Resolves: CVE-2025-9086 - Out of bounds read for cookie path

The final /usr/bin/curl-config file had a comment like
"prefix=/usr # used in /usr/lib64" or "prefix=/usr # used in /usr/lib",
depending on the arch. This causes the following error on upgrades from f40
for people who have both libcurl-devel.i686 and libcurl-devel.x86_64
installed:

  Transaction failed: Rpm transaction failed.
    - file /usr/bin/curl-config conflicts between attempted installs of
      libcurl-devel-8.9.1-2.fc41.i686 and libcurl-devel-8.9.1-2.fc41.x86_64

The comment is actually not useful at all after the variable is expanded,
since it's not clear what is meant by "used in /usr/lib64". Just drop it.

With this change, the packages are constinstallable again.

.gitignore

@@ -2,5 +2,5 @@
 /curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
 /curl-[0-9.]*.tar.xz.asc
-/curl-[0-9]*.[0-9]*.[0-9]*/
+/curl-[0-9].[0-9].[0-9]/
 /*.src.rpm

0001-curl-8.9.1-sigpipe.patch

@@ -0,0 +1,32 @@
+From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 5 Aug 2024 00:17:17 +0200
+Subject: [PATCH] sigpipe: init the struct so that first apply ignores
+
+Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after
+init ignores the signal (unless CURLOPT_NOSIGNAL) is set.
+
+I have read the existing code multiple times now and I think it gets the
+initial state reversed this missing to ignore.
+
+Regression from 17e6f06ea37136c36d27
+
+Reported-by: Rasmus Thomsen
+Fixes #14344
+Closes #14390
+---
+ lib/sigpipe.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/sigpipe.h b/lib/sigpipe.h
+index b91a2f51333956..d78afd905d3414 100644
+--- a/lib/sigpipe.h
++++ b/lib/sigpipe.h
+@@ -39,6 +39,7 @@ struct sigpipe_ignore {
+ static void sigpipe_init(struct sigpipe_ignore *ig)
+ {
+   memset(ig, 0, sizeof(*ig));
++  ig->no_signal = TRUE;
+ }
+ 
+ /*

0002-curl-8.10.1-CVE-2024-9681.patch

@@ -0,0 +1,115 @@
+From dd2859d77ddaf29516b8dce300b0b1fd4839d3f5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 8 Oct 2024 11:20:40 +0200
+Subject: [PATCH] hsts: avoid the local buffer and memcpy on lookup
+
+Closes #15190
+
+(cherry picked from commit 60d8663afb0fb7f113604404c50840dfe9320039)
+
+hsts: improve subdomain handling
+
+- on load, only replace existing HSTS entries if there is a full host
+  match
+
+- on matching, prefer a full host match and secondary the longest tail
+  subdomain match
+
+Closes #15210
+
+(cherry picked from commit a94973805df96269bf3f3bf0a20ccb9887313316)
+---
+ lib/hsts.c          | 30 ++++++++++++++++--------------
+ tests/data/test1660 |  2 +-
+ 2 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 8cd77ae3c..b4cced857 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -249,24 +249,23 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
++  struct stsentry *bestsub = NULL;
+   if(h) {
+-    char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
++    size_t blen = 0;
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+-    memcpy(buffer, hostname, hlen);
+     if(hostname[hlen-1] == '.')
+       /* remove the trailing dot */
+       --hlen;
+-    buffer[hlen] = 0;
+-    hostname = buffer;
+ 
+     for(e = h->list.head; e; e = n) {
+       struct stsentry *sts = e->ptr;
++      size_t ntail;
+       n = e->next;
+       if(sts->expires <= now) {
+         /* remove expired entries */
+@@ -274,20 +273,23 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         hsts_free(sts);
+         continue;
+       }
+-      if(subdomain && sts->includeSubDomains) {
+-        size_t ntail = strlen(sts->host);
+-        if(ntail < hlen) {
+-          size_t offs = hlen - ntail;
+-          if((hostname[offs-1] == '.') &&
+-             strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
++      ntail = strlen(sts->host);
++      if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
++        size_t offs = hlen - ntail;
++        if((hostname[offs-1] == '.') &&
++           strncasecompare(&hostname[offs], sts->host, ntail) &&
++           (ntail > blen)) {
++          /* save the tail match with the longest tail */
++          bestsub = sts;
++          blen = ntail;
+         }
+       }
+-      if(strcasecompare(hostname, sts->host))
++      /* avoid strcasecompare because the host name is not null terminated */
++      if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
++  return bestsub;
+ }
+ 
+ /*
+@@ -439,7 +441,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
++    else if(strcasecompare(p, e->host)) {
+       /* the same hostname, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index f86126d19..4b6f9615c 100644
+--- a/tests/data/test1660
++++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
++3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
+-- 
+2.47.1
+

