diff --git a/.gitignore b/.gitignore index cd6f067..9bb4285 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,5 @@ /curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc -/curl-[0-9].[0-9].[0-9]/ +/curl-[0-9]*.[0-9]*.[0-9]*/ /*.src.rpm diff --git a/0001-curl-8.9.1-sigpipe.patch b/0001-curl-8.9.1-sigpipe.patch deleted file mode 100644 index f4f0346..0000000 --- a/0001-curl-8.9.1-sigpipe.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 5 Aug 2024 00:17:17 +0200 -Subject: [PATCH] sigpipe: init the struct so that first apply ignores - -Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after -init ignores the signal (unless CURLOPT_NOSIGNAL) is set. - -I have read the existing code multiple times now and I think it gets the -initial state reversed this missing to ignore. - -Regression from 17e6f06ea37136c36d27 - -Reported-by: Rasmus Thomsen -Fixes #14344 -Closes #14390 ---- - lib/sigpipe.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/sigpipe.h b/lib/sigpipe.h -index b91a2f51333956..d78afd905d3414 100644 ---- a/lib/sigpipe.h -+++ b/lib/sigpipe.h -@@ -39,6 +39,7 @@ struct sigpipe_ignore { - static void sigpipe_init(struct sigpipe_ignore *ig) - { - memset(ig, 0, sizeof(*ig)); -+ ig->no_signal = TRUE; - } - - /* diff --git a/0002-curl-8.10.1-CVE-2024-9681.patch b/0002-curl-8.10.1-CVE-2024-9681.patch deleted file mode 100644 index 9dff16d..0000000 --- a/0002-curl-8.10.1-CVE-2024-9681.patch +++ /dev/null @@ -1,115 +0,0 @@ -From dd2859d77ddaf29516b8dce300b0b1fd4839d3f5 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 8 Oct 2024 11:20:40 +0200 -Subject: [PATCH] hsts: avoid the local buffer and memcpy on lookup - -Closes #15190 - -(cherry picked from commit 60d8663afb0fb7f113604404c50840dfe9320039) - -hsts: improve subdomain handling - -- on load, only replace existing HSTS entries if there is a full host - match - -- on matching, prefer a full host match and secondary the longest tail - subdomain match - -Closes #15210 - -(cherry picked from commit a94973805df96269bf3f3bf0a20ccb9887313316) ---- - lib/hsts.c | 30 ++++++++++++++++-------------- - tests/data/test1660 | 2 +- - 2 files changed, 17 insertions(+), 15 deletions(-) - -diff --git a/lib/hsts.c b/lib/hsts.c -index 8cd77ae3c..b4cced857 100644 ---- a/lib/hsts.c -+++ b/lib/hsts.c -@@ -249,24 +249,23 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname, - struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, - bool subdomain) - { -+ struct stsentry *bestsub = NULL; - if(h) { -- char buffer[MAX_HSTS_HOSTLEN + 1]; - time_t now = time(NULL); - size_t hlen = strlen(hostname); - struct Curl_llist_element *e; - struct Curl_llist_element *n; -+ size_t blen = 0; - - if((hlen > MAX_HSTS_HOSTLEN) || !hlen) - return NULL; -- memcpy(buffer, hostname, hlen); - if(hostname[hlen-1] == '.') - /* remove the trailing dot */ - --hlen; -- buffer[hlen] = 0; -- hostname = buffer; - - for(e = h->list.head; e; e = n) { - struct stsentry *sts = e->ptr; -+ size_t ntail; - n = e->next; - if(sts->expires <= now) { - /* remove expired entries */ -@@ -274,20 +273,23 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, - hsts_free(sts); - continue; - } -- if(subdomain && sts->includeSubDomains) { -- size_t ntail = strlen(sts->host); -- if(ntail < hlen) { -- size_t offs = hlen - ntail; -- if((hostname[offs-1] == '.') && -- strncasecompare(&hostname[offs], sts->host, ntail)) -- return sts; -+ ntail = strlen(sts->host); -+ if((subdomain && sts->includeSubDomains) && (ntail < hlen)) { -+ size_t offs = hlen - ntail; -+ if((hostname[offs-1] == '.') && -+ strncasecompare(&hostname[offs], sts->host, ntail) && -+ (ntail > blen)) { -+ /* save the tail match with the longest tail */ -+ bestsub = sts; -+ blen = ntail; - } - } -- if(strcasecompare(hostname, sts->host)) -+ /* avoid strcasecompare because the host name is not null terminated */ -+ if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen)) - return sts; - } - } -- return NULL; /* no match */ -+ return bestsub; - } - - /* -@@ -439,7 +441,7 @@ static CURLcode hsts_add(struct hsts *h, char *line) - e = Curl_hsts(h, p, subdomain); - if(!e) - result = hsts_create(h, p, subdomain, expires); -- else { -+ else if(strcasecompare(p, e->host)) { - /* the same hostname, use the largest expire time */ - if(expires > e->expires) - e->expires = expires; -diff --git