diff --git a/.curl.metadata b/.curl.metadata
new file mode 100644
index 0000000..c2a3f04
--- /dev/null
+++ b/.curl.metadata
@@ -0,0 +1 @@
+d38ab79ef7a6d92df91ca8dfcf9a5eaf7e25b725 SOURCES/curl-7.76.1.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e076830
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/curl-7.76.1.tar.xz
diff --git a/SOURCES/0001-curl-7.76.1-resource-leaks.patch b/SOURCES/0001-curl-7.76.1-resource-leaks.patch
new file mode 100644
index 0000000..3fd4f40
--- /dev/null
+++ b/SOURCES/0001-curl-7.76.1-resource-leaks.patch
@@ -0,0 +1,133 @@
+From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 30 Apr 2021 18:14:45 +0200
+Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url()
+
+... detected by Coverity:
+
+Error: RESOURCE_LEAK (CWE-772):
+lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
+lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+
+Closes #6986
+
+Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http2.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index ce9a0d3..d5ba89b 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data,
+ CURLU *u = curl_url();
+ CURLUcode uc;
+ char *url;
++ int rc = 0;
+
+ v = curl_pushheader_byname(hp, ":scheme");
+ if(v) {
+ uc = curl_url_set(u, CURLUPART_SCHEME, v, 0);
+- if(uc)
+- return 1;
++ if(uc) {
++ rc = 1;
++ goto fail;
++ }
+ }
+
+ v = curl_pushheader_byname(hp, ":authority");
+ if(v) {
+ uc = curl_url_set(u, CURLUPART_HOST, v, 0);
+- if(uc)
+- return 2;
++ if(uc) {
++ rc = 2;
++ goto fail;
++ }
+ }
+
+ v = curl_pushheader_byname(hp, ":path");
+ if(v) {
+ uc = curl_url_set(u, CURLUPART_PATH, v, 0);
+- if(uc)
+- return 3;
++ if(uc) {
++ rc = 3;
++ goto fail;
++ }
+ }
+
+ uc = curl_url_get(u, CURLUPART_URL, &url, 0);
+ if(uc)
+- return 4;
++ rc = 4;
++ fail:
+ curl_url_cleanup(u);
++ if(rc)
++ return rc;
+
+ if(data->state.url_alloc)
+ free(data->state.url);
+--
+2.30.2
+
+
+From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 30 Apr 2021 18:18:02 +0200
+Subject: [PATCH 2/2] http2: fix a resource leak in push_promise()
+
+... detected by Coverity:
+
+Error: RESOURCE_LEAK (CWE-772):
+lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
+lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
+lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
+lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
+
+Closes #6986
+
+Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index d5ba89b..d0f69ea 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data,
+
+ rv = set_transfer_url(newhandle, &heads);
+ if(rv) {
++ (void)Curl_close(&newhandle);
+ rv = CURL_PUSH_DENY;
+ goto fail;
+ }
+--
+2.30.2
+
diff --git a/SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch b/SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch
new file mode 100644
index 0000000..691850b
--- /dev/null
+++ b/SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch
@@ -0,0 +1,31 @@
+From 886f7458bbf005299f3f8224103d1903cd6fa7a4 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE-2021-22898
+
+Bug: https://curl.se/docs/CVE-2021-22898.html
+
+Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index f96a4cb..4551435 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -921,7 +921,7 @@ static void suboption(struct Curl_easy *data)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+ CURL_NEW_ENV_VALUE, varval);
+--
+2.31.1
+
diff --git a/SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch b/SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch
new file mode 100644
index 0000000..1af7204
--- /dev/null
+++ b/SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch
@@ -0,0 +1,1012 @@
+From c8210a16e8b61704da7bbf4bb0992ecbb1c7746d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 17 May 2021 08:54:00 +0200
+Subject: [PATCH 1/3] conn: add 'attach' to protocol handler, make libssh2 use
+ it
+
+The libssh2 backend has SSH session associated with the connection but
+the callback context is the easy handle, so when a connection gets
+attached to a transfer, the protocol handler now allows for a custom
+function to get used to set things up correctly.
+
+Reported-by: Michael O'Farrell
+Fixes #6898
+Closes #7078
+
+Upstream-commit: 0c55fbab45bedb761766109d41c3da49c4bc66c6
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/curl_rtmp.c | 6 ++++++
+ lib/dict.c | 1 +
+ lib/file.c | 1 +
+ lib/ftp.c | 2 ++
+ lib/gopher.c | 2 ++
+ lib/http.c | 2 ++
+ lib/http2.c | 2 ++
+ lib/imap.c | 2 ++
+ lib/ldap.c | 2 ++
+ lib/mqtt.c | 1 +
+ lib/multi.c | 2 ++
+ lib/openldap.c | 2 ++
+ lib/pop3.c | 2 ++
+ lib/rtsp.c | 1 +
+ lib/smb.c | 2 ++
+ lib/smtp.c | 2 ++
+ lib/telnet.c | 1 +
+ lib/tftp.c | 1 +
+ lib/url.c | 1 +
+ lib/urldata.h | 4 ++++
+ lib/vssh/libssh.c | 2 ++
+ lib/vssh/libssh2.c | 20 ++++++++++++++++++++
+ lib/vssh/ssh.h | 3 +++
+ lib/vssh/wolfssh.c | 2 ++
+ 24 files changed, 66 insertions(+)
+
+diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c
+index 1360f33..2fa0267 100644
+--- a/lib/curl_rtmp.c
++++ b/lib/curl_rtmp.c
+@@ -79,6 +79,7 @@ const struct Curl_handler Curl_handler_rtmp = {
+ rtmp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_RTMP, /* defport */
+ CURLPROTO_RTMP, /* protocol */
+ CURLPROTO_RTMP, /* family */
+@@ -101,6 +102,7 @@ const struct Curl_handler Curl_handler_rtmpt = {
+ rtmp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_RTMPT, /* defport */
+ CURLPROTO_RTMPT, /* protocol */
+ CURLPROTO_RTMPT, /* family */
+@@ -123,6 +125,7 @@ const struct Curl_handler Curl_handler_rtmpe = {
+ rtmp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_RTMP, /* defport */
+ CURLPROTO_RTMPE, /* protocol */
+ CURLPROTO_RTMPE, /* family */
+@@ -145,6 +148,7 @@ const struct Curl_handler Curl_handler_rtmpte = {
+ rtmp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_RTMPT, /* defport */
+ CURLPROTO_RTMPTE, /* protocol */
+ CURLPROTO_RTMPTE, /* family */
+@@ -167,6 +171,7 @@ const struct Curl_handler Curl_handler_rtmps = {
+ rtmp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_RTMPS, /* defport */
+ CURLPROTO_RTMPS, /* protocol */
+ CURLPROTO_RTMP, /* family */
+@@ -189,6 +194,7 @@ const struct Curl_handler Curl_handler_rtmpts = {
+ rtmp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_RTMPS, /* defport */
+ CURLPROTO_RTMPTS, /* protocol */
+ CURLPROTO_RTMPT, /* family */
+diff --git a/lib/dict.c b/lib/dict.c
+index 4319dad..7b27f79 100644
+--- a/lib/dict.c
++++ b/lib/dict.c
+@@ -89,6 +89,7 @@ const struct Curl_handler Curl_handler_dict = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_DICT, /* defport */
+ CURLPROTO_DICT, /* protocol */
+ CURLPROTO_DICT, /* family */
+diff --git a/lib/file.c b/lib/file.c
+index 1d174e5..10d8f05 100644
+--- a/lib/file.c
++++ b/lib/file.c
+@@ -111,6 +111,7 @@ const struct Curl_handler Curl_handler_file = {
+ file_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ 0, /* defport */
+ CURLPROTO_FILE, /* protocol */
+ CURLPROTO_FILE, /* family */
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 5bf44f1..5ef1e2e 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -175,6 +175,7 @@ const struct Curl_handler Curl_handler_ftp = {
+ ftp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_FTP, /* defport */
+ CURLPROTO_FTP, /* protocol */
+ CURLPROTO_FTP, /* family */
+@@ -205,6 +206,7 @@ const struct Curl_handler Curl_handler_ftps = {
+ ftp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_FTPS, /* defport */
+ CURLPROTO_FTPS, /* protocol */
+ CURLPROTO_FTP, /* family */
+diff --git a/lib/gopher.c b/lib/gopher.c
+index a39cc7e..f61232f 100644
+--- a/lib/gopher.c
++++ b/lib/gopher.c
+@@ -74,6 +74,7 @@ const struct Curl_handler Curl_handler_gopher = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_GOPHER, /* defport */
+ CURLPROTO_GOPHER, /* protocol */
+ CURLPROTO_GOPHER, /* family */
+@@ -97,6 +98,7 @@ const struct Curl_handler Curl_handler_gophers = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_GOPHER, /* defport */
+ CURLPROTO_GOPHERS, /* protocol */
+ CURLPROTO_GOPHER, /* family */
+diff --git a/lib/http.c b/lib/http.c
+index 02c81c4..91da200 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -133,6 +133,7 @@ const struct Curl_handler Curl_handler_http = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_HTTP, /* defport */
+ CURLPROTO_HTTP, /* protocol */
+ CURLPROTO_HTTP, /* family */
+@@ -160,6 +161,7 @@ const struct Curl_handler Curl_handler_https = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_HTTPS, /* defport */
+ CURLPROTO_HTTPS, /* protocol */
+ CURLPROTO_HTTP, /* family */
+diff --git a/lib/http2.c b/lib/http2.c
+index d0f69ea..1eb4e89 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -319,6 +319,7 @@ static const struct Curl_handler Curl_handler_http2 = {
+ http2_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ http2_conncheck, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_HTTP, /* defport */
+ CURLPROTO_HTTP, /* protocol */
+ CURLPROTO_HTTP, /* family */
+@@ -341,6 +342,7 @@ static const struct Curl_handler Curl_handler_http2_ssl = {
+ http2_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ http2_conncheck, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_HTTP, /* defport */
+ CURLPROTO_HTTPS, /* protocol */
+ CURLPROTO_HTTP, /* family */
+diff --git a/lib/imap.c b/lib/imap.c
+index e887357..e50d7fd 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -136,6 +136,7 @@ const struct Curl_handler Curl_handler_imap = {
+ imap_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_IMAP, /* defport */
+ CURLPROTO_IMAP, /* protocol */
+ CURLPROTO_IMAP, /* family */
+@@ -164,6 +165,7 @@ const struct Curl_handler Curl_handler_imaps = {
+ imap_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_IMAPS, /* defport */
+ CURLPROTO_IMAPS, /* protocol */
+ CURLPROTO_IMAP, /* family */
+diff --git a/lib/ldap.c b/lib/ldap.c
+index 860a4a8..d632a7e 100644
+--- a/lib/ldap.c
++++ b/lib/ldap.c
+@@ -149,6 +149,7 @@ const struct Curl_handler Curl_handler_ldap = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_LDAP, /* defport */
+ CURLPROTO_LDAP, /* protocol */
+ CURLPROTO_LDAP, /* family */
+@@ -176,6 +177,7 @@ const struct Curl_handler Curl_handler_ldaps = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_LDAPS, /* defport */
+ CURLPROTO_LDAPS, /* protocol */
+ CURLPROTO_LDAP, /* family */
+diff --git a/lib/mqtt.c b/lib/mqtt.c
+index 2134409..d88fa73 100644
+--- a/lib/mqtt.c
++++ b/lib/mqtt.c
+@@ -86,6 +86,7 @@ const struct Curl_handler Curl_handler_mqtt = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_MQTT, /* defport */
+ CURLPROTO_MQTT, /* protocol */
+ CURLPROTO_MQTT, /* family */
+diff --git a/lib/multi.c b/lib/multi.c
+index be3e41f..e624bc3 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -890,6 +890,8 @@ void Curl_attach_connnection(struct Curl_easy *data,
+ data->conn = conn;
+ Curl_llist_insert_next(&conn->easyq, conn->easyq.tail, data,
+ &data->conn_queue);
++ if(conn->handler->attach)
++ conn->handler->attach(data, conn);
+ }
+
+ static int waitconnect_getsock(struct connectdata *conn,
+diff --git a/lib/openldap.c b/lib/openldap.c
+index b6980c5..b515554 100644
+--- a/lib/openldap.c
++++ b/lib/openldap.c
+@@ -107,6 +107,7 @@ const struct Curl_handler Curl_handler_ldap = {
+ ldap_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_LDAP, /* defport */
+ CURLPROTO_LDAP, /* protocol */
+ CURLPROTO_LDAP, /* family */
+@@ -134,6 +135,7 @@ const struct Curl_handler Curl_handler_ldaps = {
+ ldap_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_LDAPS, /* defport */
+ CURLPROTO_LDAPS, /* protocol */
+ CURLPROTO_LDAP, /* family */
+diff --git a/lib/pop3.c b/lib/pop3.c
+index ccfebd0..6168b12 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -131,6 +131,7 @@ const struct Curl_handler Curl_handler_pop3 = {
+ pop3_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_POP3, /* defport */
+ CURLPROTO_POP3, /* protocol */
+ CURLPROTO_POP3, /* family */
+@@ -159,6 +160,7 @@ const struct Curl_handler Curl_handler_pop3s = {
+ pop3_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_POP3S, /* defport */
+ CURLPROTO_POP3S, /* protocol */
+ CURLPROTO_POP3, /* family */
+diff --git a/lib/rtsp.c b/lib/rtsp.c
+index 3029ff5..cdd49dc 100644
+--- a/lib/rtsp.c
++++ b/lib/rtsp.c
+@@ -109,6 +109,7 @@ const struct Curl_handler Curl_handler_rtsp = {
+ rtsp_disconnect, /* disconnect */
+ rtsp_rtp_readwrite, /* readwrite */
+ rtsp_conncheck, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_RTSP, /* defport */
+ CURLPROTO_RTSP, /* protocol */
+ CURLPROTO_RTSP, /* family */
+diff --git a/lib/smb.c b/lib/smb.c
+index 183bc12..9f65cfd 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -88,6 +88,7 @@ const struct Curl_handler Curl_handler_smb = {
+ smb_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_SMB, /* defport */
+ CURLPROTO_SMB, /* protocol */
+ CURLPROTO_SMB, /* family */
+@@ -114,6 +115,7 @@ const struct Curl_handler Curl_handler_smbs = {
+ smb_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_SMBS, /* defport */
+ CURLPROTO_SMBS, /* protocol */
+ CURLPROTO_SMB, /* family */
+diff --git a/lib/smtp.c b/lib/smtp.c
+index be4cd67..1defb25 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -136,6 +136,7 @@ const struct Curl_handler Curl_handler_smtp = {
+ smtp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_SMTP, /* defport */
+ CURLPROTO_SMTP, /* protocol */
+ CURLPROTO_SMTP, /* family */
+@@ -164,6 +165,7 @@ const struct Curl_handler Curl_handler_smtps = {
+ smtp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_SMTPS, /* defport */
+ CURLPROTO_SMTPS, /* protocol */
+ CURLPROTO_SMTP, /* family */
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 4551435..fdd137f 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -185,6 +185,7 @@ const struct Curl_handler Curl_handler_telnet = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_TELNET, /* defport */
+ CURLPROTO_TELNET, /* protocol */
+ CURLPROTO_TELNET, /* family */
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 76d3ff4..bf499f3 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -182,6 +182,7 @@ const struct Curl_handler Curl_handler_tftp = {
+ tftp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_TFTP, /* defport */
+ CURLPROTO_TFTP, /* protocol */
+ CURLPROTO_TFTP, /* family */
+diff --git a/lib/url.c b/lib/url.c
+index 19fcfb8..9f2c9f2 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -292,6 +292,7 @@ static const struct Curl_handler Curl_handler_dummy = {
+ ZERO_NULL, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ 0, /* defport */
+ 0, /* protocol */
+ 0, /* family */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fec8756..2bb7d81 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -791,12 +791,16 @@ struct Curl_handler {
+ struct connectdata *conn,
+ unsigned int checks_to_perform);
+
++ /* attach() attaches this transfer to this connection */
++ void (*attach)(struct Curl_easy *data, struct connectdata *conn);
++
+ int defport; /* Default port. */
+ unsigned int protocol; /* See CURLPROTO_* - this needs to be the single
+ specific protocol bit */
+ unsigned int family; /* single bit for protocol family; basically the
+ non-TLS name of the protocol this is */
+ unsigned int flags; /* Extra particular characteristics, see PROTOPT_* */
++
+ };
+
+ #define PROTOPT_NONE 0 /* nothing extra */
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 4644f4c..450ab28 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -159,6 +159,7 @@ const struct Curl_handler Curl_handler_scp = {
+ scp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_SSH, /* defport */
+ CURLPROTO_SCP, /* protocol */
+ CURLPROTO_SCP, /* family */
+@@ -185,6 +186,7 @@ const struct Curl_handler Curl_handler_sftp = {
+ sftp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_SSH, /* defport */
+ CURLPROTO_SFTP, /* protocol */
+ CURLPROTO_SFTP, /* family */
+diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
+index 9d188d0..0a468dd 100644
+--- a/lib/vssh/libssh2.c
++++ b/lib/vssh/libssh2.c
+@@ -121,6 +121,7 @@ static int ssh_getsock(struct Curl_easy *data, struct connectdata *conn,
+ curl_socket_t *sock);
+ static CURLcode ssh_setup_connection(struct Curl_easy *data,
+ struct connectdata *conn);
++static void ssh_attach(struct Curl_easy *data, struct connectdata *conn);
+
+ /*
+ * SCP protocol handler.
