pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: [pkgsrc-2026Q1] pkgsrc/www/curl
Module Name: pkgsrc
Committed By: maya
Date: Thu May 7 22:32:38 UTC 2026
Modified Files:
pkgsrc/www/curl [pkgsrc-2026Q1]: Makefile.common PLIST distinfo
Log Message:
Pullup ticket #7096 - requested by taca
www/curl: Security fix
Revisions pulled up:
- www/curl/Makefile.common 1.36
- www/curl/PLIST 1.108
- www/curl/distinfo 1.224
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Apr 29 07:05:49 UTC 2026
Modified Files:
pkgsrc/www/curl: Makefile.common PLIST distinfo
Log Message:
curl: update to 8.20.0.
This release includes the following changes:
o async-thrdd: use thread queue for resolving [144]
o build: make NTLM disabled by default [90]
o cmake: drop support for CMake 3.17 and older [108]
o lib: add thread pool and queue [74]
o lib: drop support for < c-ares 1.16.0 [64]
o lib: make SMB support opt-in [18]
o multi.h: add CURLMNWC_CLEAR_ALL [127]
o rtmp: drop support [91]
This release includes the following bugfixes:
o altsvc: cap the list at 5,000 entries [183]
o altsvc: drop the prio field from the struct [185]
o altsvc: skip expired entries read from file [187]
o asyn-ares: connect async [220]
o asyn-ares: drop orphaned variable references [86]
o asyn-ares: fix HTTPS-lookup when not on port 443 [100]
o asyn-thrdd: drop redundant `result` check [291]
o asyn-thrdd: fix clang-tidy unused value warning [125]
o async-ares: fix query counter handling [195]
o autotools: limit checksrc target to ignore non-repo test sources [12]
o badwords-all: exit with correct code on errors [50]
o badwords: combine the whitelisting into a single regex [1]
o badwords: detect the the and with with [51]
o badwords: only check comments and strings in source code [61]
o badwords: rework exceptions, fix many of them [15]
o boringssl: fix more coexist cases with Schannel/WinCrypt [170]
o build: adjust/add casts to fix `-Wformat-signedness` [218]
o build: assume `snprintf()` in `mprintf`, drop feature check [107]
o build: compiler warning silencing tidy-ups [4]
o build: drop `openssl` module dependency for BoringSSL from `libcurl.pc` [33]
o build: drop duplicate `pthread.h` includes [158]
o build: drop redundant `USE_QUICHE` guards [159]
o build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues [84]
o build: fix `-Wformat-signedness` by adjusting printf masks [226]
o build: link `bcrypt.lib` via vcxproj files [239]
o build: skip detecting `pipe2()` for Apple targets [227]
o build: stop building and installing `runtests.1` and `testcurl.1` [235]
o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [132]
o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [63]
o cf-ip-happy: limit concurrent attempts [191]
o cf-socket: avoid low risk integer overflow on ancient Solaris [56]
o cfilters: fix Curl_pollset_poll() return code mixup [206]
o clang-tidy: avoid assignments in `if` expressions [175]
o clang-tidy: enable more checks, fix fallouts [254]
o cmake: add CMake Config-based dependency detection [87]
o cmake: add CMake Config-based dependency detection for c-ares, wolfSSL [134]
o cmake: do not install `wcurl` when `BUILD_CURL_EXE=OFF` [265]
o cmake: do not install shell completions when `BUILD_CURL_EXE=OFF` [263]
o cmake: document functions used from Windows system DLLs [103]
o cmake: enable pthreads for BoringSSL/AWS-LC [196]
o cmake: resolve targets recursively when generating `libcurl.pc` [45]
o cmake: rework binutils ld hack to not read `LOCATION` property [41]
o cmake: silence bad library `Threads::Threads` warning [131]
o cmake: use `AIX` built-in variable (with CMake 4.0+) [163]
o config2setopts: make --capath work in proxy disabled builds [113]
o configure: fix `--with-ngtcp2=<path>` option for crypto libs [26]
o configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic [3]
o configure: prefer dependency-specific variables over `$withval` [35]