0003-curl-8.9.1-CVE-2025-9086.patch

@@ -0,0 +1,53 @@
+From 5dd433a190c1003bd78cc5a3e9f8a5827cd97516 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+
+(cherry picked from commit c6ae07c6a541e0e96d0040afb62b45dd37711300)
+---
+ lib/cookie.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index b0d8d84be..1db308372 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -317,7 +317,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   }
+ 
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
++  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
+@@ -1076,7 +1076,7 @@ Curl_cookie_add(struct Curl_easy *data,
+          clist->spath && co->spath && /* both have paths */
+          clist->secure && !co->secure && !secure) {
+         size_t cllen;
+-        const char *sep;
++        const char *sep = NULL;
+ 
+         /*
+          * A non-secure cookie may not overlay an existing secure cookie.
+@@ -1085,8 +1085,9 @@ Curl_cookie_add(struct Curl_easy *data,
+          * "/loginhelper" is ok.
+          */
+ 
+-        sep = strchr(clist->spath + 1, '/');
+-
++        DEBUGASSERT(clist->spath[0]);
++        if(clist->spath[0])
++          sep = strchr(clist->spath + 1, '/');
+         if(sep)
+           cllen = sep - clist->spath;
+         else
+-- 
+2.51.0
+

0101-curl-7.32.0-multilib.patch

@@ -1,7 +1,7 @@
-From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001
+From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001
 From: Jan Macku <jamacku@redhat.com>
-Date: Tue, 16 Dec 2025 10:04:40 +0100
-Subject: [PATCH] prevent multilib conflicts on the curl-config script
+Date: Wed, 22 May 2024 13:00:08 +0200
+Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script
 
 ---
  curl-config.in      | 23 +++++------------------
@@ -10,47 +10,47 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script
  3 files changed, 9 insertions(+), 19 deletions(-)
 
 diff --git a/curl-config.in b/curl-config.in
-index a1c8185875..bb43ca8335 100644
+index 085bb1ef5..e4700260e 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -74,7 +74,7 @@ while test "$#" -gt 0; do
+@@ -73,7 +73,7 @@ while test "$#" -gt 0; do
      ;;
  
    --cc)
 -    echo '@CC@'
-+    echo 'gcc'
++    echo "gcc"
      ;;
  
    --prefix)
-@@ -149,16 +149,7 @@ while test "$#" -gt 0; do
+@@ -153,16 +153,7 @@ while test "$#" -gt 0; do
      ;;
  
    --libs)
--    if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then
--      curllibdir="-L@libdir@ "
+-    if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
+-      CURLLIBDIR="-L@libdir@ "
 -    else
--      curllibdir=''
+-      CURLLIBDIR=""
 -    fi
--    if test '@ENABLE_SHARED@' = 'no'; then
--      echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@"
+-    if test "X@ENABLE_SHARED@" = "Xno"; then
+-      echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@"
 -    else
--      echo "${curllibdir}-lcurl"
+-      echo "${CURLLIBDIR}-lcurl"
 -    fi
-+    echo '-lcurl'
++    echo -lcurl
      ;;
  
    --ssl-backends)
-@@ -166,16 +157,12 @@ while test "$#" -gt 0; do
+@@ -170,16 +161,12 @@ while test "$#" -gt 0; do
      ;;
  
    --static-libs)
--    if test '@ENABLE_STATIC@' != 'no'; then
--      echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@"
+-    if test "X@ENABLE_STATIC@" != "Xno" ; then
+-      echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@
 -    else
 -      echo 'curl was built with static libraries disabled' >&2
 -      exit 1
 -    fi
-+    echo 'curl was built with static libraries disabled' >&2
++    echo "curl was built with static libraries disabled" >&2
 +    exit 1
      ;;
  
