fix speed limiting fix for 32bit systems

Resolves: #2301597

.gitignore

@@ -2,5 +2,4 @@
 /curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
 /curl-[0-9.]*.tar.xz.asc
-/curl-[0-9]*.[0-9]*.[0-9]*/
-/*.src.rpm
+/curl-[0-9].[0-9].[0-9]/

0001-curl-8.6.0-remove-duplicate-content.patch

@@ -0,0 +1,108 @@
+From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Thu, 1 Feb 2024 12:56:31 +0100
+Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1
+
+This will be resolved in next release by:
+https://github.com/curl/curl/pull/12818
+
+see also: https://github.com/curl/curl/issues/12840
+
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ docs/curl-config.1 | 82 ----------------------------------------------
+ 1 file changed, 82 deletions(-)
+
+diff --git a/docs/curl-config.1 b/docs/curl-config.1
+index 186ba3a..c142cb9 100644
+--- a/docs/curl-config.1
++++ b/docs/curl-config.1
+@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command?
+ .fi
+ .SH SEE ALSO
+ .BR curl (1)
+-.\" generated by cd2nroff 0.1 from curl-config.md
+-.TH curl-config 1 "January 26 2024" curl-config
+-.SH NAME
+-curl\-config \- Get information about a libcurl installation
+-.SH SYNOPSIS
+-\fBcurl\-config [options]\fP
+-.SH DESCRIPTION
+-\fBcurl\-config\fP
+-displays information about the curl and libcurl installation.
+-.SH OPTIONS
+-.IP --ca
+-Displays the built\-in path to the CA cert bundle this libcurl uses.
+-.IP --cc
+-Displays the compiler used to build libcurl.
+-.IP --cflags
+-Set of compiler options (CFLAGS) to use when compiling files that use
+-libcurl. Currently that is only the include path to the curl include files.
+-.IP "--checkfor [version]"
+-Specify the oldest possible libcurl version string you want, and this
+-script will return 0 if the current installation is new enough or it
+-returns 1 and outputs a text saying that the current version is not new
+-enough. (Added in 7.15.4)
+-.IP --configure
+-Displays the arguments given to configure when building curl.
+-.IP --feature
+-Lists what particular main features the installed libcurl was built with. At
+-the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume
+-any particular order. The keywords will be separated by newlines. There may be
+-none, one, or several keywords in the list.
+-.IP --help
+-Displays the available options.
+-.IP --libs
+-Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl.
+-.IP --prefix
+-This is the prefix used when libcurl was installed. Libcurl is then installed
+-in $prefix/lib and its header files are installed in $prefix/include and so
+-on. The prefix is set with "configure \--prefix".
+-.IP --protocols
+-Lists what particular protocols the installed libcurl was built to support. At
+-the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE,
+-TELNET, LDAP, DICT and many more. Do not assume any particular order. The
+-protocols will be listed using uppercase and are separated by newlines. There
+-may be none, one, or several protocols in the list. (Added in 7.13.0)
+-.IP --ssl-backends
+-Lists the SSL backends that were enabled when libcurl was built. It might be
+-no, one or several names. If more than one name, they will appear
+-comma\-separated. (Added in 7.58.0)
+-.IP --static-libs
+-Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl statically. (Added in 7.17.1)
+-.IP --version
+-Outputs version information about the installed libcurl.
+-.IP --vernum
+-Outputs version information about the installed libcurl, in numerical mode.
+-This shows the version number, in hexadecimal, using 8 bits for each part:
+-major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and
+-libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be
+-omitted. (This option was broken in the 7.15.0 release.)
+-.SH EXAMPLES
+-What linker options do I need when I link with libcurl?
+-.nf
+-  $ curl-config --libs
+-.fi
+-What compiler options do I need when I compile using libcurl functions?
+-.nf
+-  $ curl-config --cflags
+-.fi
+-How do I know if libcurl was built with SSL support?
+-.nf
+-  $ curl-config --feature | grep SSL
+-.fi
+-What\(aqs the installed libcurl version?
+-.nf
+-  $ curl-config --version
+-.fi
+-How do I build a single file with a one\-line command?
+-.nf
+-  $ `curl-config --cc --cflags` -o example source.c `curl-config --libs`
+-.fi
+-.SH SEE ALSO
+-.BR curl (1)
+-- 
+2.43.0
+

