c-ares
- Update to version 1.19.1
  Security:
  * CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
    (bsc#1211604)
  * CVE-2023-31147 Moderate. Insufficient randomness in generation
    of DNS query IDs (bsc#1211605)
  * CVE-2023-31130. Moderate. Buffer Underwrite in
    ares_inet_net_pton() (bsc#1211606)
  * CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
    during cross compilation (bsc#1211607)
  Bug fixes:
  * Fix uninitialized memory warning in test
  * ares_getaddrinfo() should allow a port of 0
  * Fix memory leak in ares_send() on error
  * Fix comment style in ares_data.h
  * Fix typo in ares_init_options.3
  * Sync ax_pthread.m4 with upstream
  * Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support
containerd
- unversion to golang requires to always use the current default go. (bsc#1210298)
cups
- cups-2.2.7-CVE-2023-32324.patch fixes CVE-2023-32324
  "/Heap buffer overflow in cupsd"/
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
  bsc#1211643
curl
  * [bsc#1211230, CVE-2023-28319] use-after-free in SSH sha256
    fingerprint check.
  - Add curl-CVE-2023-28319.patch
  * [bsc#1211231, CVE-2023-28320] siglongjmp race condition
  - Add curl-CVE-2023-28320.patch
  * [bsc#1211232, CVE-2023-28321] IDN wildcard matching
  - Add curl-CVE-2023-28321.patch
  * [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion
  - Add curl-CVE-2023-28322.patch
- Update to 8.0.1: [jsc#PED-2580]
  * Rebase curl-secure-getenv.patch
  * Remove patches fixed in the update:
  - curl-CVE-2022-22576.patch curl-CVE-2022-27776.patch
  - curl-CVE-2022-27781.patch curl-CVE-2022-27782.patch
  - curl-CVE-2022-32206.patch curl-CVE-2022-32208.patch
  - curl-CVE-2022-32221.patch curl-CVE-2022-35252.patch
  - curl-CVE-2022-43552.patch curl-CVE-2023-23916.patch
  - curl-CVE-2022-27774.patch curl-CVE-2022-27774-2.patch
  - curl-CVE-2022-27774-disabletest-1568.patch
  - curl-CVE-2022-27775.patch curl-CVE-2022-32205.patch
  - curl-CVE-2022-32207.patch curl-CVE-2022-42916.patch
  - curl-CVE-2022-43551.patch curl-CVE-2023-23914-23915.patch
  - curl-CVE-2023-27533.patch curl-CVE-2023-27533-no-sscanf.patch
  - curl-CVE-2023-27534.patch curl-CVE-2023-27535.patch
  - curl-CVE-2023-27536.patch curl-CVE-2023-27538.patch
- Update to 8.0.1:
  * Bugfixes:
  - fix crash in curl_easy_cleanup
- Update to 8.0.0:
  * Security fixes:
  - TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
  - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
  - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
  - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
  - HSTS double-free [bsc#1209213, CVE-2023-27537]
  - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
  * Changes:
  - build: remove support for curl_off_t < 8 bytes
  * Bugfixes:
  - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
  - BINDINGS: add Fortran binding
  - cf-socket: use port 80 when resolving name for local bind
  - cookie: don't load cookies again when flushing
  - curl_path: create the new path with dynbuf
  - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
  - DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
  - ftp: active mode with SSL, add the filter
  - hostip: avoid sscanf and extra buffer copies
  - http2: fix for http2-prior-knowledge when reusing connections
  - http2: fix handling of RST and GOAWAY to recognize partial transfers
  - http: don't send 100-continue for short PUT requests
  - http: fix unix domain socket use in https connects
  - libssh: use dynbuf instead of realloc
  - ngtcp2-gnutls.yml: bump to gnutls 3.8.0
  - sectransp: make read_cert() use a dynbuf when loading
  - telnet: only accept option arguments in ascii
  - telnet: parse telnet options without sscanf
  - url: fix the SSH connection reuse check
  - url: only reuse connections with same GSS delegation
  - urlapi: '%' is illegal in host names
  - ws: keep the socket non-blocking
  * Rebase libcurl-ocloexec.patch
- Security fixes:
- Update to 7.88.1:
  * Bugfix release
- Drop upstreamed patch:
  * curl-fix-uninitialized-value-in-tests.patch
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
  [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
  * Security fixes:
  - CVE-2023-23914: HSTS ignored on multiple requests
  - CVE-2023-23915: HSTS amnesia with --parallel
  - CVE-2023-23916: HTTP multi-header compression denial of service
  * Changes:
  - curl.h: add CURL_HTTP_VERSION_3ONLY
  - share: add sharing of HSTS cache among handles
  - src: add --http3-only
  - tool_operate: share HSTS between handles
  - urlapi: add CURLU_PUNYCODE
  - writeout: add %{certs} and %{num_certs}
  * Bugfixes:
  - cf-socket: keep sockaddr local in the socket filters
  - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
  - curl.h: allow up to 10M buffer size
  - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
  - curl/websockets.h: extend the websocket frame struct
  - curl: output warning at --verbose output for debug-enabled version
  - curl_free.3: fix return type of `curl_free`
  - curl_log: for failf/infof and debug logging implementations
  - dict: URL decode the entire path always
  - docs/DEPRECATE.md: deprecate gskit
  - easyoptions: fix header printing in generation script
  - haxproxy: send before TLS handhshake
  - hsts.d: explain hsts more
  - hsts: handle adding the same host name again
  - HTTP/[23]: continue upload when state.drain is set
  - http: decode transfer encoding first
  - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
  - http_proxy: do not assign data->req.p.http use local copy
  - lib: connect/h2/h3 refactor
  - libssh2: try sha2 algos for hostkey methods
  - md4: fix build with GnuTLS + OpenSSL v1
  - ngtcp2: replace removed define and stop using removed function
  - noproxy: support for space-separated names is deprecated
  - nss: implement data_pending method
  - openldap: fix missing sasl symbols at build in specific configs
  - openssl: adapt to boringssl's error code type
  - openssl: don't ignore CA paths when using Windows CA store (redux)
  - openssl: don't log raw record headers
  - openssl: make the BIO_METHOD a local variable in the connection filter
  - openssl: only use CA_BLOB if verifying peer
  - openssl: remove attached easy handles from SSL instances
  - openssl: store the CA after first send (ClientHello)
  - setopt: use >, not >=, when checking if uarg is larger than uint-max
  - smb: return error on upload without size
  - socketpair: allow localhost MITM sniffers
  - strdup: name it Curl_strdup
  - tool_getparam: fix hiding of command line secrets
  - tool_operate: fix error codes on bad URL & OOM
  - tool_operate: repair --rate
  - transfer: break the read loop when RECV is cleared
  - typecheck: accept expressions for option/info parameters
  - urlapi: avoid Curl_dyn_addf() for hex outputs
  - urlapi: skip path checks if path is just "//"/
  - urlapi: skip the extra dedotdot alloc if no dot in path
  - urldata: cease storing TLS auth type
  - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
  - urldata: make set.http200aliases conditional on HTTP being present
  - urldata: move the cookefilelist to the 'set' struct
  - urldata: remove unused struct fields, made more conditional
  - vquic: stabilization and improvements
  - vtls: fix hostname handling in filters
  - vtls: manage current easy handle in nested cfilter calls
  - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
  * Rebase libcurl-ocloexec.patch
  * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
  - runtests: fix "/uninitialized value $port"/
  - Add curl-fix-uninitialized-value-in-tests.patch
- Update to 7.87.0:
  * Security fixes:
  - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
  - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
  * Changes
  - curl: add --url-query
  - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
  - lib: add CURL_WRITEFUNC_ERROR to signal write callback error
  - openssl: reduce CA certificate bundle reparsing by caching
  - version: add a feature names array to curl_version_info_data
  * Bugfixes
  - altsvc: fix rejection of negative port numbers
  - aws_sigv4: consult x-%s-content-sha256 for payload hash
  - aws_sigv4: fix typos in aws_sigv4.c
  - base64: better alloc size
  - base64: encode without using snprintf
  - base64: faster base64 decoding
  - build: assume assert.h is always available
  - build: assume errno.h is always available
  - c-hyper: CONNECT respones are not server responses
  - c-hyper: fix multi-request mechanism
  - CI: Change FreeBSD image from 12.3 to 12.4
  - CI: LGTM.com will be shut down in December 2022
  - ci: Remove zuul fuzzing job as it's superseded by CIFuzz
  - cmake: check for cross-compile, not for toolchain
  - CMake: fix build with `CURL_USE_GSSAPI`
  - cmake: really enable warnings with clang
  - cmake: set the soname on the shared library
  - cmdline-opts/gen.pl: fix the linkifier
  - cmdline-opts/page-footer: remove long option nroff formatting
  - config-mac: define HAVE_SYS_IOCTL_H
  - config-mac: fix typo: size_T -> size_t
  - config-mac: remove HAVE_SYS_SELECT_H
  - config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
  - configure: require fork for NTLM-WB
  - contributors.sh: actually use $CURLWWW instead of just setting it
  - cookie: compare cookie prefixes case insensitively
  - cookie: expire cookies at once when max-age is negative
  - cookie: open cookie jar as a binary file
  - curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
  - curl-rustls.m4: on macOS, rustls also needs the Security framework
  - curl.h: include <sys/select.h> on SerenityOS
  - curl.h: name all public function parameters
  - curl.h: reword comment to not use deprecated option
  - curl: override the numeric locale and set "/C"/ by force
  - curl: timeout in the read callback
  - curl_endian: remove Curl_write64_le from header
  - curl_get_line: allow last line without newline char
  - curl_path: do not add '/' if homedir ends with one
  - curl_url_get.3: remove spurious backtick
  - curl_url_set.3: document CURLU_DISALLOW_USER
  - curl_url_set.3: fix typo
  - CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
  - CURLOPT_COOKIEFILE.3: advice => advise
  - CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
  - CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "/raw"/
  - CURLOPT_POST.3: Explain setting to 0 changes request type
  - docs/curl_ws_send: Fixed typo in websocket docs
  - docs/EARLY-RELEASE.md: how to determine an early release
  - docs/examples: spell correction ('Retrieve')
  - docs/INSTALL.md: expand on static builds
  - docs/WEBSOCKET.md: explain the URL use
  - docs: add missing parameters for --retry flag
  - docs: add more "/SEE ALSO"/ links to CA related pages
  - docs: explain the noproxy CIDR notation support
  - docs: extend the dump-header documentation
  - docs: remove performance note in CURLOPT_SSL_VERIFYPEER
  - examples/10-at-a-time: fix possible skipped final transfers
  - examples: update descriptions
  - ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
  - gen.pl: do not generate CURLHELP bitmask lines > 79 characters
  - GHA: clarify workflows permissions, set least possible privilege
  - GHA: NSS use clang instead of clang-9
  - gnutls: use common gnutls init and verify code for ngtcp2
  - headers: add endif comments
  - HTTP-COOKIES.md: mention that http://localhost is a secure context
  - HTTP-COOKIES.md: update the 6265bis link to draft-11
  - http: do not send PROXY more than once
  - http: fix the ::1 comparison for IPv6 localhost for cookies
  - http: set 'this_is_a_follow' in the Location: logic
  - http: use the IDN decoded name in HSTS checks
  - hyper: classify headers as CONNECT and 1XX
  - hyper: fix handling of hyper_task's when reusing the same address
  - idn: remove Curl_win32_ascii_to_idn
  - INSTALL: update operating systems and CPU archs
  - KNOWN_BUGS: remove eight entries
  - lib1560: add some basic IDN host name tests
  - lib: connection filters (cfilter) addition to curl:
  - lib: feature deprecation warnings in gcc >= 4.3
  - lib: fix some type mismatches and remove unneeded typecasts
  - lib: parse numbers with fixed known base 10
  - lib: remove bad set.opt_no_body assignments
  - lib: rewind BEFORE request instead of AFTER previous
  - lib: sync guard for Curl_getaddrinfo_ex() definition and use
  - lib: use size_t or int etc instead of longs
  - libcurl-errors.3: remove duplicate word
  - libssh2: return error when ssh_hostkeyfunc returns error
  - limit-rate.d: see also --rate
  - log2changes.pl: wrap long lines at 80 columns
  - Makefile.mk: address minor issues
  - Makefile.mk: improve a GNU Make hack
  - Makefile.mk: portable Makefile.m32
  - maketgz: set the right version in lib/libcurl.plist
  - mime: relax easy/mime structures binding
  - misc: Fix incorrect spelling
  - misc: remove duplicated include files
  - misc: typo and grammar fixes
  - negtelnetserver.py: have it call its close() method
  - netrc.d: provide mutext info
  - netware: remove leftover traces
  - noproxy: also match with adjacent comma
  - noproxy: guard against empty hostnames in noproxy check
  - noproxy: tailmatch like in 7.85.0 and earlier
  - nroff-scan.pl: detect double highlights
  - ntlm: improve comment for encrypt_des
  - ntlm: silence ubsan warning about copying from null target_info pointer
  - openssl/mbedtls: use %d for outputing port with failf (int)
  - openssl: prefix errors with '[lib]/[version]: '
  - os400: use platform socklen_t in Curl_getnameinfo_a
  - page-header: grammar improvement (display transfer rate)
  - proxy: refactor haproxy protocol handling as connection filter
  - README.md: remove badges and xmas-tree garnish
  - rtsp: fix RTSP auth
  - runtests: --no-debuginfod now disables DEBUGINFOD_URLS
  - runtests: do CRLF replacements per section only
  - scripts/checksrc.pl: detect duplicated include files
  - sendf: change Curl_read_plain to wrap Curl_recv_plain
  - sendf: remove unnecessary if condition
  - setup: do not require __MRC__ defined for Mac OS 9 builds
  - smb/telnet: do not free the protocol struct in *_done()
  - socks: fix username max size is 255 (0xFF)
  - spellcheck.words: remove 'github' as an accepted word
  - ssl-reqd.d: clarify that this is for upgrading connections only
  - strcase: use curl_str(n)equal for case insensitive matches
  - styled-output.d: this option does not work on Windows
  - system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
  - system.h: support 64-bit curl_off_t for NonStop 32-bit
  - test1421: fix typo
  - test3026: reduce runtime in legacy mingw builds
  - tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
  - tests: add authorityInfoAccess to generated certs
  - tests: add HTTP/3 test case, custom location for proper nghttpx
  - tls: backends use connection filters for IO, enabling HTTPS-proxy
  - tool: determine the correct fopen option for -D
  - tool_cfgable: free the ssl_ec_curves on exit
  - tool_cfgable: make socks5_gssapi_nec a boolean
  - tool_formparse: avoid clobbering on function params
  - tool_getparam: make --no-get work as the opposite of --get
  - tool_operate: provide better errmsg for -G with bad URL
  - tool_operate: when aborting, make sure there is a non-NULL error buffer
  - tool_paramhlp: free the proto strings on exit
  - url: move back the IDN conversion of proxy names
  - urlapi: reject more bad letters from the host name: &+()
  - urldata: change port num storage to int and unsigned short
  - vms: remove SIZEOF_SHORT
  - vtls: fix build without proxy support
  - vtls: localization of state data in filters
  - WEBSOCKET.md: fix broken link
  - Websocket: fixes for partial frames and buffer updates
  - websockets: fix handling of partial frames
  - windows: fail early with a missing windres in autotools
  - windows: fix linking .rc to shared curl with autotools
  - winidn: drop WANT_IDN_PROTOTYPES
  - ws: if no connection is around, return error
  - ws: return CURLE_NOT_BUILT_IN when websockets not built in
  - x509asn1: avoid freeing unallocated pointers
- Add 1.50.0 as the minimum libnghttp2 build requirement version as
  a bandaid. Curl's 7.86.0 release introduces the use of
  nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
  introduced by nghttp2 1.50.0 release, without introducing a check
  for the function/right version in their build scripts. This will
  make Zypper/cURL unusable in some corner cases where users
  installing something that requires libcurl4 before doing full
  system upgrade, thus updating the cURL stack, but not
  libnghttp2's. Background: boo#1204983, Factory mailing list
  threadd:
  "/? broken dependency in curl and/or *zyp* ?"/, and forums thread:
  Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.