@@ -61,11 +61,11 @@ index a1c8185875..bb43ca8335 100644
  
    *)
 diff --git a/docs/curl-config.md b/docs/curl-config.md
-index 12ad245b79..fa0e03d273 100644
+index d82725082..a79f816e2 100644
 --- a/docs/curl-config.md
 +++ b/docs/curl-config.md
-@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated.
- ## `--static-libs`
+@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated.
+ ## --static-libs
  
  Shows the complete set of libs and other linker options you need in order to
 -link your application with libcurl statically. (Added in 7.17.1)
@@ -73,13 +73,13 @@ index 12ad245b79..fa0e03d273 100644
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
  
- ## `--version`
+ ## --version
  
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index c0ba5244a8..f3645e1748 100644
+index 9db6b0f89..dcac6925a 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
-@@ -28,6 +28,7 @@ libdir=@libdir@
+@@ -31,6 +31,7 @@ libdir=@libdir@
  includedir=@includedir@
  supported_protocols="@SUPPORT_PROTOCOLS@"
  supported_features="@SUPPORT_FEATURES@"
@@ -88,5 +88,5 @@ index c0ba5244a8..f3645e1748 100644
  Name: libcurl
  URL: https://curl.se/
 -- 
-2.52.0
+2.45.1
 

0102-curl-7.84.0-test3026.patch

@@ -0,0 +1,71 @@
+From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Wed, 22 May 2024 13:03:43 +0200
+Subject: [PATCH 2/2] test3026: disable valgrind
+
+It fails on x86_64 with:
+```
+ Use --max-threads=INT to specify a larger number of threads
+ and rerun valgrind
+ valgrind: the 'impossible' happened:
+    Max number of threads is too low
+ host stacktrace:
+ ==174357==    at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ sched status:
+   running_tid=1
+ Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357)
+ ==174357==    at 0x4A07816: clone (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x1093B5: test.part.0 (lib3026.c:64)
+ ==174357==    by 0x492454F: (below main) (in /usr/lib64/libc.so.6)
+ client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998
+ valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576
+[...]
+```
+---
+ tests/data/test3026     | 3 +++
+ tests/libtest/lib3026.c | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tests/data/test3026 b/tests/data/test3026
+index ee9b30678..dd582c3e5 100644
+--- a/tests/data/test3026
++++ b/tests/data/test3026
+@@ -41,5 +41,8 @@ none
+ <errorcode>
+ 0
+ </errorcode>
++<valgrind>
++disable
++</valgrind>
+ </verify>
+ </testcase>
+diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
+index 7e914010e..39374f5bc 100644
+--- a/tests/libtest/lib3026.c
++++ b/tests/libtest/lib3026.c
+@@ -145,8 +145,8 @@ CURLcode test(char *URL)
+     results[i] = CURL_LAST; /* initialize with invalid value */
+     res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
+     if(res) {
+-      fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n",
+-              __FILE__, __LINE__, res);
++      fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n",
++              __FILE__, __LINE__, i, res);
+       tid_count = i;
+       test_failure = (CURLcode)-1;
+       goto cleanup;
+-- 
+2.45.1
+

0104-curl-7.88.0-tests-warnings.patch

@@ -0,0 +1,30 @@
+From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Wed, 24 Jul 2024 15:15:11 +0200
+Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them"
+
+While it might be useful for upstream developers, it is not so useful
+for downstream consumers.
+
+This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8.
+---
+ tests/runtests.pl | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 9cc9ef1..c9a1c5d 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -57,8 +57,7 @@
+ # given, this won't be a problem.
+ 
+ use strict;
+-# Promote all warnings to fatal
+-use warnings FATAL => 'all';
++use warnings;
+ use 5.006;
+ use POSIX qw(strftime);
+ 
+-- 
+2.45.2
+