0002-curl-8.6.0-ignore-response-body-to-HEAD.patch

@@ -0,0 +1,184 @@
+From e61ea3ba7054afedafe1eb473226e842ac17b8ff Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 1 Feb 2024 13:23:12 +0100
+Subject: [PATCH] sendf: ignore response body to HEAD
+
+and mark the stream for close, but return OK since the response this far
+was ok - if headers were received. Partly because this is what curl has
+done traditionally.
+
+Test 499 verifies. Updates test 689.
+
+Reported-by: Sergey Bronnikov
+Bug: https://curl.se/mail/lib-2024-02/0000.html
+Closes #12842
+
+(cherry picked from commit b8c003832d730bb2f4b9de4204675ca5d9f7a903)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/sendf.c             |  3 ++
+ tests/data/Makefile.inc | 44 ++++++++++++++--------------
+ tests/data/test499      | 65 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test689      |  4 +--
+ 4 files changed, 92 insertions(+), 24 deletions(-)
+ create mode 100644 tests/data/test499
+
+diff --git a/lib/sendf.c b/lib/sendf.c
+index db3189a29..60ac0742c 100644
+--- a/lib/sendf.c
++++ b/lib/sendf.c
+@@ -575,6 +575,9 @@ static CURLcode cw_download_write(struct Curl_easy *data,
+     DEBUGF(infof(data, "did not want a BODY, but seeing %zu bytes",
+                  nbytes));
+     data->req.download_done = TRUE;
++    if(data->info.header_size)
++      /* if headers have been received, this is fine */
++      return CURLE_OK;
+     return CURLE_WEIRD_SERVER_REPLY;
+   }
+ 
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index c3d496f64..cd393da75 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -75,28 +75,28 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \
+ test453 test454 test455 test456 test457 test458 test459 test460 test461 \
+ \
+ test490 test491 test492 test493 test494 test495 test496 test497 test498 \
+-\
+-test500 test501 test502 test503 test504 test505 test506 test507 test508 \
+-test509 test510 test511 test512 test513 test514 test515 test516 test517 \
+-test518 test519 test520 test521 test522 test523 test524 test525 test526 \
+-test527 test528 test529 test530 test531 test532 test533 test534 test535 \
+-        test537 test538 test539 test540 test541 test542 test543 test544 \
+-test545 test546 test547 test548 test549 test550 test551 test552 test553 \
+-test554 test555 test556 test557 test558 test559 test560 test561 test562 \
+-test563 test564 test565 test566 test567 test568 test569 test570 test571 \
+-test572 test573 test574 test575 test576 test577 test578 test579 test580 \
+-test581 test582 test583 test584 test585 test586 test587 test588 test589 \
+-test590 test591 test592 test593 test594 test595 test596 test597 test598 \
+-test599 test600 test601 test602 test603 test604 test605 test606 test607 \
+-test608 test609 test610 test611 test612 test613 test614 test615 test616 \
+-test617 test618 test619 test620 test621 test622 test623 test624 test625 \
+-test626 test627 test628 test629 test630 test631 test632 test633 test634 \
+-test635 test636 test637 test638 test639 test640 test641 test642 test643 \
+-test644 test645 test646 test647 test648 test649 test650 test651 test652 \
+-test653 test654 test655 test656 test658 test659 test660 test661 test662 \
+-test663 test664 test665 test666 test667 test668 test669 test670 test671 \
+-test672 test673 test674 test675 test676 test677 test678 test679 test680 \
+-test681 test682 test683 test684 test685 test686 test687 test688 test689 \
++test499 test500 test501 test502 test503 test504 test505 test506 test507 \
++test508 test509 test510 test511 test512 test513 test514 test515 test516 \
++test517 test518 test519 test520 test521 test522 test523 test524 test525 \
++test526 test527 test528 test529 test530 test531 test532 test533 test534 \
++test535         test537 test538 test539 test540 test541 test542 test543 \
++test544 test545 test546 test547 test548 test549 test550 test551 test552 \
++test553 test554 test555 test556 test557 test558 test559 test560 test561 \
++test562 test563 test564 test565 test566 test567 test568 test569 test570 \
++test571 test572 test573 test574 test575 test576 test577 test578 test579 \
++test580 test581 test582 test583 test584 test585 test586 test587 test588 \
++test589 test590 test591 test592 test593 test594 test595 test596 test597 \
++test598 test599 test600 test601 test602 test603 test604 test605 test606 \
++test607 test608 test609 test610 test611 test612 test613 test614 test615 \
++test616 test617 test618 test619 test620 test621 test622 test623 test624 \
++test625 test626 test627 test628 test629 test630 test631 test632 test633 \
++test634 test635 test636 test637 test638 test639 test640 test641 test642 \
++test643 test644 test645 test646 test647 test648 test649 test650 test651 \
++test652 test653 test654 test655 test656 test658 test659 test660 test661 \
++test662 test663 test664 test665 test666 test667 test668 test669 test670 \
++test671 test672 test673 test674 test675 test676 test677 test678 test679 \
++test680 test681 test682 test683 test684 test685 test686 test687 test688 \
++test689 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+diff --git a/tests/data/test499 b/tests/data/test499
+new file mode 100644
+index 000000000..d4040b07c
+--- /dev/null
++++ b/tests/data/test499
+@@ -0,0 +1,65 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data crlf="yes" nocheck="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Content-Type: text/html
++Funny-head: yesyes
++
++-foo-
++</data>
++<datacheck crlf="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Content-Type: text/html
++Funny-head: yesyes
++</datacheck>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++<name>
++HTTP HEAD to server still sending a body
++</name>
++<command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -I
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++HEAD /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test689 b/tests/data/test689
+index 821556dec..381ae225a 100644
+--- a/tests/data/test689
++++ b/tests/data/test689
+@@ -44,9 +44,9 @@ User-Agent: test567
+ Test-Number: 567
+ 
+ </protocol>
+-# 8 == CURLE_WEIRD_SERVER_REPLY
++# 85 == CURLE_RTSP_CSEQ_ERROR
+ <errorcode>
+-8
++85
+ </errorcode>
+ </verify>
+ 
+-- 
+2.43.0
+

0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch

@@ -0,0 +1,68 @@
+From 0f65eaab19624ca018d7bd5ca404618f9bfe267f Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Thu, 1 Feb 2024 18:15:50 +0100
+Subject: [PATCH] vtls: revert "receive max buffer" + add test case
+
+- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an
+  Apache resource that does an unclean TLS shutdown.
+- revert special workarund in openssl.c for suppressing shutdown errors
+  on multiplexed connections
+- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53
+
+Fixes #12885
+Fixes #12844
+
+Closes #12848
+
+(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/vtls/vtls.c | 27 ++++++---------------------
+ 1 file changed, 6 insertions(+), 21 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index e928ba5d0..f654a9749 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
+ {
+   struct cf_call_data save;
+   ssize_t nread;
+-  size_t ntotal = 0;
+ 
+   CF_DATA_SAVE(save, cf, data);
+   *err = CURLE_OK;
+-  /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */
+-  while(!ntotal || (len - ntotal) > (4*1024)) {
++  nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
++  if(nread > 0) {
++    DEBUGASSERT((size_t)nread <= len);
++  }
++  else if(nread == 0) {
++    /* eof */
+     *err = CURLE_OK;
+-    nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err);
+-    if(nread < 0) {
+-      if(*err == CURLE_AGAIN && ntotal > 0) {
+-        /* we EAGAINed after having reed data, return the success amount */
+-        *err = CURLE_OK;
+-        break;
+-      }
+-      /* we have a an error to report */
+-      goto out;
+-    }
+-    else if(nread == 0) {
+-      /* eof */
+-      break;
+-    }
+-    ntotal += (size_t)nread;
+-    DEBUGASSERT((size_t)ntotal <= len);
+   }
+-  nread = (ssize_t)ntotal;
+-out:
+   CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
+               nread, *err);
+   CF_DATA_RESTORE(cf, save);
+-- 
+2.43.0
+

