bsc#1253116]
+  * Builds with no CURL_CA_PATH ignore CURLOPT_CAPATH
+  * vtls: fix CURLOPT_CAPATH use [gh#curl/curl#19401]
+  * Add upstream curl-vtls-fix-CURLOPT_CAPATH-use.patch
+
+-------------------------------------------------------------------
+Wed Nov  5 08:45:52 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.17.0:
+  * Security fixes:
+    - [bsc#1252859, CVE-2025-10966] curl: missing SFTP host
+      verification with wolfSSH
+    - [bsc#1253757, CVE-2025-11563] curl: wcurl path traversal with
+      percent-encoded slashes
+  * Changes:
+    - krb5: drop support for Kerberos FTP
+    - multi: add notifications API
+    - ssl: support Apple SecTrust configurations
+    - tool_getparam: add --knownhosts
+    - vssh: drop support for wolfSSH
+    - wcurl: import v2025.11.04
+  * Bugfixes:
+    - ares: fix leak in tracing
+    - base64: accept zero length argument to base64_encode
+    - c-ares: when resolving failed, persist error
+    - cf-socket: set FD_CLOEXEC on all sockets opened
+    - cf-socket: use the right byte order for ports in bindlocal
+    - conn: fix hostname move on connection reuse
+    - conncache: prevent integer overflow in maxconnects calculation
+    - cookie: avoid saving a cookie file if no transfer was done
+    - curl_easy_getinfo: error code on NULL arg
+    - curl_path: make sure just whitespace is illegal
+    - digest_sspi: fix two memory leaks in error branches
+    - ftp: add extra buffer length check
+    - ftp: check errors on remote ip for data connection
+    - gnutls: check conversion of peer cert chain
+    - gnutls: fix re-handshake comments
+    - gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
+    - gtls: check the return value of gnutls_pubkey_init()
+    - hmac: free memory properly on errors
+    - HTTP3: clarify the status for "old" OpenSSL, not current
+    - kerberos: bump minimum to 1.3 (2003-07-08), drop legacy logic
+    - krb5_gssapi: fix memory leak on error path
+    - krb5_sspi: the chlg argument is NOT optional
+    - ldap: avoid null ptr deref on failure
+    - ldap: do not base64 encode zero length string
+    - lib: SSL connection reuse
+    - libssh/libssh2: reject quote command lines with too much data
+    - libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume
+    - libssh: acknowledge SSH_AGAIN in the SFTP state machine
+    - nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
+    - ngtcp2: close just-opened QUIC stream when submit_request fails
+    - ngtcp2: compare idle timeout in ms to avoid overflow
+    - noproxy: fix the IPV6 network mask pattern match
+    - NTLM: disable if DES support missing from OpenSSL or mbedTLS
+    - openldap: limit max incoming size
+    - openssl: call SSL_get_error() with proper error
+    - openssl: check CURL_SSLVERSION_MAX_DEFAULT properly
+    - openssl: fail if more than MAX_ALLOWED_CERT_AMOUNT certs
+    - openssl: fail the transfer if ossl_certchain() fails
+    - openssl: fix peer certificate leak in channel binding
+    - openssl: fix resource leak in provider error path
+    - openssl: free UI_METHOD on exit path
+    - openssl: only try engine/provider if a cert file/name is provided
+    - openssl: set io_need always
+    - openssl: skip session resumption when verifystatus is set
+    - pop3: fix CAPA response termination detection
+    - quic: fix min TLS version handling
+    - quic: ignore EMSGSIZE on receive
+    - schannel: properly close the certfile on error
+    - schannel_verify: fix mem-leak in Curl_verify_host
+    - socks: avoid UAF risk in error path
+    - socks: deny server basic-auth if not configured
+    - socks_gssapi: reject too long tokens
+    - socks_gssapi: remove the forced "no protection"
+    - thread: errno on thread creation
+    - ws: reject curl_ws_recv called with NULL buffer with a buflen
+  * Rebase libcurl-ocloexec.patch
+  * Remove curl-handle_user-defined_connection_headers.patch upstream
+
+-------------------------------------------------------------------
+Fri Sep 26 07:37:28 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- curl: http: handle user-defined connection headers [bsc#1249448]
+  * Add curl-handle_user-defined_connection_headers.patch
+
+-------------------------------------------------------------------
+Wed Sep 10 08:43:19 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.16.0:
+  * Security fixes:
+    - [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
+    - [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
+  * Changes:
+    - curl: add --follow and --out-null
+    - curl: add --parallel-max-host to limit concurrent connections per host
+    - curl: make --retry-delay and --retry-max-time accept decimal seconds
+    - hostip: cache negative name resolves
+    - ip happy eyeballing: keep attempts running
+    - multi: add curl_multi_get_offt
+    - multi: add CURLMOPT_NETWORK_CHANGED to signal network changed
+    - netrc: use the NETRC environment variable (first) if set
+    - smtp: allow suffix behind a mail address for RFC 3461
