curl: Update to version 8.18.0

- Update from version 8.17.0 to 8.18.0
- No change to rootfile
- Changelog
    8.18.0
	Changes:
	    build: drop support for VS2008 (Windows)
	    build: drop Windows CE / CeGCC support
	    gnutls: drop support for GnuTLS < 3.6.5
	    gnutls: implement CURLOPT_CAINFO_BLOB
	    openssl: bump minimum OpenSSL version to 3.0.0
	Bugfixes:
	    _PROGRESS.md: add the E unit, mention kibibyte
	    alt-svc: more flexibility on same destination
	    altsvc: accept ma/persist per alternative entry
	    altsvc: make it one malloc instead of three per entry
	    AmigaOS: increase minimum stack size for tool_main
	    apple sectrust: fix ancient evaluation
	    apple-sectrust: always ask when `native_ca_store` is in use
	    asyn-ares: handle Curl_dnscache_mk_entry() OOM error
	    asyn-ares: remove hostname free on OOM
	    asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo
	    asyn-thrdd: release rrname if ares_init_options fails
	    auth: always treat Curl_auth_ntlm_get() returning NULL as OOM
	    autotools: add nettle library detection via pkg-config (for GnuTLS)
	    autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr)
	    autotools: fix LargeFile feature display on Windows (after prev patch)
	    autotools: tidy-up `if` expressions
	    badwords: add fist -> first, fix fallouts
	    badwords: catch and fix threading-related words
	    badwords: fix issues found in scripts and other files
	    badwords: fix issues found in tests
	    build: add build-level `CURL_DISABLE_TYPECHECK` options
	    build: exclude clang prereleases from compiler warning options
	    build: replace `-pedantic` with `-Wpedantic` when supported
	    build: set `-Wno-format-signedness`
	    build: tidy-up MSVC CRT warning suppression macros
	    ccsidcurl: make curl_mime_data_ccsid() use the converted size
	    cf-h1-proxy: support folded headers in CONNECT responses
	    cf-https-connect: allocate ctx at first in cf_hc_create()
	    cf-socket: drop feature check for `IPV6_V6ONLY` on Windows
	    cf-socket: enable Win10 `TCP_KEEP*` options with old SDKs
	    cf-socket: limit use of `TCP_KEEP*` to Windows 10.0.16299+ at runtime
	    cf-socket: return OOM error if socket() fails due to OOM
	    cf-socket: trace ignored errors
	    cfilters: make conn_forget_socket a private libssh function
	    checksrc.pl: detect assign followed by more than one space
	    cmake: adjust defaults for target platforms not supporting shared libs
	    cmake: define dependencies as `IMPORTED` interface targets
	    cmake: delete unused file `CMake/CMakeConfigurableFile.in`
	    cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON`
	    cmake: fix `ws2_32` reference in `curl-config.cmake`
	    cmake: honor `CURL_DISABLE_INSTALL` and `CURL_ENABLE_EXPORT_TARGET`
	    cmake: replace deprecated `OPENSSL_FOUND` with `OpenSSL_FOUND`
	    cmake: replace deprecated `PERL_FOUND` with `Perl_FOUND`
	    cmake: save and restore `CMAKE_MODULE_PATH` in `curl-config.cmake`
	    cmake: set found status to OFF when not found (for compression deps)
	    code: minor indent fixes before closing braces
	    CODE_STYLE.md: sync banned function list with checksrc.pl
	    compressed.md: might generate a huge amount of bytes
	    config-win32.h: delete obsolete, non-Windows comments
	    config-win32.h: drop unused/obsolete `CURL_HAS_OPENLDAP_LDAPSDK`
	    config2setopts: add space in cookie header with multiple -b
	    config2setopts: bail out if curl_url_get() returns OOM
	    config2setopts: exit if curl_url_set() fails on OOM
	    configure: delete unused variable
	    conncache: silence `-Wnull-dereference` on gcc 14 RISC-V 64
	    conncontrol: reuse handling
	    connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition'
	    connection: attached transfer count
	    content_encoding: avoid strcpy
	    cookie. return proper error on OOM
	    cookie: allocate the main struct once cookie is fine
	    cookie: flush better
	    cookie: only keep and use the canonical cleaned up path
	    cookie: propagate errors better, cleanup the internal API
	    cookie: return error on OOM
	    cookie: when parsing a cookie header, delay all allocations until okay
	    cshutdn: acknowledge FD_SETSIZE for shutdown descriptors
	    curl: fix progress meter in parallel mode
