Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package curl for openSUSE:Factory checked in at 2026-05-04 12:48:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/curl (Old) and /work/SRC/openSUSE:Factory/.curl.new.30200 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Mon May 4 12:48:27 2026 rev:224 rq:1350194 version:8.20.0 Changes: --------
--- /work/SRC/openSUSE:Factory/curl/curl.changes 2026-03-28 20:14:31.412326289 +0100
+++ /work/SRC/openSUSE:Factory/.curl.new.30200/curl.changes 2026-05-04 12:49:02.018403824 +0200
@@ -1,0 +2,163 @@
+Wed Apr 29 13:45:19 UTC 2026 - Lucas Mulling <[email protected]>
+
+- Update to 8.20.0:
+ * Security fixes:
+ - CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631)
+ - CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632)
+ - CVE-2026-5773: wrong reuse of SMB connection (bsc#1262633)
+ - CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635)
+ - CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636)
+ - CVE-2026-6429: curl: netrc credential leak with reused proxy connection (bsc#1262638)
+ * Changes:
+ - async-thrdd: use thread queue for resolving
+ - lib: add thread pool and queue
+ - lib: drop support for < c-ares 1.16.0
+ - lib: make SMB support opt-in
+ - multi.h: add CURLMNWC_CLEAR_ALL
+ - rtmp: drop support
+ * Bugfixes:
+ - altsvc: cap the list at 5,000 entries
+ - altsvc: drop the prio field from the struct
+ - altsvc: skip expired entries read from file
+ - asyn-ares: connect async
+ - asyn-ares: drop orphaned variable references
+ - asyn-ares: fix HTTPS-lookup when not on port 443
+ - asyn-thrdd: drop redundant `result` check
+ - asyn-thrdd: fix clang-tidy unused value warning
+ - async-ares: fix query counter handling
+ - cf-ip-happy: limit concurrent attempts
+ - cf-socket: avoid low risk integer overflow on ancient Solaris
+ - cfilters: fix Curl_pollset_poll() return code mixup
+ - config2setopts: make --capath work in proxy disabled builds
+ - cookie: fix rejection when tabs in value
+ - curl.h: replace macros with C++-friendly method to enforce 3 args
+ - curl_ctype.h: fix spelling in a couple of locally used macros
+ - curl_get_line: error out on read errors
+ - curl_get_line: fix potential infinite loop when filename is a directory
+ - curl_ngtcp2: extend and update callbacks for 1.22.0+
+ - curl_ntlm_core: drop redundant PP condition
+ - curl_ntlm_core: use wolfCrypt DES API with wolfSSL
+ - curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard
+ - curl_sha512_256: support delegating to wolfSSL API
+ - curlx_now(), prevent zero timestamp
+ - digest: pass in the username quoted (as well)
+ - dns: https-eyeballing async
+ - dnscache: own source file, improvements
+ - doh: fix memory-leak when doing a second DoH resolve
+ - doh: remove superfluous doh_req check
+ - file: init fd to -1 to prevent close fd 0 on early failure
+ - fopen: for temp files, inherit permissions only for owner
+ - ftp: do not strdup DATA hostname
+ - ftp: make the MDTM date parser stricter (again)
+ - ftp: reject PWD responses containing control characters
+ - generate.bat: remove extra % from VC11 and VC12 runs
+ - genserv.pl: make external calls safe
+ - getinfo: initialize `PureInfo` field `used_proxy`
+ - getinfo: repair CURLINFO_TLS_SESSION
+ - h3: HTTPS-RR use in HTTP/3
+ - Happy Eyeballs: add resolution time delay
+ - hostip: clear the sockaddr_in6 structure before use
+ - hostip: init the curl_jmpenv_lock appropriately
+ - hostip: resolve user supplied ip addresses
+ - HSTS: cap the list
+ - hsts: make the HSTS read callback handle name dupes
+ - hsts: skip expired HSTS entries read from file
+ - hsts: when a dupe host adds subdomains, use that
+ - http2: clear the h2 session at delete
+ - http2: prevent secure schemes pushed over insecure connections
+ - http2: return error on OOM in push headers
+ - http: clear credentials better on redirect
+ - http: clear digest nonce on cross-origin redirect
+ - http: clear the proxy credentials as well on port or scheme change
+ - http: fix auth_used and auth_avail
+ - http: fix Curl_compareheader for multi value headers
