Merge pull request #1254 from flatcar/krnowak/curl-bump

net-misc/curl: Update to 8.4.0

changelog/security/2023-10-11-curl-update.md

@@ -0,0 +1 @@
+- curl ([CVE-2023-38545](https://nvd.nist.gov/vuln/detail/CVE-2023-38545), [CVE-2023-38546](https://nvd.nist.gov/vuln/detail/CVE-2023-38546))

changelog/updates/2023-10-11-curl-update.md

@@ -0,0 +1 @@
+- curl ([8.4.0](https://curl.se/changes.html#8_4_0))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -56,9 +56,6 @@
 =net-libs/libnetfilter_cthelper-1.0.0-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.0-r1 ~arm64
 
-# Required for addressing CVE-2023-38039.
-=net-misc/curl-8.3.0 ~amd64 ~arm64
-
 # Required to allow us to override the sftp subsystem in sshd config.
 =net-misc/openssh-9.4_p1 ~amd64 ~arm64
 

sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest

@@ -1,8 +1,6 @@
-DIST curl-8.0.1.tar.xz 2575544 BLAKE2B 67d82e9d71f0a351b5c2ed3ad5eab02e367ded872658a295179b935729d5105015f8c29569c396e11cd14036656af894ded85c8838cba260d9f6f1a8dcb5e22b SHA512 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d
-DIST curl-8.0.1.tar.xz.asc 488 BLAKE2B 452e1bebe1028e7621bbf8829e50cf56e254cd63a8cf2a4c0332176b9f18fb2821304ae556a203996d273c986bddbd04db2218c18fd34dee66e9155861ba50ce SHA512 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf
-DIST curl-8.1.2.tar.xz 2612652 BLAKE2B 66d0828912bb9971dac99025aa8b5c1c2fac1f8b568f2a8a97bd9f66986bdb164b603b539ec3e123cd6a26ea65829e58c90fc9852be88b42074cf40c89c566d1 SHA512 532ab96eba6dea66d272f3be56f5af5c5da922480f9a10e203de98037c311f12f8145ba6bf813831e42815e068874ccfd108f84f7650743f5dbb3ebc3bc9c4f4
-DIST curl-8.1.2.tar.xz.asc 488 BLAKE2B 304dbdb51aa113c0b70b2662e29b1be3294b04f5f00264ce60703756363999cd567dcd0301e27b294d1d53f16ecc016ba429fcbea240949b372750f7e6e7375a SHA512 d120299a2d59259aeb19ae0fa3a3e181e25b6927677187037c61a0901879956177ce8dda10764073a47848f81dcbbcb94e0b6008742994042b6b8fd194e169c3
 DIST curl-8.2.1.tar.xz 2631932 BLAKE2B 77c0b067935397afb3961378f2fe349fa988c6379c1ab7437c5d5f967710b2e9ba7aec91df8fe58a8b26c00c0164d4db9bd095ca27d1bf52b768c8d83cc0ecaf SHA512 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094
 DIST curl-8.2.1.tar.xz.asc 488 BLAKE2B 569a7c8d338f7175b5035fa281861b57cce7f5327ec6437d79e215e5a806619c9432d7960687e5463787f681cc408371c1eb1f0db7fb8678b8ef34ec50ef69d0 SHA512 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084
 DIST curl-8.3.0.tar.xz 2641764 BLAKE2B 6875b20e27ed86f9b6ab256210d85e9fb3b39645e8be710b2e6fe29fba40220f870e06bc21e8a92244670fed0a08c7716e4806a267ede49c4ed6d66e03f5fcd4 SHA512 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51
 DIST curl-8.3.0.tar.xz.asc 488 BLAKE2B ef5a749e579710d45db9f73da0cbcb58d77a9dfe73be622536496997fa792fe5cbd0331a31f01e21cbdb36c6384dca44baa647c9f3d20effabb5bfc275b1b491 SHA512 b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4
+DIST curl-8.4.0.tar.xz 2658376 BLAKE2B ea5ebecc3c1aeac3ae8fd0cf7d8ff3298149b9c4c556fb85ed8d9310e3613228eb6fca133b0dfb9268988f93d694779fab8d53510cfa5710c1320bb6638f05eb SHA512 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b
+DIST curl-8.4.0.tar.xz.asc 488 BLAKE2B 0fd4ea46a0942b9bc440e91e8f9323bba6d0eb02fbc87c227004c90e5be14cc644446bc235ab67f857b617975cdeada6ce38a647da9e0bd783e57d58f354cdb4 SHA512 b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.2.1.ebuild

@@ -17,7 +17,7 @@ else
 		https://curl.se/download/${P}.tar.xz
 		verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
 	"
-	KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 fi
 
 LICENSE="BSD curl ISC test? ( BSD-4 )"
@@ -338,10 +338,11 @@ multilib_src_test() {
 	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
 	# or just read https://github.com/curl/curl/tree/master/tests#run.
 	# Note: we don't run the testsuite for cross-compilation.
-	# Upstream recommend 7*nproc as a starting point for parallel tests.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
 	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
 	# as most gentoo users don't have an 'ip6-localhost'
-	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((7*$(makeopts_jobs))) !241 !1083"
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
 }
 
 multilib_src_install() {

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.3.0-r1.ebuild

@@ -4,7 +4,7 @@
 EAPI=8
 
 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
-inherit autotools multilib-minimal prefix verify-sig
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
 