	    curl_fopen: do not pass invalid mode flags to `open()` on Windows
	    curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer
	    curl_ntlm_core: fix DES_* symbols for some wolfSSL builds
	    curl_quiche: refuse headers with CR, LF or null bytes
	    curl_sasl: if redirected, require permission to use bearer
	    curl_sasl: make Curl_sasl_decode_mech compare case insensitively
	    curl_setup.h: document more funcs flagged by `_CRT_SECURE_NO_WARNINGS`
	    curl_setup.h: drop stray `#undef stat` (Windows)
	    curl_setup.h: drop superfluous parenthesis from `Curl_safefree` macro
	    curl_threads: don't do another malloc if the first fails
	    curl_trc: delete unused DoH remains
	    CURLINFO: remove 'get' and 'get the' from each short desc
	    CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer"
	    CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text
	    CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use
	    CURLOPT_ACCEPT_ENCODING.md: warn about the expansion
	    CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/
	    CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use
	    CURLOPT_READFUNCTION.md: clarify the size of the buffer
	    CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
	    curlx/fopen: replace open CRT functions their with `_s` counterparts
		(Windows)
	    curlx/multibyte: stop setting macros for non-Windows
	    curlx/strerr: use `strerror_s()` on Windows
	    curlx: add `curlx_rename()`, fix to support long filenames on Windows
	    curlx: curlx_strcopy() instead of strcpy()
	    curlx: limit use of system allocators to the minimum possible
	    curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows)
	    curlx: replace `sprintf` with `snprintf`
	    curlx: use curl alloc in `curlx_win32_stat()` (Windows)
	    curlx: use curlx allocators in non-memdebug builds (Windows)
	    DEPRECATE: add CMake <3.18 deprecation for April 2026
	    digest: fix OWS and escaped quote handling
	    digest_sspi: fix a memory leak on error path
	    digest_sspi: properly free sspi identity
	    DISTROS.md: add OpenBSD
	    DISTROS: fix a Mageia URL
	    DISTROS: remove broken URLs for buildroot
	    doc: some returned in-memory data may not be altered
	    Dockerfile: update debian:bookworm-slim digest to e899040
	    docs/libcurl: fix C formatting nits
	    docs: add a note about --compressed to note about binary output
	    docs: clarify how to do unix domain sockets with SOCKS proxy
	    docs: fix checksrc `EQUALSPACE` warnings
	    docs: fix time_posttransfer output unit as seconds
	    docs: mention umask need when curl creates files
	    docs: remove dead URLs
	    docs: rename CURLcode variables to 'result'
	    docs: spell it Rustls with a capital R
	    docs: switch more URLs to https://
	    docs: use .example URLs for proxies
	    docs: use mresult as variable name for CURLMcode
	    escape: add a length check in curl_easy_escape
	    example: fix formatting nits
	    examples/crawler: fix variable
	    examples/multi-uv: fix invalid req->data access
	    examples/threaded-ssl: delete in favor of `examples/threaded`
	    examples/threaded: fix race condition
	    examples: fix minor typo
	    examples: make functions/data static where missing
	    examples: tidy-up headers and includes
	    examples: use 64-bit `fstat` on Windows
	    FAQ/TODO/KNOWN_BUGS: convert to markdown
	    FAQ: fix hackerone URL
	    file: do not pass invalid mode flags to `open()` on upload (Windows)
	    formdata: validate callback is non-NULL before use
	    ftp: make EPRT connections non-blocking
	    ftp: refactor a piece of code by merging the repeated part
	    ftp: remove #ifdef for define that is always defined
	    ftp: return better on OOM in two places
	    ftp: return from ftp_state_use_port immediately on OOM
	    getenv: drop internal 1-to-1 wrapper
	    getinfo: improve perf in debug mode
	    gnutls: add PROFILE_MEDIUM as default
	    gnutls: report accurate error when TLS-SRP is not built-in
	    gtls: add return checks and optimize the code
	    gtls: Call keylog_close in cleanup
	    gtls: skip session resumption when verifystatus is set
	    h2/h3: handle methods with spaces
	    headers: add length argument to Curl_headers_push()
	    hostcheck: fail wildcard match if host starts with a dot
