Wednesday 10th September 2025
Fedora Project
Updated perl-MCE to 1.902 in F-43 and Rawhide:
Add support for Iterator:: classes
Merged PR#2 for perl-Unicode-UTF8 in Rawhide to use system Module::Install but skip ReadmeFromPod on RHEL
Local Packages
Updated curl to 8.16.0:
- build: Bump minimum required mingw-w64 to v3.0 (from v1.0)
curl: Add --follow
curl: Add --out-null
curl: Add --parallel-max-host to limit concurrent connections per host
curl: Make --retry-delay and --retry-max-time accept decimal seconds
hostip: Cache negative name resolves
- IP happy eyeballing: Keep attempts running
- mbedtls: Bump minimum version required to 3.2.0
multi: Add curl_multi_get_offt
multi: Add CURLMOPT_NETWORK_CHANGED to signal network changed
netrc: Use the NETRC environment variable (first) if set
- smtp: Allow suffix behind a mail address for RFC 3461
- tls: Make default TLS version be minimum 1.2
tool_getparam: Add support for '--longopt=value'
vquic: Drop msh3
websocket: Support CURLOPT_READFUNCTION
writeout: Add %time{}
_PROTOCOLS.md: Mention file:// is only for absolute paths
acinclude: --with-ca-fallback only works with OpenSSL
- alpn: Query filter
- ares: Destroy channel on shutdown
ares: Use 'ares_strerror()' to retrieve error messages
asyn-thrdd: Fix --disable-socketpair builds
asyn-thrdd: Fix Curl_async_pollset without socketpair
asyn-thrdd: Fix no 'HAVE_GETADDRINFO' builds
asyn-thrdd: Manage DEFERRED and locks better
autotools: Make curl-config executable
- aws-lc: Do not use large buffer
BINDINGS.md: Add LibQurl
bufq: Add integer overflow checks before chunk allocations
bufq: Removed "Useless Assignment"
bufq: Simplify condition
build: Allow libtests/clients to use libcurl dependencies directly
build: Disable 'TCP_NODELAY' for emscripten
build: Enable _GNU_SOURCE on GNU/Hurd
build: Extend GNU C guards to clang where applicable, fix fallouts
- build: Fix build errors/warnings in rare configurations
- build: Fix disable-verbose
- build: Fix mingw-w64 version guard for mingw32ce
build: If no perl, fix to use the pre-built hugehelp, if present
- build: Link to Apple frameworks required by static wolfSSL
build: Support LibreSSL native crypto lib with ngtcp2 1.15.0+
- build: Tidy up compiler definition for tests
cf-https-connect: Delete unused declaration
clang-tidy: Disable 'clang-analyzer-security.ArrayBound'
cmake: 'CURL_CA_FALLBACK' only works with OpenSSL
cmake: Capitalize 'Rustls' in the config summary
cmake: Defer building 'unitprotos.h' till a test target needs it
cmake: Define 'WIN32_LEAN_AND_MEAN' for examples
cmake: Drop redundant unity mode for 'curlinfo'
cmake: Enable '-Wall' for MSVC 1944
cmake: Fix 'ENABLE_UNIX_SOCKETS=OFF' with pre-fill enabled on unix
- cmake: Fix setting LTO properties on the wrong targets
- cmake: Fix to disable Schannel and SSPI for non-Windows targets
cmake: Fix to restrict 'SystemConfiguration' to macOS
cmake: Honour 'CMAKE_C_FLAGS' in test 1119 and 1167
- cmake: Improve error message for invalid HTTP/3 MultiSSL configs
- cmake: Keep websockets disabled if HTTP is disabled
cmake: Make 'runtests' targets build the curl tool
cmake: Make the ExternalProject test work
- cmake: Omit linking duplicate/unnecessary libs to tests and examples
- cmake: Re-add simple test target, and name it 'tests'
cmake: Set 'CURL_DIRSUFFIX' automatically in multi-config builds
CODE_STYLE: Sync with recent 'checksrc.pl' updates
config-win32.h: Do not use winsock2 'inet_ntop()'/'inet_pton()'