- Update to 7.86.0:
  * Security fixes:
  - POST following PUT confusion [bsc#1204383, CVE-2022-32221]
  - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
  - HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
  - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
  * Changes:
  - NPN: remove support for and use of
  - Websockets: initial support
  * Bugfixes:
  - altsvc: reject bad port numbers
  - autotools: reduce brute-force when detecting recv/send arg list
  - aws_sigv4: fix header computation
  - cli tool: do not use disabled protocols
  - connect: change verbose IPv6 address:port to [address]:port
  - connect: fix builds without AF_INET6
  - connect: fix Curl_updateconninfo for TRNSPRT_UNIX
  - connect: fix the wrong error message on connect failures
  - content_encoding: use writer struct subclasses for different encodings
  - cookie: reject cookie names or content with TAB characters
  - curl/add_file_name_to_url: use the libcurl URL parser
  - curl/get_url_file_name: use libcurl URL parser
  - curl: warn for --ssl use, considered insecure
  - docs/libcurl/symbols-in-versions: add several missing symbols
  - ftp: ignore a 550 response to MDTM
  - functypes: provide the recv and send arg and return types
  - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
  - header: define public API functions as extern c
  - headers: reset the requests counter at transfer start
  - hostip: guard PF_INET6 use
  - hostip: lazily wait to figure out if IPv6 works until needed
  - http, vauth: always provide Curl_allow_auth_to_host() functionality
  - http2: make nghttp2 less picky about field whitespace
  - http: try parsing Retry-After: as a number first
  - http_proxy: restore the protocol pointer on error
  - lib: add missing limits.h includes
  - lib: prepare the incoming of additional protocols
  - lib: sanitize conditional exclusion around MIME
  - libssh: if sftp_init fails, don't get the sftp error code
  - mprintf: reject two kinds of precision for the same argument
  - mqtt: return error for too long topic
  - netrc: compare user name case sensitively
  - netrc: replace fgets with Curl_get_line
  - netrc: use the URL-decoded user
  - ngtcp2: fix build errors due to changes in ngtcp2 library
  - noproxy: support proxies specified using cidr notation
  - openssl: make certinfo available for QUIC
  - resolve: make forced IPv4 resolve only use A queries
  - schannel: ban server ALPN change during recv renegotiation
  - schannel: don't reset recv/send function pointers on renegotiation
  - schannel: when importing PFX, disable key persistence
  - setopt: use the handler table for protocol name to number conversions
  - setopt: when POST is set, reset the 'upload' field
  - single_transfer: use the libcurl URL parser when appending query parts
  - smb: replace CURL_WIN32 with WIN32
  - tool: avoid generating ambiguous escaped characters in --libcurl
  - tool_main: exit at once if out of file descriptors
  - tool_operate: more transfer cleanup after parallel transfer fail
  - tool_operate: prevent over-queuing in parallel mode
  - tool_paramhelp: asserts verify maximum sizes for string loading
  - tool_xattr: save the original URL, not the final redirected one
  - url: a zero-length userinfo part in the URL is still a (blank) user
  - url: allow non-HTTPS HSTS-matching for debug builds
  - url: rename function due to name-clash in Watt-32
  - url: use IDN decoded names for HSTS checks
  - urlapi: detect scheme better when not guessing
  - urlapi: fix parsing URL without slash with CURLU_URLENCODE
  - urlapi: reject more bad characters from the host name field
  * Remove patch upstream:
  - connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
- Update connection info when using UNIX socket as endpoint
  connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
- Change the deprecated configure option --enable-hidden-symbols
  to the new --enable-symbol-hiding.
- Update to 7.85.0:
  * Security fixes: [bsc#1202593, CVE-2022-35252]
  - control code in cookie denial of service
  * Changes:
  - quic: add support via wolfSSL
  - schannel: Add TLS 1.3 support
  - setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
  * Bugfixes:
  - asyn-thread: fix socket leak on OOM
  - asyn-thread: make getaddrinfo_complete return CURLcode
  - base64: base64url encoding has no padding
  - configure: fix broken m4 syntax in TLS options
  - configure: if asked to use TLS, fail if no TLS lib was detected
  - connect: add quic connection information
  - connect: set socktype/protocol correctly
  - cookie: reject cookies with "/control bytes"/
  - cookie: treat a blank domain in Set-Cookie: as non-existing
  - curl: output warning when a cookie is dropped due to size
  - Curl_close: call Curl_resolver_cancel to avoid memory-leak
  - digest: fix memory leak, fix not quoted 'opaque'
  - digest: fix missing increment of 'nc' value for auth-int
  - digest: pass over leading spaces in qop values
  - digest: reject broken header with session protocol but without qop
  - doh: use https protocol by default
  - easy_lock.h: include sched.h if available to fix build
  - easy_lock.h: use __asm__ instead of asm to fix build
  - easy_lock: switch to using atomic_int instead of bool
  - ftp: use a correct expire ID for timer expiry
  - h2h3: fix overriding the 'TE: Trailers' header
  - hostip: resolve *.localhost to 127.0.0.1/::1
  - HTTP3.md: update to msh3 v0.4.0
  - hyper: use wakers for curl pause/resume
  - lib3026: reduce the number of threads to 100
  - libssh2: make atime/mtime date overflow return error
  - libssh2: provide symlink name in SFTP dir listing
  - multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
  - multi: use larger dns hash table for multi interface
  - multi_wait: fix skipping to populate revents for extra_fds
  - netrc: Use the password from lines without login
  - ngtcp2: Fix build error due to change in nghttp3 prototypes
  - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
  - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
  - openssl: add 'CURL_BORINGSSL_VERSION' to identify BoringSSL
  - openssl: add cert path in error message
  - openssl: add details to "/unable to set client certificate"/ error
  - openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
  - select: do not return fatal error on EINTR from poll()
  - sendf: fix paused header writes since after the header API
  - sendf: skip storing HTTP headers if HTTP disabled
  - url: really use the user provided in the url when netrc entry exists
  - url: reject URLs with hostnames longer than 65535 bytes
  - url: treat missing usernames in netrc as empty
  - urldata: reduce size of several struct fields
  - vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
  * Remove tests-for-32bit.patch fixed in the update
  * Rebase libcurl-ocloexec.patch
- add tests-for-32bit.patch to fix testsuite on 32bit platforms
- Update to 7.84.0:
  * Security fixes:
  - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
  - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
  - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
  - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
  * Changes:
  - curl: add --rate to set max request rate per time unit
  - curl: deprecate --random-file and --egd-file
  - curl_version_info: add CURL_VERSION_THREADSAFE
  - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
  - lib: make curl_global_init() threadsafe when possible
  - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
  - opts: deprecate RANDOM_FILE and EGDSOCKET
  - socks: support unix sockets for socks proxy
  * Bugfixes:
  - aws-sigv4: fix potentional NULL pointer arithmetic
  - bindlocal: don't use a random port if port number would wrap
  - c-hyper: mark status line as status for Curl_client_write()
  - ci: avoid `cmake -Hpath`
  - CI: bump FreeBSD 13.0 to 13.1
  - ci: update github actions
  - cmake: add libpsl support
  - cmake: do not add libcurl.rc to the static libcurl library
  - cmake: enable curl.rc for all Windows targets
  - cmake: fix detecting libidn2
  - cmake: support adding a suffix to the OS value
  - configure: skip libidn2 detection when winidn is used
  - configure: use the SED value to invoke sed
