Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

libcurl4-8.11.1-1.1 RPM for armv7hl

From OpenSuSE Ports Tumbleweed for armv7hl

Name: libcurl4 Distribution: openSUSE Tumbleweed
Version: 8.11.1 Vendor: openSUSE
Release: 1.1 Build date: Wed Dec 11 08:42:31 2024
Group: Unspecified Build host: reproducible
Size: 758548 Source RPM: curl-8.11.1-1.1.src.rpm
Packager: http://bugs.opensuse.org
Url: https://curl.se
Summary: Library for transferring data from URLs
The cURL shared library for accessing data using different
network protocols.

Provides

Requires

License

curl

Changelog

* Wed Dec 11 2024 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.11.1:
    * Security fixes:
    - netrc and redirect credential leak [bsc#1234068, CVE-2024-11053]
    * Bugfixes:
    - build: fix ECH to always enable HTTPS RR
    - cookie: treat cookie name case sensitively
    - curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected
    - curl: use realtime in trace timestamps
    - digest: produce a shorter cnonce in Digest headers
    - docs: document default 'User-Agent'
    - docs: suggest --ssl-reqd instead of --ftp-ssl
    - duphandle: also init netrc
    - hostip: don't use the resolver for FQDN localhost
    - http_negotiate: allow for a one byte larger channel binding buffer
    - krb5: fix socket/sockindex confusion, MSVC compiler warnings
    - libssh: use libssh sftp_aio to upload file
    - libssh: when using IPv6 numerical address, add brackets
    - mime: fix reader stall on small read lengths
    - mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
    - mprintf: fix the integer overflow checks
    - multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when...
    - netrc: address several netrc parser flaws
    - netrc: support large file, longer lines, longer tokens
    - nghttp2: use custom memory functions
    - OpenSSL: improvde error message on expired certificate
    - openssl: remove three "Useless Assignments"
    - openssl: stop using SSL_CTX_ function prefix for our functions
    - pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS
    - rtsp: check EOS in the RTSP receive and return an error code
    - schannel: remove TLS 1.3 ciphersuite-list support
    - setopt: fix CURLOPT_HTTP_CONTENT_DECODING
    - setopt: fix missing options for builds without HTTP & MQTT
    - socket: handle binding to "host!<ip>"
    - socketpair: fix enabling 'USE_EVENTFD'
    - strtok: use namespaced 'strtok_r' macro instead of redefining it
    * Remove 0001-duphandle-also-init-netrc.patch upstream
* Wed Nov 13 2024 Björn Bidar <bjorn.bidar@thaodan.de>
  - Add patch to fix libcurl when netrc parsing is enabled.
    curl_easy_duphandle did not init netrc which broke applications such
    as for example git. gh#curl/curl#15496
    * 0001-duphandle-also-init-netrc.patch
* Wed Nov 06 2024 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.11.0:
    * Security fixes: [bsc#1232528, CVE-2024-9681]
    - curl: HSTS subdomain overwrites parent cache entry
    * Changes:
    - curl: --create-dirs works for --dump-header as well
    - gtls: Add P12 format support
    - ipfs: add options to disable
    - TLS: TLSv1.3 earlydata support for curl
    - WebSockets: make support official (non-experimental)
    * Bugfixes:
    - build: clarify CA embed is for curl tool, mark default, improve summary
    - build: show if CA bundle to embed was found
    - build: tidy up and improve versioned-symbols options
    - cmake/FindNGTCP2: use library path as hint for finding crypto module
    - cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
    - cmake: rename LDAP dependency config variables to match Find modules
    - cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
    - cmake: use OpenSSL for LDAP detection only if available
    - curl: add build options for safe/no CA bundle search (Windows)
    - curl: detect ECH support dynamically, not at build time
    - curl_addrinfo: support operating systems with only getaddrinfo(3)
    - ftp: fix 0-length last write on upload from stdin
    - gnutls: use session cache for QUIC
    - hsts: improve subdomain handling
    - hsts: support "implied LWS" properly around max-age
    - http2: auto reset stream on server eos
    - json.md: cli-option '--json' is an alias of '--data-binary'
    - lib: move curl_path.[ch] into vssh/
    - lib: remove function pointer typecasts for hmac/sha256/md5
    - libssh.c: handle EGAINS during proto-connect correctly
    - libssh2: use the filename buffer when getting the homedir
    - multi.c: warn/assert on stall only without timer
    - negotiate: conditional check around GSS & SSL specific code
    - netrc: cache the netrc file in memory
    - ngtcp2: do not loop on recv
    - ngtcp2: set max window size to 10x of initial (128KB)
    - openssl quic: populate x509 store before handshake
    - openssl: extend the OpenSSL error messages
    - openssl: improve retries on shutdown
    - quic: use send/recvmmsg when available
    - schannel: fix TLS cert verification by IP SAN
    - schannel: ignore error on recv beyond close notify
    - select: use poll() if existing, avoid poll() with no sockets
    - sendf: add condition to max-filesize check
    - server/mqttd: fix two memory leaks
    - setopt: return error for bad input to CURLOPT_RTSP_REQUEST
    - setopt_cptr: make overflow check only done when needed
    - tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED
    - tool: support --show-headers AND --remote-header-name
    - tool_operate: make --skip-existing work for --parallel
    - url: connection reuse on h3 connections
    - url: use same credentials on redirect
    - urlapi: normalize the IPv6 address
    - version: say quictls in MSH3 builds
    - vquic: fix compiler warning with gcc + MUSL
    - vquic: recv_mmsg, use fewer, but larger buffers
    - vtls: convert Curl_pin_peer_pubkey to use dynbuf
    - vtls: convert pubkey_pem_to_der to use dynbuf
    * Rebase curl-secure-getenv.patch
* Tue Sep 24 2024 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.10.1:
    * Bugfixes:
    - autotools: fix `--with-ca-embed` build rule
    - cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
    - cmake: fix MSH3 to appear on the feature list
    - connect: store connection info when really done
    - FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
    - http2: when uploading data from stdin, fix eos forwarding
    - http: make max-filesize check not count ignored bodies
    - lib: fix AF_INET6 use outside of USE_IPV6
    - multi: check that the multi handle is valid in curl_multi_assign
    - QUIC: on connect, keep on trying on draining server
    - request: correctly reset the eos_sent flag
    - setopt: remove superfluous use of ternary expressions
    - singleuse: drop `Curl_memrchr()` for no-HTTP builds
    - tool_cb_wrt: use "curl_response" if no file name in URL
    - transfer: fix sendrecv() without interim poll
    - vtls: fix `Curl_ssl_conn_config_match` doc param
* Wed Sep 11 2024 Pedro Monreal <pmonreal@suse.com>
  - Update to version 8.10.0:
    * Security fixes:
    - [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS
    * Changes:
    - curl: make --rate accept "number of units"
    - curl: make --show-headers the same as --include
    - curl: support --dump-header % to direct to stderr
    - curl: support embedding a CA bundle and --dump-ca-embed
    - curl: support repeated use of the verbose option; -vv etc
    - curl: use libuv for parallel transfers with --test-event
    - vtls: stop offering alpn http/1.1 for http2-prior-knowledge
    * Bugfixes:
    - curl: allow 500MB data URL encode strings
    - curl: warn on unsupported SSL options
    - Curl_rand_bytes to control env override
    - curl_sha512_256: fix symbol collisions with nettle library
    - dist: fix reproducible build from release tarball
    - http2: fix GOAWAY message sent to server
    - http2: improve rate limiting of downloads
    - INSTALL.md: MultiSSL and QUIC are mutually exclusive
    - lib: add eos flag to send methods
    - lib: make SSPI global symbols use Curl_ prefix
    - lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name
    - lib: remove the final strncpy() calls
    - lib: remove use of RANDOM_FILE
    - Makefile.mk: fixup enabling libidn2
    - max-filesize.md: mention zero disables the limit
    - mime: avoid inifite loop in client reader
    - ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
    - openssl quic: fix memory leak
    - openssl: certinfo errors now fail correctly
    - openssl: fix the data race when sharing an SSL session between threads
    - openssl: improve shutdown handling
    - POP3: fix multi-line responses
    - pop3: use the protocol handler ->write_resp
    - progress: ratelimit/progress tweaks
    - rand: only provide weak random when needed
    - sectransp: fix setting tls version
    - setopt: make CURLOPT_TFTP_BLKSIZE accept bad values
    - sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL
    - sigpipe: init the struct so that first apply ignores
    - smb: convert superflous assign into assert
    - smtp: add tracing feature
    - spnego_gssapi: implement TLS channel bindings for openssl
    - src: delete `curlx_m*printf()` aliases
    - ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)
    - tool_operhlp: fix "potentially uninitialized local variable 'pc' used"
    - tool_paramhlp: bump maximum post data size in memory to 16GB
    - transfer: skip EOS read when download done
    - url: fix connection reuse for HTTP/2 upgrades
    - urlapi: verify URL *decoded* hostname when set
    - urldata: introduce `data->mid`, a unique identifier inside a multi
    - vtls: add SSLSUPP_CIPHER_LIST
    - vtls: fix static function name collisions between TLS backends
    - vtls: init ssl peer only once
    - websocket: introduce blocking sends
    - ws: flags to opcodes should ignore CURLWS_CONT flag
    - x509asn1: raise size limit for x509 certification information
    * Remove curl-sigpipe.patch upstream
    * Rebase curl-secure-getenv.patch
* Mon Aug 12 2024 Pedro Monreal <pmonreal@suse.com>
  - Fix regression introduced in version 8.9.1:
    * sigpipe: init the struct so that first apply ignores
    * Add curl-sigpipe.patch
* Wed Jul 31 2024 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.9.1:
    * Security fixes:
    - curl: ASN.1 date parser overread [bsc#1228535, CVE-2024-7264]
    * Bugfixes:
    - cmake: detect 'libssh' via 'pkg-config'
    - cmake: detect 'nettle' when building with GnuTLS
    - connect: fix connection shutdown for event based processing
    - curl: more defensive socket code for --ip-tos
    - CURLOPT_SSL_CTX_FUNCTION.md: mention CA caching
    - CURLSHOPT_SHARE.md: mention sessions/cookies as not thread-safe
    - ftpserver.pl: make POP3 LIST serve content from the test file
    - lib: survive some NULL input args
    - os400: build cli manual.
