new file mode 100644
@@ -0,0 +1,85 @@
+From 9989d5392e9e61c81fdd3e464511ddd8d73c2f87 Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Fri, 31 Jan 2025 23:20:46 +0100
+Subject: [PATCH] build: enable `-Wcast-qual`, fix or silence compiler warnings
+
+The issues found fell into these categories, with the applied fixes:
+
+- const was accidentally stripped.
+ Adjust code to not cast or cast with const.
+
+- const/volatile missing from arguments, local variables.
+ Constify arguments or variables, adjust/delete casts. Small code
+ changes in a few places.
+
+- const must be stripped because an API dependency requires it.
+ Strip `const` with `CURL_UNCONST()` macro to silence the warning out
+ of our control. These happen at API boundaries. Sometimes they depend
+ on dependency version, which this patch handles as necessary. Also
+ enable const support for the zlib API, using `ZLIB_CONST`. Supported
+ by zlib 1.2.5.2 and newer.
+
+- const must be stripped because a curl API requires it.
+ Strip `const` with `CURL_UNCONST()` macro to silence the warning out
+ of our immediate control. For example we promise to send a non-const
+ argument to a callback, though the data is const internally.
+
+- other cases where we may avoid const stripping by code changes.
+ Also silenced with `CURL_UNCONST()`.
+
+- there are 3 places where `CURL_UNCONST()` is cast again to const.
+ To silence this type of warning:
+ ```
+ lib/vquic/curl_osslq.c:1015:29: error: to be safe all intermediate
+ pointers in cast from 'unsigned char **' to 'const unsigned char **'
+ must be 'const' qualified [-Werror=cast-qual]
+ lib/cf-socket.c:734:32: error: to be safe all intermediate pointers in
+ cast from 'char **' to 'const char **' must be 'const' qualified
+ [-Werror=cast-qual]
+ ```
+ There may be a better solution, but I couldn't find it.
+
+These cases are handled in separate subcommits, but without further
+markup.
+
+If you see a `-Wcast-qual` warning in curl, we appreciate your report
+about it.
+
+Closes #16142
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/9989d5392e9e61c81fdd3e464511ddd8d73c2f87]
+
+Picked only header file definition, not complete code refactoring.
+CURL_UNCONST will be probably needed also by further CVE patches due to this rework.
+
+Also later modified by removing VS2008 code per 2e1a045d8985e5daa4d9a4f908ed870a16d8e41e.
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/curl_setup_once.h | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/curl_setup_once.h b/lib/curl_setup_once.h
+index bf0ee663d3..df5b44c478 100644
+--- a/lib/curl_setup_once.h
++++ b/lib/curl_setup_once.h
+@@ -69,10 +69,18 @@
+ #include <unistd.h>
+ #endif
+
+-#ifdef USE_WOLFSSL
++#if defined(HAVE_STDINT_H) || defined(USE_WOLFSSL)
+ #include <stdint.h>
+ #endif
+
++/* Macro to strip 'const' without triggering a compiler warning.
++ Use* it for APIs that do not or cannot support the const qualifier. */
++#ifdef HAVE_STDINT_H
++# define CURL_UNCONST(p) ((void *)(uintptr_t)(const void *)(p))
++#else
++# define CURL_UNCONST(p) ((void *)(p)) /* Fall back to simple cast */
++#endif
++
+ #ifdef USE_SCHANNEL
+ /* Must set this before <schannel.h> is included directly or indirectly by
+ another Windows header. */
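Review bot: The `#else` fallback `((void *)(p))` at the end of the added macro block is a plain cast that drops the qualifier, so under `-Wcast-qual` it would raise the very warning the comment above it says the macro avoids; only the `uintptr_t` route is warning-free. As far as the diffstat shows, this backport takes only the header definition and does not enable the warning, so this is harmless here, but the comment should say it: `# define CURL_UNCONST(p) ((void *)(p)) /* Fall back to simple cast; still warns under -Wcast-qual */`. The second line of the macro's comment reads `Use* it`, which looks like a stray asterisk and should be `Use it`. Because the macro switches off a compiler check, each call site added by later backports deserves a short reason next to it.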
new file mode 100644
@@ -0,0 +1,73 @@
+From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 17 Dec 2025 10:54:16 +0100
+Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a
+ different CA cache
+
+Reported-by: Stanislav Fort
+
+Closes #20009
+
+CVE: CVE-2025-14819
+Upstream-Status: Backport [https://github.com/curl/curl/commit/cd046f6c93b39d673a58c18648d8906e954c4f5d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vtls/openssl.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index a7f169d641..7563d9a090 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -317,6 +317,7 @@ struct multi_ssl_backend_data {
+ char *CAfile; /* CAfile path used to generate X509 store */
+ X509_STORE *store; /* cached X509 store or NULL if none */
+ struct curltime time; /* when the cached store was created */
++ BIT(no_partialchain); /* keep partial chain state */
+ };
+ #endif /* HAVE_SSL_X509_STORE_SHARE */
+
+@@ -3378,12 +3379,16 @@ static bool cached_x509_store_expired(const struct Curl_easy *data,
+
+ static bool cached_x509_store_different(
+ struct Curl_cfilter *cf,
++ const struct Curl_easy *data,
+ const struct multi_ssl_backend_data *mb)
+ {
+ struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
++ struct ssl_config_data *ssl_config =
++ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
++ if(mb->no_partialchain != ssl_config->no_partialchain)
++ return TRUE;
+ if(!mb->CAfile || !conn_config->CAfile)
+ return mb->CAfile != conn_config->CAfile;
+-
+ return strcmp(mb->CAfile, conn_config->CAfile);
+ }
+
+@@ -3398,7 +3403,7 @@ static X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf,
+ multi->ssl_backend_data &&
+ multi->ssl_backend_data->store &&
+ !cached_x509_store_expired(data, multi->ssl_backend_data) &&
+- !cached_x509_store_different(cf, multi->ssl_backend_data)) {
++ !cached_x509_store_different(cf, data, multi->ssl_backend_data)) {
+ store = multi->ssl_backend_data->store;
+ }
+
+@@ -3427,6 +3432,8 @@ static void set_cached_x509_store(struct Curl_cfilter *cf,
+
+ if(X509_STORE_up_ref(store)) {
+ char *CAfile = NULL;
++ struct ssl_config_data *ssl_config =
++ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
+
+ if(conn_config->CAfile) {
+ CAfile = strdup(conn_config->CAfile);
+@@ -3444,6 +3451,7 @@ static void set_cached_x509_store(struct Curl_cfilter *cf,
+ mbackend->time = Curl_now();
+ mbackend->store = store;
+ mbackend->CAfile = CAfile;
++ mbackend->no_partialchain = ssl_config->no_partialchain;
+ }
+ }
+
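Review bot: The new `no_partialchain` comparison in `cached_x509_store_different()` has no comment saying why the flag is part of the cache key, and the field comment `/* keep partial chain state */` does not say whose state it records. I would document the field as `/* no_partialchain setting the cached store was created with */` and put `/* a store built under a different partial-chain setting must not be reused */` above the new `if`, so that a later refactor does not drop the check and let a handle that set CURLSSLOPT_NO_PARTIALCHAIN pick up a store cached by one that did not. Both new `Curl_ssl_cf_get_config()` calls rely on `CURL_UNCONST`, which this patch does not define, so the patch header should name the patch that supplies it as a prerequisite. The bodies of `get_cached_x509_store()` and `set_cached_x509_store()` continue outside the embedded hunks.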
@@ -26,6 +26,8 @@ SRC_URI = " \
file://CVE-2025-0167.patch \
file://CVE-2025-9086.patch \
file://CVE-2025-14017.patch \
+ file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
+ file://CVE-2025-14819.patch \
"
SRC_URI:append:class-nativesdk = " \