new upstream release - 8.18.0

Related: #2408809

.gitignore

@@ -1,2 +1,6 @@
 /curl-[0-9.]*.tar.lzma
+/curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
+/curl-[0-9.]*.tar.xz.asc
+/curl-[0-9]*.[0-9]*.[0-9]*/
+/*.src.rpm

0001-curl-7.76.1-resource-leaks.patch

@@ -1,133 +0,0 @@
-From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Fri, 30 Apr 2021 18:14:45 +0200
-Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url()
-
-... detected by Coverity:
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
-
-Closes #6986
-
-Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/http2.c | 24 +++++++++++++++++-------
- 1 file changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/lib/http2.c b/lib/http2.c
-index ce9a0d3..d5ba89b 100644
---- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data,
-   CURLU *u = curl_url();
-   CURLUcode uc;
-   char *url;
-+  int rc = 0;
- 
-   v = curl_pushheader_byname(hp, ":scheme");
-   if(v) {
-     uc = curl_url_set(u, CURLUPART_SCHEME, v, 0);
--    if(uc)
--      return 1;
-+    if(uc) {
-+      rc = 1;
-+      goto fail;
-+    }
-   }
- 
-   v = curl_pushheader_byname(hp, ":authority");
-   if(v) {
-     uc = curl_url_set(u, CURLUPART_HOST, v, 0);
--    if(uc)
--      return 2;
-+    if(uc) {
-+      rc = 2;
-+      goto fail;
-+    }
-   }
- 
-   v = curl_pushheader_byname(hp, ":path");
-   if(v) {
-     uc = curl_url_set(u, CURLUPART_PATH, v, 0);
--    if(uc)
--      return 3;
-+    if(uc) {
-+      rc = 3;
-+      goto fail;
-+    }
-   }
- 
-   uc = curl_url_get(u, CURLUPART_URL, &url, 0);
-   if(uc)
--    return 4;
-+    rc = 4;
-+  fail:
-   curl_url_cleanup(u);
-+  if(rc)
-+    return rc;
- 
-   if(data->state.url_alloc)
-     free(data->state.url);
--- 
-2.30.2
-
-
-From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Fri, 30 Apr 2021 18:18:02 +0200
-Subject: [PATCH 2/2] http2: fix a resource leak in push_promise()
-
-... detected by Coverity:
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
-lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
-lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
-lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
-
-Closes #6986
-
-Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/http2.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/http2.c b/lib/http2.c
-index d5ba89b..d0f69ea 100644
---- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data,
- 
-     rv = set_transfer_url(newhandle, &heads);
-     if(rv) {
-+      (void)Curl_close(&newhandle);
-       rv = CURL_PUSH_DENY;
-       goto fail;
-     }
--- 
-2.30.2
-

0002-curl-7.76.1-CVE-2021-22898.patch

@@ -1,31 +0,0 @@
-From 886f7458bbf005299f3f8224103d1903cd6fa7a4 Mon Sep 17 00:00:00 2001
-From: Harry Sintonen <sintonen@iki.fi>
-Date: Fri, 7 May 2021 13:09:57 +0200
-Subject: [PATCH] telnet: check sscanf() for correct number of matches
-
-CVE-2021-22898
-
-Bug: https://curl.se/docs/CVE-2021-22898.html
-
-Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/telnet.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/telnet.c b/lib/telnet.c
-index f96a4cb..4551435 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -921,7 +921,7 @@ static void suboption(struct Curl_easy *data)
-         size_t tmplen = (strlen(v->data) + 1);
-         /* Add the variable only if it fits */
-         if(len + tmplen < (int)sizeof(temp)-6) {
--          if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
-+          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
-             msnprintf((char *)&temp[len], sizeof(temp) - len,
-                       "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
-                       CURL_NEW_ENV_VALUE, varval);
--- 
-2.31.1
-

0004-curl-7.76.1-ldaps-segv.patch

@@ -1,44 +0,0 @@
-From 39b68b3f82535d06e50443db4c191dbaa00df4eb Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Fri, 23 Apr 2021 00:33:46 +0200
-Subject: [PATCH] vtls: reset ssl use flag upon negotiation failure
-
-Fixes the segfault in ldaps disconnect.
-
-Reported-by: Illarion Taev
-Fixes #6934
-Closes #6937
-
-Upstream-commit: a4554b2c5e7c5788c8198001598818599c60ff7d
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/vtls/vtls.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index 22cfb88..fa8a6fa 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -315,6 +315,8 @@ Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
- 
-   if(!result)
-     Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
-+  else
-+    conn->ssl[sockindex].use = FALSE;
- 
-   return result;
- }
-@@ -338,7 +340,9 @@ Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
-   /* mark this is being ssl requested from here on. */
-   conn->ssl[sockindex].use = TRUE;
-   result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
--  if(!result && *done)
-+  if(result)
-+    conn->ssl[sockindex].use = FALSE;
-+  else if(*done)
-     Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
-   return result;
- }
--- 
-2.31.1
-

0005-curl-7.76.1-CVE-2021-22924.patch

@@ -1,279 +0,0 @@
-From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sat, 19 Jun 2021 00:42:28 +0200
-Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
- sensitivity
-
-CVE-2021-22924
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2021-22924.html
-
-Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/url.c          | 10 ++++++----
- lib/urldata.h      |  4 ++--
- lib/vtls/gtls.c    | 10 +++++-----
- lib/vtls/nss.c     |  4 ++--
- lib/vtls/openssl.c | 18 +++++++++---------
- lib/vtls/vtls.c    | 26 +++++++++++++++++++++-----
- 6 files changed, 45 insertions(+), 27 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index 9f2c9f2..bdcb095 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data,
-   */
-   data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
-   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
-+  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
-+  data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
-   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
-   data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
-   data->set.ssl.primary.cipher_list =
-@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data,
-   data->set.proxy_ssl.primary.pinned_key =
-     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
-   data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
-+  data->set.proxy_ssl.primary.issuercert =
-+    data->set.str[STRING_SSL_ISSUERCERT_PROXY];
-+  data->set.proxy_ssl.primary.issuercert_blob =
-+    data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
-   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
--  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
-   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
-   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
-   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
-@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data,
-   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
- #endif
-   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
--  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
-   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
-   data->set.ssl.key = data->set.str[STRING_KEY];
-   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
-@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data,
-   data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
- #endif
- #endif
--
-   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
--  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
- 
-   if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
-                                     &conn->ssl_config)) {
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 2bb7d81..7cf63d0 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -246,6 +246,7 @@ struct ssl_primary_config {
-   long version_max;      /* max supported version the client wants to use*/
-   char *CApath;          /* certificate dir (doesn't work on windows) */
-   char *CAfile;          /* certificate to verify peer against */
-+  char *issuercert;      /* optional issuer certificate filename */
-   char *clientcert;
-   char *random_file;     /* path to file containing "random" data */
-   char *egdsocket;       /* path to file containing the EGD daemon socket */
-@@ -253,6 +254,7 @@ struct ssl_primary_config {
-   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
-   char *pinned_key;
-   struct curl_blob *cert_blob;
-+  struct curl_blob *issuercert_blob;
-   char *curves;          /* list of curves to use */
-   BIT(verifypeer);       /* set TRUE if this is desired */
-   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
-@@ -264,8 +266,6 @@ struct ssl_config_data {
-   struct ssl_primary_config primary;
-   long certverifyresult; /* result from the certificate verification */
-   char *CRLfile;   /* CRL to check certificate revocation */
--  char *issuercert;/* optional issuer certificate filename */
--  struct curl_blob *issuercert_blob;
-   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
-   void *fsslctxp;        /* parameter for call back */
-   char *cert_type; /* format for certificate (default: PEM)*/
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index ea54fe3..ccc5ce8 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data,
-   if(!chainp) {
-     if(SSL_CONN_CONFIG(verifypeer) ||
-        SSL_CONN_CONFIG(verifyhost) ||
--       SSL_SET_OPTION(issuercert)) {
-+       SSL_CONN_CONFIG(issuercert)) {
- #ifdef HAVE_GNUTLS_SRP
-       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
-          && SSL_SET_OPTION(username) != NULL
-@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data,
-        gnutls_x509_crt_t format */
-     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
- 
--  if(SSL_SET_OPTION(issuercert)) {
-+  if(SSL_CONN_CONFIG(issuercert)) {
-     gnutls_x509_crt_init(&x509_issuer);
--    issuerp = load_file(SSL_SET_OPTION(issuercert));
-+    issuerp = load_file(SSL_CONN_CONFIG(issuercert));
-     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
-     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
-     gnutls_x509_crt_deinit(x509_issuer);
-     unload_file(issuerp);
-     if(rc <= 0) {
-       failf(data, "server certificate issuer check failed (IssuerCert: %s)",
--            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
-+            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
-       gnutls_x509_crt_deinit(x509_cert);
-       return CURLE_SSL_ISSUER_ERROR;
-     }
-     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
--          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
-+          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
-   }
- 
-   size = sizeof(certname);
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index ae3945c..b0b1e8c 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
-   if(result)
-     goto error;
- 
--  if(SSL_SET_OPTION(issuercert)) {
-+  if(SSL_CONN_CONFIG(issuercert)) {
-     SECStatus ret = SECFailure;
--    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
-+    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
-     if(nickname) {
-       /* we support only nicknames in case of issuercert for now */
-       ret = check_issuer_cert(backend->handle, nickname);
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 2404393..be7b811 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data,
-        deallocating the certificate. */
- 
-     /* e.g. match issuer name with provided issuer certificate */
--    if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
--      if(SSL_SET_OPTION(issuercert_blob))
--        fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
--                             (int)SSL_SET_OPTION(issuercert_blob)->len);
-+    if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
-+      if(SSL_CONN_CONFIG(issuercert_blob))
-+        fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
-+                             (int)SSL_CONN_CONFIG(issuercert_blob)->len);
-       else {
-         fp = BIO_new(BIO_s_file());
-         if(fp == NULL) {
-@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data,
-           return CURLE_OUT_OF_MEMORY;
-         }
- 
--        if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
-+        if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
-           if(strict)
-             failf(data, "SSL: Unable to open issuer cert (%s)",
--                  SSL_SET_OPTION(issuercert));
-+                  SSL_CONN_CONFIG(issuercert));
-           BIO_free(fp);
-           X509_free(backend->server_cert);
-           backend->server_cert = NULL;
-@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data,
-       if(!issuer) {
-         if(strict)
-           failf(data, "SSL: Unable to read issuer cert (%s)",
--                SSL_SET_OPTION(issuercert));
-+                SSL_CONN_CONFIG(issuercert));
-         BIO_free(fp);
-         X509_free(issuer);
-         X509_free(backend->server_cert);
-@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data,
-       if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
-         if(strict)
-           failf(data, "SSL: Certificate issuer check failed (%s)",
--                SSL_SET_OPTION(issuercert));
-+                SSL_CONN_CONFIG(issuercert));
-         BIO_free(fp);
-         X509_free(issuer);
-         X509_free(backend->server_cert);
-@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,
-       }
- 
-       infof(data, " SSL certificate issuer check ok (%s)\n",
--            SSL_SET_OPTION(issuercert));
-+            SSL_CONN_CONFIG(issuercert));
-       BIO_free(fp);
-       X509_free(issuer);
-     }
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index fa8a6fa..1aa6fc8 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
-   return !memcmp(first->data, second->data, first->len); /* same data */
- }
- 
-+static bool safecmp(char *a, char *b)
-+{
-+  if(a && b)
-+    return !strcmp(a, b);
-+  else if(!a && !b)
-+    return TRUE; /* match */
-+  return FALSE; /* no match */
-+}
-+
-+
- bool
- Curl_ssl_config_matches(struct ssl_primary_config *data,
-                         struct ssl_primary_config *needle)
-@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
-      (data->verifyhost == needle->verifyhost) &&
-      (data->verifystatus == needle->verifystatus) &&
-      blobcmp(data->cert_blob, needle->cert_blob) &&
--     Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
--     Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
--     Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
--     Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
--     Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
-+     blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
-+     safecmp(data->CApath, needle->CApath) &&
-+     safecmp(data->CAfile, needle->CAfile) &&
-+     safecmp(data->issuercert, needle->issuercert) &&
-+     safecmp(data->clientcert, needle->clientcert) &&
-+     safecmp(data->random_file, needle->random_file) &&
-+     safecmp(data->egdsocket, needle->egdsocket) &&
-      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
-      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
-      Curl_safe_strcasecompare(data->curves, needle->curves) &&
-@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
-   dest->sessionid = source->sessionid;
- 
-   CLONE_BLOB(cert_blob);
-+  CLONE_BLOB(issuercert_blob);
-   CLONE_STRING(CApath);
-   CLONE_STRING(CAfile);
-+  CLONE_STRING(issuercert);
-   CLONE_STRING(clientcert);
-   CLONE_STRING(random_file);
-   CLONE_STRING(egdsocket);
-@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
- {
-   Curl_safefree(sslc->CApath);
-   Curl_safefree(sslc->CAfile);
-+  Curl_safefree(sslc->issuercert);
-   Curl_safefree(sslc->clientcert);
-   Curl_safefree(sslc->random_file);
-   Curl_safefree(sslc->egdsocket);
-@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
-   Curl_safefree(sslc->cipher_list13);
-   Curl_safefree(sslc->pinned_key);
-   Curl_safefree(sslc->cert_blob);
-+  Curl_safefree(sslc->issuercert_blob);
-   Curl_safefree(sslc->curves);
- }
- 
--- 
-2.31.1
-

