diff --git a/SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch b/SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch
new file mode 100644
index 0000000..769a0fd
--- /dev/null
+++ b/SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch
@@ -0,0 +1,40 @@
+From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+
+Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index cd5756a..9b9f683 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -159,8 +159,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+ /* report back which name we used */
+ *hostp = hostname;
+
+- /* put the number first so that the hostname gets cut off if too long */
+- msnprintf(buf, len, "%ld%s", port, hostname);
++ /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++ msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ }
+
+ /* Returns number of connections currently held in the connection cache.
+--
+2.34.1
+
diff --git a/SOURCES/0020-curl-7.76.1-openldap-rebase.patch b/SOURCES/0020-curl-7.76.1-openldap-rebase.patch
new file mode 100644
index 0000000..65870b5
--- /dev/null
+++ b/SOURCES/0020-curl-7.76.1-openldap-rebase.patch
@@ -0,0 +1,186 @@
+From c2acc48854be9f8590e57a7b44b649fb8537bed4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 May 2021 16:14:13 +0200
+Subject: [PATCH] openldap: replace ldap_ prefix on private functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
+least) there's a symbol collision because of that.
+
+The private functions now use the 'oldap_' prefix where it previously
+used 'ldap_'.
+
+Reported-by: 3eka on github
+Fixes #7004
+Closes #7005
+
+Upstream-commit: 8bdde6b14ce3b5fd71c772a578fcbd4b6fa6df19
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/openldap.c | 67 +++++++++++++++++++++++++-------------------------
+ 1 file changed, 34 insertions(+), 33 deletions(-)
+
+diff --git a/lib/openldap.c b/lib/openldap.c
+index b515554..5a32c74 100644
+--- a/lib/openldap.c
++++ b/lib/openldap.c
+@@ -76,16 +76,16 @@ extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url,
+ LDAP **ld);
+ #endif
+
+-static CURLcode ldap_setup_connection(struct Curl_easy *data,
+- struct connectdata *conn);
+-static CURLcode ldap_do(struct Curl_easy *data, bool *done);
+-static CURLcode ldap_done(struct Curl_easy *data, CURLcode, bool);
+-static CURLcode ldap_connect(struct Curl_easy *data, bool *done);
+-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done);
+-static CURLcode ldap_disconnect(struct Curl_easy *data,
+- struct connectdata *conn, bool dead);
++static CURLcode oldap_setup_connection(struct Curl_easy *data,
++ struct connectdata *conn);
++static CURLcode oldap_do(struct Curl_easy *data, bool *done);
++static CURLcode oldap_done(struct Curl_easy *data, CURLcode, bool);
++static CURLcode oldap_connect(struct Curl_easy *data, bool *done);
++static CURLcode oldap_connecting(struct Curl_easy *data, bool *done);
++static CURLcode oldap_disconnect(struct Curl_easy *data,
++ struct connectdata *conn, bool dead);
+
+-static Curl_recv ldap_recv;
++static Curl_recv oldap_recv;
+
+ /*
+ * LDAP protocol handler.
+@@ -93,18 +93,18 @@ static Curl_recv ldap_recv;
+
+ const struct Curl_handler Curl_handler_ldap = {
+ "LDAP", /* scheme */
+- ldap_setup_connection, /* setup_connection */
+- ldap_do, /* do_it */
+- ldap_done, /* done */
++ oldap_setup_connection, /* setup_connection */
++ oldap_do, /* do_it */
++ oldap_done, /* done */
+ ZERO_NULL, /* do_more */
+- ldap_connect, /* connect_it */
+- ldap_connecting, /* connecting */
++ oldap_connect, /* connect_it */
++ oldap_connecting, /* connecting */
+ ZERO_NULL, /* doing */
+ ZERO_NULL, /* proto_getsock */
+ ZERO_NULL, /* doing_getsock */
+ ZERO_NULL, /* domore_getsock */
+ ZERO_NULL, /* perform_getsock */
+- ldap_disconnect, /* disconnect */
++ oldap_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
+ ZERO_NULL, /* attach connection */
+@@ -121,18 +121,18 @@ const struct Curl_handler Curl_handler_ldap = {
+
+ const struct Curl_handler Curl_handler_ldaps = {
+ "LDAPS", /* scheme */
+- ldap_setup_connection, /* setup_connection */
+- ldap_do, /* do_it */
+- ldap_done, /* done */
++ oldap_setup_connection, /* setup_connection */
++ oldap_do, /* do_it */
++ oldap_done, /* done */
+ ZERO_NULL, /* do_more */
+- ldap_connect, /* connect_it */
+- ldap_connecting, /* connecting */
++ oldap_connect, /* connect_it */
++ oldap_connecting, /* connecting */
+ ZERO_NULL, /* doing */
+ ZERO_NULL, /* proto_getsock */
+ ZERO_NULL, /* doing_getsock */
+ ZERO_NULL, /* domore_getsock */
+ ZERO_NULL, /* perform_getsock */
+- ldap_disconnect, /* disconnect */
++ oldap_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
+ ZERO_NULL, /* attach connection */
+@@ -173,8 +173,8 @@ struct ldapreqinfo {
+ int nument;
+ };
+
+-static CURLcode ldap_setup_connection(struct Curl_easy *data,
+- struct connectdata *conn)