configure: If no perl, disable unity and shell completion, related tidy ups
configure: Tidy up internal names in ngtcp2 ossl detection logic
connectdata: Remove primary+secondary ip_quadruple
- connection: Terminate after goaway
contrithanks: Fix for BSD 'sed' tool
cookie: Don't treat the leading slash as trailing (CVE-2025-9086)
- cookie: Remove expired cookies before listing
curl-config: Remove X prefix use
curl/system.h: Fix for GCC 3.3.x and older
curl: Make the URL indexes 64 bit
curl: tool_read_cb fix of segfault
curl_addrinfo: Drop workaround for old-mingw
curl_easy_ssls_export: Make the example more clear
curl_fnmatch, servers: Drop local macros in favour of 'sizeof()'
curl_mime_data_cb.md: Mention what datasize is for
curl_ossl: Extend callback table for nghttp3 1.11.0
curl_setup.h: include 'stdint.h' earlier
CURLINFO_FILETIME*.md: Correct the examples
CURLOPT: Bump 'CURL_REDIR_*' macros to 'long'
CURLOPT: Bump 'CURL_SSLVERSION_*' macros to 'long'
CURLOPT: Bump 'CURLALTSVC_*' macros to 'long'
CURLOPT: Bump 'CURLFTP*' enums to 'long', drop casts
CURLOPT: Bump 'CURLHEADER_*' macros to 'long', drop casts
CURLOPT: Bump 'CURLPROTO_*' macros to 'long'
CURLOPT: Bump 'CURLPROXY_*' enums to 'long', drop casts
CURLOPT: Bump 'CURLWS_NOAUTOPONG', 'CURLWS_RAW_MODE' macros to 'long'
CURLOPT: Bump remaining macros to 'long'
CURLOPT: Drop redundant 'long' casts
CURLOPT: Replace '(long)' cast with 'L' suffix for 'CURLHSTS_*' macros
CURLOPT_HTTP_VERSION: Mention new default value
CURLOPT_SSL_CTX_*: Replace the base64 with XXXX
delta: Fix warnings, fix for non-GNU 'date' tool
DEPRECATE.md: Drop old OpenSSL versions
DEPRECATE.md: Drop support for c-ares versions before 1.16.0
DEPRECATE.md: Drop support for Windows XP/2003
DEPRECATE.md: Remove leftover "nothing"
DISTROS.md: Add Haiku
docs/cmdline-opts: The auth types are not mutually exclusive
docs: Add CURLOPT type change history, drop casts where present
- docs: Add major incident section to vuln disclosure policy
docs: Fix CONTRIBUTE.md link
docs: Fix name in curl_easy_ssls_export man page
docs: Fix typo (staring -> starting)
- docs: Point two broken links to archive.org
docs: Put '<>' within backticks in titles
- doh: Rename symbols to avoid collision with mingw-w64 headers
- easy handle: Check validity on external calls
examples: Drop long cast for 'CURLALTSVC_*'
examples: Make 'CURLPIPE_MULTIPLEX' fallback 'long'
- examples: Remove base64 encoded chunks from examples
examples: Remove href_extractor.c
ftp: Store dir components as start+len instead of memdup'ing
ftp: Use 'conn' instead of 'data->conn'
- gnutls: Fix building with older supported GnuTLS versions
- gnutls: Some small clean-ups
- hmac: Return error if init fails
- hostip: Do DNS cache pruning in milliseconds
HTTP3.md: Avoid 'configure' issue for ngtcp2 1.14.0+ compatibility
http: const up readonly H2_NON_FIELD
- http: Do the cookie list access under lock
http: Silence '-Warray-bounds' with gcc 13+
- idn: Reject conversions that end up as a zero length hostname
inet_pton, inet_ntop: Drop declarations when unused
lib1560: Fix memory leak when run without UTF-8 support
lib1560: Replace an 'int' with 'bool'
lib2700: Use 'testnum'
lib517: Use 'LL' 64-bit literals and re-enable a test case ('time_t')
lib: Drop 'UNUSED_PARAM' macro
libcurl: Reset rewind flag in curl_easy_reset()
libssh: Use sftp_aio instead of sftp_async for sftp_recv
