Accepting request 1325821 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/1325821
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=221

curl-8.14.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmg/3PcACgkQXMkI/bce
-EsJqDAf/Q6bzaPr1MlnbF3yFwzpMNY4ZH6SXWvmztLaFksrNFM8fuby00yNQ02pi
-4kfyIWgR4SRpHq2rmM//JudwRO5vObEctrtw/bQWR9IQ/rkrt2RtwDfFXLOtq2k/
-aHmmnZmQNeVJYQUpGlsehtXMCO0wIpvRK4yecHZC4ueq+UCJjrp2rJVpaKm+KOVY
-2DxPA5OyBKVKV/hJXD8+7V06HnsbojyxGf4Wg2XuXz1pa7z6lxWaf3ACf9gi+BzX
-4uPRT4ZChWCqUvLBl2C95ulY0/rmem7ffJuhBC0hBDk3qpqV8tv9TyS9xoTEVVkh
-sK20aPD0vcHjnTM0u/IfVVhfliNC+Q==
-=mjWb
------END PGP SIGNATURE-----

curl-8.18.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmleBDIACgkQXMkI/bce
+EsINpQf8C15Nc/X/d/CjOOMV66+0bpDnUzab+8qDItfD3uNR66B7gj+ZUfyiuNp8
+rPAbjWhuDlvdVATfOpax5KltK/+IweoOHevt15eEG/iERpJShsIPmX0PGkvsPpxP
+LzrquV0pjOUWGxMN8ophfeE+hMh37AROvYlcbK/bGG9xJquAbLj2kW+xGbUouPzL
+taq2Pnm8TvqyrnNulWRbezQRv4AB7cM0z9w5q6m4vpJfv+DLSHfmX8svXx2EkdPN
+ij0+v5UESKforBwm3OYfL5bkgEaii5yJS5h2T8NQCQn4hldFJxO/h+OLjV89HRZp
+uasF96+6nhG/q7x829p1pQ6le3Btag==
+=J4xV
+-----END PGP SIGNATURE-----

curl-CVE-2025-10148.patch

@@ -1,64 +0,0 @@
-From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 8 Sep 2025 14:14:15 +0200
-Subject: [PATCH] ws: get a new mask for each new outgoing frame
-
-Reported-by: Calvin Ruocco
-Closes #18496
----
- lib/ws.c | 28 +++++++++++++---------------
- 1 file changed, 13 insertions(+), 15 deletions(-)
-
-Index: curl-8.14.1/lib/ws.c
-===================================================================
---- curl-8.14.1.orig/lib/ws.c
-+++ curl-8.14.1/lib/ws.c
-@@ -758,6 +758,7 @@ static ssize_t ws_enc_write_head(struct
-   unsigned char head[14];
-   size_t hlen;
-   ssize_t n;
-+  CURLcode result;
- 
-   if(payload_len < 0) {
-     failf(data, "[WS] starting new frame with negative payload length %"
-@@ -831,6 +831,17 @@ static ssize_t ws_enc_write_head(struct
-   enc->payload_remain = enc->payload_len = payload_len;
-   ws_enc_info(enc, data, "sending");
- 
-+  /* 4 bytes random */
-+  result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask));
-+  if(result)
-+    return result;
-+
-+#ifdef DEBUGBUILD
-+  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
-+    /* force the bit mask to 0x00000000, effectively disabling masking */
-+    memset(&enc->mask, 0, sizeof(enc->mask));
-+#endif
-+
-   /* add 4 bytes mask */
-   memcpy(&head[hlen], &enc->mask, 4);
-   hlen += 4;
-@@ -1025,21 +1036,7 @@ CURLcode Curl_ws_accept(struct Curl_easy
-      subprotocol not requested by the client), the client MUST Fail
-      the WebSocket Connection. */
- 
--  /* 4 bytes random */
--
--  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
--                     sizeof(ws->enc.mask));
--  if(result)
--    return result;
--
--#ifdef DEBUGBUILD
--  if(getenv("CURL_WS_FORCE_ZERO_MASK"))
--    /* force the bit mask to 0x00000000, effectively disabling masking */
--    memset(ws->enc.mask, 0, sizeof(ws->enc.mask));
--#endif
--
--  infof(data, "[WS] Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
--        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
-+  infof(data, "[WS] Received 101, switch to WebSocket");
- 
-   /* Install our client writer that decodes WS frames payload */
-   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,

curl-CVE-2025-11563.patch

@@ -1,108 +0,0 @@
-From fb0c014e30e5f4de7aa0d566c52c836a6423da29 Mon Sep 17 00:00:00 2001
-From: Samuel Henrique <samueloph@debian.org>
-Date: Sun, 26 Oct 2025 17:34:46 +0000
-Subject: [PATCH] wcurl: sync to +dev snapshot
-
-Closes #19247
----
- scripts/wcurl | 36 +++++++++++++++++++++++++++++-------
- 1 file changed, 29 insertions(+), 7 deletions(-)
-
-Index: curl-8.14.1/scripts/wcurl
-===================================================================
---- curl-8.14.1.orig/scripts/wcurl
-+++ curl-8.14.1/scripts/wcurl
-@@ -65,7 +65,7 @@ Options:
-                            multiple times, only the last value is considered.
- 
-   --no-decode-filename: Don't percent-decode the output filename, even if the percent-encoding in
--                        the URL was done by wcurl, e.g.: The URL contained whitespaces.
-+                        the URL was done by wcurl, e.g.: The URL contained whitespace.
- 
-   --dry-run: Don't actually execute curl, just print what would be invoked.
- 
-@@ -77,7 +77,7 @@ Options:
-                  instead forwarded to the curl invocation.
- 
-   <URL>: URL to be downloaded. Anything that is not a parameter is considered
--         an URL. Whitespaces are percent-encoded and the URL is passed to curl, which
-+         an URL. Whitespace is percent-encoded and the URL is passed to curl, which
-          then performs the parsing. May be specified more than once.
- _EOF_
- }
-@@ -85,7 +85,7 @@ _EOF_
- # Display an error message and bail out.
- error()
- {
--    printf "%s\n" "$*" > /dev/stderr
-+    printf "%s\n" "$*" >&2
-     exit 1
- }
- 
-@@ -113,6 +113,13 @@ readonly PER_URL_PARAMETERS="\
-     --remote-time \
-     --retry 5 "
- 
-+# Valid percent-encode codes that are considered unsafe to be decoded.
-+# This is a list of space-separated percent-encoded uppercase
-+# characters.
-+# 2F = /
-+# 5C = \
-+readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
-+
- # Whether to invoke curl or not.
- DRY_RUN="false"
- 
-@@ -137,6 +144,20 @@ is_subset_of()
-     esac
- }
- 
-+# Indicate via exit code whether the HTML code given in the first
-+# parameter is safe to be decoded.
-+is_safe_percent_encode()
-+{
-+    upper_str=$(printf "%s" "${1}" | tr "[:lower:]" "[:upper:]")
-+    for unsafe in ${UNSAFE_PERCENT_ENCODE}; do
-+        if [ "${unsafe}" = "${upper_str}" ]; then
-+            return 1
-+        fi
-+    done
-+
-+    return 0
-+}
-+
- # Print the given string percent-decoded.
- percent_decode()
- {
-@@ -151,9 +172,10 @@ percent_decode()
-                 decode_out="${decode_out}${decode_hex2}"
-                 # Skip decoding if this is a control character (00-1F).
-                 # Skip decoding if DECODE_FILENAME is not "true".
--                if is_subset_of "${decode_hex1}" "23456789abcdefABCDEF" && \
--                    is_subset_of "${decode_hex2}" "0123456789abcdefABCDEF" && \
--                    [ "${DECODE_FILENAME}" = "true" ]; then
-+                if [ "${DECODE_FILENAME}" = "true" ] \
-+                    && is_subset_of "${decode_hex1}" "23456789abcdefABCDEF" \
-+                    && is_subset_of "${decode_hex2}" "0123456789abcdefABCDEF" \
-+                    && is_safe_percent_encode "${decode_out}"; then
-                     # Use printf to decode it into octal and then decode it to the final format.
-                     decode_out="$(printf "%b" "\\$(printf %o "0x${decode_hex1}${decode_hex2}")")"
-                 fi
-@@ -298,7 +320,7 @@ while [ -n "${1-}" ]; do
-             # This is the start of the list of URLs.
-             shift
-             for url in "$@"; do
--                # Encode whitespaces into %20, since wget supports those URLs.
-+                # Encode whitespace into %20, since wget supports those URLs.
-                 newurl=$(printf "%s\n" "${url}" | sed 's/ /%20/g')
-                 URLS="${URLS} ${newurl}"
-             done
-@@ -311,7 +333,7 @@ while [ -n "${1-}" ]; do
- 
-         *)
-             # This must be a URL.
--            # Encode whitespaces into %20, since wget supports those URLs.
-+            # Encode whitespace into %20, since wget supports those URLs.
-             newurl=$(printf "%s\n" "${1}" | sed 's/ /%20/g')
-             URLS="${URLS} ${newurl}"
-             ;;

