Update to 7.41.0:

Version 7.41.0 (25 Feb 2015)

Daniel Stenberg (25 Feb 2015)
- THANKS: added contributors from the 7.41.0 RELEASE-NOTES

- RELEASE-NOTES: sync with ffc2aeec6e (7.41.0 release time!)

Marc Hoersken (25 Feb 2015)
- Revert "telnet.c: fix handling of 0 being returned from custom read function"

  This reverts commit 03fa576833643c67579ae216c4e7350fa9b5f2fe.

- telnet.c: fix invalid use of custom read function if not being set

  obj_count can be 1 if the custom read function is set or the stdin
  handle is a reference to a pipe. Since the pipe should be handled
  using the PeekNamedPipe-check below, the custom read function should
  only be used if it is actually enabled.

- telnet.c: fix handling of 0 being returned from custom read function

  According to [1]: "Returning 0 will signal end-of-file to the library
  and cause it to stop the current transfer."
  This change makes the Windows telnet code handle this case accordingly.

   [1] http://curl.haxx.se/libcurl/c/CURLOPT_READFUNCTION.html

Daniel Stenberg (24 Feb 2015)
- sws: stop logging about TPC_NODELAY nonsense

- lib530: make it less timing sensible

  ... by making sure the first request is completed before doing the
  remainder.

Kamil Dudka (23 Feb 2015)
- connect: wait for IPv4 connection attempts

  ... even if the last IPv6 connection attempt has failed.

  Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c4

- connect: avoid skipping an IPv4 address

  ... in case the protocol versions are mixed in a DNS response
  (IPv6 -> IPv4 -> IPv6).

  Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c3

Daniel Stenberg (23 Feb 2015)
- RELEASE-NOTES: synced with 5e4395eab839d

- ROADMAP: curl_easy_setopt.3 has already been split up

  Remove cmake as marked for removal. It is in much better state now.

- ROADMAP: extend the HTTP/2 stuff, remove SPDY

- [Julian Ospald brought this change]

  configure: allow both --with-ca-bundle and --with-ca-path

  SSL_CTX_load_verify_locations by default (and if given non-Null
  parameters) searches the CAfile first and falls back to CApath.  This
  allows for CAfile to be a basis (e.g. installed by the package manager)
  and CApath to be a user configured directory.

  This wasn't reflected by the previous configure constraint which this
  patch fixes.

  Bug: https://github.com/bagder/curl/pull/139

- [Ben Boeckel brought this change]

  cmake: install the dll file to the correct directory

- [Alessandro Ghedini brought this change]

  nss: fix NPN/ALPN protocol negotiation

  Correctly check for memcmp() return value (it returns 0 if the strings match).

  This is not really important, since curl is going to use http/1.1 anyway, but
  it's still a bug I guess.

- [Alessandro Ghedini brought this change]

  polarssl: fix ALPN protocol negotiation

  Correctly check for strncmp() return value (it returns 0 if the strings
  match).

- [Sergei Nikulov brought this change]

  CMake: Fix generation of tool_hugehelp.c on windows

  Use "cmake -E echo" instead of "echo".

  Reviewed-by: Brad King <brad.king@kitware.com>

- [Sergei Nikulov brought this change]

  CMake: fix winsock2 detection on windows

  Set CMAKE_REQUIRED_DEFINITIONS to include definitions needed to get
  the winsock2 API from windows.h.  Simplify the order of checks to
  avoid extra conditions.

  Use check_include_file instead of check_include_file_concat to look
  for OpenSSL headers.  They do not need to participate in a sequence
  of dependent system headers.  Also they may cause winsock.h to be
  included before ws2tcpip.h, causing the latter to not be detected
  in the sequence.