0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch

@@ -0,0 +1,83 @@
+From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 14 Feb 2024 16:27:23 +0100
+Subject: [PATCH] http_chunks: fix the accounting of consumed bytes
+
+Prior to this change chunks were handled correctly although in verbose
+mode libcurl could incorrectly warn of "Leftovers after chunking" even
+if there were none.
+
+Reported-by: Michael Kaufmann
+
+Fixes https://github.com/curl/curl/issues/12937
+Closes https://github.com/curl/curl/pull/12939
+
+(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/http_chunks.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/http_chunks.c b/lib/http_chunks.c
+index 039c179c4..ad1ee9ada 100644
+--- a/lib/http_chunks.c
++++ b/lib/http_chunks.c
+@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data,
+         ch->hexbuffer[ch->hexindex++] = *buf;
+         buf++;
+         blen--;
++        (*pconsumed)++;
+       }
+       else {
+         char *endptr;
+@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data,
+ 
+       buf++;
+       blen--;
++      (*pconsumed)++;
+       break;
+ 
+     case CHUNK_DATA:
+@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data,
+       }
+       buf++;
+       blen--;
++      (*pconsumed)++;
+       break;
+ 
+     case CHUNK_TRAILER:
+@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data,
+       }
+       buf++;
+       blen--;
++      (*pconsumed)++;
+       break;
+ 
+     case CHUNK_TRAILER_CR:
+@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data,
+         ch->state = CHUNK_TRAILER_POSTCR;
+         buf++;
+         blen--;
++        (*pconsumed)++;
+       }
+       else {
+         ch->state = CHUNK_FAILED;
+@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data,
+         /* skip if CR */
+         buf++;
+         blen--;
++        (*pconsumed)++;
+       }
+       /* now wait for the final LF */
+       ch->state = CHUNK_STOP;
+@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data,
+     case CHUNK_STOP:
+       if(*buf == 0x0a) {
+         blen--;
++        (*pconsumed)++;
+         /* Record the length of any data left in the end of the buffer
+            even if there's no more chunks to read */
+         ch->datasize = blen;
+-- 
+2.43.2
+

0005-curl-8.6.0-CVE-2024-2004.patch

@@ -0,0 +1,138 @@
+From c8dac4ba172c145dbdf924a5e309fe7539b3610e Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson <daniel@yesql.se>
+Date: Tue, 27 Feb 2024 15:43:56 +0100
+Subject: [PATCH 1/2] setopt: Fix disabling all protocols
+
+When disabling all protocols without enabling any, the resulting
+set of allowed protocols remained the default set.  Clearing the
+allowed set before inspecting the passed value from --proto make
+the set empty even in the errorpath of no protocols enabled.
+
+Co-authored-by: Dan Fandrich <dan@telarity.com>
+Reported-by: Dan Fandrich <dan@telarity.com>
+Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+Closes: #13004
+(cherry picked from commit 17d302e56221f5040092db77d4f85086e8a20e0e)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/setopt.c            | 16 ++++++++--------
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1474     | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 51 insertions(+), 9 deletions(-)
+ create mode 100644 tests/data/test1474
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index a5270773f..3891eb679 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp)
+ 
+ static CURLcode protocol2num(const char *str, curl_prot_t *val)
+ {
++  /*
++   * We are asked to cherry-pick protocols, so play it safe and disallow all
++   * protocols to start with, and re-add the wanted ones back in.
++   */
++  *val = 0;
++
+   if(!str)
+     return CURLE_BAD_FUNCTION_ARGUMENT;
+ 
+@@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val)
+     return CURLE_OK;
+   }
+ 
+-  *val = 0;
+-
+   do {
+     const char *token = str;
+     size_t tlen;
+@@ -2657,22 +2661,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     break;
+ 
+   case CURLOPT_PROTOCOLS_STR: {
+-    curl_prot_t prot;
+     argptr = va_arg(param, char *);
+-    result = protocol2num(argptr, &prot);
++    result = protocol2num(argptr, &data->set.allowed_protocols);
+     if(result)
+       return result;
+-    data->set.allowed_protocols = prot;
+     break;
+   }
+ 
+   case CURLOPT_REDIR_PROTOCOLS_STR: {
+-    curl_prot_t prot;
+     argptr = va_arg(param, char *);
+-    result = protocol2num(argptr, &prot);
++    result = protocol2num(argptr, &data->set.redir_protocols);
+     if(result)
+       return result;
+-    data->set.redir_protocols = prot;
+     break;
+   }
+ 
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index cd393da75..011aa4607 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -186,7 +186,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \
+ test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \
+ test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \
+ test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \
+-test1471 test1472 test1473          test1475 test1476 test1477 test1478 \
++test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+diff --git a/tests/data/test1474 b/tests/data/test1474
+new file mode 100644
+index 000000000..c66fa2810
+--- /dev/null
++++ b/tests/data/test1474
+@@ -0,0 +1,42 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++--proto
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<features>
++http
++</features>
++<name>
++--proto -all disables all protocols
++</name>
++<command>
++--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 1 - Protocol "http" disabled
++<errorcode>
++1
++</errorcode>
++</verify>
++</testcase>
+-- 
+2.44.0
+

