From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4dwXv421rHz34Mc for ; Tue, 20 Jan 2026 16:33:20 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4dwXv02D73z332b for ; Tue, 20 Jan 2026 16:33:16 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4dwXtz64gJz1FW; Tue, 20 Jan 2026 16:33:15 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1768926795; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=R2hjNUdVPm+SvznVw3QASrKgnLcstQuxC1yDlpmI7SE=; b=rCrQ+tLmlWWif26K1J+eH1C1Wlva1CfiSDRsWCR1vhkJvxI6t1iXLUm7s/Nl8OtP8u6lwI qN4zU0mRt9BX6CBQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1768926795; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=R2hjNUdVPm+SvznVw3QASrKgnLcstQuxC1yDlpmI7SE=; b=U/2utQ61dATWrrUe4uKDWJqQ5zHFddl37gTsDZFcv3gCzLE+kzKNt3USZkvjEniFsTtDMy Hnnt7d9p+mLxCNwvSAiT64hTfa+Fyu6Bg9PBRRIA7f78qRfm49PC5vdxZKh5sw0vDikcrO jXd+GsCgxCt72NmdHFTEcFWbwxPDVP96sFR3abPyAoxzhuMJftIavd1q5KKHtDUOX+Ue8N OzoEN6k+L9LguMDCm+THrueJJlTADWNJ8+GvduHVbH2MrMh+DO6JADH+qM9OVzalkS7eU1 tCpU7Koppo98Opwy+WPGa/p3JBJPBUROsmingHxGdITB3aZMTET+NLn74ajvSQ== From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH] curl: Update to version 8.18.0 Date: Tue, 20 Jan 2026 17:33:07 +0100 Message-ID: <20260120163311.3763307-5-adolf.belka@ipfire.org> In-Reply-To: <20260120163311.3763307-1-adolf.belka@ipfire.org> References: <20260120163311.3763307-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit - Update from version 8.17.0 to 8.18.0 - No change to rootfile - Changelog 8.18.0 Changes: build: drop support for VS2008 (Windows) build: drop Windows CE / CeGCC support gnutls: drop support for GnuTLS < 3.6.5 gnutls: implement CURLOPT_CAINFO_BLOB openssl: bump minimum OpenSSL version to 3.0.0 Bugfixes: _PROGRESS.md: add the E unit, mention kibibyte alt-svc: more flexibility on same destination altsvc: accept ma/persist per alternative entry altsvc: make it one malloc instead of three per entry AmigaOS: increase minimum stack size for tool_main apple sectrust: fix ancient evaluation apple-sectrust: always ask when `native_ca_store` is in use asyn-ares: handle Curl_dnscache_mk_entry() OOM error asyn-ares: remove hostname free on OOM asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo asyn-thrdd: release rrname if ares_init_options fails auth: always treat Curl_auth_ntlm_get() returning NULL as OOM autotools: add nettle library detection via pkg-config (for GnuTLS) autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr) autotools: fix LargeFile feature display on Windows (after prev patch) autotools: tidy-up `if` expressions badwords: add fist -> first, fix fallouts badwords: catch and fix threading-related words badwords: fix issues found in scripts and other files badwords: fix issues found in tests build: add build-level `CURL_DISABLE_TYPECHECK` options build: exclude clang prereleases from compiler warning options build: replace `-pedantic` with `-Wpedantic` when supported build: set `-Wno-format-signedness` build: tidy-up MSVC CRT warning suppression macros ccsidcurl: make curl_mime_data_ccsid() use the converted size cf-h1-proxy: support folded headers in CONNECT responses cf-https-connect: allocate ctx at first in cf_hc_create() cf-socket: drop feature check for `IPV6_V6ONLY` on Windows cf-socket: enable Win10 `TCP_KEEP*` options with old SDKs cf-socket: limit use of `TCP_KEEP*` to Windows 10.0.16299+ at runtime cf-socket: return OOM error if socket() fails due to OOM cf-socket: trace ignored errors cfilters: make conn_forget_socket a private libssh function checksrc.pl: detect assign followed by more than one space cmake: adjust defaults for target platforms not supporting shared libs cmake: define dependencies as `IMPORTED` interface targets cmake: delete unused file `CMake/CMakeConfigurableFile.in` cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON` cmake: fix `ws2_32` reference in `curl-config.cmake` cmake: honor `CURL_DISABLE_INSTALL` and `CURL_ENABLE_EXPORT_TARGET` cmake: replace deprecated `OPENSSL_FOUND` with `OpenSSL_FOUND` cmake: replace deprecated `PERL_FOUND` with `Perl_FOUND` cmake: save and restore `CMAKE_MODULE_PATH` in `curl-config.cmake` cmake: set found status to OFF when not found (for compression deps) code: minor indent fixes before closing braces CODE_STYLE.md: sync banned function list