  Reviewed-by: Brad King <brad.king@kitware.com>

- [Alessandro Ghedini brought this change]

  gtls: fix build with HTTP2

Steve Holme (16 Feb 2015)
- Makefile.vc6: Corrected typos in rename of darwinssl.obj

Nick Zitzmann (15 Feb 2015)
- By request, change the name of "curl_darwinssl.[ch]" to "darwinssl.[ch]"

Steve Holme (14 Feb 2015)
- RELEASE-NOTES: Synced with 6f89f86c3d

- tests/README: Updated to reflect email test ranges

- [Alessandro Ghedini brought this change]

  curl.1: --cert-status is also supported by OpenSSL now

- build: Removed Visual Studio SuppressStartupBanner directive for VC8+

  Visual Studio 2005 and above defaults to disabling the startup banner
  for the Compiler, Linker and MIDL tools (with /NOLOGO). As such there
  is no need to explicitly set the SuppressStartupBanner directive, as
  this is a leftover from the VC7 and VC7.1 projects being upgraded to
  VC8 and above.

Kamil Dudka (12 Feb 2015)
- openssl: fix a compile-time warning

  lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive

Steve Holme (11 Feb 2015)
- openssl: Use OPENSSL_IS_BORINGSSL for BoringSSL detection

  For consistency with other conditionally compiled code in openssl.c,
  use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
  HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
  not included.

Patrick Monnerat (11 Feb 2015)
- ftp: accept all 2xx responses to the PORT command

Steve Holme (9 Feb 2015)
- openssl: Disable OCSP in old versions of OpenSSL

  Versions of OpenSSL prior to v0.9.8h do not support the necessary
  functions for OCSP stapling.

Daniel Stenberg (9 Feb 2015)
- [Tatsuhiro Tsujikawa brought this change]

  http2: Fix bug that associated stream canceled on PUSH_PROMISE

  Previously we don't ignore PUSH_PROMISE header fields in on_header
  callback.  It makes header values mixed with following HEADERS,
  resulting protocol error.

- [Jay Satiro brought this change]

  polarssl: Fix exclusive SSL protocol version options

  Prior to this change the options for exclusive SSL protocol versions did
  not actually set the protocol exclusive.

  http://curl.haxx.se/mail/lib-2015-01/0002.html
  Reported-by: Dan Fandrich

- [Jay Satiro brought this change]

  gskit: Fix exclusive SSLv3 option

- curl.1: clarify that -X is used for all requests

  Reported-by: Jon Seymour

- curl.1: add warning when using -H and redirects

Steve Holme (7 Feb 2015)
- schannel: Removed curl_ prefix from source files

  Removed the curl_ prefix from the schannel source files as discussed
  with Marc and Daniel at FOSDEM.

Daniel Stenberg (6 Feb 2015)
- md5: use axTLS's own MD5 functions when available

- MD(4|5): make the MD4_* and MD5_* functions static

- axtls: fix conversion from size_t to int warning

Steve Holme (5 Feb 2015)
- ftp: Use 'CURLcode result' for curl result codes

Daniel Stenberg (5 Feb 2015)
- openssl: SSL_SESSION->ssl_version no longer exist

  The struct went private in 1.0.2 so we cannot read the version number
  from there anymore. Use SSL_version() instead!

  Reported-by: Gisle Vanem
  Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html

Dan Fandrich (4 Feb 2015)
- unit1600: Fix compilation when NTLM is disabled

Daniel Stenberg (4 Feb 2015)
- MD5: fix compiler warnings and code style nits

- MD5: replace implementation

  The previous one was "encumbered" by RSA Inc - to avoid the licensing
  restrictions it has being replaced. This is the initial import,
  inserting the md5.c and md5.h files from
  http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5

  Code-by: Alexander Peslyak

- MD4: fix compiler warnings and code style nits

- MD4: replace implementation

  The previous one was "encumbered" by RSA Inc - to avoid the licensing
  restrictions it has being replaced. This is the initial import,
  inserting the md4.c and md4.h files from
  http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4

  Code-by: Alexander Peslyak

Steve Holme (4 Feb 2015)
- telnet: Prefer 'CURLcode result' for curl result codes

- hostasyn: Prefer 'CURLcode result' for curl result codes

- schannel: Prefer 'CURLcode result' for curl result codes

Daniel Stenberg (3 Feb 2015)
- unit1601: MD5 unit tests

- unit1600: unit test for Curl_ntlm_core_mk_nt_hash

- unit1600: NTLM unit test

- tests/README: add a new range, clean up some language

- [Jay Satiro brought this change]

  opts: CURLOPT_CAINFO availability depends on SSL engine

- getpass: protect include with proper #ifdef

  Reported-by: Tamir

- getpass_r: read from stdin, not stdout!

