Resolves: CVE-2025-10148 - predictable WebSocket mask

Resolves: CVE-2025-9086 - Out of bounds read for cookie path
properly parse 'type=' in -F command line arguments
2025-09-18 10:08:40 +02:00 · 2025-09-17 15:18:13 +02:00 · 2025-06-19 15:01:15 +02:00
12 changed files with 654 additions and 170 deletions
--- a/0001-curl-8.11.1-eventfd.patch
+++ b/0001-curl-8.11.1-eventfd.patch
@ -0,0 +1,31 @@
+From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001
+From: Andy Pan <i@andypan.me>
+Date: Thu, 12 Dec 2024 12:48:56 +0000
+Subject: [PATCH] async-thread: avoid closing eventfd twice
+
+When employing eventfd for socketpair, there is only one file
+descriptor. Closing that fd twice might result in fd corruption.
+Thus, we should avoid closing the eventfd twice, following the
+pattern in lib/multi.c.
+
+Fixes #15725
+---
+ lib/asyn-thread.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
+index a58e4b790494ab..32d496b107cb0a 100644
+--- a/lib/asyn-thread.c
+++ b/lib/asyn-thread.c
+@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd)
+    * close one end of the socket pair (may be done in resolver thread);
+    * the other end (for reading) is always closed in the parent thread.
+    */
+#ifndef USE_EVENTFD
+   if(tsd->sock_pair[1] != CURL_SOCKET_BAD) {
+     wakeup_close(tsd->sock_pair[1]);
+   }
+#endif
+ #endif
+   memset(tsd, 0, sizeof(*tsd));
+ }
--- a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch
+++ b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch
@ -0,0 +1,227 @@
+From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 17 Jan 2025 11:57:00 +0100
+Subject: [PATCH] TLS: check connection for SSL use, not handler
+
+Protocol handler option PROTOPT_SSL is used to setup a connection
+filters. Once that is done, used `Curl_conn_is_ssl()` to check if
+a connection uses SSL.
+
+There may be other reasons to add SSL to a connection, e.g. starttls.
+
+Closes #16034
+
+(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2)
+---
+ lib/cf-socket.c      |  2 +-
+ lib/ftp.c            |  2 +-
+ lib/http.c           |  8 ++++----
+ lib/http_negotiate.c |  3 ++-
+ lib/imap.c           |  2 +-
+ lib/ldap.c           |  3 ++-
+ lib/openldap.c       |  2 +-
+ lib/pop3.c           |  2 +-
+ lib/smb.c            |  2 +-
+ lib/smtp.c           |  2 +-
+ lib/url.c            | 12 ++++++------
+ 11 files changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/lib/cf-socket.c b/lib/cf-socket.c
+index 497a3b965..de0c8a3ba 100644
+--- a/lib/cf-socket.c
+++ b/lib/cf-socket.c
+@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data,
+ 
+     rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen);
+ #elif defined(MSG_FASTOPEN) /* old Linux */
+-    if(cf->conn->given->flags & PROTOPT_SSL)
+    if(Curl_conn_is_ssl(cf->conn, cf->sockindex))
+       rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen);
+     else
+       rc = 0; /* Do nothing */
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 16ab0af0d..5137ddca4 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data,
+ 
+   PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp);
+ 
+-  if(conn->handler->flags & PROTOPT_SSL) {
+  if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
+     /* BLOCKING */
+     result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done);
+     if(result)
+diff --git a/lib/http.c b/lib/http.c
+index 35e708551..8e9f0a52e 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done)
+     goto fail;
+   }
+ 
+-  if(!(conn->handler->flags&PROTOPT_SSL) &&
+  if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) &&
+      conn->httpversion < 20 &&
+      (data->state.httpwant == CURL_HTTP_VERSION_2)) {
+     /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done
+@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data,
+   case 'A':
+ #ifndef CURL_DISABLE_ALTSVC
+     v = (data->asi &&
+-         ((data->conn->handler->flags & PROTOPT_SSL) ||
+         (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ||
+ #ifdef DEBUGBUILD