0006-curl-8.6.0-CVE-2024-2398.patch

@@ -0,0 +1,95 @@
+From 62ff9aab364ca19cf858972aa1b1f00042763a8a Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+(cherry picked from commit deca8039991886a559b67bcd6701db800a5cf764)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index c3157d1ef..501dc355f 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf,
+   return CURLE_OK;
+ }
+ 
++static void free_push_headers(struct stream_ctx *stream)
++{
++  size_t i;
++  for(i = 0; i<stream->push_headers_used; i++)
++    free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ static void http2_data_done(struct Curl_cfilter *cf,
+                             struct Curl_easy *data, bool premature)
+ {
+@@ -317,15 +326,7 @@ static void http2_data_done(struct Curl_cfilter *cf,
+   Curl_bufq_free(&stream->recvbuf);
+   Curl_h1_req_parse_free(&stream->h1);
+   Curl_dynhds_free(&stream->resp_trailers);
+-  if(stream->push_headers) {
+-    /* if they weren't used and then freed before */
+-    for(; stream->push_headers_used > 0; --stream->push_headers_used) {
+-      free(stream->push_headers[stream->push_headers_used - 1]);
+-    }
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-  }
+-
++  free_push_headers(stream);
+   free(stream);
+   H2_STREAM_LCTX(data) = NULL;
+ }
+@@ -872,7 +873,6 @@ static int push_promise(struct Curl_cfilter *cf,
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     CURLcode result;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = h2_duphandle(cf, data);
+     if(!newhandle) {
+@@ -917,11 +917,7 @@ static int push_promise(struct Curl_cfilter *cf,
+     Curl_set_in_callback(data, false);
+ 
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+ 
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1468,14 +1464,14 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+       if(stream->push_headers_alloc > 1000) {
+         /* this is beyond crazy many headers, bail out */
+         failf(data_s, "Too many PUSH_PROMISE headers");
+-        Curl_safefree(stream->push_headers);
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;
+-- 
+2.44.0
+

0007-curl-8.6.0-CVE-2024-6197.patch

@@ -0,0 +1,25 @@
+From 5e1d97ac8d3ffebfaf50afe8641486ffc17ec9ba Mon Sep 17 00:00:00 2001
+From: z2_ <88509734+z2-2z@users.noreply.github.com>
+Date: Fri, 28 Jun 2024 14:45:47 +0200
+Subject: [PATCH] x509asn1: remove superfluous free()
+
+(cherry picked from commit 3a537a4db9e65e545ec45b1b5d5575ee09a2569d)
+---
+ lib/vtls/x509asn1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index da079361d..2ccf6327a 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -389,7 +389,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
+         if(wc >= 0x00000800) {
+           if(wc >= 0x00010000) {
+             if(wc >= 0x00200000) {
+-              free(buf);
+               /* Invalid char. size for target encoding. */
+               return CURLE_WEIRD_SERVER_REPLY;
+             }
+-- 
+2.45.2
+

0008-curl-8.6.0-speed-throttling-precision-issues.patch

@@ -0,0 +1,45 @@
+From 6db0d23dea968e65091261b9daa69325557e5ad0 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Tue, 5 Mar 2024 11:08:55 +0100
+Subject: [PATCH 1/2] transfer.c: break receive loop in speed limited transfers
+
+- the change breaks looping in transfer.c receive for transfers that are
+  speed limited on having gotten *some* bytes.
+- the overall speed limit timing is done in multi.c
+
+Reported-by: Dmitry Karpov
+Bug: https://curl.se/mail/lib-2024-03/0001.html
+Closes #13050
+
+(cherry picked from commit db5c9f4f9e0779b49624752b135281a0717b277b)
+---
+ lib/transfer.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 3ae4b61c0..6ceefd637 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -492,13 +492,14 @@ static CURLcode readwrite_data(struct Curl_easy *data,
+     buf = data->state.buffer;
+     bytestoread = data->set.buffer_size;
+ 
+-    /* Observe any imposed speed limit */
+     if(bytestoread && data->set.max_recv_speed) {
+-      curl_off_t net_limit = data->set.max_recv_speed - total_received;
+-      if(net_limit <= 0)
++      /* In case of speed limit on receiving: if this loop already got
++       * data, break out. If not, limit the amount of bytes to receive.
++       * The overall, timed, speed limiting is done in multi.c */
++      if(total_received)
+         break;
+-      if((size_t)net_limit < bytestoread)
+-        bytestoread = (size_t)net_limit;
++      if((size_t)data->set.max_recv_speed < bytestoread)
++        bytestoread = (size_t)data->set.max_recv_speed;
+     }
+ 
+     nread = Curl_xfer_recv_resp(data, buf, bytestoread,
+-- 
+2.45.2
+

0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch

@@ -0,0 +1,41 @@
+From 478cab9651d332d1bcb02114895d5a664ce6725a Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 26 Jul 2024 10:38:45 +0200
+Subject: [PATCH 2/2] transfer: speed limiting fix for 32bit systems
+
+When checking if a speed limit on receives applies, compare the receive
+sizes using the large int type to prevent an overflow on systems where
+size_t is 32bit.
+
+Fixes #14272
+Reported-by: Mamoru Tasaka
+Closes #14277
+
+(cherry picked from commit fc273027f16df2dd1eb66ffc7df417f605199e35)
+---
+ lib/transfer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 6ceefd637..66e444aa1 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -492,13 +492,13 @@ static CURLcode readwrite_data(struct Curl_easy *data,
+     buf = data->state.buffer;
+     bytestoread = data->set.buffer_size;
+ 
+-    if(bytestoread && data->set.max_recv_speed) {
++    if(bytestoread && data->set.max_recv_speed > 0) {
+       /* In case of speed limit on receiving: if this loop already got
+        * data, break out. If not, limit the amount of bytes to receive.
+        * The overall, timed, speed limiting is done in multi.c */
+       if(total_received)
+         break;
+-      if((size_t)data->set.max_recv_speed < bytestoread)
++      if(data->set.max_recv_speed < (curl_off_t)bytestoread)
+         bytestoread = (size_t)data->set.max_recv_speed;
+     }
+ 
+-- 
+2.45.2
+