    - os400: workaround an IBM ASCII run-time library bug
    - transfer: speed limiting fix for 32bit systems
    - vtls: avoid forward declaration in MultiSSL builds
    - x509asn1: unittests and fixes for gtime2str
* Wed Jul 24 2024 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.9.0:
    * Security fixes:
    - [bsc#1227888, CVE-2024-6197] curl: freeing stack buffer
      in utf8asn1str
    - [bsc#1228260, CVE-2024-6874] idn: tweak buffer use when
      converting with macidn
    * Changes:
    - curl: add --ip-tos (IP Type of Service / Traffic Class)
    - curl: add --mptcp
    - curl: add --vlan-priority
    - curl: add -w '%{num_retries}
    - gnutls: support CA caching
    - mbedtls: support CURLOPT_CERTINFO
    - noproxy: patterns need to be comma separated
    - socket: support binding to interface *AND* IP
    - tcpkeepalive: add CURLOPT_TCP_KEEPCNT and --keepalive-cnt
    - urlapi: add CURLU_NO_GUESS_SCHEME
    - wolfssl: support CA caching
    * Bugfixes:
    - connection: shutdown TLS (for FTP) better
    - curl-config: revert to backticks to support old target envs
    - curl: allow etag and content-disposition for 3xx reply
    - curl: bsearch the --write-out variable name
    - curl: check for --disable case *sensitively*
    - doh: fix leak and zero-length HTTPS RR crash
    - file: separate fake headers and body with a stand-alone CRLF
    - ftp: remove redundant null pointer check in loop condition
    - gnutls: improve TLS shutdown
    - gnutls: pass in SNI name, not hostname when checking cert
    - hostip: skip error check for infallible function call
    - http/3: add shutdown support
    - http/3: resume upload on ack if we have more data to send
    - lib: add a few DEBUGASSERT(data) to aid code analyzers
    - lib: add failure reason on bind errors
    - lib: graceful connection shutdown
    - lib: xfer_setup and non-blocking shutdown
    - multi: add multi->proto_hash, a key-value store for protocol data
    - multi: do a final progress update on connect failure
    - multi: fix multi_wait() timeout handling
    - multi: fix pollset during RESOLVING phase
    - ngtcp2+quictls: fix cert-status use
    - noproxy: test bad ipv6 net size first
    - openssl/gnutls: rectify the TLS version checks for QUIC
    - openssl: fix hostname handling when using ECH
    - openssl: stop duplicate ssl key logging for legacy OpenSSL
    - quic: enable UDP GRO
    - quic: openssl quic, cmake and doc version update to 3.3.0
    - quic: require at least OpenSSL 3.3 for QUIC
    - quic: update to quiche 0.22.0
    - smtp: for starttls, do full upgrade
    - tool_operate: avoid explicitly setting verifypeer to 1
    - tool_writeout: get certinfo only when needing it
    - transfer: avoid polling socket every transfer loop
    - transfer: conn close on paused upload
    - transfer: do not use EXPIRE_NOW while blocked
    - transfer: remove curl_upload_refill_watermark, no longer used
    - transfer: set CSELECT_IN if there is data pending
    - url: allow DoH transfers to override max connection limit
    - x509asn1: add some common ECDSA OIDs
    - x509asn1: ASN1tostr() should fail when 'constructed' is set
    - x509asn1: fallback to dotted OID representation
    - x509asn1: prevent NULL dereference
    - x509asn1: remove superfluous free()
    - x509asn1: remove two static variables
    * Rebase libcurl-ocloexec.patch
    * Remove curl-make-install-curl-config.patch upstream
* Thu Jun 20 2024 Dirk Müller <dmueller@suse.com>
  - add multibuild for minimal libcurl flavored build (useful for
    container environments)
* Thu Jun 20 2024 Dirk Müller <dmueller@suse.com>
  - split zsh and fish completion into subpackages to have
    proper supplements
* Mon Jun 17 2024 Dirk Müller <dmueller@suse.com>
  - remove mozilla-nss code (unsupported since 8.3.0)
* Fri May 24 2024 Pedro Monreal <pmonreal@suse.com>
  - Fix make install for curl-config.1
    * docs/Makefile.am: make curl-config.1 install
    * Fixed upstream in: github.com/curl/curl/pull/13741
    * Add curl-make-install-curl-config.patch
* Wed May 22 2024 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.8.0:
    * Changes:
    - curl_version_info: provide librtmp version
    - file: add support for directory listings
    - lib: add curl_multi_waitfds
    - NTLM_WB: drop support
    - TLS: add support for ECH (Encrypted Client Hello)
    - urlapi: add CURLU_GET_EMPTY for empty queries and fragments
    * Bugfixes:
    - build: prefer "USE_IPV6" macro internally (was: "ENABLE_IPV6")
    - cd2nroff/manage: use UTC when SOURCE_DATE_EPOCH is set
    - cf-socket: don't try getting local IP without socket
    - cf-socket: remove references to l_ip, l_port
    - configure: make --disable-docs imply --disable-manual
    - curl.h: change CURL_SSLVERSION_* from enum to defines
    - curl_path: make Curl_get_pathname use dynbuf
    - curl_sha512_256: do not use workaround for NetBSD when not needed
    - curl_sha512_256: fix detection of OpenSSL 1.1.1 or later
    - curl_url_get.md: clarify queries and fragments and CURLU_GET_EMPTY
    - DEPRECATE.md: TLS libraries without 1.3 support
    - digest: replace strcpy for empty string with simple assignment
    - doc: pytest "--repeat" -> "--count"
    - docs/cmdline-opts: mention STARTTLS for --ssl and --ssl-reqd
    - dynbuf: fix returncode on memory error
    - ftp: add tracing support
    - ftp: fix socket leak on rare error
    - gnutls: lazy init the trust settings
    - hsts: explicitly skip blank lines
    - http2 + ngtcp2: pass CURLcode errors from callbacks
    - http2, http3: decouple stream state from easy handle
    - http2: emit RST when client write fails
    - http: HEAD response body tolerance
    - http: reject HTTP major version switch mid connection
    - http: with chunked POST forced, disable length check on read callback
    - idn: make Curl_idnconvert_hostname() use Curl_idn_decode()
    - if2ip: make the buf_size arg a size_t
    - krb5: use dynbuf
    - lib/cf-h1-proxy: silence compiler warnings (gcc 14)
    - lib: add trace support for client reads and writes
    - lib: bump hash sizes to "size_t"
    - lib: clear the easy handle's saved errno before transfer
    - lib: make protocol handlers store scheme name lowercase
    - lib: merge "ENABLE_QUIC" C macro into "USE_HTTP3"
    - libssh2: set length to 0 if strdup failed
    - openssl: do not set SSL_MODE_RELEASE_BUFFERS
    - openssl: revert keylog_callback support for LibreSSL
    - OS400: fix shellcheck warnings in scripts
    - quiche: expire all active transfers on connection close
    - quiche: trust its timeout handling
    - tls: use shared init code for TCP+QUIC
    - tool_cfgable: free {proxy_}cipher13_list on exit
    - url: do not URL decode proxy crendentials
    - url: fix use of an uninitialized variable
    - url: make parse_login_details use memdup0
    - urlapi: allow setting port number zero
    - version: use msnprintf instead of strncpy
    - vtls: TLS session storage overhaul
    - wakeup_create: use FD_CLOEXEC/SOCK_CLOEXEC
    - websocket: avoid memory leak in error path
* Wed May 22 2024 Dominique Leuenberger <dimstar@opensuse.org>
  - Add split-provides for libcurl-devel -> libcurl-devel-doc.
* Mon May 20 2024 Jan Engelhardt <jengelh@inai.de>
  - Spin documentation off to libcurl-devel-doc, this saves buildroots
    495 files and time (mandb is run in %posttrans).
* Wed Mar 27 2024 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.7.1:
    * Fixed empty tool_hugehelp.c file
  - Update to 8.7.0:
    * Security fixes:
    - [bsc#1221665, CVE-2024-2004] Usage of disabled protocol
    - [bsc#1221667, CVE-2024-2398] HTTP/2 push headers memory-leak
    - [bsc#1221666, CVE-2024-2379] QUIC certificate check bypass with wolfSSL
    - [bsc#1221668, CVE-2024-2466] TLS certificate check bypass with mbedTLS
    * Changes:
    - configure: add --disable-docs flag
    - CURLINFO_USED_PROXY: return bool whether the proxy was used
    - digest: support SHA-512/256
    * Bugfixes:
    - asyn-thread: use wakeup_close to close the read descriptor
    - bufq: writing into a softlimit queue cannot be partial
    - cmake: add USE_OPENSSL_QUIC support
    - cookie: if psl fails, reject the cookie
    - curl: exit on config file parser errors
    - digest: add check for hashing error
    - docs/libcurl: add TLS backend info for all TLS options
    - file: use xfer buf for file:// transfers
    - ftp: do lineend conversions in client writer
    - ftp: fix socket wait activity in ftp_domore_getsock
    - http2: memory errors in the push callbacks are fatal
    - http2: push headers better cleanup
    - libssh/libssh2: return error on too big range
    - OpenSSL QUIC: adapt to v3.3.x
    - setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value
    - setopt: fix disabling all protocols
    - sha512_256: add support for GnuTLS and OpenSSL
    - smtp: fix STARTTLS
    - strtoofft: fix the overflow check
    - TIMER_STARTTRANSFER: set the same for everyone
    - TLS: start shutdown only when peer did not already close
    - tool_getparam: accept a blank -w ""
    - tool_getparam: handle non-existing (out of range) short-options
    - tool_operate: change precedence of server Retry-After time
    - transfer.c: break receive loop in speed limited transfers
    - version: allow building with ancient libpsl
    - vquic-tls: fix the error code returned for bad CA file
    - vtls: fix tls proxy peer verification
    - vtls: revert "receive max buffer" + add test case
    - VULN-DISCLOSURE-POLICY.md: update detail about CVE requests
    - websocket: fix curl_ws_recv()
    * Remove patch upstream:
    - 0001-vtls-revert-receive-max-buffer-add-test-case.patch
* Tue Mar 12 2024 Pedro Monreal <pmonreal@suse.com>
  - Remove the nghttp2 version requirement as a version guard around
    the nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
    function was added in curl 8.0.1.