  - configure: warn about rustls being experimental
  - content_encoding: return error on too many compression steps
  - cookie: address secure domain overlay
  - cookie: apply limits
  - copyright.pl: parse and use .reuse/dep5 for skips
  - copyright: make repository REUSE compliant
  - curl.1: add a few see also --tls-max
  - curl.1: mention exit code zero too
  - curl: re-enable --no-remote-name
  - curl_easy_pause.3: remove explanation of progress function
  - curl_getdate.3: document that some illegal dates pass through
  - Curl_parsenetrc: don't access local pwbuf outside of scope
  - curl_url_set.3: clarify by default using known schemes only
  - CURLOPT_ALTSVC.3: document the file format
  - CURLOPT_FILETIME.3: fix the protocols this works with
  - CURLOPT_HTTPHEADER.3: improve comment in example
  - CURLOPT_NETRC.3: document the .netrc file format
  - CURLOPT_PORT.3: We discourage using this option
  - CURLOPT_RANGE.3: remove ranged upload advice
  - digest: added detection of more syntax error in server headers
  - digest: tolerate missing "/realm"/
  - digest: unquote realm and nonce before processing
  - DISABLED: disable 1021 for hyper again
  - docs/cmdline-opts: add copyright and license identifier to each file
  - docs/CONTRIBUTE.md: document the 'needs-votes' concept
  - docs: clarify data replacement policy for MIME API
  - doh: remove UNITTEST macro definition
  - examples/crawler.c: use the curl license
  - examples: remove fopen.c and rtsp.c
  - FAQ: Clarify Windows double quote usage
  - fopen: add Curl_fopen() for better overwriting of files
  - ftp: restore protocol state after http proxy CONNECT
  - ftp: when failing to do a secure GSSAPI login, fail hard
  - GHA/hyper: enable debug in the build
  - gssapi: improve handling of errors from gss_display_status
  - gssapi: initialize gss_buffer_desc strings
  - headers api: remove EXPERIMENTAL tag
  - http2: always debug print stream id in decimal with %u
  - http2: reject overly many push-promise headers
  - http: restore header folding behavior
  - hyper: use 'alt-used'
  - krb5: return error properly on decode errors
  - lib: make more protocol specific struct fields #ifdefed
  - libcurl-security.3: add "/Secrets in memory"/
  - libcurl-security.3: document CRLF header injection
  - libssh: skip the fake-close when libssh does the right thing
  - links: update dead links to the curl-wiki
  - log2changes: do not indent empty lines [ci skip]
  - macos9: remove partial support
  - Makefile.am: fix portability issues
  - Makefile.m32: delete obsolete options, improve -On [ci skip]
  - Makefile.m32: delete two obsolete OpenSSL options [ci skip]
  - Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
  - max-time.d: clarify max-time sets max transfer time
  - mprintf: ignore clang non-literal format string
  - netrc: check %USERPROFILE% as well on Windows
  - netrc: support quoted strings
  - ngtcp2: allow curl to send larger UDP datagrams
  - ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
  - ngtcp2: enable Linux GSO
  - ngtcp2: extend QUIC transport parameters buffer
  - ngtcp2: fix alert_read_func return value
  - ngtcp2: fix typo in preprocessor condition
  - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
  - ngtcp2: send appropriate connection close error code
  - ngtcp2: support boringssl crypto backend
  - ngtcp2: use helper funcs to simplify TLS handshake integration
  - ntlm: provide a fixed fake host name
  - projects: fix third-party SSL library build paths for Visual Studio
  - quic: add Curl_quic_idle
  - quiche: support ca-fallback
  - rand: stop detecting /dev/urandom in cross-builds
  - remote-name.d: mention --output-dir
  - runtests.pl: add the --repeat parameter to the --help output
  - runtests: fix skipping tests not done event-based
  - runtests: skip starting the ssh server if user name is lacking
  - scripts/copyright.pl: fix the exclusion to not ignore man pages
  - sectransp: check for a function defined when __BLOCKS__ is undefined
  - select: return error from "/lethal"/ poll/select errors
  - server/sws: support spaces in the HTTP request path
  - speed-limit/time.d: mention these affect transfers in either direction
  - strcase: some optimisations
  - test 2081: add a valid reply for the second request
  - test 675: add missing CR so the test passes when run through Privoxy
  - test414: add the '--resolve' keyword
  - test681: verify --no-remote-name
  - tests 266, 116 and 1540: add a small write delay
  - tests/data/test1501: kill ftp server after slow LIST response
  - tests/getpart: fix getpartattr to work with "/data"/ and "/data2"/
  - tests/server/sws.c: change the HTTP writedelay unit to milliseconds
  - test{440,441,493,977}: add "/HTTP proxy"/ keywords
  - tool_getparam: fix --parallel-max maximum value constraint
  - tool_operate: make sure --fail-with-body works with --retry
  - transfer: fix potential NULL pointer dereference
  - transfer: maintain --path-as-is after redirects
  - transfer: upload performance; avoid tiny send
  - url: free old conn better on reuse
  - url: remove redundant #ifdefs in allocate_conn()
  - url: URL encode the path when extracted, if spaces were set
  - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
  - urlapi: support CURLU_URLENCODE for curl_url_get()
  - urldata: reduce size of a few struct fields
  - urldata: remove three unused booleans from struct UserDefined
  - urldata: store tcp_keepidle and tcp_keepintvl as ints
  - version: allow stricmp() for sorting the feature list
  - vtls: make curl_global_sslset thread-safe
  - wolfssh.h: removed
  - wolfssl: correct the failf() message when a handle can't be made
  - wolfSSL: explicitly use compatibility layer
  - x509asn1: mark msnprintf return as unchecked
- Update to 7.83.1:
  * Security fixes:
  - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
  - (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
  - (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
  - (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
  - (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
  - (bsc#1199220, CVE-2022-27778) removes wrong file on error
  * Bugfixes:
  - altsvc: fix host name matching for trailing dots
  - cirrus: Update to FreeBSD 12.3
  - cirrus: Use pip for Python packages on FreeBSD
  - conn: fix typo 'connnection' -> 'connection' in two function names
  - cookies: make bad_domain() not consider a trailing dot fine
  - curl: free resource in error path
  - curl: guard against size_t wraparound in no-clobber code
  - CURLOPT_DOH_URL.3: mention the known bug
  - CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
  - CURLOPT_SSH_AUTH_TYPES.3: fix the default
  - data/test376: set a proper name
  - GHA/mbedtls: enabled nghttp2 in the build
  - gha: build msh3
  - gskit: fixed bogus setsockopt calls
  - gskit: remove unused function set_callback
  - hsts: ignore trailing dots when comparing hosts names
  - HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
  - http: move Curl_allow_auth_to_host()
  - http_proxy/hyper: handle closed connections
  - hyper: fix test 357
  - Makefile: fix "/make ca-firefox"/
  - mbedtls: bail out if rng init fails
  - mbedtls: fix compile when h2-enabled
  - mbedtls: fix some error messages
  - misc: use "/autoreconf -fi"/ instead buildconf
  - msh3: get msh3 version from MsH3Version
  - msh3: print boolean value as text representation
  - msh3: psss remote_port to MsH3ConnectionOpen
  - ngtcp2: add ca-fallback support for OpenSSL backend
  - nss: return error if seemingly stuck in a cert loop
  - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
  - post_per_transfer: remove the updated file name
  - sectransp: bail out if SSLSetPeerDomainName fails
  - tests/server: declare variable 'reqlogfile' static
  - tests: fix markdown formatting in README
  - test{898,974,976}: add 'HTTP proxy' keywords
  - tls: check more TLS details for connection reuse
  - url: check SSH config match on connection reuse
  - urlapi: address (harmless) UndefinedBehavior sanitizer warning
  - urlapi: reject percent-decoding host name into separator bytes
  - x509asn1: make do_pubkey handle EC public keys
- Patches rework:
  * Refreshed all patches as -p1.