+@@ -142,6 +143,7 @@ const struct Curl_handler Curl_handler_scp = {
+ scp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ssh_attach,
+ PORT_SSH, /* defport */
+ CURLPROTO_SCP, /* protocol */
+ CURLPROTO_SCP, /* family */
+@@ -170,6 +172,7 @@ const struct Curl_handler Curl_handler_sftp = {
+ sftp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ssh_attach,
+ PORT_SSH, /* defport */
+ CURLPROTO_SFTP, /* protocol */
+ CURLPROTO_SFTP, /* family */
+@@ -3607,4 +3610,21 @@ size_t Curl_ssh_version(char *buffer, size_t buflen)
+ return msnprintf(buffer, buflen, "libssh2/%s", LIBSSH2_VERSION);
+ }
+
++/* The SSH session is associated with the *CONNECTION* but the callback user
++ * pointer is an easy handle pointer. This function allows us to reassign the
++ * user pointer to the *CURRENT* (new) easy handle.
++ */
++static void ssh_attach(struct Curl_easy *data, struct connectdata *conn)
++{
++ DEBUGASSERT(data);
++ DEBUGASSERT(conn);
++ if(conn->handler->protocol & PROTO_FAMILY_SSH) {
++ struct ssh_conn *sshc = &conn->proto.sshc;
++ if(sshc->ssh_session) {
++ /* only re-attach if the session already exists */
++ void **abstract = libssh2_session_abstract(sshc->ssh_session);
++ *abstract = data;
++ }
++ }
++}
+ #endif /* USE_LIBSSH2 */
+diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
+index 52e1ee6..505b078 100644
+--- a/lib/vssh/ssh.h
++++ b/lib/vssh/ssh.h
+@@ -263,9 +263,12 @@ extern const struct Curl_handler Curl_handler_sftp;
+ CURLcode Curl_ssh_init(void);
+ void Curl_ssh_cleanup(void);
+ size_t Curl_ssh_version(char *buffer, size_t buflen);
++void Curl_ssh_attach(struct Curl_easy *data,
++ struct connectdata *conn);
+ #else
+ /* for non-SSH builds */
+ #define Curl_ssh_cleanup()
++#define Curl_ssh_attach(x,y)
+ #endif
+
+ #endif /* HEADER_CURL_SSH_H */
+diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c
+index de0b1c7..8aa8067 100644
+--- a/lib/vssh/wolfssh.c
++++ b/lib/vssh/wolfssh.c
+@@ -91,6 +91,7 @@ const struct Curl_handler Curl_handler_scp = {
+ wscp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_SSH, /* defport */
+ CURLPROTO_SCP, /* protocol */
+ PROTOPT_DIRLOCK | PROTOPT_CLOSEACTION
+@@ -119,6 +120,7 @@ const struct Curl_handler Curl_handler_sftp = {
+ wsftp_disconnect, /* disconnect */
+ ZERO_NULL, /* readwrite */
+ ZERO_NULL, /* connection_check */
++ ZERO_NULL, /* attach connection */
+ PORT_SSH, /* defport */
+ CURLPROTO_SFTP, /* protocol */
+ CURLPROTO_SFTP, /* family */
+--
+2.31.1
+
+
+From b5971f4854aab00fcd7810aa9a425c0a6790e050 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Wed, 5 May 2021 13:42:26 +0200
+Subject: [PATCH 2/3] openssl: associate/detach the transfer from connection
+
+CVE-2021-22901
+
+Bug: https://curl.se/docs/CVE-2021-22901.html
+
+Upstream-commit: 7f4a9a9b2a49547eae24d2e19bc5c346e9026479
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/multi.c | 5 +-
+ lib/vtls/gskit.c | 4 +-
+ lib/vtls/gtls.c | 4 +-
+ lib/vtls/mbedtls.c | 4 +-
+ lib/vtls/mesalink.c | 4 +-
+ lib/vtls/nss.c | 4 +-
+ lib/vtls/openssl.c | 146 +++++++++++++++++++++++++++++++------------
+ lib/vtls/rustls.c | 4 +-
+ lib/vtls/schannel.c | 4 +-
+ lib/vtls/sectransp.c | 2 +
+ lib/vtls/vtls.c | 23 ++++++-
+ lib/vtls/vtls.h | 12 ++++
+ lib/vtls/wolfssl.c | 4 +-
+ 13 files changed, 171 insertions(+), 49 deletions(-)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index e624bc3..2228264 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -872,8 +872,10 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi)
+ void Curl_detach_connnection(struct Curl_easy *data)
+ {
+ struct connectdata *conn = data->conn;
+- if(conn)
++ if(conn) {
+ Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL);
++ Curl_ssl_detach_conn(data, conn);
++ }
+ data->conn = NULL;
+ }
+
+@@ -892,6 +894,7 @@ void Curl_attach_connnection(struct Curl_easy *data,
+ &data->conn_queue);
+ if(conn->handler->attach)
+ conn->handler->attach(data, conn);
++ Curl_ssl_associate_conn(data, conn);
+ }
+
+ static int waitconnect_getsock(struct connectdata *conn,
+diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
+index b0c7343..3fe54c1 100644
+--- a/lib/vtls/gskit.c
++++ b/lib/vtls/gskit.c
+@@ -1281,7 +1281,9 @@ const struct Curl_ssl Curl_ssl_gskit = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+- NULL /* sha256sum */
++ NULL, /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ #endif /* USE_GSKIT */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index e3fad7f..ea54fe3 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -1645,7 +1645,9 @@ const struct Curl_ssl Curl_ssl_gnutls = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+- gtls_sha256sum /* sha256sum */
++ gtls_sha256sum, /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ #endif /* USE_GNUTLS */
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index 4b36f2d..0a9f7b4 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -1113,7 +1113,9 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+- mbedtls_sha256sum /* sha256sum */
++ mbedtls_sha256sum, /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ #endif /* USE_MBEDTLS */
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index 5d6a149..0a41dd3 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -667,7 +667,9 @@ const struct Curl_ssl Curl_ssl_mesalink = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+- NULL /* sha256sum */
++ NULL, /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ #endif
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index a9f6959..ae3945c 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2442,7 +2442,9 @@ const struct Curl_ssl Curl_ssl_nss = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ nss_false_start, /* false_start */
+- nss_sha256sum /* sha256sum */
++ nss_sha256sum, /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ #endif /* USE_NSS */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 6583300..2404393 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -246,6 +246,10 @@ struct ssl_backend_data {
+ #endif
+ };
+
++static void ossl_associate_connection(struct Curl_easy *data,
++ struct connectdata *conn,
++ int sockindex);
++
+ /*
+ * Number of bytes to read from the random number seed file. This must be
+ * a finite value (because some entropy "files" like /dev/urandom have
+@@ -2528,6 +2532,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ curl_socket_t sockfd = conn->sock[sockindex];
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ ctx_option_t ctx_options = 0;
++ void *ssl_sessionid = NULL;
+
+ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ bool sni;
+@@ -3209,46 +3214,23 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ }
+ #endif
+
+- /* Check if there's a cached ID we can/should use here! */
+- if(SSL_SET_OPTION(primary.sessionid)) {
+- void *ssl_sessionid = NULL;
+- int data_idx = ossl_get_ssl_data_index();
+- int connectdata_idx = ossl_get_ssl_conn_index();
+- int sockindex_idx = ossl_get_ssl_sockindex_index();
+- int proxy_idx = ossl_get_proxy_index();
+-
+- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
+- proxy_idx >= 0) {
+- /* Store the data needed for the "new session" callback.
+- * The sockindex is stored as a pointer to an array element. */
+- SSL_set_ex_data(backend->handle, data_idx, data);
+- SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+- SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
+-#ifndef CURL_DISABLE_PROXY
+- SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
+- NULL);
+-#else
+- SSL_set_ex_data(backend->handle, proxy_idx, NULL);
+-#endif
+-
+- }
++ ossl_associate_connection(data, conn, sockindex);
+
+- Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
+- &ssl_sessionid, NULL, sockindex)) {
+- /* we got a session id, use it! */
+- if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+- Curl_ssl_sessionid_unlock(data);
+- failf(data, "SSL: SSL_set_session failed: %s",
+- ossl_strerror(ERR_get_error(), error_buffer,
+- sizeof(error_buffer)));
+- return CURLE_SSL_CONNECT_ERROR;
+- }
+- /* Informational message */
+- infof(data, "SSL re-using session ID\n");
++ Curl_ssl_sessionid_lock(data);
++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
++ /* we got a session id, use it! */
++ if(!SSL_set_session(backend->handle, ssl_sessionid)) {
++ Curl_ssl_sessionid_unlock(data);
++ failf(data, "SSL: SSL_set_session failed: %s",
++ ossl_strerror(ERR_get_error(), error_buffer,
++ sizeof(error_buffer)));
++ return CURLE_SSL_CONNECT_ERROR;
+ }
+- Curl_ssl_sessionid_unlock(data);
++ /* Informational message */
++ infof(data, "SSL re-using session ID\n");
+ }
++ Curl_ssl_sessionid_unlock(data);
+
+ #ifndef CURL_DISABLE_PROXY
+ if(conn->proxy_ssl[sockindex].use) {
+@@ -4474,6 +4456,90 @@ static void *ossl_get_internals(struct ssl_connect_data *connssl,
+ (void *)backend->ctx : (void *)backend->handle;
+ }
+
++static void ossl_associate_connection(struct Curl_easy *data,
++ struct connectdata *conn,
++ int sockindex)
++{
++ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
++ struct ssl_backend_data *backend = connssl->backend;
++
++ /* If we don't have SSL context, do nothing. */
++ if(!backend->handle)
++ return;
++
++ if(SSL_SET_OPTION(primary.sessionid)) {
++ int data_idx = ossl_get_ssl_data_index();
++ int connectdata_idx = ossl_get_ssl_conn_index();
++ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
++
++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++ proxy_idx >= 0) {
++ /* Store the data needed for the "new session" callback.
++ * The sockindex is stored as a pointer to an array element. */
++ SSL_set_ex_data(backend->handle, data_idx, data);
++ SSL_set_ex_data(backend->handle, connectdata_idx, conn);
++ SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++ NULL);
++#else
++ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++ }
++ }
++}
++
++/*
++ * Starting with TLS 1.3, the ossl_new_session_cb callback gets called after
++ * the handshake. If the transfer that sets up the callback gets killed before
++ * this callback arrives, we must make sure to properly clear the data to
++ * avoid UAF problems. A future optimization could be to instead store another
++ * transfer that might still be using the same connection.