0101-curl-7.32.0-multilib.patch

@@ -1,85 +1,84 @@
-From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001
+From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001
 From: Jan Macku <jamacku@redhat.com>
-Date: Tue, 16 Dec 2025 10:04:40 +0100
-Subject: [PATCH] prevent multilib conflicts on the curl-config script
+Date: Thu, 1 Feb 2024 13:01:23 +0100
+Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script
 
 ---
- curl-config.in      | 23 +++++------------------
- docs/curl-config.md |  4 +++-
- libcurl.pc.in       |  1 +
+ curl-config.in     | 23 +++++------------------
+ docs/curl-config.1 |  4 +++-
+ libcurl.pc.in      |  1 +
  3 files changed, 9 insertions(+), 19 deletions(-)
 
 diff --git a/curl-config.in b/curl-config.in
-index a1c8185875..bb43ca8335 100644
+index 54f92d9..15a60da 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -74,7 +74,7 @@ while test "$#" -gt 0; do
-     ;;
+@@ -78,7 +78,7 @@ while test $# -gt 0; do
+         ;;
  
-   --cc)
--    echo '@CC@'
-+    echo 'gcc'
-     ;;
+     --cc)
+-        echo "@CC@"
++        echo "gcc"
+         ;;
  
-   --prefix)
-@@ -149,16 +149,7 @@ while test "$#" -gt 0; do
-     ;;
+     --prefix)
+@@ -157,32 +157,19 @@ while test $# -gt 0; do
+         ;;
  
-   --libs)
--    if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then
--      curllibdir="-L@libdir@ "
--    else
--      curllibdir=''
--    fi
--    if test '@ENABLE_SHARED@' = 'no'; then
--      echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@"
--    else
--      echo "${curllibdir}-lcurl"
--    fi
-+    echo '-lcurl'
-     ;;
+     --libs)
+-        if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
+-           CURLLIBDIR="-L@libdir@ "
+-        else
+-           CURLLIBDIR=""
+-        fi
+-        if test "X@ENABLE_SHARED@" = "Xno"; then
+-          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
+-        else
+-          echo ${CURLLIBDIR}-lcurl
+-        fi
++        echo -lcurl
+         ;;
+     --ssl-backends)
+         echo "@SSL_BACKENDS@"
+         ;;
  
-   --ssl-backends)
-@@ -166,16 +157,12 @@ while test "$#" -gt 0; do
-     ;;
+     --static-libs)
+-        if test "X@ENABLE_STATIC@" != "Xno" ; then
+-          echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@
+-        else
+-          echo "curl was built with static libraries disabled" >&2
+-          exit 1
+-        fi
++        echo "curl was built with static libraries disabled" >&2
++        exit 1
+         ;;
  
-   --static-libs)
--    if test '@ENABLE_STATIC@' != 'no'; then
--      echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@"
--    else
--      echo 'curl was built with static libraries disabled' >&2
--      exit 1
--    fi
-+    echo 'curl was built with static libraries disabled' >&2
-+    exit 1
-     ;;
+     --configure)
+-        echo @CONFIGURE_OPTIONS@
++        pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
+         ;;
  
-   --configure)
--    echo @CONFIGURE_OPTIONS@
-+    pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
-     ;;
- 
-   *)
-diff --git a/docs/curl-config.md b/docs/curl-config.md
-index 12ad245b79..fa0e03d273 100644
---- a/docs/curl-config.md
-+++ b/docs/curl-config.md
-@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated.
- ## `--static-libs`
- 
- Shows the complete set of libs and other linker options you need in order to
--link your application with libcurl statically. (Added in 7.17.1)
-+link your application with libcurl statically. Note that Fedora/RHEL libcurl
+     *)
+diff --git a/docs/curl-config.1 b/docs/curl-config.1
+index c142cb9..0e189b4 100644
+--- a/docs/curl-config.1
++++ b/docs/curl-config.1
+@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear
+ comma\-separated. (Added in 7.58.0)
+ .IP --static-libs
+ Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl statically. (Added in 7.17.1)
++to link your application with libcurl statically. Note that Fedora/RHEL libcurl
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
- 
- ## `--version`
- 
+ .IP --version
+ Outputs version information about the installed libcurl.
+ .IP --vernum
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index c0ba5244a8..f3645e1748 100644
+index 9db6b0f..dcac692 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
-@@ -28,6 +28,7 @@ libdir=@libdir@
+@@ -31,6 +31,7 @@ libdir=@libdir@
  includedir=@includedir@
  supported_protocols="@SUPPORT_PROTOCOLS@"
  supported_features="@SUPPORT_FEATURES@"
@@ -88,5 +87,5 @@ index c0ba5244a8..f3645e1748 100644
  Name: libcurl
  URL: https://curl.se/
 -- 
-2.52.0
+2.43.0
 

0102-curl-7.84.0-test3026.patch

@@ -0,0 +1,71 @@
+From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 27 Jun 2022 16:50:57 +0200
+Subject: [PATCH] test3026: disable valgrind
+
+It fails on x86_64 with:
+```
+ Use --max-threads=INT to specify a larger number of threads
+ and rerun valgrind
+ valgrind: the 'impossible' happened:
+    Max number of threads is too low
+ host stacktrace:
+ ==174357==    at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ sched status:
+   running_tid=1
+ Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357)
+ ==174357==    at 0x4A07816: clone (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x1093B5: test.part.0 (lib3026.c:64)
+ ==174357==    by 0x492454F: (below main) (in /usr/lib64/libc.so.6)
+ client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998
+ valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576
+[...]
+```
+---
+ tests/data/test3026     | 3 +++
+ tests/libtest/lib3026.c | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tests/data/test3026 b/tests/data/test3026
+index fb80cc8..01f2ba5 100644
+--- a/tests/data/test3026
++++ b/tests/data/test3026
+@@ -41,5 +41,8 @@ none
+ <errorcode>
+ 0
+ </errorcode>
++<valgrind>
++disable
++</valgrind>
+ </verify>
+ </testcase>
+diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
+index 43fe335..70cd7a4 100644
+--- a/tests/libtest/lib3026.c
++++ b/tests/libtest/lib3026.c
+@@ -147,8 +147,8 @@ int test(char *URL)
+     results[i] = CURL_LAST; /* initialize with invalid value */
+     res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
+     if(res) {
+-      fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n",
+-              __FILE__, __LINE__, res);
++      fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n",
++              __FILE__, __LINE__, i, res);
+       tid_count = i;
+       test_failure = -1;
+       goto cleanup;
+-- 
+2.37.1
+