++static CURLcode oldap_setup_connection(struct Curl_easy *data,
++ struct connectdata *conn)
+ {
+ struct ldapconninfo *li;
+ LDAPURLDesc *lud;
+@@ -209,7 +209,7 @@ static CURLcode ldap_setup_connection(struct Curl_easy *data,
+ static Sockbuf_IO ldapsb_tls;
+ #endif
+
+-static CURLcode ldap_connect(struct Curl_easy *data, bool *done)
++static CURLcode oldap_connect(struct Curl_easy *data, bool *done)
+ {
+ struct connectdata *conn = data->conn;
+ struct ldapconninfo *li = conn->proto.ldapc;
+@@ -257,7 +257,7 @@ static CURLcode ldap_connect(struct Curl_easy *data, bool *done)
+ return CURLE_OK;
+ }
+
+-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done)
++static CURLcode oldap_connecting(struct Curl_easy *data, bool *done)
+ {
+ struct connectdata *conn = data->conn;
+ struct ldapconninfo *li = conn->proto.ldapc;
+@@ -356,14 +356,15 @@ static CURLcode ldap_connecting(struct Curl_easy *data, bool *done)
+
+ if(info)
+ ldap_memfree(info);
+- conn->recv[FIRSTSOCKET] = ldap_recv;
++ conn->recv[FIRSTSOCKET] = oldap_recv;
+ *done = TRUE;
+
+ return CURLE_OK;
+ }
+
+-static CURLcode ldap_disconnect(struct Curl_easy *data,
+- struct connectdata *conn, bool dead_connection)
++static CURLcode oldap_disconnect(struct Curl_easy *data,
++ struct connectdata *conn,
++ bool dead_connection)
+ {
+ struct ldapconninfo *li = conn->proto.ldapc;
+ (void) dead_connection;
+@@ -384,7 +385,7 @@ static CURLcode ldap_disconnect(struct Curl_easy *data,
+ return CURLE_OK;
+ }
+
+-static CURLcode ldap_do(struct Curl_easy *data, bool *done)
++static CURLcode oldap_do(struct Curl_easy *data, bool *done)
+ {
+ struct connectdata *conn = data->conn;
+ struct ldapconninfo *li = conn->proto.ldapc;
+@@ -429,8 +430,8 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+ return CURLE_OK;
+ }
+
+-static CURLcode ldap_done(struct Curl_easy *data, CURLcode res,
+- bool premature)
++static CURLcode oldap_done(struct Curl_easy *data, CURLcode res,
++ bool premature)
+ {
+ struct connectdata *conn = data->conn;
+ struct ldapreqinfo *lr = data->req.p.ldap;
+@@ -452,8 +453,8 @@ static CURLcode ldap_done(struct Curl_easy *data, CURLcode res,
+ return CURLE_OK;
+ }
+
+-static ssize_t ldap_recv(struct Curl_easy *data, int sockindex, char *buf,
+- size_t len, CURLcode *err)
++static ssize_t oldap_recv(struct Curl_easy *data, int sockindex, char *buf,
++ size_t len, CURLcode *err)
+ {
+ struct connectdata *conn = data->conn;
+ struct ldapconninfo *li = conn->proto.ldapc;
+--
+2.35.3
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 8853ea2..3660f44 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.76.1
-Release: 14%{?dist}.5
+Release: 19%{?dist}
License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz
@@ -35,6 +35,9 @@ Patch9: 0009-curl-7.76.1-CVE-2021-22947.patch
# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
Patch10: 0010-curl-7.76.1-CVE-2022-22576.patch
+# fix bad local IPv6 connection reuse (CVE-2022-27775)
+Patch11: 0011-curl-7.76.1-CVE-2022-27775.patch
+
# fix auth/cookie leak on redirect (CVE-2022-27776)
Patch12: 0012-curl-7.76.1-CVE-2022-27776.patch
@@ -56,6 +59,9 @@ Patch17: 0017-curl-7.76.1-CVE-2022-32206.patch
# fix unpreserved file permissions (CVE-2022-32207)
Patch19: 0019-curl-7.76.1-CVE-2022-32207.patch
+# fix build failure caused by openldap rebase (#2094159)
+Patch20: 0020-curl-7.76.1-openldap-rebase.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@@ -241,6 +247,7 @@ be installed.
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
@@ -248,6 +255,7 @@ be installed.
%patch16 -p1
%patch17 -p1
%patch19 -p1
+%patch20 -p1
# Fedora patches
%patch101 -p1
@@ -468,23 +476,24 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
-* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.5
+* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-19
- fix unpreserved file permissions (CVE-2022-32207)
- fix HTTP compression denial of service (CVE-2022-32206)
- fix FTP-KRB bad message verification (CVE-2022-32208)
-* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.4
+* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-18
- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
-* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.3
+* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-17
- fix leak of SRP credentials in redirects (CVE-2022-27774)
-* Fri Apr 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.2
+* Fri Apr 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-16
- add missing tests to Makefile
-* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.1
+* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-15
- fix credential leak on redirect (CVE-2022-27774)
- fix auth/cookie leak on redirect (CVE-2022-27776)
+- fix bad local IPv6 connection reuse (CVE-2022-27775)
- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
* Tue Oct 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14