Resolves: CVE-2024-2398 - HTTP/2 push headers memory-leak

... because F36 URLs are no longer available.

.gitignore

@@ -2,5 +2,3 @@
 /curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
 /curl-[0-9.]*.tar.xz.asc
-/curl-[0-9]*.[0-9]*.[0-9]*/
-/*.src.rpm

0001-curl-8.2.1-CVE-2023-38039.patch

@@ -0,0 +1,217 @@
+From 831c077c6d3a9466417f8a7b310177fca946a4cc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Aug 2023 23:34:48 +0200
+Subject: [PATCH] http: return error when receiving too large header set
+
+To avoid abuse. The limit is set to 300 KB for the accumulated size of
+all received HTTP headers for a single response. Incomplete research
+suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
+1MB.
+
+Closes #11582
+
+(cherry picked from commit 3ee79c1674fd6f99e8efca52cd7510e08b766770)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/c-hyper.c     | 12 +++++++-----
+ lib/cf-h1-proxy.c |  4 +++-
+ lib/http.c        | 34 ++++++++++++++++++++++++++++++----
+ lib/http.h        |  9 +++++++++
+ lib/pingpong.c    |  4 +++-
+ lib/urldata.h     | 17 ++++++++---------
+ 6 files changed, 60 insertions(+), 20 deletions(-)
+
+diff --git a/lib/c-hyper.c b/lib/c-hyper.c
+index c29983c0b..0b9d9ab47 100644
+--- a/lib/c-hyper.c
++++ b/lib/c-hyper.c
+@@ -182,8 +182,11 @@ static int hyper_each_header(void *userdata,
+     }
+   }
+ 
+-  data->info.header_size += (curl_off_t)len;
+-  data->req.headerbytecount += (curl_off_t)len;
++  result = Curl_bump_headersize(data, len, FALSE);
++  if(result) {
++    data->state.hresult = result;
++    return HYPER_ITER_BREAK;
++  }
+   return HYPER_ITER_CONTINUE;
+ }
+ 
+@@ -313,9 +316,8 @@ static CURLcode status_line(struct Curl_easy *data,
+     if(result)
+       return result;
+   }
+-  data->info.header_size += (curl_off_t)len;
+-  data->req.headerbytecount += (curl_off_t)len;
+-  return CURLE_OK;
++  result = Curl_bump_headersize(data, len, FALSE);
++  return result;
+ }
+ 
+ /*
+diff --git a/lib/cf-h1-proxy.c b/lib/cf-h1-proxy.c
+index c9b157c9b..b1d8cb618 100644
+--- a/lib/cf-h1-proxy.c
++++ b/lib/cf-h1-proxy.c
+@@ -587,7 +587,9 @@ static CURLcode recv_CONNECT_resp(struct Curl_cfilter *cf,
+         return result;
+     }
+ 
+-    data->info.header_size += (long)perline;
++    result = Curl_bump_headersize(data, perline, TRUE);
++    if(result)
++      return result;
+ 
+     /* Newlines are CRLF, so the CR is ignored as the line isn't
+        really terminated until the LF comes. Treat a following CR
+diff --git a/lib/http.c b/lib/http.c
+index e611d2789..ebf48660d 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3918,6 +3918,29 @@ static CURLcode verify_header(struct Curl_easy *data)
+   return CURLE_OK;
+ }
+ 
++CURLcode Curl_bump_headersize(struct Curl_easy *data,
++                              size_t delta,
++                              bool connect_only)
++{
++  size_t bad = 0;
++  if(delta < MAX_HTTP_RESP_HEADER_SIZE) {
++    if(!connect_only)
++      data->req.headerbytecount += (unsigned int)delta;
++    data->info.header_size += (unsigned int)delta;
++    if(data->info.header_size > MAX_HTTP_RESP_HEADER_SIZE)
++      bad = data->info.header_size;
++  }
++  else
++    bad = data->info.header_size + delta;
++  if(bad) {
++    failf(data, "Too large response headers: %zu > %zu",
++          bad, MAX_HTTP_RESP_HEADER_SIZE);
++    return CURLE_RECV_ERROR;
++  }
++  return CURLE_OK;
++}
++
++
+ /*
+  * Read any HTTP header lines from the server and pass them to the client app.
+  */
+@@ -4165,8 +4188,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+       if(result)
+         return result;
+ 
+-      data->info.header_size += (long)headerlen;
+-      data->req.headerbytecount += (long)headerlen;
++      result = Curl_bump_headersize(data, headerlen, FALSE);
++      if(result)
++        return result;
+ 
+       /*
+        * When all the headers have been parsed, see if we should give
+@@ -4488,8 +4512,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+     if(result)
+       return result;
+ 
+-    data->info.header_size += Curl_dyn_len(&data->state.headerb);
+-    data->req.headerbytecount += Curl_dyn_len(&data->state.headerb);
++    result = Curl_bump_headersize(data, Curl_dyn_len(&data->state.headerb),
++                                  FALSE);
++    if(result)
++      return result;
+ 
+     Curl_dyn_reset(&data->state.headerb);
+   }
+diff --git a/lib/http.h b/lib/http.h
+index df3b4e38b..4aeabc345 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -64,6 +64,10 @@ extern const struct Curl_handler Curl_handler_wss;
+ 
+ struct dynhds;
+ 
++CURLcode Curl_bump_headersize(struct Curl_easy *data,
++                              size_t delta,
++                              bool connect_only);
++
+ /* Header specific functions */
+ bool Curl_compareheader(const char *headerline,  /* line to check */
+                         const char *header,   /* header keyword _with_ colon */
+@@ -183,6 +187,11 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data);
+ #define EXPECT_100_THRESHOLD (1024*1024)
+ #endif
+ 
++/* MAX_HTTP_RESP_HEADER_SIZE is the maximum size of all response headers
++   combined that libcurl allows for a single HTTP response, any HTTP
++   version. This count includes CONNECT response headers. */
++#define MAX_HTTP_RESP_HEADER_SIZE (300*1024)
++
+ #endif /* CURL_DISABLE_HTTP */
+ 
+ /****************************************************************************
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index f3f7cb93c..523bbec18 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -341,7 +341,9 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data,
+       ssize_t clipamount = 0;
+       bool restart = FALSE;
+ 
+-      data->req.headerbytecount += (long)gotbytes;
++      result = Curl_bump_headersize(data, gotbytes, FALSE);
++      if(result)
++        return result;
+ 
+       pp->nread_resp += gotbytes;
+       for(i = 0; i < gotbytes; ptr++, i++) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index c45913b31..ddb2938d7 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -629,17 +629,16 @@ struct SingleRequest {
+   curl_off_t bytecount;         /* total number of bytes read */
+   curl_off_t writebytecount;    /* number of bytes written */
+ 
+-  curl_off_t headerbytecount;   /* only count received headers */
+-  curl_off_t deductheadercount; /* this amount of bytes doesn't count when we
+-                                   check if anything has been transferred at
+-                                   the end of a connection. We use this
+-                                   counter to make only a 100 reply (without a
+-                                   following second response code) result in a
+-                                   CURLE_GOT_NOTHING error code */
+-
+   curl_off_t pendingheader;      /* this many bytes left to send is actually
+                                     header and not body */
+   struct curltime start;         /* transfer started at this time */
++  unsigned int headerbytecount;  /* only count received headers */
++  unsigned int deductheadercount; /* this amount of bytes doesn't count when
++                                     we check if anything has been transferred
++                                     at the end of a connection. We use this
++                                     counter to make only a 100 reply (without
++                                     a following second response code) result
++                                     in a CURLE_GOT_NOTHING error code */
+   enum {
+     HEADER_NORMAL,              /* no bad header at all */
+     HEADER_PARTHEADER,          /* part of the chunk is a bad header, the rest
+@@ -1089,7 +1088,6 @@ struct PureInfo {
+   int httpversion; /* the http version number X.Y = X*10+Y */
+   time_t filetime; /* If requested, this is might get set. Set to -1 if the
+                       time was unretrievable. */
+-  curl_off_t header_size;  /* size of read header(s) in bytes */
+   curl_off_t request_size; /* the amount of bytes sent in the request(s) */
+   unsigned long proxyauthavail; /* what proxy auth types were announced */
+   unsigned long httpauthavail;  /* what host auth types were announced */
+@@ -1097,6 +1095,7 @@ struct PureInfo {
+   char *contenttype; /* the content type of the object */
+   char *wouldredirect; /* URL this would've been redirected to if asked to */
+   curl_off_t retry_after; /* info from Retry-After: header */
++  unsigned int header_size;  /* size of read header(s) in bytes */
+ 
+   /* PureInfo members 'conn_primary_ip', 'conn_primary_port', 'conn_local_ip'
+      and, 'conn_local_port' are copied over from the connectdata struct in
+-- 
+2.41.0
+