  * Use autopatch macro.
  * Renamed:
  - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
  * Removed (already upstream):
  - curl-fix-verifyhost.patch
- Update to 7.83.0:
  * Security fixes:
  - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
  - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
  - (bsc#1198608, CVE-2022-27774) Credential leak on redirect
  - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
  * Changes:
  - curl: add %header{name} experimental support in -w handling
  - curl: add %{header_json} experimental support in -w handling
  - curl: add --no-clobber
  - curl: add --remove-on-error
  - header api: add curl_easy_header and curl_easy_nextheader
  - msh3: add support for QUIC and HTTP/3 using msh3
  * Bugfixes:
  - appveyor: add Cygwin build
  - appveyor: only add MSYS2 to PATH where required
  - BearSSL: add CURLOPT_SSL_CIPHER_LIST support
  - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
  - BINDINGS.md: add Hollywood binding
  - CI: Do not use buildconf. Instead, just use: autoreconf -fi
  - CI: install Python package impacket to run SMB test 1451
  - configure.ac: move -pthread CFLAGS setting back where it used to be
  - configure: bump the copyright year range int the generated output
  - conncache: include the zone id in the "/bundle"/ hashkey
  - connecache: remove duplicate connc->closure_handle check
  - connect: make Curl_getconnectinfo work with conn cache from share handle
  - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
  - cookie.d: clarify when cookies are sent
  - cookies: improve errorhandling for reading cookiefile
  - curl/system.h: update ifdef condition for MCST-LCC compiler
  - curl: error out if -T and -d are used for the same URL
  - curl: error out when options need features not present in libcurl
  - curl: escape '?' in generated --libcurl code
  - curl: fix segmentation fault for empty output file names.
  - curl_easy_header: fix typos in documentation
  - CURLINFO_PRIMARY_PORT.3: clarify which port this is
  - CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
  - CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
  - CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
  - CURLOPT_PROGRESSFUNCTION.3: fix typo in example
  - CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
  - CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
  - docs/HYPER.md: updated to reflect current hyper build needs
  - docs/opts: Mention Schannel client cert type is P12
  - docs: Fix missing semicolon in example code
  - docs: lots of minor language polish
  - English: use American spelling consistently
  - fail.d: tweak the description
  - firefox-db2pem.sh: make the shell script safer
  - ftp: fix error message for partial file upload
  - gen.pl: change wording for mutexed options
  - GHA: add openssl3 jobs moved over from zuul
  - GHA: build hyper with nightly rustc
  - GHA: move bearssl jobs over from zuul
  - gha: move the event-based test over from Zuul
  - gtls: fix build for disabled TLS-SRP
  - http2: handle DONE called for the paused stream
  - http2: RST the stream if we stop it on our own will
  - http: avoid auth/cookie on redirects same host diff port
  - http: close the stream (not connection) on time condition abort
  - http: reject header contents with nul bytes
  - http: return error on colon-less HTTP headers
  - http: streamclose "/already downloaded"/
  - hyper: fix status_line() return code
  - hyper: fix tests 580 and 581 for hyper
  - hyper: no h2c support
  - infof: consistent capitalization of warning messages
  - ipv4/6.d: clarify that they are about using IP addresses
  - json.d: fix typo (overriden -> overridden)
  - keepalive-time.d: It takes many probes to detect brokenness
  - lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
  - lib670: avoid double check result
  - lib: #ifdef on USE_HTTP2 better
  - lib: fix some misuse of curlx_convert_wchar_to_UTF8
  - lib: remove exclamation marks
  - libssh2: compare sha256 strings case sensitively
  - libssh2: make the md5 comparison fail if wrong length
  - libssh: fix build with old libssh versions
  - libssh: fix double close
  - libssh: Improve fix for missing SSH_S_ stat macros
  - libssh: unstick SFTP transfers when done event-based
  - macos: set .plist version in autoconf
  - mbedtls: remove 'protocols' array from backend when ALPN is not used
  - mbedtls: remove server_fd from backend
  - mk-ca-bundle.pl: Use stricter logic to process the certificates
  - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
  - mlc_config.json: add file to ignore known troublesome URLs
  - mqtt: better handling of TCP disconnect mid-message
  - ngtcp2: add client certificate authentication for OpenSSL
  - ngtcp2: avoid busy loop in low CWND situation
  - ngtcp2: deal with sub-millisecond timeout
  - ngtcp2: disconnect the QUIC connection proper
  - ngtcp2: enlarge H3_SEND_SIZE
  - ngtcp2: fix HTTP/3 upload stall and avoid busy loop
  - ngtcp2: fix memory leak
  - ngtcp2: fix QUIC_IDLE_TIMEOUT
  - ngtcp2: make curl 1ms faster
  - ngtcp2: remove remote_addr which is not used in a meaningful way
  - ngtcp2: update to work after recent ngtcp2 updates
  - ngtcp2: use token when detecting :status header field
  - nonblock: restore setsockopt method to curlx_nonblock
  - openssl: check SSL_get_peer_cert_chain return value
  - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
  - openssl: fix CN check error code
  - options: remove mistaken space before paren in prototype
  - perl: removed a double semicolon at end of line
  - pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
  - projects/README: converted to markdown
  - projects: Update VC version names for VS2017, VS2022
  - rtsp: don't let CSeq error override earlier errors
  - runtests: add 'bearssl' as testable feature
  - runtests: make 'oldlibssh' be before 0.9.4
  - schannel: remove dead code that will never run
  - scripts/copyright.pl: ignore the new mlc_config.json file
  - scripts: move three scripts from lib/ to scripts/
  - test1135: sync with recent API updates
  - test1459: disable for oldlibssh
  - test375: fix line endings on Windows
  - test386: Fix an incorrect test markup tag
  - test718: edited slightly to return better HTTP
  - tests/server/util.h: align WIN32 condition with util.c
  - tests: refactor server/socksd.c to support --unix-socket
  - timediff.[ch]: add curlx helper functions for timeval conversions
  - tls: make mbedtls and NSS check for h2, not nghttp2
  - tool and tests: force flush of all buffers at end of program
  - tool_cb_hdr: Turn the Location: into a terminal hyperlink
  - tool_getparam: error out on missing -K file
  - tool_listhelp.c: uppercase URL
  - tool_operate: fix a scan-build warning
  - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
  - transfer: redirects to other protocols or ports clear auth
  - unit1620: call global_init before calling Curl_open
  - url: check sasl additional parameters for connection reuse.
