Resolves: CVE-2023-27538 - fix SSH connection too eager reuse still

Resolves: CVE-2023-27536 - fix GSS delegation too eager connection re-use
Resolves: CVE-2023-27535 - fix FTP too eager connection reuse
2023-03-24 14:27:32 +01:00 · 2023-03-24 14:23:06 +01:00 · 2023-03-24 14:19:54 +01:00 · 2023-03-24 14:16:37 +01:00 · 2023-03-24 14:13:14 +01:00 · 2023-02-16 10:15:22 +01:00
33 changed files with 7076 additions and 23 deletions
--- a/0001-curl-7.82.0-openssl-spurious-oom.patch
+++ b/0001-curl-7.82.0-openssl-spurious-oom.patch
@ -0,0 +1,36 @@
+From 58781adaaff911303f69876236918b9049dde926 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 8 Mar 2022 13:38:13 +0100
+Subject: [PATCH] openssl: fix CN check error code
+
+Due to a missing 'else' this returns error too easily.
+
+Regressed in: d15692ebb
+
+Reported-by: Kristoffer Gleditsch
+Fixes #8559
+Closes #8560
+
+Upstream-commit: 911714d617c106ed5d553bf003e34ec94ab6a136
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 616a510..1bafe96 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
+               memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
+               peer_CN[peerlen] = '\0';
+             }
+-            result = CURLE_OUT_OF_MEMORY;
+            else
+              result = CURLE_OUT_OF_MEMORY;
+           }
+         }
+         else /* not a UTF8 name */
+-- 
+2.34.1
+
--- a/0002-curl-7.82.0-CVE-2022-22576.patch
+++ b/0002-curl-7.82.0-CVE-2022-22576.patch
@ -0,0 +1,148 @@
+From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+
+Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/strcase.c   | 10 ++++++++++
+ lib/strcase.h   |  2 ++
+ lib/url.c       | 13 ++++++++++++-
+ lib/urldata.h   |  1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1..692a3f1 100644
+--- a/lib/strcase.c
+++ b/lib/strcase.c
+@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
+   } while(*src++ && --n);
+ }
+ 
+/* Compare case-sensitive NUL-terminated strings, taking care of possible
+ * null pointers. Return true if arguments match.
+ */
+bool Curl_safecmp(char *a, char *b)
+{
+  if(a && b)
+    return !strcmp(a, b);
+  return !a && !b;
+}
+
+ /* --- public functions --- */
+ 
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b628656..382b80a 100644
+--- a/lib/strcase.h
+++ b/lib/strcase.h
+@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+ 
+bool Curl_safecmp(char *a, char *b);
+
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index adef2cd..94e3406 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn)
+   Curl_safefree(conn->passwd);
+   Curl_safefree(conn->sasl_authzid);
+   Curl_safefree(conn->options);
+  Curl_safefree(conn->oauth_bearer);
+   Curl_dyn_free(&conn->trailer);
+   Curl_safefree(conn->host.rawalloc); /* host name buffer */
+   Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data,
+         /* This protocol requires credentials per connection,
+            so verify that we're using the same name and password as well */
+         if(strcmp(needle->user, check->user) ||
+-           strcmp(needle->passwd, check->passwd)) {
+           strcmp(needle->passwd, check->passwd) ||
+           !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
+           !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+           /* one of them was different */
+           continue;
+         }
+@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data,
+     }
+   }
+ 
+  if(data->set.str[STRING_BEARER]) {
+    conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
+    if(!conn->oauth_bearer) {
+      result = CURLE_OUT_OF_MEMORY;
+      goto out;
+    }
+  }
+
+ #ifdef USE_UNIX_SOCKETS
+   if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
+     conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
+diff --git a/lib/urldata.h b/lib/urldata.h
+index cc8a600..03da59a 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -984,6 +984,7 @@ struct connectdata {
+   char *passwd;  /* password string, allocated */
+   char *options; /* options string, allocated */
+   char *sasl_authzid;     /* authorisation identity string, allocated */
+  char *oauth_bearer; /* OAUTH2 bearer, allocated */
+   unsigned char httpversion; /* the HTTP version*10 reported by the server */
+   struct curltime now;     /* "current" time */
+   struct curltime created; /* creation time */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba..a40ac06 100644
+--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
+@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+   return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+ 
+-static bool safecmp(char *a, char *b)
+-{
+-  if(a && b)
+-    return !strcmp(a, b);
+-  else if(!a && !b)
+-    return TRUE; /* match */
+-  return FALSE; /* no match */
+-}
+-
+ 
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+      blobcmp(data->cert_blob, needle->cert_blob) &&
+      blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
+      blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+-     safecmp(data->CApath, needle->CApath) &&
+-     safecmp(data->CAfile, needle->CAfile) &&
+-     safecmp(data->issuercert, needle->issuercert) &&
+-     safecmp(data->clientcert, needle->clientcert) &&
+-     safecmp(data->random_file, needle->random_file) &&
+-     safecmp(data->egdsocket, needle->egdsocket) &&
+     Curl_safecmp(data->CApath, needle->CApath) &&
+     Curl_safecmp(data->CAfile, needle->CAfile) &&
+     Curl_safecmp(data->issuercert, needle->issuercert) &&
+     Curl_safecmp(data->clientcert, needle->clientcert) &&
+     Curl_safecmp(data->random_file, needle->random_file) &&
+     Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->curves, needle->curves) &&
+-- 
+2.34.1
+
--- a/0003-curl-7.82.0-CVE-2022-27775.patch
+++ b/0003-curl-7.82.0-CVE-2022-27775.patch
@ -0,0 +1,40 @@
+From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+
+Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index cd5756a..9b9f683 100644
+--- a/lib/conncache.c
+++ b/lib/conncache.c
+@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+     /* report back which name we used */
+     *hostp = hostname;
+ 
+-  /* put the number first so that the hostname gets cut off if too long */
+-  msnprintf(buf, len, "%ld%s", port, hostname);
+  /* put the numbers first so that the hostname gets cut off if too long */
+#ifdef ENABLE_IPV6
+  msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
+#else
+  msnprintf(buf, len, "%ld/%s", port, hostname);
+#endif
+   Curl_strntolower(buf, buf, len);
+ }
+ 
+-- 
+2.34.1
+
--- a/0004-curl-7.82.0-CVE-2022-27776.patch
+++ b/0004-curl-7.82.0-CVE-2022-27776.patch
@ -0,0 +1,246 @@
+From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+
+Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c    | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 799d4fb..0791dcf 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
+   return CURLE_OK;
+ }
+ 
+/*
+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+ * data" can (still) be sent to this host.
+ */
+static bool allow_auth_to_host(struct Curl_easy *data)
+{
+  struct connectdata *conn = data->conn;
+  return (!data->state.this_is_a_follow ||
+          data->set.allow_auth_to_other_hosts ||
+          (data->state.first_host &&
+           strcasecompare(data->state.first_host, conn->host.name) &&
+           (data->state.first_remote_port == conn->remote_port) &&
+           (data->state.first_remote_protocol == conn->handler->protocol)));
+}
+
+ /**
+  * Curl_http_output_auth() setups the authentication headers for the
+  * host/proxy and the correct authentication
+@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
+        with it */
+     authproxy->done = TRUE;
+ 
+-  /* To prevent the user+password to get sent to other than the original
+-     host due to a location-follow, we do some weirdo checks here */
+-  if(!data->state.this_is_a_follow ||
+  /* To prevent the user+password to get sent to other than the original host
+     due to a location-follow */
+  if(allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+-     conn->bits.netrc ||
+     || conn->bits.netrc
+ #endif
+-     !data->state.first_host ||
+-     data->set.allow_auth_to_other_hosts ||
+-     strcasecompare(data->state.first_host, conn->host.name)) {
+    )
+     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+-  }
+   else
+     authhost->done = TRUE;
+ 
+@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+                    checkprefix("Cookie:", compare)) &&
+                   /* be careful of sending this potentially sensitive header to
+                      other hosts */
+-                  (data->state.this_is_a_follow &&
+-                   data->state.first_host &&
+-                   !data->set.allow_auth_to_other_hosts &&
+-                   !strcasecompare(data->state.first_host, conn->host.name)))
+                  !allow_auth_to_host(data))
+             ;
+           else {
+ #ifdef USE_HYPER
+@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
+       return CURLE_OUT_OF_MEMORY;
+ 
+     data->state.first_remote_port = conn->remote_port;
+    data->state.first_remote_protocol = conn->handler->protocol;
+   }
+   Curl_safefree(data->state.aptr.host);
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 03da59a..f92052a 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -1329,14 +1329,16 @@ struct UrlState {
+   char *ulbuf; /* allocated upload buffer or NULL */
+   curl_off_t current_speed;  /* the ProgressShow() function sets this,
+                                 bytes / second */
+-  char *first_host; /* host name of the first (not followed) request.
+-                       if set, this should be the host name that we will
+-                       sent authorization to, no else. Used to make Location:
+-                       following not keep sending user+password... This is
+-                       strdup() data.
+-                    */
+
+  /* host name, port number and protocol of the first (not followed) request.
+     if set, this should be the host name that we will sent authorization to,
+     no else. Used to make Location: following not keep sending user+password.
+     This is strdup()ed data. */
+  char *first_host;
+  int first_remote_port;
+  unsigned int first_remote_protocol;
+
+   int retrycount; /* number of retries on a new connection */
+-  int first_remote_port; /* remote port of the first (not followed) request */
+   struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+   long sessionage;                  /* number of the most recent session */
+   struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
+-- 
+2.34.1
+
+
+From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:47 +0200
+Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
+
+Do not pass on Authorization headers on redirects to another port
+
+Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test898      | 90 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test898
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 59d46bc..7ae2cf8 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -109,7 +109,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
+ test863 test864 test865 test866 test867 test868 test869 test870 test871 \
+ test872 test873 test874 test875 test876 test877 test878 test879 test880 \
+ test881 test882 test883 test884 test885 test886 test887 test888 test889 \
+-test890 test891 test892 test893 test894 test895 test896 test897 \
+test890 test891 test892 test893 test894 test895 test896 test897 test898 \
+ \
+ test900 test901 test902 test903 test904 test905 test906 test907 test908 \
+ test909 test910 test911 test912 test913 test914 test915 test916 test917 \
+diff --git a/tests/data/test898 b/tests/data/test898
+new file mode 100644
+index 0000000..5cbb7d8
+--- /dev/null
+++ b/tests/data/test898
+@@ -0,0 +1,90 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+--location
+Authorization
+Cookie
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP with custom auth and cookies redirected to HTTP on a diff port
+ </name>
+ <command>
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET http://firsthost.com/ HTTP/1.1
+Host: firsthost.com
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+Authorization: Basic am9lOnNlY3JldA==
+Cookie: userpwd=am9lOnNlY3JldA==
+
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
+Host: firsthost.com:9999
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
+-- 
+2.34.1
+
--- a/0005-curl-7.82.0-CVE-2022-27774.patch
+++ b/0005-curl-7.82.0-CVE-2022-27774.patch
@ -0,0 +1,636 @@
+From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
+
+To make it available after the connection ended.
+
+Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/connect.c | 1 +
+ lib/urldata.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 64f9511..7518807 100644
+--- a/lib/connect.c
+++ b/lib/connect.c
+@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
+   data->info.conn_scheme = conn->handler->scheme;
+   data->info.conn_protocol = conn->handler->protocol;
+   data->info.conn_primary_port = conn->port;
+  data->info.conn_remote_port = conn->remote_port;
+   data->info.conn_local_port = local_port;
+ }
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f92052a..5218f76 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -1160,7 +1160,11 @@ struct PureInfo {
+      reused, in the connection cache. */
+ 
+   char conn_primary_ip[MAX_IPADR_LEN];
+-  int conn_primary_port;
+  int conn_primary_port; /* this is the destination port to the connection,
+                            which might have been a proxy */
+  int conn_remote_port;  /* this is the "remote port", which is the port
+                            number of the used URL, independent of proxy or
+                            not */
+   char conn_local_ip[MAX_IPADR_LEN];
+   int conn_local_port;
+   const char *conn_scheme;
+-- 
+2.34.1
+
+
+From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
+ auth
+
+... unless explicitly permitted.
+
+Bug: https://curl.se/docs/CVE-2022-27774.html
+Reported-by: Harry Sintonen
+Closes #8748
+
+Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 1f8019b..752fe14 100644
+--- a/lib/transfer.c
+++ b/lib/transfer.c
+@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       return CURLE_OUT_OF_MEMORY;
+   }
+   else {
+-
+     uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
+     if(uc)
+       return Curl_uc_to_curlcode(uc);
+
+    /* Clear auth if this redirects to a different port number or protocol,
+       unless permitted */
+    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
+      char *portnum;
+      int port;
+      bool clear = FALSE;
+
+      if(data->set.use_port && data->state.allow_port)
+        /* a custom port is used */
+        port = (int)data->set.use_port;
+      else {
+        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
+                          CURLU_DEFAULT_PORT);
+        if(uc) {
+          free(newurl);
+          return Curl_uc_to_curlcode(uc);
+        }
+        port = atoi(portnum);
+        free(portnum);
+      }
+      if(port != data->info.conn_remote_port) {
+        infof(data, "Clear auth, redirects to port from %u to %u",
+              data->info.conn_remote_port, port);
+        clear = TRUE;
+      }
+      else {
+        char *scheme;
+        const struct Curl_handler *p;
+        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
+        if(uc) {
+          free(newurl);
+          return Curl_uc_to_curlcode(uc);
+        }
+
+        p = Curl_builtin_scheme(scheme);
+        if(p && (p->protocol != data->info.conn_protocol)) {
+          infof(data, "Clear auth, redirects scheme from %s to %s",
+                data->info.conn_scheme, scheme);
+          clear = TRUE;
+        }
+        free(scheme);
+      }
+      if(clear) {
+        Curl_safefree(data->state.aptr.user);
+        Curl_safefree(data->state.aptr.passwd);
+      }
+    }
+   }
+ 
+   if(type == FOLLOW_FAKE) {
+-- 
+2.34.1
+
+
+From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
+
+ - Test 973 redirects from HTTP to FTP, clear auth
+ - Test 974 redirects from HTTP to HTTP different port, clear auth
+ - Test 975 redirects from HTTP to FTP, permitted to keep auth
+ - Test 976 redirects from HTTP to HTTP different port, permitted to keep
+   auth
+
+Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test973      | 88 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test974      | 87 ++++++++++++++++++++++++++++++++++++++++
+ tests/data/test975      | 88 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test976      | 88 +++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 352 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test973
+ create mode 100644 tests/data/test974
+ create mode 100644 tests/data/test975
+ create mode 100644 tests/data/test976
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7ae2cf8..175fc43 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -119,7 +119,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
+ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+-test972 \
+test972 test973 test974 test975 test976 \
+ \
+ test980 test981 test982 test983 test984 test985 test986 \
+ \
+diff --git a/tests/data/test973 b/tests/data/test973
+new file mode 100644
+index 0000000..6ced107
+--- /dev/null
+++ b/tests/data/test973
+@@ -0,0 +1,88 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+FTP
+--location
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+data
+    to
+      see
+that FTP
+works
+  so does it?
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
+
+data
+    to
+      see
+that FTP
+works
+  so does it?
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+ftp
+</server>
+ <name>
+HTTP with auth redirected to FTP w/o auth
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD a
+CWD path
+EPSV
+TYPE I
+SIZE %TESTNUMBER0002
+RETR %TESTNUMBER0002
+QUIT
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test974 b/tests/data/test974
+new file mode 100644
+index 0000000..ac4e641
+--- /dev/null
+++ b/tests/data/test974
+@@ -0,0 +1,87 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+--location
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP with auth redirected to HTTP on a diff port w/o auth
+ </name>
+ <command>
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET http://firsthost.com/ HTTP/1.1
+Host: firsthost.com
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
+Host: firsthost.com:9999
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test975 b/tests/data/test975
+new file mode 100644
+index 0000000..85e03e4
+--- /dev/null
+++ b/tests/data/test975
+@@ -0,0 +1,88 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+FTP
+--location-trusted
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+data
+    to
+      see
+that FTP
+works
+  so does it?