    * Upstream commit: https://github.com/curl/curl/commit/744dcf22
* Thu Feb 08 2024 Fabian Vogt <fvogt@suse.com>
  - Add patch to fix various TLS related issues including FTP over SSL
    transmission timeouts:
    * 0001-vtls-revert-receive-max-buffer-add-test-case.patch
  - Switch to %autosetup
* Wed Jan 31 2024 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.6.0: [bsc#1219149, CVE-2024-0853]
    * Security fixes:
    - CVE-2024-0853: OCSP verification bypass with TLS session reuse
    * Changes:
    - add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T
    * Bugfixes:
    - altsvc: free 'as' when returning error
    - asyn-ares: with modern c-ares, use its default timeout
    - cf-socket: show errno in tcpkeepalive error messages
    - cmdline-opts: update availability for the *-ca-native options
    - configure: when enabling QUIC, check that TLS supports QUIC
    - content_encoding: change return code to typedef'ed enum
    - curl: show ipfs and ipns as supported "protocols"
    - CURLINFO_REFERER.3: clarify that it is the *request* header
    - dist: add tests/errorcodes.pl to the tarball
    - gen.pl: support ## for doing .IP in table-like lists
    - GHA: bump ngtcp2, gnutls, mod_h2, quiche
    - hostip: return error immediately when Curl_ip2addr() fails
    - http3/quiche: fix result code on a stream reset
    - http3: initial support for OpenSSL 3.2 QUIC stack
    - http: check for "Host:" case insensitively
    - http: fix off-by-one error in request method length check
    - http: only act on 101 responses when they are HTTP/1.1
    - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
    - lib: error out on multissl + http3
    - lib: fix variable undeclared error caused by `infof` changes
    - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
    - lib: strndup/memdup instead of malloc, memcpy and null-terminate
    - libssh2: use `libssh2_session_callback_set2()` with v1.11.1
    - ngtcp2: put h3 at the front of alpn
    - openldap: fix an LDAP crash
    - openldap: fix STARTTLS
    - openssl: re-match LibreSSL deinit with init
    - rtsp: deal with borked server responses
    - sasl: make login option string override http auth
    - tool: prepend output_dir in header callback
    - tool_getparam: stop supporting `@filename` style for --cookie
    - transfer: fix upload rate limiting, add test cases
    - url: don't set default CA paths for Secure Transport backend
    - url: for disabled protocols, mention if found in redirect
    - vquic: extract TLS setup into own source
    - websockets: check for negative payload lengths
    * Remove patches fixed upstream:
    - curl-adjust-pollset-fix.patch
    - curl-tests-errorcodes.patch
    * Rebase dont-mess-with-rpmoptflags.patch
* Fri Jan 05 2024 Michael Pujos <pujos.michael@gmail.com>
  - Added curl-adjust-pollset-fix.patch to fix broken MPD http streaming:
    https://github.com/curl/curl/issues/12632
* Wed Dec 06 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.5.0:
    * Security fixes:
    - [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
    - [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents
    * Changes:
    - gnutls: support CURLSSLOPT_NATIVE_CA
    - HTTP3: ngtcp2 builds are no longer experimental
    * Bugfixes:
    - asyn-thread: use pipe instead of socketpair for IPC when available
    - cmake: fix OpenSSL quic detection in quiche builds
    - conncache: use the closure handle when disconnecting surplus connections
    - content_encoding: make Curl_all_content_encodings allocless
    - cookie: lowercase the domain names before PSL checks
    - Curl_http_body: cleanup properly when Curl_getformdata errors
    - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
    - doh: provide better return code for responses w/o addresses
    - doh: use PIPEWAIT when HTTP/2 is attempted
    - duphandle: also free 'outcurl->cookies' in error path
    - duphandle: make dupset() not return with pointers to old alloced data
    - duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
    - easy: in duphandle, init the cookies for the new handle
    - easy_lock: add a pthread_mutex_t fallback
    - fopen: create new file using old file's mode
    - fopen: create short(er) temporary file name
    - getenv: PlayStation doesn't have getenv()
    - hostip: show the list of IPs when resolving is done
    - hsts: skip single-dot hostname
    - HTTP/2, HTTP/3: handle detach of onoing transfers
    - http: allow longer HTTP/2 request method names
    - hyper: temporarily remove HTTP/2 support
    - IPFS: fix IPFS_PATH and file parsing
    - multi: during ratelimit multi_getsock should return no sockets
    - multi: use pipe instead of socketpair to *wakeup()
    - ngtcp2: fix races in stream handling
    - ntlm_wb: use pipe instead of socketpair when possible
    - openssl: avoid BN_num_bits() NULL pointer derefs
    - openssl: fix building with v3 `no-deprecated` + add CI test
    - openssl: fix infof() to avoid compiler warning for %s with null
    - openssl: identify the "quictls" backend correctly
    - openssl: include SIG and KEM algorithms in verbose
    - openssl: two multi pointer checks should probably rather be asserts
    - openssl: when a session-ID is reused, skip OCSP stapling
    - quic: make eyeballers connect retries stop at weird replies
    - quic: manage connection idle timeouts
    - setopt: check CURLOPT_TFTP_BLKSIZE range on set
    - socks: better buffer size checks for socks4a user and hostname
    - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
    - tool: fix --capath when proxy support is disabled
    - tool_getparam: limit --rate to be smaller than number of ms
    - transfer: abort pause send when connection is marked for closing
    - transfer: avoid calling the read callback again after EOF
    - transfer: only reset the FTP wildcard engine in CLEAR state
    - url: don't touch the multi handle when closing internal handles
    - urlapi: avoid null deref if setting blank host to url encode
    - urlapi: skip appending NULL pointer query
    - urlapi: when URL encoding the fragment, pass in the right length
    - vtls: cleanup SSL config management
    - vtls: consistently use typedef names for OpenSSL structs
    - vtls: late clone of connection ssl config
    - vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
    * Rebase curl-secure-getenv.patch
    * Add curl-tests-errorcodes.patch
* Wed Oct 11 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.4.0:
    * Security fixes:
    - SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545]
    - cookie injection with none file [bsc#1215889, CVE-2023-38546]
    * Changes:
    - curl: add support for the IPFS protocols via HTTP gateway
    - curl_multi_get_handles: get easy handles from a multi handle
    - mingw: delete support for legacy mingw.org toolchain
    * Bugfixes:
    - base64: also build for curl
    - cf-socket: simulate slow/blocked receives in debug
    - configure: check for the capath by default
    - connect: expire the timeout when trying next
    - connect: only start the happy eyeballs timer when needed
    - cookie: do not store the expire or max-age strings
    - cookie: remove unnecessary struct fields
    - cookie: set ->running in cookie_init even if data is NULL
    - create-dirs.d: clarify it also uses --output-dirs
    - http2: refused stream handling for retry
    - http: h1/h2 proxy unification
    - http: use per-request counter to check too large headers
    - idn: if idn2_check_version returns NULL, return error
    - lib: enable hmac for digest as well
    - lib: let the max filesize option stop too big transfers too
    - lib: move handling of 'data->req.writer_stack' into Curl_client_write()
    - lib: provide and use Curl_hexencode
    - lib: use wrapper for curl_mime_data fseek callback
    - libssh2: fix error message on failed pubkey-from-file
    - libssh: cap SFTP packet size sent
    - MQTT: improve receive of ACKs
    - multi: do CURLM_CALL_MULTI_PERFORM at two more places
    - multi: round the timeout up to prevent early wakeups
    - openssl: improve ssl shutdown handling
    - openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR
    - pytest: exclude test_03_goaway in CI runs due to timing dependency
    - quic: set ciphers/curves the same way regular TLS does
    - quiche: fix build error with --with-ca-fallback
    - socks: return error if hostname too long for remote resolve
    - tftpd: always use curl's own tftp.h
    - tool_getparam: accept variable expansion on file names too
    - upload-file.d: describe the file name slash/backslash handling
    - url: fall back to http/https proxy env-variable if ws/wss not set
    - url: fix netrc info message
    - wolfssh: do cleanup in Curl_ssh_cleanup
    - wolfssl: allow capath with CURLOPT_CAINFO_BLOB
    - wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files
    - wolfssl: ignore errors in CA path
    * Rebase libcurl-ocloexec.patch
* Wed Sep 13 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.3.0: [bsc#1215026, CVE-2023-38039]
    * Changes:
    - curl: make %output{} in -w specify a file to write to
    - gskit: remove
    - lib: --disable-bindlocal builds curl without local binding support
    - nss: remove support for this TLS library
    - tool: add "variable" support
    - trace: make tracing available in non-debug builds
    - url: change default value for CURLOPT_MAXREDIRS to 30
    - urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
    * Bugfixes:
    - altsvc: accept and parse IPv6 addresses in response headers
    - asyn-ares: reduce timeout to 2000ms
    - aws-sigv4: canonicalize the query
    - aws-sigv4: fix having date header twice in some cases
    - aws-sigv4: handle no-value user header entries
    - c-hyper: adjust the hyper to curlcode conversion
    - c-hyper: fix memory leaks in `Curl_http`
    - cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
    - cf-socket: log successful interface bind
    - cmake: add GnuTLS option
    - cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
    - cmake: detect `SSL_set0_wbio` in OpenSSL
    - configure: trust pkg-config when it's used for zlib
    - configure: use the pkg-config --libs-only-l flag for libssh2
    - connect: stop halving the remaining timeout when less than 600 ms left
    - crypto: ensure crypto initialization works
    - digest: Use hostname to generate spn instead of realm
    - ftp: fix temp write of ipv6 address
    - headers: accept leading whitespaces on first response header
    - http2: fix in h2 proxy tunnel: progress in ingress on sending
    - http3/ngtcp2: shorten handshake, trace cleanup
    - http3: quiche, handshake optimization, trace cleanup
    - http: close the connection after a late 417 is received
    - http: fix sending of large requests
    - http: return error when receiving too large header set
    - lib: fix null ptr derefs and uninitialized vars (h2/h3)
    - lib: move mimepost data from ->req.p.http to ->state
    - list-only.d: mention SFTP as supported protocol
    - ngtcp2: fix handling of large requests
    - openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
    - openssl: clear error queue after SSL_shutdown
    - openssl: make aws-lc version support OCSP
    - openssl: Support async cert verify callback
    - openssl: switch to modern init for LibreSSL 2.7.0+
    - openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
    - quic: don't set SNI if hostname is an IP address
    - quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
    - quiche: enable quiche to handle timeout events
    - resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
    - schannel: verify hostname independent of verify cert
    - tool_filetime: make -z work with file dates before 1970
    - tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR
    - tool_operate: make aws-sigv4 not require TLS to be used
    - transfer: also stop the sending on closed connection
    - urlapi: fix heap buffer overflow
    - urlapi: setting a blank URL ("") is not an ok URL
* Fri Jul 28 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.2.1:
    * Bugfixes:
    - cfilters: rename close/connect functions to avoid clashes
    - ciphers.d: put URL in first column
    - cmake: add 'libcurlu'/'libcurltool' for unit tests
    - cmake: update ngtcp2 detection
    - configure: check for nghttp2_session_get_stream_local_window_size
    - docs: mark two TLS options for TLS, not SSL
    - docs: provide more see also for cipher options
    - hostip: return IPv6 first for localhost resolves
    - http2: fix regression on upload EOF handling
    - http: VLH, very large header test and fixes
    - libcurl-errors.3: add CURLUE_OK
    - os400: correct EXPECTED_STRING_LASTZEROTERMINATED
    - quiche: fix lookup of transfer at multi
    - quiche: fix segfault and other things
    - rustls: update rustls-ffi 0.10.0
    - socks: print ipv6 address within brackets
    - src/mkhelp: strip off escape sequences
    - tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
    - transfer: do not clear the credentials on redirect to absolute URL
    - unittest: remove unneeded *_LDADD
    - websocket: rename arguments/variables to match docs
* Wed Jul 19 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.2.0 [bsc#1213237, CVE-2023-32001]
    * Security fix:
    - CVE-2023-32001: fopen race condition
    * Changes:
    - curl: add --ca-native and --proxy-ca-native
    - curl: add --trace-ids
    - CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS
    - haproxy: add --haproxy-clientip flag to set client IPs
    - lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID
    * Bugfixes:
    - cf-socket: don't bypass fclosesocket callback if cancelled before connect
    - cf-socket: skip getpeername()/getsockname for TFTP
    - curl: count uploaded data to stop at the originally given size
    - curl: return error when asked to use an unsupported HTTP version
    - http2: fix crash in handling stream weights
    - http2: send HEADER & DATA together if possible
    - http3/ngtcp2: upload EAGAIN handling
    - http: rectify the outgoing Cookie: header field size check
    - hyper: fix EOF handling on input
    - imap: Provide method to disable SASL if it is advertised
    - libssh2: provide error message when setting host key type fails
    - libssh2: use custom memory functions
    - ngtcp2: assigning timeout, but value is overwritten before used
    - quiche: avoid NULL deref in debug logging
    - sectransp: fix EOF handling
    - system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles
    - timeval: use CLOCK_MONOTONIC_RAW if available
    - tls13-ciphers.d: include Schannel
    - tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION`
    - tool_operate: allow cookie lines up to 8200 bytes
    - tool_parsecfg: accept line lengths up to 10M
    - tool_writeout_json: fix encoding of control characters
    - transfer: clear credentials when redirecting to absolute URL
    - urlapi: have *set(PATH) prepend a slash if one is missing
    - urlapi: scheme must start with alpha
    - vtls: avoid memory leak if sha256 call fails
    - websocket-cb: example doing WebSocket download using callback
    - ws: make the curl_ws_meta() return pointer a const
* Tue May 30 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.1.2:
    * Bugfixes:
    - configure: quote the assignments for run-compiler
    - configure: without pkg-config and no custom path, use -lnghttp2
    - curl: cache the --trace-time value for a second
    - http2: fix EOF handling on uploads with auth negotiation
    - http3: send EOF indicator early as possible
    - lib1560: verify more scheme guessing
    - lib: remove unused functions, make single-use static
    - libcurl.m4: remove trailing 'dnl' that causes this to break autoconf
    - libssh: when keyboard-interactive auth fails, try password
    - misc: fix spelling mistakes
    - page-header: mention curl version and how to figure out current release
    - page-header: minor wording polish in the URL segment
    - scripts/singleuse.pl: add more API calls
    - urlapi: remove superfluous host name check
* Tue May 23 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.1.1:
    * Bugfixes:
    - cf-socket: completely remove the disabled
      USE_RECV_BEFORE_SEND_WORKAROUND
    - checksrc: disallow spaces before labels
    - curl_easy_getinfo: clarify on return data types
    - docs: document that curl_url_cleanup(NULL) is a safe no-op