+    - tls: make default TLS version be minimum 1.2
+    - tool_getparam: add support for `--longopt=value`
+    - vquic: drop msh3
+    - websocket: support CURLOPT_READFUNCTION
+  * Bugfixes:
+    - _PROTOCOLS.md: mention file:// is only for absolute paths
+    - acinclude: --with-ca-fallback only works with OpenSSL
+    - bufq: add integer overflow checks before chunk allocations
+    - cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
+    - cmake: fix setting LTO properties on the wrong targets
+    - configure: tidy up internal names in ngtcp2 ossl detection logic
+    - connectdata: remove primary+secondary ip_quadruple
+    - connection: terminate after goaway
+    - cookie: don't treat the leading slash as trailing
+    - cookie: remove expired cookies before listing
+    - curl: tool_read_cb fix of segfault
+    - curl_ossl: extend callback table for nghttp3 1.11.0
+    - DEPRECATE.md: drop old OpenSSL versions
+    - idn: reject conversions that end up as a zero length hostname
+    - ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0
+    - ngtcp2: handshake timeout should be equal to --connect-timeout
+    - openssl: add and use `HAVE_OPENSSL3` internal macro
+    - openssl: check SSL_write() length on retries
+    - openssl: clear errors after a failed `d2i_X509()`
+    - openssl: drop redundant `HAVE_OPENSSL_VERSION` macro
+    - openssl: drop single-use interim macro `USE_OPENSSL_SRP`
+    - openssl: output unescaped utf8 x509 issuer/subject DNs
+    - parallel-max: bump the max value to 65535
+    - resolving: dns error tracing
+    - schannel: add an error message for client cert not found
+    - schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN`
+    - schannel: fix renegotiation
+    - schannel: improve handshake procedure
+    - socks: do_SOCKS5: Fix invalid buffer content on short send
+    - threaded-resolver: fix shutdown
+    - tool_getparam: warn on more unicode prefixes
+    - tool_urlglob: add integer overflow protection
+    - urlapi: allow more path characters "raw" when asked to URL encode
+    - urlglob: only accept 255 globs
+    - vtls: set seen http version on successful ALPN
+    - websocket: handling of PONG frames
+    - websocket: improve handling of 0-len frames
+    - websocket: reset upload_done when sending data
+    - ws: avoid NULL pointer deref in curl_ws_recv
+  * Rebase libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
+Mon Jul 21 08:16:16 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.15.0:
+  * Changes:
+    - TLS: remove support for Secure Transport and BearSSL
+  * Bugfixes:
+    - cf-socket: make socket data_pending a nop
+    - configure: order LDAP after the SSL libraries
+    - curl: improve non-blocking STDIN performance
+    - curl_get_line: make sure lines end with newline
+    - curl_path: make SFTP handle a path like /~ properly.
+    - curlinfo: provide the 'digest' feature
+    - digest: fix build with disabled digest auth
+    - docs: note SSLS-EXPORT feature in -ssl-sessions doc
+    - docs: reflect that delimiter-separated capath is only OpenSSL
+    - docs: sync -tls-earlydata support w/ CURLOPT_SSL_OPTIONS
+    - http/3: report handshake with version and cipher as for TCP connections
+    - http2: do not delay RST send on aborted transfer
+    - http_ntlm: protect against null deref
+    - ldap: initial support for --with-ldap option
+    - lib: address singleuse issues
+    - lib: avoid reusing unclean connection
+    - lib: drop two interim macros in favor of native libcurl API calls
+    - lib: stop 'time()' debug overrides at the end of source in altsvc, hsts
+    - lib: unify recv/send function signatures
+    - memdebug.h: #undef 'fclose' before defining it
+    - openssl: enable readahead
+    - openssl: error on SSL_ERROR_SYSCALL
+    - openssl: fix handling of buffered data
+    - openssl: fix openssl engine use
+    - openssl: fix pkcs11 provider available check
+    - quic: implement CURLINFO_TLS_SSL_PTR
+    - schannel: allow partial chains for manual peer verification
+    - SCP/SFTP: avoid busy loop after EAGAIN
+    - socks: fix query when filter context is null
+    - tls: remove Curl_ssl false_start
+    - tool_getparam: fix --ftp-pasv
+    - tool_operate: fix return code when --retry is used but not triggered
+    - top-complexity: lower max allowed complexity threshold to 90
+    - url: fix NULL deref with bad password when no user is provided
+    - urlapi: use uppercase hex encoding
+    - vtls: change send/recv signatures of tls backends
+    - vtls: prefer ciphersuite to cipher in msgs
+    - vtls: prefer rustls-ffi ciphersuite name API
+    - xfer: manage pause bits
+  * Remove patches upstream:
+    - curl-fix--ftp-pasv.patch
+    - fix-return-code-with-retry.patch
+
 -------------------------------------------------------------------
 Mon Jul 14 08:29:01 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package curl
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 # Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
@@ -36,7 +36,7 @@
 %endif
 