curl-CVE-2025-14017.patch

@@ -1,110 +0,0 @@
-From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Thu, 4 Dec 2025 00:14:20 +0100
-Subject: [PATCH] ldap: call ldap_init() before setting the options
-
-Closes #19830
----
- lib/ldap.c | 50 +++++++++++++++++++-------------------------------
- 1 file changed, 19 insertions(+), 31 deletions(-)
-
-Index: curl-8.14.1/lib/ldap.c
-===================================================================
---- curl-8.14.1.orig/lib/ldap.c
-+++ curl-8.14.1/lib/ldap.c
-@@ -375,16 +375,29 @@ static CURLcode ldap_do(struct Curl_easy
-     passwd = conn->passwd;
-   }
- 
-+#ifdef USE_WIN32_LDAP
-+  if(ldap_ssl)
-+    server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1);
-+  else
-+#else
-+    server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port);
-+#endif
-+  if(!server) {
-+    failf(data, "LDAP local: Cannot connect to %s:%u",
-+          conn->host.dispname, conn->primary.remote_port);
-+    result = CURLE_COULDNT_CONNECT;
-+    goto quit;
-+  }
-+
- #ifdef LDAP_OPT_NETWORK_TIMEOUT
--  ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
-+  ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
- #endif
--  ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
-+  ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
- 
-   if(ldap_ssl) {
- #ifdef HAVE_LDAP_SSL
- #ifdef USE_WIN32_LDAP
-     /* Win32 LDAP SDK does not support insecure mode without CA! */
--    server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1);
-     ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
- #else
-     int ldap_option;
-@@ -404,7 +417,7 @@ static CURLcode ldap_do(struct Curl_easy
-         goto quit;
-       }
-       infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca);
--      rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
-+      rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
-       if(rc != LDAP_SUCCESS) {
-         failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
-                 ldap_err2string(rc));
-@@ -416,20 +429,13 @@ static CURLcode ldap_do(struct Curl_easy
-     else
-       ldap_option = LDAP_OPT_X_TLS_NEVER;
- 
--    rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
-+    rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
-     if(rc != LDAP_SUCCESS) {
-       failf(data, "LDAP local: ERROR setting cert verify mode: %s",
-               ldap_err2string(rc));
-       result = CURLE_SSL_CERTPROBLEM;
-       goto quit;
-     }
--    server = ldap_init(host, conn->primary.remote_port);
--    if(!server) {
--      failf(data, "LDAP local: Cannot connect to %s:%u",
--            conn->host.dispname, conn->primary.remote_port);
--      result = CURLE_COULDNT_CONNECT;
--      goto quit;
--    }
-     ldap_option = LDAP_OPT_X_TLS_HARD;
-     rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
-     if(rc != LDAP_SUCCESS) {
-@@ -438,15 +444,6 @@ static CURLcode ldap_do(struct Curl_easy
-       result = CURLE_SSL_CERTPROBLEM;
-       goto quit;
-     }
--/*
--    rc = ldap_start_tls_s(server, NULL, NULL);
--    if(rc != LDAP_SUCCESS) {
--      failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
--              ldap_err2string(rc));
--      result = CURLE_SSL_CERTPROBLEM;
--      goto quit;
--    }
--*/
- #else
-     (void)ldap_option;
-     (void)ldap_ca;
-@@ -465,15 +462,6 @@ static CURLcode ldap_do(struct Curl_easy
-     result = CURLE_NOT_BUILT_IN;
-     goto quit;
-   }
--  else {
--    server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port);
--    if(!server) {
--      failf(data, "LDAP local: Cannot connect to %s:%u",
--            conn->host.dispname, conn->primary.remote_port);
--      result = CURLE_COULDNT_CONNECT;
--      goto quit;
--    }
--  }
- #ifdef USE_WIN32_LDAP
-   ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
-   rc = ldap_win_bind(data, server, user, passwd);

curl-CVE-2025-14524.patch

@@ -1,25 +0,0 @@
-From 1a822275d333dc6da6043497160fd04c8fa48640 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 10 Dec 2025 11:40:47 +0100
-Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer
-
-Closes #19933
----
- lib/curl_sasl.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-Index: curl-8.14.1/lib/curl_sasl.c
-===================================================================
---- curl-8.14.1.orig/lib/curl_sasl.c
-+++ curl-8.14.1/lib/curl_sasl.c
-@@ -356,7 +356,9 @@ CURLcode Curl_sasl_start(struct SASL *sa
-     data->set.str[STRING_SERVICE_NAME] :
-     sasl->params->service;
- #endif
--  const char *oauth_bearer = data->set.str[STRING_BEARER];
-+  const char *oauth_bearer =
-+    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
-+    data->set.str[STRING_BEARER] : NULL;
-   struct bufref nullmsg;
- 
-   Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port);

curl-CVE-2025-14819.patch

@@ -1,66 +0,0 @@
-From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 17 Dec 2025 10:54:16 +0100
-Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a
- different CA cache
-
-Reported-by: Stanislav Fort
-
-Closes #20009
----
- lib/vtls/openssl.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-Index: curl-8.14.1/lib/vtls/openssl.c
-===================================================================
---- curl-8.14.1.orig/lib/vtls/openssl.c
-+++ curl-8.14.1/lib/vtls/openssl.c
-@@ -3457,6 +3457,7 @@ struct ossl_x509_share {
-   char *CAfile;         /* CAfile path used to generate X509 store */
-   X509_STORE *store;    /* cached X509 store or NULL if none */
-   struct curltime time; /* when the cached store was created */
-+  BIT(no_partialchain); /* keep partial chain state */
- };
- 
- static void oss_x509_share_free(void *key, size_t key_len, void *p)
-@@ -3491,9 +3492,14 @@ ossl_cached_x509_store_expired(const str
- 
- static bool
- ossl_cached_x509_store_different(struct Curl_cfilter *cf,
-+                                 const struct Curl_easy *data,
-                                  const struct ossl_x509_share *mb)
- {
-   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
-+  struct ssl_config_data *ssl_config =
-+    Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
-+  if(mb->no_partialchain != ssl_config->no_partialchain)
-+    return TRUE;
-   if(!mb->CAfile || !conn_config->CAfile)
-     return mb->CAfile != conn_config->CAfile;
- 
-@@ -3513,7 +3519,7 @@ static X509_STORE *ossl_get_cached_x509_
-                                  sizeof(MPROTO_OSSL_X509_KEY)-1) : NULL;
-   if(share && share->store &&
-      !ossl_cached_x509_store_expired(data, share) &&
--     !ossl_cached_x509_store_different(cf, share)) {
-+     !ossl_cached_x509_store_different(cf, data, share)) {
-     store = share->store;
-   }
- 
-@@ -3550,6 +3556,8 @@ static void ossl_set_cached_x509_store(s
- 
-   if(X509_STORE_up_ref(store)) {
-     char *CAfile = NULL;
-+    struct ssl_config_data *ssl_config =
-+      Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
- 
-     if(conn_config->CAfile) {
-       CAfile = strdup(conn_config->CAfile);
-@@ -3567,6 +3575,7 @@ static void ossl_set_cached_x509_store(s
-     share->time = curlx_now();
-     share->store = store;
-     share->CAfile = CAfile;
-+    share->no_partialchain = ssl_config->no_partialchain;
-   }
- }
- 

curl-CVE-2025-15079.patch

@@ -1,28 +0,0 @@
-From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 24 Dec 2025 17:47:03 +0100
-Subject: [PATCH] libssh: set both knownhosts options to the same file
-
-Reported-by: Harry Sintonen
-
-Closes #20092
----
- lib/vssh/libssh.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
-index 7d5905c83d75..98c109ab59a3 100644
---- a/lib/vssh/libssh.c
-+++ b/lib/vssh/libssh.c
-@@ -2629,6 +2629,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done)
-     infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]);
-     rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_KNOWNHOSTS,
-                          data->set.str[STRING_SSH_KNOWNHOSTS]);
-+    if(rc == SSH_OK)
-+      /* libssh has two separate options for this. Set both to the same file
-+         to avoid surprises */
-+      rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
-+                           data->set.str[STRING_SSH_KNOWNHOSTS]);
-     if(rc != SSH_OK) {
-       failf(data, "Could not set known hosts file path");
-       return CURLE_FAILED_INIT;

