curl-8.14.1-160000.2.2

- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
  * tool_getparam: fix --ftp-pasv [5f805ee]
  * Add curl-fix--ftp-pasv.patch

- Disable insecure NTLM authentication support [bsc#1245491, jsc#PED-12960]

- Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]
  * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error
    when building the curl-mini package in SLE.
  * Add libssh minimum version requirements.
  * Use ldconfig_scriptlets when available.
  * Remove unused option --disable-ntlm-wb.

- Update to 8.14.1:
  * Security fixes:
  - [bsc#1243933, CVE-2025-5399] libcurl can possibly get
    trapped in an endless busy-loop when processing specially
    crafted packets [d1145df2]
  * Bugfixes:
  - asyn-thrdd: fix cleanup when RR fails due to OOM
  - ftp: fix teardown of DATA connection in done
  - http: fail early when rewind of input failed when following redirects
  - multi: fix add_handle resizing
  - tls BIOs: handle BIO_CTRL_EOF correctly
  - tool_getparam: make --no-anyauth not be accepted
  - wolfssl: fix sending of early data
  - ws: handle blocked sends better
  - ws: tests and fixes

- Update to 8.14.0:
  * Security fixes:
  - [CVE-2025-4947, bsc#1243397] QUIC certificate check skip with wolfSSL
  - [CVE-2025-5025, bsc#1243706] No QUIC certificate pinning with wolfSSL
  * Changes:
  - mqtt: send ping at upkeep interval
  - schannel: handle pkcs12 client certificates containing CA certificates
  - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
  - vquic: ngtcp2 + openssl support
  - wcurl: import v2025.04.20 script + docs
  - websocket: add option to disable auto-pong reply
  * Bugfixes:
  - asny-thrdd: fix detach from running thread
  - async-threaded resolver: use ref counter
  - async: DoH improvements
  - build: enable gcc-12/13+, clang-10+ picky warnings
  - build: enable gcc-15 picky warnings
  - certs: drop unused `default_bits` from `.prm` files
  - cf-https-connect: use the passed in dns struct pointer
  - cf-socket: fix FTP accept connect
  - cfilters: remove assert
  - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
  - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
  - cmake: revert `CURL_LTO` behavior for multi-config generators
  - configure: fix --disable-rt
  - CONTRIBUTE: add project guidelines for AI use
  - cpool/cshutdown: force close connections under pressure
  - curl: fix memory leak when -h is used in config file
  - curl_get_line: handle lines ending on the buffer boundary
  - headers: enforce a max number of response header to accept
  - http: fix HTTP/2 handling of TE request header using "trailers"
  - lib: include files using known path
  - lib: unify conversions to/from hex
  - libssh: add NULL check for Curl_meta_get()
  - libssh: fix memory leak
  - mqtt: use conn/easy meta hash
  - multi: do transfer book keeping using mid
  - multi: init_do(): check result
  - netrc: avoid NULL deref on weird input
  - netrc: avoid strdup NULL
  - netrc: deal with null token better
  - openssl-quic: avoid potential `-Wnull-dereference`, add assert
  - openssl-quic: fix shutdown when stream not open
  - openssl: enable builds for *both* engines and providers
  - openssl: set the cipher string before doing private cert
  - progress: avoid integer overflow when gathering total transfer size
  - rand: update comment on Curl_rand_bytes weak random
  - rustls: make max size of cert and key reasonable
  - smb: avoid integer overflow on weird input date
  - urlapi: redirecting to "" is considered fine
  * Remove curl-8.13.0-CloseSocket.patch upstream
  * Rebase libcurl-ocloexec.patch

