make zsh completion work again

`git apply` fails silently unless `git init` is invoked first.

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,6 +1,2 @@
 /curl-[0-9.]*.tar.lzma
-/curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
-/curl-[0-9.]*.tar.xz.asc
-/curl-[0-9]*.[0-9]*.[0-9]*/
-/*.src.rpm

0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch

@@ -0,0 +1,29 @@
+From 1b02cb2b51148915b2ba025bb262ef34f369fa4b Mon Sep 17 00:00:00 2001
+From: dasimx <g9264140@trbvm.com>
+Date: Wed, 14 Mar 2018 11:02:05 +0100
+Subject: [PATCH] FTP: fix typo in recursive callback detection for seeking
+
+Fixes #2380
+
+Upstream-commit: 920f73a6906dce87c6ee87c32b109a287189965d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index e2cc38b..0cc583b 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -1621,7 +1621,7 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn,
+       Curl_set_in_callback(data, true);
+       seekerr = conn->seek_func(conn->seek_client, data->state.resume_from,
+                                 SEEK_SET);
+-      Curl_set_in_callback(data, true);
++      Curl_set_in_callback(data, false);
+     }
+ 
+     if(seekerr != CURL_SEEKFUNC_OK) {
+-- 
+2.14.3
+

0002-curl-7.59.0-CVE-2018-1000301.patch

@@ -0,0 +1,48 @@
+From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is
+ parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 841f6cc..dc10f5f 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2966,6 +2966,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ {
+   CURLcode result;
+   struct SingleRequest *k = &data->req;
++  ssize_t onread = *nread;
++  char *ostr = k->str;
+ 
+   /* header line within buffer loop */
+   do {
+@@ -3030,7 +3032,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+         else {
+           /* this was all we read so it's all a bad header */
+           k->badheader = HEADER_ALLBAD;
+-          *nread = (ssize_t)rest_length;
++          *nread = onread;
++          k->str = ostr;
++          return CURLE_OK;
+         }
+         break;
+       }
+-- 
+2.14.3
+

0003-curl-7.59.0-CVE-2018-1000300.patch

@@ -0,0 +1,39 @@
+From 9b757a9a431f6859807d9f6e697cc2d2a120098d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 23 Mar 2018 23:30:04 +0100
+Subject: [PATCH 2/2] pingpong: fix response cache memcpy overflow
+
+Response data for a handle with a large buffer might be cached and then
+used with the "closure" handle when it has a smaller buffer and then the
+larger cache will be copied and overflow the new smaller heap based
+buffer.
+
+Reported-by: Dario Weisser
+CVE: CVE-2018-1000300
+Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
+
+Upstream-commit: 583b42cb3b809b1bf597af160468ccba728c2248
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/pingpong.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index 438856a..ad370ee 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
+        * it would have been populated with something of size int to begin
+        * with, even though its datatype may be larger than an int.
+        */
+-      DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
++      if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
++        failf(data, "cached response data too big to handle");
++        return CURLE_RECV_ERROR;
++      }
+       memcpy(ptr, pp->cache, pp->cache_size);
+       gotbytes = (ssize_t)pp->cache_size;
+       free(pp->cache);    /* free the cache */
+-- 
+2.14.3
+

0004-curl-7.59.0-http2-GOAWAY.patch

@@ -0,0 +1,137 @@
+From 84ddda3994c1f12d79946780dee9111b3cf1c308 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 19 Apr 2018 20:03:30 +0200
+Subject: [PATCH] http2: handle GOAWAY properly
+
+When receiving REFUSED_STREAM, mark the connection for close and retry
+streams accordingly on another/fresh connection.
+
+Reported-by: Terry Wu
+Fixes #2416
+Fixes #1618
+Closes #2510
+
+Upstream-commit: d122df5972fc01e39ae28e6bca705237d7e3318a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http2.c    | 17 ++++++++++++-----
+ lib/multi.c    |  4 +++-
+ lib/transfer.c | 17 +++++++++++++++--
+ lib/urldata.h  |  2 +-
+ 4 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index b2c34e9..fba4d70 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -1078,7 +1078,6 @@ void Curl_http2_done(struct connectdata *conn, bool premature)
+   struct http_conn *httpc = &conn->proto.httpc;
+ 
+   if(http->header_recvbuf) {
+-    H2BUGF(infof(data, "free header_recvbuf!!\n"));
+     Curl_add_buffer_free(http->header_recvbuf);
+     http->header_recvbuf = NULL; /* clear the pointer */
+     Curl_add_buffer_free(http->trailer_recvbuf);
+@@ -1351,7 +1350,15 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn,
+ 
+   /* Reset to FALSE to prevent infinite loop in readwrite_data function. */
+   stream->closed = FALSE;
+-  if(httpc->error_code != NGHTTP2_NO_ERROR) {
++  if(httpc->error_code == NGHTTP2_REFUSED_STREAM) {
++    H2BUGF(infof(data, "REFUSED_STREAM (%d), try again on a new connection!\n",
++                 stream->stream_id));
++    connclose(conn, "REFUSED_STREAM"); /* don't use this anymore */
++    data->state.refused_stream = TRUE;
++    *err = CURLE_RECV_ERROR; /* trigger Curl_retry_request() later */
++    return -1;
++  }
++  else if(httpc->error_code != NGHTTP2_NO_ERROR) {
+     failf(data, "HTTP/2 stream %u was not closed cleanly: %s (err %d)",
+           stream->stream_id, Curl_http2_strerror(httpc->error_code),
+           httpc->error_code);
+@@ -1579,9 +1586,9 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+       }
+ 
+       if(nread == 0) {
+-        failf(data, "Unexpected EOF");
+-        *err = CURLE_RECV_ERROR;
+-        return -1;
++        H2BUGF(infof(data, "end of stream\n"));
++        *err = CURLE_OK;
++        return 0;
+       }
+ 
+       H2BUGF(infof(data, "nread=%zd\n", nread));
+diff --git a/lib/multi.c b/lib/multi.c
+index 98e5fca..d69e5f9 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -541,7 +541,9 @@ static CURLcode multi_done(struct connectdata **connp,
+   if(conn->send_pipe.size || conn->recv_pipe.size) {
+     /* Stop if pipeline is not empty . */
+     data->easy_conn = NULL;
+-    DEBUGF(infof(data, "Connection still in use, no more multi_done now!\n"));
++    DEBUGF(infof(data, "Connection still in use %d/%d, "
++                 "no more multi_done now!\n",
++                 conn->send_pipe.size, conn->recv_pipe.size));
+     return CURLE_OK;
+   }
+ 
+diff --git a/lib/transfer.c b/lib/transfer.c
+index fd9af31..5c29cc9 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1926,7 +1926,7 @@ CURLcode Curl_retry_request(struct connectdata *conn,
+                             char **url)
+ {
+   struct Curl_easy *data = conn->data;
+-
++  bool retry = FALSE;
+   *url = NULL;
+ 
+   /* if we're talking upload, we can't do the checks below, unless the protocol
+@@ -1939,7 +1939,7 @@ CURLcode Curl_retry_request(struct connectdata *conn,
+       conn->bits.reuse &&
+       (!data->set.opt_no_body
+         || (conn->handler->protocol & PROTO_FAMILY_HTTP)) &&
+-      (data->set.rtspreq != RTSPREQ_RECEIVE)) {
++      (data->set.rtspreq != RTSPREQ_RECEIVE))
+     /* We got no data, we attempted to re-use a connection. For HTTP this
+        can be a retry so we try again regardless if we expected a body.
+        For other protocols we only try again only if we expected a body.
+@@ -1947,6 +1947,19 @@ CURLcode Curl_retry_request(struct connectdata *conn,
+        This might happen if the connection was left alive when we were
+        done using it before, but that was closed when we wanted to read from
+        it again. Bad luck. Retry the same request on a fresh connect! */
++    retry = TRUE;
++  else if(data->state.refused_stream &&
++          (data->req.bytecount + data->req.headerbytecount == 0) ) {
++    /* This was sent on a refused stream, safe to rerun. A refused stream
++       error can typically only happen on HTTP/2 level if the stream is safe
++       to issue again, but the nghttp2 API can deliver the message to other
++       streams as well, which is why this adds the check the data counters
++       too. */
++    infof(conn->data, "REFUSED_STREAM, retrying a fresh connect\n");
++    data->state.refused_stream = FALSE; /* clear again */
++    retry = TRUE;
++  }
++  if(retry) {
+     infof(conn->data, "Connection died, retrying a fresh connect\n");
+     *url = strdup(conn->data->change.url);
+     if(!*url)
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 3d7b9e5..6a36ee9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1225,7 +1225,7 @@ struct UrlState {
+   curl_off_t current_speed;  /* the ProgressShow() function sets this,
+                                 bytes / second */
+   bool this_is_a_follow; /* this is a followed Location: request */
+-
++  bool refused_stream; /* this was refused, try again */
+   char *first_host; /* host name of the first (not followed) request.
+                        if set, this should be the host name that we will
+                        sent authorization to, no else. Used to make Location:
+-- 
+2.14.4
+