+           /* allow debug builds to circumvent the HTTPS restriction */
+           getenv("CURL_ALTSVC_HTTP")
+@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data,
+ #ifndef CURL_DISABLE_HSTS
+     /* If enabled, the header is incoming and this is over HTTPS */
+     v = (data->hsts &&
+-         ((conn->handler->flags & PROTOPT_SSL) ||
+         (Curl_conn_is_ssl(conn, FIRSTSOCKET) ||
+ #ifdef DEBUGBUILD
+            /* allow debug builds to circumvent the HTTPS restriction */
+            getenv("CURL_HSTS_HTTP")
+@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers,
+       infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme);
+     }
+     else {
+-      scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ?
+      scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ?
+         "https" : "http";
+     }
+   }
+diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
+index 5d76bddf7..f031d0abc 100644
+--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
+@@ -27,6 +27,7 @@
+ #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
+ 
+ #include "urldata.h"
+#include "cfilters.h"
+ #include "sendf.h"
+ #include "http_negotiate.h"
+ #include "vauth/vauth.h"
+@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
+ #endif
+   /* Check if the connection is using SSL and get the channel binding data */
+ #if defined(USE_SSL) && defined(HAVE_GSSAPI)
+-  if(conn->handler->flags & PROTOPT_SSL) {
+  if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
+     Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
+     result = Curl_ssl_get_channel_binding(
+       data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
+diff --git a/lib/imap.c b/lib/imap.c
+index e424cdb05..df9dc343b 100644
+--- a/lib/imap.c
+++ b/lib/imap.c
+@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done)
+   struct connectdata *conn = data->conn;
+   struct imap_conn *imapc = &conn->proto.imapc;
+ 
+-  if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) {
+  if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) {
+     bool ssldone = FALSE;
+     result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone);
+     imapc->ssldone = ssldone;
+diff --git a/lib/ldap.c b/lib/ldap.c
+index 2cbdb9c21..7dd40acef 100644
+--- a/lib/ldap.c
+++ b/lib/ldap.c
+@@ -78,6 +78,7 @@
+ 
+ #include "urldata.h"
+ #include <curl/curl.h>
+#include "cfilters.h"
+ #include "sendf.h"
+ #include "escape.h"
+ #include "progress.h"
+@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+   }
+ 
+   /* Get the URL scheme (either ldap or ldaps) */
+-  if(conn->given->flags & PROTOPT_SSL)
+  if(Curl_conn_is_ssl(conn, FIRSTSOCKET))
+     ldap_ssl = 1;
+   infof(data, "LDAP local: trying to establish %s connection",
+         ldap_ssl ? "encrypted" : "cleartext");
+diff --git a/lib/openldap.c b/lib/openldap.c
+index 8c4af22be..9676ad3d0 100644
+--- a/lib/openldap.c
+++ b/lib/openldap.c
+@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done)
+   ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
+ 
+ #ifdef USE_SSL
+-  if(conn->handler->flags & PROTOPT_SSL)
+  if(Curl_conn_is_ssl(conn, FIRSTSOCKET))
+     return oldap_ssl_connect(data, OLDAP_SSL);
+ 
+   if(data->set.use_ssl) {
+diff --git a/lib/pop3.c b/lib/pop3.c
+index db6ec04c7..83dd64cda 100644
+--- a/lib/pop3.c
+++ b/lib/pop3.c
+@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done)
+   struct connectdata *conn = data->conn;
+   struct pop3_conn *pop3c = &conn->proto.pop3c;
+ 
+-  if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) {
+  if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) {
+     bool ssldone = FALSE;
+     result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone);
+     pop3c->ssldone = ssldone;
+diff --git a/lib/smb.c b/lib/smb.c
+index a72ece62a..a2c82df5e 100644
+--- a/lib/smb.c
+++ b/lib/smb.c
+@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done)
+ 
+   if(smbc->state == SMB_CONNECTING) {
+ #ifdef USE_SSL
+-    if((conn->handler->flags & PROTOPT_SSL)) {