	    hostip.h: drop redundant `setjmp.h` include
	    hostip: don't store negative lookup on OOM
	    hostip: make more functions return CURLcode
	    hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST
	    hsts: propagate and error out correctly on OOM
	    hsts: use one malloc instead of two per entry
	    http: acknowledge OOM errors from Curl_input_ntlm
	    http: avoid two strdup()s and do minor simplifications
	    http: error on OOM when creating range header
	    http: fix OOM exit in Curl_http_follow
	    http: handle oom error from Curl_input_digest()
	    http: replace atoi use in Curl_http_follow with curlx_str_number
	    http: return OOM errors from hsts properly
	    http: the :authority header should never contain user+password
	    http: unfold response headers earlier
	    idn: avoid allocations and wcslen on Windows
	    idn: clarify null-termination on Windows
	    idn: fix memory leak in `win32_ascii_to_idn()`
	    idn: use curlx allocators on Windows
	    imap: check buffer length before accessing it
	    imap: make sure Curl_pgrsSetDownloadSize() does not overflow
	    inet_ntop: avoid the strlen()
	    INSTALL-CMAKE.md: document static option defaults more
	    krb5: fix detecting channel binding feature
	    krb5_sspi: unify a part of error handling
	    ldap: call ldap_init() before setting the options
	    ldap: drop PP logic for old, unsupported, Windows SDKs
	    ldap: improve detection of Apple LDAP
	    ldap: provide version for "legacy" ldap as well
	    lib/sendf.h: forward declare two structs
	    lib: cleanup for some typos about spaces and code style
	    lib: create unitprotos.h in the builddir, not srcdir
	    lib: drop unused or duplicate `curlx/timeval.h` includes
	    lib: drop unused protocol headers
	    lib: eliminate size_t casts
	    lib: error for OOM when extracting URL query
	    lib: fix formatting nits (part 2)
	    lib: fix formatting nits (part 3)
	    lib: fix formatting nits
	    lib: fix gssapi.h include on IBMi
	    lib: name the main CURLMcode variable 'mresult'
	    lib: refactor the type of funcs which have useless return and checks
	    lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows)
	    lib: timer stats improvements
	    lib: use `SOCKET_WRITABLE()`/`SOCKET_READABLE()` where possible
	    libssh2: add paths to error messages for quote commands
	    libssh2: cleanup ssh_force_knownhost_key_type
	    libssh2: consider strdup() failures OOM and return correctly
	    libssh2: replace atoi() in ssh_force_knownhost_key_type
	    libssh: fix state machine loop to progress as it should
	    libssh: properly free sftp_attributes
	    libssh: require private key or user-agent for public key auth
	    libssh: set both knownhosts options to the same file
	    libtests: replace `atoi()` with `curlx_str_number()`
	    limit-rate: add example using --limit-rate and --max-time together
	    localtime: detect thread-safe alternatives and use them
	    m4/sectrust: fix test(1) operator
	    manage: expand the 'libcurl support required' message
	    mbedTLS: cleanup insecure/deprecated code
	    mbedtls: fix potential use of uninitialized `nread`
	    mbedtls: sync format across log messages
	    mbedtls_threadlock: avoid calloc, use array
	    mdlinkcheck: ignore IP numbers, allow '@' in raw URLs
	    mdlinkcheck: only look for markdown links in markdown files
	    memdebug: add mutex for thread safety
	    memdebug: fix realloc logging
	    mk-ca-bundle.md: the file format docs URL is permaredirected
	    mk-ca-bundle.pl: default to SHA256 fingerprints with `-t` option
	    mk-ca-bundle.pl: use `open()` with argument list to replace backticks
	    mqtt: reject overly big messages
	    mqtt: return error when a too large packet is decoded
	    multi: make max_total_* members size_t
	    multi: remove MSTATE_TUNNELING
	    multi: simplify admin handle processing
	    multibyte: limit `curlx_convert_*wchar*()` functions to Unicode builds
	    ngtcp2+openssl: fix leak of session
	    ngtcp2: remove the unused Curl_conn_is_ngtcp2 function
	    ngtcp2: retune window sizes
	    noproxy: fix build on systems without IPv6
	    noproxy: fix ipv6 handling
	    noproxy: replace atoi with curlx_str_number
	    openssl: exit properly on OOM when getting certchain
	    openssl: fix a potential memory leak of bio_out