0006-curl-7.76.1-CVE-2021-22925.patch

@@ -1,47 +0,0 @@
-From 3dbac7fb8b39a4f9aa871401d9d2790f0583ba01 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sat, 12 Jun 2021 18:25:15 +0200
-Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
-
-CVE-2021-22925
-
-Reported-by: Red Hat Product Security
-Bug: https://curl.se/docs/CVE-2021-22925.html
-
-Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/telnet.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/lib/telnet.c b/lib/telnet.c
-index fdd137f..567c22c 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -922,12 +922,17 @@ static void suboption(struct Curl_easy *data)
-         size_t tmplen = (strlen(v->data) + 1);
-         /* Add the variable only if it fits */
-         if(len + tmplen < (int)sizeof(temp)-6) {
--          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
--            msnprintf((char *)&temp[len], sizeof(temp) - len,
--                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
--                      CURL_NEW_ENV_VALUE, varval);
--            len += tmplen;
--          }
-+          int rv;
-+          char sep[2] = "";
-+          varval[0] = 0;
-+          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
-+          if(rv == 1)
-+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
-+                             "%c%s", CURL_NEW_ENV_VAR, varname);
-+          else if(rv >= 2)
-+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
-+                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
-+                             CURL_NEW_ENV_VALUE, varval);
-         }
-       }
-       msnprintf((char *)&temp[len], sizeof(temp) - len,
--- 
-2.31.1
-

0007-curl-7.76.1-CVE-2021-22945.patch

@@ -1,33 +0,0 @@
-From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001
-From: z2_ on hackerone <>
-Date: Tue, 24 Aug 2021 09:50:33 +0200
-Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
-
-CVE-2021-22945
-
-Bug: https://curl.se/docs/CVE-2021-22945.html
-
-Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/mqtt.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/lib/mqtt.c b/lib/mqtt.c
-index d88fa73..f3fc045 100644
---- a/lib/mqtt.c
-+++ b/lib/mqtt.c
-@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data,
-     mq->sendleftovers = sendleftovers;
-     mq->nsend = nsend;
-   }
-+  else {
-+    mq->sendleftovers = NULL;
-+    mq->nsend = 0;
-+  }
-   return result;
- }
- 
--- 
-2.31.1
-