+    if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
+       bool ssl_done = FALSE;
+       result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done);
+       if(result && result != CURLE_AGAIN)
+diff --git a/lib/smtp.c b/lib/smtp.c
+index d854d364f..c7fb0a4ca 100644
+--- a/lib/smtp.c
+++ b/lib/smtp.c
+@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done)
+   struct connectdata *conn = data->conn;
+   struct smtp_conn *smtpc = &conn->proto.smtpc;
+ 
+-  if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) {
+  if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) {
+     bool ssldone = FALSE;
+     result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone);
+     smtpc->ssldone = ssldone;
+diff --git a/lib/url.c b/lib/url.c
+index 436edd891..de200e1dd 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata)
+     return FALSE;
+ #endif
+ 
+-  if((needle->handler->flags&PROTOPT_SSL) !=
+-     (conn->handler->flags&PROTOPT_SSL))
+-    /* do not do mixed SSL and non-SSL connections */
+-    if(get_protocol_family(conn->handler) !=
+-       needle->handler->protocol || !conn->bits.tls_upgraded)
+-      /* except protocols that have been upgraded via TLS */
+  if((!(needle->handler->flags&PROTOPT_SSL) !=
+      !Curl_conn_is_ssl(conn, FIRSTSOCKET)) &&
+     !(get_protocol_family(conn->handler) == needle->handler->protocol &&
+       conn->bits.tls_upgraded))
+    /* Deny `conn` if it is not fit for `needle`'s SSL needs,
+     * UNLESS `conn` is the same protocol family and was upgraded to SSL. */
+       return FALSE;
+ 
+ #ifndef CURL_DISABLE_PROXY
+-- 
+2.48.1
+
--- a/0003-curl-8.11.1-tool_formparse-accept-digits-in-form-type-strings.patch
+++ b/0003-curl-8.11.1-tool_formparse-accept-digits-in-form-type-strings.patch
@ -0,0 +1,73 @@
+From 0a4f5c593d785c4cafa322a5976d4c2b08f8cfa1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 17 Dec 2024 07:52:06 +0100
+Subject: [PATCH] tool_formparse: accept digits in --form type= strings
+
+Adjusted test 186 to verify.
+
+Regression in 9664d5a5475fdc66, shipped in 8.11.1
+
+Reported-by: IcedCoffeee on github
+Assisted-by: Jay Satiro
+Fixes #15761
+Closes #15762
+
+(cherry picked from commit f7e065f314f9d307af8f194a16c95cc754fefd4a)
+---
+ src/tool_formparse.c | 5 +++--
+ tests/data/test186   | 6 +++---
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/tool_formparse.c b/src/tool_formparse.c
+index ddbf1b1a7..814f240e6 100644
+--- a/src/tool_formparse.c
+++ b/src/tool_formparse.c
+@@ -495,14 +495,15 @@ static int get_param_part(struct OperationConfig *config, char endchar,
+       ;
+ 
+     if(!endct && checkprefix("type=", p)) {
+      size_t tlen;
+       for(p += 5; ISSPACE(*p); p++)
+         ;
+       /* set type pointer */
+       type = p;
+ 
+       /* find end of content-type */
+-      while(*p && (ISALPHA(*p) || (*p == '/') || (*p == '-')))
+-        p++;
+      tlen = strcspn(p, "()<>@,;:\\\"[]?=\r\n ");
+      p += tlen;
+       endct = p;
+       sep = *p;
+     }
+diff --git a/tests/data/test186 b/tests/data/test186
+index f5c071946..006de7904 100644
+--- a/tests/data/test186
+++ b/tests/data/test186
+@@ -31,7 +31,7 @@ http
+ HTTP RFC1867-type formposting with types on text fields
+ </name>
+ <command>
+-http://%HOSTIP:%HTTPPORT/we/want/%TESTNUMBER -F "name=daniel;type=moo/foo" -F "html= <body>hello</body>;type=text/html;charset=verymoo"
+http://%HOSTIP:%HTTPPORT/we/want/%TESTNUMBER -F "name=daniel;type=moo/foo-.4" -F "html= <body>hello</body>;type=text/html;charset=verymoo"
+ </command>
+ # We create this file before the command is invoked!
+ </client>
+@@ -46,12 +46,12 @@ POST /we/want/%TESTNUMBER HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ User-Agent: curl/%VERSION
+ Accept: */*
+-Content-Length: 338
+Content-Length: 341
+ Content-Type: multipart/form-data; boundary=----------------------------212d9006ceb5
+ 
+ ------------------------------212d9006ceb5
+ Content-Disposition: form-data; name="name"
