- Update to 8.11.0:

* Security fixes: [bsc#1232528, CVE-2024-9681]
    *  curl: HSTS subdomain overwrites parent cache entry
  * Changes:
    - curl: --create-dirs works for --dump-header as well
    - gtls: Add P12 format support
    - ipfs: add options to disable
    - TLS: TLSv1.3 earlydata support for curl
    - WebSockets: make support official (non-experimental)
  * Bugfixes:
    - build: clarify CA embed is for curl tool, mark default, improve summary
    - build: show if CA bundle to embed was found
    - build: tidy up and improve versioned-symbols options
    - cmake/FindNGTCP2: use library path as hint for finding crypto module
    - cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
    - cmake: rename LDAP dependency config variables to match Find modules
    - cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
    - cmake: use OpenSSL for LDAP detection only if available
    - curl: add build options for safe/no CA bundle search (Windows)
    - curl: detect ECH support dynamically, not at build time
    - curl_addrinfo: support operating systems with only getaddrinfo(3)
    - ftp: fix 0-length last write on upload from stdin
    - gnutls: use session cache for QUIC
    - hsts: improve subdomain handling
    - hsts: support "implied LWS" properly around max-age
    - http2: auto reset stream on server eos
    - json.md: cli-option '--json' is an alias of '--data-binary'
    - lib: move curl_path.[ch] into vssh/
    - lib: remove function pointer typecasts for hmac/sha256/md5
    - libssh.c: handle EGAINS during proto-connect correctly

OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=380

curl-8.10.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:73a4b0e99596a09fa5924a4fb7e4b995a85fda0d18a2c02ab9cf134bebce04ee
-size 2726748

curl-8.10.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmbqa9UACgkQXMkI/bce
-EsLPVAgAgU3eRcjaE3geCcYc95Rpnm4+8IEQ4845GUTlNVackS+PDogdhAOCgja+
-vwbyXe2uegAJC7PVmvt1chQDc444h0k9X2zuQ6TdQVFNEqApdKwm0uZxXZtAfiky
-EMvIZ9mr5xFbQShjDdt//TBS0PRyc5hv9wFMGn7ePE20I3SKqXho0UeBkiLV9SXm
-4KO/6fNMLH8UxodCyhR2sHR67den2G3JJmwD8reLBDDi8drUrhFSE0/jf2MkLzsQ
-tvjt/vA62cnubNF+1E/ETwDdE+C2nPxxnuWenrq9YkgUBI2a+v6ySr6RkaDkXkO+
-IVJpttpWWQrJL+A6tCIMCDTEsBPsQw==
-=dt8p
------END PGP SIGNATURE-----

curl-8.11.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmcrFoYACgkQXMkI/bce
+EsIHCAf/fcpnxxtl7XTgSXF3V2tntKZJskiiTuXsJtBCJoDWiOOjrM3gnafXC3Bt
+CcncdGHIubKuUTc+JeuQowr6e+oXWPX5k45SF35U9n1EvWgF/s8uxAF8vJdDQme9
+z30M6UjMkEB7tbADUt1Q7Dyh8ZWWsFC5emekYnMQVDvzmad76Z3o4ZeQAly7xUhd
+V++5Il3Ql44nyMeTDTlHOuOc3jiA5rCmoLr4mMbRqAO8wF+Y2KCDYd5BaNvXZOln
+snEM496m3p0S1sliiEnRwDeccepUpkAyHPQgESS/ATCIvFZb4/MDrLSc5HSr5K+8
+MNYxBV03wmfR5QUqihbH8KXZKpYDnw==
+=9DLI
+-----END PGP SIGNATURE-----

curl-secure-getenv.patch

@@ -1,7 +1,7 @@
-Index: curl-8.10.0/lib/getenv.c
+Index: curl-8.11.0/lib/getenv.c
 ===================================================================
---- curl-8.10.0.orig/lib/getenv.c
-+++ curl-8.10.0/lib/getenv.c
+--- curl-8.11.0.orig/lib/getenv.c
++++ curl-8.11.0/lib/getenv.c
 @@ -29,6 +29,14 @@
  
