diff --git a/SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch b/SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch
new file mode 100644
index 0000000..dbd2496
--- /dev/null
+++ b/SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch
@@ -0,0 +1,116 @@
+From 239f8d93866605b05f4e6b551f4327dc7fcb922b Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Tue, 23 Feb 2021 14:54:46 +0100
+Subject: [PATCH 1/2] transfer: strip credentials from the auto-referer header
+ field
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+
+Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/transfer.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index ecd1063..263b178 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1473,6 +1473,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ /* Location: redirect */
+ bool disallowport = FALSE;
+ bool reachedmax = FALSE;
++ CURLUcode uc;
+
+ if(type == FOLLOW_REDIR) {
+ if((data->set.maxredirs != -1) &&
+@@ -1488,6 +1489,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->set.followlocation++; /* count location-followers */
+
+ if(data->set.http_auto_referer) {
++ CURLU *u;
++ char *referer;
++
+ /* We are asked to automatically set the previous URL as the referer
+ when we get the next URL. We pick the ->url field, which may or may
+ not be 100% correct */
+@@ -1497,9 +1501,26 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->change.referer_alloc = FALSE;
+ }
+
+- data->change.referer = strdup(data->change.url);
+- if(!data->change.referer)
++ /* Make a copy of the URL without crenditals and fragment */
++ u = curl_url();
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
++
++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++ curl_url_cleanup(u);
++
++ if(uc || referer == NULL)
+ return CURLE_OUT_OF_MEMORY;
++ data->change.referer = referer;
+ data->change.referer_alloc = TRUE; /* yes, free this later */
+ }
+ }
+--
+2.30.2
+
+
+From f7d1d478b87499ce31d6aa3251830b78447ad952 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Mar 2021 09:32:14 +0200
+Subject: [PATCH 2/2] transfer: clear 'referer' in declaration
+
+To silence (false positive) compiler warnings about it.
+
+Follow-up to 7214288898f5625
+
+Reviewed-by: Marcel Raad
+Closes #6810
+
+Upstream-commit: 6bb028dbda6cbfe83f66de773544f71e4813160f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/transfer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 263b178..ad5a7ba 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1490,7 +1490,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
+
+ if(data->set.http_auto_referer) {
+ CURLU *u;
+- char *referer;
++ char *referer = NULL;
+
+ /* We are asked to automatically set the previous URL as the referer
+ when we get the next URL. We pick the ->url field, which may or may
+@@ -1518,7 +1518,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
+
+ curl_url_cleanup(u);
+
+- if(uc || referer == NULL)
++ if(uc || !referer)
+ return CURLE_OUT_OF_MEMORY;
+ data->change.referer = referer;
+ data->change.referer_alloc = TRUE; /* yes, free this later */
+--
+2.30.2
+
diff --git a/SOURCES/0030-curl-7.61.1-file-head.patch b/SOURCES/0030-curl-7.61.1-file-head.patch
new file mode 100644
index 0000000..e545e8e
--- /dev/null
+++ b/SOURCES/0030-curl-7.61.1-file-head.patch
@@ -0,0 +1,693 @@
+From 87e3d094e0dc00efc1abeb2b142d453024cbca69 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 4 Oct 2018 23:53:32 +0200
+Subject: [PATCH] FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
+
+Now FILE transfers send headers to the header callback like HTTP and
+other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
+work for FILE in the callbacks.
+
+Makes "curl -i file://.." and "curl -I file://.." work like before
+again. Applied the bold header logic to them too.