- fix Leap build add curl-8.13.0-CloseSocket.patch

- Update to 8.13.0:
  * Changes:
  - curl: add write-out variable 'tls_earlydata'
  - curl: make --url support a file with URLs
  - gnutls: set priority via --ciphers
  - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
  - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
  - OpenSSL/quictls: add support for TLSv1.3 early data
  - rustls: add support for CERTINFO
  - rustls: add support for SSLKEYLOGFILE
  - rustls: support ECH w/ DoH lookup for config
  - rustls: support native platform verifier
  - var: add a '64dec' function that can base64 decode a string
  * Bugfixes:
  - conn: fix connection reuse when SSL is optional
  - hash: use single linked list for entries
  - http2: detect session being closed on ingress handling
  - http2: reset stream on response header error
  - http: remove a HTTP method size restriction
  - http: version negotiation
  - httpsrr: fix port detection
  - libssh: fix freeing of resources in disconnect
  - libssh: fix scp large file upload for 32-bit size_t systems
  - openssl-quic: do not iterate over multi handles
  - openssl: check return value of X509_get0_pubkey
  - openssl: drop support for old OpenSSL/LibreSSL versions
  - openssl: fix crash on missing cert password
  - openssl: fix pkcs11 URI checking for key files.
  - openssl: remove bad `goto`s into other scope
  - setopt: illegal CURLOPT_SOCKS5_AUTH should return error
  - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
  - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version
  - sshserver: fix excluding obsolete client config lines
  - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
  - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
  - tool_operate: fail SSH transfers without server auth
  - url: call protocol handler's disconnect in Curl_conn_free
  - urlapi: remove percent encoded dot sequences from the URL path
  - urldata: remove 'hostname' from struct Curl_async
  * Rebase patches:
  - libcurl-ocloexec.patch
  - curl-secure-getenv.patch

- Update to 8.12.1:
  * Bugfixes:
  - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
  - asyn-thread: fix HTTPS RR crash
  - asyn-thread: fix the returned bitmask from Curl_resolver_getsock
  - asyn-thread: survive a c-ares channel set to NULL
  - cmake: always reference OpenSSL and ZLIB via imported targets
  - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
  - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
  - content_encoding: #error on too old zlib
  - imap: TLS upgrade fix
  - ldap: drop support for legacy Novell LDAP SDK
  - libssh2: comparison is always true because rc <= -1
  - libssh2: raise lowest supported version to 1.2.8
  - libssh: drop support for libssh older than 0.9.0
  - openssl-quic: ignore ciphers for h3
  - pop3: TLS upgrade fix
  - runtests: fix the disabling of the memory tracking
  - runtests: quote commands to support paths with spaces
  - scache: add magic checks
  - smb: silence '-Warray-bounds' with gcc 13+
  - smtp: TLS upgrade fix
  - tool_cfgable: sort struct fields by size, use bitfields for booleans
  - tool_getparam: add "TLS required" flag for each such option
  - vtls: fix multissl-init
  - wakeup_write: make sure the eventfd write sends eight bytes