+-Content-Type: moo/foo
+Content-Type: moo/foo-.4
+ 
+ daniel
+ ------------------------------212d9006ceb5
+-- 
+2.49.0
+
--- a/0004-curl-8.11.1-CVE-2025-9086.patch
+++ b/0004-curl-8.11.1-CVE-2025-9086.patch
@ -0,0 +1,53 @@
+From aa1c6961db8df9c50850b48e3d675066c54fa510 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Aug 2025 20:23:05 +0200
+Subject: [PATCH] cookie: don't treat the leading slash as trailing
+
+If there is only a leading slash in the path, keep that. Also add an
+assert to make sure the path is never blank.
+
+Reported-by: Google Big Sleep
+Closes #18266
+
+(cherry picked from commit c6ae07c6a541e0e96d0040afb62b45dd37711300)
+---
+ lib/cookie.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 773e5357d..7bf8b429f 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -304,7 +304,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   }
+ 
+   /* convert /hoge/ to /hoge */
+-  if(len && new_path[len - 1] == '/') {
+  if(len > 1 && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
+@@ -1007,7 +1007,7 @@ replace_existing(struct Curl_easy *data,
+          clist->spath && co->spath && /* both have paths */
+          clist->secure && !co->secure && !secure) {
+         size_t cllen;
+-        const char *sep;
+        const char *sep = NULL;
+ 
+         /*
+          * A non-secure cookie may not overlay an existing secure cookie.
+@@ -1016,8 +1016,9 @@ replace_existing(struct Curl_easy *data,
+          * "/loginhelper" is ok.
+          */
+ 
+-        sep = strchr(clist->spath + 1, '/');
+-
+        DEBUGASSERT(clist->spath[0]);
+        if(clist->spath[0])
+          sep = strchr(clist->spath + 1, '/');
+         if(sep)
+           cllen = sep - clist->spath;
+         else
+-- 
+2.51.0
+
--- a/0005-curl-8.11.1-CVE-2025-10148.patch
+++ b/0005-curl-8.11.1-CVE-2025-10148.patch
@ -0,0 +1,58 @@
+From 537b89d02f7200b3b81c833548d597a13aaf1ecf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 8 Sep 2025 14:14:15 +0200
+Subject: [PATCH] ws: get a new mask for each new outgoing frame
+
+Reported-by: Calvin Ruocco
+Closes #18496
+
+(cherry picked from commit 84db7a9eae8468c0445b15aa806fa7fa806fa0f2)
+---
+ lib/ws.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ws.c b/lib/ws.c
+index 3d739a538..d6aadc167 100644
+--- a/lib/ws.c
+++ b/lib/ws.c
+@@ -545,6 +545,7 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   unsigned char firstbyte = 0;
+   unsigned char opcode;
+   unsigned char head[14];
+  CURLcode result;
+   size_t hlen;
+   ssize_t n;
+ 
+@@ -618,6 +619,13 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
+   enc->payload_remain = enc->payload_len = payload_len;
+   ws_enc_info(enc, data, "sending");
+ 
+  /* 4 bytes random */
+
+  result = Curl_rand(data, (unsigned char *)&enc->mask,
+                     sizeof(enc->mask));
+  if(result)
+    return result;
+
+   /* add 4 bytes mask */
+   memcpy(&head[hlen], &enc->mask, 4);
+   hlen += 4;
+@@ -808,14 +816,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data,
+      subprotocol not requested by the client), the client MUST Fail
+      the WebSocket Connection. */
+ 
+-  /* 4 bytes random */
+-
+-  result = Curl_rand(data, (unsigned char *)&ws->enc.mask,
+-                     sizeof(ws->enc.mask));
+-  if(result)
+-    return result;
+-  infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x",
+-        ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]);
+  infof(data, "[WS] Received 101, switch to WebSocket");
+ 
+   /* Install our client writer that decodes WS frames payload */
+   result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode,
+-- 
+2.51.0
+
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@ -1,6 +1,6 @@
-From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001
+From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001
 From: Jan Macku <jamacku@redhat.com>
-Date: Tue, 16 Dec 2025 10:04:40 +0100
+Date: Wed, 11 Dec 2024 09:28:12 +0100
 Subject: [PATCH] prevent multilib conflicts on the curl-config script