    - hostip: move easy_lock.h include above curl_memory.h
    - http2: double http request parser max line length
    - http2: increase stream window size to 10 MB
    - lib: rename struct 'http_req' to 'httpreq'
    - ngtcp2: proper handling of uint64_t when adjusting send buffer
    - sectransp.c: make the code c89 compatible
    - select: avoid returning an error on EINTR from select() or poll()
    - url: provide better error message when URLs fail to parse
    - urlapi: allow numerical parts in the host name
* Wed May 17 2023 David Anes <david.anes@suse.com>
  - Update to 8.1.0:
    * Security fixes:
    - UAF in SSH sha256 fingerprint [bsc#1211230, CVE-2023-28319]
    - siglongjmp race condition [bsc#1211231, CVE-2023-28320]
    - IDN wildcard match [bsc#1211232, CVE-2023-28321]
    - POST-after-PUT confusion [bsc#1211233, CVE-2023-28322]
    - See also: https://curl.se/docs/security.html
    * Changes:
    - curl: add --proxy-http2
    - CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
    - hostip: refuse to resolve the .onion TLD
    - tool_writeout: add URL component variables
    * Bugfixes:
    - See full changelog here: https://curl.se/changes.html#8_1_0
* Tue Mar 21 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.0.1:
    * Bugfixes:
    - fix crash in curl_easy_cleanup
* Mon Mar 20 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 8.0.0:
    * Security fixes:
    - TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
    - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
    - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
    - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
    - HSTS double-free [bsc#1209213, CVE-2023-27537]
    - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
    * Changes:
    - build: remove support for curl_off_t < 8 bytes
    * Bugfixes:
    - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
    - BINDINGS: add Fortran binding
    - cf-socket: use port 80 when resolving name for local bind
    - cookie: don't load cookies again when flushing
    - curl_path: create the new path with dynbuf
    - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
    - DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
    - ftp: active mode with SSL, add the filter
    - hostip: avoid sscanf and extra buffer copies
    - http2: fix for http2-prior-knowledge when reusing connections
    - http2: fix handling of RST and GOAWAY to recognize partial transfers
    - http: don't send 100-continue for short PUT requests
    - http: fix unix domain socket use in https connects
    - libssh: use dynbuf instead of realloc
    - ngtcp2-gnutls.yml: bump to gnutls 3.8.0
    - sectransp: make read_cert() use a dynbuf when loading
    - telnet: only accept option arguments in ascii
    - telnet: parse telnet options without sscanf
    - url: fix the SSH connection reuse check
    - url: only reuse connections with same GSS delegation
    - urlapi: '%' is illegal in host names
    - ws: keep the socket non-blocking
    * Rebase libcurl-ocloexec.patch
* Mon Feb 20 2023 Guillaume GARDET <guillaume.gardet@opensuse.org>
  - Update to 7.88.1:
    * Bugfix release
  - Drop upstreamed patch:
    * curl-fix-uninitialized-value-in-tests.patch
* Wed Feb 15 2023 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
    [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
    * Security fixes:
    - CVE-2023-23914: HSTS ignored on multiple requests
    - CVE-2023-23915: HSTS amnesia with --parallel
    - CVE-2023-23916: HTTP multi-header compression denial of service
    * Changes:
    - curl.h: add CURL_HTTP_VERSION_3ONLY
    - share: add sharing of HSTS cache among handles
    - src: add --http3-only
    - tool_operate: share HSTS between handles
    - urlapi: add CURLU_PUNYCODE
    - writeout: add %{certs} and %{num_certs}
    * Bugfixes:
    - cf-socket: keep sockaddr local in the socket filters
    - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
    - curl.h: allow up to 10M buffer size
    - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
    - curl/websockets.h: extend the websocket frame struct
    - curl: output warning at --verbose output for debug-enabled version
    - curl_free.3: fix return type of `curl_free`
    - curl_log: for failf/infof and debug logging implementations
    - dict: URL decode the entire path always
    - docs/DEPRECATE.md: deprecate gskit
    - easyoptions: fix header printing in generation script
    - haxproxy: send before TLS handhshake
    - hsts.d: explain hsts more
    - hsts: handle adding the same host name again
    - HTTP/[23]: continue upload when state.drain is set
    - http: decode transfer encoding first
    - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
    - http_proxy: do not assign data->req.p.http use local copy
    - lib: connect/h2/h3 refactor
    - libssh2: try sha2 algos for hostkey methods
    - md4: fix build with GnuTLS + OpenSSL v1
    - ngtcp2: replace removed define and stop using removed function
    - noproxy: support for space-separated names is deprecated
    - nss: implement data_pending method
    - openldap: fix missing sasl symbols at build in specific configs
    - openssl: adapt to boringssl's error code type
    - openssl: don't ignore CA paths when using Windows CA store (redux)
    - openssl: don't log raw record headers
    - openssl: make the BIO_METHOD a local variable in the connection filter
    - openssl: only use CA_BLOB if verifying peer
    - openssl: remove attached easy handles from SSL instances
    - openssl: store the CA after first send (ClientHello)
    - setopt: use >, not >=, when checking if uarg is larger than uint-max
    - smb: return error on upload without size
    - socketpair: allow localhost MITM sniffers
    - strdup: name it Curl_strdup
    - tool_getparam: fix hiding of command line secrets
    - tool_operate: fix error codes on bad URL & OOM
    - tool_operate: repair --rate
    - transfer: break the read loop when RECV is cleared
    - typecheck: accept expressions for option/info parameters
    - urlapi: avoid Curl_dyn_addf() for hex outputs
    - urlapi: skip path checks if path is just "/"
    - urlapi: skip the extra dedotdot alloc if no dot in path
    - urldata: cease storing TLS auth type
    - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
    - urldata: make set.http200aliases conditional on HTTP being present
    - urldata: move the cookefilelist to the 'set' struct
    - urldata: remove unused struct fields, made more conditional
    - vquic: stabilization and improvements
    - vtls: fix hostname handling in filters
    - vtls: manage current easy handle in nested cfilter calls
    - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
    * Rebase libcurl-ocloexec.patch
    * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
    - runtests: fix "uninitialized value $port"
    - Add curl-fix-uninitialized-value-in-tests.patch
* Wed Dec 21 2022 David Anes <david.anes@suse.com>
  - Update to 7.87.0:
    * Security fixes:
    - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
    - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
    * Changes
    - curl: add --url-query
    - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
    - lib: add CURL_WRITEFUNC_ERROR to signal write callback error
    - openssl: reduce CA certificate bundle reparsing by caching
    - version: add a feature names array to curl_version_info_data
    * Bugfixes
    - altsvc: fix rejection of negative port numbers
    - aws_sigv4: consult x-%s-content-sha256 for payload hash
    - aws_sigv4: fix typos in aws_sigv4.c
    - base64: better alloc size
    - base64: encode without using snprintf
    - base64: faster base64 decoding
    - build: assume assert.h is always available
    - build: assume errno.h is always available
    - c-hyper: CONNECT respones are not server responses
    - c-hyper: fix multi-request mechanism
    - CI: Change FreeBSD image from 12.3 to 12.4
    - CI: LGTM.com will be shut down in December 2022
    - ci: Remove zuul fuzzing job as it's superseded by CIFuzz
    - cmake: check for cross-compile, not for toolchain
    - CMake: fix build with `CURL_USE_GSSAPI`
    - cmake: really enable warnings with clang
    - cmake: set the soname on the shared library
    - cmdline-opts/gen.pl: fix the linkifier
    - cmdline-opts/page-footer: remove long option nroff formatting
    - config-mac: define HAVE_SYS_IOCTL_H
    - config-mac: fix typo: size_T -> size_t
    - config-mac: remove HAVE_SYS_SELECT_H
    - config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
    - configure: require fork for NTLM-WB
    - contributors.sh: actually use $CURLWWW instead of just setting it
    - cookie: compare cookie prefixes case insensitively
    - cookie: expire cookies at once when max-age is negative
    - cookie: open cookie jar as a binary file
    - curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
    - curl-rustls.m4: on macOS, rustls also needs the Security framework
    - curl.h: include <sys/select.h> on SerenityOS
    - curl.h: name all public function parameters
    - curl.h: reword comment to not use deprecated option
    - curl: override the numeric locale and set "C" by force
    - curl: timeout in the read callback
    - curl_endian: remove Curl_write64_le from header
    - curl_get_line: allow last line without newline char
    - curl_path: do not add '/' if homedir ends with one
    - curl_url_get.3: remove spurious backtick
    - curl_url_set.3: document CURLU_DISALLOW_USER
    - curl_url_set.3: fix typo
    - CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
    - CURLOPT_COOKIEFILE.3: advice => advise
    - CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
    - CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
    - CURLOPT_POST.3: Explain setting to 0 changes request type
    - docs/curl_ws_send: Fixed typo in websocket docs
    - docs/EARLY-RELEASE.md: how to determine an early release
    - docs/examples: spell correction ('Retrieve')
    - docs/INSTALL.md: expand on static builds
    - docs/WEBSOCKET.md: explain the URL use
    - docs: add missing parameters for --retry flag
    - docs: add more "SEE ALSO" links to CA related pages
    - docs: explain the noproxy CIDR notation support
    - docs: extend the dump-header documentation
    - docs: remove performance note in CURLOPT_SSL_VERIFYPEER
    - examples/10-at-a-time: fix possible skipped final transfers
    - examples: update descriptions
    - ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
    - gen.pl: do not generate CURLHELP bitmask lines > 79 characters
    - GHA: clarify workflows permissions, set least possible privilege
    - GHA: NSS use clang instead of clang-9
    - gnutls: use common gnutls init and verify code for ngtcp2
    - headers: add endif comments
    - HTTP-COOKIES.md: mention that http://localhost is a secure context
    - HTTP-COOKIES.md: update the 6265bis link to draft-11
    - http: do not send PROXY more than once
    - http: fix the ::1 comparison for IPv6 localhost for cookies
    - http: set 'this_is_a_follow' in the Location: logic
    - http: use the IDN decoded name in HSTS checks
    - hyper: classify headers as CONNECT and 1XX
    - hyper: fix handling of hyper_task's when reusing the same address
    - idn: remove Curl_win32_ascii_to_idn
    - INSTALL: update operating systems and CPU archs
    - KNOWN_BUGS: remove eight entries
    - lib1560: add some basic IDN host name tests
    - lib: connection filters (cfilter) addition to curl:
    - lib: feature deprecation warnings in gcc >= 4.3
    - lib: fix some type mismatches and remove unneeded typecasts
    - lib: parse numbers with fixed known base 10
    - lib: remove bad set.opt_no_body assignments
    - lib: rewind BEFORE request instead of AFTER previous
    - lib: sync guard for Curl_getaddrinfo_ex() definition and use
    - lib: use size_t or int etc instead of longs
    - libcurl-errors.3: remove duplicate word
    - libssh2: return error when ssh_hostkeyfunc returns error
    - limit-rate.d: see also --rate
    - log2changes.pl: wrap long lines at 80 columns
    - Makefile.mk: address minor issues
    - Makefile.mk: improve a GNU Make hack
    - Makefile.mk: portable Makefile.m32
    - maketgz: set the right version in lib/libcurl.plist
    - mime: relax easy/mime structures binding
    - misc: Fix incorrect spelling
    - misc: remove duplicated include files
    - misc: typo and grammar fixes
    - negtelnetserver.py: have it call its close() method
    - netrc.d: provide mutext info
    - netware: remove leftover traces
    - noproxy: also match with adjacent comma
    - noproxy: guard against empty hostnames in noproxy check
    - noproxy: tailmatch like in 7.85.0 and earlier
    - nroff-scan.pl: detect double highlights
    - ntlm: improve comment for encrypt_des
    - ntlm: silence ubsan warning about copying from null target_info pointer
    - openssl/mbedtls: use %d for outputing port with failf (int)
    - openssl: prefix errors with '[lib]/[version]: '
    - os400: use platform socklen_t in Curl_getnameinfo_a
    - page-header: grammar improvement (display transfer rate)
    - proxy: refactor haproxy protocol handling as connection filter
    - README.md: remove badges and xmas-tree garnish
    - rtsp: fix RTSP auth
    - runtests: --no-debuginfod now disables DEBUGINFOD_URLS
    - runtests: do CRLF replacements per section only
    - scripts/checksrc.pl: detect duplicated include files
    - sendf: change Curl_read_plain to wrap Curl_recv_plain
    - sendf: remove unnecessary if condition
    - setup: do not require __MRC__ defined for Mac OS 9 builds
    - smb/telnet: do not free the protocol struct in *_done()
    - socks: fix username max size is 255 (0xFF)
    - spellcheck.words: remove 'github' as an accepted word
    - ssl-reqd.d: clarify that this is for upgrading connections only
    - strcase: use curl_str(n)equal for case insensitive matches
    - styled-output.d: this option does not work on Windows
    - system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
    - system.h: support 64-bit curl_off_t for NonStop 32-bit
    - test1421: fix typo
    - test3026: reduce runtime in legacy mingw builds
    - tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
    - tests: add authorityInfoAccess to generated certs
    - tests: add HTTP/3 test case, custom location for proper nghttpx
    - tls: backends use connection filters for IO, enabling HTTPS-proxy
    - tool: determine the correct fopen option for -D
    - tool_cfgable: free the ssl_ec_curves on exit
    - tool_cfgable: make socks5_gssapi_nec a boolean
    - tool_formparse: avoid clobbering on function params
    - tool_getparam: make --no-get work as the opposite of --get
    - tool_operate: provide better errmsg for -G with bad URL
    - tool_operate: when aborting, make sure there is a non-NULL error buffer
    - tool_paramhlp: free the proto strings on exit
    - url: move back the IDN conversion of proxy names
    - urlapi: reject more bad letters from the host name: &+()
    - urldata: change port num storage to int and unsigned short
    - vms: remove SIZEOF_SHORT
    - vtls: fix build without proxy support
    - vtls: localization of state data in filters
    - WEBSOCKET.md: fix broken link
    - Websocket: fixes for partial frames and buffer updates
    - websockets: fix handling of partial frames
    - windows: fail early with a missing windres in autotools
    - windows: fix linking .rc to shared curl with autotools
    - winidn: drop WANT_IDN_PROTOTYPES
    - ws: if no connection is around, return error
    - ws: return CURLE_NOT_BUILT_IN when websockets not built in
    - x509asn1: avoid freeing unallocated pointers
* Wed Nov 16 2022 Luciano Santos <luc14n0@opensuse.org>
  - Add 1.50.0 as the minimum libnghttp2 build requirement version as
    a bandaid. Curl's 7.86.0 release introduces the use of
    nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
    introduced by nghttp2 1.50.0 release, without introducing a check
    for the function/right version in their build scripts. This will
    make Zypper/cURL unusable in some corner cases where users
    installing something that requires libcurl4 before doing full
    system upgrade, thus updating the cURL stack, but not
    libnghttp2's. Background: boo#1204983, Factory mailing list
    threadd:
    "? broken dependency in curl and/or *zyp* ?", and forums thread:
    Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.