+
+Regression from c1c2762 (7.61.0)
+
+Reported-by: Shaun Jackman
+Fixes #3083
+Closes #3101
+
+Upstream-commit: e50a2002bd450a4800a165d2874ed79c95b33a07
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/file.c | 27 +++++++++++++--------------
+ lib/getinfo.c | 1 -
+ lib/url.c | 1 +
+ src/tool_cb_hdr.c | 5 +++--
+ tests/data/test1016 | 2 +-
+ tests/data/test1017 | 2 +-
+ tests/data/test1018 | 2 +-
+ tests/data/test1019 | 2 +-
+ tests/data/test1020 | 2 +-
+ tests/data/test1029 | 2 +-
+ tests/data/test1146 | 2 +-
+ tests/data/test1220 | 2 +-
+ tests/data/test200 | 2 +-
+ tests/data/test2000 | 2 +-
+ tests/data/test2001 | 13 +------------
+ tests/data/test2002 | 13 +------------
+ tests/data/test2003 | 26 ++------------------------
+ tests/data/test2004 | 2 +-
+ tests/data/test2006 | 8 ++++++++
+ tests/data/test2007 | 8 ++++++++
+ tests/data/test2008 | 8 ++++++++
+ tests/data/test2009 | 8 ++++++++
+ tests/data/test2010 | 8 ++++++++
+ tests/data/test202 | 2 +-
+ tests/data/test203 | 2 +-
+ tests/data/test204 | 2 +-
+ tests/data/test205 | 2 +-
+ tests/data/test2070 | 2 +-
+ tests/data/test2071 | 2 +-
+ tests/data/test2072 | 2 +-
+ tests/data/test210 | 2 +-
+ tests/data/test231 | 2 +-
+ tests/data/test288 | 2 +-
+ 33 files changed, 82 insertions(+), 86 deletions(-)
+
+diff --git a/lib/file.c b/lib/file.c
+index e50e988..f780658 100644
+--- a/lib/file.c
++++ b/lib/file.c
+@@ -386,7 +386,6 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
+
+ *done = TRUE; /* unconditionally */
+
+- Curl_initinfo(data);
+ Curl_pgrsStartNow(data);
+
+ if(data->set.upload)
+@@ -413,21 +412,18 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
+ }
+ }
+
+- /* If we have selected NOBODY and HEADER, it means that we only want file
+- information. Which for FILE can't be much more than the file size and
+- date. */
+- if(data->set.opt_no_body && data->set.include_header && fstated) {
++ if(fstated) {
+ time_t filetime;
+ struct tm buffer;
+ const struct tm *tm = &buffer;
+ char header[80];
+ snprintf(header, sizeof(header),
+ "Content-Length: %" CURL_FORMAT_CURL_OFF_T "\r\n", expected_size);
+- result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0);
++ result = Curl_client_write(conn, CLIENTWRITE_HEADER, header, 0);
+ if(result)
+ return result;
+
+- result = Curl_client_write(conn, CLIENTWRITE_BOTH,
++ result = Curl_client_write(conn, CLIENTWRITE_HEADER,
+ (char *)"Accept-ranges: bytes\r\n", 0);
+ if(result)
+ return result;
+@@ -439,19 +435,22 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
+
+ /* format: "Tue, 15 Nov 1994 12:45:26 GMT" */
+ snprintf(header, sizeof(header),
+- "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n",
++ "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n%s",
+ Curl_wkday[tm->tm_wday?tm->tm_wday-1:6],
+ tm->tm_mday,
+ Curl_month[tm->tm_mon],
+ tm->tm_year + 1900,
+ tm->tm_hour,
+ tm->tm_min,
+- tm->tm_sec);
+- result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0);
+- if(!result)
+- /* set the file size to make it available post transfer */
+- Curl_pgrsSetDownloadSize(data, expected_size);
+- return result;
++ tm->tm_sec,
++ data->set.opt_no_body ? "": "\r\n");
++ result = Curl_client_write(conn, CLIENTWRITE_HEADER, header, 0);
++ if(result)
++ return result;