libtests: Update format strings to avoid casts, drop some macros
libtests: Use 'FMT_SOCKET_T', drop more casts
managen: Reset text mode at end of table marker
- mbedtls: Check for feature macros instead of version
mdlinkcheck: Handle links with a leading slash properly
memanalyze: fIx warnings
- memory: Make function overrides work reliably in unity builds
- multi event: Remove only announced
- multi: Don't insert a node into the splay tree twice
multi: Fix assert in multi_getsock()
- multi: Fix bad splay management
- multi: Process pending, one by one
multi: Replace remaining EXPIRE_RUN_NOW
multissl: Initialize when requesting a random number
ngtcp2: Extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0
ngtcp2: Handshake timeout should be equal to --connect-timeout
ngtcp2: Use custom mem funcs
openldap: Fix '-Wtentative-definition-compat'
openssl: Add and use 'HAVE_BORINGSSL_LIKE' internal macro
openssl: Add and use 'HAVE_OPENSSL3' internal macro
openssl: Assume 'OPENSSL_VERSION_NUMBER'
- openssl: Auto-pause on verify callback retry
openssl: Check SSL_write() length on retries
openssl: Clear errors after a failed 'd2i_X509()'
- openssl: Drop more legacy cruft
openssl: Drop redundant 'HAVE_OPENSSL_VERSION' macro
- openssl: Drop redundant version check
openssl: Drop single-use interim macro 'USE_OPENSSL_SRP'
openssl: Enable 'HAVE_KEYLOG_CALLBACK' for AWS-LC
openssl: Merge two #if blocks
- openssl: Output unescaped utf8 x509 issuer/subject DNs
- openssl: Remove legacy cruft, document macro guards
- openssl: Save and restore OpenSSL error queue in two functions
- openssl: Some small clean-ups
openssl: Split cert_stuff into smaller sub functions
- openssl: Sync an AWS-LC guard with BoringSSL
openssl: Use 'RSA_flags()' again with BoringSSL
parallel-max: Bump the max value to 65535
parsedate: Make Curl_getdate_capped able to return epoch
processhelp.pm: Fix to use the correct null device on Windows
processhelp.pm: Use 'Win32::Process*' perl modules if available
projects: Drop unused logic from 'generate.bat'
projects: Fix Windows project 'clean' function
pytest: Add SOCKS tests and scoring
pytest: Fix test_17_09_ssl_min_max for BoringSSL
pytest: Increase server KeepAliveTimeout
pytest: Relax error check on test_07_22
- resolving: DNS error tracing
runtests: Assume 'Time::HiRes', drop Perl Win32 dependency
- runtests: Remove warning message
runtests: Replace '--ci' with '--buildinfo', show OS/Perl version again
- runtests: Show still running tests when nothing has happened for a while
- schannel: Add an error message for client cert not found
schannel: Assume 'CERT_CHAIN_REVOCATION_CHECK_CHAIN'
- schannel: Drop fallbacks for 4 macros
schannel: Drop fallbacks for unused 'BCRYPT_*' macros
- schannel: Drop old-mingw special case
- schannel: Fix recent update for mingw32ce
- schannel: Fix renegotiation
- schannel: Improve handshake procedure
- schannel: Not supported with UWP, drop redundant code
schannel: Use if(result) like the code style says
- scripts: Enable strict warnings in Perl where missing, fix fallouts
- scripts: Fix two Perl uninitialized value warnings
sendf: Getting less data than "max allowed" is okay
servers: Convert two macros to scoped static const strings
setopt: Refactor out the booleans from setopt_long to setopt_bool
setopt: Split out cookielist() and cookiefile()
socks: do_SOCKS5: Fix invalid buffer content on short send
socks_sspi: Simplify, clean up Curl_SOCKS5_gssapi_negotiate
