- Update to 8.18.0:
* Security fixes:
- [bsc#1256105, CVE-2025-14017] ldap: call ldap_init() before setting the options
- [bsc#1255731, CVE-2025-14524] curl_sasl: if redirected, require permission to use bearer
- [bsc#1255734, CVE-2025-15224] libssh: require private key or user-agent for public key auth
- [bsc#1255732, CVE-2025-14819] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
- [bsc#1255733, CVE-2025-15079] libssh: set both knownhosts options to the same file
* Changes:
- openssl: bump minimum OpenSSL version to 3.0.0
* Bugfixes:
- alt-svc: more flexibility on same destination
- altsvc: accept ma/persist per alternative entry
- altsvc: make it one malloc instead of three per entry
- asyn-ares: handle Curl_dnscache_mk_entry() OOM error
- asyn-ares: remove hostname free on OOM
- asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo
- asyn-thrdd: release rrname if ares_init_options fails
- auth: always treat Curl_auth_ntlm_get() returning NULL as OOM
- autotools: add nettle library detection via pkg-config (for GnuTLS)
- autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr)
- autotools: fix LargeFile feature display on Windows (after prev patch)
- autotools: tidy-up 'if' expressions
- build: add build-level 'CURL_DISABLE_TYPECHECK' options
- build: exclude clang prereleases from compiler warning options
- build: replace '-pedantic' with '-Wpedantic' when supported
- build: set '-Wno-format-signedness'
- build: tidy-up MSVC CRT warning suppression macros
- ccsidcurl: make curl_mime_data_ccsid() use the converted size
- cf-h1-proxy: support folded headers in CONNECT responses
- cf-https-connect: allocate ctx at first in cf_hc_create()
OBS-URL: https://build.opensuse.org/request/show/1325820
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=420
- Update to 8.17.0:
* Security fixes: [bsc#1252859, CVE-2025-10966]
- curl: missing SFTP host verification with wolfSSH
* Changes:
- krb5: drop support for Kerberos FTP
- multi: add notifications API
- ssl: support Apple SecTrust configurations
- tool_getparam: add --knownhosts
- vssh: drop support for wolfSSH
- wcurl: import v2025.11.04
* Bugfixes:
- ares: fix leak in tracing
- base64: accept zero length argument to base64_encode
- c-ares: when resolving failed, persist error
- cf-socket: set FD_CLOEXEC on all sockets opened
- cf-socket: use the right byte order for ports in bindlocal
- conn: fix hostname move on connection reuse
- conncache: prevent integer overflow in maxconnects calculation
- cookie: avoid saving a cookie file if no transfer was done
- curl_easy_getinfo: error code on NULL arg
- curl_path: make sure just whitespace is illegal
- digest_sspi: fix two memory leaks in error branches
- ftp: add extra buffer length check
- ftp: check errors on remote ip for data connection
- gnutls: check conversion of peer cert chain
- gnutls: fix re-handshake comments
- gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
- gtls: check the return value of gnutls_pubkey_init()
- hmac: free memory properly on errors
- HTTP3: clarify the status for "old" OpenSSL, not current
OBS-URL: https://build.opensuse.org/request/show/1315729
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=417
- curl: http: handle user-defined connection headers [bsc#1249448]
* Add curl-handle_user-defined_connection_headers.patch
- Update to 8.16.0:
* Security fixes:
- [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
- [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
* Changes:
- curl: add --follow and --out-null
- curl: add --parallel-max-host to limit concurrent connections per host
- curl: make --retry-delay and --retry-max-time accept decimal seconds
- hostip: cache negative name resolves
- ip happy eyeballing: keep attempts running
- multi: add curl_multi_get_offt
- multi: add CURLMOPT_NETWORK_CHANGED to signal network changed
- netrc: use the NETRC environment variable (first) if set
- smtp: allow suffix behind a mail address for RFC 3461
- tls: make default TLS version be minimum 1.2
- tool_getparam: add support for `--longopt=value`
- vquic: drop msh3
- websocket: support CURLOPT_READFUNCTION
* Bugfixes:
- _PROTOCOLS.md: mention file:// is only for absolute paths
- acinclude: --with-ca-fallback only works with OpenSSL
- bufq: add integer overflow checks before chunk allocations
- cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
- cmake: fix setting LTO properties on the wrong targets
- configure: tidy up internal names in ngtcp2 ossl detection logic
- connectdata: remove primary+secondary ip_quadruple
OBS-URL: https://build.opensuse.org/request/show/1307305
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=219
- Update to 8.16.0:
* Security fixes:
- [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
