diff --git a/SOURCES/0020-curl-7.61.1-openssl-engines.patch b/SOURCES/0020-curl-7.61.1-openssl-engines.patch
new file mode 100644
index 0000000..d8c5579
--- /dev/null
+++ b/SOURCES/0020-curl-7.61.1-openssl-engines.patch
@@ -0,0 +1,33 @@
+From 032843be4cefcb163d15573d15a228680e771106 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 24 Sep 2018 08:26:58 +0200
+Subject: [PATCH] openssl: load built-in engines too
+
+Regression since 38203f1
+
+Reported-by: Jean Fabrice
+Fixes #3023
+Closes #3040
+
+Upstream-commit: e2dd435d473cdc97785df95d032276fafb4b7746
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 78970d1..d8bcc4f 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -979,7 +979,7 @@ static int Curl_ossl_init(void)
+ 
+   OPENSSL_load_builtin_modules();
+ 
+-#ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
++#ifdef USE_OPENSSL_ENGINE
+   ENGINE_load_builtin_engines();
+ #endif
+ 
+-- 
+2.25.4
+
diff --git a/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch b/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
new file mode 100644
index 0000000..388e0c4
--- /dev/null
+++ b/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
@@ -0,0 +1,59 @@
+From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 May 2020 23:09:59 +0200
+Subject: [PATCH] tool_getparam: -i is not OK if -J is used
+
+Reported-by: sn on hackerone
+Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
+
+Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_cb_hdr.c   | 13 ++++---------
+ src/tool_getparam.c |  5 +++++
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index 3b10238..b80707f 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -132,16 +132,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+       filename = parse_filename(p, len);
+       if(filename) {
+         if(outs->stream) {
+-          /* already opened and possibly written to */
+-          if(outs->fopened)
+-            fclose(outs->stream);
+-          outs->stream = NULL;
+-
+-          /* rename the initial file name to the new file name */
+-          rename(outs->filename, filename);
+-          if(outs->alloc_filename)
+-            free(outs->filename);
++          /* indication of problem, get out! */
++          free(filename);
++          return failure;
+         }
++
+         outs->is_cd_filename = TRUE;
+         outs->s_isreg = TRUE;
+         outs->fopened = FALSE;
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 764caa2..c5c7429 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -1745,6 +1745,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+       }
+       break;
+     case 'i':
++      if(config->content_disposition) {
++        warnf(global,
++              "--include and --remote-header-name cannot be combined.\n");
++        return PARAM_BAD_USE;
++      }
+       config->show_headers = toggle; /* show the headers as well in the
+                                         general output stream */
+       break;
+-- 
+2.21.3
+
diff --git a/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch b/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
new file mode 100644
index 0000000..6d0c10c
--- /dev/null
+++ b/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
@@ -0,0 +1,143 @@
+From 7a26092a9e21f1e0dc3cad69a580a7e2c7822ad0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 16 Aug 2020 11:34:35 +0200
+Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+Closes #5824
+
+Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/connect.c | 19 ++++++++++---------
+ lib/easy.c    |  3 +--
+ lib/multi.c   |  5 +++--
+ lib/url.c     |  2 +-
+ lib/urldata.h |  2 +-
+ 5 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 41f2202..f724646 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1214,15 +1214,15 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
+ }
+ 
+ struct connfind {
+-  struct connectdata *tofind;
+-  bool found;
++  long id_tofind;
++  struct connectdata *found;
+ };
+ 
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+   struct connfind *f = (struct connfind *)param;
+-  if(conn == f->tofind) {
+-    f->found = TRUE;
++  if(conn->connection_id == f->id_tofind) {
++    f->found = conn;
+     return 1;
+   }
+   return 0;
+@@ -1244,21 +1244,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+    * - that is associated with a multi handle, and whose connection
+    *   was detached with CURLOPT_CONNECT_ONLY
+    */
+-  if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+-    struct connectdata *c = data->state.lastconnect;
++  if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++    struct connectdata *c;
+     struct connfind find;
+-    find.tofind = data->state.lastconnect;
+-    find.found = FALSE;
++    find.id_tofind = data->state.lastconnect_id;
++    find.found = NULL;
+ 
+     Curl_conncache_foreach(data, data->multi_easy?
+                            &data->multi_easy->conn_cache:
+                            &data->multi->conn_cache, &find, conn_is_conn);
+ 
+     if(!find.found) {
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+       return CURL_SOCKET_BAD;
+     }
+ 
++    c = find.found;
+     if(connp) {
+       /* only store this if the caller cares for it */
+       *connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index 027d0be..fe61cdd 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -919,8 +919,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+ 
+   /* the connection cache is setup on demand */
+   outcurl->state.conn_cache = NULL;
+-
+-  outcurl->state.lastconnect = NULL;
++  outcurl->state.lastconnect_id = -1;
+ 
+   outcurl->progress.flags    = data->progress.flags;
+   outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index 0caf943..0f57fd5 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -427,6 +427,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+     data->state.conn_cache = &data->share->conn_cache;
+   else
+     data->state.conn_cache = &multi->conn_cache;
++  data->state.lastconnect_id = -1;
+ 
+ #ifdef USE_LIBPSL
+   /* Do the same for PSL. */
+@@ -644,11 +645,11 @@ static CURLcode multi_done(struct connectdata **connp,
+     /* the connection is no longer in use by this transfer */
+     if(Curl_conncache_return_conn(conn)) {
+       /* remember the most recently used connection */
+-      data->state.lastconnect = conn;
++      data->state.lastconnect_id = conn->connection_id;
+       infof(data, "%s\n", buffer);
+     }
+     else
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+   }
+ 
+   *connp = NULL; /* to make the caller of this function better detect that
+diff --git a/lib/url.c b/lib/url.c
+index dcc6cc8..d65d17d 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -592,7 +592,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+       Curl_initinfo(data);
+ 
+       /* most recent connection is not yet defined */
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+ 
+       data->progress.flags |= PGRS_HIDE;
+       data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 67db3b2..4b70cc5 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1219,7 +1219,7 @@ struct UrlState {
+   /* buffers to store authentication data in, as parsed from input options */
