diff --git a/SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch b/SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch
new file mode 100644
index 0000000..02ad592
--- /dev/null
+++ b/SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch
@@ -0,0 +1,43 @@
+From 9ea407a0476d22cde575826c18b5aa56b57ac9b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Felix=20H=C3=A4dicke?= <felixhaedicke@web.de>
+Date: Wed, 23 Jan 2019 23:10:39 +0100
+Subject: [PATCH] setopt: enable CURLOPT_SSH_KNOWNHOSTS and
+ CURLOPT_SSH_KEYFUNCTION for libssh
+
+CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for
+libssh as well. So accepting these options only when compiling with
+libssh2 is wrong here.
+
+Fixes #3493
+Closes #3494
+
+Upstream-commit: 3cbf731d9ec7146f9f1a6ac0fbd9af7fe358f5bb
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index b07ccfe..88a05ff 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2208,7 +2208,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+     result = Curl_setstropt(&data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5],
+                             va_arg(param, char *));
+     break;
+-#ifdef HAVE_LIBSSH2_KNOWNHOST_API
++
+   case CURLOPT_SSH_KNOWNHOSTS:
+     /*
+      * Store the file name to read known hosts from.
+@@ -2229,7 +2229,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+      */
+     data->set.ssh_keyfunc_userp = va_arg(param, void *);
+     break;
+-#endif /* HAVE_LIBSSH2_KNOWNHOST_API */
+ #endif /* USE_LIBSSH2 */
+ 
+   case CURLOPT_HTTP_TRANSFER_DECODING:
+-- 
+2.34.1
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 996a372..29634bd 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 22%{?dist}.4
+Release: 25%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -118,6 +118,9 @@ Patch40:  0040-curl-7.61.1-CVE-2022-32208.patch
 # fix HTTP compression denial of service (CVE-2022-32206)
 Patch41:  0041-curl-7.61.1-CVE-2022-32206.patch
 
+# setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
+Patch42:  0042-curl-7.61.1-ssh-known-hosts.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -332,6 +335,7 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 %patch39 -p1
 %patch40 -p1
 %patch41 -p1
+%patch42 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -494,17 +498,16 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-22.el8_6.4
+* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-25
+- setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
 - fix HTTP compression denial of service (CVE-2022-32206)
 - fix FTP-KRB bad message verification (CVE-2022-32208)
 
-* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-22.el8_6.3
+* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-24
 - fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
-
-* Tue May 04 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-22.el8_6.2
 - fix invalid type in printf() argument detected by Coverity
 
-* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-22.el8_6.1
+* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-23
 - fix credential leak on redirect (CVE-2022-27774)
 - fix auth/cookie leak on redirect (CVE-2022-27776)
 - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)