- [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
* Changes:
- curl: add --follow and --out-null
- curl: add --parallel-max-host to limit concurrent connections per host
- curl: make --retry-delay and --retry-max-time accept decimal seconds
- hostip: cache negative name resolves
- ip happy eyeballing: keep attempts running
- multi: add curl_multi_get_offt
- multi: add CURLMOPT_NETWORK_CHANGED to signal network changed
- netrc: use the NETRC environment variable (first) if set
- smtp: allow suffix behind a mail address for RFC 3461
- tls: make default TLS version be minimum 1.2
- tool_getparam: add support for `--longopt=value`
- vquic: drop msh3
- websocket: support CURLOPT_READFUNCTION
* Bugfixes:
- _PROTOCOLS.md: mention file:// is only for absolute paths
- acinclude: --with-ca-fallback only works with OpenSSL
- bufq: add integer overflow checks before chunk allocations
- cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
- cmake: fix setting LTO properties on the wrong targets
- configure: tidy up internal names in ngtcp2 ossl detection logic
- connectdata: remove primary+secondary ip_quadruple
- connection: terminate after goaway
- cookie: don't treat the leading slash as trailing
- cookie: remove expired cookies before listing
- curl: tool_read_cb fix of segfault
OBS-URL: https://build.opensuse.org/request/show/1303556
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=414
- Update to 8.15.0:
* Changes:
- TLS: remove support for Secure Transport and BearSSL
* Bugfixes:
- cf-socket: make socket data_pending a nop
- configure: order LDAP after the SSL libraries
- curl: improve non-blocking STDIN performance
- curl_get_line: make sure lines end with newline
- curl_path: make SFTP handle a path like /~ properly.
- curlinfo: provide the 'digest' feature
- digest: fix build with disabled digest auth
- docs: note SSLS-EXPORT feature in --ssl-sessions doc
- docs: reflect that delimiter-separated capath is only OpenSSL
- docs: sync --tls-earlydata support w/ CURLOPT_SSL_OPTIONS
- http/3: report handshake with version and cipher as for TCP connections
- http2: do not delay RST send on aborted transfer
- http_ntlm: protect against null deref
- ldap: initial support for --with-ldap option
- lib: address singleuse issues
- lib: avoid reusing unclean connection
- lib: drop two interim macros in favor of native libcurl API calls
- lib: stop 'time()' debug overrides at the end of source in altsvc, hsts
- lib: unify recv/send function signatures
- memdebug.h: #undef 'fclose' before defining it
- openssl: enable readahead
- openssl: error on SSL_ERROR_SYSCALL
- openssl: fix handling of buffered data
- openssl: fix openssl engine use
- openssl: fix pkcs11 provider available check
- quic: implement CURLINFO_TLS_SSL_PTR
OBS-URL: https://build.opensuse.org/request/show/1294765
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=412
- Update to 8.14.1:
* Security fixes:
- [bsc#1243933, CVE-2025-5399] libcurl can possibly get trapped in an endless busy-loop when processing specially crafted packets [d1145df2]
* Bugfixes:
- asyn-thrdd: fix cleanup when RR fails due to OOM
- ftp: fix teardown of DATA connection in done
- http: fail early when rewind of input failed when following redirects
- multi: fix add_handle resizing
- tls BIOs: handle BIO_CTRL_EOF correctly
- tool_getparam: make --no-anyauth not be accepted
- wolfssl: fix sending of early data
- ws: handle blocked sends better
- ws: tests and fixes
OBS-URL: https://build.opensuse.org/request/show/1282597
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=397
- Update to 8.13.0:
* Changes:
- curl: add write-out variable 'tls_earlydata'
- curl: make --url support a file with URLs
- gnutls: set priority via --ciphers
- IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
- lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
- OpenSSL/quictls: add support for TLSv1.3 early data
- rustls: add support for CERTINFO
- rustls: add support for SSLKEYLOGFILE
- rustls: support ECH w/ DoH lookup for config
- rustls: support native platform verifier
- var: add a '64dec' function that can base64 decode a string
* Bugfixes:
- conn: fix connection reuse when SSL is optional
- hash: use single linked list for entries
- http2: detect session being closed on ingress handling
- http2: reset stream on response header error
- http: remove a HTTP method size restriction
- http: version negotiation
- httpsrr: fix port detection
- libssh: fix freeing of resources in disconnect
- libssh: fix scp large file upload for 32-bit size_t systems
- openssl-quic: do not iterate over multi handles
- openssl: check return value of X509_get0_pubkey
- openssl: drop support for old OpenSSL/LibreSSL versions
- openssl: fix crash on missing cert password
- openssl: fix pkcs11 URI checking for key files.