* Wed Oct 26 2022 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.86.0:
    * Security fixes:
    - POST following PUT confusion [bsc#1204383, CVE-2022-32221]
    - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
    - HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
    - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
    * Changes:
    - NPN: remove support for and use of
    - Websockets: initial support
    * Bugfixes:
    - altsvc: reject bad port numbers
    - autotools: reduce brute-force when detecting recv/send arg list
    - aws_sigv4: fix header computation
    - cli tool: do not use disabled protocols
    - connect: change verbose IPv6 address:port to [address]:port
    - connect: fix builds without AF_INET6
    - connect: fix Curl_updateconninfo for TRNSPRT_UNIX
    - connect: fix the wrong error message on connect failures
    - content_encoding: use writer struct subclasses for different encodings
    - cookie: reject cookie names or content with TAB characters
    - curl/add_file_name_to_url: use the libcurl URL parser
    - curl/get_url_file_name: use libcurl URL parser
    - curl: warn for --ssl use, considered insecure
    - docs/libcurl/symbols-in-versions: add several missing symbols
    - ftp: ignore a 550 response to MDTM
    - functypes: provide the recv and send arg and return types
    - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
    - header: define public API functions as extern c
    - headers: reset the requests counter at transfer start
    - hostip: guard PF_INET6 use
    - hostip: lazily wait to figure out if IPv6 works until needed
    - http, vauth: always provide Curl_allow_auth_to_host() functionality
    - http2: make nghttp2 less picky about field whitespace
    - http: try parsing Retry-After: as a number first
    - http_proxy: restore the protocol pointer on error
    - lib: add missing limits.h includes
    - lib: prepare the incoming of additional protocols
    - lib: sanitize conditional exclusion around MIME
    - libssh: if sftp_init fails, don't get the sftp error code
    - mprintf: reject two kinds of precision for the same argument
    - mqtt: return error for too long topic
    - netrc: compare user name case sensitively
    - netrc: replace fgets with Curl_get_line
    - netrc: use the URL-decoded user
    - ngtcp2: fix build errors due to changes in ngtcp2 library
    - noproxy: support proxies specified using cidr notation
    - openssl: make certinfo available for QUIC
    - resolve: make forced IPv4 resolve only use A queries
    - schannel: ban server ALPN change during recv renegotiation
    - schannel: don't reset recv/send function pointers on renegotiation
    - schannel: when importing PFX, disable key persistence
    - setopt: use the handler table for protocol name to number conversions
    - setopt: when POST is set, reset the 'upload' field
    - single_transfer: use the libcurl URL parser when appending query parts
    - smb: replace CURL_WIN32 with WIN32
    - tool: avoid generating ambiguous escaped characters in --libcurl
    - tool_main: exit at once if out of file descriptors
    - tool_operate: more transfer cleanup after parallel transfer fail
    - tool_operate: prevent over-queuing in parallel mode
    - tool_paramhelp: asserts verify maximum sizes for string loading
    - tool_xattr: save the original URL, not the final redirected one
    - url: a zero-length userinfo part in the URL is still a (blank) user
    - url: allow non-HTTPS HSTS-matching for debug builds
    - url: rename function due to name-clash in Watt-32
    - url: use IDN decoded names for HSTS checks
    - urlapi: detect scheme better when not guessing
    - urlapi: fix parsing URL without slash with CURLU_URLENCODE
    - urlapi: reject more bad characters from the host name field
    * Remove patch upstream:
    - connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
* Sat Oct 08 2022 Vasily Ulyanov <vasily.ulyanov@suse.com>
  - Update connection info when using UNIX socket as endpoint
    connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
* Fri Sep 30 2022 Pedro Monreal <pmonreal@suse.com>
  - Change the deprecated configure option --enable-hidden-symbols
    to the new --enable-symbol-hiding.
* Wed Aug 31 2022 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.85.0:
    * Security fixes: [bsc#1202593, CVE-2022-35252]
    - control code in cookie denial of service
    * Changes:
    - quic: add support via wolfSSL
    - schannel: Add TLS 1.3 support
    - setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
    * Bugfixes:
    - asyn-thread: fix socket leak on OOM
    - asyn-thread: make getaddrinfo_complete return CURLcode
    - base64: base64url encoding has no padding
    - configure: fix broken m4 syntax in TLS options
    - configure: if asked to use TLS, fail if no TLS lib was detected
    - connect: add quic connection information
    - connect: set socktype/protocol correctly
    - cookie: reject cookies with "control bytes"
    - cookie: treat a blank domain in Set-Cookie: as non-existing
    - curl: output warning when a cookie is dropped due to size
    - Curl_close: call Curl_resolver_cancel to avoid memory-leak
    - digest: fix memory leak, fix not quoted 'opaque'
    - digest: fix missing increment of 'nc' value for auth-int
    - digest: pass over leading spaces in qop values
    - digest: reject broken header with session protocol but without qop
    - doh: use https protocol by default
    - easy_lock.h: include sched.h if available to fix build
    - easy_lock.h: use __asm__ instead of asm to fix build
    - easy_lock: switch to using atomic_int instead of bool
    - ftp: use a correct expire ID for timer expiry
    - h2h3: fix overriding the 'TE: Trailers' header
    - hostip: resolve *.localhost to 127.0.0.1/::1
    - HTTP3.md: update to msh3 v0.4.0
    - hyper: use wakers for curl pause/resume
    - lib3026: reduce the number of threads to 100
    - libssh2: make atime/mtime date overflow return error
    - libssh2: provide symlink name in SFTP dir listing
    - multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
    - multi: use larger dns hash table for multi interface
    - multi_wait: fix skipping to populate revents for extra_fds
    - netrc: Use the password from lines without login
    - ngtcp2: Fix build error due to change in nghttp3 prototypes
    - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
    - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
    - openssl: add 'CURL_BORINGSSL_VERSION' to identify BoringSSL
    - openssl: add cert path in error message
    - openssl: add details to "unable to set client certificate" error
    - openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
    - select: do not return fatal error on EINTR from poll()
    - sendf: fix paused header writes since after the header API
    - sendf: skip storing HTTP headers if HTTP disabled
    - url: really use the user provided in the url when netrc entry exists
    - url: reject URLs with hostnames longer than 65535 bytes
    - url: treat missing usernames in netrc as empty
    - urldata: reduce size of several struct fields
    - vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
    * Remove tests-for-32bit.patch fixed in the update
    * Rebase libcurl-ocloexec.patch
* Sun Jul 24 2022 Dirk Müller <dmueller@suse.com>
  - add tests-for-32bit.patch to fix testsuite on 32bit platforms
* Mon Jun 27 2022 David Anes <david.anes@suse.com>
  - Update to 7.84.0:
    * Security fixes:
    - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
    - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
    - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
    - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
    * Changes:
    - curl: add --rate to set max request rate per time unit
    - curl: deprecate --random-file and --egd-file
    - curl_version_info: add CURL_VERSION_THREADSAFE
    - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
    - lib: make curl_global_init() threadsafe when possible
    - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
    - opts: deprecate RANDOM_FILE and EGDSOCKET
    - socks: support unix sockets for socks proxy
    * Bugfixes:
    - aws-sigv4: fix potentional NULL pointer arithmetic
    - bindlocal: don't use a random port if port number would wrap
    - c-hyper: mark status line as status for Curl_client_write()
    - ci: avoid `cmake -Hpath`
    - CI: bump FreeBSD 13.0 to 13.1
    - ci: update github actions
    - cmake: add libpsl support
    - cmake: do not add libcurl.rc to the static libcurl library
    - cmake: enable curl.rc for all Windows targets
    - cmake: fix detecting libidn2
    - cmake: support adding a suffix to the OS value
    - configure: skip libidn2 detection when winidn is used
    - configure: use the SED value to invoke sed
    - configure: warn about rustls being experimental
    - content_encoding: return error on too many compression steps
    - cookie: address secure domain overlay
    - cookie: apply limits
    - copyright.pl: parse and use .reuse/dep5 for skips
    - copyright: make repository REUSE compliant
    - curl.1: add a few see also --tls-max
    - curl.1: mention exit code zero too
    - curl: re-enable --no-remote-name
    - curl_easy_pause.3: remove explanation of progress function
    - curl_getdate.3: document that some illegal dates pass through
    - Curl_parsenetrc: don't access local pwbuf outside of scope
    - curl_url_set.3: clarify by default using known schemes only
    - CURLOPT_ALTSVC.3: document the file format
    - CURLOPT_FILETIME.3: fix the protocols this works with
    - CURLOPT_HTTPHEADER.3: improve comment in example
    - CURLOPT_NETRC.3: document the .netrc file format
    - CURLOPT_PORT.3: We discourage using this option
    - CURLOPT_RANGE.3: remove ranged upload advice
    - digest: added detection of more syntax error in server headers
    - digest: tolerate missing "realm"
    - digest: unquote realm and nonce before processing
    - DISABLED: disable 1021 for hyper again
    - docs/cmdline-opts: add copyright and license identifier to each file
    - docs/CONTRIBUTE.md: document the 'needs-votes' concept
    - docs: clarify data replacement policy for MIME API
    - doh: remove UNITTEST macro definition
    - examples/crawler.c: use the curl license
    - examples: remove fopen.c and rtsp.c
    - FAQ: Clarify Windows double quote usage
    - fopen: add Curl_fopen() for better overwriting of files
    - ftp: restore protocol state after http proxy CONNECT
    - ftp: when failing to do a secure GSSAPI login, fail hard
    - GHA/hyper: enable debug in the build
    - gssapi: improve handling of errors from gss_display_status
    - gssapi: initialize gss_buffer_desc strings
    - headers api: remove EXPERIMENTAL tag
    - http2: always debug print stream id in decimal with %u
    - http2: reject overly many push-promise headers
    - http: restore header folding behavior
    - hyper: use 'alt-used'
    - krb5: return error properly on decode errors
    - lib: make more protocol specific struct fields #ifdefed
    - libcurl-security.3: add "Secrets in memory"
    - libcurl-security.3: document CRLF header injection
    - libssh: skip the fake-close when libssh does the right thing
    - links: update dead links to the curl-wiki
    - log2changes: do not indent empty lines [ci skip]
    - macos9: remove partial support
    - Makefile.am: fix portability issues
    - Makefile.m32: delete obsolete options, improve -On [ci skip]
    - Makefile.m32: delete two obsolete OpenSSL options [ci skip]
    - Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
    - max-time.d: clarify max-time sets max transfer time
    - mprintf: ignore clang non-literal format string
    - netrc: check %USERPROFILE% as well on Windows
    - netrc: support quoted strings
    - ngtcp2: allow curl to send larger UDP datagrams
    - ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
    - ngtcp2: enable Linux GSO
    - ngtcp2: extend QUIC transport parameters buffer
    - ngtcp2: fix alert_read_func return value
    - ngtcp2: fix typo in preprocessor condition
    - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
    - ngtcp2: send appropriate connection close error code
    - ngtcp2: support boringssl crypto backend
    - ngtcp2: use helper funcs to simplify TLS handshake integration