0008-curl-7.76.1-CVE-2021-22946.patch

@@ -1,331 +0,0 @@
-From 64f8bdbf7da9e6b65716ce0d020c6c01d0aba77d Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Wed, 8 Sep 2021 11:56:22 +0200
-Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
-
-In imap and pop3, check if TLS is required even when capabilities
-request has failed.
-
-In ftp, ignore preauthentication (230 status of server greeting) if TLS
-is required.
-
-Bug: https://curl.se/docs/CVE-2021-22946.html
-
-CVE-2021-22946
-
-Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/ftp.c               |  9 ++++---
- lib/imap.c              | 24 ++++++++----------
- lib/pop3.c              | 33 +++++++++++-------------
- tests/data/Makefile.inc |  2 ++
- tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
- tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
- 7 files changed, 195 insertions(+), 36 deletions(-)
- create mode 100644 tests/data/test984
- create mode 100644 tests/data/test985
- create mode 100644 tests/data/test986
-
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 5ef1e2e..71f998e 100644
---- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -2678,9 +2678,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
-     /* we have now received a full FTP server response */
-     switch(ftpc->state) {
-     case FTP_WAIT220:
--      if(ftpcode == 230)
--        /* 230 User logged in - already! */
--        return ftp_state_user_resp(data, ftpcode, ftpc->state);
-+      if(ftpcode == 230) {
-+        /* 230 User logged in - already! Take as 220 if TLS required. */
-+        if(data->set.use_ssl <= CURLUSESSL_TRY ||
-+           conn->bits.ftp_use_control_ssl)
-+          return ftp_state_user_resp(data, ftpcode, ftpc->state);
-+      }
-       else if(ftpcode != 220) {
-         failf(data, "Got a %03d ftp-server response when 220 was expected",
-               ftpcode);
-diff --git a/lib/imap.c b/lib/imap.c
-index e50d7fd..feb7445 100644
---- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
-       line += wordlen;
-     }
-   }
--  else if(imapcode == IMAP_RESP_OK) {
--    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
--      /* We don't have a SSL/TLS connection yet, but SSL is requested */
--      if(imapc->tls_supported)
--        /* Switch to TLS connection now */
--        result = imap_perform_starttls(data, conn);
--      else if(data->set.use_ssl == CURLUSESSL_TRY)
--        /* Fallback and carry on with authentication */
--        result = imap_perform_authentication(data, conn);
--      else {
--        failf(data, "STARTTLS not supported.");
--        result = CURLE_USE_SSL_FAILED;
--      }
-+  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-+    /* PREAUTH is not compatible with STARTTLS. */
-+    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
-+      /* Switch to TLS connection now */
-+      result = imap_perform_starttls(data, conn);
-     }
--    else
-+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
-       result = imap_perform_authentication(data, conn);
-+    else {
-+      failf(data, "STARTTLS not available.");
-+      result = CURLE_USE_SSL_FAILED;
-+    }
-   }
-   else
-     result = imap_perform_authentication(data, conn);
-diff --git a/lib/pop3.c b/lib/pop3.c
-index 6168b12..7698d1c 100644
---- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -740,28 +740,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
-       }
-     }
-   }
--  else if(pop3code == '+') {
--    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
--      /* We don't have a SSL/TLS connection yet, but SSL is requested */
--      if(pop3c->tls_supported)
--        /* Switch to TLS connection now */
--        result = pop3_perform_starttls(data, conn);
--      else if(data->set.use_ssl == CURLUSESSL_TRY)
--        /* Fallback and carry on with authentication */
--        result = pop3_perform_authentication(data, conn);
--      else {
--        failf(data, "STLS not supported.");
--        result = CURLE_USE_SSL_FAILED;
--      }
--    }
--    else
--      result = pop3_perform_authentication(data, conn);
--  }
-   else {
-     /* Clear text is supported when CAPA isn't recognised */
--    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
-+    if(pop3code != '+')
-+      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
- 
--    result = pop3_perform_authentication(data, conn);
-+    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
-+      result = pop3_perform_authentication(data, conn);
-+    else if(pop3code == '+' && pop3c->tls_supported)
-+      /* Switch to TLS connection now */
-+      result = pop3_perform_starttls(data, conn);
-+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
-+      /* Fallback and carry on with authentication */
-+      result = pop3_perform_authentication(data, conn);
-+    else {
-+      failf(data, "STLS not supported.");
-+      result = CURLE_USE_SSL_FAILED;
-+    }
-   }
- 
-   return result;
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index d083baf..163ce59 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -117,6 +117,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
- test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
- \
-+test984 test985 test986 \
-+\
- test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
- test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
- test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
-diff --git a/tests/data/test984 b/tests/data/test984
-new file mode 100644
-index 0000000..e573f23
---- /dev/null
-+++ b/tests/data/test984
-@@ -0,0 +1,56 @@
-+<testcase>
-+<info>
-+<keywords>
-+IMAP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY CAPABILITY A001 BAD Not implemented
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+imap
-+</server>
-+ <name>
-+IMAP require STARTTLS with failing capabilities
-+ </name>
-+ <command>
-+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
-+</command>
-+<file name="log/upload%TESTNUMBER">
-+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
-+From: Fred Foobar <foobar@example.COM>
-+Subject: afternoon meeting
-+To: joe@example.com
-+Message-Id: <B27397-0100000@example.COM>
-+MIME-Version: 1.0
-+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
-+
-+Hello Joe, do you think we can meet at 3:30 tomorrow?
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+A001 CAPABILITY
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test985 b/tests/data/test985
-new file mode 100644
-index 0000000..d0db4aa
---- /dev/null
-+++ b/tests/data/test985
-@@ -0,0 +1,54 @@
-+<testcase>
-+<info>
-+<keywords>
-+POP3
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY CAPA -ERR Not implemented
-+</servercmd>
-+<data nocheck="yes">
-+From: me@somewhere
-+To: fake@nowhere
-+
-+body
-+
-+--
-+  yours sincerely
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+pop3
-+</server>
-+ <name>
-+POP3 require STARTTLS with failing capabilities
-+ </name>
-+ <command>
-+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
-+ </command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+CAPA
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test986 b/tests/data/test986
-new file mode 100644
-index 0000000..a709437
---- /dev/null
-+++ b/tests/data/test986
-@@ -0,0 +1,53 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY welcome 230 Welcome
-+REPLY AUTH 500 unknown command
-+</servercmd>
-+</reply>
-+
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+ftp
-+</server>
-+ <name>
-+FTP require STARTTLS while preauthenticated
-+ </name>
-+<file name="log/test%TESTNUMBER.txt">
-+data
-+    to
-+      see
-+that FTPS
-+works
-+  so does it?
-+</file>
-+ <command>
-+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
-+</command>
-+</client>
-+
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+AUTH SSL
-+AUTH TLS
-+</protocol>
-+</verify>
-+</testcase>
--- 
-2.31.1
-

0009-curl-7.76.1-CVE-2021-22947.patch

@@ -1,354 +0,0 @@
-From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Tue, 7 Sep 2021 13:26:42 +0200
-Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
- pipelining
-
-If a server pipelines future responses within the STARTTLS response, the
-former are preserved in the pingpong cache across TLS negotiation and
-used as responses to the encrypted commands.
-
-This fix detects pipelined STARTTLS responses and rejects them with an
-error.
-
-CVE-2021-22947
-
-Bug: https://curl.se/docs/CVE-2021-22947.html
-
-Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/ftp.c               |  3 +++
- lib/imap.c              |  4 +++
- lib/pop3.c              |  4 +++
- lib/smtp.c              |  4 +++
- tests/data/Makefile.inc |  2 +-
- tests/data/test980      | 52 ++++++++++++++++++++++++++++++++++++
- tests/data/test981      | 59 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test982      | 57 +++++++++++++++++++++++++++++++++++++++
- tests/data/test983      | 52 ++++++++++++++++++++++++++++++++++++
- 9 files changed, 236 insertions(+), 1 deletion(-)
- create mode 100644 tests/data/test980
- create mode 100644 tests/data/test981
- create mode 100644 tests/data/test982
- create mode 100644 tests/data/test983
-
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 71f998e..e920138 100644
---- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -2740,6 +2740,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
-     case FTP_AUTH:
-       /* we have gotten the response to a previous AUTH command */
- 
-+      if(pp->cache_size)
-+        return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
-+
-       /* RFC2228 (page 5) says:
-        *
-        * If the server is willing to accept the named security mechanism,
-diff --git a/lib/imap.c b/lib/imap.c
-index feb7445..09bc5d6 100644
---- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -964,6 +964,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data,
- 
-   (void)instate; /* no use for this yet */
- 
-+  /* Pipelining in response is forbidden. */
-+  if(data->conn->proto.imapc.pp.cache_size)
-+    return CURLE_WEIRD_SERVER_REPLY;
-+
-   if(imapcode != IMAP_RESP_OK) {
-     if(data->set.use_ssl != CURLUSESSL_TRY) {
-       failf(data, "STARTTLS denied");
-diff --git a/lib/pop3.c b/lib/pop3.c
-index 7698d1c..dccfced 100644
---- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -771,6 +771,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data,
-   CURLcode result = CURLE_OK;
-   (void)instate; /* no use for this yet */
- 
-+  /* Pipelining in response is forbidden. */
-+  if(data->conn->proto.pop3c.pp.cache_size)
-+    return CURLE_WEIRD_SERVER_REPLY;
-+
-   if(pop3code != '+') {
-     if(data->set.use_ssl != CURLUSESSL_TRY) {
-       failf(data, "STARTTLS denied");
-diff --git a/lib/smtp.c b/lib/smtp.c
-index 1defb25..1f89777 100644
---- a/lib/smtp.c
-+++ b/lib/smtp.c
-@@ -834,6 +834,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data,
-   CURLcode result = CURLE_OK;
-   (void)instate; /* no use for this yet */
- 
-+  /* Pipelining in response is forbidden. */
-+  if(data->conn->proto.smtpc.pp.cache_size)
-+    return CURLE_WEIRD_SERVER_REPLY;
-+
-   if(smtpcode != 220) {
-     if(data->set.use_ssl != CURLUSESSL_TRY) {
-       failf(data, "STARTTLS denied, code %d", smtpcode);
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 163ce59..42b0569 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -117,7 +117,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
- test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
- \
--test984 test985 test986 \
-+test980 test981 test982 test983 test984 test985 test986 \
- \
- test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
- test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
-diff --git a/tests/data/test980 b/tests/data/test980
-new file mode 100644
-index 0000000..97567f8
---- /dev/null
-+++ b/tests/data/test980
-@@ -0,0 +1,52 @@
-+<testcase>
-+<info>
-+<keywords>
-+SMTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+CAPA STARTTLS
-+AUTH PLAIN
-+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
-+REPLY AUTH 535 5.7.8 Authentication credentials invalid
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+smtp
-+</server>
-+ <name>
-+SMTP STARTTLS pipelined server response
-+ </name>
-+<stdin>
-+mail body
-+</stdin>
-+ <command>
-+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+EHLO %TESTNUMBER
-+STARTTLS
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test981 b/tests/data/test981
-new file mode 100644
-index 0000000..2b98ce4
---- /dev/null
-+++ b/tests/data/test981
-@@ -0,0 +1,59 @@
-+<testcase>
-+<info>
-+<keywords>
-+IMAP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+CAPA STARTTLS
-+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
-+REPLY LOGIN A003 BAD Authentication credentials invalid
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+imap
-+</server>
-+ <name>
-+IMAP STARTTLS pipelined server response
-+ </name>
-+ <command>
-+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
-+</command>
-+<file name="log/upload%TESTNUMBER">
-+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
-+From: Fred Foobar <foobar@example.COM>
-+Subject: afternoon meeting
-+To: joe@example.com
-+Message-Id: <B27397-0100000@example.COM>
-+MIME-Version: 1.0
-+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
-+
-+Hello Joe, do you think we can meet at 3:30 tomorrow?
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+A001 CAPABILITY
-+A002 STARTTLS
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test982 b/tests/data/test982
-new file mode 100644
-index 0000000..9e07cc0
---- /dev/null
-+++ b/tests/data/test982
-@@ -0,0 +1,57 @@
-+<testcase>
-+<info>
-+<keywords>
-+POP3
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+CAPA STLS USER
-+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
-+REPLY PASS -ERR Authentication credentials invalid
-+</servercmd>
-+<data nocheck="yes">
-+From: me@somewhere
-+To: fake@nowhere
-+
-+body
-+
-+--
-+  yours sincerely
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+pop3
-+</server>
-+ <name>
-+POP3 STARTTLS pipelined server response
-+ </name>
-+ <command>
-+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
-+ </command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+CAPA
-+STLS
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test983 b/tests/data/test983
-new file mode 100644
-index 0000000..300ec45
---- /dev/null
-+++ b/tests/data/test983
-@@ -0,0 +1,52 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
-+REPLY PASS 530 Login incorrect
-+</servercmd>
-+</reply>
-+
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+ftp
-+</server>
-+ <name>
-+FTP STARTTLS pipelined server response
-+ </name>
-+<file name="log/test%TESTNUMBER.txt">
-+data
-+    to
-+      see
-+that FTPS
-+works
-+  so does it?
-+</file>
-+ <command>
-+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
-+</command>
-+</client>
-+
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+AUTH SSL
-+</protocol>
-+</verify>
-+</testcase>
--- 
-2.31.1
-

