* [PATCH] curl: Update to version 8.20.0
@ 2026-05-04 17:40 Adolf Belka
From: Adolf Belka @ 2026-05-04 17:40 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- Update from version 8.19.0 to 8.20.0
- Update of rootfile
- Changelog
8.20.0
Changes:
async-thrdd: use thread queue for resolving
build: make NTLM disabled by default
cmake: drop support for CMake 3.17 and older
lib: add thread pool and queue
lib: drop support for < c-ares 1.16.0
lib: make SMB support opt-in
multi.h: add CURLMNWC_CLEAR_ALL
rtmp: drop support
Bugfixes:
altsvc: cap the list at 5,000 entries
altsvc: drop the prio field from the struct
altsvc: skip expired entries read from file
asyn-ares: connect async
asyn-ares: drop orphaned variable references
asyn-ares: fix HTTPS-lookup when not on port 443
asyn-thrdd: drop redundant `result` check
asyn-thrdd: fix clang-tidy unused value warning
async-ares: fix query counter handling
autotools: limit checksrc target to ignore non-repo test sources
badwords-all: exit with correct code on errors
badwords: combine the whitelisting into a single regex
badwords: detect the the and with with
badwords: only check comments and strings in source code
badwords: rework exceptions, fix many of them
boringssl: fix more coexist cases with Schannel/WinCrypt
build: adjust/add casts to fix `-Wformat-signedness`
build: assume `snprintf()` in `mprintf`, drop feature check
build: compiler warning silencing tidy-ups
build: drop `openssl` module dependency for BoringSSL from `libcurl.pc`
build: drop duplicate `pthread.h` includes
build: drop redundant `USE_QUICHE` guards
build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues
build: fix `-Wformat-signedness` by adjusting printf masks
build: link `bcrypt.lib` via vcxproj files
build: skip detecting `pipe2()` for Apple targets
cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR
cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR
cf-ip-happy: limit concurrent attempts
cf-socket: avoid low risk integer overflow on ancient Solaris
cfilters: fix Curl_pollset_poll() return code mixup
clang-tidy: avoid assignments in `if` expressions
clang-tidy: enable more checks, fix fallouts
cmake: add CMake Config-based dependency detection
cmake: add CMake Config-based dependency detection for c-ares, wolfSSL
cmake: document functions used from Windows system DLLs
cmake: enable pthreads for BoringSSL/AWS-LC
cmake: resolve targets recursively when generating `libcurl.pc`
cmake: rework binutils ld hack to not read `LOCATION` property
cmake: silence bad library `Threads::Threads` warning
cmake: use `AIX` built-in variable (with CMake 4.0+)
config2setopts: make --capath work in proxy disabled builds
configure: fix `--with-ngtcp2=<path>` option for crypto libs
configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic
configure: prefer dependency-specific variables over `$withval`
configure: remove superfluous experimental warning for HTTP/3
configure: silence useless clang warnings in C89 builds
configure: tidy up comments
connect: fix typo on error message
cookie: fix rejection when tabs in value
curl-wolfssl.m4: fix to use the correct value for pkg-config directory
curl.h: replace macros with C++-friendly method to enforce 3 args
curl_ctype.h: fix spelling in a couple of locally used macros
curl_get_line: error out on read errors
curl_get_line: fix potential infinite loop when filename is a directory
curl_ngtcp2: extend and update callbacks for 1.22.0+
curl_ntlm_core: drop redundant PP condition
curl_ntlm_core: use wolfCrypt DES API with wolfSSL
curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard
curl_sha512_256: support delegating to wolfSSL API
curl_version_info.md: clarify age details
CURLOPT_HAPROXY_CLIENT_IP.md: mention assumption on data format
CURLOPT_RTSP_SESSION_ID.md: clarify reuse "dangers"
CURLOPT_RTSP_SESSION_ID.md: expand the comment
CURLOPT_RTSP_SESSION_ID.md: minor language fix
CURLOPT_SOCKS5_AUTH.md: an access property
CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse
CURLOPT_UPLOAD_FLAGS.md: expand
curlx_now(), prevent zero timestamp
DEPRECATE: fix minor release number typo
digest: pass in the username quoted (as well)
dns: https-eyeballing async
dnscache: own source file, improvements
docs/cmdline-opts: tidy up retry-connrefused
docs/lib: fix typos
docs/libcurl: improve easy setopt examples
docs: clarify retry-max-time timing
docs: CURLOPT_LOGIN_OPTIONS is a login property
docs: enable more compiler warnings for C snippets, fix 3 finds
docs: list more dependencies for running Python HTTP tests
docs: mention more zip bomb precautions
docs: minor wording tweaks
docs: noproxy wants the punycoded hostname version
docs: SSH host verification is done at connect time
docs: use the correct CURLOPT_WRITEFUNCTION signature
doh: fix memory-leak when doing a second DoH resolve
doh: remove superfluous doh_req check
examples/websocket: fix to sleep more on Windows
examples: drop warning silencers no longer hit
examples: fix typo in comment
file: init fd to -1 to prevent close fd 0 on early failure
fopen: for temp files, inherit permissions only for owner
ftp: do not strdup DATA hostname
ftp: make the MDTM date parser stricter (again)
ftp: reject PWD responses containing control characters
gcc: guard `#pragma diagnostic` in core code for <4.6
generate.bat: remove extra % from VC11 and VC12 runs
genserv.pl: make external calls safe
getinfo: initialize `PureInfo` field `used_proxy`
getinfo: repair CURLINFO_TLS_SESSION
gnutls: fix clang-tidy warning with !verbose
gtls: fail for large files in `load_file()`
h3: HTTPS-RR use in HTTP/3
Happy Eyeballs: add resolution time delay
haproxy: use correct ip version on client supplied address
hostip: clear the sockaddr_in6 structure before use
hostip: init the curl_jmpenv_lock appropriately
hostip: resolve user supplied ip addresses
HSTS: cap the list
hsts: make the HSTS read callback handle name dupes
hsts: skip expired HSTS entries read from file
hsts: when a dupe host adds subdomains, use that
http2: clear the h2 session at delete
http2: prevent secure schemes pushed over insecure connections
http2: return error on OOM in push headers
HTTP3.md: drop outdated mentions of OpenSSL-QUIC
http: clear credentials better on redirect
http: clear digest nonce on cross-origin redirect
http: clear the proxy credentials as well on port or scheme change
http: fix auth_used and auth_avail
http: fix Curl_compareheader for multi value headers
http: make Curl_compareheader handle multiple commas in header
http: on 303, switch to GET
http: use header_has_value() instead of duplicate code
imap: reset the UIDVALIDITY state between transfers
include: drop badword from public headers
INSTALL.md: update Cygwin instructions
keylog.h: replace literal number with macro in declaration
keylog: drop unused/redundant includes and guards
ldap: drop duplicate `ldap_set_option()` on Windows
ldap: fix to initialize cleartext connection on Windows
lib1560: fix comment typo
lib1960: fix test failure
lib: accept larger input to md5/hmac/sha256/sha512 functions
lib: always use Curl_1st_fatal instead of Curl_1st_err
lib: fix typos in comments
lib: make resolving HTTPS DNS records reliable:
lib: minor comment typos
lib: move request specific allocations to the request struct
lib: replace `PRI*32` printf masks with C89 ones
libssh2: allocate libssh2-friendly memory in kbd_callback
libssh2: fix error handling on quote errors
libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0
libssh: fix `-Wsign-compare` in 32-bit builds
libssh: path length precaution
libssh: propagate error back in SFTP function
libtest: drop duplicate include
location/follow: mention netrc
man: fix argument type for `CURLSHOPT_[UN]SHARE` options
mbedtls: cleanup more without care for 'initialized'
mbedtls: fix ECJPAKE matching
mbedtls: remove failf() call with first argument as NULL
md4, md5: switch to wolfCrypt API in wolfSSL builds
mime: only allow 40 levels of calls
misc: fix code quality findings
mk-ca-bundle.pl: make `ca-bundle.crt` timestamp match `certdata.txt`'s
multi: enhance pending handles fairness
multi: fix connection retry for non-http
multi: improve wakeup and wait code
netrc: find login-less password when user is given in URL
netrc: remove unused parsenetrc() macro for netrc-disabled
netrc: skip malformed macdef lines
openssl channel_binding: lookup digest algorithm without NID
openssl: drop obsolete SSLv2 logic
openssl: fix build with 4.0.0-beta1 no-deprecated
openssl: fix memory leaks in ECH code (OpenSSL 3)
openssl: fix unused variable warnings in !verbose builds
openssl: trace count of found / imported Windows native CA roots
OS400: add new definitions to the ILE/RPG binding.
os400sys: fix typo in comment (symmetry)
parsedate: bsearch the time zones
parsedate: fix wrong treatment of "military time zones"
parsedate: refactor
perl: harden external command invocations
progress: count amount of data "delivered" to application
protocol.h: fix the CURLPROTO_MASK
protocol: disable connection reuse for SMB(S)
protocol: use scheme names lowercase
proxy: chunked response, error code
pytest: add additional quiche check for flaky test_05_01
pytest: check 429 handling
rand: use `BCryptGenRandom()` in UWP builds
ratelimit: reset on start
request: reset resp_trailer in new requests
runtests: skip setting ed25519 SSH key format
rustls: fix memory leak on repeated SSLKEYLOGFILE fails
rustls: handle EOF during initial handshake
schannel: increase renegotiation timeout to 60 seconds
scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl)
scripts: harden / tidy up more Perl `system()` calls
sendf: fix CR detection if no LF is in the chunk
setopt: fix typos in comments
setopt: move CURLOPT_CURLU
setup connection filter: mark as setup
sha256, sha512_256: switch to wolfCrypt API
sha256: support delegating to wolfSSL API
share: concurrency handling, easy updates
share: do bitshifts after the type is checked to be valid
socks: reject zero-length GSSAPI/SSPI tokens from proxy
socks: use dns filter for resolving
spelling: fix typos
src: use ftruncate() unconditionally
sshserver.pl: harden more `system()` calls
sshserver.pl: pass command-line to `system()` safely
strerr: correct the strerror_s() return code condition
sws: fix potential OOB write
synctime: fix off-by-one read and write to a read-only buffer (Windows)
test 766: flag as timing-dependent
test1675: unit tests for URL API helper functions
test459: switch to mode="warn" for stderr check
testcurl.pl: replace shell commands with Perl `rmtree()`
tests/unit/README: describe how to unit test static functions
tests: avoid infinite recursion for `make check`
tests: use %b64[] instead of "raw" base64
tool: check for curlinfo->age when determining if ssh backend
tool: fix memory mixups
tool: fix retries in parallel mode
tool: fix two more allocator mismatches
tool_cb_hdr: only truncate etags output when regular file
tool_cb_rea: make waitfd() return void
tool_cb_wrt: fix no-clobber error handling
tool_cfgable: free the SSL signature algorithms
tool_formparse: propagate my_get_line errors when reading headers
tool_getparam: use correct free function for libcurl memory
tool_ipfs: accept IPFS gateway URL without set port number
tool_msgs: avoid null pointer deref for early errors
tool_operate: actually apply the --parallel-max-host limit
tool_operate: drop the scheme-guessing in the -G handling
tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows)
tool_operate: fix memory-leak on failed uploads
tool_operate: fix minor memory-leak on early error
tool_operate: reset the upload glob counter for next URL
tool_operhlp: fix `add_file_name_to_url()` result on OOM
tool_operhlp: iterate through all slashes to find name
tool_operhlp: propagate low-level OOM in `add_file_name_to_url()`
tool_setopt: return error on OOM correctly
tool_urlglob: fix memory-leak on glob range overflow
top-complexity: prevent filename-based shell injection risk
transfer: clear the old autoreferer
transfer: clear the URL pointer in OOM to avoid UAF
transfer: enable custom methods again on next transfer
transfer: enhance secure check
unit1675: fix `-Wformat-signedness`
url: do not reuse a non-tls starttls connection if new requires TLS
url: improve connection reuse on negotiate
url: init req.no_body in DO so that it works for h2 push
url: set default upload flags to CURLULFLAG_SEEN
url: use the socks type for socks proxy
url: use URL for lowercase URL even in comments
urlapi: fix handling of "file:///"
urlapi: make dedotdotify handle leading dots correctly
urlapi: same origin tests
urlapi: stop extracting hostname from file:// URLs on Windows
urlapi: verify the last letter of a scheme when set explicitly
urldata.h: fix typo and lingering backtick
urldata: connection bit ipv6_ip is wrong
urldata: import port types and conn destination format
urldata: make hstslist only present in HSTS builds
urldata: make speeder_c uint32
urldata: move cookiehost to struct SingleRequest
urldata: remove trailers_state
vquic: fix variable name in fallback code
vtls: fix comment typos and tidy up a type
vtls: log when key logging is enabled.
vtls_scache: check reentrancy
vtls_scache: include cert_blob independently of verifypeer
wolfssl: document v5.0.0 (2021-11-01) as minimum required
wolfssl: fix `-Wmissing-prototypes`
wolfssl: fix handling of abrupt connection close
ws: fix a blocking curl_ws_send() to report written length correctly
x509asn1: fix to return error in an error case from `encodeOID()`
x509asn1: fixed and adapted for ASN1tostr unit testing
x509asn1: improve encodeOID
8.19.0
Changes:
BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026
cmake: add `CURL_BUILD_EVERYTHING` option
mqtt: initial support for MQTTS
tool: support fractions for --limit-rate and --max-filesize
tool_cb_hdr: with -J, use the redirect name as a backup
vquic: drop support for OpenSSL-QUIC
windows: add build option to use the native CA store
windows: bump minimum to Vista (from XP)
Bugfixes:
altsvc: only accept 17 byte dates from files
asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails
async-ares: blocking resolve timeout handling, better
badwords: move into ./scripts, speed up
build: add missing `GENERATEDCERTS` files
build: adjust minimum version for some clang picky warnings
build: check `MSG_NOSIGNAL` directly, drop detection and interim macro
build: constify `memchr()`/`strchr()`/etc result variables (cont.)
build: detect and include `inttypes.h` again
build: do not include wolfSSL header in `curl_setup.h`
build: drop duplicate C includes
build: drop global suppression of `-Wformat-nonliteral`, fix fallouts
build: drop unused `snprintf()` feature check on Windows
build: fix `-Wunused-macros` warnings, and related tidy-ups
build: fix building rare combinations
build: fully omit verbose strings and code when disabled
build: globally suppress DJGPP warnings in `FD_SET()`
build: merge TrackMemory (`CURLDEBUG`) into debug-enabled option
build: move curl stat struct type to the curlx namespace
build: opt-in MSVC to C99-style verbose logging logic
build: require POSIX `strdup()`
build: tidy up and dedupe `strdup` functions
cf-socket: ignore SOCK_CLOEXEC etc for socktype equality checks
cf-socket: use SOCK_CLOEXEC in socket_open when available
checksrc-all.pl: skip non-repository files
checksrc: do not apply `BANNEDFUNC` to struct member functions
checksrc: warn for leading spaces before the preprocessor hash
clang-tidy: add missing and delete redundant parentheses
clang-tidy: add more missing parentheses in macro values
clang-tidy: avoid/silence `bugprone-not-null-terminated-result`
clang-tidy: check `bugprone-macro-parentheses`, fix fallouts
clang-tidy: drop redundant conditions reported by `misc-redundant-expression`
clang-tidy: enable `bugprone-signed-char-misuse`, fix fallouts
clang-tidy: enable more checks
clang-tidy: enable scanning headers
clang-tidy: fix issues found with build-fuzzing
clang-tidy: silence more minor issues found by v22
cmake/FindMbedTLS: add workaround for missing static MSVC `mbedcrypto.lib` 4.0.0
cmake: add `CURL_DROP_UNUSED` option to reduce binary sizes
cmake: add native clang-tidy support for tests, with concatenated sources
cmake: always build curlu and curltool test libs in unity mode
cmake: always define `CURL::win32_winsock` on Windows in `curl-config.cmake`
cmake: convert `curl_add_clang_tidy_test_target()` macro to function
cmake: enable binutils ld workaround for all toolchains at build-time
cmake: fix `LOCATION` property access condition (debug)
cmake: fix `LOCATION` property read errors in target debug function
cmake: fix building with `CMAKE_FIND_PACKAGE_PREFER_CONFIG=ON`
cmake: fix confusing error when a dependency is undetected in `curl-config.cmake`
cmake: fix logic for openssl/zlib binutils ld workaround
cmake: fix passing system header directories to clang-tidy for tests
cmake: fix system include directory position for clang-tidy in tests
cmake: improve clang-tidy test command-line reproduction
cmake: minor fixes to test targets after prev
cmake: normalize uppercase hex winver (for display)
cmake: omit `curl.rc` from curltool lib
cmake: reference OpenSSL and ZLIB imported targets only when enabled
cmake: replace internal option with a new `tt` (test tools) target
cmake: silence potential unused var warnings in C++ test snippet
cmake: silence silly Apple clang warnings in C89 mode, test in CI
cmake: silence useless compiler warnings triggered by the FASTBuild generator
cmake: skip binutils ld hack if zlib/openssl target is not `IMPORTED`
cmake: warn for invalid `CURL_TARGET_WINDOWS_VERSION` values
cmake: add `*_USE_STATIC_LIBS` options for 9 dependencies
config-plan9: set `HAVE_STDINT_H` again
config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST
config2setopts: fix for --disable-aws build configuration
configure: drop always true `if` check (Windows)
content_encoding: return 'identity' if none other exists
curl: add -I and -i to -h important
curl: limit Windows-specific code to Windows builds, other tidy-ups
curl_easy_nextheader.md: a new transfer invalidates 'prev'
curl_get_line: drop single-use macro
curl_multi_perform.md: resolve inconsistency
curl_ntlm_core: merge two `#if` blocks
curl_setup.h: drop extra header guard for internal include
curl_setup.h: merge back single-use internal header `curl_setup_once.h`
curl_setup.h: simplify curl memory macro mappings
curl_setup_once: allow CURL_DEBUGASSERT for customization
CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md: fix available protocols
curlx: drop unused `curlx_saferealloc()`
digest: escape double quotes and backslashes in realm and nonce
digest: fix memory leak in auth_create_digest_http_message()
digest: handle quotes in the path
docs/INSTALL: update configure details
docs/libcurl: unify WARNING use
docs: add LibreELEC to DISTROS.md
docs: add reproducible example for generating man page
docs: avoid starting sentences with However,
docs: avoid using the word 'magic'
docs: clarify --ipv4 and --ipv6
docs: document the need for a 64-bit type and stdint.h
docs: drop basically
docs: explicitly call out Slowloris as not a security flaw
docs: fix grammar nitpicks
docs: handle error in `curl_global_init*` examples
docs: replace instances of the vague qualifier 'quite'
docs: reword explanation of --variable option
docs: some nitpicks
docs: use dot instead of comma at end of sentences
easy: reset errorbuf on eyeballing success
easy: reset pausing when resetting request
examples/usercertinmem: use modern OpenSSL API, drop mentions of RSA
examples: improve OpenSSL certificate examples
examples: omit forward declarations, apply misc fixes
FAQ: syntax improvements
fopen.h: simplify curl memory macro mappings
ftp: replace a `curlx_free()` with `curlx_dyn_free()`
ftp: split ftp_state_use_port into sub functions
GOVERNANCE.md: Post-Daniel BDFL
gss: exclude verbose error logic from non-verbose builds
h2+h3: align stream close handling
hostip.c: fix leak of addrinfo
hostip6: remove debug-only code
hostip: fix unreachable code in rare build configuration
http/3: add description for known server error codes
http1: fix potential NULL dereference in `Curl_h1_req_parse_read()`
http: only send bearer if auth is allowed
http_aws_sigv4: fix query normalization of %2b
imap: add a check for Curl_meta_get()
imap: check `imap_sendf()` printf masks at compile-time
imap: skip literals inside quoted strings
include: avoid recursive macros
include: mask computed auth/proto bitmasks to 32 bits
INSTALL-CMAKE.md: document Apple framework options
INSTALL.md: fix typo
INSTALL.md: suggest `-Wl,-dead_strip` for Apple targets
KNOWN_BUGS.md: absolute Unix domain filename for SOCKS on Windows
ldap: silence clang-tidy v22 warning
ldap: silence potential unused variable warning (OS400)
lib: delete unused local includes
lib: disable websockets early if no http
lib: make sigpipe handling more lazy
lib: reorder protocol functions to avoid forward declarations (email)
lib: reorder protocol functions to avoid forward declarations (ftp)
lib: reorder protocol functions to avoid forward declarations (misc cont.)
lib: reorder protocol functions to avoid forward declarations (misc)
lib: reorder protocol functions to avoid forward declarations (ssh)
lib: separate scheme info from protocol implementation
lib: skip compiling code with features disabled
lib: use (u)int64_t instead of long long
libcurl docs: reduce 'since ...' in descriptions
libcurl-security.md: fix typos and add a point about URLs
libtests: drop two redundant `memset()`s
Makefile.am: delete RPM targets referencing non-existent files
Makefile.am: drop stray VC project files from dist
managen: silence Perl warnings
mbedtls: guard TLS 1.3 + session tickets usage inside ifdef
mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
mbedtls: remove newline from failf() call
mbedtls: split mbed_connect_step1 into sub functions
md4, md5: drop redundant forward declarations
md4, md5: replace custom types with `uint32_t`
memdebug: include `backtrace.h` as system header
mime: drop fallback for unused `R_OK` macro
mimepost: allocate main struct on-demand
mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos
mod_curltest: silence unused argument compiler warning
mprintf: drop old sprintf fallback
mprintf: rename internal enum to avoid collision with AmigaOS symbol
mprintf: silence clang-tidy `readability-suspicious-call-argument`
mprintf: use `_snprintf()` when compiled with VS2013 and older
mqtt: better too-big-message-check
mqtt: fix EOF handling
mqtt: verify Remaining Length for CONNACK and PUBACK
msvc: drop exception, make `BIT()` a bitfield with Visual Studio
msvc: VS2026: unlock picky warning in cmake, test in CI
multi: avoid a theoretical 32-bit wrap
multi: fix unreachable code compiler warning
multi: probe for IPv6 functionality in multi_init()
multi: split multi_runsingle into sub functions
multi: update timer unconditionally in multi_remove_handle
ngtcp2: stabilize recv
noproxy: simplify, don't mix const non-const in strchr()
openldap: avoid forward declarations in ldaps code
openssl+ech: workaround for insecure handshakes
openssl: adapt to OpenSSL master adding const to more APIs
OpenSSL: check reuse of sessions for verify status
openssl: disable local keylog feature if built-in upstream
openssl: fix compiler warning with OpenSSL master
openssl: fix potential NULL dereference when loading certs (Windows)
openssl: fix potential OOB read in debug/verbose logging
plan9: drop special build and orphaned references
proxy-auth: additional tests
pytest: remove 03_02
quiche: use PRIu64 for outputting the stream id
rand: drop impossible preprocessor branches (wincrypt)
rand: drop scan-build silencer
ratelimit: download finetune
request.h: rename parameter 'buf' to 'req' in Curl_req_send
REUSE: drop broken reference to `MAIL-ETIQUETTE`
rtsp: fix assertion failure on zero-length RTP payload
rtspd: fix to check `realloc()` result
runtests: pass config filename to stunnel in native format (Windows)
schannel: refactor: reduce variable scopes, fix comment, fix indent
send: drop `CURL_UNCONST()` from buffer argument on most platforms
setopt: fix checking range for CURLOPT_MAXCONNECTS
setopt: refuse blobs with zero length
setup-os400.h: drop no longer used custom type `u_int32_t`
sigpipe: unset SA_SIGINFO since it is using sa_handler
silent.md: also mention it shuts off warning messages
smb: free the path in the request struct properly
smb: include arpa/inet.h for NonStop
socket: check result of SO_NOSIGPIPE
socketpair: clear 'err' when retrying due to EINTR
socketpair: set SO_NOSIGPIPE where possible
socks: ensure DNS is freed in failure cases.
src: simplify declaring `curl_ca_embed`
ssh: dedupe state change function
stop using the word 'just'
sws: prevent "connection monitor" to say disconnect twice
synctime: fix use of uninitialized buffer on non-Windows
system_win32: replace manual init code with `curlx_now_init()` call
tests/server/sockfilt: avoid possible endless loop on Windows
tests/server: drop unused `curlx/version_win32.c`
tests/server: fix to clear the complete `srvr_sockaddr_union_t` variable
tests/server: tidy-up error messages (Windows)
tests: avoid assignment in `if` conditions in `first.h`
tests: convert base64 data to %b64[]
tftp: correct the filename length check
timeout handling: auto-detect effective timeout
tls: add new SSLSUPP flags for several options
tls: remove checks for DEFAULT
tool: enable header separation for HTTPS proxies
tool: improve config error messaging
tool: improve error/warning messages when output filename sanitization fails
tool: rename curl handle and result variable in `--libcurl`-generated code
tool: return code variable consistency
tool_cb_hdr: suppress header output when --out-null
tool_cb_prg: drop duplicate preprocessor logic
tool_dirhie: drop superfluous `F_OK` fallback (Windows)
tool_doswin: avoid memory-leak with CURL_FN_SANITIZE_*
tool_doswin: avoid Windowsisms in socket code (cont.)
tool_doswin: avoid Windowsisms in socket code
tool_doswin: document `ENABLE_VIRTUAL_TERMINAL_PROCESSING` toolchain support
tool_getparam: avoid `-Wcomma` with Apple clang in C89 mode
tool_operate: remove 'else' for VMS
tool_operate: reset the URL --url-query between --next
typos: silence false positives found in C code
unit3205: suppress two clang-tidy false positives
URL-SYNTAX.md: fix port number mistakes for IMAP and LDAP
url.c: code/comment cleanup around conn creation
url.h: fix `-Wdocumentation`
url: fix reuse of connections using HTTP Negotiate
urlapi: use U_CURLU_URLDECODE when toggling it off unsigned
urldata.h: remove two forward-declared structs not used
urldata: byebye `conn->hostname_resolve`
urldata: change 'keep_post' into three distinct bitfields
urldata: convert 'long' fields to fixed variable types
urldata: switch to uint* types
usercertinmem: use the correct cert BIO
verbose.md: explain the { and } prefixes
vquic: fix unused variable warning reported by clang-tidy
vquic: handle SOCKEMSGSIZE correctly
vtls: dedupe common on-session-reuse logic
vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests
VULN-DISCLOSURE-POLICY.md: push reports to the web form
VULN-DISCLOSURE-POLICY.md: use hackerone
winapi: use FormatMessageA instead of FormatMessageW
windows: `USE_WINSOCK` to guard winsock2 code (where missing)
windows: determine `RtlVerifyVersionInfo` address on global init
windows: tidy up `wincrypt.h` / BoringSSL/AWS-LC coexist workaround
wolfssl: fix build without USE_BIO_CHAIN
ws/tftp: include header file even when protocol disabled
x509asn1: make encodeOID stop on too long input
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/curl | 3 +++
lfs/curl | 4 ++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/common/curl b/config/rootfiles/common/curl
index 9eb01f389..96daee9e6 100644
--- a/config/rootfiles/common/curl
+++ b/config/rootfiles/common/curl
@@ -82,6 +82,7 @@ usr/lib/libcurl.so.4.8.0
#usr/share/man/man3/CURLINFO_RTSP_SERVER_CSEQ.3
#usr/share/man/man3/CURLINFO_RTSP_SESSION_ID.3
#usr/share/man/man3/CURLINFO_SCHEME.3
+#usr/share/man/man3/CURLINFO_SIZE_DELIVERED.3
#usr/share/man/man3/CURLINFO_SIZE_DOWNLOAD.3
#usr/share/man/man3/CURLINFO_SIZE_DOWNLOAD_T.3
#usr/share/man/man3/CURLINFO_SIZE_UPLOAD.3
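Review bot: nothing to change in this hunk, but the one check worth doing is that `CURLINFO_SIZE_DELIVERED.3` really comes from the 8.20.0 install tree rather than a hand edit; it corresponds to the `progress: count amount of data "delivered" to application` item in the 8.20.0 changelog above, and like every neighbouring man3 line it is commented out, so the shipped image does not change.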
@@ -120,6 +121,8 @@ usr/lib/libcurl.so.4.8.0
#usr/share/man/man3/CURLMOPT_PIPELINING_SITE_BL.3
#usr/share/man/man3/CURLMOPT_PUSHDATA.3
#usr/share/man/man3/CURLMOPT_PUSHFUNCTION.3
+#usr/share/man/man3/CURLMOPT_QUICK_EXIT.3
+#usr/share/man/man3/CURLMOPT_RESOLVE_THREADS_MAX.3
#usr/share/man/man3/CURLMOPT_SOCKETDATA.3
#usr/share/man/man3/CURLMOPT_SOCKETFUNCTION.3
#usr/share/man/man3/CURLMOPT_TIMERDATA.3
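Review bot: `CURLMOPT_RESOLVE_THREADS_MAX.3` lines up with the `lib: add thread pool and queue` and `async-thrdd: use thread queue for resolving` items in the changelog above, but neither the 8.20.0 nor the 8.19.0 list mentions `CURLMOPT_QUICK_EXIT`; please confirm that man page is genuinely present in a clean 8.20.0 install tree and not a leftover from a stale build directory before merging. Both entries are commented out, so either way no file is added to the shipped image.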
diff --git a/lfs/curl b/lfs/curl
index 3498e12fd..3e5b78ecc 100644
--- a/lfs/curl
+++ b/lfs/curl
@@ -24,7 +24,7 @@
include Config
-VER = 8.19.0
+VER = 8.20.0
THISAPP = curl-$(VER)
DL_FILE = $(THISAPP).tar.xz
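Review bot: the build options for this package sit outside this hunk, but the 8.20.0 changelog above changes three defaults that decide what gets built: `build: make NTLM disabled by default`, `lib: make SMB support opt-in` and `rtmp: drop support`. If anything in the IPFire build relied on NTLM authentication or SMB(S) transfers through curl, the lfs build options need the corresponding opt-in switch added; please compare the Protocols/Features lines of `curl --version` between the 8.19.0 and 8.20.0 builds and note the result in the commit message.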
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = d4a943af9a109893112876784dbe106276317e6cd5a2663f4de143c93abb4e266945fa65b4a5fa842f99240c961b027a1b2492e3e32f5247a91c394895e2b8b0
+$(DL_FILE)_BLAKE2 = 5b61a1099212af9b3c18629fd0b6c93881014e7b02ed5171021a2a074a87786ff8f8e94a47c53c3ca83354cfbe74f7d917cae819c97011c0ff9e4ace014e01c2
install : $(TARGET)
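Review bot: the replaced `$(DL_FILE)_BLAKE2` value is the only integrity anchor for the tarball, and the patch gives no indication of how it was obtained; please state in the commit message that `curl-8.20.0.tar.xz` was checked against upstream's detached GPG signature (or at least that the hash was computed on a freshly downloaded copy), so a reviewer can trust the new hash rather than only the version bump.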
--
2.54.0
* [PATCH] glib: Update to version 2.88.1
@ 2026-05-04 17:40 ` Adolf Belka
From: Adolf Belka @ 2026-05-04 17:40 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- Update from version 2.88.0 to 2.88.1
- Update of rootfile
- Changelog
2.88.1
* Fix miscompilation with GCC 16 due to GLib’s use of the wrong function
attribute (!5145, work by Sam James)
* Fix flag confusion security issue when using `GRegex` with `G_REGEX_RAW` which
can result in unbounded out-of-bounds heap reads off the start of a regex
input string (#3919, work by linhlhq)
* Fix various minor (low severity) security issues, typically one-to-five-byte
out-of-bounds reads (#3915, #3916, #3917, #3918, #3930) or ones relying on
very specific (and unlikely) API calls (#3925) or ones relying on
discouraged P2P D-Bus configurations (#3931, #3933) (work by linhlhq)
* Bugs fixed:
- #3915 (#YWH-PGM9867-190) Buffer Over-read on GLib through
glib/gvariant-serialiser.c:1253 via gvs_tuple_is_normal() (Philip Withnall)
- #3916 (#YWH-PGM9867-187) OOB Read on GLib through
glib/gmarkup.c:g_markup_escape_text() via
glib/gmarkup.c:append_escaped_text() (Philip Withnall)
- #3917 (#YWH-PGM9867-191) OOB Read on GLib through
glib/gdatetime.c:g_date_time_get_ymd via invalid `GDateTime` (Philip
Withnall)
- #3918 (#YWH-PGM9867-193) Buffer Over-read on GLib's g_regex_replace()
through glib/gregex.c:string_append() via g_utf8_next_char() (Philip
Withnall)
- #3919 (#YWH-PGM9867-194) Buffer Over-read on GLib through
glib/gregex.c:g_regex_split_full() via glib/gutf8.c:g_utf8_prev_char()
(Philip Withnall)
- #3925 (#YWH-PGM9867-199) Buffer Over-read on GLib through glib/giochannel.c
via "g_io_channel_read_line_backend" (Philip Withnall)
- #3930 (#YWH-PGM9867-200) Off-by-one Error on GLib through glib/gkeyfile.c
via "g_key_file_get_locale_string_list" (Philip Withnall)
- #3931 (#YWH-PGM9867-203) Path Traversal on GLib DBus through
glib/gio/gdbusauthmechanismsha1.c via keyring_lookup_entry,
mechanism_client_data_receive (COOKIE_SHA1 Client Authentication) leads to
Arbitrary File Read (Philip Withnall)
- #3933 Integer overflow in g_dbus_message_bytes_needed() bypasses 128 MiB
size check (pre-auth DoS on P2P connections) (Philip Withnall)
- !5101 Update Serbian translation
- !5105 docs: Expand docs for GLIB_VERSION_MAX_ALLOWED
- !5110 gmarkup: fix type of length parameter of text_validate()
- !5111 Update Russian translation
- !5113 Update Polish translation
- !5114 docs: Remove myself from CODEOWNERS
- !5122 Update Slovak translation
- !5134 Backport various recent security fixes to GVariant, GMarkup, GDateTime
and GRegex to glib-2-88
- !5150 Backport !5145 “gvarianttype: use pure attribute, not inappropriate
const” to glib-2-88
- !5152 Update Slovak translation
- !5154 Update German translation
- !5165 Update Slovak translation
- !5166 Update Slovak translation
- !5169 Update Persian translation
- !5174 Backport !5170 !5171 !5172 !5173 Various security fixes to glib-2-88
* Translation updates:
- German (Christian Kirbach)
- Persian (Danial Behzadi)
- Polish (Victoria Niedzielska)
- Russian (Artur S0)
- Serbian (Марко Костић)
- Slovak (Jose Riha)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/glib | 16 ++++++++--------
lfs/glib | 4 ++--
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/config/rootfiles/common/glib b/config/rootfiles/common/glib
index cd96e6f7a..f9e0ca72a 100644
--- a/config/rootfiles/common/glib
+++ b/config/rootfiles/common/glib
@@ -339,22 +339,22 @@ usr/include/glib-2.0/gio/gdebugcontroller.h
#usr/lib/glib-2.0/include/glibconfig.h
#usr/lib/libgio-2.0.so
usr/lib/libgio-2.0.so.0
-usr/lib/libgio-2.0.so.0.8800.0
+usr/lib/libgio-2.0.so.0.8800.1
#usr/lib/libgirepository-2.0.so
usr/lib/libgirepository-2.0.so.0
-usr/lib/libgirepository-2.0.so.0.8800.0
+usr/lib/libgirepository-2.0.so.0.8800.1
#usr/lib/libglib-2.0.so
usr/lib/libglib-2.0.so.0
-usr/lib/libglib-2.0.so.0.8800.0
+usr/lib/libglib-2.0.so.0.8800.1
#usr/lib/libgmodule-2.0.so
usr/lib/libgmodule-2.0.so.0
-usr/lib/libgmodule-2.0.so.0.8800.0
+usr/lib/libgmodule-2.0.so.0.8800.1
#usr/lib/libgobject-2.0.so
usr/lib/libgobject-2.0.so.0
-usr/lib/libgobject-2.0.so.0.8800.0
+usr/lib/libgobject-2.0.so.0.8800.1
#usr/lib/libgthread-2.0.so
usr/lib/libgthread-2.0.so.0
-usr/lib/libgthread-2.0.so.0.8800.0
+usr/lib/libgthread-2.0.so.0.8800.1
#usr/lib/pkgconfig/gio-2.0.pc
#usr/lib/pkgconfig/gio-unix-2.0.pc
#usr/lib/pkgconfig/girepository-2.0.pc
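Review bot: the soname lines (usr/lib/libgio-2.0.so.0, libglib-2.0.so.0, ...) are unchanged context and only the real files move from .8800.0 to .8800.1, so nothing linking against GLib needs a rebuild; the commit message could say so explicitly, and also note that the gdbus path-traversal and gvariant/gmarkup over-read fixes it lists only take effect in processes started after the update, since running services keep the old library mapped until restarted.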
@@ -377,8 +377,8 @@ usr/lib/libgthread-2.0.so.0.8800.0
#usr/share/gdb/auto-load
#usr/share/gdb/auto-load/usr
#usr/share/gdb/auto-load/usr/lib
-#usr/share/gdb/auto-load/usr/lib/libglib-2.0.so.0.8800.0-gdb.py
-#usr/share/gdb/auto-load/usr/lib/libgobject-2.0.so.0.8800.0-gdb.py
+#usr/share/gdb/auto-load/usr/lib/libglib-2.0.so.0.8800.1-gdb.py
+#usr/share/gdb/auto-load/usr/lib/libgobject-2.0.so.0.8800.1-gdb.py
#usr/share/gettext/its
#usr/share/gettext/its/gschema.its
#usr/share/gettext/its/gschema.loc
diff --git a/lfs/glib b/lfs/glib
index 1b6e2269f..47fe1eb6b 100644
--- a/lfs/glib
+++ b/lfs/glib
@@ -24,7 +24,7 @@
include Config
-VER = 2.88.0
+VER = 2.88.1
# https://download.gnome.org/sources/glib/
THISAPP = glib-$(VER)
@@ -41,7 +41,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = b540e0f5490f85b44cfad5d819f4a6fd911addc26fed8b8b49852bd6ec322d7d16136b691452030cf5f590374ea06cf8fdb8c9109d5cbe7b68625379bbd40615
+$(DL_FILE)_BLAKE2 = d9a0e54d2c1b5128aee76f1743cbeea84a24af5a2252ba1c649943bbca3fbc5f08896249542526560c92dd0e60cbd8a72498c3cfe1535d1f0bf85316ce37dba1
install : $(TARGET)
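Review bot: the replaced $(DL_FILE)_BLAKE2 value is the only integrity check on the tarball, and the commit message does not say how it was derived. Please state that the 2.88.1 tarball was checked against the checksum published at the download URL kept as context in the previous hunk (https://download.gnome.org/sources/glib/) before the BLAKE2 was computed, so the hash anchors to upstream's release rather than to whatever happened to be downloaded.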
--
2.54.0
* [PATCH] gnutls: Update to version 3.8.13
From: Adolf Belka @ 2026-05-04 17:40 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- Update from version 3.8.11 to 3.8.13
- Update of rootfile
- 13 CVE Fixes in 3.8.13
- 2 CVE Fixes in 3.8.12
- Changelog
3.8.13
** libgnutls: Add more checks to DTLS reassembly
Previously, gnutls didn't check that DTLS fragments claimed
a consistent message_length value.
Additionally, a crucial array size check was missing,
enabling an attacker to cause a heap overwrite.
Reject fragments with mismatching length and add a missing boundary check.
Independently reported by
Haruto Kimura (Stella), Oscar Reparaz and Zou Dikai.
[GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846]
** libgnutls: Fix qsort comparator in DTLS reassembly
The comparator function used for ordering DTLS packets
by sequence numbers did not follow qsort comparator contracts
in case of packets with duplicate sequence numbers,
which could lead to unstable ordering or undefined behaviour.
Returning 0 in such cases makes the sorting stable.
Additionally, discard packets with same sequence numbers
and differing handshake type,
so that they don't end up being sorted in the first place.
Reported by Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009]
** libgnutls: Fix crashing on an underflow with a DTLS datagram
A remotely triggerable underflow in the DTLS reassembly code led to
a heap overrun.
Prevent the underflow from happening.
Reported by Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845]
** libgnutls: Fix RSA-PSK identity truncation
Servers configured with RSA-PSK have wrongfully matched usernames with NUL
character in them to ones truncated to NUL character,
which could lead to an authentication bypass.
Fix the check to perform comparison up to the full username length.
Reported by Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010]
** libgnutls: Fix case-sensitivity of domain name comparison in name constraints
Domain name comparison during name constraints processing
was case-sensitive, violating RFC 5280 section 7.2.
For excluded name constraints, this could lead to
incorrectly accepting domain names that should've been rejected.
DNS name comparison and the domain part of email names
now perform case-insensitive comparison.
Independently reported by Oleh Konko (1seal) and
Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833]
** libgnutls: Fix intersecting empty constraints
Permitted name constraints were wrongfully ignored
when prior CAs only had excluded name constraints,
resulting in a name constraint bypass.
Reported by Haruto Kimura (Stella).
[GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011]
** libgnutls: Suppress CN fallback in presence of URI and SRV SAN
Certificates containing URI or SRV Subject Alternative Names
no longer fall back to checking DNS hostnames against Common Name
to avoid potential misuse of such certificates
beyond their original purpose.
Reported by Oleh Konko (1seal).
[GNUTLS-SA-2026-04-27-7, CVSS: medium] [CVE-2026-42012]
** libgnutls: Suppress CN fallback for oversized SAN
Validation of certificates with oversized Subject Alternative Names
no longer falls back to checking DNS hostnames against Common Name.
Independently reported by Haruto Kimura (Stella) and
Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-27-8, CVSS: medium] [CVE-2026-42013]
** libgnutls: Fix use-after-free in gnutls_pkcs11_token_set_pin
Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin()
with oldpin == NULL for a token lacking a protected authentication path
led to a use-after-free.
Reported by Luigino Camastra and Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014]
** libgnutls: Fix overread in RSA key exchange with PKCS#11 keys
For a server using an RSA key backed by a PKCS#11 token,
a client sending an extremely short premaster secret
during an RSA key exchange could trigger a short heap overread.
Reported by Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260]
** libgnutls: Fix off-by-one in PKCS#12 bag element bounds check
Appending to a PKCS#12 bag that already contained 32 elements
could write past the bag's internal array.
Reported by Zou Dikai.
[GNUTLS-SA-2026-04-29-11, CVSS: low] [CVE-2026-42015]
** libgnutls: Fix multi-entry OCSP response revocation bypass
When validating a certificate against a multi-entry OCSP response,
the revocation status was always checked for the first entry
instead of the entry matching the certificate,
which could lead to accepting revoked certificates.
Independently reported by Oleh Konko (1seal) and
Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-12, CVSS: low] [CVE-2026-3832]
** libgnutls: Fix timing side-channel in PKCS#7 padding removal
The PKCS#7 padding check performed during decryption was not constant-time,
potentially leaking information about the padding bytes
through timing differences.
Rewritten to remove padding in a branch-free manner.
Reported by Doria Tang of Stony Brook University.
[GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419]
** libgnutls: Fix PSK username comparison during rehandshake
Rehandshaking to a username with embedded NUL character could theoretically
allow bypassing the GNUTLS_ALLOW_ID_CHANGE protection (#1808).
Reported and fixed by Joshua Rogers of AISLE Research Team.
** libgnutls: Fix OID length check for OCSP delegated signer EKU
The OCSP signing EKU OID was compared without verifying its length,
allowing a shorter OID that shares the same prefix to match.
The check now verifies the length as well (#1810).
Reported by Joshua Rogers of AISLE Research Team.
** libgnutls: Fix AES keys persisting with pkcs11-provider
When using the pkcs11-provider, AES keys used for cipher operations
were created as persistent objects and accumulated.
They are now ephemeral (#1813).
** libgnutls: Fix missing RSA key coprimality check in verify_params
gnutls_privkey_verify_params overlooked the scenario of p and q
not being co-prime.
It now returns GNUTLS_E_PK_INVALID_PRIVKEY in this case (#1818).
Reported by Kamil Frankowicz.
** libgnutls: Fix overread when parsing OpenSSL PEM private keys
Insufficient bounds checking on the PEM header length could lead
to short heap overreads on specially crafted inputs (#1854).
Independently reported by Kamil Frankowicz and
Joshua Rogers of AISLE Research Team.
** libgnutls: Fix a theoretical double-free during certificate import
If gnutls_x509_crt_list_import_pkcs11 failed partway through,
the trust list cleanup code would try to free already-deinitialized
certificate entries, leading to a double-free (#1819).
Reported by Joshua Rogers of AISLE Research Team.
** libgnutls: Fix heap overread in SCT extension parser
The list-length validation didn't account for the 2-byte length field,
allowing a specially crafted SCT extension to cause
a 2-byte overread past the buffer (#1822).
Reported by Joshua Rogers of AISLE Research Team.
** libgnutls: Zeroize shared secret derived during hybrid key exchange
The derived shared secret was not zeroized before being freed (#1841).
Reported by liyue.
** build: Support building with Nettle 4.0
Nettle 4.0 was released in February 2026, with API incompatible
changes from 3.10. The library can now compile with it, while
Nettle 3.10 is still supported (#1791).
** libgnutls: Support deriving ML-DSA public key from an expanded private key
RFC 9881 defines 3 private key formats for ML-DSA: "seed",
"expandedKey" and both. It is now possible to derive a public key
from a private key in the "expandedKey" format (#1723).
** libgnutls: Fix loading BIT STRING encoded EdDSA key from PKCS#11
For compatibility reasons, the library supports two formats for
EdDSA private keys: either ASN.1 BIT STRING (raw) or OCTET STRING
(DER). Previously, loading a private key in the former format
resulted in a failure, which is now fixed (#1749).
** libgnutls: HPKE (RFC 9180) is now supported as a technology preview
The Hybrid Public Key Encryption (HPKE) is a flexible cryptographic
protocol which makes it possible to encrypt arbitrary data to a recipient, by
combining key encapsulation mechanism (KEM) and authenticated
encryption with additional data (AEAD). GnuTLS now includes the
implementation contributed by David Dudas. Given this is a
technology preview, the implementation and the API might suffer
modification in the following period. Use --enable-hpke to turn on
this feature (#1506).
** libgnutls: Fix TLS 1.3 client certificate selection
For servers that send a signature_algorithms extension in CertificateRequest
with new rsa_pss_rsae_* algorithms and without the legacy rsa_pkcs1_* ones,
the client now properly considers RSA when selecting a certificate to send.
This fixes TLS 1.3 interoperability with newer Java servers
when using client certificates.
Contributed by Romain Tartière (#1842).
** libgnutls: Fix kTLS ChaCha20-Poly1305 IV for TLS 1.2
When using kTLS with ChaCha20-Poly1305 under TLS 1.2,
an incorrect value was passed as the IV to the kernel,
causing connections to fail early.
** libgnutls: Allow fetching object type metadata for PKCS#11 keys
A new library function, gnutls_pkcs11_obj_get_pk_algorithm,
has been added to check the public key algorithms of PKCS#11 key objects.
Object types other than CKO_PRIVATE_KEY are currently not supported.
Contributed by Ghadi Elie Rahme (!2074).
** API and ABI modifications:
gnutls_hpke_kem_t: New enum
gnutls_hpke_kdf_t: New enum
gnutls_hpke_aead_t: New enum
gnutls_hpke_mode_t: New enum
gnutls_hpke_role_t: New enum
gnutls_hpke_context_st: New context structure
gnutls_hpke_init: New function
gnutls_hpke_deinit: New function
gnutls_hpke_encap: New function
gnutls_hpke_seal: New function
gnutls_hpke_decap: New function
gnutls_hpke_open: New function
gnutls_hpke_derive_keypair: New function
gnutls_hpke_export: New function
gnutls_pkcs11_obj_get_pk_algorithm: New function
3.8.12
** libgnutls: Fix NULL pointer dereference in PSK binder verification
A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
could lead to a denial of service attack via crashing the server.
The updated code guards against the problematic dereference.
Reported by Jaehun Lee.
[Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
** libgnutls: Fix name constraint processing performance issue
Verifying certificates with pathological amounts of name constraints
could lead to a denial of service attack via resource exhaustion.
Reworked processing algorithms exhibit better performance characteristics.
Reported by Tim Scheckenbach.
[Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
** libgnutls: Fix multiple unexploitable overflows
Reported by Tim Rühsen (#1783, #1786).
** libgnutls: Fall back to thread-unsafe module initialization
Improve fallback handling for PKCS#11 modules that
don't support thread-safe initialization (#1774).
Also return filename from p11_kit_module_get_name() for unconfigured modules.
** libgnutls: Accept NULL as digest argument for gnutls_hash_output
The accelerated implementation of gnutls_hash_output() now
properly accepts NULL as the digest argument, matching the
behavior of the reference implementation (#1769).
** srptool: Avoid a stack buffer overflow when processing large SRP groups.
Reported and fixed by Mikhail Dmitrichenko (#1777).
** API and ABI modifications:
No changes since last version.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/gnutls | 12 +++++++++++-
lfs/gnutls | 13 ++++++-------
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
index 52c3b6764..c02780dfb 100644
--- a/config/rootfiles/common/gnutls
+++ b/config/rootfiles/common/gnutls
@@ -13,6 +13,7 @@ usr/bin/psktool
#usr/include/gnutls/dtls.h
#usr/include/gnutls/gnutls.h
#usr/include/gnutls/gnutlsxx.h
+#usr/include/gnutls/hpke.h
#usr/include/gnutls/ocsp.h
#usr/include/gnutls/openpgp.h
#usr/include/gnutls/pkcs11.h
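Review bot: +#usr/include/gnutls/hpke.h shows up in the installed tree although the configure call in the lfs/gnutls hunk does not pass --enable-hpke, which the changelog says is required to turn the HPKE technology preview on. Confirm whether the header (and the gnutls_hpke_* man pages in the later hunk) are installed unconditionally, in which case this is fine and the preview API stays off, or whether HPKE ended up enabled by default in this build; the commit message should say which, since it is commented out here and thus not shipped either way.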
@@ -32,7 +33,7 @@ usr/lib/libgnutls-dane.so.0.4.1
#usr/lib/libgnutls.la
#usr/lib/libgnutls.so
usr/lib/libgnutls.so.30
-usr/lib/libgnutls.so.30.41.0
+usr/lib/libgnutls.so.30.42.0
#usr/lib/libgnutlsxx.la
#usr/lib/libgnutlsxx.so
usr/lib/libgnutlsxx.so.30
@@ -395,6 +396,14 @@ usr/lib/libgnutlsxx.so.30.0.0
#usr/share/man/man3/gnutls_hmac_init.3
#usr/share/man/man3/gnutls_hmac_output.3
#usr/share/man/man3/gnutls_hmac_set_nonce.3
+#usr/share/man/man3/gnutls_hpke_decap.3
+#usr/share/man/man3/gnutls_hpke_deinit.3
+#usr/share/man/man3/gnutls_hpke_derive_keypair.3
+#usr/share/man/man3/gnutls_hpke_encap.3
+#usr/share/man/man3/gnutls_hpke_export.3
+#usr/share/man/man3/gnutls_hpke_init.3
+#usr/share/man/man3/gnutls_hpke_open.3
+#usr/share/man/man3/gnutls_hpke_seal.3
#usr/share/man/man3/gnutls_idna_map.3
#usr/share/man/man3/gnutls_idna_reverse_map.3
#usr/share/man/man3/gnutls_init.3
@@ -514,6 +523,7 @@ usr/lib/libgnutlsxx.so.30.0.0
#usr/share/man/man3/gnutls_pkcs11_obj_get_exts.3
#usr/share/man/man3/gnutls_pkcs11_obj_get_flags.3
#usr/share/man/man3/gnutls_pkcs11_obj_get_info.3
+#usr/share/man/man3/gnutls_pkcs11_obj_get_pk_algorithm.3
#usr/share/man/man3/gnutls_pkcs11_obj_get_ptr.3
#usr/share/man/man3/gnutls_pkcs11_obj_get_type.3
#usr/share/man/man3/gnutls_pkcs11_obj_import_url.3
diff --git a/lfs/gnutls b/lfs/gnutls
index c869100ba..ac2afb361 100644
--- a/lfs/gnutls
+++ b/lfs/gnutls
@@ -24,7 +24,7 @@
include Config
-VER = 3.8.11
+VER = 3.8.13
THISAPP = gnutls-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 54ec3fb396187294ae59c65fa92a515175d8ab19d9f5656569b372b5764b3090724aaa8cedd9467b530f2c74e86a6bfd956d3bd9439a7b69656dcc24e303cbe6
+$(DL_FILE)_BLAKE2 = 80677a45a7c6f892287020e3e6b0add2432f2c64a4c9a649ce889921ac65b44931504ad0682ccc12e4b6d8f94c1a72e35c50673c9d04bd4e327063b812339380
install : $(TARGET)
@@ -70,11 +70,10 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && \
- ./configure \
- --prefix=/usr \
- --without-p11-kit \
- --disable-openssl-compatibility
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --without-p11-kit \
+ --disable-openssl-compatibility
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
@rm -rf $(DIR_APP)
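Review bot: the configure reflow (`- cd $(DIR_APP) && \` / `- ./configure \` collapsed into `+ cd $(DIR_APP) && ./configure \`) is a pure whitespace change with no functional effect; it makes a version-bump diff harder to review and should either be split out or at least be called out in the commit message. While here: the build keeps --without-p11-kit, so the PKCS#11-related entries in the changelog (gnutls_pkcs11_token_set_pin use-after-free, the RSA key exchange overread with PKCS#11 keys, gnutls_pkcs11_obj_get_pk_algorithm) do not apply to this build; a one-line remark in the commit message would save the next reader from re-deriving that.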
--
2.54.0
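The branch-free PKCS#7 padding removal mentioned for CVE-2026-5419 above, as an added example written for this post rather than GnuTLS's own code; the helper names, the 16-byte block size and the sample buffers are assumptions constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constant-time helpers: each returns an all-ones (0xFF) or all-zeros
 * mask so that nothing below branches on the padding bytes themselves. */
static inline uint8_t ct_mask_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;             /* zero iff a == b */
    x = (x | (0u - x)) >> 31;       /* 1 iff x != 0 */
    return (uint8_t)(x - 1);        /* 0xFF if equal, 0x00 otherwise */
}

static inline uint8_t ct_mask_lt(uint32_t a, uint32_t b)
{
    /* valid for a, b < 2^31: a - b wraps negative iff a < b */
    return (uint8_t)(0u - ((a - b) >> 31));
}

/* Validate PKCS#7 padding on a decrypted CBC buffer and report the payload
 * length without branching on padding content. Returns 1 on valid padding
 * (and sets *payload_len), 0 otherwise; on 0 the caller must not use the
 * buffer. Assumes len is a non-zero multiple of block and block <= 255. */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t block,
                   size_t *payload_len)
{
    if (len == 0 || block == 0 || block > 255 || len % block != 0)
        return 0;               /* lengths are public, branching is fine */

    uint32_t pad = buf[len - 1];
    /* pad must be in [1, block] */
    uint8_t good = ct_mask_lt(0, pad) & ct_mask_lt(pad, (uint32_t)block + 1);

    /* Always touch the last `block` bytes; only those inside the claimed
     * padding are allowed to influence `good`. */
    for (size_t i = 0; i < block; i++) {
        uint8_t in_pad = ct_mask_lt((uint32_t)i, pad);   /* i < pad ? */
        uint8_t match  = ct_mask_eq(buf[len - 1 - i], pad);
        good &= match | (uint8_t)~in_pad;
    }

    size_t removed = (size_t)(pad & good);  /* pad only if everything matched */
    *payload_len = len - removed;
    return good & 1;
}

/* Constructed sample blocks (not real ciphertext) for the demo and tests. */
static const uint8_t SAMPLE_OK[16]   = { 'h','e','l','l','o',
                                         11,11,11,11,11,11,11,11,11,11,11 };
static const uint8_t SAMPLE_FULL[16] = { 16,16,16,16,16,16,16,16,
                                         16,16,16,16,16,16,16,16 };
static const uint8_t SAMPLE_BAD[16]  = { 'h','e','l','l','o',
                                         11,11,11,11,11,12,11,11,11,11,11 };
static const uint8_t SAMPLE_ZERO[16] = { 'a','a','a','a','a','a','a','a',
                                         'a','a','a','a','a','a','a',0 };
static const uint8_t SAMPLE_BIG[16]  = { 17,17,17,17,17,17,17,17,
                                         17,17,17,17,17,17,17,17 };

/* Convenience wrapper: payload length on valid padding, -1 on invalid. */
long unpad_or_fail(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    return pkcs7_unpad_ct(buf, len, 16, &n) ? (long)n : -1;
}

int main(void)
{
    printf("ok=%ld full=%ld bad=%ld zero=%ld big=%ld\n",
           unpad_or_fail(SAMPLE_OK, 16), unpad_or_fail(SAMPLE_FULL, 16),
           unpad_or_fail(SAMPLE_BAD, 16), unpad_or_fail(SAMPLE_ZERO, 16),
           unpad_or_fail(SAMPLE_BIG, 16));
    return 0;
}
```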
* [PATCH] libmicrohttpd: Update to version 1.0.5
From: Adolf Belka @ 2026-05-04 17:40 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- Update from version 1.0.3 to 1.0.5
- No change to rootfile
- Changelog
1.0.5
It fixes additional HTTP request smuggling issues (CWE-444).
1.0.4
It fixes a minor HTTP request smuggling issue (CWE-444).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/libmicrohttpd | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lfs/libmicrohttpd b/lfs/libmicrohttpd
index 1cfc60fc7..2ec042d9a 100644
--- a/lfs/libmicrohttpd
+++ b/lfs/libmicrohttpd
@@ -26,7 +26,7 @@ include Config
SUMMARY = Small C library to easily run an HTTP server as part of an application
-VER = 1.0.3
+VER = 1.0.5
THISAPP = libmicrohttpd-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = libmicrohttpd
-PAK_VER = 2
+PAK_VER = 3
DEPS =
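Review bot: the PAK_VER 2 -> 3 bump is what makes pakfire offer this build to systems that already have the add-on installed, and it matters here because 1.0.4 and 1.0.5 are both HTTP request smuggling fixes (CWE-444) per the changelog; please mention the pak version bump next to "No change to rootfile" in the commit message so it is visible without reading the diff.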
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = a739b5b954b94644e586e0323d6da5e6313eefb87a9f85230ed776a92176bae6393f0bf2fd2a45070989b0b193b63017f9c9e76b8409fb5632e4d1f6c6e6b8b1
+$(DL_FILE)_BLAKE2 = dd6ea96a4ab94925d041ef4c45066bf8fb5568c93a727e93295d69db5432ef498d72138f1c64fe157327aca8f97636c9140757c1c048e589d91fddc8ff83a119
install : $(TARGET)
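Review bot: the tarball is fetched from $(URL_IPFIRE) (DL_FROM context in the previous hunk), not from upstream, so the new $(DL_FILE)_BLAKE2 is the only thing tying this build to the upstream 1.0.5 release; the commit message should state that the copy placed on the IPFire mirror was verified against upstream's published checksum or signature before this hash was taken.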
--
2.54.0