0005-curl-7.59.0-CVE-2018-0500.patch

@@ -0,0 +1,40 @@
+From 7a5d2b67b8bee753735d4b03f66c4054d9b812f9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 13 Jun 2018 12:24:40 +0200
+Subject: [PATCH] smtp: use the upload buffer size for scratch buffer malloc
+
+... not the read buffer size, as that can be set smaller and thus cause
+a buffer overflow! CVE-2018-0500
+
+Reported-by: Peter Wu
+Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
+
+Upstream-commit: ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/smtp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/smtp.c b/lib/smtp.c
+index 3f3b45a..400ad54 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -1563,13 +1563,14 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
+   if(!scratch || data->set.crlf) {
+     oldscratch = scratch;
+ 
+-    scratch = newscratch = malloc(2 * data->set.buffer_size);
++    scratch = newscratch = malloc(2 * UPLOAD_BUFSIZE);
+     if(!newscratch) {
+       failf(data, "Failed to alloc scratch buffer!");
+ 
+       return CURLE_OUT_OF_MEMORY;
+     }
+   }
++  DEBUGASSERT(UPLOAD_BUFSIZE >= nread);
+ 
+   /* Have we already sent part of the EOB? */
+   eob_sent = smtp->eob;
+-- 
+2.14.4
+

0006-curl-7.59.0-pkcs11.patch

@@ -0,0 +1,225 @@
+From cf48e08b1a7c480e43d6e66154e94c5029c0d335 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Mon, 19 Feb 2018 14:31:06 +0100
+Subject: [PATCH] ssl: set engine implicitly when a PKCS#11 URI is provided
+
+This allows the use of PKCS#11 URI for certificates and keys without
+setting the corresponding type as "ENG" and the engine as "pkcs11"
+explicitly. If a PKCS#11 URI is provided for certificate, key,
+proxy_certificate or proxy_key, the corresponding type is set as "ENG"
+if not provided and the engine is set to "pkcs11" if not provided.
+
+Acked-by: Nikos Mavrogiannopoulos
+Closes #2333
+
+Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/cmdline-opts/cert.d |  7 ++++++
+ docs/cmdline-opts/key.d  |  7 ++++++
+ lib/vtls/openssl.c       | 38 ++++++++++++++++++++++++++++
+ src/tool_getparam.c      |  2 +-
+ src/tool_operate.c       | 53 ++++++++++++++++++++++++++++++++++++++++
+ tests/unit/unit1394.c    |  3 +++
+ 6 files changed, 109 insertions(+), 1 deletion(-)
+
+diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d
+index 0cd5d53..ae6fe2f 100644
+--- a/docs/cmdline-opts/cert.d
++++ b/docs/cmdline-opts/cert.d
+@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not
+ recognized as password delimiter.  If the nickname contains "\\", it needs to
+ be escaped as "\\\\" so that it is not recognized as an escape character.
+ 
++If curl is built against OpenSSL library, and the engine pkcs11 is available,
++then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in
++a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
++as "pkcs11" if none was provided and the --cert-type option will be set as
++"ENG" if none was provided.
++
+ (iOS and macOS only) If curl is built against Secure Transport, then the
+ certificate string can either be the name of a certificate/private key in the
+ system or user keychain, or the path to a PKCS#12-encoded certificate and
+diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d
+index fbf583a..4877b42 100644
+--- a/docs/cmdline-opts/key.d
++++ b/docs/cmdline-opts/key.d
+@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate
+ file. For SSH, if not specified, curl tries the following candidates in order:
+ '~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'.
+ 
++If curl is built against OpenSSL library, and the engine pkcs11 is available,
++then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a
++PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
++as "pkcs11" if none was provided and the --key-type option will be set as
++"ENG" if none was provided.
++
+ If this option is used several times, the last one will be used.
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 2a6b3cf..5f16dbd 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -532,8 +532,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis)
+   }
+   return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
+ }
++
++/*
++ * Check if a given string is a PKCS#11 URI
++ */
++static bool is_pkcs11_uri(const char *string)
++{
++  if(strncasecompare(string, "pkcs11:", 7)) {
++    return TRUE;
++  }
++  else {
++    return FALSE;
++  }
++}
++
+ #endif
+ 
++static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
++                                     const char *engine);
++
+ static
+ int cert_stuff(struct connectdata *conn,
+                SSL_CTX* ctx,
+@@ -596,6 +613,16 @@ int cert_stuff(struct connectdata *conn,
+     case SSL_FILETYPE_ENGINE:
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
+       {
++        /* Implicitly use pkcs11 engine if none was provided and the
++         * cert_file is a PKCS#11 URI */
++        if(!data->state.engine) {
++          if(is_pkcs11_uri(cert_file)) {
++            if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
++              return 0;
++            }
++          }
++        }
++
+         if(data->state.engine) {
+           const char *cmd_name = "LOAD_CERT_CTRL";
+           struct {
+@@ -762,6 +789,17 @@ int cert_stuff(struct connectdata *conn,
+ #ifdef HAVE_OPENSSL_ENGINE_H
+       {                         /* XXXX still needs some work */
+         EVP_PKEY *priv_key = NULL;
++
++        /* Implicitly use pkcs11 engine if none was provided and the
++         * key_file is a PKCS#11 URI */
++        if(!data->state.engine) {
++          if(is_pkcs11_uri(key_file)) {
++            if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
++              return 0;
++            }
++          }
++        }
++
+         if(data->state.engine) {
+           UI_METHOD *ui_method =
+             UI_create_method((char *)"curl user interface");
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 7ce9c28..6628247 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -337,7 +337,7 @@ void parse_cert_parameter(const char *cert_parameter,
+    * looks like a RFC7512 PKCS#11 URI which can be used as-is.
+    * Also if cert_parameter contains no colon nor backslash, this
+    * means no passphrase was given and no characters escaped */
+-  if(!strncmp(cert_parameter, "pkcs11:", 7) ||
++  if(curl_strnequal(cert_parameter, "pkcs11:", 7) ||
+      !strpbrk(cert_parameter, ":\\")) {
+     *certname = strdup(cert_parameter);
+     return;
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index e8b434a..fa44c70 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -113,6 +113,19 @@ static bool is_fatal_error(CURLcode code)
+   return FALSE;
+ }
+ 
++/*
++ * Check if a given string is a PKCS#11 URI
++ */
++static bool is_pkcs11_uri(const char *string)
++{
++  if(curl_strnequal(string, "pkcs11:", 7)) {