curl.rpmlintrc

@@ -1,15 +0,0 @@
-# Intentional stuff we're not concerned about
-addFilter("unversioned-explicit-provides webclient")
-addFilter("package-with-huge-docs")
-addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
-
-# This is just plain wrong (%_configure redefinition)
-addFilter("configure-without-libdir-spec")
-
-# Technical term
-addFilter("E: spelling-error \('kerberos',")
-
-# Artefacts of RemovePathPostfixes: .minimal
-addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
-#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
-#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")

curl.spec

@@ -2,39 +2,45 @@
 # This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41
 # https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
 # Change the bcond to 0 to turn off ENGINE support by default
-%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10]
-
-# HTTP/3 support
-# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's
-# experimental native OpenSSL 3.5 support.
-%bcond http3 %[0%{?fedora} >= 43]
+%bcond openssl_engine_support 1
 
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.18.0
-Release: 1%{?dist}
+Version: 8.9.1
+Release: 4%{?dist}
 License: curl
-Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
-Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
+Source0: https://curl.se/download/%{name}-%{version}.tar.xz
+Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # The curl download page ( https://curl.se/download.html ) links
 # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key,
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
 
+# fix crashes with transmission due to SIGPIPE
+# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970
+Patch001: 0001-curl-8.9.1-sigpipe.patch
+
+# fix HSTS subdomain overwrites parent cache entry (CVE-2024-9681)
+Patch002: 0002-curl-8.10.1-CVE-2024-9681.patch
+
+# fix Out of bounds read for cookie path (CVE-2025-9086)
+Patch003: 0003-curl-8.9.1-CVE-2025-9086.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
+# test3026: disable valgrind
+Patch102: 0102-curl-7.84.0-test3026.patch
+
+# do not fail on warnings in the upstream test driver
+Patch104: 0104-curl-7.88.0-tests-warnings.patch
+
 Provides: curl-full = %{version}-%{release}
 # do not fail when trying to install curl-minimal after drop
 Provides: curl-minimal = %{version}-%{release}
 Provides: webclient
 URL: https://curl.se/
 
-%if 0%{?fedora}
-# instead of bundled wcurl utility, recommend wcurl package
-Recommends: wcurl
-%endif
-
 # The reason for maintaining two separate packages for curl is no longer valid.
 # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal.
 # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096
@@ -48,22 +54,15 @@ BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
 BuildRequires: libnghttp2-devel
-%if %{with http3}
-BuildRequires: libnghttp3-devel
-%endif
 BuildRequires: libpsl-devel
 BuildRequires: libssh-devel
 BuildRequires: libtool
 BuildRequires: make
-%if %{with http3}
-BuildRequires: ngtcp2-crypto-ossl-devel
-%endif
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
-BuildRequires: openssl
 BuildRequires: openssl-devel
-%if %{with openssl_engine_support} && 0%{?fedora} >= 41
+%if %{with openssl_engine_support}
 BuildRequires:  openssl-devel-engine
 %endif
 BuildRequires: perl-interpreter
@@ -108,7 +107,6 @@ BuildRequires: perl(Exporter)
 BuildRequires: perl(File::Basename)
 BuildRequires: perl(File::Copy)
 BuildRequires: perl(File::Spec)
-BuildRequires: perl(I18N::Langinfo)
 BuildRequires: perl(IPC::Open2)
 BuildRequires: perl(List::Util)
 BuildRequires: perl(Memoize)
@@ -152,10 +150,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
 # to ensure that we have the necessary symbols available (#2144277)
 %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)
 
-# require at least the version of libnghttp3 that we were built against,
-# to ensure that we have the necessary symbols available
-%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0)
-
 # require at least the version of libpsl that we were built against,
 # to ensure that we have the necessary symbols available (#1631804)
 %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
@@ -164,10 +158,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
 # to ensure that we have the necessary symbols available (#525002, #642796)
 %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)
 
-# require at least the version of ngtcp2 that we were built against,
-# to ensure that we have the necessary symbols available
-%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0)
-
 # require at least the version of openssl-libs that we were built against,
 # to ensure that we have the necessary symbols available (#1462184, #1462211)
 # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though)
@@ -184,14 +174,8 @@ resume, proxy tunneling and a busload of other useful tricks.
 %package -n libcurl
 Summary: A library for getting files from web servers
 Requires: libnghttp2%{?_isa} >= %{libnghttp2_version}
-%if %{with http3}
-Requires: libnghttp3%{?_isa} >= %{libnghttp3_version}
-%endif
 Requires: libpsl%{?_isa} >= %{libpsl_version}
 Requires: libssh%{?_isa} >= %{libssh_version}
-%if %{with http3}
-Requires: ngtcp2%{?_isa} >= %{ngtcp2_version}
-%endif
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
 Provides: libcurl-full = %{version}-%{release}
 Provides: libcurl-full%{?_isa} = %{version}-%{release}
@@ -236,7 +220,7 @@ be installed.
 