    - ntlm: provide a fixed fake host name
    - projects: fix third-party SSL library build paths for Visual Studio
    - quic: add Curl_quic_idle
    - quiche: support ca-fallback
    - rand: stop detecting /dev/urandom in cross-builds
    - remote-name.d: mention --output-dir
    - runtests.pl: add the --repeat parameter to the --help output
    - runtests: fix skipping tests not done event-based
    - runtests: skip starting the ssh server if user name is lacking
    - scripts/copyright.pl: fix the exclusion to not ignore man pages
    - sectransp: check for a function defined when __BLOCKS__ is undefined
    - select: return error from "lethal" poll/select errors
    - server/sws: support spaces in the HTTP request path
    - speed-limit/time.d: mention these affect transfers in either direction
    - strcase: some optimisations
    - test 2081: add a valid reply for the second request
    - test 675: add missing CR so the test passes when run through Privoxy
    - test414: add the '--resolve' keyword
    - test681: verify --no-remote-name
    - tests 266, 116 and 1540: add a small write delay
    - tests/data/test1501: kill ftp server after slow LIST response
    - tests/getpart: fix getpartattr to work with "data" and "data2"
    - tests/server/sws.c: change the HTTP writedelay unit to milliseconds
    - test{440,441,493,977}: add "HTTP proxy" keywords
    - tool_getparam: fix --parallel-max maximum value constraint
    - tool_operate: make sure --fail-with-body works with --retry
    - transfer: fix potential NULL pointer dereference
    - transfer: maintain --path-as-is after redirects
    - transfer: upload performance; avoid tiny send
    - url: free old conn better on reuse
    - url: remove redundant #ifdefs in allocate_conn()
    - url: URL encode the path when extracted, if spaces were set
    - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
    - urlapi: support CURLU_URLENCODE for curl_url_get()
    - urldata: reduce size of a few struct fields
    - urldata: remove three unused booleans from struct UserDefined
    - urldata: store tcp_keepidle and tcp_keepintvl as ints
    - version: allow stricmp() for sorting the feature list
    - vtls: make curl_global_sslset thread-safe
    - wolfssh.h: removed
    - wolfssl: correct the failf() message when a handle can't be made
    - wolfSSL: explicitly use compatibility layer
    - x509asn1: mark msnprintf return as unchecked
* Wed May 11 2022 David Anes <david.anes@suse.com>
  - Update to 7.83.1:
    * Security fixes:
    - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
    - (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
    - (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
    - (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
    - (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
    - (bsc#1199220, CVE-2022-27778) removes wrong file on error
    * Bugfixes:
    - altsvc: fix host name matching for trailing dots
    - cirrus: Update to FreeBSD 12.3
    - cirrus: Use pip for Python packages on FreeBSD
    - conn: fix typo 'connnection' -> 'connection' in two function names
    - cookies: make bad_domain() not consider a trailing dot fine
    - curl: free resource in error path
    - curl: guard against size_t wraparound in no-clobber code
    - CURLOPT_DOH_URL.3: mention the known bug
    - CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
    - CURLOPT_SSH_AUTH_TYPES.3: fix the default
    - data/test376: set a proper name
    - GHA/mbedtls: enabled nghttp2 in the build
    - gha: build msh3
    - gskit: fixed bogus setsockopt calls
    - gskit: remove unused function set_callback
    - hsts: ignore trailing dots when comparing hosts names
    - HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
    - http: move Curl_allow_auth_to_host()
    - http_proxy/hyper: handle closed connections
    - hyper: fix test 357
    - Makefile: fix "make ca-firefox"
    - mbedtls: bail out if rng init fails
    - mbedtls: fix compile when h2-enabled
    - mbedtls: fix some error messages
    - misc: use "autoreconf -fi" instead buildconf
    - msh3: get msh3 version from MsH3Version
    - msh3: print boolean value as text representation
    - msh3: psss remote_port to MsH3ConnectionOpen
    - ngtcp2: add ca-fallback support for OpenSSL backend
    - nss: return error if seemingly stuck in a cert loop
    - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
    - post_per_transfer: remove the updated file name
    - sectransp: bail out if SSLSetPeerDomainName fails
    - tests/server: declare variable 'reqlogfile' static
    - tests: fix markdown formatting in README
    - test{898,974,976}: add 'HTTP proxy' keywords
    - tls: check more TLS details for connection reuse
    - url: check SSH config match on connection reuse
    - urlapi: address (harmless) UndefinedBehavior sanitizer warning
    - urlapi: reject percent-decoding host name into separator bytes
    - x509asn1: make do_pubkey handle EC public keys
* Fri Apr 22 2022 David Anes <david.anes@suse.com>
  - Patches rework:
    * Refreshed all patches as -p1.
    * Use autopatch macro.
    * Renamed:
    - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
    * Removed (already upstream):
    - curl-fix-verifyhost.patch
  - Update to 7.83.0:
    * Security fixes:
    - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
    - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
    - (bsc#1198608, CVE-2022-27774) Credential leak on redirect
    - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
    * Changes:
    - curl: add %header{name} experimental support in -w handling
    - curl: add %{header_json} experimental support in -w handling
    - curl: add --no-clobber
    - curl: add --remove-on-error
    - header api: add curl_easy_header and curl_easy_nextheader
    - msh3: add support for QUIC and HTTP/3 using msh3
    * Bugfixes:
    - appveyor: add Cygwin build
    - appveyor: only add MSYS2 to PATH where required
    - BearSSL: add CURLOPT_SSL_CIPHER_LIST support
    - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
    - BINDINGS.md: add Hollywood binding
    - CI: Do not use buildconf. Instead, just use: autoreconf -fi
    - CI: install Python package impacket to run SMB test 1451
    - configure.ac: move -pthread CFLAGS setting back where it used to be
    - configure: bump the copyright year range int the generated output
    - conncache: include the zone id in the "bundle" hashkey
    - connecache: remove duplicate connc->closure_handle check
    - connect: make Curl_getconnectinfo work with conn cache from share handle
    - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
    - cookie.d: clarify when cookies are sent
    - cookies: improve errorhandling for reading cookiefile
    - curl/system.h: update ifdef condition for MCST-LCC compiler
    - curl: error out if -T and -d are used for the same URL
    - curl: error out when options need features not present in libcurl
    - curl: escape '?' in generated --libcurl code
    - curl: fix segmentation fault for empty output file names.
    - curl_easy_header: fix typos in documentation
    - CURLINFO_PRIMARY_PORT.3: clarify which port this is
    - CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
    - CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
    - CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
    - CURLOPT_PROGRESSFUNCTION.3: fix typo in example
    - CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
    - CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
    - docs/HYPER.md: updated to reflect current hyper build needs
    - docs/opts: Mention Schannel client cert type is P12
    - docs: Fix missing semicolon in example code
    - docs: lots of minor language polish
    - English: use American spelling consistently
    - fail.d: tweak the description
    - firefox-db2pem.sh: make the shell script safer
    - ftp: fix error message for partial file upload
    - gen.pl: change wording for mutexed options
    - GHA: add openssl3 jobs moved over from zuul
    - GHA: build hyper with nightly rustc
    - GHA: move bearssl jobs over from zuul
    - gha: move the event-based test over from Zuul
    - gtls: fix build for disabled TLS-SRP
    - http2: handle DONE called for the paused stream
    - http2: RST the stream if we stop it on our own will
    - http: avoid auth/cookie on redirects same host diff port
    - http: close the stream (not connection) on time condition abort
    - http: reject header contents with nul bytes
    - http: return error on colon-less HTTP headers
    - http: streamclose "already downloaded"
    - hyper: fix status_line() return code
    - hyper: fix tests 580 and 581 for hyper
    - hyper: no h2c support
    - infof: consistent capitalization of warning messages
    - ipv4/6.d: clarify that they are about using IP addresses
    - json.d: fix typo (overriden -> overridden)
    - keepalive-time.d: It takes many probes to detect brokenness
    - lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
    - lib670: avoid double check result
    - lib: #ifdef on USE_HTTP2 better
    - lib: fix some misuse of curlx_convert_wchar_to_UTF8
    - lib: remove exclamation marks
    - libssh2: compare sha256 strings case sensitively
    - libssh2: make the md5 comparison fail if wrong length
    - libssh: fix build with old libssh versions
    - libssh: fix double close
    - libssh: Improve fix for missing SSH_S_ stat macros
    - libssh: unstick SFTP transfers when done event-based
    - macos: set .plist version in autoconf
    - mbedtls: remove 'protocols' array from backend when ALPN is not used
    - mbedtls: remove server_fd from backend
    - mk-ca-bundle.pl: Use stricter logic to process the certificates
    - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
    - mlc_config.json: add file to ignore known troublesome URLs
    - mqtt: better handling of TCP disconnect mid-message
    - ngtcp2: add client certificate authentication for OpenSSL
    - ngtcp2: avoid busy loop in low CWND situation
    - ngtcp2: deal with sub-millisecond timeout
    - ngtcp2: disconnect the QUIC connection proper
    - ngtcp2: enlarge H3_SEND_SIZE
    - ngtcp2: fix HTTP/3 upload stall and avoid busy loop
    - ngtcp2: fix memory leak
    - ngtcp2: fix QUIC_IDLE_TIMEOUT
    - ngtcp2: make curl 1ms faster
    - ngtcp2: remove remote_addr which is not used in a meaningful way
    - ngtcp2: update to work after recent ngtcp2 updates
    - ngtcp2: use token when detecting :status header field
    - nonblock: restore setsockopt method to curlx_nonblock
    - openssl: check SSL_get_peer_cert_chain return value
    - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
    - openssl: fix CN check error code
    - options: remove mistaken space before paren in prototype
    - perl: removed a double semicolon at end of line
    - pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
    - projects/README: converted to markdown
    - projects: Update VC version names for VS2017, VS2022
    - rtsp: don't let CSeq error override earlier errors
    - runtests: add 'bearssl' as testable feature
    - runtests: make 'oldlibssh' be before 0.9.4
    - schannel: remove dead code that will never run
    - scripts/copyright.pl: ignore the new mlc_config.json file
    - scripts: move three scripts from lib/ to scripts/
    - test1135: sync with recent API updates
    - test1459: disable for oldlibssh
    - test375: fix line endings on Windows
    - test386: Fix an incorrect test markup tag
    - test718: edited slightly to return better HTTP
    - tests/server/util.h: align WIN32 condition with util.c
    - tests: refactor server/socksd.c to support --unix-socket
    - timediff.[ch]: add curlx helper functions for timeval conversions
    - tls: make mbedtls and NSS check for h2, not nghttp2
    - tool and tests: force flush of all buffers at end of program
    - tool_cb_hdr: Turn the Location: into a terminal hyperlink
    - tool_getparam: error out on missing -K file
    - tool_listhelp.c: uppercase URL
    - tool_operate: fix a scan-build warning
    - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
    - transfer: redirects to other protocols or ports clear auth
    - unit1620: call global_init before calling Curl_open
    - url: check sasl additional parameters for connection reuse.