+   struct curltime keeps_speed; /* for the progress meter really */
+ 
+-  struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++  long lastconnect_id; /* The last connection, -1 if undefined */
+ 
+   char *headerbuff; /* allocated buffer to store headers in */
+   size_t headersize;   /* size of the allocation */
+-- 
+2.25.4
+
diff --git a/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
new file mode 100644
index 0000000..f6bcb01
--- /dev/null
+++ b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
@@ -0,0 +1,60 @@
+From 9d5903ebcbcbcc4f3a997ec7d5552721c5383b9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Ba=C5=A1ti?= <mbasti@redhat.com>
+Date: Thu, 27 Aug 2020 23:09:56 +0200
+Subject: [PATCH] http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
+
+... in case NO_PROXY takes an effect
+
+Without this patch, the following command crashes:
+
+    $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
+        git clone https://github.com/curl/curl.git
+
+Minimal libcurl-based reproducer:
+
+    #include <curl/curl.h>
+
+    int main() {
+      CURL *curl = curl_easy_init();
+      if(curl) {
+        CURLcode ret;
+        curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
+        curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
+        /* set the proxy type */
+        curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
+        curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
+        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+        ret = curl_easy_perform(curl);
+        curl_easy_cleanup(curl);
+        return ret;
+      }
+      return -1;
+    }
+
+Assisted-by: Kamil Dudka
+Bug: https://bugzilla.redhat.com/1873327
+Closes #5902
+
+Upstream-commit: 3eff1c5092e542819ac7e6454a70c94b36ab2a40
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index d65d17d..e77f391 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3074,6 +3074,9 @@ static CURLcode create_conn_helper_init_proxy(struct connectdata *conn)
+     conn->bits.socksproxy = FALSE;
+     conn->bits.proxy_user_passwd = FALSE;
+     conn->bits.tunnel_proxy = FALSE;
++    /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
++       to signal that CURLPROXY_HTTPS is not used for this connection */
++    conn->http_proxy.proxytype = CURLPROXY_HTTP;
+   }
+ 
+ out:
+-- 
+2.25.4
+
diff --git a/SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch b/SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
new file mode 100644
index 0000000..5b7044c
--- /dev/null
+++ b/SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
@@ -0,0 +1,291 @@
+From 673adb0a7a21ca3a877ee03dc9e197d5be15a9d3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 2 Dec 2019 10:45:55 +0100
+Subject: [PATCH 1/3] openssl: set X509_V_FLAG_PARTIAL_CHAIN
+
+Have intermediate certificates in the trust store be treated as
+trust-anchors, in the same way as self-signed root CA certificates
+are. This allows users to verify servers using the intermediate cert
+only, instead of needing the whole chain.
+
+Other TLS backends already accept partial chains.
+
+Reported-by: Jeffrey Walton
+Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
+
+Upstream-commit: 94f1f771586913addf5c68f9219e176036c50115
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index d8bcc4f..8e791b9 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2551,19 +2551,27 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+     infof(data, "  CRLfile: %s\n", ssl_crlfile);
+   }
+ 
+-  /* Try building a chain using issuers in the trusted store first to avoid
+-  problems with server-sent legacy intermediates.
+-  Newer versions of OpenSSL do alternate chain checking by default which
+-  gives us the same fix without as much of a performance hit (slight), so we
+-  prefer that if available.
+-  https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+-  */
+-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
+   if(verifypeer) {
++    /* Try building a chain using issuers in the trusted store first to avoid
++       problems with server-sent legacy intermediates.  Newer versions of
++       OpenSSL do alternate chain checking by default which gives us the same
++       fix without as much of a performance hit (slight), so we prefer that if
++       available.
++       https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
++    */
++#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
+     X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+                          X509_V_FLAG_TRUSTED_FIRST);
+-  }
+ #endif
++#ifdef X509_V_FLAG_PARTIAL_CHAIN
++    /* Have intermediate certificates in the trust store be treated as
++       trust-anchors, in the same way as self-signed root CA certificates
++       are. This allows users to verify servers using the intermediate cert
++       only, instead of needing the whole chain. */
++    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
++                         X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++  }
+ 
+   /* SSL always tries to verify the peer, this only says whether it should
+    * fail to connect if the verification fails, or if it should continue
+-- 
+2.26.2
+
+
+From b2e6e39b60e1722aecf250ff79a69867df5d3aa8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 2 Dec 2019 10:55:33 +0100
+Subject: [PATCH 2/3] openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial
+ cert chains
+
+Closes #4655
+
+Upstream-commit: 564d88a8bd190a21b362d6da535fccf74d33394d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 | 40 +++++++++++++------------
+ docs/libcurl/symbols-in-versions        |  1 +
+ include/curl/curl.h                     |  4 +++
+ lib/setopt.c                            |  1 +
+ lib/urldata.h                           |  1 +
+ lib/vtls/openssl.c                      | 14 +++++----
+ 6 files changed, 36 insertions(+), 25 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
+index d781434..6286a64 100644
+--- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
++++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
+@@ -29,25 +29,27 @@ CURLOPT_SSL_OPTIONS \- set SSL behavior options
+ 
+ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
+ .SH DESCRIPTION
+-Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
+-
+-\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any
+-workarounds for a security flaw in the SSL3 and TLS1.0 protocols.  If this
+-option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a
+-work-around for this flaw although it might cause interoperability problems
+-with some (older) SSL implementations. WARNING: avoiding this work-around
+-lessens the security, and by setting this option to 1 you ask for exactly that.
+-This option is only supported for DarwinSSL, NSS and OpenSSL.
+-
+-Added in 7.44.0:
+-
+-\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
+-checks for those SSL backends where such behavior is present. \fBCurrently this
+-option is only supported for WinSSL (the native Windows SSL library), with an
+-exception in the case of Windows' Untrusted Publishers blacklist which it seems
+-can't be bypassed.\fP This option may have broader support to accommodate other
+-SSL backends in the future.