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -n %{name}-%{version_no_tilde} -p1
+%autosetup -p1
 
 # disable test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
@@ -281,7 +265,7 @@ export common_configure_opts="          \
     --with-gssapi                       \
     --with-libidn2                      \
     --with-nghttp2                      \
-    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
+    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
     --with-zsh-functions-dir"
 
 %global _configure ../configure
@@ -297,6 +281,7 @@ export common_configure_opts="          \
         --disable-ldaps                 \
         --disable-mqtt                  \
         --disable-ntlm                  \
+        --disable-ntlm-wb               \
         --disable-pop3                  \
         --disable-rtsp                  \
         --disable-smb                   \
@@ -321,6 +306,7 @@ export common_configure_opts="          \
         --enable-ldaps                  \
         --enable-mqtt                   \
         --enable-ntlm                   \
+        --enable-ntlm-wb                \
         --enable-pop3                   \
         --enable-rtsp                   \
         --enable-smb                    \
@@ -331,11 +317,7 @@ export common_configure_opts="          \
         --enable-websockets             \
         --with-brotli                   \
         --with-libpsl                   \
-        --with-libssh                   \
-%if %{with http3}
-        --with-nghttp3                  \
-        --with-ngtcp2                   \
-%endif
+        --with-libssh
 )
 
 # avoid using rpath
@@ -397,24 +379,18 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
 
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
-# do not install bundled wcurl utility
-# it is provided by the wcurl package
-rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl
-rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
-
 %ldconfig_scriptlets -n libcurl
 
 %ldconfig_scriptlets -n libcurl-minimal
 
 %files
-%doc CHANGES.md
+%doc CHANGES
 %doc README
 %doc docs/BUGS.md
 %doc docs/DISTROS.md
-%doc docs/FAQ.md
+%doc docs/FAQ
 %doc docs/FEATURES.md
-%doc docs/KNOWN_BUGS.md
-%doc docs/TODO.md
+%doc docs/TODO
 %doc docs/TheArtOfHttpScripting.md
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
@@ -442,139 +418,11 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Wed Jan 07 2026 Jan Macku <jamacku@redhat.com> - 8.18.0-1
-- new upstream release
+* Wed Sep 17 2025 Jan Macku <jamacku@redhat.com> - 8.9.1-4
+- fix Out of bounds read for cookie path (CVE-2025-9086)
 
