Accepting request 1325821 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/1325821
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=221

curl-8.15.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6cd0a8a5b126ddfda61c94dc2c3fc53481ba7a35461cf7c5ab66aa9d6775b609
-size 2773156

curl-8.15.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmh3RWkACgkQXMkI/bce
-EsINTwgAuJntXF2reoflyZwl6AswQzQM8O42IkHnokH5V3rAt//lWxEcIiq/tvVP
-JBJb2kfd7Vq6x5W9C6EYDAbfyQCn1cnIcQLi+/RNhMELOcBmS3LR7Fjrcgx8BtSv
-cxpcwpSYUQtZwLNVFUKchdeQP2NfFeixiOTJdeAu2e+e1cXVmahJR+B3GizMfhsQ
-p3muyF2HZJedLLIZQc4hA9C/rdUkF1jZUumlON+Lr4ukhP8gJ0U3Dck1h8GbbVgt
-eHO+Bqxzt/Y4l3L+Qaqll+3OGzjgsMK4Kx7fflcRYnX/Cr00jQluIHdCN8ghfeew
-pw1ArqrWyFp/VIQaEZYSX26yb7L23g==
-=tIqr
------END PGP SIGNATURE-----

curl-8.18.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmleBDIACgkQXMkI/bce
+EsINpQf8C15Nc/X/d/CjOOMV66+0bpDnUzab+8qDItfD3uNR66B7gj+ZUfyiuNp8
+rPAbjWhuDlvdVATfOpax5KltK/+IweoOHevt15eEG/iERpJShsIPmX0PGkvsPpxP
+LzrquV0pjOUWGxMN8ophfeE+hMh37AROvYlcbK/bGG9xJquAbLj2kW+xGbUouPzL
+taq2Pnm8TvqyrnNulWRbezQRv4AB7cM0z9w5q6m4vpJfv+DLSHfmX8svXx2EkdPN
+ij0+v5UESKforBwm3OYfL5bkgEaii5yJS5h2T8NQCQn4hldFJxO/h+OLjV89HRZp
+uasF96+6nhG/q7x829p1pQ6le3Btag==
+=J4xV
+-----END PGP SIGNATURE-----

curl-secure-getenv.patch

@@ -1,10 +1,10 @@
-Index: curl-8.13.0/lib/getenv.c
+Index: curl-8.18.0/lib/getenv.c
 ===================================================================
---- curl-8.13.0.orig/lib/getenv.c
-+++ curl-8.13.0/lib/getenv.c
-@@ -29,6 +29,14 @@
- 
- #include "memdebug.h"
+--- curl-8.18.0.orig/lib/getenv.c
++++ curl-8.18.0/lib/getenv.c
+@@ -23,6 +23,14 @@
+  ***************************************************************************/
+ #include "curl_setup.h"
  
 +#ifndef HAVE_SECURE_GETENV
 +#  ifdef HAVE___SECURE_GETENV
@@ -14,23 +14,23 @@ Index: curl-8.13.0/lib/getenv.c
 +#  endif
 +#endif
 +
- static char *GetEnv(const char *variable)
+ char *curl_getenv(const char *variable)
  {
- #if defined(CURL_WINDOWS_UWP) || defined(UNDER_CE) || \
-@@ -69,7 +77,7 @@ static char *GetEnv(const char *variable
+ #if defined(CURL_WINDOWS_UWP) || \
+@@ -63,7 +71,7 @@ char *curl_getenv(const char *variable)
      /* else rc is bytes needed, try again */
    }
  #else
 -  char *env = getenv(variable);
 +  char *env = secure_getenv(variable);
-   return (env && env[0]) ? strdup(env) : NULL;
+   return (env && env[0]) ? curlx_strdup(env) : NULL;
  #endif
  }
-Index: curl-8.13.0/configure.ac
+Index: curl-8.18.0/configure.ac
 ===================================================================
---- curl-8.13.0.orig/configure.ac
-+++ curl-8.13.0/configure.ac
-@@ -5384,6 +5384,8 @@ fi
+--- curl-8.18.0.orig/configure.ac
++++ curl-8.18.0/configure.ac
+@@ -5528,6 +5528,8 @@ fi
  