0002-curl-8.2.1-CVE-2023-38545.patch

@@ -0,0 +1,135 @@
+From 6b313d6d3520eb4c7429723babd59dbb63681bcd Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 11 Oct 2023 07:34:19 +0200
+Subject: [PATCH 1/2] socks: return error if hostname too long for remote
+ resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+
+(cherry picked from commit fb4415d8aee6c1045be932a34fe6107c2f5ed147)
+
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/socks.c             |  8 +++---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test728      | 64 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index c492d663c..a7b5ab07e 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+ 
+     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+     if(!socks5_resolve_local && hostname_len > 255) {
+-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-            "length > 255 [actual len=%zu]", hostname_len);
+-      socks5_resolve_local = TRUE;
++      failf(data, "SOCKS5: the destination hostname is too long to be "
++            "resolved remotely by the proxy.");
++      return CURLPX_LONG_HOSTNAME;
+     }
+ 
+     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -903,7 +903,7 @@ CONNECT_RESOLVE_REMOTE:
+       }
+       else {
+         socksreq[len++] = 3;
+-        socksreq[len++] = (char) hostname_len; /* one byte address length */
++        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+         memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
+         len += hostname_len;
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index a253b5c6e..cd22f937f 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 test686 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
++test718 test719 test720 test721 test728 \
+ \
+ test799 test800 test801 test802 test803 test804 test805 test806 test807 \
+ test808 test809 test810 test811 test812 test813 test814 test815 test816 \
+diff --git a/tests/data/test728 b/tests/data/test728
+new file mode 100644
+index 000000000..05bcf2883
+--- /dev/null
++++ b/tests/data/test728
+@@ -0,0 +1,64 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++<data>
++HTTP/1.1 301 Moved Permanently
++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
++Content-Length: 0
++Connection: close
++
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++socks5
++</server>
++ <name>
++SOCKS5h with HTTP redirect to hostname too long
++ </name>
++ <command>
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++<errorcode>
++97
++</errorcode>
++# the error message is verified because error code CURLE_PROXY (97) may be
++# returned for any number of reasons and we need to make sure it is
++# specifically for the reason below so that we know the check is working.
++<stderr mode="text">
++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
++</stderr>
++</verify>
++</testcase>
+-- 
+2.41.0
+

0003-curl-8.2.1-CVE-2023-38546.patch

@@ -0,0 +1,134 @@
+From 9b837dd18c44bedf28054ba498e94740e1533d69 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH 2/2] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+
+(cherry picked from commit 61275672b46d9abb3285740467b882e22ed75da8)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 13 ++++---------
+ lib/easy.c   |  4 +---
+ 3 files changed, 6 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 4345a84c6..e39c89a94 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
+   free(co->name);
+   free(co->value);
+   free(co->maxage);
+-  free(co->version);
+   free(co);
+ }
+ 
+@@ -718,11 +717,7 @@ Curl_cookie_add(struct Curl_easy *data,
+           }
+         }
+         else if((nlen == 7) && strncasecompare("version", namep, 7)) {
+-          strstore(&co->version, valuep, vlen);
+-          if(!co->version) {
+-            badcookie = TRUE;
+-            break;
+-          }
++          /* just ignore */
+         }
+         else if((nlen == 7) && strncasecompare("max-age", namep, 7)) {
+           /*
+@@ -1160,7 +1155,6 @@ Curl_cookie_add(struct Curl_easy *data,
+     free(clist->path);
+     free(clist->spath);
+     free(clist->expirestr);
+-    free(clist->version);
+     free(clist->maxage);
+ 
+     *clist = *co;  /* then store all the new data */
+@@ -1224,9 +1218,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+     c = calloc(1, sizeof(struct CookieInfo));
+     if(!c)
+       return NULL; /* failed to get memory */
+-    c->filename = strdup(file?file:"none"); /* copy the name just in case */
+-    if(!c->filename)
+-      goto fail; /* failed to get memory */
+     /*
+      * Initialize the next_expiration time to signal that we don't have enough
+      * information yet.
+@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+     CLONE(name);
+     CLONE(value);
+     CLONE(maxage);
+-    CLONE(version);
+     d->expires = src->expires;
+     d->tailmatch = src->tailmatch;
+     d->secure = src->secure;
+@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+   if(c) {
+     unsigned int i;
+-    free(c->filename);
+     for(i = 0; i < COOKIE_HASH_SIZE; i++)
+       Curl_cookie_freelist(c->cookies[i]);
+     free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index b3c0063b2..41e9e7a69 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -36,11 +36,7 @@ struct Cookie {
+   char *domain;      /* domain = <this> */
+   curl_off_t expires;  /* expires = <this> */
+   char *expirestr;   /* the plain text version */
+-
+-  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+-  char *version;     /* Version = <value> */
+   char *maxage;      /* Max-Age = <value> */
+-
+   bool tailmatch;    /* whether we do tail-matching of the domain name */
+   bool secure;       /* whether the 'secure' keyword was used */
+   bool livecookie;   /* updated from a server, not a stored file */
+@@ -56,17 +52,16 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+ 
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+ 
+ struct CookieInfo {
+   /* linked list of cookies we know of */
+   struct Cookie *cookies[COOKIE_HASH_SIZE];
+-  char *filename;  /* file we read from/write to */
+-  long numcookies; /* number of cookies in the "jar" */
++  curl_off_t next_expiration; /* the next time at which expiration happens */
++  int numcookies;  /* number of cookies in the "jar" */
++  int lastct;      /* last creation-time used in the jar */
+   bool running;    /* state info, for cookie adding information */
+   bool newsession; /* new session, discard session cookies on load */
+-  int lastct;      /* last creation-time used in the jar */
+-  curl_off_t next_expiration; /* the next time at which expiration happens */
+ };
+ 
+ /* The maximum sizes we accept for cookies. RFC 6265 section 6.1 says
+diff --git a/lib/easy.c b/lib/easy.c
+index d034629b5..2c621963d 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -909,9 +909,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+   if(data->cookies) {
+     /* If cookies are enabled in the parent handle, we enable them
+        in the clone as well! */
+-    outcurl->cookies = Curl_cookie_init(data,
+-                                        data->cookies->filename,
+-                                        outcurl->cookies,
++    outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+                                         data->set.cookiesession);
+     if(!outcurl->cookies)
+       goto fail;
+-- 
+2.41.0
+

0004-curl-8.2.1-CVE-2023-46218.patch

@@ -0,0 +1,55 @@
+From 053b0d4eb6768563adc55fa936bbb32d19114d49 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Nov 2023 08:15:47 +0100
+Subject: [PATCH 1/2] cookie: lowercase the domain names before PSL checks
+
+Reported-by: Harry Sintonen
+
+Closes #12387
+
+(cherry picked from commit 2b0994c29a721c91c572cff7808c572a24d251eb)
+
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/cookie.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index e39c89a94..18ed4bb7e 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -1036,15 +1036,23 @@ Curl_cookie_add(struct Curl_easy *data,
+    * dereference it.
+    */
+   if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
+-    const psl_ctx_t *psl = Curl_psl_use(data);
+-    int acceptable;
+-
+-    if(psl) {
+-      acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
+-      Curl_psl_release(data);
++    bool acceptable = FALSE;
++    char lcase[256];
++    char lcookie[256];
++    size_t dlen = strlen(domain);
++    size_t clen = strlen(co->domain);
++    if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
++      const psl_ctx_t *psl = Curl_psl_use(data);
++      if(psl) {
++        /* the PSL check requires lowercase domain name and pattern */
++        Curl_strntolower(lcase, domain, dlen + 1);
++        Curl_strntolower(lcookie, co->domain, clen + 1);
++        acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
++        Curl_psl_release(data);
++      }
++      else
++        acceptable = !bad_domain(domain, strlen(domain));
+     }
+-    else
+-      acceptable = !bad_domain(domain, strlen(domain));
+ 
+     if(!acceptable) {
+       infof(data, "cookie '%s' dropped, domain '%s' must not "
+-- 
+2.43.0
+

0005-curl-8.2.1-CVE-2023-46219.patch

@@ -0,0 +1,134 @@
+From cca676ef222399591f5a116e1c13889014fad624 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Nov 2023 08:23:17 +0100
+Subject: [PATCH 2/2] fopen: create short(er) temporary file name
+
+Only using random letters in the name plus a ".tmp" extension. Not by
+appending characters to the final file name.
+
+Reported-by: Maksymilian Arciemowicz
+
+Closes #12388
+
+(cherry picked from commit 73b65e94f3531179de45c6f3c836a610e3d0a846)
+
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/fopen.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 60 insertions(+), 5 deletions(-)
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+index b6e3caddd..5cd4dde3e 100644
+--- a/lib/fopen.c
++++ b/lib/fopen.c
+@@ -39,6 +39,51 @@
+ #include "curl_memory.h"
+ #include "memdebug.h"
+ 
++/*
++  The dirslash() function breaks a null-terminated pathname string into
++  directory and filename components then returns the directory component up
++  to, *AND INCLUDING*, a final '/'.  If there is no directory in the path,
++  this instead returns a "" string.
++
++  This function returns a pointer to malloc'ed memory.
++
++  The input path to this function is expected to have a file name part.
++*/
++
++#ifdef _WIN32
++#define PATHSEP "\\"
++#define IS_SEP(x) (((x) == '/') || ((x) == '\\'))
++#elif defined(MSDOS) || defined(__EMX__) || defined(OS2)
++#define PATHSEP "\\"
++#define IS_SEP(x) ((x) == '\\')
++#else
++#define PATHSEP "/"
++#define IS_SEP(x) ((x) == '/')
++#endif
++
++static char *dirslash(const char *path)
++{
++  size_t n;
++  struct dynbuf out;
++  DEBUGASSERT(path);
++  Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH);
++  n = strlen(path);
++  if(n) {
++    /* find the rightmost path separator, if any */
++    while(n && !IS_SEP(path[n-1]))
++      --n;
++    /* skip over all the path separators, if any */
++    while(n && IS_SEP(path[n-1]))
++      --n;
++  }
++  if(Curl_dyn_addn(&out, path, n))
++    return NULL;
++  /* if there was a directory, append a single trailing slash */
++  if(n && Curl_dyn_addn(&out, PATHSEP, 1))
++    return NULL;
++  return Curl_dyn_ptr(&out);
++}
++
+ /*
+  * Curl_fopen() opens a file for writing with a temp name, to be renamed
+  * to the final name when completed. If there is an existing file using this
+@@ -50,25 +95,34 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+                     FILE **fh, char **tempname)
+ {
+   CURLcode result = CURLE_WRITE_ERROR;
+-  unsigned char randsuffix[9];
++  unsigned char randbuf[41];
+   char *tempstore = NULL;
+   struct_stat sb;
+   int fd = -1;
++  char *dir;
+   *tempname = NULL;
+ 
++  dir = dirslash(filename);
++  if(!dir)
++    goto fail;
++
+   *fh = fopen(filename, FOPEN_WRITETEXT);
+   if(!*fh)
+     goto fail;
+-  if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
++  if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) {
++    free(dir);
+     return CURLE_OK;
++  }
+   fclose(*fh);
+   *fh = NULL;
+ 
+-  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
++  result = Curl_rand_hex(data, randbuf, sizeof(randbuf));
+   if(result)
+     goto fail;
+ 
+-  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
++  /* The temp file name should not end up too long for the target file
++     system */
++  tempstore = aprintf("%s%s.tmp", dir, randbuf);
+   if(!tempstore) {
+     result = CURLE_OUT_OF_MEMORY;
+     goto fail;
+@@ -95,6 +149,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+   if(!*fh)
+     goto fail;
+ 
++  free(dir);
+   *tempname = tempstore;
+   return CURLE_OK;
+ 
+@@ -105,7 +160,7 @@ fail:
+   }
+ 
+   free(tempstore);
+-
++  free(dir);
+   return result;
+ }
+ 
+-- 
+2.43.0
+

0006-curl-8.2.1-CVE-2024-2004.patch

@@ -0,0 +1,138 @@
+From e614d4615943b9d43e4f6db8bc8223a20c66cd44 Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson <daniel@yesql.se>
+Date: Tue, 27 Feb 2024 15:43:56 +0100
+Subject: [PATCH 1/2] setopt: Fix disabling all protocols
+
+When disabling all protocols without enabling any, the resulting
+set of allowed protocols remained the default set.  Clearing the
+allowed set before inspecting the passed value from --proto make
+the set empty even in the errorpath of no protocols enabled.
+
+Co-authored-by: Dan Fandrich <dan@telarity.com>
+Reported-by: Dan Fandrich <dan@telarity.com>
+Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+Closes: #13004
+
+(cherry picked from commit 17d302e56221f5040092db77d4f85086e8a20e0e)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/setopt.c            | 16 ++++++++--------
+ tests/data/Makefile.inc |  1 +
+ tests/data/test1474     | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 51 insertions(+), 8 deletions(-)
+ create mode 100644 tests/data/test1474
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index b05162a55..fb71b7fd4 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -154,6 +154,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp)
+ 
+ static CURLcode protocol2num(const char *str, curl_prot_t *val)
+ {
++  /*
++   * We are asked to cherry-pick protocols, so play it safe and disallow all
++   * protocols to start with, and re-add the wanted ones back in.
++   */
++  *val = 0;
++
+   if(!str)
+     return CURLE_BAD_FUNCTION_ARGUMENT;
+ 
+@@ -162,8 +168,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val)
+     return CURLE_OK;
+   }
+ 
+-  *val = 0;
+-
+   do {
+     const char *token = str;
+     size_t tlen;
+@@ -2679,22 +2683,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     break;
+ 
+   case CURLOPT_PROTOCOLS_STR: {
+-    curl_prot_t prot;
+     argptr = va_arg(param, char *);
+-    result = protocol2num(argptr, &prot);
++    result = protocol2num(argptr, &data->set.allowed_protocols);
+     if(result)
+       return result;
+-    data->set.allowed_protocols = prot;
+     break;
+   }
+ 
+   case CURLOPT_REDIR_PROTOCOLS_STR: {
+-    curl_prot_t prot;
+     argptr = va_arg(param, char *);
+-    result = protocol2num(argptr, &prot);
++    result = protocol2num(argptr, &data->set.redir_protocols);
+     if(result)
+       return result;
+-    data->set.redir_protocols = prot;
+     break;
+   }
+ 
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index cd22f937f..da0e8bb0a 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -160,6 +160,7 @@ test1247 test1248 test1249 test1250 test1251 test1252 test1253 test1254 \
+ test1255 test1256 test1257 test1258 test1259 test1260 test1261 test1262 \
+ test1263 test1264 test1265 test1266 test1267 test1268 test1269 test1270 \
+ test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 \
++test1474 \
+ \
+ test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 \
+ test1288 test1289 test1290 test1291 test1292 test1293 test1294 test1295 \
+diff --git a/tests/data/test1474 b/tests/data/test1474
+new file mode 100644
+index 000000000..c66fa2810
+--- /dev/null
++++ b/tests/data/test1474
+@@ -0,0 +1,42 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++--proto
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<features>
++http
++</features>
++<name>
++--proto -all disables all protocols
++</name>
++<command>
++--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 1 - Protocol "http" disabled
++<errorcode>
++1
++</errorcode>
++</verify>
++</testcase>
+-- 
+2.44.0
+

0007-curl-8.2.1-CVE-2024-2398.patch

@@ -0,0 +1,95 @@
+From d8c8695a7d10c21c0fb5b871b032716ca9683903 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+(cherry picked from commit deca8039991886a559b67bcd6701db800a5cf764)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 6c09ec1..533237d 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -267,6 +267,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf,
+   return CURLE_OK;
+ }
+ 
++static void free_push_headers(struct stream_ctx *stream)
++{
++  size_t i;
++  for(i = 0; i<stream->push_headers_used; i++)
++    free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ static void http2_data_done(struct Curl_cfilter *cf,
+                             struct Curl_easy *data, bool premature)
+ {
+@@ -313,15 +322,7 @@ static void http2_data_done(struct Curl_cfilter *cf,
+   Curl_bufq_free(&stream->sendbuf);
+   Curl_bufq_free(&stream->recvbuf);
+   Curl_dynhds_free(&stream->resp_trailers);
+-  if(stream->push_headers) {
+-    /* if they weren't used and then freed before */
+-    for(; stream->push_headers_used > 0; --stream->push_headers_used) {
+-      free(stream->push_headers[stream->push_headers_used - 1]);
+-    }
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-  }
+-
++  free_push_headers(stream);
+   free(stream);
+   H2_STREAM_LCTX(data) = NULL;
+ }
+@@ -859,7 +860,6 @@ static int push_promise(struct Curl_cfilter *cf,
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     CURLcode result;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = h2_duphandle(cf, data);
+     if(!newhandle) {
+@@ -904,11 +904,7 @@ static int push_promise(struct Curl_cfilter *cf,
+     Curl_set_in_callback(data, false);
+ 
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+ 
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1357,14 +1353,14 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+       if(stream->push_headers_alloc > 1000) {
+         /* this is beyond crazy many headers, bail out */
+         failf(data_s, "Too many PUSH_PROMISE headers");
+-        Curl_safefree(stream->push_headers);
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;
+-- 
+2.44.0
+

0101-curl-7.32.0-multilib.patch

@@ -1,85 +1,84 @@
-From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001
-From: Jan Macku <jamacku@redhat.com>
-Date: Tue, 16 Dec 2025 10:04:40 +0100
+From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 12 Apr 2013 12:04:05 +0200
 Subject: [PATCH] prevent multilib conflicts on the curl-config script
 
 ---
- curl-config.in      | 23 +++++------------------
- docs/curl-config.md |  4 +++-
- libcurl.pc.in       |  1 +
+ curl-config.in     | 23 +++++------------------
+ docs/curl-config.1 |  4 +++-
+ libcurl.pc.in      |  1 +
  3 files changed, 9 insertions(+), 19 deletions(-)
 
 diff --git a/curl-config.in b/curl-config.in
-index a1c8185875..bb43ca8335 100644
+index 150004d..95d0759 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -74,7 +74,7 @@ while test "$#" -gt 0; do
-     ;;
+@@ -78,7 +78,7 @@ while test $# -gt 0; do
+         ;;
  