  The file number used was wrong. This bug was introduced over 10 years
  ago, proving this function isn't used much...

  Bug: http://curl.haxx.se/bug/view.cgi?id=1476
  Reported-by: Tamir

- test1135: verify the CURL_EXTERN order in header files

- Makefile.am: fix 'make distcheck'

  ... by removing generated files from the *_DIST variable [*] and instead
  generate them with a .dist suffix, since that is then handled and put
  into the release archive by our generic dist-hook.

  [*] = 'make distcheck' fails with non-existing files listed there

Steve Holme (2 Feb 2015)
- curl_sasl.c: More code policing

  Better use of 80 character line limit, comment corrections and line
  spacing preferences.

Daniel Stenberg (2 Feb 2015)
- libcurl-symbols: first basic shot for autogenerated docs

- FAQ: minor edit of 3.22

Steve Holme (2 Feb 2015)
- build: Added removal of Visual Studio project files

  Added the removal of the locally generated project files so one
  may revert to a clean repository.

- build: Renamed top level Visual Studio solution files

  In preparation for adding the test suite and examples projects renamed
  the top level "all" solution files to better describe what they are.

  This will also enable us to use "curl" rather than "curlsrc" for the
  command line tool solution and project files, which will simplify some
  of the configuration.

- build: Enabled DEBUGBUILD in Visual Studio debug builds

  Defined the DEBUGBUILD pre-processor variable to allow extra logging,
  which is particularly useful in debug builds, as we use this and Visual
  Studio typically uses _DEBUG.

  We could define DEBUBBUILD, in curl_setup.h, when _MSC_VER and _DEBUG is
  defined but that would also affect the makefile based builds which we
  probably don't want to do.

- build: Removed unused Visual Studio bscmake settings

Daniel Stenberg (2 Feb 2015)
- CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0

  And modify the text to refer to HTTP 2 as it isn't called "2.0".

  Reported-By: Michael Wallner

Marc Hoersken (31 Jan 2015)
- TODO: moved WinSSL/SChannel todo items into docs

Daniel Stenberg (29 Jan 2015)
- [Michael Kaufmann brought this change]

  CURLOPT_SEEKFUNCTION.3: also when server closes a connection

Steve Holme (29 Jan 2015)
- curl_sasl.c: Fixed compilation warning when cryptography is disabled

  curl_sasl.c:1506: warning: unused variable 'chlg'

- curl_sasl.c: Fixed compilation warning when verbose debug output disabled

  curl_sasl.c:1317: warning: unused parameter 'conn'

- ntlm_core: Use own odd parity function when crypto engine doesn't have one

- ntlm_core: Prefer sizeof(key) rather than hard coded sizes

- ntlm_core: Added consistent comments to DES functions

- des: Added Curl_des_set_odd_parity()

  Added Curl_des_set_odd_parity() for use when cryptography engines
  don't include this functionality.

- tests: Grouped SMTP SASL EXTERNAL tests with other SMTP tests

- tests: Grouped POP3 SASL EXTERNAL tests with other POP3 tests

- tests: Grouped IMAP SASL EXTERNAL tests with other IMAP tests

- sasl: Minor code policing and grammar corrections

Daniel Stenberg (28 Jan 2015)
- [Gisle Vanem brought this change]

  ldap: build with BoringSSL

- security: avoid compiler warning

  Possible access to uninitialised memory '&nread' at line 140 of
  lib/security.c in function 'ftp_send_command'.

  Reported-by: Rich Burridge

- runtests: identify BoringSSL and libressl

Patrick Monnerat (27 Jan 2015)
- docs: cite SASL external authentication.

- sasl: remove XOAUTH2 from default enabled authentication mechanism.

- test: add test cases for sasl external authentication (imap/pop3/smtp).

- imap: remove automatic password setting: it breaks external sasl authentication

- sasl: implement EXTERNAL authentication mechanism.
    Its use is only enabled by explicit requirement in URL (;AUTH=EXTERNAL) and
  by not setting the password.

Steve Holme (27 Jan 2015)
- openssl: Fixed Curl_ossl_cert_status_request() not returning FALSE

  Modified the Curl_ossl_cert_status_request() function to return FALSE
  when built with BoringSSL or when OpenSSL is missing the necessary TLS
  extensions.

- openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'

  Fixed the build of openssl.c when OpenSSL is built without the necessary
  TLS extensions for OCSP stapling.

  Reported-by: John E. Malmberg

- [Brad Spencer brought this change]

  curl_setup: Disable SMB/CIFS support when HTTP only

- RELEASE-NOTES: Synced with 37824498a3

Daniel Stenberg (22 Jan 2015)
- configure: remove detection of the old yassl emulation API

  ... as that is ancient history and not used.

- OCSP stapling: disabled when build with BoringSSL

- [Alessandro Ghedini brought this change]

  openssl: add support for the Certificate Status Request TLS extension

  Also known as "status_request" or OCSP stapling, defined in RFC6066
  section 8.

  Thanks-to: Joe Mason
  - for the work-around for the OpenSSL bug.

- BoringSSL: fix build for non-configure builds

  HAVE_BORINGSSL gets defined now by configure and should be defined by
  other build systems in case a BoringSSL build is desired.

- configure: fix BoringSSL detection and detect libresssl

Steve Holme (22 Jan 2015)
- curl_sasl: Reinstate the sasl_ prefix for locally scoped functions

  Commit 7a8b2885e2 made some functions static and removed the public
  Curl_ prefix. Unfortunately, it also removed the sasl_ prefix, which
  is the naming convention we use in this source file.

- curl_sasl: Minor code policing following recent commits

Daniel Stenberg (22 Jan 2015)
- [John Malmberg brought this change]

  openvms: Handle openssl/0.8.9zb version parsing

  packages/vms/gnv_link_curl.com was assuming only a single letter suffix
  in the openssl version.  That assumption has been fixed for 7.40.

- BoringSSL: detected by configure, switches off NTLM

- BoringSSL: no PKCS12 support nor ERR_remove_state

- [Leith Bade brought this change]

  BoringSSL: fix build

Steve Holme (20 Jan 2015)
- curl_sasl.c: chlglen is not used when cryptography is disabled

- curl_sasl.c: Fixed compilation warning when cyptography is disabled

  curl_sasl.c:1453: warning C4101: 'serverdata' : unreferenced local
                    variable

- curl_sasl.c: Fixed compilation error when USE_WINDOWS_SSPI defined

  curl_sasl.c:1221: error C2065: 'mechtable' : undeclared identifier

  This error could also happen for non-SSPI builds when cryptography is
  disabled (CURL_DISABLE_CRYPTO_AUTH is defined).

Patrick Monnerat (20 Jan 2015)
- SASL: make some procedures local-scoped

- SASL: common state engine for imap/pop3/smtp

- SASL: common URL option and auth capabilities decoders for all protocols

- IMAP/POP3/SMTP: use a per-connection sub-structure for SASL parameters.

Daniel Stenberg (20 Jan 2015)
- ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6

  Reported-by: Chris Young

- [Chris Young brought this change]

  timeval: typecast for better type (on Amiga)

  There is an issue with conflicting "struct timeval" definitions with
  certain AmigaOS releases and C libraries, depending on what gets
  included when.  It's a minor difference - the OS one is unsigned,
  whereas the common structure has signed elements.  If the OS one ends up
  getting defined, this causes a timing calculation error in curl.