- openssl: remove bad `goto`s into other scope
- setopt: illegal CURLOPT_SOCKS5_AUTH should return error
OBS-URL: https://build.opensuse.org/request/show/1268148
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=392
- Update to 8.12.1:
* Bugfixes:
- asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
- asyn-thread: fix HTTPS RR crash
- asyn-thread: fix the returned bitmask from Curl_resolver_getsock
- asyn-thread: survive a c-ares channel set to NULL
- cmake: always reference OpenSSL and ZLIB via imported targets
- cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
- cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
- content_encoding: #error on too old zlib
- imap: TLS upgrade fix
- ldap: drop support for legacy Novell LDAP SDK
- libssh2: comparison is always true because rc <= -1
- libssh2: raise lowest supported version to 1.2.8
- libssh: drop support for libssh older than 0.9.0
- openssl-quic: ignore ciphers for h3
- pop3: TLS upgrade fix
- runtests: fix the disabling of the memory tracking
- runtests: quote commands to support paths with spaces
- scache: add magic checks
- smb: silence '-Warray-bounds' with gcc 13+
- smtp: TLS upgrade fix
- tool_cfgable: sort struct fields by size, use bitfields for booleans
- tool_getparam: add "TLS required" flag for each such option
- vtls: fix multissl-init
- wakeup_write: make sure the eventfd write sends eight bytes
- Update to 8.12.0:
* Security fixes:
- [bsc#1234068, CVE-2024-11053] curl could leak the password used
OBS-URL: https://build.opensuse.org/request/show/1245668
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=389
- Update to 8.12.0:
* Security fixes:
- [bsc#1234068, CVE-2024-11053] curl could leak the password used for the first host to the followed-to host under certain circumstances.
- [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry
- [bsc#1236589, CVE-2025-0665] eventfd double close
* Changes:
- curl: add byte range support to --variable reading from file
- curl: make --etag-save acknowledge --create-dirs
- getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
- getinfo: provide info which auth was used for HTTP and proxy
- hyper: drop support
- openssl: add support to use keys and certificates from PKCS#11 provider
- QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
- vtls: feature ssls-export for SSL session im-/export
* Bugfixes:
- altsvc: avoid integer overflow in expire calculation
- asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
- asyn-ares: fix memory leak
- asyn-ares: initial HTTPS resolve support
- asyn-thread: use c-ares to resolve HTTPS RR
- async-thread: avoid closing eventfd twice
- cd2nroff: do not insist on quoted <> within backticks
- cd2nroff: support "none" as a TLS backend
- conncache: count shutdowns against host and max limits
- content_encoding: drop support for zlib before 1.2.0.4
- content_encoding: namespace GZIP flag constants
- content_encoding: put the decomp buffers into the writer structs
- content_encoding: support use of custom libzstd memory functions
- cookie: cap expire times to 400 days
OBS-URL: https://build.opensuse.org/request/show/1243583
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=387
- Update to 8.11.1:
* Security fixes:
- netrc and redirect credential leak [bsc#1234068, CVE-2024-11053]
* Bugfixes:
- build: fix ECH to always enable HTTPS RR
- cookie: treat cookie name case sensitively
- curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected
- curl: use realtime in trace timestamps
- digest: produce a shorter cnonce in Digest headers
- docs: document default 'User-Agent'
- docs: suggest --ssl-reqd instead of --ftp-ssl
- duphandle: also init netrc
- hostip: don't use the resolver for FQDN localhost
- http_negotiate: allow for a one byte larger channel binding buffer
- krb5: fix socket/sockindex confusion, MSVC compiler warnings
- libssh: use libssh sftp_aio to upload file
- libssh: when using IPv6 numerical address, add brackets
- mime: fix reader stall on small read lengths
- mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
- mprintf: fix the integer overflow checks
- multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when...