0104-curl-7.88.0-tests-warnings.patch

@@ -0,0 +1,30 @@
+From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 15 Feb 2023 10:42:38 +0100
+Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them"
+
+While it might be useful for upstream developers, it is not so useful
+for downstream consumers.
+
+This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8.
+---
+ tests/runtests.pl | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 71644ad18..0cf85c3fe 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -55,8 +55,7 @@
+ # given, this won't be a problem.
+ 
+ use strict;
+-# Promote all warnings to fatal
+-use warnings FATAL => 'all';
++use warnings;
+ use 5.006;
+ 
+ # These should be the only variables that might be needed to get edited:
+-- 
+2.39.1
+

curl.rpmlintrc

@@ -1,15 +0,0 @@
-# Intentional stuff we're not concerned about
-addFilter("unversioned-explicit-provides webclient")
-addFilter("package-with-huge-docs")
-addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
-
-# This is just plain wrong (%_configure redefinition)
-addFilter("configure-without-libdir-spec")
-
-# Technical term
-addFilter("E: spelling-error \('kerberos',")
-
-# Artefacts of RemovePathPostfixes: .minimal
-addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
-#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
-#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")

curl.spec

@@ -1,40 +1,61 @@
-# OpenSSL ENGINE support
-# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41
-# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
-# Change the bcond to 0 to turn off ENGINE support by default
-%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10]
-
-# HTTP/3 support
-# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's
-# experimental native OpenSSL 3.5 support.
-%bcond http3 %[0%{?fedora} >= 43]
-
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.18.0
-Release: 1%{?dist}
+Version: 8.6.0
+Release: 10%{?dist}
 License: curl
-Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
-Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
+Source0: https://curl.se/download/%{name}-%{version}.tar.xz
+Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # The curl download page ( https://curl.se/download.html ) links
 # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key,
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
 
+# remove duplicate content from curl-config.1
+Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch
+
+# ignore response bode to HEAD requests
+# https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa
+Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch
+
+# revert "receive max buffer" + add test case
+# it breaks pycurl tests suite
+Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch
+
+# Fix: Leftovers after chunking should not be part of the curl buffer output
+Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch
+
+# fix Usage of disabled protocol (CVE-2024-2004)
+Patch005: 0005-curl-8.6.0-CVE-2024-2004.patch
+
+# fix HTTP/2 push headers memory-leak (CVE-2024-2398)
+Patch006: 0006-curl-8.6.0-CVE-2024-2398.patch
+
+# fix freeing stack buffer in utf8asn1str (CVE-2024-6197)
+Patch007: 0007-curl-8.6.0-CVE-2024-6197.patch
+
+# fix speed throttling precision issues in transfer.c
+# https://curl.se/mail/lib-2024-03/0001.html
+Patch008: 0008-curl-8.6.0-speed-throttling-precision-issues.patch
+
+# fix speed limiting fix for 32bit systems
+# https://github.com/curl/curl/issues/14272
+Patch009: 0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
+# test3026: disable valgrind
+Patch102: 0102-curl-7.84.0-test3026.patch
+
+# do not fail on warnings in the upstream test driver
+Patch104: 0104-curl-7.88.0-tests-warnings.patch
+
 Provides: curl-full = %{version}-%{release}
 # do not fail when trying to install curl-minimal after drop
 Provides: curl-minimal = %{version}-%{release}
 Provides: webclient
 URL: https://curl.se/
 
-%if 0%{?fedora}
-# instead of bundled wcurl utility, recommend wcurl package
-Recommends: wcurl
-%endif
-
 # The reason for maintaining two separate packages for curl is no longer valid.
 # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal.
 # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096
@@ -48,24 +69,14 @@ BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
 BuildRequires: libnghttp2-devel
-%if %{with http3}
-BuildRequires: libnghttp3-devel
-%endif
 BuildRequires: libpsl-devel
 BuildRequires: libssh-devel
 BuildRequires: libtool
 BuildRequires: make
-%if %{with http3}
-BuildRequires: ngtcp2-crypto-ossl-devel
-%endif
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
-BuildRequires: openssl
 BuildRequires: openssl-devel
-%if %{with openssl_engine_support} && 0%{?fedora} >= 41
-BuildRequires:  openssl-devel-engine
-%endif
 BuildRequires: perl-interpreter
 BuildRequires: pkgconfig
 BuildRequires: python-unversioned-command
@@ -108,7 +119,6 @@ BuildRequires: perl(Exporter)
 BuildRequires: perl(File::Basename)
 BuildRequires: perl(File::Copy)
 BuildRequires: perl(File::Spec)
-BuildRequires: perl(I18N::Langinfo)
 BuildRequires: perl(IPC::Open2)
 BuildRequires: perl(List::Util)
 BuildRequires: perl(Memoize)
@@ -143,19 +153,10 @@ BuildRequires: stunnel
 # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
 Requires: libcurl%{?_isa} >= %{version}-%{release}
 
-# Define OPENSSL_NO_ENGINE to avoid inclusion of <openssl/engine.h>
-%if %{without openssl_engine_support}
-%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE
-%endif
-
 # require at least the version of libnghttp2 that we were built against,
 # to ensure that we have the necessary symbols available (#2144277)
 %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)
 