  It's easy enough to resolve this at the curl end, by casting the
  potentially errorneous calculation to a signed long.

- openssl: do public key pinning check independently

  ... of the other cert verification checks so that you can set verifyhost
  and verifypeer to FALSE and still check the public key.

  Bug: http://curl.haxx.se/bug/view.cgi?id=1471
  Reported-by: Kyle J. McKay

Patrick Monnerat (19 Jan 2015)
- OS400: CURLOPT_SSL_VERIFYSTATUS for ILE/RPG too.

Steve Holme (18 Jan 2015)
- ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP

  For consistency with other USE_WIN32_ defines as well as the
  USE_OPENLDAP define.

- http_negotiate: Use dynamic buffer for SPN generation

  Use a dynamicly allocated buffer for the temporary SPN variable similar
  to how the SASL GSS-API code does, rather than using a fixed buffer of
  2048 characters.

- sasl_gssapi: Make Curl_sasl_build_gssapi_spn() public

- sasl_gssapi: Fixed memory leak with local SPN variable

Daniel Stenberg (17 Jan 2015)
- http_negotiate.c: unused variable 'ret'

Steve Holme (17 Jan 2015)
- gskit.h: Code policing of function pointer arguments

- vtls: Removed unimplemented overrides of curlssl_close_all()

  Carrying on from commit 037cd0d991, removed the following unimplemented
  instances of curlssl_close_all():

  Curl_axtls_close_all()
  Curl_darwinssl_close_all()
  Curl_cyassl_close_all()
  Curl_gskit_close_all()
  Curl_gtls_close_all()
  Curl_nss_close_all()
  Curl_polarssl_close_all()

- vtls: Separate the SSL backend definition from the API setup

  Slight code cleanup as the SSL backend #define is mixed up with the API
  function setup.

- vtls: Fixed compilation errors when SSL not used

  Fixed the following warning and error from commit 3af90a6e19 when SSL
  is not being used:

  url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined;
              assuming extern returning int

  error LNK2019: unresolved external symbol Curl_ssl_cert_status_request
                 referenced in function Curl_setopt

- http_negotiate: Added empty decoded challenge message info text

- http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int

- http_negotiate_sspi: Prefer use of 'attrs' for context attributes

  Use the same variable name as other areas of SSPI code.

- http_negotiate_sspi: Use correct return type for QuerySecurityPackageInfo()

  Use the SECURITY_STATUS typedef rather than a unsigned long for the
  QuerySecurityPackageInfo() return and rename the variable as per other
  areas of SSPI code.

- http_negotiate_sspi: Use 'CURLcode result' for CURL result code

- curl_endian: Fixed build when 64-bit integers are not supported (Part 2)

  Missed Curl_read64_be() in commit bb12d44471 :(

Daniel Stenberg (16 Jan 2015)
- CURLOPT_SSL_VERIFYSTATUS.3: mention it is added in version 7.41.0

- curlver.h: next release is 7.41.0 due to the changes

- RELEASE-NOTES: mention the new OCSP stapling options, bump version

- opts: add CURLOPT_SSL_VERIFYSTATUS* to docs/Makefile

- help: add --cert-status to --help output

- copyright years: after OCSP stapling changes

- [Alessandro Ghedini brought this change]

  curl: add --cert-status option

  This enables the CURLOPT_SSL_VERIFYSTATUS functionality.

- [Alessandro Ghedini brought this change]

  nss: add support for the Certificate Status Request TLS extension

  Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.

  This requires NSS 3.15 or higher.

- [Alessandro Ghedini brought this change]

  gtls: add support for the Certificate Status Request TLS extension

  Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.

  This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use
  at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP
  response verfication to fail even on valid responses.

