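# RPM spec for libcurl-gnutls: builds curl 8.18.0 against GnuTLS and packages
# only the shared library (installed as libcurl3-gnutls.so.*), not the curl
# command-line tool.

# OpenSSL ENGINE support
# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41
# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
# Change the bcond to 0 to turn off ENGINE support by default
%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10]

# HTTP/3 support
# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's
# experimental native OpenSSL 3.5 support.
# NOTE(review): no HTTP/3 option is passed to configure in the build section
# of this spec, so the nghttp3/ngtcp2 dependencies guarded by this bcond look
# inherited from the full curl spec - confirm whether they are needed here.
%bcond http3 %[0%{?fedora} >= 43]

Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: libcurl-gnutls
Version: 8.18.0
Release: 6%{?dist}
License: curl
Source0: https://curl.se/download/curl-%{version_no_tilde}.tar.xz
Source1: https://curl.se/download/curl-%{version_no_tilde}.tar.xz.asc
# The curl download page ( https://curl.se/download.html ) links
# to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key,
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
# The keyring is shipped with the package sources, so the signature check in
# the prep section is only as trustworthy as this copy of the key; compare it
# against the upstream key whenever the file changes.
Source2: mykey.asc

# update timer unconditionally in multi_remove_handle
# rubygem-ethon: FTBFS in Fedora Rawhide
# https://bugzilla.redhat.com/show_bug.cgi?id=2405328
Patch001: 0001-curl-8.18.0-multi-update-timer-unconditionally-in-multi_remove_h.patch

# Fix `Could not find digest algorithm UNDEF (NID 0)`
# https://bugzilla.redhat.com/show_bug.cgi?id=2438170
Patch002: 0002-curl-8.18.0-openssl-channel_binding-lookup-digest-algorithm-with.patch

# Fix bad reuse of HTTP Negotiate connection (CVE-2026-1965)
Patch003: 0003-curl-8.18.0-CVE-2026-1965.patch

# Fix token leak with redirect and netrc (CVE-2026-3783)
Patch004: 0004-curl-8.18.0-CVE-2026-3783.patch

# Fix wrong proxy connection reuse with credentials (CVE-2026-3784)
Patch005: 0005-curl-8.18.0-CVE-2026-3784.patch

# Fix use after free in SMB connection reuse (CVE-2026-3805)
# NOTE(review): SMB is compiled out of this build (--disable-smb below), so
# this fix is presumably carried only to stay aligned with the main curl
# package - confirm.
Patch006: 0006-curl-8.18.0-CVE-2026-3805.patch

# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch

# debian patch from
# https://sources.debian.org/patches/curl/
Patch290: ZZZgnutls-build-8.18.0.patch

BuildRequires: automake
BuildRequires: brotli-devel
BuildRequires: coreutils
BuildRequires: gcc
BuildRequires: groff
BuildRequires: krb5-devel
BuildRequires: libidn2-devel
BuildRequires: libnghttp2-devel
%if %{with http3}
BuildRequires: libnghttp3-devel
%endif
BuildRequires: libpsl-devel
BuildRequires: libssh-devel
BuildRequires: libtool
BuildRequires: make
%if %{with http3}
BuildRequires: ngtcp2-crypto-ossl-devel
%endif
BuildRequires: openldap-devel
BuildRequires: openssh-clients
BuildRequires: openssh-server
BuildRequires: openssl
BuildRequires: openssl-devel
%if %{with openssl_engine_support} && 0%{?fedora} >= 41
BuildRequires: openssl-devel-engine
%endif
BuildRequires: perl-interpreter
BuildRequires: pkgconfig
BuildRequires: python-unversioned-command
BuildRequires: python3-devel
BuildRequires: sed
BuildRequires: zlib-devel

# For gpg verification of source tarball
BuildRequires: gnupg2

# needed to compress content of tool_hugehelp.c after changing curl.1 man page
BuildRequires: perl(IO::Compress::Gzip)

# needed for generation of shell completions
BuildRequires: perl(Getopt::Long)
BuildRequires: perl(Pod::Usage)
BuildRequires: perl(strict)
BuildRequires: perl(warnings)

# NOTE(review): this spec has no check section (see the "check removed" marker
# after the build section), so the test-suite-only build dependencies below
# enlarge the buildroot without being exercised, and the CVE backports above
# are not regression-tested at build time.

# needed for test1560 to succeed
BuildRequires: glibc-langpack-en

# gnutls-serv is used by the upstream test-suite
BuildRequires: gnutls-utils

# for ZZZgnutls-build.patch
BuildRequires: gnutls-devel

# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot
BuildRequires: hostname

# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
BuildRequires: nghttp2

# perl modules used in the test suite
BuildRequires: perl(B)
BuildRequires: perl(base)
BuildRequires: perl(constant)
BuildRequires: perl(Cwd)
BuildRequires: perl(Digest::MD5)
BuildRequires: perl(Digest::SHA)
BuildRequires: perl(Exporter)
BuildRequires: perl(File::Basename)
BuildRequires: perl(File::Copy)
BuildRequires: perl(File::Spec)
BuildRequires: perl(I18N::Langinfo)
BuildRequires: perl(IPC::Open2)
BuildRequires: perl(List::Util)
BuildRequires: perl(Memoize)
BuildRequires: perl(MIME::Base64)
BuildRequires: perl(POSIX)
BuildRequires: perl(Storable)
BuildRequires: perl(Time::HiRes)
BuildRequires: perl(Time::Local)
BuildRequires: perl(vars)

%if 0%{?fedora}
# needed for upstream test 1451
BuildRequires: python3-impacket
%endif

# The test-suite runs automatically through valgrind if valgrind is available
# on the system. By not installing valgrind into mock's chroot, we disable
# this feature for production builds on architectures where valgrind is known
# to be less reliable, in order to avoid unnecessary build failures (see RHBZ
# #810992, #816175, and #886891). Nevertheless developers are free to install
# valgrind manually to improve test coverage on any architecture.
%ifarch x86_64
BuildRequires: valgrind
%endif

# stunnel is used by upstream tests but it does not seem to work reliably
# on aarch64/s390x and occasionally breaks some tests (mainly 1561 and 1562)
%ifnarch aarch64 s390x
BuildRequires: stunnel
%endif

# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
Requires: libcurl%{?_isa} >= %{version}-%{release}

# Define OPENSSL_NO_ENGINE to avoid inclusion of <openssl/engine.h>
%if %{without openssl_engine_support}
%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE
%endif

# The version macros below are computed with pkg-config while the spec is
# parsed. When the lookup fails they fall back to 0, which silently turns the
# matching Requires into ">= 0", i.e. no effective minimum version.

# require at least the version of libnghttp2 that we were built against,
# to ensure that we have the necessary symbols available (#2144277)
%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)

# require at least the version of libnghttp3 that we were built against,
# to ensure that we have the necessary symbols available
%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0)

# require at least the version of libpsl that we were built against,
# to ensure that we have the necessary symbols available (#1631804)
%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)

# require at least the version of libssh that we were built against,
# to ensure that we have the necessary symbols available (#525002, #642796)
%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)

# require at least the version of ngtcp2 that we were built against,
# to ensure that we have the necessary symbols available
%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0)

# require at least the version of gnutls libs that we were built against,
# to ensure that we have the necessary symbols available
%global gnutls_version %(pkg-config --modversion gnutls 2>/dev/null || echo 0)

# NOTE(review): the build below is configured --without-libpsl and
# --without-libssh, so the libpsl and libssh runtime requirements look
# inherited from the full curl spec - confirm and drop them if the library
# does not link against either.
Requires: libnghttp2%{?_isa} >= %{libnghttp2_version}
%if %{with http3}
Requires: libnghttp3%{?_isa} >= %{libnghttp3_version}
%endif
Requires: libpsl%{?_isa} >= %{libpsl_version}
Requires: libssh%{?_isa} >= %{libssh_version}
%if %{with http3}
Requires: ngtcp2%{?_isa} >= %{ngtcp2_version}
%endif
Requires: gnutls%{?_isa} >= %{gnutls_version}

%description
This package provides libcurl-gnutls required by some VSTs

%prep
# Verify the detached signature (Source1) over the tarball (Source0) against
# the packaged keyring (Source2) before anything is unpacked or patched.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -n curl-%{version_no_tilde} -p1

# disable test 1801
printf "1801\n" >>tests/data/DISABLED

# test3026: avoid pthread_create() failure due to resource exhaustion on i386
%ifarch %{ix86}
sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' \
    -i tests/libtest/lib3026.c
%endif

# adapt test 323 for updated OpenSSL
sed -e 's|^35$|35,52|' -i tests/data/test323

# use localhost6 instead of ip6-localhost in the curl test-suite
(
    # avoid glob expansion in the trace output of `bash -x`
    { set +x; } 2>/dev/null
    # cmd is a constant string defined right here, so the eval below never
    # sees external input; it only defers the glob until after the trace line.
    cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*"
    printf "+ %s\n" "$cmd" >&2
    eval "$cmd"
)

# avoid unnecessary arch-dependent line in the processed file
sed -e '/# Used in @libdir@/d' \
    -i curl-config.in

%build
# regenerate the configure script and Makefile.in files
autoreconf -fiv

mkdir build-gnutls
# Options shared with the main curl build. TLS peers are verified against the
# system-wide CA trust bundle given by --with-ca-bundle.
export common_configure_opts=" \
    --cache-file=../config.cache \
    --disable-manual \
    --disable-static \
    --enable-hsts \
    --enable-ipv6 \
    --enable-symbol-hiding \
    --enable-threaded-resolver \
    --without-zstd \
    --with-gssapi \
    --with-libidn2 \
    --with-nghttp2 \
    --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
    --with-zsh-functions-dir"

%global _configure ../configure

# configure gnutls build
# Protocols and features this library variant does not need are switched off,
# which keeps the compiled-in parser and authentication code to a minimum.
# --disable-symbol-hiding comes after the --enable-symbol-hiding from the
# common options; presumably the later flag wins and is wanted together with
# --enable-versioned-symbols - confirm.
(
    cd build-gnutls
    %configure $common_configure_opts \
        --disable-dict \
        --disable-gopher \
        --disable-imap \
        --disable-ldap \
        --disable-ldaps \
        --disable-manual \
        --disable-mqtt \
        --disable-ntlm \
        --disable-ntlm-wb \
        --disable-pop3 \
        --disable-rtsp \
        --disable-smb \
        --disable-smtp \
        --disable-telnet \
        --disable-tftp \
        --disable-tls-srp \
        --disable-websockets \
        --without-brotli \
        --without-libpsl \
        --without-libssh \
        --with-gnutls \
        --disable-symbol-hiding \
        --enable-versioned-symbols
)

# avoid using rpath
# (blanking these two libtool variables keeps a hard-coded library search
# path out of the shared object)
sed -e 's/^runpath_var=.*/runpath_var=/' \
    -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
    -i build-gnutls/libtool

%make_build V=1 -C build-gnutls

#%%check removed

%install
# install and rename the library that will be packaged as libcurl-gnutls
%make_install -C build-gnutls/lib
rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl-gnutls.{la,so,so.4}
rename libcurl-gnutls.so libcurl3-gnutls.so ${RPM_BUILD_ROOT}%{_libdir}/libcurl-gnutls.so.4.[0-9].[0-9]
pushd ${RPM_BUILD_ROOT}%{_libdir}
# Link against the renamed library by its explicit pattern instead of parsing
# `ls` output: an unrelated entry in the directory can no longer become the
# link target, and a missing library stops the build instead of leaving
# dangling links.
for i in libcurl3-gnutls.so.4.[0-9].[0-9]; do
    [ -f "$i" ] || exit 1
    ln -s "$i" libcurl3-gnutls.so
    ln -s "$i" libcurl3-gnutls.so.4
done
popd

%ldconfig_scriptlets -n libcurl-gnutls

# NOTE(review): libcurl-gnutls.so.4 is deleted in the install section yet
# listed below; presumably it is recreated from the library SONAME by the
# buildroot ldconfig policy script - confirm.
%files
%license COPYING
%{_libdir}/libcurl3-gnutls.so
%{_libdir}/libcurl3-gnutls.so.4
%{_libdir}/libcurl3-gnutls.so.4.[0-9].[0-9]
%{_libdir}/libcurl-gnutls.so.4

%changelog
* Tue Apr 28 2026 Patrick Laimbock - 8.18.0-6
- sync with koji
- rebuild for F44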