with checksrc.pl compressed.md: might generate a huge amount of bytes config-win32.h: delete obsolete, non-Windows comments config-win32.h: drop unused/obsolete `CURL_HAS_OPENLDAP_LDAPSDK` config2setopts: add space in cookie header with multiple -b config2setopts: bail out if curl_url_get() returns OOM config2setopts: exit if curl_url_set() fails on OOM configure: delete unused variable conncache: silence `-Wnull-dereference` on gcc 14 RISC-V 64 conncontrol: reuse handling connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition' connection: attached transfer count content_encoding: avoid strcpy cookie. return proper error on OOM cookie: allocate the main struct once cookie is fine cookie: flush better cookie: only keep and use the canonical cleaned up path cookie: propagate errors better, cleanup the internal API cookie: return error on OOM cookie: when parsing a cookie header, delay all allocations until okay cshutdn: acknowledge FD_SETSIZE for shutdown descriptors curl: fix progress meter in parallel mode curl_fopen: do not pass invalid mode flags to `open()` on Windows curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer curl_ntlm_core: fix DES_* symbols for some wolfSSL builds curl_quiche: refuse headers with CR, LF or null bytes curl_sasl: if redirected, require permission to use bearer curl_sasl: make Curl_sasl_decode_mech compare case insensitively curl_setup.h: document more funcs flagged by `_CRT_SECURE_NO_WARNINGS` curl_setup.h: drop stray `#undef stat` (Windows) curl_setup.h: drop superfluous parenthesis from `Curl_safefree` macro curl_threads: don't do another malloc if the first fails curl_trc: delete unused DoH remains CURLINFO: remove 'get' and 'get the' from each short desc CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer" CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use CURLOPT_ACCEPT_ENCODING.md: warn about the expansion CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/ CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use CURLOPT_READFUNCTION.md: clarify the size of the buffer CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example curlx/fopen: replace open CRT functions their with `_s` counterparts (Windows) curlx/multibyte: stop setting macros for non-Windows curlx/strerr: use `strerror_s()` on Windows curlx: add `curlx_rename()`, fix to support long filenames on Windows curlx: curlx_strcopy() instead of strcpy() curlx: limit use of system allocators to the minimum possible curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows) curlx: replace `sprintf` with `snprintf` curlx: use curl alloc in `curlx_win32_stat()` (Windows) curlx: use curlx allocators in non-memdebug builds (Windows) DEPRECATE: add CMake <3.18 deprecation for April 2026 digest: fix OWS and escaped quote handling digest_sspi: fix a memory leak on error path digest_sspi: properly free sspi identity DISTROS.md: add OpenBSD DISTROS: fix a Mageia URL DISTROS: remove broken URLs for buildroot doc: some returned in-memory data may not be altered Dockerfile: update debian:bookworm-slim digest to e899040 docs/libcurl: fix C formatting nits docs: add a note about --compressed to note about binary output docs: clarify how to do unix domain sockets with SOCKS proxy docs: fix checksrc `EQUALSPACE` warnings docs: fix time_posttransfer output unit as seconds docs: mention umask need when curl creates files docs: remove dead URLs docs: rename CURLcode variables to 'result' docs: spell it Rustls with a capital R docs: switch more URLs to https:// docs: use .example URLs for proxies docs: use mresult as variable name for CURLMcode escape: add a length check in curl_easy_escape example: fix formatting nits examples/crawler: fix variable examples/multi-uv: fix invalid req->data access examples/threaded-ssl: delete in favor of `examples/threaded` examples/threaded: fix race condition examples: fix minor typo examples: make functions/data static where missing examples: tidy-up headers and includes examples: use 64-bit `fstat` on Windows FAQ/TODO/KNOWN_BUGS: convert to markdown FAQ: fix hackerone URL file: do not pass invalid mode flags to `open()` on upload (Windows) formdata: validate callback is non-NULL before use ftp: make EPRT connections non-blocking ftp: refactor a piece of code by merging