curl-CVE-2025-15224.patch

@@ -1,27 +0,0 @@
-From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001
-From: Harry Sintonen <sintonen@iki.fi>
-Date: Mon, 29 Dec 2025 16:56:39 +0100
-Subject: [PATCH] libssh: require private key or user-agent for public key auth
-
-Closes #20110
----
- lib/vssh/libssh.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-Index: curl-8.14.1/lib/vssh/libssh.c
-===================================================================
---- curl-8.14.1.orig/lib/vssh/libssh.c
-+++ curl-8.14.1/lib/vssh/libssh.c
-@@ -698,7 +698,11 @@ static int myssh_state_authlist(struct C
-           "keyboard-interactive, " : "",
-           sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
-           "password": "");
--  if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
-+  /* For public key auth we need either the private key or
-+     CURLSSH_AUTH_AGENT. */
-+  if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) &&
-+    (data->set.str[STRING_SSH_PRIVATE_KEY] ||
-+     (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) {
-     myssh_state(data, sshc, SSH_AUTH_PKEY_INIT);
-     infof(data, "Authentication using SSH public key file");
-   }

curl-CVE-2025-9086.patch

@@ -1,51 +0,0 @@
-From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 11 Aug 2025 20:23:05 +0200
-Subject: [PATCH] cookie: don't treat the leading slash as trailing
-
-If there is only a leading slash in the path, keep that. Also add an
-assert to make sure the path is never blank.
-
-Reported-by: Google Big Sleep
-Closes #18266
----
- lib/cookie.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index 914a4aca12ac..b72dd99bce9b 100644
---- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -296,9 +296,9 @@ static char *sanitize_cookie_path(const char *cookie_path)
-     /* Let cookie-path be the default-path. */
-     return strdup("/");
- 
--  /* remove trailing slash */
-+  /* remove trailing slash when path is non-empty */
-   /* convert /hoge/ to /hoge */
--  if(len && cookie_path[len - 1] == '/')
-+  if(len > 1 && cookie_path[len - 1] == '/')
-     len--;
- 
-   return Curl_memdup0(cookie_path, len);
-@@ -965,7 +965,7 @@ replace_existing(struct Curl_easy *data,
-          clist->spath && co->spath && /* both have paths */
-          clist->secure && !co->secure && !secure) {
-         size_t cllen;
--        const char *sep;
-+        const char *sep = NULL;
- 
-         /*
-          * A non-secure cookie may not overlay an existing secure cookie.
-@@ -974,8 +974,9 @@ replace_existing(struct Curl_easy *data,
-          * "/loginhelper" is ok.
-          */
- 
--        sep = strchr(clist->spath + 1, '/');
--
-+        DEBUGASSERT(clist->spath[0]);
-+        if(clist->spath[0])
-+          sep = strchr(clist->spath + 1, '/');
-         if(sep)
-           cllen = sep - clist->spath;
-         else

curl-fix--ftp-pasv.patch

@@ -1,147 +0,0 @@
-From 5f805eec1149c218145097ec2a24ac7fb7d46f25 Mon Sep 17 00:00:00 2001
-From: Dan Fandrich <dan@coneharvesters.com>
-Date: Fri, 6 Jun 2025 10:21:09 -0700
-Subject: [PATCH] tool_getparam: fix --ftp-pasv
-
-This boolean option was moved to the wrong handling function. Make it
-an ARG_NONE and move it to the correct handler and add a test to
-verify that the option works.
-
-Follow-up to 698491f44
-
-Reported-by: fjaell on github
-Fixes #17545
-Closes #17547
----
- docs/cmdline-opts/ftp-pasv.md |  3 +-
- src/tool_getparam.c           |  8 ++---
- tests/data/Makefile.am        |  2 +-
- tests/data/test1547           | 59 +++++++++++++++++++++++++++++++++++
- 4 files changed, 66 insertions(+), 6 deletions(-)
- create mode 100644 tests/data/test1547
-
-diff --git a/docs/cmdline-opts/ftp-pasv.md b/docs/cmdline-opts/ftp-pasv.md
-index 964f9769ae59..02deee30ded8 100644
---- a/docs/cmdline-opts/ftp-pasv.md
-+++ b/docs/cmdline-opts/ftp-pasv.md
-@@ -6,7 +6,8 @@ Help: Send PASV/EPSV instead of PORT
- Protocols: FTP
- Added: 7.11.0
- Category: ftp
--Multi: boolean
-+Multi: mutex
-+Mutexed: ftp-port
- See-also:
-   - disable-epsv
- Example:
-diff --git a/src/tool_getparam.c b/src/tool_getparam.c
-index 51156e46b97e..6d7020987d0a 100644
---- a/src/tool_getparam.c
-+++ b/src/tool_getparam.c
-@@ -153,7 +153,7 @@ static const struct LongShort aliases[]= {
-   {"ftp-alternative-to-user",    ARG_STRG, ' ', C_FTP_ALTERNATIVE_TO_USER},
-   {"ftp-create-dirs",            ARG_BOOL, ' ', C_FTP_CREATE_DIRS},
-   {"ftp-method",                 ARG_STRG, ' ', C_FTP_METHOD},
--  {"ftp-pasv",                   ARG_BOOL, ' ', C_FTP_PASV},
-+  {"ftp-pasv",                   ARG_NONE, ' ', C_FTP_PASV},
-   {"ftp-port",                   ARG_STRG, 'P', C_FTP_PORT},
-   {"ftp-pret",                   ARG_BOOL, ' ', C_FTP_PRET},
-   {"ftp-skip-pasv-ip",           ARG_BOOL, ' ', C_FTP_SKIP_PASV_IP},
-@@ -1703,6 +1703,9 @@ static ParameterError opt_none(struct GlobalConfig *global,
-     break;
-   case C_DUMP_CA_EMBED: /* --dump-ca-embed */
-     return PARAM_CA_EMBED_REQUESTED;
-+  case C_FTP_PASV: /* --ftp-pasv */
-+    tool_safefree(config->ftpport);
-+    break;
- 
-   case C_HTTP1_0: /* --http1.0 */
-     /* HTTP version 1.0 */
-@@ -2293,9 +2296,6 @@ static ParameterError opt_filestring(struct GlobalConfig *global,
-   case C_URL: /* --url */
-     err = parse_url(global, config, nextarg);
-     break;
--  case C_FTP_PASV: /* --ftp-pasv */
--    tool_safefree(config->ftpport);
--    break;
-   case C_SOCKS5: /* --socks5 */
-     /*  socks5 proxy to use, and resolves the name locally and passes on the
-         resolved address */
-diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
-index 1ef85cd3a2da..446674605835 100644
---- a/tests/data/Makefile.am
-+++ b/tests/data/Makefile.am
-@@ -203,7 +203,7 @@ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
- test1516 test1517 test1518 test1519 test1520 test1521 test1522 test1523 \
- test1524 test1525 test1526 test1527 test1528 test1529 test1530 test1531 \
- test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 \
--test1540 test1541 test1542 test1543 test1544 test1545 test1546 \
-+test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 \
- \
- test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
- test1558 test1559 test1560 test1561 test1562 test1563 test1564 test1565 \
-diff --git a/tests/data/test1547 b/tests/data/test1547
-new file mode 100644
-index 000000000000..244151a5abd1
---- /dev/null
-+++ b/tests/data/test1547
-@@ -0,0 +1,59 @@
-+<testcase>
-+# Based on test100 & test101
-+<info>
-+<keywords>
-+FTP
-+PASV
-+LIST
-+</keywords>
-+</info>
-+#
-+# Server-side
-+<reply>
-+<data mode="text">
-+total 20
-+drwxr-xr-x   8 98       98           512 Oct 22 13:06 .
-+drwxr-xr-x   8 98       98           512 Oct 22 13:06 ..
-+drwxr-xr-x   2 98       98           512 May  2  1996 curl-releases
-+-r--r--r--   1 0        1             35 Jul 16  1996 README
-+lrwxrwxrwx   1 0        1              7 Dec  9  1999 bin -> usr/bin
-+dr-xr-xr-x   2 0        1            512 Oct  1  1997 dev
-+drwxrwxrwx   2 98       98           512 May 29 16:04 download.html
-+dr-xr-xr-x   2 0        1            512 Nov 30  1995 etc
-+drwxrwxrwx   2 98       1            512 Oct 30 14:33 pub
-+dr-xr-xr-x   5 0        1            512 Oct  1  1997 usr
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+ftp
-+</server>
-+<name>
-+FTP dir list PASV overriding PORT
-+</name>
-+<command>
-+ftp://%HOSTIP:%FTPPORT/test-%TESTNUMBER/ -P %CLIENTIP --ftp-pasv
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+QUIT
-+</strip>
-+<protocol>
-+USER anonymous
-+PASS ftp@example.com
-+PWD
-+CWD test-%TESTNUMBER
-+EPSV
-+TYPE A
-+LIST
-+QUIT
-+</protocol>
-+</verify>
-+</testcase>

curl-secure-getenv.patch

@@ -1,10 +1,10 @@
-Index: curl-8.13.0/lib/getenv.c
+Index: curl-8.18.0/lib/getenv.c
 ===================================================================
---- curl-8.13.0.orig/lib/getenv.c
-+++ curl-8.13.0/lib/getenv.c
-@@ -29,6 +29,14 @@
- 
- #include "memdebug.h"
+--- curl-8.18.0.orig/lib/getenv.c
++++ curl-8.18.0/lib/getenv.c
+@@ -23,6 +23,14 @@
+  ***************************************************************************/
+ #include "curl_setup.h"
  