    - vtls: provide a unified APLN-disagree string for all backends
    - vtls: use a backend standard message for "ALPN: offers %s"
    - vtls: use a generic "ALPN, server accepted" message
    - winbuild/README.md: fixup dead link
    - winbuild: Add a Visual Studio example to the README
    - wolfssl: fix compiler error without IPv6
* Fri Mar 11 2022 Pedro Monreal <pmonreal@suse.com>
  - Fix: openssl: fix CN check error code
    * Add curl-fix-verifyhost.patch
* Mon Mar 07 2022 Paolo Stivanin <info@paolostivanin.com>
  - Update to 7.82.0:
    * curl: add --json command line option
    * curl: make it so that sensitive command line arguments do not
      show as easily in the output of ps(1)
    * curl_multi_socket.3: remove callback and typical usage descriptions
    * ftp: provide error message for control bytes in path
    * ldap: return CURLE_URL_MALFORMAT for bad URL
    * lib: remove support for CURL_DOES_CONVERSIONS
    * mqtt: plug some memory leaks
    * multi: allow user callbacks to call curl_multi_assign
    * multi: remember connection_id before returning connection to pool
    * multi: set in_callback for multi interface callbacks
    * netware: remove support
    * ngtcp2: adapt to changed end of headers callback proto
    * openldap: implement SASL authentication
    * openssl: return error if TLS 1.3 is requested when not supported
    * sectransp: mark a 3DES cipher as weak
    * smb: pass socket for writing and reading data instead of FIRSTSOCKET
    * tool_getparam: DNS options that need c-ares now fail without it
    * TPF: drop support
    * url: given a user in the URL, find pwd for that user in netrc
    * url: keep trailing dot in host name
    * urlapi: handle "redirects" smarter
    * urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
    * urldata: remove conn->bits.user_passwd
* Sun Jan 09 2022 Dirk Müller <dmueller@suse.com>
  - update to 7.81.0:
    * mime: use percent-escaping for multipart form field and file names
    * asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
    * azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
    * BINDINGS: add cURL client for PostgreSQL
    * BINDINGS: add one from Everything curl and update a link
    * checksrc: detect more kinds of NULL comparisons we avoid
    * CI: build examples for additional code verification
    * CI: bump job to use mbedtls 3.1.0
    * cmake: don't set _USRDLL on a static Windows build
    * cmake: prevent dev warning due to mismatched arg
    * cmake: private identifiers use CURL_ instead of CMAKE_ prefix
    * config.d: update documentation to match the path search
    * configure: add -lm to configure for rustls build.
    * configure: better diagnostics if hyper is built wrong
    * configure: don't enable TLS when --without-* flags are used
    * configure: fix runtime-lib detection on macOS
    * curl.1: require "see also" for every documented option
    * curl: improve error message for --head with -J
    * curl_easy_cleanup.3: remove from multi handle first
    * curl_easy_escape.3: call curl_easy_cleanup in example
    * curl_easy_unescape.3: call curl_easy_cleanup in example
    * curl_multi_init.3: fix EXAMPLE formatting
    * curl_multi_perform/socket_action.3: clarify what errors mean
    * curl_share_setopt.3: split out options into their own manpages
    * CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
    * digest: compute user:realm:pass digest w/o userhash
    * docs/checksrc: Add documentation for STRERROR
    * docs/cmdline-opts: do not say "protocols: all"
    * docs/examples: workaround broken -Wno-pedantic-ms-format
    * docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
    * docs/INSTALL.md: typo fix : added missing "get" verb
    * docs/URL-SYNTAX.md: space is not fine in a given URL
    * docs: add known bugs list to HTTP3.md
    * docs: address proselint nits
    * docs: consistent manpage SYNOPSIS
    * docs: fix dead links, remove ECH.md
    * docs: fix typo in OpenSSL 3 build instructions
    * docs: Update the Reducing Size section
    * example/progressfunc: remove code for old libcurls
    * examples/multi-single.c: remove WAITMS()
    * FAQ: typo fix : "yout" ➤ "your"
    * ftp: disable warning 4706 in MSVC
    * gen.pl: improve example output format
    * github workflow: add wolfssl (removed from zuul)
    * github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
    * gtls: check return code for gnutls_alpn_set_protocols
    * hash: lazy-alloc the table in Curl_hash_add()
    * http2:set_transfer_url() return early on OOM
    * HTTP3: update quiche build instructions
    * http: enable haproxy support for hyper backend
    * http: Fix CURLOPT_HTTP200ALIASES
    * http_proxy: don't close the socket (too early)
    * insecure.d: detail its use for SFTP and SCP as well
    * insecure.d: expand and clarify
    * libcurl-multi.3: "SOCKS proxy handshakes" are not blocking
    * libcurl-security.3: mention address and URL mitigations
    * libssh2: fix error message for sha256 mismatch
    * libtest: avoid "assignment within conditional expression"
    * lift: ignore is a deprecated config option, use ignoreRules
    * linkcheck.yml: add CI job that checks markdown links
    * m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
    * Makefile.m32: rename -winssl option to -schannel and tidy up
    * mbedTLS: add support for CURLOPT_CAINFO_BLOB
    * mbedtls: fix CURLOPT_SSLCERT_BLOB
    * mbedtls: fix private member designations for v3.1.0
    * misc: remove unused doh flags when CURL_DISABLE_DOH is defined
    * misc: s/e-mail/email
    * multi: cleanup the socket hash when destroying it
    * multi: handle errors returned from socket/timer callbacks
    * multi: shut down CONNECT in Curl_detach_connnection
    * netrc.d: edit the .netrc example to look nicer
    * ngtcp2: verify the server cert on connect (quictls)
    * ngtcp2: verify the server certificate for the gnutls case
    * nss:set_cipher don't clobber the cipher list
    * openldap: implement STARTTLS
    * openldap: process search query response messages one by one
    * openldap: several minor improvements
    * openldap: simplify ldif generation code
    * openssl: check the return value of BIO_new()
    * openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
    * openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
    * openssl: remove usage of deprecated `SSL_get_peer_certificate`
    * openssl: use non-deprecated API to read key parameters
    * page-footer: add a mention of how to report bugs to the man page
    * page-footer: document more environment variables
    * request.d: refer to 'method' rather than 'command'
    * retry-all-errors.d: make the example complete
    * runtests: make the SSH library a testable feature
    * rustls: read of zero bytes might be okay
    * rustls: remove comment about checking handshaking
    * rustls: remove incorrect EOF check
    * sha256/md5: return errors when init fails
    * socks5: use appropriate ATYP for numerical IP address host names
    * test1156: enable for hyper
    * test1156: fixup the stdout check for Windows
    * test1525: tweaked for hyper
    * test1526: enable for hyper
    * test1527: enable for hyper
    * test1528: enable for hyper
    * test1554: adjust for hyper
    * test1556: adjust for hyper
    * test302[12]: run only with the libssh2 backend
    * test661: enable for hyper
    * tests/CI.md: add more information on CI environments
    * tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
    * tftp: mark protocol as not possible to do over CONNECT
    * tool_findfile: updated search for a file in the homedir
    * tool_operate: only set SSH related libcurl options for SSH URLs
    * tool_operate: warn if too many output arguments were found
    * url.c: fix the SIGPIPE comment for Curl_close
    * url: check ssl_config when re-use proxy connection
    * url: reduce ssl backend count for CURL_DISABLE_PROXY builds
    * urlapi: accept port number zero
    * urlapi: if possible, shorten given numerical IPv6 addresses
    * urlapi: provide more detailed return codes
    * urlapi: reject short file URLs
    * version_win32: Check build number and platform id
    * vtls/rustls: adapt to the updated rustls_version proto
    * writeout: fix %{http_version} for HTTP/3
    * x509asn1: return early on errors
    * zuul.d: update rustls-ffi to version 0.8.2
    * zuul: fix quiche build pointing to wrong Cargo
* Tue Nov 16 2021 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.80.0:
    * Changes:
    - CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
    - CURLOPT_PREREQFUNCTION: add new callback
    - libssh2: add SHA256 fingerprint support
    - urlapi: add curl_url_strerror()
    * Bugfixes:
    - aws-sigv4: make signature work when post data is binary
    - c-hyper: don't abort CONNECT responses early when auth-in-progress
    - c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
    - cmake: add CURL_ENABLE_SSL option
    - cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
    - configure.ac: replace krb5-config with pkg-config
    - configure: when hyper is selected, deselect nghttp2
    - curl-confopts.m4: remove --enable/disable-hidden-symbols
    - curl-openssl.m4: modify library order for openssl linking
    - curl_ntlm_core: use OpenSSL only if DES is available
    - Curl_updateconninfo: store addresses for QUIC connections too
    - ftp: make the MKD retry to retry once per directory
    - http: fix Basic auth with empty name field in URL
    - http: reject HTTP response codes < 100
    - http: remove assert that breaks hyper
    - http: set content length earlier
    - imap: display quota information
    - libssh2: Get the version at runtime if possible
    - md5: fix compilation with OpenSSL 3.0 API
    - ngtcp2: advertise h3 as well as h3-29
    - ngtcp2: compile with the latest nghttp3
    - ngtcp2: use latest QUIC TLS RFC9001
    - NTLM: use DES_set_key_unchecked with OpenSSL
    - openssl: if verifypeer is not requested, skip the CA loading
    - openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
    - schannel: fix memory leak due to failed SSL connection
    - sendf: accept zero-length data in Curl_client_write()
    - sha256: use high-level EVP interface for OpenSSL
    - sws: fix memory leak on exit
    - tool_operate: a failed etag save now only fails that transfer
    - url: check the return value of curl_url()
    - url: set "k->size" -1 at start of request
    - urlapi: skip a strlen(), pass in zero
    - urlapi: URL decode percent-encoded host names
    - vtls: Fix a memory leak if an SSL session cannot be added to the cache
    - wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
    * Use --with-openssl configure option, --with-ssl is now deprecated
* Wed Sep 22 2021 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.79.1:
    * Bugfixes:
    - Curl_http2_setup: don't change connection data on repeat invokes
    - curl_multi_fdset: make FD_SET() not operate on sockets out of range
    - dist: provide lib/.checksrc in the tarball
    - FAQ: add GOPHERS + curl works on data, not files
    - hsts: CURLSTS_FAIL from hsts read callback should fail transfer
    - hsts: handle unlimited expiry
    - http: fix the broken >3 digit response code detection
    - strerror: use sys_errlist instead of strerror on Windows
    - test1184: disable: https://github.com/curl/curl/issues/7725
    - tests/sshserver.pl: make it work with openssh-8.7p1
* Wed Sep 15 2021 Pedro Monreal <pmonreal@suse.com>
  - Temporarily disable flaky test 1184
    * See https://github.com/curl/curl/issues/7725
* Wed Sep 15 2021 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