spacecheck.pl: When detecting unicode, mention line number
spacecheck: Warn for 3+ empty lines in a row, fix fallouts
- spelling: File system
test1148: Drop redundant 'LC_NUMBER=' env setting
test1557: Pass 'long' type to 'multi_setopt()'
test1560: Set locale/codeset with 'LC_ALL' (was: 'LANG'), test in CI
test1560: Skip some URLs if UTF-8 is not supported
test1: Raise alloc limits
test428: Re-enable for Windows
test436: Fix running on Windows with '_curlrc' present
test: Add 'cygwin' feature and use it (test 1056, 1517)
tests/ech_tests.sh: Indent, if/for style, inline ifs
- tests: constify command-line arguments
- tests: Delete unused commands
tests: Drop unused 'BLANK' envs, unset 'CURL_NOT_SET'
tests: Drop unused 'CURL_FORCEHOST' envs
tests: Fix perl warnings in http2-server, http3-server
tests: Fix prechecks to call the bundle libtest tool
tests: Fix UTF-8 detection, per-test 'LC_*' settings, CI coverage
tests: Merge clients into libtests, drop duplicate code
tests: Remove the QUIT filters
tests: Set 'CURL_ENTROPY' per test, not globally
- tests: Unset some envs instead of blanking them
- threaded-resolver: Fix shutdown
tidy-up: 'Curl_thread_create()' callback return type
- tidy-up: Move literal to the right side of comparisons
tidy-up: Prefer 'ifdef'/'ifndef' for single checks
tls: CURLINFO_TLS_SSL_PTR testing
TODO: Remove session export item
TODO: Remove the expand ~ idea
tool_cb_wrt: Stop alloc/free for every chunk windows console output
tool_filetime: Accept setting negative filetime
tool_getparam: Let --trace-config override -v
tool_getparam: Warn on more unicode prefixes
tool_operate: Avoid superfluous strdup'ing output
tool_operate: Use stricter curl_multi_setopt() arguments
tool_operate: Use the correct config pointer
tool_paramhlp: Fix secs2ms()
tool_parsecfg: Use dynbuf for quoted arguments
tool_urlglob: Add integer overflow protection
tool_urlglob: Polish, clean-ups, improvements
typecheck-gcc: Add type checks for curl_multi_setopt()
unit-tests: Build the unitprotos.h from here
unit2604: Avoid 'UNCONST()'
URL-SYNTAX.md: Drop link to codepoints.net to pass linkcheck
- urlapi: Allow more path characters "raw" when asked to URL encode
urldata: Reduce two long struct fields to unsigned short
- urlglob: Only accept 255 globs
vquic-tls: Fix SSL backend type for QUIC connections using gnutls
vquic: Replace assert
vquic: Use curl_getenv
vtls: Set seen http version on successful ALPN
websocket example: Cast print values to unsigned int
- websocket: Handling of PONG frames
- websocket: Improve handling of 0-len frames
- websocket: Reset upload_done when sending data
windows: Assume 'ADDRESS_FAMILY', drop feature checks
windows: Document toolchain support for 'CERT_NAME_SEARCH_ALL_NAMES_FLAG'
- windows: Document toolchain support for some macros
windows: Drop 'CRYPT_E_*' macro fallbacks, limit one to mingw32ce
- windows: Drop two interim, single-use macros
windows: Drop unused 'curlx/version_win32.h' includes
windows: Fix 'if_nametoindex()' detection with autotools, improve with cmake
windows: include 'wincrypt.h' before 'iphlpapi.h' for mingw-w64 <6
- windows: Target version macro tidy-ups
wolfssl: Rename ML-KEM hybrids to match IETF draft
write-out.md: header_json is not included the json object
ws: Avoid NULL pointer deref in curl_ws_recv
ws: Get a new mask for each new outgoing frame (CVE-2025-10148)
Updated perl-MCE to 1.902 as per the Fedora version