+-https://curl.haxx.se/docs/ssl-compared.html
++Pass a long with a bitmask to tell libcurl about specific SSL
++behaviors. Available bits:
++.IP CURLSSLOPT_ALLOW_BEAST
++Tells libcurl to not attempt to use any workarounds for a security flaw in the
++SSL3 and TLS1.0 protocols.  If this option isn't used or this bit is set to 0,
++the SSL layer libcurl uses may use a work-around for this flaw although it
++might cause interoperability problems with some (older) SSL
++implementations. WARNING: avoiding this work-around lessens the security, and
++by setting this option to 1 you ask for exactly that.  This option is only
++supported for DarwinSSL, NSS and OpenSSL.
++.IP CURLSSLOPT_NO_REVOKE
++Tells libcurl to disable certificate revocation checks for those SSL backends
++where such behavior is present. This option is only supported for Schannel
++(the native Windows SSL library), with an exception in the case of Windows'
++Untrusted Publishers blacklist which it seems can't be bypassed. (Added in
++7.44.0)
++.IP CURLSSLOPT_NO_PARTIALCHAIN
++Tells libcurl to not accept "partial" certificate chains, which it otherwise
++does by default. This option is only supported for OpenSSL and will fail the
++certificate verification if the chain ends with an intermediate certificate
++and not with a root cert. (Added in 7.68.0)
+ .SH DEFAULT
+ 0
+ .SH PROTOCOLS
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index 3b3861f..54923d0 100644
+--- a/docs/libcurl/symbols-in-versions
++++ b/docs/libcurl/symbols-in-versions
+@@ -713,6 +713,7 @@ CURLSSLBACKEND_QSOSSL           7.34.0        -           7.38.1
+ CURLSSLBACKEND_SCHANNEL         7.34.0
+ CURLSSLBACKEND_WOLFSSL          7.49.0
+ CURLSSLOPT_ALLOW_BEAST          7.25.0
++CURLSSLOPT_NO_PARTIALCHAIN      7.68.0
+ CURLSSLOPT_NO_REVOKE            7.44.0
+ CURLSSLSET_NO_BACKENDS          7.56.0
+ CURLSSLSET_OK                   7.56.0
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index 8f473e2..75f9384 100644
+--- a/include/curl/curl.h
++++ b/include/curl/curl.h
+@@ -795,6 +795,10 @@ typedef enum {
+    SSL backends where such behavior is present. */
+ #define CURLSSLOPT_NO_REVOKE (1<<1)
+ 
++/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain
++   if possible. The OpenSSL backend has this ability. */
++#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2)
++
+ /* The default connection attempt delay in milliseconds for happy eyeballs.
+    CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
+    this value, keep them in sync. */
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 5c5f4b3..4f04962 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2046,6 +2046,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+     arg = va_arg(param, long);
+     data->set.ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
+     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
++    data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+     break;
+ 
+   case CURLOPT_PROXY_SSL_OPTIONS:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 4b70cc5..c70290a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -235,6 +235,7 @@ struct ssl_config_data {
+   bool enable_beast; /* especially allow this flaw for interoperability's
+                         sake*/
+   bool no_revoke;    /* disable SSL certificate revocation checks */
++  bool no_partialchain;  /* don't accept partial certificate chains */
+   long certverifyresult; /* result from the certificate verification */
+   char *CRLfile;   /* CRL to check certificate revocation */
+   char *issuercert;/* optional issuer certificate filename */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 8e791b9..87f6c4c 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2564,12 +2564,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+                          X509_V_FLAG_TRUSTED_FIRST);
+ #endif
+ #ifdef X509_V_FLAG_PARTIAL_CHAIN
+-    /* Have intermediate certificates in the trust store be treated as
+-       trust-anchors, in the same way as self-signed root CA certificates
+-       are. This allows users to verify servers using the intermediate cert
+-       only, instead of needing the whole chain. */
+-    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+-                         X509_V_FLAG_PARTIAL_CHAIN);
++    if(!SSL_SET_OPTION(no_partialchain)) {
++      /* Have intermediate certificates in the trust store be treated as
++         trust-anchors, in the same way as self-signed root CA certificates
++         are. This allows users to verify servers using the intermediate cert
++         only, instead of needing the whole chain. */
++      X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
++                           X509_V_FLAG_PARTIAL_CHAIN);
++    }
+ #endif
+   }
+ 
+-- 
+2.26.2
+
+
+From d149ba12f302e5275b408d82ffb349eac16b9226 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 May 2020 23:00:31 +0200
+Subject: [PATCH 3/3] OpenSSL: have CURLOPT_CRLFILE imply
+ CURLSSLOPT_NO_PARTIALCHAIN
+
+... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.
+
+Reported-by: Michael Kaufmann
+Fixes #5374
+Closes #5376
+
+Upstream-commit: 81a54b12c631e8126e3eb484c74040b991e78f0c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLOPT_CRLFILE.3 | 13 ++++++++-----
+ lib/vtls/openssl.c                  |  8 ++++++--
+ 2 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLOPT_CRLFILE.3 b/docs/libcurl/opts/CURLOPT_CRLFILE.3
+index 080caa7..f111585 100644
+--- a/docs/libcurl/opts/CURLOPT_CRLFILE.3
++++ b/docs/libcurl/opts/CURLOPT_CRLFILE.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -34,10 +34,13 @@ concatenation of CRL (in PEM format) to use in the certificate validation that
+ occurs during the SSL exchange.
+ 
+ When curl is built to use NSS or GnuTLS, there is no way to influence the use
+-of CRL passed to help in the verification process. When libcurl is built with
+-OpenSSL support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both
+-set, requiring CRL check against all the elements of the certificate chain if
+-a CRL file is passed.
++of CRL passed to help in the verification process.
++
++When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
++X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the
++elements of the certificate chain if a CRL file is passed. Also note that
++\fICURLOPT_CRLFILE(3)\fP will imply \fBCURLSSLOPT_NO_PARTIALCHAIN\fP (see
++\fICURLOPT_SSL_OPTIONS(3)\fP) since curl 7.71.0 due to an OpenSSL bug.