  - vtls: provide a unified APLN-disagree string for all backends
  - vtls: use a backend standard message for "/ALPN: offers %s"/
  - vtls: use a generic "/ALPN, server accepted"/ message
  - winbuild/README.md: fixup dead link
  - winbuild: Add a Visual Studio example to the README
  - wolfssl: fix compiler error without IPv6
- Fix: openssl: fix CN check error code
  * Add curl-fix-verifyhost.patch
- Update to 7.82.0:
  * curl: add --json command line option
  * curl: make it so that sensitive command line arguments do not
    show as easily in the output of ps(1)
  * curl_multi_socket.3: remove callback and typical usage descriptions
  * ftp: provide error message for control bytes in path
  * ldap: return CURLE_URL_MALFORMAT for bad URL
  * lib: remove support for CURL_DOES_CONVERSIONS
  * mqtt: plug some memory leaks
  * multi: allow user callbacks to call curl_multi_assign
  * multi: remember connection_id before returning connection to pool
  * multi: set in_callback for multi interface callbacks
  * netware: remove support
  * ngtcp2: adapt to changed end of headers callback proto
  * openldap: implement SASL authentication
  * openssl: return error if TLS 1.3 is requested when not supported
  * sectransp: mark a 3DES cipher as weak
  * smb: pass socket for writing and reading data instead of FIRSTSOCKET
  * tool_getparam: DNS options that need c-ares now fail without it
  * TPF: drop support
  * url: given a user in the URL, find pwd for that user in netrc
  * url: keep trailing dot in host name
  * urlapi: handle "/redirects"/ smarter
  * urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
  * urldata: remove conn->bits.user_passwd
- update to 7.81.0:
  * mime: use percent-escaping for multipart form field and file names
  * asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
  * azure: make the "/w/o HTTP/SMTP/IMAP"/ build disable SSL proper
  * BINDINGS: add cURL client for PostgreSQL
  * BINDINGS: add one from Everything curl and update a link
  * checksrc: detect more kinds of NULL comparisons we avoid
  * CI: build examples for additional code verification
  * CI: bump job to use mbedtls 3.1.0
  * cmake: don't set _USRDLL on a static Windows build
  * cmake: prevent dev warning due to mismatched arg
  * cmake: private identifiers use CURL_ instead of CMAKE_ prefix
  * config.d: update documentation to match the path search
  * configure: add -lm to configure for rustls build.
  * configure: better diagnostics if hyper is built wrong
  * configure: don't enable TLS when --without-* flags are used
  * configure: fix runtime-lib detection on macOS
  * curl.1: require "/see also"/ for every documented option
  * curl: improve error message for --head with -J
  * curl_easy_cleanup.3: remove from multi handle first
  * curl_easy_escape.3: call curl_easy_cleanup in example
  * curl_easy_unescape.3: call curl_easy_cleanup in example
  * curl_multi_init.3: fix EXAMPLE formatting
  * curl_multi_perform/socket_action.3: clarify what errors mean
  * curl_share_setopt.3: split out options into their own manpages
  * CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
  * digest: compute user:realm:pass digest w/o userhash
  * docs/checksrc: Add documentation for STRERROR
  * docs/cmdline-opts: do not say "/protocols: all"/
  * docs/examples: workaround broken -Wno-pedantic-ms-format
  * docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
  * docs/INSTALL.md: typo fix : added missing "/get"/ verb
  * docs/URL-SYNTAX.md: space is not fine in a given URL
  * docs: add known bugs list to HTTP3.md
  * docs: address proselint nits
  * docs: consistent manpage SYNOPSIS
  * docs: fix dead links, remove ECH.md
  * docs: fix typo in OpenSSL 3 build instructions
  * docs: Update the Reducing Size section
  * example/progressfunc: remove code for old libcurls
  * examples/multi-single.c: remove WAITMS()
  * FAQ: typo fix : "/yout"/ ➤ "/your"/
  * ftp: disable warning 4706 in MSVC
  * gen.pl: improve example output format
  * github workflow: add wolfssl (removed from zuul)
  * github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
  * gtls: check return code for gnutls_alpn_set_protocols
  * hash: lazy-alloc the table in Curl_hash_add()
  * http2:set_transfer_url() return early on OOM
  * HTTP3: update quiche build instructions
  * http: enable haproxy support for hyper backend
  * http: Fix CURLOPT_HTTP200ALIASES
  * http_proxy: don't close the socket (too early)
  * insecure.d: detail its use for SFTP and SCP as well
  * insecure.d: expand and clarify
  * libcurl-multi.3: "/SOCKS proxy handshakes"/ are not blocking
  * libcurl-security.3: mention address and URL mitigations
  * libssh2: fix error message for sha256 mismatch
  * libtest: avoid "/assignment within conditional expression"/
  * lift: ignore is a deprecated config option, use ignoreRules
  * linkcheck.yml: add CI job that checks markdown links
  * m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
  * Makefile.m32: rename -winssl option to -schannel and tidy up
  * mbedTLS: add support for CURLOPT_CAINFO_BLOB
  * mbedtls: fix CURLOPT_SSLCERT_BLOB
  * mbedtls: fix private member designations for v3.1.0
  * misc: remove unused doh flags when CURL_DISABLE_DOH is defined
  * misc: s/e-mail/email
  * multi: cleanup the socket hash when destroying it
  * multi: handle errors returned from socket/timer callbacks
  * multi: shut down CONNECT in Curl_detach_connnection
  * netrc.d: edit the .netrc example to look nicer
  * ngtcp2: verify the server cert on connect (quictls)
  * ngtcp2: verify the server certificate for the gnutls case
  * nss:set_cipher don't clobber the cipher list
  * openldap: implement STARTTLS
  * openldap: process search query response messages one by one
  * openldap: several minor improvements
  * openldap: simplify ldif generation code
  * openssl: check the return value of BIO_new()
  * openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
  * openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
  * openssl: remove usage of deprecated `SSL_get_peer_certificate`
  * openssl: use non-deprecated API to read key parameters
  * page-footer: add a mention of how to report bugs to the man page
  * page-footer: document more environment variables
  * request.d: refer to 'method' rather than 'command'
  * retry-all-errors.d: make the example complete
  * runtests: make the SSH library a testable feature
  * rustls: read of zero bytes might be okay
  * rustls: remove comment about checking handshaking
  * rustls: remove incorrect EOF check
  * sha256/md5: return errors when init fails
  * socks5: use appropriate ATYP for numerical IP address host names
  * test1156: enable for hyper
  * test1156: fixup the stdout check for Windows
  * test1525: tweaked for hyper
  * test1526: enable for hyper
  * test1527: enable for hyper
  * test1528: enable for hyper
  * test1554: adjust for hyper
  * test1556: adjust for hyper
  * test302[12]: run only with the libssh2 backend
  * test661: enable for hyper
  * tests/CI.md: add more information on CI environments
  * tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
  * tftp: mark protocol as not possible to do over CONNECT
  * tool_findfile: updated search for a file in the homedir
  * tool_operate: only set SSH related libcurl options for SSH URLs
  * tool_operate: warn if too many output arguments were found
  * url.c: fix the SIGPIPE comment for Curl_close
  * url: check ssl_config when re-use proxy connection
  * url: reduce ssl backend count for CURL_DISABLE_PROXY builds
  * urlapi: accept port number zero
  * urlapi: if possible, shorten given numerical IPv6 addresses
  * urlapi: provide more detailed return codes
  * urlapi: reject short file URLs
  * version_win32: Check build number and platform id
  * vtls/rustls: adapt to the updated rustls_version proto
  * writeout: fix %{http_version} for HTTP/3
  * x509asn1: return early on errors
  * zuul.d: update rustls-ffi to version 0.8.2
  * zuul: fix quiche build pointing to wrong Cargo
- Update to 7.80.0:
  * Changes:
  - CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
  - CURLOPT_PREREQFUNCTION: add new callback
  - libssh2: add SHA256 fingerprint support