  CURL_PREPARE_CONFIGUREHELP_PM
  

curl.changes

@@ -1,3 +1,466 @@
+-------------------------------------------------------------------
+Wed Jan  7 11:48:31 UTC 2026 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Update to 8.18.0:
+  * Security fixes:
+    - [bsc#1256105, CVE-2025-14017] ldap: call ldap_init() before setting the options
+    - [bsc#1255731, CVE-2025-14524] curl_sasl: if redirected, require permission to use bearer
+    - [bsc#1255734, CVE-2025-15224] libssh: require private key or user-agent for public key auth
+    - [bsc#1255732, CVE-2025-14819] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
+    - [bsc#1255733, CVE-2025-15079] libssh: set both knownhosts options to the same file
+  * Changes:
+    - openssl: bump minimum OpenSSL version to 3.0.0
+  * Bugfixes:
+    - alt-svc: more flexibility on same destination
+    - altsvc: accept ma/persist per alternative entry
+    - altsvc: make it one malloc instead of three per entry
+    - asyn-ares: handle Curl_dnscache_mk_entry() OOM error
+    - asyn-ares: remove hostname free on OOM
+    - asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo
+    - asyn-thrdd: release rrname if ares_init_options fails
+    - auth: always treat Curl_auth_ntlm_get() returning NULL as OOM
+    - autotools: add nettle library detection via pkg-config (for GnuTLS)
+    - autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr)
+    - autotools: fix LargeFile feature display on Windows (after prev patch)
+    - autotools: tidy-up 'if' expressions
+    - build: add build-level 'CURL_DISABLE_TYPECHECK' options
+    - build: exclude clang prereleases from compiler warning options
+    - build: replace '-pedantic' with '-Wpedantic' when supported
+    - build: set '-Wno-format-signedness'
+    - build: tidy-up MSVC CRT warning suppression macros
+    - ccsidcurl: make curl_mime_data_ccsid() use the converted size
+    - cf-h1-proxy: support folded headers in CONNECT responses
+    - cf-https-connect: allocate ctx at first in cf_hc_create()
+    - cf-socket: drop feature check for 'IPV6_V6ONLY' on Windows
+    - cf-socket: enable Win10 'TCP_KEEP*' options with old SDKs
+    - cf-socket: limit use of 'TCP_KEEP*' to Windows 10.0.16299+ at runtime
+    - cf-socket: return OOM error if socket() fails due to OOM
+    - cf-socket: trace ignored errors
+    - cfilters: make conn_forget_socket a private libssh function
+    - checksrc.pl: detect assign followed by more than one space
+    - cmake: adjust defaults for target platforms not supporting shared libs
+    - cmake: define dependencies as 'IMPORTED' interface targets
+    - cmake: delete unused file 'CMake/CMakeConfigurableFile.in'
+    - cmake: disable 'CURL_CA_PATH' auto-detection if 'USE_APPLE_SECTRUST=ON'
+    - cmake: fix 'ws2_32' reference in 'curl-config.cmake'
+    - cmake: honor 'CURL_DISABLE_INSTALL' and 'CURL_ENABLE_EXPORT_TARGET'
+    - cmake: replace deprecated 'OPENSSL_FOUND' with 'OpenSSL_FOUND'
+    - cmake: replace deprecated 'PERL_FOUND' with 'Perl_FOUND'
+    - cmake: save and restore 'CMAKE_MODULE_PATH' in 'curl-config.cmake'
+    - cmake: set found status to OFF when not found (for compression deps)
+    - code: minor indent fixes before closing braces
+    - config-win32.h: delete obsolete, non-Windows comments
+    - config-win32.h: drop unused/obsolete 'CURL_HAS_OPENLDAP_LDAPSDK'
+    - config2setopts: add space in cookie header with multiple -b
+    - config2setopts: bail out if curl_url_get() returns OOM
+    - config2setopts: exit if curl_url_set() fails on OOM
+    - configure: delete unused variable
+    - conncache: silence '-Wnull-dereference' on gcc 14 RISC-V 64
+    - conncontrol: reuse handling
+    - connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition'
+    - connection: attached transfer count
+    - content_encoding: avoid strcpy
+    - cookie. return proper error on OOM
+    - cookie: allocate the main struct once cookie is fine
+    - cookie: flush better
+    - cookie: only keep and use the canonical cleaned up path
+    - cookie: propagate errors better, cleanup the internal API
+    - cookie: return error on OOM
+    - cookie: when parsing a cookie header, delay all allocations until okay
+    - cshutdn: acknowledge FD_SETSIZE for shutdown descriptors
+    - curl: fix progress meter in parallel mode
+    - curl_fopen: do not pass invalid mode flags to 'open()' on Windows
+    - curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer
+    - curl_ntlm_core: fix DES_* symbols for some wolfSSL builds
+    - curl_quiche: refuse headers with CR, LF or null bytes
+    - curl_sasl: make Curl_sasl_decode_mech compare case insensitively
+    - curl_setup.h: document more funcs flagged by '_CRT_SECURE_NO_WARNINGS'
+    - curl_setup.h: drop stray '#undef stat' (Windows)
+    - curl_setup.h: drop superfluous parenthesis from 'Curl_safefree' macro
+    - curl_threads: don't do another malloc if the first fails
+    - curl_trc: delete unused DoH remains
+    - CURLINFO: remove 'get' and 'get the' from each short desc
+    - CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer"