a/tests/data/test1660 b/tests/data/test1660 -index f86126d19..4b6f9615c 100644 ---- a/tests/data/test1660 -+++ b/tests/data/test1660 -@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797 - Input 12: error 43 - Input 13: error 43 - Input 14: error 43 --3.example.com [example.com]: 1569905261 includeSubDomains -+3.example.com [3.example.com]: 1569905261 includeSubDomains - 3.example.com [example.com]: 1569905261 includeSubDomains - foo.example.com [example.com]: 1569905261 includeSubDomains - 'foo.xample.com' is not HSTS --- -2.47.1 - diff --git a/0003-curl-8.9.1-CVE-2025-9086.patch b/0003-curl-8.9.1-CVE-2025-9086.patch deleted file mode 100644 index a5e486b..0000000 --- a/0003-curl-8.9.1-CVE-2025-9086.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 5dd433a190c1003bd78cc5a3e9f8a5827cd97516 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 11 Aug 2025 20:23:05 +0200 -Subject: [PATCH] cookie: don't treat the leading slash as trailing - -If there is only a leading slash in the path, keep that. Also add an -assert to make sure the path is never blank. - -Reported-by: Google Big Sleep -Closes #18266 - -(cherry picked from commit c6ae07c6a541e0e96d0040afb62b45dd37711300) ---- - lib/cookie.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/lib/cookie.c b/lib/cookie.c -index b0d8d84be..1db308372 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -317,7 +317,7 @@ static char *sanitize_cookie_path(const char *cookie_path) - } - - /* convert /hoge/ to /hoge */ -- if(len && new_path[len - 1] == '/') { -+ if(len > 1 && new_path[len - 1] == '/') { - new_path[len - 1] = 0x0; - } - -@@ -1076,7 +1076,7 @@ Curl_cookie_add(struct Curl_easy *data, - clist->spath && co->spath && /* both have paths */ - clist->secure && !co->secure && !secure) { - size_t cllen; -- const char *sep; -+ const char *sep = NULL; - - /* - * A non-secure cookie may not overlay an existing secure cookie. -@@ -1085,8 +1085,9 @@ Curl_cookie_add(struct Curl_easy *data, - * "/loginhelper" is ok. - */ - -- sep = strchr(clist->spath + 1, '/'); -- -+ DEBUGASSERT(clist->spath[0]); -+ if(clist->spath[0]) -+ sep = strchr(clist->spath + 1, '/'); - if(sep) - cllen = sep - clist->spath; - else --- -2.51.0 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index f3636dc..f7f66e6 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001 +From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 22 May 2024 13:00:08 +0200 -Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script +Date: Tue, 16 Dec 2025 10:04:40 +0100 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,47 +10,47 @@ Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 085bb1ef5..e4700260e 100644 +index a1c8185875..bb43ca8335 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -73,7 +73,7 @@ while test "$#" -gt 0; do +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do ;; --cc) - echo '@CC@' -+ echo "gcc" ++ echo 'gcc' ;; --prefix) -@@ -153,16 +153,7 @@ while test "$#" -gt 0; do +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do ;; --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " +- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then +- curllibdir="-L@libdir@ " - else -- CURLLIBDIR="" +- curllibdir='' - fi -- if test "X@ENABLE_SHARED@" = "Xno"; then -- echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@" +- if test '@ENABLE_SHARED@' = 'no'; then +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else -- echo "${CURLLIBDIR}-lcurl" +- echo "${curllibdir}-lcurl" - fi -+ echo -lcurl ++ echo '-lcurl' ;; --ssl-backends) -@@ -170,16 +161,12 @@ while test "$#" -gt 0; do +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do ;; --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- if test '@ENABLE_STATIC@' != 'no'; then +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 - fi -+ echo "curl was built with static libraries disabled" >&2 ++ echo 'curl was built with static libraries disabled' >&2 + exit 1 ;; @@ -61,11 +61,11 @@ index 085bb1ef5..e4700260e 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index d82725082..a79f816e2 100644 +index 12ad245b79..fa0e03d273 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md -@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated. - ## --static-libs +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## `--static-libs` Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) @@ -73,13 +73,13 @@ index d82725082..a79f816e2 100644 +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - ## --version + ## `--version` diff --git a/libcurl.pc.in b/libcurl.pc.in -index 9db6b0f89..dcac6925a 100644 +index c0ba5244a8..f3645e1748 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -31,6 +31,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" @@ -88,5 +88,5 @@ index 9db6b0f89..dcac6925a 100644 Name: libcurl URL: https://curl.se/ -- -2.45.1 +2.52.0 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch deleted file mode 100644 index 82f4642..0000000 --- a/0102-curl-7.84.0-test3026.