+ 
+ This option makes sense only when used in combination with the
+ \fICURLOPT_SSL_VERIFYPEER(3)\fP option.
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 87f6c4c..9476773 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2564,11 +2564,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+                          X509_V_FLAG_TRUSTED_FIRST);
+ #endif
+ #ifdef X509_V_FLAG_PARTIAL_CHAIN
+-    if(!SSL_SET_OPTION(no_partialchain)) {
++    if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
+       /* Have intermediate certificates in the trust store be treated as
+          trust-anchors, in the same way as self-signed root CA certificates
+          are. This allows users to verify servers using the intermediate cert
+-         only, instead of needing the whole chain. */
++         only, instead of needing the whole chain.
++
++         Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
++         cannot do partial chains with CRL check.
++      */
+       X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+                            X509_V_FLAG_PARTIAL_CHAIN);
+     }
+-- 
+2.26.2
+
diff --git a/SOURCES/0025-curl-7.61.1-CVE-2020-8284.patch b/SOURCES/0025-curl-7.61.1-CVE-2020-8284.patch
new file mode 100644
index 0000000..674753e
--- /dev/null
+++ b/SOURCES/0025-curl-7.61.1-CVE-2020-8284.patch
@@ -0,0 +1,208 @@
+From 2629f42d4cfdd04df0544007b03161e3d5d52d54 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 24 Nov 2020 14:56:57 +0100
+Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
+
+The command line tool also independently sets --ftp-skip-pasv-ip by
+default.
+
+Ten test cases updated to adapt the modified --libcurl output.
+
+Bug: https://curl.se/docs/CVE-2020-8284.html
+CVE-2020-8284
+
+Reported-by: Varnavas Papaioannou
+
+Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/cmdline-opts/ftp-skip-pasv-ip.d         | 2 ++
+ docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
+ lib/url.c                                    | 1 +
+ src/tool_cfgable.c                           | 1 +
+ tests/data/test1400                          | 1 +
+ tests/data/test1401                          | 1 +
+ tests/data/test1402                          | 1 +
+ tests/data/test1403                          | 1 +
+ tests/data/test1404                          | 1 +
+ tests/data/test1405                          | 1 +
+ tests/data/test1406                          | 1 +
+ tests/data/test1407                          | 1 +
+ tests/data/test1420                          | 1 +
+ 13 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+index da6ab11..4be8b43 100644
+--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
++++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
+ will re-use the same IP address it already uses for the control
+ connection.
+ 
++Since curl 7.74.0 this option is enabled by default.
++
+ This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+index 4d3026a..4227ed6 100644
+--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
++++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port
+ number from the 227-response.
+ 
+ This option thus allows libcurl to work around broken server installations
+-that due to NATs, firewalls or incompetence report the wrong IP address back.
++that due to NATs, firewalls or incompetence report the wrong IP address
++back. Setting the option also reduces the risk for various sorts of client
++abuse by malicious servers.
+ 
+ This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+ .SH DEFAULT
+-0
++1 since 7.74.0, was 0 before then.
+ .SH PROTOCOLS
+ FTP
+ .SH EXAMPLE
+diff --git a/lib/url.c b/lib/url.c
+index e77f391..b18db25 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -434,6 +434,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+   set->ftp_use_eprt = TRUE;   /* FTP defaults to EPRT operations */
+   set->ftp_use_pret = FALSE;  /* mainly useful for drftpd servers */
+   set->ftp_filemethod = FTPFILE_MULTICWD;
++  set->ftp_skip_ip = TRUE;    /* skip PASV IP by default */
+ 
+   set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
+ 
+diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
+index 81e16c1..110191e 100644
+--- a/src/tool_cfgable.c
++++ b/src/tool_cfgable.c
+@@ -43,6 +43,7 @@ void config_init(struct OperationConfig* config)
+   config->proto_default = NULL;
+   config->tcp_nodelay = TRUE; /* enabled by default */
+   config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
++  config->ftp_skip_ip = TRUE;
+ }
+ 
+ static void free_config_fields(struct OperationConfig *config)
+diff --git a/tests/data/test1400 b/tests/data/test1400
+index 10faef3..9d18a30 100644
+--- a/tests/data/test1400
++++ b/tests/data/test1400
+@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1401 b/tests/data/test1401
+index f330931..99cb0cb 100644
+--- a/tests/data/test1401
++++ b/tests/data/test1401
+@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+   curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
+                                            (long)CURLPROTO_FTP |
+diff --git a/tests/data/test1402 b/tests/data/test1402
+index 9a94283..ef55bd6 100644
+--- a/tests/data/test1402
++++ b/tests/data/test1402
+@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1403 b/tests/data/test1403
+index 79cdf49..78932c2 100644
+--- a/tests/data/test1403
++++ b/tests/data/test1403
+@@ -75,6 +75,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1404 b/tests/data/test1404
+index 9c6f2e7..8ea5e04 100644
+--- a/tests/data/test1404
++++ b/tests/data/test1404
+@@ -144,6 +144,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1405 b/tests/data/test1405
+index 73769ee..5a83b6e 100644
+--- a/tests/data/test1405
++++ b/tests/data/test1405
+@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
+   curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1406 b/tests/data/test1406
+index 796dd22..c941e00 100644