- Update to 8.12.0:
  * Security fixes:
  - [bsc#1234068, CVE-2024-11053] curl could leak the password used
    for the first host to the followed-to host under certain circumstances.
  - [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry
  - [bsc#1236589, CVE-2025-0665] eventfd double close
  * Changes:
  - curl: add byte range support to --variable reading from file
  - curl: make --etag-save acknowledge --create-dirs
  - getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
  - getinfo: provide info which auth was used for HTTP and proxy
  - hyper: drop support
  - openssl: add support to use keys and certificates from PKCS#11 provider
  - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
  - vtls: feature ssls-export for SSL session im-/export
  * Bugfixes:
  - altsvc: avoid integer overflow in expire calculation
  - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
  - asyn-ares: fix memory leak
  - asyn-ares: initial HTTPS resolve support
  - asyn-thread: use c-ares to resolve HTTPS RR
  - async-thread: avoid closing eventfd twice
  - cd2nroff: do not insist on quoted <> within backticks
  - cd2nroff: support "none" as a TLS backend
  - conncache: count shutdowns against host and max limits
  - content_encoding: drop support for zlib before 1.2.0.4
  - content_encoding: namespace GZIP flag constants
  - content_encoding: put the decomp buffers into the writer structs
  - content_encoding: support use of custom libzstd memory functions
  - cookie: cap expire times to 400 days
  - cookie: parse only the exact expire date
  - curl: return error if etag options are used with multiple URLs
  - curl_multi_fdset: include the shutdown connections in the set
  - curl_sha512_256: rename symbols to the curl namespace
  - curl_url_set.md: adjust the added-in to 7.62.0
  - doh: send HTTPS RR requests for all HTTP(S) transfers
  - easy: allow connect-only handle reuse with easy_perform
  - easy: make curl_easy_perform() return error if connection still there
  - easy_lock: use Sleep(1) for thread yield on old Windows
  - ECH: update APIs to those agreed with OpenSSL maintainers
  - GnuTLS: fix 'time_appconnect' for early data
  - HTTP/2: strip TE request header
  - http2: fix data_pending check
  - http2: fix value stored to 'result' is never read
  - http: ignore invalid Retry-After times
  - http_aws_sigv4: Fix invalid compare function handling zero-length pairs
  - https-connect: start next immediately on failure
  - lib: redirect handling by protocol handler
  - multi: fix curl_multi_waitfds reporting of fd_count
  - netrc: 'default' with no credentials is not a match
  - netrc: fix password-only entries
  - netrc: restore _netrc fallback logic
  - ngtcp2: fix memory leak on connect failure
  - openssl: define `HAVE_KEYLOG_CALLBACK` before use
  - openssl: fix ECH logic
  - osslq: use SSL_poll to determine writeability of QUIC streams
  - sectransp: free certificate on error
  - select: avoid a NULL deref in cwfds_add_sock
  - src: omit hugehelp and ca-embed from libcurltool
  - ssl session cache: change cache dimensions
  - system.h: add 64-bit curl_off_t definitions for NonStop
  - telnet: handle single-byte input option
  - TLS: check connection for SSL use, not handler
  - tool_formparse.c: make curlx_uztoso a static in here
  - tool_formparse: accept digits in --form type= strings
  - tool_getparam: ECH param parsing refix
  - tool_getparam: fail --hostpubsha256 if libssh2 is not used
  - tool_getparam: fix "Ignored Return Value"
  - tool_getparam: fix memory leak on error in parse_ech
  - tool_getparam: fix the ECH parser
  - tool_operate: make --etag-compare always accept a non-existing file
  - transfer: fix CURLOPT_CURLU override logic
  - urlapi: fix redirect to a new fragment or query (only)
  - vquic: make vquic_send_packets not return without setting psent
  - vtls: fix default SSL backend as a fallback
  - vtls: only remember the expiry timestamp in session cache
  - websocket: fix message send corruption
  - x509asn1: add parse recursion limit
  * Rebase pathes:
  - libcurl-ocloexec.patch
  - dont-mess-with-rpmoptflags.patch

- Update to 8.11.1:
  * Security fixes:
  - netrc and redirect credential leak [bsc#1234068, CVE-2024-11053]
  * Bugfixes:
  - build: fix ECH to always enable HTTPS RR
  - cookie: treat cookie name case sensitively
  - curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected
  - curl: use realtime in trace timestamps
  - digest: produce a shorter cnonce in Digest headers
  - docs: document default 'User-Agent'
  - docs: suggest --ssl-reqd instead of --ftp-ssl
  - duphandle: also init netrc
  - hostip: don't use the resolver for FQDN localhost
  - http_negotiate: allow for a one byte larger channel binding buffer
  - krb5: fix socket/sockindex confusion, MSVC compiler warnings
  - libssh: use libssh sftp_aio to upload file
  - libssh: when using IPv6 numerical address, add brackets
  - mime: fix reader stall on small read lengths
  - mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
  - mprintf: fix the integer overflow checks
  - multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when...
  - netrc: address several netrc parser flaws
  - netrc: support large file, longer lines, longer tokens
  - nghttp2: use custom memory functions
  - OpenSSL: improvde error message on expired certificate
  - openssl: remove three "Useless Assignments"
  - openssl: stop using SSL_CTX_ function prefix for our functions
  - pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS
  - rtsp: check EOS in the RTSP receive and return an error code
  - schannel: remove TLS 1.3 ciphersuite-list support
  - setopt: fix CURLOPT_HTTP_CONTENT_DECODING
  - setopt: fix missing options for builds without HTTP & MQTT
  - socket: handle binding to "host!<ip>"
  - socketpair: fix enabling 'USE_EVENTFD'
  - strtok: use namespaced 'strtok_r' macro instead of redefining it
  * Remove 0001-duphandle-also-init-netrc.patch upstream