++ */
++
++static void ossl_disassociate_connection(struct Curl_easy *data,
++ int sockindex)
++{
++ struct connectdata *conn = data->conn;
++ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
++ struct ssl_backend_data *backend = connssl->backend;
++
++ /* If we don't have SSL context, do nothing. */
++ if(!backend->handle)
++ return;
++
++ if(SSL_SET_OPTION(primary.sessionid)) {
++ bool isproxy = FALSE;
++ bool incache;
++ void *old_ssl_sessionid = NULL;
++ int data_idx = ossl_get_ssl_data_index();
++ int connectdata_idx = ossl_get_ssl_conn_index();
++ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
++
++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++ proxy_idx >= 0) {
++ /* Invalidate the session cache entry, if any */
++ isproxy = SSL_get_ex_data(backend->handle, proxy_idx) ? TRUE : FALSE;
++
++ /* Disable references to data in "new session" callback to avoid
++ * accessing a stale pointer. */
++ SSL_set_ex_data(backend->handle, data_idx, NULL);
++ SSL_set_ex_data(backend->handle, connectdata_idx, NULL);
++ SSL_set_ex_data(backend->handle, sockindex_idx, NULL);
++ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++ }
++
++ Curl_ssl_sessionid_lock(data);
++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++ &old_ssl_sessionid, NULL, sockindex));
++ if(incache)
++ Curl_ssl_delsessionid(data, old_ssl_sessionid);
++ Curl_ssl_sessionid_unlock(data);
++ }
++}
++
+ const struct Curl_ssl Curl_ssl_openssl = {
+ { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */
+
+@@ -4508,10 +4574,12 @@ const struct Curl_ssl Curl_ssl_openssl = {
+ ossl_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+ #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
+- ossl_sha256sum /* sha256sum */
++ ossl_sha256sum, /* sha256sum */
+ #else
+- NULL /* sha256sum */
++ NULL, /* sha256sum */
+ #endif
++ ossl_associate_connection, /* associate_connection */
++ ossl_disassociate_connection /* disassociate_connection */
+ };
+
+ #endif /* USE_OPENSSL */
+diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c
+index e4f589d..fb8d634 100644
+--- a/lib/vtls/rustls.c
++++ b/lib/vtls/rustls.c
+@@ -554,7 +554,9 @@ const struct Curl_ssl Curl_ssl_rustls = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+- NULL /* sha256sum */
++ NULL, /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ #endif /* USE_RUSTLS */
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 961a71f..a80eb50 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -2429,7 +2429,9 @@ const struct Curl_ssl Curl_ssl_schannel = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+- schannel_sha256sum /* sha256sum */
++ schannel_sha256sum, /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ #endif /* USE_SCHANNEL */
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 9d637da..b24b489 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -3314,6 +3314,8 @@ const struct Curl_ssl Curl_ssl_sectransp = {
+ Curl_none_engines_list, /* engines_list */
+ sectransp_false_start, /* false_start */
+ sectransp_sha256sum /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ #ifdef __clang__
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 2e07df0..22cfb88 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -579,6 +579,25 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+ return CURLE_OK;
+ }
+
++void Curl_ssl_associate_conn(struct Curl_easy *data,
++ struct connectdata *conn)
++{
++ if(Curl_ssl->associate_connection) {
++ Curl_ssl->associate_connection(data, conn, FIRSTSOCKET);
++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted)
++ Curl_ssl->associate_connection(data, conn, SECONDARYSOCKET);
++ }
++}
++
++void Curl_ssl_detach_conn(struct Curl_easy *data,
++ struct connectdata *conn)
++{
++ if(Curl_ssl->disassociate_connection) {
++ Curl_ssl->disassociate_connection(data, FIRSTSOCKET);
++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted)
++ Curl_ssl->disassociate_connection(data, SECONDARYSOCKET);
++ }
++}
+
+ void Curl_ssl_close_all(struct Curl_easy *data)
+ {
+@@ -1207,7 +1226,9 @@ static const struct Curl_ssl Curl_ssl_multi = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+- NULL /* sha256sum */
++ NULL, /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ const struct Curl_ssl *Curl_ssl =
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index 2b43e77..78d1003 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -83,6 +83,11 @@ struct Curl_ssl {
+ bool (*false_start)(void);
+ CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen,
+ unsigned char *sha256sum, size_t sha256sumlen);
++
++ void (*associate_connection)(struct Curl_easy *data,
++ struct connectdata *conn,
++ int sockindex);
++ void (*disassociate_connection)(struct Curl_easy *data, int sockindex);
+ };
+
+ #ifdef USE_SSL
+@@ -277,6 +282,11 @@ bool Curl_ssl_cert_status_request(void);
+
+ bool Curl_ssl_false_start(void);
+
++void Curl_ssl_associate_conn(struct Curl_easy *data,
++ struct connectdata *conn);
++void Curl_ssl_detach_conn(struct Curl_easy *data,
++ struct connectdata *conn);
++
+ #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
+
+ #else /* if not USE_SSL */
+@@ -303,6 +313,8 @@ bool Curl_ssl_false_start(void);
+ #define Curl_ssl_cert_status_request() FALSE
+ #define Curl_ssl_false_start() FALSE
+ #define Curl_ssl_tls13_ciphersuites() FALSE
++#define Curl_ssl_associate_conn(a,b) Curl_nop_stmt
++#define Curl_ssl_detach_conn(a,b) Curl_nop_stmt
+ #endif
+
+ #endif /* HEADER_CURL_VTLS_H */
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index c6f4280..9c1598b 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -1164,7 +1164,9 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+- wolfssl_sha256sum /* sha256sum */
++ wolfssl_sha256sum, /* sha256sum */
++ NULL, /* associate_connection */
++ NULL /* disassociate_connection */
+ };
+
+ #endif
+--
+2.31.1
+
+
+From dd657bd43c0dc406a0be442a3b6546b3f97bb13f Mon Sep 17 00:00:00 2001
+From: Koichi Shiraishi <zchee.io@gmail.com>
+Date: Mon, 24 May 2021 20:26:44 +0900
+Subject: [PATCH 3/3] sectransp: fix 7f4a9a9b2a49 commit about missing comma
+
+Follow-up to 7f4a9a9b2a495
+
+Closes #7119
+
+Upstream-commit: 98770344b2d6527c5b504fa740d7bbddbee1728e
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/sectransp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index b24b489..f2d7835 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -3313,7 +3313,7 @@ const struct Curl_ssl Curl_ssl_sectransp = {
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ sectransp_false_start, /* false_start */
+- sectransp_sha256sum /* sha256sum */
++ sectransp_sha256sum, /* sha256sum */
+ NULL, /* associate_connection */
+ NULL /* disassociate_connection */
+ };
+--
+2.31.1
+
diff --git a/SOURCES/0004-curl-7.76.1-ldaps-segv.patch b/SOURCES/0004-curl-7.76.1-ldaps-segv.patch
new file mode 100644
index 0000000..23f77b1
--- /dev/null
+++ b/SOURCES/0004-curl-7.76.1-ldaps-segv.patch
@@ -0,0 +1,44 @@
+From 39b68b3f82535d06e50443db4c191dbaa00df4eb Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Fri, 23 Apr 2021 00:33:46 +0200
+Subject: [PATCH] vtls: reset ssl use flag upon negotiation failure
+
+Fixes the segfault in ldaps disconnect.
+
+Reported-by: Illarion Taev
+Fixes #6934
+Closes #6937
+
+Upstream-commit: a4554b2c5e7c5788c8198001598818599c60ff7d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/vtls.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 22cfb88..fa8a6fa 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -315,6 +315,8 @@ Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
+
+ if(!result)
+ Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
++ else
++ conn->ssl[sockindex].use = FALSE;
+
+ return result;
+ }
+@@ -338,7 +340,9 @@ Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
+ /* mark this is being ssl requested from here on. */
+ conn->ssl[sockindex].use = TRUE;
+ result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
+- if(!result && *done)
++ if(result)
++ conn->ssl[sockindex].use = FALSE;
++ else if(*done)
+ Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
+ return result;
+ }
+--
+2.31.1
+
diff --git a/SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch b/SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch
new file mode 100644
index 0000000..3160b8f
--- /dev/null
+++ b/SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch
@@ -0,0 +1,279 @@
+From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 19 Jun 2021 00:42:28 +0200
+Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
+ sensitivity
+
+CVE-2021-22924
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+
+Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 10 ++++++----
+ lib/urldata.h | 4 ++--
+ lib/vtls/gtls.c | 10 +++++-----
+ lib/vtls/nss.c | 4 ++--
+ lib/vtls/openssl.c | 18 +++++++++---------
+ lib/vtls/vtls.c | 26 +++++++++++++++++++++-----
+ 6 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 9f2c9f2..bdcb095 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data,
+ */
+ data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
+ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
++ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
+ data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+ data->set.ssl.primary.cipher_list =
+@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.proxy_ssl.primary.pinned_key =
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
+ data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
++ data->set.proxy_ssl.primary.issuercert =
++ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
++ data->set.proxy_ssl.primary.issuercert_blob =
++ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
+ data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+ data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+ data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
+@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+ data->set.ssl.key = data->set.str[STRING_KEY];
+ data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
+@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ #endif
+-
+ data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
+- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
+
+ if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
+ &conn->ssl_config)) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 2bb7d81..7cf63d0 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -246,6 +246,7 @@ struct ssl_primary_config {
+ long version_max; /* max supported version the client wants to use*/
+ char *CApath; /* certificate dir (doesn't work on windows) */
+ char *CAfile; /* certificate to verify peer against */
++ char *issuercert; /* optional issuer certificate filename */
+ char *clientcert;
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+@@ -253,6 +254,7 @@ struct ssl_primary_config {
+ char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
+ char *pinned_key;
+ struct curl_blob *cert_blob;
++ struct curl_blob *issuercert_blob;
+ char *curves; /* list of curves to use */
+ BIT(verifypeer); /* set TRUE if this is desired */
+ BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
+@@ -264,8 +266,6 @@ struct ssl_config_data {
+ struct ssl_primary_config primary;
+ long certverifyresult; /* result from the certificate verification */
+ char *CRLfile; /* CRL to check certificate revocation */
+- char *issuercert;/* optional issuer certificate filename */
+- struct curl_blob *issuercert_blob;
+ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+ void *fsslctxp; /* parameter for call back */
+ char *cert_type; /* format for certificate (default: PEM)*/
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index ea54fe3..ccc5ce8 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data,
+ if(!chainp) {
+ if(SSL_CONN_CONFIG(verifypeer) ||
+ SSL_CONN_CONFIG(verifyhost) ||
+- SSL_SET_OPTION(issuercert)) {
++ SSL_CONN_CONFIG(issuercert)) {
+ #ifdef HAVE_GNUTLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(username) != NULL
+@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data,
+ gnutls_x509_crt_t format */
+ gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ gnutls_x509_crt_init(&x509_issuer);
+- issuerp = load_file(SSL_SET_OPTION(issuercert));
++ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+ gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+ rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+ gnutls_x509_crt_deinit(x509_issuer);
+ unload_file(issuerp);
+ if(rc <= 0) {
+ failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ gnutls_x509_crt_deinit(x509_cert);
+ return CURLE_SSL_ISSUER_ERROR;
+ }
+ infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ }
+
+ size = sizeof(certname);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index ae3945c..b0b1e8c 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
+ if(result)
+ goto error;
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ SECStatus ret = SECFailure;
+- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+ if(nickname) {
+ /* we support only nicknames in case of issuercert for now */
+ ret = check_issuer_cert(backend->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 2404393..be7b811 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data,
+ deallocating the certificate. */
+
+ /* e.g. match issuer name with provided issuer certificate */
+- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
+- if(SSL_SET_OPTION(issuercert_blob))
+- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
+- (int)SSL_SET_OPTION(issuercert_blob)->len);
++ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
++ if(SSL_CONN_CONFIG(issuercert_blob))
++ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
++ (int)SSL_CONN_CONFIG(issuercert_blob)->len);
+ else {
+ fp = BIO_new(BIO_s_file());
+ if(fp == NULL) {
+@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data,
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+ if(strict)
+ failf(data, "SSL: Unable to open issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(backend->server_cert);
+ backend->server_cert = NULL;
+@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data,
+ if(!issuer) {
+ if(strict)
+ failf(data, "SSL: Unable to read issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(backend->server_cert);
+@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data,
+ if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
+ if(strict)
+ failf(data, "SSL: Certificate issuer check failed (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(backend->server_cert);
+@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,
+ }
+
+ infof(data, " SSL certificate issuer check ok (%s)\n",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index fa8a6fa..1aa6fc8 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+ return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+
++static bool safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ else if(!a && !b)
++ return TRUE; /* match */
++ return FALSE; /* no match */
++}
++
++
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ struct ssl_primary_config *needle)
+@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ (data->verifyhost == needle->verifyhost) &&
+ (data->verifystatus == needle->verifystatus) &&
+ blobcmp(data->cert_blob, needle->cert_blob) &&
+- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
++ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
++ safecmp(data->CApath, needle->CApath) &&
++ safecmp(data->CAfile, needle->CAfile) &&
++ safecmp(data->issuercert, needle->issuercert) &&
++ safecmp(data->clientcert, needle->clientcert) &&
++ safecmp(data->random_file, needle->random_file) &&
++ safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->curves, needle->curves) &&
+@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+ dest->sessionid = source->sessionid;
+
+ CLONE_BLOB(cert_blob);
++ CLONE_BLOB(issuercert_blob);
+ CLONE_STRING(CApath);
+ CLONE_STRING(CAfile);
++ CLONE_STRING(issuercert);
+ CLONE_STRING(clientcert);
+ CLONE_STRING(random_file);
+ CLONE_STRING(egdsocket);
+@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+ {
+ Curl_safefree(sslc->CApath);
+ Curl_safefree(sslc->CAfile);
++ Curl_safefree(sslc->issuercert);
+ Curl_safefree(sslc->clientcert);
+ Curl_safefree(sslc->random_file);
+ Curl_safefree(sslc->egdsocket);
+@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+ Curl_safefree(sslc->cipher_list13);
+ Curl_safefree(sslc->pinned_key);
+ Curl_safefree(sslc->cert_blob);
++ Curl_safefree(sslc->issuercert_blob);
+ Curl_safefree(sslc->curves);
+ }
+
+--
+2.31.1
+
diff --git a/SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch b/SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch
new file mode 100644
index 0000000..769f74c
--- /dev/null
+++ b/SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch
@@ -0,0 +1,47 @@
+From 3dbac7fb8b39a4f9aa871401d9d2790f0583ba01 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 12 Jun 2021 18:25:15 +0200
+Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
+
+CVE-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+
+Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index fdd137f..567c22c 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -922,12 +922,17 @@ static void suboption(struct Curl_easy *data)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+- msnprintf((char *)&temp[len], sizeof(temp) - len,
+- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+- CURL_NEW_ENV_VALUE, varval);
+- len += tmplen;
+- }
++ int rv;
++ char sep[2] = "";
++ varval[0] = 0;
++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++ if(rv == 1)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s", CURL_NEW_ENV_VAR, varname);
++ else if(rv >= 2)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++ CURL_NEW_ENV_VALUE, varval);
+ }
+ }
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+--
+2.31.1
+
diff --git a/SOURCES/0101-curl-7.32.0-multilib.patch b/SOURCES/0101-curl-7.32.0-multilib.patch
new file mode 100644
index 0000000..46c8986
--- /dev/null
+++ b/SOURCES/0101-curl-7.32.0-multilib.patch
@@ -0,0 +1,91 @@
+From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 12 Apr 2013 12:04:05 +0200
+Subject: [PATCH] prevent multilib conflicts on the curl-config script
+
+---
+ curl-config.in | 23 +++++------------------
+ docs/curl-config.1 | 4 +++-
+ libcurl.pc.in | 1 +
+ 3 files changed, 9 insertions(+), 19 deletions(-)
+
+diff --git a/curl-config.in b/curl-config.in
+index 150004d..95d0759 100644
+--- a/curl-config.in
++++ b/curl-config.in
+@@ -76,7 +76,7 @@ while test $# -gt 0; do
+ ;;
+
+ --cc)
+- echo "@CC@"
++ echo "gcc"
+ ;;
+
+ --prefix)
+@@ -155,32 +155,19 @@ while test $# -gt 0; do
+ ;;
+
+ --libs)
+- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
+- CURLLIBDIR="-L@libdir@ "
+- else
+- CURLLIBDIR=""
+- fi
+- if test "X@ENABLE_SHARED@" = "Xno"; then
+- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
+- else
+- echo ${CURLLIBDIR}-lcurl
+- fi
++ echo -lcurl
+ ;;
+ --ssl-backends)
+ echo "@SSL_BACKENDS@"
+ ;;
+
+ --static-libs)
+- if test "X@ENABLE_STATIC@" != "Xno" ; then
+- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
+- else
+- echo "curl was built with static libraries disabled" >&2
+- exit 1
+- fi
++ echo "curl was built with static libraries disabled" >&2
++ exit 1
+ ;;
+
+ --configure)
+- echo @CONFIGURE_OPTIONS@
++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
+ ;;
+
+ *)
+diff --git a/docs/curl-config.1 b/docs/curl-config.1
+index 14a9d2b..ffcc004 100644
+--- a/docs/curl-config.1
++++ b/docs/curl-config.1
+@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
+ comma-separated. (Added in 7.58.0)
+ .IP "--static-libs"
+ Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl statically. (Added in 7.17.1)
++to link your application with libcurl statically. Note that Fedora/RHEL libcurl
++packages do not provide any static libraries, thus cannot be linked statically.
++(Added in 7.17.1)
+ .IP "--version"
+ Outputs version information about the installed libcurl.