 DESCRIPTION="A Client that groks URLs"
 HOMEPAGE="https://curl.se/"
@@ -17,36 +17,43 @@ else
 		https://curl.se/download/${P}.tar.xz
 		verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
 	"
-	KEYWORDS="~alpha amd64 arm ~arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 fi
 
 LICENSE="BSD curl ISC test? ( BSD-4 )"
 SLOT="0"
-IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
 # These select the default SSL implementation
-IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls"
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
 IUSE+=" nghttp3"
 RESTRICT="!test? ( test )"
 
 # Only one default ssl provider can be enabled
 # The default ssl provider needs its USE satisfied
+# nghttp3 = https://bugs.gentoo.org/912029
 REQUIRED_USE="
 	ssl? (
 		^^ (
 			curl_ssl_gnutls
 			curl_ssl_mbedtls
-			curl_ssl_nss
 			curl_ssl_openssl
 			curl_ssl_rustls
 		)
 	)
 	curl_ssl_gnutls? ( gnutls )
 	curl_ssl_mbedtls? ( mbedtls )
-	curl_ssl_nss? ( nss )
 	curl_ssl_openssl? ( openssl )
 	curl_ssl_rustls? ( rustls )
+	nghttp3? ( !openssl )
 "
 
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md
+# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+
 RDEPEND="
 	sys-libs/zlib[${MULTILIB_USEDEP}]
 	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
@@ -56,8 +63,8 @@ RDEPEND="
 	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
 	ldap? ( net-nds/openldap:=[static-libs?,${MULTILIB_USEDEP}] )
 	nghttp3? (
-		>=net-libs/nghttp3-0.11.0[${MULTILIB_USEDEP}]
+		>=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}]
-		>=net-libs/ngtcp2-0.15.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
+		>=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
 	)
 	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
 	ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
@@ -71,11 +78,6 @@ RDEPEND="
 			app-misc/ca-certificates
 			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
 		)
-		nss? (
-			app-misc/ca-certificates
-			dev-libs/nss[${MULTILIB_USEDEP}]
-			dev-libs/nss-pem
-		)
 		openssl? (
 			dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
 		)
@@ -85,13 +87,15 @@ RDEPEND="
 	)
 	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
 "
+
 DEPEND="${RDEPEND}"
+
 BDEPEND="
 	dev-lang/perl
 	virtual/pkgconfig
 	test? (
 		sys-apps/diffutils
-		http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+		http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
 		nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
 	)
 	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
@@ -121,6 +125,7 @@ QA_CONFIG_IMPL_DECL_SKIP=(
 PATCHES=(
 	"${FILESDIR}"/${PN}-prefix.patch
 	"${FILESDIR}"/${PN}-respect-cflags-3.patch
+	"${FILESDIR}"/${P}-tests-arm-musl.patch
 )
 
 src_prepare() {
@@ -137,8 +142,8 @@ multilib_src_configure() {
 	local myconf=()
 
 	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
-	if use ssl ; then
+	if use ssl; then
-		myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls )
+		myconf+=( --without-gnutls --without-mbedtls --without-rustls )
 
 		if use gnutls; then
 			multilib_is_native_abi && einfo "SSL provided by gnutls"
@@ -148,10 +153,6 @@ multilib_src_configure() {
 			multilib_is_native_abi && einfo "SSL provided by mbedtls"
 			myconf+=( --with-mbedtls )
 		fi
-		if use nss; then
-			multilib_is_native_abi && einfo "SSL provided by nss"
-			myconf+=( --with-nss --with-nss-deprecated )
-		fi
 		if use openssl; then
 			multilib_is_native_abi && einfo "SSL provided by openssl"
 			myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
@@ -166,9 +167,6 @@ multilib_src_configure() {
 		elif use curl_ssl_mbedtls; then
 			multilib_is_native_abi && einfo "Default SSL provided by mbedtls"
 			myconf+=( --with-default-ssl-backend=mbedtls )
-		elif use curl_ssl_nss; then
-			multilib_is_native_abi && einfo "Default SSL provided by nss"
-			myconf+=( --with-default-ssl-backend=nss )
 		elif use curl_ssl_openssl; then
 			multilib_is_native_abi && einfo "Default SSL provided by openssl"
 			myconf+=( --with-default-ssl-backend=openssl )
@@ -177,6 +175,7 @@ multilib_src_configure() {
 			myconf+=( --with-default-ssl-backend=rustls )
 		else
 			eerror "We can't be here because of REQUIRED_USE."
+			die "Please file a bug, hit impossible condition w/ USE=ssl handling."
 		fi
 
 	else
@@ -196,7 +195,12 @@ multilib_src_configure() {
 
 	myconf+=(
 		$(use_enable alt-svc)
-		--enable-crypto-auth
+		--enable-basic-auth
+		--enable-bearer-auth
+		--enable-digest-auth
+		--enable-kerberos-auth
+		--enable-negotiate-auth
+		--enable-aws
 		--enable-dict
 		--disable-ech
 		--enable-file
@@ -241,7 +245,7 @@ multilib_src_configure() {
 		--without-amissl
 		--without-bearssl
 		$(use_with brotli)
-		--without-fish-functions-dir
+		--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
 		$(use_with http2 nghttp2)
 		--without-hyper
 		$(use_with idn libidn2)
@@ -263,6 +267,7 @@ multilib_src_configure() {
 		--without-wolfssl
 		--with-zlib
 		$(use_with zstd)
+		--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
 	)
 
 	if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then
@@ -271,6 +276,12 @@ multilib_src_configure() {
 		)
 	fi
 