 ---
@ -10,10 +10,10 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script
 3 files changed, 9 insertions(+), 19 deletions(-)

 diff --git a/curl-config.in b/curl-config.in
-index a1c8185875..bb43ca8335 100644
+index e89c256..9fb1a33 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -74,7 +74,7 @@ while test "$#" -gt 0; do
+@@ -75,7 +75,7 @@ while test "$#" -gt 0; do
     ;;
 
   --cc)
@ -22,29 +22,29 @@ index a1c8185875..bb43ca8335 100644
     ;;
 
   --prefix)
-@@ -149,16 +149,7 @@ while test "$#" -gt 0; do
+@@ -155,16 +155,7 @@ while test "$#" -gt 0; do
     ;;
 
   --libs)
-    if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then
-      curllibdir="-L@libdir@ "
+-    if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then
+-      CURLLIBDIR="-L@libdir@ "
 -    else
-      curllibdir=''
+-      CURLLIBDIR=''
 -    fi
-    if test '@ENABLE_SHARED@' = 'no'; then
-      echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@"
+-    if test 'X@ENABLE_SHARED@' = 'Xno'; then
+-      echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@"
 -    else
-      echo "${curllibdir}-lcurl"
+-      echo "${CURLLIBDIR}-lcurl"
 -    fi
 +    echo '-lcurl'
     ;;
 
   --ssl-backends)
-@@ -166,16 +157,12 @@ while test "$#" -gt 0; do
+@@ -172,16 +163,12 @@ while test "$#" -gt 0; do
     ;;
 
   --static-libs)
-    if test '@ENABLE_STATIC@' != 'no'; then
+-    if test 'X@ENABLE_STATIC@' != 'Xno'; then
 -      echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@"
 -    else
 -      echo 'curl was built with static libraries disabled' >&2
@ -61,11 +61,11 @@ index a1c8185875..bb43ca8335 100644
 
   *)
 diff --git a/docs/curl-config.md b/docs/curl-config.md
-index 12ad245b79..fa0e03d273 100644
+index 4dfaab6..f4e847e 100644
 --- a/docs/curl-config.md
 +++ b/docs/curl-config.md
@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated.
- ## `--static-libs`
+ ## --static-libs
 
 Shows the complete set of libs and other linker options you need in order to
 -link your application with libcurl statically. (Added in 7.17.1)
@ -73,10 +73,10 @@ index 12ad245b79..fa0e03d273 100644
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
 
- ## `--version`
+ ## --version
 
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index c0ba5244a8..f3645e1748 100644
+index c0ba524..f3645e1 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
@@ -28,6 +28,7 @@ libdir=@libdir@
@ -88,5 +88,5 @@ index c0ba5244a8..f3645e1748 100644
 Name: libcurl
 URL: https://curl.se/
 -- 
-2.52.0
+2.47.1