 +#ifndef HAVE_SECURE_GETENV
 +#  ifdef HAVE___SECURE_GETENV
@@ -14,23 +14,23 @@ Index: curl-8.13.0/lib/getenv.c
 +#  endif
 +#endif
 +
- static char *GetEnv(const char *variable)
+ char *curl_getenv(const char *variable)
  {
- #if defined(CURL_WINDOWS_UWP) || defined(UNDER_CE) || \
-@@ -69,7 +77,7 @@ static char *GetEnv(const char *variable
+ #if defined(CURL_WINDOWS_UWP) || \
+@@ -63,7 +71,7 @@ char *curl_getenv(const char *variable)
      /* else rc is bytes needed, try again */
    }
  #else
 -  char *env = getenv(variable);
 +  char *env = secure_getenv(variable);
-   return (env && env[0]) ? strdup(env) : NULL;
+   return (env && env[0]) ? curlx_strdup(env) : NULL;
  #endif
  }
-Index: curl-8.13.0/configure.ac
+Index: curl-8.18.0/configure.ac
 ===================================================================
---- curl-8.13.0.orig/configure.ac
-+++ curl-8.13.0/configure.ac
-@@ -5384,6 +5384,8 @@ fi
+--- curl-8.18.0.orig/configure.ac
++++ curl-8.18.0/configure.ac
+@@ -5528,6 +5528,8 @@ fi
  
  CURL_PREPARE_CONFIGUREHELP_PM
  

curl-tool_operate-fix-return-code-when-retry-is-used.patch

@@ -1,121 +0,0 @@
-From b42776b4f4a6e9c9f5e3ff49d7bf610ad99c45c9 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 Jun 2025 08:37:49 +0200
-Subject: [PATCH 1238/2000] tool_operate: fix return code when --retry is used
- but not triggered
-
-Verify with test 752
-
-Reported-by: fjaell on github
-Fixes #17554
-Closes #17559
-
-diff --git a/src/tool_operate.c b/src/tool_operate.c
-index 24e79e6f61..2397de1686 100644
---- a/src/tool_operate.c
-+++ b/src/tool_operate.c
-@@ -548,8 +548,9 @@ static CURLcode retrycheck(struct OperationConfig *config,
-     *retryp = TRUE;
-     per->num_retries++;
-     *delayms = sleeptime;
-+    result = CURLE_OK;
-   }
--  return CURLE_OK;
-+  return result;
- }
- 
- 
-diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
-index 4466746058..ab21e0e220 100644
---- a/tests/data/Makefile.am
-+++ b/tests/data/Makefile.am
-@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
- test718 test719 test720 test721 test722 test723 test724 test725 test726 \
- test727 test728 test729 test730 test731 test732 test733 test734 test735 \
- test736 test737 test738 test739 test740 test741 test742 test743 test744 \
--test745 test746 test747 test748 test749 test750 test751 \
-+test745 test746 test747 test748 test749 test750 test751 test752 \
- \
- test780 test781 test782 test783 test784 test785 test786 test787 test788 \
- test789 test790 test791 \
-diff --git a/tests/data/test752 b/tests/data/test752
-new file mode 100644
-index 0000000000..00f14909d1
---- /dev/null
-+++ b/tests/data/test752
-@@ -0,0 +1,72 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP GET
-+-f
-+--retry
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data crlf="yes">
-+HTTP/1.1 404 nopes
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+
-+<datacheck crlf="yes">
-+HTTP/1.1 404 nopes
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+</datacheck>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+<name>
-+--retry and -f on a HTTP 404 response
-+</name>
-+<command>
-+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -f --retry 1
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<protocol crlf="yes">
-+GET /%TESTNUMBER HTTP/1.1
-+Host: %HOSTIP:%HTTPPORT
-+User-Agent: curl/%VERSION
-+Accept: */*
-+
-+</protocol>
-+<errorcode>
-+22
-+</errorcode>
-+</verify>
-+</testcase>
--- 
-2.51.0
-

curl.changes

@@ -1,47 +1,515 @@
 -------------------------------------------------------------------
-Wed Jan  7 12:52:25 UTC 2026 - Lucas Mulling <lucas.mulling@suse.com>
+Wed Jan  7 11:48:31 UTC 2026 - Lucas Mulling <lucas.mulling@suse.com>
 
