diff --git a/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch b/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch
new file mode 100644
index 0000000..990d32f
--- /dev/null
+++ b/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch
@@ -0,0 +1,662 @@
+From 74ba80e293eb2521d28916b24c3be59b3baf688a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 18 Feb 2021 10:13:56 +0100
+Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names
+
+It doesn't provide any useful info but only makes the names longer.
+
+Closes #6624
+
+Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c | 32 ++++++++++++++++----------------
+ lib/url.c | 32 ++++++++++++++++----------------
+ lib/urldata.h | 28 ++++++++++++++--------------
+ lib/vtls/cyassl.c | 2 +-
+ lib/vtls/darwinssl.c | 4 ++--
+ lib/vtls/gskit.c | 2 +-
+ lib/vtls/gtls.c | 2 +-
+ lib/vtls/mbedtls.c | 2 +-
+ lib/vtls/nss.c | 2 +-
+ lib/vtls/openssl.c | 2 +-
+ lib/vtls/polarssl.c | 2 +-
+ lib/vtls/schannel.c | 2 +-
+ 12 files changed, 56 insertions(+), 56 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 4f04962..b07ccfe 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -133,7 +133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ break;
+ case CURLOPT_SSL_CIPHER_LIST:
+ /* set a list of cipher we want to use in the SSL connection */
+- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_PROXY_SSL_CIPHER_LIST:
+@@ -145,7 +145,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ case CURLOPT_TLS13_CIPHERS:
+ if(Curl_ssl_tls13_ciphersuites()) {
+ /* set preferred list of TLS 1.3 cipher suites */
+- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST],
+ va_arg(param, char *));
+ }
+ else
+@@ -1532,7 +1532,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ /*
+ * String that holds file name of the SSL certificate to use
+ */
+- result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_CERT],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_PROXY_SSLCERT:
+@@ -1546,7 +1546,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ /*
+ * String that holds file type of the SSL certificate to use
+ */
+- result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_PROXY_SSLCERTTYPE:
+@@ -1560,7 +1560,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ /*
+ * String that holds file name of the SSL key to use
+ */
+- result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_KEY],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_PROXY_SSLKEY:
+@@ -1574,7 +1574,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ /*
+ * String that holds file type of the SSL key to use
+ */
+- result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_PROXY_SSLKEYTYPE:
+@@ -1588,7 +1588,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ /*
+ * String that holds the SSL or SSH private key password.
+ */
+- result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_PROXY_KEYPASSWD:
+@@ -1815,7 +1815,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ */
+ #ifdef USE_SSL
+ if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY)
+- result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],
+ va_arg(param, char *));
+ else
+ #endif
+@@ -1838,7 +1838,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ /*
+ * Set CA info for SSL connection. Specify file name of the CA certificate
+ */
+- result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_PROXY_CAINFO:
+@@ -1857,7 +1857,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ #ifdef USE_SSL
+ if(Curl_ssl->supports & SSLSUPP_CA_PATH)
+ /* This does not work on windows. */
+- result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH],
+ va_arg(param, char *));
+ else
+ #endif
+@@ -1882,7 +1882,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ * Set CRL file info for SSL connection. Specify file name of the CRL
+ * to check certificates revocation
+ */
+- result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_PROXY_CRLFILE:
+@@ -1898,7 +1898,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ * Set Issuer certificate file
+ * to check certificates issuer
+ */
+- result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT],
+ va_arg(param, char *));
+ break;
+ case CURLOPT_TELNETOPTIONS:
+@@ -2449,9 +2449,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ break;
+ #ifdef USE_TLS_SRP
+ case CURLOPT_TLSAUTH_USERNAME:
+- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
+ va_arg(param, char *));
+- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
++ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+ data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ break;
+ case CURLOPT_PROXY_TLSAUTH_USERNAME:
+@@ -2462,9 +2462,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ break;
+ case CURLOPT_TLSAUTH_PASSWORD:
+- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
++ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
+ va_arg(param, char *));
+- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
++ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+ data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ break;
+ case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+diff --git a/lib/url.c b/lib/url.c
+index bb9d107..a6bc012 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -496,7 +496,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+ */
+ if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
+ #if defined(CURL_CA_BUNDLE)
+- result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
++ result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE);
+ if(result)
+ return result;
+
+@@ -506,7 +506,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+ return result;
+ #endif
+ #if defined(CURL_CA_PATH)
+- result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH);
++ result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH);
+ if(result)
+ return result;
+
+@@ -4333,9 +4333,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+ that will be freed as part of the Curl_easy struct, but all cloned
+ copies will be separately allocated.