+    - CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text
+    - CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use
+    - CURLOPT_ACCEPT_ENCODING.md: warn about the expansion
+    - CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/
+    - CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use
+    - CURLOPT_READFUNCTION.md: clarify the size of the buffer
+    - CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
+    - curlx/fopen: replace open CRT functions their with '_s' counterparts (Windows)
+    - curlx/multibyte: stop setting macros for non-Windows
+    - curlx/strerr: use 'strerror_s()' on Windows
+    - curlx: add 'curlx_rename()', fix to support long filenames on Windows
+    - curlx: curlx_strcopy() instead of strcpy()
+    - curlx: limit use of system allocators to the minimum possible
+    - curlx: replace 'mbstowcs'/'wcstombs' with '_s' counterparts (Windows)
+    - curlx: replace 'sprintf' with 'snprintf'
+    - curlx: use curl alloc in 'curlx_win32_stat()' (Windows)
+    - curlx: use curlx allocators in non-memdebug builds (Windows)
+    - DEPRECATE: add CMake <3.18 deprecation for April 2026
+    - digest: fix OWS and escaped quote handling
+    - digest_sspi: fix a memory leak on error path
+    - digest_sspi: properly free sspi identity
+    - doc: some returned in-memory data may not be altered
+    - docs: add a note about --compressed to note about binary output
+    - docs: clarify how to do unix domain sockets with SOCKS proxy
+    - docs: fix checksrc 'EQUALSPACE' warnings
+    - docs: fix time_posttransfer output unit as seconds
+    - docs: mention umask need when curl creates files
+    - docs: remove dead URLs
+    - docs: rename CURLcode variables to 'result'
+    - docs: spell it Rustls with a capital R
+    - docs: switch more URLs to https://
+    - docs: use mresult as variable name for CURLMcode
+    - escape: add a length check in curl_easy_escape
+    - file: do not pass invalid mode flags to 'open()' on upload (Windows)
+    - formdata: validate callback is non-NULL before use
+    - ftp: make EPRT connections non-blocking
+    - ftp: refactor a piece of code by merging the repeated part
+    - ftp: remove #ifdef for define that is always defined
+    - ftp: return better on OOM in two places
+    - ftp: return from ftp_state_use_port immediately on OOM
+    - getenv: drop internal 1-to-1 wrapper
+    - getinfo: improve perf in debug mode
+    - h2/h3: handle methods with spaces
+    - headers: add length argument to Curl_headers_push()
+    - hostcheck: fail wildcard match if host starts with a dot
+    - hostip.h: drop redundant 'setjmp.h' include
+    - hostip: don't store negative lookup on OOM
+    - hostip: make more functions return CURLcode
+    - hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST
+    - hsts: propagate and error out correctly on OOM
+    - hsts: use one malloc instead of two per entry
+    - http: acknowledge OOM errors from Curl_input_ntlm
+    - http: avoid two strdup()s and do minor simplifications
+    - http: error on OOM when creating range header
+    - http: fix OOM exit in Curl_http_follow
+    - http: handle oom error from Curl_input_digest()
+    - http: replace atoi use in Curl_http_follow with curlx_str_number
+    - http: return OOM errors from hsts properly
+    - http: the :authority header should never contain user+password
+    - http: unfold response headers earlier
+    - idn: avoid allocations and wcslen on Windows
+    - idn: clarify null-termination on Windows
+    - idn: fix memory leak in 'win32_ascii_to_idn()'
+    - idn: use curlx allocators on Windows
+    - imap: check buffer length before accessing it
+    - imap: make sure Curl_pgrsSetDownloadSize() does not overflow
+    - inet_ntop: avoid the strlen()
+    - krb5: fix detecting channel binding feature
+    - krb5_sspi: unify a part of error handling
+    - ldap: drop PP logic for old, unsupported, Windows SDKs
+    - ldap: improve detection of Apple LDAP
+    - ldap: provide version for "legacy" ldap as well
+    - lib/sendf.h: forward declare two structs
+    - lib: cleanup for some typos about spaces and code style
+    - lib: create unitprotos.h in the builddir, not srcdir
+    - lib: drop unused or duplicate 'curlx/timeval.h' includes
+    - lib: drop unused protocol headers
+    - lib: eliminate size_t casts
+    - lib: error for OOM when extracting URL query
+    - lib: fix formatting nits (part 2)
+    - lib: fix formatting nits (part 3)
+    - lib: fix formatting nits
+    - lib: fix gssapi.h include on IBMi
+    - lib: name the main CURLMcode variable 'mresult'
+    - lib: refactor the type of funcs which have useless return and checks
+    - lib: replace '_tcsncpy'/'wcsncpy'/'wcscpy' with '_s' counterparts (Windows)
+    - lib: timer stats improvements
+    - lib: use 'SOCKET_WRITABLE()'/'SOCKET_READABLE()' where possible
+    - libssh2: add paths to error messages for quote commands
+    - libssh2: cleanup ssh_force_knownhost_key_type
+    - libssh2: consider strdup() failures OOM and return correctly