+	if [[ ${CHOST} == *mingw* ]] ; then
+		myconf+=(
+			--disable-pthreads
+		)
+	fi
+
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 
 	if ! multilib_is_native_abi; then
@@ -305,6 +316,15 @@ multilib_src_configure() {
 	echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
 }
 
+multilib_src_compile() {
+	default
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts
+	fi
+}
+
 # There is also a pytest harness that tests for bugs in some very specific
 # situations; we can rely on upstream for this rather than adding additional test deps.
 multilib_src_test() {
@@ -318,9 +338,20 @@ multilib_src_test() {
 	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
 	# or just read https://github.com/curl/curl/tree/master/tests#run.
 	# Note: we don't run the testsuite for cross-compilation.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
 	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
 	# as most gentoo users don't have an 'ip6-localhost'
-	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p !241 !1083"
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+	fi
 }
 
 multilib_src_install_all() {

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.3.0-r2.ebuild

@@ -4,47 +4,67 @@
 EAPI=8
 
 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
-inherit autotools multilib-minimal prefix verify-sig
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
 
 DESCRIPTION="A Client that groks URLs"
 HOMEPAGE="https://curl.se/"
-SRC_URI="
+
+if [[ ${PV} == 9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/curl/curl.git"
+else
+	SRC_URI="
 		https://curl.se/download/${P}.tar.xz
 		verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
-"
+	"
+	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
 
 LICENSE="BSD curl ISC test? ( BSD-4 )"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
-IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+# These select the default SSL implementation
-IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls"
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
 IUSE+=" nghttp3"
 RESTRICT="!test? ( test )"
 
 # Only one default ssl provider can be enabled
+# The default ssl provider needs its USE satisfied
+# nghttp3 = https://bugs.gentoo.org/912029
 REQUIRED_USE="
 	ssl? (
 		^^ (
 			curl_ssl_gnutls
 			curl_ssl_mbedtls
-			curl_ssl_nss
 			curl_ssl_openssl
 			curl_ssl_rustls
 		)
 	)
+	curl_ssl_gnutls? ( gnutls )
+	curl_ssl_mbedtls? ( mbedtls )
+	curl_ssl_openssl? ( openssl )
+	curl_ssl_rustls? ( rustls )
+	nghttp3? ( !openssl )
 "
 
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md
+# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+
 RDEPEND="
 	sys-libs/zlib[${MULTILIB_USEDEP}]
 	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
 	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
-	http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] )
+	http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] )
 	idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
 	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
-	ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] )
+	ldap? ( net-nds/openldap:=[static-libs?,${MULTILIB_USEDEP}] )
 	nghttp3? (
-		net-libs/nghttp3[${MULTILIB_USEDEP}]
+		>=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}]
-		net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}]
+		>=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
 	)
 	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
 	ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
@@ -58,11 +78,6 @@ RDEPEND="
 			app-misc/ca-certificates
 			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
 		)
-		nss? (
-			app-misc/ca-certificates
-			dev-libs/nss[${MULTILIB_USEDEP}]
-			dev-libs/nss-pem
-		)
 		openssl? (
 			dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
 		)
@@ -72,13 +87,15 @@ RDEPEND="
 	)
 	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
 "
+
 DEPEND="${RDEPEND}"
+
 BDEPEND="
 	dev-lang/perl
 	virtual/pkgconfig
 	test? (
 		sys-apps/diffutils
-		http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+		http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
 		nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
 	)
 	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
@@ -108,9 +125,9 @@ QA_CONFIG_IMPL_DECL_SKIP=(
 PATCHES=(
 	"${FILESDIR}"/${PN}-prefix.patch
 	"${FILESDIR}"/${PN}-respect-cflags-3.patch
-
+	"${FILESDIR}"/${P}-tests-arm-musl.patch
-	# Backports
+	"${FILESDIR}"/${P}-CVE-2023-38545.patch
-	"${FILESDIR}"/${PN}-8.0.1-onion-resolution.patch
+	"${FILESDIR}"/${P}-CVE-2023-38546.patch
 )
 
 src_prepare() {
@@ -127,47 +144,40 @@ multilib_src_configure() {
 	local myconf=()
 
 	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
-	#myconf+=( --without-default-ssl-backend )
+	if use ssl; then
-	if use ssl ; then
+		myconf+=( --without-gnutls --without-mbedtls --without-rustls )
-		myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls )
 