 Name:           curl%{?psuffix}
-Version:        8.14.1
+Version:        8.18.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -51,10 +51,6 @@ Patch1:         dont-mess-with-rpmoptflags.patch
 Patch2:         curl-secure-getenv.patch
 # PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3:         curl-disabled-redirect-protocol-message.patch
-# PATCH-FIX-UPSTREAM fix return code with --fail when --retry is used
-Patch4:         fix-return-code-with-retry.patch
-# PATCH-FIX-UPSTREAM bsc#1246197 Fix the --ftp-pasv option in curl v8.14.1
-Patch5:         curl-fix--ftp-pasv.patch
 BuildRequires:  groff
 BuildRequires:  libtool
 BuildRequires:  pkgconfig

fix-return-code-with-retry.patch

@@ -1,124 +0,0 @@
-From b42776b4f4a6e9c9f5e3ff49d7bf610ad99c45c9 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 Jun 2025 08:37:49 +0200
-Subject: [PATCH] tool_operate: fix return code when --retry is used but not
- triggered
-
-Verify with test 752
-
-Reported-by: fjaell on github
-Fixes #17554
-Closes #17559
----
- src/tool_operate.c     |  3 +-
- tests/data/Makefile.am |  2 +-
- tests/data/test752     | 72 ++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 75 insertions(+), 2 deletions(-)
- create mode 100644 tests/data/test752
-
-diff --git a/src/tool_operate.c b/src/tool_operate.c
-index 24e79e6f61fa..2397de1686d9 100644
---- a/src/tool_operate.c
-+++ b/src/tool_operate.c
-@@ -548,8 +548,9 @@ static CURLcode retrycheck(struct OperationConfig *config,
-     *retryp = TRUE;
-     per->num_retries++;
-     *delayms = sleeptime;
-+    result = CURLE_OK;
-   }
--  return CURLE_OK;
-+  return result;
- }
- 
- 
-diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
-index 446674605835..ab21e0e220be 100644
---- a/tests/data/Makefile.am
-+++ b/tests/data/Makefile.am
-@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
- test718 test719 test720 test721 test722 test723 test724 test725 test726 \
- test727 test728 test729 test730 test731 test732 test733 test734 test735 \
- test736 test737 test738 test739 test740 test741 test742 test743 test744 \
--test745 test746 test747 test748 test749 test750 test751 \
-+test745 test746 test747 test748 test749 test750 test751 test752 \
- \
- test780 test781 test782 test783 test784 test785 test786 test787 test788 \
- test789 test790 test791 \
-diff --git a/tests/data/test752 b/tests/data/test752
-new file mode 100644
-index 000000000000..00f14909d125
---- /dev/null
-+++ b/tests/data/test752
-@@ -0,0 +1,72 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP GET
-+-f
-+--retry
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data crlf="yes">
-+HTTP/1.1 404 nopes
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+
-+<datacheck crlf="yes">