++ /* set the file size to make it available post transfer */
++ Curl_pgrsSetDownloadSize(data, expected_size);
++ if(data->set.opt_no_body)
++ return result;
+ }
+
+ /* Check whether file range has been specified */
+diff --git a/lib/getinfo.c b/lib/getinfo.c
+index 14b4562..54c2c2f 100644
+--- a/lib/getinfo.c
++++ b/lib/getinfo.c
+@@ -85,7 +85,6 @@ CURLcode Curl_initinfo(struct Curl_easy *data)
+ #ifdef USE_SSL
+ Curl_ssl_free_certinfo(data);
+ #endif
+-
+ return CURLE_OK;
+ }
+
+diff --git a/lib/url.c b/lib/url.c
+index b18db25..bb9d107 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -4290,6 +4290,7 @@ static CURLcode create_conn(struct Curl_easy *data,
+ /* this is supposed to be the connect function so we better at least check
+ that the file is present here! */
+ DEBUGASSERT(conn->handler->connect_it);
++ Curl_persistconninfo(conn);
+ result = conn->handler->connect_it(conn, &done);
+
+ /* Setup a "faked" transfer that'll do nothing */
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index e91e8ac..4f21221 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -153,8 +153,9 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+ }
+
+ if(hdrcbdata->config->show_headers &&
+- (protocol & (CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_RTSP))) {
+- /* bold headers only happen for HTTP(S) and RTSP */
++ (protocol &
++ (CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_RTSP|CURLPROTO_FILE))) {
++ /* bold headers only for selected protocols */
+ char *value = NULL;
+
+ if(!outs->stream && !tool_create_output_file(outs))
+diff --git a/tests/data/test1016 b/tests/data/test1016
+index b404cac..4927f9e 100644
+--- a/tests/data/test1016
++++ b/tests/data/test1016
+@@ -22,7 +22,7 @@ file
+ <name>
+ X-Y range on a file:// URL to stdout
+ </name>
+- <command>
++<command option="no-include">
+ -r 1-4 file://localhost/%PWD/log/test1016.txt
+ </command>
+ <file name="log/test1016.txt">
+diff --git a/tests/data/test1017 b/tests/data/test1017
+index 6fbc38a..cfdd80f 100644
+--- a/tests/data/test1017
++++ b/tests/data/test1017
+@@ -23,7 +23,7 @@ file
+ <name>
+ 0-Y range on a file:// URL to stdout
+ </name>
+- <command>
++<command option="no-include">
+ -r 0-3 file://localhost/%PWD/log/test1017.txt
+ </command>
+ <file name="log/test1017.txt">
+diff --git a/tests/data/test1018 b/tests/data/test1018
+index 28a7027..5748701 100644
+--- a/tests/data/test1018
++++ b/tests/data/test1018
+@@ -22,7 +22,7 @@ file
+ <name>
+ X-X range on a file:// URL to stdout
+ </name>
+- <command>
++<command option="no-include">
+ -r 4-4 file://localhost/%PWD/log/test1018.txt
+ </command>
+ <file name="log/test1018.txt">
+diff --git a/tests/data/test1019 b/tests/data/test1019
+index 4d9872a..054e38d 100644
+--- a/tests/data/test1019
++++ b/tests/data/test1019
+@@ -23,7 +23,7 @@ file
+ <name>
+ X- range on a file:// URL to stdout
+ </name>
+- <command>
++<command option="no-include">
+ -r 7- file://localhost/%PWD/log/test1019.txt
+ </command>
+ <file name="log/test1019.txt">
+diff --git a/tests/data/test1020 b/tests/data/test1020
+index 735871d..e924529 100644
+--- a/tests/data/test1020
++++ b/tests/data/test1020
+@@ -23,7 +23,7 @@ file
+ <name>
+ -Y range on a file:// URL to stdout
+ </name>
+- <command>
++<command option="no-include">