-		if use gnutls || use curl_ssl_gnutls; then
+		if use gnutls; then
-			einfo "SSL provided by gnutls"
+			multilib_is_native_abi && einfo "SSL provided by gnutls"
 			myconf+=( --with-gnutls )
 		fi
-		if use mbedtls || use curl_ssl_mbedtls; then
+		if use mbedtls; then
-			einfo "SSL provided by mbedtls"
+			multilib_is_native_abi && einfo "SSL provided by mbedtls"
 			myconf+=( --with-mbedtls )
 		fi
-		if use nss || use curl_ssl_nss; then
+		if use openssl; then
-			einfo "SSL provided by nss"
+			multilib_is_native_abi && einfo "SSL provided by openssl"
-			myconf+=( --with-nss --with-nss-deprecated )
-		fi
-		if use openssl || use curl_ssl_openssl; then
-			einfo "SSL provided by openssl"
 			myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
 		fi
-		if use rustls || use curl_ssl_rustls; then
+		if use rustls; then
-			einfo "SSL provided by rustls"
+			multilib_is_native_abi && einfo "SSL provided by rustls"
 			myconf+=( --with-rustls )
 		fi
 		if use curl_ssl_gnutls; then
-			einfo "Default SSL provided by gnutls"
+			multilib_is_native_abi && einfo "Default SSL provided by gnutls"
 			myconf+=( --with-default-ssl-backend=gnutls )
 		elif use curl_ssl_mbedtls; then
-			einfo "Default SSL provided by mbedtls"
+			multilib_is_native_abi && einfo "Default SSL provided by mbedtls"
 			myconf+=( --with-default-ssl-backend=mbedtls )
-		elif use curl_ssl_nss; then
-			einfo "Default SSL provided by nss"
-			myconf+=( --with-default-ssl-backend=nss )
 		elif use curl_ssl_openssl; then
-			einfo "Default SSL provided by openssl"
+			multilib_is_native_abi && einfo "Default SSL provided by openssl"
 			myconf+=( --with-default-ssl-backend=openssl )
 		elif use curl_ssl_rustls; then
-			einfo "Default SSL provided by rustls"
+			multilib_is_native_abi && einfo "Default SSL provided by rustls"
 			myconf+=( --with-default-ssl-backend=rustls )
 		else
 			eerror "We can't be here because of REQUIRED_USE."
+			die "Please file a bug, hit impossible condition w/ USE=ssl handling."
 		fi
 
 	else
@@ -187,7 +197,12 @@ multilib_src_configure() {
 
 	myconf+=(
 		$(use_enable alt-svc)
-		--enable-crypto-auth
+		--enable-basic-auth
+		--enable-bearer-auth
+		--enable-digest-auth
+		--enable-kerberos-auth
+		--enable-negotiate-auth
+		--enable-aws
 		--enable-dict
 		--disable-ech
 		--enable-file
@@ -232,7 +247,7 @@ multilib_src_configure() {
 		--without-amissl
 		--without-bearssl
 		$(use_with brotli)
-		--without-fish-functions-dir
+		--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
 		$(use_with http2 nghttp2)
 		--without-hyper
 		$(use_with idn libidn2)
@@ -254,6 +269,7 @@ multilib_src_configure() {
 		--without-wolfssl
 		--with-zlib
 		$(use_with zstd)
+		--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
 	)
 
 	if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then
@@ -262,6 +278,12 @@ multilib_src_configure() {
 		)
 	fi
 
+	if [[ ${CHOST} == *mingw* ]] ; then
+		myconf+=(
+			--disable-pthreads
+		)
+	fi
+
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 
 	if ! multilib_is_native_abi; then
@@ -296,6 +318,17 @@ multilib_src_configure() {
 	echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
 }
 
+multilib_src_compile() {
+	default
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts
+	fi
+}
+
+# There is also a pytest harness that tests for bugs in some very specific
+# situations; we can rely on upstream for this rather than adding additional test deps.
 multilib_src_test() {
 	# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
 	# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
@@ -306,7 +339,21 @@ multilib_src_test() {
 	# -p: print logs if test fails
 	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
 	# or just read https://github.com/curl/curl/tree/master/tests#run.
-	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p"
+	# Note: we don't run the testsuite for cross-compilation.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
+	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
+	# as most gentoo users don't have an 'ip6-localhost'
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+	fi
 }
 
 multilib_src_install_all() {

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.3.0.ebuild

@@ -337,10 +337,11 @@ multilib_src_test() {
 	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
 	# or just read https://github.com/curl/curl/tree/master/tests#run.
 	# Note: we don't run the testsuite for cross-compilation.
-	# Upstream recommend 7*nproc as a starting point for parallel tests.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
 	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
 	# as most gentoo users don't have an 'ip6-localhost'
-	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((7*$(makeopts_jobs))) !241 !1083"
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
 }
 