-- Security fix: [bsc#1256105, CVE-2025-14017]
-  * call ldap_init() before setting the options
-  * Add patch curl-CVE-2025-14017.patch
+- Update to 8.18.0:
+  * Security fixes:
+    - [bsc#1256105, CVE-2025-14017] ldap: call ldap_init() before setting the options
+    - [bsc#1255731, CVE-2025-14524] curl_sasl: if redirected, require permission to use bearer
+    - [bsc#1255734, CVE-2025-15224] libssh: require private key or user-agent for public key auth
+    - [bsc#1255732, CVE-2025-14819] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
+    - [bsc#1255733, CVE-2025-15079] libssh: set both knownhosts options to the same file
+  * Changes:
+    - openssl: bump minimum OpenSSL version to 3.0.0
+  * Bugfixes:
+    - alt-svc: more flexibility on same destination
+    - altsvc: accept ma/persist per alternative entry
+    - altsvc: make it one malloc instead of three per entry
+    - asyn-ares: handle Curl_dnscache_mk_entry() OOM error
+    - asyn-ares: remove hostname free on OOM
+    - asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo
+    - asyn-thrdd: release rrname if ares_init_options fails
+    - auth: always treat Curl_auth_ntlm_get() returning NULL as OOM
+    - autotools: add nettle library detection via pkg-config (for GnuTLS)
+    - autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr)
+    - autotools: fix LargeFile feature display on Windows (after prev patch)
+    - autotools: tidy-up 'if' expressions
+    - build: add build-level 'CURL_DISABLE_TYPECHECK' options
+    - build: exclude clang prereleases from compiler warning options
+    - build: replace '-pedantic' with '-Wpedantic' when supported
+    - build: set '-Wno-format-signedness'
+    - build: tidy-up MSVC CRT warning suppression macros
+    - ccsidcurl: make curl_mime_data_ccsid() use the converted size
+    - cf-h1-proxy: support folded headers in CONNECT responses
+    - cf-https-connect: allocate ctx at first in cf_hc_create()
+    - cf-socket: drop feature check for 'IPV6_V6ONLY' on Windows
+    - cf-socket: enable Win10 'TCP_KEEP*' options with old SDKs
+    - cf-socket: limit use of 'TCP_KEEP*' to Windows 10.0.16299+ at runtime
+    - cf-socket: return OOM error if socket() fails due to OOM
+    - cf-socket: trace ignored errors
+    - cfilters: make conn_forget_socket a private libssh function
+    - checksrc.pl: detect assign followed by more than one space
+    - cmake: adjust defaults for target platforms not supporting shared libs
+    - cmake: define dependencies as 'IMPORTED' interface targets
+    - cmake: delete unused file 'CMake/CMakeConfigurableFile.in'
+    - cmake: disable 'CURL_CA_PATH' auto-detection if 'USE_APPLE_SECTRUST=ON'
+    - cmake: fix 'ws2_32' reference in 'curl-config.cmake'
+    - cmake: honor 'CURL_DISABLE_INSTALL' and 'CURL_ENABLE_EXPORT_TARGET'
+    - cmake: replace deprecated 'OPENSSL_FOUND' with 'OpenSSL_FOUND'
+    - cmake: replace deprecated 'PERL_FOUND' with 'Perl_FOUND'
+    - cmake: save and restore 'CMAKE_MODULE_PATH' in 'curl-config.cmake'
+    - cmake: set found status to OFF when not found (for compression deps)
+    - code: minor indent fixes before closing braces
+    - config-win32.h: delete obsolete, non-Windows comments
+    - config-win32.h: drop unused/obsolete 'CURL_HAS_OPENLDAP_LDAPSDK'
+    - config2setopts: add space in cookie header with multiple -b
+    - config2setopts: bail out if curl_url_get() returns OOM
+    - config2setopts: exit if curl_url_set() fails on OOM
+    - configure: delete unused variable
+    - conncache: silence '-Wnull-dereference' on gcc 14 RISC-V 64
+    - conncontrol: reuse handling
+    - connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition'
+    - connection: attached transfer count
+    - content_encoding: avoid strcpy
+    - cookie. return proper error on OOM
+    - cookie: allocate the main struct once cookie is fine
+    - cookie: flush better
+    - cookie: only keep and use the canonical cleaned up path
+    - cookie: propagate errors better, cleanup the internal API
+    - cookie: return error on OOM
+    - cookie: when parsing a cookie header, delay all allocations until okay
+    - cshutdn: acknowledge FD_SETSIZE for shutdown descriptors
+    - curl: fix progress meter in parallel mode
+    - curl_fopen: do not pass invalid mode flags to 'open()' on Windows
+    - curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer
+    - curl_ntlm_core: fix DES_* symbols for some wolfSSL builds
+    - curl_quiche: refuse headers with CR, LF or null bytes
+    - curl_sasl: make Curl_sasl_decode_mech compare case insensitively
+    - curl_setup.h: document more funcs flagged by '_CRT_SECURE_NO_WARNINGS'
+    - curl_setup.h: drop stray '#undef stat' (Windows)
+    - curl_setup.h: drop superfluous parenthesis from 'Curl_safefree' macro
+    - curl_threads: don't do another malloc if the first fails
+    - curl_trc: delete unused DoH remains
+    - CURLINFO: remove 'get' and 'get the' from each short desc
+    - CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer"
+    - CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text
+    - CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use
+    - CURLOPT_ACCEPT_ENCODING.md: warn about the expansion
+    - CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/
+    - CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use
+    - CURLOPT_READFUNCTION.md: clarify the size of the buffer
+    - CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
+    - curlx/fopen: replace open CRT functions their with '_s' counterparts (Windows)
+    - curlx/multibyte: stop setting macros for non-Windows
+    - curlx/strerr: use 'strerror_s()' on Windows
+    - curlx: add 'curlx_rename()', fix to support long filenames on Windows
+    - curlx: curlx_strcopy() instead of strcpy()
+    - curlx: limit use of system allocators to the minimum possible
+    - curlx: replace 'mbstowcs'/'wcstombs' with '_s' counterparts (Windows)
+    - curlx: replace 'sprintf' with 'snprintf'
+    - curlx: use curl alloc in 'curlx_win32_stat()' (Windows)
+    - curlx: use curlx allocators in non-memdebug builds (Windows)
+    - DEPRECATE: add CMake <3.18 deprecation for April 2026
+    - digest: fix OWS and escaped quote handling
+    - digest_sspi: fix a memory leak on error path
+    - digest_sspi: properly free sspi identity
+    - doc: some returned in-memory data may not be altered
+    - docs: add a note about --compressed to note about binary output
+    - docs: clarify how to do unix domain sockets with SOCKS proxy
+    - docs: fix checksrc 'EQUALSPACE' warnings
+    - docs: fix time_posttransfer output unit as seconds
+    - docs: mention umask need when curl creates files
+    - docs: remove dead URLs
+    - docs: rename CURLcode variables to 'result'
+    - docs: spell it Rustls with a capital R
+    - docs: switch more URLs to https://
+    - docs: use mresult as variable name for CURLMcode
+    - escape: add a length check in curl_easy_escape
+    - file: do not pass invalid mode flags to 'open()' on upload (Windows)
+    - formdata: validate callback is non-NULL before use
+    - ftp: make EPRT connections non-blocking
+    - ftp: refactor a piece of code by merging the repeated part
+    - ftp: remove #ifdef for define that is always defined
+    - ftp: return better on OOM in two places
+    - ftp: return from ftp_state_use_port immediately on OOM
+    - getenv: drop internal 1-to-1 wrapper
+    - getinfo: improve perf in debug mode
+    - h2/h3: handle methods with spaces
+    - headers: add length argument to Curl_headers_push()
+    - hostcheck: fail wildcard match if host starts with a dot
+    - hostip.h: drop redundant 'setjmp.h' include
+    - hostip: don't store negative lookup on OOM
+    - hostip: make more functions return CURLcode
+    - hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST
+    - hsts: propagate and error out correctly on OOM
+    - hsts: use one malloc instead of two per entry
+    - http: acknowledge OOM errors from Curl_input_ntlm
+    - http: avoid two strdup()s and do minor simplifications
+    - http: error on OOM when creating range header
+    - http: fix OOM exit in Curl_http_follow
+    - http: handle oom error from Curl_input_digest()
+    - http: replace atoi use in Curl_http_follow with curlx_str_number
+    - http: return OOM errors from hsts properly
+    - http: the :authority header should never contain user+password
+    - http: unfold response headers earlier
+    - idn: avoid allocations and wcslen on Windows
+    - idn: clarify null-termination on Windows
+    - idn: fix memory leak in 'win32_ascii_to_idn()'
+    - idn: use curlx allocators on Windows
+    - imap: check buffer length before accessing it
+    - imap: make sure Curl_pgrsSetDownloadSize() does not overflow
+    - inet_ntop: avoid the strlen()
+    - krb5: fix detecting channel binding feature
+    - krb5_sspi: unify a part of error handling
+    - ldap: drop PP logic for old, unsupported, Windows SDKs
+    - ldap: improve detection of Apple LDAP
+    - ldap: provide version for "legacy" ldap as well
+    - lib/sendf.h: forward declare two structs
+    - lib: cleanup for some typos about spaces and code style
+    - lib: create unitprotos.h in the builddir, not srcdir
+    - lib: drop unused or duplicate 'curlx/timeval.h' includes
+    - lib: drop unused protocol headers
+    - lib: eliminate size_t casts
+    - lib: error for OOM when extracting URL query
+    - lib: fix formatting nits (part 2)
+    - lib: fix formatting nits (part 3)
+    - lib: fix formatting nits
+    - lib: fix gssapi.h include on IBMi
+    - lib: name the main CURLMcode variable 'mresult'
+    - lib: refactor the type of funcs which have useless return and checks
+    - lib: replace '_tcsncpy'/'wcsncpy'/'wcscpy' with '_s' counterparts (Windows)
+    - lib: timer stats improvements
+    - lib: use 'SOCKET_WRITABLE()'/'SOCKET_READABLE()' where possible
+    - libssh2: add paths to error messages for quote commands
+    - libssh2: cleanup ssh_force_knownhost_key_type
+    - libssh2: consider strdup() failures OOM and return correctly
+    - libssh2: replace atoi() in ssh_force_knownhost_key_type
+    - libssh: fix state machine loop to progress as it should
+    - libssh: properly free sftp_attributes
+    - libtests: replace 'atoi()' with 'curlx_str_number()'
+    - limit-rate: add example using --limit-rate and --max-time together
+    - localtime: detect thread-safe alternatives and use them
+    - m4/sectrust: fix test(1) operator
+    - manage: expand the 'libcurl support required' message
+    - mbedTLS: cleanup insecure/deprecated code
+    - mbedtls: fix potential use of uninitialized 'nread'
+    - mbedtls: sync format across log messages
+    - mbedtls_threadlock: avoid calloc, use array
+    - mdlinkcheck: ignore IP numbers, allow '@' in raw URLs
+    - mdlinkcheck: only look for markdown links in markdown files
+    - memdebug: add mutex for thread safety
+    - memdebug: fix realloc logging
+    - mk-ca-bundle.md: the file format docs URL is permaredirected
+    - mk-ca-bundle.pl: default to SHA256 fingerprints with '-t' option
+    - mk-ca-bundle.pl: use 'open()' with argument list to replace backticks
+    - mqtt: reject overly big messages
+    - mqtt: return error when a too large packet is decoded
+    - multi: make max_total_* members size_t
+    - multi: remove MSTATE_TUNNELING
+    - multi: simplify admin handle processing
+    - multibyte: limit 'curlx_convert_*wchar*()' functions to Unicode builds
+    - ngtcp2+openssl: fix leak of session
+    - ngtcp2: remove the unused Curl_conn_is_ngtcp2 function
+    - ngtcp2: retune window sizes
+    - noproxy: fix build on systems without IPv6
+    - noproxy: fix ipv6 handling
+    - noproxy: replace atoi with curlx_str_number
+    - openssl: exit properly on OOM when getting certchain
+    - openssl: fix a potential memory leak of bio_out
+    - openssl: fix a potential memory leak of params.cert
+    - openssl: fix building against no-dsa openssl
+    - openssl: fix building against no-ocsp openssl with Apple SecTrust
+    - openssl: no verify failf message unless strict
+    - openssl: release ssl_session if sess_reuse_cb fails
+    - openssl: remove code handling default version
+    - openssl: simplify 'HAVE_KEYLOG_CALLBACK' guard
+    - openssl: stop checking for 'OPENSSL_NO_SHA*' macros
+    - openssl: stop checking for 'OPENSSL_NO_TLSEXT' macro
+    - osslq: code readability
+    - progress: make it one column narrower
+    - progress: narrower time display, multiple fixes
+    - progress: show fewer digits
+    - quiche: use client writer
+    - ratelimit blocking: fix busy loop
+    - ratelimit: redesign
+    - rtmp: fix double-free on URL parse errors
+    - rtmp: precaution for a potential integer truncation
+    - rtmp: stop redefining 'setsockopt' system symbol on Windows
+    - schannel: cap the maximum allowed size for loading cert
+    - schannel: fix memory leak of cert_store_path on four error paths
+    - schannel: replace atoi() with curlx_str_number()
+    - schannel: use Win8 'CERT_NAME_SEARCH_ALL_NAMES_FLAG' with old SDKs
+    - schannel_verify: fix a memory leak of cert_context
+    - scripts: fix shellcheck SC2046 warnings
+    - scripts: use end-of-options marker in 'find -exec' commands
+    - setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL
+    - setopt: when setting bad protocols, don't store them
+    - sftp: fix range downloads in both SSH backends
+    - slist: constify Curl_slist_append_nodup() string argument
+    - smb: fix a size check to be overflow safe
+    - socketpair: drop redundant '_WIN32' branch and include
+    - socks_sspi: use free() not FreeContextBuffer()
+    - source: misc typos
+    - speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE
+    - speedlimit: also reset on send unpausing
+    - src: drop redundant definition of 'BIT()'
+    - src: fix formatting nits
+    - ssh: tracing and better pollset handling
+    - sspi: fix memory leaks on error paths in 'Curl_create_sspi_identity()'
+    - sws: fix binding to unix socket on Windows
+    - synctime: tidy up, make it work on all platforms
+    - telnet: abort on bad suboption sequence
+    - telnet: replace atoi for BINARY handling with curlx_str_number
+    - tftp: release filename if conn_get_remote_addr fails
+    - tftpd: fix/tidy up 'open()' mode flags
+    - tidy-up: avoid '(())', clang-format fixes and more
+    - tidy-up: move 'CURL_UNCONST()' out from macro 'curl_unicodefree()'
+    - tidy-up: URLs (cont.) and mdlinkcheck
+    - tidy-up: URLs
+    - tool: consider (some) curl_easy_setopt errors fatal
+    - tool: log when loading .curlrc in verbose mode
+    - tool_cfgable: free ssl-sessions at exit
+    - tool_doswin: clear pointer when thread takes ownership
+    - tool_doswin: increase allowable length of path sanitizer
+    - tool_doswin: remove the max length check
+    - tool_getparam: simplify the --rate parser
+    - tool_getparam: use memdup0() instead of malloc + copy
+    - tool_getparam: verify that a file exists for some options
+    - tool_help: add checks to avoid unsigned wrap around
+    - tool_ipfs: check return codes better
+    - tool_msgs: make voutf() use stack instead of heap
+    - tool_operate: exit on curl_share_setopt errors
+    - tool_operate: fix a case of ignoring return code in operate()
+    - tool_operate: fix case of ignoring return code in single_transfer
+    - tool_operate: remove redundant condition
+    - tool_operate: return error for OOM in append2query
+    - tool_operate: use curlx_str_number instead of atoi
+    - tool_paramhlp: refuse --proto remove all protocols
+    - tool_paramhlp: remove a malloc+free from proto2num()
+    - tool_paramhlp: simplify number parsing
+    - tool_progress: fix large time outputs and decimal size display
+    - tool_urlglob: acknowledge OOM in peek_ipv6
+    - tool_urlglob: clean up used memory on errors better
+    - tool_urlglob: constify an argument
+    - tool_urlglob: fix propagating OOM error from 'sanitize_file_name()'
+    - tool_urlglob: support globs as long as config line lengths
+    - tool_writeout: bail out proper on OOM
+    - url: fix return code for OOM in parse_proxy()
+    - url: if curl_url_get() fails due to OOM, error out properly
+    - url: if OOM in parse_proxy() return error
+    - url: return error at once when OOM in netrc handling
+    - urlapi: fix mem-leaks in curl_url_get error paths
+    - urlapi: handle OOM properly when setting URL
+    - urlapi: return OOM correctly from parse_hostname_login()
+    - verify-release: update to avoid shellcheck warning SC2034
+    - vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
+    - vquic: do not pass invalid mode flags to 'open()' (Windows)
+    - vquic: do_sendmsg full init
+    - vquic: ignore 0-length UDP packets
+    - vquic: initialize new callback in nghttp3 1.14.0+
+    - vtls: drop unused 'use_alpn' from 'ssl_connect_data' struct
+    - vtls: fix CURLOPT_CAPATH use
+    - vtls: handle possible malicious certs_num from peer
+    - vtls: pinned key check
+    - wcurl: import v2025.11.09
+    - wcurl: import v2026.01.05
+    - ws: replace a cast by matching the format string
+    - x509asn1: drop unused 'hostcheck.h', 'vtls_int.h' includes
+  * Rebase patches:
+    - libcurl-ocloexec.patch
+    - curl-secure-getenv.patch
+  * Remove patch curl-vtls-fix-CURLOPT_CAPATH-use.patch
 