0010-curl-7.76.1-CVE-2022-22576.patch

@@ -1,148 +0,0 @@
-From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Mon, 25 Apr 2022 11:44:05 +0200
-Subject: [PATCH] url: check sasl additional parameters for connection reuse.
-
-Also move static function safecmp() as non-static Curl_safecmp() since
-its purpose is needed at several places.
-
-Bug: https://curl.se/docs/CVE-2022-22576.html
-
-CVE-2022-22576
-
-Closes #8746
-
-Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/strcase.c   | 10 ++++++++++
- lib/strcase.h   |  2 ++
- lib/url.c       | 13 ++++++++++++-
- lib/urldata.h   |  1 +
- lib/vtls/vtls.c | 21 ++++++---------------
- 5 files changed, 31 insertions(+), 16 deletions(-)
-
-diff --git a/lib/strcase.c b/lib/strcase.c
-index dd46ca1..692a3f1 100644
---- a/lib/strcase.c
-+++ b/lib/strcase.c
-@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
-   } while(*src++ && --n);
- }
- 
-+/* Compare case-sensitive NUL-terminated strings, taking care of possible
-+ * null pointers. Return true if arguments match.
-+ */
-+bool Curl_safecmp(char *a, char *b)
-+{
-+  if(a && b)
-+    return !strcmp(a, b);
-+  return !a && !b;
-+}
-+
- /* --- public functions --- */
- 
- int curl_strequal(const char *first, const char *second)
-diff --git a/lib/strcase.h b/lib/strcase.h
-index b628656..382b80a 100644
---- a/lib/strcase.h
-+++ b/lib/strcase.h
-@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in);
- void Curl_strntoupper(char *dest, const char *src, size_t n);
- void Curl_strntolower(char *dest, const char *src, size_t n);
- 
-+bool Curl_safecmp(char *a, char *b);
-+
- #endif /* HEADER_CURL_STRCASE_H */
-diff --git a/lib/url.c b/lib/url.c
-index adef2cd..94e3406 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn)
-   Curl_safefree(conn->passwd);
-   Curl_safefree(conn->sasl_authzid);
-   Curl_safefree(conn->options);
-+  Curl_safefree(conn->oauth_bearer);
-   Curl_dyn_free(&conn->trailer);
-   Curl_safefree(conn->host.rawalloc); /* host name buffer */
-   Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
-@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data,
-         /* This protocol requires credentials per connection,
-            so verify that we're using the same name and password as well */
-         if(strcmp(needle->user, check->user) ||
--           strcmp(needle->passwd, check->passwd)) {
-+           strcmp(needle->passwd, check->passwd) ||
-+           !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
-+           !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
-           /* one of them was different */
-           continue;
-         }
-@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data,
-     }
-   }
- 
-+  if(data->set.str[STRING_BEARER]) {
-+    conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
-+    if(!conn->oauth_bearer) {
-+      result = CURLE_OUT_OF_MEMORY;
-+      goto out;
-+    }
-+  }
-+
- #ifdef USE_UNIX_SOCKETS
-   if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
-     conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
-diff --git a/lib/urldata.h b/lib/urldata.h
-index cc8a600..03da59a 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -991,6 +991,7 @@ struct connectdata {
-   char *passwd;  /* password string, allocated */
-   char *options; /* options string, allocated */
-   char *sasl_authzid;     /* authorisation identity string, allocated */
-+  char *oauth_bearer; /* OAUTH2 bearer, allocated */
-   unsigned char httpversion; /* the HTTP version*10 reported by the server */
-   struct curltime now;     /* "current" time */
-   struct curltime created; /* creation time */
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index 03b85ba..a40ac06 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
-   return !memcmp(first->data, second->data, first->len); /* same data */
- }
- 
--static bool safecmp(char *a, char *b)
--{
--  if(a && b)
--    return !strcmp(a, b);
--  else if(!a && !b)
--    return TRUE; /* match */
--  return FALSE; /* no match */
--}
--
- 
- bool
- Curl_ssl_config_matches(struct ssl_primary_config *data,
-@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
-      (data->verifystatus == needle->verifystatus) &&
-      blobcmp(data->cert_blob, needle->cert_blob) &&
-      blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
--     safecmp(data->CApath, needle->CApath) &&
--     safecmp(data->CAfile, needle->CAfile) &&
--     safecmp(data->issuercert, needle->issuercert) &&
--     safecmp(data->clientcert, needle->clientcert) &&
--     safecmp(data->random_file, needle->random_file) &&
--     safecmp(data->egdsocket, needle->egdsocket) &&
-+     Curl_safecmp(data->CApath, needle->CApath) &&
-+     Curl_safecmp(data->CAfile, needle->CAfile) &&
-+     Curl_safecmp(data->issuercert, needle->issuercert) &&
-+     Curl_safecmp(data->clientcert, needle->clientcert) &&
-+     Curl_safecmp(data->random_file, needle->random_file) &&
-+     Curl_safecmp(data->egdsocket, needle->egdsocket) &&
-      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
-      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
-      Curl_safe_strcasecompare(data->curves, needle->curves) &&
--- 
-2.34.1
-

0011-curl-7.76.1-CVE-2022-27775.patch

@@ -1,40 +0,0 @@
-From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 11:48:00 +0200
-Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
-
-Make connections to two separate IPv6 zone ids create separate
-connections.
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27775.html
-Closes #8747
-
-Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/conncache.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/lib/conncache.c b/lib/conncache.c
-index cd5756a..9b9f683 100644
---- a/lib/conncache.c
-+++ b/lib/conncache.c
-@@ -159,8 +159,12 @@ static void hashkey(struct connectdata *conn, char *buf,
-     /* report back which name we used */
-     *hostp = hostname;
- 
--  /* put the number first so that the hostname gets cut off if too long */
--  msnprintf(buf, len, "%ld%s", port, hostname);
-+  /* put the numbers first so that the hostname gets cut off if too long */
-+#ifdef ENABLE_IPV6
-+  msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
-+#else
-+  msnprintf(buf, len, "%ld/%s", port, hostname);
-+#endif
- }
- 
- /* Returns number of connections currently held in the connection cache.
--- 
-2.34.1
-