+--- a/tests/data/test1406
++++ b/tests/data/test1406
+@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
+   curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+   curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
+   curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
+diff --git a/tests/data/test1407 b/tests/data/test1407
+index 9800eee..ddba7b7 100644
+--- a/tests/data/test1407
++++ b/tests/data/test1407
+@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
+   curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1420 b/tests/data/test1420
+index a5e1c52..72fb353 100644
+--- a/tests/data/test1420
++++ b/tests/data/test1420
+@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;UID=1");
+   curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+-- 
+2.26.2
+
diff --git a/SOURCES/0026-curl-7.61.1-CVE-2020-8285.patch b/SOURCES/0026-curl-7.61.1-CVE-2020-8285.patch
new file mode 100644
index 0000000..703287e
--- /dev/null
+++ b/SOURCES/0026-curl-7.61.1-CVE-2020-8285.patch
@@ -0,0 +1,258 @@
+From 22b3d1cf0216f4369f01678c587da265c2e465af Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 28 Nov 2020 00:27:21 +0100
+Subject: [PATCH] ftp: make wc_statemach loop instead of recurse
+
+CVE-2020-8285
+
+Fixes #6255
+Bug: https://curl.se/docs/CVE-2020-8285.html
+Reported-by: xnynx on github
+
+Upstream-commit: 69a358f2186e04cf44698b5100332cbf1ee7f01d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ftp.c | 204 +++++++++++++++++++++++++++---------------------------
+ 1 file changed, 103 insertions(+), 101 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 7dbf080..482ab3a 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -3786,130 +3786,132 @@ static CURLcode init_wc_data(struct connectdata *conn)
+   return result;
+ }
+ 
+-/* This is called recursively */
+ static CURLcode wc_statemach(struct connectdata *conn)
+ {
+   struct WildcardData * const wildcard = &(conn->data->wildcard);
+   CURLcode result = CURLE_OK;
+ 
+-  switch(wildcard->state) {
+-  case CURLWC_INIT:
+-    result = init_wc_data(conn);
+-    if(wildcard->state == CURLWC_CLEAN)
+-      /* only listing! */
+-      break;
+-    wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
+-    break;
++  for(;;) {
++    switch(wildcard->state) {
++    case CURLWC_INIT:
++      result = init_wc_data(conn);
++      if(wildcard->state == CURLWC_CLEAN)
++        /* only listing! */
++        return result;
++      wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
++      return result;
+ 
+-  case CURLWC_MATCHING: {
+-    /* In this state is LIST response successfully parsed, so lets restore
+-       previous WRITEFUNCTION callback and WRITEDATA pointer */
+-    struct ftp_wc *ftpwc = wildcard->protdata;
+-    conn->data->set.fwrite_func = ftpwc->backup.write_function;
+-    conn->data->set.out = ftpwc->backup.file_descriptor;
+-    ftpwc->backup.write_function = ZERO_NULL;
+-    ftpwc->backup.file_descriptor = NULL;
+-    wildcard->state = CURLWC_DOWNLOADING;
+-
+-    if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
+-      /* error found in LIST parsing */
+-      wildcard->state = CURLWC_CLEAN;
+-      return wc_statemach(conn);
+-    }
+-    if(wildcard->filelist.size == 0) {
+-      /* no corresponding file */
+-      wildcard->state = CURLWC_CLEAN;
+-      return CURLE_REMOTE_FILE_NOT_FOUND;
++    case CURLWC_MATCHING: {
++      /* In this state is LIST response successfully parsed, so lets restore
++         previous WRITEFUNCTION callback and WRITEDATA pointer */
++      struct ftp_wc *ftpwc = wildcard->protdata;
++      conn->data->set.fwrite_func = ftpwc->backup.write_function;
++      conn->data->set.out = ftpwc->backup.file_descriptor;
++      ftpwc->backup.write_function = ZERO_NULL;
++      ftpwc->backup.file_descriptor = NULL;
++      wildcard->state = CURLWC_DOWNLOADING;
++
++      if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
++        /* error found in LIST parsing */
++        wildcard->state = CURLWC_CLEAN;
++        continue;
++      }
++      if(wildcard->filelist.size == 0) {
++        /* no corresponding file */
++        wildcard->state = CURLWC_CLEAN;
++        return CURLE_REMOTE_FILE_NOT_FOUND;
++      }
++      continue;
+     }
+-    return wc_statemach(conn);
+-  }
+ 
+-  case CURLWC_DOWNLOADING: {
+-    /* filelist has at least one file, lets get first one */
+-    struct ftp_conn *ftpc = &conn->proto.ftpc;
+-    struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
++    case CURLWC_DOWNLOADING: {
++      /* filelist has at least one file, lets get first one */
++      struct ftp_conn *ftpc = &conn->proto.ftpc;
++      struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
+ 
+-    char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
+-    if(!tmp_path)
+-      return CURLE_OUT_OF_MEMORY;
++      char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
++      if(!tmp_path)
++        return CURLE_OUT_OF_MEMORY;
+ 
+-    /* switch default "state.pathbuffer" and tmp_path, good to see
+-       ftp_parse_url_path function to understand this trick */
+-    Curl_safefree(conn->data->state.pathbuffer);
+-    conn->data->state.pathbuffer = tmp_path;
+-    conn->data->state.path = tmp_path;
+-
+-    infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
+-    if(conn->data->set.chunk_bgn) {
+-      long userresponse;
+-      Curl_set_in_callback(conn->data, true);
+-      userresponse = conn->data->set.chunk_bgn(
+-        finfo, wildcard->customptr, (int)wildcard->filelist.size);
+-      Curl_set_in_callback(conn->data, false);
+-      switch(userresponse) {
+-      case CURL_CHUNK_BGN_FUNC_SKIP:
+-        infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
+-              finfo->filename);
+-        wildcard->state = CURLWC_SKIP;
+-        return wc_statemach(conn);
+-      case CURL_CHUNK_BGN_FUNC_FAIL:
+-        return CURLE_CHUNK_FAILED;