+ .IP "--vernum"
+diff --git a/libcurl.pc.in b/libcurl.pc.in
+index 2ba9c39..f8f8b00 100644
+--- a/libcurl.pc.in
++++ b/libcurl.pc.in
+@@ -29,6 +29,7 @@ libdir=@libdir@
+ includedir=@includedir@
+ supported_protocols="@SUPPORT_PROTOCOLS@"
+ supported_features="@SUPPORT_FEATURES@"
++configure_options=@CONFIGURE_OPTIONS@
+
+ Name: libcurl
+ URL: https://curl.se/
+--
+2.26.2
+
diff --git a/SOURCES/0102-curl-7.36.0-debug.patch b/SOURCES/0102-curl-7.36.0-debug.patch
new file mode 100644
index 0000000..c096d67
--- /dev/null
+++ b/SOURCES/0102-curl-7.36.0-debug.patch
@@ -0,0 +1,61 @@
+From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 31 Oct 2012 11:38:30 +0100
+Subject: [PATCH] prevent configure script from discarding -g in CFLAGS
+ (#496778)
+
+---
+ m4/curl-compilers.m4 | 26 ++++++--------------------
+ 1 file changed, 6 insertions(+), 20 deletions(-)
+
+diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
+index c64db4bc6..d115a4aed 100644
+--- a/m4/curl-compilers.m4
++++ b/m4/curl-compilers.m4
+@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
+ clangvhi=`echo $clangver | cut -d . -f1`
+ clangvlo=`echo $clangver | cut -d . -f2`
+ compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null`
+- flags_dbg_all="-g -g0 -g1 -g2 -g3"
+- flags_dbg_all="$flags_dbg_all -ggdb"
+- flags_dbg_all="$flags_dbg_all -gstabs"
+- flags_dbg_all="$flags_dbg_all -gstabs+"
+- flags_dbg_all="$flags_dbg_all -gcoff"
+- flags_dbg_all="$flags_dbg_all -gxcoff"
+- flags_dbg_all="$flags_dbg_all -gdwarf-2"
+- flags_dbg_all="$flags_dbg_all -gvms"
++ flags_dbg_all=""
+ flags_dbg_yes="-g"
+ flags_dbg_off=""
+- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
+- flags_opt_yes="-Os"
++ flags_opt_all=""
++ flags_opt_yes=""
+ flags_opt_off="-O0"
+ else
+ AC_MSG_RESULT([no])
+@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
+ gccvhi=`echo $gccver | cut -d . -f1`
+ gccvlo=`echo $gccver | cut -d . -f2`
+ compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
+- flags_dbg_all="-g -g0 -g1 -g2 -g3"
+- flags_dbg_all="$flags_dbg_all -ggdb"
+- flags_dbg_all="$flags_dbg_all -gstabs"
+- flags_dbg_all="$flags_dbg_all -gstabs+"
+- flags_dbg_all="$flags_dbg_all -gcoff"
+- flags_dbg_all="$flags_dbg_all -gxcoff"
+- flags_dbg_all="$flags_dbg_all -gdwarf-2"
+- flags_dbg_all="$flags_dbg_all -gvms"
++ flags_dbg_all=""
+ flags_dbg_yes="-g"
+ flags_dbg_off=""
+- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
+- flags_opt_yes="-O2"
++ flags_opt_all=""
++ flags_opt_yes=""
+ flags_opt_off="-O0"
+ CURL_CHECK_DEF([_WIN32], [], [silent])
+ else
+--
+1.7.1
+
diff --git a/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch b/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch
new file mode 100644
index 0000000..f492ac5
--- /dev/null
+++ b/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch
@@ -0,0 +1,39 @@
+From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 4 Feb 2019 17:32:56 +0100
+Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
+
+... to prevent valgrind from reporting false positives on x86_64:
+
+Conditional jump or move depends on uninitialised value(s)
+ at 0x10BCAA: part2id (lib1560.c:489)
+ by 0x10BCAA: updateurl (lib1560.c:521)
+ by 0x10BCAA: set_parts (lib1560.c:630)
+ by 0x10BCAA: test (lib1560.c:802)
+ by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
+
+Conditional jump or move depends on uninitialised value(s)
+ at 0x10BCC3: part2id (lib1560.c:491)
+ by 0x10BCC3: updateurl (lib1560.c:521)
+ by 0x10BCC3: set_parts (lib1560.c:630)
+ by 0x10BCC3: test (lib1560.c:802)
+ by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
+---
+ tests/libtest/Makefile.inc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 080421b..ea3b806 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib1559_LDADD = $(TESTUTIL_LIBS)
+
+ lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
++lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
+ lib1560_LDADD = $(TESTUTIL_LIBS)
+
+ lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+--
+2.17.2
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
new file mode 100644
index 0000000..14d8917
--- /dev/null
+++ b/SPECS/curl.spec
@@ -0,0 +1,1932 @@
+Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
+Name: curl
+Version: 7.76.1
+Release: 11%{?dist}
+License: MIT
+Source: https://curl.se/download/%{name}-%{version}.tar.xz
+
+# http2: fix resource leaks detected by Coverity
+Patch1: 0001-curl-7.76.1-resource-leaks.patch
+
+# fix TELNET stack contents disclosure (CVE-2021-22898)
+Patch2: 0002-curl-7.76.1-CVE-2021-22898.patch
+
+# fix TLS session caching disaster (CVE-2021-22901)
+Patch3: 0003-curl-7.76.1-CVE-2021-22901.patch
+
+# fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925)
+Patch4: 0004-curl-7.76.1-ldaps-segv.patch
+
+# fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
+Patch5: 0005-curl-7.76.1-CVE-2021-22924.patch
+
+# fix TELNET stack contents disclosure again (CVE-2021-22925)
+Patch6: 0006-curl-7.76.1-CVE-2021-22925.patch
+
+# patch making libcurl multilib ready
+Patch101: 0101-curl-7.32.0-multilib.patch
+
+# prevent configure script from discarding -g in CFLAGS (#496778)
+Patch102: 0102-curl-7.36.0-debug.patch
+
+# prevent valgrind from reporting false positives on x86_64
+Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch
+
+Provides: curl-full = %{version}-%{release}
+Provides: webclient
+URL: https://curl.se/
+BuildRequires: automake
+BuildRequires: brotli-devel
+BuildRequires: coreutils
+BuildRequires: gcc
+BuildRequires: groff
+BuildRequires: krb5-devel
+BuildRequires: libidn2-devel
+BuildRequires: libnghttp2-devel
+BuildRequires: libpsl-devel
+BuildRequires: libssh-devel
+BuildRequires: libtool
+BuildRequires: make
+BuildRequires: openldap-devel
+BuildRequires: openssh-clients
+BuildRequires: openssh-server
+BuildRequires: openssl-devel
+BuildRequires: perl-interpreter
+BuildRequires: pkgconfig
+BuildRequires: python-unversioned-command
+BuildRequires: python3-devel
+BuildRequires: sed
+BuildRequires: zlib-devel
+
+# needed to compress content of tool_hugehelp.c after changing curl.1 man page
+BuildRequires: perl(IO::Compress::Gzip)
+
+# needed for generation of shell completions
+BuildRequires: perl(Getopt::Long)
+BuildRequires: perl(Pod::Usage)
+BuildRequires: perl(strict)
+BuildRequires: perl(warnings)
+
+# gnutls-serv is used by the upstream test-suite
+BuildRequires: gnutls-utils
+
+# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot
+BuildRequires: hostname
+
+# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
+BuildRequires: nghttp2
+
+# perl modules used in the test suite
+BuildRequires: perl(Cwd)
+BuildRequires: perl(Digest::MD5)
+BuildRequires: perl(Exporter)
+BuildRequires: perl(File::Basename)
+BuildRequires: perl(File::Copy)
+BuildRequires: perl(File::Spec)
+BuildRequires: perl(IPC::Open2)
+BuildRequires: perl(MIME::Base64)
+BuildRequires: perl(Time::Local)
+BuildRequires: perl(Time::HiRes)
+BuildRequires: perl(vars)
+
+%if 0%{?fedora}
+# needed for upstream test 1451
+BuildRequires: python3-impacket
+%endif
+
+# The test-suite runs automatically through valgrind if valgrind is available
+# on the system. By not installing valgrind into mock's chroot, we disable
+# this feature for production builds on architectures where valgrind is known
+# to be less reliable, in order to avoid unnecessary build failures (see RHBZ
+# #810992, #816175, and #886891). Nevertheless developers are free to install
+# valgrind manually to improve test coverage on any architecture.
+%ifarch x86_64
+BuildRequires: valgrind
+%endif
+
+# stunnel is used by upstream tests but it does not seem to work reliably
+# on s390x and occasionally breaks some tests (mainly 1561 and 1562)
+%ifnarch s390x
+BuildRequires: stunnel
+%endif
+
+# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
+Requires: libcurl%{?_isa} >= %{version}-%{release}
+
+# require at least the version of libpsl that we were built against,
+# to ensure that we have the necessary symbols available (#1631804)
+%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
+
+# require at least the version of libssh that we were built against,
+# to ensure that we have the necessary symbols available (#525002, #642796)
+%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)
+
+# require at least the version of openssl-libs that we were built against,
+# to ensure that we have the necessary symbols available (#1462184, #1462211)
+# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though)
+%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|')
+
+%description
+curl is a command line tool for transferring data with URL syntax, supporting
+FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
+SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
+uploading, HTTP form based upload, proxies, cookies, user+password
+authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
+resume, proxy tunneling and a busload of other useful tricks.
+
+%package -n libcurl
+Summary: A library for getting files from web servers
+Requires: libpsl%{?_isa} >= %{libpsl_version}
+Requires: libssh%{?_isa} >= %{libssh_version}
+Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
+Provides: libcurl-full = %{version}-%{release}
+Provides: libcurl-full%{?_isa} = %{version}-%{release}
+
+%description -n libcurl
+libcurl is a free and easy-to-use client-side URL transfer library, supporting
+FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
+SMTP, POP3 and RTSP. libcurl supports SSL certificates, HTTP POST, HTTP PUT,
+FTP uploading, HTTP form based upload, proxies, cookies, user+password
+authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer
+resume, http proxy tunneling and more.
+
+%package -n libcurl-devel
+Summary: Files needed for building applications with libcurl
+Requires: libcurl%{?_isa} = %{version}-%{release}
+
+Provides: curl-devel = %{version}-%{release}
+Provides: curl-devel%{?_isa} = %{version}-%{release}
+Obsoletes: curl-devel < %{version}-%{release}
+
+%description -n libcurl-devel
+The libcurl-devel package includes header files and libraries necessary for
+developing programs which use the libcurl library. It contains the API
+documentation of the library, too.
+
+%package -n curl-minimal
+Summary: Conservatively configured build of curl for minimal installations
+Provides: curl = %{version}-%{release}
+Conflicts: curl
+RemovePathPostfixes: .minimal
+
+# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
+Requires: libcurl%{?_isa} >= %{version}-%{release}
+
+%description -n curl-minimal
+This is a replacement of the 'curl' package for minimal installations. It
+comes with a limited set of features compared to the 'curl' package. On the
+other hand, the package is smaller and requires fewer run-time dependencies to
+be installed.
+
+%package -n libcurl-minimal
+Summary: Conservatively configured build of libcurl for minimal installations
+Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
+Provides: libcurl = %{version}-%{release}
+Provides: libcurl%{?_isa} = %{version}-%{release}
+Conflicts: libcurl%{?_isa}
+RemovePathPostfixes: .minimal
+# needed for RemovePathPostfixes to work with shared libraries
+%undefine __brp_ldconfig
+
+%description -n libcurl-minimal
+This is a replacement of the 'libcurl' package for minimal installations. It
+comes with a limited set of features compared to the 'libcurl' package. On the
+other hand, the package is smaller and requires fewer run-time dependencies to
+be installed.