-   --cc)
--    echo '@CC@'
-+    echo 'gcc'
-     ;;
+     --cc)
+-        echo "@CC@"
++        echo "gcc"
+         ;;
  
-   --prefix)
-@@ -149,16 +149,7 @@ while test "$#" -gt 0; do
-     ;;
+     --prefix)
+@@ -157,32 +157,19 @@ while test $# -gt 0; do
+         ;;
  
-   --libs)
--    if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then
--      curllibdir="-L@libdir@ "
--    else
--      curllibdir=''
--    fi
--    if test '@ENABLE_SHARED@' = 'no'; then
--      echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@"
--    else
--      echo "${curllibdir}-lcurl"
--    fi
-+    echo '-lcurl'
-     ;;
+     --libs)
+-        if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
+-           CURLLIBDIR="-L@libdir@ "
+-        else
+-           CURLLIBDIR=""
+-        fi
+-        if test "X@ENABLE_SHARED@" = "Xno"; then
+-          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
+-        else
+-          echo ${CURLLIBDIR}-lcurl
+-        fi
++        echo -lcurl
+         ;;
+     --ssl-backends)
+         echo "@SSL_BACKENDS@"
+         ;;
  
-   --ssl-backends)
-@@ -166,16 +157,12 @@ while test "$#" -gt 0; do
-     ;;
+     --static-libs)
+-        if test "X@ENABLE_STATIC@" != "Xno" ; then
+-          echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@
+-        else
+-          echo "curl was built with static libraries disabled" >&2
+-          exit 1
+-        fi
++        echo "curl was built with static libraries disabled" >&2
++        exit 1
+         ;;
  
-   --static-libs)
--    if test '@ENABLE_STATIC@' != 'no'; then
--      echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@"
--    else
--      echo 'curl was built with static libraries disabled' >&2
--      exit 1
--    fi
-+    echo 'curl was built with static libraries disabled' >&2
-+    exit 1
-     ;;
+     --configure)
+-        echo @CONFIGURE_OPTIONS@
++        pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
+         ;;
  
-   --configure)
--    echo @CONFIGURE_OPTIONS@
-+    pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
-     ;;
- 
-   *)
-diff --git a/docs/curl-config.md b/docs/curl-config.md
-index 12ad245b79..fa0e03d273 100644
---- a/docs/curl-config.md
-+++ b/docs/curl-config.md
-@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated.
- ## `--static-libs`
- 
- Shows the complete set of libs and other linker options you need in order to
--link your application with libcurl statically. (Added in 7.17.1)
-+link your application with libcurl statically. Note that Fedora/RHEL libcurl
+     *)
+diff --git a/docs/curl-config.1 b/docs/curl-config.1
+index 14a9d2b..ffcc004 100644
+--- a/docs/curl-config.1
++++ b/docs/curl-config.1
+@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear
+ comma-separated. (Added in 7.58.0)
+ .IP "--static-libs"
+ Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl statically. (Added in 7.17.1)
++to link your application with libcurl statically. Note that Fedora/RHEL libcurl
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
- 
- ## `--version`
- 
+ .IP "--version"
+ Outputs version information about the installed libcurl.
+ .IP "--vernum"
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index c0ba5244a8..f3645e1748 100644
+index 2ba9c39..f8f8b00 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
-@@ -28,6 +28,7 @@ libdir=@libdir@
+@@ -31,6 +31,7 @@ libdir=@libdir@
  includedir=@includedir@
  supported_protocols="@SUPPORT_PROTOCOLS@"
  supported_features="@SUPPORT_FEATURES@"
@@ -88,5 +87,5 @@ index c0ba5244a8..f3645e1748 100644
  Name: libcurl
  URL: https://curl.se/
 -- 
-2.52.0
+2.26.2
 

0102-curl-7.84.0-test3026.patch

@@ -0,0 +1,71 @@
+From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 27 Jun 2022 16:50:57 +0200
+Subject: [PATCH] test3026: disable valgrind
+
+It fails on x86_64 with:
+```
+ Use --max-threads=INT to specify a larger number of threads
+ and rerun valgrind
+ valgrind: the 'impossible' happened:
+    Max number of threads is too low
+ host stacktrace:
+ ==174357==    at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ sched status:
+   running_tid=1
+ Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357)
+ ==174357==    at 0x4A07816: clone (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x1093B5: test.part.0 (lib3026.c:64)
+ ==174357==    by 0x492454F: (below main) (in /usr/lib64/libc.so.6)
+ client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998
+ valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576
+[...]
+```
+---
+ tests/data/test3026     | 3 +++
+ tests/libtest/lib3026.c | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tests/data/test3026 b/tests/data/test3026
+index fb80cc8..01f2ba5 100644
+--- a/tests/data/test3026
++++ b/tests/data/test3026
+@@ -41,5 +41,8 @@ none
+ <errorcode>
+ 0
+ </errorcode>
++<valgrind>
++disable
++</valgrind>
+ </verify>
+ </testcase>
+diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
+index 43fe335..70cd7a4 100644
+--- a/tests/libtest/lib3026.c
++++ b/tests/libtest/lib3026.c
+@@ -147,8 +147,8 @@ int test(char *URL)
+     results[i] = CURL_LAST; /* initialize with invalid value */
+     res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
+     if(res) {
+-      fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n",
+-              __FILE__, __LINE__, res);
++      fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n",
++              __FILE__, __LINE__, i, res);
+       tid_count = i;
+       test_failure = -1;
+       goto cleanup;
+-- 
+2.37.1
+

0104-curl-7.88.0-tests-warnings.patch

@@ -0,0 +1,30 @@
+From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 15 Feb 2023 10:42:38 +0100
+Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them"
+
+While it might be useful for upstream developers, it is not so useful
+for downstream consumers.
+
+This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8.
+---
+ tests/runtests.pl | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 71644ad18..0cf85c3fe 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -55,8 +55,7 @@
+ # given, this won't be a problem.
+ 
+ use strict;
+-# Promote all warnings to fatal
+-use warnings FATAL => 'all';
++use warnings;
+ use 5.006;
+ 
+ # These should be the only variables that might be needed to get edited:
+-- 
+2.39.1
+

curl.rpmlintrc

@@ -1,15 +0,0 @@
-# Intentional stuff we're not concerned about
-addFilter("unversioned-explicit-provides webclient")
-addFilter("package-with-huge-docs")
-addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
-
-# This is just plain wrong (%_configure redefinition)
-addFilter("configure-without-libdir-spec")
-
-# Technical term
-addFilter("E: spelling-error \('kerberos',")
-
-# Artefacts of RemovePathPostfixes: .minimal
-addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
-#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
-#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")

curl.spec

@@ -1,45 +1,48 @@
-# OpenSSL ENGINE support
-# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41
-# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
-# Change the bcond to 0 to turn off ENGINE support by default
-%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10]
-
-# HTTP/3 support
-# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's
-# experimental native OpenSSL 3.5 support.
-%bcond http3 %[0%{?fedora} >= 43]
-
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.18.0
-Release: 1%{?dist}
+Version: 8.2.1
+Release: 5%{?dist}
 License: curl
-Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
-Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
+Source0: https://curl.se/download/%{name}-%{version}.tar.xz
+Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # The curl download page ( https://curl.se/download.html ) links
 # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key,
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
 