 -------------------------------------------------------------------
-Fri Jan  2 01:09:49 UTC 2026 - Lucas Mulling <lucas.mulling@suse.com>
+Wed Nov 19 13:07:46 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 
-- Security fixes:
-  * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer
-  * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth
-  * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
-  * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file
-  * Add patches:
-    - curl-CVE-2025-14524.patch
-    - curl-CVE-2025-15224.patch
-    - curl-CVE-2025-14819.patch
-    - curl-CVE-2025-15079.patch
+- Fix a regression in curl 8.17.0: [bsc#1253116]
+  * Builds with no CURL_CA_PATH ignore CURLOPT_CAPATH
+  * vtls: fix CURLOPT_CAPATH use [gh#curl/curl#19401]
+  * Add upstream curl-vtls-fix-CURLOPT_CAPATH-use.patch
 
 -------------------------------------------------------------------
-Wed Nov 19 14:19:19 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+Wed Nov  5 08:45:52 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 
-- Security fix: [bsc#1253757, CVE-2025-11563]
-  * curl: wcurl path traversal with percent-encoded slashes
-  * Add curl-CVE-2025-11563.patch
+- Update to 8.17.0:
+  * Security fixes:
+    - [bsc#1252859, CVE-2025-10966] curl: missing SFTP host
+      verification with wolfSSH
+    - [bsc#1253757, CVE-2025-11563] curl: wcurl path traversal with
+      percent-encoded slashes
+  * Changes:
+    - krb5: drop support for Kerberos FTP
+    - multi: add notifications API
+    - ssl: support Apple SecTrust configurations
+    - tool_getparam: add --knownhosts
+    - vssh: drop support for wolfSSH
+    - wcurl: import v2025.11.04
+  * Bugfixes:
+    - ares: fix leak in tracing
+    - base64: accept zero length argument to base64_encode
+    - c-ares: when resolving failed, persist error
+    - cf-socket: set FD_CLOEXEC on all sockets opened
+    - cf-socket: use the right byte order for ports in bindlocal
+    - conn: fix hostname move on connection reuse
+    - conncache: prevent integer overflow in maxconnects calculation
+    - cookie: avoid saving a cookie file if no transfer was done
+    - curl_easy_getinfo: error code on NULL arg
+    - curl_path: make sure just whitespace is illegal
+    - digest_sspi: fix two memory leaks in error branches
+    - ftp: add extra buffer length check
+    - ftp: check errors on remote ip for data connection
+    - gnutls: check conversion of peer cert chain
+    - gnutls: fix re-handshake comments
+    - gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
+    - gtls: check the return value of gnutls_pubkey_init()
+    - hmac: free memory properly on errors
+    - HTTP3: clarify the status for "old" OpenSSL, not current
+    - kerberos: bump minimum to 1.3 (2003-07-08), drop legacy logic
+    - krb5_gssapi: fix memory leak on error path
+    - krb5_sspi: the chlg argument is NOT optional
+    - ldap: avoid null ptr deref on failure
+    - ldap: do not base64 encode zero length string
+    - lib: SSL connection reuse
+    - libssh/libssh2: reject quote command lines with too much data
+    - libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume
+    - libssh: acknowledge SSH_AGAIN in the SFTP state machine
+    - nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
+    - ngtcp2: close just-opened QUIC stream when submit_request fails
+    - ngtcp2: compare idle timeout in ms to avoid overflow
+    - noproxy: fix the IPV6 network mask pattern match
+    - NTLM: disable if DES support missing from OpenSSL or mbedTLS
+    - openldap: limit max incoming size
+    - openssl: call SSL_get_error() with proper error
+    - openssl: check CURL_SSLVERSION_MAX_DEFAULT properly
+    - openssl: fail if more than MAX_ALLOWED_CERT_AMOUNT certs
+    - openssl: fail the transfer if ossl_certchain() fails
+    - openssl: fix peer certificate leak in channel binding
+    - openssl: fix resource leak in provider error path
+    - openssl: free UI_METHOD on exit path
+    - openssl: only try engine/provider if a cert file/name is provided
+    - openssl: set io_need always
+    - openssl: skip session resumption when verifystatus is set
+    - pop3: fix CAPA response termination detection
+    - quic: fix min TLS version handling
+    - quic: ignore EMSGSIZE on receive
+    - schannel: properly close the certfile on error
+    - schannel_verify: fix mem-leak in Curl_verify_host
+    - socks: avoid UAF risk in error path
+    - socks: deny server basic-auth if not configured
+    - socks_gssapi: reject too long tokens
+    - socks_gssapi: remove the forced "no protection"
+    - thread: errno on thread creation
+    - ws: reject curl_ws_recv called with NULL buffer with a buflen
+  * Rebase libcurl-ocloexec.patch
+  * Remove curl-handle_user-defined_connection_headers.patch upstream
 
