Roll out cURL 8.11.1

[cmb69]

cURL 8.11.0 has been released, fixing CVE-2024-9681. Given that is a low severity issue, it might not be necessary to update stable branches right away (should wait after GA at least). I've already pushed the update to master, and did quick testing as usual, and found that now Websocket support is enabled by default. Probably not a problem, since that seems to require special support in ext/curl; otherwise I'd be wary to roll it out to stable versions.

Note that nghttp2 1.64.0 is available to be built as prerequisite for the cURL update.

@nielsdos, any thoughts about the update?

[cmb69]

Ah forgot: if we roll 8.11.0 out with Websocket support, we need to apply the following patch to php-src:

 ext/curl/tests/check_win_config.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/curl/tests/check_win_config.phpt b/ext/curl/tests/check_win_config.phpt
index b3beb044a7..8330a95564 100644
--- a/ext/curl/tests/check_win_config.phpt
+++ b/ext/curl/tests/check_win_config.phpt
@@ -54,7 +54,7 @@
 ZSTD => No
 HSTS => Yes
 GSASL => No
-Protocols => dict, file, ftp, ftps, gopher, %r(gophers, )?%rhttp, https, imap, imaps, ldap, ldaps, %r(mqtt, )?%rpop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
+Protocols => dict, file, ftp, ftps, gopher, %r(gophers, )?%rhttp, https, imap, imaps, ldap, ldaps, %r(mqtt, )?%rpop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp%r(, ws, wss)?%r
 Host => %s-pc-win32
 SSL Version => OpenSSL/%s
 ZLib Version => %s

[nielsdos]

Let's wait until after GA and then make sure the next release uses the update.

Ah forgot: if we roll 8.11.0 out with Websocket support, we need to apply the following patch to php-src:

This likely needs to happen anyway for the Linux users who receive the update via their distro.

[cmb69]

Let's wait until after GA and then make sure the next release uses the update.

Fine. I'll keep an eye on it.

This likely needs to happen anyway for the Linux users who receive the update via their distro.

The test is Windows only. :)

[nielsdos]

Fine. I'll keep an eye on it.

Thanks!

The test is Windows only. :)

Ah oops, I missed that. EDIT: duh, it even says win in the title... 🤦

[cmb69]

I guess we want to wait for cURL 8.11.1: https://curl.se/mail/lib-2024-11/0019.html

[cmb69]

I've pushed cURL 8.11.1 (which fixes another low severity vulnerability) to master. Test build showed no further issues.

I suggest to wait with rolling out until PHP GA's have been released (scheduled for Dec 19th), and then first push staging to stable (we're behind with this for a couple of months). Afterwards we can roll out new releases.