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
+
+data
+    to
+      see
+that FTP
+works
+  so does it?
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+ftp
+</server>
+ <name>
+HTTP with auth redirected to FTP allowing auth to continue
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+
+USER joe
+PASS secret
+PWD
+CWD a
+CWD path
+EPSV
+TYPE I
+SIZE %TESTNUMBER0002
+RETR %TESTNUMBER0002
+QUIT
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test976 b/tests/data/test976
+new file mode 100644
+index 0000000..c4dd61e
+--- /dev/null
+++ b/tests/data/test976
+@@ -0,0 +1,88 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+--location-trusted
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</data2>
+
+<datacheck>
+HTTP/1.1 301 redirect
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Connection: close
+Content-Type: text/html
+
+hey
+</datacheck>
+
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP with auth redirected to HTTP on a diff port --location-trusted
+ </name>
+ <command>
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET http://firsthost.com/ HTTP/1.1
+Host: firsthost.com
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
+Host: firsthost.com:9999
+Authorization: Basic am9lOnNlY3JldA==
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
+-- 
+2.34.1
+
+
+From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 17:59:15 +0200
+Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
+ either
+
+Follow-up to 620ea21410030
+
+Reported-by: Harry Sintonen
+Closes #8751
+
+Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c         | 10 +++++-----
+ lib/http.h         |  6 ++++++
+ lib/vtls/openssl.c |  3 ++-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 0791dcf..4433824 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
+ }
+ 
+ /*
+- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+- * data" can (still) be sent to this host.
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+  */
+-static bool allow_auth_to_host(struct Curl_easy *data)
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
+ {
+   struct connectdata *conn = data->conn;
+   return (!data->state.this_is_a_follow ||
+@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
+ 
+   /* To prevent the user+password to get sent to other than the original host
+      due to a location-follow */
+-  if(allow_auth_to_host(data)
+  if(Curl_allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+      || conn->bits.netrc
+ #endif
+@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+                    checkprefix("Cookie:", compare)) &&
+                   /* be careful of sending this potentially sensitive header to
+                      other hosts */
+-                  !allow_auth_to_host(data))
+                  !Curl_allow_auth_to_host(data))
+             ;
+           else {
+ #ifdef USE_HYPER
+diff --git a/lib/http.h b/lib/http.h
+index 07e963d..9000bae 100644
+--- a/lib/http.h
+++ b/lib/http.h
+@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
+                       bool proxytunnel); /* TRUE if this is the request setting
+                                             up the proxy tunnel */
+ 
+/*
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+ */
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
+
+ #endif /* HEADER_CURL_HTTP_H */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1bafe96..97c5666 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -2894,7 +2894,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+ 
+ #ifdef USE_OPENSSL_SRP
+-  if(ssl_authtype == CURL_TLSAUTH_SRP) {
+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+     Curl_allow_auth_to_host(data)) {
+     char * const ssl_username = SSL_SET_OPTION(username);
+ 
+     infof(data, "Using TLS-SRP username: %s", ssl_username);
+-- 
+2.34.1
+
--- a/0006-curl-7.82.0-CVE-2022-27780.patch
+++ b/0006-curl-7.82.0-CVE-2022-27780.patch
@ -0,0 +1,69 @@
+From 52684f4ad348deee05ce49c65b2446f68f4dc1a8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 08:19:38 +0200
+Subject: [PATCH 1/2] urlapi: reject percent-decoding host name into separator
+ bytes
+
+CVE-2022-27780
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-27780.html
+Closes #8826
+
+Upstream-commit: 914aaab9153764ef8fa4178215b8ad89d3ac263a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/urlapi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index ff00ee4..00222fc 100644
+--- a/lib/urlapi.c
+++ b/lib/urlapi.c
+@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
+ #endif
+   }
+   else {
+-    /* letters from the second string is not ok */
+-    len = strcspn(hostname, " \r\n");
+    /* letters from the second string are not ok */
+    len = strcspn(hostname, " \r\n\t/:#?!@");
+     if(hlen != len)
+       /* hostname with bad content */
+       return CURLUE_BAD_HOSTNAME;
+-- 
+2.34.1
+
+
+From f69fa599b12737aebc4bacee7608807620ff42cf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 08:19:38 +0200
+Subject: [PATCH 2/2] libtest/lib1560: verify the host name percent decode fix
+
+Upstream-commit: cfa47974fea04753d1131cac701e331cd91bec6f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/libtest/lib1560.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+index 7614849..84ee933 100644
+--- a/tests/libtest/lib1560.c
+++ b/tests/libtest/lib1560.c
+@@ -374,6 +374,13 @@ static const struct testcase get_parts_list[] ={
+ 
+ static const struct urltestcase get_url_list[] = {
+   /* percent encoded host names */
+  {"http://example.com%40127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"http://example.com%21127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"http://example.com%3f127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"http://example.com%23127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"http://example.com%3a127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"http://example.com%09127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"http://example.com%2F127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+   {"https://%this", "https://%25this/", 0, 0, CURLUE_OK},
+   {"https://h%c", "https://h%25c/", 0, 0, CURLUE_OK},
+   {"https://%%%%%%", "https://%25%25%25%25%25%25/", 0, 0, CURLUE_OK},
+-- 
+2.34.1
+
--- a/0007-curl-7.82.0-CVE-2022-30115.patch
+++ b/0007-curl-7.82.0-CVE-2022-30115.patch
@ -0,0 +1,273 @@
+From c8c0db4fc5459c47cb422407cfd3ee3406c40734 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 08:13:54 +0200
+Subject: [PATCH 1/2] test440/441: verify HSTS with trailing dots
+
+Upstream-commit: ff3ee510c328db03bf171cae6179bb9463fb054f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test440      | 72 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test441      | 72 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 146 insertions(+)
+ create mode 100644 tests/data/test440
+ create mode 100644 tests/data/test441
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 175fc43..a5b8dc2 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -72,6 +72,8 @@ test409 test410 \
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
+test440 test441 \
+\
+ test490 test491 test492 test493 test494 \
+ \
+ test500 test501 test502 test503 test504 test505 test506 test507 test508 \
+diff --git a/tests/data/test440 b/tests/data/test440
+new file mode 100644
+index 0000000..c640b02
+--- /dev/null
+++ b/tests/data/test440
+@@ -0,0 +1,72 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HSTS
+trailing-dot
+</keywords>
+</info>
+
+<reply>
+
+# we use this as response to a CONNECT
+<connect nocheck="yes">
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+-foo-
+</connect>
+</reply>
+
+<client>
+<server>
+http
+</server>
+<features>
+HSTS
+proxy
+https
+</features>
+
+# no trailing dot in the file only in the URL
+<file name="log/input%TESTNUMBER">
+this.hsts.example "99991001 04:47:41"
+</file>
+
+<name>
+HSTS with trailing-dot host name in URL but none in hsts file
+</name>
+<command>
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example./%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
+</command>
+</client>
+
+<verify>
+# we let it CONNECT to the server to confirm HSTS but deny from there
+<protocol>
+CONNECT this.hsts.example.:443 HTTP/1.1
+Host: this.hsts.example.:443
+User-Agent: curl/%VERSION
+Proxy-Connection: Keep-Alive
+
+</protocol>
+<stdout>
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+https://this.hsts.example./%TESTNUMBER
+</stdout>
+# Proxy CONNECT aborted
+<errorcode>
+56
+</errorcode>
+</verify>
+</testcase>
+diff --git a/tests/data/test441 b/tests/data/test441
+new file mode 100644
+index 0000000..7f5245b
+--- /dev/null
+++ b/tests/data/test441
+@@ -0,0 +1,72 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HSTS
+trailing-dot
+</keywords>
+</info>
+
+<reply>
+
+# we use this as response to a CONNECT
+<connect nocheck="yes">
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+-foo-
+</connect>
+</reply>
+
+<client>
+<server>
+http
+</server>
+<features>
+HSTS
+proxy
+https
+</features>
+
+# no trailing dot in the file only in the URL
+<file name="log/input%TESTNUMBER">
+this.hsts.example. "99991001 04:47:41"
+</file>
+
+<name>
+HSTS with no t-dot host name in URL but t-dot in file
+</name>
+<command>
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example/%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
+</command>
+</client>
+
+<verify>
+# we let it CONNECT to the server to confirm HSTS but deny from there
+<protocol>
+CONNECT this.hsts.example:443 HTTP/1.1
+Host: this.hsts.example:443
+User-Agent: curl/%VERSION
+Proxy-Connection: Keep-Alive
+
+</protocol>
+<stdout>
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+https://this.hsts.example/%TESTNUMBER
+</stdout>
+# Proxy CONNECT aborted
+<errorcode>
+56
+</errorcode>
+</verify>
+</testcase>
+-- 
+2.34.1
+
+
+From fa4a1193f9bb9970b925cc7795d481c8ee9a0a4a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 08:13:55 +0200
+Subject: [PATCH 2/2] hsts: ignore trailing dots when comparing hosts names
+
+CVE-2022-30115
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-30115.html
+Closes #8821
+
+Upstream-commit: fae6fea209a2d4db1582f608bd8cc8000721733a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/hsts.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 03fcc9e..b9fa6f7 100644
+--- a/lib/hsts.c
+++ b/lib/hsts.c
+@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
+                             curl_off_t expires)
+ {
+   struct stsentry *sts = hsts_entry();
+  char *duphost;
+  size_t hlen;
+   if(!sts)
+     return CURLE_OUT_OF_MEMORY;
+ 
+-  sts->expires = expires;
+-  sts->includeSubDomains = subdomains;
+-  sts->host = strdup(hostname);
+-  if(!sts->host) {
+  duphost = strdup(hostname);
+  if(!duphost) {
+     free(sts);
+     return CURLE_OUT_OF_MEMORY;
+   }
+
+  hlen = strlen(duphost);
+  if(duphost[hlen - 1] == '.')
+    /* strip off trailing any dot */
+    duphost[--hlen] = 0;
+
+  sts->host = duphost;
+  sts->expires = expires;
+  sts->includeSubDomains = subdomains;
+   Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
+   return CURLE_OK;
+ }
+@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
+   if(h) {
+    char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
+
+    if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+      return NULL;
+    memcpy(buffer, hostname, hlen);
+    if(hostname[hlen-1] == '.')
+      /* remove the trailing dot */
+      --hlen;
+    buffer[hlen] = 0;
+    hostname = buffer;
+
+     for(e = h->list.head; e; e = n) {
+       struct stsentry *sts = e->ptr;
+       n = e->next;
+@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
+     CURLSTScode sc;
+     DEBUGASSERT(h);
+     do {
+-      char buffer[257];
+      char buffer[MAX_HSTS_HOSTLEN + 1];
+       struct curl_hstsentry e;
+       e.name = buffer;
+       e.namelen = sizeof(buffer)-1;
+-- 
+2.34.1
+
--- a/0008-curl-7.82.0-CVE-2022-27779.patch
+++ b/0008-curl-7.82.0-CVE-2022-27779.patch
@ -0,0 +1,144 @@
+From 755d4386dabf1b29dd8c44a3505567eeed9a5b99 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 16:47:06 +0200
+Subject: [PATCH 1/2] test977: reproduce ability to set cookie on TLD
+
+When PSL is not enabled
+
+Upstream-commit: f8cb6c610a8e1576f1f615918a8b0a8fbd0e4e85
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test977      | 60 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test977
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index a5b8dc2..98d5516 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -121,7 +121,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
+ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+-test972 test973 test974 test975 test976 \
+test972 test973 test974 test975 test976 test977 \
+ \
+ test980 test981 test982 test983 test984 test985 test986 \
+ \
+diff --git a/tests/data/test977 b/tests/data/test977
+new file mode 100644
+index 0000000..11ff1b7
+--- /dev/null
+++ b/tests/data/test977
+@@ -0,0 +1,60 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+cookies
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Set-Cookie: a=b; Domain=.me.;
+
+</data>
+
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+proxy
+</features>
+<server>
+http
+</server>
+ <name>
+URL with trailing dot and receiving a cookie for the TLD with dot
+ </name>
+ <command>
+-x http://%HOSTIP:%HTTPPORT http://firsthost.me. -c log/cookies%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET http://firsthost.me./ HTTP/1.1
+Host: firsthost.me.
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+<file name="log/cookies%TESTNUMBER" mode="text">
+# Netscape HTTP Cookie File
+# https://curl.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+</file>
+</verify>
+</testcase>
+-- 
+2.34.1
+
+
+From 49307bc15142cda9a7f4eff4cdb82111344d865a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 16:47:06 +0200
+Subject: [PATCH 2/2] cookies: make bad_domain() not consider a trailing dot
+ fine
+
+The check for a dot in the domain must not consider a single trailing
+dot to be fine, as then TLD + trailing dot is fine and curl will accept
+setting cookies for it.