+ -r -9 file://localhost/%PWD/log/test1020.txt
+ </command>
+ <file name="log/test1020.txt">
+diff --git a/tests/data/test1029 b/tests/data/test1029
+index 2ffc7c6..c77209c 100644
+--- a/tests/data/test1029
++++ b/tests/data/test1029
+@@ -29,7 +29,7 @@ http
+ <name>
+ HTTP Location: and 'redirect_url' check
+ </name>
+- <command>
++<command>
+ http://%HOSTIP:%HTTPPORT/we/want/our/1029 -w '%{redirect_url}\n'
+ </command>
+ </client>
+diff --git a/tests/data/test1146 b/tests/data/test1146
+index 43f33b7..636748e 100644
+--- a/tests/data/test1146
++++ b/tests/data/test1146
+@@ -24,7 +24,7 @@ file
+ <name>
+ --proto-default file
+ </name>
+-<command>
++<command option="no-include">
+ --proto-default file %PWD/log/test1146.txt
+ </command>
+ <file name="log/test1146.txt">
+diff --git a/tests/data/test1220 b/tests/data/test1220
+index 959abbf..6752eb5 100644
+--- a/tests/data/test1220
++++ b/tests/data/test1220
+@@ -20,7 +20,7 @@ file
+ <name>
+ file:// URLs with query string
+ </name>
+- <command>
++<command option="no-include">
+ file://localhost/%PWD/log/test1220.txt?a_query=foobar#afragment
+ </command>
+ <file name="log/test1220.txt">
+diff --git a/tests/data/test200 b/tests/data/test200
+index 8be1de0..c27f7c0 100644
+--- a/tests/data/test200
++++ b/tests/data/test200
+@@ -23,7 +23,7 @@ file
+ <name>
+ basic file:// file
+ </name>
+- <command>
++<command option="no-include">
+ file://localhost/%PWD/log/test200.txt
+ </command>
+ <file name="log/test200.txt">
+diff --git a/tests/data/test2000 b/tests/data/test2000
+index d3edb16..db1ba13 100644
+--- a/tests/data/test2000
++++ b/tests/data/test2000
+@@ -31,7 +31,7 @@ file
+ <name>
+ FTP RETR followed by FILE
+ </name>
+- <command>
++<command option="no-include">
+ ftp://%HOSTIP:%FTPPORT/2000 file://localhost/%PWD/log/test2000.txt
+ </command>
+ <file name="log/test2000.txt">
+diff --git a/tests/data/test2001 b/tests/data/test2001
+index 68c0df7..88a258e 100644
+--- a/tests/data/test2001
++++ b/tests/data/test2001
+@@ -48,7 +48,7 @@ file
+ <name>
+ HTTP GET followed by FTP RETR followed by FILE
+ </name>
+- <command>
++<command option="no-include">
+ http://%HOSTIP:%HTTPPORT/20010001 ftp://%HOSTIP:%FTPPORT/20010002 file://localhost/%PWD/log/test2001.txt
+ </command>
+ <file name="log/test2001.txt">
+@@ -81,17 +81,6 @@ RETR 20010002
+ QUIT
+ </protocol>
+ <stdout>
+-HTTP/1.1 200 OK
+-Date: Thu, 09 Nov 2010 14:49:00 GMT
+-Server: test-server/fake
+-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+-ETag: "21025-dc7-39462498"
+-Accept-Ranges: bytes
+-Content-Length: 6
+-Connection: close
+-Content-Type: text/html
+-Funny-head: yesyes
+-
+ -foo-
+ data
+ to
+diff --git a/tests/data/test2002 b/tests/data/test2002
+index db96bfe..6dd2f93 100644
+--- a/tests/data/test2002
++++ b/tests/data/test2002
+@@ -57,7 +57,7 @@ tftp
+ <name>
+ HTTP GET followed by FTP RETR followed by FILE followed by TFTP RRQ
+ </name>
+- <command>
++<command option="no-include">
+ http://%HOSTIP:%HTTPPORT/20020001 ftp://%HOSTIP:%FTPPORT/20020002 file://localhost/%PWD/log/test2002.txt tftp://%HOSTIP:%TFTPPORT//20020003
+ </command>
+ <file name="log/test2002.txt">
+@@ -96,17 +96,6 @@ filename: /20020003
+ QUIT
+ </protocol>
+ <stdout>
+-HTTP/1.1 200 OK
+-Date: Thu, 09 Nov 2010 14:49:00 GMT
+-Server: test-server/fake