  - urlapi: add curl_url_strerror()
  * Bugfixes:
  - aws-sigv4: make signature work when post data is binary
  - c-hyper: don't abort CONNECT responses early when auth-in-progress
  - c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
  - cmake: add CURL_ENABLE_SSL option
  - cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
  - configure.ac: replace krb5-config with pkg-config
  - configure: when hyper is selected, deselect nghttp2
  - curl-confopts.m4: remove --enable/disable-hidden-symbols
  - curl-openssl.m4: modify library order for openssl linking
  - curl_ntlm_core: use OpenSSL only if DES is available
  - Curl_updateconninfo: store addresses for QUIC connections too
  - ftp: make the MKD retry to retry once per directory
  - http: fix Basic auth with empty name field in URL
  - http: reject HTTP response codes < 100
  - http: remove assert that breaks hyper
  - http: set content length earlier
  - imap: display quota information
  - libssh2: Get the version at runtime if possible
  - md5: fix compilation with OpenSSL 3.0 API
  - ngtcp2: advertise h3 as well as h3-29
  - ngtcp2: compile with the latest nghttp3
  - ngtcp2: use latest QUIC TLS RFC9001
  - NTLM: use DES_set_key_unchecked with OpenSSL
  - openssl: if verifypeer is not requested, skip the CA loading
  - openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
  - schannel: fix memory leak due to failed SSL connection
  - sendf: accept zero-length data in Curl_client_write()
  - sha256: use high-level EVP interface for OpenSSL
  - sws: fix memory leak on exit
  - tool_operate: a failed etag save now only fails that transfer
  - url: check the return value of curl_url()
  - url: set "/k->size"/ -1 at start of request
  - urlapi: skip a strlen(), pass in zero
  - urlapi: URL decode percent-encoded host names
  - vtls: Fix a memory leak if an SSL session cannot be added to the cache
  - wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
  * Use --with-openssl configure option, --with-ssl is now deprecated
dracut
- Update to version 055+suse.342.g2e6dce8e:
  fips=1 and separate /boot break s390x (bsc#1204478):
  * fix(fips): move fips-boot script to pre-pivot
  * fix(fips): only unmount /boot if it was mounted by the fips module
  * feat(fips): add progress messages
  * fix(fips): do not blindly remove /boot
  * fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640)
grub2
- grub2-once: Fix 'sh: terminal_output: command not found' error (bsc#1204563)
- Fix PowerVS deployment fails to boot with 90 cores (bsc#1208581)
  * 0001-ieee1275-implement-vec5-for-cas-negotiation.patch
  * 0002-kern-ieee1275-init-Convert-plain-numbers-to-constant.patch
  * 0003-kern-ieee1275-init-Extended-support-in-Vec5.patch
kbd
- Add 'ara' vc keymap (bsc#1210702)
  'ara' is slightly better than 'arabic' as it matches the name of its x11
  layout counterpart. Keep 'arabic' for backward compatibility sake.
librelp
- update to librelp 1.11.0 (bsc#1210649)
  the previous version became incompatible with current rsyslog
  version 8.2106.0
- Important changes per version
  Version 1.11.0 - 2023-01-10
- code cleanup
- AIX: Changed ERRNO handling after connect in tcp.c
- AIX: Add handling for other ERRNO codes in tcp.c
- bugfix/TCP: relpTcpGetRtryDirection onyl needs to check direction if SSL is active.
- AIX: in relpTcpRcv we need to set RETRY_recv if errno is 0
- openssl: fix openssl exit code avoid double free of ctx
- librelp hardening: Fix multiple minor issues causing debugging trouble
- OpenSSL: fix depreacted API issues for OpenSSL 3.x
- bugfix: compatiblity problem with openssl 1.1
- bugfix: Forward return code from relpEngineSetTLSLib to relpEngineSetTLSLibName
- bugfix: make relpEngineSetTLSLib debug safe
- bugfix: warnings reported by coverity scan
- gnutls drvr bugfix: library called exit() under some circumstances
  Version 1.10.0 - 2021-02-16
- TLS handling bugfix
  Version 1.9.0 - 2020-11-24
- openssl bugfix: preprocessor check for tlsconfigcmd code
- solaris compatibility fix: add strndup compatibility code
  Version 1.8.0 - 2020-09-29
- gnutls "/bugfix"/: handle receives who break connection on close
- gnutls bugfix: per-session memory leak
- tls bugfix: RETRY not correctly handled in TLS Mode & CI improvement
- bugfix: librelp.h contains duplicate function definition
- removed some more externally visible symbols not being part of API
  Version 1.7.0 - 2020-08-25
- some internal cleanup (const attributes and such)
- bugfix: library did export non-API symbols
- openssl: Fix chained certificate files for older OpenSSL Version.
- fix FD leak when socket shutdown is one-sided
- TLS: Added call to destruct OpenSSL remains to relpEngineDestruct
- fix memory leak on session break
  Version 1.6.0 - 2020-04-21
- fix namespace pollution - some non-API functions were exported
- replsess: fix double free of sendbuf in some cases.
- improve support for libressl
- Modified GnuTLS priority according to standard crypto-policy guideline
- tcp: Missing pUsr Copy to relpTcp Pointer fixed in relpTcpAcceptConnReq
- report io errors for plain tcp connections
  Version 1.5.0 - 2020-01-14
- bugfix: too late termination of relp Engine on shutdown
- build system fix: invalid default in configure help text
- error message on invalid TLS library request added
  Version 1.4.0 - 2019-03-05
- build system: enable openssl by default, this means both TLS drivers
  are now build by default
- support that both GnuTLS and openssl TLS drivers are active together
- portability: use GCC __attribute__ only where supported
- bugfix: build problem when HAVE_STRERROR_R is undefined
- bugfix: openssl driver did not properly handle retries when sending
- bugfix: in openssl mode, cert name validation did not work properly
- bugfix: invalid handling of connection fail could lead to abort
- a couple of minor and cosmetic nitfixes, improvements and cleanup
  Version 1.3.0 - 2018-12-11
- improved error reporting
- bugfix openssl: anon mode did not work with openssl 1.1.0+
- bugfix: do not send multiple open commands
  Version 1.2.18 - 2018-09-18
- added non-standard "/certvalid"/ auth mode to TLS authentication
- bugfix CI: make distcheck did not work
  Version 1.2.17 - 2018-08-02
- added support for openssl
- improve code quality: replace strerror() by portable equivalent
- improve error message on connection failure
- bugfix: 100% CPU utilization due to busy loop
- bugfix: do not expose symbols that are not part of public API
- bugfix: potential segfault when listener could not be bound
  Version 1.2.16 - 2018-05-14
- API changes
  * add new API: relpSrvSetOversizeMode()
  * add new API: relpSrvSetLstnAddr()
- support additional hashes for fingerprint mode
- bugfix: potential memory leak
- bugfix: memory leak on protocol error
- fixed a couple of minor issues:
  * fix memory leak when relp frame construction fails
  * removed unnecessary code
  * fix memory leak
  * fix memory leak on relpSrvRun() error
  * fix memory leak on relp listener construction error
  * also resolved all other issues reported by Coverity scan
libsigc++2
- Add libsigc++2-remove-unnecessary-executable-flag-from-file.patch:
  cancel executable permission for file
  /usr/share/doc/packages/libsigc-2_0-0/NEWS(bsc#1209094,bsc#1209140).
libsolv
- handle learnt rules in solver_alternativeinfo()
- support x86_64_v[234] architecture levels
- implement decision sorting for package decisionlists
- add back findutils requires for the libsolv-tools packagse
  [bsc#1195633]
- bump version to 0.7.24
libzypp
- MediaCurl: Fix endless loop if wrong credentials are stored in
  credentials.cat (bsc#1210870)
  Since libzypp-17.31.7 wrong credentials stored in credentials.cat
  may lead to an endless loop. Rather than asking for the right
  credentials, the stored ones are used again and again.
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.]
  (bsc#1208329)
  Maximum time in seconds that you allow the connection phase to
  the server to take. This only limits the connection phase, it has
  no impact once it has connected. (see also CURLOPT_CONNECTTIMEOUT)
- commit: Try to provide /dev fs if not present (fixes #444)
- fix build with boost 1.82.