+    - libssh2: replace atoi() in ssh_force_knownhost_key_type
+    - libssh: fix state machine loop to progress as it should
+    - libssh: properly free sftp_attributes
+    - libtests: replace 'atoi()' with 'curlx_str_number()'
+    - limit-rate: add example using --limit-rate and --max-time together
+    - localtime: detect thread-safe alternatives and use them
+    - m4/sectrust: fix test(1) operator
+    - manage: expand the 'libcurl support required' message
+    - mbedTLS: cleanup insecure/deprecated code
+    - mbedtls: fix potential use of uninitialized 'nread'
+    - mbedtls: sync format across log messages
+    - mbedtls_threadlock: avoid calloc, use array
+    - mdlinkcheck: ignore IP numbers, allow '@' in raw URLs
+    - mdlinkcheck: only look for markdown links in markdown files
+    - memdebug: add mutex for thread safety
+    - memdebug: fix realloc logging
+    - mk-ca-bundle.md: the file format docs URL is permaredirected
+    - mk-ca-bundle.pl: default to SHA256 fingerprints with '-t' option
+    - mk-ca-bundle.pl: use 'open()' with argument list to replace backticks
+    - mqtt: reject overly big messages
+    - mqtt: return error when a too large packet is decoded
+    - multi: make max_total_* members size_t
+    - multi: remove MSTATE_TUNNELING
+    - multi: simplify admin handle processing
+    - multibyte: limit 'curlx_convert_*wchar*()' functions to Unicode builds
+    - ngtcp2+openssl: fix leak of session
+    - ngtcp2: remove the unused Curl_conn_is_ngtcp2 function
+    - ngtcp2: retune window sizes
+    - noproxy: fix build on systems without IPv6
+    - noproxy: fix ipv6 handling
+    - noproxy: replace atoi with curlx_str_number
+    - openssl: exit properly on OOM when getting certchain
+    - openssl: fix a potential memory leak of bio_out
+    - openssl: fix a potential memory leak of params.cert
+    - openssl: fix building against no-dsa openssl
+    - openssl: fix building against no-ocsp openssl with Apple SecTrust
+    - openssl: no verify failf message unless strict
+    - openssl: release ssl_session if sess_reuse_cb fails
+    - openssl: remove code handling default version
+    - openssl: simplify 'HAVE_KEYLOG_CALLBACK' guard
+    - openssl: stop checking for 'OPENSSL_NO_SHA*' macros
+    - openssl: stop checking for 'OPENSSL_NO_TLSEXT' macro
+    - osslq: code readability
+    - progress: make it one column narrower
+    - progress: narrower time display, multiple fixes
+    - progress: show fewer digits
+    - quiche: use client writer
+    - ratelimit blocking: fix busy loop
+    - ratelimit: redesign
+    - rtmp: fix double-free on URL parse errors
+    - rtmp: precaution for a potential integer truncation
+    - rtmp: stop redefining 'setsockopt' system symbol on Windows
+    - schannel: cap the maximum allowed size for loading cert
+    - schannel: fix memory leak of cert_store_path on four error paths
+    - schannel: replace atoi() with curlx_str_number()
+    - schannel: use Win8 'CERT_NAME_SEARCH_ALL_NAMES_FLAG' with old SDKs
+    - schannel_verify: fix a memory leak of cert_context
+    - scripts: fix shellcheck SC2046 warnings
+    - scripts: use end-of-options marker in 'find -exec' commands
+    - setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL
+    - setopt: when setting bad protocols, don't store them
+    - sftp: fix range downloads in both SSH backends
+    - slist: constify Curl_slist_append_nodup() string argument
+    - smb: fix a size check to be overflow safe
+    - socketpair: drop redundant '_WIN32' branch and include
+    - socks_sspi: use free() not FreeContextBuffer()
+    - source: misc typos
+    - speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE
+    - speedlimit: also reset on send unpausing
+    - src: drop redundant definition of 'BIT()'
+    - src: fix formatting nits
+    - ssh: tracing and better pollset handling
+    - sspi: fix memory leaks on error paths in 'Curl_create_sspi_identity()'
+    - sws: fix binding to unix socket on Windows
+    - synctime: tidy up, make it work on all platforms
+    - telnet: abort on bad suboption sequence
+    - telnet: replace atoi for BINARY handling with curlx_str_number
+    - tftp: release filename if conn_get_remote_addr fails
+    - tftpd: fix/tidy up 'open()' mode flags
+    - tidy-up: avoid '(())', clang-format fixes and more
+    - tidy-up: move 'CURL_UNCONST()' out from macro 'curl_unicodefree()'
+    - tidy-up: URLs (cont.) and mdlinkcheck
+    - tidy-up: URLs
+    - tool: consider (some) curl_easy_setopt errors fatal
+    - tool: log when loading .curlrc in verbose mode
+    - tool_cfgable: free ssl-sessions at exit
+    - tool_doswin: clear pointer when thread takes ownership
+    - tool_doswin: increase allowable length of path sanitizer
+    - tool_doswin: remove the max length check
+    - tool_getparam: simplify the --rate parser
+    - tool_getparam: use memdup0() instead of malloc + copy
+    - tool_getparam: verify that a file exists for some options
+    - tool_help: add checks to avoid unsigned wrap around