+
+CVE-2022-27779
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-27779.html
+Closes #8820
+
+Upstream-commit: 7e92d12b4e6911f424678a133b19de670e183a59
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/cookie.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index d418efa..1b8c8f9 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
+ /* Make sure domain contains a dot or is localhost. */
+ static bool bad_domain(const char *domain)
+ {
+-  return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
+  if(strcasecompare(domain, "localhost"))
+    return FALSE;
+  else {
+    /* there must be a dot present, but that dot must not be a trailing dot */
+    char *dot = strchr(domain, '.');
+    if(dot)
+      return dot[1] ? FALSE : TRUE;
+  }
+  return TRUE;
+ }
+ 
+ /*
+-- 
+2.34.1
+
--- a/0009-curl-7.82.0-CVE-2022-27782.patch
+++ b/0009-curl-7.82.0-CVE-2022-27782.patch
@ -0,0 +1,659 @@
+From 505c04ea93c3db64747e0f776c531e5d63a5acfe Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Thu, 17 Mar 2022 15:31:10 -0400
+Subject: [PATCH 1/3] gtls: fix build for disabled TLS-SRP
+
+Prior to this change if, at build time, the GnuTLS backend was found to
+have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
+via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
+
+Bug: https://curl.se/mail/lib-2022-03/0046.html
+Reported-by: Robert Brose
+
+Closes https://github.com/curl/curl/pull/8604
+
+Upstream-commit: 8b1cae63b77ecfbdb372b5fafb0eb4c273ec887a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/gtls.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5749376..bc8ef68 100644
+--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
+@@ -55,6 +55,14 @@
+ /* The last #include file should be: */
+ #include "memdebug.h"
+ 
+#ifdef HAVE_GNUTLS_SRP
+/* the function exists */
+#ifdef USE_TLS_SRP
+/* the functionality is not disabled */
+#define USE_GNUTLS_SRP
+#endif
+#endif
+
+ /* Enable GnuTLS debugging by defining GTLSDEBUG */
+ /*#define GTLSDEBUG */
+ 
+@@ -75,7 +83,7 @@ static bool gtls_inited = FALSE;
+ struct ssl_backend_data {
+   gnutls_session_t session;
+   gnutls_certificate_credentials_t cred;
+-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
+   gnutls_srp_client_credentials_t srp_client_cred;
+ #endif
+ };
+@@ -436,7 +444,7 @@ gtls_connect_step1(struct Curl_easy *data,
+     return CURLE_SSL_CONNECT_ERROR;
+   }
+ 
+-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
+   if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+     infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+ 
+@@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data,
+   if(result)
+     return result;
+ 
+-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
+   /* Only add SRP to the cipher list if SRP is requested. Otherwise
+    * GnuTLS will disable TLS 1.3 support. */
+   if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+@@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ #endif
+     infof(data, "GnuTLS ciphers: %s", prioritylist);
+     rc = gnutls_priority_set_direct(session, prioritylist, &err);
+-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
+   }
+ #endif
+ 
+@@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data,
+     }
+   }
+ 
+-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
+   /* put the credentials to the current session */
+   if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+     rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+@@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+     if(SSL_CONN_CONFIG(verifypeer) ||
+        SSL_CONN_CONFIG(verifyhost) ||
+        SSL_CONN_CONFIG(issuercert)) {
+-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
+       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+          && SSL_SET_OPTION(username) != NULL
+          && !SSL_CONN_CONFIG(verifypeer)
+@@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+         failf(data, "failed to get server cert");
+         *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
+         return CURLE_PEER_FAILED_VERIFICATION;
+-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
+       }
+ #endif
+     }
+@@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl)
+     gnutls_certificate_free_credentials(backend->cred);
+     backend->cred = NULL;
+   }
+-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
+   if(backend->srp_client_cred) {
+     gnutls_srp_free_client_credentials(backend->srp_client_cred);
+     backend->srp_client_cred = NULL;
+@@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
+   }
+   gnutls_certificate_free_credentials(backend->cred);
+ 
+-#ifdef HAVE_GNUTLS_SRP
+#ifdef USE_GNUTLS_SRP
+   if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+      && SSL_SET_OPTION(username) != NULL)
+     gnutls_srp_free_client_credentials(backend->srp_client_cred);
+-- 
+2.35.3
+
+
+From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c       | 29 +++++++++++++++++------------
+ lib/url.c          | 23 ++++++++++++++++-------
+ lib/urldata.h      | 13 +++++++------
+ lib/vtls/gtls.c    | 32 +++++++++++++++++---------------
+ lib/vtls/mbedtls.c |  2 +-
+ lib/vtls/nss.c     |  6 +++---
+ lib/vtls/openssl.c | 10 +++++-----
+ lib/vtls/vtls.c    | 21 +++++++++++++++++++++
+ 8 files changed, 87 insertions(+), 49 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 8e1bf12..7aa6fdb 100644
+--- a/lib/setopt.c
+++ b/lib/setopt.c
+@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ 
+   case CURLOPT_SSL_OPTIONS:
+     arg = va_arg(param, long);
+    data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
+     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+     data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_SSL_OPTIONS:
+     arg = va_arg(param, long);
+    data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
+     data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+     data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+   case CURLOPT_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
+       !data->set.ssl.primary.authtype)
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
+                             va_arg(param, char *));
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+       !data->set.proxy_ssl.primary.authtype)
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
+                                                                  SRP */
+     break;
+ #endif
+   case CURLOPT_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
+       !data->set.ssl.primary.authtype)
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
+                             va_arg(param, char *));
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+       !data->set.proxy_ssl.primary.authtype)
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+     break;
+ #endif
+   case CURLOPT_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+ #endif
+ #endif
+diff --git a/lib/url.c b/lib/url.c
+index 94e3406..5ebf5e2 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+   set->ssl.primary.verifypeer = TRUE;
+   set->ssl.primary.verifyhost = TRUE;
+ #ifdef USE_TLS_SRP
+-  set->ssl.authtype = CURL_TLSAUTH_NONE;
+  set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ #endif
+   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+                                                       type */
+@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
+   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
+   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
+  conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
+#ifdef USE_TLS_SRP
+#endif
+ #ifndef CURL_DISABLE_PROXY
+   conn->proxy_ssl_config.verifystatus =
+     data->set.proxy_ssl.primary.verifystatus;
+   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
+  conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
+#ifdef USE_TLS_SRP
+#endif
+ #endif
+   conn->ip_version = data->set.ipver;
+   conn->bits.connect_only = data->set.connect_only;
+@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data,
+     data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.primary.issuercert_blob =
+     data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
+-  data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+  data->set.proxy_ssl.primary.CRLfile =
+    data->set.str[STRING_SSL_CRLFILE_PROXY];
+   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
+@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
+   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+-  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+  data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+   data->set.ssl.key = data->set.str[STRING_KEY];
+   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
+   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
+   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+-  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+-  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+  data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
+  data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #ifndef CURL_DISABLE_PROXY
+-  data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+-  data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+  data->set.proxy_ssl.primary.username =
+    data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+  data->set.proxy_ssl.primary.password =
+    data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ #endif
+   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 5218f76..e006495 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -253,10 +253,17 @@ struct ssl_primary_config {
+   char *cipher_list;     /* list of ciphers to use */
+   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
+   char *pinned_key;
+  char *CRLfile;         /* CRL to check certificate revocation */
+   struct curl_blob *cert_blob;
+   struct curl_blob *ca_info_blob;
+   struct curl_blob *issuercert_blob;
+#ifdef USE_TLS_SRP
+  char *username; /* TLS username (for, e.g., SRP) */
+  char *password; /* TLS password (for, e.g., SRP) */
+  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+#endif
+   char *curves;          /* list of curves to use */
+  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
+   BIT(verifypeer);       /* set TRUE if this is desired */
+   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
+   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
+@@ -266,7 +273,6 @@ struct ssl_primary_config {
+ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+-  char *CRLfile;   /* CRL to check certificate revocation */
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert_type; /* format for certificate (default: PEM)*/
+@@ -274,11 +280,6 @@ struct ssl_config_data {
+   struct curl_blob *key_blob;
+   char *key_type; /* format for private key (default: PEM) */
+   char *key_passwd; /* plain text private key password */
+-#ifdef USE_TLS_SRP
+-  char *username; /* TLS username (for, e.g., SRP) */
+-  char *password; /* TLS password (for, e.g., SRP) */
+-  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+-#endif
+   BIT(certinfo);     /* gather lots of certificate info */
+   BIT(falsestart);
+   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5749376..ec6be16 100644
+--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
+@@ -445,8 +445,9 @@ gtls_connect_step1(struct Curl_easy *data,
+   }
+ 
+ #ifdef USE_GNUTLS_SRP
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+-    infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+    infof(data, "Using TLS-SRP username: %s",
+          SSL_SET_OPTION(primary.username));
+ 
+     rc = gnutls_srp_allocate_client_credentials(
+            &backend->srp_client_cred);
+@@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data,
+     }
+ 
+     rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
+-                                           SSL_SET_OPTION(username),
+-                                           SSL_SET_OPTION(password));
+                                           SSL_SET_OPTION(primary.username),
+                                           SSL_SET_OPTION(primary.password));
+     if(rc != GNUTLS_E_SUCCESS) {
+       failf(data, "gnutls_srp_set_client_cred() failed: %s",
+             gnutls_strerror(rc));
+@@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data,
+   }
+ #endif
+ 
+-  if(SSL_SET_OPTION(CRLfile)) {
+  if(SSL_SET_OPTION(primary.CRLfile)) {
+     /* set the CRL list file */
+     rc = gnutls_certificate_set_x509_crl_file(backend->cred,
+-                                              SSL_SET_OPTION(CRLfile),
+                                              SSL_SET_OPTION(primary.CRLfile),
+                                               GNUTLS_X509_FMT_PEM);
+     if(rc < 0) {
+       failf(data, "error reading crl file %s (%s)",
+-            SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
+            SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
+       return CURLE_SSL_CRL_BADFILE;
+     }
+     else
+       infof(data, "found %d CRL in %s",
+-            rc, SSL_SET_OPTION(CRLfile));
+            rc, SSL_SET_OPTION(primary.CRLfile));
+   }
+ 
+   /* Initialize TLS session as a client */
+@@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ #ifdef USE_GNUTLS_SRP
+   /* Only add SRP to the cipher list if SRP is requested. Otherwise
+    * GnuTLS will disable TLS 1.3 support. */
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+     size_t len = strlen(prioritylist);
+ 
+     char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
+@@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ 
+ #ifdef USE_GNUTLS_SRP
+   /* put the credentials to the current session */
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+     rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+                                 backend->srp_client_cred);
+     if(rc != GNUTLS_E_SUCCESS) {
+@@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+        SSL_CONN_CONFIG(verifyhost) ||
+        SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_GNUTLS_SRP
+-      if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+-         && SSL_SET_OPTION(username) != NULL
+      if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+         && SSL_SET_OPTION(primary.username) != NULL
+          && !SSL_CONN_CONFIG(verifypeer)
+          && gnutls_cipher_get(session)) {
+         /* no peer cert, but auth is ok if we have SRP user and cipher and no
+@@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+         failf(data, "server certificate verification failed. CAfile: %s "
+               "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
+               "none",
+-              SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
+              SSL_SET_OPTION(primary.CRLfile) ?
+              SSL_SET_OPTION(primary.CRLfile) : "none");
+         return CURLE_PEER_FAILED_VERIFICATION;
+       }
+       else
+@@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
+   gnutls_certificate_free_credentials(backend->cred);
+ 
+ #ifdef USE_GNUTLS_SRP
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+-     && SSL_SET_OPTION(username) != NULL)
+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+     && SSL_SET_OPTION(primary.username) != NULL)
+     gnutls_srp_free_client_credentials(backend->srp_client_cred);
+ #endif
+ 
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index b9fd26a..bd4ad8f 100644
+--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
+@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+   const char * const hostname = SSL_HOST_NAME();
+ #ifndef CURL_DISABLE_VERBOSE_STRINGS
+   const long int port = SSL_HOST_PORT();
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 558e3be..892e7d8 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -2027,13 +2027,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+     }
+   }
+ 
+-  if(SSL_SET_OPTION(CRLfile)) {
+-    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
+  if(SSL_SET_OPTION(primary.CRLfile)) {
+    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
+     if(rv) {
+       result = rv;
+       goto error;
+     }
+-    infof(data, "  CRLfile: %s", SSL_SET_OPTION(CRLfile));
+    infof(data, "  CRLfile: %s", SSL_SET_OPTION(primary.CRLfile));
+   }
+ 
+   if(SSL_SET_OPTION(primary.clientcert)) {
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 97c5666..a4ef9d1 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -2633,7 +2633,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+   const long int ssl_version = SSL_CONN_CONFIG(version);
+ #ifdef USE_OPENSSL_SRP
+-  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
+  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
+ #endif
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+@@ -2644,7 +2644,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+     (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
+   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+   char error_buffer[256];
+   struct ssl_backend_data *backend = connssl->backend;
+   bool imported_native_ca = false;
+@@ -2896,15 +2896,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #ifdef USE_OPENSSL_SRP
+   if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+      Curl_allow_auth_to_host(data)) {
+-    char * const ssl_username = SSL_SET_OPTION(username);
+-
+    char * const ssl_username = SSL_SET_OPTION(primary.username);
+    char * const ssl_password = SSL_SET_OPTION(primary.password);
+     infof(data, "Using TLS-SRP username: %s", ssl_username);
+ 
+     if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
+       failf(data, "Unable to set SRP user name");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+-    if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
+    if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
+       failf(data, "failed setting SRP password");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index a40ac06..e2d3438 100644
+--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
+@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ {
+   if((data->version == needle->version) &&
+      (data->version_max == needle->version_max) &&
+     (data->ssl_options == needle->ssl_options) &&
+      (data->verifypeer == needle->verifypeer) &&
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&
+@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+      Curl_safecmp(data->clientcert, needle->clientcert) &&
+      Curl_safecmp(data->random_file, needle->random_file) &&
+      Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+#ifdef USE_TLS_SRP
+     Curl_safecmp(data->username, needle->username) &&
+     Curl_safecmp(data->password, needle->password) &&
+     (data->authtype == needle->authtype) &&
+#endif
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->curves, needle->curves) &&
+     Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
+      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+     return TRUE;
+ 
+@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   dest->verifyhost = source->verifyhost;
+   dest->verifystatus = source->verifystatus;
+   dest->sessionid = source->sessionid;
+  dest->ssl_options = source->ssl_options;
+#ifdef USE_TLS_SRP
+  dest->authtype = source->authtype;
+#endif
+ 
+   CLONE_BLOB(cert_blob);
+   CLONE_BLOB(ca_info_blob);
+@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   CLONE_STRING(cipher_list13);
+   CLONE_STRING(pinned_key);
+   CLONE_STRING(curves);
+  CLONE_STRING(CRLfile);
+#ifdef USE_TLS_SRP
+  CLONE_STRING(username);
+  CLONE_STRING(password);
+#endif
+ 
+   return TRUE;
+ }
+@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+   Curl_safefree(sslc->ca_info_blob);
+   Curl_safefree(sslc->issuercert_blob);
+   Curl_safefree(sslc->curves);
+  Curl_safefree(sslc->CRLfile);
+#ifdef USE_TLS_SRP
+  Curl_safefree(sslc->username);
+  Curl_safefree(sslc->password);
+#endif
+ }
+ 
+ #ifdef USE_SSL
+-- 
+2.34.1
+
+
+From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH 3/3] url: check SSH config match on connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c      | 11 +++++++++++
+ lib/vssh/ssh.h |  6 +++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 5ebf5e2..c713e54 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
+   }
+ }
+ 
+static bool ssh_config_matches(struct connectdata *one,
+                               struct connectdata *two)
+{
+  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
+          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
+}
+ /*
+  * Given one filled in connection struct (named needle), this function should
+  * detect if there already is one that has all the significant details
+@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
+          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+         continue;
+ 
+      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+        if(!ssh_config_matches(needle, check))
+          continue;
+      }
+
+       if((needle->handler->flags&PROTOPT_SSL)
+ #ifndef CURL_DISABLE_PROXY
+          || !needle->bits.httpproxy || needle->bits.tunnel_proxy
+diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
+index 7972081..30d82e5 100644
+--- a/lib/vssh/ssh.h
+++ b/lib/vssh/ssh.h
+@@ -7,7 +7,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -131,8 +131,8 @@ struct ssh_conn {
+ 
+   /* common */
+   const char *passphrase;     /* pass-phrase to use */
+-  char *rsa_pub;              /* path name */
+-  char *rsa;                  /* path name */
+  char *rsa_pub;              /* strdup'ed public key file */
+  char *rsa;                  /* strdup'ed private key file */
+   bool authed;                /* the connection has been authenticated fine */
+   bool acceptfail;            /* used by the SFTP_QUOTE (continue if
+                                  quote command fails) */
+-- 
+2.34.1
+
--- a/0010-curl-7.82.0-CVE-2022-32208.patch
+++ b/0010-curl-7.82.0-CVE-2022-32208.patch
@ -0,0 +1,70 @@
+From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
+++ b/lib/krb5.c
+@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
+  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
+@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
+  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
+    if(len > CURL_MAX_INPUT_LENGTH)
+      len = 0;
+    else
+      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
+  nread = conn->mech->decode(conn->app_data, buf->data, len,
+                             conn->data_prot, conn);
+  if(nread < 0)
+    return CURLE_RECV_ERROR;
+  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }
+-- 
+2.35.3
+
--- a/0011-curl-7.82.0-CVE-2022-32206.patch
+++ b/0011-curl-7.82.0-CVE-2022-32206.patch
@ -0,0 +1,144 @@
+From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH 1/2] content_encoding: return error on too many compression
+ steps
+
+The max allowed steps is arbitrarily set to 5.