+
+%prep
+%setup -q
+
+# upstream patches
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+
+# Fedora patches
+%patch101 -p1
+%patch102 -p1
+%patch105 -p1
+
+# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
+# with errno 98: Address already in use' in Koji environment), and test 1801
+# <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
+printf "1112\n1455\n1592\n1801\n" >> tests/data/DISABLED
+
+# disable test 1319 on ppc64 (server times out)
+%ifarch ppc64
+echo "1319" >> tests/data/DISABLED
+%endif
+
+# temporarily disable test 582 on s390x (client times out)
+%ifarch s390x
+echo "582" >> tests/data/DISABLED
+%endif
+
+# temporarily disable tests 702 703 716 on armv7hl (#1829180)
+%ifarch armv7hl
+printf "702\n703\n716\n" >> tests/data/DISABLED
+%endif
+
+# adapt test 323 for updated OpenSSL
+sed -e 's|^35$|35,52|' -i tests/data/test323
+
+# use localhost6 instead of ip6-localhost in the curl test-suite
+(
+ # avoid glob expansion in the trace output of `bash -x`
+ { set +x; } 2>/dev/null
+ cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*"
+ printf "+ %s\n" "$cmd" >&2
+ eval "$cmd"
+)
+
+# regenerate the configure script and Makefile.in files
+autoreconf -fiv
+
+%build
+mkdir build-{full,minimal}
+export common_configure_opts=" \
+ --cache-file=../config.cache \
+ --disable-static \
+ --enable-symbol-hiding \
+ --enable-ipv6 \
+ --enable-threaded-resolver \
+ --without-libmetalink \
+ --with-gssapi \
+ --with-nghttp2 \
+ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
+
+%global _configure ../configure
+
+# configure minimal build
+(
+ cd build-minimal
+ %configure $common_configure_opts \
+ --disable-ldap \
+ --disable-ldaps \
+ --disable-manual \
+ --without-brotli \
+ --without-libidn2 \
+ --without-libpsl \
+ --without-libssh
+)
+
+# configure full build
+(
+ cd build-full
+ %configure $common_configure_opts \
+ --enable-ldap \
+ --enable-ldaps \
+ --enable-manual \
+ --with-brotli \
+ --with-libidn2 \
+ --with-libpsl \
+ --with-libssh
+)
+
+# avoid using rpath
+sed -e 's/^runpath_var=.*/runpath_var=/' \
+ -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
+ -i build-{full,minimal}/libtool
+
+%make_build V=1 -C build-minimal
+%make_build V=1 -C build-full
+
+%check
+# we have to override LD_LIBRARY_PATH because we eliminated rpath
+LD_LIBRARY_PATH="${PWD}/build-full/lib/.libs"
+export LD_LIBRARY_PATH
+
+# compile upstream test-cases
+cd build-full/tests
+%make_build V=1
+
+# relax crypto policy for the test-suite to make it pass again (#1610888)
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
+export OPENSSL_CONF=
+
+# run the upstream test-suite
+srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
+
+%install
+# install and rename the library that will be packaged as libcurl-minimal
+%make_install -C build-minimal/lib
+rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
+for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
+ mv -v $i $i.minimal
+done
+
+# install and rename the executable that will be packaged as curl-minimal
+%make_install -C build-minimal/src
+mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
+
+# install libcurl.m4
+install -d $RPM_BUILD_ROOT%{_datadir}/aclocal
+install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
+
+# install the executable and library that will be packaged as curl and libcurl
+cd build-full
+%make_install
+
+# install zsh completion for curl
+# (we have to override LD_LIBRARY_PATH because we eliminated rpath)
+LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
+ %make_install -C scripts
+
+# do not install /usr/share/fish/completions/curl.fish which is also installed
+# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
+rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
+
+rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
+
+%ldconfig_scriptlets -n libcurl
+
+%ldconfig_scriptlets -n libcurl-minimal
+
+%files
+%doc CHANGES
+%doc README
+%doc docs/BUGS.md
+%doc docs/FAQ
+%doc docs/FEATURES.md
+%doc docs/TODO
+%doc docs/TheArtOfHttpScripting.md
+%{_bindir}/curl
+%{_mandir}/man1/curl.1*
+%{_datadir}/zsh
+
+%files -n libcurl
+%license COPYING
+%{_libdir}/libcurl.so.4
+%{_libdir}/libcurl.so.4.[0-9].[0-9]
+
+%files -n libcurl-devel
+%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
+%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md
+%{_bindir}/curl-config*
+%{_includedir}/curl
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man1/curl-config.1*
+%{_mandir}/man3/*
+%{_datadir}/aclocal/libcurl.m4
+
+%files -n curl-minimal
+%{_bindir}/curl.minimal
+%{_mandir}/man1/curl.1*
+
+%files -n libcurl-minimal
+%license COPYING
+%{_libdir}/libcurl.so.4.minimal
+%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 7.76.1-11
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 7.76.1-10
+- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
+
+* Fri Jul 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-9
+- make explicit dependency on openssl work with alpha/beta builds of openssl
+
+* Wed Jul 21 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-8
+- fix TELNET stack contents disclosure again (CVE-2021-22925)
+- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
+
+* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.76.1-6
+- Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065
+
+* Wed Jun 02 2021 Kamil Dudka <kdudka@redhat.com> - 7.77.0-5
+- build the curl tool without metalink support (#1967213)
+
+* Wed Jun 02 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-4
+- fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925)
+
+* Wed May 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-3
+- fix TLS session caching disaster (CVE-2021-22901)
+- fix TELNET stack contents disclosure (CVE-2021-22898)
+
+* Mon May 03 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-2
+- http2: fix resource leaks detected by Coverity
+
+* Fri Apr 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-1
+- new upstream release
+
+* Fri Apr 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup
+ CVE-2021-22876 - Automatic referer leaks credentials
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.75.0-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Mar 24 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-3
+- fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925)
+
+* Tue Feb 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-2
+- build-require python3-impacket only on Fedora
+
+* Wed Feb 03 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-1
+- new upstream release
+
+* Tue Jan 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.74.0-4
+- do not use stunnel for tests on s390x builds to avoid spurious failures
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.74.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.74.0-2
+- do not rewrite shebangs in test-suite to use python3 explicitly
+
+* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.74.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2020-8286 - curl: Inferior OCSP verification
+ CVE-2020-8285 - libcurl: FTP wildcard stack overflow
+ CVE-2020-8284 - curl: trusting FTP PASV responses
+
+* Wed Oct 14 2020 Kamil Dudka <kdudka@redhat.com> - 7.73.0-2
+- prevent upstream test 1451 from being skipped
+
+* Wed Oct 14 2020 Kamil Dudka <kdudka@redhat.com> - 7.73.0-1
+- new upstream release
+
+* Thu Sep 10 2020 Jinoh Kang <aurhb20@protonmail.ch> - 7.72.0-2
+- fix multiarch conflicts in libcurl-minimal (#1877671)
+
+* Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.72.0-1
+- new upstream release, which fixes the following vulnerability
+ CVE-2020-8231 - libcurl: wrong connect-only connection
+
+* Thu Aug 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-5
+- setopt: unset NOBODY switches to GET if still HEAD
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.71.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 7.71.1-3
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Fri Jul 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-2
+- curl: make the --krb option work again (#1833193)
+
+* Wed Jul 01 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-1
+- new upstream release
+
+* Wed Jun 24 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect
+ CVE-2020-8177 - curl: overwrite local file with -J
+
+* Wed Apr 29 2020 Kamil Dudka <kdudka@redhat.com> - 7.70.0-1
+- new upstream release
+
+* Mon Apr 20 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-3
+- SSH: use new ECDSA key types to check known hosts (#1824926)
+
+* Fri Apr 17 2020 Tom Stellard <tstellar@redhat.com> - 7.69.1-2
+- Prevent discarding of -g when compiling with clang
+
+* Wed Mar 11 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-1
+- new upstream release
+
+* Mon Mar 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-2
+- make Flatpak work again (#1810989)
+
+* Wed Mar 04 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-1
+- new upstream release
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.68.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jan 08 2020 Kamil Dudka <kdudka@redhat.com> - 7.68.0-1
+- new upstream release
+
+* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-2
+- fix infinite loop on upload using a glob (#1771025)
+
+* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-1
+- new upstream release
+
+* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2019-5481 - double free due to subsequent call of realloc()
+ CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet()
+
+* Tue Aug 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-4
+- avoid reporting spurious error in the HTTP2 framing layer (#1690971)
+
+* Thu Aug 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-3
+- improve handling of gss_init_sec_context() failures
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.65.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Jul 20 2019 Paul Howarth <paul@city-fan.org> - 7.65.3-1
+- new upstream release
+
+* Wed Jul 17 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.2-1
+- new upstream release
+
+* Wed Jun 05 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.1-1
+- new upstream release
+
+* Thu May 30 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-2
+- fix spurious timeout events with speed-limit (#1714893)
+
+* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2019-5436 - TFTP receive buffer overflow
+ CVE-2019-5435 - integer overflows in curl_url_set()
+
+* Thu May 09 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-2
+- do not treat failure of gss_init_sec_context() with --negotiate as fatal
+
+* Wed Mar 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-1
+- new upstream release
+
+* Mon Mar 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-6
+- remove verbose "Expire in" ... messages (#1690971)
+
+* Thu Mar 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-5
+- avoid spurious "Could not resolve host: [host name]" error messages
+
+* Wed Feb 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-4
+- fix NULL dereference if flushing cookies with no CookieInfo set (#1683676)
+
+* Mon Feb 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-3
+- prevent NetworkManager from leaking file descriptors (#1680198)
+
+* Mon Feb 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-2
+- make zsh completion work again
+
+* Wed Feb 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2019-3823 - SMTP end-of-response out-of-bounds read
+ CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow
+ CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read
+
+* Mon Feb 04 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-7
+- prevent valgrind from reporting false positives on x86_64
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.63.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-5
+- xattr: strip credentials from any URL that is stored (CVE-2018-20483)
+
+* Fri Jan 04 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-4
+- replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch
+
+* Wed Dec 19 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-3
+- curl -J: do not append to the destination file (#1658574)
+
+* Fri Dec 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-2
+- revert an upstream commit that broke `fedpkg new-sources` (#1659329)
+
+* Wed Dec 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-1
+- new upstream release
+
+* Wed Oct 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.62.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2018-16839 - SASL password overflow via integer overflow
+ CVE-2018-16840 - use-after-free in handle close
+ CVE-2018-16842 - warning message out-of-buffer read
+
+* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3
+- enable TLS 1.3 post-handshake auth in OpenSSL
+- update the documentation of --tlsv1.0 in curl(1) man page
+
+* Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-2
+- enforce versioned libpsl dependency for libcurl (#1631804)
+- test320: update expected output for gnutls-3.6.4
+- drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594)
+
+* Wed Sep 05 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-1
+- new upstream release, which fixes the following vulnerability
+ CVE-2018-14618 - NTLM password overflow via integer overflow
+
+* Tue Sep 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-8
+- make the --tls13-ciphers option work
+
+* Mon Aug 27 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-7
+- tests: make ssh-keygen always produce PEM format (#1622594)
+
+* Wed Aug 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-6
+- scp/sftp: fix infinite connect loop on invalid private key (#1595135)
+
+* Thu Aug 09 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-5
+- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544)
+
+* Tue Aug 07 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-4
+- relax crypto policy for the test-suite to make it pass again (#1610888)
+
+* Tue Jul 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-3
+- disable flaky test 1900, which covers deprecated HTTP pipelining
+- adapt test 323 for updated OpenSSL
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.61.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-1
+- new upstream release, which fixes the following vulnerability
+ CVE-2018-0500 - SMTP send heap buffer overflow
+
+* Tue Jul 10 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-3
+- enable support for brotli compression in libcurl-full
+
+* Wed Jul 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-2
+- do not hard-wire path of the Python 3 interpreter
+
+* Wed May 16 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2018-1000300 - FTP shutdown response buffer overflow
+ CVE-2018-1000301 - RTSP bad headers buffer over-read
+
+* Thu Mar 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3
+- make the test-suite use Python 3
+
+* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2
+- ftp: fix typo in recursive callback detection for seeking
+
+* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write
+ CVE-2018-1000121 - LDAP NULL pointer dereference
+ CVE-2018-1000122 - RTSP RTP buffer over-read
+
+* Mon Mar 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-8
+- http2: mark the connection for close on GOAWAY
+
+* Mon Feb 19 2018 Paul Howarth <paul@city-fan.org> - 7.58.0-7
+- Add explicity-used build requirements
+- Fix libcurl soname version number in %%files list to avoid accidental soname
+ bumps
+
+* Thu Feb 15 2018 Paul Howarth <paul@city-fan.org> - 7.58.0-6
+- switch to %%ldconfig_scriptlets
+- drop legacy BuildRoot: and Group: tags
+- enforce versioned libssh dependency for libcurl
+
+* Tue Feb 13 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-5
+- drop temporary workaround for #1540549
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.58.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jan 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-3
+- temporarily work around internal compiler error on x86_64 (#1540549)