+ - http: make Curl_compareheader handle multiple commas in header
+ - http: on 303, switch to GET
+ - http: use header_has_value() instead of duplicate code
+ - imap: reset the UIDVALIDITY state between transfers
+ - lib: accept larger input to md5/hmac/sha256/sha512 functions
+ - lib: always use Curl_1st_fatal instead of Curl_1st_err
+ - lib: make resolving HTTPS DNS records reliable:
+ - lib: move request specific allocations to the request struct
+ - lib: replace `PRI*32` printf masks with C89 ones
+ - libssh2: allocate libssh2-friendly memory in kbd_callback
+ - libssh2: fix error handling on quote errors
+ - libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0
+ - libssh: path length precaution
+ - libssh: propagate error back in SFTP function
+ - location/follow: mention netrc
+ - man: fix argument type for `CURLSHOPT_[UN]SHARE` options
+ - md4, md5: switch to wolfCrypt API in wolfSSL builds
+ - mime: only allow 40 levels of calls
+ - misc: fix code quality findings
+ - multi: enhance pending handles fairness
+ - multi: fix connection retry for non-http
+ - multi: improve wakeup and wait code
+ - netrc: find login-less password when user is given in URL
+ - netrc: remove unused parsenetrc() macro for netrc-disabled
+ - netrc: skip malformed macdef lines
+ - openssl channel_binding: lookup digest algorithm without NID
+ - openssl: drop obsolete SSLv2 logic
+ - openssl: fix build with 4.0.0-beta1 no-deprecated
+ - openssl: fix memory leaks in ECH code (OpenSSL 3)
+ - openssl: fix unused variable warnings in !verbose builds
+ - openssl: trace count of found / imported Windows native CA roots
+ - OS400: add new definitions to the ILE/RPG binding.
+ - parsedate: bsearch the time zones
+ - parsedate: fix wrong treatment of "military time zones"
+ - parsedate: refactor
+ - progress: count amount of data "delivered" to application
+ - protocol.h: fix the CURLPROTO_MASK
+ - protocol: disable connection reuse for SMB(S)
+ - protocol: use scheme names lowercase
+ - proxy: chunked response, error code
+ - pytest: add additional quiche check for flaky test_05_01
+ - pytest: check 429 handling
+ - rand: use `BCryptGenRandom()` in UWP builds
+ - ratelimit: reset on start
+ - request: reset resp_trailer in new requests
+ - schannel: increase renegotiation timeout to 60 seconds
+ - sendf: fix CR detection if no LF is in the chunk
+ - setopt: move CURLOPT_CURLU
+ - setup connection filter: mark as setup
+ - sha256, sha512_256: switch to wolfCrypt API
+ - sha256: support delegating to wolfSSL API
+ - share: concurrency handling, easy updates
+ - share: do bitshifts after the type is checked to be valid
+ - socks: reject zero-length GSSAPI/SSPI tokens from proxy
+ - socks: use dns filter for resolving
+ - src: use ftruncate() unconditionally
+ - strerr: correct the strerror_s() return code condition
+ - sws: fix potential OOB write
+ - synctime: fix off-by-one read and write to a read-only buffer (Windows)
+ - top-complexity: prevent filename-based shell injection risk
+ - transfer: clear the old autoreferer
+ - transfer: clear the URL pointer in OOM to avoid UAF
+ - transfer: enable custom methods again on next transfer
+ - transfer: enhance secure check
+ - url: do not reuse a non-tls starttls connection if new requires TLS
+ - url: improve connection reuse on negotiate
+ - url: init req.no_body in DO so that it works for h2 push
+ - url: set default upload flags to CURLULFLAG_SEEN
+ - url: use the socks type for socks proxy
+ - urlapi: fix handling of "file:///"
+ - urlapi: make dedotdotify handle leading dots correctly
+ - urlapi: stop extracting hostname from file:// URLs on Windows
+ - urlapi: verify the last letter of a scheme when set explicitly
+ - urldata: connection bit ipv6_ip is wrong
+ - urldata: import port types and conn destination format
+ - urldata: make hstslist only present in HSTS builds
+ - urldata: make speeder_c uint32
+ - urldata: move cookiehost to struct SingleRequest
+ - urldata: remove trailers_state
+ - vquic: fix variable name in fallback code
+ - vtls: log when key logging is enabled.