+    - tool_ipfs: check return codes better
+    - tool_msgs: make voutf() use stack instead of heap
+    - tool_operate: exit on curl_share_setopt errors
+    - tool_operate: fix a case of ignoring return code in operate()
+    - tool_operate: fix case of ignoring return code in single_transfer
+    - tool_operate: remove redundant condition
+    - tool_operate: return error for OOM in append2query
+    - tool_operate: use curlx_str_number instead of atoi
+    - tool_paramhlp: refuse --proto remove all protocols
+    - tool_paramhlp: remove a malloc+free from proto2num()
+    - tool_paramhlp: simplify number parsing
+    - tool_progress: fix large time outputs and decimal size display
+    - tool_urlglob: acknowledge OOM in peek_ipv6
+    - tool_urlglob: clean up used memory on errors better
+    - tool_urlglob: constify an argument
+    - tool_urlglob: fix propagating OOM error from 'sanitize_file_name()'
+    - tool_urlglob: support globs as long as config line lengths
+    - tool_writeout: bail out proper on OOM
+    - url: fix return code for OOM in parse_proxy()
+    - url: if curl_url_get() fails due to OOM, error out properly
+    - url: if OOM in parse_proxy() return error
+    - url: return error at once when OOM in netrc handling
+    - urlapi: fix mem-leaks in curl_url_get error paths
+    - urlapi: handle OOM properly when setting URL
+    - urlapi: return OOM correctly from parse_hostname_login()
+    - verify-release: update to avoid shellcheck warning SC2034
+    - vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
+    - vquic: do not pass invalid mode flags to 'open()' (Windows)
+    - vquic: do_sendmsg full init
+    - vquic: ignore 0-length UDP packets
+    - vquic: initialize new callback in nghttp3 1.14.0+
+    - vtls: drop unused 'use_alpn' from 'ssl_connect_data' struct
+    - vtls: fix CURLOPT_CAPATH use
+    - vtls: handle possible malicious certs_num from peer
+    - vtls: pinned key check
+    - wcurl: import v2025.11.09
+    - wcurl: import v2026.01.05
+    - ws: replace a cast by matching the format string
+    - x509asn1: drop unused 'hostcheck.h', 'vtls_int.h' includes
+  * Rebase patches:
+    - libcurl-ocloexec.patch
+    - curl-secure-getenv.patch
+  * Remove patch curl-vtls-fix-CURLOPT_CAPATH-use.patch
+
+-------------------------------------------------------------------
+Wed Nov 19 13:07:46 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Fix a regression in curl 8.17.0: [bsc#1253116]
+  * Builds with no CURL_CA_PATH ignore CURLOPT_CAPATH
+  * vtls: fix CURLOPT_CAPATH use [gh#curl/curl#19401]
+  * Add upstream curl-vtls-fix-CURLOPT_CAPATH-use.patch
+
+-------------------------------------------------------------------
+Wed Nov  5 08:45:52 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.17.0:
+  * Security fixes:
+    - [bsc#1252859, CVE-2025-10966] curl: missing SFTP host
+      verification with wolfSSH
+    - [bsc#1253757, CVE-2025-11563] curl: wcurl path traversal with
+      percent-encoded slashes
+  * Changes:
+    - krb5: drop support for Kerberos FTP
+    - multi: add notifications API
+    - ssl: support Apple SecTrust configurations
+    - tool_getparam: add --knownhosts
+    - vssh: drop support for wolfSSH
+    - wcurl: import v2025.11.04
+  * Bugfixes:
+    - ares: fix leak in tracing
+    - base64: accept zero length argument to base64_encode
+    - c-ares: when resolving failed, persist error
+    - cf-socket: set FD_CLOEXEC on all sockets opened
+    - cf-socket: use the right byte order for ports in bindlocal
+    - conn: fix hostname move on connection reuse
+    - conncache: prevent integer overflow in maxconnects calculation
+    - cookie: avoid saving a cookie file if no transfer was done
+    - curl_easy_getinfo: error code on NULL arg
+    - curl_path: make sure just whitespace is illegal
+    - digest_sspi: fix two memory leaks in error branches
+    - ftp: add extra buffer length check
+    - ftp: check errors on remote ip for data connection
+    - gnutls: check conversion of peer cert chain
+    - gnutls: fix re-handshake comments
+    - gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
+    - gtls: check the return value of gnutls_pubkey_init()
+    - hmac: free memory properly on errors
+    - HTTP3: clarify the status for "old" OpenSSL, not current
+    - kerberos: bump minimum to 1.3 (2003-07-08), drop legacy logic
+    - krb5_gssapi: fix memory leak on error path
+    - krb5_sspi: the chlg argument is NOT optional
+    - ldap: avoid null ptr deref on failure
+    - ldap: do not base64 encode zero length string
+    - lib: SSL connection reuse
+    - libssh/libssh2: reject quote command lines with too much data
+    - libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume
+    - libssh: acknowledge SSH_AGAIN in the SFTP state machine
+    - nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
+    - ngtcp2: close just-opened QUIC stream when submit_request fails
+    - ngtcp2: compare idle timeout in ms to avoid overflow
+    - noproxy: fix the IPV6 network mask pattern match
+    - NTLM: disable if DES support missing from OpenSSL or mbedTLS