	    openssl: fix a potential memory leak of params.cert
	    openssl: fix building against no-dsa openssl
	    openssl: fix building against no-ocsp openssl with Apple SecTrust
	    openssl: no verify failf message unless strict
	    openssl: release ssl_session if sess_reuse_cb fails
	    openssl: remove code handling default version
	    openssl: simplify `HAVE_KEYLOG_CALLBACK` guard
	    openssl: stop checking for `OPENSSL_NO_SHA*` macros
	    openssl: stop checking for `OPENSSL_NO_TLSEXT` macro
	    openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
	    OS400/ccsidcurl: fix curl_easy_setopt_ccsid for non-converted blobs
	    OS400/makefile.sh: fix shellcheck warning SC2038
	    os400sys: replace `strcpy()` with `memcpy()`
	    osslq: code readability
	    progress: make it one column narrower
	    progress: narrower time display, multiple fixes
	    progress: show fewer digits
	    projects/README.md: Markdown fixes
	    pytest fixes and improvements
	    pytest: add tests using sshd
	    pytest: disable two H3 earlydata tests for all platforms (was: macOS)
	    pytest: do not ignore server issues
	    pytest: enable OCSP test 17_08 for LibreSSL
	    pytest: fix and improve reliability
	    pytest: improve stragglers
	    pytest: quiche flakiness
	    pytest: skip H2 tests if feature missing from curl
	    quiche: use client writer
	    ratelimit blocking: fix busy loop
	    ratelimit: redesign
	    rtmp: fix double-free on URL parse errors
	    rtmp: precaution for a potential integer truncation
	    rtmp: stop redefining `setsockopt` system symbol on Windows
	    runner.pm: run memanalyzer as a Perl module
	    runtests: add options to set minimum number of tests, use them
	    runtests: detect bad libssh differently for test 1459
	    runtests: drop Python 2 support remains
	    runtests: enable torture testing with threaded resolver
	    runtests: improve XML prolog check, enable `-w` permanently, fix two tests
	    runtests: make memanalyzer a Perl module (for 1.1-2x speed-up per test run)
	    rustls: fix a potential memory issue
	    rustls: minor adjustment of sizeof()
	    rustls: simplify init err path
	    rustls: verify that verifier_builder is not NULL
	    schannel: cap the maximum allowed size for loading cert
	    schannel: fix memory leak of cert_store_path on four error paths
	    schannel: replace atoi() with curlx_str_number()
	    schannel: use Win8 `CERT_NAME_SEARCH_ALL_NAMES_FLAG` with old SDKs
	    schannel_verify: fix a memory leak of cert_context
	    scripts: fix shellcheck SC2046 warnings
	    scripts: use end-of-options marker in `find -exec` commands
	    setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL
	    setopt: when setting bad protocols, don't store them
	    sftp: fix range downloads in both SSH backends
	    slist: constify Curl_slist_append_nodup() string argument
	    smb: fix a size check to be overflow safe
	    socketpair: drop redundant `_WIN32` branch and include
	    socks_sspi: use free() not FreeContextBuffer()
	    source: misc typos
	    speedcheck: do not trigger low speed cancel on transfers with
		CURL_READFUNC_PAUSE
	    speedlimit: also reset on send unpausing
	    src: drop redundant definition of `BIT()`
	    src: fix formatting nits
	    ssh: tracing and better pollset handling
	    sspi: fix memory leaks on error paths in `Curl_create_sspi_identity()`
	    sws: fix binding to unix socket on Windows
	    synctime: tidy up, make it work on all platforms
	    telnet: abort on bad suboption sequence
	    telnet: replace atoi for BINARY handling with curlx_str_number
	    TEST-SUITE.md: correct the man page's path
	    test07_22: fix flakiness
	    test1475: consistently use %CR in headers
	    test1498: disable 'HTTP PUT from stdin' test on Windows
	    test2045: replace HTML multi-line comment markup with `#` comments
	    test318: tweak the name a little
	    test3207: enable memdebug for this test again
	    test363: delete stray character (typo) from a section tag
	    test568: fix codespell, catch it next time early in CI
	    test568: remove what looks like an email and a URL
	    test787: fix possible typo `&` -> `%` in curl option
	    test96: fix to accept non-unity memdump content with MSVC
	    tests/data: move `--libcurl` output to external data files