o configure: remove superfluous experimental warning for HTTP/3 [169]
o configure: silence useless clang warnings in C89 builds [156]
o configure: tidy up comments [202]
o connect: fix typo on error message
o cookie: fix rejection when tabs in value [189]
o curl-wolfssl.m4: fix to use the correct value for pkg-config directory [36]
o curl.h: replace macros with C++-friendly method to enforce 3 args [110]
o curl_ctype.h: fix spelling in a couple of locally used macros [28]
o curl_get_line: error out on read errors [9]
o curl_get_line: fix potential infinite loop when filename is a directory [46]
o curl_ngtcp2: extend and update callbacks for 1.22.0+ [165]
o curl_ntlm_core: drop redundant PP condition [140]
o curl_ntlm_core: use wolfCrypt DES API with wolfSSL [200]
o curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard [210]
o curl_sha512_256: support delegating to wolfSSL API [149]
o curl_version_info.md: clarify age details [69]
o CURLOPT_HAPROXY_CLIENT_IP.md: mention assumption on data format [96]
o CURLOPT_RTSP_SESSION_ID.md: clarify reuse "dangers" [270]
o CURLOPT_RTSP_SESSION_ID.md: expand the comment [267]
o CURLOPT_RTSP_SESSION_ID.md: minor language fix
o CURLOPT_SOCKS5_AUTH.md: an access property [212]
o CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse [105]
o CURLOPT_UPLOAD_FLAGS.md: expand [223]
o curlx_now(), prevent zero timestamp [93]
o DEPRECATE: fix minor release number typo
o digest: pass in the user name quoted (as well) [34]
o dns: https-eyeballing async [229]
o dnscache: own source file, improvements [116]
o docs/cmdline-opts/write-out.md: tls_earlydata was adeded in 8.13.0
o docs/cmdline-opts: tidy up retry-connrefused [190]
o docs/lib: fix typos [53]
o docs/libcurl: improve easy setopt examples [266]
o docs: clarify retry-max-time timing [294]
o docs: CURLOPT_LOGIN_OPTIONS is a login property [228]
o docs: enable more compiler warnings for C snippets, fix 3 finds [71]
o docs: list more dependencies for running Python HTTP tests [123]
o docs: mention more zip bomb precautions [166]
o docs: minor wording tweaks
o docs: noproxy wants the punycoded hostname version [214]
o docs: SSH host verification is done at connect time [197]
o docs: use the correct CURLOPT_WRITEFUNCTION signature [142]
o doh: fix memory-leak when doing a second DoH resolve [55]
o doh: remove superfluous doh_req check [222]
o examples/websocket: fix to sleep more on Windows [92]
o examples: drop warning silencers no longer hit [14]
o examples: fix typo in comment [75]
o file: init fd to -1 to prevent close fd 0 on early failure [40]
o fopen: for temp files, inherit permissions only for owner [146]
o ftp: do not strdup DATA hostname [29]
o ftp: make the MDTM date parser stricter (again) [115]
o ftp: reject PWD responses containing control characters [95]
o gcc: guard `#pragma diagnostic` in core code for <4.6 [94]
o generate.bat: remove extra % from VC11 and VC12 runs
o genserv.pl: make external calls safe [119]
o getinfo: initialize `PureInfo` field `used_proxy` [43]
o getinfo: repair CURLINFO_TLS_SESSION [193]
o gnutls: fix clang-tidy warning with !verbose [126]
o gtls: fail for large files in `load_file()` [174]
o h3: HTTPS-RR use in HTTP/3 [221]
o Happy Eyeballs: add resolution time delay [238]
o haproxy: use correct ip version on client supplied address [275]
o hostip: clear the sockaddr_in6 structure before use [20]
o hostip: init the curl_jmpenv_lock appropriately [278]
o hostip: resolve user supplied ip addresses [259]
o HSTS: cap the list [177]
o hsts: make the HSTS read callback handle name dupes [141]
o hsts: skip expired HSTS entries read from file [188]
o hsts: when a dupe host adds subdomains, use that [130]
o http2: clear the h2 session at delete [99]
o http2: prevent secure schemes pushed over insecure connections [181]
o http2: return error on OOM in push headers [65]
o HTTP3.md: drop outdated mentions of OpenSSL-QUIC [2]
o http: clear credentials better on redirect [204]