0012-curl-7.76.1-CVE-2022-27776.patch

@@ -1,243 +0,0 @@
-From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 13:05:40 +0200
-Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
-
-CVE-2022-27776
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27776.html
-Closes #8749
-
-Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/http.c    | 33 +++++++++++++++++++++------------
- lib/urldata.h | 16 +++++++++-------
- 2 files changed, 30 insertions(+), 19 deletions(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 799d4fb..0791dcf 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
-   return CURLE_OK;
- }
- 
-+/*
-+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
-+ * data" can (still) be sent to this host.
-+ */
-+static bool allow_auth_to_host(struct Curl_easy *data)
-+{
-+  struct connectdata *conn = data->conn;
-+  return (!data->state.this_is_a_follow ||
-+          data->set.allow_auth_to_other_hosts ||
-+          (data->state.first_host &&
-+           strcasecompare(data->state.first_host, conn->host.name) &&
-+           (data->state.first_remote_port == conn->remote_port) &&
-+           (data->state.first_remote_protocol == conn->handler->protocol)));
-+}
-+
- /**
-  * Curl_http_output_auth() setups the authentication headers for the
-  * host/proxy and the correct authentication
-@@ -847,15 +862,11 @@ Curl_http_output_auth(struct Curl_easy *data,
-        with it */
-     authproxy->done = TRUE;
- 
--  /* To prevent the user+password to get sent to other than the original
--     host due to a location-follow, we do some weirdo checks here */
--  if(!data->state.this_is_a_follow ||
--     conn->bits.netrc ||
--     !data->state.first_host ||
--     data->set.allow_auth_to_other_hosts ||
--     strcasecompare(data->state.first_host, conn->host.name)) {
-+  /* To prevent the user+password to get sent to other than the original host
-+     due to a location-follow */
-+  if(allow_auth_to_host(data)
-+     || conn->bits.netrc)
-     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
--  }
-   else
-     authhost->done = TRUE;
- 
-@@ -1906,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
-                    checkprefix("Cookie:", compare)) &&
-                   /* be careful of sending this potentially sensitive header to
-                      other hosts */
--                  (data->state.this_is_a_follow &&
--                   data->state.first_host &&
--                   !data->set.allow_auth_to_other_hosts &&
--                   !strcasecompare(data->state.first_host, conn->host.name)))
-+                  !allow_auth_to_host(data))
-             ;
-           else {
- #ifdef USE_HYPER
-@@ -2081,6 +2089,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
-       return CURLE_OUT_OF_MEMORY;
- 
-     data->state.first_remote_port = conn->remote_port;
-+    data->state.first_remote_protocol = conn->handler->protocol;
-   }
-   Curl_safefree(data->state.aptr.host);
- 
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 03da59a..f92052a 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1336,14 +1336,16 @@ struct UrlState {
-   char *ulbuf; /* allocated upload buffer or NULL */
-   curl_off_t current_speed;  /* the ProgressShow() function sets this,
-                                 bytes / second */
--  char *first_host; /* host name of the first (not followed) request.
--                       if set, this should be the host name that we will
--                       sent authorization to, no else. Used to make Location:
--                       following not keep sending user+password... This is
--                       strdup() data.
--                    */
-+
-+  /* host name, port number and protocol of the first (not followed) request.
-+     if set, this should be the host name that we will sent authorization to,
-+     no else. Used to make Location: following not keep sending user+password.
-+     This is strdup()ed data. */
-+  char *first_host;
-+  int first_remote_port;
-+  unsigned int first_remote_protocol;
-+
-   int retrycount; /* number of retries on a new connection */
--  int first_remote_port; /* remote port of the first (not followed) request */
-   struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
-   long sessionage;                  /* number of the most recent session */
-   struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
--- 
-2.34.1
-
-
-From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 13:05:47 +0200
-Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
-
-Do not pass on Authorization headers on redirects to another port
-
-Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- tests/data/Makefile.inc |  2 +-
- tests/data/test898      | 90 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 91 insertions(+), 1 deletion(-)
- create mode 100644 tests/data/test898
-
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 59d46bc..7ae2cf8 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -106,7 +106,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
- test863 test864 test865 test866 test867 test868 test869 test870 test871 \
- test872 test873 test874 test875 test876 test877 test878 test879 test880 \
- test881 test882 test883 test884 test885 test886 test887 test888 test889 \
--test890 test891 test892 test893 test894 test895 test896 \
-+test890 test891 test892 test893 test894 test895 test896         test898 \
- \
- test900 test901 test902 test903 test904 test905 test906 test907 test908 \
- test909 test910 test911 test912 test913 test914 test915 test916 test917 \
-diff --git a/tests/data/test898 b/tests/data/test898
-new file mode 100644
-index 0000000..5cbb7d8
---- /dev/null
-+++ b/tests/data/test898
-@@ -0,0 +1,90 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+--location
-+Authorization
-+Cookie
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+</data>
-+<data2>
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+</data2>
-+
-+<datacheck>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+</datacheck>
-+
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+HTTP with custom auth and cookies redirected to HTTP on a diff port
-+ </name>
-+ <command>
-+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<protocol>
-+GET http://firsthost.com/ HTTP/1.1
-+Host: firsthost.com
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+Authorization: Basic am9lOnNlY3JldA==
-+Cookie: userpwd=am9lOnNlY3JldA==
-+
-+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
-+Host: firsthost.com:9999
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+</protocol>
-+</verify>
-+</testcase>
--- 
-2.34.1
-

0013-curl-7.76.1-CVE-2022-27774.patch

@@ -1,635 +0,0 @@
-From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
-
-To make it available after the connection ended.
-
-Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/connect.c | 1 +
- lib/urldata.h | 6 +++++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/lib/connect.c b/lib/connect.c
-index 64f9511..7518807 100644
---- a/lib/connect.c
-+++ b/lib/connect.c
-@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
-   data->info.conn_scheme = conn->handler->scheme;
-   data->info.conn_protocol = conn->handler->protocol;
-   data->info.conn_primary_port = conn->port;
-+  data->info.conn_remote_port = conn->remote_port;
-   data->info.conn_local_port = local_port;
- }
- 
-diff --git a/lib/urldata.h b/lib/urldata.h
-index f92052a..5218f76 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1167,7 +1167,11 @@ struct PureInfo {
-      reused, in the connection cache. */
- 
-   char conn_primary_ip[MAX_IPADR_LEN];
--  int conn_primary_port;
-+  int conn_primary_port; /* this is the destination port to the connection,
-+                            which might have been a proxy */
-+  int conn_remote_port;  /* this is the "remote port", which is the port
-+                            number of the used URL, independent of proxy or
-+                            not */
-   char conn_local_ip[MAX_IPADR_LEN];
-   int conn_local_port;
-   const char *conn_scheme;
--- 
-2.34.1
-
-
-From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
- auth
-
-... unless explicitly permitted.
-
-Bug: https://curl.se/docs/CVE-2022-27774.html
-Reported-by: Harry Sintonen
-Closes #8748
-
-Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 48 insertions(+), 1 deletion(-)
-
-diff --git a/lib/transfer.c b/lib/transfer.c
-index 1f8019b..752fe14 100644
---- a/lib/transfer.c
-+++ b/lib/transfer.c
-@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
-       return CURLE_OUT_OF_MEMORY;
-   }
-   else {
--
-     uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
-     if(uc)
-       return Curl_uc_to_curlcode(uc);
-+
-+    /* Clear auth if this redirects to a different port number or protocol,
-+       unless permitted */
-+    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
-+      char *portnum;
-+      int port;
-+      bool clear = FALSE;
-+