 multilib_src_install() {

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.4.0.ebuild

@@ -0,0 +1,363 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+
+if [[ ${PV} == 9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/curl/curl.git"
+else
+	SRC_URI="
+		https://curl.se/download/${P}.tar.xz
+		verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
+	"
+	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+LICENSE="BSD curl ISC test? ( BSD-4 )"
+SLOT="0"
+IUSE="+adns +alt-svc brotli +ftp gnutls gopher +hsts +http2 idn +imap kerberos ldap mbedtls nghttp3 +openssl +pop3"
+IUSE+=" +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+# These select the default SSL implementation
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
+RESTRICT="!test? ( test )"
+
+# Only one default ssl provider can be enabled
+# The default ssl provider needs its USE satisfied
+# nghttp3 = https://bugs.gentoo.org/912029
+REQUIRED_USE="
+	ssl? (
+		^^ (
+			curl_ssl_gnutls
+			curl_ssl_mbedtls
+			curl_ssl_openssl
+			curl_ssl_rustls
+		)
+	)
+	curl_ssl_gnutls? ( gnutls )
+	curl_ssl_mbedtls? ( mbedtls )
+	curl_ssl_openssl? ( openssl )
+	curl_ssl_rustls? ( rustls )
+	nghttp3? (
+		!openssl
+		alt-svc )
+"
+
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
+# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml (CI/CD for TCP/2)
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+
+RDEPEND="
+	>=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}]
+	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
+	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+	http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] )
+	idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+	ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+	nghttp3? (
+		>=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}]
+		>=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
+	)
+	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+	ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] )
+	ssl? (
+		gnutls? (
+			app-misc/ca-certificates
+			>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
+			dev-libs/nettle:=[${MULTILIB_USEDEP}]
+		)
+		mbedtls? (
+			app-misc/ca-certificates
+			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
+		)
+		openssl? (
+			>=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+		)
+		rustls? (
+			net-libs/rustls-ffi:=[${MULTILIB_USEDEP}]
+		)
+	)
+	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+
+DEPEND="${RDEPEND}"
+
+BDEPEND="
+	dev-lang/perl
+	virtual/pkgconfig
+	test? (
+		sys-apps/diffutils
+		http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
+		nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+	)
+	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
+"
+
+DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/curl-config
+)
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+	__builtin_available
+	closesocket
+	CloseSocket
+	getpass_r
+	ioctlsocket
+	IoctlSocket
+	mach_absolute_time
+	setmode
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-prefix.patch
+	"${FILESDIR}"/${PN}-respect-cflags-3.patch
+)
+
+src_prepare() {
+	default
+
+	eprefixify curl-config.in
+	eautoreconf
+}
+
+multilib_src_configure() {
+	# We make use of the fact that later flags override earlier ones
+	# So start with all ssl providers off until proven otherwise
+	# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+	local myconf=()
+
+	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
+	if use ssl; then
+		myconf+=( --without-gnutls --without-mbedtls --without-rustls )
+
+		if use gnutls; then
+			multilib_is_native_abi && einfo "SSL provided by gnutls"
+			myconf+=( --with-gnutls )
+		fi
+		if use mbedtls; then
+			multilib_is_native_abi && einfo "SSL provided by mbedtls"
+			myconf+=( --with-mbedtls )
+		fi
+		if use openssl; then
+			multilib_is_native_abi && einfo "SSL provided by openssl"
+			myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
+		fi
+		if use rustls; then
+			multilib_is_native_abi && einfo "SSL provided by rustls"
+			myconf+=( --with-rustls )
+		fi
+		if use curl_ssl_gnutls; then
+			multilib_is_native_abi && einfo "Default SSL provided by gnutls"
+			myconf+=( --with-default-ssl-backend=gnutls )
+		elif use curl_ssl_mbedtls; then
+			multilib_is_native_abi && einfo "Default SSL provided by mbedtls"
+			myconf+=( --with-default-ssl-backend=mbedtls )
+		elif use curl_ssl_openssl; then
+			multilib_is_native_abi && einfo "Default SSL provided by openssl"
+			myconf+=( --with-default-ssl-backend=openssl )
+		elif use curl_ssl_rustls; then
+			multilib_is_native_abi && einfo "Default SSL provided by rustls"
+			myconf+=( --with-default-ssl-backend=rustls )
+		else
+			eerror "We can't be here because of REQUIRED_USE."
+			die "Please file a bug, hit impossible condition w/ USE=ssl handling."
+		fi
+
+	else
+		myconf+=( --without-ssl )
+		einfo "SSL disabled"
+	fi
+
+	# These configuration options are organized alphabetically
+	# within each category.  This should make it easier if we
+	# ever decide to make any of them contingent on USE flags:
+	# 1) protocols first.  To see them all do
+	# 'grep SUPPORT_PROTOCOLS configure.ac'
+	# 2) --enable/disable options second.
+	# 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
+	# 3) --with/without options third.
+	# grep -- --with configure | grep Check | awk '{ print $4 }' | sort
+
+	myconf+=(
+		$(use_enable alt-svc)
+		--enable-basic-auth
+		--enable-bearer-auth
+		--enable-digest-auth
+		--enable-kerberos-auth
+		--enable-negotiate-auth
+		--enable-aws
+		--enable-dict
+		--disable-ech
+		--enable-file
+		$(use_enable ftp)
+		$(use_enable gopher)
+		$(use_enable hsts)
+		--enable-http
+		$(use_enable imap)
+		$(use_enable ldap)
+		$(use_enable ldap ldaps)
+		--enable-ntlm
+		--disable-ntlm-wb
+		$(use_enable pop3)
+		--enable-rt
+		--enable-rtsp
+		$(use_enable samba smb)
+		$(use_with ssh libssh2)
+		$(use_enable smtp)
+		$(use_enable telnet)
+		$(use_enable tftp)
+		--enable-tls-srp
+		$(use_enable adns ares)
+		--enable-cookies
+		--enable-dateparse
+		--enable-dnsshuffle
+		--enable-doh
+		--enable-symbol-hiding
+		--enable-http-auth
+		--enable-ipv6
+		--enable-largefile
+		--enable-manual
+		--enable-mime
+		--enable-netrc
+		$(use_enable progress-meter)
+		--enable-proxy
+		--enable-socketpair
+		--disable-sspi
+		$(use_enable static-libs static)
+		--enable-pthreads
+		--enable-threaded-resolver
+		--disable-versioned-symbols
+		--without-amissl
+		--without-bearssl
+		$(use_with brotli)
+		--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
+		$(use_with http2 nghttp2)
+		--without-hyper
+		$(use_with idn libidn2)
+		$(use_with kerberos gssapi "${EPREFIX}"/usr)
+		--without-libgsasl
+		--without-libpsl
+		--without-msh3
+		$(use_with nghttp3)
+		$(use_with nghttp3 ngtcp2)
+		--without-quiche
+		$(use_with rtmp librtmp)
+		--without-schannel
+		--without-secure-transport
+		--without-test-caddy
+		--without-test-httpd
+		--without-test-nghttpx
+		$(use_enable websockets)
+		--without-winidn
+		--without-wolfssl
+		--with-zlib
+		$(use_with zstd)
+		--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
+	)
+
+	if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then
+		myconf+=(
+			--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
+		)
+	fi
+
+	if [[ ${CHOST} == *mingw* ]] ; then
+		myconf+=(
+			--disable-pthreads
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+	if ! multilib_is_native_abi; then
+		# Avoid building the client (we just want libcurl for multilib)
+		sed -i -e '/SUBDIRS/s:src::' Makefile || die
+		sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+	fi
+
+	# Fix up the pkg-config file to be more robust.
+	# https://github.com/curl/curl/issues/864
+	local priv=() libs=()
+	# We always enable zlib.
+	libs+=( "-lz" )
+	priv+=( "zlib" )
+	if use http2; then
+		libs+=( "-lnghttp2" )
+		priv+=( "libnghttp2" )
+	fi
+	if use nghttp3; then
+		libs+=( "-lnghttp3" "-lngtcp2" )
+		priv+=( "libnghttp3" "libngtcp2" )
+	fi
+	if use ssl && use curl_ssl_openssl; then
+		libs+=( "-lssl" "-lcrypto" )
+		priv+=( "openssl" )
+	fi
+	grep -q Requires.private libcurl.pc && die "need to update ebuild"
+	libs=$(printf '|%s' "${libs[@]}")
+	sed -i -r \
+		-e "/^Libs.private/s:(${libs#|})( |$)::g" \
+		libcurl.pc || die
+	echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
+}
+
+multilib_src_compile() {
+	default
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts
+	fi
+}
+
+# There is also a pytest harness that tests for bugs in some very specific
+# situations; we can rely on upstream for this rather than adding additional test deps.
+multilib_src_test() {
+	# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+	# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+	# -v: verbose
+	# -a: keep going on failure (so we see everything which breaks, not just 1st test)
+	# -k: keep test files after completion
+	# -am: automake style TAP output
+	# -p: print logs if test fails
+	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
+	# or just read https://github.com/curl/curl/tree/master/tests#run.
+	# Note: we don't run the testsuite for cross-compilation.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
+	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
+	# as most gentoo users don't have an 'ip6-localhost'
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+	rm -rf "${ED}"/etc/ || die
+}

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-9999.ebuild

@@ -22,10 +22,10 @@ fi
 
 LICENSE="BSD curl ISC test? ( BSD-4 )"
 SLOT="0"
-IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+IUSE="+adns +alt-svc brotli +ftp gnutls gopher +hsts +http2 idn +imap kerberos ldap mbedtls nghttp3 +openssl +pop3"
+IUSE+=" +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
 # These select the default SSL implementation
 IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
-IUSE+=" nghttp3"
 RESTRICT="!test? ( test )"
 
 # Only one default ssl provider can be enabled
@@ -44,34 +44,37 @@ REQUIRED_USE="
 	curl_ssl_mbedtls? ( mbedtls )
 	curl_ssl_openssl? ( openssl )
 	curl_ssl_rustls? ( rustls )
-	nghttp3? ( !openssl )
+	nghttp3? (
+		!openssl
+		alt-svc )
 "
 
 # cURL's docs and CI/CD are great resources for confirming supported versions
 # particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
-# - https://github.com/curl/curl/blob/master/docs/HTTP3.md
+# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
-# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
+# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml (CI/CD for TCP/2)
 # However 'supported' vs 'works' are two entirely different things; be sane but
 # don't be afraid to require a later version.
 
 RDEPEND="
-	sys-libs/zlib[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}]
 	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
 	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
 	http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] )
 	idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
 	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
-	ldap? ( net-nds/openldap:=[static-libs?,${MULTILIB_USEDEP}] )
+	ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
 	nghttp3? (
 		>=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}]
 		>=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
 	)
 	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
-	ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
+	ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] )
 	ssl? (
 		gnutls? (
 			app-misc/ca-certificates
-			net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}]
+			>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
 			dev-libs/nettle:=[${MULTILIB_USEDEP}]
 		)
 		mbedtls? (
@@ -79,7 +82,7 @@ RDEPEND="
 			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
 		)
 		openssl? (
-			dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+			>=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
 		)
 		rustls? (
 			net-libs/rustls-ffi:=[${MULTILIB_USEDEP}]
@@ -337,10 +340,11 @@ multilib_src_test() {
 	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
 	# or just read https://github.com/curl/curl/tree/master/tests#run.
 	# Note: we don't run the testsuite for cross-compilation.
-	# Upstream recommend 7*nproc as a starting point for parallel tests.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
 	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
 	# as most gentoo users don't have an 'ip6-localhost'
-	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((7*$(makeopts_jobs))) !241 !1083"
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
 }
 
