Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package curl for openSUSE:Factory checked in at 2026-07-09 22:17:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/curl (Old) and /work/SRC/openSUSE:Factory/.curl.new.1991 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Thu Jul 9 22:17:56 2026 rev:226 rq:1361808 version:8.21.0 Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl.changes 2026-06-04 18:53:10.734062083 +0200 +++ /work/SRC/openSUSE:Factory/.curl.new.1991/curl.changes 2026-07-09 22:17:57.967243039 +0200 @@ -1,0 +2,27 @@ +Wed Jun 24 16:36:24 UTC 2026 - Lucas Mulling <[email protected]> + +- Update to 8.21.0: + * Security fixes: + - CVE-2026-8286: wrong STARTTLS connection reuse (bsc#1268402) + - CVE-2026-8458: wrong reuse for different services (bsc#1268407) + - CVE-2026-8924: traling dot domain super cookie (bsc#1268409) + - CVE-2026-8925: SASL double-free (bsc#1268411) + - CVE-2026-8926: password leak with netrc and user in URL (bsc#1268412) + - CVE-2026-8927: env-set cross-proxy Digest auth state leak (bsc#1268413) + - CVE-2026-8932: incomplete mTLS config matching in conn reuse (bsc#1268414) + - CVE-2026-9079: stale proxy password leak (bsc#1268415) + - CVE-2026-9080: UAF after pause in socket callback (bsc#1268416) + - CVE-2026-9545: exposing HTTP/3 early data (bsc#1268417) + - CVE-2026-9546: sending old referer (bsc#1268419) + - CVE-2026-9547: SSH improper host validation (bsc#1268420) + - CVE-2026-10536: HTTP/2 stream-dependency tree UAF (bsc#1268422) + - CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (bsc#1268423) + - CVE-2026-11564: Native CA trust persist (bsc#1268424) + - CVE-2026-11586: WS Auto-PONG memory exhaustion (bsc#1268425) + - CVE-2026-11856: cross-origin Digest auth state leak (bsc#1268426) + - CVE-2026-12064: proto-default skips SSH verification (bsc#1268427) + * For a complete changelog see: https://curl.se/ch/8.21.0.html +- Remove patches now in upstream: + curl-disabled-redirect-protocol-message.patch libcurl-fix-wakeup-consumption.patch + +------------------------------------------------------------------- Old: ---- curl-8.20.0.tar.xz curl-8.20.0.tar.xz.asc curl-disabled-redirect-protocol-message.patch libcurl-fix-wakeup-consumption.patch New: ---- curl-8.21.0.tar.xz curl-8.21.0.tar.xz.asc ----------(Old B)---------- Old:- Remove patches now in upstream: curl-disabled-redirect-protocol-message.patch libcurl-fix-wakeup-consumption.patch Old:- Remove patches now in upstream: curl-disabled-redirect-protocol-message.patch libcurl-fix-wakeup-consumption.patch ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.E0AuRB/_old 2026-07-09 22:17:59.315288761 +0200 +++ /var/tmp/diff_new_pack.E0AuRB/_new 2026-07-09 22:17:59.319288897 +0200 @@ -36,7 +36,7 @@ %endif Name: curl%{?psuffix} -Version: 8.20.0 +Version: 8.21.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -49,9 +49,6 @@ Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.patch Patch2: curl-secure-getenv.patch -# PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled -Patch3: curl-disabled-redirect-protocol-message.patch -Patch4: libcurl-fix-wakeup-consumption.patch BuildRequires: groff BuildRequires: libtool BuildRequires: pkgconfig ++++++ curl-8.20.0.tar.xz -> curl-8.21.0.tar.xz ++++++ ++++ 112539 lines of diff (skipped)