  #include "memdebug.h"
@@ -16,23 +16,23 @@ Index: curl-8.10.0/lib/getenv.c
 +
  static char *GetEnv(const char *variable)
  {
- #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP) || \
+ #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_UWP) || \
 @@ -69,7 +77,7 @@ static char *GetEnv(const char *variable
      /* else rc is bytes needed, try again */
    }
  #else
 -  char *env = getenv(variable);
 +  char *env = secure_getenv(variable);
-   return (env && env[0])?strdup(env):NULL;
+   return (env && env[0]) ? strdup(env) : NULL;
  #endif
  }
-Index: curl-8.10.0/configure.ac
+Index: curl-8.11.0/configure.ac
 ===================================================================
---- curl-8.10.0.orig/configure.ac
-+++ curl-8.10.0/configure.ac
-@@ -5213,6 +5213,8 @@ if test "x$want_curldebug_assumed" = "xy
-   ac_configure_args="$ac_configure_args --enable-curldebug"
- fi
+--- curl-8.11.0.orig/configure.ac
++++ curl-8.11.0/configure.ac
+@@ -5370,6 +5370,8 @@ fi
+ 
+ CURL_PREPARE_CONFIGUREHELP_PM
  
 +AC_CHECK_FUNCS([__secure_getenv secure_getenv])
 +

curl.changes

@@ -1,3 +1,66 @@
+-------------------------------------------------------------------
+Wed Nov  6 08:43:16 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.11.0:
+  * Security fixes: [bsc#1232528, CVE-2024-9681]
+    *  curl: HSTS subdomain overwrites parent cache entry
+  * Changes:
+    - curl: --create-dirs works for --dump-header as well
+    - gtls: Add P12 format support
+    - ipfs: add options to disable
+    - TLS: TLSv1.3 earlydata support for curl
+    - WebSockets: make support official (non-experimental)
+  * Bugfixes:
+    - build: clarify CA embed is for curl tool, mark default, improve summary
+    - build: show if CA bundle to embed was found
+    - build: tidy up and improve versioned-symbols options
+    - cmake/FindNGTCP2: use library path as hint for finding crypto module
+    - cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
+    - cmake: rename LDAP dependency config variables to match Find modules
+    - cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
+    - cmake: use OpenSSL for LDAP detection only if available
+    - curl: add build options for safe/no CA bundle search (Windows)
+    - curl: detect ECH support dynamically, not at build time
+    - curl_addrinfo: support operating systems with only getaddrinfo(3)
+    - ftp: fix 0-length last write on upload from stdin
+    - gnutls: use session cache for QUIC
+    - hsts: improve subdomain handling
+    - hsts: support "implied LWS" properly around max-age
+    - http2: auto reset stream on server eos
+    - json.md: cli-option '--json' is an alias of '--data-binary'
+    - lib: move curl_path.[ch] into vssh/
+    - lib: remove function pointer typecasts for hmac/sha256/md5
+    - libssh.c: handle EGAINS during proto-connect correctly
+    - libssh2: use the filename buffer when getting the homedir
+    - multi.c: warn/assert on stall only without timer
+    - negotiate: conditional check around GSS & SSL specific code
+    - netrc: cache the netrc file in memory
+    - ngtcp2: do not loop on recv
+    - ngtcp2: set max window size to 10x of initial (128KB)
+    - openssl quic: populate x509 store before handshake
+    - openssl: extend the OpenSSL error messages
+    - openssl: improve retries on shutdown
+    - quic: use send/recvmmsg when available
+    - schannel: fix TLS cert verification by IP SAN
+    - schannel: ignore error on recv beyond close notify
+    - select: use poll() if existing, avoid poll() with no sockets
+    - sendf: add condition to max-filesize check
+    - server/mqttd: fix two memory leaks
+    - setopt: return error for bad input to CURLOPT_RTSP_REQUEST
+    - setopt_cptr: make overflow check only done when needed
+    - tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED
+    - tool: support --show-headers AND --remote-header-name
+    - tool_operate: make --skip-existing work for --parallel
+    - url: connection reuse on h3 connections
+    - url: use same credentials on redirect
+    - urlapi: normalize the IPv6 address
+    - version: say quictls in MSH3 builds
+    - vquic: fix compiler warning with gcc + MUSL
+    - vquic: recv_mmsg, use fewer, but larger buffers
+    - vtls: convert Curl_pin_peer_pubkey to use dynbuf
+    - vtls: convert pubkey_pem_to_der to use dynbuf
+  * Rebase curl-secure-getenv.patch
+
 -------------------------------------------------------------------
 Tue Sep 24 09:42:35 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -29,7 +29,7 @@
 %endif
 
 Name:           curl%{?psuffix}
-Version:        8.10.1
+Version:        8.11.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl