Package: curl / 8.17.0-2

Metadata

Package  Version   Patches format
curl     8.17.0-2  3.0 (quilt)

Patch series

Patch File delta Description
ZZZgnutls build.patch

configure.ac | 12 11 + 1 - 0 !
docs/examples/Makefile.am | 2 1 + 1 - 0 !
lib/Makefile.am | 63 62 + 1 - 0 !
src/Makefile.am | 2 1 + 1 - 0 !
tests/libtest/Makefile.am | 2 1 + 1 - 0 !
tests/tunit/Makefile.am | 4 2 + 2 - 0 !
6 files changed, 78 insertions(+), 7 deletions(-)

 build with gnutls.

build Divide mit krb5 gssapi link flags between LDFLAGS a.patch

configure.ac | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 build: divide mit-krb5-gssapi link flags between LDFLAGS and LIBS

From the comments nearby about not having --libs-only-L, it looks as
though the intention was to apply a split like this to all dependency
libraries where possible, and the only reason it was not done for
Kerberos is that krb5-config doesn't have that feature and pkg-config
was originally not supported here. For example, zlib, libssh and librtmp
all have their flags from pkg-config split in this way.

Now that pkg-config is supported here, we can do the intended split.

Signed-off-by: Simon McVittie <smcv@collabora.com>

11_omit directories from config.patch

curl-config.in | 16 3 + 13 - 0 !
1 file changed, 3 insertions(+), 13 deletions(-)

 omit directories embedding arch info from curl-config

In order to (partially) multi-arch-ify curl-config, remove all
mention of @includedir@ and @libdir@ from the script.  On Debian, the actual
header and library directories are architecture-dependent, but will always be
in the C compiler's default search path, so -I and -L options are not
necessary (and may be harmful in multi-arch environments.)

wcurl CVE 2025 11563.patch

scripts/wcurl | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [PATCH] wcurl: really fix CVE-2025-11563

When we pass a string to is_safe_percent_encode, it always begins with
"%".  But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so
nothing can be matched.

Also update the test suite to fix the false positive.

Signed-off-by: Xi Ruoyao <xry111@xry111.site>

Backported-by: Samuel Henrique <samueloph@debian.org>
 * Modify wcurl patch to apply on curl sources by changing the location of the
   wcurl script from wcurl to scripts/wcurl.
 * Drop changes to wcurl's tests as they are not in the curl sources.