 -------------------------------------------------------------------
-Wed Sep 10 11:09:50 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+Fri Sep 26 07:37:28 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 
-- tool_operate: fix return code when --retry is used but not
-  triggered [bsc#1249367]
-  * Add curl-tool_operate-fix-return-code-when-retry-is-used.patch
+- curl: http: handle user-defined connection headers [bsc#1249448]
+  * Add curl-handle_user-defined_connection_headers.patch
 
 -------------------------------------------------------------------
-Tue Sep  9 08:07:43 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+Wed Sep 10 08:43:19 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 
-- Security fixes:
-  * [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
-  * [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
-  * Add patches:
-    - curl-CVE-2025-9086.patch
-    - curl-CVE-2025-10148.patch
+- Update to 8.16.0:
+  * Security fixes:
+    - [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
+    - [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
+  * Changes:
+    - curl: add --follow and --out-null
+    - curl: add --parallel-max-host to limit concurrent connections per host
+    - curl: make --retry-delay and --retry-max-time accept decimal seconds
+    - hostip: cache negative name resolves
+    - ip happy eyeballing: keep attempts running
+    - multi: add curl_multi_get_offt
+    - multi: add CURLMOPT_NETWORK_CHANGED to signal network changed
+    - netrc: use the NETRC environment variable (first) if set
+    - smtp: allow suffix behind a mail address for RFC 3461
+    - tls: make default TLS version be minimum 1.2
+    - tool_getparam: add support for `--longopt=value`
+    - vquic: drop msh3
+    - websocket: support CURLOPT_READFUNCTION
+  * Bugfixes:
+    - _PROTOCOLS.md: mention file:// is only for absolute paths
+    - acinclude: --with-ca-fallback only works with OpenSSL
+    - bufq: add integer overflow checks before chunk allocations
+    - cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
+    - cmake: fix setting LTO properties on the wrong targets
+    - configure: tidy up internal names in ngtcp2 ossl detection logic
+    - connectdata: remove primary+secondary ip_quadruple
+    - connection: terminate after goaway
+    - cookie: don't treat the leading slash as trailing
+    - cookie: remove expired cookies before listing
+    - curl: tool_read_cb fix of segfault
+    - curl_ossl: extend callback table for nghttp3 1.11.0
+    - DEPRECATE.md: drop old OpenSSL versions
+    - idn: reject conversions that end up as a zero length hostname
+    - ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0
+    - ngtcp2: handshake timeout should be equal to --connect-timeout
+    - openssl: add and use `HAVE_OPENSSL3` internal macro
+    - openssl: check SSL_write() length on retries
+    - openssl: clear errors after a failed `d2i_X509()`
+    - openssl: drop redundant `HAVE_OPENSSL_VERSION` macro
+    - openssl: drop single-use interim macro `USE_OPENSSL_SRP`
+    - openssl: output unescaped utf8 x509 issuer/subject DNs
+    - parallel-max: bump the max value to 65535
+    - resolving: dns error tracing
+    - schannel: add an error message for client cert not found
+    - schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN`
+    - schannel: fix renegotiation
+    - schannel: improve handshake procedure
+    - socks: do_SOCKS5: Fix invalid buffer content on short send
+    - threaded-resolver: fix shutdown
+    - tool_getparam: warn on more unicode prefixes
+    - tool_urlglob: add integer overflow protection
+    - urlapi: allow more path characters "raw" when asked to URL encode
+    - urlglob: only accept 255 globs
+    - vtls: set seen http version on successful ALPN
+    - websocket: handling of PONG frames
+    - websocket: improve handling of 0-len frames
+    - websocket: reset upload_done when sending data
+    - ws: avoid NULL pointer deref in curl_ws_recv
+  * Rebase libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
+Mon Jul 21 08:16:16 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.15.0:
+  * Changes:
+    - TLS: remove support for Secure Transport and BearSSL
+  * Bugfixes:
+    - cf-socket: make socket data_pending a nop
+    - configure: order LDAP after the SSL libraries
+    - curl: improve non-blocking STDIN performance
+    - curl_get_line: make sure lines end with newline
+    - curl_path: make SFTP handle a path like /~ properly.
+    - curlinfo: provide the 'digest' feature
+    - digest: fix build with disabled digest auth
+    - docs: note SSLS-EXPORT feature in -ssl-sessions doc
+    - docs: reflect that delimiter-separated capath is only OpenSSL
+    - docs: sync -tls-earlydata support w/ CURLOPT_SSL_OPTIONS
+    - http/3: report handshake with version and cipher as for TCP connections
+    - http2: do not delay RST send on aborted transfer
+    - http_ntlm: protect against null deref
+    - ldap: initial support for --with-ldap option
+    - lib: address singleuse issues
+    - lib: avoid reusing unclean connection
+    - lib: drop two interim macros in favor of native libcurl API calls
+    - lib: stop 'time()' debug overrides at the end of source in altsvc, hsts
+    - lib: unify recv/send function signatures
+    - memdebug.h: #undef 'fclose' before defining it
+    - openssl: enable readahead
+    - openssl: error on SSL_ERROR_SYSCALL
+    - openssl: fix handling of buffered data
+    - openssl: fix openssl engine use
+    - openssl: fix pkcs11 provider available check
+    - quic: implement CURLINFO_TLS_SSL_PTR
+    - schannel: allow partial chains for manual peer verification
+    - SCP/SFTP: avoid busy loop after EAGAIN
+    - socks: fix query when filter context is null
+    - tls: remove Curl_ssl false_start
+    - tool_getparam: fix --ftp-pasv
+    - tool_operate: fix return code when --retry is used but not triggered
+    - top-complexity: lower max allowed complexity threshold to 90
+    - url: fix NULL deref with bad password when no user is provided
+    - urlapi: use uppercase hex encoding
+    - vtls: change send/recv signatures of tls backends
+    - vtls: prefer ciphersuite to cipher in msgs
+    - vtls: prefer rustls-ffi ciphersuite name API
+    - xfer: manage pause bits
+  * Remove patches upstream:
+    - curl-fix--ftp-pasv.patch
+    - fix-return-code-with-retry.patch
 
 -------------------------------------------------------------------
 Mon Jul 14 08:29:01 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
@@ -50,11 +518,28 @@ Mon Jul 14 08:29:01 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
   * tool_getparam: fix --ftp-pasv [5f805ee]
   * Add curl-fix--ftp-pasv.patch
 
+-------------------------------------------------------------------
+Wed Jul  2 20:12:07 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- add fix-return-code-with-retry.patch to fix return code
+  being successful even on failures when using -f --retry
+
 -------------------------------------------------------------------
 Mon Jun 30 09:38:09 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 
 - Disable insecure NTLM authentication support [bsc#1245491, jsc#PED-12960]
 
+-------------------------------------------------------------------
+Mon Jun 23 09:12:46 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- split wcurl into a subpackage so that upgrade works (wcurl
+  used to be a separate package)
+
+-------------------------------------------------------------------
+Fri Jun 20 18:54:44 UTC 2025 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
+
+- Build with experimental OpenSSL based QUIC support to enable --http3
+
 -------------------------------------------------------------------
 Fri Jun  6 08:26:03 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package curl
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 # Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
@@ -29,8 +29,14 @@
 %global psuffix %{nil}
 %endif
 