+# fix HTTP headers eat all memory (CVE-2023-38039)
+Patch1:   0001-curl-8.2.1-CVE-2023-38039.patch
+
+# fix SOCKS5 heap buffer overflow (CVE-2023-38545)
+Patch2:   0002-curl-8.2.1-CVE-2023-38545.patch
+
+# fix cookie injection with none file (CVE-2023-38546)
+Patch3:   0003-curl-8.2.1-CVE-2023-38546.patch
+
+# fix cookie mixed case PSL bypass (CVE-2023-46218)
+Patch4:   0004-curl-8.2.1-CVE-2023-46218.patch
+
+# fix HSTS long file name clears contents (CVE-2023-46219)
+Patch5:   0005-curl-8.2.1-CVE-2023-46219.patch
+
+# fix Usage of disabled protocol (CVE-2024-2004)
+Patch6:   0006-curl-8.2.1-CVE-2024-2004.patch
+
+# fix HTTP/2 push headers memory-leak
+Patch7:   0007-curl-8.2.1-CVE-2024-2398.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
+# test3026: disable valgrind
+Patch102: 0102-curl-7.84.0-test3026.patch
+
+# do not fail on warnings in the upstream test driver
+Patch104: 0104-curl-7.88.0-tests-warnings.patch
+
 Provides: curl-full = %{version}-%{release}
-# do not fail when trying to install curl-minimal after drop
-Provides: curl-minimal = %{version}-%{release}
 Provides: webclient
 URL: https://curl.se/
-
-%if 0%{?fedora}
-# instead of bundled wcurl utility, recommend wcurl package
-Recommends: wcurl
-%endif
-
-# The reason for maintaining two separate packages for curl is no longer valid.
-# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal.
-# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096
-Obsoletes: curl-minimal < 8.6.0-4
-
 BuildRequires: automake
 BuildRequires: brotli-devel
 BuildRequires: coreutils
@@ -48,24 +51,14 @@ BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
 BuildRequires: libnghttp2-devel
-%if %{with http3}
-BuildRequires: libnghttp3-devel
-%endif
 BuildRequires: libpsl-devel
 BuildRequires: libssh-devel
 BuildRequires: libtool
 BuildRequires: make
-%if %{with http3}
-BuildRequires: ngtcp2-crypto-ossl-devel
-%endif
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
-BuildRequires: openssl
 BuildRequires: openssl-devel
-%if %{with openssl_engine_support} && 0%{?fedora} >= 41
-BuildRequires:  openssl-devel-engine
-%endif
 BuildRequires: perl-interpreter
 BuildRequires: pkgconfig
 BuildRequires: python-unversioned-command
@@ -108,7 +101,6 @@ BuildRequires: perl(Exporter)
 BuildRequires: perl(File::Basename)
 BuildRequires: perl(File::Copy)
 BuildRequires: perl(File::Spec)
-BuildRequires: perl(I18N::Langinfo)
 BuildRequires: perl(IPC::Open2)
 BuildRequires: perl(List::Util)
 BuildRequires: perl(Memoize)
@@ -143,19 +135,10 @@ BuildRequires: stunnel
 # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
 Requires: libcurl%{?_isa} >= %{version}-%{release}
 
-# Define OPENSSL_NO_ENGINE to avoid inclusion of <openssl/engine.h>
-%if %{without openssl_engine_support}
-%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE
-%endif
-
 # require at least the version of libnghttp2 that we were built against,
 # to ensure that we have the necessary symbols available (#2144277)
 %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)
 
-# require at least the version of libnghttp3 that we were built against,
-# to ensure that we have the necessary symbols available
-%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0)
-
 # require at least the version of libpsl that we were built against,
 # to ensure that we have the necessary symbols available (#1631804)
 %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
@@ -164,10 +147,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
 # to ensure that we have the necessary symbols available (#525002, #642796)
 %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)
 
-# require at least the version of ngtcp2 that we were built against,
-# to ensure that we have the necessary symbols available
-%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0)
-
 # require at least the version of openssl-libs that we were built against,
 # to ensure that we have the necessary symbols available (#1462184, #1462211)
 # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though)
@@ -184,14 +163,8 @@ resume, proxy tunneling and a busload of other useful tricks.
 %package -n libcurl
 Summary: A library for getting files from web servers
 Requires: libnghttp2%{?_isa} >= %{libnghttp2_version}
-%if %{with http3}
-Requires: libnghttp3%{?_isa} >= %{libnghttp3_version}
-%endif
 Requires: libpsl%{?_isa} >= %{libpsl_version}
 Requires: libssh%{?_isa} >= %{libssh_version}
-%if %{with http3}
-Requires: ngtcp2%{?_isa} >= %{ngtcp2_version}
-%endif
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
 Provides: libcurl-full = %{version}-%{release}
 Provides: libcurl-full%{?_isa} = %{version}-%{release}
@@ -217,6 +190,22 @@ The libcurl-devel package includes header files and libraries necessary for
 developing programs which use the libcurl library. It contains the API
 documentation of the library, too.
 
+%package -n curl-minimal
+Summary: Conservatively configured build of curl for minimal installations
+Provides: curl = %{version}-%{release}
+Conflicts: curl
+Suggests: libcurl-minimal
+RemovePathPostfixes: .minimal
+
+# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
+Requires: libcurl%{?_isa} >= %{version}-%{release}
+
+%description -n curl-minimal
+This is a replacement of the 'curl' package for minimal installations.  It
+comes with a limited set of features compared to the 'curl' package.  On the
+other hand, the package is smaller and requires fewer run-time dependencies to
+be installed.
+
 %package -n libcurl-minimal
 Summary: Conservatively configured build of libcurl for minimal installations
 Requires: libnghttp2%{?_isa} >= %{libnghttp2_version}
@@ -236,11 +225,12 @@ be installed.
 