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 22 May 2024 13:03:43 +0200 -Subject: [PATCH 2/2] test3026: disable valgrind - -It fails on x86_64 with: -``` - Use --max-threads=INT to specify a larger number of threads - and rerun valgrind - valgrind: the 'impossible' happened: - Max number of threads is too low - host stacktrace: - ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - sched status: - running_tid=1 - Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) - ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) - ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) - ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) - ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) - ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) - ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) - client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 - valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 -[...] -``` ---- - tests/data/test3026 | 3 +++ - tests/libtest/lib3026.c | 4 ++-- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tests/data/test3026 b/tests/data/test3026 -index ee9b30678..dd582c3e5 100644 ---- a/tests/data/test3026 -+++ b/tests/data/test3026 -@@ -41,5 +41,8 @@ none - - 0 - -+ -+disable -+ - - -diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 7e914010e..39374f5bc 100644 ---- a/tests/libtest/lib3026.c -+++ b/tests/libtest/lib3026.c -@@ -145,8 +145,8 @@ CURLcode test(char *URL) - results[i] = CURL_LAST; /* initialize with invalid value */ - res = pthread_create(&tids[i], NULL, run_thread, &results[i]); - if(res) { -- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", -- __FILE__, __LINE__, res); -+ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", -+ __FILE__, __LINE__, i, res); - tid_count = i; - test_failure = (CURLcode)-1; - goto cleanup; --- -2.45.1 - diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch deleted file mode 100644 index 0977dee..0000000 --- a/0104-curl-7.88.0-tests-warnings.patch +++ /dev/null @@ -1,30 +0,0 @@ -From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 24 Jul 2024 15:15:11 +0200 -Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" - -While it might be useful for upstream developers, it is not so useful -for downstream consumers. - -This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. ---- - tests/runtests.pl | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 9cc9ef1..c9a1c5d 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -57,8 +57,7 @@ - # given, this won't be a problem. - - use strict; --# Promote all warnings to fatal --use warnings FATAL => 'all'; -+use warnings; - use 5.006; - use POSIX qw(strftime); - --- -2.45.2 - diff --git a/curl.rpmlintrc b/curl.rpmlintrc new file mode 100644 index 0000000..022a98e --- /dev/null +++ b/curl.rpmlintrc @@ -0,0 +1,15 @@ +# Intentional stuff we're not concerned about +addFilter("unversioned-explicit-provides webclient") +addFilter("package-with-huge-docs") +addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4") + +# This is just plain wrong (%_configure redefinition) +addFilter("configure-without-libdir-spec") + +# Technical term +addFilter("E: spelling-error \('kerberos',") + +# Artefacts of RemovePathPostfixes: .minimal +addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal") +#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal") +#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal") diff --git a/curl.spec b/curl.spec index 157a3e9..c0ad4db 100644 --- a/curl.spec +++ b/curl.spec @@ -2,45 +2,39 @@ # This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 # https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine # Change the bcond to 0 to turn off ENGINE