- [Alessandro Ghedini brought this change]

  url: add CURLOPT_SSL_VERIFYSTATUS option

  This option can be used to enable/disable certificate status verification using
  the "Certificate Status Request" TLS extension defined in RFC6066 section 8.

  This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
  certificate status verification fails, and the Curl_ssl_cert_status_request()
  function, used to check whether the SSL backend supports the status_request
  extension.

- TheArtOfHttpScripting: skip the date at the top, we have git

- TheArtOfHttpScripting: phrase it TLS lib agnostic

Steve Holme (16 Jan 2015)
- TODO: Added some SMB ideas

- RELEASE-NOTES: Synced with 5f09947d28

- build-openssl.bat: Added check for Perl installation

- checksrc.bat: Better detection of Perl installation

- curl_endian: Fixed build when 64-bit integers are not supported

  Bug: http://curl.haxx.se/mail/lib-2015-01/0094.html
  Reported-by: John E. Malmberg

Daniel Stenberg (15 Jan 2015)
- [Yun SangHo brought this change]

  curl.h: remove extra space

- Curl_pretransfer: reset expected transfer sizes

  Reported-by: Mohammad AlSaleh
  Bug: http://curl.haxx.se/mail/lib-2015-01/0065.html

Marc Hoersken (12 Jan 2015)
- curl_schannel.c: mark session as removed from cache if not freed

  If the session is still used by active SSL/TLS connections, it
  cannot be closed yet. Thus we mark the session as not being cached
  any longer so that the reference counting mechanism in
  Curl_schannel_shutdown is used to close and free the session.

  Reported-by: Jean-Francois Durand

Steve Holme (9 Jan 2015)
- RELEASE-NOTES: Synced with d21b66835f

Guenter Knauf (9 Jan 2015)
- Merge pull request #134 from vszakats/mingw-m64

  add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS

- Merge pull request #136 from vszakats/mingw-allow-custom-cflags

  mingw build: allow to pass custom CFLAGS

Daniel Stenberg (9 Jan 2015)
- NSS: fix compiler error when built http2-enabled

Steve Holme (9 Jan 2015)
- gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions

  Better code reuse and consistency in calls to gss_import_name().

Viktor Szakats (9 Jan 2015)
- mingw build: allow to pass custom CFLAGS

Daniel Stenberg (8 Jan 2015)
- FTP: if EPSV fails on IPV6 connections, bail out

  ... instead of trying PASV, since PASV can't work with IPv6.

  Reported-by: Vojtěch Král

- FTP: fix IPv6 host using link-local address

  ... and make sure we can connect the data connection to a host name that
  is longer than 48 bytes.

  Also simplifies the code somewhat by re-using the original host name
  more, as it is likely still in the DNS cache.

  Original-Patch-by: Vojtěch Král
  Bug: http://curl.haxx.se/bug/view.cgi?id=1468

Steve Holme (8 Jan 2015)
- [Sam Schanken brought this change]

  winbuild: Added option to build with c-ares

  Added support for a WITH_CARES option to be used when invoking nmake
  via Makefile.vc. This option enables linking against both the DLL and
  static versions of the c-ares libraries, as well as the debug and
  release varients, depending on the value of DEBUG. The USE_ARES
  preprocessor symbol is also defined.

Guenter Knauf (8 Jan 2015)
- NetWare build: added TLS-SRP enabled build.

Steve Holme (8 Jan 2015)
- sasl_gssapi: Fixed build on NetBSD with built-in GSS-API

  Bug: http://curl.haxx.se/bug/view.cgi?id=1469
  Reported-by: Thomas Klausner

Viktor Szakats (8 Jan 2015)
- add -m64 clags when targeting mingw64, add -m32/-m64 to LDFLAGS

Daniel Stenberg (8 Jan 2015)
- bump: start working towards 7.40.1

- THANKS: 14 new contributors from the 7.40.0 release notes

5 files changed, 25 insertions, 30 deletions

diff --git a/www/curl/Makefile b/www/curl/Makefile
index 32c37ffb5b4..17e14fc2fa7 100644
--- a/www/curl/Makefile
+++ b/www/curl/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.144 2015/01/08 17:23:07 wiz Exp $
+# $NetBSD: Makefile,v 1.145 2015/03/01 15:01:00 wiz Exp $
 