+ */
+- data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG];
++ data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
+ data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+- data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
++ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
+ data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
+ data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.proxy_ssl.primary.random_file =
+@@ -4343,34 +4343,34 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+ data->set.proxy_ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+ data->set.ssl.primary.cipher_list =
+- data->set.str[STRING_SSL_CIPHER_LIST_ORIG];
++ data->set.str[STRING_SSL_CIPHER_LIST];
+ data->set.proxy_ssl.primary.cipher_list =
+ data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
+ data->set.ssl.primary.cipher_list13 =
+- data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
++ data->set.str[STRING_SSL_CIPHER13_LIST];
+ data->set.proxy_ssl.primary.cipher_list13 =
+ data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
+
+- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
++ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+ data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
++ data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+ data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+- data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
++ data->set.ssl.cert = data->set.str[STRING_CERT];
+ data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+- data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
++ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+ data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+- data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
++ data->set.ssl.key = data->set.str[STRING_KEY];
+ data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+- data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
++ data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
+ data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
+- data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG];
++ data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
+ data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
+- data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
++ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
+ data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
+ #ifdef USE_TLS_SRP
+- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
++ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+ data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
++ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index c70290a..1f8f364 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1366,9 +1366,9 @@ struct DynamicStatic {
+ struct Curl_multi; /* declared and used only in multi.c */
+
+ enum dupstring {
+- STRING_CERT_ORIG, /* client certificate file name */
++ STRING_CERT, /* client certificate file name */
+ STRING_CERT_PROXY, /* client certificate file name */
+- STRING_CERT_TYPE_ORIG, /* format for certificate (default: PEM)*/
++ STRING_CERT_TYPE, /* format for certificate (default: PEM)*/
+ STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/
+ STRING_COOKIE, /* HTTP cookie string to send */
+ STRING_COOKIEJAR, /* dump all cookies to this file */
+@@ -1379,11 +1379,11 @@ enum dupstring {
+ STRING_FTP_ACCOUNT, /* ftp account data */
+ STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */
+ STRING_FTPPORT, /* port to send with the FTP PORT command */
+- STRING_KEY_ORIG, /* private key file name */
++ STRING_KEY, /* private key file name */
+ STRING_KEY_PROXY, /* private key file name */
+- STRING_KEY_PASSWD_ORIG, /* plain text private key password */
++ STRING_KEY_PASSWD, /* plain text private key password */
+ STRING_KEY_PASSWD_PROXY, /* plain text private key password */
+- STRING_KEY_TYPE_ORIG, /* format for private key (default: PEM) */
++ STRING_KEY_TYPE, /* format for private key (default: PEM) */
+ STRING_KEY_TYPE_PROXY, /* format for private key (default: PEM) */
+ STRING_KRB_LEVEL, /* krb security level */
+ STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find
+@@ -1393,22 +1393,22 @@ enum dupstring {
+ STRING_SET_RANGE, /* range, if used */
+ STRING_SET_REFERER, /* custom string for the HTTP referer field */
+ STRING_SET_URL, /* what original URL to work on */
+- STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */
++ STRING_SSL_CAPATH, /* CA directory name (doesn't work on windows) */
+ STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */
+- STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */
++ STRING_SSL_CAFILE, /* certificate file to verify peer against */
+ STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */
+- STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */
++ STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */
+ STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
+- STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
++ STRING_SSL_CIPHER_LIST, /* list of ciphers to use */
+ STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
+- STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
++ STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */
+ STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
+ STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
+ STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
+ STRING_USERAGENT, /* User-Agent string */
+- STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */
++ STRING_SSL_CRLFILE, /* crl file to check certificate */
+ STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */
+- STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */
++ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */
+ STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */
+ STRING_SSL_ENGINE, /* name of ssl engine */
+ STRING_USERNAME, /* <username>, if used */
+@@ -1433,9 +1433,9 @@ enum dupstring {
+ STRING_MAIL_AUTH,
+
+ #ifdef USE_TLS_SRP
+- STRING_TLSAUTH_USERNAME_ORIG, /* TLS auth <username> */
++ STRING_TLSAUTH_USERNAME, /* TLS auth <username> */
+ STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth <username> */
+- STRING_TLSAUTH_PASSWORD_ORIG, /* TLS auth <password> */
++ STRING_TLSAUTH_PASSWORD, /* TLS auth <password> */
+ STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth <password> */
+ #endif
+ STRING_BEARER, /* <bearer>, if used */
+diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
+index e10398a..ffd116d 100644
+--- a/lib/vtls/cyassl.c
++++ b/lib/vtls/cyassl.c
+@@ -474,7 +474,7 @@ cyassl_connect_step2(struct connectdata *conn,
+ conn->http_proxy.host.dispname : conn->host.dispname;
+ const char * const pinnedpubkey = SSL_IS_PROXY() ?
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+
+ conn->recv[sockindex] = cyassl_recv;
+ conn->send[sockindex] = cyassl_send;
+diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
+index 1aea0dc..572e8bf 100644
+--- a/lib/vtls/darwinssl.c
++++ b/lib/vtls/darwinssl.c
+@@ -2449,9 +2449,9 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
+ connssl->connecting_state = ssl_connect_3;
+
+ #ifdef DARWIN_SSL_PINNEDPUBKEY
+- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) {
++ if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
+ CURLcode result = pkp_pin_peer_pubkey(data, BACKEND->ssl_ctx,
+- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]);
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
+ if(result) {
+ failf(data, "SSL: public key does not match pinned public key!");
+ return result;
+diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
+index a0b4960..b4c7b8a 100644
+--- a/lib/vtls/gskit.c
++++ b/lib/vtls/gskit.c
+@@ -1136,7 +1136,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
+
+ /* Check pinned public key. */
+ ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ if(!result && ptr) {
+ curl_X509certificate x509;
+ curl_asn1Element *p;
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 207b0fd..c5eb948 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -1329,7 +1329,7 @@ gtls_connect_step3(struct connectdata *conn,
+ }
+
+ ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ if(ptr) {
+ result = pkp_pin_peer_pubkey(data, x509_cert, ptr);
+ if(result != CURLE_OK) {
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index d7759dc..48010ae 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -540,7 +540,7 @@ mbed_connect_step2(struct connectdata *conn,
+ const mbedtls_x509_crt *peercert;
+ const char * const pinnedpubkey = SSL_IS_PROXY() ?
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+
+ #ifdef HAS_ALPN
+ const char *next_protocol;
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 89f8183..366bf9e 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2067,7 +2067,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+ &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
+ const char * const pinnedpubkey = SSL_IS_PROXY() ?
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+
+
+ /* check timeout situation */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 35cd652..8c97c1d 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3388,7 +3388,7 @@ static CURLcode servercert(struct connectdata *conn,
+ result = CURLE_OK;
+
+ ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ if(!result && ptr) {
+ result = pkp_pin_peer_pubkey(data, BACKEND->server_cert, ptr);
+ if(result)
+diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
+index 604cb4c..f284ad1 100644
+--- a/lib/vtls/polarssl.c
++++ b/lib/vtls/polarssl.c
+@@ -459,7 +459,7 @@ polarssl_connect_step2(struct connectdata *conn,
+ char buffer[1024];
+ const char * const pinnedpubkey = SSL_IS_PROXY() ?