o http: clear digest nonce on cross-orgin redirect [269]
o http: clear the proxy credentials as well on port or scheme change [246]
o http: fix auth_used and auth_avail [154]
o http: fix Curl_compareheader for multi value headers [11]
o http: make Curl_compareheader handle multiple commas in header
o http: on 303, switch to GET [208]
o http: use header_has_value() instead of duplicate code [251]
o imap: reset the UIDVALIDITY state between transfers [7]
o include: drop 'will' from public headers [73]
o INSTALL.md: update Cygwin instructions [198]
o keylog.h: replace literal number with macro in declaration [171]
o keylog: drop unused/redundant includes and guards [172]
o ldap: drop duplicate `ldap_set_option()` on Windows [42]
o ldap: fix to initialize cleartext connection on Windows [49]
o lib1560: fix comment typo
o lib1960: fix test failure [255]
o lib: accept larger input to md5/hmac/sha256/sha512 functions [194]
o lib: always use Curl_1st_fatal instead of Curl_1st_err [89]
o lib: fix typos in comments [240]
o lib: make resolving HTTPS DNS records reliable: [176]
o lib: minor comment typos [237]
o lib: move request specific allocations to the request struct [256]
o lib: replace `PRI*32` printf masks with C89 ones [201]
o libssh2: allocate libssh2-friendly memory in kbd_callback [225]
o libssh2: fix error handling on quote errors [21]
o libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0 [215]
o libssh: fix `-Wsign-compare` in 32-bit builds [217]
o libssh: path length precaution [164]
o libssh: propagate error back in SFTP function [178]
o libtest: drop duplicate include [111]
o location/follow: mention netrc [138]
o man: fix argument type for `CURLSHOPT_[UN]SHARE` options [211]
o mbedtls: cleanup more without care for 'initialized' [262]
o mbedtls: fix ECJPAKE matching [135]
o mbedtls: remove failf() call with first argument as NULL [249]
o md4, md5: switch to wolfCrypt API in wolfSSL builds [139]
o mime: only allow 40 levels of calls [241]
o misc: fix code quality findings [209]
o mk-ca-bundle.pl: make `ca-bundle.crt` timestamp match `certdata.txt`'s [44]
o multi: enhance pending handles fairness [284]
o multi: fix connection retry for non-http [180]
o multi: improve wakeup and wait code [118]
o netrc: find login-less password when user is given in URL [6]
o netrc: remove unused parsenetrc() macro for netrc-disabled [121]
o netrc: skip malformed macdef lines [67]
o openssl channel_binding: lookup digest algorithm without NID [117]
o openssl: drop obsolete SSLv2 logic [27]
o openssl: fix build with 4.0.0-beta1 no-deprecated [184]
o openssl: fix memory leaks in ECH code (OpenSSL 3) [78]
o openssl: fix unused variable warnings in !verbose builds [252]
o openssl: trace count of found / imported Windows native CA roots [8]
o OS400: add new definitions to the ILE/RPG binding. [153]
o os400sys: fix typo in comment (symetry -> symmetry) [58]
o parsedate: bsearch the time zones [232]
o parsedate: fix wrong treatment of "military time zones" [182]
o parsedate: refactor [230]
o perl: harden external command invocations [133]
o progress: count amount of data "delivered" to application [66]
o protocol.h: fix the CURLPROTO_MASK [31]
o protocol: disable connection reuse for SMB(S) [199]
o protocol: use scheme names lowercase [38]
o proxy: chunked response, error code [143]
o pytest: add additional quiche check for flaky test_05_01 [22]
o pytest: check 429 handling [268]
o rand: use `BCryptGenRandom()` in UWP builds [88]
o ratelimit: reset on start [150]
o request: reset resp_trailer in new requests [186]
o runtests: skip setting ed25519 SSH key format [264]
o rustls: fix memory leak on repeated SSLKEYLOGFILE fails [280]
o rustls: handle EOF during initial handshake [203]
o schannel: increase renegotiation timeout to 60 seconds [261]
o scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl) [109]
o scripts: harden / tidy up more Perl `system()` calls [70]
o sectrust: fail on missing OCSP stapling [250]
o sendf: fix CR detection if no LF is in the chunk [219]
o setopt: clear proxy auth properties when switching [192]
o setopt: fix typos in comments [257]
o setopt: move CURLOPT_CURLU [260]
o setup connection filter: mark as setup [234]
o sha256, sha512_256: switch to wolfCrypt API [147]
o sha256: support delegating to wolfSSL API [148]
o share: concurrency handling, easy updates [104]
o share: do bitshifts after the type is checked to be valid [216]
o socks: reject zero-length GSSAPI/SSPI tokens from proxy [157]
o socks: use dns filter for resolving [244]
o spelling: fix typos [173]
o src: use ftruncate() unconditionally [128]
o sshserver.pl: harden more `system()` calls [81]
o sshserver.pl: pass command-line to `system()` safely [82]
o strerr: correct the strerror_s() return code condition [25]
o sws: fix potential OOB write [80]
o synctime: fix off-by-one read and write to a read-only buffer (Windows) [85]
o test 766: flag as timing-dependent [136]
o test1675: unit tests for URL API helper functions [248]
o test459: switch to mode="warn" for stderr check [5]
o testcurl.pl: replace shell commands with Perl `rmtree()` [76]
o tests/unit/README: describe how to unit test static functions [60]
o tests: avoid infinite recursion for `make check` [253]
o tests: use %b64[] instead of "raw" base64 [245]
o tool: check for curlinfo->age when determining if ssh backend [77]
o tool: fix memory mixups [106]
o tool: fix retries in parallel mode [137]
o tool: fix two more allocator mismatches [155]
o tool_cb_hdr: only truncate etags output when regular file [129]
o tool_cb_rea: make waitfd() return void [168]
o tool_cb_wrt: fix no-clobber error handling [39]
o tool_cfgable: free the SSL signature algorithms [62]
o tool_dirhie: fix to create drive-relative directory [276]
o tool_formparse: propagate my_get_line errors when reading headers [102]
o tool_getparam: use correct free function for libcurl memory [68]
o tool_ipfs: accept IPFS gateway URL without set port number [13]
o tool_msgs: avoid null pointer deref for early errors [98]
o tool_operate: actually apply the --parallel-max-host limit [167]
o tool_operate: drop the scheme-guessing in the -G handling [54]
o tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows) [79]
o tool_operate: fix memory-leak on failed uploads [124]
o tool_operate: fix minor memory-leak on early error [23]
o tool_operate: reset the upload glob counter for next URL [162]
o tool_operhlp: fix `add_file_name_to_url()` result on OOM [32]
o tool_operhlp: iterate through all slashes to find name [114]
o tool_operhlp: propagate low-level OOM in `add_file_name_to_url()` [112]
o tool_setopt: return error on OOM correctly [152]
o tool_urlglob: fix memory-leak on glob range overflow [19]
o top-complexity: prevent filename-based shell injection risk [101]
o transfer: clear the old autoreferer [236]
o transfer: clear the URL pointer in OOM to avoid UAF [179]
o transfer: enable custom methods again on next transfer [30]
o transfer: enhance secure check [10]
o unit1675: fix `-Wformat-signedness` [274]
o url: do not reuse a non-tls starttls connection if new requires TLS [145]
o url: improve connection reuse on negotiate [160]
o url: init req.no_body in DO so that it works for h2 push [161]
o url: set default upload flags to CURLULFLAG_SEEN [224]
o url: use the socks type for socks proxy [47]
o url: use URL for url even in comments [52]
o urlapi: fix handling of "file:///" [122]
o urlapi: make dedotdotify handle leading dots correctly [97]
o urlapi: same origin tests [213]
o urlapi: stop extracting hostname from file:// URLs on Windows [247]
o urlapi: verify the last letter of a scheme when set explicitly [16]
o urldata.h: fix typo and lingering backtick [279]
o urldata: connection bit ipv6_ip is wrong [59]
o urldata: import port types and conn destination format [57]