-+      if(data->set.use_port && data->state.allow_port)
-+        /* a custom port is used */
-+        port = (int)data->set.use_port;
-+      else {
-+        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
-+                          CURLU_DEFAULT_PORT);
-+        if(uc) {
-+          free(newurl);
-+          return Curl_uc_to_curlcode(uc);
-+        }
-+        port = atoi(portnum);
-+        free(portnum);
-+      }
-+      if(port != data->info.conn_remote_port) {
-+        infof(data, "Clear auth, redirects to port from %u to %u",
-+              data->info.conn_remote_port, port);
-+        clear = TRUE;
-+      }
-+      else {
-+        char *scheme;
-+        const struct Curl_handler *p;
-+        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
-+        if(uc) {
-+          free(newurl);
-+          return Curl_uc_to_curlcode(uc);
-+        }
-+
-+        p = Curl_builtin_scheme(scheme);
-+        if(p && (p->protocol != data->info.conn_protocol)) {
-+          infof(data, "Clear auth, redirects scheme from %s to %s",
-+                data->info.conn_scheme, scheme);
-+          clear = TRUE;
-+        }
-+        free(scheme);
-+      }
-+      if(clear) {
-+        Curl_safefree(data->state.aptr.user);
-+        Curl_safefree(data->state.aptr.passwd);
-+      }
-+    }
-   }
- 
-   if(type == FOLLOW_FAKE) {
--- 
-2.34.1
-
-
-From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
-
- - Test 973 redirects from HTTP to FTP, clear auth
- - Test 974 redirects from HTTP to HTTP different port, clear auth
- - Test 975 redirects from HTTP to FTP, permitted to keep auth
- - Test 976 redirects from HTTP to HTTP different port, permitted to keep
-   auth
-
-Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- tests/data/Makefile.inc |  1 +
- tests/data/test973      | 88 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test974      | 87 ++++++++++++++++++++++++++++++++++++++++
- tests/data/test975      | 88 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test976      | 88 +++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 352 insertions(+)
- create mode 100644 tests/data/test973
- create mode 100644 tests/data/test974
- create mode 100644 tests/data/test975
- create mode 100644 tests/data/test976
-
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 7ae2cf8..175fc43 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
- test945 test946 test947 test948 test949 test950 test951 test952 test953 \
- test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
-+test973 test974 test975 test976 \
- \
- test980 test981 test982 test983 test984 test985 test986 \
- \
-diff --git a/tests/data/test973 b/tests/data/test973
-new file mode 100644
-index 0000000..6ced107
---- /dev/null
-+++ b/tests/data/test973
-@@ -0,0 +1,88 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+FTP
-+--location
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
-+
-+</data>
-+<data2>
-+data
-+    to
-+      see
-+that FTP
-+works
-+  so does it?
-+</data2>
-+
-+<datacheck>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
-+
-+data
-+    to
-+      see
-+that FTP
-+works
-+  so does it?
-+</datacheck>
-+
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+ftp
-+</server>
-+ <name>
-+HTTP with auth redirected to FTP w/o auth
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<protocol>
-+GET /%TESTNUMBER HTTP/1.1
-+Host: %HOSTIP:%HTTPPORT
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+
-+USER anonymous
-+PASS ftp@example.com
-+PWD
-+CWD a
-+CWD path
-+EPSV
-+TYPE I
-+SIZE %TESTNUMBER0002
-+RETR %TESTNUMBER0002
-+QUIT
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test974 b/tests/data/test974
-new file mode 100644
-index 0000000..ac4e641
---- /dev/null
-+++ b/tests/data/test974
-@@ -0,0 +1,87 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+--location
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+</data>
-+<data2>
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+</data2>
-+
-+<datacheck>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+</datacheck>
-+
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+HTTP with auth redirected to HTTP on a diff port w/o auth
-+ </name>
-+ <command>
-+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<protocol>
-+GET http://firsthost.com/ HTTP/1.1
-+Host: firsthost.com
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
-+Host: firsthost.com:9999
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test975 b/tests/data/test975
-new file mode 100644
-index 0000000..85e03e4
---- /dev/null
-+++ b/tests/data/test975
-@@ -0,0 +1,88 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+FTP
-+--location-trusted
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
-+
-+</data>
-+<data2>
-+data
-+    to
-+      see
-+that FTP
-+works
-+  so does it?
-+</data2>
-+
-+<datacheck>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
-+
-+data
-+    to
-+      see
-+that FTP
-+works
-+  so does it?
-+</datacheck>
-+
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+ftp
-+</server>
-+ <name>
-+HTTP with auth redirected to FTP allowing auth to continue
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<protocol>
-+GET /%TESTNUMBER HTTP/1.1
-+Host: %HOSTIP:%HTTPPORT
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+
-+USER joe
-+PASS secret
-+PWD
-+CWD a
-+CWD path
-+EPSV
-+TYPE I
-+SIZE %TESTNUMBER0002
-+RETR %TESTNUMBER0002
-+QUIT
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test976 b/tests/data/test976
-new file mode 100644
-index 0000000..c4dd61e
---- /dev/null
-+++ b/tests/data/test976
-@@ -0,0 +1,88 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+--location-trusted
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+</data>
-+<data2>
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+</data2>
-+
-+<datacheck>
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+</datacheck>
-+
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+HTTP with auth redirected to HTTP on a diff port --location-trusted
-+ </name>
-+ <command>
-+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<protocol>
-+GET http://firsthost.com/ HTTP/1.1
-+Host: firsthost.com
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
-+Host: firsthost.com:9999
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+</protocol>
-+</verify>
-+</testcase>
--- 
-2.34.1
-
-
-From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 17:59:15 +0200
-Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
- either
-
-Follow-up to 620ea21410030
-
-Reported-by: Harry Sintonen
-Closes #8751
-
-Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/http.c         | 10 +++++-----
- lib/http.h         |  6 ++++++
- lib/vtls/openssl.c |  3 ++-
- 3 files changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 0791dcf..4433824 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
- }
- 
- /*
-- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
-- * data" can (still) be sent to this host.
-+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
-+ * "sensitive data" can (still) be sent to this host.
-  */
--static bool allow_auth_to_host(struct Curl_easy *data)
-+bool Curl_allow_auth_to_host(struct Curl_easy *data)
- {
-   struct connectdata *conn = data->conn;
-   return (!data->state.this_is_a_follow ||
-@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
- 
-   /* To prevent the user+password to get sent to other than the original host
-      due to a location-follow */
--  if(allow_auth_to_host(data)
-+  if(Curl_allow_auth_to_host(data)
-      || conn->bits.netrc)
-     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
-   else
-@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
-                    checkprefix("Cookie:", compare)) &&
-                   /* be careful of sending this potentially sensitive header to
-                      other hosts */
--                  !allow_auth_to_host(data))
-+                  !Curl_allow_auth_to_host(data))
-             ;
-           else {
- #ifdef USE_HYPER
-diff --git a/lib/http.h b/lib/http.h
-index 07e963d..9000bae 100644
---- a/lib/http.h
-+++ b/lib/http.h
-@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data,
-                       bool proxytunnel); /* TRUE if this is the request setting
-                                             up the proxy tunnel */
- 
-+/*
-+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
-+ * "sensitive data" can (still) be sent to this host.
-+ */
-+bool Curl_allow_auth_to_host(struct Curl_easy *data);
-+
- #endif /* HEADER_CURL_HTTP_H */
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 1bafe96..97c5666 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #endif
- 
- #ifdef USE_OPENSSL_SRP
--  if(ssl_authtype == CURL_TLSAUTH_SRP) {
-+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
-+     Curl_allow_auth_to_host(data)) {
-     char * const ssl_username = SSL_SET_OPTION(username);
- 
-     infof(data, "Using TLS-SRP username: %s\n", ssl_username);
--- 
-2.34.1
-