 multilib_src_install() {

sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.3.0-CVE-2023-38545.patch

@@ -0,0 +1,136 @@
+https://bugs.gentoo.org/915195
+
+From 1e1f915b73ab0895a68348ad1f96a5283a44ffd7 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Mon, 9 Oct 2023 17:45:07 -0400
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+This patch applies to curl versions 8.2.0 - 8.3.0. Other versions
+that are affected take a different patch. Refer to the CVE advisory
+for more information.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+---
+ lib/socks.c             |  8 +++----
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test728      | 64 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index 25a3578..3d41c93 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -588,9 +588,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+ 
+     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+     if(!socks5_resolve_local && hostname_len > 255) {
+-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-            "length > 255 [actual len=%zu]", hostname_len);
+-      socks5_resolve_local = TRUE;
++      failf(data, "SOCKS5: the destination hostname is too long to be "
++            "resolved remotely by the proxy.");
++      return CURLPX_LONG_HOSTNAME;
+     }
+ 
+     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -904,7 +904,7 @@ CONNECT_RESOLVE_REMOTE:
+       }
+       else {
+         socksreq[len++] = 3;
+-        socksreq[len++] = (char) hostname_len; /* one byte address length */
++        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+         memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
+         len += hostname_len;
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 8ee1394..3e2094e 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 test686 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
++test718 test719 test720 test721 test728 \
+ \
+ test799 test800 test801 test802 test803 test804 test805 test806 test807 \
+ test808 test809 test810 test811 test812 test813 test814 test815 test816 \
+diff --git a/tests/data/test728 b/tests/data/test728
+new file mode 100644
+index 0000000..05bcf28
+--- /dev/null
++++ b/tests/data/test728
+@@ -0,0 +1,64 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++<data>
++HTTP/1.1 301 Moved Permanently
++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
++Content-Length: 0
++Connection: close
++
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++socks5
++</server>
++ <name>
++SOCKS5h with HTTP redirect to hostname too long
++ </name>
++ <command>
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++<errorcode>
++97
++</errorcode>
++# the error message is verified because error code CURLE_PROXY (97) may be
++# returned for any number of reasons and we need to make sure it is
++# specifically for the reason below so that we know the check is working.
++<stderr mode="text">
++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
++</stderr>
++</verify>
++</testcase>
+-- 
+2.7.4
+

sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.3.0-CVE-2023-38546.patch

@@ -0,0 +1,131 @@
+https://bugs.gentoo.org/915195
+https://github.com/curl/curl/commit/61275672b46d9abb3285740467b882e22ed75da8
+
+From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 13 ++++---------
+ lib/easy.c   |  4 +---
+ 3 files changed, 6 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 4345a84c6fd9d..e39c89a94a960 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
+   free(co->name);
+   free(co->value);
+   free(co->maxage);
+-  free(co->version);
+   free(co);
+ }
+ 
+@@ -718,11 +717,7 @@ Curl_cookie_add(struct Curl_easy *data,
+           }
+         }
+         else if((nlen == 7) && strncasecompare("version", namep, 7)) {
+-          strstore(&co->version, valuep, vlen);
+-          if(!co->version) {
+-            badcookie = TRUE;
+-            break;
+-          }
++          /* just ignore */
+         }
+         else if((nlen == 7) && strncasecompare("max-age", namep, 7)) {
+           /*
+@@ -1160,7 +1155,6 @@ Curl_cookie_add(struct Curl_easy *data,
+     free(clist->path);
+     free(clist->spath);
+     free(clist->expirestr);
+-    free(clist->version);
+     free(clist->maxage);
+ 
+     *clist = *co;  /* then store all the new data */
+@@ -1224,9 +1218,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+     c = calloc(1, sizeof(struct CookieInfo));
+     if(!c)
+       return NULL; /* failed to get memory */
+-    c->filename = strdup(file?file:"none"); /* copy the name just in case */
+-    if(!c->filename)
+-      goto fail; /* failed to get memory */
+     /*
+      * Initialize the next_expiration time to signal that we don't have enough
+      * information yet.
+@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+     CLONE(name);
+     CLONE(value);
+     CLONE(maxage);
+-    CLONE(version);
+     d->expires = src->expires;
+     d->tailmatch = src->tailmatch;
+     d->secure = src->secure;
+@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+   if(c) {
+     unsigned int i;
+-    free(c->filename);
+     for(i = 0; i < COOKIE_HASH_SIZE; i++)
+       Curl_cookie_freelist(c->cookies[i]);
+     free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index b3c0063b2cfb2..41e9e7a6914e0 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -36,11 +36,7 @@ struct Cookie {
+   char *domain;      /* domain = <this> */
+   curl_off_t expires;  /* expires = <this> */
+   char *expirestr;   /* the plain text version */
+-
+-  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+-  char *version;     /* Version = <value> */
+   char *maxage;      /* Max-Age = <value> */
+-
+   bool tailmatch;    /* whether we do tail-matching of the domain name */
+   bool secure;       /* whether the 'secure' keyword was used */
+   bool livecookie;   /* updated from a server, not a stored file */
+@@ -56,17 +52,16 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+ 
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+ 
+ struct CookieInfo {
+   /* linked list of cookies we know of */
+   struct Cookie *cookies[COOKIE_HASH_SIZE];
+-  char *filename;  /* file we read from/write to */
+-  long numcookies; /* number of cookies in the "jar" */
++  curl_off_t next_expiration; /* the next time at which expiration happens */
++  int numcookies;  /* number of cookies in the "jar" */
++  int lastct;      /* last creation-time used in the jar */
+   bool running;    /* state info, for cookie adding information */
+   bool newsession; /* new session, discard session cookies on load */
+-  int lastct;      /* last creation-time used in the jar */
+-  curl_off_t next_expiration; /* the next time at which expiration happens */
+ };
+ 
+ /* The maximum sizes we accept for cookies. RFC 6265 section 6.1 says
+diff --git a/lib/easy.c b/lib/easy.c
+index 16bbd35251d40..03195481f9780 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+   if(data->cookies) {
+     /* If cookies are enabled in the parent handle, we enable them
+        in the clone as well! */
+-    outcurl->cookies = Curl_cookie_init(data,
+-                                        data->cookies->filename,
+-                                        outcurl->cookies,
++    outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+                                         data->set.cookiesession);
+     if(!outcurl->cookies)
+       goto fail;

sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.3.0-tests-arm-musl.patch

@@ -0,0 +1,115 @@
+https://github.com/curl/curl/issues/11900
+https://github.com/curl/curl/commit/b226bd679a68b8bf94cbb6d58837f00251560e63
+https://github.com/curl/curl/commit/9c7165e96a3a9a2d0b7059c87c699b5ca8cdae93
+
+From b226bd679a68b8bf94cbb6d58837f00251560e63 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Mon, 25 Sep 2023 13:03:26 +0200
+Subject: [PATCH] configure: sort AC_CHECK_FUNCS
+
+No functional changes.
+---
+ configure.ac | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2fc9f2f01783c..a6f9066a133a4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3583,8 +3583,10 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+           #include <sys/types.h>]])
+ 
+ 
+-AC_CHECK_FUNCS([fnmatch \
++AC_CHECK_FUNCS([\
++  arc4random \
+   fchmod \
++  fnmatch \
+   fork \
+   geteuid \
+   getpass_r \
+@@ -3604,7 +3606,6 @@ AC_CHECK_FUNCS([fnmatch \
+   snprintf \
+   utime \
+   utimes \
+-  arc4random
+ ],[
+ ],[
+   func="$ac_func"
+
+From 9c7165e96a3a9a2d0b7059c87c699b5ca8cdae93 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Fri, 22 Sep 2023 13:58:49 +0000
+Subject: [PATCH] lib: use wrapper for curl_mime_data fseek callback
+
+fseek uses long offset which does not match with curl_off_t. This leads
+to undefined behavior when calling the callback and caused failure on
+arm 32 bit.
+
+Use a wrapper to solve this and use fseeko which uses off_t instead of
+long.
+
+Thanks to the nice people at Libera IRC #musl for helping finding this
+out.
+
+Fixes #11882
+Fixes #11900
+Closes #11918
+---
+ configure.ac   |  2 ++
+ lib/formdata.c | 17 +++++++++++++++--
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a6f9066a133a4..5fa7c45c47430 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3584,10 +3584,12 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+ 
+ 
+ AC_CHECK_FUNCS([\
++  _fseeki64 \
+   arc4random \
+   fchmod \
+   fnmatch \
+   fork \
++  fseeko \
+   geteuid \
+   getpass_r \
+   getppid \
+diff --git a/lib/formdata.c b/lib/formdata.c
+index 8984b63223cc0..f370ce6854b5f 100644
+--- a/lib/formdata.c
++++ b/lib/formdata.c
+@@ -789,6 +789,20 @@ static CURLcode setname(curl_mimepart *part, const char *name, size_t len)
+   return res;
+ }
+ 
++/* wrap call to fseeko so it matches the calling convetion of callback */
++static int fseeko_wrapper(void *stream, curl_off_t offset, int whence)
++{
++#if defined(HAVE_FSEEKO)
++  return fseeko(stream, (off_t)offset, whence);
++#elif defined(HAVE__FSEEKI64)
++  return _fseeki64(stream, (__int64)offset, whence);
++#else
++  if(offset > LONG_MAX)
++    return -1;
++  return fseek(stream, (long)offset, whence);
++#endif
++}
++
+ /*
+  * Curl_getformdata() converts a linked list of "meta data" into a mime
+  * structure. The input list is in 'post', while the output is stored in
+@@ -874,8 +888,7 @@ CURLcode Curl_getformdata(struct Curl_easy *data,
+                compatibility: use of "-" pseudo file name should be avoided. */
+             result = curl_mime_data_cb(part, (curl_off_t) -1,
+                                        (curl_read_callback) fread,
+-                                       CURLX_FUNCTION_CAST(curl_seek_callback,
+-                                                           fseek),
++                                       fseeko_wrapper,
+                                        NULL, (void *) stdin);
+           }
+           else
+