++      /* switch default "state.pathbuffer" and tmp_path, good to see
++         ftp_parse_url_path function to understand this trick */
++      Curl_safefree(conn->data->state.pathbuffer);
++      conn->data->state.pathbuffer = tmp_path;
++      conn->data->state.path = tmp_path;
++
++      infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
++      if(conn->data->set.chunk_bgn) {
++        long userresponse;
++        Curl_set_in_callback(conn->data, true);
++        userresponse = conn->data->set.chunk_bgn(
++          finfo, wildcard->customptr, (int)wildcard->filelist.size);
++        Curl_set_in_callback(conn->data, false);
++        switch(userresponse) {
++        case CURL_CHUNK_BGN_FUNC_SKIP:
++          infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
++                finfo->filename);
++          wildcard->state = CURLWC_SKIP;
++          continue;
++        case CURL_CHUNK_BGN_FUNC_FAIL:
++          return CURLE_CHUNK_FAILED;
++        }
+       }
+-    }
+ 
+-    if(finfo->filetype != CURLFILETYPE_FILE) {
+-      wildcard->state = CURLWC_SKIP;
+-      return wc_statemach(conn);
+-    }
++      if(finfo->filetype != CURLFILETYPE_FILE) {
++        wildcard->state = CURLWC_SKIP;
++        continue;
++      }
+ 
+-    if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
+-      ftpc->known_filesize = finfo->size;
++      if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
++        ftpc->known_filesize = finfo->size;
+ 
+-    result = ftp_parse_url_path(conn);
+-    if(result)
+-      return result;
++      result = ftp_parse_url_path(conn);
++      if(result)
++        return result;
+ 
+-    /* we don't need the Curl_fileinfo of first file anymore */
+-    Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
++      /* we don't need the Curl_fileinfo of first file anymore */
++      Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+ 
+-    if(wildcard->filelist.size == 0) { /* remains only one file to down. */
+-      wildcard->state = CURLWC_CLEAN;
+-      /* after that will be ftp_do called once again and no transfer
+-         will be done because of CURLWC_CLEAN state */
+-      return CURLE_OK;
++      if(wildcard->filelist.size == 0) { /* remains only one file to down. */
++        wildcard->state = CURLWC_CLEAN;
++        /* after that will be ftp_do called once again and no transfer
++           will be done because of CURLWC_CLEAN state */
++        return CURLE_OK;
++      }
++      return result;
+     }
+-  } break;
+ 
+-  case CURLWC_SKIP: {
+-    if(conn->data->set.chunk_end) {
+-      Curl_set_in_callback(conn->data, true);
+-      conn->data->set.chunk_end(conn->data->wildcard.customptr);
+-      Curl_set_in_callback(conn->data, false);
++    case CURLWC_SKIP: {
++      if(conn->data->set.chunk_end) {
++        Curl_set_in_callback(conn->data, true);
++        conn->data->set.chunk_end(conn->data->wildcard.customptr);
++        Curl_set_in_callback(conn->data, false);
++      }
++      Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
++      wildcard->state = (wildcard->filelist.size == 0) ?
++        CURLWC_CLEAN : CURLWC_DOWNLOADING;
++      continue;
+     }
+-    Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+-    wildcard->state = (wildcard->filelist.size == 0) ?
+-                      CURLWC_CLEAN : CURLWC_DOWNLOADING;
+-    return wc_statemach(conn);
+-  }
+ 
+-  case CURLWC_CLEAN: {
+-    struct ftp_wc *ftpwc = wildcard->protdata;
+-    result = CURLE_OK;
+-    if(ftpwc)
+-      result = Curl_ftp_parselist_geterror(ftpwc->parser);
++    case CURLWC_CLEAN: {
++      struct ftp_wc *ftpwc = wildcard->protdata;
++      result = CURLE_OK;
++      if(ftpwc)
++        result = Curl_ftp_parselist_geterror(ftpwc->parser);
+ 
+-    wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
+-  } break;
++      wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
++      return result;
++    }
+ 
+-  case CURLWC_DONE:
+-  case CURLWC_ERROR:
+-  case CURLWC_CLEAR:
+-    if(wildcard->dtor)
+-      wildcard->dtor(wildcard->protdata);
+-    break;
++    case CURLWC_DONE:
++    case CURLWC_ERROR:
++    case CURLWC_CLEAR:
++      if(wildcard->dtor)
++        wildcard->dtor(wildcard->protdata);
++      return result;
++    }
+   }
+-
+-  return result;
++  /* UNREACHABLE */
+ }
+ 
+ /***********************************************************************
+-- 
+2.26.2
+
diff --git a/SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch b/SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch
new file mode 100644
index 0000000..5180971
--- /dev/null
+++ b/SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch
@@ -0,0 +1,129 @@
+From 2470bc91f62cc9b0ab1deac60a67f87b7cc95f6e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Dec 2020 23:01:11 +0100
+Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
+
+CVE-2020-8286
+
+Reported by anonymous
+
+Bug: https://curl.se/docs/CVE-2020-8286.html
+
+Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 54 insertions(+), 29 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 9476773..35cd652 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1659,6 +1659,11 @@ static CURLcode verifystatus(struct connectdata *conn,
+   OCSP_BASICRESP *br = NULL;
+   X509_STORE     *st = NULL;
+   STACK_OF(X509) *ch = NULL;
++  X509 *cert;
++  OCSP_CERTID *id = NULL;
++  int cert_status, crl_reason;
++  ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++  int ret;
+ 
+   long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p);
+ 
+@@ -1727,43 +1732,63 @@ static CURLcode verifystatus(struct connectdata *conn,
+     goto end;
+   }
+ 
+-  for(i = 0; i < OCSP_resp_count(br); i++) {
+-    int cert_status, crl_reason;
+-    OCSP_SINGLERESP *single = NULL;
+-
+-    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++  /* Compute the certificate's ID */
++  cert = SSL_get_peer_certificate(BACKEND->handle);
