diff --git a/SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch b/SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch
new file mode 100644
index 0000000..90c94c7
--- /dev/null
+++ b/SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch
@@ -0,0 +1,148 @@
+From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+
+Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/strcase.c   | 10 ++++++++++
+ lib/strcase.h   |  2 ++
+ lib/url.c       | 13 ++++++++++++-
+ lib/urldata.h   |  1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1..692a3f1 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
+   } while(*src++ && --n);
+ }
+ 
++/* Compare case-sensitive NUL-terminated strings, taking care of possible
++ * null pointers. Return true if arguments match.
++ */
++bool Curl_safecmp(char *a, char *b)
++{
++  if(a && b)
++    return !strcmp(a, b);
++  return !a && !b;
++}
++
+ /* --- public functions --- */
+ 
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b628656..382b80a 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+ 
++bool Curl_safecmp(char *a, char *b);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index adef2cd..94e3406 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn)
+   Curl_safefree(conn->passwd);
+   Curl_safefree(conn->sasl_authzid);
+   Curl_safefree(conn->options);
++  Curl_safefree(conn->oauth_bearer);
+   Curl_dyn_free(&conn->trailer);
+   Curl_safefree(conn->host.rawalloc); /* host name buffer */
+   Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data,
+         /* This protocol requires credentials per connection,
+            so verify that we're using the same name and password as well */
+         if(strcmp(needle->user, check->user) ||
+-           strcmp(needle->passwd, check->passwd)) {
++           strcmp(needle->passwd, check->passwd) ||
++           !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
++           !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+           /* one of them was different */
+           continue;
+         }
+@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data,
+     }
+   }
+ 
++  if(data->set.str[STRING_BEARER]) {
++    conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
++    if(!conn->oauth_bearer) {
++      result = CURLE_OUT_OF_MEMORY;
++      goto out;
++    }
++  }
++
+ #ifdef USE_UNIX_SOCKETS
+   if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
+     conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
+diff --git a/lib/urldata.h b/lib/urldata.h
+index cc8a600..03da59a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -991,6 +991,7 @@ struct connectdata {
+   char *passwd;  /* password string, allocated */
+   char *options; /* options string, allocated */
+   char *sasl_authzid;     /* authorisation identity string, allocated */
++  char *oauth_bearer; /* OAUTH2 bearer, allocated */
+   unsigned char httpversion; /* the HTTP version*10 reported by the server */
+   struct curltime now;     /* "current" time */
+   struct curltime created; /* creation time */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba..a40ac06 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+   return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+ 
+-static bool safecmp(char *a, char *b)
+-{
+-  if(a && b)
+-    return !strcmp(a, b);
+-  else if(!a && !b)
+-    return TRUE; /* match */
+-  return FALSE; /* no match */
+-}
+-
+ 
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+      (data->verifystatus == needle->verifystatus) &&
+      blobcmp(data->cert_blob, needle->cert_blob) &&
+      blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+-     safecmp(data->CApath, needle->CApath) &&
+-     safecmp(data->CAfile, needle->CAfile) &&
+-     safecmp(data->issuercert, needle->issuercert) &&
+-     safecmp(data->clientcert, needle->clientcert) &&
+-     safecmp(data->random_file, needle->random_file) &&
+-     safecmp(data->egdsocket, needle->egdsocket) &&
++     Curl_safecmp(data->CApath, needle->CApath) &&
++     Curl_safecmp(data->CAfile, needle->CAfile) &&
++     Curl_safecmp(data->issuercert, needle->issuercert) &&
++     Curl_safecmp(data->clientcert, needle->clientcert) &&
++     Curl_safecmp(data->random_file, needle->random_file) &&
++     Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->curves, needle->curves) &&
+-- 
+2.34.1
+
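Review bot: `Curl_safecmp()` in lib/strcase.c and its prototype in lib/strcase.h take `char *a, char *b` although the body only reads both strings. Now that it is a shared helper it should be declared `bool Curl_safecmp(const char *a, const char *b);`, so callers holding const strings need no cast. The prototype in strcase.h carries no comment, and the description from strcase.c (tolerates NULL, case-sensitive, true on match) belongs there as well. In the ConnectionExists hunk of lib/url.c the two new comparisons are NULL-safe while the neighbouring `strcmp(needle->user, check->user)` is not, which presumably relies on user and passwd always being set on this path; that function starts and ends outside the hunk, so this should be confirmed there.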
diff --git a/SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch b/SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch
new file mode 100644
index 0000000..769a0fd
--- /dev/null
+++ b/SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch
@@ -0,0 +1,40 @@
+From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+
+Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index cd5756a..9b9f683 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -159,8 +159,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+     /* report back which name we used */
+     *hostp = hostname;
+ 
+-  /* put the number first so that the hostname gets cut off if too long */
+-  msnprintf(buf, len, "%ld%s", port, hostname);
++  /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++  msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++  msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ }
+ 
+ /* Returns number of connections currently held in the connection cache.
+-- 
+2.34.1
+
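Review bot: The comment in `hashkey()` in lib/conncache.c keeps the rule that an over-long hostname is cut off, so two hosts that share a long prefix, the port and the zone id can still produce the same bundle key. The buffer length comes from the caller outside this hunk, so whether that is reachable should be checked against the longest hostname accepted; code using the key should not treat key equality as host equality. A comment stating the layout would make this explicit, for example `/* key is "<scope_id>/<port>/<hostname>"; a truncated key may be shared by different hosts */`. The `%u` conversion assumes `conn->scope_id` is an `unsigned int`, which the hunk does not show.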
diff --git a/SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch b/SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch
new file mode 100644
index 0000000..7dd5fdf
--- /dev/null
+++ b/SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch
@@ -0,0 +1,243 @@
+From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+
+Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c    | 33 +++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 30 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 799d4fb..0791dcf 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
+   return CURLE_OK;
+ }
+ 
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++  struct connectdata *conn = data->conn;
++  return (!data->state.this_is_a_follow ||
++          data->set.allow_auth_to_other_hosts ||
++          (data->state.first_host &&
++           strcasecompare(data->state.first_host, conn->host.name) &&
++           (data->state.first_remote_port == conn->remote_port) &&
++           (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ /**
+  * Curl_http_output_auth() setups the authentication headers for the
+  * host/proxy and the correct authentication
+@@ -847,15 +862,11 @@ Curl_http_output_auth(struct Curl_easy *data,
+        with it */
+     authproxy->done = TRUE;
+ 
+-  /* To prevent the user+password to get sent to other than the original
+-     host due to a location-follow, we do some weirdo checks here */
+-  if(!data->state.this_is_a_follow ||
+-     conn->bits.netrc ||
+-     !data->state.first_host ||
+-     data->set.allow_auth_to_other_hosts ||
+-     strcasecompare(data->state.first_host, conn->host.name)) {
++  /* To prevent the user+password to get sent to other than the original host
++     due to a location-follow */
++  if(allow_auth_to_host(data)
++     || conn->bits.netrc)
+     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+-  }
+   else
+     authhost->done = TRUE;
+ 
+@@ -1906,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+                    checkprefix("Cookie:", compare)) &&
+                   /* be careful of sending this potentially sensitive header to
+                      other hosts */
+-                  (data->state.this_is_a_follow &&
+-                   data->state.first_host &&
+-                   !data->set.allow_auth_to_other_hosts &&
+-                   !strcasecompare(data->state.first_host, conn->host.name)))
++                  !allow_auth_to_host(data))
+             ;
+           else {
+ #ifdef USE_HYPER
+@@ -2081,6 +2089,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
+       return CURLE_OUT_OF_MEMORY;
+ 
+     data->state.first_remote_port = conn->remote_port;
++    data->state.first_remote_protocol = conn->handler->protocol;
+   }
+   Curl_safefree(data->state.aptr.host);
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 03da59a..f92052a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1336,14 +1336,16 @@ struct UrlState {
+   char *ulbuf; /* allocated upload buffer or NULL */
+   curl_off_t current_speed;  /* the ProgressShow() function sets this,
+                                 bytes / second */
+-  char *first_host; /* host name of the first (not followed) request.
+-                       if set, this should be the host name that we will
+-                       sent authorization to, no else. Used to make Location:
+-                       following not keep sending user+password... This is
+-                       strdup() data.
+-                    */
++
++  /* host name, port number and protocol of the first (not followed) request.
++     if set, this should be the host name that we will sent authorization to,
++     no else. Used to make Location: following not keep sending user+password.
++     This is strdup()ed data. */
++  char *first_host;
++  int first_remote_port;
++  unsigned int first_remote_protocol;
++
+   int retrycount; /* number of retries on a new connection */
+-  int first_remote_port; /* remote port of the first (not followed) request */
+   struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+   long sessionage;                  /* number of the most recent session */
+   struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
+-- 
+2.34.1
+
+
+From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:47 +0200
+Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
+
+Do not pass on Authorization headers on redirects to another port
+
+Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test898      | 90 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test898
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 59d46bc..7ae2cf8 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -106,7 +106,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
+ test863 test864 test865 test866 test867 test868 test869 test870 test871 \
+ test872 test873 test874 test875 test876 test877 test878 test879 test880 \
+ test881 test882 test883 test884 test885 test886 test887 test888 test889 \
+-test890 test891 test892 test893 test894 test895 test896 \
++test890 test891 test892 test893 test894 test895 test896         test898 \
+ \
+ test900 test901 test902 test903 test904 test905 test906 test907 test908 \
+ test909 test910 test911 test912 test913 test914 test915 test916 test917 \
+diff --git a/tests/data/test898 b/tests/data/test898
+new file mode 100644
+index 0000000..5cbb7d8
+--- /dev/null
++++ b/tests/data/test898
+@@ -0,0 +1,90 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++--location
++Authorization
++Cookie
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++HTTP with custom auth and cookies redirected to HTTP on a diff port
++ </name>
++ <command>
++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET http://firsthost.com/ HTTP/1.1
++Host: firsthost.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++Authorization: Basic am9lOnNlY3JldA==
++Cookie: userpwd=am9lOnNlY3JldA==
++
++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
++Host: firsthost.com:9999
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+-- 
+2.34.1
+
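Review bot: In `Curl_http_output_auth()` in lib/http.c the new condition `allow_auth_to_host(data) || conn->bits.netrc` lets the netrc case skip the added port and protocol comparison on a followed redirect. If that is intended, the comment above the `if` should say why, e.g. `/* credentials taken from .netrc are sent even when the redirect target differs from first_host */`; if it is not, the netrc branch needs the same port and protocol test. The doc comment on `allow_auth_to_host()` misspells "authentication" and does not name the three values it compares (host name, remote port, protocol). test898 exercises only a port change, so the `first_remote_protocol` clause has no test in this patch.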
diff --git a/SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch b/SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch
new file mode 100644
index 0000000..a911611
--- /dev/null
+++ b/SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch
@@ -0,0 +1,635 @@
+From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
+
+To make it available after the connection ended.
+
+Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/connect.c | 1 +
+ lib/urldata.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 64f9511..7518807 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
+   data->info.conn_scheme = conn->handler->scheme;
+   data->info.conn_protocol = conn->handler->protocol;
+   data->info.conn_primary_port = conn->port;
++  data->info.conn_remote_port = conn->remote_port;
+   data->info.conn_local_port = local_port;
+ }
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f92052a..5218f76 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1167,7 +1167,11 @@ struct PureInfo {
+      reused, in the connection cache. */
+ 
+   char conn_primary_ip[MAX_IPADR_LEN];
+-  int conn_primary_port;
++  int conn_primary_port; /* this is the destination port to the connection,
++                            which might have been a proxy */
++  int conn_remote_port;  /* this is the "remote port", which is the port
++                            number of the used URL, independent of proxy or
++                            not */
+   char conn_local_ip[MAX_IPADR_LEN];
+   int conn_local_port;
+   const char *conn_scheme;
+-- 
+2.34.1
+
+
+From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
+ auth
+
+... unless explicitly permitted.
+
+Bug: https://curl.se/docs/CVE-2022-27774.html
+Reported-by: Harry Sintonen
+Closes #8748
+
+Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 1f8019b..752fe14 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       return CURLE_OUT_OF_MEMORY;
+   }
+   else {
+-
+     uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
+     if(uc)
+       return Curl_uc_to_curlcode(uc);
++
++    /* Clear auth if this redirects to a different port number or protocol,
++       unless permitted */
++    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
++      char *portnum;
++      int port;
++      bool clear = FALSE;
++
++      if(data->set.use_port && data->state.allow_port)
++        /* a custom port is used */
++        port = (int)data->set.use_port;
++      else {
++        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
++                          CURLU_DEFAULT_PORT);
++        if(uc) {
++          free(newurl);
++          return Curl_uc_to_curlcode(uc);
++        }
++        port = atoi(portnum);
++        free(portnum);
++      }
++      if(port != data->info.conn_remote_port) {
++        infof(data, "Clear auth, redirects to port from %u to %u",
++              data->info.conn_remote_port, port);
++        clear = TRUE;
++      }
++      else {
++        char *scheme;
++        const struct Curl_handler *p;
++        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
++        if(uc) {
++          free(newurl);
++          return Curl_uc_to_curlcode(uc);
++        }
++
++        p = Curl_builtin_scheme(scheme);
++        if(p && (p->protocol != data->info.conn_protocol)) {
++          infof(data, "Clear auth, redirects scheme from %s to %s",
++                data->info.conn_scheme, scheme);
++          clear = TRUE;
++        }
++        free(scheme);
++      }
++      if(clear) {
++        Curl_safefree(data->state.aptr.user);
++        Curl_safefree(data->state.aptr.passwd);
++      }
++    }
+   }
+ 
+   if(type == FOLLOW_FAKE) {
+-- 
+2.34.1
+
+
+From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
+
+ - Test 973 redirects from HTTP to FTP, clear auth
+ - Test 974 redirects from HTTP to HTTP different port, clear auth
+ - Test 975 redirects from HTTP to FTP, permitted to keep auth
+ - Test 976 redirects from HTTP to HTTP different port, permitted to keep
+   auth
+
+Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  1 +
+ tests/data/test973      | 88 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test974      | 87 ++++++++++++++++++++++++++++++++++++++++
+ tests/data/test975      | 88 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test976      | 88 +++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 352 insertions(+)
+ create mode 100644 tests/data/test973
+ create mode 100644 tests/data/test974
+ create mode 100644 tests/data/test975
+ create mode 100644 tests/data/test976
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7ae2cf8..175fc43 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
+ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
++test973 test974 test975 test976 \
+ \
+ test980 test981 test982 test983 test984 test985 test986 \
+ \
+diff --git a/tests/data/test973 b/tests/data/test973
+new file mode 100644
+index 0000000..6ced107
+--- /dev/null
++++ b/tests/data/test973
+@@ -0,0 +1,88 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++FTP
++--location
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++data
++    to
++      see
++that FTP
++works
++  so does it?
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
++
++data
++    to
++      see
++that FTP
++works
++  so does it?
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++ftp
++</server>
++ <name>
++HTTP with auth redirected to FTP w/o auth
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD a
++CWD path
++EPSV
++TYPE I
++SIZE %TESTNUMBER0002
++RETR %TESTNUMBER0002
++QUIT
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test974 b/tests/data/test974
+new file mode 100644
+index 0000000..ac4e641
+--- /dev/null
++++ b/tests/data/test974
+@@ -0,0 +1,87 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++--location
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++HTTP with auth redirected to HTTP on a diff port w/o auth
++ </name>
++ <command>
++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET http://firsthost.com/ HTTP/1.1
++Host: firsthost.com
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
++Host: firsthost.com:9999
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test975 b/tests/data/test975
+new file mode 100644
+index 0000000..85e03e4
+--- /dev/null
++++ b/tests/data/test975
+@@ -0,0 +1,88 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++FTP
++--location-trusted
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++data
++    to
++      see
++that FTP
++works
++  so does it?
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
++
++data
++    to
++      see
++that FTP
++works
++  so does it?
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++ftp
++</server>
++ <name>
++HTTP with auth redirected to FTP allowing auth to continue
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++
++USER joe
++PASS secret
++PWD
++CWD a
++CWD path
++EPSV
++TYPE I
++SIZE %TESTNUMBER0002
++RETR %TESTNUMBER0002
++QUIT
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test976 b/tests/data/test976
+new file mode 100644
+index 0000000..c4dd61e
+--- /dev/null
++++ b/tests/data/test976
+@@ -0,0 +1,88 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++--location-trusted
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++HTTP with auth redirected to HTTP on a diff port --location-trusted
++ </name>
++ <command>
++-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET http://firsthost.com/ HTTP/1.1
++Host: firsthost.com
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
++Host: firsthost.com:9999
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+-- 
+2.34.1
+
+
+From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 17:59:15 +0200
+Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
+ either
+
+Follow-up to 620ea21410030
+
+Reported-by: Harry Sintonen
+Closes #8751
+
+Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c         | 10 +++++-----
+ lib/http.h         |  6 ++++++
+ lib/vtls/openssl.c |  3 ++-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 0791dcf..4433824 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
+ }
+ 
+ /*
+- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+- * data" can (still) be sent to this host.
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
+  */
+-static bool allow_auth_to_host(struct Curl_easy *data)
++bool Curl_allow_auth_to_host(struct Curl_easy *data)
+ {
+   struct connectdata *conn = data->conn;
+   return (!data->state.this_is_a_follow ||
+@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
+ 
+   /* To prevent the user+password to get sent to other than the original host
+      due to a location-follow */
+-  if(allow_auth_to_host(data)
++  if(Curl_allow_auth_to_host(data)
+      || conn->bits.netrc)
+     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+   else
+@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+                    checkprefix("Cookie:", compare)) &&
+                   /* be careful of sending this potentially sensitive header to
+                      other hosts */
+-                  !allow_auth_to_host(data))
++                  !Curl_allow_auth_to_host(data))
+             ;
+           else {
+ #ifdef USE_HYPER
+diff --git a/lib/http.h b/lib/http.h
+index 07e963d..9000bae 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data,
+                       bool proxytunnel); /* TRUE if this is the request setting
+                                             up the proxy tunnel */
+ 
++/*
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
++ */
++bool Curl_allow_auth_to_host(struct Curl_easy *data);
++
+ #endif /* HEADER_CURL_HTTP_H */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1bafe96..97c5666 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+ 
+ #ifdef USE_OPENSSL_SRP
+-  if(ssl_authtype == CURL_TLSAUTH_SRP) {
++  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
++     Curl_allow_auth_to_host(data)) {
+     char * const ssl_username = SSL_SET_OPTION(username);
+ 
+     infof(data, "Using TLS-SRP username: %s\n", ssl_username);
+-- 
+2.34.1
+
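Review bot: The two new `infof()` calls in `Curl_follow()` in lib/transfer.c have format strings without a trailing `\n`, while the context line in lib/vtls/openssl.c in this same tree ends with one (`"Using TLS-SRP username: %s\n"`). If `infof()` in this version does not append the newline itself, the backported messages will run into the next verbose line. The port message also prints two `int` values with `%u`; it should read `infof(data, "Clear auth, redirects to port from %d to %d\n", data->info.conn_remote_port, port);`. When `Curl_builtin_scheme(scheme)` returns NULL the credentials are kept, which presumably is safe only because an unknown scheme fails later; a short comment on `if(p && ...)` saying so would help, and Curl_follow's body continues outside the hunk.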
diff --git a/SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch b/SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch
new file mode 100644
index 0000000..515ebd3
--- /dev/null
+++ b/SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch
@@ -0,0 +1,461 @@
+From 50481ac42b4beae6ea85345e37b051124ac00f11 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 28 Jan 2022 16:48:38 +0100
+Subject: [PATCH 1/3] setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds
+
+Closes #8350
+
+Upstream-commit: 96629ba2c212cda2bd1b7b04e2a9fc01ef70b75d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 08827d1..9eaa187 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -2699,30 +2699,30 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
++#ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
+                             va_arg(param, char *));
+-#ifndef CURL_DISABLE_PROXY
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+        !data->set.proxy_ssl.authtype)
+       data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+-#endif
+     break;
++#endif
+   case CURLOPT_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
+                             va_arg(param, char *));
+     if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
++#ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
+                             va_arg(param, char *));
+-#ifndef CURL_DISABLE_PROXY
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+        !data->set.proxy_ssl.authtype)
+       data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+-#endif
+     break;
++#endif
+   case CURLOPT_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+-- 
+2.34.1
+
+
+From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c       | 29 +++++++++++++++++------------
+ lib/url.c          | 23 ++++++++++++++++-------
+ lib/urldata.h      | 13 +++++++------
+ lib/vtls/openssl.c | 10 +++++-----
+ lib/vtls/vtls.c    | 21 +++++++++++++++++++++
+ 5 files changed, 66 insertions(+), 30 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 8e1bf12..7aa6fdb 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2268,6 +2268,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ 
+   case CURLOPT_SSL_OPTIONS:
+     arg = va_arg(param, long);
++    data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.ssl.enable_beast =
+       (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
+     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
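Review bot: The cast `(unsigned char)(arg & 0xff)` on the added line keeps only the low eight bits of the CURLOPT_SSL_OPTIONS bitmask. This field is what Curl_ssl_config_matches() compares when deciding on connection reuse, so any option bit above bit 7 would silently drop out of that comparison. Nothing in the hunk records that every CURLSSLOPT_* bit must fit in a byte; a comment such as `/* all CURLSSLOPT_* bits must fit in the 8-bit ssl_options or reuse matching will not see them */` would state the constraint. The same applies to the CURLOPT_PROXY_SSL_OPTIONS case in the next hunk, and Curl_vsetopt() itself starts and ends outside both hunks.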
+@@ -2281,6 +2282,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_SSL_OPTIONS:
+     arg = va_arg(param, long);
++    data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.proxy_ssl.enable_beast =
+       (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
+     data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+@@ -2696,49 +2698,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+   case CURLOPT_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
++       !data->set.ssl.primary.authtype)
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
+                             va_arg(param, char *));
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++       !data->set.proxy_ssl.primary.authtype)
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
++                                                                  SRP */
+     break;
+ #endif
+   case CURLOPT_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
++       !data->set.ssl.primary.authtype)
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
+                             va_arg(param, char *));
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++       !data->set.proxy_ssl.primary.authtype)
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+     break;
+ #endif
+   case CURLOPT_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+ #endif
+ #endif
+diff --git a/lib/url.c b/lib/url.c
+index 94e3406..5ebf5e2 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+   set->ssl.primary.verifypeer = TRUE;
+   set->ssl.primary.verifyhost = TRUE;
+ #ifdef USE_TLS_SRP
+-  set->ssl.authtype = CURL_TLSAUTH_NONE;
++  set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ #endif
+   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+                                                       type */
+@@ -1719,11 +1719,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
+   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
+   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
++  conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
++#ifdef USE_TLS_SRP
++#endif
+ #ifndef CURL_DISABLE_PROXY
+   conn->proxy_ssl_config.verifystatus =
+     data->set.proxy_ssl.primary.verifystatus;
+   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
++  conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
++#ifdef USE_TLS_SRP
++#endif
+ #endif
+   conn->ip_version = data->set.ipver;
+   conn->bits.connect_only = data->set.connect_only;
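Review bot: The two `#ifdef USE_TLS_SRP` / `#endif` pairs added after the `ssl_options` assignments are empty, so they compile to nothing in either configuration and read as if an SRP field copy was meant to follow. If allocate_conn() is not supposed to copy username, password or authtype here (the vtls.c hunks of this patch copy them in Curl_clone_primary_ssl_config()), the empty conditionals should be dropped; otherwise the missing assignments need to be added. allocate_conn() begins and ends outside the hunk, so whether the SRP fields reach `conn->ssl_config` by another route cannot be confirmed from these lines.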
+@@ -3764,7 +3770,8 @@ static CURLcode create_conn(struct Curl_easy *data,
+     data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.primary.issuercert_blob =
+     data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
+-  data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
++  data->set.proxy_ssl.primary.CRLfile =
++    data->set.str[STRING_SSL_CRLFILE_PROXY];
+   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
+@@ -3772,18 +3779,20 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
+   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+-  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
++  data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+   data->set.ssl.key = data->set.str[STRING_KEY];
+   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
+   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
+   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+-  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+-  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
++  data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
++  data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #ifndef CURL_DISABLE_PROXY
+-  data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+-  data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
++  data->set.proxy_ssl.primary.username =
++    data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
++  data->set.proxy_ssl.primary.password =
++    data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ #endif
+   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 5218f76..e006495 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -253,9 +253,16 @@ struct ssl_primary_config {
+   char *cipher_list;     /* list of ciphers to use */
+   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
+   char *pinned_key;
++  char *CRLfile;         /* CRL to check certificate revocation */
+   struct curl_blob *cert_blob;
+   struct curl_blob *issuercert_blob;
++#ifdef USE_TLS_SRP
++  char *username; /* TLS username (for, e.g., SRP) */
++  char *password; /* TLS password (for, e.g., SRP) */
++  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
++#endif
+   char *curves;          /* list of curves to use */
++  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
+   BIT(verifypeer);       /* set TRUE if this is desired */
+   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
+   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
+@@ -265,7 +272,6 @@ struct ssl_primary_config {
+ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+-  char *CRLfile;   /* CRL to check certificate revocation */
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert_type; /* format for certificate (default: PEM)*/
+@@ -273,11 +279,6 @@ struct ssl_config_data {
+   struct curl_blob *key_blob;
+   char *key_type; /* format for private key (default: PEM) */
+   char *key_passwd; /* plain text private key password */
+-#ifdef USE_TLS_SRP
+-  char *username; /* TLS username (for, e.g., SRP) */
+-  char *password; /* TLS password (for, e.g., SRP) */
+-  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+-#endif
+   BIT(certinfo);     /* gather lots of certificate info */
+   BIT(falsestart);
+   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 97c5666..a4ef9d1 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2546,7 +2546,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+   const long int ssl_version = SSL_CONN_CONFIG(version);
+ #ifdef USE_OPENSSL_SRP
+-  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
++  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
+ #endif
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+@@ -2554,7 +2554,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
++  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+   char error_buffer[256];
+   struct ssl_backend_data *backend = connssl->backend;
+   bool imported_native_ca = false;
+@@ -2859,15 +2859,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #ifdef USE_OPENSSL_SRP
+   if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+      Curl_allow_auth_to_host(data)) {
+-    char * const ssl_username = SSL_SET_OPTION(username);
+-
++    char * const ssl_username = SSL_SET_OPTION(primary.username);
++    char * const ssl_password = SSL_SET_OPTION(primary.password);
+     infof(data, "Using TLS-SRP username: %s\n", ssl_username);
+ 
+     if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
+       failf(data, "Unable to set SRP user name");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+-    if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
++    if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
+       failf(data, "failed setting SRP password");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index a40ac06..e2d3438 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ {
+   if((data->version == needle->version) &&
+      (data->version_max == needle->version_max) &&
++     (data->ssl_options == needle->ssl_options) &&
+      (data->verifypeer == needle->verifypeer) &&
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&
+@@ -143,9 +144,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+      Curl_safecmp(data->clientcert, needle->clientcert) &&
+      Curl_safecmp(data->random_file, needle->random_file) &&
+      Curl_safecmp(data->egdsocket, needle->egdsocket) &&
++#ifdef USE_TLS_SRP
++     Curl_safecmp(data->username, needle->username) &&
++     Curl_safecmp(data->password, needle->password) &&
++     (data->authtype == needle->authtype) &&
++#endif
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->curves, needle->curves) &&
++     Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
+      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+     return TRUE;
+ 
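Review bot: `Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile)` compares the CRL file name case-insensitively, so on a case-sensitive file system two different CRL files whose names differ only in letter case count as the same configuration and an existing connection could be reused under the other revocation list. The SRP username and password added just above use the case-sensitive `Curl_safecmp()`, and the CRL path should as well: `Curl_safecmp(data->CRLfile, needle->CRLfile) &&`. The `pinned_key` comparison on the following context line has the same form and is worth checking for the same reason. Curl_ssl_config_matches() starts in the previous hunk and continues past this one.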
+@@ -162,6 +169,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   dest->verifyhost = source->verifyhost;
+   dest->verifystatus = source->verifystatus;
+   dest->sessionid = source->sessionid;
++  dest->ssl_options = source->ssl_options;
++#ifdef USE_TLS_SRP
++  dest->authtype = source->authtype;
++#endif
+ 
+   CLONE_BLOB(cert_blob);
+   CLONE_BLOB(issuercert_blob);
+@@ -175,6 +186,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   CLONE_STRING(cipher_list13);
+   CLONE_STRING(pinned_key);
+   CLONE_STRING(curves);
++  CLONE_STRING(CRLfile);
++#ifdef USE_TLS_SRP
++  CLONE_STRING(username);
++  CLONE_STRING(password);
++#endif
+ 
+   return TRUE;
+ }
+@@ -193,6 +209,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+   Curl_safefree(sslc->cert_blob);
+   Curl_safefree(sslc->issuercert_blob);
+   Curl_safefree(sslc->curves);
++  Curl_safefree(sslc->CRLfile);
++#ifdef USE_TLS_SRP
++  Curl_safefree(sslc->username);
++  Curl_safefree(sslc->password);
++#endif
+ }
+ 
+ #ifdef USE_SSL
+-- 
+2.34.1
+
+
+From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH 3/3] url: check SSH config match on connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c      | 11 +++++++++++
+ lib/vssh/ssh.h |  6 +++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 5ebf5e2..c713e54 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1073,6 +1073,12 @@ static void prune_dead_connections(struct Curl_easy *data)
+   }
+ }
+ 
++static bool ssh_config_matches(struct connectdata *one,
++                               struct connectdata *two)
++{
++  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
++          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
++}
+ /*
+  * Given one filled in connection struct (named needle), this function should
+  * detect if there already is one that has all the significant details
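Review bot: ssh_config_matches() is added without a comment and runs straight into the comment block of the next function with no blank line, so that block is easily read as its documentation. It compares only the `rsa` and `rsa_pub` strings, which the ssh.h hunk of this patch describes as the private and public key files; a short header such as `/* SSH connections may only be shared when they use the same private and public key files */` plus an empty line after the closing brace would make that clear. Other members of struct ssh_conn visible in that hunk, such as `passphrase`, are not part of the match, and if that is intentional the comment should say so.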
+@@ -1319,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
+         }
+       }
+ 
++      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
++        if(!ssh_config_matches(needle, check))
++          continue;
++      }
++
+       if((needle->handler->flags&PROTOPT_SSL)
+ #ifndef CURL_DISABLE_PROXY
+          || !needle->bits.httpproxy || needle->bits.tunnel_proxy
+diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
+index 7972081..30d82e5 100644
+--- a/lib/vssh/ssh.h
++++ b/lib/vssh/ssh.h
+@@ -7,7 +7,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -131,8 +131,8 @@ struct ssh_conn {
+ 
+   /* common */
+   const char *passphrase;     /* pass-phrase to use */
+-  char *rsa_pub;              /* path name */
+-  char *rsa;                  /* path name */
++  char *rsa_pub;              /* strdup'ed public key file */
++  char *rsa;                  /* strdup'ed private key file */
+   bool authed;                /* the connection has been authenticated fine */
+   bool acceptfail;            /* used by the SFTP_QUOTE (continue if
+                                  quote command fails) */
+-- 
+2.34.1
+
diff --git a/SOURCES/0015-curl-7.76.1-tests-openssh.patch b/SOURCES/0015-curl-7.76.1-tests-openssh.patch
new file mode 100644
index 0000000..980404a
--- /dev/null
+++ b/SOURCES/0015-curl-7.76.1-tests-openssh.patch
@@ -0,0 +1,101 @@
+From 85a8c0e9992cee271145ecf009f60b9bee9b7a60 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 15 Sep 2021 09:59:14 +0200
+Subject: [PATCH] tests/sshserver.pl: make it work with openssh-8.7p1
+
+... by not using options with no argument where an argument is required:
+
+=== Start of file tests/log/ssh_server.log
+curl_sshd_config line 6: no argument after keyword "DenyGroups"
+curl_sshd_config line 7: no argument after keyword "AllowGroups"
+curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
+curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
+curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
+curl_sshd_config line 40: Deprecated option RSAAuthentication
+curl_sshd_config line 41: Deprecated option ServerKeyBits
+curl_sshd_config line 45: Deprecated option UseLogin
+curl_sshd_config line 56: no argument after keyword "AcceptEnv"
+curl_sshd_config: terminating, 3 bad configuration options
+=== End of file tests/log/ssh_server.log
+
+=== Start of file log/sftp_server.log
+curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
+curl_sftp_config line 34: Unsupported option "rsaauthentication"
+curl_sftp_config line 52: no argument after keyword "sendenv"
+curl_sftp_config: terminating, 1 bad configuration options
+Connection closed.
+Connection closed
+=== End of file log/sftp_server.log
+
+Closes #7724
+
+Upstream-commit: ab78d2c679dfb37b27e89f42ad050c3153fa7513
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/sshserver.pl | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/tests/sshserver.pl b/tests/sshserver.pl
+index 9441939..2afaace 100644
+--- a/tests/sshserver.pl
++++ b/tests/sshserver.pl
+@@ -428,9 +428,7 @@ if ($sshdid =~ /OpenSSH-Windows/) {
+ #  ssh daemon configuration file options we might use and version support
+ #
+ #  AFSTokenPassing                  : OpenSSH 1.2.1 and later [1]
+-#  AcceptEnv                        : OpenSSH 3.9.0 and later
+ #  AddressFamily                    : OpenSSH 4.0.0 and later
+-#  AllowGroups                      : OpenSSH 1.2.1 and later
+ #  AllowTcpForwarding               : OpenSSH 2.3.0 and later
+ #  AllowUsers                       : OpenSSH 1.2.1 and later
+ #  AuthorizedKeysFile               : OpenSSH 2.9.9 and later
+@@ -441,7 +439,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
+ #  ClientAliveCountMax              : OpenSSH 2.9.0 and later
+ #  ClientAliveInterval              : OpenSSH 2.9.0 and later
+ #  Compression                      : OpenSSH 3.3.0 and later
+-#  DenyGroups                       : OpenSSH 1.2.1 and later
+ #  DenyUsers                        : OpenSSH 1.2.1 and later
+ #  ForceCommand                     : OpenSSH 4.4.0 and later [3]
+ #  GatewayPorts                     : OpenSSH 2.1.0 and later
+@@ -534,9 +531,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
+     push @cfgarr, "AllowUsers $username";
+ }
+ 
+-push @cfgarr, 'DenyGroups';
+-push @cfgarr, 'AllowGroups';
+-push @cfgarr, '#';
+ push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config";
+ push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config";
+ push @cfgarr, "HostKey $hstprvkeyf_config";
+@@ -684,9 +678,6 @@ push @cfgarr, '#';
+ #***************************************************************************
+ # Options that might be supported or not in sshd OpenSSH 2.9.9 and later
+ #
+-if(sshd_supports_opt('AcceptEnv','')) {
+-    push @cfgarr, 'AcceptEnv';
+-}
+ if(sshd_supports_opt('AddressFamily','any')) {
+     # Address family must be specified before ListenAddress
+     splice @cfgarr, 14, 0, 'AddressFamily any';
+@@ -873,7 +864,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
+ #  RemoteForward                     : OpenSSH 1.2.1 and later [3]
+ #  RhostsRSAAuthentication           : OpenSSH 1.2.1 and later
+ #  RSAAuthentication                 : OpenSSH 1.2.1 and later
+-#  SendEnv                           : OpenSSH 3.9.0 and later
+ #  ServerAliveCountMax               : OpenSSH 3.8.0 and later
+ #  ServerAliveInterval               : OpenSSH 3.8.0 and later
+ #  SmartcardDevice                   : OpenSSH 2.9.9 and later [1][3]
+@@ -1028,10 +1018,6 @@ if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
+     push @cfgarr, 'RekeyLimit 1G';
+ }
+ 
+-if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
+-    push @cfgarr, 'SendEnv';
+-}
+-
+ if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
+    (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
+     push @cfgarr, 'ServerAliveCountMax 3';
+-- 
+2.34.1
+
diff --git a/SOURCES/0016-curl-7.76.1-CVE-2022-32208.patch b/SOURCES/0016-curl-7.76.1-CVE-2022-32208.patch
new file mode 100644
index 0000000..9c2c836
--- /dev/null
+++ b/SOURCES/0016-curl-7.76.1-CVE-2022-32208.patch
@@ -0,0 +1,70 @@
+From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
++  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
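Review bot: With the error path fixed, `memcpy(buf, dec.value, dec.length)` still copies the unwrapped token into `buf` without comparing `dec.length` against `len`, the size the caller passed for that buffer. Unwrapped data is normally no larger than the wrapped input, but that is a property of the GSS-API mechanism rather than something this function checks, so a guard before the copy would make the bound explicit: `if(dec.length > (size_t)len) return -1;`, with `dec` released on that path as well. krb5_decode() begins and ends outside the hunk, so the cleanup after the copy is not visible here.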
+@@ -523,6 +520,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
++  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -531,7 +529,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
++    if(len > CURL_MAX_INPUT_LENGTH)
++      len = 0;
++    else
++      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
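Review bot: `len` is declared `int`, so after `ntohl()` a length with the top bit set is negative and is not caught by `if(len > CURL_MAX_INPUT_LENGTH)` (assuming that macro is a signed constant). It then reaches `Curl_saferealloc(buf->data, len)` as a very large size and is rejected only because the allocation fails. Rejecting it in the same test keeps the bound independent of allocator behaviour: `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)`. The oversized and zero-length cases also both return CURLE_OUT_OF_MEMORY, which reports a malformed peer message as a local memory problem; the CURLE_RECV_ERROR used for decode failures in the next hunk would describe it better. read_data() starts in the previous hunk and ends in the next one.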
+@@ -539,8 +540,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
++  nread = conn->mech->decode(conn->app_data, buf->data, len,
++                             conn->data_prot, conn);
++  if(nread < 0)
++    return CURLE_RECV_ERROR;
++  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }
+-- 
+2.35.3
+
diff --git a/SOURCES/0017-curl-7.76.1-CVE-2022-32206.patch b/SOURCES/0017-curl-7.76.1-CVE-2022-32206.patch
new file mode 100644
index 0000000..43812a1
--- /dev/null
+++ b/SOURCES/0017-curl-7.76.1-CVE-2022-32206.patch
@@ -0,0 +1,143 @@
+From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH 1/2] content_encoding: return error on too many compression
+ steps
+
+The max allowed steps is arbitrarily set to 5.
+
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+
+Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index c03637a..6f994b3 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1024,12 +1024,16 @@ static const struct content_encoding *find_encoding(const char *name,
+   return NULL;
+ }
+ 
++/* allow no more than 5 "chained" compression steps */
++#define MAX_ENCODE_STACK 5
++
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+  * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
++  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1064,6 +1068,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
++      if(++counter >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to %u content encodings",
++              counter);
++        return CURLE_BAD_CONTENT_ENCODING;
++      }
+       /* Stack the unencoding stage. */
+       writer = new_unencoding_writer(data, encoding, k->writer_stack);
+       if(!writer)
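Review bot: The check `if(++counter >= MAX_ENCODE_STACK)` fires on the fifth encoding, so at most four are accepted, while the macro's comment in the previous hunk says "allow no more than 5" and the commit message calls 5 the maximum allowed. test387 later in this series expects the rejection message to report 5, so the code is the reference and the comment should follow it, for example `/* reject the response once 5 "chained" compression steps are reached */`. Separately, `counter` is an `int` but is printed with `%u`; `%d` matches the declared type. Curl_build_unencoding_stack() starts in the previous hunk and continues past this one.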
+-- 
+2.35.3
+
+
+From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:29:07 +0200
+Subject: [PATCH 2/2] test387: verify rejection of compression chain attack
+
+Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  1 +
+ tests/data/test387      | 53 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+ create mode 100644 tests/data/test387
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 98d5516..9b5f4fb 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -62,6 +62,7 @@ test343 test344 test345 test346 test347 test348 test349 test350 test351 \
+ test352 test353 test354 test355 test356 test357 test358 test359 test360 \
+ test361 test362 \
+ \
++test387 \
+ test393 test394 test395 test396 test397 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+diff --git a/tests/data/test387 b/tests/data/test387
+new file mode 100644
+index 0000000..015ec25
+--- /dev/null
++++ b/tests/data/test387
+@@ -0,0 +1,53 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++gzip
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Response with overly long compression chain
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++<errorcode>
++61
++</errorcode>
++<stderr mode="text">
++curl: (61) Reject response due to 5 content encodings
++</stderr>
++</verify>
++</testcase>
+-- 
+2.35.3
+
diff --git a/SOURCES/0019-curl-7.76.1-CVE-2022-32207.patch b/SOURCES/0019-curl-7.76.1-CVE-2022-32207.patch
new file mode 100644
index 0000000..3d858d3
--- /dev/null
+++ b/SOURCES/0019-curl-7.76.1-CVE-2022-32207.patch
@@ -0,0 +1,425 @@
+From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files
+
+Bug: https://curl.se/docs/CVE-2022-32207.html
+CVE-2022-32207
+Reported-by: Harry Sintonen
+Closes #9050
+
+Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ CMakeLists.txt          |   1 +
+ configure.ac            |   1 +
+ lib/Makefile.inc        |   2 +
+ lib/cookie.c            |  17 ++----
+ lib/curl_config.h.cmake |   3 ++
+ lib/fopen.c             | 113 ++++++++++++++++++++++++++++++++++++++++
+ lib/fopen.h             |  30 +++++++++++
+ 7 files changed, 154 insertions(+), 13 deletions(-)
+ create mode 100644 lib/fopen.c
+ create mode 100644 lib/fopen.h
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b77de6d..a0bfaad 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -982,6 +982,7 @@ elseif(HAVE_LIBSOCKET)
+   set(CMAKE_REQUIRED_LIBRARIES socket)
+ endif()
+ 
++check_symbol_exists(fchmod        "${CURL_INCLUDES}" HAVE_FCHMOD)
+ check_symbol_exists(basename      "${CURL_INCLUDES}" HAVE_BASENAME)
+ check_symbol_exists(socket        "${CURL_INCLUDES}" HAVE_SOCKET)
+ check_symbol_exists(select        "${CURL_INCLUDES}" HAVE_SELECT)
+diff --git a/configure.ac b/configure.ac
+index d431870..7433bb9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4516,6 +4516,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+ 
+ 
+ AC_CHECK_FUNCS([fnmatch \
++  fchmod \
+   geteuid \
+   getpass_r \
+   getppid \
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index e8f110f..5139b03 100644
+--- a/lib/Makefile.inc
++++ b/lib/Makefile.inc
+@@ -130,6 +130,7 @@ LIB_CFILES =         \
+   escape.c           \
+   file.c             \
+   fileinfo.c         \
++  fopen.c            \
+   formdata.c         \
+   ftp.c              \
+   ftplistparser.c    \
+@@ -261,6 +262,7 @@ LIB_HFILES =         \
+   escape.h           \
+   file.h             \
+   fileinfo.h         \
++  fopen.h            \
+   formdata.h         \
+   ftp.h              \
+   ftplistparser.h    \
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 8a6aa1a..cb0c03b 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -97,8 +97,8 @@ Example set of cookies:
+ #include "curl_memrchr.h"
+ #include "inet_pton.h"
+ #include "parsedate.h"
+-#include "rand.h"
+ #include "rename.h"
++#include "fopen.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -1537,17 +1537,8 @@ static int cookie_output(struct Curl_easy *data,
+     use_stdout = TRUE;
+   }
+   else {
+-    unsigned char randsuffix[9];
+-
+-    if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-      return 2;
+-
+-    tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+-    if(!tempstore)
+-      return 1;
+-
+-    out = fopen(tempstore, FOPEN_WRITETEXT);
+-    if(!out)
++    error = Curl_fopen(data, filename, &out, &tempstore);
++    if(error)
+       goto error;
+   }
+ 
+@@ -1594,7 +1585,7 @@ static int cookie_output(struct Curl_easy *data,
+   if(!use_stdout) {
+     fclose(out);
+     out = NULL;
+-    if(Curl_rename(tempstore, filename)) {
++    if(tempstore && Curl_rename(tempstore, filename)) {
+       unlink(tempstore);
+       goto error;
+     }
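Review bot: The return value of `fclose(out)` is ignored before the rename, so a write error that only surfaces at flush time (a full disk, for example) still lets `Curl_rename()` replace the existing cookie file with a truncated one. The same pattern appears in the `Curl_altsvc_save()` and `Curl_hsts_save()` hunks of patches 2/3 and 3/3, where a truncated HSTS cache would silently lose entries. In those two, `if(fclose(out) && !result) result = CURLE_WRITE_ERROR;` ahead of the rename check would cover it; here a failed close should take the `goto error` path with the temp file unlinked. The `error:` label and the rest of cookie_output() lie outside the hunk, so what cleanup it already performs needs confirming.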
+diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
+index d2a0f43..c254359 100644
+--- a/lib/curl_config.h.cmake
++++ b/lib/curl_config.h.cmake
+@@ -148,6 +148,9 @@
+ /* Define to 1 if you have the <assert.h> header file. */
+ #cmakedefine HAVE_ASSERT_H 1
+ 
++/* Define to 1 if you have the `fchmod' function. */
++#cmakedefine HAVE_FCHMOD 1
++
+ /* Define to 1 if you have the `basename' function. */
+ #cmakedefine HAVE_BASENAME 1
+ 
+diff --git a/lib/fopen.c b/lib/fopen.c
+new file mode 100644
+index 0000000..ad3691b
+--- /dev/null
++++ b/lib/fopen.c
+@@ -0,0 +1,113 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
++  defined(USE_HSTS)
++
++#ifdef HAVE_FCNTL_H
++#include <fcntl.h>
++#endif
++
++#include "urldata.h"
++#include "rand.h"
++#include "fopen.h"
++/* The last 3 #include files should be in this order */
++#include "curl_printf.h"
++#include "curl_memory.h"
++#include "memdebug.h"
++
++/*
++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
++ * to the final name when completed. If there is an existing file using this
++ * name at the time of the open, this function will clone the mode from that
++ * file.  if 'tempname' is non-NULL, it needs a rename after the file is
++ * written.
++ */
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++                    FILE **fh, char **tempname)
++{
++  CURLcode result = CURLE_WRITE_ERROR;
++  unsigned char randsuffix[9];
++  char *tempstore = NULL;
++  struct_stat sb;
++  int fd = -1;
++  *tempname = NULL;
++
++  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
++    /* a non-regular file, fallback to direct fopen() */
++    *fh = fopen(filename, FOPEN_WRITETEXT);
++    if(*fh)
++      return CURLE_OK;
++    goto fail;
++  }
++
++  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
++  if(result)
++    goto fail;
++
++  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
++  if(!tempstore) {
++    result = CURLE_OUT_OF_MEMORY;
++    goto fail;
++  }
++
++  result = CURLE_WRITE_ERROR;
++  fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
++  if(fd == -1)
++    goto fail;
++
++#ifdef HAVE_FCHMOD
++  {
++    struct_stat nsb;
++    if((fstat(fd, &nsb) != -1) &&
++       (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
++      /* if the user and group are the same, clone the original mode */
++      if(fchmod(fd, sb.st_mode) == -1)
++        goto fail;
++    }
++  }
++#endif
++
++  *fh = fdopen(fd, FOPEN_WRITETEXT);
++  if(!*fh)
++    goto fail;
++
++  *tempname = tempstore;
++  return CURLE_OK;
++
++fail:
++  if(fd != -1) {
++    close(fd);
++    unlink(tempstore);
++  }
++
++  free(tempstore);
++
++  *tempname = NULL;
++  return result;
++}
++
++#endif /* ! disabled */
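Review bot: The first branch of Curl_fopen() is taken when `stat()` fails as well as when the target is not a regular file, but its comment mentions only the latter and says nothing about the resulting permissions. On that path the file is opened by name with plain `fopen()` after the `stat()` check, so a newly created file gets whatever the process umask allows rather than the `0600` used for the temp file, and the object opened need not be the one that was checked. I would reword the comment to `/* stat() failed or not a regular file: open in place; a new file gets umask-derived permissions */` and add to the function header that `*fh` is assigned only on the `fopen()`/`fdopen()` paths, so callers must not read it after other failures. Separately, `fchmod(fd, sb.st_mode)` passes the file-type bits along with the permission bits; masking to the permission bits (e.g. `sb.st_mode & 07777`) would make the intent explicit.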
+diff --git a/lib/fopen.h b/lib/fopen.h
+new file mode 100644
+index 0000000..289e55f
+--- /dev/null
++++ b/lib/fopen.h
+@@ -0,0 +1,30 @@
++#ifndef HEADER_CURL_FOPEN_H
++#define HEADER_CURL_FOPEN_H
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++                    FILE **fh, char **tempname);
++
++#endif
+-- 
+2.35.3
+
+
+From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH 2/3] altsvc: use Curl_fopen()
+
+Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/altsvc.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/lib/altsvc.c b/lib/altsvc.c
+index 242733b..4dc4078 100644
+--- a/lib/altsvc.c
++++ b/lib/altsvc.c
+@@ -34,7 +34,7 @@
+ #include "parsedate.h"
+ #include "sendf.h"
+ #include "warnless.h"
+-#include "rand.h"
++#include "fopen.h"
+ #include "rename.h"
+ 
+ /* The last 3 #include files should be in this order */
+@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
+   struct Curl_llist_element *n;
+   CURLcode result = CURLE_OK;
+   FILE *out;
+-  char *tempstore;
+-  unsigned char randsuffix[9];
++  char *tempstore = NULL;
+ 
+   if(!altsvc)
+     /* no cache activated */
+@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
+     /* marked as read-only, no file or zero length file name */
+     return CURLE_OK;
+ 
+-  if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-    return CURLE_FAILED_INIT;
+-
+-  tempstore = aprintf("%s.%s.tmp", file, randsuffix);
+-  if(!tempstore)
+-    return CURLE_OUT_OF_MEMORY;
+-
+-  out = fopen(tempstore, FOPEN_WRITETEXT);
+-  if(!out)
+-    result = CURLE_WRITE_ERROR;
+-  else {
++  result = Curl_fopen(data, file, &out, &tempstore);
++  if(!result) {
+     fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n"
+           "# This file was generated by libcurl! Edit at your own risk.\n",
+           out);
+@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
+         break;
+     }
+     fclose(out);
+-    if(!result && Curl_rename(tempstore, file))
++    if(!result && tempstore && Curl_rename(tempstore, file))
+       result = CURLE_WRITE_ERROR;
+ 
+-    if(result)
++    if(result && tempstore)
+       unlink(tempstore);
+   }
+   free(tempstore);
+-- 
+2.35.3
+
+
+From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:54 +0200
+Subject: [PATCH 3/3] hsts: use Curl_fopen()
+
+Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/hsts.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index b9fa6f7..9d54c82 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -35,7 +35,7 @@
+ #include "sendf.h"
+ #include "strtoofft.h"
+ #include "parsedate.h"
+-#include "rand.h"
++#include "fopen.h"
+ #include "rename.h"
+ 
+ /* The last 3 #include files should be in this order */
+@@ -316,8 +316,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
+   struct Curl_llist_element *n;
+   CURLcode result = CURLE_OK;
+   FILE *out;
+-  char *tempstore;
+-  unsigned char randsuffix[9];
++  char *tempstore = NULL;
+ 
+   if(!h)
+     /* no cache activated */
+@@ -331,17 +330,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
+     /* marked as read-only, no file or zero length file name */
+     goto skipsave;
+ 
+-  if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-    return CURLE_FAILED_INIT;
+-
+-  tempstore = aprintf("%s.%s.tmp", file, randsuffix);
+-  if(!tempstore)
+-    return CURLE_OUT_OF_MEMORY;
+-
+-  out = fopen(tempstore, FOPEN_WRITETEXT);
+-  if(!out)
+-    result = CURLE_WRITE_ERROR;
+-  else {
++  result = Curl_fopen(data, file, &out, &tempstore);
++  if(!result) {
+     fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n"
+           "# This file was generated by libcurl! Edit at your own risk.\n",
+           out);
+@@ -353,10 +343,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
+         break;
+     }
+     fclose(out);
+-    if(!result && Curl_rename(tempstore, file))
++    if(!result && tempstore && Curl_rename(tempstore, file))
+       result = CURLE_WRITE_ERROR;
+ 
+-    if(result)
++    if(result && tempstore)
+       unlink(tempstore);
+   }
+   free(tempstore);
+-- 
+2.35.3
+
diff --git a/SOURCES/0020-curl-7.76.1-openldap-rebase.patch b/SOURCES/0020-curl-7.76.1-openldap-rebase.patch
new file mode 100644
index 0000000..65870b5
--- /dev/null
+++ b/SOURCES/0020-curl-7.76.1-openldap-rebase.patch
@@ -0,0 +1,186 @@
+From c2acc48854be9f8590e57a7b44b649fb8537bed4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 May 2021 16:14:13 +0200
+Subject: [PATCH] openldap: replace ldap_ prefix on private functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
+least) there's a symbol collision because of that.
+
+The private functions now use the 'oldap_' prefix where it previously
+used 'ldap_'.
+
+Reported-by: 3eka on github
+Fixes #7004
+Closes #7005
+
+Upstream-commit: 8bdde6b14ce3b5fd71c772a578fcbd4b6fa6df19
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/openldap.c | 67 +++++++++++++++++++++++++-------------------------
+ 1 file changed, 34 insertions(+), 33 deletions(-)
+
+diff --git a/lib/openldap.c b/lib/openldap.c
+index b515554..5a32c74 100644
+--- a/lib/openldap.c
++++ b/lib/openldap.c
+@@ -76,16 +76,16 @@ extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url,
+                         LDAP **ld);
+ #endif
+ 
+-static CURLcode ldap_setup_connection(struct Curl_easy *data,
+-                                      struct connectdata *conn);
+-static CURLcode ldap_do(struct Curl_easy *data, bool *done);
+-static CURLcode ldap_done(struct Curl_easy *data, CURLcode, bool);
+-static CURLcode ldap_connect(struct Curl_easy *data, bool *done);
+-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done);
+-static CURLcode ldap_disconnect(struct Curl_easy *data,
+-                                struct connectdata *conn, bool dead);
++static CURLcode oldap_setup_connection(struct Curl_easy *data,
++                                       struct connectdata *conn);
++static CURLcode oldap_do(struct Curl_easy *data, bool *done);
++static CURLcode oldap_done(struct Curl_easy *data, CURLcode, bool);
++static CURLcode oldap_connect(struct Curl_easy *data, bool *done);
++static CURLcode oldap_connecting(struct Curl_easy *data, bool *done);
++static CURLcode oldap_disconnect(struct Curl_easy *data,
++                                 struct connectdata *conn, bool dead);
+ 
+-static Curl_recv ldap_recv;
++static Curl_recv oldap_recv;
+ 
+ /*
+  * LDAP protocol handler.
+@@ -93,18 +93,18 @@ static Curl_recv ldap_recv;
+ 
+ const struct Curl_handler Curl_handler_ldap = {
+   "LDAP",                               /* scheme */
+-  ldap_setup_connection,                /* setup_connection */
+-  ldap_do,                              /* do_it */
+-  ldap_done,                            /* done */
++  oldap_setup_connection,               /* setup_connection */
++  oldap_do,                             /* do_it */
++  oldap_done,                           /* done */
+   ZERO_NULL,                            /* do_more */
+-  ldap_connect,                         /* connect_it */
+-  ldap_connecting,                      /* connecting */
++  oldap_connect,                        /* connect_it */
++  oldap_connecting,                     /* connecting */
+   ZERO_NULL,                            /* doing */
+   ZERO_NULL,                            /* proto_getsock */
+   ZERO_NULL,                            /* doing_getsock */
+   ZERO_NULL,                            /* domore_getsock */
+   ZERO_NULL,                            /* perform_getsock */
+-  ldap_disconnect,                      /* disconnect */
++  oldap_disconnect,                     /* disconnect */
+   ZERO_NULL,                            /* readwrite */
+   ZERO_NULL,                            /* connection_check */
+   ZERO_NULL,                            /* attach connection */
+@@ -121,18 +121,18 @@ const struct Curl_handler Curl_handler_ldap = {
+ 
+ const struct Curl_handler Curl_handler_ldaps = {
+   "LDAPS",                              /* scheme */
+-  ldap_setup_connection,                /* setup_connection */
+-  ldap_do,                              /* do_it */
+-  ldap_done,                            /* done */
++  oldap_setup_connection,               /* setup_connection */
++  oldap_do,                             /* do_it */
++  oldap_done,                           /* done */
+   ZERO_NULL,                            /* do_more */
+-  ldap_connect,                         /* connect_it */
+-  ldap_connecting,                      /* connecting */
++  oldap_connect,                        /* connect_it */
++  oldap_connecting,                     /* connecting */
+   ZERO_NULL,                            /* doing */
+   ZERO_NULL,                            /* proto_getsock */
+   ZERO_NULL,                            /* doing_getsock */
+   ZERO_NULL,                            /* domore_getsock */
+   ZERO_NULL,                            /* perform_getsock */
+-  ldap_disconnect,                      /* disconnect */
++  oldap_disconnect,                     /* disconnect */
+   ZERO_NULL,                            /* readwrite */
+   ZERO_NULL,                            /* connection_check */
+   ZERO_NULL,                            /* attach connection */
+@@ -173,8 +173,8 @@ struct ldapreqinfo {
+   int nument;
+ };
+ 
+-static CURLcode ldap_setup_connection(struct Curl_easy *data,
+-                                      struct connectdata *conn)
++static CURLcode oldap_setup_connection(struct Curl_easy *data,
++                                       struct connectdata *conn)
+ {
+   struct ldapconninfo *li;
+   LDAPURLDesc *lud;
+@@ -209,7 +209,7 @@ static CURLcode ldap_setup_connection(struct Curl_easy *data,
+ static Sockbuf_IO ldapsb_tls;
+ #endif
+ 
+-static CURLcode ldap_connect(struct Curl_easy *data, bool *done)
++static CURLcode oldap_connect(struct Curl_easy *data, bool *done)
+ {
+   struct connectdata *conn = data->conn;
+   struct ldapconninfo *li = conn->proto.ldapc;
+@@ -257,7 +257,7 @@ static CURLcode ldap_connect(struct Curl_easy *data, bool *done)
+   return CURLE_OK;
+ }
+ 
+-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done)
++static CURLcode oldap_connecting(struct Curl_easy *data, bool *done)
+ {
+   struct connectdata *conn = data->conn;
+   struct ldapconninfo *li = conn->proto.ldapc;
+@@ -356,14 +356,15 @@ static CURLcode ldap_connecting(struct Curl_easy *data, bool *done)
+ 
+   if(info)
+     ldap_memfree(info);
+-  conn->recv[FIRSTSOCKET] = ldap_recv;
++  conn->recv[FIRSTSOCKET] = oldap_recv;
+   *done = TRUE;
+ 
+   return CURLE_OK;
+ }
+ 
+-static CURLcode ldap_disconnect(struct Curl_easy *data,
+-                                struct connectdata *conn, bool dead_connection)
++static CURLcode oldap_disconnect(struct Curl_easy *data,
++                                 struct connectdata *conn,
++                                 bool dead_connection)
+ {
+   struct ldapconninfo *li = conn->proto.ldapc;
+   (void) dead_connection;
+@@ -384,7 +385,7 @@ static CURLcode ldap_disconnect(struct Curl_easy *data,
+   return CURLE_OK;
+ }
+ 
+-static CURLcode ldap_do(struct Curl_easy *data, bool *done)
++static CURLcode oldap_do(struct Curl_easy *data, bool *done)
+ {
+   struct connectdata *conn = data->conn;
+   struct ldapconninfo *li = conn->proto.ldapc;
+@@ -429,8 +430,8 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+   return CURLE_OK;
+ }
+ 
+-static CURLcode ldap_done(struct Curl_easy *data, CURLcode res,
+-                          bool premature)
++static CURLcode oldap_done(struct Curl_easy *data, CURLcode res,
++                           bool premature)
+ {
+   struct connectdata *conn = data->conn;
+   struct ldapreqinfo *lr = data->req.p.ldap;
+@@ -452,8 +453,8 @@ static CURLcode ldap_done(struct Curl_easy *data, CURLcode res,
+   return CURLE_OK;
+ }
+ 
+-static ssize_t ldap_recv(struct Curl_easy *data, int sockindex, char *buf,
+-                         size_t len, CURLcode *err)
++static ssize_t oldap_recv(struct Curl_easy *data, int sockindex, char *buf,
++                          size_t len, CURLcode *err)
+ {
+   struct connectdata *conn = data->conn;
+   struct ldapconninfo *li = conn->proto.ldapc;
+-- 
+2.35.3
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index ac83f47..3660f44 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 14%{?dist}
+Release: 19%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
 
@@ -32,6 +32,36 @@ Patch8:   0008-curl-7.76.1-CVE-2021-22946.patch
 # fix STARTTLS protocol injection via MITM (CVE-2021-22947)
 Patch9:   0009-curl-7.76.1-CVE-2021-22947.patch
 
+# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
+Patch10:  0010-curl-7.76.1-CVE-2022-22576.patch
+
+# fix bad local IPv6 connection reuse (CVE-2022-27775)
+Patch11:  0011-curl-7.76.1-CVE-2022-27775.patch
+
+# fix auth/cookie leak on redirect (CVE-2022-27776)
+Patch12:  0012-curl-7.76.1-CVE-2022-27776.patch
+
+# fix credential leak on redirect (CVE-2022-27774)
+Patch13:  0013-curl-7.76.1-CVE-2022-27774.patch
+
+# fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
+Patch14:  0014-curl-7.76.1-CVE-2022-27782.patch
+
+# make upstream tests work with openssh-8.7p1
+Patch15:  0015-curl-7.76.1-tests-openssh.patch
+
+# fix FTP-KRB bad message verification (CVE-2022-32208)
+Patch16:  0016-curl-7.76.1-CVE-2022-32208.patch
+
+# fix HTTP compression denial of service (CVE-2022-32206)
+Patch17:  0017-curl-7.76.1-CVE-2022-32206.patch
+
+# fix unpreserved file permissions (CVE-2022-32207)
+Patch19:  0019-curl-7.76.1-CVE-2022-32207.patch
+
+# fix build failure caused by openldap rebase (#2094159)
+Patch20:  0020-curl-7.76.1-openldap-rebase.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -216,6 +246,16 @@ be installed.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch19 -p1
+%patch20 -p1
 
 # Fedora patches
 %patch101 -p1
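Review bot: The applied-patch list jumps from `%patch17` to `%patch19`, matching the `Patch17`/`Patch19` declarations in the previous hunk, and nothing in the spec says why 18 is absent. For anyone auditing which CVE fixes this build carries, an unexplained gap is indistinguishable from a patch that was dropped by mistake. If the gap is intentional, a one-line comment next to the declarations such as `# Patch18: intentionally unused (reason)` would make that verifiable.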
@@ -436,6 +476,26 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-19
+- fix unpreserved file permissions (CVE-2022-32207)
+- fix HTTP compression denial of service (CVE-2022-32206)
+- fix FTP-KRB bad message verification (CVE-2022-32208)
+
+* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-18
+- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
+
+* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-17
+- fix leak of SRP credentials in redirects (CVE-2022-27774)
+
+* Fri Apr 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-16
+- add missing tests to Makefile
+
+* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-15
+- fix credential leak on redirect (CVE-2022-27774)
+- fix auth/cookie leak on redirect (CVE-2022-27776)
+- fix bad local IPv6 connection reuse (CVE-2022-27775)
+- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
+
 * Tue Oct 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14
 - re-disable HSTS in libcurl as an experimental feature (#2005874)