+-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+-ETag: "21025-dc7-39462498"
+-Accept-Ranges: bytes
+-Content-Length: 6
+-Connection: close
+-Content-Type: text/html
+-Funny-head: yesyes
+-
+ -foo-
+ data
+ to
+diff --git a/tests/data/test2003 b/tests/data/test2003
+index 59a743f..09bee8e 100644
+--- a/tests/data/test2003
++++ b/tests/data/test2003
+@@ -57,8 +57,8 @@ tftp
+ <name>
+ HTTP GET followed by FTP RETR followed by FILE followed by TFTP RRQ then again in reverse order
+ </name>
+- <command>
+-http://%HOSTIP:%HTTPPORT/20030001 ftp://%HOSTIP:%FTPPORT/20030002 file://localhost/%PWD/log/test2003.txt tftp://%HOSTIP:%TFTPPORT//20030003 tftp://%HOSTIP:%TFTPPORT//20030003 file://localhost/%PWD/log/test2003.txt ftp://%HOSTIP:%FTPPORT/20030002 http://%HOSTIP:%HTTPPORT/20030001
++<command option="no-include">
++http://%HOSTIP:%HTTPPORT/20030001 ftp://%HOSTIP:%FTPPORT/20030002 file://localhost/%PWD/log/test2003.txt tftp://%HOSTIP:%TFTPPORT//20030003 tftp://%HOSTIP:%TFTPPORT//20030003 file://localhost/%PWD/log/test2003.txt ftp://%HOSTIP:%FTPPORT/20030002 http://%HOSTIP:%HTTPPORT/20030001
+ </command>
+ <file name="log/test2003.txt">
+ foo
+@@ -109,17 +109,6 @@ Accept: */*
+ QUIT
+ </protocol>
+ <stdout>
+-HTTP/1.1 200 OK
+-Date: Thu, 09 Nov 2010 14:49:00 GMT
+-Server: test-server/fake
+-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+-ETag: "21025-dc7-39462498"
+-Accept-Ranges: bytes
+-Content-Length: 6
+-Connection: close
+-Content-Type: text/html
+-Funny-head: yesyes
+-
+ -foo-
+ data
+ to
+@@ -151,17 +140,6 @@ data
+ that FTP
+ works
+ so does it?
+-HTTP/1.1 200 OK
+-Date: Thu, 09 Nov 2010 14:49:00 GMT
+-Server: test-server/fake
+-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+-ETag: "21025-dc7-39462498"
+-Accept-Ranges: bytes
+-Content-Length: 6
+-Connection: close
+-Content-Type: text/html
+-Funny-head: yesyes
+-
+ -foo-
+ </stdout>
+ </verify>
+diff --git a/tests/data/test2004 b/tests/data/test2004
+index 4773f69..b17890b 100644
+--- a/tests/data/test2004
++++ b/tests/data/test2004
+@@ -29,7 +29,7 @@ sftp
+ <name>
+ TFTP RRQ followed by SFTP retrieval followed by FILE followed by SCP retrieval then again in reverse order
+ </name>
+- <command>
++<command option="no-include">
+ --key curl_client_key --pubkey curl_client_key.pub -u %USER: tftp://%HOSTIP:%TFTPPORT//2004 sftp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt file://localhost/%PWD/log/test2004.txt scp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt file://localhost/%PWD/log/test2004.txt sftp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt tftp://%HOSTIP:%TFTPPORT//2004 --insecure
+ </command>
+ <file name="log/test2004.txt">
+diff --git a/tests/data/test2006 b/tests/data/test2006
+index e25556f..3acbdae 100644
+--- a/tests/data/test2006
++++ b/tests/data/test2006
+@@ -4,6 +4,7 @@
+ Metalink
+ HTTP
+ HTTP GET
++FILE
+ </keywords>
+ </info>
+
+@@ -85,6 +86,10 @@ Accept: */*
+ Some data delivered from an HTTP resource
+ </file1>
+ <file2 name="log/heads2006">
++Content-Length: 496
++Accept-ranges: bytes
++
++
+ HTTP/1.1 200 OK
+ Date: Thu, 21 Jun 2012 14:49:01 GMT
+ Server: test-server/fake
+@@ -105,6 +110,9 @@ Metalink: fetching (log/download2006) from (http://%HOSTIP:%HTTPPORT/2006) OK
+ Metalink: validating (log/download2006)...