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+
+
+ char errorbuf[128];
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 8f6c301..95c060b 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -1060,7 +1060,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
+
+ pubkey_ptr = SSL_IS_PROXY() ?
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ if(pubkey_ptr) {
+ result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);
+ if(result) {
+--
+2.31.1
+
+
+From 040fa4f60f9b809972d51184dfa4980ba44d8b6b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 19 Jun 2021 00:42:28 +0200
+Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and
+ case sensitivity
+
+CVE-2021-22924
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+
+Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 5 +++--
+ lib/urldata.h | 2 +-
+ lib/vtls/gtls.c | 10 +++++-----
+ lib/vtls/nss.c | 4 ++--
+ lib/vtls/openssl.c | 12 ++++++------
+ lib/vtls/vtls.c | 21 ++++++++++++++++-----
+ 6 files changed, 33 insertions(+), 21 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index a6bc012..4803653 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -4337,6 +4337,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
+ data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
++ data->set.proxy_ssl.primary.issuercert =
++ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.proxy_ssl.primary.random_file =
+ data->set.str[STRING_SSL_RANDOM_FILE];
+@@ -4353,8 +4356,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+
+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+ data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.ssl.cert = data->set.str[STRING_CERT];
+ data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 1f8f364..72a36fb 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -223,6 +223,7 @@ struct ssl_primary_config {
+ bool sessionid; /* cache session IDs or not */
+ char *CApath; /* certificate dir (doesn't work on windows) */
+ char *CAfile; /* certificate to verify peer against */
++ char *issuercert; /* optional issuer certificate filename */
+ char *clientcert;
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+@@ -238,7 +239,6 @@ struct ssl_config_data {
+ bool no_partialchain; /* don't accept partial certificate chains */
+ long certverifyresult; /* result from the certificate verification */
+ char *CRLfile; /* CRL to check certificate revocation */
+- char *issuercert;/* optional issuer certificate filename */
+ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+ void *fsslctxp; /* parameter for call back */
+ bool certinfo; /* gather lots of certificate info */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index c5eb948..0cb59c8 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -1002,7 +1002,7 @@ gtls_connect_step3(struct connectdata *conn,
+ if(!chainp) {
+ if(SSL_CONN_CONFIG(verifypeer) ||
+ SSL_CONN_CONFIG(verifyhost) ||
+- SSL_SET_OPTION(issuercert)) {
++ SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_TLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(username) != NULL
+@@ -1184,21 +1184,21 @@ gtls_connect_step3(struct connectdata *conn,
+ gnutls_x509_crt_t format */
+ gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ gnutls_x509_crt_init(&x509_issuer);
+- issuerp = load_file(SSL_SET_OPTION(issuercert));
++ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+ gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+ rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+ gnutls_x509_crt_deinit(x509_issuer);
+ unload_file(issuerp);
+ if(rc <= 0) {
+ failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ gnutls_x509_crt_deinit(x509_cert);
+ return CURLE_SSL_ISSUER_ERROR;
+ }
+ infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ }
+
+ size = sizeof(certbuf);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 366bf9e..2d9581d 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2095,9 +2095,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+ if(result)
+ goto error;
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ SECStatus ret = SECFailure;
+- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+ if(nickname) {
+ /* we support only nicknames in case of issuercert for now */
+ ret = check_issuer_cert(BACKEND->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 8c97c1d..28eaa6d 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3311,11 +3311,11 @@ static CURLcode servercert(struct connectdata *conn,
+ deallocating the certificate. */
+
+ /* e.g. match issuer name with provided issuer certificate */
+- if(SSL_SET_OPTION(issuercert)) {
+- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
++ if(SSL_CONN_CONFIG(issuercert)) {
++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+ if(strict)
+ failf(data, "SSL: Unable to open issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(BACKEND->server_cert);
+ BACKEND->server_cert = NULL;
+@@ -3326,7 +3326,7 @@ static CURLcode servercert(struct connectdata *conn,
+ if(!issuer) {
+ if(strict)
+ failf(data, "SSL: Unable to read issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(BACKEND->server_cert);
+@@ -3337,7 +3337,7 @@ static CURLcode servercert(struct connectdata *conn,
+ if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
+ if(strict)
+ failf(data, "SSL: Certificate issuer check failed (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(BACKEND->server_cert);
+@@ -3346,7 +3346,7 @@ static CURLcode servercert(struct connectdata *conn,
+ }
+
+ infof(data, " SSL certificate issuer check ok (%s)\n",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ X509_free(issuer);
+ }
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index b61c640..18672a5 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -82,6 +82,15 @@
+ else \
+ dest->var = NULL;
+
++static bool safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ else if(!a && !b)
++ return TRUE; /* match */
++ return FALSE; /* no match */
++}
++
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ struct ssl_primary_config* needle)
+@@ -91,11 +100,11 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ (data->verifystatus == needle->verifystatus) &&
+- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
++ safecmp(data->CApath, needle->CApath) &&
++ safecmp(data->CAfile, needle->CAfile) &&
++ safecmp(data->clientcert, needle->clientcert) &&
++ safecmp(data->random_file, needle->random_file) &&
++ safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
+ return TRUE;
+@@ -116,6 +125,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+
+ CLONE_STRING(CApath);
+ CLONE_STRING(CAfile);
++ CLONE_STRING(issuercert);
+ CLONE_STRING(clientcert);
+ CLONE_STRING(random_file);
+ CLONE_STRING(egdsocket);
+@@ -129,6 +139,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
+ {
+ Curl_safefree(sslc->CApath);
+ Curl_safefree(sslc->CAfile);
++ Curl_safefree(sslc->issuercert);
+ Curl_safefree(sslc->clientcert);
+ Curl_safefree(sslc->random_file);
+ Curl_safefree(sslc->egdsocket);
+--
+2.31.1
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 8f28ad1..b29023a 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.61.1
-Release: 18%{?dist}
+Release: 18%{?dist}.1
License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@@ -79,6 +79,9 @@ Patch27: 0027-curl-7.61.1-CVE-2020-8286.patch
# http: send payload when (proxy) authentication is done (#1918692)
Patch28: 0028-curl-7.61.1-http-auth-payload.patch
+# fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
+Patch31: 0031-curl-7.61.1-CVE-2021-22924.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@@ -104,7 +107,6 @@ BuildRequires: gcc
BuildRequires: groff
BuildRequires: krb5-devel
BuildRequires: libidn2-devel
-BuildRequires: libmetalink-devel
BuildRequires: libnghttp2-devel
BuildRequires: libpsl-devel
BuildRequires: libssh-devel
@@ -278,6 +280,7 @@ sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448
%patch26 -p1
%patch27 -p1
%patch28 -p1
+%patch31 -p1
# make tests/*.py use Python 3
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -314,6 +317,7 @@ export common_configure_opts=" \
--enable-symbol-hiding \
--enable-ipv6 \
--enable-threaded-resolver \
+ --without-libmetalink \
--with-gssapi \
--with-nghttp2 \
--with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
@@ -329,7 +333,6 @@ export common_configure_opts=" \
--disable-manual \
--without-brotli \
--without-libidn2 \
- --without-libmetalink \
--without-libpsl \
--without-libssh
)
@@ -343,7 +346,6 @@ export common_configure_opts=" \
--enable-manual \
--with-brotli \
--with-libidn2 \
- --with-libmetalink \
--with-libpsl \
--with-libssh
)
@@ -441,6 +443,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
+* Thu Aug 05 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18.el8_4.1
+- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
+- disable metalink support to fix the following vulnerabilities
+ CVE-2021-22923 - metalink download sends credentials
+ CVE-2021-22922 - wrong content via metalink not discarded
+
* Thu Jan 28 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18
- http: send payload when (proxy) authentication is done (#1918692)
- curl: Inferior OCSP verification (CVE-2020-8286)