+    - openldap: limit max incoming size
+    - openssl: call SSL_get_error() with proper error
+    - openssl: check CURL_SSLVERSION_MAX_DEFAULT properly
+    - openssl: fail if more than MAX_ALLOWED_CERT_AMOUNT certs
+    - openssl: fail the transfer if ossl_certchain() fails
+    - openssl: fix peer certificate leak in channel binding
+    - openssl: fix resource leak in provider error path
+    - openssl: free UI_METHOD on exit path
+    - openssl: only try engine/provider if a cert file/name is provided
+    - openssl: set io_need always
+    - openssl: skip session resumption when verifystatus is set
+    - pop3: fix CAPA response termination detection
+    - quic: fix min TLS version handling
+    - quic: ignore EMSGSIZE on receive
+    - schannel: properly close the certfile on error
+    - schannel_verify: fix mem-leak in Curl_verify_host
+    - socks: avoid UAF risk in error path
+    - socks: deny server basic-auth if not configured
+    - socks_gssapi: reject too long tokens
+    - socks_gssapi: remove the forced "no protection"
+    - thread: errno on thread creation
+    - ws: reject curl_ws_recv called with NULL buffer with a buflen
+  * Rebase libcurl-ocloexec.patch
+  * Remove curl-handle_user-defined_connection_headers.patch upstream
+
+-------------------------------------------------------------------
+Fri Sep 26 07:37:28 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- curl: http: handle user-defined connection headers [bsc#1249448]
+  * Add curl-handle_user-defined_connection_headers.patch
+
+-------------------------------------------------------------------
+Wed Sep 10 08:43:19 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.16.0:
+  * Security fixes:
+    - [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
+    - [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
+  * Changes:
+    - curl: add --follow and --out-null
+    - curl: add --parallel-max-host to limit concurrent connections per host
+    - curl: make --retry-delay and --retry-max-time accept decimal seconds
+    - hostip: cache negative name resolves
+    - ip happy eyeballing: keep attempts running
+    - multi: add curl_multi_get_offt
+    - multi: add CURLMOPT_NETWORK_CHANGED to signal network changed
+    - netrc: use the NETRC environment variable (first) if set
+    - smtp: allow suffix behind a mail address for RFC 3461
+    - tls: make default TLS version be minimum 1.2
+    - tool_getparam: add support for `--longopt=value`
+    - vquic: drop msh3
+    - websocket: support CURLOPT_READFUNCTION
+  * Bugfixes:
+    - _PROTOCOLS.md: mention file:// is only for absolute paths
+    - acinclude: --with-ca-fallback only works with OpenSSL
+    - bufq: add integer overflow checks before chunk allocations
+    - cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
+    - cmake: fix setting LTO properties on the wrong targets
+    - configure: tidy up internal names in ngtcp2 ossl detection logic
+    - connectdata: remove primary+secondary ip_quadruple
+    - connection: terminate after goaway
+    - cookie: don't treat the leading slash as trailing
+    - cookie: remove expired cookies before listing
+    - curl: tool_read_cb fix of segfault
+    - curl_ossl: extend callback table for nghttp3 1.11.0
+    - DEPRECATE.md: drop old OpenSSL versions
+    - idn: reject conversions that end up as a zero length hostname
+    - ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0
+    - ngtcp2: handshake timeout should be equal to --connect-timeout
+    - openssl: add and use `HAVE_OPENSSL3` internal macro
+    - openssl: check SSL_write() length on retries
+    - openssl: clear errors after a failed `d2i_X509()`
+    - openssl: drop redundant `HAVE_OPENSSL_VERSION` macro
+    - openssl: drop single-use interim macro `USE_OPENSSL_SRP`
+    - openssl: output unescaped utf8 x509 issuer/subject DNs
+    - parallel-max: bump the max value to 65535
+    - resolving: dns error tracing
+    - schannel: add an error message for client cert not found
+    - schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN`
+    - schannel: fix renegotiation
+    - schannel: improve handshake procedure
+    - socks: do_SOCKS5: Fix invalid buffer content on short send
+    - threaded-resolver: fix shutdown
+    - tool_getparam: warn on more unicode prefixes
+    - tool_urlglob: add integer overflow protection
+    - urlapi: allow more path characters "raw" when asked to URL encode
+    - urlglob: only accept 255 globs
+    - vtls: set seen http version on successful ALPN
+    - websocket: handling of PONG frames
+    - websocket: improve handling of 0-len frames
+    - websocket: reset upload_done when sending data
+    - ws: avoid NULL pointer deref in curl_ws_recv
+  * Rebase libcurl-ocloexec.patch
+
 -------------------------------------------------------------------
 Mon Jul 21 08:16:16 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package curl
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 # Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
@@ -36,7 +36,7 @@
 %endif
 