the repeated part ftp: remove #ifdef for define that is always defined ftp: return better on OOM in two places ftp: return from ftp_state_use_port immediately on OOM getenv: drop internal 1-to-1 wrapper getinfo: improve perf in debug mode gnutls: add PROFILE_MEDIUM as default gnutls: report accurate error when TLS-SRP is not built-in gtls: add return checks and optimize the code gtls: Call keylog_close in cleanup gtls: skip session resumption when verifystatus is set h2/h3: handle methods with spaces headers: add length argument to Curl_headers_push() hostcheck: fail wildcard match if host starts with a dot hostip.h: drop redundant `setjmp.h` include hostip: don't store negative lookup on OOM hostip: make more functions return CURLcode hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST hsts: propagate and error out correctly on OOM hsts: use one malloc instead of two per entry http: acknowledge OOM errors from Curl_input_ntlm http: avoid two strdup()s and do minor simplifications http: error on OOM when creating range header http: fix OOM exit in Curl_http_follow http: handle oom error from Curl_input_digest() http: replace atoi use in Curl_http_follow with curlx_str_number http: return OOM errors from hsts properly http: the :authority header should never contain user+password http: unfold response headers earlier idn: avoid allocations and wcslen on Windows idn: clarify null-termination on Windows idn: fix memory leak in `win32_ascii_to_idn()` idn: use curlx allocators on Windows imap: check buffer length before accessing it imap: make sure Curl_pgrsSetDownloadSize() does not overflow inet_ntop: avoid the strlen() INSTALL-CMAKE.md: document static option defaults more krb5: fix detecting channel binding feature krb5_sspi: unify a part of error handling ldap: call ldap_init() before setting the options ldap: drop PP logic for old, unsupported, Windows SDKs ldap: improve detection of Apple LDAP ldap: provide version for "legacy" ldap as well lib/sendf.h: forward declare two structs lib: cleanup for some typos about spaces and code style lib: create unitprotos.h in the builddir, not srcdir lib: drop unused or duplicate `curlx/timeval.h` includes lib: drop unused protocol headers lib: eliminate size_t casts lib: error for OOM when extracting URL query lib: fix formatting nits (part 2) lib: fix formatting nits (part 3) lib: fix formatting nits lib: fix gssapi.h include on IBMi lib: name the main CURLMcode variable 'mresult' lib: refactor the type of funcs which have useless return and checks lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows) lib: timer stats improvements lib: use `SOCKET_WRITABLE()`/`SOCKET_READABLE()` where possible libssh2: add paths to error messages for quote commands libssh2: cleanup ssh_force_knownhost_key_type libssh2: consider strdup() failures OOM and return correctly libssh2: replace atoi() in ssh_force_knownhost_key_type libssh: fix state machine loop to progress as it should libssh: properly free sftp_attributes libssh: require private key or user-agent for public key auth libssh: set both knownhosts options to the same file libtests: replace `atoi()` with `curlx_str_number()` limit-rate: add example using --limit-rate and --max-time together localtime: detect thread-safe alternatives and use them m4/sectrust: fix test(1) operator manage: expand the 'libcurl support required' message mbedTLS: cleanup insecure/deprecated code mbedtls: fix potential use of uninitialized `nread` mbedtls: sync format across log messages mbedtls_threadlock: avoid calloc, use array mdlinkcheck: ignore IP numbers, allow '@' in raw URLs mdlinkcheck: only look for markdown links in markdown files memdebug: add mutex for thread safety memdebug: fix realloc logging mk-ca-bundle.md: the file format docs URL is permaredirected mk-ca-bundle.pl: default to SHA256 fingerprints with `-t` option mk-ca-bundle.pl: use `open()` with argument list to replace backticks mqtt: reject overly big messages mqtt: return error when a too large packet is decoded multi: make max_total_* members size_t multi: remove MSTATE_TUNNELING multi: simplify admin handle processing multibyte: limit `curlx_convert_*wchar*()` functions to Unicode builds ngtcp2+openssl: fix leak of session ngtcp2: remove the unused Curl_conn_is_ngtcp2 