    [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
    * Changes:
    - bearssl: support CURLOPT_CAINFO_BLOB
    - http: consider cookies over localhost to be secure
    - secure transport: support CURLINFO_CERTINFO
    * Bugfixes:
    - CVE-2021-22945: clear the leftovers pointer when sending succeeds
    - CVE-2021-22946: do not ignore --ssl-reqd
    - CVE-2021-22947: reject STARTTLS server response pipelining
    - auth: do not append zero-terminator to authorisation id in kerberos
    - auth: properly handle byte order in kerberos security message
    - auth: use sasl authzid option in kerberos
    - auth: we do not support a security layer after kerberos authentication
    - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
    - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
    - c-hyper: initial step for 100-continue support
    - c-hyper: initial support for "dumping" 1xx HTTP responses
    - curl-openssl.m4: show correct output for OpenSSL v3
    - docs/MQTT: update state of username/password support
    - docs: the security list is reached at security at curl.se now
    - getparameter: fix the --local-port number parser
    - hostip: Make Curl_ipv6works function independent of getaddrinfo
    - http_proxy: fix the User-Agent inclusion in CONNECT
    - http_proxy: fix user-agent and custom headers for CONNECT with hyper
    - http_proxy: only wait for writable socket while sending request
    - mailing lists: move from cool.haxx.se to lists.haxx.se
    - mbedtls: avoid using a large buffer on the stack
    - mbedTLS: initial 3.0.0 support
    - ngtcp2: remove the acked_crypto_offset struct field init
    - ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
    - ngtcp2: reset the oustanding send buffer again when drained
    - ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
    - ngtcp2: stop buffering crypto data
    - ngtcp2: utilize crypto API functions to simplify
    - openssl: when creating a new context, there cannot be an old one
    - scripts: invoke interpreters through /usr/bin/env
    - tests/runtests.pl: cleanup copy&paste mistakes and unused code
    - tests: be explicit about using 'python3' instead of 'python'
    - tool/tests: fix potential year 2038 issues
    - tool_operate: Fix --fail-early with parallel transfers
    - x509asn1: fix heap over-read when parsing x509 certificates
    * Rebase libcurl-ocloexec.patch
* Wed Jul 21 2021 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.78.0:
    [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
    [bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
    * Changes:
    - curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
    - CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
    - hostip: make 'localhost' return fixed values
    - mbedtls: add support for cert and key blob options
    - metalink: remove all support for it
    - mqtt: add support for username and password
    * Bugfixes:
    - ares: always store IPv6 addresses first
    - c-hyper: abort CONNECT response reading early on non 2xx responses
    - c-hyper: add support for transfer-encoding in the request
    - c-hyper: bail on too long response headers
    - c-hyper: clear NTLM auth buffer when request is issued
    - c-hyper: fix NTLM on closed connection tested with test159
    - conncache: lowercase the hash key for better match
    - curl_multibyte: Remove local encoding fallbacks
    - Curl_ntlm_core_mk_nt_hash: fix OOM in error path
    - Curl_ssl_getsessionid: fail if no session cache exists
    - easy: during upkeep, attach Curl_easy to connections in the cache
    - gnutls: set the preferred TLS versions in correct order
    - hsts: ignore numberical IP address hosts
    - HSTS: not experimental anymore
    - http2: init recvbuf struct for pushed streams
    - http: fix crash in rate-limited upload
    - http: make the haproxy support work with unix domain sockets
    - http_proxy: deal with non-200 CONNECT response with Hyper
    - lib: don't compare fd to FD_SETSIZE when using poll
    - lib: fix compiler warnings with CURL_DISABLE_NETRC
    - lib: fix type of len passed to *printf's %*s
    - lib: more %u for port and int for %*s fixes
    - lib: use %u instead of %ld for port number printf
    - libssh2: limit time a disconnect can take to 1 second
    - mqtt: detect illegal and too large file size
    - msnprintf: return number of printed characters excluding null byte
    - multi: add scan-build-6 work-around in curl_multi_fdset
    - multi: alter transfer timeout ordering
    - multi: do not switch off connect_only flag when closing
    - multi: fix crash in curl_multi_wait / curl_multi_poll
    - ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
    - openssl: avoid static variable for seed flag
    - openssl: don't remove session id entry in disassociate
    - socketpair: fix potential hangs
    - socks4: scan for the IPv4 address in resolve results
    - ssl: read pending close notify alert before closing the connection
    - telnet: fix option parser to not send uninitialized contents
    - TLS: prevent shutdown loops to get stuck
    - vtls: exit addsessionid if no cache is inited
    - vtls: fix connection reuse checks for issuer cert and case sensitivity
* Wed May 26 2021 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.77.0: [bsc#1186114, CVE-2021-22898]
    [bsc#1186115, bsc#1185579, CVE-2021-22901]
    * Security fixes:
    - CVE-2021-22297: schannel cipher selection surprise
    - CVE-2021-22298: TELNET stack contents disclosure
    - CVE-2021-22901: TLS session caching disaster
    * Changes:
    - configure: make the TLS library choice(s) explicit
    - curl: ignore options asking for SSLv2 or SSLv3
    - hsts: enable by default
    - SSL: support in-memory CA certs for some backends
    - vtls: refuse setting any SSL version
    * Bugfixes:
    - configure: provide --with-openssl, deprecate --with-ssl
    - cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
    - curl: include libmetalink version in --version output
    - data_pending: check only SECONDARY socket for FTP(S) transfers
    - gnutls: don't allow TLS 1.3 for versions that don't support it
    - gnutls: make setting only the MAX TLS allowed version work
    - http2: fix resource leaks in set_transfer_url() and push_promise()
    - http: limit the initial send amount to used upload buffer size
    - rustls: only return CURLE_AGAIN when TLS session is fully drained
    - rustls: use ALPN
    - schannel: Disable auto credentials; add an option to enable it
    - schannel: Support strong crypto option
    - sectransp: allow cipher name to be specified
    - sockfilt: avoid getting stuck waiting for writable socket
* Sun Apr 25 2021 Dirk Müller <dmueller@suse.com>
  - update to 7.76.1:
    - ngtcp2: Use ALPN h3-29 for now
    - TODO: remove 18.22 --fail-with-body
* Wed Mar 31 2021 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.76.0
    * Security fixes:
    - [bsc#1183933, CVE-2021-22876]: strip credentials from the
    auto-referer header field
    - [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to
    Curl_ssl_get/addsessionid()
    * Changes:
    - cookies: Support multiple -b parameters
    - curl: add --fail-with-body
    - doh: add options to disable ssl verification
    - http: add support to read and store the referrer header
    - sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
    - vtls: initial implementation of rustls backend
    * Bugfixes:
    - CVE-2021-22876: strip credentials from the auto-referer header field
    - CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
    - c-hyper: support automatic content-encoding
    - configure: only add OpenSSL paths if they are defined
    - configure: provide Largefile feature for curl-config
    - curl: set CURLOPT_NEW_FILE_PERMS if requested
    - doh: Fix sharing user's resolve list with DOH handles
    - doh: Inherit CURLOPT_STDERR from user's easy handle
    - dynbuf: bump the max HTTP request to 1MB
    - ftp: add 'list_only' to the transfer state struct
    - ftp: add 'prefer_ascii' to the transfer state struct
    - ftp: allow SIZE to fail when doing (resumed) upload
    - ftp: avoid SIZE when asking for a TYPE A file
    - ftp: fix memory leak in ftp_done
    - ftp: never set data->set.ftp_append outside setopt
    - gnutls: assume nettle crypto support
    - http2: don't set KEEP_SEND when there's no more data to be sent
    - http2: fail if connection terminated without END_STREAM
    - http: do not add a referrer header with empty value
    - http: strip default port from URL sent to proxy
    - http: use credentials from transfer, not connection
    - lib: remove 'conn->data' completely
    - multi: close the connection when h2=>h1 downgrading
    - multi: do once-per-transfer inits in before_perform in DID state
    - multi: rename the multi transfer states
    - multi: update pending list when removing handle
    - ngtcp2: adapt to the new recv_datagram callback
    - ngtcp2: clarify calculation precedence
    - ngtcp2: sync with recent API updates
    - openssl: adapt to v3's new const for a few API calls
    - openssl: ensure to check SSL_CTX_set_alpn_protos return values
    - openssl: remove get_ssl_version_txt in favor of SSL_get_version
    - parse_proxy: fix a memory leak in the OOM path
    - url: fix memory leak if OOM in the HSTS handling
    - url: fix possible use-after-free in default protocol
    - urldata: don't touch data->set.httpversion at run-time
    - urldata: merge "struct DynamicStatic" into "struct UrlState"
    - urldata: remove the 'rtspversion' field
    - urldata: remove the _ORIG suffix from string names
    - wolfssl: don't store a NULL sessionid
* Thu Mar 04 2021 Cristian Rodríguez <crrodriguez@opensuse.org>
  - Harden build, enable full RELRO
  - Never allow undefined symbols anywhere.
* Thu Feb 04 2021 Pedro Monreal <pmonreal@suse.com>
  - Update to 7.75.0
    * Changes:
    - curl: add --create-file-mode [mode]
    - curl: add new variables to --write-out
    - dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
    - gopher: implement secure gopher protocol
    - http: add Hyper as new optional HTTP backend
    - http: introduce AWS HTTP v4 Signature support
    * Bugfixes:
    - cmake: Add an option to disable libidn2
    - cmake: enable gophers correctly in curl-config
    - cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
    - digest_sspi: Show InitializeSecurityContext errors in verbose mode
    - getinfo: build with disabled HTTP support
    - http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
    - http_proxy: Fix CONNECT chunked encoding race condition
    - httpauth: make multi-request auth work with custom port
    - lib: pass in 'struct Curl_easy *' to most functions
    - lib: remove Curl_ prefix from many static functions
    - lib: save a bit of space with some structure packing
    - libssh: avoid plain free() of libssh-memory
    - mime: make sure setting MIMEPOST to NULL resets properly
    - multi_runsingle: bail out early on data->conn == NULL
    - ngtcp2: Fix http3 upload stall
    - ngtcp2: Fix stack buffer overflow
    - openssl: lowercase the hostname before using it for SNI
    - socks: use the download buffer instead
    - speedcheck: exclude paused transfers
    - tooĺ_writeout: fix the -w time output units
    - url: if IDNA conversion fails, fallback to Transitional
  - Refresh libcurl-ocloexec.patch

Files

/usr/lib/libcurl.so.4
/usr/lib/libcurl.so.4.8.0
/usr/share/licenses/libcurl4
/usr/share/licenses/libcurl4/COPYING


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jan 7 23:49:12 2025