- netrc: address several netrc parser flaws
- netrc: support large file, longer lines, longer tokens
- nghttp2: use custom memory functions
- OpenSSL: improve error message on expired certificate
- openssl: remove three "Useless Assignments"
- openssl: stop using SSL_CTX_ function prefix for our functions
- pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS
- rtsp: check EOS in the RTSP receive and return an error code
- schannel: remove TLS 1.3 ciphersuite-list support
OBS-URL: https://build.opensuse.org/request/show/1230013
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=385
- Update to 8.11.0:
* Security fixes: [bsc#1232528, CVE-2024-9681]
- curl: HSTS subdomain overwrites parent cache entry
* Changes:
- curl: --create-dirs works for --dump-header as well
- gtls: Add P12 format support
- ipfs: add options to disable
- TLS: TLSv1.3 earlydata support for curl
- WebSockets: make support official (non-experimental)
* Bugfixes:
- build: clarify CA embed is for curl tool, mark default, improve summary
- build: show if CA bundle to embed was found
- build: tidy up and improve versioned-symbols options
- cmake/FindNGTCP2: use library path as hint for finding crypto module
- cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
- cmake: rename LDAP dependency config variables to match Find modules
- cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
- cmake: use OpenSSL for LDAP detection only if available
- curl: add build options for safe/no CA bundle search (Windows)
- curl: detect ECH support dynamically, not at build time
- curl_addrinfo: support operating systems with only getaddrinfo(3)
- ftp: fix 0-length last write on upload from stdin
- gnutls: use session cache for QUIC
- hsts: improve subdomain handling
- hsts: support "implied LWS" properly around max-age
- http2: auto reset stream on server eos
- json.md: cli-option '--json' is an alias of '--data-binary'
- lib: move curl_path.[ch] into vssh/
- lib: remove function pointer typecasts for hmac/sha256/md5
- libssh.c: handle EGAINS during proto-connect correctly
OBS-URL: https://build.opensuse.org/request/show/1221703
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=380
- Update to 8.10.1:
* Bugfixes:
- autotools: fix `--with-ca-embed` build rule
- cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
- cmake: fix MSH3 to appear on the feature list
- connect: store connection info when really done
- FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
- http2: when uploading data from stdin, fix eos forwarding
- http: make max-filesize check not count ignored bodies
- lib: fix AF_INET6 use outside of USE_IPV6
- multi: check that the multi handle is valid in curl_multi_assign
- QUIC: on connect, keep on trying on draining server
- request: correctly reset the eos_sent flag
- setopt: remove superfluous use of ternary expressions
- singleuse: drop `Curl_memrchr()` for no-HTTP builds
- tool_cb_wrt: use "curl_response" if no file name in URL
- transfer: fix sendrecv() without interim poll
- vtls: fix `Curl_ssl_conn_config_match` doc param
OBS-URL: https://build.opensuse.org/request/show/1202947
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=378
- Update to version 8.10.0:
* Security fixes:
- [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS
* Changes:
- curl: make --rate accept "number of units"
- curl: make --show-headers the same as --include
- curl: support --dump-header % to direct to stderr
- curl: support embedding a CA bundle and --dump-ca-embed
- curl: support repeated use of the verbose option; -vv etc
- curl: use libuv for parallel transfers with --test-event
- vtls: stop offering alpn http/1.1 for http2-prior-knowledge
* Bugfixes:
- curl: allow 500MB data URL encode strings
- curl: warn on unsupported SSL options
- Curl_rand_bytes to control env override
- curl_sha512_256: fix symbol collisions with nettle library
- dist: fix reproducible build from release tarball
- http2: fix GOAWAY message sent to server
- http2: improve rate limiting of downloads
- INSTALL.md: MultiSSL and QUIC are mutually exclusive
- lib: add eos flag to send methods
- lib: make SSPI global symbols use Curl_ prefix
- lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name
- lib: remove the final strncpy() calls
- lib: remove use of RANDOM_FILE
- Makefile.mk: fixup enabling libidn2
- max-filesize.md: mention zero disables the limit
- mime: avoid infinite loop in client reader
- ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
- openssl quic: fix memory leak
OBS-URL: https://build.opensuse.org/request/show/1200084
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=376