-+HTTP/1.1 404 nopes
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+</datacheck>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+<name>
-+--retry and -f on a HTTP 404 response
-+</name>
-+<command>
-+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -f --retry 1
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<protocol crlf="yes">
-+GET /%TESTNUMBER HTTP/1.1
-+Host: %HOSTIP:%HTTPPORT
-+User-Agent: curl/%VERSION
-+Accept: */*
-+
-+</protocol>
-+<errorcode>
-+22
-+</errorcode>
-+</verify>
-+</testcase>

libcurl-ocloexec.patch

@@ -7,49 +7,49 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.
 
 
-Index: curl-8.14.0/lib/file.c
+Index: curl-8.18.0/lib/file.c
 ===================================================================
---- curl-8.14.0.orig/lib/file.c
-+++ curl-8.14.0/lib/file.c
-@@ -270,7 +270,7 @@ static CURLcode file_connect(struct Curl
+--- curl-8.18.0.orig/lib/file.c
++++ curl-8.18.0/lib/file.c
+@@ -258,7 +258,7 @@ static CURLcode file_connect(struct Curl
      }
    }
    #else
--  fd = open(real_path, O_RDONLY);
-+  fd = open(real_path, O_RDONLY|O_CLOEXEC);
+-  fd = curlx_open(real_path, O_RDONLY);
++  fd = curlx_open(real_path, O_RDONLY|O_CLOEXEC);
    file->path = real_path;
    #endif
  #endif
-@@ -349,9 +349,9 @@ static CURLcode file_upload(struct Curl_
- 
- #if (defined(ANDROID) || defined(__ANDROID__)) && \
-     (defined(__i386__) || defined(__arm__))
--  fd = open(file->path, mode, (mode_t)data->set.new_file_perms);
-+  fd = open(file->path, mode|O_CLOEXEC, (mode_t)data->set.new_file_perms);
+@@ -339,9 +339,9 @@ static CURLcode file_upload(struct Curl_
+                   data->set.new_file_perms & (_S_IREAD | _S_IWRITE));
+ #elif (defined(ANDROID) || defined(__ANDROID__)) && \
+   (defined(__i386__) || defined(__arm__))
+-  fd = curlx_open(file->path, mode, (mode_t)data->set.new_file_perms);
++  fd = curlx_open(file->path, mode|O_CLOEXEC, (mode_t)data->set.new_file_perms);
  #else
--  fd = open(file->path, mode, data->set.new_file_perms);
-+  fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
+-  fd = curlx_open(file->path, mode, data->set.new_file_perms);
++  fd = curlx_open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
  #endif
    if(fd < 0) {
      failf(data, "cannot open %s for writing", file->path);
-Index: curl-8.14.0/lib/if2ip.c
+Index: curl-8.18.0/lib/if2ip.c
 ===================================================================
---- curl-8.14.0.orig/lib/if2ip.c
-+++ curl-8.14.0/lib/if2ip.c
-@@ -209,7 +209,7 @@ if2ip_result_t Curl_if2ip(int af,
+--- curl-8.18.0.orig/lib/if2ip.c
++++ curl-8.18.0/lib/if2ip.c
+@@ -202,7 +202,7 @@ if2ip_result_t Curl_if2ip(int af,
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
  