- version 17.31.11 (22)
- fix build with boost 1.82
- BuildRequires: libsolv-devel >= 0.7.24 for x86_64_v[234]
  support.
- version 17.31.10 (22)
- Workround bsc#1195633 while libsolv <= 0.7.23 is used.
- Fix potential endless loop in new ZYPP_MEDIANETWORK.
- ZYPP_METALINK_DEBUG=1: Log URL and priority of the mirrors
  parsed from a metalink file.
- multicurl: propagate ssl settings stored in repo url
  (boo#1127591)
  Closes #335.
- Teach MediaNetwork to retry on HTTP2 errors.
- fix CapDetail to return Rel::NONE if an EXPRESSION is used as a
  NAMED cap.
- Capability: support parsing richdeps from string.
- defaultLoadSystem: default to LS_NOREFRESH if not root.
- Detect x86_64_v[234]: Fix LZCNT bit used in detection (fixes
  [#439])
  Merges rpm-software-management/rpm#2412: The bit for LZCNT is in
  CPUID 0x80000001, not 1.
- Detect x86_64_v[234] architecture levels (fixes #439)
- Support x86_64_v[234] architecture levels (for #439)
- version 17.31.9 (22)
openssl-1_1
- Security Fix: [CVE-2023-2650, bsc#1211430]
  * Possible DoS translating ASN.1 object identifiers
  * Add openssl-CVE-2023-2650.patch
python-packaging
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Add patch to fix testsuite on big-endian targets
  + fix-big-endian-build.patch
- Ignore python3.6.2 since the test doesn't support it.
- update to 21.3:
  * Add a pp3-none-any tag (gh#pypa/packaging#311)
  * Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion
    (gh#pypa/packaging#481), (gh#pypa/packaging#486)
  * Fix a spelling mistake (gh#pypa/packaging#479)
- update to 21.2:
  * Update documentation entry for 21.1.
  * Update pin to pyparsing to exclude 3.0.0.
  * PEP 656: musllinux support
  * Drop support for Python 2.7, Python 3.4 and Python 3.5.
  * Replace distutils usage with sysconfig
  * Add support for zip files in ``parse_sdist_filename``
  * Use cached ``_hash`` attribute to short-circuit tag equality comparisons
  * Specify the default value for the ``specifier`` argument to ``SpecifierSet``
  * Proper keyword-only "/warn"/ argument in packaging.tags
  * Correctly remove prerelease suffixes from ~= check
  * Fix type hints for ``Version.post`` and ``Version.dev``
  * Use typing alias ``UnparsedVersion``
  * Improve type inference for ``packaging.specifiers.filter()``
  * Tighten the return type of ``canonicalize_version()``
- Add Provides: for python*dist(packaging): work around boo#1186870
- skip tests failing because of no-legacyversion-warning.patch
- add no-legacyversion-warning.patch to restore compatibility with 20.4
- update to 20.9:
  * Run [isort](https://pypi.org/project/isort/) over the code base (:issue:`377`)
  * Add support for the ``macosx_10_*_universal2`` platform tags (:issue:`379`)
  * Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()``
- update to 20.8:
  * Revert back to setuptools for compatibility purposes for some Linux distros (:issue:`363`)
  * Do not insert an underscore in wheel tags when the interpreter version number
    is more than 2 digits (:issue:`372`)
  * Fix flit configuration, to include LICENSE files (:issue:`357`)
  * Make `intel` a recognized CPU architecture for the `universal` macOS platform tag (:issue:`361`)
  * Add some missing type hints to `packaging.requirements` (issue:`350`)
  * Officially support Python 3.9 (:issue:`343`)
  * Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes (:issue:`321`)
  * Handle ``OSError`` on non-dynamic executables when attempting to resolve
    the glibc version string.
- update to 20.4:
  * Canonicalize version before comparing specifiers. (:issue:`282`)
  * Change type hint for ``canonicalize_name`` to return
  ``packaging.utils.NormalizedName``.
  This enables the use of static typing tools (like mypy) to detect mixing of
  normalized and un-normalized names.
systemd
- Import commit 6441bb41141aaa8bfb63559917362748a3044c15
  165ca0d018 udev-rules: fix nvme symlink creation on namespace changes (bsc#1207410)
- Update 1001-udev-use-lock-when-selecting-the-highest-priority-de.patch (bsc#1203141)
  Optimize when hundred workers claim the same symlink with the same priority.
- Update 0005-udev-create-default-symlinks-for-primary-cd_dvd-driv.patch
  Since commit 38f3e20883ff658935aae5c9 (v248), the symlinks /dev/cdrw and
  /dev/dvdrw could have no longer been created. Futhermore the rule added by
  this patch dealing with /dev/cdrom was redundant with the upstream one
- Import commit dad0071f15341be2b24c2c9d073e62617e0b4673 (merge of v249.16)
util-linux
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
util-linux-systemd
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
vim
- Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim
  * Make xxd conflicting the previous vim packages
xen
- bsc#1209237 - xen-syms doesn't contain debug-info
  643e3810-CONFIG_DEBUG_INFO-no-EXPERT.patch
  6447a8fd-x86-EFI-permit-crash-dump-analysis.patch
- Update to Xen 4.16.4 bug fix release (bsc#1027519)
  xen-4.16.4-testing-src.tar.bz2
  * No upstream changelog found in sources or webpage
- Drop patches contained in new tarball
  63a03e28-x86-high-freq-TSC-overflow.patch
  63c05478-VMX-calculate-model-specific-LBRs-once.patch
  63c05478-VMX-support-CPUs-without-model-specific-LBR.patch
  63e53ac9-x86-CPUID-leaves-7-1-ecx-edx.patch
  63e53ac9-x86-disable-CET-SS-when-fractured-updates.patch
  63ebca9c-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-Predictions.patch
  63f4d045-x86-ucode-AMD-apply-early-on-all-threads.patch
  63fe06e0-x86-ucode-AMD-apply-late-on-all-threads.patch
  641041e8-VT-d-constrain-IGD-check.patch
  6419697d-AMD-IOMMU-no-XT-x2APIC-phys.patch
  64199e0c-x86-shadow-account-for-log-dirty-mode.patch
  64199e0d-x86-HVM-bound-number-of-pca-regions.patch
  64199e0e-x86-HVM-serialize-pca-list-manipulation.patch
  64199e0f-x86-spec-ctrl-defer-CR4_PV32_RESTORE-for-CSTAR.patch
  libxl.fix-guest-kexec-skip-cpuid-policy.patch
- Upstream bug fixes (bsc#1027519)
  63e53ac9-x86-CPUID-leaves-7-1-ecx-edx.patch
  63e53ac9-x86-disable-CET-SS-when-fractured-updates.patch
  63f4d045-x86-ucode-AMD-apply-early-on-all-threads.patch
  63fe06e0-x86-ucode-AMD-apply-late-on-all-threads.patch
  641041e8-VT-d-constrain-IGD-check.patch
  6419697d-AMD-IOMMU-no-XT-x2APIC-phys.patch
- Use "/proper"/ upstream backports:
  64199e0c-x86-shadow-account-for-log-dirty-mode.patch
  64199e0d-x86-HVM-bound-number-of-pca-regions.patch
  64199e0e-x86-HVM-serialize-pca-list-manipulation.patch
  64199e0f-x86-spec-ctrl-defer-CR4_PV32_RESTORE-for-CSTAR.patch
- ... in place of:
  xsa427.patch
  xsa428-1.patch
  xsa428-2.patch
  xsa429.patch
- bsc#1209245 - fix host-assisted kexec/kdump for HVM domUs
  libxl.fix-guest-kexec-skip-cpuid-policy.patch
zlib
- Fix deflateBound() before deflateInit(), bsc#1210593
  bsc1210593.patch
zypper
- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority (fixes #480)
- version 1.14.60