--- a/0102-curl-7.84.0-test3026.patch
+++ b/0102-curl-7.84.0-test3026.patch
@ -0,0 +1,71 @@
+From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Wed, 22 May 2024 13:03:43 +0200
+Subject: [PATCH 2/2] test3026: disable valgrind
+
+It fails on x86_64 with:
+```
+ Use --max-threads=INT to specify a larger number of threads
+ and rerun valgrind
+ valgrind: the 'impossible' happened:
+    Max number of threads is too low
+ host stacktrace:
+ ==174357==    at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ sched status:
+   running_tid=1
+ Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357)
+ ==174357==    at 0x4A07816: clone (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x1093B5: test.part.0 (lib3026.c:64)
+ ==174357==    by 0x492454F: (below main) (in /usr/lib64/libc.so.6)
+ client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998
+ valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576
+[...]
+```
+---
+ tests/data/test3026     | 3 +++
+ tests/libtest/lib3026.c | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tests/data/test3026 b/tests/data/test3026
+index ee9b30678..dd582c3e5 100644
+--- a/tests/data/test3026
+++ b/tests/data/test3026
+@@ -41,5 +41,8 @@ none
+ <errorcode>
+ 0
+ </errorcode>
+<valgrind>
+disable
+</valgrind>
+ </verify>
+ </testcase>
+diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
+index 7e914010e..39374f5bc 100644
+--- a/tests/libtest/lib3026.c
+++ b/tests/libtest/lib3026.c
+@@ -145,8 +145,8 @@ CURLcode test(char *URL)
+     results[i] = CURL_LAST; /* initialize with invalid value */
+     res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
+     if(res) {
+-      fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n",
+-              __FILE__, __LINE__, res);
+      fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n",
+              __FILE__, __LINE__, i, res);
+       tid_count = i;
+       test_failure = (CURLcode)-1;
+       goto cleanup;
+-- 
+2.45.1
+
--- a/0104-curl-7.88.0-tests-warnings.patch
+++ b/0104-curl-7.88.0-tests-warnings.patch
@ -0,0 +1,30 @@
+From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Wed, 24 Jul 2024 15:15:11 +0200
+Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them"
+
+While it might be useful for upstream developers, it is not so useful
+for downstream consumers.
+
+This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8.
+---
+ tests/runtests.pl | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 9cc9ef1..c9a1c5d 100755
+--- a/tests/runtests.pl
+++ b/tests/runtests.pl
+@@ -57,8 +57,7 @@
+ # given, this won't be a problem.
+ 
+ use strict;
+-# Promote all warnings to fatal
+-use warnings FATAL => 'all';
+use warnings;
+ use 5.006;
+ use POSIX qw(strftime);
+ 
+-- 
+2.45.2
+
--- a/0105-curl-8.11.1-test616.patch
+++ b/0105-curl-8.11.1-test616.patch
@ -0,0 +1,48 @@
+From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Wed, 11 Dec 2024 13:16:12 +0100
+Subject: [PATCH] test616: disable valgrind
+
+Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35
+But test 616 is still failing under valgrind, so disable valgrind for this test.
+
+```
+ valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1
+==188588==    at 0x484B133: calloc (vg_replace_malloc.c:1675)
+==188588==    by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1)
+==188588==    by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1)
+==188588==    by 0x48EEAFB: myssh_statemach_act (libssh.c:1610)
+==188588==    by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095)
+==188588==    by 0x48BA971: UnknownInlinedFun (multi.c:1643)
+==188588==    by 0x48BA971: UnknownInlinedFun (multi.c:2314)
+==188588==    by 0x48BA971: multi_runsingle (multi.c:2768)
+==188588==    by 0x48BCCA4: curl_multi_perform (multi.c:3016)
+==188588==    by 0x4884E4A: UnknownInlinedFun (easy.c:701)
+==188588==    by 0x4884E4A: UnknownInlinedFun (easy.c:796)
+==188588==    by 0x4884E4A: curl_easy_perform (easy.c:815)
+==188588==    by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902)
+==188588==    by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127)
+==188588==    by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249)
+==188588==    by 0x10C12B: main (tool_main.c:271)
+==188588==
+```
+---
+ tests/data/test616 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/data/test616 b/tests/data/test616
+index f76c68a..0ebc734 100644
+--- a/tests/data/test616
+++ b/tests/data/test616
+@@ -32,5 +32,8 @@ SFTP retrieval of empty file
+ #
+ # Verify data after the test has been "shot"
+ <verify>
+<valgrind>
+disable
+</valgrind>
+ </verify>
+ </testcase>
+-- 
+2.47.1
+
--- a/curl.spec
+++ b/curl.spec
@ -4,37 +4,54 @@
 # Change the bcond to 0 to turn off ENGINE support by default
 %bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10]

-# HTTP/3 support
-# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's
-# experimental native OpenSSL 3.5 support.
-%bcond http3 %[0%{?fedora} >= 43]
-
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.18.0
-Release: 1%{?dist}
+Version: 8.11.1
+Release: 6%{?dist}
 License: curl
-Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
-Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
+Source0: https://curl.se/download/%{name}-%{version}.tar.xz
+Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # The curl download page ( https://curl.se/download.html ) links
 # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key,
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc

+# Fix crash with Unexpected error 9 on netlink descriptor 10
+# https://bugzilla.redhat.com/show_bug.cgi?id=2332350
+# https://github.com/curl/curl/issues/15725
+# https://github.com/curl/curl/pull/15727
+Patch1: 0001-curl-8.11.1-eventfd.patch
+
+# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7
+Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch
+
+# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2373760
+Patch3: 0003-curl-8.11.1-tool_formparse-accept-digits-in-form-type-strings.patch
+
+# Fix Out of bounds read for cookie path (CVE-2025-9086)
+Patch4: 0004-curl-8.11.1-CVE-2025-9086.patch
+
+# Fix predictable WebSocket mask (CVE-2025-10148)
+Patch5: 0005-curl-8.11.1-CVE-2025-10148.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

+# test3026: disable valgrind
+Patch102: 0102-curl-7.84.0-test3026.patch
+
+# do not fail on warnings in the upstream test driver
+Patch104: 0104-curl-7.88.0-tests-warnings.patch
+
+# test616: disable valgrind
+Patch105: 0105-curl-8.11.1-test616.patch
+
 Provides: curl-full = %{version}-%{release}
 # do not fail when trying to install curl-minimal after drop
 Provides: curl-minimal = %{version}-%{release}
 Provides: webclient
 URL: https://curl.se/