+- disable brp-ldconfig to make RemovePathPostfixes work with shared libs again
+
+* Wed Jan 24 2018 Andreas Schneider <asn@redhat.com> - 7.58.0-2
+- use libssh (instead of libssh2) to implement SCP/SFTP in libcurl (#1531483)
+
+* Wed Jan 24 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read
+ CVE-2018-1000007 - curl: HTTP authentication leak in redirects
+
+* Wed Nov 29 2017 Kamil Dudka <kdudka@redhat.com> - 7.57.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow
+ CVE-2017-8817 - curl: FTP wildcard out of bounds read
+ CVE-2017-8818 - curl: SSL out of buffer access
+
+* Mon Oct 23 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.1-1
+- new upstream release (fixes CVE-2017-1000257)
+
+* Wed Oct 04 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.0-1
+- new upstream release (fixes CVE-2017-1000254)
+
+* Mon Aug 28 2017 Kamil Dudka <kdudka@redhat.com> - 7.55.1-5
+- apply the patch for the previous commit and fix its name (#1485702)
+
+* Mon Aug 28 2017 Bastien Nocera <bnocera@redhat.com> - 7.55.1-4
+- Fix NetworkManager connectivity check not working (#1485702)
+
+* Tue Aug 22 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-3
+- utilize system wide crypto policies for TLS (#1483972)
+
+* Tue Aug 15 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-2
+- make zsh completion work again
+
+* Mon Aug 14 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-1
+- new upstream release
+
+* Wed Aug 09 2017 Kamil Dudka <kdudka@redhat.com> 7.55.0-1
+- drop multilib fix for libcurl header files no longer needed
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2017-1000099 - FILE buffer read out of bounds
+ CVE-2017-1000100 - TFTP sends more than buffer size
+ CVE-2017-1000101 - URL globbing out of bounds read
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.54.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Fri Jul 28 2017 Florian Weimer <fweimer@redhat.com> - 7.54.1-7
+- Rebuild with fixed binutils (#1475636)
+
+* Fri Jul 28 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 7.54.1-6
+- Enable separate debuginfo back
+
+* Thu Jul 27 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-5
+- rebuild to fix broken linkage of cmake on ppc64le
+
+* Wed Jul 26 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-4
+- avoid build failure caused broken RPM code that produces debuginfo packages
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.54.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 19 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-2
+- enforce versioned openssl-libs dependency for libcurl (#1462184)
+
+* Wed Jun 14 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-1
+- new upstream release
+
+* Tue May 16 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-5
+- add *-full provides for curl and libcurl to make them explicitly installable
+
+* Thu May 04 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-4
+- make curl-minimal require a new enough version of libcurl
+
+* Thu Apr 27 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-3
+- switch the TLS backend back to OpenSSL (#1445153)
+
+* Tue Apr 25 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-2
+- nss: use libnssckbi.so as the default source of trust
+- nss: do not leak PKCS #11 slot while loading a key (#1444860)
+
+* Thu Apr 20 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-1
+- new upstream release (fixes CVE-2017-7468)
+
+* Thu Apr 13 2017 Paul Howarth <paul@city-fan.org> 7.53.1-7
+- add %%post and %%postun scriptlets for libcurl-minimal
+- libcurl-minimal provides both libcurl and libcurl%%{?_isa}
+- remove some legacy spec file cruft
+
+* Wed Apr 12 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-6
+- provide (lib)curl-minimal subpackages with lightweight build of (lib)curl
+
+* Mon Apr 10 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-5
+- disable upstream test 2033 (flaky test for HTTP/1 pipelining)
+
+* Fri Apr 07 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-4
+- fix out of bounds read in curl --write-out (CVE-2017-7407)
+
+* Mon Mar 06 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-3
+- make the dependency on nss-pem arch-specific (#1428550)
+
+* Thu Mar 02 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-2
+- re-enable valgrind on ix86 because sqlite is fixed (#1428286)
+
+* Fri Feb 24 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-1
+- new upstream release
+
+* Wed Feb 22 2017 Kamil Dudka <kdudka@redhat.com> 7.53.0-1
+- do not use valgrind on ix86 until sqlite is rebuilt by patched GCC (#1423434)
+- new upstream release (fixes CVE-2017-2629)
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.52.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Dec 23 2016 Kamil Dudka <kdudka@redhat.com> 7.52.1-1
+- new upstream release (fixes CVE-2016-9586)
+
+* Mon Nov 21 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-3
+- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
+
+* Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2
+- stricter host name checking for file:// URLs
+- ssh: check md5 fingerprints case insensitively
+
+* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-1
+- temporarily disable failing libidn2 test-cases
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2016-8615 - Cookie injection for other servers
+ CVE-2016-8616 - Case insensitive password comparison
+ CVE-2016-8617 - Out-of-bounds write via unchecked multiplication
+ CVE-2016-8618 - Double-free in curl_maprintf
+ CVE-2016-8619 - Double-free in krb5 code
+ CVE-2016-8620 - Glob parser write/read out of bounds
+ CVE-2016-8621 - curl_getdate out-of-bounds read
+ CVE-2016-8622 - URL unescape heap overflow via integer truncation
+ CVE-2016-8623 - Use-after-free via shared cookies
+ CVE-2016-8624 - Invalid URL parsing with '#'
+ CVE-2016-8625 - IDNA 2003 makes curl use wrong host
+
+* Thu Oct 20 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-3
+- drop 0103-curl-7.50.0-stunnel.patch no longer needed
+
+* Fri Oct 07 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-2
+- use the just built version of libcurl while generating zsh completion
+
+* Wed Sep 14 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-1
+- new upstream release (fixes CVE-2016-7167)
+
+* Wed Sep 07 2016 Kamil Dudka <kdudka@redhat.com> 7.50.2-1
+- new upstream release
+
+* Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.50.1-2
+- work around race condition in PK11_FindSlotByName()
+- fix incorrect use of a previously loaded certificate from file
+ (related to CVE-2016-5420)
+
+* Wed Aug 03 2016 Kamil Dudka <kdudka@redhat.com> 7.50.1-1
+- new upstream release (fixes CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421)
+
+* Tue Jul 26 2016 Kamil Dudka <kdudka@redhat.com> 7.50.0-2
+- run HTTP/2 tests on all architectures (#1360319 now worked around in nghttp2)
+
+* Thu Jul 21 2016 Kamil Dudka <kdudka@redhat.com> 7.50.0-1
+- run HTTP/2 tests only on Intel for now to work around #1358845
+- require nss-pem because it is no longer included in the nss package (#1347336)
+- fix HTTPS and FTPS tests (work around stunnel bug #1358810)
+- new upstream release
+
+* Fri Jun 17 2016 Kamil Dudka <kdudka@redhat.com> 7.49.1-3
+- use multilib-rpm-config to install arch-dependent header files
+
+* Fri Jun 03 2016 Kamil Dudka <kdudka@redhat.com> 7.49.1-2
+- fix SIGSEGV of the curl tool while parsing URL with too many globs (#1340757)
+
+* Mon May 30 2016 Kamil Dudka <kdudka@redhat.com> 7.49.1-1
+- new upstream release
+
+* Wed May 18 2016 Kamil Dudka <kdudka@redhat.com> 7.49.0-1
+- new upstream release
+
+* Wed Mar 23 2016 Kamil Dudka <kdudka@redhat.com> 7.48.0-1
+- new upstream release
+
+* Wed Mar 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-4
+- do not refuse cookies for localhost (#1308791)
+
+* Wed Feb 17 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-3
+- make SCP and SFTP test-cases work with up2date OpenSSH
+
+* Wed Feb 10 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-2
+- enable support for Public Suffix List (#1305701)
+
+* Mon Feb 08 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-1
+- new upstream release
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 7.47.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jan 27 2016 Kamil Dudka <kdudka@redhat.com> 7.47.0-1
+- new upstream release (fixes CVE-2016-0755)
+
+* Fri Dec 4 2015 Kamil Dudka <kdudka@redhat.com> 7.46.0-2
+- own /usr/share/zsh/site-functions instead of requiring zsh (#1288529)
+
+* Wed Dec 2 2015 Kamil Dudka <kdudka@redhat.com> 7.46.0-1
+- disable silent builds (suggested by Paul Howarth)
+- use default port numbers when running the upstream test-suite
+- install zsh completion script
+- new upstream release
+
+* Wed Oct 7 2015 Paul Howarth <paul@city-fan.org> 7.45.0-1
+- new upstream release
+- drop %%defattr, redundant since rpm 4.4
+
+* Fri Sep 18 2015 Kamil Dudka <kdudka@redhat.com> 7.44.0-2
+- prevent NSS from incorrectly re-using a session (#1104597)
+
+* Wed Aug 12 2015 Kamil Dudka <kdudka@redhat.com> 7.44.0-1
+- new upstream release
+
+* Thu Jul 30 2015 Kamil Dudka <kdudka@redhat.com> 7.43.0-3
+- prevent dnf from crashing when using both FTP and HTTP (#1248389)
+
+* Thu Jul 16 2015 Kamil Dudka <kdudka@redhat.com> 7.43.0-2
+- build support for the HTTP/2 protocol
+
+* Wed Jun 17 2015 Kamil Dudka <kdudka@redhat.com> 7.43.0-1
+- new upstream release (fixes CVE-2015-3236 and CVE-2015-3237)
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.42.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Jun 05 2015 Kamil Dudka <kdudka@redhat.com> 7.42.1-2
+- curl-config --libs now works on x86_64 without libcurl-devel.x86_64 (#1228363)
+
+* Wed Apr 29 2015 Kamil Dudka <kdudka@redhat.com> 7.42.1-1
+- new upstream release (fixes CVE-2015-3153)
+
+* Wed Apr 22 2015 Kamil Dudka <kdudka@redhat.com> 7.42.0-1
+- new upstream release (fixes CVE-2015-3143, CVE-2015-3144, CVE-2015-3145,
+ and CVE-2015-3148)
+- implement public key pinning for NSS backend (#1195771)
+- do not run flaky test-cases in %%check
+
+* Wed Feb 25 2015 Kamil Dudka <kdudka@redhat.com> 7.41.0-1
+- new upstream release
+- include extern-scan.pl to make test1135 succeed (upstream commit 1514b718)
+
+* Mon Feb 23 2015 Kamil Dudka <kdudka@redhat.com> 7.40.0-3
+- fix a spurious connect failure on dual-stacked hosts (#1187531)
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 7.40.0-2
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Thu Jan 08 2015 Kamil Dudka <kdudka@redhat.com> 7.40.0-1
+- new upstream release (fixes CVE-2014-8150)
+
+* Wed Nov 05 2014 Kamil Dudka <kdudka@redhat.com> 7.39.0-1
+- new upstream release (fixes CVE-2014-3707)
+
+* Tue Oct 21 2014 Kamil Dudka <kdudka@redhat.com> 7.38.0-2
+- fix a connection failure when FTPS handle is reused
+
+* Wed Sep 10 2014 Kamil Dudka <kdudka@redhat.com> 7.38.0-1
+- new upstream release (fixes CVE-2014-3613 and CVE-2014-3620)
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.37.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Aug 13 2014 Rex Dieter <rdieter@fedoraproject.org> 7.37.1-2
+- include arch'd Requires/Provides
+
+* Wed Jul 16 2014 Kamil Dudka <kdudka@redhat.com> 7.37.1-1
+- new upstream release
+- fix endless loop with GSSAPI proxy auth (patches by David Woodhouse, #1118751)
+
+* Fri Jul 11 2014 Tom Callaway <spot@fedoraproject.org> 7.37.0-4
+- fix license handling
+
+* Fri Jul 04 2014 Kamil Dudka <kdudka@redhat.com> 7.37.0-3
+- various SSL-related fixes (mainly crash on connection failure)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.37.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 21 2014 Kamil Dudka <kdudka@redhat.com> 7.37.0-1
+- new upstream release
+
+* Fri May 09 2014 Kamil Dudka <kdudka@redhat.com> 7.36.0-4
+- auth failure on duplicated 'WWW-Authenticate: Negotiate' header (#1093348)
+
+* Fri Apr 25 2014 Kamil Dudka <kdudka@redhat.com> 7.36.0-3
+- nss: implement non-blocking SSL handshake
+
+* Wed Apr 02 2014 Kamil Dudka <kdudka@redhat.com> 7.36.0-2
+- extend URL parser to support IPv6 zone identifiers (#680996)
+
+* Wed Mar 26 2014 Kamil Dudka <kdudka@redhat.com> 7.36.0-1
+- new upstream release (fixes CVE-2014-0138)
+
+* Mon Mar 17 2014 Paul Howarth <paul@city-fan.org> 7.35.0-5
+- add all perl build requirements for the test suite, in a portable way
+
+* Mon Mar 17 2014 Kamil Dudka <kdudka@redhat.com> 7.35.0-4
+- add BR for perl-Digest-MD5, which is required by the test-suite
+
+* Wed Mar 05 2014 Kamil Dudka <kdudka@redhat.com> 7.35.0-3
+- avoid spurious failure of test1086 on s390(x) koji builders (#1072273)
+
+* Tue Feb 25 2014 Kamil Dudka <kdudka@redhat.com> 7.35.0-2
+- refresh expired cookie in test172 from upstream test-suite (#1068967)
+
+* Wed Jan 29 2014 Kamil Dudka <kdudka@redhat.com> 7.35.0-1
+- new upstream release (fixes CVE-2014-0015)
+
+* Wed Dec 18 2013 Kamil Dudka <kdudka@redhat.com> 7.34.0-1
+- new upstream release
+
+* Mon Dec 02 2013 Kamil Dudka <kdudka@redhat.com> 7.33.0-2
+- allow to use TLS > 1.0 if built against recent NSS
+
+* Mon Oct 14 2013 Kamil Dudka <kdudka@redhat.com> 7.33.0-1
+- new upstream release
+- fix missing initialization in NTLM code causing test 906 to fail
+- fix missing initialization in SSH code causing test 619 to fail
+
+* Fri Oct 11 2013 Kamil Dudka <kdudka@redhat.com> 7.32.0-3
+- do not limit the speed of SCP upload on a fast connection
+
+* Mon Sep 09 2013 Kamil Dudka <kdudka@redhat.com> 7.32.0-2
+- avoid delay if FTP is aborted in CURLOPT_HEADERFUNCTION callback (#1005686)
+
+* Mon Aug 12 2013 Kamil Dudka <kdudka@redhat.com> 7.32.0-1
+- new upstream release
+- make sure that NSS is initialized prior to calling PK11_GenerateRandom()
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.31.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Jul 09 2013 Kamil Dudka <kdudka@redaht.com> 7.31.0-4
+- mention all option listed in 'curl --help' in curl.1 man page
+
+* Tue Jul 02 2013 Kamil Dudka <kdudka@redhat.com> 7.31.0-3
+- restore the functionality of 'curl -u :'
+
+* Wed Jun 26 2013 Kamil Dudka <kdudka@redhat.com> 7.31.0-2
+- build the curl tool with metalink support
+
+* Sat Jun 22 2013 Kamil Dudka <kdudka@redhat.com> 7.31.0-1
+- new upstream release (fixes CVE-2013-2174)
+
+* Fri Apr 26 2013 Kamil Dudka <kdudka@redhat.com> 7.30.0-2
+- prevent an artificial timeout event due to stale speed-check data (#906031)
+
+* Fri Apr 12 2013 Kamil Dudka <kdudka@redhat.com> 7.30.0-1
+- new upstream release (fixes CVE-2013-1944)
+- prevent test-suite failure due to using non-default port ranges in tests
+
+* Tue Mar 12 2013 Kamil Dudka <kdudka@redhat.com> 7.29.0-4
+- do not ignore poll() failures other than EINTR (#919127)
+- curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag (#919127)
+
+* Wed Mar 06 2013 Kamil Dudka <kdudka@redhat.com> 7.29.0-3
+- switch SSL socket into non-blocking mode after handshake
+- drop the hide_selinux.c hack no longer needed in %%check
+
+* Fri Feb 22 2013 Kamil Dudka <kdudka@redhat.com> 7.29.0-2
+- fix a SIGSEGV when closing an unused multi handle (#914411)
+
+* Wed Feb 06 2013 Kamil Dudka <kdudka@redhat.com> 7.29.0-1
+- new upstream release (fixes CVE-2013-0249)
+
+* Tue Jan 15 2013 Kamil Dudka <kdudka@redhat.com> 7.28.1-3
+- require valgrind for build only on i386 and x86_64 (#886891)
+
+* Tue Jan 15 2013 Kamil Dudka <kdudka@redhat.com> 7.28.1-2
+- prevent NSS from crashing on client auth hook failure
+- clear session cache if a client cert from file is used
+- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
+
+* Tue Nov 20 2012 Kamil Dudka <kdudka@redhat.com> 7.28.1-1
+- new upstream release
+
+* Wed Oct 31 2012 Kamil Dudka <kdudka@redhat.com> 7.28.0-1
+- new upstream release
+
+* Mon Oct 01 2012 Kamil Dudka <kdudka@redhat.com> 7.27.0-3
+- use the upstream facility to disable problematic tests
+- do not crash if MD5 fingerprint is not provided by libssh2
+
+* Wed Aug 01 2012 Kamil Dudka <kdudka@redhat.com> 7.27.0-2
+- eliminate unnecessary inotify events on upload via file protocol (#844385)
+
+* Sat Jul 28 2012 Kamil Dudka <kdudka@redhat.com> 7.27.0-1
+- new upstream release
+