+ - vtls_scache: check reentrancy
+ - vtls_scache: include cert_blob independently of verifypeer
+ - ws: fix a blocking curl_ws_send() to report written length correctly
+ - x509asn1: fix to return error in an error case from `encodeOID()`
+ - x509asn1: fixed and adapted for ASN1tostr unit testing
+ - x509asn1: improve encodeOID
+ * Rebased patches: dont-mess-with-rpmoptflags.patch libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
Old: ---- curl-8.19.0.tar.xz curl-8.19.0.tar.xz.asc New: ---- curl-8.20.0.tar.xz curl-8.20.0.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.AvFQmy/_old 2026-05-04 12:49:02.998444176 +0200 +++ /var/tmp/diff_new_pack.AvFQmy/_new 2026-05-04 12:49:02.998444176 +0200 @@ -36,7 +36,7 @@ %endif Name: curl%{?psuffix} -Version: 8.19.0 +Version: 8.20.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl ++++++ curl-8.19.0.tar.xz -> curl-8.20.0.tar.xz ++++++ ++++ 105993 lines of diff (skipped) ++++++ dont-mess-with-rpmoptflags.patch ++++++ --- /var/tmp/diff_new_pack.AvFQmy/_old 2026-05-04 12:49:06.242577749 +0200 +++ /var/tmp/diff_new_pack.AvFQmy/_new 2026-05-04 12:49:06.246577914 +0200
@@ -1,8 +1,8 @@ -Index: curl-8.19.0-rc2/configure.ac +Index: curl-8.20.0/configure.ac =================================================================== ---- curl-8.19.0-rc2.orig/configure.ac -+++ curl-8.19.0-rc2/configure.ac -@@ -602,11 +602,6 @@ if test "$curl_cv_native_windows" = "yes +--- curl-8.20.0.orig/configure.ac ++++ curl-8.20.0/configure.ac +@@ -604,11 +604,6 @@ if test "$curl_cv_native_windows" = "yes ]) fi @@ -12,6 +12,6 @@ -CURL_SET_COMPILER_WARNING_OPTS - if test "$compiler_id" = "INTEL_UNIX_C"; then - # if test "$compiler_num" -ge "1000"; then + dnl icc 10.X or later ++++++ libcurl-ocloexec.patch ++++++ --- /var/tmp/diff_new_pack.AvFQmy/_old 2026-05-04 12:49:06.290579725 +0200 +++ /var/tmp/diff_new_pack.AvFQmy/_new 2026-05-04 12:49:06.298580055 +0200 @@ -7,11 +7,11 @@ compile time is not enough. -Index: curl-8.19.0-rc2/lib/file.c +Index: curl-8.20.0/lib/file.c =================================================================== ---- curl-8.19.0-rc2.orig/lib/file.c -+++ curl-8.19.0-rc2/lib/file.c -@@ -228,7 +228,7 @@ static CURLcode file_connect(struct Curl +--- curl-8.20.0.orig/lib/file.c ++++ curl-8.20.0/lib/file.c +@@ -230,7 +230,7 @@ static CURLcode file_connect(struct Curl } } #else @@ -20,7 +20,7 @@ file->path = real_path; #endif #endif -@@ -296,9 +296,9 @@ static CURLcode file_upload(struct Curl_ +@@ -298,9 +298,9 @@ static CURLcode file_upload(struct Curl_ data->set.new_file_perms & (_S_IREAD | _S_IWRITE)); #elif (defined(ANDROID) || defined(__ANDROID__)) && \ (defined(__i386__) || defined(__arm__)) @@ -32,10 +32,10 @@ #endif if(fd < 0) { failf(data, "cannot open %s for writing", file->path); -Index: curl-8.19.0-rc2/lib/if2ip.c +Index: curl-8.20.0/lib/if2ip.c =================================================================== ---- curl-8.19.0-rc2.orig/lib/if2ip.c -+++ curl-8.19.0-rc2/lib/if2ip.c +--- curl-8.20.0.orig/lib/if2ip.c ++++ curl-8.20.0/lib/if2ip.c 
@@ -202,7 +202,7 @@ if2ip_result_t Curl_if2ip(int af, if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; @@ -45,12 +45,12 @@ if(dummy == CURL_SOCKET_BAD) return IF2IP_NOT_FOUND; -Index: curl-8.19.0-rc2/configure.ac +Index: curl-8.20.0/configure.ac =================================================================== ---- curl-8.19.0-rc2.orig/configure.ac -+++ curl-8.19.0-rc2/configure.ac -@@ -507,6 +507,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [ - # Silence warning: ar: 'u' modifier ignored since 'D' is the default +--- curl-8.20.0.orig/configure.ac ++++ curl-8.20.0/configure.ac +@@ -509,6 +509,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [ + dnl Silence warning: ar: 'u' modifier ignored since 'D' is the default AC_SUBST(AR_FLAGS, [cr]) +AC_USE_SYSTEM_EXTENSIONS @@ -58,10 +58,10 @@ dnl This defines _ALL_SOURCE for AIX CURL_CHECK_AIX_ALL_SOURCE -Index: curl-8.19.0-rc2/lib/hostip.c +Index: curl-8.20.0/lib/hostip.c =================================================================== ---- curl-8.19.0-rc2.orig/lib/hostip.c -+++ curl-8.19.0-rc2/lib/hostip.c +--- curl-8.20.0.orig/lib/hostip.c ++++ curl-8.20.0/lib/hostip.c @@ -43,6 +43,7 @@ #include <setjmp.h> /* for sigjmp_buf, sigsetjmp() */ #include <signal.h> @@ -70,7 +70,7 @@ #include "urldata.h" #include "curl_addrinfo.h" #include "curl_trc.h" -@@ -752,7 +753,7 @@ static struct Curl_addrinfo *get_localho +@@ -293,7 +294,7 @@ static struct Curl_addrinfo *get_localho CURLcode Curl_probeipv6(struct Curl_multi *multi) { /* probe to see if we have a working IPv6 stack */ 
@@ -79,11 +79,11 @@ multi->ipv6_works = FALSE; if(s == CURL_SOCKET_BAD) { if(SOCKERRNO == SOCKENOMEM) -Index: curl-8.19.0-rc2/lib/cf-socket.c +Index: curl-8.20.0/lib/cf-socket.c =================================================================== ---- curl-8.19.0-rc2.orig/lib/cf-socket.c -+++ curl-8.19.0-rc2/lib/cf-socket.c -@@ -342,7 +342,8 @@ static CURLcode socket_open(struct Curl_ +--- curl-8.20.0.orig/lib/cf-socket.c ++++ curl-8.20.0/lib/cf-socket.c +@@ -338,7 +338,8 @@ static CURLcode socket_open(struct Curl_ return CURLE_COULDNT_CONNECT; } #endif