o urldata: make hstslist only present in HSTS builds [120]
o urldata: make speeder_c uint32 [37]
o urldata: move cookiehost to struct SingleRequest [242]
o urldata: remove trailers_state [17]
o vquic: fix variable name in fallback code [207]
o vtls: fix comment typos and tidy up a type [285]
o vtls: log when key logging is enabled. [288]
o vtls_scache: check reentrancy [243]
o vtls_scache: include cert_blob independently of verifypeer [231]
o wolfssl: document v5.0.0 (2021-11-01) as minimum required [151]
o wolfssl: fix `-Wmissing-prototypes` [233]
o wolfssl: fix handling of abrupt connection close [24]
o write-out.md: minor language fix [273]
o write-out.md: tls_earlydata was adeded in 8.13.0
o ws: fix a blocking curl_ws_send() to report written length correctly [258]
o x509asn1: fix to return error in an error case from `encodeOID()` [83]
o x509asn1: fixed and adapted for ASN1tostr unit testing [48]
o x509asn1: improve encodeOID [72]
Planned upcoming removals include:
o local crypto implementations
o NTLM
o SMB
o TLS-SRP support
See https://curl.se/dev/deprecate.html
To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.2.1 pkgsrc/www/curl/Makefile.common
cvs rdiff -u -r1.107 -r1.107.4.1 pkgsrc/www/curl/PLIST
cvs rdiff -u -r1.223 -r1.223.2.1 pkgsrc/www/curl/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/curl/Makefile.common
diff -u pkgsrc/www/curl/Makefile.common:1.35 pkgsrc/www/curl/Makefile.common:1.35.2.1
--- pkgsrc/www/curl/Makefile.common:1.35 Wed Mar 11 07:08:39 2026
+++ pkgsrc/www/curl/Makefile.common Thu May 7 22:32:38 2026
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.common,v 1.35 2026/03/11 07:08:39 wiz Exp $
+# $NetBSD: Makefile.common,v 1.35.2.1 2026/05/07 22:32:38 maya Exp $
# used by www/libcurl-gnutls/Makefile
-DISTNAME= curl-8.19.0
+DISTNAME= curl-8.20.0
CATEGORIES= www
MASTER_SITES= https://curl.se/download/
EXTRACT_SUFX= .tar.xz
Index: pkgsrc/www/curl/PLIST
diff -u pkgsrc/www/curl/PLIST:1.107 pkgsrc/www/curl/PLIST:1.107.4.1
--- pkgsrc/www/curl/PLIST:1.107 Wed Nov 5 09:30:18 2025
+++ pkgsrc/www/curl/PLIST Thu May 7 22:32:38 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.107 2025/11/05 09:30:18 wiz Exp $
+@comment $NetBSD: PLIST,v 1.107.4.1 2026/05/07 22:32:38 maya Exp $
bin/curl
bin/curl-config
bin/wcurl
@@ -78,6 +78,7 @@ man/man3/CURLINFO_RTSP_CSEQ_RECV.3
man/man3/CURLINFO_RTSP_SERVER_CSEQ.3
man/man3/CURLINFO_RTSP_SESSION_ID.3
man/man3/CURLINFO_SCHEME.3
+man/man3/CURLINFO_SIZE_DELIVERED.3
man/man3/CURLINFO_SIZE_DOWNLOAD.3
man/man3/CURLINFO_SIZE_DOWNLOAD_T.3
man/man3/CURLINFO_SIZE_UPLOAD.3
@@ -116,6 +117,8 @@ man/man3/CURLMOPT_PIPELINING_SERVER_BL.3
man/man3/CURLMOPT_PIPELINING_SITE_BL.3
man/man3/CURLMOPT_PUSHDATA.3
man/man3/CURLMOPT_PUSHFUNCTION.3
+man/man3/CURLMOPT_QUICK_EXIT.3
+man/man3/CURLMOPT_RESOLVE_THREADS_MAX.3
man/man3/CURLMOPT_SOCKETDATA.3
man/man3/CURLMOPT_SOCKETFUNCTION.3
man/man3/CURLMOPT_TIMERDATA.3
Index: pkgsrc/www/curl/distinfo
diff -u pkgsrc/www/curl/distinfo:1.223 pkgsrc/www/curl/distinfo:1.223.2.1
--- pkgsrc/www/curl/distinfo:1.223 Wed Mar 11 07:08:39 2026
+++ pkgsrc/www/curl/distinfo Thu May 7 22:32:38 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.223 2026/03/11 07:08:39 wiz Exp $
+$NetBSD: distinfo,v 1.223.2.1 2026/05/07 22:32:38 maya Exp $
-BLAKE2s (curl-8.19.0.tar.xz) = 40cfa92582bb75ce916510e54539fad4d4aa783996626ce0368a835fe0a38f0c
-SHA512 (curl-8.19.0.tar.xz) = ee97faaf588b255428000599293c47a2f648af11d1a0b7b823db6aec151e2090f5c7b921745ddb2c3818d92b16e0a4c15d7a9b3d1ff45df1f35438504bd16574
-Size (curl-8.19.0.tar.xz) = 2787584 bytes
+BLAKE2s (curl-8.20.0.tar.xz) = 76a07a514760771d7fbde7a8337763cfd95859d9265a0712e25b41a8826773f8
+SHA512 (curl-8.20.0.tar.xz) = edfa5882aaeefcf2226fe03b19246151c0377c3656f9c8cc385bdaf34565e1354e762005b58780917a6d98039ae34085e4a4bcb44255c77e3b0e1d94090c010b
+Size (curl-8.20.0.tar.xz) = 2834456 bytes
Home |
Main Index |
Thread Index |
Old Index