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -n %{name}-%{version_no_tilde} -p1
+%autosetup -p1
 
+# disable test 420
 # disable test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
-printf "1801\n" >>tests/data/DISABLED
+printf "420\n1801\n" >> tests/data/DISABLED
 
 # test3026: avoid pthread_create() failure due to resource exhaustion on i386
 %ifarch %{ix86}
@@ -260,18 +250,13 @@ sed -e 's|^35$|35,52|' -i tests/data/test323
     eval "$cmd"
 )
 
-# avoid unnecessary arch-dependent line in the processed file
-sed -e '/# Used in @libdir@/d' \
-    -i curl-config.in
-
-%build
 # regenerate the configure script and Makefile.in files
 autoreconf -fiv
 
+%build
 mkdir build-{full,minimal}
 export common_configure_opts="          \
     --cache-file=../config.cache        \
-    --disable-manual                    \
     --disable-static                    \
     --enable-hsts                       \
     --enable-ipv6                       \
@@ -281,8 +266,7 @@ export common_configure_opts="          \
     --with-gssapi                       \
     --with-libidn2                      \
     --with-nghttp2                      \
-    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
-    --with-zsh-functions-dir"
+    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
 
 %global _configure ../configure
 
@@ -295,8 +279,10 @@ export common_configure_opts="          \
         --disable-imap                  \
         --disable-ldap                  \
         --disable-ldaps                 \
+        --disable-manual                \
         --disable-mqtt                  \
         --disable-ntlm                  \
+        --disable-ntlm-wb               \
         --disable-pop3                  \
         --disable-rtsp                  \
         --disable-smb                   \
@@ -304,7 +290,6 @@ export common_configure_opts="          \
         --disable-telnet                \
         --disable-tftp                  \
         --disable-tls-srp               \
-        --disable-websockets            \
         --without-brotli                \
         --without-libpsl                \
         --without-libssh
@@ -319,8 +304,10 @@ export common_configure_opts="          \
         --enable-imap                   \
         --enable-ldap                   \
         --enable-ldaps                  \
+        --enable-manual                 \
         --enable-mqtt                   \
         --enable-ntlm                   \
+        --enable-ntlm-wb                \
         --enable-pop3                   \
         --enable-rtsp                   \
         --enable-smb                    \
@@ -328,14 +315,9 @@ export common_configure_opts="          \
         --enable-telnet                 \
         --enable-tftp                   \
         --enable-tls-srp                \
-        --enable-websockets             \
         --with-brotli                   \
         --with-libpsl                   \
-        --with-libssh                   \
-%if %{with http3}
-        --with-nghttp3                  \
-        --with-ngtcp2                   \
-%endif
+        --with-libssh
 )
 
 # avoid using rpath
@@ -383,6 +365,10 @@ for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
     mv -v $i $i.minimal
 done
 
+# install and rename the executable that will be packaged as curl-minimal
+%make_install -C build-minimal/src
+mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
+
 # install libcurl.m4
 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal
 install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
@@ -391,30 +377,28 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
 cd build-full
 %make_install
 
+# install zsh completion for curl
+# (we have to override LD_LIBRARY_PATH because we eliminated rpath)
+LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
+    %make_install -C scripts
+
 # do not install /usr/share/fish/completions/curl.fish which is also installed
 # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
 rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
 
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
-# do not install bundled wcurl utility
-# it is provided by the wcurl package
-rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl
-rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
-
 %ldconfig_scriptlets -n libcurl
 
 %ldconfig_scriptlets -n libcurl-minimal
 
 %files
-%doc CHANGES.md
+%doc CHANGES
 %doc README
 %doc docs/BUGS.md
-%doc docs/DISTROS.md
-%doc docs/FAQ.md
+%doc docs/FAQ
 %doc docs/FEATURES.md
-%doc docs/KNOWN_BUGS.md
-%doc docs/TODO.md
+%doc docs/TODO
 %doc docs/TheArtOfHttpScripting.md
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
@@ -436,228 +420,30 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_mandir}/man3/*
 %{_datadir}/aclocal/libcurl.m4
 
+%files -n curl-minimal
+%{_bindir}/curl.minimal
+%{_mandir}/man1/curl.1*
+
 %files -n libcurl-minimal
 %license COPYING
 %{_libdir}/libcurl.so.4.minimal
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Wed Jan 07 2026 Jan Macku <jamacku@redhat.com> - 8.18.0-1
-- new upstream release
+* Wed Apr 03 2024 Jan Macku <jamacku@redhat.com> - 8.2.1-5
+- fix Usage of disabled protocol (CVE-2024-2004)
+- fix HTTP/2 push headers memory-leak (CVE-2024-2398)
 
-* Mon Jan 05 2026 Jan Macku <jamacku@redhat.com> - 8.18.0~rc3-1
-- new upstream release candidate
+* Wed Dec 06 2023 Jan Macku <jamacku@redhat.com> - 8.2.1-4
+- fix HSTS long file name clears contents (CVE-2023-46219)
+- fix cookie mixed case PSL bypass (CVE-2023-46218)
 
-* Tue Dec 16 2025 Jan Macku <jamacku@redhat.com> - 8.18.0~rc2-1
-- new upstream release candidate
-- reenable valgrind on test 616
+* Wed Oct 11 2023 Jan Macku <jamacku@redhat.com> - 8.2.1-3
+- fix cookie injection with none file (CVE-2023-38546)
+- fix SOCKS5 heap buffer overflow (CVE-2023-38545)
 