+ Metalink: validating (log/download2006) [sha-256] OK
+ </file4>
++<stripfile2>
++s/Last-Modified:.*//
++</stripfile2>
+ <stripfile4>
+ $_ = '' if (($_ !~ /^Metalink: /) && ($_ !~ /error/i) && ($_ !~ /warn/i))
+ </stripfile4>
+diff --git a/tests/data/test2007 b/tests/data/test2007
+index cc4bd8c..b169c49 100644
+--- a/tests/data/test2007
++++ b/tests/data/test2007
+@@ -5,6 +5,7 @@ Metalink
+ HTTP
+ HTTP GET
+ -J
++FILE
+ </keywords>
+ </info>
+
+@@ -85,7 +86,14 @@ Accept: */*
+ <file1 name="log/download2007">
+ Something delivered from an HTTP resource
+ </file1>
++<stripfile2>
++s/Last-Modified:.*//
++</stripfile2>
+ <file2 name="log/heads2007">
++Content-Length: 496
++Accept-ranges: bytes
++
++
+ HTTP/1.1 200 OK
+ Date: Thu, 21 Jun 2012 14:50:02 GMT
+ Server: test-server/fake
+diff --git a/tests/data/test2008 b/tests/data/test2008
+index 5843792..012f221 100644
+--- a/tests/data/test2008
++++ b/tests/data/test2008
+@@ -4,6 +4,7 @@
+ Metalink
+ HTTP
+ HTTP GET
++FILE
+ </keywords>
+ </info>
+
+@@ -77,7 +78,14 @@ Accept: */*
+ <file1 name="log/download2008">
+ Some stuff delivered from an HTTP resource
+ </file1>
++<stripfile2>
++s/Last-Modified:.*//
++</stripfile2>
+ <file2 name="log/heads2008">
++Content-Length: 496
++Accept-ranges: bytes
++
++
+ HTTP/1.1 200 OK
+ Date: Thu, 21 Jun 2012 15:23:48 GMT
+ Server: test-server/fake
+diff --git a/tests/data/test2009 b/tests/data/test2009
+index 84482ce..b0e5c6c 100644
+--- a/tests/data/test2009
++++ b/tests/data/test2009
+@@ -5,6 +5,7 @@ Metalink
+ HTTP
+ HTTP GET
+ -J
++FILE
+ </keywords>
+ </info>
+
+@@ -78,7 +79,14 @@ Accept: */*
+ <file1 name="log/download2009">
+ Some contents delivered from an HTTP resource
+ </file1>
++<stripfile2>
++s/Last-Modified:.*//
++</stripfile2>
+ <file2 name="log/heads2009">
++Content-Length: 496
++Accept-ranges: bytes
++
++
+ HTTP/1.1 200 OK
+ Date: Thu, 21 Jun 2012 16:27:17 GMT
+ Server: test-server/fake
+diff --git a/tests/data/test2010 b/tests/data/test2010
+index 91a83f4..33bb309 100644
+--- a/tests/data/test2010
++++ b/tests/data/test2010
+@@ -4,6 +4,7 @@
+ Metalink
+ HTTP
+ HTTP GET
++FILE
+ </keywords>
+ </info>
+
+@@ -77,7 +78,14 @@ Accept: */*
+ <file1 name="log/download2010">
+ Contents delivered from an HTTP resource
+ </file1>
++<stripfile2>
++s/Last-Modified:.*//
++</stripfile2>
+ <file2 name="log/heads2010">
++Content-Length: 496
++Accept-ranges: bytes
++
++
+ HTTP/1.1 200 OK
+ Date: Thu, 21 Jun 2012 17:37:27 GMT
+ Server: test-server/fake
+diff --git a/tests/data/test202 b/tests/data/test202
+index f863ec5..0b324b1 100644
+--- a/tests/data/test202
++++ b/tests/data/test202
+@@ -19,7 +19,7 @@ file
+ <name>
+ two file:// URLs to stdout
+ </name>
+- <command>
++<command option="no-include">
+ file://localhost/%PWD/log/test202.txt FILE://localhost/%PWD/log/test202.txt
+ </command>
+ <file name="log/test202.txt">
+diff --git a/tests/data/test203 b/tests/data/test203
+index 366cc2c..3938426 100644
+--- a/tests/data/test203
++++ b/tests/data/test203
+@@ -24,7 +24,7 @@ file
+ <name>
+ file:/path URL with a single slash
+ </name>
+- <command>
++<command option="no-include">
+ file:%PWD/log/test203.txt
+ </command>
+ <file name="log/test203.txt">
+diff --git a/tests/data/test204 b/tests/data/test204
+index 9cc7b01..0ed9451 100644
+--- a/tests/data/test204
++++ b/tests/data/test204
+@@ -15,7 +15,7 @@ file
+ <name>
+ "upload" with file://
+ </name>
+- <command>
++<command option="no-include">
+ file://localhost/%PWD/log/result204.txt -T log/upload204.txt