++    return TRUE;
++  }
++  else {
++    return FALSE;
++  }
++}
++
+ #ifdef __VMS
+ /*
+  * get_vms_file_size does what it takes to get the real size of the file
+@@ -1057,6 +1070,46 @@ static CURLcode operate_do(struct GlobalConfig *global,
+           my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey);
+ 
+         if(curlinfo->features & CURL_VERSION_SSL) {
++          /* Check if config->cert is a PKCS#11 URI and set the
++           * config->cert_type if necessary */
++          if(config->cert) {
++            if(!config->cert_type) {
++              if(is_pkcs11_uri(config->cert)) {
++                config->cert_type = strdup("ENG");
++              }
++            }
++          }
++
++          /* Check if config->key is a PKCS#11 URI and set the
++           * config->key_type if necessary */
++          if(config->key) {
++            if(!config->key_type) {
++              if(is_pkcs11_uri(config->key)) {
++                config->key_type = strdup("ENG");
++              }
++            }
++          }
++
++          /* Check if config->proxy_cert is a PKCS#11 URI and set the
++           * config->proxy_type if necessary */
++          if(config->proxy_cert) {
++            if(!config->proxy_cert_type) {
++              if(is_pkcs11_uri(config->proxy_cert)) {
++                config->proxy_cert_type = strdup("ENG");
++              }
++            }
++          }
++
++          /* Check if config->proxy_key is a PKCS#11 URI and set the
++           * config->proxy_key_type if necessary */
++          if(config->proxy_key) {
++            if(!config->proxy_key_type) {
++              if(is_pkcs11_uri(config->proxy_key)) {
++                config->proxy_key_type = strdup("ENG");
++              }
++            }
++          }
++
+           my_setopt_str(curl, CURLOPT_SSLCERT, config->cert);
+           my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert);
+           my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type);
+diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c
+index 667991d..010f052 100644
+--- a/tests/unit/unit1394.c
++++ b/tests/unit/unit1394.c
+@@ -56,6 +56,9 @@ UNITTEST_START
+     "foo:bar\\\\",            "foo",                "bar\\\\",
+     "foo:bar:",               "foo",                "bar:",
+     "foo\\::bar\\:",          "foo:",               "bar\\:",
++    "pkcs11:foobar",          "pkcs11:foobar",      NULL,
++    "PKCS11:foobar",          "PKCS11:foobar",      NULL,
++    "PkCs11:foobar",          "PkCs11:foobar",      NULL,
+ #ifdef WIN32
+     "c:\\foo:bar:baz",        "c:\\foo",            "bar:baz",
+     "c:\\foo\\:bar:baz",      "c:\\foo:bar",        "baz",
+-- 
+2.17.1
+

0007-curl-7.61.0-libssh.patch

@@ -0,0 +1,133 @@
+From 155d4ffb7d40daf2afa0102f91f810675220ab6e Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 14 Aug 2018 13:14:49 +0200
+Subject: [PATCH 1/2] ssh-libssh: reduce excessive verbose output about pubkey
+ auth
+
+The verbose message "Authentication using SSH public key file" was
+printed each time the ssh_userauth_publickey_auto() was called, which
+meant each time a packet was transferred over network because the API
+operates in non-blocking mode.
+
+This patch makes sure that the verbose message is printed just once
+(when the authentication state is entered by the SSH state machine).
+
+Upstream-commit: 1e843a31a49484aeddf8f358e71392205f5fd6b1
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ssh-libssh.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
+index cecf477ac..f40f074b9 100644
+--- a/lib/ssh-libssh.c
++++ b/lib/ssh-libssh.c
+@@ -607,6 +607,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
+         sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
+         if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
+           state(conn, SSH_AUTH_PKEY_INIT);
++          infof(data, "Authentication using SSH public key file\n");
+         }
+         else if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) {
+           state(conn, SSH_AUTH_GSSAPI);
+@@ -659,8 +660,6 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
+ 
+       }
+       else {
+-        infof(data, "Authentication using SSH public key file\n");
+-
+         rc = ssh_userauth_publickey_auto(sshc->ssh_session, NULL,
+                                          data->set.ssl.key_passwd);
+         if(rc == SSH_AUTH_AGAIN) {
+-- 
+2.17.1
+
+
+From 4b445519694ab620bd6376066844a7076e8ce4ab Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 14 Aug 2018 12:47:18 +0200
+Subject: [PATCH 2/2] ssh-libssh: fix infinite connect loop on invalid private
+ key
+
+Added test 656 (based on test 604) to verify the fix.
+
+Bug: https://bugzilla.redhat.com/1595135
+
+Closes #2879
+
+Upstream-commit: a4c7911a48dadb4f68ba6b38bb1bf3f061b747f6
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ssh-libssh.c        |  1 +
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test656      | 33 +++++++++++++++++++++++++++++++++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test656
+
+diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
+index f40f074b9..12d618cfe 100644
+--- a/lib/ssh-libssh.c
++++ b/lib/ssh-libssh.c
+@@ -652,6 +652,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
+         if(rc != SSH_OK) {
+           failf(data, "Could not load private key file %s",
+                 data->set.str[STRING_SSH_PRIVATE_KEY]);
++          MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED);
+           break;
+         }
+ 
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 20274b37c..518a5a543 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -83,7 +83,7 @@ test617 test618 test619 test620 test621 test622 test623 test624 test625 \
+ test626 test627 test628 test629 test630 test631 test632 test633 test634 \
+ test635 test636 test637 test638 test639 test640 test641 test642 \
+ test643 test644 test645 test646 test647 test648 test649 test650 test651 \
+-test652 test653 test654 test655 \
++test652 test653 test654 test655 test656 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 \
+diff --git a/tests/data/test656 b/tests/data/test656
+new file mode 100644
+index 000000000..4107d3d17
+--- /dev/null
++++ b/tests/data/test656
+@@ -0,0 +1,33 @@
++<testcase>
++<info>
++<keywords>
++SFTP
++FAILURE
++</keywords>
++</info>
++
++#
++# Client-side
++<client>
++<server>
++sftp
++</server>
++ <name>
++SFTP retrieval with nonexistent private key file
++ </name>
++ <command>
++--key DOES_NOT_EXIST --pubkey curl_client_key.pub -u %USER: sftp://%HOSTIP:%SSHPORT%PWD/not-a-valid-file-moooo --insecure --connect-timeout 8
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<valgrind>
++disable
++</valgrind>
++<errorcode>
++67
++</errorcode>
++</verify>
++</testcase>
+-- 
+2.17.1
+