 Name:           curl%{?psuffix}
-Version:        8.15.0
+Version:        8.18.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl

libcurl-ocloexec.patch

@@ -7,49 +7,49 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.
 
 
-Index: curl-8.14.0/lib/file.c
+Index: curl-8.18.0/lib/file.c
 ===================================================================
---- curl-8.14.0.orig/lib/file.c
-+++ curl-8.14.0/lib/file.c
-@@ -270,7 +270,7 @@ static CURLcode file_connect(struct Curl
+--- curl-8.18.0.orig/lib/file.c
++++ curl-8.18.0/lib/file.c
+@@ -258,7 +258,7 @@ static CURLcode file_connect(struct Curl
      }
    }
    #else
--  fd = open(real_path, O_RDONLY);
-+  fd = open(real_path, O_RDONLY|O_CLOEXEC);
+-  fd = curlx_open(real_path, O_RDONLY);
++  fd = curlx_open(real_path, O_RDONLY|O_CLOEXEC);
    file->path = real_path;
    #endif
  #endif
-@@ -349,9 +349,9 @@ static CURLcode file_upload(struct Curl_
- 
- #if (defined(ANDROID) || defined(__ANDROID__)) && \
-     (defined(__i386__) || defined(__arm__))
--  fd = open(file->path, mode, (mode_t)data->set.new_file_perms);
-+  fd = open(file->path, mode|O_CLOEXEC, (mode_t)data->set.new_file_perms);
+@@ -339,9 +339,9 @@ static CURLcode file_upload(struct Curl_
+                   data->set.new_file_perms & (_S_IREAD | _S_IWRITE));
+ #elif (defined(ANDROID) || defined(__ANDROID__)) && \
+   (defined(__i386__) || defined(__arm__))
+-  fd = curlx_open(file->path, mode, (mode_t)data->set.new_file_perms);
++  fd = curlx_open(file->path, mode|O_CLOEXEC, (mode_t)data->set.new_file_perms);
  #else
--  fd = open(file->path, mode, data->set.new_file_perms);
-+  fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
+-  fd = curlx_open(file->path, mode, data->set.new_file_perms);
++  fd = curlx_open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
  #endif
    if(fd < 0) {
      failf(data, "cannot open %s for writing", file->path);
-Index: curl-8.14.0/lib/if2ip.c
+Index: curl-8.18.0/lib/if2ip.c
 ===================================================================
---- curl-8.14.0.orig/lib/if2ip.c
-+++ curl-8.14.0/lib/if2ip.c
-@@ -209,7 +209,7 @@ if2ip_result_t Curl_if2ip(int af,
+--- curl-8.18.0.orig/lib/if2ip.c
++++ curl-8.18.0/lib/if2ip.c
+@@ -202,7 +202,7 @@ if2ip_result_t Curl_if2ip(int af,
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
  