0014-curl-7.76.1-CVE-2022-27782.patch

@@ -1,461 +0,0 @@
-From 50481ac42b4beae6ea85345e37b051124ac00f11 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Fri, 28 Jan 2022 16:48:38 +0100
-Subject: [PATCH 1/3] setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds
-
-Closes #8350
-
-Upstream-commit: 96629ba2c212cda2bd1b7b04e2a9fc01ef70b75d
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/setopt.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/lib/setopt.c b/lib/setopt.c
-index 08827d1..9eaa187 100644
---- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -5,7 +5,7 @@
-  *                            | (__| |_| |  _ <| |___
-  *                             \___|\___/|_| \_\_____|
-  *
-- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
-  *
-  * This software is licensed as described in the file COPYING, which
-  * you should have received as part of this distribution. The terms
-@@ -2699,30 +2699,30 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
-       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-     break;
-+#ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_TLSAUTH_USERNAME:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
-                             va_arg(param, char *));
--#ifndef CURL_DISABLE_PROXY
-     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
-        !data->set.proxy_ssl.authtype)
-       data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
--#endif
-     break;
-+#endif
-   case CURLOPT_TLSAUTH_PASSWORD:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
-                             va_arg(param, char *));
-     if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
-       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-     break;
-+#ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
-                             va_arg(param, char *));
--#ifndef CURL_DISABLE_PROXY
-     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
-        !data->set.proxy_ssl.authtype)
-       data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
--#endif
-     break;
-+#endif
-   case CURLOPT_TLSAUTH_TYPE:
-     argptr = va_arg(param, char *);
-     if(!argptr ||
--- 
-2.34.1
-
-
-From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 23:13:53 +0200
-Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
-
-CVE-2022-27782
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27782.html
-Closes #8825
-
-Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/setopt.c       | 29 +++++++++++++++++------------
- lib/url.c          | 23 ++++++++++++++++-------
- lib/urldata.h      | 13 +++++++------
- lib/vtls/openssl.c | 10 +++++-----
- lib/vtls/vtls.c    | 21 +++++++++++++++++++++
- 5 files changed, 66 insertions(+), 30 deletions(-)
-
-diff --git a/lib/setopt.c b/lib/setopt.c
-index 8e1bf12..7aa6fdb 100644
---- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -2268,6 +2268,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- 
-   case CURLOPT_SSL_OPTIONS:
-     arg = va_arg(param, long);
-+    data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
-     data->set.ssl.enable_beast =
-       (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
-     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
-@@ -2281,6 +2282,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- #ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_SSL_OPTIONS:
-     arg = va_arg(param, long);
-+    data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
-     data->set.proxy_ssl.enable_beast =
-       (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
-     data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
-@@ -2696,49 +2698,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-   case CURLOPT_TLSAUTH_USERNAME:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
-                             va_arg(param, char *));
--    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
--      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
-+       !data->set.ssl.primary.authtype)
-+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-     break;
- #ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_TLSAUTH_USERNAME:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
-                             va_arg(param, char *));
-     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
--       !data->set.proxy_ssl.authtype)
--      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+       !data->set.proxy_ssl.primary.authtype)
-+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
-+                                                                  SRP */
-     break;
- #endif
-   case CURLOPT_TLSAUTH_PASSWORD:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
-                             va_arg(param, char *));
--    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
--      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
-+       !data->set.ssl.primary.authtype)
-+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
-     break;
- #ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
-                             va_arg(param, char *));
-     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
--       !data->set.proxy_ssl.authtype)
--      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+       !data->set.proxy_ssl.primary.authtype)
-+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
-     break;
- #endif
-   case CURLOPT_TLSAUTH_TYPE:
-     argptr = va_arg(param, char *);
-     if(!argptr ||
-        strncasecompare(argptr, "SRP", strlen("SRP")))
--      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
-+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
-     else
--      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
-+      data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
-     break;
- #ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_TLSAUTH_TYPE:
-     argptr = va_arg(param, char *);
-     if(!argptr ||
-        strncasecompare(argptr, "SRP", strlen("SRP")))
--      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
-+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
-     else
--      data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
-+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
-     break;
- #endif
- #endif
-diff --git a/lib/url.c b/lib/url.c
-index 94e3406..5ebf5e2 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
-   set->ssl.primary.verifypeer = TRUE;
-   set->ssl.primary.verifyhost = TRUE;
- #ifdef USE_TLS_SRP
--  set->ssl.authtype = CURL_TLSAUTH_NONE;
-+  set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
- #endif
-   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
-                                                       type */
-@@ -1719,11 +1719,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
-   conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
-   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
-   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
-+  conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
-+#ifdef USE_TLS_SRP
-+#endif
- #ifndef CURL_DISABLE_PROXY
-   conn->proxy_ssl_config.verifystatus =
-     data->set.proxy_ssl.primary.verifystatus;
-   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
-   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
-+  conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
-+#ifdef USE_TLS_SRP
-+#endif
- #endif
-   conn->ip_version = data->set.ipver;
-   conn->bits.connect_only = data->set.connect_only;
-@@ -3764,7 +3770,8 @@ static CURLcode create_conn(struct Curl_easy *data,
-     data->set.str[STRING_SSL_ISSUERCERT_PROXY];
-   data->set.proxy_ssl.primary.issuercert_blob =
-     data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
--  data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
-+  data->set.proxy_ssl.primary.CRLfile =
-+    data->set.str[STRING_SSL_CRLFILE_PROXY];
-   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
-   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
-   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
-@@ -3772,18 +3779,20 @@ static CURLcode create_conn(struct Curl_easy *data,
-   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
-   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
- #endif
--  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-+  data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
-   data->set.ssl.key = data->set.str[STRING_KEY];
-   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
-   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
-   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
- #ifdef USE_TLS_SRP
--  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
--  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
-+  data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
-+  data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
- #ifndef CURL_DISABLE_PROXY
--  data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
--  data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
-+  data->set.proxy_ssl.primary.username =
-+    data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
-+  data->set.proxy_ssl.primary.password =
-+    data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
- #endif
- #endif
-   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 5218f76..e006495 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -253,9 +253,16 @@ struct ssl_primary_config {
-   char *cipher_list;     /* list of ciphers to use */
-   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
-   char *pinned_key;
-+  char *CRLfile;         /* CRL to check certificate revocation */
-   struct curl_blob *cert_blob;
-   struct curl_blob *issuercert_blob;
-+#ifdef USE_TLS_SRP
-+  char *username; /* TLS username (for, e.g., SRP) */
-+  char *password; /* TLS password (for, e.g., SRP) */
-+  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
-+#endif
-   char *curves;          /* list of curves to use */
-+  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
-   BIT(verifypeer);       /* set TRUE if this is desired */
-   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
-   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
-@@ -265,7 +272,6 @@ struct ssl_primary_config {
- struct ssl_config_data {
-   struct ssl_primary_config primary;
-   long certverifyresult; /* result from the certificate verification */
--  char *CRLfile;   /* CRL to check certificate revocation */
-   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
-   void *fsslctxp;        /* parameter for call back */
-   char *cert_type; /* format for certificate (default: PEM)*/
-@@ -273,11 +279,6 @@ struct ssl_config_data {
-   struct curl_blob *key_blob;
-   char *key_type; /* format for private key (default: PEM) */
-   char *key_passwd; /* plain text private key password */
--#ifdef USE_TLS_SRP
--  char *username; /* TLS username (for, e.g., SRP) */
--  char *password; /* TLS password (for, e.g., SRP) */
--  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
--#endif
-   BIT(certinfo);     /* gather lots of certificate info */
-   BIT(falsestart);
-   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 97c5666..a4ef9d1 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -2546,7 +2546,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #endif
-   const long int ssl_version = SSL_CONN_CONFIG(version);
- #ifdef USE_OPENSSL_SRP
--  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
-+  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
- #endif
-   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
-   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
-@@ -2554,7 +2554,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
-   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
-   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
-   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
--  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
-+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
-   char error_buffer[256];
-   struct ssl_backend_data *backend = connssl->backend;
-   bool imported_native_ca = false;
-@@ -2859,15 +2859,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #ifdef USE_OPENSSL_SRP
-   if((ssl_authtype == CURL_TLSAUTH_SRP) &&
-      Curl_allow_auth_to_host(data)) {
--    char * const ssl_username = SSL_SET_OPTION(username);
--
-+    char * const ssl_username = SSL_SET_OPTION(primary.username);
-+    char * const ssl_password = SSL_SET_OPTION(primary.password);
-     infof(data, "Using TLS-SRP username: %s\n", ssl_username);
- 
-     if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
-       failf(data, "Unable to set SRP user name");
-       return CURLE_BAD_FUNCTION_ARGUMENT;
-     }
--    if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
-+    if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
-       failf(data, "failed setting SRP password");
-       return CURLE_BAD_FUNCTION_ARGUMENT;
-     }
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index a40ac06..e2d3438 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
- {
-   if((data->version == needle->version) &&
-      (data->version_max == needle->version_max) &&
-+     (data->ssl_options == needle->ssl_options) &&
-      (data->verifypeer == needle->verifypeer) &&
-      (data->verifyhost == needle->verifyhost) &&
-      (data->verifystatus == needle->verifystatus) &&
-@@ -143,9 +144,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
-      Curl_safecmp(data->clientcert, needle->clientcert) &&
-      Curl_safecmp(data->random_file, needle->random_file) &&
-      Curl_safecmp(data->egdsocket, needle->egdsocket) &&
-+#ifdef USE_TLS_SRP
-+     Curl_safecmp(data->username, needle->username) &&
-+     Curl_safecmp(data->password, needle->password) &&
-+     (data->authtype == needle->authtype) &&
-+#endif
-      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
-      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
-      Curl_safe_strcasecompare(data->curves, needle->curves) &&
-+     Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
-      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
-     return TRUE;
- 
-@@ -162,6 +169,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
-   dest->verifyhost = source->verifyhost;
-   dest->verifystatus = source->verifystatus;
-   dest->sessionid = source->sessionid;
-+  dest->ssl_options = source->ssl_options;
-+#ifdef USE_TLS_SRP
-+  dest->authtype = source->authtype;
-+#endif
- 
-   CLONE_BLOB(cert_blob);
-   CLONE_BLOB(issuercert_blob);
-@@ -175,6 +186,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
-   CLONE_STRING(cipher_list13);
-   CLONE_STRING(pinned_key);
-   CLONE_STRING(curves);
-+  CLONE_STRING(CRLfile);
-+#ifdef USE_TLS_SRP
-+  CLONE_STRING(username);
-+  CLONE_STRING(password);
-+#endif
- 
-   return TRUE;
- }
-@@ -193,6 +209,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
-   Curl_safefree(sslc->cert_blob);
-   Curl_safefree(sslc->issuercert_blob);
-   Curl_safefree(sslc->curves);
-+  Curl_safefree(sslc->CRLfile);
-+#ifdef USE_TLS_SRP
-+  Curl_safefree(sslc->username);
-+  Curl_safefree(sslc->password);
-+#endif
- }
- 
- #ifdef USE_SSL
--- 
-2.34.1
-
-
-From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 23:13:53 +0200
-Subject: [PATCH 3/3] url: check SSH config match on connection reuse
-
-CVE-2022-27782
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27782.html
-Closes #8825
-
-Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/url.c      | 11 +++++++++++
- lib/vssh/ssh.h |  6 +++---
- 2 files changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index 5ebf5e2..c713e54 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -1073,6 +1073,12 @@ static void prune_dead_connections(struct Curl_easy *data)
-   }
- }
- 
-+static bool ssh_config_matches(struct connectdata *one,
-+                               struct connectdata *two)
-+{
-+  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
-+          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
-+}
- /*
-  * Given one filled in connection struct (named needle), this function should
-  * detect if there already is one that has all the significant details
-@@ -1319,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
-         }
-       }
- 
-+      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
-+        if(!ssh_config_matches(needle, check))
-+          continue;
-+      }
-+
-       if((needle->handler->flags&PROTOPT_SSL)
- #ifndef CURL_DISABLE_PROXY
-          || !needle->bits.httpproxy || needle->bits.tunnel_proxy
-diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
-index 7972081..30d82e5 100644
---- a/lib/vssh/ssh.h
-+++ b/lib/vssh/ssh.h
-@@ -7,7 +7,7 @@
-  *                            | (__| |_| |  _ <| |___
-  *                             \___|\___/|_| \_\_____|
-  *
-- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
-  *
-  * This software is licensed as described in the file COPYING, which
-  * you should have received as part of this distribution. The terms
-@@ -131,8 +131,8 @@ struct ssh_conn {
- 
-   /* common */
-   const char *passphrase;     /* pass-phrase to use */
--  char *rsa_pub;              /* path name */
--  char *rsa;                  /* path name */
-+  char *rsa_pub;              /* strdup'ed public key file */
-+  char *rsa;                  /* strdup'ed private key file */
-   bool authed;                /* the connection has been authenticated fine */
-   bool acceptfail;            /* used by the SFTP_QUOTE (continue if
-                                  quote command fails) */
--- 
-2.34.1
-

0101-curl-7.32.0-multilib.patch

@@ -1,84 +1,85 @@
-From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Fri, 12 Apr 2013 12:04:05 +0200
+From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Tue, 16 Dec 2025 10:04:40 +0100
 Subject: [PATCH] prevent multilib conflicts on the curl-config script
 
 ---
- curl-config.in     | 23 +++++------------------
- docs/curl-config.1 |  4 +++-
- libcurl.pc.in      |  1 +
+ curl-config.in      | 23 +++++------------------
+ docs/curl-config.md |  4 +++-
+ libcurl.pc.in       |  1 +
  3 files changed, 9 insertions(+), 19 deletions(-)
 
 diff --git a/curl-config.in b/curl-config.in
-index 150004d..95d0759 100644
+index a1c8185875..bb43ca8335 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -76,7 +76,7 @@ while test $# -gt 0; do
-         ;;
+@@ -74,7 +74,7 @@ while test "$#" -gt 0; do
+     ;;
  
-     --cc)
--        echo "@CC@"
-+        echo "gcc"
-         ;;
+   --cc)
+-    echo '@CC@'
++    echo 'gcc'
+     ;;
  
-     --prefix)
-@@ -155,32 +155,19 @@ while test $# -gt 0; do
-         ;;
+   --prefix)
+@@ -149,16 +149,7 @@ while test "$#" -gt 0; do
+     ;;
  
-     --libs)
--        if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
--           CURLLIBDIR="-L@libdir@ "
--        else
--           CURLLIBDIR=""
--        fi
--        if test "X@ENABLE_SHARED@" = "Xno"; then
--          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
--        else
--          echo ${CURLLIBDIR}-lcurl
--        fi
-+        echo -lcurl
-         ;;
-     --ssl-backends)
-         echo "@SSL_BACKENDS@"
-         ;;
+   --libs)
+-    if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then
+-      curllibdir="-L@libdir@ "
+-    else
+-      curllibdir=''
+-    fi
+-    if test '@ENABLE_SHARED@' = 'no'; then
+-      echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@"
+-    else
+-      echo "${curllibdir}-lcurl"
+-    fi
++    echo '-lcurl'
+     ;;
  
-     --static-libs)
--        if test "X@ENABLE_STATIC@" != "Xno" ; then
--          echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
--        else
--          echo "curl was built with static libraries disabled" >&2
--          exit 1
--        fi
-+        echo "curl was built with static libraries disabled" >&2
-+        exit 1
-         ;;
+   --ssl-backends)
+@@ -166,16 +157,12 @@ while test "$#" -gt 0; do
+     ;;
  
-     --configure)
--        echo @CONFIGURE_OPTIONS@
-+        pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
-         ;;
+   --static-libs)
+-    if test '@ENABLE_STATIC@' != 'no'; then
+-      echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@"
+-    else
+-      echo 'curl was built with static libraries disabled' >&2
+-      exit 1
+-    fi
++    echo 'curl was built with static libraries disabled' >&2
++    exit 1
+     ;;
  
-     *)
-diff --git a/docs/curl-config.1 b/docs/curl-config.1
-index 14a9d2b..ffcc004 100644
---- a/docs/curl-config.1
-+++ b/docs/curl-config.1
-@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
- comma-separated. (Added in 7.58.0)
- .IP "--static-libs"
- Shows the complete set of libs and other linker options you will need in order
--to link your application with libcurl statically. (Added in 7.17.1)
-+to link your application with libcurl statically. Note that Fedora/RHEL libcurl
+   --configure)
+-    echo @CONFIGURE_OPTIONS@
++    pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
+     ;;
+ 
+   *)
+diff --git a/docs/curl-config.md b/docs/curl-config.md
+index 12ad245b79..fa0e03d273 100644
+--- a/docs/curl-config.md
++++ b/docs/curl-config.md
+@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated.
+ ## `--static-libs`
+ 
+ Shows the complete set of libs and other linker options you need in order to
+-link your application with libcurl statically. (Added in 7.17.1)
++link your application with libcurl statically. Note that Fedora/RHEL libcurl
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
- .IP "--version"
- Outputs version information about the installed libcurl.
- .IP "--vernum"
+ 
+ ## `--version`
+ 
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index 2ba9c39..f8f8b00 100644
+index c0ba5244a8..f3645e1748 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
-@@ -29,6 +29,7 @@ libdir=@libdir@
+@@ -28,6 +28,7 @@ libdir=@libdir@
  includedir=@includedir@
  supported_protocols="@SUPPORT_PROTOCOLS@"
  supported_features="@SUPPORT_FEATURES@"
@@ -87,5 +88,5 @@ index 2ba9c39..f8f8b00 100644
  Name: libcurl
  URL: https://curl.se/
 -- 
-2.26.2
+2.52.0
 

0102-curl-7.36.0-debug.patch

@@ -1,61 +0,0 @@
-From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Wed, 31 Oct 2012 11:38:30 +0100
-Subject: [PATCH] prevent configure script from discarding -g in CFLAGS
- (#496778)
-
----
- m4/curl-compilers.m4 | 26 ++++++--------------------
- 1 file changed, 6 insertions(+), 20 deletions(-)
-
-diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
-index c64db4bc6..d115a4aed 100644
---- a/m4/curl-compilers.m4
-+++ b/m4/curl-compilers.m4
-@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
-     clangvhi=`echo $clangver | cut -d . -f1`
-     clangvlo=`echo $clangver | cut -d . -f2`
-     compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null`
--    flags_dbg_all="-g -g0 -g1 -g2 -g3"
--    flags_dbg_all="$flags_dbg_all -ggdb"
--    flags_dbg_all="$flags_dbg_all -gstabs"
--    flags_dbg_all="$flags_dbg_all -gstabs+"
--    flags_dbg_all="$flags_dbg_all -gcoff"
--    flags_dbg_all="$flags_dbg_all -gxcoff"
--    flags_dbg_all="$flags_dbg_all -gdwarf-2"
--    flags_dbg_all="$flags_dbg_all -gvms"
-+    flags_dbg_all=""
-     flags_dbg_yes="-g"
-     flags_dbg_off=""
--    flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
--    flags_opt_yes="-Os"
-+    flags_opt_all=""
-+    flags_opt_yes=""
-     flags_opt_off="-O0"
-   else
-     AC_MSG_RESULT([no])
-@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
-     gccvhi=`echo $gccver | cut -d . -f1`
-     gccvlo=`echo $gccver | cut -d . -f2`
-     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
--    flags_dbg_all="-g -g0 -g1 -g2 -g3"
--    flags_dbg_all="$flags_dbg_all -ggdb"
--    flags_dbg_all="$flags_dbg_all -gstabs"
--    flags_dbg_all="$flags_dbg_all -gstabs+"
--    flags_dbg_all="$flags_dbg_all -gcoff"
--    flags_dbg_all="$flags_dbg_all -gxcoff"
--    flags_dbg_all="$flags_dbg_all -gdwarf-2"
--    flags_dbg_all="$flags_dbg_all -gvms"
-+    flags_dbg_all=""
-     flags_dbg_yes="-g"
-     flags_dbg_off=""
--    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
--    flags_opt_yes="-O2"
-+    flags_opt_all=""
-+    flags_opt_yes=""
-     flags_opt_off="-O0"
-     CURL_CHECK_DEF([_WIN32], [], [silent])
-   else
--- 
-1.7.1
-

0105-curl-7.63.0-lib1560-valgrind.patch

@@ -1,39 +0,0 @@
-From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 4 Feb 2019 17:32:56 +0100
-Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
-
-... to prevent valgrind from reporting false positives on x86_64:
-
-Conditional jump or move depends on uninitialised value(s)
-   at 0x10BCAA: part2id (lib1560.c:489)
-   by 0x10BCAA: updateurl (lib1560.c:521)
-   by 0x10BCAA: set_parts (lib1560.c:630)
-   by 0x10BCAA: test (lib1560.c:802)
-   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
-
-Conditional jump or move depends on uninitialised value(s)
-   at 0x10BCC3: part2id (lib1560.c:491)
-   by 0x10BCC3: updateurl (lib1560.c:521)
-   by 0x10BCC3: set_parts (lib1560.c:630)
-   by 0x10BCC3: test (lib1560.c:802)
-   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
----
- tests/libtest/Makefile.inc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
-index 080421b..ea3b806 100644
---- a/tests/libtest/Makefile.inc
-+++ b/tests/libtest/Makefile.inc
-@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
- lib1559_LDADD = $(TESTUTIL_LIBS)
- 
- lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
-+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
- lib1560_LDADD = $(TESTUTIL_LIBS)
- 
- lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
--- 
-2.17.2
-

curl-7.76.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmB2hJEACgkQXMkI/bce
-EsJN2Qf9GFcide66cPmOPEVW9Lu9dYmg5R6g6KanvxCO02CrdlCzD1Z49M7YjJdp
-dU6sP71/BWqI0+IoUd+94O39BR96ARqPgL3TjPf1Fux8x5PeaUP0oD0TaSGq635m
-da930dB1RABlvf5/0L9A5+x+Mkgjk/u+RCeoX1nh6WF0HLZ9RSQmBSBxuInzZgHe
-Q5bAj1DSOrDizHQ2yvNqymmDqUZVeiusIc3QIzTIwsFSg0PbBqG9sYUCSMdeVSjm
-jGcyp5EjyzCyBq7YIzA7VpSRvNTGFr7Q+QP+Sm68kZ6AMCCn/a83jiFUfMyy7H5/
-PEKUqdkKrPScu7DKFWAyqL5DWXt7cA==
-=GTGl
------END PGP SIGNATURE-----

curl.rpmlintrc

@@ -0,0 +1,15 @@
+# Intentional stuff we're not concerned about
+addFilter("unversioned-explicit-provides webclient")
+addFilter("package-with-huge-docs")
+addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
+
+# This is just plain wrong (%_configure redefinition)
+addFilter("configure-without-libdir-spec")
+
+# Technical term
+addFilter("E: spelling-error \('kerberos',")
+
+# Artefacts of RemovePathPostfixes: .minimal
+addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
+#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
+#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")

mykey.asc

@@ -0,0 +1,77 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ
+QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV
+0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1
+EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch
+soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje
+f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL
+gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo
+SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2
+m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0
+ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU
+ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w
+i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD
+AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv
+jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb
+XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz
+7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM
+wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+
+dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT
+rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t
+FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9
+OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx
+5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h
+zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O
+poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA
+Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d
+6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8
+tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu
+c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ
+EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1
+svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+
+Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv
++BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh
+Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg
+rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL
+y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP
+BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/
+0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf
+09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG
+6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8
+67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H
+a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr
+LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK
+nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb
+0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb
+2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC
+OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/
+PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC
+8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3
+/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e
+8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk
+bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0
+IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx
+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN
+2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ
+L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD
+/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6
+UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb
+9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh
+TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k
+IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ
+AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ
+eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8
+sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI
+c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND
+KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j
+4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S
+wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv
+BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF
+PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu
+gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5
+ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb
+j/qx4ytjt5uxt6Jm6IXV9cry8i6x
+=Phs/
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1 +1,2 @@
-SHA512 (curl-7.76.1.tar.xz) = 5fe85d2e776789aa8117c57fe7648e375b7fa92d5ead5d69855f19ca9a2624d77a1f9ab91766ecb72bbc17e82862248cd07e48917884d6fd856b93fb00d83e28
+SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
+SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152

tests/non-root-user-download/runtest.sh

@@ -31,9 +31,9 @@
 
 PACKAGE="curl"
 
-FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
-CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
+CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"