+
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+
+Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index c03637a..6f994b3 100644
+--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
+@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name,
+   return NULL;
+ }
+ 
+/* allow no more than 5 "chained" compression steps */
+#define MAX_ENCODE_STACK 5
+
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+  * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
+  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
+      if(++counter >= MAX_ENCODE_STACK) {
+        failf(data, "Reject response due to %u content encodings",
+              counter);
+        return CURLE_BAD_CONTENT_ENCODING;
+      }
+       /* Stack the unencoding stage. */
+       writer = new_unencoding_writer(data, encoding, k->writer_stack);
+       if(!writer)
+-- 
+2.35.3
+
+
+From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:29:07 +0200
+Subject: [PATCH 2/2] test387: verify rejection of compression chain attack
+
+Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test387      | 53 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test387
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 98d5516..9b5f4fb 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -63,7 +63,7 @@ test352 test353 test354 test355 test356 test357 test358 test359 test360 \
+ test361 test362 test363 test364 test365 test366 test367 test368 test369 \
+ test370 test371 test372 test373 test374 \
+ \
+-test380 test381 test383 test384 test385 test386 \
+test380 test381 test383 test384 test385 test386 test387 \
+ \
+ test392 test393 test394 test395 test396 test397 \
+ \
+diff --git a/tests/data/test387 b/tests/data/test387
+new file mode 100644
+index 0000000..015ec25
+--- /dev/null
+++ b/tests/data/test387
+@@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+gzip
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 200 OK
+Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+Response with overly long compression chain
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+
+# CURLE_BAD_CONTENT_ENCODING is 61
+<errorcode>
+61
+</errorcode>
+<stderr mode="text">
+curl: (61) Reject response due to 5 content encodings
+</stderr>
+</verify>
+</testcase>
+-- 
+2.35.3
+
--- a/0012-curl-7.82.0-CVE-2022-32205.patch
+++ b/0012-curl-7.82.0-CVE-2022-32205.patch
--- a/0013-curl-7.82.0-CVE-2022-32207.patch
+++ b/0013-curl-7.82.0-CVE-2022-32207.patch
@ -0,0 +1,428 @@
+From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files
+
+Bug: https://curl.se/docs/CVE-2022-32207.html
+CVE-2022-32207
+Reported-by: Harry Sintonen
+Closes #9050
+
+Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ CMakeLists.txt          |   1 +
+ configure.ac            |   1 +
+ lib/Makefile.inc        |   2 +
+ lib/cookie.c            |  19 ++-----
+ lib/curl_config.h.cmake |   3 ++
+ lib/fopen.c             | 113 ++++++++++++++++++++++++++++++++++++++++
+ lib/fopen.h             |  30 +++++++++++
+ 7 files changed, 154 insertions(+), 15 deletions(-)
+ create mode 100644 lib/fopen.c
+ create mode 100644 lib/fopen.h
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b77de6d..a0bfaad 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET)
+   set(CMAKE_REQUIRED_LIBRARIES socket)
+ endif()
+ 
+check_symbol_exists(fchmod        "${CURL_INCLUDES}" HAVE_FCHMOD)
+ check_symbol_exists(basename      "${CURL_INCLUDES}" HAVE_BASENAME)
+ check_symbol_exists(socket        "${CURL_INCLUDES}" HAVE_SOCKET)
+ check_symbol_exists(select        "${CURL_INCLUDES}" HAVE_SELECT)
+diff --git a/configure.ac b/configure.ac
+index d431870..7433bb9 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+ 
+ 
+ AC_CHECK_FUNCS([fnmatch \
+  fchmod \
+   geteuid \
+   getpass_r \
+   getppid \
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index e8f110f..5139b03 100644
+--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
+@@ -133,6 +133,7 @@ LIB_CFILES =         \
+   escape.c           \
+   file.c             \
+   fileinfo.c         \
+  fopen.c            \
+   formdata.c         \
+   ftp.c              \
+   ftplistparser.c    \
+@@ -263,6 +264,7 @@ LIB_HFILES =         \
+   escape.h           \
+   file.h             \
+   fileinfo.h         \
+  fopen.h            \
+   formdata.h         \
+   ftp.h              \
+   ftplistparser.h    \
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 8a6aa1a..cb0c03b 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -96,8 +96,8 @@ Example set of cookies:
+ #include "curl_get_line.h"
+ #include "curl_memrchr.h"
+ #include "parsedate.h"
+-#include "rand.h"
+ #include "rename.h"
+#include "fopen.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
+     use_stdout = TRUE;
+   }
+   else {
+-    unsigned char randsuffix[9];
+-
+-    if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-      return 2;
+-
+-    tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+-    if(!tempstore)
+-      return CURLE_OUT_OF_MEMORY;
+-
+-    out = fopen(tempstore, FOPEN_WRITETEXT);
+-    if(!out) {
+-      error = CURLE_WRITE_ERROR;
+    error = Curl_fopen(data, filename, &out, &tempstore);
+    if(error)
+       goto error;
+-    }
+   }
+ 
+   fputs("# Netscape HTTP Cookie File\n"
+@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
+   if(!use_stdout) {
+     fclose(out);
+     out = NULL;
+-    if(Curl_rename(tempstore, filename)) {
+    if(tempstore && Curl_rename(tempstore, filename)) {
+       unlink(tempstore);
+       error = CURLE_WRITE_ERROR;
+       goto error;
+diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
+index d2a0f43..c254359 100644
+--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
+@@ -157,6 +157,9 @@
+ /* Define to 1 if you have the <assert.h> header file. */
+ #cmakedefine HAVE_ASSERT_H 1
+ 
+/* Define to 1 if you have the `fchmod' function. */
+#cmakedefine HAVE_FCHMOD 1
+
+ /* Define to 1 if you have the `basename' function. */
+ #cmakedefine HAVE_BASENAME 1
+ 
+diff --git a/lib/fopen.c b/lib/fopen.c
+new file mode 100644
+index 0000000..ad3691b
+--- /dev/null
+++ b/lib/fopen.c
+@@ -0,0 +1,113 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
+  !defined(CURL_DISABLE_HSTS)
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#include "urldata.h"
+#include "rand.h"
+#include "fopen.h"
+/* The last 3 #include files should be in this order */
+#include "curl_printf.h"
+#include "curl_memory.h"
+#include "memdebug.h"
+
+/*
+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
+ * to the final name when completed. If there is an existing file using this
+ * name at the time of the open, this function will clone the mode from that
+ * file.  if 'tempname' is non-NULL, it needs a rename after the file is
+ * written.
+ */
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+                    FILE **fh, char **tempname)
+{
+  CURLcode result = CURLE_WRITE_ERROR;
+  unsigned char randsuffix[9];
+  char *tempstore = NULL;
+  struct_stat sb;
+  int fd = -1;
+  *tempname = NULL;
+
+  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+    /* a non-regular file, fallback to direct fopen() */
+    *fh = fopen(filename, FOPEN_WRITETEXT);
+    if(*fh)
+      return CURLE_OK;
+    goto fail;
+  }
+
+  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+  if(result)
+    goto fail;
+
+  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+  if(!tempstore) {
+    result = CURLE_OUT_OF_MEMORY;
+    goto fail;
+  }
+
+  result = CURLE_WRITE_ERROR;
+  fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
+  if(fd == -1)
+    goto fail;
+
+#ifdef HAVE_FCHMOD
+  {
+    struct_stat nsb;
+    if((fstat(fd, &nsb) != -1) &&
+       (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
+      /* if the user and group are the same, clone the original mode */
+      if(fchmod(fd, sb.st_mode) == -1)
+        goto fail;
+    }
+  }
+#endif
+
+  *fh = fdopen(fd, FOPEN_WRITETEXT);
+  if(!*fh)
+    goto fail;
+
+  *tempname = tempstore;
+  return CURLE_OK;
+
+fail:
+  if(fd != -1) {
+    close(fd);
+    unlink(tempstore);
+  }
+
+  free(tempstore);
+
+  *tempname = NULL;
+  return result;
+}
+
+#endif /* ! disabled */
+diff --git a/lib/fopen.h b/lib/fopen.h
+new file mode 100644
+index 0000000..289e55f
+--- /dev/null
+++ b/lib/fopen.h
+@@ -0,0 +1,30 @@
+#ifndef HEADER_CURL_FOPEN_H
+#define HEADER_CURL_FOPEN_H
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+                    FILE **fh, char **tempname);
+
+#endif
+-- 
+2.35.3
+
+
+From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH 2/3] altsvc: use Curl_fopen()
+
+Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/altsvc.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/lib/altsvc.c b/lib/altsvc.c
+index 242733b..4dc4078 100644
+--- a/lib/altsvc.c
+++ b/lib/altsvc.c
+@@ -34,7 +34,7 @@
+ #include "parsedate.h"
+ #include "sendf.h"
+ #include "warnless.h"
+-#include "rand.h"
+#include "fopen.h"
+ #include "rename.h"
+ 
+ /* The last 3 #include files should be in this order */
+@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
+   struct Curl_llist_element *n;
+   CURLcode result = CURLE_OK;
+   FILE *out;
+-  char *tempstore;
+-  unsigned char randsuffix[9];
+  char *tempstore = NULL;
+ 
+   if(!altsvc)
+     /* no cache activated */
+@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
+     /* marked as read-only, no file or zero length file name */
+     return CURLE_OK;
+ 
+-  if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-    return CURLE_FAILED_INIT;
+-
+-  tempstore = aprintf("%s.%s.tmp", file, randsuffix);
+-  if(!tempstore)
+-    return CURLE_OUT_OF_MEMORY;
+-
+-  out = fopen(tempstore, FOPEN_WRITETEXT);
+-  if(!out)
+-    result = CURLE_WRITE_ERROR;
+-  else {
+  result = Curl_fopen(data, file, &out, &tempstore);
+  if(!result) {
+     fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n"
+           "# This file was generated by libcurl! Edit at your own risk.\n",
+           out);
+@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
+         break;
+     }
+     fclose(out);
+-    if(!result && Curl_rename(tempstore, file))
+    if(!result && tempstore && Curl_rename(tempstore, file))
+       result = CURLE_WRITE_ERROR;
+ 
+-    if(result)
+    if(result && tempstore)
+       unlink(tempstore);
+   }
+   free(tempstore);
+-- 
+2.35.3
+
+
+From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:54 +0200
+Subject: [PATCH 3/3] hsts: use Curl_fopen()
+
+Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/hsts.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index b9fa6f7..9d54c82 100644
+--- a/lib/hsts.c
+++ b/lib/hsts.c
+@@ -35,7 +35,7 @@
+ #include "sendf.h"
+ #include "strtoofft.h"
+ #include "parsedate.h"
+-#include "rand.h"
+#include "fopen.h"
+ #include "rename.h"
+ #include "strtoofft.h"
+ 
+@@ -354,8 +354,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
+   struct Curl_llist_element *n;
+   CURLcode result = CURLE_OK;
+   FILE *out;
+-  char *tempstore;
+-  unsigned char randsuffix[9];
+  char *tempstore = NULL;
+ 
+   if(!h)
+     /* no cache activated */
+@@ -369,17 +368,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
+     /* marked as read-only, no file or zero length file name */
+     goto skipsave;
+ 
+-  if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-    return CURLE_FAILED_INIT;
+-
+-  tempstore = aprintf("%s.%s.tmp", file, randsuffix);
+-  if(!tempstore)
+-    return CURLE_OUT_OF_MEMORY;
+-
+-  out = fopen(tempstore, FOPEN_WRITETEXT);
+-  if(!out)
+-    result = CURLE_WRITE_ERROR;
+-  else {
+  result = Curl_fopen(data, file, &out, &tempstore);
+  if(!result) {
+     fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n"
+           "# This file was generated by libcurl! Edit at your own risk.\n",
+           out);
+@@ -391,10 +381,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
+         break;
+     }
+     fclose(out);
+-    if(!result && Curl_rename(tempstore, file))
+    if(!result && tempstore && Curl_rename(tempstore, file))
+       result = CURLE_WRITE_ERROR;
+ 
+-    if(result)
+    if(result && tempstore)
+       unlink(tempstore);
+   }
+   free(tempstore);
+-- 
+2.35.3
+
--- a/0014-curl-7.82.0-CVE-2022-35252.patch
+++ b/0014-curl-7.82.0-CVE-2022-35252.patch
@ -0,0 +1,136 @@
+From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 1/2] cookie: reject cookies with "control bytes"
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+
+Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index cb0c03b..e0470a1 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -438,6 +438,30 @@ static bool bad_domain(const char *domain)
+   return TRUE;
+ }
+ 
+/*
+  RFC 6265 section 4.1.1 says a server should accept this range:
+
+  cookie-octet    = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
+
+  But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
+  fine. The prime reason for filtering out control bytes is that some HTTP
+  servers return 400 for requests that contain such.
+*/
+static int invalid_octets(const char *p)
+{
+  /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
+  static const char badoctets[] = {
+    "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
+    "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+    "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
+  };
+  size_t vlen, len;
+  /* scan for all the octets that are *not* in cookie-octet */
+  len = strcspn(p, badoctets);
+  vlen = strlen(p);
+  return (len != vlen);
+}
+
+ /*
+  * Curl_cookie_add
+  *
+@@ -590,6 +614,11 @@ Curl_cookie_add(struct Curl_easy *data,
+             badcookie = TRUE;
+             break;
+           }
+          if(invalid_octets(whatptr) || invalid_octets(name)) {
+            infof(data, "invalid octets in name/value, cookie dropped");
+            badcookie = TRUE;
+            break;
+          }
+         }
+         else if(!len) {
+           /*
+-- 
+2.37.1
+
+
+From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored
+
+Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/tests/data/test8 b/tests/data/test8
+index a8548e6..8587611 100644
+--- a/tests/data/test8
+++ b/tests/data/test8
+@@ -46,6 +46,36 @@ Set-Cookie: trailingspace    = removed; path=/we/want;
+ Set-Cookie: nocookie=yes; path=/WE;
+ Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
+ Set-Cookie: partialip=nono; domain=.0.0.1;
+Set-Cookie: cookie1=%hex[%01-junk]hex%
+Set-Cookie: cookie2=%hex[%02-junk]hex%
+Set-Cookie: cookie3=%hex[%03-junk]hex%
+Set-Cookie: cookie4=%hex[%04-junk]hex%
+Set-Cookie: cookie5=%hex[%05-junk]hex%
+Set-Cookie: cookie6=%hex[%06-junk]hex%
+Set-Cookie: cookie7=%hex[%07-junk]hex%
+Set-Cookie: cookie8=%hex[%08-junk]hex%
+Set-Cookie: cookie9=%hex[junk-%09-]hex%
+Set-Cookie: cookie11=%hex[%0b-junk]hex%
+Set-Cookie: cookie12=%hex[%0c-junk]hex%
+Set-Cookie: cookie14=%hex[%0e-junk]hex%
+Set-Cookie: cookie15=%hex[%0f-junk]hex%
+Set-Cookie: cookie16=%hex[%10-junk]hex%
+Set-Cookie: cookie17=%hex[%11-junk]hex%
+Set-Cookie: cookie18=%hex[%12-junk]hex%
+Set-Cookie: cookie19=%hex[%13-junk]hex%
+Set-Cookie: cookie20=%hex[%14-junk]hex%
+Set-Cookie: cookie21=%hex[%15-junk]hex%
+Set-Cookie: cookie22=%hex[%16-junk]hex%
+Set-Cookie: cookie23=%hex[%17-junk]hex%
+Set-Cookie: cookie24=%hex[%18-junk]hex%
+Set-Cookie: cookie25=%hex[%19-junk]hex%
+Set-Cookie: cookie26=%hex[%1a-junk]hex%
+Set-Cookie: cookie27=%hex[%1b-junk]hex%
+Set-Cookie: cookie28=%hex[%1c-junk]hex%
+Set-Cookie: cookie29=%hex[%1d-junk]hex%
+Set-Cookie: cookie30=%hex[%1e-junk]hex%
+Set-Cookie: cookie31=%hex[%1f-junk]hex%
+Set-Cookie: cookie31=%hex[%7f-junk]hex%
+ 
+ </file>
+ <precheck>
+@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ User-Agent: curl/%VERSION
+ Accept: */*
+-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk-	-
+ 
+ </protocol>
+ </verify>
+-- 
+2.37.1
+
--- a/0015-curl-7.82.0-CVE-2022-32221.patch
+++ b/0015-curl-7.82.0-CVE-2022-32221.patch
@ -0,0 +1,251 @@
+From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field
+
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+
+Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index d5e3b50..b8793b4 100644
+--- a/lib/setopt.c
+++ b/lib/setopt.c
+@@ -625,6 +625,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     }
+     else
+       data->set.method = HTTPREQ_GET;
+    data->set.upload = FALSE;
+     break;
+ 
+   case CURLOPT_HTTPPOST:
+-- 
+2.37.3
+
+
+From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:23:33 +0200
+Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle
+
+Reproduced #9507, verifies the fix
+
+Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc    |  1 +
+ tests/data/test1948        | 73 +++++++++++++++++++++++++++++++++++
+ tests/libtest/Makefile.inc |  5 +++
+ tests/libtest/lib1948.c    | 79 ++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 158 insertions(+)
+ create mode 100644 tests/data/test1948
+ create mode 100644 tests/libtest/lib1948.c
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 818ee08..0cfab9b 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -220,6 +220,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \
+ test1916 test1917 test1918 \
+ \
+ test1933 test1934 test1935 test1936 test1937 test1938 test1939 \
+test1948 \
+ \
+ test2000 test2001 test2002 test2003 test2004 \
+ \
+diff --git a/tests/data/test1948 b/tests/data/test1948
+new file mode 100644
+index 0000000..639523d
+--- /dev/null
+++ b/tests/data/test1948
+@@ -0,0 +1,73 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP POST
+HTTP PUT
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Thu, 01 Nov 2001 14:49:00 GMT
+Content-Type: text/html
+Content-Length: 6
+
+hello
+</data>
+<datacheck>
+HTTP/1.1 200 OK
+Date: Thu, 01 Nov 2001 14:49:00 GMT
+Content-Type: text/html
+Content-Length: 6
+
+hello
+HTTP/1.1 200 OK
+Date: Thu, 01 Nov 2001 14:49:00 GMT
+Content-Type: text/html
+Content-Length: 6
+
+hello
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+
+<name>
+CURLOPT_POST after CURLOPT_UPLOAD reusing handle
+</name>
+<tool>
+lib%TESTNUMBER
+</tool>
+
+<command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+PUT /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+Content-Length: 22
+Expect: 100-continue
+
+This is test PUT data
+POST /1948 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+Content-Length: 22
+Content-Type: application/x-www-form-urlencoded
+
+This is test PUT data
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 83a8af4..3192eca 100644
+--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
+@@ -62,6 +62,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect                \
+          lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
+          lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \
+  lib1937 lib1938 lib1939 \
+ lib1948 \
+  lib3010 lib3025
+ 
+ chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \
+@@ -724,6 +725,10 @@ lib1939_SOURCES = lib1939.c $(SUPPORTFILES)
+ lib1939_LDADD = $(TESTUTIL_LIBS)
+ lib1939_CPPFLAGS = $(AM_CPPFLAGS)
+ 
+lib1948_SOURCES = lib1948.c $(SUPPORTFILES)
+lib1948_LDADD = $(TESTUTIL_LIBS)
+lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948
+
+ lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib3010_LDADD = $(TESTUTIL_LIBS)
+ lib3010_CPPFLAGS = $(AM_CPPFLAGS)
+diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c
+new file mode 100644
+index 0000000..7c891a2
+--- /dev/null
+++ b/tests/libtest/lib1948.c
+@@ -0,0 +1,79 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+#include "test.h"
+
+typedef struct
+{
+  char *buf;
+  size_t len;
+} put_buffer;
+
+static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream)
+{
+  put_buffer *putdata = (put_buffer *)stream;
+  size_t totalsize = size * nmemb;
+  size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize;
+  memcpy(ptr, putdata->buf, tocopy);
+  putdata->len -= tocopy;
+  putdata->buf += tocopy;
+  return tocopy;
+}
+
+int test(char *URL)
+{
+  CURL *curl;
+  CURLcode res = CURLE_OUT_OF_MEMORY;
+
+  curl_global_init(CURL_GLOBAL_DEFAULT);
+
+  curl = curl_easy_init();
+  if(curl) {
+    const char *testput = "This is test PUT data\n";
+    put_buffer pbuf;
+
+    /* PUT */
+    curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
+    curl_easy_setopt(curl, CURLOPT_HEADER, 1L);
+    curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback);
+    pbuf.buf = (char *)testput;
+    pbuf.len = strlen(testput);
+    curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf);
+    curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput));
+    res = curl_easy_setopt(curl, CURLOPT_URL, URL);
+    if(!res)
+      res = curl_easy_perform(curl);
+    if(!res) {
+      /* POST */
+      curl_easy_setopt(curl, CURLOPT_POST, 1L);
+      curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput);
+      curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput));
+      res = curl_easy_perform(curl);
+    }
+    curl_easy_cleanup(curl);
+  }
+
+  curl_global_cleanup();
+  return (int)res;
+}
+-- 
+2.37.3
+
--- a/0016-curl-7.82.0-CVE-2022-35260.patch
+++ b/0016-curl-7.82.0-CVE-2022-35260.patch
@ -0,0 +1,76 @@
+From 54dcd2334220ad965ef81130ba8ddf90b30c987c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2022 14:37:24 +0200
+Subject: [PATCH] netrc: replace fgets with Curl_get_line
+
+Make the parser only accept complete lines and avoid problems with
+overly long lines.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9789
+
+Upstream-commit: c97ec984fb2bc919a3aa863e0476dffa377b184c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/curl_get_line.c | 6 +++---
+ lib/netrc.c         | 5 +++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
+index 6a26bb2..22e3705 100644
+--- a/lib/curl_get_line.c
+++ b/lib/curl_get_line.c
+@@ -23,7 +23,7 @@
+ #include "curl_setup.h"
+ 
+ #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
+-  !defined(CURL_DISABLE_HSTS)
+  !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC)
+ 
+ #include "curl_get_line.h"
+ #include "curl_memory.h"
+@@ -31,8 +31,8 @@
+ #include "memdebug.h"
+ 
+ /*
+- * get_line() makes sure to only return complete whole lines that fit in 'len'
+- * bytes and end with a newline.
+ * Curl_get_line() makes sure to only return complete whole lines that fit in
+ * 'len' bytes and end with a newline.
+  */
+ char *Curl_get_line(char *buf, int len, FILE *input)
+ {
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 62a6a10..5d17482 100644
+--- a/lib/netrc.c
+++ b/lib/netrc.c
+@@ -31,6 +31,7 @@
+ #include "netrc.h"
+ #include "strtok.h"
+ #include "strcase.h"
+#include "curl_get_line.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -84,7 +85,7 @@ static int parsenetrc(const char *host,
+     char netrcbuffer[4096];
+     int  netrcbuffsize = (int)sizeof(netrcbuffer);
+ 
+-    while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
+    while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
+       if(state == MACDEF) {
+         if((netrcbuffer[0] == '\n') || (netrcbuffer[0] == '\r'))
+           state = NOTHING;
+@@ -186,7 +187,7 @@ static int parsenetrc(const char *host,
+ 
+         tok = strtok_r(NULL, " \t\n", &tok_buf);
+       } /* while(tok) */
+-    } /* while fgets() */
+    } /* while Curl_get_line() */
+ 
+     out:
+     if(!retcode) {
+-- 
+2.37.3
+
--- a/0017-curl-7.82.0-CVE-2022-42915.patch
+++ b/0017-curl-7.82.0-CVE-2022-42915.patch
@ -0,0 +1,154 @@
+From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 14:13:36 +0200
+Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error
+
+Reported-by: Trail of Bits
+
+Closes #9790
+
+Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http_proxy.c | 6 ++----
+ lib/url.c        | 9 ---------
+ 2 files changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index 1f87f6c..cc20b3a 100644
+--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
+@@ -210,10 +210,8 @@ void Curl_connect_done(struct Curl_easy *data)
+     Curl_dyn_free(&s->rcvbuf);
+     Curl_dyn_free(&s->req);
+ 
+-    /* restore the protocol pointer, if not already done */
+-    if(s->prot_save)
+-      data->req.p.http = s->prot_save;
+-    s->prot_save = NULL;
+    /* restore the protocol pointer */
+    data->req.p.http = s->prot_save;
+     data->info.httpcode = 0; /* clear it as it might've been used for the
+                                 proxy */
+     data->req.ignorebody = FALSE;
+diff --git a/lib/url.c b/lib/url.c
+index bfc784f..61c99d2 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -728,15 +728,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
+   DEBUGASSERT(data);
+   infof(data, "Closing connection %ld", conn->connection_id);
+ 
+-#ifndef USE_HYPER
+-  if(conn->connect_state && conn->connect_state->prot_save) {
+-    /* If this was closed with a CONNECT in progress, cleanup this temporary
+-       struct arrangement */
+-    data->req.p.http = NULL;
+-    Curl_safefree(conn->connect_state->prot_save);
+-  }
+-#endif
+-
+   /* possible left-overs from the async name resolvers */
+   Curl_resolver_cancel(data);
+ 
+-- 
+2.37.3
+
+
+From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 14:14:25 +0200
+Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and
+ fix
+
+Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test445      | 61 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 62 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test445
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 0cfab9b..14c1b0c 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -72,7 +72,7 @@ test409 test410 \
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
+-test440 test441 test442 test443 test444 \
+test440 test441 test442 test443 test444 test445 \
+ \
+ test490 test491 test492 test493 test494 \
+ \
+diff --git a/tests/data/test445 b/tests/data/test445
+new file mode 100644
+index 0000000..0406c0f
+--- /dev/null
+++ b/tests/data/test445
+@@ -0,0 +1,61 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP proxy
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<connect>
+HTTP/1.1 503 no just no
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+
+-foo-
+</connect>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+gopher
+dict
+http
+ftp
+imap
+ldap
+mqtt
+pop3
+rtsp
+scp
+sftp
+smb
+smtp
+</features>
+<server>
+http-proxy
+</server>
+ <name>
+Refuse tunneling protocols through HTTP proxy
+ </name>
+ <command>
+-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# refused in the CONNECT
+<errorcode>
+56
+</errorcode>
+</verify>
+</testcase>
+-- 
+2.37.3
+
--- a/0018-curl-7.82.0-CVE-2022-42916.patch
+++ b/0018-curl-7.82.0-CVE-2022-42916.patch
@ -0,0 +1,137 @@
+From 8c1f295ec343bad073a41f62de5f4c4ddd579e41 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 12 Oct 2022 10:47:59 +0200
+Subject: [PATCH] url: use IDN decoded names for HSTS checks
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9791
+
+Upstream-commit: 53bcf55b4538067e6dc36242168866becb987bb7
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 91 ++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 47 insertions(+), 44 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 61c99d2..6426fa7 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -2003,10 +2003,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+     if(!strcasecompare("file", data->state.up.scheme))
+       return CURLE_OUT_OF_MEMORY;
+   }
+  hostname = data->state.up.hostname;
+
+  if(hostname && hostname[0] == '[') {
+    /* This looks like an IPv6 address literal. See if there is an address
+       scope. */
+    size_t hlen;
+    conn->bits.ipv6_ip = TRUE;
+    /* cut off the brackets! */
+    hostname++;
+    hlen = strlen(hostname);
+    hostname[hlen - 1] = 0;
+
+    zonefrom_url(uh, data, conn);
+  }
+
+  /* make sure the connect struct gets its own copy of the host name */
+  conn->host.rawalloc = strdup(hostname ? hostname : "");
+  if(!conn->host.rawalloc)
+    return CURLE_OUT_OF_MEMORY;
+  conn->host.name = conn->host.rawalloc;
+
+  /*************************************************************
+   * IDN-convert the hostnames
+   *************************************************************/
+  result = Curl_idnconvert_hostname(data, &conn->host);
+  if(result)
+    return result;
+  if(conn->bits.conn_to_host) {
+    result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+    if(result)
+      return result;
+  }
+#ifndef CURL_DISABLE_PROXY
+  if(conn->bits.httpproxy) {
+    result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+    if(result)
+      return result;
+  }
+  if(conn->bits.socksproxy) {
+    result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+    if(result)
+      return result;
+  }
+#endif
+ 
+ #ifndef CURL_DISABLE_HSTS
+  /* HSTS upgrade */
+   if(data->hsts && strcasecompare("http", data->state.up.scheme)) {
+-    if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) {
+    /* This MUST use the IDN decoded name */
+    if(Curl_hsts(data->hsts, conn->host.name, TRUE)) {
+       char *url;
+       Curl_safefree(data->state.up.scheme);
+       uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0);
+@@ -2111,26 +2157,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ 
+   (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
+ 
+-  hostname = data->state.up.hostname;
+-  if(hostname && hostname[0] == '[') {
+-    /* This looks like an IPv6 address literal. See if there is an address
+-       scope. */
+-    size_t hlen;
+-    conn->bits.ipv6_ip = TRUE;
+-    /* cut off the brackets! */
+-    hostname++;
+-    hlen = strlen(hostname);
+-    hostname[hlen - 1] = 0;
+-
+-    zonefrom_url(uh, data, conn);
+-  }
+-
+-  /* make sure the connect struct gets its own copy of the host name */
+-  conn->host.rawalloc = strdup(hostname ? hostname : "");
+-  if(!conn->host.rawalloc)
+-    return CURLE_OUT_OF_MEMORY;
+-  conn->host.name = conn->host.rawalloc;
+-
+ #ifdef ENABLE_IPV6
+   if(data->set.scope_id)
+     /* Override any scope that was set above.  */
+@@ -3705,29 +3731,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+   if(result)
+     goto out;
+ 
+-  /*************************************************************
+-   * IDN-convert the hostnames
+-   *************************************************************/
+-  result = Curl_idnconvert_hostname(data, &conn->host);
+-  if(result)
+-    goto out;
+-  if(conn->bits.conn_to_host) {
+-    result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+-    if(result)
+-      goto out;
+-  }
+-#ifndef CURL_DISABLE_PROXY
+-  if(conn->bits.httpproxy) {
+-    result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+-    if(result)
+-      goto out;
+-  }
+-  if(conn->bits.socksproxy) {
+-    result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+-    if(result)
+-      goto out;
+-  }
+-#endif
+ 
+   /*************************************************************
+    * Check whether the host and the "connect to host" are equal.
+-- 
+2.37.3
+
--- a/0019-curl-7.82.0-http2-whitespace.patch
+++ b/0019-curl-7.82.0-http2-whitespace.patch
@ -0,0 +1,266 @@
+From 99e014bfacfb1f572d3fd710e567faee38bf1c2f Mon Sep 17 00:00:00 2001
+From: lwthiker <lwt@lwthiker.com>
+Date: Sun, 17 Jul 2022 19:11:33 +0300
+Subject: [PATCH 1/3] h2h3: fix overriding the 'TE: Trailers' header
+
+A 'TE: Trailers' header is explicitly replaced by 'te: trailers'
+(lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or
+HTTP/3 headers. However, this is then replaced again by the original
+value due to a bug, resulting in the uppercased version being sent. Some
+HTTP/2 servers reject the whole HTTP/2 stream when this is the case.
+
+Closes #9170
+
+Upstream-commit: b9b6148c45a00d675d5bb261bf4cbb45468ad807
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/h2h3.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/lib/h2h3.c b/lib/h2h3.c
+index cf8d156..bbf4ae5 100644
+--- a/lib/h2h3.c
+++ b/lib/h2h3.c
+@@ -256,9 +256,6 @@ CURLcode Curl_pseudo_headers(struct Curl_easy *data,
+       nva[i].valuelen = (end - hdbuf);
+     }
+ 
+-    nva[i].value = hdbuf;
+-    nva[i].valuelen = (end - hdbuf);
+-
+     ++i;
+   }
+ 
+-- 
+2.37.3
+
+
+From 239ed36b2dcb0234ab1c98fce4abf40fe6ec86b5 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Thu, 25 Aug 2022 03:46:42 -0400
+Subject: [PATCH 2/3] tests: fix http2 tests to use CRLF headers
+
+Prior to this change some tests that rely on nghttpx proxy did not use
+CRLF headers everywhere. A recent change in nghttp2, which updated its
+version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to
+use CRLF headers.
+
+Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8
+
+Fixes https://github.com/curl/curl/issues/9364
+Closes https://github.com/curl/curl/pull/9365
+
+Upstream-commit: ef121401d6eabed204a716f16b2776ededc75c0e
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/test1700 | 34 +++++++++++++++++-----------------
+ tests/data/test1701 | 22 +++++++++++-----------
+ tests/data/test358  | 16 ++++++++--------
+ tests/data/test359  | 16 ++++++++--------
+ 4 files changed, 44 insertions(+), 44 deletions(-)
+
+diff --git a/tests/data/test1700 b/tests/data/test1700
+index 9cf8739..2815775 100644
+--- a/tests/data/test1700
+++ b/tests/data/test1700
+@@ -11,26 +11,26 @@ HTTP/2
+ # Server-side
+ <reply>
+ <data nocheck="yes">
+-HTTP/1.1 200 OK
+-Date: Tue, 09 Nov 2010 14:49:00 GMT
+-Server: test-server/fake
+-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+-ETag: "21025-dc7-39462498"
+-Accept-Ranges: bytes
+-Content-Length: 6
+-Connection: close
+-Content-Type: text/html
+-Funny-head: yesyes
+-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
+ -foo-
+ </data>
+ <data1>
+-HTTP/1.1 200 OK
+-Date: Tue, 09 Nov 2010 14:49:00 GMT
+-Content-Length: 6
+-Connection: close
+-Content-Type: text/html
+-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+
+ -maa-
+ </data1>
+ </reply>
+diff --git a/tests/data/test1701 b/tests/data/test1701
+index c4687d9..5859cff 100644
+--- a/tests/data/test1701
+++ b/tests/data/test1701
+@@ -11,17 +11,17 @@ HTTP/2
+ # Server-side
+ <reply>
+ <data nocheck="yes">
+-HTTP/1.1 200 OK
+-Date: Tue, 09 Nov 2010 14:49:00 GMT
+-Server: test-server/fake
+-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+-ETag: "21025-dc7-39462498"
+-Accept-Ranges: bytes
+-Content-Length: 6
+-Connection: close
+-Content-Type: text/html
+-Funny-head: yesyes
+-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
+ -foo-
+ </data>
+ </reply>
+diff --git a/tests/data/test358 b/tests/data/test358
+index d1ddc1b..ce20b17 100644
+--- a/tests/data/test358
+++ b/tests/data/test358
+@@ -12,14 +12,14 @@ HTTP/2
+ # Server-side
+ <reply>
+ <data nocheck="yes">
+-HTTP/1.1 200 OK
+-Date: Tue, 09 Nov 2010 14:49:00 GMT
+-Content-Length: 6
+-Connection: close
+-Content-Type: text/html
+-Funny-head: yesyes
+-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
+-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
+
+ -foo-
+ </data>
+ </reply>
+diff --git a/tests/data/test359 b/tests/data/test359
+index c1b1cb8..e624f7d 100644
+--- a/tests/data/test359
+++ b/tests/data/test359
+@@ -12,14 +12,14 @@ HTTP/2
+ # Server-side
+ <reply>
+ <data nocheck="yes">
+-HTTP/1.1 200 OK
+-Date: Tue, 09 Nov 2010 14:49:00 GMT
+-Content-Length: 6
+-Connection: close
+-Content-Type: text/html
+-Funny-head: yesyes
+-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
+-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
+
+ -foo-
+ </data>
+ </reply>
+-- 
+2.37.3
+
+
+From a1eaad81dc6c8d1e562b685d3136f24aeb12dcb4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 7 Sep 2022 15:41:03 +0200
+Subject: [PATCH 3/3] http2: make nghttp2 less picky about field whitespace
+
+In nghttp2 1.49.0 it returns error on leading and trailing whitespace in
+header fields according to language in the recently shipped RFC 9113.
+
+nghttp2 1.50.0 introduces an option to switch off this strict check and
+this change enables this option by default which should make curl behave
+more similar to how it did with nghttp2 1.48.0 and earlier.
+
+We might want to consider making this an option in the future.
+
+Closes #9448
+
+Upstream-commit: eafc2b14ac9e40377168b46cab3f1d90c3f32f45
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http2.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index f6364d0..3a70528 100644
+--- a/lib/http2.c
+++ b/lib/http2.c
+@@ -1258,6 +1258,27 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
+   }
+ }
+ 
+static int client_new(struct connectdata *conn,
+                      nghttp2_session_callbacks *callbacks)
+{
+#if NGHTTP2_VERSION_NUM < 0x013200
+  /* before 1.50.0 */
+  return nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn);
+#else
+  nghttp2_option *o;
+  int rc = nghttp2_option_new(&o);
+  if(rc)
+    return rc;
+  /* turn off RFC 9113 leading and trailing white spaces validation against
+     HTTP field value. */
+  nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation(o, 1);
+  rc = nghttp2_session_client_new2(&conn->proto.httpc.h2, callbacks, conn,
+                                   o);
+  nghttp2_option_del(o);
+  return rc;
+#endif
+}
+
+ /*
+  * Initialize nghttp2 for a Curl connection
+  */
+@@ -1298,7 +1319,7 @@ static CURLcode http2_init(struct Curl_easy *data, struct connectdata *conn)
+     nghttp2_session_callbacks_set_error_callback(callbacks, error_callback);
+ 
+     /* The nghttp2 session is not yet setup, do it */
+-    rc = nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn);
+    rc = client_new(conn, callbacks);
+ 
+     nghttp2_session_callbacks_del(callbacks);
+ 
+-- 
+2.37.3
+
--- a/0020-curl-7.85.0-CVE-2022-43551.patch
+++ b/0020-curl-7.85.0-CVE-2022-43551.patch
@ -0,0 +1,35 @@
+From 3fe91ee75b9f663b7a303ef14e07e28184d1450c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:36:55 +0100
+Subject: [PATCH] http: use the IDN decoded name in HSTS checks
+
+Otherwise it stores the info HSTS into the persistent cache for the IDN
+name which will not match when the HSTS status is later checked for
+using the decoded name.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #10111
+
+Upstream-commit: 9e71901634e276dd050481c4320f046bebb1bc28
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index b0ad28e..8b18e8d 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -3652,7 +3652,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
+   else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
+           (conn->handler->flags & PROTOPT_SSL)) {
+     CURLcode check =
+-      Curl_hsts_parse(data->hsts, data->state.up.hostname,
+      Curl_hsts_parse(data->hsts, conn->host.name,
+                       headp + strlen("Strict-Transport-Security:"));
+     if(check)
+       infof(data, "Illegal STS header skipped");
+-- 
+2.38.1
+
--- a/0021-curl-7.85.0-CVE-2022-43552.patch
+++ b/0021-curl-7.85.0-CVE-2022-43552.patch
@ -0,0 +1,81 @@
+From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/smb.c    | 14 ++------------
+ lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 039d680..f682c1f 100644
+--- a/lib/smb.c
+++ b/lib/smb.c
+@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
+ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
+ static CURLcode smb_do(struct Curl_easy *data, bool *done);
+ static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead);
+ static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
+@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = {
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
+  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = {
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
+  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -939,14 +937,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+   return CURLE_OK;
+ }
+ 
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(data->req.p.smb);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead)
+ {
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 923c7f8..48cd0d7 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -1246,9 +1246,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
+ 
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+-
+-  Curl_safefree(data->req.p.telnet);
+-
+   return CURLE_OK;
+ }
+ 
+-- 
+2.38.1
+
--- a/0022-curl-7.82.0-CVE-2023-23916.patch
+++ b/0022-curl-7.82.0-CVE-2023-23916.patch
@ -0,0 +1,566 @@
+From 6e244e1bcb04012e11c537253e76e6f968d8bb72 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 1 Dec 2022 09:21:04 +0100
+Subject: [PATCH 1/3] runtests: do CRLF replacements per section only
+
+The `crlf="yes"` attribute and "hyper mode" are now only applied on a
+subset of dedicated sections: data, datacheck, stdout and protocol.
+
+Updated test 2500 accordingly.
+
+Also made test1 use crlf="yes" for <protocol>, mostly because it is
+often used as a template test case. Going forward, using this attribute
+we should be able to write test cases using linefeeds only and avoid
+mixed line ending encodings.
+
+Follow-up to ca15b7512e8d11
+
+Fixes #10009
+Closes #10010
+
+Upstream-commit: 2f34a7347f315513bfda9ef14770d287fb246bcd
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/FILEFORMAT.md | 22 ++++++++++++++------
+ tests/data/test1    | 14 ++++++-------
+ tests/runtests.pl   | 49 +++++++++++++++++++++++++++++++++++++++++----
+ 3 files changed, 68 insertions(+), 17 deletions(-)
+
+diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
+index c1fbc57..dcb5695 100644
+--- a/tests/FILEFORMAT.md
+++ b/tests/FILEFORMAT.md
+@@ -188,7 +188,7 @@ When using curl built with Hyper, the keywords must include HTTP or HTTPS for
+ 'hyper mode' to kick in and make line ending checks work for tests.
+ ## `<reply>`
+ 
+-### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"]>`
+### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"] [crlf="yes"]>`
+ 
+ data to be sent to the client on its request and later verified that it
+ arrived safely. Set `nocheck="yes"` to prevent the test script from verifying
+@@ -217,12 +217,16 @@ and used as "raw" data.
+ `nonewline=yes` means that the last byte (the trailing newline character)
+ should be cut off from the data before sending or comparing it.
+ 
+`crlf=yes` forces *header* newlines to become CRLF even if not written so in
+the source file. Note that this makes runtests.pl parse and "guess" what is a
+header and what is not in order to apply the CRLF line endings appropriately.
+
+ For FTP file listings, the `<data>` section will be used *only* if you make
+ sure that there has been a CWD done first to a directory named `test-[num]`
+ where [num] is the test case number. Otherwise the ftp server can't know from
+ which test file to load the list content.
+ 
+-### `<dataNUM>`
+### `<dataNUM [crlf="yes"]>`
+ 
+ Send back this contents instead of the <data> one. The num is set by:
+ 
+@@ -249,7 +253,7 @@ a connect prefix.
+ ### `<socks>`
+ Address type and address details as logged by the SOCKS proxy.
+ 
+-### `<datacheck [mode="text"] [nonewline="yes"]>`
+### `<datacheck [mode="text"] [nonewline="yes"] [crlf="yes"]>`
+ if the data is sent but this is what should be checked afterwards. If
+ `nonewline=yes` is set, runtests will cut off the trailing newline from the
+ data before comparing with the one actually received by the client.
+@@ -257,7 +261,7 @@ data before comparing with the one actually received by the client.
+ Use the `mode="text"` attribute if the output is in text mode on platforms
+ that have a text/binary difference.
+ 
+-### `<datacheckNUM [nonewline="yes"] [mode="text"]>`
+### `<datacheckNUM [nonewline="yes"] [mode="text"] [crlf="yes"]>`
+ The contents of numbered datacheck sections are appended to the non-numbered
+ one.
+ 
+@@ -540,13 +544,16 @@ changing protocol data such as port numbers or user-agent strings.
+ One perl op per line that operates on the protocol dump. This is pretty
+ advanced. Example: `s/^EPRT .*/EPRT stripped/`.
+ 
+-### `<protocol [nonewline="yes"]>`
+### `<protocol [nonewline="yes"] crlf="yes">`
+ 
+ the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
+ the trailing newline of this given data before comparing with the one actually
+ sent by the client The `<strip>` and `<strippart>` rules are applied before
+ comparisons are made.
+ 
+`crlf=yes` forces the newlines to become CRLF even if not written so in the
+test.
+
+ ### `<proxy [nonewline="yes"]>`
+ 
+ The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
+@@ -563,7 +570,7 @@ have a text/binary difference.
+ If 'nonewline' is set, we will cut off the trailing newline of this given data
+ before comparing with the one actually received by the client
+ 
+-### `<stdout [mode="text"] [nonewline="yes"]>`
+### `<stdout [mode="text"] [nonewline="yes"] [crlf="yes"]>`
+ This verifies that this data was passed to stdout.
+ 
+ Use the mode="text" attribute if the output is in text mode on platforms that
+@@ -572,6 +579,9 @@ have a text/binary difference.
+ If 'nonewline' is set, we will cut off the trailing newline of this given data
+ before comparing with the one actually received by the client
+ 
+`crlf=yes` forces the newlines to become CRLF even if not written so in the
+test.
+
+ ### `<file name="log/filename" [mode="text"]>`
+ The file's contents must be identical to this after the test is complete.  Use
+ the mode="text" attribute if the output is in text mode on platforms that have
+diff --git a/tests/data/test1 b/tests/data/test1
+index f39a08b..700bed8 100644
+--- a/tests/data/test1
+++ b/tests/data/test1
+@@ -9,7 +9,7 @@ HTTP GET
+ #
+ # Server-side
+ <reply>
+-<data>
+<data crlf="yes">
+ HTTP/1.1 200 OK
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+ #
+ # Verify data after the test has been "shot"
+ <verify>
+-<protocol>
+-GET /%TESTNUMBER HTTP/1.1
+-Host: %HOSTIP:%HTTPPORT
+-User-Agent: curl/%VERSION
+-Accept: */*
+-
+<protocol crlf="yes">
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+ </protocol>
+ </verify>
+ </testcase>
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 72a9989..b12a42d 100755
+--- a/tests/runtests.pl
+++ b/tests/runtests.pl
+@@ -3462,7 +3462,13 @@ sub subBase64 {
+ 
+ my $prevupdate;
+ sub subNewlines {
+-    my ($thing) = @_;
+    my ($force, $thing) = @_;
+
+    if($force) {
+        # enforce CRLF newline
+        $$thing =~ s/\x0d*\x0a/\x0d\x0a/;
+        return;
+    }
+ 
+     # When curl is built with Hyper, it gets all response headers delivered as
+     # name/value pairs and curl "invents" the newlines when it saves the
+@@ -3476,7 +3482,7 @@ sub subNewlines {
+         # skip curl error messages
+         ($$thing !~ /^curl: \(\d+\) /))) {
+         # enforce CRLF newline
+-        $$thing =~ s/\x0a/\x0d\x0a/;
+        $$thing =~ s/\x0d*\x0a/\x0d\x0a/;
+         $prevupdate = 1;
+     }
+     else {
+@@ -3548,6 +3554,7 @@ sub prepro {
+     my (@entiretest) = @_;
+     my $show = 1;
+     my @out;
+    my $data_crlf;
+     for my $s (@entiretest) {
+         my $f = $s;
+         if($s =~ /^ *%if (.*)/) {
+@@ -3571,10 +3578,19 @@ sub prepro {
+             next;
+         }
+         if($show) {
+            # The processor does CRLF replacements in the <data*> sections if
+            # necessary since those parts might be read by separate servers.
+            if($s =~ /^ *<data(.*)\>/) {
+                if($1 =~ /crlf="yes"/ || $has_hyper) {
+                    $data_crlf = 1;
+                }
+            }
+            elsif(($s =~ /^ *<\/data/) && $data_crlf) {
+                $data_crlf = 0;
+            }
+             subVariables(\$s, $testnum, "%");
+             subBase64(\$s);
+-            subNewlines(\$s) if($has_hyper && ($keywords{"HTTP"} ||
+-                                               $keywords{"HTTPS"}));
+            subNewlines(0, \$s) if($data_crlf);
+             push @out, $s;
+         }
+     }
+@@ -3890,6 +3906,11 @@ sub singletest {
+                     # of the datacheck
+                     chomp($replycheckpart[$#replycheckpart]);
+                 }
+                if($replycheckpartattr{'crlf'} ||
+                   ($has_hyper && ($keywords{"HTTP"}
+                                   || $keywords{"HTTPS"}))) {
+                    map subNewlines(0, \$_), @replycheckpart;
+                }
+                 push(@reply, @replycheckpart);
+             }
+         }
+@@ -3911,6 +3932,11 @@ sub singletest {
+             map s/\r\n/\n/g, @reply;
+             map s/\n/\r\n/g, @reply;
+         }
+        if($replyattr{'crlf'} ||
+           ($has_hyper && ($keywords{"HTTP"}
+                           || $keywords{"HTTPS"}))) {
+            map subNewlines(0, \$_), @reply;
+        }
+     }
+ 
+     # this is the valid protocol blurb curl should generate
+@@ -4366,6 +4392,12 @@ sub singletest {
+             chomp($validstdout[$#validstdout]);
+         }
+ 
+        if($hash{'crlf'} ||
+           ($has_hyper && ($keywords{"HTTP"}
+                           || $keywords{"HTTPS"}))) {
+            map subNewlines(0, \$_), @validstdout;
+        }
+
+         $res = compare($testnum, $testname, "stdout", \@actual, \@validstdout);
+         if($res) {
+             return $errorreturncode;
+@@ -4466,6 +4498,10 @@ sub singletest {
+             }
+         }
+ 
+        if($hash{'crlf'}) {
+            map subNewlines(1, \$_), @protstrip;
+        }
+
+         if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) {
+             logmsg "\n $testnum: protocol FAILED!\n".
+                 " There was no content at all in the file $SERVERIN.\n".
+@@ -4597,6 +4633,11 @@ sub singletest {
+                 map s/\r\n/\n/g, @outfile;
+                 map s/\n/\r\n/g, @outfile;
+             }
+            if($hash{'crlf'} ||
+               ($has_hyper && ($keywords{"HTTP"}
+                               || $keywords{"HTTPS"}))) {
+                map subNewlines(0, \$_), @outfile;
+            }
+ 
+             my $strip;
+             for $strip (@stripfile) {
+-- 
+2.39.1
+
+
+From 228ed11bf33c63d9208a3fb38fe5a0d19c0764bd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH 2/3] runtests: support crlf="yes" for verify/proxy
+
+Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/FILEFORMAT.md | 4 ++--
+ tests/runtests.pl   | 5 +++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
+index dcb5695..6646793 100644
+--- a/tests/FILEFORMAT.md
+++ b/tests/FILEFORMAT.md
+@@ -544,7 +544,7 @@ changing protocol data such as port numbers or user-agent strings.
+ One perl op per line that operates on the protocol dump. This is pretty
+ advanced. Example: `s/^EPRT .*/EPRT stripped/`.
+ 
+-### `<protocol [nonewline="yes"] crlf="yes">`
+### `<protocol [nonewline="yes"][crlf="yes"]>`
+ 
+ the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
+ the trailing newline of this given data before comparing with the one actually
+@@ -554,7 +554,7 @@ comparisons are made.
+ `crlf=yes` forces the newlines to become CRLF even if not written so in the
+ test.
+ 
+-### `<proxy [nonewline="yes"]>`
+### `<proxy [nonewline="yes"][crlf="yes"]>`
+ 
+ The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
+ server is used), if 'nonewline' is set, we will cut off the trailing newline
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index b12a42d..5cdc83d 100755
+--- a/tests/runtests.pl
+++ b/tests/runtests.pl
+@@ -4594,6 +4594,11 @@ sub singletest {
+             }
+         }
+ 
+        if($hash{'crlf'} ||
+           ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) {
+            map subNewlines(0, \$_), @protstrip;
+        }
+
+         $res = compare($testnum, $testname, "proxy", \@out, \@protstrip);
+         if($res) {
+             return $errorreturncode;
+-- 
+2.39.1
+
+
+From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 13 Feb 2023 08:33:09 +0100
+Subject: [PATCH 3/3] content_encoding: do not reset stage counter for each
+ header
+
+Test 418 verifies
+
+Closes #10492
+
+Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/content_encoding.c  |   7 +-
+ lib/urldata.h           |   1 +
+ tests/data/Makefile.inc |   1 +
+ tests/data/test387      |   2 +-
+ tests/data/test418      | 152 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 158 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test418
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index bfc13e2..94344d6 100644
+--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
+@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
+-  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
+-      if(++counter >= MAX_ENCODE_STACK) {
+-        failf(data, "Reject response due to %u content encodings",
+-              counter);
+      if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
+        failf(data, "Reject response due to more than %u content encodings",
+              MAX_ENCODE_STACK);
+         return CURLE_BAD_CONTENT_ENCODING;
+       }
+       /* Stack the unencoding stage. */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 5b4b34f..8c8c20b 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -708,6 +708,7 @@ struct SingleRequest {
+   struct dohdata *doh; /* DoH specific data for this request */
+ #endif
+   unsigned char setcookies;
+  unsigned char writer_stack_depth; /* Unencoding stack depth. */
+   BIT(header);        /* incoming data has HTTP header */
+   BIT(content_range); /* set TRUE if Content-Range: was found */
+   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index fb51cd6..86b6f85 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -69,6 +69,7 @@ test392 test393 test394 test395 test396 test397 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+ test409 test410 \
+        test418 \
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
+diff --git a/tests/data/test387 b/tests/data/test387
+index 015ec25..644fc7f 100644
+--- a/tests/data/test387
+++ b/tests/data/test387
+@@ -47,7 +47,7 @@ Accept: */*
+ 61
+ </errorcode>
+ <stderr mode="text">
+-curl: (61) Reject response due to 5 content encodings
+curl: (61) Reject response due to more than 5 content encodings
+ </stderr>
+ </verify>
+ </testcase>
+diff --git a/tests/data/test418 b/tests/data/test418
+new file mode 100644
+index 0000000..50e974e
+--- /dev/null
+++ b/tests/data/test418
+@@ -0,0 +1,152 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+gzip
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 200 OK
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+Response with multiple Transfer-Encoding headers
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="yes">
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+
+# CURLE_BAD_CONTENT_ENCODING is 61
+<errorcode>
+61
+</errorcode>
+<stderr mode="text">
+curl: (61) Reject response due to more than 5 content encodings
+</stderr>
+</verify>
+</testcase>
+-- 
+2.39.1
+
--- a/0023-curl-7.87.0-CVE-2023-27533.patch
+++ b/0023-curl-7.87.0-CVE-2023-27533.patch
@ -0,0 +1,59 @@
+From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Mar 2023 12:07:33 +0100
+Subject: [PATCH] telnet: only accept option arguments in ascii
+
+To avoid embedded telnet negotiation commands etc.
+
+Reported-by: Harry Sintonen
+Closes #10728
+
+Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 22bc81e..baea885 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -768,6 +768,17 @@ static void printsub(struct Curl_easy *data,
+   }
+ }
+ 
+static bool str_is_nonascii(const char *str)
+{
+  size_t len = strlen(str);
+  while(len--) {
+    if(*str & 0x80)
+      return TRUE;
+    str++;
+  }
+  return FALSE;
+}
+
+ static CURLcode check_telnet_options(struct Curl_easy *data)
+ {
+   struct curl_slist *head;
+@@ -782,6 +793,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   /* Add the user name as an environment variable if it
+      was given on the command line */
+   if(data->state.aptr.user) {
+   if(str_is_nonascii(data->conn->user))
+     return CURLE_BAD_FUNCTION_ARGUMENT;
+     msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+     beg = curl_slist_append(tn->telnet_vars, option_arg);
+     if(!beg) {
+@@ -796,6 +809,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   for(head = data->set.telnet_options; head; head = head->next) {
+     if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+               option_keyword, option_arg) == 2) {
+      if(str_is_nonascii(option_arg))
+        continue;
+ 
+       /* Terminal type */
+       if(strcasecompare(option_keyword, "TTYPE")) {
+-- 
+2.39.2
+
--- a/0024-curl-7.82.0-CVE-2023-27534.patch
+++ b/0024-curl-7.82.0-CVE-2023-27534.patch
--- a/0025-curl-7.82.0-CVE-2023-27535.patch
+++ b/0025-curl-7.82.0-CVE-2023-27535.patch
@ -0,0 +1,237 @@
+From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH 1/2] strcase: add Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-commit: ed5095ed94281989e103c72e032200b83be37878
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/strcase.c | 22 ++++++++++++++++++++++
+ lib/strcase.h |  1 +
+ 2 files changed, 23 insertions(+)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index f932485..c73907d 100644
+--- a/lib/strcase.c
+++ b/lib/strcase.c
+@@ -141,6 +141,28 @@ bool Curl_safecmp(char *a, char *b)
+   return !a && !b;
+ }
+ 
+/*
+ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
+ * function spends is a function of the shortest string, not of the contents.
+ */
+int Curl_timestrcmp(const char *a, const char *b)
+{
+  int match = 0;
+  int i = 0;
+
+  if(a && b) {
+    while(1) {
+      match |= a[i]^b[i];
+      if(!a[i] || !b[i])
+        break;
+      i++;
+    }
+  }
+  else
+    return a || b;
+  return match;
+}
+
+ /* --- public functions --- */
+ 
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index d245929..11a67a1 100644
+--- a/lib/strcase.h
+++ b/lib/strcase.h
+@@ -48,5 +48,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+ 
+ bool Curl_safecmp(char *a, char *b);
+int Curl_timestrcmp(const char *first, const char *second);
+ 
+ #endif /* HEADER_CURL_STRCASE_H */
+-- 
+2.39.2
+
+
+From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 17:47:06 +0100
+Subject: [PATCH 2/2] ftp: add more conditions for connection reuse
+
+Reported-by: Harry Sintonen
+Closes #10730
+
+Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ftp.c     | 28 ++++++++++++++++++++++++++--
+ lib/ftp.h     |  5 +++++
+ lib/setopt.c  |  2 +-
+ lib/url.c     | 16 +++++++++++++++-
+ lib/urldata.h |  4 ++--
+ 5 files changed, 49 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 9442832..df15bc0 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -4097,6 +4097,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data,
+   }
+ 
+   freedirs(ftpc);
+  Curl_safefree(ftpc->account);
+  Curl_safefree(ftpc->alternative_to_user);
+   Curl_safefree(ftpc->prevpath);
+   Curl_safefree(ftpc->server_os);
+   Curl_pp_disconnect(pp);
+@@ -4364,11 +4366,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+ {
+   char *type;
+   struct FTP *ftp;
+  struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+-  data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
+  ftp = calloc(sizeof(struct FTP), 1);
+   if(!ftp)
+     return CURLE_OUT_OF_MEMORY;
+ 
+  /* clone connection related data that is FTP specific */
+  if(data->set.str[STRING_FTP_ACCOUNT]) {
+    ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
+    if(!ftpc->account) {
+      free(ftp);
+      return CURLE_OUT_OF_MEMORY;
+    }
+  }
+  if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
+    ftpc->alternative_to_user =
+      strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
+    if(!ftpc->alternative_to_user) {
+      Curl_safefree(ftpc->account);
+      free(ftp);
+      return CURLE_OUT_OF_MEMORY;
+    }
+  }
+  data->req.p.ftp = ftp;
+
+   ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
+ 
+   /* FTP URLs support an extension like ";type=<typecode>" that
+@@ -4403,7 +4425,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+   /* get some initial data into the ftp struct */
+   ftp->transfer = PPTRANSFER_BODY;
+   ftp->downloadsize = 0;
+-  conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
+  ftpc->known_filesize = -1; /* unknown size for now */
+  ftpc->use_ssl = data->set.use_ssl;
+  ftpc->ccc = data->set.ftp_ccc;
+ 
+   return CURLE_OK;
+ }
+diff --git a/lib/ftp.h b/lib/ftp.h
+index 7f6f432..3f33e27 100644
+--- a/lib/ftp.h
+++ b/lib/ftp.h
+@@ -115,6 +115,8 @@ struct FTP {
+    struct */
+ struct ftp_conn {
+   struct pingpong pp;
+  char *account;
+  char *alternative_to_user;
+   char *entrypath; /* the PWD reply when we logged on */
+   char *file;    /* url-decoded file name (or path) */
+   char **dirs;   /* realloc()ed array for path components */
+@@ -144,6 +146,9 @@ struct ftp_conn {
+   ftpstate state; /* always use ftp.c:state() to change state! */
+   ftpstate state_saved; /* transfer type saved to be reloaded after
+                            data connection is established */
+  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
+                              IMAP or POP3 or others! (type: curl_usessl)*/
+  unsigned char ccc;       /* ccc level for this connection */
+   curl_off_t retr_size_saved; /* Size of retrieved file saved */
+   char *server_os;     /* The target server operating system. */
+   curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 3339a67..6fc111d 100644
+--- a/lib/setopt.c
+++ b/lib/setopt.c
+@@ -2290,7 +2290,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     arg = va_arg(param, long);
+     if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST))
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+-    data->set.use_ssl = (curl_usessl)arg;
+    data->set.use_ssl = (unsigned char)arg;
+     break;
+ 
+   case CURLOPT_SSL_OPTIONS:
+diff --git a/lib/url.c b/lib/url.c
+index 61ba832..4e21838 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -1353,10 +1353,24 @@ ConnectionExists(struct Curl_easy *data,
+          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+         continue;
+ 
+-      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+#ifdef USE_SSH
+      else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+       }
+#endif
+#ifndef CURL_DISABLE_FTP
+      else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) {
+        /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
+        if(Curl_timestrcmp(needle->proto.ftpc.account,
+                           check->proto.ftpc.account) ||
+           Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
+                           check->proto.ftpc.alternative_to_user) ||
+           (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
+           (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
+          continue;
+      }
+#endif
+ 
+       if((needle->handler->flags&PROTOPT_SSL)
+ #ifndef CURL_DISABLE_PROXY
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 9d9ca92..4e2f5b9 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -1746,8 +1746,6 @@ struct UserDefined {
+   enum CURL_NETRC_OPTION
+        use_netrc;        /* defined in include/curl.h */
+ #endif
+-  curl_usessl use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
+-                            IMAP or POP3 or others! */
+   long new_file_perms;    /* Permissions to use when creating remote files */
+   long new_directory_perms; /* Permissions to use when creating remote dirs */
+   long ssh_auth_types;   /* allowed SSH auth types */
+@@ -1793,6 +1791,8 @@ struct UserDefined {
+   CURLU *uh; /* URL handle for the current parsed URL */
+   void *trailer_data; /* pointer to pass to trailer data callback */
+   curl_trailer_callback trailer_callback; /* trailing data callback */
+  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
+                              IMAP or POP3 or others! (type: curl_usessl)*/
+   BIT(is_fread_set); /* has read callback been set to non-NULL? */
+   BIT(is_fwrite_set); /* has write callback been set to non-NULL? */
+   BIT(free_referer); /* set TRUE if 'referer' points to a string we
+-- 
+2.39.2
+
--- a/0026-curl-7.82.0-CVE-2023-27536.patch
+++ b/0026-curl-7.82.0-CVE-2023-27536.patch
@ -0,0 +1,54 @@
+From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 09:22:43 +0100
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c     | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 3b11b7e..cbbc7f3 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -1346,6 +1346,11 @@ ConnectionExists(struct Curl_easy *data,
+         }
+       }
+ 
+      /* GSS delegation differences do not actually affect every connection
+         and auth method, but this check takes precaution before efficiency */
+      if(needle->gssapi_delegation != check->gssapi_delegation)
+        continue;
+
+       /* If multiplexing isn't enabled on the h2 connection and h1 is
+          explicitly requested, handle it: */
+       if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
+@@ -1817,6 +1822,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->fclosesocket = data->set.fclosesocket;
+   conn->closesocket_client = data->set.closesocket_client;
+   conn->lastused = Curl_now(); /* used now */
+  conn->gssapi_delegation = data->set.gssapi_delegation;
+ 
+   return conn;
+   error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ce90304..9e16f26 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -989,6 +989,7 @@ struct connectdata {
+   char *sasl_authzid;     /* authorisation identity string, allocated */
+   char *oauth_bearer; /* OAUTH2 bearer, allocated */
+   unsigned char httpversion; /* the HTTP version*10 reported by the server */
+  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+   struct curltime now;     /* "current" time */
+   struct curltime created; /* creation time */
+   struct curltime lastused; /* when returned to the connection cache */
+-- 
+2.39.2
+
--- a/0028-curl-7.87.0-CVE-2023-27538.patch
+++ b/0028-curl-7.87.0-CVE-2023-27538.patch
@ -0,0 +1,30 @@
+From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 08:22:51 +0100
+Subject: [PATCH] url: fix the SSH connection reuse check
+
+Reported-by: Harry Sintonen
+Closes #10735
+
+Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 0c31486..3b11b7e 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -1359,7 +1359,7 @@ ConnectionExists(struct Curl_easy *data,
+         continue;
+ 
+ #ifdef USE_SSH
+-      else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+      else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+       }
+-- 
+2.39.2
+
--- a/curl-7.81.0.tar.xz.asc
+++ b/curl-7.81.0.tar.xz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmHVTjsACgkQXMkI/bce
-EsLAggf/dMpvzTs3GEKddYzD/73UGJt5rqSYEc93KilASwUGWC3LnZ1hwY+wunmf
-z04ULsN6VkUFLDlbVaQvfMA6XyWBXS5QI34ztfHbiTsAtLwqHBtHBAL0uPn+y2bB
-+r6O/rOtd5isPgm5H+MIfPphQWOj5va0vQ9r3e2sr8+Nma8Th1qtFALoCQi6kftK
-6Aa9ZI2BYyosDUwT5PNsrZ941wFHtQJQpcVb1SaEwIWiMUSkTkUKk6dHxFnT9mkV
-uakgAd2AmyJ6O5cAeGlYX7IZxvdhKqd6/+KkmKD4zzgQLKEl2pUtaieTJqsp1zSU
-9kyUFaMR4XzSjdCOtVh5RCxURzMNhg==
-=kV6S
-----END PGP SIGNATURE-----
--- a/curl-7.82.0.tar.xz.asc
+++ b/curl-7.82.0.tar.xz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce
+EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4
+Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh
+DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C
+AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv
+yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq
+m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ==
+=/k1v
+-----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.81.0
-Release: 2%{?dist}
+Version: 7.82.0
+Release: 14%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@ -10,6 +10,87 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc

+# openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
+Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch
+
+# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
+Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch
+
+# fix bad local IPv6 connection reuse (CVE-2022-27775)
+Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch
+
+# fix auth/cookie leak on redirect (CVE-2022-27776)
+Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch
+
+# fix credential leak on redirect (CVE-2022-27774)
+Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch
+
+# reject percent-encoded path separator in URL host (CVE-2022-27780)
+Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch
+
+# hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
+Patch7: 0007-curl-7.82.0-CVE-2022-30115.patch
+
+# do not accept cookies for TLD with trailing dot (CVE-2022-27779)
+Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
+
+# fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
+Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch
+
+# fix FTP-KRB bad message verification (CVE-2022-32208)
+Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch
+
+# fix HTTP compression denial of service (CVE-2022-32206)
+Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch
+
+# fix Set-Cookie denial of service (CVE-2022-32205)
+Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch
+
+# fix unpreserved file permissions (CVE-2022-32207)
+Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch
+
+# control code in cookie denial of service (CVE-2022-35252)
+Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch
+
+# fix POST following PUT confusion (CVE-2022-32221)
+Patch15: 0015-curl-7.82.0-CVE-2022-32221.patch
+
+# netrc: replace fgets with Curl_get_line (CVE-2022-35260)
+Patch16: 0016-curl-7.82.0-CVE-2022-35260.patch
+
+# http_proxy: restore the protocol pointer on error (CVE-2022-42915)
+Patch17: 0017-curl-7.82.0-CVE-2022-42915.patch
+
+# url: use IDN decoded names for HSTS checks (CVE-2022-42916)
+Patch18: 0018-curl-7.82.0-CVE-2022-42916.patch
+
+# http2: make nghttp2 less picky about field whitespace (#2144277)
+Patch19: 0019-curl-7.82.0-http2-whitespace.patch
+
+# http: use the IDN decoded name in HSTS checks (CVE-2022-43551)
+Patch20:  0020-curl-7.85.0-CVE-2022-43551.patch
+
+# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
+Patch21:  0021-curl-7.85.0-CVE-2022-43552.patch
+
+# fix HTTP multi-header compression denial of service (CVE-2023-23916)
+Patch22:  0022-curl-7.82.0-CVE-2023-23916.patch
+
+# fix TELNET option IAC injection (CVE-2023-27533)
+Patch23:  0023-curl-7.87.0-CVE-2023-27533.patch
+
+# fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
+Patch24:  0024-curl-7.82.0-CVE-2023-27534.patch
+
+# fix FTP too eager connection reuse (CVE-2023-27535)
+Patch25:  0025-curl-7.82.0-CVE-2023-27535.patch
+
+# fix GSS delegation too eager connection re-use (CVE-2023-27536)
+Patch26:  0026-curl-7.82.0-CVE-2023-27536.patch
+
+# fix SSH connection too eager reuse still (CVE-2023-27538)
+Patch28:  0028-curl-7.87.0-CVE-2023-27538.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -98,6 +179,10 @@ BuildRequires: stunnel
 # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
 Requires: libcurl%{?_isa} >= %{version}-%{release}

+# require at least the version of libnghttp2 that we were built against,
+# to ensure that we have the necessary symbols available (#2144277)
+%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)
+
 # require at least the version of libpsl that we were built against,
 # to ensure that we have the necessary symbols available (#1631804)
 %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
@ -121,6 +206,7 @@ resume, proxy tunneling and a busload of other useful tricks.

 %package -n libcurl
 Summary: A library for getting files from web servers
+Requires: libnghttp2%{?_isa} >= %{libnghttp2_version}
 Requires: libpsl%{?_isa} >= %{libpsl_version}
 Requires: libssh%{?_isa} >= %{libssh_version}
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
@ -165,6 +251,7 @@ be installed.

 %package -n libcurl-minimal
 Summary: Conservatively configured build of libcurl for minimal installations
+Requires: libnghttp2%{?_isa} >= %{libnghttp2_version}
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
 Provides: libcurl = %{version}-%{release}
 Provides: libcurl%{?_isa} = %{version}-%{release}
@ -184,6 +271,33 @@ be installed.
 %setup -q

 # upstream patches
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch28 -p1

 # Fedora patches
 %patch101 -p1
@ -203,10 +317,8 @@ echo "1319" >> tests/data/DISABLED
 printf "320\n321\n322\n" >> tests/data/DISABLED
 %endif

-# temporarily disable tests 582 and 1452 on s390x (client times out)
-%ifarch s390x
+# temporarily disable flaky tests 582 and 1452 (client times out)
 printf "582\n1452\n" >> tests/data/DISABLED
-%endif

 # temporarily disable tests 702 703 716 on armv7hl (#1829180)
 %ifarch armv7hl
@ -411,6 +523,65 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.82.0-14
+- fix SSH connection too eager reuse still (CVE-2023-27538)
+- fix GSS delegation too eager connection re-use (CVE-2023-27536)
+- fix FTP too eager connection reuse (CVE-2023-27535)
+- fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
+- fix TELNET option IAC injection (CVE-2023-27533)
+
+* Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.82.0-13
+- fix HTTP multi-header compression denial of service (CVE-2023-23916)
+
+* Wed Dec 21 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-12
+- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
+- http: use the IDN decoded name in HSTS checks (CVE-2022-43551)
+
+* Thu Nov 24 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-11
+- enforce versioned libnghttp2 dependency for libcurl (#2144277)
+
+* Mon Nov 21 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-10
+- http2: make nghttp2 less picky about field whitespace (#2144277)
+
+* Wed Oct 26 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-9
+- url: use IDN decoded names for HSTS checks (CVE-2022-42916)
+- http_proxy: restore the protocol pointer on error (CVE-2022-42915)
+- netrc: replace fgets with Curl_get_line (CVE-2022-35260)
+- fix POST following PUT confusion (CVE-2022-32221)
+
+* Fri Sep 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-8
+- control code in cookie denial of service (CVE-2022-35252)
+
+* Mon Jul 18 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-7
+- fix build failure with gnutls backend enabled
+
+* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
+- fix unpreserved file permissions (CVE-2022-32207)
+- fix Set-Cookie denial of service (CVE-2022-32205)
+- fix HTTP compression denial of service (CVE-2022-32206)
+- fix FTP-KRB bad message verification (CVE-2022-32208)
+
+* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
+- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
+- do not accept cookies for TLD with trailing dot (CVE-2022-27779)
+- hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
+- reject percent-encoded path separator in URL host (CVE-2022-27780)
+
+* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-4
+- fix leak of SRP credentials in redirects (CVE-2022-27774)
+
+* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-3
+- fix credential leak on redirect (CVE-2022-27774)
+- fix auth/cookie leak on redirect (CVE-2022-27776)
+- fix bad local IPv6 connection reuse (CVE-2022-27775)
+- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
+
+* Tue Mar 15 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-2
+- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
+
+* Sat Mar 05 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-1
+- new upstream release
+
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7.81.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (curl-7.81.0.tar.xz) = 38355aaee38db04bb2babdc5fd7a88284580c836d15df754f42b104997dd344b7841be8e53b4fc91aea31db170a7d6967c4976833eb4bfe0d265c7275c4800df
+SHA512 (curl-7.82.0.tar.xz) = a977d69360d1793f8872096a21f5c0271e7ad145cd69ad45f4056a0657772f0f298b04bdb41aefd4ea5c4478352c60d80b5a118642280a07a7198aa80ffb1d57
--- a/tests/non-root-user-download/main.fmf
+++ b/tests/non-root-user-download/main.fmf
@ -7,6 +7,7 @@ require:
  - findutils
  - libselinux-utils
  - openssh-clients
+  - openssh-server
  - passwd
 test: ./runtest.sh
 framework: beakerlib
--- a/tests/non-root-user-download/runtest.sh
+++ b/tests/non-root-user-download/runtest.sh
@ -31,9 +31,9 @@

 PACKAGE="curl"

-FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
+CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"
@ -46,9 +46,11 @@ rlJournalStart
        rlRun "useradd -m curltester" 0 "Adding the test user"
        rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
        rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
+        rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts
+        rlRun "rm -f $HOME/.ssh/*"
        [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
-        rlFileBackup $HOME/.ssh/known_hosts /etc/hosts
-        ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
+        rlRun "rlServiceStart sshd"
+        rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
    rlPhaseEnd

    rlPhaseStartTest "http download"
@ -81,7 +83,7 @@ if ! rlIsRHEL 5; then
 fi

    rlPhaseStartCleanup
-        rlRun "rm -f $HOME/.ssh/known_hosts"
+        rlRun "rlServiceRestore"
        rlFileRestore
        rlRun "popd"
        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
Author	SHA1	Message	Date
Kamil Dudka	b78b13595e	Resolves: CVE-2023-27538 - fix SSH connection too eager reuse still	2023-03-24 14:27:32 +01:00
Kamil Dudka	96e0b571af	Resolves: CVE-2023-27536 - fix GSS delegation too eager connection re-use	2023-03-24 14:23:06 +01:00
Kamil Dudka	992b4e3f2a	Resolves: CVE-2023-27535 - fix FTP too eager connection reuse	2023-03-24 14:19:54 +01:00
Kamil Dudka	1b4a536868	Resolves: CVE-2023-27534 - fix SFTP path ~ resolving discrepancy	2023-03-24 14:16:37 +01:00
Kamil Dudka	41d09c2511	Resolves: CVE-2023-27533 - fix TELNET option IAC injection	2023-03-24 14:13:14 +01:00
Kamil Dudka	982e2f0215	Resolves: CVE-2023-23916 - fix HTTP multi-header compression denial of service	2023-02-16 10:15:22 +01:00
Kamil Dudka	7398730392	Resolves: CVE-2022-43552 - smb/telnet: fix use-after-free when HTTP proxy denies tunnel	2022-12-21 15:38:14 +01:00
Kamil Dudka	d59c430b6a	Resolves: CVE-2022-43551 - http: use the IDN decoded name in HSTS checks	2022-12-21 15:36:38 +01:00
Kamil Dudka	484461c3e4	Related: #2144277 - make the package build again on ppc64le ... by disabling flaky upstream tests	2022-11-24 21:31:31 +01:00
Kamil Dudka	a7aa3da71c	Related: #2144277 - enforce versioned libnghttp2 dependency for libcurl	2022-11-24 16:30:55 +01:00
Kamil Dudka	c4c3c415e7	Related: #2144277 - tests: fix http2 tests to use CRLF headers	2022-11-24 13:07:48 +01:00
Kamil Dudka	426affc367	Resolves: #2144277 - http2: make nghttp2 less picky about field whitespace	2022-11-21 14:26:21 +01:00
Kamil Dudka	80974e87a0	Resolves: CVE-2022-42916 - url: use IDN decoded names for HSTS checks	2022-10-26 16:32:13 +02:00
Kamil Dudka	ba028ab793	Resolves: CVE-2022-42915 - http_proxy: restore the protocol pointer on error	2022-10-26 16:32:13 +02:00
Kamil Dudka	ed6e4aba43	Resolves: CVE-2022-35260 - netrc: replace fgets with Curl_get_line	2022-10-26 16:32:13 +02:00
Kamil Dudka	42161392e9	Resolves: CVE-2022-32221 - fix POST following PUT confusion	2022-10-26 16:32:11 +02:00
Kamil Dudka	0bb496969f	Resolves: CVE-2022-35252 - control code in cookie denial of service	2022-09-02 10:35:00 +02:00
Kamil Dudka	f5e5013744	fix build failure with gnutls backend enabled Although Fedora curl packages are compiled with OpenSSL backend, some developers rebuild them with gnutls backend in their own COPRs. This commit makes the source code compile again with gnutls while it does not affect the official Fedora (binary) RPMs.	2022-07-18 12:18:58 +02:00
Kamil Dudka	9b08152998	Resolves: CVE-2022-32207 - fix unpreserved file permissions	2022-06-29 11:06:56 +02:00
Kamil Dudka	45b18a48b4	Resolves: CVE-2022-32205 - fix Set-Cookie denial of service	2022-06-29 11:05:48 +02:00
Kamil Dudka	c76b2a1a9f	Resolves: CVE-2022-32206 - fix HTTP compression denial of service	2022-06-29 11:04:02 +02:00
Kamil Dudka	424d9c193f	Resolves: CVE-2022-32208 - fix FTP-KRB bad message verification	2022-06-29 10:56:13 +02:00
Lukáš Zaoral	c637ed663b	tests/non-root-user-download: fix test failures	2022-05-12 12:37:03 +02:00
Kamil Dudka	a28fa4e5f0	Resolves: CVE-2022-27782 - fix too eager reuse of TLS and SSH connections	2022-05-11 10:56:40 +02:00
Kamil Dudka	bd1119154c	Resolves: CVE-2022-27779 - do not accept cookies for TLD with trailing dot	2022-05-11 10:55:31 +02:00
Kamil Dudka	d8e56f956c	Resolves: CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names	2022-05-11 10:53:45 +02:00
Kamil Dudka	f35a1d48bb	Resolves: CVE-2022-27780 - reject percent-encoded path separator in URL host	2022-05-11 10:52:16 +02:00
Kamil Dudka	43690cb3af	Resolves: CVE-2022-27774 - fix leak of SRP credentials in redirects	2022-05-02 10:00:34 +02:00
Kamil Dudka	02810cd68e	Resolves: CVE-2022-27774 - fix credential leak on redirect	2022-04-28 10:04:45 +02:00
Kamil Dudka	ee9c88927d	Resolves: CVE-2022-27776 - fix auth/cookie leak on redirect	2022-04-28 09:57:55 +02:00
Kamil Dudka	159cab915b	Resolves: CVE-2022-27775 - fix bad local IPv6 connection reuse	2022-04-28 09:56:54 +02:00
Kamil Dudka	fd4baaca6f	Resolves: CVE-2022-22576 - fix OAUTH2 bearer bypass in connection re-use	2022-04-28 09:52:56 +02:00
Kamil Dudka	321dbf8171	openssl: fix incorrect CURLE_OUT_OF_MEMORY error ... on CN check failure, which was breaking the test-suite of pycurl. Reported-by: Lukas Zaoral	2022-03-15 14:10:04 +01:00
Kamil Dudka	c8f5ee33a6	new upstream release - 7.82.0	2022-03-05 15:40:16 +01:00