+ </command>
+ <file name="log/upload204.txt">
+diff --git a/tests/data/test205 b/tests/data/test205
+index 4af93f6..f83c531 100644
+--- a/tests/data/test205
++++ b/tests/data/test205
+@@ -16,7 +16,7 @@ file
+ <name>
+ "upload" with file://
+ </name>
+- <command>
++<command option="no-include">
+ file://localhost/%PWD/log/nonexisting/result205.txt -T log/upload205.txt
+ </command>
+ <file name="log/upload205.txt">
+diff --git a/tests/data/test2070 b/tests/data/test2070
+index bc3898a..655cd8a 100644
+--- a/tests/data/test2070
++++ b/tests/data/test2070
+@@ -23,7 +23,7 @@ file
+ <name>
+ basic file:// file with no authority
+ </name>
+- <command>
++<command option="no-include">
+ file:%PWD/log/test2070.txt
+ </command>
+ <file name="log/test2070.txt">
+diff --git a/tests/data/test2071 b/tests/data/test2071
+index 997dfff..eddfa4d 100644
+--- a/tests/data/test2071
++++ b/tests/data/test2071
+@@ -23,7 +23,7 @@ file
+ <name>
+ basic file:// file with "127.0.0.1" hostname
+ </name>
+- <command>
++<command option="no-include">
+ file://127.0.0.1/%PWD/log/test2070.txt
+ </command>
+ <file name="log/test2070.txt">
+diff --git a/tests/data/test2072 b/tests/data/test2072
+index cd26f22..1bab158 100644
+--- a/tests/data/test2072
++++ b/tests/data/test2072
+@@ -23,7 +23,7 @@ file
+ <name>
+ file:// with unix path resolution behavior for the case of extra slashes
+ </name>
+-<command>
++<command option="no-include">
+ file:////%PWD/log/test2072.txt
+ </command>
+ <precheck>
+diff --git a/tests/data/test210 b/tests/data/test210
+index e904567..c6fb703 100644
+--- a/tests/data/test210
++++ b/tests/data/test210
+@@ -22,7 +22,7 @@ ftp
+ <name>
+ Get two FTP files from the same remote dir: no second CWD
+ </name>
+- <command>
++<command option="no-include">
+ ftp://%HOSTIP:%FTPPORT/a/path/210 ftp://%HOSTIP:%FTPPORT/a/path/210
+ </command>
+ <stdout>
+diff --git a/tests/data/test231 b/tests/data/test231
+index 6994957..3d4bc77 100644
+--- a/tests/data/test231
++++ b/tests/data/test231
+@@ -22,7 +22,7 @@ file
+ <name>
+ file:// with resume
+ </name>
+- <command>
++<command option="no-include">
+ file://localhost/%PWD/log/test231.txt -C 10
+ </command>
+ <file name="log/test231.txt">
+diff --git a/tests/data/test288 b/tests/data/test288
+index ff4db6a..9f8f6e1 100644
+--- a/tests/data/test288
++++ b/tests/data/test288
+@@ -30,7 +30,7 @@ file:// with (unsupported) proxy, authentication and range
+ <setenv>
+ all_proxy=http://fake:user@%HOSTIP:%HTTPPORT/
+ </setenv>
+- <command>
++<command option="no-include">
+ file://localhost/%PWD/log/test288.txt
+ </command>
+ <file name="log/test288.txt">
+--
+2.30.2
+
diff --git a/SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch b/SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch
new file mode 100644
index 0000000..42e1ccd
--- /dev/null
+++ b/SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch
@@ -0,0 +1,31 @@
+From ae2dc830fb37e9243dbdaf8b92e41df91f43b3f2 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE-2021-22898
+
+Bug: https://curl.se/docs/CVE-2021-22898.html
+
+Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 1fc5af1..ea6bc71 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,7 +967,7 @@ static void suboption(struct connectdata *conn)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+ snprintf((char *)&temp[len], sizeof(temp) - len,
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+ CURL_NEW_ENV_VALUE, varval);
+--
+2.31.1
+
