From: Adolf Belka
Date: Tue, 11 Nov 2025 12:02:59 +0000 (+0100)
Subject: curl: Update to version 8.17.0
X-Git-Tag: v2.29-core199~17^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b49b2fa0468f8d65680e150afc7e7a964d3faf4;p=ipfire-2.x.git

curl: Update to version 8.17.0

- Update from version 8.16.0 to 8.17.0
- Update of rootfile
- Changelog
  8.17.0
    Changes:
      build: drop Heimdal support
      build: drop the winbuild build system
      krb5: drop support for Kerberos FTP
      libssh2: up the minimum requirement to 1.9.0
      multi: add notifications API
      progress: expand to use 6 characters per size
      ssl: support Apple SecTrust configurations
      tool_getparam: add --knownhosts
      vssh: drop support for wolfSSH
      wcurl: import v2025.11.04
      write-out: make %header{} able to output *all* occurrences of a header
    Bugfixes:
      ares: fix leak in tracing
      asyn-ares: remove wrong comment about the callback argument
      asyn-ares: use the duped hostname pointer for all calls
      asyn-thrdd resolver: clear timeout when done
      asyn-thrdd: drop pthread_cancel
      autotools: add support for libgsasl auto-detection via pkg-config
      autotools: capitalize Rustls in the log output
      autotools: drop detection of ancient OpenSSL libs RSAglue and rsaref
      autotools: fix duplicate UNIX and BSD flags in buildinfo.txt
      autotools: fix silly mistake in clang detection for buildinfo.txt
      autotools: make --enable-code-coverage support llvm/clang
      autotools: merge `if`s in GnuTLS/OpenSSL feature detection
      aws-lc: re-enable large read-ahead with v1.61.0 again
      base64: accept zero length argument to base64_encode
      build: address some -Weverything warnings, update picky warnings
      build: avoid overriding system open and stat symbols
      build: avoid overriding system symbols for fopen functions
      build: avoid overriding system symbols for socket functions
      build: show llvm/clang in platform flags and buildinfo.txt
      c-ares: when resolving failed, persist error
      cf-h2-proxy: break loop on edge case
      cf-ip-happy: mention unix domain path, not port number
      cf-socket: always check Curl_cf_socket_peek() return code
      cf-socket: check params and remove accept procondition
      cf-socket: make set_local_ip void, and remove failf()
      cf-socket: set FD_CLOEXEC on all sockets opened
      cf-socket: tweak a memcpy() to read better
      cf-socket: use the right byte order for ports in bindlocal
      cfilter: unlink and discard
      cfilters: check return code from Curl_pollset_set_out_only()
      checksrc: allow disabling warnings on FIXME/TODO comments
      checksrc: catch banned functions when preceded by (
      checksrc: fix possible endless loop when detecting BANNEDFUNC
      checksrc: fix possible endless loops in the banned function logic
      checksrc: fix to handle ) predecing a banned function
      checksrc: reduce directory-specific exceptions
      CI.md: refresh
      cmake/FindGSS: dedupe pkg-config module strings
      cmake/FindGSS: drop wrong header check for GNU GSS
      cmake/FindGSS: fix pkg-config fallback logic for CMake <3.16
      cmake/FindGSS: simplify/de-dupe lib setup
      cmake/FindGSS: whitespace/formatting
      cmake: add and use local FindGnuTLS module
      cmake: add CURL_CODE_COVERAGE option
      cmake: build the "all" examples source list dynamically
      cmake: clang detection tidy-ups
      cmake: drop exclamation in comment looking like a name
      cmake: fix `HAVE_GNUTLS_SRP` detection after adding local FindGnuTLS module
      cmake: fix building docs when the base directory contains .3
      cmake: fix Linux pre-fill `HAVE_POSIX_STRERROR_R` (when `_CURL_PREFILL=ON`)
      cmake: fix Linux pre-fills for non-glibc (when `_CURL_PREFILL=ON`)
      cmake: minor Heimdal flavour detection fix
      cmake: pre-fill three more type sizes on Windows
      cmake: say 'absolute path' in option descriptions and docs
      cmake: support building some complicated examples, build them in CI
      cmake: use modern alternatives for get_filename_component()
      cmake: use more COMPILER_OPTIONS, LINK_OPTIONS / LINK_FLAGS
      cmdline-docs: extended, clarified, refreshed
      cmdline-opts/_PROGRESS.md: explain the suffixes
      configure: add "-mt" for pthread support on HP-UX
      conn: fix hostname move on connection reuse
      conncache: prevent integer overflow in maxconnects calculation
      connect: for CONNECT_ONLY, CURLOPT_TIMEOUT does not apply
      connect: remove redundant condition in shutdown start
      cookie: avoid saving a cookie file if no transfer was done
      cookie: only count accepted cookies in Curl_cookie_add
      cookie: remove the temporary file on (all) errors
      cpool: make bundle->dest an array; fix UB
      curl.h: remove incorrect comment about CURLOPT_PINNEDPUBLICKEY
      curl_easy_getinfo: error code on NULL arg
      curl_easy_setopt.md: add missing CURLOPT_POSTFIELDS
      curl_mem_undef.h: limit to CURLDEBUG for non-memalloc overrides
      curl_ngtcp2: fix `-Wunreachable-code` with H3 !verbose !unity clang
      curl_osslq: error out properly if BIO_ADDR_rawmake() fails
      curl_path: make sure just whitespace is illegal
      Curl_resolv: fix comment. 'entry' argument is not optional
      curl_slist_append.md: clarify that a NULL pointer is not acceptable
      curl_threads: delete WinCE fallback branch
      CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well
      CURLOPT_COOKIEFILE.md: clarify when the cookies are loaded
      CURLOPT_COPYPOSTFIELDS.md: used with MQTT and RTSP as well
      CURLOPT_HEADER/WRITEFUNCTION.md: drop '* size' since size is always 1
      CURLOPT_MAXLIFETIME_CONN: make default 24 hours
      CURLOPT_POSTFIELDSIZE*: these also work for MQTT and RTSP
      CURLOPT_SERVER_RESPONSE_TIMEOUT*: add default and see-also
      CURLOPT_SSL_VERIFYHOST.md: add see-also to two other VERIFYHOST options
      CURLOPT_TIMECONDITION.md: works for FILE and FTP as well
      cw-out: fix EAGAIN handling on pause
      cw-out: unify the error handling pattern in cw_out_do_write
      digest_sspi: fix two memory leaks in error branches
      dist: do not distribute CI.md
      docs/cmdline-opts: drop double quotes from GLOBBING and URL examples
      docs/libcurl: clarify some timeout option behavior
      docs/libcurl: remove ancient version references
      docs/libcurl: use lowercase must
      docs: expand on quoting rules for file names in SFTP quote
      docs: fix/tidy code fences
      doh: cleanup resources on error paths
      doswin: CloseHandle the thread on shutdown
      easy_getinfo: check magic, Curl_close safety
      ECH.md: make OpenSSL branch clone instructions work
      examples/chkspeed: portable printing when outputting curl_off_t values
      examples/http2-serverpush: fix file handle leaks
      examples/sessioninfo: cast printf string mask length to int
      examples/sessioninfo: do not disable security
      examples/synctime: fix null termination assumptions
      examples/synctime: make the sscanf not overflow the local buffer
      examples/usercertinmem: avoid stripping const
      examples/websocket: fix use of uninitialized rlen
      examples: call curl_global_cleanup() where missing
      examples: check more errors, fix cleanups, scope variables
      examples: drop unused curl/mprintf.h includes
      examples: fix build issues in 'complicated' examples
      examples: fix more potential resource leaks, and more
      examples: fix two build issues surfaced with WinCE
      examples: fix two issues found by CodeQL
      examples: fix two more cases of stat() TOCTOU
      examples: improve global init, error checks and returning errors
      examples: replace casts with `curl_off_t` printf masks
      examples: return curl_easy_perform() results
      firefox-db2pem.sh: add macOS support, tidy-ups
      form.md: drop reference to MANUAL
      ftp: add extra buffer length check
      ftp: check errors on remote ip for data connection
      ftp: fix ftp_do_more returning with *completep unset
      ftp: fix port number range loop for PORT commands
      ftp: fix the 213 scanner memchr buffer limit argument
      ftp: improve fragile check for first digit > 3
      ftp: reduce size of some struct fields
      ftp: remove 'newhost' and 'newport' from the ftp_conn struct
      ftp: remove misleading comments
      ftp: remove the retr_size_saved struct field
      ftp: remove the state_saved struct field
      ftp: replace strstr() in ;type= handling
      ftp: simplify the 150/126 size scanner
      gnutls: check conversion of peer cert chain
      gnutls: fix re-handshake comments
      gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
      gtls: avoid potential use of uninitialized variable in trace output
      gtls: check the return value of gnutls_pubkey_init()
      header.md: see-also --proxy-header and vice versa
      hmac: free memory properly on errors
      hostip: don't store negative resolves due unrelated errors
      hostip: fix infof() output for non-ipv6 builds using IPv6 address
      hostip: remove leftover INT_MAX check in Curl_dnscache_prune
      http2: check push header names by length first
      http2: cleanup pushed newhandle on fail
      http2: ingress handling edge cases
      HTTP3: clarify the status for "old" OpenSSL, not current
      http: check the return value of strdup
      http: fix `-Wunreachable-code` in !websockets !unity builds
      http: fix `-Wunused-variable` in !alt-svc !proxy !ws builds
      http: handle user-defined connection headers
      http: look for trailing 'type=' in ftp:// without strstr
      http: make Content-Length parser more WHATWG
      http: only accept ';' as a separator for custom headers
      http: return error for a second Location: header
      http_aws_sigv4: check the return value of curl_maprintf()
      http_proxy: fix adding custom proxy headers
      httpsrr: free old pointers when storing new
      httpsrr: send HTTPS query to the right target
      imap: fix custom FETCH commands to handle literal responses
      imap: parse and use UIDVALIDITY as a number
      imap: treat capabilities case insensitively
      INSTALL-CMAKE.md: add manual configuration examples
      INSTALL-CMAKE.md: document useful build targets
      INSTALL-CMAKE.md: fix descriptions for LDAP dependency options
      INSTALL: update the list of known operating systems
      INTERNALS: drop Winsock 2.2 from the dependency list
      ip-happy: do not set unnecessary timeout
      ip-happy: prevent event-based stall on retry
      kerberos: bump minimum to 1.3 (2003-07-08), drop legacy logic
      kerberos: drop logic for MIT Kerberos <1.2.3 (pre-2002) versions
      kerberos: stop including gssapi/gssapi_generic.h
      krb5: fix output_token allocators in the GSS debug stub (Windows)
      krb5: return appropriate error on send failures
      krb5_gssapi: fix memory leak on error path
      krb5_sspi: the chlg argument is NOT optional
      ldap: avoid null ptr deref on failure
      ldap: do not base64 encode zero length string
      ldap: do not pass a \n to failf()
      ldap: tidy-up types, fix error code confusion
      lib1514: fix return code mixup
      lib: delete unused crypto header includes
      lib: drop unused include and duplicate guards
      lib: fix build error with verbose strings disabled
      lib: remove newlines from failf() calls
      lib: remove personal names from comments
      lib: SSL connection reuse
      lib: stop NULL-checking conn->passwd and ->user
      lib: upgrade/multiplex handling
      libcurl-multi.md: added curl_multi_get_offt mention
      libcurl-security.md: mention long-running connections
      libssh/libssh2: reject quote command lines with too much data
      libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume
      libssh2/sftp: fix resume corruption by avoiding O_APPEND with rresume
      libssh2/sftp_realpath: change state consistently
      libssh2: avoid risking using an uninitialized local struct field
      libssh2: bail out on chgrp and chown number parsing errors
      libssh2: clarify that sshp->path is always at least one byte
      libssh2: drop two redundant null-terminations
      libssh2: error check and null-terminate in ssh_state_sftp_readdir_link()
      libssh2: fix EAGAIN return in ssh_state_auth_agent
      libssh2: fix return code for EAGAIN
      libssh2: use sockindex consistently
      libssh: acknowledge SSH_AGAIN in the SFTP state machine
      libssh: catch a resume point larger than the size
      libssh: clarify myssh_block2waitfor
      libssh: drop two unused assignments
      libssh: error on bad chgrp number
      libssh: error on bad chown number and store the value
      libssh: fix range parsing error handling mistake
      libssh: make atime and mtime cap the timestamp instead of wrap
      libssh: react on errors from ssh_scp_read
      libssh: return out of memory correctly if aprintf fails
      libssh: return the proper error for readdir problems
      Makefile.example: bump default example from FTP to HTTPS
      Makefile.example: fix option order
      Makefile.example: make default options more likely to work
      Makefile.example: simplify and make it configurable
      managen: ignore version mentions < 7.66.0
      managen: render better manpage references/links
      managen: strict protocol check
      managen: verify the options used in example lines
      mbedtls: add support for 4.0.0
      mbedtls: check result of setting ALPN
      mbedtls: fix building with <3.6.1
      mbedtls: fix building with sha-256 missing from PSA
      mbedtls: handle WANT_WRITE from mbedtls_ssl_read()
      md4: drop mbedtls implementation (not available in mbedtls v3+)
      mdlinkcheck: reject URLs containing quotes
      memdup0: handle edge case
      mime: fix unpausing of readers
      mime: fix use of fseek()
      multi.h: add CURLMINFO_LASTENTRY
      multi: check the return value of strdup()
      multi_ev: remove unnecessary data check that confuses analysers
      netrc: when the cached file is discarded, unmark it as loaded
      nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
      ngtcp2: add a comment explaining write result handling
      ngtcp2: adopt ngtcp2_conn_get_stream_user_data if available
      ngtcp2: check error code on connect failure
      ngtcp2: close just-opened QUIC stream when submit_request fails
      ngtcp2: compare idle timeout in ms to avoid overflow
      ngtcp2: fix early return
      ngtcp2: fix handling of blocked stream data
      ngtcp2: fix returns when TLS verify failed
      ngtcp2: overwrite rate-limits defaults
      noproxy: fix the IPV6 network mask pattern match
      NTLM: disable if DES support missing from OpenSSL or mbedTLS
      ntlm: improved error path on bad incoming NTLM TYPE3 message
      openldap/ldap; check for binary attribute case insensitively
      openldap: avoid indexing the result at -1 for blank responses
      openldap: check ber_sockbuf_add_io() return code
      openldap: check ldap_get_option() return codes
      openldap: do not pass newline to infof()
      openldap: fix memory-leak in error path
      openldap: fix memory-leak on oldap_do's exit path
      openldap: limit max incoming size
      openssl-quic: check results better
      openssl-quic: handle error in SSL_get_stream_read_error_code
      openssl-quic: ignore unexpected streams opened by server
      openssl: better return code checks when logging cert data
      openssl: call SSL_get_error() with proper error
      openssl: check CURL_SSLVERSION_MAX_DEFAULT properly
      openssl: clear retry flag on x509 error
      openssl: combine all the x509-store flags
      openssl: fail if more than MAX_ALLOWED_CERT_AMOUNT certs
      openssl: fail the transfer if ossl_certchain() fails
      openssl: fix build for v1.0.2
      openssl: fix peer certificate leak in channel binding
      openssl: fix resource leak in provider error path
      openssl: fix unable do typo in failf() calls
      openssl: free UI_METHOD on exit path
      openssl: make the asn1_object_dump name null terminated
      openssl: only try engine/provider if a cert file/name is provided
      openssl: set io_need always
      openssl: skip session resumption when verifystatus is set
      os400: document threads handling in code.
      OS400: fix a use-after-free/double-free case
      osslq: set idle timeout to 0
      pingpong: remove two old leftover debug infof() calls
      pop3: check for CAPA responses case insensitively
      pop3: fix CAPA response termination detection
      pop3: function could get the ->transfer field wrong
      pytest: skip specific tests for no-verbose builds
      quic: fix min TLS version handling
      quic: ignore EMSGSIZE on receive
      quic: improve UDP GRO receives
      quic: remove data_idle handling
      quiche: fix possible leaks on teardown
      quiche: fix verbose message when ip quadruple cannot be obtained.
      quiche: handle tls fail correctly
      quiche: when ingress processing fails, return that error code
      rtsp: use explicit postfieldsize if specified
      runtests: tag tests that require curl verbose strings
      rustls: exit on error
      rustls: fix clang-tidy warning
      rustls: fix comment describing cr_recv()
      rustls: limit snprintf proper in cr_keylog_log_cb()
      rustls: make read_file_into not reject good files
      rustls: pass the correct result to rustls_failf
      rustls: typecast variable for safer trace output
      rustls: use %zu for size_t in failf() format string
      sasl: clear canceled mechanism instead of toggling it
      schannel: assign result before using it
      schannel: fix memory leak
      schannel: handle Curl_conn_cf_send() errors better
      schannel: lower the maximum allowed time to block to 7 seconds
      schannel: properly close the certfile on error
      schannel_verify: do not call infof with an appended \n
      schannel_verify: fix mem-leak in Curl_verify_host
      schannel_verify: use more human friendly error messages
      scp/sftp: fix disconnect
      scripts: pass -- before passing xargs
      setopt: accept *_SSL_VERIFYHOST set to 2L
      setopt: allow CURLOPT_DNS_CACHE_TIMEOUT set to -1
      setopt: fix unused variable warning in minimal build
      setopt: make CURLOPT_MAXREDIRS accept -1 (again)
      singleuse.pl: fix string warning
      smb: adjust buffer size checks
      smb: transfer debugassert to real check
      smtp: check EHLO responses case insensitively
      smtp: fix EOB handling
      smtp: return value ignored
      socks: advance iobuf instead of reset
      socks: avoid UAF risk in error path
      socks: deny server basic-auth if not configured
      socks: handle error in verbose trace gracefully
      socks: handle premature close
      socks: make Curl_blockread_all return CURLcode
      socks: properly maintain the status of 'done'
      socks: rewwork, cleaning up socks state handling
      socks_gssapi: also reset buffer length after free
      socks_gssapi: make the gss_context a local variable
      socks_gssapi: reject too long tokens
      socks_gssapi: remove superfluous releases of the gss_recv_token
      socks_gssapi: remove the forced "no protection"
      socks_gssapi: replace `gss_release_buffer()` with curl free
      socks_sspi: bail out on too long fields
      socks_sspi: fix memory cleanup calls
      socks_sspi: remove the enforced mode clearing
      socks_sspi: restore non-blocking socket on error paths
      socks_sspi: use the correct free function
      socksd: remove --bindonly mention, there is no such option
      spelling: fix new finds by typos-cli 1.39.0
      src/var: remove dead code
      ssl-session-cache: check use on config and availability
      ssl-sessions.md: mark option experimental
      strerror: drop workaround for SalfordC win32 header bug
      sws: fix checking sscanf() return value
      sws: pass in socket reference to allow function to close it
      tcp-nodelay.md: expand the documentation
      telnet: ignore empty suboptions
      telnet: make bad_option() consider NULL a bad option too
      telnet: make printsub require another byte input
      telnet: print DISPlay LOCation in printsub without mutating buffer
      telnet: refuse IAC codes in content
      telnet: return error if WSAEventSelect fails
      telnet: return error on crazy TTYPE or XDISPLOC lengths
      telnet: send failure logged but not returned
      telnet: use pointer[0] for "unknown" option instead of pointer[i]
      test1100: fix missing `` section
      tests/libtest/cli*: fix init/deinit, leaks, and more
      tests/server: drop pointless memory allocation overrides
      tests/server: drop unsafe open() override in signal handler (Windows)
      tftp: check and act on tftp_set_timeouts() returning error
      tftp: check for trailing ";mode=" in URL without strstr
      tftp: default timeout per block is now 15 seconds
      tftp: error requests for blank filenames
      tftp: handle tftp_multi_statemach() return code
      tftp: pin the first used address
      tftp: propagate expired timer from tftp_state_timeout()
      tftp: return error if it hits an illegal state
      tftp: return error when sendto() fails
      thread: errno on thread creation
      tidy-up: assortment of small fixes
      tidy-up: avoid using the reserved macro namespace
      tidy-up: fcntl.h includes
      tidy-up: update MS links, allow long URLs via checksrc
      tidy-up: URLs
      time-cond.md: refer to the singular curl_getdate man page
      TLS: IP address verification, extend test
      TODO: fix a typo
      TODO: remove already implemented or bad items
      tool: fix exponential retry delay
      tool_cb_hdr: fix fwrite check in header callback
      tool_cb_hdr: size is always 1
      tool_cb_rea: use poll instead of select if available
      tool_cfgable: remove superfluous free calls
      tool_doswin: fix to use curl socket functions
      tool_filetime: cap crazy file times instead of erroring
      tool_filetime: replace cast with the fitting printf mask (Windows)
      tool_formparse: rewrite the headers file parser
      tool_getparam/set_rate: skip the multiplication on overflow
      tool_getparam: always disable "lib-ids" for tracing
      tool_getparam: make --fail and --fail-with-body override each other
      tool_getparam: warn if provided header looks malformed
      tool_ipfs: check the return value of curl_url_get for gwpath
      tool_ipfs: simplify the ipfs gateway logic
      tool_msgs: make errorf() show if --show-error
      tool_operate: improve wording in retry message
      tool_operate: keep failed partial download for retry auto-resume
      tool_operate: keep the progress meter for --out-null
      tool_operate: move the checks that skip ca cert detection
      tool_operate: retry on HTTP response codes 522 and 524
      tool_operate: return error on strdup() failure
      tool_paramhlp: remove outdated comment in str2tls_max()
      tool_parsecfg: detect and error on recursive --config use
      tool_progress: handle possible integer overflows
      tool_progress: make max5data() use an algorithm
      transfer: avoid busy loop with tiny speed limit
      transfer: fix retry for empty downloads on reuse
      transfer: reset retry count on each request
      unit1323: sync time types and printf masks, drop casts
      unit1664: drop casts, expand masks to full values
      url: make Curl_init_userdefined return void
      urldata: FILE is not a list-only protocol
      urldata: make 'retrycount' a single byte
      urldata: make redirect counter 16 bit
      vauth/digest: improve the
digest parser version: add GSS backend name and version vquic: fix idle-timeout checks (ms<-->ns), 64-bit log & honor 0=no-timeout vquic: fix recvmsg loop for max_pkts vquic: handling of io improvements vquic: sending non-gso packets fix for EAGAIN vtls: alpn setting, check proto parameter vtls: check final cfilter node in find_ssl_filter vtls: drop duplicate `CURL_SHA256_DIGEST_LENGTH` definition vtls: properly handle SSL shutdown timeout vtls: remove call to PKCS12_PBE_add() vtls: unify the error handling in ssl_cf_connect(). vtls_int.h: clarify data_pending vtls_scache: fix race condition wcurl: sync to +dev snapshot windows: replace _beginthreadex() with CreateThread() windows: stop passing unused, optional argument for Win9x compatibility windows: use consistent format when showing error codes windows: use native error code types more wolfssl: check BIO read parameters wolfssl: clear variable to avoid uninitialized use wolfssl: fix error check in shutdown wolfssl: fix resource leak in verify_pinned error paths wolfssl: no double get_error() detail ws: clarify an error message ws: fix some edge cases ws: fix type conversion check ws: reject curl_ws_recv called with NULL buffer with a buflen Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer --- diff --git a/config/rootfiles/common/curl b/config/rootfiles/common/curl index 42ad12a98..9eb01f389 100644 --- a/config/rootfiles/common/curl +++ b/config/rootfiles/common/curl @@ -113,6 +113,8 @@ usr/lib/libcurl.so.4.8.0 #usr/share/man/man3/CURLMOPT_MAX_PIPELINE_LENGTH.3 #usr/share/man/man3/CURLMOPT_MAX_TOTAL_CONNECTIONS.3 #usr/share/man/man3/CURLMOPT_NETWORK_CHANGED.3 +#usr/share/man/man3/CURLMOPT_NOTIFYDATA.3 +#usr/share/man/man3/CURLMOPT_NOTIFYFUNCTION.3 #usr/share/man/man3/CURLMOPT_PIPELINING.3 #usr/share/man/man3/CURLMOPT_PIPELINING_SERVER_BL.3 #usr/share/man/man3/CURLMOPT_PIPELINING_SITE_BL.3 
@@ -490,6 +492,8 @@ usr/lib/libcurl.so.4.8.0 #usr/share/man/man3/curl_multi_get_offt.3 #usr/share/man/man3/curl_multi_info_read.3 #usr/share/man/man3/curl_multi_init.3 +#usr/share/man/man3/curl_multi_notify_disable.3 +#usr/share/man/man3/curl_multi_notify_enable.3 #usr/share/man/man3/curl_multi_perform.3 #usr/share/man/man3/curl_multi_poll.3 #usr/share/man/man3/curl_multi_remove_handle.3 diff --git a/lfs/curl b/lfs/curl index e999ed3e6..33f46881a 100644 --- a/lfs/curl +++ b/lfs/curl @@ -24,7 +24,7 @@ include Config -VER = 8.16.0 +VER = 8.17.0 THISAPP = curl-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 573d56779481abf0b7d20225bba4f068cb726f23f69ce10076438e32cc6c16d1229c211aee05fc5e3e9cb9d78bbfdc5da0d8b73e730c0865879000eb90accf6a +$(DL_FILE)_BLAKE2 = a7a804afe058f323b40177bcb4ffc523decde92da3da0a051f2dc1b566131250a96afe1ebf2bebc071993c893bddeef883ef33ddc0a9bee86d4e54402a546fba install : $(TARGET)
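
Review bot: in lfs/curl at the -24 hunk, VER moves from 8.16.0 to 8.17.0 and the only other change to the recipe is the checksum, while the changelog in the message lists removals (Heimdal, Kerberos FTP, wolfSSH) and a raised libssh2 minimum of 1.9.0. The message should say that none of these are enabled by the configure options used for this package, and, if curl is linked against libssh2 here, that the version in the tree meets the new minimum.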
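
Review bot: in lfs/curl at the -40 hunk, the new $(DL_FILE)_BLAKE2 value is the only integrity check visible for the tarball fetched from $(DL_FROM), and the commit message does not record how it was obtained. Please note in the message that curl-8.17.0.tar.xz was checked against the upstream release signature before the BLAKE2 sum was computed, so that the pinned hash refers to an authenticated file rather than to whatever the download location served.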