support by default -%bcond openssl_engine_support 1 +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] + +# HTTP/3 support +# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's +# experimental native OpenSSL 3.5 support. +%bcond http3 %[0%{?fedora} >= 43] Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.9.1 -Release: 4%{?dist} +Version: 8.18.0 +Release: 1%{?dist} License: curl -Source0: https://curl.se/download/%{name}-%{version}.tar.xz -Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc +Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz +Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix crashes with transmission due to SIGPIPE -# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970 -Patch001: 0001-curl-8.9.1-sigpipe.patch - -# fix HSTS subdomain overwrites parent cache entry (CVE-2024-9681) -Patch002: 0002-curl-8.10.1-CVE-2024-9681.patch - -# fix Out of bounds read for cookie path (CVE-2025-9086) -Patch003: 0003-curl-8.9.1-CVE-2025-9086.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# test3026: disable valgrind -Patch102: 0102-curl-7.84.0-test3026.patch - -# do not fail on warnings in the upstream test driver -Patch104: 0104-curl-7.88.0-tests-warnings.patch - Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ +%if 0%{?fedora} +# instead of bundled wcurl utility, recommend wcurl package +Recommends: wcurl +%endif + # The reason for maintaining two separate packages for curl is no longer valid. # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 @@ -54,15 +48,22 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel +%if %{with http3} +BuildRequires: libnghttp3-devel +%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make +%if %{with http3} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server +BuildRequires: openssl BuildRequires: openssl-devel -%if %{with openssl_engine_support} +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine %endif BuildRequires: perl-interpreter @@ -107,6 +108,7 @@ BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) @@ -150,6 +152,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) +# require at least the version of libnghttp3 that we were built against, +# to ensure that we have the necessary symbols available +%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) @@ -158,6 +164,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) +# require at least the version of ngtcp2 that we were built against, +# to ensure that we have the necessary symbols available +%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) + # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) @@ -174,8 +184,14 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} +%if %{with http3} +Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} +%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} +%if %{with http3} +Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} +%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} @@ -220,7 +236,7 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -p1 +%autosetup -n %{name}-%{version_no_tilde} -p1 # disable test 1801 # @@ -265,7 +281,7 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ --with-zsh-functions-dir" %global _configure ../configure @@ -281,7 +297,6 @@ export common_configure_opts=" \ --disable-ldaps \ --disable-mqtt \ --disable-ntlm \ - --disable-ntlm-wb \ --disable-pop3 \ --disable-rtsp \ --disable-smb \ @@ -306,7 +321,6 @@ export common_configure_opts=" \ --enable-ldaps \ --enable-mqtt \ --enable-ntlm \ - --enable-ntlm-wb \ --enable-pop3 \ --enable-rtsp \ --enable-smb \ @@ -317,7 +331,11 @@ export common_configure_opts=" \ --enable-websockets \ --with-brotli \ --with-libpsl \ - --with-libssh + --with-libssh \ +%if %{with http3} + --with-nghttp3 \ + --with-ngtcp2 \ +%endif ) # avoid using rpath @@ -379,18 +397,24 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES +%doc CHANGES.md %doc README %doc docs/BUGS.md %doc docs/DISTROS.md -%doc docs/FAQ +%doc docs/FAQ.md %doc docs/FEATURES.md -%doc docs/TODO +%doc docs/KNOWN_BUGS.md +%doc docs/TODO.md %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* @@ -418,11 +442,139 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Wed Sep 17 2025 Jan Macku - 8.9.1-4 -- fix Out of bounds read for cookie path (CVE-2025-9086) +* Wed Jan 07 2026 Jan Macku - 8.18.0-1 +- new upstream