--  dummy = socket(AF_INET, SOCK_STREAM, 0);
-+  dummy = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
+-  dummy = CURL_SOCKET(AF_INET, SOCK_STREAM, 0);
++  dummy = CURL_SOCKET(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
    if(CURL_SOCKET_BAD == dummy)
      return IF2IP_NOT_FOUND;
  
-Index: curl-8.14.0/configure.ac
+Index: curl-8.18.0/configure.ac
 ===================================================================
---- curl-8.14.0.orig/configure.ac
-+++ curl-8.14.0/configure.ac
-@@ -440,6 +440,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
+--- curl-8.18.0.orig/configure.ac
++++ curl-8.18.0/configure.ac
+@@ -504,6 +504,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
  # Silence warning: ar: 'u' modifier ignored since 'D' is the default
  AC_SUBST(AR_FLAGS, [cr])
  
@@ -58,39 +58,38 @@ Index: curl-8.14.0/configure.ac
  dnl This defines _ALL_SOURCE for AIX
  CURL_CHECK_AIX_ALL_SOURCE
  
-Index: curl-8.14.0/lib/hostip.c
+Index: curl-8.18.0/lib/hostip.c
 ===================================================================
---- curl-8.14.0.orig/lib/hostip.c
-+++ curl-8.14.0/lib/hostip.c
-@@ -46,6 +46,7 @@
+--- curl-8.18.0.orig/lib/hostip.c
++++ curl-8.18.0/lib/hostip.c
+@@ -43,6 +43,7 @@
+ #include <setjmp.h>  /* for sigjmp_buf, sigsetjmp() */
  #include <signal.h>
- #endif
  
 +#include <fcntl.h>
  #include "urldata.h"
- #include "sendf.h"
+ #include "curl_trc.h"
  #include "connect.h"
-@@ -691,7 +692,7 @@ bool Curl_ipv6works(struct Curl_easy *da
+@@ -689,7 +690,7 @@ bool Curl_ipv6works(struct Curl_easy *da
    else {
      int ipv6_works = -1;
      /* probe to see if we have a working IPv6 stack */
--    curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0);
-+    curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
+-    curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM, 0);
++    curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
      if(s == CURL_SOCKET_BAD)
        /* an IPv6 address was requested but we cannot get/use one */
        ipv6_works = 0;
-Index: curl-8.14.0/lib/cf-socket.c
+Index: curl-8.18.0/lib/cf-socket.c
 ===================================================================
---- curl-8.14.0.orig/lib/cf-socket.c
-+++ curl-8.14.0/lib/cf-socket.c
-@@ -369,7 +369,9 @@ static CURLcode socket_open(struct Curl_
+--- curl-8.18.0.orig/lib/cf-socket.c
++++ curl-8.18.0/lib/cf-socket.c
+@@ -345,7 +345,8 @@ static CURLcode socket_open(struct Curl_
    }
    else {
      /* opensocket callback not set, so simply create the socket now */
--    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
-+    *sockfd = socket(addr->family,
-+		     addr->socktype|SOCK_CLOEXEC,
-+		     addr->protocol);
+-    *sockfd = CURL_SOCKET(addr->family, addr->socktype, addr->protocol);
++    *sockfd = CURL_SOCKET(addr->family, addr->socktype|SOCK_CLOEXEC,
++                          addr->protocol);
+     if((*sockfd == CURL_SOCKET_BAD) && (SOCKERRNO == SOCKENOMEM))
+       return CURLE_OUT_OF_MEMORY;
    }
- 
-   if(*sockfd == CURL_SOCKET_BAD)