function ngtcp2: retune window sizes noproxy: fix build on systems without IPv6 noproxy: fix ipv6 handling noproxy: replace atoi with curlx_str_number openssl: exit properly on OOM when getting certchain openssl: fix a potential memory leak of bio_out openssl: fix a potential memory leak of params.cert openssl: fix building against no-dsa openssl openssl: fix building against no-ocsp openssl with Apple SecTrust openssl: no verify failf message unless strict openssl: release ssl_session if sess_reuse_cb fails openssl: remove code handling default version openssl: simplify `HAVE_KEYLOG_CALLBACK` guard openssl: stop checking for `OPENSSL_NO_SHA*` macros openssl: stop checking for `OPENSSL_NO_TLSEXT` macro openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache OS400/ccsidcurl: fix curl_easy_setopt_ccsid for non-converted blobs OS400/makefile.sh: fix shellcheck warning SC2038 os400sys: replace `strcpy()` with `memcpy()` osslq: code readability progress: make it one column narrower progress: narrower time display, multiple fixes progress: show fewer digits projects/README.md: Markdown fixes pytest fixes and improvements pytest: add tests using sshd pytest: disable two H3 earlydata tests for all platforms (was: macOS) pytest: do not ignore server issues pytest: enable OCSP test 17_08 for LibreSSL pytest: fix and improve reliability pytest: improve stragglers pytest: quiche flakiness pytest: skip H2 tests if feature missing from curl quiche: use client writer ratelimit blocking: fix busy loop ratelimit: redesign rtmp: fix double-free on URL parse errors rtmp: precaution for a potential integer truncation rtmp: stop redefining `setsockopt` system symbol on Windows runner.pm: run memanalyzer as a Perl module runtests: add options to set minimum number of tests, use them runtests: detect bad libssh differently for test 1459 runtests: drop Python 2 support remains runtests: enable torture testing with threaded resolver runtests: improve XML prolog check, enable `-w` permanently, fix two tests runtests: make memanalyzer a Perl module (for 1.1-2x speed-up per test run) rustls: fix a potential memory issue rustls: minor adjustment of sizeof() rustls: simplify init err path rustls: verify that verifier_builder is not NULL schannel: cap the maximum allowed size for loading cert schannel: fix memory leak of cert_store_path on four error paths schannel: replace atoi() with curlx_str_number() schannel: use Win8 `CERT_NAME_SEARCH_ALL_NAMES_FLAG` with old SDKs schannel_verify: fix a memory leak of cert_context scripts: fix shellcheck SC2046 warnings scripts: use end-of-options marker in `find -exec` commands setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL setopt: when setting bad protocols, don't store them sftp: fix range downloads in both SSH backends slist: constify Curl_slist_append_nodup() string argument smb: fix a size check to be overflow safe socketpair: drop redundant `_WIN32` branch and include socks_sspi: use free() not FreeContextBuffer() source: misc typos speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE speedlimit: also reset on send unpausing src: drop redundant definition of `BIT()` src: fix formatting nits ssh: tracing and better pollset handling sspi: fix memory leaks on error paths in `Curl_create_sspi_identity()` sws: fix binding to unix socket on Windows synctime: tidy up, make it work on all platforms telnet: abort on bad suboption sequence telnet: replace atoi for BINARY handling with curlx_str_number TEST-SUITE.md: correct the man page's path test07_22: fix flakiness test1475: consistently use %CR in headers test1498: disable 'HTTP PUT from stdin' test on Windows test2045: replace HTML multi-line comment markup with `#` comments test318: tweak the name a little test3207: enable memdebug for this test again test363: delete stray character (typo) from a section tag test568: fix codespell, catch it next time early in CI test568: remove what looks like an email and a URL test787: fix possible typo `&` -> `%` in curl option test96: fix to accept non-unity memdump content with MSVC tests/data: move `--libcurl` output to external data files tests/data: replace hard-coded test numbers with `%TESTNUMBER` tests/data: support using native newlines on disk, drop `.gitattributes` tests/server: do not