+%if 0%{?suse_version} > 1600
+%bcond_without quic
+%else
+%bcond_with quic
+%endif
+
 Name:           curl%{?psuffix}
-Version:        8.14.1
+Version:        8.18.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -45,26 +51,6 @@ Patch1:         dont-mess-with-rpmoptflags.patch
 Patch2:         curl-secure-getenv.patch
 # PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3:         curl-disabled-redirect-protocol-message.patch
-# PATCH-FIX-UPSTREAM bsc#1246197 Fix the --ftp-pasv option in curl v8.14.1
-Patch4:         curl-fix--ftp-pasv.patch
-# PATCH-FIX-UPSTREAM bsc#1249191 CVE-2025-9086: Out of bounds read for cookie path
-Patch5:         curl-CVE-2025-9086.patch
-# PATCH-FIX-UPSTREAM bsc#1249348 CVE-2025-10148: Predictable WebSocket mask
-Patch6:         curl-CVE-2025-10148.patch
-# PATCH-FIX-UPSTREAM bsc#1249367 tool_operate: fix return code when --retry is used but not triggered
-Patch7:         curl-tool_operate-fix-return-code-when-retry-is-used.patch
-# PATCH-FIX-UPSTREAM bsc#1253757 CVE-2025-11563: wcurl path traversal with percent-encoded slashes
-Patch8:         curl-CVE-2025-11563.patch
-# PATCH-FIX-UPSTREAM bsc#1255731 CVE-2025-14524: bearer token leak on cross-protocol redirect
-Patch10:        curl-CVE-2025-14524.patch
-# PATCH-FIX-UPSTREAM bsc#1255734 CVE-2025-15224: libssh key passphrase bypass without agent set
-Patch11:        curl-CVE-2025-15224.patch
-# PATCH-FIX-UPSTREAM bsc#1255732 CVE-2025-14819: openSSL partial chain store policy bypass
-Patch12:        curl-CVE-2025-14819.patch
-# PATCH-FIX-UPSTREAM bsc#1255733 CVE-2025-15079: libssh global knownhost override
-Patch13:        curl-CVE-2025-15079.patch
-# PATCH-FIX-UPSTREAM bsc#1256105 CVE-2025-14017: broken TLS options for threaded LDAPS
-Patch14:        curl-CVE-2025-14017.patch
 BuildRequires:  groff
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@@ -72,6 +58,9 @@ BuildRequires:  pkgconfig(libidn2)
 # Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922]
 # BuildRequires:  pkgconfig(libmetalink)
 BuildRequires:  pkgconfig(libnghttp2)
+%if %{with quic}
+BuildRequires:  pkgconfig(libnghttp3)
+%endif
 BuildRequires:  pkgconfig(libpsl)
 BuildRequires:  pkgconfig(libzstd)
 BuildRequires:  pkgconfig(zlib)
@@ -149,6 +138,17 @@ BuildArch:      noarch
 
 %description zsh-completion
 ZSH command line completion support for %name.
+
+%package -n     wcurl
+Summary:        simple wrapper around curl to easily download files
+Requires:       curl >= %{version}
+Obsoletes:      wcurl >= 2025
+
+%description -n wcurl
+A simple curl wrapper which lets you use curl to download files
+without having to remember any parameters.
+Simply call wcurl with a list of URLs you want to download and
+wcurl will pick sane defaults.
 %endif
 
 %prep
@@ -181,6 +181,10 @@ sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure
 %endif
     --with-libidn2 \
     --with-nghttp2 \
+%if %{with quic}
+    --with-nghttp3 \
+    --with-openssl-quic \
+%endif
     --enable-docs \
 %if %{with mini}
     --disable-dict \
@@ -260,6 +264,9 @@ popd
 %doc docs/{BUGS.md,FAQ,FEATURES.md,TODO,TheArtOfHttpScripting.md}
 %{_bindir}/curl
 %{_mandir}/man1/curl.1%{?ext_man}
+
+%files -n wcurl
+%license COPYING
 %{_bindir}/wcurl
 %{_mandir}/man1/wcurl.1%{?ext_man}
 

libcurl-ocloexec.patch

@@ -7,49 +7,49 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.
 
 
-Index: curl-8.14.0/lib/file.c
+Index: curl-8.18.0/lib/file.c
 ===================================================================
---- curl-8.14.0.orig/lib/file.c
-+++ curl-8.14.0/lib/file.c
-@@ -270,7 +270,7 @@ static CURLcode file_connect(struct Curl
+--- curl-8.18.0.orig/lib/file.c
++++ curl-8.18.0/lib/file.c
+@@ -258,7 +258,7 @@ static CURLcode file_connect(struct Curl
      }
    }
    #else
--  fd = open(real_path, O_RDONLY);
-+  fd = open(real_path, O_RDONLY|O_CLOEXEC);
+-  fd = curlx_open(real_path, O_RDONLY);
++  fd = curlx_open(real_path, O_RDONLY|O_CLOEXEC);
    file->path = real_path;
    #endif
  #endif
-@@ -349,9 +349,9 @@ static CURLcode file_upload(struct Curl_
- 
- #if (defined(ANDROID) || defined(__ANDROID__)) && \
-     (defined(__i386__) || defined(__arm__))
--  fd = open(file->path, mode, (mode_t)data->set.new_file_perms);
-+  fd = open(file->path, mode|O_CLOEXEC, (mode_t)data->set.new_file_perms);
+@@ -339,9 +339,9 @@ static CURLcode file_upload(struct Curl_
+                   data->set.new_file_perms & (_S_IREAD | _S_IWRITE));
+ #elif (defined(ANDROID) || defined(__ANDROID__)) && \
+   (defined(__i386__) || defined(__arm__))
+-  fd = curlx_open(file->path, mode, (mode_t)data->set.new_file_perms);
++  fd = curlx_open(file->path, mode|O_CLOEXEC, (mode_t)data->set.new_file_perms);
  #else
--  fd = open(file->path, mode, data->set.new_file_perms);
-+  fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
+-  fd = curlx_open(file->path, mode, data->set.new_file_perms);
++  fd = curlx_open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
  #endif
    if(fd < 0) {
      failf(data, "cannot open %s for writing", file->path);
-Index: curl-8.14.0/lib/if2ip.c
+Index: curl-8.18.0/lib/if2ip.c
 ===================================================================
---- curl-8.14.0.orig/lib/if2ip.c
-+++ curl-8.14.0/lib/if2ip.c
-@@ -209,7 +209,7 @@ if2ip_result_t Curl_if2ip(int af,
+--- curl-8.18.0.orig/lib/if2ip.c
++++ curl-8.18.0/lib/if2ip.c
+@@ -202,7 +202,7 @@ if2ip_result_t Curl_if2ip(int af,
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
  
--  dummy = socket(AF_INET, SOCK_STREAM, 0);
-+  dummy = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
+-  dummy = CURL_SOCKET(AF_INET, SOCK_STREAM, 0);
++  dummy = CURL_SOCKET(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
    if(CURL_SOCKET_BAD == dummy)
      return IF2IP_NOT_FOUND;
  
-Index: curl-8.14.0/configure.ac
+Index: curl-8.18.0/configure.ac
 ===================================================================
---- curl-8.14.0.orig/configure.ac
-+++ curl-8.14.0/configure.ac
-@@ -440,6 +440,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
+--- curl-8.18.0.orig/configure.ac
++++ curl-8.18.0/configure.ac
+@@ -504,6 +504,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
  # Silence warning: ar: 'u' modifier ignored since 'D' is the default
  AC_SUBST(AR_FLAGS, [cr])
  
@@ -58,39 +58,38 @@ Index: curl-8.14.0/configure.ac
  dnl This defines _ALL_SOURCE for AIX
  CURL_CHECK_AIX_ALL_SOURCE
  
-Index: curl-8.14.0/lib/hostip.c
+Index: curl-8.18.0/lib/hostip.c
 ===================================================================
---- curl-8.14.0.orig/lib/hostip.c
-+++ curl-8.14.0/lib/hostip.c
-@@ -46,6 +46,7 @@
+--- curl-8.18.0.orig/lib/hostip.c
++++ curl-8.18.0/lib/hostip.c
+@@ -43,6 +43,7 @@
+ #include <setjmp.h>  /* for sigjmp_buf, sigsetjmp() */
  #include <signal.h>
- #endif
  
 +#include <fcntl.h>
  #include "urldata.h"
- #include "sendf.h"
+ #include "curl_trc.h"
  #include "connect.h"
-@@ -691,7 +692,7 @@ bool Curl_ipv6works(struct Curl_easy *da
+@@ -689,7 +690,7 @@ bool Curl_ipv6works(struct Curl_easy *da
    else {
      int ipv6_works = -1;
      /* probe to see if we have a working IPv6 stack */
--    curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0);
-+    curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
+-    curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM, 0);
++    curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
      if(s == CURL_SOCKET_BAD)
        /* an IPv6 address was requested but we cannot get/use one */
        ipv6_works = 0;
-Index: curl-8.14.0/lib/cf-socket.c
+Index: curl-8.18.0/lib/cf-socket.c
 ===================================================================
---- curl-8.14.0.orig/lib/cf-socket.c
-+++ curl-8.14.0/lib/cf-socket.c
-@@ -369,7 +369,9 @@ static CURLcode socket_open(struct Curl_
+--- curl-8.18.0.orig/lib/cf-socket.c
++++ curl-8.18.0/lib/cf-socket.c
+@@ -345,7 +345,8 @@ static CURLcode socket_open(struct Curl_
    }
    else {
      /* opensocket callback not set, so simply create the socket now */
--    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
-+    *sockfd = socket(addr->family,
-+		     addr->socktype|SOCK_CLOEXEC,
-+		     addr->protocol);
+-    *sockfd = CURL_SOCKET(addr->family, addr->socktype, addr->protocol);
++    *sockfd = CURL_SOCKET(addr->family, addr->socktype|SOCK_CLOEXEC,
++                          addr->protocol);
+     if((*sockfd == CURL_SOCKET_BAD) && (SOCKERRNO == SOCKENOMEM))
+       return CURLE_OUT_OF_MEMORY;
    }
- 
-   if(*sockfd == CURL_SOCKET_BAD)