0008-curl-7.59.0-CVE-2018-14618.patch

@@ -0,0 +1,72 @@
+From 114b31ab5b7e6965b629697020a7ce4b6cea340e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 13 Aug 2018 10:35:52 +0200
+Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
+
+... since it would cause an integer overflow if longer than (max size_t
+/ 2).
+
+This is CVE-2018-14618
+
+Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
+Closes #2756
+Reported-by: Zhaoyang Wu
+
+Upstream-commit: 57d299a499155d4b327e341c6024e293b0418243
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index e896276..e5c785d 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -143,6 +143,15 @@
+ #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00"
+ #define NTLMv2_BLOB_LEN       (44 -16 + ntlm->target_info_len + 4)
+ 
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /*
+ * Turns a 56-bit key into being 64-bit wide.
+ */
+@@ -557,8 +566,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
+                                    unsigned char *ntbuffer /* 21 bytes */)
+ {
+   size_t len = strlen(password);
+-  unsigned char *pw = len ? malloc(len * 2) : strdup("");
++  unsigned char *pw;
+   CURLcode result;
++  if(len > SIZE_T_MAX/2) /* avoid integer overflow */
++    return CURLE_OUT_OF_MEMORY;
++  pw = len ? malloc(len * 2) : strdup("");
+   if(!pw)
+     return CURLE_OUT_OF_MEMORY;
+ 
+@@ -646,15 +658,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+   return CURLE_OK;
+ }
+ 
+-#ifndef SIZE_T_MAX
+-/* some limits.h headers have this defined, some don't */
+-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+-#define SIZE_T_MAX 18446744073709551615U
+-#else
+-#define SIZE_T_MAX 4294967295U
+-#endif
+-#endif
+-
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+  * (uppercase UserName + Domain) as the data
+  */
+-- 
+2.17.1
+

0009-curl-7.59.0-test320-gnutls.patch

@@ -0,0 +1,63 @@
+From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 4 Oct 2018 15:34:13 +0200
+Subject: [PATCH] test320: strip out more HTML when comparing
+
+To make the test case work with different gnutls-serv versions better.
+
+Reported-by: Kamil Dudka
+Fixes #3093
+Closes #3094
+
+Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/test320 | 24 ++++--------------------
+ 1 file changed, 4 insertions(+), 20 deletions(-)
+
+diff --git a/tests/data/test320 b/tests/data/test320
+index 457a11eb2..87311d4f2 100644
+--- a/tests/data/test320
++++ b/tests/data/test320
+@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response
+ HTTP/1.0 200 OK
+ Content-type: text/html
+ 
+-
+-<HTML><BODY>
+-<CENTER><H1>This is <a href="http://www.gnu.org/software/gnutls">GnuTLS</a></H1></CENTER>
+-
+-
+-
+-<h5>If your browser supports session resuming, then you should see the same session ID, when you press the <b>reload</b> button.</h5>
+-<p>Connected as user 'jsmith'.</p>
+-<P>
+-<TABLE border=1><TR><TD></TD></TR>
+-<TR><TD>Key Exchange:</TD><TD>SRP</TD></TR>
+-<TR><TD>Compression</TD><TD>NULL</TD></TR>
+-<TR><TD>Cipher</TD><TD>AES-NNN-CBC</TD></TR>
+-<TR><TD>MAC</TD><TD>SHA1</TD></TR>
+-<TR><TD>Ciphersuite</TD><TD>SRP_SHA_AES_NNN_CBC_SHA1</TD></TR></p></TABLE>
+-<hr><P>Your HTTP header was:<PRE>Host: %HOSTIP:%HTTPTLSPORT
++FINE
+ User-Agent: curl-test-suite
+ Accept: */*
+ 
+-</PRE></P>
+-</BODY></HTML>
+-
+ </file>
+ <stripfile>
+-s/^<p>Session ID:.*//
++s/^<p>Connected as user 'jsmith'.*/FINE/
+ s/Protocol version:.*[0-9]//
+ s/GNUTLS/GnuTLS/
+ s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/
++s/^<.*\n//
++s/^\n//
+ </stripfile>
+ </verify>
+ 
+-- 
+2.17.1
+

0010-curl-7.59.0-CVE-2018-16842.patch

@@ -0,0 +1,78 @@
+From 27d6c92acdac671ddf8f77f72956b2181561f774 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 28 Oct 2018 01:33:23 +0200
+Subject: [PATCH 1/2] voutf: fix bad arethmetic when outputting warnings to
+ stderr
+
+CVE-2018-16842
+Reported-by: Brian Carpenter
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
+
+Upstream-commit: d530e92f59ae9bb2d47066c3c460b25d2ffeb211
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool_msgs.c b/src/tool_msgs.c
+index 9cce806..05bec39 100644
+--- a/src/tool_msgs.c
++++ b/src/tool_msgs.c
+@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config,
+         (void)fwrite(ptr, cut + 1, 1, config->errors);
+         fputs("\n", config->errors);
+         ptr += cut + 1; /* skip the space too */
+-        len -= cut;
++        len -= cut + 1;
+       }
+       else {
+         fputs(ptr, config->errors);
+-- 
+2.17.2
+
+
+From 23f8c641b02e6c302d0e8cc5a5ee225a33b01f28 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 28 Oct 2018 10:43:57 +0100
+Subject: [PATCH 2/2] test2080: verify the fix for CVE-2018-16842
+
+Upstream-commit: 350306e4726b71b5b386fc30e3fecc039a807157
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |   3 ++-
+ tests/data/test2080     | Bin 0 -> 20659 bytes
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test2080
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index e045748..aa5fff0 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -194,4 +194,5 @@ test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \
+ test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
+ test2064 test2065 test2066 test2067 test2068 test2069 \
+ \
+-test2070 test2071 test2072 test2073
++test2070 test2071 test2072 test2073 \
++test2080
+diff --git a/tests/data/test2080 b/tests/data/test2080
+new file mode 100644
+index 0000000000000000000000000000000000000000..47e376ecb5d7879c0a98e392bff48ccc52e9db0a
+GIT binary patch
+literal 20659
+zcmeI)Pj3@35QkyT{uI*`iBshYE(n>u@JB+F3kdG+t~asjwJY0gl}``eO+)FONU8ef
+zl6Ca+%<OZ|nCeRHZE>A4K8~q<UAgUD%0ubY=PwtZRG;GL*UIRJ-;Lfy)u}p_A1>dz
+zd{+G6l*#ToY+DU||F9%J1n*+KPxQ;7MapuoQ!&MMQSXmpqMh0_yS6g=;N;HNjilBk
+zY$c?)mULZxib{;$g~jw~nrs|8b@sJI)_QmS_4(WLrNld}2Y0LEO$e>m->_NA&o$n!
+z9^YDZ>cvMs2q1s}0tg_000PG)@a?$9VHyMwKmY**5I_I{1Q0m1z~!MEP#*yV5I_I{
+z1Q0*~0R#|0009ILKmY**4ldvh-hl=PAb<b@2q1s}0tg`Rgaqum{m<+P&C93=Ab<b@
+z2q1s}0tg_0z|jf3Ji3V(2mu5TK;StGoIK~3=iL!N0D=D{@VjlsoA=?(>-+Xw`j-8D
+zzg+g?Rt8(G*s;1Sb>n1S94H%G<kGn)tFlRTrA%AW*RoyP3pi(fe!mc3WU^sQd2)l4
+jB)+~1L0rx$OS-AbERTH}TH`mZ^*=|W_vMU!*i-li)g+9V
+
+literal 0
+HcmV?d00001
+
+-- 
+2.17.2
+

0011-curl-7.59.0-CVE-2018-16840.patch

@@ -0,0 +1,39 @@
+From 235f209a0e62edee654be441a50bb0c154edeaa5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 18 Oct 2018 15:07:15 +0200
+Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid
+ use-after-free
+
+Regression from b46cfbc068 (7.59.0)
+CVE-2018-16840
+Reported-by: Brian Carpenter (Geeknik Labs)
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
+
+Upstream-commit: 81d135d67155c5295b1033679c606165d4e28f3f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index f159008..dcc1ecc 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -320,10 +320,12 @@ CURLcode Curl_close(struct Curl_easy *data)
+        and detach this handle from there. */
+     curl_multi_remove_handle(data->multi, data);
+ 
+-  if(data->multi_easy)
++  if(data->multi_easy) {
+     /* when curl_easy_perform() is used, it creates its own multi handle to
+        use and this is the one */
+     curl_multi_cleanup(data->multi_easy);
++    data->multi_easy = NULL;
++  }
+ 
+   /* Destroy the timeout list that is held in the easy handle. It is
+      /normally/ done by curl_multi_remove_handle() but this is "just in
+-- 
+2.17.2
+

0012-curl-7.59.0-CVE-2018-16839.patch

@@ -0,0 +1,136 @@
+From 4df8ff21144236497fc92521d79fbca2dc079686 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 20 Mar 2018 15:15:14 +0100
+Subject: [PATCH 1/2] vauth/cleartext: fix integer overflow check
+
+Make the integer overflow check not rely on the undefined behavior that
+a size_t wraps around on overflow.
+
+Detected by lgtm.com
+Closes #2408
+
+Upstream-commit: c1366571b609407cf0d4d9f4a2769d29e1313151
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/curl_ntlm_core.c  | 11 +----------
+ lib/curl_setup.h      |  9 +++++++++
+ lib/vauth/cleartext.c | 14 ++++----------
+ 3 files changed, 14 insertions(+), 20 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index e5c785d..b69c293 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -143,15 +143,6 @@
+ #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00"
+ #define NTLMv2_BLOB_LEN       (44 -16 + ntlm->target_info_len + 4)
+ 
+-#ifndef SIZE_T_MAX
+-/* some limits.h headers have this defined, some don't */
+-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+-#define SIZE_T_MAX 18446744073709551615U
+-#else
+-#define SIZE_T_MAX 4294967295U
+-#endif
+-#endif
+-
+ /*
+ * Turns a 56-bit key into being 64-bit wide.
+ */
+diff --git a/lib/curl_setup.h b/lib/curl_setup.h
+index f128696..e4503c6 100644
+--- a/lib/curl_setup.h
++++ b/lib/curl_setup.h
+@@ -447,6 +447,15 @@
+ #  endif
+ #endif
+ 
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /*
+  * Arg 2 type for gethostname in case it hasn't been defined in config file.
+  */
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index a761ae7..5d61ce6 100644
+--- a/lib/vauth/cleartext.c
++++ b/lib/vauth/cleartext.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+   ulen = strlen(userp);
+   plen = strlen(passwdp);
+ 
+-  /* Compute binary message length, checking for overflows. */
+-  plainlen = 2 * ulen;
+-  if(plainlen < ulen)
+-    return CURLE_OUT_OF_MEMORY;
+-  plainlen += plen;
+-  if(plainlen < plen)
+-    return CURLE_OUT_OF_MEMORY;
+-  plainlen += 2;
+-  if(plainlen < 2)
++  /* Compute binary message length. Check for overflows. */
++  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
++  plainlen = 2 * ulen + plen + 2;
+ 
+   plainauth = malloc(plainlen);
+   if(!plainauth)
+-- 
+2.17.2
+
+
+From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 28 Sep 2018 16:08:16 +0200
+Subject: [PATCH 2/2] Curl_auth_create_plain_message: fix too-large-input-check
+
+CVE-2018-16839
+Reported-by: Harry Sintonen
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
+
+Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vauth/cleartext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index 5d61ce6..1367143 100644
+--- a/lib/vauth/cleartext.c
++++ b/lib/vauth/cleartext.c
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+   plen = strlen(passwdp);
+ 
+   /* Compute binary message length. Check for overflows. */
+-  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
++  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
+   plainlen = 2 * ulen + plen + 2;
+ 
+-- 
+2.17.2
+

0013-curl-7.61.1-zsh-completion.patch

@@ -0,0 +1,76 @@
+From 082034e2334b2d0795b2b324ff3e0635bb7d2b86 Mon Sep 17 00:00:00 2001
+From: Alessandro Ghedini <alessandro@ghedini.me>
+Date: Tue, 5 Feb 2019 20:44:14 +0000
+Subject: [PATCH 1/2] zsh.pl: update regex to better match curl -h output
+
+The current regex fails to match '<...>' arguments properly (e.g. those
+with spaces in them), which causes an completion script with wrong
+descriptions for some options.
+
+The problem can be reproduced as follows:
+
+% curl --reso<TAB>
+
+Upstream-commit: dbd32f3241b297b96ee11a51da1a661f528ca026
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ scripts/zsh.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/zsh.pl b/scripts/zsh.pl
+index 1257190..941b322 100755
+--- a/scripts/zsh.pl
++++ b/scripts/zsh.pl
+@@ -7,7 +7,7 @@ use warnings;
+ 
+ my $curl = $ARGV[0] || 'curl';
+ 
+-my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s([^\s.]+)?\s+(.*)';
++my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s*(\<.+?\>)?\s+(.*)';
+ my @opts = parse_main_opts('--help', $regex);
+ 
+ my $opts_str;
+-- 
+2.17.2
+
+
+From 45abc785e101346f19599aa5f9fa1617e525ec4d Mon Sep 17 00:00:00 2001
+From: Alessandro Ghedini <alessandro@ghedini.me>
+Date: Tue, 5 Feb 2019 21:06:26 +0000
+Subject: [PATCH 2/2] zsh.pl: escape ':' character
+
+':' is interpreted as separator by zsh, so if used as part of the argument
+or option's description it needs to be escaped.
+
+The problem can be reproduced as follows:
+
+% curl -E <TAB>
+
+Bug: https://bugs.debian.org/921452
+
+Upstream-commit: b3cc8017b7364f588365be2b2629c49c142efdb7
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ scripts/zsh.pl | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/zsh.pl b/scripts/zsh.pl
+index 941b322..0f9cbec 100755
+--- a/scripts/zsh.pl
++++ b/scripts/zsh.pl
+@@ -45,9 +45,12 @@ sub parse_main_opts {
+ 
+         my $option = '';
+ 
++        $arg =~ s/\:/\\\:/g if defined $arg;
++
+         $desc =~ s/'/'\\''/g if defined $desc;
+         $desc =~ s/\[/\\\[/g if defined $desc;
+         $desc =~ s/\]/\\\]/g if defined $desc;
++        $desc =~ s/\:/\\\:/g if defined $desc;
+ 
+         $option .= '{' . trim($short) . ',' if defined $short;
+         $option .= trim($long)  if defined $long;
+-- 
+2.17.2
+

0101-curl-7.32.0-multilib.patch

@@ -1,92 +1,89 @@
-From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001
-From: Jan Macku <jamacku@redhat.com>
-Date: Tue, 16 Dec 2025 10:04:40 +0100
+From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 12 Apr 2013 12:04:05 +0200
 Subject: [PATCH] prevent multilib conflicts on the curl-config script
 
 ---
- curl-config.in      | 23 +++++------------------
- docs/curl-config.md |  4 +++-
- libcurl.pc.in       |  1 +
- 3 files changed, 9 insertions(+), 19 deletions(-)
+ curl-config.in     |   21 +++------------------
+ docs/curl-config.1 |    4 +++-
+ libcurl.pc.in      |    1 +
+ 3 files changed, 7 insertions(+), 19 deletions(-)
 
 diff --git a/curl-config.in b/curl-config.in
-index a1c8185875..bb43ca8335 100644
+index 150004d..95d0759 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -74,7 +74,7 @@ while test "$#" -gt 0; do
-     ;;
+@@ -76,7 +76,7 @@ while test $# -gt 0; do
+         ;;
  
-   --cc)
--    echo '@CC@'
-+    echo 'gcc'
-     ;;
+     --cc)
+-        echo "@CC@"
++        echo "gcc"
+         ;;
  
-   --prefix)
-@@ -149,16 +149,7 @@ while test "$#" -gt 0; do
-     ;;
+     --prefix)
+@@ -143,32 +143,17 @@ while test $# -gt 0; do
+         ;;
  
-   --libs)
--    if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then
--      curllibdir="-L@libdir@ "
--    else
--      curllibdir=''
--    fi
--    if test '@ENABLE_SHARED@' = 'no'; then
--      echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@"
--    else
--      echo "${curllibdir}-lcurl"
--    fi
-+    echo '-lcurl'
-     ;;
+     --libs)
+-        if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
+-           CURLLIBDIR="-L@libdir@ "
+-        else
+-           CURLLIBDIR=""
+-        fi
+-        if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
+-          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
+-        else
+-          echo ${CURLLIBDIR}-lcurl
+-        fi
++        echo -lcurl
+         ;;
+     --ssl-backends)
+         echo "@SSL_BACKENDS@"
+         ;;
  
-   --ssl-backends)
-@@ -166,16 +157,12 @@ while test "$#" -gt 0; do
-     ;;
+     --static-libs)
+-        if test "X@ENABLE_STATIC@" != "Xno" ; then
+-          echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
+-        else
+-          echo "curl was built with static libraries disabled" >&2
+-          exit 1
+-        fi
+         ;;
  
-   --static-libs)
--    if test '@ENABLE_STATIC@' != 'no'; then
--      echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@"
--    else
--      echo 'curl was built with static libraries disabled' >&2
--      exit 1
--    fi
-+    echo 'curl was built with static libraries disabled' >&2
-+    exit 1
-     ;;
+     --configure)
+-        echo @CONFIGURE_OPTIONS@
++        pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
+         ;;
  
-   --configure)
--    echo @CONFIGURE_OPTIONS@
-+    pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
-     ;;
- 
-   *)
-diff --git a/docs/curl-config.md b/docs/curl-config.md
-index 12ad245b79..fa0e03d273 100644
---- a/docs/curl-config.md
-+++ b/docs/curl-config.md
-@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated.
- ## `--static-libs`
- 
- Shows the complete set of libs and other linker options you need in order to
--link your application with libcurl statically. (Added in 7.17.1)
-+link your application with libcurl statically. Note that Fedora/RHEL libcurl
+     *)
+diff --git a/docs/curl-config.1 b/docs/curl-config.1
+index 14a9d2b..ffcc004 100644
+--- a/docs/curl-config.1
++++ b/docs/curl-config.1
+@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
+ comma-separated. (Added in 7.58.0)
+ .IP "--static-libs"
+ Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl statically. (Added in 7.17.1)
++to link your application with libcurl statically. Note that Fedora/RHEL libcurl
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
- 
- ## `--version`
- 
+ .IP "--version"
+ Outputs version information about the installed libcurl.
+ .IP "--vernum"
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index c0ba5244a8..f3645e1748 100644
+index 2ba9c39..f8f8b00 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
-@@ -28,6 +28,7 @@ libdir=@libdir@
+@@ -29,6 +29,7 @@ libdir=@libdir@
  includedir=@includedir@
  supported_protocols="@SUPPORT_PROTOCOLS@"
  supported_features="@SUPPORT_FEATURES@"
 +configure_options=@CONFIGURE_OPTIONS@
  
  Name: libcurl
- URL: https://curl.se/
+ URL: https://curl.haxx.se/
 -- 
-2.52.0
+2.5.0
 

0102-curl-7.36.0-debug.patch

@@ -0,0 +1,65 @@
+From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 31 Oct 2012 11:38:30 +0100
+Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778)
+
+---
+ configure            |   13 +++----------
+ m4/curl-compilers.m4 |   13 +++----------
+ 2 files changed, 6 insertions(+), 20 deletions(-)
+
+diff --git a/configure b/configure
+index 8f079a3..53b4774 100755
+--- a/configure
++++ b/configure
+@@ -16524,18 +16524,11 @@ $as_echo "yes" >&6; }
+     gccvhi=`echo $gccver | cut -d . -f1`
+     gccvlo=`echo $gccver | cut -d . -f2`
+     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
+-    flags_dbg_all="-g -g0 -g1 -g2 -g3"
+-    flags_dbg_all="$flags_dbg_all -ggdb"
+-    flags_dbg_all="$flags_dbg_all -gstabs"
+-    flags_dbg_all="$flags_dbg_all -gstabs+"
+-    flags_dbg_all="$flags_dbg_all -gcoff"
+-    flags_dbg_all="$flags_dbg_all -gxcoff"
+-    flags_dbg_all="$flags_dbg_all -gdwarf-2"
+-    flags_dbg_all="$flags_dbg_all -gvms"
++    flags_dbg_all=""
+     flags_dbg_yes="-g"
+     flags_dbg_off=""
+-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
+-    flags_opt_yes="-O2"
++    flags_opt_all=""
++    flags_opt_yes=""
+     flags_opt_off="-O0"
+ 
+     OLDCPPFLAGS=$CPPFLAGS
+diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
+index 0cbba7a..9175b5b 100644
+--- a/m4/curl-compilers.m4
++++ b/m4/curl-compilers.m4
+@@ -157,18 +157,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
+     gccvhi=`echo $gccver | cut -d . -f1`
+     gccvlo=`echo $gccver | cut -d . -f2`
+     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
+-    flags_dbg_all="-g -g0 -g1 -g2 -g3"
+-    flags_dbg_all="$flags_dbg_all -ggdb"
+-    flags_dbg_all="$flags_dbg_all -gstabs"
+-    flags_dbg_all="$flags_dbg_all -gstabs+"
+-    flags_dbg_all="$flags_dbg_all -gcoff"
+-    flags_dbg_all="$flags_dbg_all -gxcoff"
+-    flags_dbg_all="$flags_dbg_all -gdwarf-2"
+-    flags_dbg_all="$flags_dbg_all -gvms"
++    flags_dbg_all=""
+     flags_dbg_yes="-g"
+     flags_dbg_off=""
+-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
+-    flags_opt_yes="-O2"
++    flags_opt_all=""
++    flags_opt_yes=""
+     flags_opt_off="-O0"
+     CURL_CHECK_DEF([_WIN32], [], [silent])
+   else
+-- 
+1.7.1
+

0104-curl-7.19.7-localhost6.patch

@@ -0,0 +1,51 @@
+diff --git a/tests/data/test1083 b/tests/data/test1083
+index e441278..b0958b6 100644
+--- a/tests/data/test1083
++++ b/tests/data/test1083
+@@ -33,13 +33,13 @@ ipv6
+ http-ipv6
+ </server>
+  <name>
+-HTTP-IPv6 GET with ip6-localhost --interface
++HTTP-IPv6 GET with localhost6 --interface
+  </name>
+  <command>
+--g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost
++-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6
+ </command>
+ <precheck>
+-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
++perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
+ </precheck>
+ </client>
+ 
+diff --git a/tests/data/test241 b/tests/data/test241
+index 46eae1f..4e1632c 100644
+--- a/tests/data/test241
++++ b/tests/data/test241
+@@ -30,13 +30,13 @@ ipv6
+ http-ipv6
+ </server>
+  <name>
+-HTTP-IPv6 GET (using ip6-localhost)
++HTTP-IPv6 GET (using localhost6)
+  </name>
+  <command>
+--g "http://ip6-localhost:%HTTP6PORT/241"
++-g "http://localhost6:%HTTP6PORT/241"
+ </command>
+ <precheck>
+-./server/resolve --ipv6 ip6-localhost
++./server/resolve --ipv6 localhost6
+ </precheck>
+ </client>
+ 
+@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost)
+ </strip>
+ <protocol>
+ GET /241 HTTP/1.1
+-Host: ip6-localhost:%HTTP6PORT
++Host: localhost6:%HTTP6PORT
+ Accept: */*
+ 
+ </protocol>

0105-curl-7.61.0-tests-ssh-keygen.patch

@@ -0,0 +1,33 @@
+From daded1aff280104d16e405fcd1be1a857c74b191 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 27 Aug 2018 15:53:35 +0200
+Subject: [PATCH] tests: make ssh-keygen always produce PEM format
+
+The default format produced by openssh-7.8p1 cannot be consumed
+by currently available versions of libssh and libssh2.
+---
+ tests/sshserver.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/sshserver.pl b/tests/sshserver.pl
+index 9b3d122..d477a02 100755
+--- a/tests/sshserver.pl
++++ b/tests/sshserver.pl
+@@ -372,12 +372,12 @@ if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) ||
+     # Make sure all files are gone so ssh-keygen doesn't complain
+     unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf);
+     logmsg 'generating host keys...' if($verbose);
+-    if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") {
++    if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N '' -m PEM") {
+         logmsg 'Could not generate host key';
+         exit 1;
+     }
+     logmsg 'generating client keys...' if($verbose);
+-    if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N ''") {
++    if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N '' -m PEM") {
+         logmsg 'Could not generate client key';
+         exit 1;
+     }
+-- 
+2.17.1
+

ci.fmf

@@ -1,9 +0,0 @@
-discover:
-  how: fmf
-prepare:
-  how: install
-  exclude:
-    - libcurl-minimal
-    - curl-minimal
-execute:
-  how: tmt

curl-7.59.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTwACgkQXMkI/bce
+EsJrHQf7B0ik8F5dfGYumYWkXHc9poJU+dJ0o6pwzg4QsP+4mwVTw/gnrXDm1hVk
+iFPIAdgTkxiIDZi+6mDfZA9dZ8Aq38XbYjRIwXTW4KrjTtEFQXtwlEClrHrJyXfl
++2YC52BcY0D2JVDqUAB9cVSSgaHHf1jd4h32a8YMrwco4jP5rSxbmZe4psU2m8TC
+skaZEoSIRJzg5oV+AgDSQMrq+fLsc5lIDKTl+7v6sjnGlcYeRC1SiBePyrh5g/o5
+w4JJH839MyjrYvi6MyCBHeyCFYDrxKvQw8zRwivfZ1oipM2SaSVq8c60PdR85Zw5
+/SNOU/7Qpvhua0GhAfaI/CTwwewy6w==
+=OcVv
+-----END PGP SIGNATURE-----

curl.rpmlintrc

@@ -1,15 +0,0 @@
-# Intentional stuff we're not concerned about
-addFilter("unversioned-explicit-provides webclient")
-addFilter("package-with-huge-docs")
-addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
-
-# This is just plain wrong (%_configure redefinition)
-addFilter("configure-without-libdir-spec")
-
-# Technical term
-addFilter("E: spelling-error \('kerberos',")
-
-# Artefacts of RemovePathPostfixes: .minimal
-addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
-#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
-#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")

mykey.asc

@@ -1,77 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2
-
-mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ
-QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV
-0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1
-EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch
-soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje
-f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL
-gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo
-SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2
-m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0
-ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU
-ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w
-i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD
-AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv
-jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb
-XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz
-7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM
-wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+
-dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT
-rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t
-FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9
-OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx
-5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h
-zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O
-poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA
-Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d
-6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8
-tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu
-c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ
-EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1
-svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+
-Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv
-+BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh
-Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg
-rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL
-y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP
-BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/
-0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf
-09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG
-6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8
-67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H
-a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr
-LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK
-nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb
-0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb
-2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC
-OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/
-PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC
-8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3
-/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e
-8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk
-bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0
-IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx
-AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN
-2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ
-L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD
-/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6
-UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb
-9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh
-TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k
-IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ
-AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ
-eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8
-sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI
-c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND
-KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j
-4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S
-wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv
-BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF
-PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu
-gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5
-ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb
-j/qx4ytjt5uxt6Jm6IXV9cry8i6x
-=Phs/
------END PGP PUBLIC KEY BLOCK-----

sources

@@ -1,2 +1 @@
-SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
-SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
+SHA512 (curl-7.59.0.tar.xz) = 6982a5950b564d6b2a4f4b96296b6db3db24a096acc68aa96966821b57f66362f5a69d9f2da762b5d2b1011a4a47478ebacaf05e26604f78bb013098749dd8a6

tests/non-root-user-download/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/curl/Sanity/non-root-user-download
+#   Description: various download methods with non-root user
+#   Author: Karel Srot <ksrot@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/curl/Sanity/non-root-user-download
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     various download methods with non-root user" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          curl" >> $(METADATA)
+	@echo "Requires:        curl" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/non-root-user-download/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/curl/Sanity/non-root-user-download
+Description: various download methods with non-root user
+Author: Karel Srot <ksrot@redhat.com>

tests/non-root-user-download/main.fmf

@@ -1,18 +0,0 @@
-summary: various download methods with non-root user
-description: ''
-contact: Daniel Rusek <drusek@redhat.com>
-component:
-  - curl
-require:
-  - findutils
-  - libselinux-utils
-  - openssh-clients
-  - openssh-server
-  - passwd
-test: ./runtest.sh
-framework: beakerlib
-duration: 5m
-enabled: true
-tier: '1'
-link:
-  - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1049921

tests/non-root-user-download/runtest.sh

@@ -27,13 +27,14 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 
 PACKAGE="curl"
 
-FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
+FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
+CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"
@@ -46,11 +47,9 @@ rlJournalStart
         rlRun "useradd -m curltester" 0 "Adding the test user"
         rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
         rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
-        rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts
-        rlRun "rm -f $HOME/.ssh/*"
         [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
-        rlRun "rlServiceStart sshd"
-        rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
+        rlFileBackup $HOME/.ssh/known_hosts /etc/hosts
+        ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
     rlPhaseEnd
 
     rlPhaseStartTest "http download"
@@ -83,7 +82,7 @@ if ! rlIsRHEL 5; then
 fi
 
     rlPhaseStartCleanup
-        rlRun "rlServiceRestore"
+        rlRun "rm -f $HOME/.ssh/known_hosts"
         rlFileRestore
         rlRun "popd"
         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

tests/non-root-user-download/runtest.yml

@@ -0,0 +1,64 @@
+- hosts: '{{ hosts | default("localhost") }}'
+  vars:
+    package: "curl"
+  tasks:
+    - name: "Set Content variables"
+      set_fact:
+        content: "a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed"
+        password: "pAssw0rd"
+        crypt_password: "$6$/5GE87XLYLLfB3qx$w84Kct34UZG/4buTSXWkaaVIsw2xGXSAdmnS2QYdG8TtRgTsBnHdFdSkhoy.tKIE6A6LKlxczIZjQbpB19k7B1"
+    - name: "Create user curltester"
+      user: 
+        name: "curltester"
+        password: "{{ crypt_password }}"
+    - name: "Copy testfile"
+      copy:
+          dest: "/home/curltester/testfile"
+          content: "{{ content }}"
+    - block:
+      - name: "http download"
+        command: "curl https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
+        args:
+            warn: false
+        register: http
+        become: yes
+        become_user: curltester
+      - name: "Compare http output"
+        fail:
+            msg: "{{ content }} not in {{ http.stdout }}"
+        when: content not in http.stdout
+      - name: "ftp download"
+        command: "curl ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
+        args:
+            warn: false
+        register: ftp
+        become: yes
+        become_user: curltester
+      - name: "Compare ftp output"
+        fail:
+            msg: "{{ content }} not in {{ ftp.stdout }}"
+        when: content not in ftp.stdout
+      - name: "scp download"
+        command: "curl -u curltester:{{ password }} --insecure scp://localhost/home/curltester/testfile"
+        args:
+            warn: false
+        register: scp
+      - name: "Compare scp output"
+        fail:
+            msg: "{{ content }} not in {{ scp.stdout }}"
+        when: content not in scp.stdout
+      - name: "sftp download"
+        command: "curl -u curltester:{{ password }} --insecure sftp://localhost/home/curltester/testfile"
+        args:
+            warn: false
+        register: sftp
+      - name: "Compare sftp output"
+        fail:
+            msg: "{{ content }} not in {{ sftp.stdout }}"
+        when: content not in sftp.stdout
+      always:
+      - name: "Remove user curltester"
+        user: 
+            name: "curltester"
+            remove: yes
+            state: absent

tests/scp-and-sftp-download-test/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/curl/Sanity/scp-and-sftp-download-test
+#   Description: downloads test file through scp and sftp
+#   Author: Karel Srot <ksrot@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2012 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/curl/Sanity/scp-and-sftp-download-test
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     downloads test file through scp and sftp" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          curl" >> $(METADATA)
+	@echo "Requires:        curl openssh" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/scp-and-sftp-download-test/PURPOSE

@@ -0,0 +1,12 @@
+PURPOSE of /CoreOS/curl/Sanity/scp-and-sftp-download-test
+Description: downloads test file through scp and sftp
+Author: Karel Srot <ksrot@redhat.com>
+
+Test scenario:
+- scp download
+- sftp download
+- scp upload
+- sftp upload
+
+When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
+with empty --pubkey parameter (--pubkey "") or with the paramiter omitted

tests/scp-and-sftp-download-test/main.fmf

@@ -1,20 +0,0 @@
-summary: downloads test file through scp and sftp
-description: |
-    Test scenario:
-    - scp download
-    - sftp download
-    - scp upload
-    - sftp upload
-
-    When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
-    with empty --pubkey parameter (--pubkey "") or with the paramiter omitted
-contact: Daniel Rusek <drusek@redhat.com>
-require:
-  - findutils
-component:
-  - curl
-test: ./runtest.sh
-path: /tests/scp-and-sftp-download-test
-framework: beakerlib
-duration: 10m
-enabled: true

tests/scp-and-sftp-download-test/runtest.sh

@@ -27,7 +27,8 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include Beaker environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
+. /usr/bin/rhts-environment.sh
+. /usr/lib/beakerlib/beakerlib.sh
 
 PACKAGE="curl"
 

tests/tests.yml

@@ -0,0 +1,26 @@
+---
+# Tests for Classic
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - scp-and-sftp-download-test
+    - non-root-user-download
+    required_packages:
+    - findutils         # non-root-user-download needs find command
+                        # scp-and-sftp-download-test needs find command
+    - passwd            # non-root-user-download needs passwd command
+    - openssh-clients   # non-root-user-download needs ssh-keyscan command
+
+# Tests for Atomic
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - atomic
+    tests:
+    - scp-and-sftp-download-test
+    - non-root-user-download
+