+* Mon Jul 23 2012 Kamil Dudka <kdudka@redhat.com> 7.26.0-6
+- print reason phrase from HTTP status line on error (#676596)
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.26.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sat Jun 09 2012 Kamil Dudka <kdudka@redhat.com> 7.26.0-4
+- fix duplicated SSL handshake with multi interface and proxy (#788526)
+
+* Wed May 30 2012 Karsten Hopp <karsten@redhat.com> 7.26.0-3
+- disable test 1319 on ppc64, server times out
+
+* Mon May 28 2012 Kamil Dudka <kdudka@redhat.com> 7.26.0-2
+- use human-readable error messages provided by NSS (upstream commit 72f4b534)
+
+* Fri May 25 2012 Kamil Dudka <kdudka@redhat.com> 7.26.0-1
+- new upstream release
+
+* Wed Apr 25 2012 Karsten Hopp <karsten@redhat.com> 7.25.0-3
+- valgrind on ppc64 works fine, disable ppc32 only
+
+* Wed Apr 25 2012 Karsten Hopp <karsten@redhat.com> 7.25.0-3
+- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed
+
+* Fri Apr 13 2012 Kamil Dudka <kdudka@redhat.com> 7.25.0-2
+- use NSS_InitContext() to initialize NSS if available (#738456)
+- provide human-readable names for NSS errors (upstream commit a60edcc6)
+
+* Fri Mar 23 2012 Paul Howarth <paul@city-fan.org> 7.25.0-1
+- new upstream release (#806264)
+- fix character encoding of docs with a patch rather than just iconv
+- update debug and multilib patches
+- don't use macros for commands
+- reduce size of %%prep output for readability
+
+* Tue Jan 24 2012 Kamil Dudka <kdudka@redhat.com> 7.24.0-1
+- new upstream release (fixes CVE-2012-0036)
+
+* Thu Jan 05 2012 Paul Howarth <paul@city-fan.org> 7.23.0-6
+- rebuild for gcc 4.7
+
+* Mon Jan 02 2012 Kamil Dudka <kdudka@redhat.com> 7.23.0-5
+- upstream patch that allows to run FTPS tests with nss-3.13 (#760060)
+
+* Tue Dec 27 2011 Kamil Dudka <kdudka@redhat.com> 7.23.0-4
+- allow to run FTPS tests with nss-3.13 (#760060)
+
+* Sun Dec 25 2011 Kamil Dudka <kdudka@redhat.com> 7.23.0-3
+- avoid unnecessary timeout event when waiting for 100-continue (#767490)
+
+* Mon Nov 21 2011 Kamil Dudka <kdudka@redhat.com> 7.23.0-2
+- curl -JO now uses -O name if no C-D header comes (upstream commit c532604)
+
+* Wed Nov 16 2011 Kamil Dudka <kdudka@redhat.com> 7.23.0-1
+- new upstream release (#754391)
+
+* Mon Sep 19 2011 Kamil Dudka <kdudka@redhat.com> 7.22.0-2
+- nss: select client certificates by DER (#733657)
+
+* Tue Sep 13 2011 Kamil Dudka <kdudka@redhat.com> 7.22.0-1
+- new upstream release
+- curl-config now provides dummy --static-libs option (#733956)
+
+* Sun Aug 21 2011 Paul Howarth <paul@city-fan.org> 7.21.7-4
+- actually fix SIGSEGV of curl -O -J given more than one URL (#723075)
+
+* Mon Aug 15 2011 Kamil Dudka <kdudka@redhat.com> 7.21.7-3
+- fix SIGSEGV of curl -O -J given more than one URL (#723075)
+- introduce the --delegation option of curl (#730444)
+- initialize NSS with no database if the selected database is broken (#728562)
+
+* Wed Aug 03 2011 Kamil Dudka <kdudka@redhat.com> 7.21.7-2
+- add a new option CURLOPT_GSSAPI_DELEGATION (#719939)
+
+* Thu Jun 23 2011 Kamil Dudka <kdudka@redhat.com> 7.21.7-1
+- new upstream release (fixes CVE-2011-2192)
+
+* Wed Jun 08 2011 Kamil Dudka <kdudka@redhat.com> 7.21.6-2
+- avoid an invalid timeout event on a reused handle (#679709)
+
+* Sat Apr 23 2011 Paul Howarth <paul@city-fan.org> 7.21.6-1
+- new upstream release
+
+* Mon Apr 18 2011 Kamil Dudka <kdudka@redhat.com> 7.21.5-2
+- fix the output of curl-config --version (upstream commit 82ecc85)
+
+* Mon Apr 18 2011 Kamil Dudka <kdudka@redhat.com> 7.21.5-1
+- new upstream release
+
+* Sat Apr 16 2011 Peter Robinson <pbrobinson@gmail.com> 7.21.4-4
+- no valgrind on ARMv5 arches
+
+* Sat Mar 05 2011 Dennis Gilmore <dennis@ausil.us> 7.21.4-3
+- no valgrind on sparc arches
+
+* Tue Feb 22 2011 Kamil Dudka <kdudka@redhat.com> 7.21.4-2
+- do not ignore failure of SSL handshake (upstream commit 7aa2d10)
+
+* Fri Feb 18 2011 Kamil Dudka <kdudka@redhat.com> 7.21.4-1
+- new upstream release
+- avoid memory leak on SSL connection failure (upstream commit a40f58d)
+- work around valgrind bug (#678518)
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.21.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jan 12 2011 Kamil Dudka <kdudka@redhat.com> 7.21.3-2
+- build libcurl with --enable-hidden-symbols
+
+* Thu Dec 16 2010 Paul Howarth <paul@city-fan.org> 7.21.3-1
+- update to 7.21.3:
+ - added --noconfigure switch to testcurl.pl
+ - added --xattr option
+ - added CURLOPT_RESOLVE and --resolve
+ - added CURLAUTH_ONLY
+ - added version-check.pl to the examples dir
+ - check for libcurl features for some command line options
+ - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
+ - http_chunks: remove debug output
+ - URL-parsing: consider ? a divider
+ - SSH: avoid using the libssh2_ prefix
+ - SSH: use libssh2_session_handshake() to work on win64
+ - ftp: prevent server from hanging on closed data connection when stopping
+ a transfer before the end of the full transfer (ranges)
+ - LDAP: detect non-binary attributes properly
+ - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
+ - gnutls->handshake: improved timeout handling
+ - security: pass the right parameter to init
+ - krb5: use GSS_ERROR to check for error
+ - TFTP: resend the correct data
+ - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected
+ - GnuTLS: now detects socket errors on Windows
+ - symbols-in-versions: updated en masse
+ - added a couple of examples that were missing from the tarball
+ - Curl_send/recv_plain: return errno on failure
+ - Curl_wait_for_resolv (for c-ares): correct timeout
+ - ossl_connect_common: detect connection re-use
+ - configure: prevent link errors with --librtmp
+ - openldap: use remote port in URL passed to ldap_init_fd()
+ - url: provide dead_connection flag in Curl_handler::disconnect
+ - lots of compiler warning fixes
+ - ssh: fix a download resume point calculation
+ - fix getinfo CURLINFO_LOCAL* for reused connections
+ - multi: the returned running handles counter could turn negative
+ - multi: only ever consider pipelining for connections doing HTTP(S)
+- drop upstream patches now in tarball
+- update bz650255 and disable-test1112 patches to apply against new codebase
+- add workaround for false-positive glibc-detected buffer overflow in tftpd
+ test server with FORTIFY_SOURCE (similar to #515361)
+
+* Fri Nov 12 2010 Kamil Dudka <kdudka@redhat.com> 7.21.2-5
+- do not send QUIT to a dead FTP control connection (#650255)
+- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed
+
+* Tue Nov 09 2010 Kamil Dudka <kdudka@redhat.com> 7.21.2-4
+- prevent FTP client from hanging on unrecognized ABOR response (#649347)
+- return more appropriate error code in case FTP server session idle
+ timeout has exceeded (#650255)
+
+* Fri Oct 29 2010 Kamil Dudka <kdudka@redhat.com> 7.21.2-3
+- prevent FTP server from hanging on closed data connection (#643656)
+
+* Thu Oct 14 2010 Paul Howarth <paul@city-fan.org> 7.21.2-2
+- enforce versioned libssh2 dependency for libcurl (#642796)
+
+* Wed Oct 13 2010 Kamil Dudka <kdudka@redhat.com> 7.21.2-1
+- new upstream release, drop applied patches
+- make 0102-curl-7.21.2-debug.patch less intrusive
+
+* Wed Sep 29 2010 jkeating - 7.21.1-6
+- Rebuilt for gcc bug 634757
+
+* Sat Sep 11 2010 Kamil Dudka <kdudka@redhat.com> 7.21.1-5
+- make it possible to run SCP/SFTP tests on x86_64 (#632914)
+
+* Tue Sep 07 2010 Kamil Dudka <kdudka@redhat.com> 7.21.1-4
+- work around glibc/valgrind problem on x86_64 (#631449)
+
+* Tue Aug 24 2010 Paul Howarth <paul@city-fan.org> 7.21.1-3
+- fix up patches so there's no need to run autotools in the rpm build
+- drop buildreq automake
+- drop dependency on automake for devel package from F-14, where
+ %%{_datadir}/aclocal is included in the filesystem package
+- drop dependency on pkgconfig for devel package from F-11, where
+ pkgconfig dependencies are auto-generated
+
+* Mon Aug 23 2010 Kamil Dudka <kdudka@redhat.com> 7.21.1-2
+- re-enable test575 on s390(x), already fixed (upstream commit d63bdba)
+- modify system headers to work around gcc bug (#617757)
+- curl -T now ignores file size of special files (#622520)
+- fix kerberos proxy authentication for https (#625676)
+- work around glibc/valgrind problem on x86_64 (#626470)
+
+* Thu Aug 12 2010 Kamil Dudka <kdudka@redhat.com> 7.21.1-1
+- new upstream release
+
+* Mon Jul 12 2010 Dan Horák <dan[at]danny.cz> 7.21.0-3
+- disable test 575 on s390(x)
+
+* Mon Jun 28 2010 Kamil Dudka <kdudka@redhat.com> 7.21.0-2
+- add support for NTLM authentication (#603783)
+
+* Wed Jun 16 2010 Kamil Dudka <kdudka@redhat.com> 7.21.0-1
+- new upstream release, drop applied patches
+- update of %%description
+- disable valgrind for certain test-cases (libssh2 problem)
+
+* Tue May 25 2010 Kamil Dudka <kdudka@redhat.com> 7.20.1-6
+- fix -J/--remote-header-name to strip CR-LF (upstream patch)
+
+* Wed Apr 28 2010 Kamil Dudka <kdudka@redhat.com> 7.20.1-5
+- CRL support now works again (#581926)
+- make it possible to start a testing OpenSSH server when building with SELinux
+ in the enforcing mode (#521087)
+
+* Sat Apr 24 2010 Kamil Dudka <kdudka@redhat.com> 7.20.1-4
+- upstream patch preventing failure of test536 with threaded DNS resolver
+- upstream patch preventing SSL handshake timeout underflow
+
+* Thu Apr 22 2010 Paul Howarth <paul@city-fan.org> 7.20.1-3
+- replace Rawhide s390-sleep patch with a more targeted patch adding a
+ delay after tests 513 and 514 rather than after all tests
+
+* Wed Apr 21 2010 Kamil Dudka <kdudka@redhat.com> 7.20.1-2
+- experimentally enabled threaded DNS lookup
+- make curl-config multilib ready again (#584107)
+
+* Mon Apr 19 2010 Kamil Dudka <kdudka@redhat.com> 7.20.1-1
+- new upstream release
+
+* Tue Mar 23 2010 Kamil Dudka <kdudka@redhat.com> 7.20.0-4
+- add missing quote in libcurl.m4 (#576252)
+
+* Fri Mar 19 2010 Kamil Dudka <kdudka@redhat.com> 7.20.0-3
+- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972)
+- valgrind temporarily disabled (#574889)
+- kerberos installation prefix has been changed
+
+* Wed Feb 24 2010 Kamil Dudka <kdudka@redhat.com> 7.20.0-2
+- exclude test1112 from the test suite (#565305)
+
+* Thu Feb 11 2010 Kamil Dudka <kdudka@redhat.com> 7.20.0-1
+- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP
+- dropped patches applied upstream
+- dropped curl-7.16.0-privlibs.patch no longer useful
+- a new patch forcing -lrt when linking the curl tool and test-cases
+
+* Fri Jan 29 2010 Kamil Dudka <kdudka@redhat.com> 7.19.7-11
+- upstream patch adding a new option -J/--remote-header-name
+- dropped temporary workaround for #545779
+
+* Thu Jan 14 2010 Chris Weyl <cweyl@alumni.drew.edu> 7.19.7-10
+- bump for libssh2 rebuild
+
+* Sun Dec 20 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-9
+- temporary workaround for #548269
+ (restored behavior of 7.19.7-4)
+
+* Wed Dec 09 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-8
+- replace hard wired port numbers in the test suite
+
+* Wed Dec 09 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-7
+- use different port numbers for 32bit and 64bit builds
+- temporary workaround for #545779
+
+* Tue Dec 08 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-6
+- make it possible to run test241
+- re-enable SCP/SFTP tests (#539444)
+
+* Sat Dec 05 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-5
+- avoid use of uninitialized value in lib/nss.c
+- suppress failure of test513 on s390
+
+* Tue Dec 01 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-4
+- do not require valgrind on s390 and s390x
+- temporarily disabled SCP/SFTP test-suite (#539444)
+
+* Thu Nov 12 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-3
+- fix crash on doubly closed NSPR descriptor, patch contributed
+ by Kevin Baughman (#534176)
+- new version of patch for broken TLS servers (#525496, #527771)
+
+* Wed Nov 04 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-2
+- increased release number (CVS problem)
+
+* Wed Nov 04 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-1
+- new upstream release, dropped applied patches
+- workaround for broken TLS servers (#525496, #527771)
+
+* Wed Oct 14 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-13
+- fix timeout issues and gcc warnings within lib/nss.c
+
+* Tue Oct 06 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-12
+- upstream patch for NSS support written by Guenter Knauf
+
+* Wed Sep 30 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-11
+- build libcurl with c-ares support (#514771)
+
+* Sun Sep 27 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-10
+- require libssh2>=1.2 properly (#525002)
+
+* Sat Sep 26 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-9
+- let curl test-suite use valgrind
+- require libssh2>=1.2 (#525002)
+
+* Mon Sep 21 2009 Chris Weyl <cweyl@alumni.drew.edu> - 7.19.6-8
+- rebuild for libssh2 1.2
+
+* Thu Sep 17 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-7
+- make curl test-suite more verbose
+
+* Wed Sep 16 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-6
+- update polling patch to the latest upstream version
+
+* Thu Sep 03 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-5
+- cover ssh and stunnel support by the test-suite
+
+* Wed Sep 02 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-4
+- use pkg-config to find nss and libssh2 if possible
+- better patch (not only) for SCP/SFTP polling
+- improve error message for not matching common name (#516056)
+
+* Fri Aug 21 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-3
+- avoid tight loop during a sftp upload
+- http://permalink.gmane.org/gmane.comp.web.curl.library/24744
+
+* Tue Aug 18 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-2
+- let curl package depend on the same version of libcurl
+
+* Fri Aug 14 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-1
+- new upstream release, dropped applied patches
+- changed NSS code to not ignore the value of ssl.verifyhost and produce more
+ verbose error messages (#516056)
+
+* Wed Aug 12 2009 Ville Skyttä <ville.skytta@iki.fi> - 7.19.5-10
+- Use lzma compressed upstream tarball.
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.19.5-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jul 22 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-8
+- do not pre-login to all PKCS11 slots, it causes problems with HW tokens
+- try to select client certificate automatically when not specified, thanks
+ to Claes Jakobsson
+
+* Fri Jul 10 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-7
+- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson
+
+* Sun Jul 05 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-6
+- force test suite to use the just built libcurl, thanks to Paul Howarth
+
+* Thu Jul 02 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-5
+- run test suite after build
+- enable built-in manual
+
+* Wed Jun 24 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-4
+- fix bug introduced by the last build (#504857)
+
+* Wed Jun 24 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-3
+- exclude curlbuild.h content from spec (#504857)
+
+* Wed Jun 10 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-2
+- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857)
+
+* Tue May 19 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-1
+- update to 7.19.5, dropped applied patches
+
+* Mon May 11 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-11
+- fix infinite loop while loading a private key, thanks to Michael Cronenworth
+ (#453612)
+
+* Mon Apr 27 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-10
+- fix curl/nss memory leaks while using client certificate (#453612, accepted
+ by upstream)
+
+* Wed Apr 22 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-9
+- add missing BuildRequire for autoconf
+
+* Wed Apr 22 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-8
+- fix configure.ac to not discard -g in CFLAGS (#496778)
+
+* Tue Apr 21 2009 Debarshi Ray <rishi@fedoraproject.org> 7.19.4-7
+- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings.