	    tests/data: replace hard-coded test numbers with `%TESTNUMBER`
	    tests/data: support using native newlines on disk, drop `.gitattributes`
	    tests/server: do not fall back to original data file in `test2fopen()`
	    tests/server: fix initialization on Windows Vista+
	    tests/server: replace `atoi()` and `atol()` with `curlx_str_number()`
	    tests: add `%AMP` macro, use it in two tests
	    tests: add a standard log line for alloc failures
	    tests: allow 2500-2503 to use ~2MB malloc
	    tests: drop redundant parenthesis from two macro expressions
	    tests: fix formatting nits
	    tests: rename CURLMcode variables to mresult
	    tftp: release filename if conn_get_remote_addr fails
	    tftpd: fix/tidy up `open()` mode flags
	    tidy-up: avoid `(())`, clang-format fixes and more
	    tidy-up: move `CURL_UNCONST()` out from macro `curl_unicodefree()`
	    tidy-up: URLs (cont.) and mdlinkcheck
	    tidy-up: URLs
	    TODO: remove a mandriva.com reference
	    tool: consider (some) curl_easy_setopt errors fatal
	    tool: log when loading .curlrc in verbose mode
	    tool_cfgable: free ssl-sessions at exit
	    tool_doswin: clear pointer when thread takes ownership
	    tool_doswin: increase allowable length of path sanitizer
	    tool_doswin: remove the max length check
	    tool_getparam: simplify the --rate parser
	    tool_getparam: use memdup0() instead of malloc + copy
	    tool_getparam: verify that a file exists for some options
	    tool_help: add checks to avoid unsigned wrap around
	    tool_ipfs: check return codes better
	    tool_msgs: make voutf() use stack instead of heap
	    tool_operate: exit on curl_share_setopt errors
	    tool_operate: fix a case of ignoring return code in operate()
	    tool_operate: fix case of ignoring return code in single_transfer
	    tool_operate: remove redundant condition
	    tool_operate: return error for OOM in append2query
	    tool_operate: use curlx_str_number instead of atoi
	    tool_paramhlp: refuse --proto remove all protocols
	    tool_paramhlp: remove a malloc+free from proto2num()
	    tool_paramhlp: simplify number parsing
	    tool_progress: fix large time outputs and decimal size display
	    tool_urlglob: acknowledge OOM in peek_ipv6
	    tool_urlglob: clean up used memory on errors better
	    tool_urlglob: constify an argument
	    tool_urlglob: fix propagating OOM error from `sanitize_file_name()`
	    tool_urlglob: support globs as long as config line lengths
	    tool_writeout: bail out proper on OOM
	    url: fix return code for OOM in parse_proxy()
	    url: if curl_url_get() fails due to OOM, error out properly
	    url: if OOM in parse_proxy() return error
	    url: return error at once when OOM in netrc handling
	    urlapi: fix mem-leaks in curl_url_get error paths
	    urlapi: handle OOM properly when setting URL
	    urlapi: return OOM correctly from parse_hostname_login()
	    verify-release: update to avoid shellcheck warning SC2034
	    vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
	    vquic: do not pass invalid mode flags to `open()` (Windows)
	    vquic: do_sendmsg full init
	    vquic: ignore 0-length UDP packets
	    vquic: initialize new callback in nghttp3 1.14.0+
	    vtls: drop unused `use_alpn` from `ssl_connect_data` struct
	    vtls: fix CURLOPT_CAPATH use
	    vtls: handle possible malicious certs_num from peer
	    vtls: pinned key check
	    VULN-DISCLOSURE-POLICY.md: CRLF in data
	    wcurl: import v2025.11.09
	    wcurl: import v2026.01.05
	    windows: assume `USE_WIN32_LARGE_FILES`
	    windows: fix `CreateFile()` calls to support long filenames
	    windows: use `_strdup()` instead of `strdup()` where missing
	    wolfSSL: able to differentiate between IP and DNS in alt names
	    wolfssl: avoid NULL dereference in OOM situation
	    wolfssl: fix a potential memory leak of session
	    wolfssl: fix cipher list, skip 5.8.4 regression
	    wolfssl: fix possible assert with `!HAVE_NO_EX` wolfSSL builds
	    wolfssl: proof use of wolfSSL_i2d_SSL_SESSION
	    wolfssl: simplify wssl_send_earlydata
	    ws: replace a cast by matching the format string
	    x509asn1: drop unused `hostcheck.h`, `vtls_int.h` includes

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/curl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)