-%if 0%{?fedora}
-# instead of bundled wcurl utility, recommend wcurl package
-Recommends: wcurl
-%endif
-
 # The reason for maintaining two separate packages for curl is no longer valid.
 # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal.
 # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096
@ -48,20 +65,13 @@ BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
 BuildRequires: libnghttp2-devel
-%if %{with http3}
-BuildRequires: libnghttp3-devel
-%endif
 BuildRequires: libpsl-devel
 BuildRequires: libssh-devel
 BuildRequires: libtool
 BuildRequires: make
-%if %{with http3}
-BuildRequires: ngtcp2-crypto-ossl-devel
-%endif
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
-BuildRequires: openssl
 BuildRequires: openssl-devel
 %if %{with openssl_engine_support} && 0%{?fedora} >= 41
 BuildRequires:  openssl-devel-engine
@ -152,10 +162,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
 # to ensure that we have the necessary symbols available (#2144277)
 %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)

-# require at least the version of libnghttp3 that we were built against,
-# to ensure that we have the necessary symbols available
-%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0)
-
 # require at least the version of libpsl that we were built against,
 # to ensure that we have the necessary symbols available (#1631804)
 %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
@ -164,10 +170,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
 # to ensure that we have the necessary symbols available (#525002, #642796)
 %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)

-# require at least the version of ngtcp2 that we were built against,
-# to ensure that we have the necessary symbols available
-%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0)
-
 # require at least the version of openssl-libs that we were built against,
 # to ensure that we have the necessary symbols available (#1462184, #1462211)
 # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though)
@ -184,14 +186,8 @@ resume, proxy tunneling and a busload of other useful tricks.
 %package -n libcurl
 Summary: A library for getting files from web servers
 Requires: libnghttp2%{?_isa} >= %{libnghttp2_version}
-%if %{with http3}
-Requires: libnghttp3%{?_isa} >= %{libnghttp3_version}
-%endif
 Requires: libpsl%{?_isa} >= %{libpsl_version}
 Requires: libssh%{?_isa} >= %{libssh_version}
-%if %{with http3}
-Requires: ngtcp2%{?_isa} >= %{ngtcp2_version}
-%endif
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
 Provides: libcurl-full = %{version}-%{release}
 Provides: libcurl-full%{?_isa} = %{version}-%{release}
@ -236,7 +232,7 @@ be installed.

 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -n %{name}-%{version_no_tilde} -p1
+%autosetup -p1

 # disable test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
@ -331,11 +327,7 @@ export common_configure_opts="          \
        --enable-websockets             \
        --with-brotli                   \
        --with-libpsl                   \
-        --with-libssh                   \
-%if %{with http3}
-        --with-nghttp3                  \
-        --with-ngtcp2                   \
-%endif
+        --with-libssh
 )

 # avoid using rpath
@ -397,11 +389,6 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish

 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la

-# do not install bundled wcurl utility
-# it is provided by the wcurl package
-rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl
-rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
-
 %ldconfig_scriptlets -n libcurl

 %ldconfig_scriptlets -n libcurl-minimal
@ -411,10 +398,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %doc README
 %doc docs/BUGS.md
 %doc docs/DISTROS.md
-%doc docs/FAQ.md
+%doc docs/FAQ
 %doc docs/FEATURES.md
-%doc docs/KNOWN_BUGS.md
-%doc docs/TODO.md
+%doc docs/TODO
 %doc docs/TheArtOfHttpScripting.md
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
@ -442,105 +428,12 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
-* Wed Jan 07 2026 Jan Macku <jamacku@redhat.com> - 8.18.0-1
- new upstream release
+* Wed Sep 17 2025 Jan Macku <jamacku@redhat.com> - 8.11.1-6
+- Fix Out of bounds read for cookie path (CVE-2025-9086)
+- Fix predictable WebSocket mask (CVE-2025-10148)