-* Tue Dec 09 2025 Jan Macku <jamacku@redhat.com> - 8.18.0~rc1-1
-- new upstream release candidate
-- drop upstreamed patches
-
-* Sun Dec 07 2025 Aleksei Bavshin <alebastr@fedoraproject.org> - 8.17.0-5
-- Enable HTTP/3 support with ngtcp2
-
-* Thu Dec 04 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-4
-- apply upstream patches for valgrind issues in HTTP/3 (#2408809)
-
-* Thu Nov 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-3
-- recommend wcurl package instead of bundled wcurl utility
-
-* Thu Nov 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-2
-- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead
-
-* Mon Nov 10 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-1
-- new upstream release
-
-* Thu Oct 30 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc3-1
-- new upstream release candidate
-
-* Tue Oct 21 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc2-1
-- new upstream release candidate
-
-* Mon Oct 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc1-1
-- new upstream release candidate
-
-* Wed Sep 10 2025 Jan Macku <jamacku@redhat.com> - 8.16.0-1
-- new upstream release
-
-* Wed Sep 03 2025 Jan Macku <jamacku@redhat.com> - 8.16.0~rc3-1
-- new upstream release candidate
-
-* Tue Aug 26 2025 Jan Macku <jamacku@redhat.com> - 8.16.0~rc2-1
-- new upstream release candidate
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Wed Jul 16 2025 Jan Macku <jamacku@redhat.com> - 8.15.0-1
-- new upstream release
-
-* Thu Jul 10 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc3-1
-- new upstream release candidate
-
-* Mon Jun 30 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc2-1
-- new upstream release candidate
-
-* Mon Jun 23 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc1-1
-- new upstream release candidate
-
-* Wed Jun 04 2025 Jan Macku <jamacku@redhat.com> - 8.14.1-1
-- new upstream release
-- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed)
-
-* Wed May 28 2025 Jan Macku <jamacku@redhat.com> - 8.14.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2025-5025 - No QUIC certificate pinning with wolfSSL
-    CVE-2025-4947 - QUIC certificate check skip with wolfSSL
-- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles
-
-* Fri May 02 2025 Jan Macku <jamacku@redhat.com> - 8.14.0~rc1-1
-- new upstream release candidate
-- new utility: wcurl which lets you download URLs without having to remember any parameters
-
-* Wed Apr 02 2025 Jan Macku <jamacku@redhat.com> - 8.13.0-1
-- new upstream release
-- add build time dependency on openssl (required by tests)
-
-* Wed Mar 26 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc3-1
-- new upstream release candidate
-- drop: 0102-curl-7.84.0-test3026.patch (no longer needed)
-
-* Tue Mar 18 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc2-1
-- new upstream release candidate
-
-* Thu Mar 13 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc1-2
-- fix --cert parameter (#2351531)
-
-* Mon Mar 10 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc1-1
-- new upstream release candidate
-
-* Wed Feb 05 2025 Jan Macku <jamacku@redhat.com> - 8.12.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2025-0725 - gzip integer overflow
-    CVE-2025-0665 - eventfd double close
-    CVE-2025-0167 - netrc and default credential leak
-- drop upstreamed patches
-
-* Fri Jan 31 2025 Jan Macku <jamacku@redhat.com> - 8.11.1-4
-- TLS: check connection for SSL use, not handler (#2324130#c7)
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.11.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Sun Dec 15 2024 Paul Howarth <paul@city-fan.org> - 8.11.1-2
-- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350)
-  - https://github.com/curl/curl/issues/15725
-  - https://github.com/curl/curl/pull/15727
-
-* Wed Dec 11 2024 Jan Macku <jamacku@redhat.com> - 8.11.1-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-11053 - netrc and redirect credential leak
-
-* Wed Nov 06 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 8.11.0-2
-- Disable engine support on RHEL 10+
-
-* Wed Nov 06 2024 Jan Macku <jamacku@redhat.com> - 8.11.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-9681 - HSTS subdomain overwrites parent cache entry
-
-* Tue Sep 24 2024 Jan Macku <jamacku@redhat.com> - 8.10.1-2
-- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564)
-
-* Wed Sep 18 2024 Jan Macku <jamacku@redhat.com> - 8.10.1-1
-- new upstream release
-
-* Wed Sep 11 2024 Jan Macku <jamacku@redhat.com> - 8.10.0-1
-- new upstream release
-
-* Wed Aug 21 2024 Jacek Migacz <jmigacz@redhat.com> - 8.9.1-3
-- Retire deprecated ntlm-wb configure option
-
-* Mon Aug 5 2024 voidanix <voidanix@keyedlimepie.org> - 8.9.1-2
-- Apply SIGPIPE-related patch due to upstream regression
-
-* Wed Jul 24 2024 Jan Macku <jamacku@redhat.com> - 8.9.1-1
-- new upstream release
-
-* Wed Jul 24 2024 Jan Macku <jamacku@redhat.com> - 8.9.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-6874 - macidn punycode buffer overread
-    CVE-2024-6197 - freeing stack buffer in utf8asn1str
-- drop upstreamed patches
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 8.8.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Fri Jul 12 2024 Paul Howarth <paul@city-fan.org> - 8.8.0-2
-- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
-- added build condition for openssl_engine_support, true by default so as to
-  not change the resulting built package (yet)
-- with openssl_engine_support true, BR: openssl-devel-engine
-- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE
-
-* Wed May 22 2024 Jan Macku <jamacku@redhat.com> - 8.8.0-1
-- new upstream release
-- drop upstreamed patches
-
-* Wed Mar 27 2024 Jan Macku <jamacku@redhat.com> - 8.7.1-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-2004 - Usage of disabled protocol
-    CVE-2024-2379 - QUIC certificate check bypass with wolfSSL
-    CVE-2024-2398 - HTTP/2 push headers memory-leak
-    CVE-2024-2466 - TLS certificate check bypass with mbedTLS
-- drop upstreamed patches
-- reenable test 0313
-- fix zsh completions, use --with-zsh-functions-dir
-- apply upstream patches for 8.7.1 issues and regressions
-
-* Mon Feb 19 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-7
-- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220)
-
-* Mon Feb 12 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-6
-- revert "receive max buffer" + add test case
-- temporarily disable test 0313
-- remove suggests of libcurl-minimal in curl-full
-
-* Mon Feb 12 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-5
-- add Provides to curl-minimal
-
-* Wed Feb 07 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-4
-- drop curl-minimal subpackage in favor of curl-full (#2262096)
-
-* Mon Feb 05 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-3
-- ignore response body to HEAD requests
-
-* Fri Feb 02 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-2
-- don't build manual for curl-full - use man 1 curl instead (#2262373)
-
-* Thu Feb 01 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-0853 - OCSP verification bypass with TLS session reuse
-- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix)
-- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843)
-
-* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 8.5.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Wed Dec 06 2023 Jan Macku <jamacku@redhat.com> - 8.5.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2023-46218 - cookie mixed case PSL bypass
-    CVE-2023-46219 - HSTS long file name clears contents
-
-* Wed Oct 11 2023 Jan Macku <jamacku@redhat.com> - 8.4.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2023-38545 - SOCKS5 heap buffer overflow
-    CVE-2023-38546 - cookie injection with none file
-
-* Wed Sep 13 2023 Jan Macku <jamacku@redhat.com> - 8.3.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2023-38039 - HTTP headers eat all memory
-
-* Wed Aug 02 2023 Jan Macku <jamacku@redhat.com> - 8.2.1-2
-- enable websockets (#2224651)
+* Wed Sep 13 2023 Jan Macku <jamacku@redhat.com> - 8.2.1-2
+- fix HTTP headers eat all memory (CVE-2023-38039)
 
 * Wed Jul 26 2023 Lukáš Zaoral <lzaoral@redhat.com> - 8.2.1-1
 - new upstream release (rhbz#2226659)

sources

@@ -1,2 +1,2 @@
-SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
-SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
+SHA512 (curl-8.2.1.tar.xz) = 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094
+SHA512 (curl-8.2.1.tar.xz.asc) = 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084

tests/non-root-user-download/runtest.sh

@@ -31,9 +31,9 @@
 
 PACKAGE="curl"
 
-FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"