Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package curl for openSUSE:Factory checked in at 2026-03-14 22:20:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/curl (Old)
 and      /work/SRC/openSUSE:Factory/.curl.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Sat Mar 14 22:20:14 2026 rev:222 rq:1338280 version:8.19.0 Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl.changes 2026-01-08 15:26:17.082206370 +0100 +++ /work/SRC/openSUSE:Factory/.curl.new.8177/curl.changes 2026-03-14 22:20:16.499863949 +0100 
@@ -1,0 +2,112 @@ +Wed Mar 11 08:52:27 UTC 2026 - Pedro Monreal <[email protected]> + +- Update to 8.19.0: + * Security fixes: + - CVE-2026-1965: Bad reuse of HTTP Negotiate connection (bsc#1259362) + - CVE-2026-3783: Token leak with redirect and netrc (bsc#1259363) + - CVE-2026-3784: Wrong proxy connection reuse with credentials (bsc#1259364) + - CVE-2026-3805: Use after free in SMB connection reuse (bsc#1259365) + * Changes: + - BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026 + - cmake: add 'CURL_BUILD_EVERYTHING' option + - mqtt: initial support for MQTTS + - tool: support fractions for --limit-rate and --max-filesize + - tool_cb_hdr: with -J, use the redirect name as a backup + - vquic: drop support for OpenSSL-QUIC + * Bugfixes: + - altsvc: only accept 17 byte dates from files + - asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails + - build: move curl stat struct type to the curlx namespace + - build: require POSIX 'strdup()' + - build: tidy up and dedupe 'strdup' functions + - cf-socket: ignore SOCK_CLOEXEC etc for socktype equality checks + - cf-socket: use SOCK_CLOEXEC in socket_open when available + - cmake: reference OpenSSL and ZLIB imported targets only when enabled + - cmake: skip binutils ld hack if zlib/openssl target is not 'IMPORTED' + - config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST + - curl: add -I and -i to -h important + - curl_setup.h: simplify curl memory macro mappings + - curlx: drop unused 'curlx_saferealloc()' + - digest: escape double quotes and backslashes in realm and nonce + - digest: fix memory leak in auth_create_digest_http_message() + - digest: handle quotes in the path + - easy: reset errorbuf on eyeballing success + - easy: reset pausing when resetting request + - ftp: replace a 'curlx_free()' with 'curlx_dyn_free()' + - ftp: split ftp_state_use_port into sub functions + - GOVERNANCE.md: Post-Daniel BDFL + - gss: exclude verbose error logic from non-verbose builds + - h2+h3: align stream close 
handling + - hostip.c: fix leak of addrinfo + - hostip6: remove debug-only code + - hostip: fix unreachable code in rare build configuration + - http/3: add description for known server error codes + - http1: fix potential NULL dereference in 'Curl_h1_req_parse_read()' + - http: only send bearer if auth is allowed + - imap: add a check for Curl_meta_get() + - imap: check 'imap_sendf()' printf masks at compile-time + - imap: skip literals inside quoted strings + - include: mask computed auth/proto bitmasks to 32 bits + - lib: disable websockets early if no http + - lib: make sigpipe handling more lazy + - lib: reorder protocol functions to avoid forward declarations (email,ftp, misc, ssh) + - lib: separate scheme info from protocol implementation + - lib: use (u)int64_t instead of long long + - mbedtls: guard TLS 1.3 + session tickets usage inside ifdef + - mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + - md4, md5: drop redundant forward declarations + - md4, md5: replace custom types with 'uint32_t' + - mimepost: allocate main struct on-demand + - mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos + - mqtt: better too-big-message-check + - mqtt: fix EOF handling + - mqtt: verify Remaining Length for CONNACK and PUBACK + - multi: avoid a theoretical 32-bit wrap + - multi: probe for IPv6 functionality in multi_init() + - noproxy: simplify, don't mix const non-const in strchr() + - openldap: avoid forward declarations in ldaps code + - openssl+ech: workaround for insecure handshakes + - openssl: adapt to OpenSSL master adding const to more APIs + - OpenSSL: check reuse of sessions for verify status + - openssl: disable local keylog feature if built-in upstream + - openssl: fix compiler warning with OpenSSL master + - openssl: fix potential OOB read in debug/verbose logging + - quiche: use PRIu64 for outputting the stream id + - request.h: rename parameter 'buf' to 'req' in Curl_req_send + - rtsp: fix assertion failure on zero-length 
RTP payload + - rtspd: fix to check 'realloc()' result + - setopt: refuse blobs with zero length + - ssh: dedupe state change function + - tftp: correct the filename length check + - timeout handling: auto-detect effective timeout + - tls: add new SSLSUPP flags for several options + - tls: remove checks for DEFAULT + - tool: enable header separation for HTTPS proxies + - tool_cb_hdr: suppress header output when --out-null + - tool_operate: reset the URL --url-query between --next + - url: fix reuse of connections using HTTP Negotiate + - urlapi: use U_CURLU_URLDECODE when toggling it off unsigned + - urldata: byebye 'conn->hostname_resolve' + - urldata: change 'keep_post' into three distinct bitfields + - urldata: convert 'long' fields to fixed variable types + - urldata: switch to uint* types + - usercertinmem: use the correct cert BIO + - vquic: handle SOCKEMSGSIZE correctly + - vtls: dedupe common on-session-reuse logic + - vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests + - VULN-DISCLOSURE-POLICY.md: push reports to the web form + - VULN-DISCLOSURE-POLICY.md: use hackerone + - x509asn1: make encodeOID stop on too long input + * Remove now unrecognized option --with-openssl-quic + * Rebase patches: + - curl-disabled-redirect-protocol-message.patch + - dont-mess-with-rpmoptflags.patch + - libcurl-ocloexec.patch + +------------------------------------------------------------------- +Tue Mar 10 10:25:25 UTC 2026 - Jan Engelhardt <[email protected]> + +- Build with --enable-ntlm. Certain Exchange Server endpoints + oddly permit NTLM but not Basic-type authentication. 
+ +------------------------------------------------------------------- Old: ---- curl-8.18.0.tar.xz curl-8.18.0.tar.xz.asc New: ---- curl-8.19.0.tar.xz curl-8.19.0.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.prq2To/_old 2026-03-14 22:20:17.475904353 +0100 +++ /var/tmp/diff_new_pack.prq2To/_new 2026-03-14 22:20:17.479904519 +0100 @@ -36,7 +36,7 @@ %endif Name: curl%{?psuffix} -Version: 8.18.0 +Version: 8.19.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -60,6 +60,7 @@ BuildRequires: pkgconfig(libnghttp2) %if %{with quic} BuildRequires: pkgconfig(libnghttp3) +BuildRequires: pkgconfig(libngtcp2_crypto_ossl) %endif BuildRequires: pkgconfig(libpsl) BuildRequires: pkgconfig(libzstd) @@ -183,7 +184,7 @@ --with-nghttp2 \ %if %{with quic} --with-nghttp3 \ - --with-openssl-quic \ + --with-ngtcp2 \ %endif --enable-docs \ %if %{with mini} @@ -207,7 +208,7 @@ --with-libssh \ %endif --enable-symbol-hiding \ - --disable-ntlm \ + --enable-ntlm \ --disable-static \ --enable-threaded-resolver \ --with-zsh-functions-dir=%{_datadir}/zsh/site-functions/ \ ++++++ curl-8.18.0.tar.xz -> curl-8.19.0.tar.xz ++++++ ++++ 155624 lines of diff (skipped) ++++++ curl-disabled-redirect-protocol-message.patch ++++++ --- /var/tmp/diff_new_pack.prq2To/_old 2026-03-14 22:20:20.004009008 +0100 +++ /var/tmp/diff_new_pack.prq2To/_new 2026-03-14 22:20:20.008009173 +0100 
@@ -1,8 +1,8 @@ -Index: curl-7.82.0/lib/url.c +Index: curl-8.19.0-rc2/lib/url.c =================================================================== ---- curl-7.82.0.orig/lib/url.c -+++ curl-7.82.0/lib/url.c -@@ -1832,9 +1832,13 @@ static CURLcode findprotocol(struct Curl +--- curl-8.19.0-rc2.orig/lib/url.c ++++ curl-8.19.0-rc2/lib/url.c +@@ -1552,9 +1552,13 @@ static CURLcode findprotocol(struct Curl /* it is allowed for "normal" request, now do an extra check if this is the result of a redirect */ if(data->state.this_is_a_follow && @@ -17,5 +17,5 @@ + } else { /* Perform setup complement if some. */ - conn->handler = conn->given = p; + conn->scheme = conn->given = p; ++++++ dont-mess-with-rpmoptflags.patch ++++++ --- /var/tmp/diff_new_pack.prq2To/_old 2026-03-14 22:20:20.080012154 +0100 +++ /var/tmp/diff_new_pack.prq2To/_new 2026-03-14 22:20:20.088012484 +0100 @@ -1,9 +1,9 @@ -Index: curl-8.12.0/configure.ac +Index: curl-8.19.0-rc2/configure.ac =================================================================== ---- curl-8.12.0.orig/configure.ac -+++ curl-8.12.0/configure.ac -@@ -502,11 +502,6 @@ if test "$curl_cv_native_windows" = "yes - esac +--- curl-8.19.0-rc2.orig/configure.ac ++++ curl-8.19.0-rc2/configure.ac +@@ -602,11 +602,6 @@ if test "$curl_cv_native_windows" = "yes + ]) fi -CURL_SET_COMPILER_BASIC_OPTS ++++++ libcurl-ocloexec.patch ++++++ --- /var/tmp/diff_new_pack.prq2To/_old 2026-03-14 22:20:20.116013644 +0100 +++ /var/tmp/diff_new_pack.prq2To/_new 2026-03-14 22:20:20.120013810 +0100 
@@ -7,20 +7,20 @@ compile time is not enough. -Index: curl-8.18.0/lib/file.c +Index: curl-8.19.0-rc2/lib/file.c =================================================================== ---- curl-8.18.0.orig/lib/file.c -+++ curl-8.18.0/lib/file.c -@@ -258,7 +258,7 @@ static CURLcode file_connect(struct Curl +--- curl-8.19.0-rc2.orig/lib/file.c ++++ curl-8.19.0-rc2/lib/file.c +@@ -228,7 +228,7 @@ static CURLcode file_connect(struct Curl } } - #else + #else - fd = curlx_open(real_path, O_RDONLY); + fd = curlx_open(real_path, O_RDONLY|O_CLOEXEC); file->path = real_path; - #endif #endif -@@ -339,9 +339,9 @@ static CURLcode file_upload(struct Curl_ + #endif +@@ -296,9 +296,9 @@ static CURLcode file_upload(struct Curl_ data->set.new_file_perms & (_S_IREAD | _S_IWRITE)); #elif (defined(ANDROID) || defined(__ANDROID__)) && \ (defined(__i386__) || defined(__arm__)) @@ -32,24 +32,24 @@ #endif if(fd < 0) { failf(data, "cannot open %s for writing", file->path); -Index: curl-8.18.0/lib/if2ip.c +Index: curl-8.19.0-rc2/lib/if2ip.c =================================================================== ---- curl-8.18.0.orig/lib/if2ip.c -+++ curl-8.18.0/lib/if2ip.c +--- curl-8.19.0-rc2.orig/lib/if2ip.c ++++ curl-8.19.0-rc2/lib/if2ip.c 
@@ -202,7 +202,7 @@ if2ip_result_t Curl_if2ip(int af, if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; - dummy = CURL_SOCKET(AF_INET, SOCK_STREAM, 0); + dummy = CURL_SOCKET(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0); - if(CURL_SOCKET_BAD == dummy) + if(dummy == CURL_SOCKET_BAD) return IF2IP_NOT_FOUND; -Index: curl-8.18.0/configure.ac +Index: curl-8.19.0-rc2/configure.ac =================================================================== ---- curl-8.18.0.orig/configure.ac -+++ curl-8.18.0/configure.ac -@@ -504,6 +504,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [ +--- curl-8.19.0-rc2.orig/configure.ac ++++ curl-8.19.0-rc2/configure.ac +@@ -507,6 +507,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [ # Silence warning: ar: 'u' modifier ignored since 'D' is the default AC_SUBST(AR_FLAGS, [cr]) @@ -58,35 +58,35 @@ dnl This defines _ALL_SOURCE for AIX CURL_CHECK_AIX_ALL_SOURCE -Index: curl-8.18.0/lib/hostip.c +Index: curl-8.19.0-rc2/lib/hostip.c =================================================================== ---- curl-8.18.0.orig/lib/hostip.c -+++ curl-8.18.0/lib/hostip.c +--- curl-8.19.0-rc2.orig/lib/hostip.c ++++ curl-8.19.0-rc2/lib/hostip.c 
@@ -43,6 +43,7 @@ #include <setjmp.h> /* for sigjmp_buf, sigsetjmp() */ #include <signal.h> +#include <fcntl.h> #include "urldata.h" + #include "curl_addrinfo.h" #include "curl_trc.h" - #include "connect.h" -@@ -689,7 +690,7 @@ bool Curl_ipv6works(struct Curl_easy *da - else { - int ipv6_works = -1; - /* probe to see if we have a working IPv6 stack */ -- curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM, 0); -+ curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0); - if(s == CURL_SOCKET_BAD) - /* an IPv6 address was requested but we cannot get/use one */ - ipv6_works = 0; -Index: curl-8.18.0/lib/cf-socket.c +@@ -752,7 +753,7 @@ static struct Curl_addrinfo *get_localho + CURLcode Curl_probeipv6(struct Curl_multi *multi) + { + /* probe to see if we have a working IPv6 stack */ +- curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM, 0); ++ curl_socket_t s = CURL_SOCKET(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0); + multi->ipv6_works = FALSE; + if(s == CURL_SOCKET_BAD) { + if(SOCKERRNO == SOCKENOMEM) +Index: curl-8.19.0-rc2/lib/cf-socket.c =================================================================== ---- curl-8.18.0.orig/lib/cf-socket.c -+++ curl-8.18.0/lib/cf-socket.c -@@ -345,7 +345,8 @@ static CURLcode socket_open(struct Curl_ - } - else { - /* opensocket callback not set, so simply create the socket now */ +--- curl-8.19.0-rc2.orig/lib/cf-socket.c ++++ curl-8.19.0-rc2/lib/cf-socket.c +@@ -342,7 +342,8 @@ static CURLcode socket_open(struct Curl_ + return CURLE_COULDNT_CONNECT; + } + #endif - *sockfd = CURL_SOCKET(addr->family, addr->socktype, addr->protocol); + *sockfd = CURL_SOCKET(addr->family, addr->socktype|SOCK_CLOEXEC, + addr->protocol);
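
Review bot: In the curl.spec hunk at `@@ -60,6 +60,7 @@`, the quic block gains only `BuildRequires: pkgconfig(libngtcp2_crypto_ossl)`, while the configure hunk at `@@ -183,7 +184,7 @@` switches the build to `--with-ngtcp2`. As far as these lines show, the core ngtcp2 library is not listed in the `%if %{with quic}` block, so the build relies on the crypto helper's devel package pulling it in. Suggest adding an explicit `BuildRequires: pkgconfig(libngtcp2)` next to it so the dependency is stated where the configure option is used.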
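
Review bot: In the curl.spec hunk at `@@ -207,7 +208,7 @@`, the switch from `--disable-ntlm` to `--enable-ntlm` carries no comment in the spec, and it sits after the `%endif` shown in the hunk, so it applies outside that conditional rather than only where Exchange access is needed. The reason is recorded only in the curl.changes entry (Exchange Server endpoints that permit NTLM but not Basic-type authentication). NTLM is a legacy scheme built on MD4 password hashes, so turning it back on widens the set of auth methods libcurl can negotiate. Suggest a short spec comment above the flag that states the reason, so a later cleanup does not have to recover it from the changelog.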
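
Review bot: The refreshed `Index:` and `---`/`+++` headers in curl-disabled-redirect-protocol-message.patch name `curl-8.19.0-rc2`, while the source listed under "New:" is `curl-8.19.0.tar.xz`. The same holds for dont-mess-with-rpmoptflags.patch and libcurl-ocloexec.patch. Suggest refreshing the three patches against the unpacked final tarball, so the headers match the shipped version and any line drift between rc2 and the release shows up at refresh time instead of as fuzz during the build.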
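
Review bot: In the lib/cf-socket.c hunk of libcurl-ocloexec.patch (`@@ -342,7 +342,8 @@`), `addr->socktype|SOCK_CLOEXEC` is still ORed in by the downstream patch, although the 8.19.0 changelog above lists "cf-socket: use SOCK_CLOEXEC in socket_open when available" and "cf-socket: ignore SOCK_CLOEXEC etc for socktype equality checks". Please check whether upstream now sets the flag on this path itself; if so, this hunk is redundant and can be dropped from the patch, which leaves less to rebase on the next update.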