-DISTNAME=	curl-7.40.0
+DISTNAME=	curl-7.41.0
 CATEGORIES=	www
 MASTER_SITES=	http://curl.haxx.se/download/ \
 		ftp://ftp.sunet.se/pub/www/utilities/curl/
diff --git a/www/curl/PLIST b/www/curl/PLIST
index 8a5d047dade..e2a64014a89 100644
--- a/www/curl/PLIST
+++ b/www/curl/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.46 2015/01/08 17:23:07 wiz Exp $
+@comment $NetBSD: PLIST,v 1.47 2015/03/01 15:01:00 wiz Exp $
 bin/curl
 bin/curl-config
 include/curl/curl.h
@@ -207,6 +207,7 @@ man/man3/CURLOPT_SSL_OPTIONS.3
 man/man3/CURLOPT_SSL_SESSIONID_CACHE.3
 man/man3/CURLOPT_SSL_VERIFYHOST.3
 man/man3/CURLOPT_SSL_VERIFYPEER.3
+man/man3/CURLOPT_SSL_VERIFYSTATUS.3
 man/man3/CURLOPT_STDERR.3
 man/man3/CURLOPT_TCP_KEEPALIVE.3
 man/man3/CURLOPT_TCP_KEEPIDLE.3
@@ -290,6 +291,7 @@ man/man3/libcurl-easy.3
 man/man3/libcurl-errors.3
 man/man3/libcurl-multi.3
 man/man3/libcurl-share.3
+man/man3/libcurl-symbols.3
 man/man3/libcurl-tutorial.3
 man/man3/libcurl.3
 share/aclocal/libcurl.m4
diff --git a/www/curl/distinfo b/www/curl/distinfo
index 5fa29b94a40..e37f4461ddb 100644
--- a/www/curl/distinfo
+++ b/www/curl/distinfo
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.101 2015/01/08 19:23:53 wiz Exp $
+$NetBSD: distinfo,v 1.102 2015/03/01 15:01:00 wiz Exp $
 
-SHA1 (curl-7.40.0.tar.bz2) = 1446603f4df89b6d1cafc4d6a8617c892651b3ff
-RMD160 (curl-7.40.0.tar.bz2) = 5ca0220dc5e866271e3757b21eee14477690e259
-Size (curl-7.40.0.tar.bz2) = 3266944 bytes
-SHA1 (patch-aa) = 54c9f5b1a22743e2714883ae5a2b20366b839e7e
+SHA1 (curl-7.41.0.tar.bz2) = 6784591ed7dc3452a8ef6fba050777c50775c4f1
+RMD160 (curl-7.41.0.tar.bz2) = 8aa31d13947a9f0c13d7445e1da70554555fe67a
+Size (curl-7.41.0.tar.bz2) = 3304508 bytes
+SHA1 (patch-aa) = bb12008145096a963948ae69124746875452afa7
 SHA1 (patch-curl-config.in) = fd87c97b601a6b9269f67fbc066604ee7e22570e
-SHA1 (patch-lib_curl__sasl__gssapi.c) = 63ef03938a2a15ccae86722df776d40fd9bd2c7a
 SHA1 (patch-lib_hostcheck.c) = 9faf94f44703c7d37377fd3af319ca5c27df34c2
diff --git a/www/curl/patches/patch-aa b/www/curl/patches/patch-aa
index 7f2ef2b6922..7abe639c7e7 100644
--- a/www/curl/patches/patch-aa
+++ b/www/curl/patches/patch-aa
@@ -1,11 +1,11 @@
-$NetBSD: patch-aa,v 1.28 2014/09/14 16:43:44 wiz Exp $
+$NetBSD: patch-aa,v 1.29 2015/03/01 15:01:00 wiz Exp $
 
 builtin krb5-config in platforms such as solaris do not support
 the gssapi option, and need an explicit -lgss
 