diff --git a/SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch b/SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch
new file mode 100644
index 0000000..391abbd
--- /dev/null
+++ b/SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch
@@ -0,0 +1,47 @@
+From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 12 Jun 2021 18:25:15 +0200
+Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
+
+CVE-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+
+Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index ea6bc71..f8428b8 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+- snprintf((char *)&temp[len], sizeof(temp) - len,
+- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+- CURL_NEW_ENV_VALUE, varval);
+- len += tmplen;
+- }
++ int rv;
++ char sep[2] = "";
++ varval[0] = 0;
++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++ if(rv == 1)
++ len += snprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s", CURL_NEW_ENV_VAR, varname);
++ else if(rv >= 2)
++ len += snprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++ CURL_NEW_ENV_VALUE, varval);
+ }
+ }
+ snprintf((char *)&temp[len], sizeof(temp) - len,
+--
+2.31.1
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index b29023a..be2443a 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.61.1
-Release: 18%{?dist}.1
+Release: 21%{?dist}
License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@@ -79,9 +79,21 @@ Patch27: 0027-curl-7.61.1-CVE-2020-8286.patch
# http: send payload when (proxy) authentication is done (#1918692)
Patch28: 0028-curl-7.61.1-http-auth-payload.patch
+# prevent automatic referer from leaking credentials (CVE-2021-22876)
+Patch29: 0029-curl-7.61.1-CVE-2021-22876.patch
+
+# make `curl --head file://` work as expected (#1947493)
+Patch30: 0030-curl-7.61.1-file-head.patch
+
# fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
Patch31: 0031-curl-7.61.1-CVE-2021-22924.patch
+# fix TELNET stack contents disclosure (CVE-2021-22898)
+Patch32: 0032-curl-7.61.1-CVE-2021-22898.patch
+
+# fix TELNET stack contents disclosure again (CVE-2021-22925)
+Patch33: 0033-curl-7.61.1-CVE-2021-22925.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@@ -280,7 +292,11 @@ sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448
%patch26 -p1
%patch27 -p1
%patch28 -p1
+%patch29 -p1
+%patch30 -p1
%patch31 -p1
+%patch32 -p1
+%patch33 -p1
# make tests/*.py use Python 3
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -443,12 +459,21 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
-* Thu Aug 05 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18.el8_4.1
+* Thu Aug 05 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-21
+- fix TELNET stack contents disclosure again (CVE-2021-22925)
+- fix TELNET stack contents disclosure (CVE-2021-22898)
- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
- disable metalink support to fix the following vulnerabilities
CVE-2021-22923 - metalink download sends credentials
CVE-2021-22922 - wrong content via metalink not discarded
+* Fri Apr 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-20
+- fix a cppcheck's false positive in 0029-curl-7.61.1-CVE-2021-22876.patch
+
+* Fri Apr 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-19
+- make `curl --head file://` work as expected (#1947493)
+- prevent automatic referer from leaking credentials (CVE-2021-22876)
+
* Thu Jan 28 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18
- http: send payload when (proxy) authentication is done (#1918692)
- curl: Inferior OCSP verification (CVE-2020-8286)