-# require at least the version of libnghttp3 that we were built against,
-# to ensure that we have the necessary symbols available
-%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0)
-
 # require at least the version of libpsl that we were built against,
 # to ensure that we have the necessary symbols available (#1631804)
 %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
@@ -164,10 +165,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
 # to ensure that we have the necessary symbols available (#525002, #642796)
 %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)
 
-# require at least the version of ngtcp2 that we were built against,
-# to ensure that we have the necessary symbols available
-%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0)
-
 # require at least the version of openssl-libs that we were built against,
 # to ensure that we have the necessary symbols available (#1462184, #1462211)
 # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though)
@@ -184,14 +181,8 @@ resume, proxy tunneling and a busload of other useful tricks.
 %package -n libcurl
 Summary: A library for getting files from web servers
 Requires: libnghttp2%{?_isa} >= %{libnghttp2_version}
-%if %{with http3}
-Requires: libnghttp3%{?_isa} >= %{libnghttp3_version}
-%endif
 Requires: libpsl%{?_isa} >= %{libpsl_version}
 Requires: libssh%{?_isa} >= %{libssh_version}
-%if %{with http3}
-Requires: ngtcp2%{?_isa} >= %{ngtcp2_version}
-%endif
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
 Provides: libcurl-full = %{version}-%{release}
 Provides: libcurl-full%{?_isa} = %{version}-%{release}
@@ -236,11 +227,14 @@ be installed.
 
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -n %{name}-%{version_no_tilde} -p1
+%autosetup -p1
 
+# temporarily disable test 0313
+# <https://bugzilla.redhat.com/show_bug.cgi?id=2263877>
+# <https://github.com/curl/curl/pull/11531>
 # disable test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
-printf "1801\n" >>tests/data/DISABLED
+printf "313\n1801\n" >> tests/data/DISABLED
 
 # test3026: avoid pthread_create() failure due to resource exhaustion on i386
 %ifarch %{ix86}
@@ -260,14 +254,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323
     eval "$cmd"
 )
 
-# avoid unnecessary arch-dependent line in the processed file
-sed -e '/# Used in @libdir@/d' \
-    -i curl-config.in
-
-%build
 # regenerate the configure script and Makefile.in files
 autoreconf -fiv
 
+%build
 mkdir build-{full,minimal}
 export common_configure_opts="          \
     --cache-file=../config.cache        \
@@ -281,8 +271,7 @@ export common_configure_opts="          \
     --with-gssapi                       \
     --with-libidn2                      \
     --with-nghttp2                      \
-    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
-    --with-zsh-functions-dir"
+    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
 
 %global _configure ../configure
 
@@ -297,6 +286,7 @@ export common_configure_opts="          \
         --disable-ldaps                 \
         --disable-mqtt                  \
         --disable-ntlm                  \
+        --disable-ntlm-wb               \
         --disable-pop3                  \
         --disable-rtsp                  \
         --disable-smb                   \
@@ -321,6 +311,7 @@ export common_configure_opts="          \
         --enable-ldaps                  \
         --enable-mqtt                   \
         --enable-ntlm                   \
+        --enable-ntlm-wb                \
         --enable-pop3                   \
         --enable-rtsp                   \
         --enable-smb                    \
@@ -331,11 +322,7 @@ export common_configure_opts="          \
         --enable-websockets             \
         --with-brotli                   \
         --with-libpsl                   \
-        --with-libssh                   \
-%if %{with http3}
-        --with-nghttp3                  \
-        --with-ngtcp2                   \
-%endif
+        --with-libssh
 )
 
 # avoid using rpath
@@ -391,30 +378,32 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
 cd build-full
 %make_install
 
+# install zsh completion for curl
+# (we have to override LD_LIBRARY_PATH because we eliminated rpath)
+LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
+    %make_install -C scripts
+
 # do not install /usr/share/fish/completions/curl.fish which is also installed
 # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
 rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
 
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
-# do not install bundled wcurl utility
-# it is provided by the wcurl package
-rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl
-rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
+# Don't install man for mk-ca-bundle it's upstream bug
+# should be fixed in next release https://github.com/curl/curl/pull/12843
+rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1*
 
 %ldconfig_scriptlets -n libcurl
 
 %ldconfig_scriptlets -n libcurl-minimal
 
 %files
-%doc CHANGES.md
+%doc CHANGES
 %doc README
 %doc docs/BUGS.md
-%doc docs/DISTROS.md
-%doc docs/FAQ.md
+%doc docs/FAQ
 %doc docs/FEATURES.md
-%doc docs/KNOWN_BUGS.md
-%doc docs/TODO.md
+%doc docs/TODO
 %doc docs/TheArtOfHttpScripting.md
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
@@ -442,176 +431,16 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Wed Jan 07 2026 Jan Macku <jamacku@redhat.com> - 8.18.0-1
-- new upstream release
+* Tue Jul 30 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-10
+- fix speed throttling precision issues in transfer.c
+- fix speed limiting fix for 32bit systems
 
-* Mon Jan 05 2026 Jan Macku <jamacku@redhat.com> - 8.18.0~rc3-1
-- new upstream release candidate
+* Thu Jul 25 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-9
+- fix freeing stack buffer in utf8asn1str (CVE-2024-6197)
 