fall back to original data file in `test2fopen()` tests/server: fix initialization on Windows Vista+ tests/server: replace `atoi()` and `atol()` with `curlx_str_number()` tests: add `%AMP` macro, use it in two tests tests: add a standard log line for alloc failures tests: allow 2500-2503 to use ~2MB malloc tests: drop redundant parenthesis from two macro expressions tests: fix formatting nits tests: rename CURLMcode variables to mresult tftp: release filename if conn_get_remote_addr fails tftpd: fix/tidy up `open()` mode flags tidy-up: avoid `(())`, clang-format fixes and more tidy-up: move `CURL_UNCONST()` out from macro `curl_unicodefree()` tidy-up: URLs (cont.) and mdlinkcheck tidy-up: URLs TODO: remove a mandriva.com reference tool: consider (some) curl_easy_setopt errors fatal tool: log when loading .curlrc in verbose mode tool_cfgable: free ssl-sessions at exit tool_doswin: clear pointer when thread takes ownership tool_doswin: increase allowable length of path sanitizer tool_doswin: remove the max length check tool_getparam: simplify the --rate parser tool_getparam: use memdup0() instead of malloc + copy tool_getparam: verify that a file exists for some options tool_help: add checks to avoid unsigned wrap around tool_ipfs: check return codes better tool_msgs: make voutf() use stack instead of heap tool_operate: exit on curl_share_setopt errors tool_operate: fix a case of ignoring return code in operate() tool_operate: fix case of ignoring return code in single_transfer tool_operate: remove redundant condition tool_operate: return error for OOM in append2query tool_operate: use curlx_str_number instead of atoi tool_paramhlp: refuse --proto remove all protocols tool_paramhlp: remove a malloc+free from proto2num() tool_paramhlp: simplify number parsing tool_progress: fix large time outputs and decimal size display tool_urlglob: acknowledge OOM in peek_ipv6 tool_urlglob: clean up used memory on errors better tool_urlglob: constify an argument tool_urlglob: fix propagating OOM error from `sanitize_file_name()` tool_urlglob: support globs as long as config line lengths tool_writeout: bail out proper on OOM url: fix return code for OOM in parse_proxy() url: if curl_url_get() fails due to OOM, error out properly url: if OOM in parse_proxy() return error url: return error at once when OOM in netrc handling urlapi: fix mem-leaks in curl_url_get error paths urlapi: handle OOM properly when setting URL urlapi: return OOM correctly from parse_hostname_login() verify-release: update to avoid shellcheck warning SC2034 vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally vquic: do not pass invalid mode flags to `open()` (Windows) vquic: do_sendmsg full init vquic: ignore 0-length UDP packets vquic: initialize new callback in nghttp3 1.14.0+ vtls: drop unused `use_alpn` from `ssl_connect_data` struct vtls: fix CURLOPT_CAPATH use vtls: handle possible malicious certs_num from peer vtls: pinned key check VULN-DISCLOSURE-POLICY.md: CRLF in data wcurl: import v2025.11.09 wcurl: import v2026.01.05 windows: assume `USE_WIN32_LARGE_FILES` windows: fix `CreateFile()` calls to support long filenames windows: use `_strdup()` instead of `strdup()` where missing wolfSSL: able to differentiate between IP and DNS in alt names wolfssl: avoid NULL dereference in OOM situation wolfssl: fix a potential memory leak of session wolfssl: fix cipher list, skip 5.8.4 regression wolfssl: fix possible assert with `!HAVE_NO_EX` wolfSSL builds wolfssl: proof use of wolfSSL_i2d_SSL_SESSION wolfssl: simplify wssl_send_earlydata ws: replace a cast by matching the format string x509asn1: drop unused `hostcheck.h`, `vtls_int.h` includes Signed-off-by: Adolf Belka --- lfs/curl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/curl b/lfs/curl index 33f46881a..eda7cfec1 100644 --- a/lfs/curl +++ b/lfs/curl @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 8.17.0 +VER = 8.18.0 THISAPP = curl-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = a7a804afe058f323b40177bcb4ffc523decde92da3da0a051f2dc1b566131250a96afe1ebf2bebc071993c893bddeef883ef33ddc0a9bee86d4e54402a546fba +$(DL_FILE)_BLAKE2 = 16e1539616c1800dfa08a5bd3e38ff75d2906a4a574b1541509c69200aebe680b0a5efdf1b1e0c89f3cccb6001bfe1c1459b9fd815053c964e1a1434be1e2e0e install : $(TARGET) -- 2.52.0