-* Mon Jan 05 2026 Jan Macku <jamacku@redhat.com> - 8.18.0~rc3-1
- new upstream release candidate
-
-* Tue Dec 16 2025 Jan Macku <jamacku@redhat.com> - 8.18.0~rc2-1
- new upstream release candidate
- reenable valgrind on test 616
-
-* Tue Dec 09 2025 Jan Macku <jamacku@redhat.com> - 8.18.0~rc1-1
- new upstream release candidate
- drop upstreamed patches
-
-* Sun Dec 07 2025 Aleksei Bavshin <alebastr@fedoraproject.org> - 8.17.0-5
- Enable HTTP/3 support with ngtcp2
-
-* Thu Dec 04 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-4
- apply upstream patches for valgrind issues in HTTP/3 (#2408809)
-
-* Thu Nov 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-3
- recommend wcurl package instead of bundled wcurl utility
-
-* Thu Nov 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-2
- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead
-
-* Mon Nov 10 2025 Jan Macku <jamacku@redhat.com> - 8.17.0-1
- new upstream release
-
-* Thu Oct 30 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc3-1
- new upstream release candidate
-
-* Tue Oct 21 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc2-1
- new upstream release candidate
-
-* Mon Oct 13 2025 Jan Macku <jamacku@redhat.com> - 8.17.0~rc1-1
- new upstream release candidate
-
-* Wed Sep 10 2025 Jan Macku <jamacku@redhat.com> - 8.16.0-1
- new upstream release
-
-* Wed Sep 03 2025 Jan Macku <jamacku@redhat.com> - 8.16.0~rc3-1
- new upstream release candidate
-
-* Tue Aug 26 2025 Jan Macku <jamacku@redhat.com> - 8.16.0~rc2-1
- new upstream release candidate
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Wed Jul 16 2025 Jan Macku <jamacku@redhat.com> - 8.15.0-1
- new upstream release
-
-* Thu Jul 10 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc3-1
- new upstream release candidate
-
-* Mon Jun 30 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc2-1
- new upstream release candidate
-
-* Mon Jun 23 2025 Jan Macku <jamacku@redhat.com> - 8.15.0~rc1-1
- new upstream release candidate
-
-* Wed Jun 04 2025 Jan Macku <jamacku@redhat.com> - 8.14.1-1
- new upstream release
- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed)
-
-* Wed May 28 2025 Jan Macku <jamacku@redhat.com> - 8.14.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2025-5025 - No QUIC certificate pinning with wolfSSL
-    CVE-2025-4947 - QUIC certificate check skip with wolfSSL
- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles
-
-* Fri May 02 2025 Jan Macku <jamacku@redhat.com> - 8.14.0~rc1-1
- new upstream release candidate
- new utility: wcurl which lets you download URLs without having to remember any parameters
-
-* Wed Apr 02 2025 Jan Macku <jamacku@redhat.com> - 8.13.0-1
- new upstream release
- add build time dependency on openssl (required by tests)
-
-* Wed Mar 26 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc3-1
- new upstream release candidate
- drop: 0102-curl-7.84.0-test3026.patch (no longer needed)
-
-* Tue Mar 18 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc2-1
- new upstream release candidate
-
-* Thu Mar 13 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc1-2
- fix --cert parameter (#2351531)
-
-* Mon Mar 10 2025 Jan Macku <jamacku@redhat.com> - 8.13.0~rc1-1
- new upstream release candidate
-
-* Wed Feb 05 2025 Jan Macku <jamacku@redhat.com> - 8.12.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2025-0725 - gzip integer overflow
-    CVE-2025-0665 - eventfd double close
-    CVE-2025-0167 - netrc and default credential leak
- drop upstreamed patches
+* Thu Jun 19 2025 Jan Macku <jamacku@redhat.com> - 8.11.1-5
+- properly parse 'type=' in -F command line arguments (#2373760)

 * Fri Jan 31 2025 Jan Macku <jamacku@redhat.com> - 8.11.1-4
 - TLS: check connection for SSL use, not handler (#2324130#c7)
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
-SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
+SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57
+SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824
--- a/tests/non-root-user-download/runtest.sh
+++ b/tests/non-root-user-download/runtest.sh
@ -31,9 +31,9 @@

 PACKAGE="curl"

-FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"
Author	SHA1	Message	Date
Jan Macku	deffa452aa	Resolves: CVE-2025-10148 - predictable WebSocket mask	2025-09-18 10:08:40 +02:00
Jan Macku	38e362ef11	Resolves: CVE-2025-9086 - Out of bounds read for cookie path	2025-09-17 15:18:13 +02:00
Jan Macku	d40689af0b	properly parse 'type=' in -F command line arguments Resolves: #2373760	2025-06-19 15:01:15 +02:00