-* Mon Jan 05 2026 Jan Macku <jamacku@redhat.com> - 8.18.0~rc3-1
-- new upstream release candidate
-
-* Tue Dec 16 2025 Jan Macku <jamacku@redhat.com> - 8.18.0~rc2-1
-- new upstream release candidate
-- reenable valgrind on test 616
-
-* Tue Dec 09 2025 Jan Macku <jamacku@redhat.com> - 8.18.0~rc1-1
-- new upstream release candidate
-- drop upstreamed patches
-
-* Sun Dec 07 2025 Aleksei Bavshin <alebastr@fedoraproject.org> - 8.17.0-5
-- Enable HTTP/3 support with ngtcp2
-
-* Thu Dec 04 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-4
-- apply upstream patches for valgrind issues in HTTP/3 (#2408809)
-
-* Thu Nov 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-3
-- recommend wcurl package instead of bundled wcurl utility
-
-* Thu Nov 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-2
-- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead
-
-* Mon Nov 10 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-1
-- new upstream release
-
-* Thu Oct 30 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc3-1
-- new upstream release candidate
-
-* Tue Oct 21 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc2-1
-- new upstream release candidate
-
-* Mon Oct 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc1-1
-- new upstream release candidate
-
-* Wed Sep 10 2025 Jan Macku <jamacku@redhat.com> - 8.16.0-1
-- new upstream release
-
-* Wed Sep 03 2025 Jan Macku <jamacku@redhat.com> - 8.16.0~rc3-1
-- new upstream release candidate
-
-* Tue Aug 26 2025 Jan Macku <jamacku@redhat.com> - 8.16.0~rc2-1
-- new upstream release candidate
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Wed Jul 16 2025 Jan Macku <jamacku@redhat.com> - 8.15.0-1
-- new upstream release
-
-* Thu Jul 10 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc3-1
-- new upstream release candidate
-
-* Mon Jun 30 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc2-1
-- new upstream release candidate
-
-* Mon Jun 23 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc1-1
-- new upstream release candidate
-
-* Wed Jun 04 2025 Jan Macku <jamacku@redhat.com> - 8.14.1-1
-- new upstream release
-- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed)
-
-* Wed May 28 2025 Jan Macku <jamacku@redhat.com> - 8.14.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2025-5025 - No QUIC certificate pinning with wolfSSL
-    CVE-2025-4947 - QUIC certificate check skip with wolfSSL
-- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles
-
-* Fri May 02 2025 Jan Macku <jamacku@redhat.com> - 8.14.0~rc1-1
-- new upstream release candidate
-- new utility: wcurl which lets you download URLs without having to remember any parameters
-
-* Wed Apr 02 2025 Jan Macku <jamacku@redhat.com> - 8.13.0-1
-- new upstream release
-- add build time dependency on openssl (required by tests)
-
-* Wed Mar 26 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc3-1
-- new upstream release candidate
-- drop: 0102-curl-7.84.0-test3026.patch (no longer needed)
-
-* Tue Mar 18 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc2-1
-- new upstream release candidate
-
-* Thu Mar 13 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc1-2
-- fix --cert parameter (#2351531)
-
-* Mon Mar 10 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc1-1
-- new upstream release candidate
-
-* Wed Feb 05 2025 Jan Macku <jamacku@redhat.com> - 8.12.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2025-0725 - gzip integer overflow
-    CVE-2025-0665 - eventfd double close
-    CVE-2025-0167 - netrc and default credential leak
-- drop upstreamed patches
-
-* Fri Jan 31 2025 Jan Macku <jamacku@redhat.com> - 8.11.1-4
-- TLS: check connection for SSL use, not handler (#2324130#c7)
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.11.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Sun Dec 15 2024 Paul Howarth <paul@city-fan.org> - 8.11.1-2
-- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350)
-  - https://github.com/curl/curl/issues/15725
-  - https://github.com/curl/curl/pull/15727
-
-* Wed Dec 11 2024 Jan Macku <jamacku@redhat.com> - 8.11.1-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-11053 - netrc and redirect credential leak
-
-* Wed Nov 06 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 8.11.0-2
-- Disable engine support on RHEL 10+
-
-* Wed Nov 06 2024 Jan Macku <jamacku@redhat.com> - 8.11.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2024-9681 - HSTS subdomain overwrites parent cache entry
-
-* Tue Sep 24 2024 Jan Macku <jamacku@redhat.com> - 8.10.1-2
-- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564)
-
-* Wed Sep 18 2024 Jan Macku <jamacku@redhat.com> - 8.10.1-1
-- new upstream release
-
-* Wed Sep 11 2024 Jan Macku <jamacku@redhat.com> - 8.10.0-1
-- new upstream release
-
-* Wed Aug 21 2024 Jacek Migacz <jmigacz@redhat.com> - 8.9.1-3
-- Retire deprecated ntlm-wb configure option
+* Thu Dec 12 2024 Jan Macku <jamacku@redhat.com> - 8.9.1-3
+- fix HSTS subdomain overwrites parent cache entry (CVE-2024-9681)
 
 * Mon Aug 5 2024 voidanix <voidanix@keyedlimepie.org> - 8.9.1-2
 - Apply SIGPIPE-related patch due to upstream regression

sources

@@ -1,2 +1,2 @@
-SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
-SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
+SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7
+SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b

tests/non-root-user-download/runtest.sh

@@ -31,9 +31,9 @@
 
 PACKAGE="curl"
 
-FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"