* Security fixes:
- [bsc#1256105, CVE-2025-14017] ldap: call ldap_init() before setting the options
- [bsc#1255731, CVE-2025-14524] curl_sasl: if redirected, require permission to use bearer
- [bsc#1255734, CVE-2025-15224] libssh: require private key or user-agent for public key auth
- [bsc#1255732, CVE-2025-14819] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
- [bsc#1255733, CVE-2025-15079] libssh: set both knownhosts options to the same file
* Changes:
- openssl: bump minimum OpenSSL version to 3.0.0
* Bugfixes:
- alt-svc: more flexibility on same destination
- altsvc: accept ma/persist per alternative entry
- altsvc: make it one malloc instead of three per entry
- asyn-ares: handle Curl_dnscache_mk_entry() OOM error
- asyn-ares: remove hostname free on OOM
- asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo
- asyn-thrdd: release rrname if ares_init_options fails
- auth: always treat Curl_auth_ntlm_get() returning NULL as OOM
- autotools: add nettle library detection via pkg-config (for GnuTLS)
- autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr)
- autotools: fix LargeFile feature display on Windows (after prev patch)
- autotools: tidy-up 'if' expressions
- build: add build-level 'CURL_DISABLE_TYPECHECK' options
- build: exclude clang prereleases from compiler warning options
- build: replace '-pedantic' with '-Wpedantic' when supported
- build: set '-Wno-format-signedness'
- build: tidy-up MSVC CRT warning suppression macros
- ccsidcurl: make curl_mime_data_ccsid() use the converted size
- cf-h1-proxy: support folded headers in CONNECT responses
- cf-https-connect: allocate ctx at first in cf_hc_create()
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=420
* Security fixes: [bsc#1252859, CVE-2025-10966]
- curl: missing SFTP host verification with wolfSSH
* Changes:
- krb5: drop support for Kerberos FTP
- multi: add notifications API
- ssl: support Apple SecTrust configurations
- tool_getparam: add --knownhosts
- vssh: drop support for wolfSSH
- wcurl: import v2025.11.04
* Bugfixes:
- ares: fix leak in tracing
- base64: accept zero length argument to base64_encode
- c-ares: when resolving failed, persist error
- cf-socket: set FD_CLOEXEC on all sockets opened
- cf-socket: use the right byte order for ports in bindlocal
- conn: fix hostname move on connection reuse
- conncache: prevent integer overflow in maxconnects calculation
- cookie: avoid saving a cookie file if no transfer was done
- curl_easy_getinfo: error code on NULL arg
- curl_path: make sure just whitespace is illegal
- digest_sspi: fix two memory leaks in error branches
- ftp: add extra buffer length check
- ftp: check errors on remote ip for data connection
- gnutls: check conversion of peer cert chain
- gnutls: fix re-handshake comments
- gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
- gtls: check the return value of gnutls_pubkey_init()
- hmac: free memory properly on errors
- HTTP3: clarify the status for "old" OpenSSL, not current
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=417
- curl: http: handle user-defined connection headers [bsc#1249448]
* Add curl-handle_user-defined_connection_headers.patch
- Update to 8.16.0:
* Security fixes:
- [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
- [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
* Changes:
- curl: add --follow and --out-null
- curl: add --parallel-max-host to limit concurrent connections per host
- curl: make --retry-delay and --retry-max-time accept decimal seconds
- hostip: cache negative name resolves
- ip happy eyeballing: keep attempts running
- multi: add curl_multi_get_offt
- multi: add CURLMOPT_NETWORK_CHANGED to signal network changed
- netrc: use the NETRC environment variable (first) if set
- smtp: allow suffix behind a mail address for RFC 3461
- tls: make default TLS version be minimum 1.2
- tool_getparam: add support for `--longopt=value`
- vquic: drop msh3
- websocket: support CURLOPT_READFUNCTION
* Bugfixes:
- _PROTOCOLS.md: mention file:// is only for absolute paths
- acinclude: --with-ca-fallback only works with OpenSSL
- bufq: add integer overflow checks before chunk allocations
- cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
- cmake: fix setting LTO properties on the wrong targets
- configure: tidy up internal names in ngtcp2 ossl detection logic
- connectdata: remove primary+secondary ip_quadruple
OBS-URL: https://build.opensuse.org/request/show/1307305
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=219
- Update to 8.16.0:
* Security fixes:
- [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
- [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
* Changes:
- curl: add --follow and --out-null
- curl: add --parallel-max-host to limit concurrent connections per host
- curl: make --retry-delay and --retry-max-time accept decimal seconds
- hostip: cache negative name resolves
- ip happy eyeballing: keep attempts running
- multi: add curl_multi_get_offt
- multi: add CURLMOPT_NETWORK_CHANGED to signal network changed
- netrc: use the NETRC environment variable (first) if set
- smtp: allow suffix behind a mail address for RFC 3461
- tls: make default TLS version be minimum 1.2
- tool_getparam: add support for `--longopt=value`
- vquic: drop msh3
- websocket: support CURLOPT_READFUNCTION
* Bugfixes:
- _PROTOCOLS.md: mention file:// is only for absolute paths
- acinclude: --with-ca-fallback only works with OpenSSL
- bufq: add integer overflow checks before chunk allocations
- cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
- cmake: fix setting LTO properties on the wrong targets
- configure: tidy up internal names in ngtcp2 ossl detection logic
- connectdata: remove primary+secondary ip_quadruple
- connection: terminate after goaway
- cookie: don't treat the leading slash as trailing
- cookie: remove expired cookies before listing
- curl: tool_read_cb fix of segfault
OBS-URL: https://build.opensuse.org/request/show/1303556
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=414