release -* Thu Dec 12 2024 Jan Macku - 8.9.1-3 -- fix HSTS subdomain overwrites parent cache entry (CVE-2024-9681) +* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 +- new upstream release candidate + +* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 +- new upstream release candidate +- reenable valgrind on test 616 + +* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 +- new upstream release candidate +- drop upstreamed patches + +* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 +- Enable HTTP/3 support with ngtcp2 + +* Thu Dec 04 2025 Jan Macku - 8.17.0-4 +- apply upstream patches for valgrind issues in HTTP/3 (#2408809) + +* Thu Nov 13 2025 Jan Macku - 8.17.0-3 +- recommend wcurl package instead of bundled wcurl utility + +* Thu Nov 13 2025 Jan Macku - 8.17.0-2 +- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead + +* Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream release candidate + +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + +* Wed Sep 10 2025 Jan Macku - 8.16.0-1 +- new upstream release + +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Wed Jul 16 2025 Jan Macku - 8.15.0-1 +- new upstream release + +* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 +- new upstream release candidate + +* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 +- new upstream release candidate + +* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 +- new upstream release candidate + +* Wed Jun 04 2025 Jan Macku - 8.14.1-1 +- new upstream release +- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) + +* Wed May 28 2025 Jan Macku - 8.14.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-5025 - No QUIC certificate pinning with wolfSSL + CVE-2025-4947 - QUIC certificate check skip with wolfSSL +- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles + +* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 +- new upstream release candidate +- new utility: wcurl which lets you download URLs without having to remember any parameters + +* Wed Apr 02 2025 Jan Macku - 8.13.0-1 +- new upstream release +- add build time dependency on openssl (required by tests) + +* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 +- new upstream release candidate +- drop: 0102-curl-7.84.0-test3026.patch (no longer needed) + +* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 +- new upstream release candidate + +* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 +- fix --cert parameter (#2351531) + +* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 +- new upstream release candidate + +* Wed Feb 05 2025 Jan Macku - 8.12.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-0725 - gzip integer overflow + CVE-2025-0665 - eventfd double close + CVE-2025-0167 - netrc and default credential leak +- drop upstreamed patches + +* Fri Jan 31 2025 Jan Macku - 8.11.1-4 +- TLS: check connection for SSL use, not handler (#2324130#c7) + +* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 +- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) + - https://github.com/curl/curl/issues/15725 + - https://github.com/curl/curl/pull/15727 + +* Wed Dec 11 2024 Jan Macku - 8.11.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-11053 - netrc and redirect credential leak + +* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 +- Disable engine support on RHEL 10+ + +* Wed Nov 06 2024 Jan Macku - 8.11.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-9681 - HSTS subdomain overwrites parent cache entry + +* Tue Sep 24 2024 Jan Macku - 8.10.1-2 +- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) + +* Wed Sep 18 2024 Jan Macku - 8.10.1-1 +- new upstream release + +* Wed Sep 11 2024 Jan Macku - 8.10.0-1 +- new upstream release + +* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 +- Retire deprecated ntlm-wb configure option * Mon Aug 5 2024 voidanix - 8.9.1-2 - Apply SIGPIPE-related patch due to upstream regression diff --git a/sources b/sources index e35c435..002e494 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7 -SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b +SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c +SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152 diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 4d51e62..0d72276 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure"