Resolves: CVE-2023-38546 - cookie injection with none file

... because F36 URLs are no longer available.

.gitignore

@@ -1,6 +1,2 @@
-/curl-[0-9.]*.tar.lzma
-/curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
 /curl-[0-9.]*.tar.xz.asc
-/curl-[0-9]*.[0-9]*.[0-9]*/
-/*.src.rpm

0001-curl-7.85.0-CVE-2022-32221.patch

@@ -0,0 +1,253 @@
+From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field
+
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+
+Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index d5e3b50..b8793b4 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -696,6 +696,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     }
+     else
+       data->set.method = HTTPREQ_GET;
++    data->set.upload = FALSE;
+     break;
+ 
+   case CURLOPT_HTTPPOST:
+-- 
+2.37.3
+
+
+From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:23:33 +0200
+Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle
+
+Reproduced #9507, verifies the fix
+
+Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc    |  2 +-
+ tests/data/test1948        | 73 +++++++++++++++++++++++++++++++++++
+ tests/libtest/Makefile.inc |  6 ++-
+ tests/libtest/lib1948.c    | 79 ++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 158 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1948
+ create mode 100644 tests/libtest/lib1948.c
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 818ee08..0cfab9b 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -224,7 +224,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \
+ test1916 test1917 test1918 test1919 \
+ \
+ test1933 test1934 test1935 test1936 test1937 test1938 test1939 test1940 \
+-test1941 test1942 test1943 test1944 test1945 test1946 \
++test1941 test1942 test1943 test1944 test1945 test1946 test1948 \
+ \
+ test2000 test2001 test2002 test2003 test2004 \
+ \
+diff --git a/tests/data/test1948 b/tests/data/test1948
+new file mode 100644
+index 0000000..639523d
+--- /dev/null
++++ b/tests/data/test1948
+@@ -0,0 +1,73 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP POST
++HTTP PUT
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK
++Date: Thu, 01 Nov 2001 14:49:00 GMT
++Content-Type: text/html
++Content-Length: 6
++
++hello
++</data>
++<datacheck>
++HTTP/1.1 200 OK
++Date: Thu, 01 Nov 2001 14:49:00 GMT
++Content-Type: text/html
++Content-Length: 6
++
++hello
++HTTP/1.1 200 OK
++Date: Thu, 01 Nov 2001 14:49:00 GMT
++Content-Type: text/html
++Content-Length: 6
++
++hello
++</datacheck>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++
++<name>
++CURLOPT_POST after CURLOPT_UPLOAD reusing handle
++</name>
++<tool>
++lib%TESTNUMBER
++</tool>
++
++<command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++PUT /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Accept: */*
++Content-Length: 22
++Expect: 100-continue
++
++This is test PUT data
++POST /1948 HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Accept: */*
++Content-Length: 22
++Content-Type: application/x-www-form-urlencoded
++
++This is test PUT data
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 83a8af4..3192eca 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -64,7 +64,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect                \
+          lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
+          lib1915 lib1916 lib1917 lib1918 lib1919 \
+  lib1933 lib1934 lib1935 lib1936 lib1937 lib1938 lib1939 lib1940 \
+- lib1945 lib1946 \
++ lib1945 lib1946 lib1948 \
+  lib3010 lib3025 lib3026
+ 
+ chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \
+@@ -748,6 +748,10 @@ lib1946_SOURCES = lib1940.c $(SUPPORTFILES)
+ lib1946_LDADD = $(TESTUTIL_LIBS)
+ lib1946_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1946
+ 
++lib1948_SOURCES = lib1948.c $(SUPPORTFILES)
++lib1948_LDADD = $(TESTUTIL_LIBS)
++lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948
++
+ lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib3010_LDADD = $(TESTUTIL_LIBS)
+ lib3010_CPPFLAGS = $(AM_CPPFLAGS)
+diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c
+new file mode 100644
+index 0000000..7c891a2
+--- /dev/null
++++ b/tests/libtest/lib1948.c
+@@ -0,0 +1,79 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "test.h"
++
++typedef struct
++{
++  char *buf;
++  size_t len;
++} put_buffer;
++
++static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream)
++{
++  put_buffer *putdata = (put_buffer *)stream;
++  size_t totalsize = size * nmemb;
++  size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize;
++  memcpy(ptr, putdata->buf, tocopy);
++  putdata->len -= tocopy;
++  putdata->buf += tocopy;
++  return tocopy;
++}
++
++int test(char *URL)
++{
++  CURL *curl;
++  CURLcode res = CURLE_OUT_OF_MEMORY;
++
++  curl_global_init(CURL_GLOBAL_DEFAULT);
++
++  curl = curl_easy_init();
++  if(curl) {
++    const char *testput = "This is test PUT data\n";
++    put_buffer pbuf;
++
++    /* PUT */
++    curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
++    curl_easy_setopt(curl, CURLOPT_HEADER, 1L);
++    curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback);
++    pbuf.buf = (char *)testput;
++    pbuf.len = strlen(testput);
++    curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf);
++    curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput));
++    res = curl_easy_setopt(curl, CURLOPT_URL, URL);
++    if(!res)
++      res = curl_easy_perform(curl);
++    if(!res) {
++      /* POST */
++      curl_easy_setopt(curl, CURLOPT_POST, 1L);
++      curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput);
++      curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput));
++      res = curl_easy_perform(curl);
++    }
++    curl_easy_cleanup(curl);
++  }
++
++  curl_global_cleanup();
++  return (int)res;
++}
+-- 
+2.37.3
+

0002-curl-7.85.0-CVE-2022-35260.patch

@@ -0,0 +1,76 @@
+From 54dcd2334220ad965ef81130ba8ddf90b30c987c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2022 14:37:24 +0200
+Subject: [PATCH] netrc: replace fgets with Curl_get_line
+
+Make the parser only accept complete lines and avoid problems with
+overly long lines.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9789
+
+Upstream-commit: c97ec984fb2bc919a3aa863e0476dffa377b184c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/curl_get_line.c | 6 +++---
+ lib/netrc.c         | 5 +++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
+index 6a26bb2..22e3705 100644
+--- a/lib/curl_get_line.c
++++ b/lib/curl_get_line.c
+@@ -25,7 +25,7 @@
+ #include "curl_setup.h"
+ 
+ #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
+-  !defined(CURL_DISABLE_HSTS)
++  !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC)
+ 
+ #include "curl_get_line.h"
+ #include "curl_memory.h"
+@@ -33,8 +33,8 @@
+ #include "memdebug.h"
+ 
+ /*
+- * get_line() makes sure to only return complete whole lines that fit in 'len'
+- * bytes and end with a newline.
++ * Curl_get_line() makes sure to only return complete whole lines that fit in
++ * 'len' bytes and end with a newline.
+  */
+ char *Curl_get_line(char *buf, int len, FILE *input)
+ {
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 62a6a10..5d17482 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -33,6 +33,7 @@
+ #include "netrc.h"
+ #include "strtok.h"
+ #include "strcase.h"
++#include "curl_get_line.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -84,7 +85,7 @@ static int parsenetrc(const char *host,
+     char netrcbuffer[4096];
+     int  netrcbuffsize = (int)sizeof(netrcbuffer);
+ 
+-    while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
++    while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
+       char *tok;
+       char *tok_end;
+       bool quoted;
+@@ -243,7 +244,7 @@ static int parsenetrc(const char *host,
+         } /* switch (state) */
+         tok = ++tok_end;
+       }
+-    } /* while fgets() */
++    } /* while Curl_get_line() */
+ 
+     out:
+     if(!retcode) {
+-- 
+2.37.3
+

0003-curl-7.85.0-CVE-2022-42915.patch

@@ -0,0 +1,154 @@
+From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 14:13:36 +0200
+Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error
+
+Reported-by: Trail of Bits
+
+Closes #9790
+
+Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http_proxy.c | 6 ++----
+ lib/url.c        | 9 ---------
+ 2 files changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index 1f87f6c..cc20b3a 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data)
+     Curl_dyn_free(&s->rcvbuf);
+     Curl_dyn_free(&s->req);
+ 
+-    /* restore the protocol pointer, if not already done */
+-    if(s->prot_save)
+-      data->req.p.http = s->prot_save;
+-    s->prot_save = NULL;
++    /* restore the protocol pointer */
++    data->req.p.http = s->prot_save;
+     data->info.httpcode = 0; /* clear it as it might've been used for the
+                                 proxy */
+     data->req.ignorebody = FALSE;
+diff --git a/lib/url.c b/lib/url.c
+index bfc784f..61c99d2 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -746,15 +746,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
+   DEBUGASSERT(data);
+   infof(data, "Closing connection %ld", conn->connection_id);
+ 
+-#ifndef USE_HYPER
+-  if(conn->connect_state && conn->connect_state->prot_save) {
+-    /* If this was closed with a CONNECT in progress, cleanup this temporary
+-       struct arrangement */
+-    data->req.p.http = NULL;
+-    Curl_safefree(conn->connect_state->prot_save);
+-  }
+-#endif
+-
+   /* possible left-overs from the async name resolvers */
+   Curl_resolver_cancel(data);
+ 
+-- 
+2.37.3
+
+
+From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 14:14:25 +0200
+Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and
+ fix
+
+Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test445      | 61 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 62 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test445
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 0cfab9b..14c1b0c 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -71,7 +71,7 @@ test408 test409 test410 test411 test412 test413 test414 \
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
+-test440 test441 test442 test443 test444 \
++test440 test441 test442 test443 test444 test445 \
+ \
+ test490 test491 test492 test493 test494 \
+ \
+diff --git a/tests/data/test445 b/tests/data/test445
+new file mode 100644
+index 0000000..0406c0f
+--- /dev/null
++++ b/tests/data/test445
+@@ -0,0 +1,61 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<connect>
++HTTP/1.1 503 no just no
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++
++-foo-
++</connect>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++gopher
++dict
++http
++ftp
++imap
++ldap
++mqtt
++pop3
++rtsp
++scp
++sftp
++smb
++smtp
++</features>
++<server>
++http-proxy
++</server>
++ <name>
++Refuse tunneling protocols through HTTP proxy
++ </name>
++ <command>
++-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# refused in the CONNECT
++<errorcode>
++56
++</errorcode>
++</verify>
++</testcase>
+-- 
+2.37.3
+

0004-curl-7.85.0-CVE-2022-42916.patch

@@ -0,0 +1,137 @@
+From 8c1f295ec343bad073a41f62de5f4c4ddd579e41 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 12 Oct 2022 10:47:59 +0200
+Subject: [PATCH] url: use IDN decoded names for HSTS checks
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9791
+
+Upstream-commit: 53bcf55b4538067e6dc36242168866becb987bb7
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 91 ++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 47 insertions(+), 44 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 61c99d2..6426fa7 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2024,10 +2024,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+     failf(data, "Too long host name (maximum is %d)", MAX_URL_LEN);
+     return CURLE_URL_MALFORMAT;
+   }
++  hostname = data->state.up.hostname;
++
++  if(hostname && hostname[0] == '[') {
++    /* This looks like an IPv6 address literal. See if there is an address
++       scope. */
++    size_t hlen;
++    conn->bits.ipv6_ip = TRUE;
++    /* cut off the brackets! */
++    hostname++;
++    hlen = strlen(hostname);
++    hostname[hlen - 1] = 0;
++
++    zonefrom_url(uh, data, conn);
++  }
++
++  /* make sure the connect struct gets its own copy of the host name */
++  conn->host.rawalloc = strdup(hostname ? hostname : "");
++  if(!conn->host.rawalloc)
++    return CURLE_OUT_OF_MEMORY;
++  conn->host.name = conn->host.rawalloc;
++
++  /*************************************************************
++   * IDN-convert the hostnames
++   *************************************************************/
++  result = Curl_idnconvert_hostname(data, &conn->host);
++  if(result)
++    return result;
++  if(conn->bits.conn_to_host) {
++    result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
++    if(result)
++      return result;
++  }
++#ifndef CURL_DISABLE_PROXY
++  if(conn->bits.httpproxy) {
++    result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
++    if(result)
++      return result;
++  }
++  if(conn->bits.socksproxy) {
++    result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
++    if(result)
++      return result;
++  }
++#endif
+ 
+ #ifndef CURL_DISABLE_HSTS
++  /* HSTS upgrade */
+   if(data->hsts && strcasecompare("http", data->state.up.scheme)) {
+-    if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) {
++    /* This MUST use the IDN decoded name */
++    if(Curl_hsts(data->hsts, conn->host.name, TRUE)) {
+       char *url;
+       Curl_safefree(data->state.up.scheme);
+       uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0);
+@@ -2133,26 +2179,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ 
+   (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
+ 
+-  hostname = data->state.up.hostname;
+-  if(hostname && hostname[0] == '[') {
+-    /* This looks like an IPv6 address literal. See if there is an address
+-       scope. */
+-    size_t hlen;
+-    conn->bits.ipv6_ip = TRUE;
+-    /* cut off the brackets! */
+-    hostname++;
+-    hlen = strlen(hostname);
+-    hostname[hlen - 1] = 0;
+-
+-    zonefrom_url(uh, data, conn);
+-  }
+-
+-  /* make sure the connect struct gets its own copy of the host name */
+-  conn->host.rawalloc = strdup(hostname ? hostname : "");
+-  if(!conn->host.rawalloc)
+-    return CURLE_OUT_OF_MEMORY;
+-  conn->host.name = conn->host.rawalloc;
+-
+ #ifdef ENABLE_IPV6
+   if(data->set.scope_id)
+     /* Override any scope that was set above.  */
+@@ -3781,29 +3807,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+   if(result)
+     goto out;
+ 
+-  /*************************************************************
+-   * IDN-convert the hostnames
+-   *************************************************************/
+-  result = Curl_idnconvert_hostname(data, &conn->host);
+-  if(result)
+-    goto out;
+-  if(conn->bits.conn_to_host) {
+-    result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+-    if(result)
+-      goto out;
+-  }
+-#ifndef CURL_DISABLE_PROXY
+-  if(conn->bits.httpproxy) {
+-    result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+-    if(result)
+-      goto out;
+-  }
+-  if(conn->bits.socksproxy) {
+-    result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+-    if(result)
+-      goto out;
+-  }
+-#endif
+ 
+   /*************************************************************
+    * Check whether the host and the "connect to host" are equal.
+-- 
+2.37.3
+

0005-curl-7.85.0-http2-whitespace.patch

@@ -0,0 +1,66 @@
+From a1eaad81dc6c8d1e562b685d3136f24aeb12dcb4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 7 Sep 2022 15:41:03 +0200
+Subject: [PATCH] http2: make nghttp2 less picky about field whitespace
+
+In nghttp2 1.49.0 it returns error on leading and trailing whitespace in
+header fields according to language in the recently shipped RFC 9113.
+
+nghttp2 1.50.0 introduces an option to switch off this strict check and
+this change enables this option by default which should make curl behave
+more similar to how it did with nghttp2 1.48.0 and earlier.
+
+We might want to consider making this an option in the future.
+
+Closes #9448
+
+Upstream-commit: eafc2b14ac9e40377168b46cab3f1d90c3f32f45
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http2.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index f6364d0..3a70528 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -1277,6 +1277,27 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
+   }
+ }
+ 
++static int client_new(struct connectdata *conn,
++                      nghttp2_session_callbacks *callbacks)
++{
++#if NGHTTP2_VERSION_NUM < 0x013200
++  /* before 1.50.0 */
++  return nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn);
++#else
++  nghttp2_option *o;
++  int rc = nghttp2_option_new(&o);
++  if(rc)
++    return rc;
++  /* turn off RFC 9113 leading and trailing white spaces validation against
++     HTTP field value. */
++  nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation(o, 1);
++  rc = nghttp2_session_client_new2(&conn->proto.httpc.h2, callbacks, conn,
++                                   o);
++  nghttp2_option_del(o);
++  return rc;
++#endif
++}
++
+ /*
+  * Initialize nghttp2 for a Curl connection
+  */
+@@ -1317,7 +1338,7 @@ static CURLcode http2_init(struct Curl_easy *data, struct connectdata *conn)
+     nghttp2_session_callbacks_set_error_callback(callbacks, error_callback);
+ 
+     /* The nghttp2 session is not yet setup, do it */
+-    rc = nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn);
++    rc = client_new(conn, callbacks);
+ 
+     nghttp2_session_callbacks_del(callbacks);
+ 
+-- 
+2.37.3
+

0006-curl-7.85.0-hsts-CVEs.patch

@@ -0,0 +1,843 @@
+From fcd651bcfe1982f55e591d47521f509a2ee98975 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 1 Dec 2022 09:21:04 +0100
+Subject: [PATCH 1/6] runtests: do CRLF replacements per section only
+
+The `crlf="yes"` attribute and "hyper mode" are now only applied on a
+subset of dedicated sections: data, datacheck, stdout and protocol.
+
+Updated test 2500 accordingly.
+
+Also made test1 use crlf="yes" for <protocol>, mostly because it is
+often used as a template test case. Going forward, using this attribute
+we should be able to write test cases using linefeeds only and avoid
+mixed line ending encodings.
+
+Follow-up to ca15b7512e8d11
+
+Fixes #10009
+Closes #10010
+
+Upstream-commit: 2f34a7347f315513bfda9ef14770d287fb246bcd
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/FILEFORMAT.md | 22 ++++++++++++++------
+ tests/data/test1    | 14 ++++++-------
+ tests/runtests.pl   | 49 +++++++++++++++++++++++++++++++++++++++++----
+ 3 files changed, 68 insertions(+), 17 deletions(-)
+
+diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
+index dc1092b..159a3cf 100644
+--- a/tests/FILEFORMAT.md
++++ b/tests/FILEFORMAT.md
+@@ -195,7 +195,7 @@ When using curl built with Hyper, the keywords must include HTTP or HTTPS for
+ 'hyper mode' to kick in and make line ending checks work for tests.
+ ## `<reply>`
+ 
+-### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"]>`
++### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"] [crlf="yes"]>`
+ 
+ data to be sent to the client on its request and later verified that it
+ arrived safely. Set `nocheck="yes"` to prevent the test script from verifying
+@@ -224,12 +224,16 @@ and used as "raw" data.
+ `nonewline=yes` means that the last byte (the trailing newline character)
+ should be cut off from the data before sending or comparing it.
+ 
++`crlf=yes` forces *header* newlines to become CRLF even if not written so in
++the source file. Note that this makes runtests.pl parse and "guess" what is a
++header and what is not in order to apply the CRLF line endings appropriately.
++
+ For FTP file listings, the `<data>` section will be used *only* if you make
+ sure that there has been a CWD done first to a directory named `test-[num]`
+ where [num] is the test case number. Otherwise the ftp server can't know from
+ which test file to load the list content.
+ 
+-### `<dataNUM>`
++### `<dataNUM [crlf="yes"]>`
+ 
+ Send back this contents instead of the <data> one. The num is set by:
+ 
+@@ -256,7 +260,7 @@ a connect prefix.
+ ### `<socks>`
+ Address type and address details as logged by the SOCKS proxy.
+ 
+-### `<datacheck [mode="text"] [nonewline="yes"]>`
++### `<datacheck [mode="text"] [nonewline="yes"] [crlf="yes"]>`
+ if the data is sent but this is what should be checked afterwards. If
+ `nonewline=yes` is set, runtests will cut off the trailing newline from the
+ data before comparing with the one actually received by the client.
+@@ -264,7 +268,7 @@ data before comparing with the one actually received by the client.
+ Use the `mode="text"` attribute if the output is in text mode on platforms
+ that have a text/binary difference.
+ 
+-### `<datacheckNUM [nonewline="yes"] [mode="text"]>`
++### `<datacheckNUM [nonewline="yes"] [mode="text"] [crlf="yes"]>`
+ The contents of numbered datacheck sections are appended to the non-numbered
+ one.
+ 
+@@ -549,13 +553,16 @@ changing protocol data such as port numbers or user-agent strings.
+ One perl op per line that operates on the protocol dump. This is pretty
+ advanced. Example: `s/^EPRT .*/EPRT stripped/`.
+ 
+-### `<protocol [nonewline="yes"]>`
++### `<protocol [nonewline="yes"] crlf="yes">`
+ 
+ the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
+ the trailing newline of this given data before comparing with the one actually
+ sent by the client The `<strip>` and `<strippart>` rules are applied before
+ comparisons are made.
+ 
++`crlf=yes` forces the newlines to become CRLF even if not written so in the
++test.
++
+ ### `<proxy [nonewline="yes"]>`
+ 
+ The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
+@@ -572,7 +579,7 @@ have a text/binary difference.
+ If 'nonewline' is set, we will cut off the trailing newline of this given data
+ before comparing with the one actually received by the client
+ 
+-### `<stdout [mode="text"] [nonewline="yes"]>`
++### `<stdout [mode="text"] [nonewline="yes"] [crlf="yes"]>`
+ This verifies that this data was passed to stdout.
+ 
+ Use the mode="text" attribute if the output is in text mode on platforms that
+@@ -581,6 +588,9 @@ have a text/binary difference.
+ If 'nonewline' is set, we will cut off the trailing newline of this given data
+ before comparing with the one actually received by the client
+ 
++`crlf=yes` forces the newlines to become CRLF even if not written so in the
++test.
++
+ ### `<file name="log/filename" [mode="text"]>`
+ The file's contents must be identical to this after the test is complete.  Use
+ the mode="text" attribute if the output is in text mode on platforms that have
+diff --git a/tests/data/test1 b/tests/data/test1
+index f39a08b..700bed8 100644
+--- a/tests/data/test1
++++ b/tests/data/test1
+@@ -9,7 +9,7 @@ HTTP GET
+ #
+ # Server-side
+ <reply>
+-<data>
++<data crlf="yes">
+ HTTP/1.1 200 OK
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+ #
+ # Verify data after the test has been "shot"
+ <verify>
+-<protocol>
+-GET /%TESTNUMBER HTTP/1.1
+-Host: %HOSTIP:%HTTPPORT
+-User-Agent: curl/%VERSION
+-Accept: */*
+-
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
+ </protocol>
+ </verify>
+ </testcase>
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 7eeabfc..88fc799 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -3501,7 +3501,13 @@ sub subBase64 {
+ 
+ my $prevupdate;
+ sub subNewlines {
+-    my ($thing) = @_;
++    my ($force, $thing) = @_;
++
++    if($force) {
++        # enforce CRLF newline
++        $$thing =~ s/\x0d*\x0a/\x0d\x0a/;
++        return;
++    }
+ 
+     # When curl is built with Hyper, it gets all response headers delivered as
+     # name/value pairs and curl "invents" the newlines when it saves the
+@@ -3515,7 +3521,7 @@ sub subNewlines {
+         # skip curl error messages
+         ($$thing !~ /^curl: \(\d+\) /))) {
+         # enforce CRLF newline
+-        $$thing =~ s/\x0a/\x0d\x0a/;
++        $$thing =~ s/\x0d*\x0a/\x0d\x0a/;
+         $prevupdate = 1;
+     }
+     else {
+@@ -3587,6 +3593,7 @@ sub prepro {
+     my (@entiretest) = @_;
+     my $show = 1;
+     my @out;
++    my $data_crlf;
+     for my $s (@entiretest) {
+         my $f = $s;
+         if($s =~ /^ *%if (.*)/) {
+@@ -3610,10 +3617,19 @@ sub prepro {
+             next;
+         }
+         if($show) {
++            # The processor does CRLF replacements in the <data*> sections if
++            # necessary since those parts might be read by separate servers.
++            if($s =~ /^ *<data(.*)\>/) {
++                if($1 =~ /crlf="yes"/ || $has_hyper) {
++                    $data_crlf = 1;
++                }
++            }
++            elsif(($s =~ /^ *<\/data/) && $data_crlf) {
++                $data_crlf = 0;
++            }
+             subVariables(\$s, $testnum, "%");
+             subBase64(\$s);
+-            subNewlines(\$s) if($has_hyper && ($keywords{"HTTP"} ||
+-                                               $keywords{"HTTPS"}));
++            subNewlines(0, \$s) if($data_crlf);
+             push @out, $s;
+         }
+     }
+@@ -3929,6 +3945,11 @@ sub singletest {
+                     # of the datacheck
+                     chomp($replycheckpart[$#replycheckpart]);
+                 }
++                if($replycheckpartattr{'crlf'} ||
++                   ($has_hyper && ($keywords{"HTTP"}
++                                   || $keywords{"HTTPS"}))) {
++                    map subNewlines(0, \$_), @replycheckpart;
++                }
+                 push(@reply, @replycheckpart);
+             }
+         }
+@@ -3950,6 +3971,11 @@ sub singletest {
+             map s/\r\n/\n/g, @reply;
+             map s/\n/\r\n/g, @reply;
+         }
++        if($replyattr{'crlf'} ||
++           ($has_hyper && ($keywords{"HTTP"}
++                           || $keywords{"HTTPS"}))) {
++            map subNewlines(0, \$_), @reply;
++        }
+     }
+ 
+     # this is the valid protocol blurb curl should generate
+@@ -4406,6 +4432,12 @@ sub singletest {
+             chomp($validstdout[$#validstdout]);
+         }
+ 
++        if($hash{'crlf'} ||
++           ($has_hyper && ($keywords{"HTTP"}
++                           || $keywords{"HTTPS"}))) {
++            map subNewlines(0, \$_), @validstdout;
++        }
++
+         $res = compare($testnum, $testname, "stdout", \@actual, \@validstdout);
+         if($res) {
+             return $errorreturncode;
+@@ -4506,6 +4538,10 @@ sub singletest {
+             }
+         }
+ 
++        if($hash{'crlf'}) {
++            map subNewlines(1, \$_), @protstrip;
++        }
++
+         if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) {
+             logmsg "\n $testnum: protocol FAILED!\n".
+                 " There was no content at all in the file $SERVERIN.\n".
+@@ -4637,6 +4673,11 @@ sub singletest {
+                 map s/\r\n/\n/g, @outfile;
+                 map s/\n/\r\n/g, @outfile;
+             }
++            if($hash{'crlf'} ||
++               ($has_hyper && ($keywords{"HTTP"}
++                               || $keywords{"HTTPS"}))) {
++                map subNewlines(0, \$_), @outfile;
++            }
+ 
+             my $strip;
+             for $strip (@stripfile) {
+-- 
+2.39.1
+
+
+From 117fce3d4fe11c36a20403cd4d6850e5b8771b41 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:20 +0100
+Subject: [PATCH 2/6] share: add sharing of HSTS cache among handles
+
+Closes #10138
+
+Upstream-commit: 076a2f629119222aeeb50f5a03bf9f9052fabb9a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLSHOPT_SHARE.3 |  4 +++
+ docs/libcurl/symbols-in-versions    |  1 +
+ include/curl/curl.h                 |  1 +
+ lib/hsts.c                          | 15 +++++++++
+ lib/hsts.h                          |  2 ++
+ lib/setopt.c                        | 48 ++++++++++++++++++++++++-----
+ lib/share.c                         | 32 +++++++++++++++++--
+ lib/share.h                         |  6 +++-
+ lib/transfer.c                      |  3 ++
+ lib/url.c                           |  6 +++-
+ lib/urldata.h                       |  2 ++
+ 11 files changed, 109 insertions(+), 11 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLSHOPT_SHARE.3 b/docs/libcurl/opts/CURLSHOPT_SHARE.3
+index 92783b6..b15af82 100644
+--- a/docs/libcurl/opts/CURLSHOPT_SHARE.3
++++ b/docs/libcurl/opts/CURLSHOPT_SHARE.3
+@@ -79,6 +79,10 @@ Added in 7.61.0.
+ 
+ Note that when you use the multi interface, all easy handles added to the same
+ multi handle will share PSL cache by default without using this option.
++.IP CURL_LOCK_DATA_HSTS
++The in-memory HSTS cache.
++
++Added in 7.88.0
+ .SH PROTOCOLS
+ All
+ .SH EXAMPLE
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index 5ee245d..41fffc3 100644
+--- a/docs/libcurl/symbols-in-versions
++++ b/docs/libcurl/symbols-in-versions
+@@ -67,6 +67,7 @@ CURL_LOCK_ACCESS_SINGLE         7.10.3
+ CURL_LOCK_DATA_CONNECT          7.10.3
+ CURL_LOCK_DATA_COOKIE           7.10.3
+ CURL_LOCK_DATA_DNS              7.10.3
++CURL_LOCK_DATA_HSTS             7.88.0
+ CURL_LOCK_DATA_NONE             7.10.3
+ CURL_LOCK_DATA_PSL              7.61.0
+ CURL_LOCK_DATA_SHARE            7.10.4
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index 139df99..5758e3b 100644
+--- a/include/curl/curl.h
++++ b/include/curl/curl.h
+@@ -2882,6 +2882,7 @@ typedef enum {
+   CURL_LOCK_DATA_SSL_SESSION,
+   CURL_LOCK_DATA_CONNECT,
+   CURL_LOCK_DATA_PSL,
++  CURL_LOCK_DATA_HSTS,
+   CURL_LOCK_DATA_LAST
+ } curl_lock_data;
+ 
+diff --git a/lib/hsts.c b/lib/hsts.c
+index c449120..339237b 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -39,6 +39,7 @@
+ #include "parsedate.h"
+ #include "fopen.h"
+ #include "rename.h"
++#include "share.h"
+ #include "strtoofft.h"
+ 
+ /* The last 3 #include files should be in this order */
+@@ -552,4 +553,18 @@ CURLcode Curl_hsts_loadcb(struct Curl_easy *data, struct hsts *h)
+   return CURLE_OK;
+ }
+ 
++void Curl_hsts_loadfiles(struct Curl_easy *data)
++{
++  struct curl_slist *l = data->set.hstslist;
++  if(l) {
++    Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE);
++
++    while(l) {
++      (void)Curl_hsts_loadfile(data, data->hsts, l->data);
++      l = l->next;
++    }
++    Curl_share_unlock(data, CURL_LOCK_DATA_HSTS);
++  }
++}
++
+ #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */
+diff --git a/lib/hsts.h b/lib/hsts.h
+index 0e36a77..3da7574 100644
+--- a/lib/hsts.h
++++ b/lib/hsts.h
+@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_easy *data,
+                             struct hsts *h, const char *file);
+ CURLcode Curl_hsts_loadcb(struct Curl_easy *data,
+                           struct hsts *h);
++void Curl_hsts_loadfiles(struct Curl_easy *data);
+ #else
+ #define Curl_hsts_cleanup(x)
+ #define Curl_hsts_loadcb(x,y) CURLE_OK
+ #define Curl_hsts_save(x,y,z)
++#define Curl_hsts_loadfiles(x)
+ #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */
+ #endif /* HEADER_CURL_HSTS_H */
+diff --git a/lib/setopt.c b/lib/setopt.c
+index b77e95b..f71a606 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2283,9 +2283,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+         data->cookies = NULL;
+ #endif
+ 
++#ifndef CURL_DISABLE_HSTS
++      if(data->share->hsts == data->hsts)
++        data->hsts = NULL;
++#endif
++#ifdef USE_SSL
+       if(data->share->sslsession == data->state.session)
+         data->state.session = NULL;
+-
++#endif
+ #ifdef USE_LIBPSL
+       if(data->psl == &data->share->psl)
+         data->psl = data->multi? &data->multi->psl: NULL;
+@@ -2319,10 +2324,19 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+         data->cookies = data->share->cookies;
+       }
+ #endif   /* CURL_DISABLE_HTTP */
++#ifndef CURL_DISABLE_HSTS
++      if(data->share->hsts) {
++        /* first free the private one if any */
++        Curl_hsts_cleanup(&data->hsts);
++        data->hsts = data->share->hsts;
++      }
++#endif   /* CURL_DISABLE_HTTP */
++#ifdef USE_SSL
+       if(data->share->sslsession) {
+         data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions;
+         data->state.session = data->share->sslsession;
+       }
++#endif
+ #ifdef USE_LIBPSL
+       if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL))
+         data->psl = &data->share->psl;
+@@ -3071,19 +3085,39 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+   case CURLOPT_HSTSWRITEDATA:
+     data->set.hsts_write_userp = va_arg(param, void *);
+     break;
+-  case CURLOPT_HSTS:
++  case CURLOPT_HSTS: {
++    struct curl_slist *h;
+     if(!data->hsts) {
+       data->hsts = Curl_hsts_init();
+       if(!data->hsts)
+         return CURLE_OUT_OF_MEMORY;
+     }
+     argptr = va_arg(param, char *);
+-    result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr);
+-    if(result)
+-      return result;
+-    if(argptr)
+-      (void)Curl_hsts_loadfile(data, data->hsts, argptr);
++    if(argptr) {
++      result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr);
++      if(result)
++        return result;
++      /* this needs to build a list of file names to read from, so that it can
++         read them later, as we might get a shared HSTS handle to load them
++         into */
++      h = curl_slist_append(data->set.hstslist, argptr);
++      if(!h) {
++        curl_slist_free_all(data->set.hstslist);
++        data->set.hstslist = NULL;
++        return CURLE_OUT_OF_MEMORY;
++      }
++      data->set.hstslist = h; /* store the list for later use */
++    }
++    else {
++      /* clear the list of HSTS files */
++      curl_slist_free_all(data->set.hstslist);
++      data->set.hstslist = NULL;
++      if(!data->share || !data->share->hsts)
++        /* throw away the HSTS cache unless shared */
++        Curl_hsts_cleanup(&data->hsts);
++    }
+     break;
++  }
+   case CURLOPT_HSTS_CTRL:
+     arg = va_arg(param, long);
+     if(arg & CURLHSTS_ENABLE) {
+diff --git a/lib/share.c b/lib/share.c
+index 1a083e7..69ee00b 100644
+--- a/lib/share.c
++++ b/lib/share.c
+@@ -29,9 +29,11 @@
+ #include "share.h"
+ #include "psl.h"
+ #include "vtls/vtls.h"
+-#include "curl_memory.h"
++#include "hsts.h"
+ 
+-/* The last #include file should be: */
++/* The last 3 #include files should be in this order */
++#include "curl_printf.h"
++#include "curl_memory.h"
+ #include "memdebug.h"
+ 
+ struct Curl_share *
+@@ -89,6 +91,18 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...)
+ #endif
+       break;
+ 
++    case CURL_LOCK_DATA_HSTS:
++#ifndef CURL_DISABLE_HSTS
++      if(!share->hsts) {
++        share->hsts = Curl_hsts_init();
++        if(!share->hsts)
++          res = CURLSHE_NOMEM;
++      }
++#else   /* CURL_DISABLE_HSTS */
++      res = CURLSHE_NOT_BUILT_IN;
++#endif
++      break;
++
+     case CURL_LOCK_DATA_SSL_SESSION:
+ #ifdef USE_SSL
+       if(!share->sslsession) {
+@@ -141,6 +155,16 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...)
+ #endif
+       break;
+ 
++    case CURL_LOCK_DATA_HSTS:
++#ifndef CURL_DISABLE_HSTS
++      if(share->hsts) {
++        Curl_hsts_cleanup(&share->hsts);
++      }
++#else   /* CURL_DISABLE_HSTS */
++      res = CURLSHE_NOT_BUILT_IN;
++#endif
++      break;
++
+     case CURL_LOCK_DATA_SSL_SESSION:
+ #ifdef USE_SSL
+       Curl_safefree(share->sslsession);
+@@ -207,6 +231,10 @@ curl_share_cleanup(struct Curl_share *share)
+   Curl_cookie_cleanup(share->cookies);
+ #endif
+ 
++#ifndef CURL_DISABLE_HSTS
++  Curl_hsts_cleanup(&share->hsts);
++#endif
++
+ #ifdef USE_SSL
+   if(share->sslsession) {
+     size_t i;
+diff --git a/lib/share.h b/lib/share.h
+index 32be416..2449730 100644
+--- a/lib/share.h
++++ b/lib/share.h
+@@ -59,10 +59,14 @@ struct Curl_share {
+ #ifdef USE_LIBPSL
+   struct PslCache psl;
+ #endif
+-
++#ifndef CURL_DISABLE_HSTS
++  struct hsts *hsts;
++#endif
++#ifdef USE_SSL
+   struct Curl_ssl_session *sslsession;
+   size_t max_ssl_sessions;
+   long sessionage;
++#endif
+ };
+ 
+ CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data,
+diff --git a/lib/transfer.c b/lib/transfer.c
+index ba0410f..d433117 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1469,6 +1469,9 @@ CURLcode Curl_pretransfer(struct Curl_easy *data)
+   if(data->state.resolve)
+     result = Curl_loadhostpairs(data);
+ 
++  /* If there is a list of hsts files to read */
++  Curl_hsts_loadfiles(data);
++
+   if(!result) {
+     /* Allow data->set.use_port to set which port to use. This needs to be
+      * disabled for example when we follow Location: headers to URLs using
+diff --git a/lib/url.c b/lib/url.c
+index 3ab63a0..831ae06 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -435,7 +435,11 @@ CURLcode Curl_close(struct Curl_easy **datap)
+   Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]);
+   Curl_altsvc_cleanup(&data->asi);
+   Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]);
+-  Curl_hsts_cleanup(&data->hsts);
++#ifndef CURL_DISABLE_HSTS
++  if(!data->share || !data->share->hsts)
++    Curl_hsts_cleanup(&data->hsts);
++  curl_slist_free_all(data->set.hstslist); /* clean up list */
++#endif
+ #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+   Curl_http_auth_cleanup_digest(data);
+ #endif
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 3d7545c..5b4b34f 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1672,6 +1672,8 @@ struct UserDefined {
+ 
+   void *seek_client;    /* pointer to pass to the seek callback */
+ #ifndef CURL_DISABLE_HSTS
++  struct curl_slist *hstslist; /* list of HSTS files set by
++                                  curl_easy_setopt(HSTS) calls */
+   curl_hstsread_callback hsts_read;
+   void *hsts_read_userp;
+   curl_hstswrite_callback hsts_write;
+-- 
+2.39.1
+
+
+From 32066a5fa8f649da2aa7a4e4e86bc0b73d32212f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH 3/6] tool_operate: share HSTS between handles
+
+Upstream-commit: 0bf8b796a0ea98395b390c7807187982215f5c11
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_operate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index 79db063..a5b024e 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -2698,6 +2698,7 @@ CURLcode operate(struct GlobalConfig *global, int argc, argv_item_t argv[])
+         curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);
+         curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT);
+         curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL);
++        curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS);
+ 
+         /* Get the required arguments for each operation */
+         do {
+-- 
+2.39.1
+
+
+From fe6b64ac33a0994e5f50ef8b3d0916b3a248a7e8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH 4/6] hsts: handle adding the same host name again
+
+It will then use the largest expire time of the two entries.
+
+Upstream-commit: ca02a77f05bd5cef20618c8f741aa48b7be0a648
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/hsts.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 339237b..8d6723e 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -427,14 +427,23 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+   if(2 == rc) {
+     time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) :
+       TIME_T_MAX;
+-    CURLcode result;
++    CURLcode result = CURLE_OK;
+     char *p = host;
+     bool subdomain = FALSE;
++    struct stsentry *e;
+     if(p[0] == '.') {
+       p++;
+       subdomain = TRUE;
+     }
+-    result = hsts_create(h, p, subdomain, expires);
++    /* only add it if not already present */
++    e = Curl_hsts(h, p, subdomain);
++    if(!e)
++      result = hsts_create(h, p, subdomain, expires);
++    else {
++      /* the same host name, use the largest expire time */
++      if(expires > e->expires)
++        e->expires = expires;
++    }
+     if(result)
+       return result;
+   }
+-- 
+2.39.1
+
+
+From c52b93434c65ec8a44193a6f2b833a1efec8f643 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH 5/6] runtests: support crlf="yes" for verify/proxy
+
+Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/FILEFORMAT.md | 4 ++--
+ tests/runtests.pl   | 5 +++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
+index 8143967..be11167 100644
+--- a/tests/FILEFORMAT.md
++++ b/tests/FILEFORMAT.md
+@@ -553,7 +553,7 @@ changing protocol data such as port numbers or user-agent strings.
+ One perl op per line that operates on the protocol dump. This is pretty
+ advanced. Example: `s/^EPRT .*/EPRT stripped/`.
+ 
+-### `<protocol [nonewline="yes"] crlf="yes">`
++### `<protocol [nonewline="yes"][crlf="yes"]>`
+ 
+ the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
+ the trailing newline of this given data before comparing with the one actually
+@@ -563,7 +563,7 @@ comparisons are made.
+ `crlf=yes` forces the newlines to become CRLF even if not written so in the
+ test.
+ 
+-### `<proxy [nonewline="yes"]>`
++### `<proxy [nonewline="yes"][crlf="yes"]>`
+ 
+ The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
+ server is used), if 'nonewline' is set, we will cut off the trailing newline
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index c6a739e..f49e385 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -4634,6 +4634,11 @@ sub singletest {
+             }
+         }
+ 
++        if($hash{'crlf'} ||
++           ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) {
++            map subNewlines(0, \$_), @protstrip;
++        }
++
+         $res = compare($testnum, $testname, "proxy", \@out, \@protstrip);
+         if($res) {
+             return $errorreturncode;
+-- 
+2.39.1
+
+
+From e428f66157caedc1f58ff5206915842937b0950e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH 6/6] test446: verify hsts with two URLs
+
+Upstream-commit: ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test446      | 84 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 85 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test446
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3e0221a..fb51cd6 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -71,7 +71,7 @@ test408 test409 test410 test411 test412 test413 test414 \
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
+-test440 test441 test442 test443 test444 test445 \
++test440 test441 test442 test443 test444 test445 test446 \
+ \
+ test490 test491 test492 test493 test494 \
+ \
+diff --git a/tests/data/test446 b/tests/data/test446
+new file mode 100644
+index 0000000..0e2dfdc
+--- /dev/null
++++ b/tests/data/test446
+@@ -0,0 +1,84 @@
++<?xml version="1.0" encoding="ISO-8859-1"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++HSTS
++trailing-dot
++</keywords>
++</info>
++
++<reply>
++
++# we use this as response to a CONNECT
++<connect nocheck="yes">
++HTTP/1.1 200 OK
++
++</connect>
++<data crlf="yes">
++HTTP/1.1 200 OK
++Content-Length: 6
++Strict-Transport-Security: max-age=604800
++
++-foo-
++</data>
++<data2 crlf="yes">
++HTTP/1.1 200 OK
++Content-Length: 6
++Strict-Transport-Security: max-age=6048000
++
++-baa-
++</data2>
++</reply>
++
++<client>
++<server>
++https
++http-proxy
++</server>
++<features>
++HSTS
++proxy
++https
++debug
++</features>
++<setenv>
++CURL_HSTS_HTTP=yes
++CURL_TIME=2000000000
++</setenv>
++
++<name>
++HSTS with two URLs
++</name>
++<command>
++-x http://%HOSTIP:%PROXYPORT --hsts log/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002
++</command>
++</client>
++
++<verify>
++# we let it CONNECT to the server to confirm HSTS but deny from there
++<proxy crlf="yes">
++GET http://this.hsts.example./%TESTNUMBER HTTP/1.1
++Host: this.hsts.example.
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1
++Host: another.example.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</proxy>
++
++<file name="log/hsts%TESTNUMBER" mode="text">
++# Your HSTS cache. https://curl.se/docs/hsts.html
++# This file was generated by libcurl! Edit at your own risk.
++this.hsts.example "20330525 03:33:20"
++another.example.com "20330727 03:33:20"
++</file>
++
++</verify>
++</testcase>
+-- 
+2.39.1
+

0007-curl-7.85.0-CVE-2023-23916.patch

@@ -0,0 +1,243 @@
+From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 13 Feb 2023 08:33:09 +0100
+Subject: [PATCH] content_encoding: do not reset stage counter for each header
+
+Test 418 verifies
+
+Closes #10492
+
+Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/content_encoding.c  |   7 +-
+ lib/urldata.h           |   1 +
+ tests/data/Makefile.inc |   1 +
+ tests/data/test387      |   2 +-
+ tests/data/test418      | 152 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 158 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test418
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index bfc13e2..94344d6 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1037,7 +1037,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
+-  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1072,9 +1071,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
+-      if(++counter >= MAX_ENCODE_STACK) {
+-        failf(data, "Reject response due to %u content encodings",
+-              counter);
++      if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to more than %u content encodings",
++              MAX_ENCODE_STACK);
+         return CURLE_BAD_CONTENT_ENCODING;
+       }
+       /* Stack the unencoding stage. */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 5b4b34f..8c8c20b 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -682,6 +682,7 @@ struct SingleRequest {
+   struct dohdata *doh; /* DoH specific data for this request */
+ #endif
+   unsigned char setcookies;
++  unsigned char writer_stack_depth; /* Unencoding stack depth. */
+   BIT(header);        /* incoming data has HTTP header */
+   BIT(content_range); /* set TRUE if Content-Range: was found */
+   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index fb51cd6..86b6f85 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -68,6 +68,7 @@ test380 test381 test383 test384 test385 test386 test387 test388 test389 \
+ test390 test391 test392 test393 test394 test395 test396 test397 test398 \
+ test399 test400 test401 test402 test403 test404 test405 test406 test407 \
+ test408 test409 test410 test411 test412 test413 test414 \
++        test418 \
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
+diff --git a/tests/data/test387 b/tests/data/test387
+index 015ec25..644fc7f 100644
+--- a/tests/data/test387
++++ b/tests/data/test387
+@@ -47,7 +47,7 @@ Accept: */*
+ 61
+ </errorcode>
+ <stderr mode="text">
+-curl: (61) Reject response due to 5 content encodings
++curl: (61) Reject response due to more than 5 content encodings
+ </stderr>
+ </verify>
+ </testcase>
+diff --git a/tests/data/test418 b/tests/data/test418
+new file mode 100644
+index 0000000..50e974e
+--- /dev/null
++++ b/tests/data/test418
+@@ -0,0 +1,152 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++gzip
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Response with multiple Transfer-Encoding headers
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++<errorcode>
++61
++</errorcode>
++<stderr mode="text">
++curl: (61) Reject response due to more than 5 content encodings
++</stderr>
++</verify>
++</testcase>
+-- 
+2.39.1
+

0008-curl-7.85.0-extern-c-header.patch

@@ -0,0 +1,46 @@
+From ff61b969e41a4c9c7f337c905712d84d9ae1da5b Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 7 Sep 2022 03:07:28 -0400
+Subject: [PATCH] header: define public API functions as extern c
+
+Prior to this change linker errors would occur if curl_easy_header or
+curl_easy_nextheader was called from a C++ unit.
+
+Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007
+Reported-by: Andrew Lambert
+
+Closes https://github.com/curl/curl/pull/9446
+
+Upstream-commit: 9c822a99944fd185ba58d8bca935ad5c5e6cd3e1
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ include/curl/header.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/include/curl/header.h b/include/curl/header.h
+index 6af29c0..1598c6f 100644
+--- a/include/curl/header.h
++++ b/include/curl/header.h
+@@ -24,6 +24,10 @@
+  *
+  ***************************************************************************/
+ 
++#ifdef  __cplusplus
++extern "C" {
++#endif
++
+ struct curl_header {
+   char *name;    /* this might not use the same case */
+   char *value;
+@@ -63,4 +67,8 @@ CURL_EXTERN struct curl_header *curl_easy_nextheader(CURL *easy,
+                                                      int request,
+                                                      struct curl_header *prev);
+ 
++#ifdef __cplusplus
++} /* end of extern "C" */
++#endif
++
+ #endif /* CURLINC_HEADER_H */
+-- 
+2.39.2
+

0020-curl-7.85.0-CVE-2022-43551.patch

@@ -0,0 +1,35 @@
+From 3fe91ee75b9f663b7a303ef14e07e28184d1450c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:36:55 +0100
+Subject: [PATCH] http: use the IDN decoded name in HSTS checks
+
+Otherwise it stores the info HSTS into the persistent cache for the IDN
+name which will not match when the HSTS status is later checked for
+using the decoded name.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #10111
+
+Upstream-commit: 9e71901634e276dd050481c4320f046bebb1bc28
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index b0ad28e..8b18e8d 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3654,7 +3654,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
+   else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
+           (conn->handler->flags & PROTOPT_SSL)) {
+     CURLcode check =
+-      Curl_hsts_parse(data->hsts, data->state.up.hostname,
++      Curl_hsts_parse(data->hsts, conn->host.name,
+                       headp + strlen("Strict-Transport-Security:"));
+     if(check)
+       infof(data, "Illegal STS header skipped");
+-- 
+2.38.1
+

0021-curl-7.85.0-CVE-2022-43552.patch

@@ -0,0 +1,81 @@
+From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/smb.c    | 14 ++------------
+ lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 039d680..f682c1f 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -62,8 +62,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
+ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
+ static CURLcode smb_do(struct Curl_easy *data, bool *done);
+ static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead);
+ static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
+@@ -78,7 +76,7 @@ const struct Curl_handler Curl_handler_smb = {
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -105,7 +103,7 @@ const struct Curl_handler Curl_handler_smbs = {
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+   return CURLE_OK;
+ }
+ 
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(data->req.p.smb);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead)
+ {
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 923c7f8..48cd0d7 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
+ 
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+-
+-  Curl_safefree(data->req.p.telnet);
+-
+   return CURLE_OK;
+ }
+ 
+-- 
+2.38.1
+

0023-curl-7.87.0-CVE-2023-27533.patch

@@ -0,0 +1,59 @@
+From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Mar 2023 12:07:33 +0100
+Subject: [PATCH] telnet: only accept option arguments in ascii
+
+To avoid embedded telnet negotiation commands etc.
+
+Reported-by: Harry Sintonen
+Closes #10728
+
+Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 22bc81e..baea885 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data,
+   }
+ }
+ 
++static bool str_is_nonascii(const char *str)
++{
++  size_t len = strlen(str);
++  while(len--) {
++    if(*str & 0x80)
++      return TRUE;
++    str++;
++  }
++  return FALSE;
++}
++
+ static CURLcode check_telnet_options(struct Curl_easy *data)
+ {
+   struct curl_slist *head;
+@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   /* Add the user name as an environment variable if it
+      was given on the command line */
+   if(data->state.aptr.user) {
++   if(str_is_nonascii(data->conn->user))
++     return CURLE_BAD_FUNCTION_ARGUMENT;
+     msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+     beg = curl_slist_append(tn->telnet_vars, option_arg);
+     if(!beg) {
+@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   for(head = data->set.telnet_options; head; head = head->next) {
+     if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+               option_keyword, option_arg) == 2) {
++      if(str_is_nonascii(option_arg))
++        continue;
+ 
+       /* Terminal type */
+       if(strcasecompare(option_keyword, "TTYPE")) {
+-- 
+2.39.2
+

0025-curl-7.85.0-CVE-2023-27535.patch

@@ -0,0 +1,237 @@
+From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH 1/2] strcase: add Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-commit: ed5095ed94281989e103c72e032200b83be37878
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/strcase.c | 22 ++++++++++++++++++++++
+ lib/strcase.h |  1 +
+ 2 files changed, 23 insertions(+)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index f932485..c73907d 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -179,6 +179,28 @@ bool Curl_safecmp(char *a, char *b)
+   return !a && !b;
+ }
+ 
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++  int match = 0;
++  int i = 0;
++
++  if(a && b) {
++    while(1) {
++      match |= a[i]^b[i];
++      if(!a[i] || !b[i])
++        break;
++      i++;
++    }
++  }
++  else
++    return a || b;
++  return match;
++}
++
+ /* --- public functions --- */
+ 
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index d245929..11a67a1 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -52,5 +52,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+ 
+ bool Curl_safecmp(char *a, char *b);
++int Curl_timestrcmp(const char *first, const char *second);
+ 
+ #endif /* HEADER_CURL_STRCASE_H */
+-- 
+2.39.2
+
+
+From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 17:47:06 +0100
+Subject: [PATCH 2/2] ftp: add more conditions for connection reuse
+
+Reported-by: Harry Sintonen
+Closes #10730
+
+Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ftp.c     | 28 ++++++++++++++++++++++++++--
+ lib/ftp.h     |  5 +++++
+ lib/setopt.c  |  2 +-
+ lib/url.c     | 16 +++++++++++++++-
+ lib/urldata.h |  4 ++--
+ 5 files changed, 49 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 9442832..df15bc0 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -4107,6 +4107,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data,
+   }
+ 
+   freedirs(ftpc);
++  Curl_safefree(ftpc->account);
++  Curl_safefree(ftpc->alternative_to_user);
+   Curl_safefree(ftpc->prevpath);
+   Curl_safefree(ftpc->server_os);
+   Curl_pp_disconnect(pp);
+@@ -4374,11 +4376,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+ {
+   char *type;
+   struct FTP *ftp;
++  struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+-  data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
++  ftp = calloc(sizeof(struct FTP), 1);
+   if(!ftp)
+     return CURLE_OUT_OF_MEMORY;
+ 
++  /* clone connection related data that is FTP specific */
++  if(data->set.str[STRING_FTP_ACCOUNT]) {
++    ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
++    if(!ftpc->account) {
++      free(ftp);
++      return CURLE_OUT_OF_MEMORY;
++    }
++  }
++  if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
++    ftpc->alternative_to_user =
++      strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
++    if(!ftpc->alternative_to_user) {
++      Curl_safefree(ftpc->account);
++      free(ftp);
++      return CURLE_OUT_OF_MEMORY;
++    }
++  }
++  data->req.p.ftp = ftp;
++
+   ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
+ 
+   /* FTP URLs support an extension like ";type=<typecode>" that
+@@ -4413,7 +4435,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+   /* get some initial data into the ftp struct */
+   ftp->transfer = PPTRANSFER_BODY;
+   ftp->downloadsize = 0;
+-  conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
++  ftpc->known_filesize = -1; /* unknown size for now */
++  ftpc->use_ssl = data->set.use_ssl;
++  ftpc->ccc = data->set.ftp_ccc;
+ 
+   return CURLE_OK;
+ }
+diff --git a/lib/ftp.h b/lib/ftp.h
+index 7f6f432..3f33e27 100644
+--- a/lib/ftp.h
++++ b/lib/ftp.h
+@@ -119,6 +119,8 @@ struct FTP {
+    struct */
+ struct ftp_conn {
+   struct pingpong pp;
++  char *account;
++  char *alternative_to_user;
+   char *entrypath; /* the PWD reply when we logged on */
+   char *file;    /* url-decoded file name (or path) */
+   char **dirs;   /* realloc()ed array for path components */
+@@ -148,6 +150,9 @@ struct ftp_conn {
+   ftpstate state; /* always use ftp.c:state() to change state! */
+   ftpstate state_saved; /* transfer type saved to be reloaded after
+                            data connection is established */
++  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
++                              IMAP or POP3 or others! (type: curl_usessl)*/
++  unsigned char ccc;       /* ccc level for this connection */
+   curl_off_t retr_size_saved; /* Size of retrieved file saved */
+   char *server_os;     /* The target server operating system. */
+   curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 3339a67..6fc111d 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2374,7 +2374,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     arg = va_arg(param, long);
+     if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST))
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+-    data->set.use_ssl = (curl_usessl)arg;
++    data->set.use_ssl = (unsigned char)arg;
+     break;
+ 
+   case CURLOPT_SSL_OPTIONS:
+diff --git a/lib/url.c b/lib/url.c
+index 61ba832..4e21838 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1378,10 +1378,24 @@ ConnectionExists(struct Curl_easy *data,
+          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+         continue;
+ 
+-      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
++#ifdef USE_SSH
++      else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+       }
++#endif
++#ifndef CURL_DISABLE_FTP
++      else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) {
++        /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
++        if(Curl_timestrcmp(needle->proto.ftpc.account,
++                           check->proto.ftpc.account) ||
++           Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
++                           check->proto.ftpc.alternative_to_user) ||
++           (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
++           (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
++          continue;
++      }
++#endif
+ 
+       if((needle->handler->flags&PROTOPT_SSL)
+ #ifndef CURL_DISABLE_PROXY
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 9d9ca92..4e2f5b9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1760,8 +1760,6 @@ struct UserDefined {
+ #ifndef CURL_DISABLE_NETRC
+   unsigned char use_netrc;        /* enum CURL_NETRC_OPTION values  */
+ #endif
+-  curl_usessl use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
+-                            IMAP or POP3 or others! */
+   unsigned int new_file_perms;      /* when creating remote files */
+   unsigned int new_directory_perms; /* when creating remote dirs */
+   int ssh_auth_types;    /* allowed SSH auth types */
+@@ -1820,6 +1818,8 @@ struct UserDefined {
+   BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some
+                                 recipients */
+ #endif
++  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
++                              IMAP or POP3 or others! (type: curl_usessl)*/
+   BIT(is_fread_set); /* has read callback been set to non-NULL? */
+ #ifndef CURL_DISABLE_TFTP
+   BIT(tftp_no_options); /* do not send TFTP options requests */
+-- 
+2.39.2
+

0026-curl-7.85.0-CVE-2023-27536.patch

@@ -0,0 +1,54 @@
+From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 09:22:43 +0100
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c     | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 3b11b7e..cbbc7f3 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1371,6 +1371,11 @@ ConnectionExists(struct Curl_easy *data,
+         }
+       }
+ 
++      /* GSS delegation differences do not actually affect every connection
++         and auth method, but this check takes precaution before efficiency */
++      if(needle->gssapi_delegation != check->gssapi_delegation)
++        continue;
++
+       /* If multiplexing isn't enabled on the h2 connection and h1 is
+          explicitly requested, handle it: */
+       if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
+@@ -1838,6 +1843,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->fclosesocket = data->set.fclosesocket;
+   conn->closesocket_client = data->set.closesocket_client;
+   conn->lastused = Curl_now(); /* used now */
++  conn->gssapi_delegation = data->set.gssapi_delegation;
+ 
+   return conn;
+   error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ce90304..9e16f26 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1124,6 +1124,7 @@ struct connectdata {
+   unsigned char transport; /* one of the TRNSPRT_* defines */
+   unsigned char ip_version; /* copied from the Curl_easy at creation time */
+   unsigned char httpversion; /* the HTTP version*10 reported by the server */
++  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+ };
+ 
+ /* The end of connectdata. */
+-- 
+2.39.2
+

0027-curl-7.87.0-CVE-2023-27537.patch

@@ -0,0 +1,40 @@
+From ed7451520fd1b5da62a5371c07db69bed36a5486 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 18:01:34 +0100
+Subject: [PATCH] CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
+
+Reported-by: Hiroki Kurosawa
+Closes #10732
+
+Upstream-commit: dca4cdf071be095bcdc7126eaa77a8946ea4790b
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLSHOPT_SHARE.3 | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLSHOPT_SHARE.3 b/docs/libcurl/opts/CURLSHOPT_SHARE.3
+index b15af82..4544160 100644
+--- a/docs/libcurl/opts/CURLSHOPT_SHARE.3
++++ b/docs/libcurl/opts/CURLSHOPT_SHARE.3
+@@ -57,8 +57,7 @@ implemented until 7.23.0.
+ Put the connection cache in the share object and make all easy handles using
+ this share object share the connection cache.
+ 
+-Note that due to a known bug, it is not safe to share connections this way
+-between multiple concurrent threads.
++It is not supported to share connections between multiple concurrent threads.
+ 
+ Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing only
+ get additional transfers added to them if the existing connection is held by
+@@ -82,6 +81,8 @@ multi handle will share PSL cache by default without using this option.
+ .IP CURL_LOCK_DATA_HSTS
+ The in-memory HSTS cache.
+ 
++It is not supported to share the HSTS between multiple concurrent threads.
++
+ Added in 7.88.0
+ .SH PROTOCOLS
+ All
+-- 
+2.39.2
+

0028-curl-7.87.0-CVE-2023-27538.patch

@@ -0,0 +1,30 @@
+From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 08:22:51 +0100
+Subject: [PATCH] url: fix the SSH connection reuse check
+
+Reported-by: Harry Sintonen
+Closes #10735
+
+Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 0c31486..3b11b7e 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1384,7 +1384,7 @@ ConnectionExists(struct Curl_easy *data,
+         continue;
+ 
+ #ifdef USE_SSH
+-      else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
++      else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+       }
+-- 
+2.39.2
+

0029-curl-7.87.0-CVE-2023-28322.patch

@@ -0,0 +1,428 @@
+From 0df9793819c58172595c85c913029e6ae434f6a2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 25 Apr 2023 08:28:01 +0200
+Subject: [PATCH 1/2] lib: unify the upload/method handling
+
+By making sure we set state.upload based on the set.method value and not
+independently as set.upload, we reduce confusion and mixup risks, both
+internally and externally.
+
+Closes #11017
+
+(cherry picked from commit 7815647d6582c0a4900be2e1de6c5e61272c496b)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/curl_rtmp.c    | 4 ++--
+ lib/file.c         | 4 ++--
+ lib/ftp.c          | 8 ++++----
+ lib/http.c         | 4 ++--
+ lib/imap.c         | 6 +++---
+ lib/rtsp.c         | 4 ++--
+ lib/setopt.c       | 6 ++----
+ lib/smb.c          | 4 ++--
+ lib/smtp.c         | 4 ++--
+ lib/tftp.c         | 8 ++++----
+ lib/transfer.c     | 4 ++--
+ lib/urldata.h      | 2 +-
+ lib/vssh/libssh.c  | 6 +++---
+ lib/vssh/libssh2.c | 6 +++---
+ lib/vssh/wolfssh.c | 2 +-
+ 15 files changed, 35 insertions(+), 37 deletions(-)
+
+diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c
+index 1932cb4ec..aeb6ed273 100644
+--- a/lib/curl_rtmp.c
++++ b/lib/curl_rtmp.c
+@@ -231,7 +231,7 @@ static CURLcode rtmp_connect(struct Curl_easy *data, bool *done)
+   /* We have to know if it's a write before we send the
+    * connect request packet
+    */
+-  if(data->set.upload)
++  if(data->state.upload)
+     r->Link.protocol |= RTMP_FEATURE_WRITE;
+ 
+   /* For plain streams, use the buffer toggle trick to keep data flowing */
+@@ -263,7 +263,7 @@ static CURLcode rtmp_do(struct Curl_easy *data, bool *done)
+   if(!RTMP_ConnectStream(r, 0))
+     return CURLE_FAILED_INIT;
+ 
+-  if(data->set.upload) {
++  if(data->state.upload) {
+     Curl_pgrsSetUploadSize(data, data->state.infilesize);
+     Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET);
+   }
+diff --git a/lib/file.c b/lib/file.c
+index 4ed707883..efb32a5e5 100644
+--- a/lib/file.c
++++ b/lib/file.c
+@@ -229,7 +229,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done)
+   file->freepath = real_path; /* free this when done */
+ 
+   file->fd = fd;
+-  if(!data->set.upload && (fd == -1)) {
++  if(!data->state.upload && (fd == -1)) {
+     failf(data, "Couldn't open file %s", data->state.up.path);
+     file_done(data, CURLE_FILE_COULDNT_READ_FILE, FALSE);
+     return CURLE_FILE_COULDNT_READ_FILE;
+@@ -411,7 +411,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done)
+ 
+   Curl_pgrsStartNow(data);
+ 
+-  if(data->set.upload)
++  if(data->state.upload)
+     return file_upload(data);
+ 
+   file = data->req.p.file;
+diff --git a/lib/ftp.c b/lib/ftp.c
+index ad85f74f1..9bb465f39 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -1382,7 +1382,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data)
+                                data->set.str[STRING_CUSTOMREQUEST]?
+                                data->set.str[STRING_CUSTOMREQUEST]:
+                                (data->state.list_only?"NLST":"LIST"));
+-      else if(data->set.upload)
++      else if(data->state.upload)
+         result = Curl_pp_sendf(data, &ftpc->pp, "PRET STOR %s",
+                                conn->proto.ftpc.file);
+       else
+@@ -3379,7 +3379,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status,
+     /* the response code from the transfer showed an error already so no
+        use checking further */
+     ;
+-  else if(data->set.upload) {
++  else if(data->state.upload) {
+     if((-1 != data->state.infilesize) &&
+        (data->state.infilesize != data->req.writebytecount) &&
+        !data->set.crlf &&
+@@ -3656,7 +3656,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep)
+                            connected back to us */
+       }
+     }
+-    else if(data->set.upload) {
++    else if(data->state.upload) {
+       result = ftp_nb_type(data, conn, data->state.prefer_ascii,
+                            FTP_STOR_TYPE);
+       if(result)
+@@ -4245,7 +4245,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data)
+     ftpc->file = NULL; /* instead of point to a zero byte,
+                             we make it a NULL pointer */
+ 
+-  if(data->set.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) {
++  if(data->state.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) {
+     /* We need a file name when uploading. Return error! */
+     failf(data, "Uploading to a URL without a file name");
+     free(rawPath);
+diff --git a/lib/http.c b/lib/http.c
+index aab1a8726..f177c0ef5 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2035,7 +2035,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn,
+   Curl_HttpReq httpreq = (Curl_HttpReq)data->state.httpreq;
+   const char *request;
+   if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
+-     data->set.upload)
++     data->state.upload)
+     httpreq = HTTPREQ_PUT;
+ 
+   /* Now set the 'request' pointer to the proper request string */
+@@ -2352,7 +2352,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn,
+     if((conn->handler->protocol & PROTO_FAMILY_HTTP) &&
+        (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) &&
+          http->postsize < 0) ||
+-        ((data->set.upload || httpreq == HTTPREQ_POST) &&
++        ((data->state.upload || httpreq == HTTPREQ_POST) &&
+          data->state.infilesize == -1))) {
+       if(conn->bits.authneg)
+         /* don't enable chunked during auth neg */
+diff --git a/lib/imap.c b/lib/imap.c
+index 12ee2a47e..8e9e93181 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -1507,11 +1507,11 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status,
+     result = status;         /* use the already set error code */
+   }
+   else if(!data->set.connect_only && !imap->custom &&
+-          (imap->uid || imap->mindex || data->set.upload ||
++          (imap->uid || imap->mindex || data->state.upload ||
+           data->set.mimepost.kind != MIMEKIND_NONE)) {
+     /* Handle responses after FETCH or APPEND transfer has finished */
+ 
+-    if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE)
++    if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE)
+       state(data, IMAP_FETCH_FINAL);
+     else {
+       /* End the APPEND command first by sending an empty line */
+@@ -1577,7 +1577,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected,
+     selected = TRUE;
+ 
+   /* Start the first command in the DO phase */
+-  if(data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE)
++  if(data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE)
+     /* APPEND can be executed directly */
+     result = imap_perform_append(data);
+   else if(imap->custom && (selected || !imap->mailbox))
+diff --git a/lib/rtsp.c b/lib/rtsp.c
+index b4edac790..3d73721c7 100644
+--- a/lib/rtsp.c
++++ b/lib/rtsp.c
+@@ -511,7 +511,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done)
+      rtspreq == RTSPREQ_SET_PARAMETER ||
+      rtspreq == RTSPREQ_GET_PARAMETER) {
+ 
+-    if(data->set.upload) {
++    if(data->state.upload) {
+       putsize = data->state.infilesize;
+       data->state.httpreq = HTTPREQ_PUT;
+ 
+@@ -530,7 +530,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done)
+         result =
+           Curl_dyn_addf(&req_buffer,
+                         "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
+-                        (data->set.upload ? putsize : postsize));
++                        (data->state.upload ? putsize : postsize));
+         if(result)
+           return result;
+       }
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 6fc111dc7..d3d96eb43 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -365,8 +365,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+      * We want to sent data to the remote host. If this is HTTP, that equals
+      * using the PUT request.
+      */
+-    data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE;
+-    if(data->set.upload) {
++    arg = va_arg(param, long);
++    if(arg) {
+       /* If this is HTTP, PUT is what's needed to "upload" */
+       data->set.method = HTTPREQ_PUT;
+       data->set.opt_no_body = FALSE; /* this is implied */
+@@ -696,7 +696,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     }
+     else
+       data->set.method = HTTPREQ_GET;
+-    data->set.upload = FALSE;
+     break;
+ 
+   case CURLOPT_HTTPPOST:
+@@ -944,7 +943,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+      */
+     if(va_arg(param, long)) {
+       data->set.method = HTTPREQ_GET;
+-      data->set.upload = FALSE; /* switch off upload */
+       data->set.opt_no_body = FALSE; /* this is implied */
+     }
+     break;
+diff --git a/lib/smb.c b/lib/smb.c
+index f682c1fbc..28790826f 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -535,7 +535,7 @@ static CURLcode smb_send_open(struct Curl_easy *data)
+   byte_count = strlen(req->path);
+   msg.name_length = smb_swap16((unsigned short)byte_count);
+   msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
+-  if(data->set.upload) {
++  if(data->state.upload) {
+     msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
+     msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
+   }
+@@ -814,7 +814,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+     smb_m = (const struct smb_nt_create_response*) msg;
+     req->fid = smb_swap16(smb_m->fid);
+     data->req.offset = 0;
+-    if(data->set.upload) {
++    if(data->state.upload) {
+       data->req.size = data->state.infilesize;
+       Curl_pgrsSetUploadSize(data, data->req.size);
+       next_state = SMB_UPLOAD;
+diff --git a/lib/smtp.c b/lib/smtp.c
+index 6ebb41af6..fa70cefff 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -1413,7 +1413,7 @@ static CURLcode smtp_done(struct Curl_easy *data, CURLcode status,
+     result = status;         /* use the already set error code */
+   }
+   else if(!data->set.connect_only && data->set.mail_rcpt &&
+-          (data->set.upload || data->set.mimepost.kind)) {
++          (data->state.upload || data->set.mimepost.kind)) {
+     /* Calculate the EOB taking into account any terminating CRLF from the
+        previous line of the email or the CRLF of the DATA command when there
+        is "no mail data". RFC-5321, sect. 4.1.1.4.
+@@ -1506,7 +1506,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected,
+   smtp->eob = 2;
+ 
+   /* Start the first command in the DO phase */
+-  if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
++  if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
+     /* MAIL transfer */
+     result = smtp_perform_mail(data);
+   else
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 9e6d9490e..8faec9fe6 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -369,7 +369,7 @@ static CURLcode tftp_parse_option_ack(struct tftp_state_data *state,
+ 
+       /* tsize should be ignored on upload: Who cares about the size of the
+          remote file? */
+-      if(!data->set.upload) {
++      if(!data->state.upload) {
+         if(!tsize) {
+           failf(data, "invalid tsize -:%s:- value in OACK packet", value);
+           return CURLE_TFTP_ILLEGAL;
+@@ -450,7 +450,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
+       return result;
+     }
+ 
+-    if(data->set.upload) {
++    if(data->state.upload) {
+       /* If we are uploading, send an WRQ */
+       setpacketevent(&state->spacket, TFTP_EVENT_WRQ);
+       state->data->req.upload_fromhere =
+@@ -485,7 +485,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
+     if(!data->set.tftp_no_options) {
+       char buf[64];
+       /* add tsize option */
+-      if(data->set.upload && (data->state.infilesize != -1))
++      if(data->state.upload && (data->state.infilesize != -1))
+         msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
+                   data->state.infilesize);
+       else
+@@ -539,7 +539,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
+     break;
+ 
+   case TFTP_EVENT_OACK:
+-    if(data->set.upload) {
++    if(data->state.upload) {
+       result = tftp_connect_for_tx(state, event);
+     }
+     else {
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 620a4ef8f..9f19af7eb 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1392,6 +1392,7 @@ void Curl_init_CONNECT(struct Curl_easy *data)
+ {
+   data->state.fread_func = data->set.fread_func_set;
+   data->state.in = data->set.in_set;
++  data->state.upload = (data->state.httpreq == HTTPREQ_PUT);
+ }
+ 
+ /*
+@@ -1820,7 +1821,6 @@ CURLcode Curl_follow(struct Curl_easy *data,
+          data->state.httpreq != HTTPREQ_POST_MIME) ||
+         !(data->set.keep_post & CURL_REDIR_POST_303))) {
+       data->state.httpreq = HTTPREQ_GET;
+-      data->set.upload = false;
+       infof(data, "Switch to %s",
+             data->set.opt_no_body?"HEAD":"GET");
+     }
+@@ -1858,7 +1858,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url)
+ 
+   /* if we're talking upload, we can't do the checks below, unless the protocol
+      is HTTP as when uploading over HTTP we will still get a response */
+-  if(data->set.upload &&
++  if(data->state.upload &&
+      !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)))
+     return CURLE_OK;
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 547e69cc4..69c14eb54 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1494,6 +1494,7 @@ struct UrlState {
+   BIT(url_alloc);   /* URL string is malloc()'ed */
+   BIT(referer_alloc); /* referer string is malloc()ed */
+   BIT(wildcard_resolve); /* Set to true if any resolve change is a wildcard */
++  BIT(upload);         /* upload request */
+ };
+ 
+ /*
+@@ -1858,7 +1859,6 @@ struct UserDefined {
+   BIT(http_auto_referer); /* set "correct" referer when following
+                              location: */
+   BIT(opt_no_body);    /* as set with CURLOPT_NOBODY */
+-  BIT(upload);         /* upload request */
+   BIT(verbose);        /* output verbosity */
+   BIT(krb);            /* Kerberos connection requested */
+   BIT(reuse_forbid);   /* forbidden to be reused, close after use */
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index a078c464d..33581367b 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -1215,7 +1215,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+     }
+ 
+     case SSH_SFTP_TRANS_INIT:
+-      if(data->set.upload)
++      if(data->state.upload)
+         state(data, SSH_SFTP_UPLOAD_INIT);
+       else {
+         if(protop->path[strlen(protop->path)-1] == '/')
+@@ -1828,7 +1828,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+       /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */
+       ssh_set_blocking(sshc->ssh_session, 1);
+ 
+-      if(data->set.upload) {
++      if(data->state.upload) {
+         if(data->state.infilesize < 0) {
+           failf(data, "SCP requires a known file size for upload");
+           sshc->actualcode = CURLE_UPLOAD_FAILED;
+@@ -1933,7 +1933,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+         break;
+       }
+     case SSH_SCP_DONE:
+-      if(data->set.upload)
++      if(data->state.upload)
+         state(data, SSH_SCP_SEND_EOF);
+       else
+         state(data, SSH_SCP_CHANNEL_FREE);
+diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
+index 74b5d1093..2e08b0717 100644
+--- a/lib/vssh/libssh2.c
++++ b/lib/vssh/libssh2.c
+@@ -2004,7 +2004,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
+     }
+ 
+     case SSH_SFTP_TRANS_INIT:
+-      if(data->set.upload)
++      if(data->state.upload)
+         state(data, SSH_SFTP_UPLOAD_INIT);
+       else {
+         if(sshp->path[strlen(sshp->path)-1] == '/')
+@@ -2677,7 +2677,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
+         break;
+       }
+ 
+-      if(data->set.upload) {
++      if(data->state.upload) {
+         if(data->state.infilesize < 0) {
+           failf(data, "SCP requires a known file size for upload");
+           sshc->actualcode = CURLE_UPLOAD_FAILED;
+@@ -2817,7 +2817,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
+     break;
+ 
+     case SSH_SCP_DONE:
+-      if(data->set.upload)
++      if(data->state.upload)
+         state(data, SSH_SCP_SEND_EOF);
+       else
+         state(data, SSH_SCP_CHANNEL_FREE);
+diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c
+index c2f85f3fe..36ccb1bf9 100644
+--- a/lib/vssh/wolfssh.c
++++ b/lib/vssh/wolfssh.c
+@@ -556,7 +556,7 @@ static CURLcode wssh_statemach_act(struct Curl_easy *data, bool *block)
+       }
+       break;
+     case SSH_SFTP_TRANS_INIT:
+-      if(data->set.upload)
++      if(data->state.upload)
+         state(data, SSH_SFTP_UPLOAD_INIT);
+       else {
+         if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')
+-- 
+2.40.1
+

0030-curl-7.87.0-CVE-2023-28321.patch

@@ -0,0 +1,333 @@
+From 2ab6fd56c7e9f71a6771cc815ba1a960c9e3acd9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 24 Apr 2023 21:07:02 +0200
+Subject: [PATCH 2/2] hostcheck: fix host name wildcard checking
+
+The leftmost "label" of the host name can now only match against single
+'*'. Like the browsers have worked for a long time.
+
+- extended unit test 1397 for this
+- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc
+
+Reported-by: Hiroki Kurosawa
+Closes #11018
+
+(cherry picked from commit 199f2d440d8659b42670c1b796220792b01a97bf)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/vtls/hostcheck.c    |  50 +++++++--------
+ tests/data/test1397     |  10 ++-
+ tests/unit/Makefile.inc |  19 +++++-
+ tests/unit/unit1397.c   | 134 ++++++++++++++++++++++++----------------
+ 4 files changed, 126 insertions(+), 87 deletions(-)
+
+diff --git a/lib/vtls/hostcheck.c b/lib/vtls/hostcheck.c
+index 2a648f20a..fa66e272e 100644
+--- a/lib/vtls/hostcheck.c
++++ b/lib/vtls/hostcheck.c
+@@ -71,7 +71,12 @@ static bool pmatch(const char *hostname, size_t hostlen,
+  * apparent distinction between a name and an IP. We need to detect the use of
+  * an IP address and not wildcard match on such names.
+  *
++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor
++ * "*b".
++ *
+  * Return TRUE on a match. FALSE if not.
++ *
++ * @unittest: 1397
+  */
+ 
+ static bool hostmatch(const char *hostname,
+@@ -79,53 +84,42 @@ static bool hostmatch(const char *hostname,
+                       const char *pattern,
+                       size_t patternlen)
+ {
+-  const char *pattern_label_end, *wildcard, *hostname_label_end;
+-  size_t prefixlen, suffixlen;
++  const char *pattern_label_end;
+ 
+-  /* normalize pattern and hostname by stripping off trailing dots */
++  DEBUGASSERT(pattern);
+   DEBUGASSERT(patternlen);
++  DEBUGASSERT(hostname);
++  DEBUGASSERT(hostlen);
++
++  /* normalize pattern and hostname by stripping off trailing dots */
+   if(hostname[hostlen-1]=='.')
+     hostlen--;
+   if(pattern[patternlen-1]=='.')
+     patternlen--;
+ 
+-  wildcard = memchr(pattern, '*', patternlen);
+-  if(!wildcard)
++  if(strncmp(pattern, "*.", 2))
+     return pmatch(hostname, hostlen, pattern, patternlen);
+ 
+   /* detect IP address as hostname and fail the match if so */
+-  if(Curl_host_is_ipnum(hostname))
++  else if(Curl_host_is_ipnum(hostname))
+     return FALSE;
+ 
+   /* We require at least 2 dots in the pattern to avoid too wide wildcard
+      match. */
+   pattern_label_end = memchr(pattern, '.', patternlen);
+   if(!pattern_label_end ||
+-     (memrchr(pattern, '.', patternlen) == pattern_label_end) ||
+-     strncasecompare(pattern, "xn--", 4))
++     (memrchr(pattern, '.', patternlen) == pattern_label_end))
+     return pmatch(hostname, hostlen, pattern, patternlen);
+-
+-  hostname_label_end = memchr(hostname, '.', hostlen);
+-  if(!hostname_label_end)
+-    return FALSE;
+   else {
+-    size_t skiphost = hostname_label_end - hostname;
+-    size_t skiplen = pattern_label_end - pattern;
+-    if(!pmatch(hostname_label_end, hostlen - skiphost,
+-               pattern_label_end, patternlen - skiplen))
+-      return FALSE;
++    const char *hostname_label_end = memchr(hostname, '.', hostlen);
++    if(hostname_label_end) {
++      size_t skiphost = hostname_label_end - hostname;
++      size_t skiplen = pattern_label_end - pattern;
++      return pmatch(hostname_label_end, hostlen - skiphost,
++                    pattern_label_end, patternlen - skiplen);
++    }
+   }
+-  /* The wildcard must match at least one character, so the left-most
+-     label of the hostname is at least as large as the left-most label
+-     of the pattern. */
+-  if(hostname_label_end - hostname < pattern_label_end - pattern)
+-    return FALSE;
+-
+-  prefixlen = wildcard - pattern;
+-  suffixlen = pattern_label_end - (wildcard + 1);
+-  return strncasecompare(pattern, hostname, prefixlen) &&
+-    strncasecompare(wildcard + 1, hostname_label_end - suffixlen,
+-                    suffixlen) ? TRUE : FALSE;
++  return FALSE;
+ }
+ 
+ /*
+diff --git a/tests/data/test1397 b/tests/data/test1397
+index 84f962abe..f31b2c2a3 100644
+--- a/tests/data/test1397
++++ b/tests/data/test1397
+@@ -2,8 +2,7 @@
+ <info>
+ <keywords>
+ unittest
+-ssl
+-wildcard
++Curl_cert_hostcheck
+ </keywords>
+ </info>
+ 
+@@ -16,9 +15,8 @@ none
+ <features>
+ unittest
+ </features>
+- <name>
+-Check wildcard certificate matching function Curl_cert_hostcheck
+- </name>
++<name>
++Curl_cert_hostcheck unit tests
++</name>
+ </client>
+-
+ </testcase>
+diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc
+index f86cb7c39..1a67c4eca 100644
+--- a/tests/unit/Makefile.inc
++++ b/tests/unit/Makefile.inc
+@@ -37,7 +37,9 @@ UNITPROGS = unit1300 unit1301 unit1302 unit1303 unit1304 unit1305 unit1307 \
+  unit1608 unit1609 unit1610 unit1611 unit1612 \
+  unit1620 unit1621 \
+  unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \
+- unit1660 unit1661
++ unit1660 unit1661 \
++ unit2600 unit2601 unit2602 unit2603 \
++ unit3200
+ 
+ unit1300_SOURCES = unit1300.c $(UNITFILES)
+ unit1300_CPPFLAGS = $(AM_CPPFLAGS)
+@@ -162,3 +164,18 @@ unit1660_CPPFLAGS = $(AM_CPPFLAGS)
+ 
+ unit1661_SOURCES = unit1661.c $(UNITFILES)
+ unit1661_CPPFLAGS = $(AM_CPPFLAGS)
++
++unit2600_SOURCES = unit2600.c $(UNITFILES)
++unit2600_CPPFLAGS = $(AM_CPPFLAGS)
++
++unit2601_SOURCES = unit2601.c $(UNITFILES)
++unit2601_CPPFLAGS = $(AM_CPPFLAGS)
++
++unit2602_SOURCES = unit2602.c $(UNITFILES)
++unit2602_CPPFLAGS = $(AM_CPPFLAGS)
++
++unit2603_SOURCES = unit2603.c $(UNITFILES)
++unit2603_CPPFLAGS = $(AM_CPPFLAGS)
++
++unit3200_SOURCES = unit3200.c $(UNITFILES)
++unit3200_CPPFLAGS = $(AM_CPPFLAGS)
+diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
+index 90ec31c68..0f27fa3d3 100644
+--- a/tests/unit/unit1397.c
++++ b/tests/unit/unit1397.c
+@@ -23,7 +23,6 @@
+  ***************************************************************************/
+ #include "curlcheck.h"
+ 
+-#include "vtls/hostcheck.h" /* from the lib dir */
+ 
+ static CURLcode unit_setup(void)
+ {
+@@ -32,63 +31,94 @@ static CURLcode unit_setup(void)
+ 
+ static void unit_stop(void)
+ {
+-  /* done before shutting down and exiting */
+ }
+ 
+-UNITTEST_START
+-
+ /* only these backends define the tested functions */
+-#if defined(USE_OPENSSL) || defined(USE_GSKIT)
+-
+-  /* here you start doing things and checking that the results are good */
++#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
++#include "vtls/hostcheck.h"
++struct testcase {
++  const char *host;
++  const char *pattern;
++  bool match;
++};
+ 
+-fail_unless(Curl_cert_hostcheck(STRCONST("www.example.com"),
+-                                STRCONST("www.example.com")), "good 1");
+-fail_unless(Curl_cert_hostcheck(STRCONST("*.example.com"),
+-                                STRCONST("www.example.com")),
+-            "good 2");
+-fail_unless(Curl_cert_hostcheck(STRCONST("xxx*.example.com"),
+-                                STRCONST("xxxwww.example.com")), "good 3");
+-fail_unless(Curl_cert_hostcheck(STRCONST("f*.example.com"),
+-                                STRCONST("foo.example.com")), "good 4");
+-fail_unless(Curl_cert_hostcheck(STRCONST("192.168.0.0"),
+-                                STRCONST("192.168.0.0")), "good 5");
++static struct testcase tests[] = {
++  {"", "", FALSE},
++  {"a", "", FALSE},
++  {"", "b", FALSE},
++  {"a", "b", FALSE},
++  {"aa", "bb", FALSE},
++  {"\xff", "\xff", TRUE},
++  {"aa.aa.aa", "aa.aa.bb", FALSE},
++  {"aa.aa.aa", "aa.aa.aa", TRUE},
++  {"aa.aa.aa", "*.aa.bb", FALSE},
++  {"aa.aa.aa", "*.aa.aa", TRUE},
++  {"192.168.0.1", "192.168.0.1", TRUE},
++  {"192.168.0.1", "*.168.0.1", FALSE},
++  {"192.168.0.1", "*.0.1", FALSE},
++  {"h.ello", "*.ello", FALSE},
++  {"h.ello.", "*.ello", FALSE},
++  {"h.ello", "*.ello.", FALSE},
++  {"h.e.llo", "*.e.llo", TRUE},
++  {"h.e.llo", " *.e.llo", FALSE},
++  {" h.e.llo", "*.e.llo", TRUE},
++  {"h.e.llo.", "*.e.llo", TRUE},
++  {"*.e.llo.", "*.e.llo", TRUE},
++  {"************.e.llo.", "*.e.llo", TRUE},
++  {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++   "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
++   "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
++   "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
++   "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
++   ".e.llo.", "*.e.llo", TRUE},
++  {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
++  {"h.e.llo.", "*.e.llo.", TRUE},
++  {"h.e.llo", "*.e.llo.", TRUE},
++  {".h.e.llo", "*.e.llo.", FALSE},
++  {"h.e.llo", "*.*.llo.", FALSE},
++  {"h.e.llo", "h.*.llo", FALSE},
++  {"h.e.llo", "h.e.*", FALSE},
++  {"hello", "*.ello", FALSE},
++  {"hello", "**llo", FALSE},
++  {"bar.foo.example.com", "*.example.com", FALSE},
++  {"foo.example.com", "*.example.com", TRUE},
++  {"baz.example.net", "b*z.example.net", FALSE},
++  {"foobaz.example.net", "*baz.example.net", FALSE},
++  {"xn--l8j.example.local", "x*.example.local", FALSE},
++  {"xn--l8j.example.net", "*.example.net", TRUE},
++  {"xn--l8j.example.net", "*j.example.net", FALSE},
++  {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
++  {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
++  {"xl8j.example.net", "*.example.net", TRUE},
++  {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
++  {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
++  {NULL, NULL, FALSE}
++};
+ 
+-fail_if(Curl_cert_hostcheck(STRCONST("xxx.example.com"),
+-                            STRCONST("www.example.com")), "bad 1");
+-fail_if(Curl_cert_hostcheck(STRCONST("*"),
+-                            STRCONST("www.example.com")),"bad 2");
+-fail_if(Curl_cert_hostcheck(STRCONST("*.*.com"),
+-                            STRCONST("www.example.com")), "bad 3");
+-fail_if(Curl_cert_hostcheck(STRCONST("*.example.com"),
+-                            STRCONST("baa.foo.example.com")), "bad 4");
+-fail_if(Curl_cert_hostcheck(STRCONST("f*.example.com"),
+-                            STRCONST("baa.example.com")), "bad 5");
+-fail_if(Curl_cert_hostcheck(STRCONST("*.com"),
+-                            STRCONST("example.com")), "bad 6");
+-fail_if(Curl_cert_hostcheck(STRCONST("*fail.com"),
+-                            STRCONST("example.com")), "bad 7");
+-fail_if(Curl_cert_hostcheck(STRCONST("*.example."),
+-                            STRCONST("www.example.")), "bad 8");
+-fail_if(Curl_cert_hostcheck(STRCONST("*.example."),
+-                            STRCONST("www.example")), "bad 9");
+-fail_if(Curl_cert_hostcheck(STRCONST(""), STRCONST("www")), "bad 10");
+-fail_if(Curl_cert_hostcheck(STRCONST("*"), STRCONST("www")), "bad 11");
+-fail_if(Curl_cert_hostcheck(STRCONST("*.168.0.0"),
+-                            STRCONST("192.168.0.0")), "bad 12");
+-fail_if(Curl_cert_hostcheck(STRCONST("www.example.com"),
+-                            STRCONST("192.168.0.0")), "bad 13");
+-
+-#ifdef ENABLE_IPV6
+-fail_if(Curl_cert_hostcheck(STRCONST("*::3285:a9ff:fe46:b619"),
+-                            STRCONST("fe80::3285:a9ff:fe46:b619")), "bad 14");
+-fail_unless(Curl_cert_hostcheck(STRCONST("fe80::3285:a9ff:fe46:b619"),
+-                                STRCONST("fe80::3285:a9ff:fe46:b619")),
+-            "good 6");
+-#endif
++UNITTEST_START
++{
++  int i;
++  for(i = 0; tests[i].host; i++) {
++    if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
++                                             strlen(tests[i].pattern),
++                                             tests[i].host,
++                                             strlen(tests[i].host))) {
++      fprintf(stderr,
++              "HOST: %s\n"
++              "PTRN: %s\n"
++              "did %sMATCH\n",
++              tests[i].host,
++              tests[i].pattern,
++              tests[i].match ? "NOT ": "");
++      unitfail++;
++    }
++  }
++}
+ 
+-#endif
++UNITTEST_STOP
++#else
+ 
+-  /* you end the test code like this: */
++UNITTEST_START
+ 
+ UNITTEST_STOP
++#endif
+-- 
+2.40.1
+

0031-curl-7.87.0-CVE-2023-32001.patch

@@ -0,0 +1,40 @@
+From c521ed354ea94b0658a030839df41675fd4913b0 Mon Sep 17 00:00:00 2001
+From: SaltyMilk <soufiane.elmelcaoui@gmail.com>
+Date: Mon, 10 Jul 2023 21:43:28 +0200
+Subject: [PATCH] fopen: optimize
+
+Closes #11419
+
+(cherry picked from commit 0c667188e0c6cda615a036b8a2b4125f2c404dde)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/fopen.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+index ad3691ba9..92f39cf62 100644
+--- a/lib/fopen.c
++++ b/lib/fopen.c
+@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+   int fd = -1;
+   *tempname = NULL;
+ 
+-  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+-    /* a non-regular file, fallback to direct fopen() */
+-    *fh = fopen(filename, FOPEN_WRITETEXT);
+-    if(*fh)
+-      return CURLE_OK;
++  *fh = fopen(filename, FOPEN_WRITETEXT);
++  if(!*fh)
+     goto fail;
+-  }
++  if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
++    return CURLE_OK;
++  fclose(*fh);
++  *fh = NULL;
+ 
+   result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+   if(result)
+-- 
+2.41.0
+

0032-curl-7.87.0-CVE-2023-38039.patch

@@ -0,0 +1,203 @@
+From e0ffb54555f4f5199613f7d2db8dd16ffb2d33b3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Aug 2023 23:34:48 +0200
+Subject: [PATCH] http: return error when receiving too large header set
+
+To avoid abuse. The limit is set to 300 KB for the accumulated size of
+all received HTTP headers for a single response. Incomplete research
+suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
+1MB.
+
+Closes #11582
+
+(cherry picked from commit 3ee79c1674fd6f99e8efca52cd7510e08b766770)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/c-hyper.c  | 13 +++++++------
+ lib/http.c     | 34 ++++++++++++++++++++++++++++++----
+ lib/http.h     |  9 +++++++++
+ lib/pingpong.c |  4 +++-
+ lib/urldata.h  | 17 ++++++++---------
+ 5 files changed, 57 insertions(+), 20 deletions(-)
+
+diff --git a/lib/c-hyper.c b/lib/c-hyper.c
+index 58957934f..8fecf997d 100644
+--- a/lib/c-hyper.c
++++ b/lib/c-hyper.c
+@@ -169,8 +169,11 @@ static int hyper_each_header(void *userdata,
+     }
+   }
+ 
+-  data->info.header_size += (long)len;
+-  data->req.headerbytecount += (long)len;
++  result = Curl_bump_headersize(data, len, FALSE);
++  if(result) {
++    data->state.hresult = result;
++    return HYPER_ITER_BREAK;
++  }
+   return HYPER_ITER_CONTINUE;
+ }
+ 
+@@ -298,10 +301,8 @@ static CURLcode status_line(struct Curl_easy *data,
+     if(result)
+       return result;
+   }
+-  data->info.header_size += (long)len;
+-  data->req.headerbytecount += (long)len;
+-  data->req.httpcode = http_status;
+-  return CURLE_OK;
++  result = Curl_bump_headersize(data, len, FALSE);
++  return result;
+ }
+ 
+ /*
+diff --git a/lib/http.c b/lib/http.c
+index f177c0ef5..76ccc5480 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3824,6 +3824,29 @@ static CURLcode verify_header(struct Curl_easy *data)
+   return CURLE_OK;
+ }
+ 
++CURLcode Curl_bump_headersize(struct Curl_easy *data,
++                              size_t delta,
++                              bool connect_only)
++{
++  size_t bad = 0;
++  if(delta < MAX_HTTP_RESP_HEADER_SIZE) {
++    if(!connect_only)
++      data->req.headerbytecount += (unsigned int)delta;
++    data->info.header_size += (unsigned int)delta;
++    if(data->info.header_size > MAX_HTTP_RESP_HEADER_SIZE)
++      bad = data->info.header_size;
++  }
++  else
++    bad = data->info.header_size + delta;
++  if(bad) {
++    failf(data, "Too large response headers: %zu > %zu",
++          bad, MAX_HTTP_RESP_HEADER_SIZE);
++    return CURLE_RECV_ERROR;
++  }
++  return CURLE_OK;
++}
++
++
+ /*
+  * Read any HTTP header lines from the server and pass them to the client app.
+  */
+@@ -4057,8 +4080,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+       if(result)
+         return result;
+ 
+-      data->info.header_size += (long)headerlen;
+-      data->req.headerbytecount += (long)headerlen;
++      result = Curl_bump_headersize(data, headerlen, FALSE);
++      if(result)
++        return result;
+ 
+       /*
+        * When all the headers have been parsed, see if we should give
+@@ -4358,8 +4382,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+     if(result)
+       return result;
+ 
+-    data->info.header_size += Curl_dyn_len(&data->state.headerb);
+-    data->req.headerbytecount += Curl_dyn_len(&data->state.headerb);
++    result = Curl_bump_headersize(data, Curl_dyn_len(&data->state.headerb),
++                                  FALSE);
++    if(result)
++      return result;
+ 
+     Curl_dyn_reset(&data->state.headerb);
+   }
+diff --git a/lib/http.h b/lib/http.h
+index 2ac287eca..bcf5e0609 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -50,6 +50,10 @@ extern const struct Curl_handler Curl_handler_http;
+ extern const struct Curl_handler Curl_handler_https;
+ #endif
+ 
++CURLcode Curl_bump_headersize(struct Curl_easy *data,
++                              size_t delta,
++                              bool connect_only);
++
+ /* Header specific functions */
+ bool Curl_compareheader(const char *headerline,  /* line to check */
+                         const char *header,   /* header keyword _with_ colon */
+@@ -163,6 +167,11 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data);
+ #define EXPECT_100_THRESHOLD (1024*1024)
+ #endif
+ 
++/* MAX_HTTP_RESP_HEADER_SIZE is the maximum size of all response headers
++   combined that libcurl allows for a single HTTP response, any HTTP
++   version. This count includes CONNECT response headers. */
++#define MAX_HTTP_RESP_HEADER_SIZE (300*1024)
++
+ #endif /* CURL_DISABLE_HTTP */
+ 
+ #ifdef USE_NGHTTP3
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index 74a678a1a..aa536ec62 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -340,7 +340,9 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data,
+       ssize_t clipamount = 0;
+       bool restart = FALSE;
+ 
+-      data->req.headerbytecount += (long)gotbytes;
++      result = Curl_bump_headersize(data, gotbytes, FALSE);
++      if(result)
++        return result;
+ 
+       pp->nread_resp += gotbytes;
+       for(i = 0; i < gotbytes; ptr++, i++) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 69c14eb54..512bae24c 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -612,18 +612,17 @@ struct SingleRequest {
+   curl_off_t bytecount;         /* total number of bytes read */
+   curl_off_t writebytecount;    /* number of bytes written */
+ 
+-  curl_off_t headerbytecount;   /* only count received headers */
+-  curl_off_t deductheadercount; /* this amount of bytes doesn't count when we
+-                                   check if anything has been transferred at
+-                                   the end of a connection. We use this
+-                                   counter to make only a 100 reply (without a
+-                                   following second response code) result in a
+-                                   CURLE_GOT_NOTHING error code */
+-
+   curl_off_t pendingheader;      /* this many bytes left to send is actually
+                                     header and not body */
+   struct curltime start;         /* transfer started at this time */
+   struct curltime now;           /* current time */
++  unsigned int headerbytecount;  /* only count received headers */
++  unsigned int deductheadercount; /* this amount of bytes doesn't count when
++                                     we check if anything has been transferred
++                                     at the end of a connection. We use this
++                                     counter to make only a 100 reply (without
++                                     a following second response code) result
++                                     in a CURLE_GOT_NOTHING error code */
+   enum {
+     HEADER_NORMAL,              /* no bad header at all */
+     HEADER_PARTHEADER,          /* part of the chunk is a bad header, the rest
+@@ -1139,7 +1138,6 @@ struct PureInfo {
+   int httpversion; /* the http version number X.Y = X*10+Y */
+   time_t filetime; /* If requested, this is might get set. Set to -1 if the
+                       time was unretrievable. */
+-  curl_off_t header_size;  /* size of read header(s) in bytes */
+   curl_off_t request_size; /* the amount of bytes sent in the request(s) */
+   unsigned long proxyauthavail; /* what proxy auth types were announced */
+   unsigned long httpauthavail;  /* what host auth types were announced */
+@@ -1147,6 +1145,7 @@ struct PureInfo {
+   char *contenttype; /* the content type of the object */
+   char *wouldredirect; /* URL this would've been redirected to if asked to */
+   curl_off_t retry_after; /* info from Retry-After: header */
++  unsigned int header_size;  /* size of read header(s) in bytes */
+ 
+   /* PureInfo members 'conn_primary_ip', 'conn_primary_port', 'conn_local_ip'
+      and, 'conn_local_port' are copied over from the connectdata struct in
+-- 
+2.41.0
+

0033-curl-7.85.0-CVE-2023-38545.patch

@@ -0,0 +1,135 @@
+From 62a500e504dd361d7d271e23cbfa27ec0937cee1 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 11 Oct 2023 07:34:19 +0200
+Subject: [PATCH 1/2] socks: return error if hostname too long for remote
+ resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+
+(cherry picked from commit fb4415d8aee6c1045be932a34fe6107c2f5ed147)
+
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/socks.c             |  8 +++---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test728      | 64 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index 52c29880a..63abff629 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -538,9 +538,9 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
+ 
+     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+     if(!socks5_resolve_local && hostname_len > 255) {
+-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-            "length > 255 [actual len=%zu]", hostname_len);
+-      socks5_resolve_local = TRUE;
++      failf(data, "SOCKS5: the destination hostname is too long to be "
++            "resolved remotely by the proxy.");
++      return CURLPX_LONG_HOSTNAME;
+     }
+ 
+     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -881,7 +881,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
+       }
+       else {
+         socksreq[len++] = 3;
+-        socksreq[len++] = (char) hostname_len; /* one byte address length */
++        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+         memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
+         len += hostname_len;
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 0b1d18265..d669ef36e 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
++test718 test719 test720 test721 test728 \
+ \
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test728 b/tests/data/test728
+new file mode 100644
+index 000000000..05bcf2883
+--- /dev/null
++++ b/tests/data/test728
+@@ -0,0 +1,64 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++<data>
++HTTP/1.1 301 Moved Permanently
++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
++Content-Length: 0
++Connection: close
++
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++socks5
++</server>
++ <name>
++SOCKS5h with HTTP redirect to hostname too long
++ </name>
++ <command>
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++<errorcode>
++97
++</errorcode>
++# the error message is verified because error code CURLE_PROXY (97) may be
++# returned for any number of reasons and we need to make sure it is
++# specifically for the reason below so that we know the check is working.
++<stderr mode="text">
++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
++</stderr>
++</verify>
++</testcase>
+-- 
+2.41.0
+

0034-curl-7.85.0-CVE-2023-38546.patch

@@ -0,0 +1,136 @@
+From ab9756c96992c92637d2d40e7a406ac700972b8e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH 2/2] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+
+(cherry picked from commit 61275672b46d9abb3285740467b882e22ed75da8)
+
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 14 ++++----------
+ lib/easy.c   |  4 +---
+ 3 files changed, 6 insertions(+), 25 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index ab790a1cd..a418fe8c3 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -118,7 +118,6 @@ static void freecookie(struct Cookie *co)
+   free(co->name);
+   free(co->value);
+   free(co->maxage);
+-  free(co->version);
+   free(co);
+ }
+ 
+@@ -712,11 +711,7 @@ Curl_cookie_add(struct Curl_easy *data,
+           }
+         }
+         else if(strcasecompare("version", name)) {
+-          strstore(&co->version, whatptr);
+-          if(!co->version) {
+-            badcookie = TRUE;
+-            break;
+-          }
++          /* just ignore */
+         }
+         else if(strcasecompare("max-age", name)) {
+           /*
+@@ -1164,7 +1159,6 @@ Curl_cookie_add(struct Curl_easy *data,
+     free(clist->path);
+     free(clist->spath);
+     free(clist->expirestr);
+-    free(clist->version);
+     free(clist->maxage);
+ 
+     *clist = *co;  /* then store all the new data */
+@@ -1228,9 +1222,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+     c = calloc(1, sizeof(struct CookieInfo));
+     if(!c)
+       return NULL; /* failed to get memory */
+-    c->filename = strdup(file?file:"none"); /* copy the name just in case */
+-    if(!c->filename)
+-      goto fail; /* failed to get memory */
+     /*
+      * Initialize the next_expiration time to signal that we don't have enough
+      * information yet.
+@@ -1384,7 +1375,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+     CLONE(name);
+     CLONE(value);
+     CLONE(maxage);
+-    CLONE(version);
+     d->expires = src->expires;
+     d->tailmatch = src->tailmatch;
+     d->secure = src->secure;
+@@ -1600,7 +1590,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+   if(c) {
+     unsigned int i;
+-    free(c->filename);
+     for(i = 0; i < COOKIE_HASH_SIZE; i++)
+       Curl_cookie_freelist(c->cookies[i]);
+     free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index abc0a2e8a..2093bbb58 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -36,11 +36,7 @@ struct Cookie {
+   char *domain;      /* domain = <this> */
+   curl_off_t expires;  /* expires = <this> */
+   char *expirestr;   /* the plain text version */
+-
+-  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+-  char *version;     /* Version = <value> */
+   char *maxage;      /* Max-Age = <value> */
+-
+   bool tailmatch;    /* whether we do tail-matching of the domain name */
+   bool secure;       /* whether the 'secure' keyword was used */
+   bool livecookie;   /* updated from a server, not a stored file */
+@@ -56,18 +52,16 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+ 
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+ 
+ struct CookieInfo {
+   /* linked list of cookies we know of */
+   struct Cookie *cookies[COOKIE_HASH_SIZE];
+-
+-  char *filename;  /* file we read from/write to */
+-  long numcookies; /* number of cookies in the "jar" */
++  curl_off_t next_expiration; /* the next time at which expiration happens */
++  int numcookies;  /* number of cookies in the "jar" */
++  int lastct;      /* last creation-time used in the jar */
+   bool running;    /* state info, for cookie adding information */
+   bool newsession; /* new session, discard session cookies on load */
+-  int lastct;      /* last creation-time used in the jar */
+-  curl_off_t next_expiration; /* the next time at which expiration happens */
+ };
+ 
+ /* This is the maximum line length we accept for a cookie line. RFC 2109
+diff --git a/lib/easy.c b/lib/easy.c
+index 978ea5ac3..660b99056 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -905,9 +905,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+   if(data->cookies) {
+     /* If cookies are enabled in the parent handle, we enable them
+        in the clone as well! */
+-    outcurl->cookies = Curl_cookie_init(data,
+-                                        data->cookies->filename,
+-                                        outcurl->cookies,
++    outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+                                         data->set.cookiesession);
+     if(!outcurl->cookies)
+       goto fail;
+-- 
+2.41.0
+

0101-curl-7.32.0-multilib.patch

@@ -1,85 +1,84 @@
-From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001
-From: Jan Macku <jamacku@redhat.com>
-Date: Tue, 16 Dec 2025 10:04:40 +0100
+From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 12 Apr 2013 12:04:05 +0200
 Subject: [PATCH] prevent multilib conflicts on the curl-config script
 
 ---
- curl-config.in      | 23 +++++------------------
- docs/curl-config.md |  4 +++-
- libcurl.pc.in       |  1 +
+ curl-config.in     | 23 +++++------------------
+ docs/curl-config.1 |  4 +++-
+ libcurl.pc.in      |  1 +
  3 files changed, 9 insertions(+), 19 deletions(-)
 
 diff --git a/curl-config.in b/curl-config.in
-index a1c8185875..bb43ca8335 100644
+index 150004d..95d0759 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -74,7 +74,7 @@ while test "$#" -gt 0; do
-     ;;
+@@ -78,7 +78,7 @@ while test $# -gt 0; do
+         ;;
  
-   --cc)
--    echo '@CC@'
-+    echo 'gcc'
-     ;;
+     --cc)
+-        echo "@CC@"
++        echo "gcc"
+         ;;
  
-   --prefix)
-@@ -149,16 +149,7 @@ while test "$#" -gt 0; do
-     ;;
+     --prefix)
+@@ -157,32 +157,19 @@ while test $# -gt 0; do
+         ;;
  
-   --libs)
--    if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then
--      curllibdir="-L@libdir@ "
--    else
--      curllibdir=''
--    fi
--    if test '@ENABLE_SHARED@' = 'no'; then
--      echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@"
--    else
--      echo "${curllibdir}-lcurl"
--    fi
-+    echo '-lcurl'
-     ;;
+     --libs)
+-        if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
+-           CURLLIBDIR="-L@libdir@ "
+-        else
+-           CURLLIBDIR=""
+-        fi
+-        if test "X@ENABLE_SHARED@" = "Xno"; then
+-          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
+-        else
+-          echo ${CURLLIBDIR}-lcurl
+-        fi
++        echo -lcurl
+         ;;
+     --ssl-backends)
+         echo "@SSL_BACKENDS@"
+         ;;
  
-   --ssl-backends)
-@@ -166,16 +157,12 @@ while test "$#" -gt 0; do
-     ;;
+     --static-libs)
+-        if test "X@ENABLE_STATIC@" != "Xno" ; then
+-          echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@
+-        else
+-          echo "curl was built with static libraries disabled" >&2
+-          exit 1
+-        fi
++        echo "curl was built with static libraries disabled" >&2
++        exit 1
+         ;;
  
-   --static-libs)
--    if test '@ENABLE_STATIC@' != 'no'; then
--      echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@"
--    else
--      echo 'curl was built with static libraries disabled' >&2
--      exit 1
--    fi
-+    echo 'curl was built with static libraries disabled' >&2
-+    exit 1
-     ;;
+     --configure)
+-        echo @CONFIGURE_OPTIONS@
++        pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
+         ;;
  
-   --configure)
--    echo @CONFIGURE_OPTIONS@
-+    pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
-     ;;
- 
-   *)
-diff --git a/docs/curl-config.md b/docs/curl-config.md
-index 12ad245b79..fa0e03d273 100644
---- a/docs/curl-config.md
-+++ b/docs/curl-config.md
-@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated.
- ## `--static-libs`
- 
- Shows the complete set of libs and other linker options you need in order to
--link your application with libcurl statically. (Added in 7.17.1)
-+link your application with libcurl statically. Note that Fedora/RHEL libcurl
+     *)
+diff --git a/docs/curl-config.1 b/docs/curl-config.1
+index 14a9d2b..ffcc004 100644
+--- a/docs/curl-config.1
++++ b/docs/curl-config.1
+@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear
+ comma-separated. (Added in 7.58.0)
+ .IP "--static-libs"
+ Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl statically. (Added in 7.17.1)
++to link your application with libcurl statically. Note that Fedora/RHEL libcurl
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
- 
- ## `--version`
- 
+ .IP "--version"
+ Outputs version information about the installed libcurl.
+ .IP "--vernum"
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index c0ba5244a8..f3645e1748 100644
+index 2ba9c39..f8f8b00 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
-@@ -28,6 +28,7 @@ libdir=@libdir@
+@@ -31,6 +31,7 @@ libdir=@libdir@
  includedir=@includedir@
  supported_protocols="@SUPPORT_PROTOCOLS@"
  supported_features="@SUPPORT_FEATURES@"
@@ -88,5 +87,5 @@ index c0ba5244a8..f3645e1748 100644
  Name: libcurl
  URL: https://curl.se/
 -- 
-2.52.0
+2.26.2
 

0102-curl-7.84.0-test3026.patch

@@ -0,0 +1,71 @@
+From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 27 Jun 2022 16:50:57 +0200
+Subject: [PATCH] test3026: disable valgrind
+
+It fails on x86_64 with:
+```
+ Use --max-threads=INT to specify a larger number of threads
+ and rerun valgrind
+ valgrind: the 'impossible' happened:
+    Max number of threads is too low
+ host stacktrace:
+ ==174357==    at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ ==174357==    by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
+ sched status:
+   running_tid=1
+ Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357)
+ ==174357==    at 0x4A07816: clone (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6)
+ ==174357==    by 0x1093B5: test.part.0 (lib3026.c:64)
+ ==174357==    by 0x492454F: (below main) (in /usr/lib64/libc.so.6)
+ client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998
+ valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576
+[...]
+```
+---
+ tests/data/test3026     | 3 +++
+ tests/libtest/lib3026.c | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tests/data/test3026 b/tests/data/test3026
+index fb80cc8..01f2ba5 100644
+--- a/tests/data/test3026
++++ b/tests/data/test3026
+@@ -41,5 +41,8 @@ none
+ <errorcode>
+ 0
+ </errorcode>
++<valgrind>
++disable
++</valgrind>
+ </verify>
+ </testcase>
+diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
+index 43fe335..70cd7a4 100644
+--- a/tests/libtest/lib3026.c
++++ b/tests/libtest/lib3026.c
+@@ -123,8 +123,8 @@ int test(char *URL)
+     results[i] = CURL_LAST; /* initialize with invalid value */
+     res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
+     if(res) {
+-      fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n",
+-              __FILE__, __LINE__, res);
++      fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n",
++              __FILE__, __LINE__, i, res);
+       tid_count = i;
+       test_failure = -1;
+       goto cleanup;
+-- 
+2.37.1
+

curl.rpmlintrc

@@ -1,15 +0,0 @@
-# Intentional stuff we're not concerned about
-addFilter("unversioned-explicit-provides webclient")
-addFilter("package-with-huge-docs")
-addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
-
-# This is just plain wrong (%_configure redefinition)
-addFilter("configure-without-libdir-spec")
-
-# Technical term
-addFilter("E: spelling-error \('kerberos',")
-
-# Artefacts of RemovePathPostfixes: .minimal
-addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
-#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
-#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")

sources

@@ -1,2 +1,2 @@
-SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
-SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
+SHA512 (curl-7.85.0.tar.xz) = b57cc31649a4f47cc4b482f56a85c86c8e8aaeaf01bc1b51b065fdb9145a9092bc52535e52a85a66432eb163605b2edbf5bc5c33ea6e40e50f26a69ad1365cbd
+SHA512 (curl-7.85.0.tar.xz.asc) = 7022daf84b330b24112d595edee715cdeb881a4ba8a4fa7eec23aed28292e5d943af778f03aadd036d44d875f9e226096ea142d18afe516b6bdbd475fcd3aca6

tests/non-root-user-download/runtest.sh

@@ -31,9 +31,9 @@
 
 PACKAGE="curl"
 
-FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"