---- configure.orig	2014-09-04 20:42:23.000000000 +0000
+--- configure.orig	2015-02-24 23:05:37.000000000 +0000
 +++ configure
-@@ -3640,6 +3640,7 @@ $as_echo "$as_me: $xc_bad_var_msg librar
+@@ -3703,6 +3703,7 @@ $as_echo "$as_me: $xc_bad_var_msg librar
          ;;
      esac
    done
@@ -13,7 +13,7 @@ the gssapi option, and need an explicit -lgss
    if test $xc_bad_var_cflags = yes; then
      { $as_echo "$as_me:${as_lineno-$LINENO}: using CFLAGS: $CFLAGS" >&5
  $as_echo "$as_me: using CFLAGS: $CFLAGS" >&6;}
-@@ -16618,7 +16619,7 @@ squeeze() {
+@@ -16682,7 +16683,7 @@ squeeze() {
  
  
        #
@@ -22,7 +22,7 @@ the gssapi option, and need an explicit -lgss
      #
      if test "$compiler_id" = "GNU_C" ||
        test "$compiler_id" = "CLANG"; then
-@@ -21039,7 +21040,12 @@ $as_echo "yes" >&6; }
+@@ -21128,7 +21129,12 @@ $as_echo "yes" >&6; }
       if test -n "$host_alias" -a -f "$GSSAPI_ROOT/bin/$host_alias-krb5-config"; then
          GSSAPI_INCS=`$GSSAPI_ROOT/bin/$host_alias-krb5-config --cflags gssapi`
       elif test -f "$GSSAPI_ROOT/bin/krb5-config"; then
@@ -36,7 +36,7 @@ the gssapi option, and need an explicit -lgss
       elif test "$GSSAPI_ROOT" != "yes"; then
          GSSAPI_INCS="-I$GSSAPI_ROOT/include"
       fi
-@@ -21212,7 +21218,7 @@ $as_echo "#define HAVE_GSSAPI 1" >>confd
+@@ -21301,7 +21307,7 @@ $as_echo "#define HAVE_GSSAPI 1" >>confd
          LIBS="-lgss $LIBS"
          ;;
       *)
@@ -45,3 +45,12 @@ the gssapi option, and need an explicit -lgss
          ;;
       esac
    fi
+@@ -24016,7 +24022,7 @@ _ACEOF
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: $capath (capath)" >&5
+ $as_echo "$capath (capath)" >&6; }
+   fi
+-  if test "x$ca" == "xno" && test "x$capath" == "xno"; then
++  if test "x$ca" = "xno" && test "x$capath" = "xno"; then
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ $as_echo "no" >&6; }
+   fi
diff --git a/www/curl/patches/patch-lib_curl__sasl__gssapi.c b/www/curl/patches/patch-lib_curl__sasl__gssapi.c
deleted file mode 100644
index 142507fbf5e..00000000000
--- a/www/curl/patches/patch-lib_curl__sasl__gssapi.c
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-lib_curl__sasl__gssapi.c,v 1.1 2015/01/08 19:23:53 wiz Exp $
-
-Fix build on NetBSD with gssapi.
-
---- lib/curl_sasl_gssapi.c.orig	2015-01-07 21:53:57.000000000 +0000
-+++ lib/curl_sasl_gssapi.c
-@@ -126,7 +126,7 @@ CURLcode Curl_sasl_create_gssapi_user_me
- 
-     /* Import the SPN */
-     gss_major_status = gss_import_name(&gss_minor_status, &spn_token,
--                                       gss_nt_service_name, &krb5->spn);
-+                                       GSS_C_NT_HOSTBASED_SERVICE, &krb5->spn);
-     if(GSS_ERROR(gss_major_status)) {
-       Curl_gss_log_error(data, gss_minor_status, "gss_import_name() failed: ");
-