++  if(!cert) {
++    failf(data, "Error getting peer certficate");
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
++  }
+ 
+-    single = OCSP_resp_get0(br, i);
+-    if(!single)
+-      continue;
++  for(i = 0; i < sk_X509_num(ch); i++) {
++    X509 *issuer = sk_X509_value(ch, i);
++    if(X509_check_issued(issuer, cert) == X509_V_OK) {
++      id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
++      break;
++    }
++  }
++  X509_free(cert);
+ 
+-    cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
+-                                          &thisupd, &nextupd);
++  if(!id) {
++    failf(data, "Error computing OCSP ID");
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
++  }
+ 
+-    if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+-      failf(data, "OCSP response has expired");
+-      result = CURLE_SSL_INVALIDCERTSTATUS;
+-      goto end;
+-    }
++  /* Find the single OCSP response corresponding to the certificate ID */
++  ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
++                              &thisupd, &nextupd);
++  OCSP_CERTID_free(id);
++  if(ret != 1) {
++    failf(data, "Could not find certificate ID in OCSP response");
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
++  }
+ 
+-    infof(data, "SSL certificate status: %s (%d)\n",
+-          OCSP_cert_status_str(cert_status), cert_status);
++  /* Validate the corresponding single OCSP response */
++  if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
++    failf(data, "OCSP response has expired");
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
++  }
+ 
+-    switch(cert_status) {
+-      case V_OCSP_CERTSTATUS_GOOD:
+-        break;
++  infof(data, "SSL certificate status: %s (%d)\n",
++        OCSP_cert_status_str(cert_status), cert_status);
+ 
+-      case V_OCSP_CERTSTATUS_REVOKED:
+-        result = CURLE_SSL_INVALIDCERTSTATUS;
++  switch(cert_status) {
++  case V_OCSP_CERTSTATUS_GOOD:
++    break;
+ 
+-        failf(data, "SSL certificate revocation reason: %s (%d)",
+-              OCSP_crl_reason_str(crl_reason), crl_reason);
+-        goto end;
++  case V_OCSP_CERTSTATUS_REVOKED:
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    failf(data, "SSL certificate revocation reason: %s (%d)",
++          OCSP_crl_reason_str(crl_reason), crl_reason);
++    goto end;
+ 
+-      case V_OCSP_CERTSTATUS_UNKNOWN:
+-        result = CURLE_SSL_INVALIDCERTSTATUS;
+-        goto end;
+-    }
++  case V_OCSP_CERTSTATUS_UNKNOWN:
++  default:
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
+   }
+ 
+ end:
+-- 
+2.26.2
+
diff --git a/SOURCES/0028-curl-7.61.1-http-auth-payload.patch b/SOURCES/0028-curl-7.61.1-http-auth-payload.patch
new file mode 100644
index 0000000..c4662b4
--- /dev/null
+++ b/SOURCES/0028-curl-7.61.1-http-auth-payload.patch
@@ -0,0 +1,63 @@
+From 5a51924c2505c1d5616904aa732fdaedd74d3ffe Mon Sep 17 00:00:00 2001
+From: Marc Schlatter <mschlatter@gestour.com>
+Date: Mon, 11 Mar 2019 17:15:34 +0100
+Subject: [PATCH] http: send payload when (proxy) authentication is done
+
+The check that prevents payload from sending in case of authentication
+doesn't check properly if the authentication is done or not.
+
+They're cases where the proxy respond "200 OK" before sending
+authentication challenge. This change takes care of that.
+
+Fixes #2431
+Closes #3669
+
+Upstream-commit: dd8a19f8a05b59394d1ab33c09497e8db884742a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c          | 3 ++-
+ tests/data/test1097 | 5 +++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index e727ed8..26eb52d 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -1991,7 +1991,8 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
+   if(result)
+     return result;
+ 
+-  if((data->state.authhost.multipass || data->state.authproxy.multipass) &&
++  if(((data->state.authhost.multipass && !data->state.authhost.done)
++      || (data->state.authproxy.multipass && !data->state.authproxy.done)) &&
+      (httpreq != HTTPREQ_GET) &&
+      (httpreq != HTTPREQ_HEAD)) {
+     /* Auth is required and we are not authenticated yet. Make a PUT or POST
+diff --git a/tests/data/test1097 b/tests/data/test1097
+index 7512a2e..7eb7b5f 100644
+--- a/tests/data/test1097
++++ b/tests/data/test1097
+@@ -60,7 +60,7 @@ http://test.a.galaxy.far.far.away.1097:%HTTPPORT/1097 --proxy http://%HOSTIP:%HT
+ <strip>
+ ^User-Agent: curl/.*
+ </strip>
+-<protocol>
++<protocol nonewline="yes">
+ CONNECT test.a.galaxy.far.far.away.1097:%HTTPPORT HTTP/1.1
+ Host: test.a.galaxy.far.far.away.1097:%HTTPPORT
+ Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
+@@ -71,9 +71,10 @@ POST /1097 HTTP/1.1
+ User-Agent: curl/7.19.5-CVS (i686-pc-linux-gnu) libcurl/7.19.5-CVS OpenSSL/0.9.8g zlib/1.2.3.3 c-ares/1.6.1-CVS libidn/1.12 libssh2/1.0.1_CVS
+ Host: test.a.galaxy.far.far.away.1097:%HTTPPORT
+ Accept: */*
+-Content-Length: 0
++Content-Length: 11
+ Content-Type: application/x-www-form-urlencoded
+ 
++dummy=value
+ </protocol>
+ 
+ </verify>
+-- 
+2.26.2
+
diff --git a/SOURCES/0105-curl-7.61.1-test-ports.patch b/SOURCES/0105-curl-7.61.1-test-ports.patch
new file mode 100644
index 0000000..e536586
--- /dev/null
+++ b/SOURCES/0105-curl-7.61.1-test-ports.patch
@@ -0,0 +1,71 @@
+From e6507a9abbfd4ac93ea3053c8f3385a2405f19d8 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 29 Jan 2021 11:34:49 +0100
+Subject: [PATCH] tests: do not hard-wire ports of test servers
+
+---
+ tests/data/test1448 | 4 ++--
+ tests/data/test651  | 2 +-
+ tests/data/test653  | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tests/data/test1448 b/tests/data/test1448
+index e04f47b..5022ef9 100644
+--- a/tests/data/test1448
++++ b/tests/data/test1448
+@@ -17,7 +17,7 @@ HTTP/1.1 302 OK swsbounce
+ Date: Thu, 09 Nov 2010 14:49:00 GMT
+ Content-Length: 9
+ Content-Type: text/plain
+-Location: http://åäö.se:8990/14480001