+
+* Tue Apr 14 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-6
+- upstream patch fixing memory leak in lib/nss.c (#453612)
+- remove redundant dependency of libcurl-devel on libssh2-devel
+
+* Wed Mar 18 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-5
+- enable 6 additional crypto algorithms by default (#436781,
+ accepted by upstream)
+
+* Thu Mar 12 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-4
+- fix memory leak in src/main.c (accepted by upstream)
+- avoid using %%ifarch
+
+* Wed Mar 11 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-3
+- make libcurl-devel multilib-ready (bug #488922)
+
+* Fri Mar 06 2009 Jindrich Novy <jnovy@redhat.com> 7.19.4-2
+- drop .easy-leak patch, causes problems in pycurl (#488791)
+- fix libcurl-devel dependencies (#488895)
+
+* Tue Mar 03 2009 Jindrich Novy <jnovy@redhat.com> 7.19.4-1
+- update to 7.19.4 (fixes CVE-2009-0037)
+- fix leak in curl_easy* functions, thanks to Kamil Dudka
+- drop nss-fix patch, applied upstream
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.19.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Feb 17 2009 Kamil Dudka <kdudka@redhat.com> 7.19.3-1
+- update to 7.19.3, dropped applied nss patches
+- add patch fixing 7.19.3 curl/nss bugs
+
+* Mon Dec 15 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-9
+- rebuild for f10/rawhide cvs tag clashes
+
+* Sat Dec 06 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-8
+- use improved NSS patch, thanks to Rob Crittenden (#472489)
+
+* Tue Sep 09 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-7
+- update the thread safety patch, thanks to Rob Crittenden (#462217)
+
+* Wed Sep 03 2008 Warren Togami <wtogami@redhat.com> 7.18.2-6
+- add thread safety to libcurl NSS cleanup() functions (#459297)
+
+* Fri Aug 22 2008 Tom "spot" Callaway <tcallawa@redhat.com> 7.18.2-5
+- undo mini libcurl.so.3
+
+* Mon Aug 11 2008 Tom "spot" Callaway <tcallawa@redhat.com> 7.18.2-4
+- make miniature library for libcurl.so.3
+
+* Fri Jul 4 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-3
+- enable support for libssh2 (#453958)
+
+* Wed Jun 18 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-2
+- fix curl_multi_perform() over a proxy (#450140), thanks to
+ Rob Crittenden
+
+* Wed Jun 4 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-1
+- update to 7.18.2
+
+* Wed May 7 2008 Jindrich Novy <jnovy@redhat.com> 7.18.1-2
+- spec cleanup, thanks to Paul Howarth (#225671)
+ - drop BR: libtool
+ - convert CHANGES and README to UTF-8
+ - _GNU_SOURCE in CFLAGS is no more needed
+ - remove bogus rpath
+
+* Mon Mar 31 2008 Jindrich Novy <jnovy@redhat.com> 7.18.1-1
+- update to curl 7.18.1 (fixes #397911)
+- add ABI docs for libcurl
+- remove --static-libs from curl-config
+- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf
+ substitution (#432667)
+
+* Fri Feb 15 2008 Jindrich Novy <jnovy@redhat.com> 7.18.0-2
+- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc
+
+* Mon Jan 28 2008 Jindrich Novy <jnovy@redhat.com> 7.18.0-1
+- update to curl-7.18.0
+- drop sslgen patch -> applied upstream
+- fix typo in description
+
+* Tue Jan 22 2008 Jindrich Novy <jnovy@redhat.com> 7.17.1-6
+- fix curl-devel obsoletes so that we don't break F8->F9 upgrade
+ path (#429612)
+
+* Tue Jan 8 2008 Jindrich Novy <jnovy@redhat.com> 7.17.1-5
+- do not attempt to close a bad socket (#427966),
+ thanks to Caolan McNamara
+
+* Tue Dec 4 2007 Jindrich Novy <jnovy@redhat.com> 7.17.1-4
+- rebuild because of the openldap soname bump
+- remove old nsspem patch
+
+* Fri Nov 30 2007 Jindrich Novy <jnovy@redhat.com> 7.17.1-3
+- drop useless ldap library detection since curl doesn't
+ dlopen()s it but links to it -> BR: openldap-devel
+- enable LDAPS support (#225671), thanks to Paul Howarth
+- BR: krb5-devel to reenable GSSAPI support
+- simplify build process
+- update description
+
+* Wed Nov 21 2007 Jindrich Novy <jnovy@redhat.com> 7.17.1-2
+- update description to contain complete supported servers list (#393861)
+
+* Sat Nov 17 2007 Jindrich Novy <jnovy@redhat.com> 7.17.1-1
+- update to curl 7.17.1
+- include patch to enable SSL usage in NSS when a socket is opened
+ nonblocking, thanks to Rob Crittenden (rcritten@redhat.com)
+
+* Wed Oct 24 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-10
+- correctly provide/obsolete curl-devel (#130251)
+
+* Wed Oct 24 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-9
+- create libcurl and libcurl-devel subpackages (#130251)
+
+* Thu Oct 11 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-8
+- list features correctly when curl is compiled against NSS (#316191)
+
+* Mon Sep 17 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-7
+- add zlib-devel BR to enable gzip compressed transfers in curl (#292211)
+
+* Mon Sep 10 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-6
+- provide webclient (#225671)
+
+* Thu Sep 6 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-5
+- add support for the NSS PKCS#11 pem reader so the command-line is the
+ same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com)
+- switch to NSS again
+
+* Mon Sep 3 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-4
+- revert back to use OpenSSL (#266021)
+
+* Mon Aug 27 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-3
+- don't use openssl, use nss instead
+
+* Fri Aug 10 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-2
+- fix anonymous ftp login (#251570), thanks to David Cantrell
+
+* Wed Jul 11 2007 Jindrich Novy <jnovy@redhat.com> 7.16.4-1
+- update to 7.16.4
+
+* Mon Jun 25 2007 Jindrich Novy <jnovy@redhat.com> 7.16.3-1
+- update to 7.16.3
+- drop .print patch, applied upstream
+- next series of merge review fixes by Paul Howarth
+- remove aclocal stuff, no more needed
+- simplify makefile arguments
+- don't reference standard library paths in libcurl.pc
+- include docs/CONTRIBUTE
+
+* Mon Jun 18 2007 Jindrich Novy <jnovy@redhat.com> 7.16.2-5
+- don't print like crazy (#236981), backported from upstream CVS
+
+* Fri Jun 15 2007 Jindrich Novy <jnovy@redhat.com> 7.16.2-4
+- another series of review fixes (#225671),
+ thanks to Paul Howarth
+- check version of ldap library automatically
+- don't use %%makeinstall and preserve timestamps
+- drop useless patches
+
+* Fri May 11 2007 Jindrich Novy <jnovy@redhat.com> 7.16.2-3
+- add automake BR to curl-devel to fix aclocal dir. ownership,
+ thanks to Patrice Dumas
+
+* Thu May 10 2007 Jindrich Novy <jnovy@redhat.com> 7.16.2-2
+- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat
+
+* Wed Apr 11 2007 Jindrich Novy <jnovy@redhat.com> 7.16.2-1
+- update to 7.16.2
+
+* Mon Feb 19 2007 Jindrich Novy <jnovy@redhat.com> 7.16.1-3
+- don't create/ship static libraries (#225671)
+
+* Mon Feb 5 2007 Jindrich Novy <jnovy@redhat.com> 7.16.1-2
+- merge review related spec fixes (#225671)
+
+* Mon Jan 29 2007 Jindrich Novy <jnovy@redhat.com> 7.16.1-1
+- update to 7.16.1
+
+* Tue Jan 16 2007 Jindrich Novy <jnovy@redhat.com> 7.16.0-5
+- don't package generated makefiles for docs/examples to avoid
+ multilib conflicts
+
+* Mon Dec 18 2006 Jindrich Novy <jnovy@redhat.com> 7.16.0-4
+- convert spec to UTF-8
+- don't delete BuildRoot in %%prep phase
+- rpmlint fixes
+
+* Thu Nov 16 2006 Jindrich Novy <jnovy@redhat.com> -7.16.0-3
+- prevent curl from dlopen()ing missing ldap libraries so that
+ ldap:// requests work (#215928)
+
+* Tue Oct 31 2006 Jindrich Novy <jnovy@redhat.com> - 7.16.0-2
+- fix BuildRoot
+- add Requires: pkgconfig for curl-devel
+- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278)
+
+* Mon Oct 30 2006 Jindrich Novy <jnovy@redhat.com> - 7.16.0-1
+- update to curl-7.16.0
+
+* Thu Aug 24 2006 Jindrich Novy <jnovy@redhat.com> - 7.15.5-1.fc6
+- update to curl-7.15.5
+- use %%{?dist}
+
+* Fri Jun 30 2006 Ivana Varekova <varekova@redhat.com> - 7.15.4-1
+- update to 7.15.4
+
+* Mon Mar 20 2006 Ivana Varekova <varekova@redhat.com> - 7.15.3-1
+- fix multilib problem using pkg-config
+- update to 7.15.3
+
+* Thu Feb 23 2006 Ivana Varekova <varekova@redhat.com> - 7.15.1-2
+- fix multilib problem - #181290 -
+ curl-devel.i386 not installable together with curl-devel.x86-64
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 7.15.1-1.2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 7.15.1-1.2
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Thu Dec 8 2005 Ivana Varekova <varekova@redhat.com> 7.15.1-1
+- update to 7.15.1 (bug 175191)
+
+* Wed Nov 30 2005 Ivana Varekova <varekova@redhat.com> 7.15.0-3
+- fix curl-config bug 174556 - missing vernum value
+
+* Wed Nov 9 2005 Ivana Varekova <varekova@redhat.com> 7.15.0-2
+- rebuilt
+
+* Tue Oct 18 2005 Ivana Varekova <varekova@redhat.com> 7.15.0-1
+- update to 7.15.0
+
+* Thu Oct 13 2005 Ivana Varekova <varekova@redhat.com> 7.14.1-1
+- update to 7.14.1
+
+* Thu Jun 16 2005 Ivana Varekova <varekova@redhat.com> 7.14.0-1
+- rebuild new version
+
+* Tue May 03 2005 Ivana Varekova <varekova@redhat.com> 7.13.1-3
+- fix bug 150768 - curl-7.12.3-2 breaks basic authentication
+ used Daniel Stenberg patch
+
+* Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 7.13.1-2
+- update to use ca-bundle in /etc/pki
+- mark License as MIT not MPL
+
+* Wed Mar 9 2005 Ivana Varekova <varekova@redhat.com> 7.13.1-1
+- rebuilt (7.13.1)
+
+* Tue Mar 1 2005 Tomas Mraz <tmraz@redhat.com> 7.13.0-2
+- rebuild with openssl-0.9.7e
+
+* Sun Feb 13 2005 Florian La Roche <laroche@redhat.com>
+- 7.13.0
+
+* Wed Feb 9 2005 Joe Orton <jorton@redhat.com> 7.12.3-3
+- don't pass /usr to --with-libidn to remove "-L/usr/lib" from
+ 'curl-config --libs' output on x86_64.
+
+* Fri Jan 28 2005 Adrian Havill <havill@redhat.com> 7.12.3-1
+- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794)
+- require libidn-devel for devel subpkg (#141341)
+- remove proftpd kludge; included upstream
+
+* Wed Oct 06 2004 Adrian Havill <havill@redhat.com> 7.12.1-1
+- upgrade to 7.12.1
+- enable GSSAPI auth (#129353)
+- enable I18N domain names (#134595)
+- workaround for broken ProFTPD SSL auth (#134133). Thanks to
+ Aleksandar Milivojevic
+
+* Wed Sep 29 2004 Adrian Havill <havill@redhat.com> 7.12.0-4
+- move new docs position so defattr gets applied
+
+* Mon Sep 27 2004 Warren Togami <wtogami@redhat.com> 7.12.0-3
+- remove INSTALL, move libcurl docs to -devel
+
+* Mon Jul 26 2004 Jindrich Novy <jnovy@redhat.com>
+- updated to 7.12.0
+- updated nousr patch
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Wed Apr 07 2004 Adrian Havill <havill@redhat.com> 7.11.1-1
+- upgraded; updated nousr patch
+- added COPYING (#115956)
+-
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sat Jan 31 2004 Florian La Roche <Florian.LaRoche@redhat.de>
+- update to 7.10.8
+- remove patch2, already upstream
+
+* Wed Oct 15 2003 Adrian Havill <havill@redhat.com> 7.10.6-7
+- aclocal before libtoolize
+- move OpenLDAP license so it's present as a doc file, present in
+ both the source and binary as per conditions
+
+* Mon Oct 13 2003 Adrian Havill <havill@redhat.com> 7.10.6-6
+- add OpenLDAP copyright notice for usage of code, add OpenLDAP
+ license for this code
+
+* Tue Oct 07 2003 Adrian Havill <havill@redhat.com> 7.10.6-5
+- match serverAltName certs with SSL (#106168)
+
+* Tue Sep 16 2003 Adrian Havill <havill@redhat.com> 7.10.6-4.1
+- bump n-v-r for RHEL
+
+* Tue Sep 16 2003 Adrian Havill <havill@redhat.com> 7.10.6-4
+- restore ca cert bundle (#104400)
+- require openssl, we want to use its ca-cert bundle
+
+* Sun Sep 7 2003 Joe Orton <jorton@redhat.com> 7.10.6-3
+- rebuild
+
+* Fri Sep 5 2003 Joe Orton <jorton@redhat.com> 7.10.6-2.2
+- fix to include libcurl.so
+
+* Mon Aug 25 2003 Adrian Havill <havill@redhat.com> 7.10.6-2.1
+- bump n-v-r for RHEL
+
+* Mon Aug 25 2003 Adrian Havill <havill@redhat.com> 7.10.6-2
+- devel subpkg needs openssl-devel as a Require (#102963)
+
+* Mon Jul 28 2003 Adrian Havill <havill@redhat.com> 7.10.6-1
+- bumped version
+
+* Tue Jul 01 2003 Adrian Havill <havill@redhat.com> 7.10.5-1
+- bumped version
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sat Apr 12 2003 Florian La Roche <Florian.LaRoche@redhat.de>
+- update to 7.10.4
+- adapt nousr patch
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Jan 21 2003 Joe Orton <jorton@redhat.com> 7.9.8-4
+- don't add -L/usr/lib to 'curl-config --libs' output
+
+* Tue Jan 7 2003 Nalin Dahyabhai <nalin@redhat.com> 7.9.8-3
+- rebuild
+
+* Wed Nov 6 2002 Joe Orton <jorton@redhat.com> 7.9.8-2
+- fix `curl-config --libs` output for libdir!=/usr/lib
+- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la
+- libtoolize and reconf
+
+* Mon Jul 22 2002 Trond Eivind Glomsrød <teg@redhat.com> 7.9.8-1
+- 7.9.8 (# 69473)
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Sun May 26 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 16 2002 Trond Eivind Glomsrød <teg@redhat.com> 7.9.7-1
+- 7.9.7
+
+* Wed Apr 24 2002 Trond Eivind Glomsrød <teg@redhat.com> 7.9.6-1
+- 7.9.6
+
+* Thu Mar 21 2002 Trond Eivind Glomsrød <teg@redhat.com> 7.9.5-2
+- Stop the curl-config script from printing -I/usr/include
+ and -L/usr/lib (#59497)
+
+* Fri Mar 8 2002 Trond Eivind Glomsrød <teg@redhat.com> 7.9.5-1
+- 7.9.5
+
+* Tue Feb 26 2002 Trond Eivind Glomsrød <teg@redhat.com> 7.9.3-2
+- Rebuild
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 7.9.3-1
+- update to 7.9.3
+
+* Wed Jan 09 2002 Tim Powers <timp@redhat.com> 7.9.2-2
+- automated rebuild
+
+* Wed Jan 9 2002 Trond Eivind Glomsrød <teg@redhat.com> 7.9.2-1
+- 7.9.2
+
+* Fri Aug 17 2001 Nalin Dahyabhai <nalin@redhat.com>
+- include curl-config in curl-devel
+- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl
+
+* Wed Jul 18 2001 Crutcher Dunnavant <crutcher@redhat.com>
+- added openssl-devel build req
+
+* Mon May 21 2001 Tim Powers <timp@redhat.com>
+- built for the distro
+
+* Tue Apr 24 2001 Jeff Johnson <jbj@redhat.com>
+- upgrade to curl-7.7.2.
+- enable IPv6.
+
+* Fri Mar 2 2001 Tim Powers <timp@redhat.com>
+- rebuilt against openssl-0.9.6-1
+
+* Thu Jan 4 2001 Tim Powers <timp@redhat.com>
+- fixed mising ldconfigs
+- updated to 7.5.2, bug fixes
+
+* Mon Dec 11 2000 Tim Powers <timp@redhat.com>
+- updated to 7.5.1
+
+* Mon Nov 6 2000 Tim Powers <timp@redhat.com>
+- update to 7.4.1 to fix bug #20337, problems with curl -c
+- not using patch anymore, it's included in the new source. Keeping
+ for reference
+
+* Fri Oct 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix bogus req in -devel package
+
+* Fri Oct 20 2000 Tim Powers <timp@redhat.com>
+- devel package needed defattr so that root owns the files
+
+* Mon Oct 16 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 7.3
+- apply vsprintf/vsnprintf patch from Colin Phipps via Debian
+
+* Mon Aug 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- enable SSL support
+- fix packager tag
+- move buildroot to %%{_tmppath}
+
+* Tue Aug 1 2000 Tim Powers <timp@redhat.com>
+- fixed vendor tag for bug #15028
+
+* Mon Jul 24 2000 Prospector <prospector@redhat.com>
+- rebuilt
+
+* Tue Jul 11 2000 Tim Powers <timp@redhat.com>
+- workaround alpha build problems with optimizations
+
+* Mon Jul 10 2000 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Mon Jun 5 2000 Tim Powers <timp@redhat.com>
+- put man pages in correct place
+- use %%makeinstall
+
+* Mon Apr 24 2000 Tim Powers <timp@redhat.com>
+- updated to 6.5.2
+
+* Wed Nov 3 1999 Tim Powers <timp@redhat.com>
+- updated sources to 6.2
+- gzip man page
+
+* Mon Aug 30 1999 Tim Powers <timp@redhat.com>
+- changed group
+
+* Thu Aug 26 1999 Tim Powers <timp@redhat.com>
+- changelog started
+- general cleanups, changed prefix to /usr, added manpage to files section
+- including in Powertools