-* Tue Dec 16 2025 Jan Macku <jamacku@redhat.com> - 8.18.0~rc2-1
-- new upstream release candidate
-- reenable valgrind on test 616
-
-* Tue Dec 09 2025 Jan Macku <jamacku@redhat.com> - 8.18.0~rc1-1
-- new upstream release candidate
-- drop upstreamed patches
-
-* Sun Dec 07 2025 Aleksei Bavshin <alebastr@fedoraproject.org> - 8.17.0-5
-- Enable HTTP/3 support with ngtcp2
-
-* Thu Dec 04 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-4
-- apply upstream patches for valgrind issues in HTTP/3 (#2408809)
-
-* Thu Nov 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-3
-- recommend wcurl package instead of bundled wcurl utility
-
-* Thu Nov 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-2
-- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead
-
-* Mon Nov 10 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-1
-- new upstream release
-
-* Thu Oct 30 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc3-1
-- new upstream release candidate
-
-* Tue Oct 21 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc2-1
-- new upstream release candidate
-
-* Mon Oct 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc1-1
-- new upstream release candidate
-
-* Wed Sep 10 2025 Jan Macku <jamacku@redhat.com> - 8.16.0-1
-- new upstream release
-
-* Wed Sep 03 2025 Jan Macku <jamacku@redhat.com> - 8.16.0~rc3-1
-- new upstream release candidate
-
-* Tue Aug 26 2025 Jan Macku <jamacku@redhat.com> - 8.16.0~rc2-1
-- new upstream release candidate
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Wed Jul 16 2025 Jan Macku <jamacku@redhat.com> - 8.15.0-1
-- new upstream release
-
-* Thu Jul 10 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc3-1
-- new upstream release candidate
-
-* Mon Jun 30 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc2-1
-- new upstream release candidate
-
-* Mon Jun 23 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc1-1
-- new upstream release candidate
-
-* Wed Jun 04 2025 Jan Macku <jamacku@redhat.com> - 8.14.1-1
-- new upstream release
-- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed)
-
-* Wed May 28 2025 Jan Macku <jamacku@redhat.com> - 8.14.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2025-5025 - No QUIC certificate pinning with wolfSSL
-    CVE-2025-4947 - QUIC certificate check skip with wolfSSL
-- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles
-
-* Fri May 02 2025 Jan Macku <jamacku@redhat.com> - 8.14.0~rc1-1
-- new upstream release candidate
-- new utility: wcurl which lets you download URLs without having to remember any parameters
-
-* Wed Apr 02 2025 Jan Macku <jamacku@redhat.com> - 8.13.0-1
-- new upstream release
-- add build time dependency on openssl (required by tests)
-
-* Wed Mar 26 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc3-1
-- new upstream release candidate
-- drop: 0102-curl-7.84.0-test3026.patch (no longer needed)
-
-* Tue Mar 18 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc2-1
-- new upstream release candidate
-
-* Thu Mar 13 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc1-2
-- fix --cert parameter (#2351531)
-
-* Mon Mar 10 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc1-1
-- new upstream release candidate
-
-* Wed Feb 05 2025 Jan Macku <jamacku@redhat.com> - 8.12.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2025-0725 - gzip integer overflow
-    CVE-2025-0665 - eventfd double close
-    CVE-2025-0167 - netrc and default credential leak
-- drop upstreamed patches
-
-* Fri Jan 31 2025 Jan Macku <jamacku@redhat.com> - 8.11.1-4
-- TLS: check connection for SSL use, not handler (#2324130#c7)
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.11.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Sun Dec 15 2024 Paul Howarth <paul@city-fan.org> - 8.11.1-2
-- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350)
-  - https://github.com/curl/curl/issues/15725
-  - https://github.com/curl/curl/pull/15727
-
-* Wed Dec 11 2024 Jan Macku <jamacku@redhat.com> - 8.11.1-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-11053 - netrc and redirect credential leak
-
-* Wed Nov 06 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 8.11.0-2
-- Disable engine support on RHEL 10+
-
-* Wed Nov 06 2024 Jan Macku <jamacku@redhat.com> - 8.11.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-9681 - HSTS subdomain overwrites parent cache entry
-
-* Tue Sep 24 2024 Jan Macku <jamacku@redhat.com> - 8.10.1-2
-- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564)
-
-* Wed Sep 18 2024 Jan Macku <jamacku@redhat.com> - 8.10.1-1
-- new upstream release
-
-* Wed Sep 11 2024 Jan Macku <jamacku@redhat.com> - 8.10.0-1
-- new upstream release
-
-* Wed Aug 21 2024 Jacek Migacz <jmigacz@redhat.com> - 8.9.1-3
-- Retire deprecated ntlm-wb configure option
-
-* Mon Aug 5 2024 voidanix <voidanix@keyedlimepie.org> - 8.9.1-2
-- Apply SIGPIPE-related patch due to upstream regression
-
-* Wed Jul 24 2024 Jan Macku <jamacku@redhat.com> - 8.9.1-1
-- new upstream release
-
-* Wed Jul 24 2024 Jan Macku <jamacku@redhat.com> - 8.9.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-6874 - macidn punycode buffer overread
-    CVE-2024-6197 - freeing stack buffer in utf8asn1str
-- drop upstreamed patches
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 8.8.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Fri Jul 12 2024 Paul Howarth <paul@city-fan.org> - 8.8.0-2
-- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
-- added build condition for openssl_engine_support, true by default so as to
-  not change the resulting built package (yet)
-- with openssl_engine_support true, BR: openssl-devel-engine
-- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE
-
-* Wed May 22 2024 Jan Macku <jamacku@redhat.com> - 8.8.0-1
-- new upstream release
-- drop upstreamed patches
-
-* Wed Mar 27 2024 Jan Macku <jamacku@redhat.com> - 8.7.1-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-2004 - Usage of disabled protocol
-    CVE-2024-2379 - QUIC certificate check bypass with wolfSSL
-    CVE-2024-2398 - HTTP/2 push headers memory-leak
-    CVE-2024-2466 - TLS certificate check bypass with mbedTLS
-- drop upstreamed patches
-- reenable test 0313
-- fix zsh completions, use --with-zsh-functions-dir
-- apply upstream patches for 8.7.1 issues and regressions
+* Wed Apr 03 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-8
+- fix Usage of disabled protocol (CVE-2024-2004)
+- fix HTTP/2 push headers memory-leak (CVE-2024-2398)
 
 * Mon Feb 19 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-7
 - Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220)

sources

@@ -1,2 +1,2 @@
-SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
-SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
+SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036
+SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f

tests/non-root-user-download/runtest.sh

@@ -31,9 +31,9 @@
 
 PACKAGE="curl"
 
-FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"