++Location: http://åäö.se:%HTTPPORT/14480001
+ 
+ redirect
+ </data>
+@@ -52,7 +52,7 @@ Redirect following to UTF-8 IDN host name
+  </name>
+ 
+  <command>
+-http://åäö.se:%HTTPPORT/1448 --resolve xn--4cab6c.se:%HTTPPORT:%HOSTIP -L --connect-to %HOSTIP:8990:%HOSTIP:%HTTPPORT
++http://åäö.se:%HTTPPORT/1448 --resolve xn--4cab6c.se:%HTTPPORT:%HOSTIP -L --connect-to %HOSTIP:%HTTPPORT:%HOSTIP:%HTTPPORT
+ </command>
+ </client>
+ 
+diff --git a/tests/data/test651 b/tests/data/test651
+index b00ca5d..8d47c9f 100644
+--- a/tests/data/test651
++++ b/tests/data/test651
+@@ -57,7 +57,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
+ # (5*12) == 60 bytes less
+ <protocol>
+ POST /651 HTTP/1.1
+-Host: 127.0.0.1:8990
++Host: 127.0.0.1:%HTTPPORT
+ Accept: */*
+ Content-Length: 17139
+ Content-Type: multipart/form-data; boundary=----------------------------
+diff --git a/tests/data/test653 b/tests/data/test653
+index d620b57..492d551 100644
+--- a/tests/data/test653
++++ b/tests/data/test653
+@@ -67,7 +67,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
+ # (5*12) == 60 bytes less
+ <protocol>
+ POST /653 HTTP/1.1
+-Host: 127.0.0.1:8990
++Host: 127.0.0.1:%HTTPPORT
+ Accept: */*
+ Content-Length: 150
+ Content-Type: multipart/form-data; boundary=----------------------------
+@@ -78,7 +78,7 @@ Content-Disposition: form-data; name="name"
+ short value
+ --------------------------------
+ POST /653 HTTP/1.1
+-Host: 127.0.0.1:8990
++Host: 127.0.0.1:%HTTPPORT
+ Accept: */*
+ Content-Length: 167
+ Content-Type: multipart/form-data; boundary=----------------------------
+-- 
+2.26.2
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 707664f..8f28ad1 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 12%{?dist}
+Release: 18%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -52,6 +52,33 @@ Patch18:  0018-curl-7.65.3-CVE-2019-5482.patch
 # double free due to subsequent call of realloc() (CVE-2019-5481)
 Patch19:  0019-curl-7.65.3-CVE-2019-5481.patch
 
+# load built-in openssl engines (#1854369)
+Patch20:  0020-curl-7.61.1-openssl-engines.patch
+
+# avoid overwriting a local file with -J (CVE-2020-8177)
+Patch21:  0021-curl-7.61.1-CVE-2020-8177.patch
+
+# libcurl: wrong connect-only connection (CVE-2020-8231)
+Patch22:  0022-curl-7.61.1-CVE-2020-8231.patch
+
+# do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+Patch23:  0023-curl-7.61.1-no-https-proxy-crash.patch
+
+# validate an ssl connection using an intermediate certificate (#1895355)
+Patch24:  0024-curl-7.61.1-openssl-partial-chain.patch
+
+# curl: trusting FTP PASV responses (CVE-2020-8284)
+Patch25:  0025-curl-7.61.1-CVE-2020-8284.patch
+
+# libcurl: FTP wildcard stack overflow (CVE-2020-8285)
+Patch26:  0026-curl-7.61.1-CVE-2020-8285.patch
+
+# curl: Inferior OCSP verification (CVE-2020-8286)
+Patch27:  0027-curl-7.61.1-CVE-2020-8286.patch
+
+# http: send payload when (proxy) authentication is done (#1918692)
+Patch28:  0028-curl-7.61.1-http-auth-payload.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -64,6 +91,9 @@ Patch103: 0103-curl-7.59.0-python3.patch
 # use localhost6 instead of ip6-localhost in the curl test-suite
 Patch104: 0104-curl-7.19.7-localhost6.patch
 
+# tests: do not hard-wire ports of test servers
+Patch105: 0105-curl-7.61.1-test-ports.patch
+
 Provides: curl-full = %{version}-%{release}
 Provides: webclient
 URL: https://curl.haxx.se/
@@ -195,7 +225,7 @@ Summary: Conservatively configured build of libcurl for minimal installations
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
 Provides: libcurl = %{version}-%{release}
 Provides: libcurl%{?_isa} = %{version}-%{release}
-Conflicts: libcurl
+Conflicts: libcurl%{?_isa}
 RemovePathPostfixes: .minimal
 # needed for RemovePathPostfixes to work with shared libraries
 %undefine __brp_ldconfig
@@ -230,10 +260,24 @@ git apply %{PATCH4}
 %patch103 -p1
 %patch104 -p1
 
+# use different port range for 32bit and 64bit builds, thus make it possible
+# to run both the builds in parallel on the same machine
+%patch105 -p1
+sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448
+
 # upstream patches
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -326,7 +370,10 @@ export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
 export OPENSSL_CONF=
 
 # run the upstream test-suite
-srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
+# use different port range for 32bit and 64bit builds, thus make it possible
+# to run both the builds in parallel on the same machine
+export srcdir=../../tests
+perl -I${srcdir} ${srcdir}/runtests.pl -b%{?__isa_bits}90 -a -p -v '!flaky'
 
 %install
 # install and rename the library that will be packaged as libcurl-minimal
@@ -394,6 +441,28 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Thu Jan 28 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18
+- http: send payload when (proxy) authentication is done (#1918692)
+- curl: Inferior OCSP verification (CVE-2020-8286)
+- libcurl: FTP wildcard stack overflow (CVE-2020-8285)
+- curl: trusting FTP PASV responses (CVE-2020-8284)
+
+* Thu Nov 12 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-17
+- validate an ssl connection using an intermediate certificate (#1895355)
+
+* Fri Nov 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-16
+- fix multiarch conflicts in libcurl-minimal (#1895391)
+
+* Tue Nov 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-15
+- do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+- libcurl: wrong connect-only connection (CVE-2020-8231)
+
+* Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14
+- avoid overwriting a local file with -J (CVE-2020-8177)
+
+* Wed Jul 15 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-13
+- load built-in openssl engines (#1854369)
+
 * Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12
 - double free due to subsequent call of realloc() (CVE-2019-5481)
 - fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)