Version in base suite: 7.88.1-10+deb12u14 Base version: curl_7.88.1-10+deb12u14 Target version: curl_7.88.1-10+deb12u15 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_7.88.1-10+deb12u14.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_7.88.1-10+deb12u15.dsc changelog | 13 ++++ patches/CVE-2025-10148.patch | 82 ++++++++++++++++++++++++++++++ patches/CVE-2025-14524.patch | 44 ++++++++++++++++ patches/CVE-2025-14819.patch | 76 ++++++++++++++++++++++++++++ patches/CVE-2026-3783.patch | 44 ++++++++++++++++ patches/CVE-2026-3784.patch | 58 +++++++++++++++++++++ patches/CVE-2026-5773.patch | 50 ++++++++++++++++++ patches/CVE-2026-7168.patch | 115 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 9 +++ 9 files changed, 491 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpw1utrq_u/curl_7.88.1-10+deb12u14.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpw1utrq_u/curl_7.88.1-10+deb12u15.dsc: no acceptable signature found diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog --- curl-7.88.1/debian/changelog 2025-07-19 19:04:59.000000000 +0000 +++ curl-7.88.1/debian/changelog 2026-05-08 14:16:21.000000000 +0000 @@ -1,3 +1,16 @@ +curl (7.88.1-10+deb12u15) bookworm; urgency=medium + + * Fix 7 CVEs: + - CVE-2025-10148 + - CVE-2025-14524 + - CVE-2025-14819 + - CVE-2026-3783 + - CVE-2026-3784 + - CVE-2026-5773 + - CVE-2026-7168 + + -- Samuel Henrique Fri, 08 May 2026 07:16:21 -0700 + curl (7.88.1-10+deb12u14) bookworm; urgency=medium * d/p/0001-http_chunks-reset...: New patch to fix memory leak: diff -Nru curl-7.88.1/debian/patches/CVE-2025-10148.patch curl-7.88.1/debian/patches/CVE-2025-10148.patch --- curl-7.88.1/debian/patches/CVE-2025-10148.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/CVE-2025-10148.patch 2026-05-08 14:16:21.000000000 +0000 
@@ -0,0 +1,82 @@ +From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 8 Sep 2025 14:14:15 +0200 +Subject: [PATCH] ws: get a new mask for each new outgoing frame + +Reported-by: Calvin Ruocco +Closes #18496 + +Backported-by: Samuel Henrique +Backported-by: Alex +Changes: +* Refresh patch context for lib/ws.c +* Adapt return value to current function return type + +Backported by: Samuel Henrique + +Changes: +* Apply the per-frame mask generation in ws_packethead() (bookworm + 7.88.1) rather than upstream's ws_enc_add_frame() (and trixie's + ws_enc_write_head()), since the bookworm code path that builds the + outgoing frame header is structurally different. On Curl_rand() + failure return 0 -- ws_packethead() already uses 0 as the + soft-error sentinel for buffer-too-small. +* Preserve the DEBUGBUILD CURL_WS_FORCE_ZERO_MASK escape hatch + alongside the new per-frame mask generation, matching upstream. +* Remove the corresponding one-time mask generation in + Curl_ws_accept(), and initialise `result` to CURLE_OK at + declaration since it is no longer unconditionally assigned by the + removed Curl_rand() call. +--- + lib/ws.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/lib/ws.c b/lib/ws.c +index 0fc5e56..992357c 100644 +--- a/lib/ws.c ++++ b/lib/ws.c +@@ -127,7 +127,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data, + struct connectdata *conn = data->conn; + struct websocket *wsp = &data->req.p.http->ws; + struct ws_conn *wsc = &conn->proto.ws; +- CURLcode result; ++ CURLcode result = CURLE_OK; + + /* Verify the Sec-WebSocket-Accept response. + +@@ -148,13 +148,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data, + subprotocol not requested by the client), the client MUST Fail + the WebSocket Connection. 
*/ + +- /* 4 bytes random */ +- result = Curl_rand(data, (unsigned char *)&ws->ws.mask, sizeof(ws->ws.mask)); +- if(result) +- return result; +- +- infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x", +- ws->ws.mask[0], ws->ws.mask[1], ws->ws.mask[2], ws->ws.mask[3]); ++ infof(data, "Received 101, switch to WebSocket"); + Curl_dyn_init(&wsc->early, data->set.buffer_size); + if(nread) { + result = Curl_dyn_addn(&wsc->early, mem, nread); +@@ -628,6 +622,20 @@ static size_t ws_packethead(struct Curl_easy *data, + firstbyte); + infof(data, "WS: send payload len %u", (int)len); + ++ /* 4 bytes random */ ++ { ++ CURLcode result = Curl_rand(data, (unsigned char *)&ws->ws.mask, ++ sizeof(ws->ws.mask)); ++ if(result) ++ return 0; ++ } ++ ++#ifdef DEBUGBUILD ++ if(getenv("CURL_WS_FORCE_ZERO_MASK")) ++ /* force the bit mask to 0x00000000, effectively disabling masking */ ++ memset(&ws->ws.mask, 0, sizeof(ws->ws.mask)); ++#endif ++ + /* 4 bytes mask */ + memcpy(&out[outi], &ws->ws.mask, 4); + diff -Nru curl-7.88.1/debian/patches/CVE-2025-14524.patch curl-7.88.1/debian/patches/CVE-2025-14524.patch --- curl-7.88.1/debian/patches/CVE-2025-14524.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/CVE-2025-14524.patch 2026-05-08 14:16:21.000000000 +0000 
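Review bot: In the `ws_packethead()` hunk, a `Curl_rand()` failure is folded into the same `return 0` that the patch header says already means buffer-too-small, so a caller cannot tell a failed mask generation from the existing soft error. The callers are outside this patch; confirm that each one stops sending on a 0 return rather than treating it as "no header bytes", because otherwise data could go out with a mask that was not freshly generated. At minimum the failure should be visible to the application, for example `failf(data, "WS: could not generate a frame mask");` just before the `return 0;`.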
@@ -0,0 +1,44 @@ +From: Daniel Stenberg +Date: Wed, 10 Dec 2025 11:40:47 +0100 +Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer + +Closes #19933 + +Backported-by: Samuel Henrique + * Refresh patch context for lib/curl_sasl.c + +Backported by: Samuel Henrique + * Refresh line numbers for bookworm 7.88.1: same functions + (Curl_sasl_start and Curl_sasl_continue), -7 line offset. +--- + lib/curl_sasl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c +index 119fb9b..2dd6b00 100644 +--- a/lib/curl_sasl.c ++++ b/lib/curl_sasl.c +@@ -349,7 +349,10 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, + data->set.str[STRING_SERVICE_NAME] : + sasl->params->service; + #endif +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; ++ + struct bufref nullmsg; + + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); +@@ -536,7 +539,10 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, + data->set.str[STRING_SERVICE_NAME] : + sasl->params->service; + #endif +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; ++ + struct bufref serverdata; + + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); diff -Nru curl-7.88.1/debian/patches/CVE-2025-14819.patch curl-7.88.1/debian/patches/CVE-2025-14819.patch --- curl-7.88.1/debian/patches/CVE-2025-14819.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/CVE-2025-14819.patch 2026-05-08 14:16:21.000000000 +0000 
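Review bot: The same three-line condition for withholding the bearer token is pasted into both `Curl_sasl_start()` and `Curl_sasl_continue()` with no comment, so the two copies can drift apart and the reason for the `NULL` is not recorded where it is used. A comment above each, such as `/* on a redirect, only use the bearer token if auth to other hosts was allowed */`, would record the intent. The test is on `this_is_a_follow` alone, so as written the token appears to be withheld on every followed redirect, including one back to the original host, unless `allow_auth_to_other_hosts` is set; if that is intended, the comment should say so. Both function bodies continue outside the hunks.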
@@ -0,0 +1,76 @@ +From: Daniel Stenberg +Date: Wed, 17 Dec 2025 10:54:16 +0100 +Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a + different CA cache + +Reported-by: Stanislav Fort + +Closes #20009 + +Backported-by: Samuel Henrique + * Refresh patch context for lib/vtls/openssl.c + +Backported by: Samuel Henrique + * Bookworm 7.88.1 names the cache struct `multi_ssl_backend_data` + (vs `ossl_x509_share` in 8.14.1+) and the helpers `cached_x509_store_*` + (without the `ossl_` prefix). Apply the same logic against those names. + Replace the upstream `CURL_UNCONST(data)` macro with a plain + `(struct Curl_easy *)data` cast since CURL_UNCONST does not exist in + bookworm. +--- + lib/vtls/openssl.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 6557783..1f2579e 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -302,6 +302,7 @@ struct multi_ssl_backend_data { + char *CAfile; /* CAfile path used to generate X509 store */ + X509_STORE *store; /* cached X509 store or NULL if none */ + struct curltime time; /* when the cached store was created */ ++ BIT(no_partialchain); /* keep partial chain state */ + }; + #endif /* HAVE_SSL_X509_STORE_SHARE */ + +@@ -3339,9 +3340,14 @@ static bool cached_x509_store_expired(const struct Curl_easy *data, + + static bool cached_x509_store_different( + struct Curl_cfilter *cf, ++ const struct Curl_easy *data, + const struct multi_ssl_backend_data *mb) + { + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); ++ struct ssl_config_data *ssl_config = ++ Curl_ssl_cf_get_config(cf, (struct Curl_easy *)data); ++ if(mb->no_partialchain != ssl_config->no_partialchain) ++ return true; + if(!mb->CAfile || !conn_config->CAfile) + return mb->CAfile != conn_config->CAfile; + +@@ -3358,7 +3364,7 @@ static X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf, + multi->ssl_backend_data && + 
multi->ssl_backend_data->store && + !cached_x509_store_expired(data, multi->ssl_backend_data) && +- !cached_x509_store_different(cf, multi->ssl_backend_data)) { ++ !cached_x509_store_different(cf, data, multi->ssl_backend_data)) { + store = multi->ssl_backend_data->store; + } + +@@ -3386,6 +3392,8 @@ static void set_cached_x509_store(struct Curl_cfilter *cf, + + if(X509_STORE_up_ref(store)) { + char *CAfile = NULL; ++ struct ssl_config_data *ssl_config = ++ Curl_ssl_cf_get_config(cf, (struct Curl_easy *)data); + + if(conn_config->CAfile) { + CAfile = strdup(conn_config->CAfile); +@@ -3403,6 +3411,7 @@ static void set_cached_x509_store(struct Curl_cfilter *cf, + mbackend->time = Curl_now(); + mbackend->store = store; + mbackend->CAfile = CAfile; ++ mbackend->no_partialchain = ssl_config->no_partialchain; + } + } + diff -Nru curl-7.88.1/debian/patches/CVE-2026-3783.patch curl-7.88.1/debian/patches/CVE-2026-3783.patch --- curl-7.88.1/debian/patches/CVE-2026-3783.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/CVE-2026-3783.patch 2026-05-08 14:16:21.000000000 +0000 
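Review bot: The `(struct Curl_easy *)data` cast drops the `const` qualifier in both `cached_x509_store_different()` and `set_cached_x509_store()`, and the only explanation is in the patch header, not in the code. A comment at each cast would keep a later reader from treating it as a licence to modify the handle, for example `/* cast away const: Curl_ssl_cf_get_config() wants a non-const handle, the config is only read here */`; this assumes the helper does not write through the pointer, which should be confirmed. The new field comment could also say what the bit is for, e.g. `/* no_partialchain setting the cached store was built with */`, since it is now part of the decision to reuse the cached store.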
@@ -0,0 +1,44 @@ +From: Daniel Stenberg +Date: Fri, 6 Mar 2026 23:13:07 +0100 +Subject: [PATCH] http: only send bearer if auth is allowed + +Verify with test 2006 + +Closes #20843 + +Backported-by: Samuel Henrique + * Refresh patch context for lib/http.c + * Adapt the new tests/data/test2006: reuse the + existing test486 as the base (similarity-copy in the diff), keep the + test definition structurally as upstream wants but also drop the two + now-stale "#" comment lines that already differ between upstream's and + our test486. + +Backported by: Samuel Henrique + * Bookworm 7.88.1: same output_auth_headers() function, just at + line 793 (offset +97 vs trixie). Apply only the lib/http.c hunk. + * Drop the test additions: bookworm has neither tests/data/test486 + (which trixie's test2006 was copy-derived from) nor a way to add + it without pulling in a non-trivial amount of unrelated test + infrastructure. The security property is the + Curl_auth_allowed_to_host() guard itself; tests are nice-to-have. +--- + lib/http.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 3829d72..cbed451 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -793,8 +793,9 @@ output_auth_headers(struct Curl_easy *data, + } + if(authstatus->picked == CURLAUTH_BEARER) { + /* Bearer */ +- if((!proxy && data->set.str[STRING_BEARER] && +- !Curl_checkheaders(data, STRCONST("Authorization")))) { ++ if(!proxy && data->set.str[STRING_BEARER] && ++ Curl_auth_allowed_to_host(data) && ++ !Curl_checkheaders(data, STRCONST("Authorization"))) { + auth = "Bearer"; + result = http_output_bearer(data); + if(result) diff -Nru curl-7.88.1/debian/patches/CVE-2026-3784.patch curl-7.88.1/debian/patches/CVE-2026-3784.patch --- curl-7.88.1/debian/patches/CVE-2026-3784.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/CVE-2026-3784.patch 2026-05-08 14:16:21.000000000 +0000 
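Review bot: The new condition calls `Curl_auth_allowed_to_host(data)`, but this patch adds no declaration for it and drops the regression test, so nothing visible here shows that the helper exists under that name in the 7.88.1 tree. The backport notes of the other patches in this upload list several identifiers that are spelled differently in bookworm than upstream, so the name should be checked against bookworm's `lib/http.c` and the package built with implicit-declaration warnings treated as errors. With test 2006 dropped, a manual check that a redirected request to another host no longer carries the `Authorization: Bearer` header is the only verification of this guard. `output_auth_headers()` starts and ends outside the hunk.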
@@ -0,0 +1,58 @@ +From: Stefan Eissing +Date: Fri, 6 Mar 2026 14:54:09 +0100 +Subject: [PATCH] proxy-auth: additional tests + +Also eliminate the special handling for socks proxy match. + +Closes #20837 + +Backported-by: Samuel Henrique + * Refresh patch context for lib/url.c + +Backported by: Samuel Henrique + * Bookworm 7.88.1: same proxy_info_matches and + socks_proxy_info_matches functions, just at line 863. Bookworm's + proxy_info_matches still uses strcasecompare() (upstream switched + to curl_strequal() at some point post-7.88.1), so leave that + call alone -- only add the new Curl_timestrcmp() user/passwd + check inside it. Keep socks_proxy_info_matches() in place and + switch the call site at line 1214 from socks_proxy_info_matches + to proxy_info_matches, matching the trixie minimal-diff approach. + * Drop the tests/http/test_13_proxy_auth.py and + tests/http/testenv/curl.py hunks: bookworm has no tests/http/ + pytest infrastructure at all (those tests appeared in upstream + later than 7.88.1). 
+--- + lib/url.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index cf0ad07..5243373 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -865,9 +865,13 @@ proxy_info_matches(const struct proxy_info *data, + { + if((data->proxytype == needle->proxytype) && + (data->port == needle->port) && +- strcasecompare(data->host.name, needle->host.name)) +- return TRUE; ++ strcasecompare(data->host.name, needle->host.name)) { + ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) ++ return FALSE; ++ return TRUE; ++ } + return FALSE; + } + +@@ -1208,8 +1212,7 @@ ConnectionExists(struct Curl_easy *data, + continue; + + if(needle->bits.socksproxy && +- !socks_proxy_info_matches(&needle->socks_proxy, +- &check->socks_proxy)) ++ !proxy_info_matches(&needle->socks_proxy, &check->socks_proxy)) + continue; + #endif + if(needle->bits.conn_to_host != check->bits.conn_to_host) diff -Nru curl-7.88.1/debian/patches/CVE-2026-5773.patch curl-7.88.1/debian/patches/CVE-2026-5773.patch --- curl-7.88.1/debian/patches/CVE-2026-5773.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/CVE-2026-5773.patch 2026-05-08 14:16:21.000000000 +0000 
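Review bot: After the `ConnectionExists()` hunk switches to `proxy_info_matches()`, `socks_proxy_info_matches()` is kept (per the patch header) but this patch shows no remaining caller; if that call site was its only user, the result is an unused static function and a `-Wunused-function` warning. Removing it in the same patch, or marking it with a comment explaining why it is retained, would avoid a dead helper that looks like an alternative, weaker match function. The new credential check in `proxy_info_matches()` would also benefit from a short comment such as `/* user and password must match exactly; compared in constant time */`. Both functions extend outside the hunks shown.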
@@ -0,0 +1,50 @@ +From: Daniel Stenberg +Date: Sun, 5 Apr 2026 18:23:35 +0200 +Subject: [PATCH] protocol: disable connection reuse for SMB(S) + +Connections should only be reused when using the same "share" (and +perhaps some additional conditions), but instead of fixing this flaw, +this change completely disables connection reuse for SMB. This protocol +is about to get dropped soon anyway. + +Reported-by: Osama Hamad +Closes #21238 + +Backported-by: Samuel Henrique + * Upstream removes PROTOPT_CONN_REUSE from the SMB and SMBS scheme + registrations in lib/protocol.c. That flag (and the lib/protocol.c scheme + registry itself) only exists from upstream commit + feea96851230c7a5a11feaffa0a5e4a4d30e5e63 ("conncontrol: reuse handling", Nov + 2025) onward, so neither is present in 8.14.1. In 8.14.1 SMB connection + reuse is instead controlled at runtime via connkeep() / connclose(), and + lib/smb.c explicitly calls connkeep() in smb_connect() to mark SMB + connections as eligible for reuse. Replace that connkeep() with a + connclose() so SMB connections are marked as not-reusable, achieving the + same effect as the upstream change. + +Backported by: Samuel Henrique + * Bookworm 7.88.1: same connkeep() call in smb_connect() at line + 271. Apply the same connkeep() -> connclose() swap; this version + also lacks PROTOPT_CONN_REUSE so the runtime approach is the + only way to express "do not reuse this connection". 
+--- + lib/smb.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 097874b..24c319c 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -267,8 +267,10 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done) + if(!smbc->recv_buf) + return CURLE_OUT_OF_MEMORY; + +- /* Multiple requests are allowed with this connection */ +- connkeep(conn, "SMB default"); ++ /* SMB does not allow connection reuse: connections should only be reused ++ when using the same "share" (and possibly other conditions), but rather ++ than implementing that, mark every SMB connection as not reusable. */ ++ connclose(conn, "SMB does not allow connection reuse"); + + /* Parse the username, domain, and password */ + slash = strchr(conn->user, '/'); diff -Nru curl-7.88.1/debian/patches/CVE-2026-7168.patch curl-7.88.1/debian/patches/CVE-2026-7168.patch --- curl-7.88.1/debian/patches/CVE-2026-7168.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/CVE-2026-7168.patch 2026-05-08 14:16:21.000000000 +0000 
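Review bot: `connclose()` is issued once near the top of `smb_connect()`, so the no-reuse guarantee holds only if nothing later in `lib/smb.c` calls `connkeep()` on the same connection; that code is outside this hunk and should be checked as part of the backport. The patch adds no regression test, so it is worth confirming by hand that two sequential SMB transfers on one handle to different shares open two connections. The new comment could record the constraint for future edits, e.g. by appending `Do not re-enable reuse with connkeep() elsewhere in this file.`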
@@ -0,0 +1,115 @@ +From: Daniel Stenberg +Date: Mon, 27 Apr 2026 09:14:51 +0200 +Subject: [PATCH] setopt: clear proxy auth properties when switching + +Verify with test 1588 + +Closes #21453 + +Backported-by: Samuel Henrique + * lib/setopt.c: upstream's CURLOPT_PROXY case lives in a dedicated + setopt_cptr_proxy() function; in 8.14.1 it is still inline in the + setopt_cptr() switch. The setproxy() helper is added directly + above setopt_cptr() and the inline Curl_setstropt() call is + swapped for setproxy(). + * lib/vauth/vauth.h: upstream's hunk also adds a no-op + Curl_auth_is_digest_supported() macro to the CURL_DISABLE_DIGEST_AUTH + branch, but our 8.14.1 vauth.h has no such #else branch (the file + ends the digest block with a bare #endif). Add only the + Curl_auth_digest_cleanup(x) no-op macro inside a new #else, which + is the part actually needed by setproxy() in disable-digest builds. + * tests/data/test1588: regression test from upstream with two changes: + crlf="headers" -> crlf="yes" so the 8.14.1 test runner correctly + applies CRLF to header lines on both the server-side data and the + expected protocol block; and the "digest" entry in is + dropped because the 8.14.1 curlinfo emits the feature toggle as + "digest-auth" rather than "digest", so the unmodified feature gate + would always SKIP the test on this branch. Other digest-auth tests + (e.g. test1061) similarly do not list "digest" as a required + feature. + * tests/libtest/lib1588.c: rewritten to use the 8.14.1 libtest + harness (test.h / CURLcode test(char *URL) / easy_init / easy_setopt + with goto test_cleanup) instead of upstream's newer first.h-based + one. The init1588() helper also reuses the parent's test_cleanup + label rather than upstream's separate init_failed label, since + 8.14.1's easy_setopt jumps directly to test_cleanup. 
+ +Backported by: Samuel Henrique + * Bookworm 7.88.1: lib/setopt.c is a single Curl_vsetopt() function + with one big switch (no setopt_cptr() sub-switch like trixie). + Add the setproxy() helper just above Curl_vsetopt() instead, and + replace the inline Curl_setstropt() in the CURLOPT_PROXY case + with `result = setproxy(data, va_arg(param, char *));`. + * lib/vauth/vauth.h: bookworm uses CURL_DISABLE_CRYPTO_AUTH (the + pre-split spelling) instead of CURL_DISABLE_DIGEST_AUTH. Add the + no-op Curl_auth_digest_cleanup(x) macro under the matching + #else branch. + * Drop the test additions: bookworm has neither the test1588 + xml-test infrastructure for CONNECT-based digest replay nor the + modern libtest harness (test.h / CURLcode test(char *URL)) the + trixie adaptation rewrote against -- backporting the test would + require touching the test runner setup more aggressively than is + appropriate for a stable update. The security property (proxy + auth state cleared on CURLOPT_PROXY change) is the setproxy() + helper itself. +--- + lib/setopt.c | 18 ++++++++++++++++-- + lib/vauth/vauth.h | 2 ++ + 2 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 8862e0c..4a40a09 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -50,6 +50,7 @@ + #include "multiif.h" + #include "altsvc.h" + #include "hsts.h" ++#include "vauth/vauth.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -186,6 +187,20 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val) + return CURLE_OK; + } + ++#ifndef CURL_DISABLE_PROXY ++static CURLcode setproxy(struct Curl_easy *data, const char *proxy) ++{ ++ if((data->set.str[STRING_PROXY] && proxy) && ++ /* there was one set, is this a new one? 
*/ ++ !strcmp(data->set.str[STRING_PROXY], proxy)) ++ return CURLE_OK; /* same one as before */ ++ ++ Curl_auth_digest_cleanup(&data->state.proxydigest); ++ memset(&data->state.authproxy, 0, sizeof(data->state.authproxy)); ++ return Curl_setstropt(&data->set.str[STRING_PROXY], proxy); ++} ++#endif ++ + /* + * Do not make Curl_vsetopt() static: it is called from + * packages/OS400/ccsidcurl.c. +@@ -1140,8 +1155,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * Setting it to NULL, means no proxy but allows the environment variables + * to decide for us (if CURLOPT_SOCKS_PROXY setting it to NULL). + */ +- result = Curl_setstropt(&data->set.str[STRING_PROXY], +- va_arg(param, char *)); ++ result = setproxy(data, va_arg(param, char *)); + break; + + case CURLOPT_PRE_PROXY: +diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h +index e17d7aa..8c09764 100644 +--- a/lib/vauth/vauth.h ++++ b/lib/vauth/vauth.h +@@ -119,6 +119,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, + + /* This is used to clean up the digest specific data */ + void Curl_auth_digest_cleanup(struct digestdata *digest); ++#else ++#define Curl_auth_digest_cleanup(x) + #endif /* !CURL_DISABLE_CRYPTO_AUTH */ + + #ifdef USE_GSASL diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series --- curl-7.88.1/debian/patches/series 2025-07-19 19:04:59.000000000 +0000 +++ curl-7.88.1/debian/patches/series 2026-05-08 14:16:21.000000000 +0000 @@ -62,6 +62,15 @@ # Patches from 8.12.0. CVE-2025-0167.patch +# Patches from 8.16.0. +CVE-2025-10148.patch +CVE-2025-14524.patch +CVE-2025-14819.patch +CVE-2026-3783.patch +CVE-2026-3784.patch +CVE-2026-5773.patch +CVE-2026-7168.patch + # Fix test issues with port clashes, now each build has a different random seed. runtests.pl-Increase-variance-of-random-seed-used-for-tes.patch
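Review bot: `setproxy()` carries the whole fix but is added without a function comment, and the patch header notes that the regression test was dropped, so the code itself should state the contract. A header such as `/* setproxy() stores the proxy string; if it differs from the current one, the proxy Digest state and proxy auth bookkeeping are cleared so they are not reused with the new proxy */` would do. The early return is taken only when both strings are non-NULL and equal, so a NULL-to-NULL change still clears the state; that looks harmless but should be mentioned in the comment. The empty `#define Curl_auth_digest_cleanup(x)` in `lib/vauth/vauth.h` would also read better with a trailing `/* no digest state to free in this build */`.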