--  dummy = socket(AF_INET, SOCK_STREAM, 0);
-+  dummy = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
+-  dummy = CURL_SOCKET(AF_INET, SOCK_STREAM, 0);
++  dummy = CURL_SOCKET(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
    if(CURL_SOCKET_BAD == dummy)
      return IF2IP_NOT_FOUND;
  
-Index: curl-8.14.0/configure.ac
+Index: curl-8.18.0/configure.ac
 ===================================================================
---- curl-8.14.0.orig/configure.ac
-+++ curl-8.14.0/configure.ac
-@@ -440,6 +440,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
+--- curl-8.18.0.orig/configure.ac
++++ curl-8.18.0/configure.ac
+@@ -504,6 +504,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
  # Silence warning: ar: 'u' modifier ignored since 'D' is the default
  AC_SUBST(AR_FLAGS, [cr])
  
@@ -58,39 +58,38 @@ Index: curl-8.14.0/configure.ac
  dnl This defines _ALL_SOURCE for AIX
  CURL_CHECK_AIX_ALL_SOURCE
  
-Index: curl-8.14.0/lib/hostip.c
+Index: curl-8.18.0/lib/hostip.c
 ===================================================================
---- curl-8.14.0.orig/lib/hostip.c
-+++ curl-8.14.0/lib/hostip.c
-@@ -46,6 +46,7 @@
+--- curl-8.18.0.orig/lib/hostip.c
++++ curl-8.18.0/lib/hostip.c
+@@ -43,6 +43,7 @@
+ #include <setjmp.h>  /* for sigjmp_buf, sigsetjmp() */
  #include <signal.h>
- #endif
  
 +#include <fcntl.h>
  #include "urldata.h"
- #include "sendf.h"
+ #include "curl_trc.h"
  #include "connect.h"
-@@ -691,7 +692,7 @@ bool Curl_ipv6works(struct Curl_easy *da
+@@ -689,7 +690,7 @@ bool Curl_ipv6works(struct Curl_easy *da
    else {
      int ipv6_works = -1;
      /* probe to see if we have a working IPv6 stack */
--    curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0);
-+    curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
+-    curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM, 0);
++    curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
      if(s == CURL_SOCKET_BAD)
        /* an IPv6 address was requested but we cannot get/use one */
        ipv6_works = 0;
-Index: curl-8.14.0/lib/cf-socket.c
+Index: curl-8.18.0/lib/cf-socket.c
 ===================================================================
---- curl-8.14.0.orig/lib/cf-socket.c
-+++ curl-8.14.0/lib/cf-socket.c
-@@ -369,7 +369,9 @@ static CURLcode socket_open(struct Curl_
+--- curl-8.18.0.orig/lib/cf-socket.c
++++ curl-8.18.0/lib/cf-socket.c
+@@ -345,7 +345,8 @@ static CURLcode socket_open(struct Curl_
    }
    else {
      /* opensocket callback not set, so simply create the socket now */
--    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
-+    *sockfd = socket(addr->family,
-+		     addr->socktype|SOCK_CLOEXEC,
-+		     addr->protocol);
+-    *sockfd = CURL_SOCKET(addr->family, addr->socktype, addr->protocol);
++    *sockfd = CURL_SOCKET(addr->family, addr->socktype|SOCK_CLOEXEC,
++                          addr->protocol);
+     if((*sockfd == CURL_SOCKET_BAD) && (SOCKERRNO == SOCKENOMEM))
+       return CURLE_OUT_OF_MEMORY;
    }
- 
-   if(*sockfd == CURL_SOCKET_BAD)