diff --git a/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch b/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
new file mode 100644
index 0000000..6d0c10c
--- /dev/null
+++ b/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
@@ -0,0 +1,143 @@
+From 7a26092a9e21f1e0dc3cad69a580a7e2c7822ad0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 16 Aug 2020 11:34:35 +0200
+Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+Closes #5824
+
+Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/connect.c | 19 ++++++++++---------
+ lib/easy.c    |  3 +--
+ lib/multi.c   |  5 +++--
+ lib/url.c     |  2 +-
+ lib/urldata.h |  2 +-
+ 5 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 41f2202..f724646 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1214,15 +1214,15 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
+ }
+ 
+ struct connfind {
+-  struct connectdata *tofind;
+-  bool found;
++  long id_tofind;
++  struct connectdata *found;
+ };
+ 
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+   struct connfind *f = (struct connfind *)param;
+-  if(conn == f->tofind) {
+-    f->found = TRUE;
++  if(conn->connection_id == f->id_tofind) {
++    f->found = conn;
+     return 1;
+   }
+   return 0;
+@@ -1244,21 +1244,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+    * - that is associated with a multi handle, and whose connection
+    *   was detached with CURLOPT_CONNECT_ONLY
+    */
+-  if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+-    struct connectdata *c = data->state.lastconnect;
++  if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++    struct connectdata *c;
+     struct connfind find;
+-    find.tofind = data->state.lastconnect;
+-    find.found = FALSE;
++    find.id_tofind = data->state.lastconnect_id;
++    find.found = NULL;
+ 
+     Curl_conncache_foreach(data, data->multi_easy?
+                            &data->multi_easy->conn_cache:
+                            &data->multi->conn_cache, &find, conn_is_conn);
+ 
+     if(!find.found) {
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+       return CURL_SOCKET_BAD;
+     }
+ 
++    c = find.found;
+     if(connp) {
+       /* only store this if the caller cares for it */
+       *connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index 027d0be..fe61cdd 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -919,8 +919,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+ 
+   /* the connection cache is setup on demand */
+   outcurl->state.conn_cache = NULL;
+-
+-  outcurl->state.lastconnect = NULL;
++  outcurl->state.lastconnect_id = -1;
+ 
+   outcurl->progress.flags    = data->progress.flags;
+   outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index 0caf943..0f57fd5 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -427,6 +427,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+     data->state.conn_cache = &data->share->conn_cache;
+   else
+     data->state.conn_cache = &multi->conn_cache;
++  data->state.lastconnect_id = -1;
+ 
+ #ifdef USE_LIBPSL
+   /* Do the same for PSL. */
+@@ -644,11 +645,11 @@ static CURLcode multi_done(struct connectdata **connp,
+     /* the connection is no longer in use by this transfer */
+     if(Curl_conncache_return_conn(conn)) {
+       /* remember the most recently used connection */
+-      data->state.lastconnect = conn;
++      data->state.lastconnect_id = conn->connection_id;
+       infof(data, "%s\n", buffer);
+     }
+     else
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+   }
+ 
+   *connp = NULL; /* to make the caller of this function better detect that
+diff --git a/lib/url.c b/lib/url.c
+index dcc6cc8..d65d17d 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -592,7 +592,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+       Curl_initinfo(data);
+ 
+       /* most recent connection is not yet defined */
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+ 
+       data->progress.flags |= PGRS_HIDE;
+       data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 67db3b2..4b70cc5 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1219,7 +1219,7 @@ struct UrlState {
+   /* buffers to store authentication data in, as parsed from input options */
+   struct curltime keeps_speed; /* for the progress meter really */
+ 
+-  struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++  long lastconnect_id; /* The last connection, -1 if undefined */
+ 
+   char *headerbuff; /* allocated buffer to store headers in */
+   size_t headersize;   /* size of the allocation */
+-- 
+2.25.4
+
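Review bot: In the `Curl_getconnectinfo` hunk of this backport, the lookup by `lastconnect_id` still walks only `data->multi_easy->conn_cache` or `data->multi->conn_cache`, while the `curl_multi_add_handle` context shows that a handle can keep its connections in `&data->share->conn_cache`. A pointer compare against the wrong cache could only miss, but an id compare can match an unrelated connection if `connection_id` values are allocated per cache; these hunks do not show how ids are allocated, so confirm it in this 7.61.1 tree. If ids are per cache, select the shared cache first, e.g. `data->share && (data->share->specifier & (1 << CURL_LOCK_DATA_CONNECT)) ? &data->share->conn_cache : ...` ahead of the two existing choices. Separately, the `urldata.h` comment would be more accurate as `/* id of the last connection, -1 if undefined */`. Both functions continue outside the hunks shown.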
diff --git a/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
new file mode 100644
index 0000000..f6bcb01
--- /dev/null
+++ b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
@@ -0,0 +1,60 @@
+From 9d5903ebcbcbcc4f3a997ec7d5552721c5383b9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Ba=C5=A1ti?= <mbasti@redhat.com>
+Date: Thu, 27 Aug 2020 23:09:56 +0200
+Subject: [PATCH] http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
+
+... in case NO_PROXY takes an effect
+
+Without this patch, the following command crashes:
+
+    $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
+        git clone https://github.com/curl/curl.git
+
+Minimal libcurl-based reproducer:
+
+    #include <curl/curl.h>
+
+    int main() {
+      CURL *curl = curl_easy_init();
+      if(curl) {
+        CURLcode ret;
+        curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
+        curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
+        /* set the proxy type */
+        curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
+        curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
+        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+        ret = curl_easy_perform(curl);
+        curl_easy_cleanup(curl);
+        return ret;
+      }
+      return -1;
+    }
+
+Assisted-by: Kamil Dudka
+Bug: https://bugzilla.redhat.com/1873327
+Closes #5902
+
+Upstream-commit: 3eff1c5092e542819ac7e6454a70c94b36ab2a40
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index d65d17d..e77f391 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3074,6 +3074,9 @@ static CURLcode create_conn_helper_init_proxy(struct connectdata *conn)
+     conn->bits.socksproxy = FALSE;
+     conn->bits.proxy_user_passwd = FALSE;
+     conn->bits.tunnel_proxy = FALSE;
++    /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
++       to signal that CURLPROXY_HTTPS is not used for this connection */
++    conn->http_proxy.proxytype = CURLPROXY_HTTP;
+   }
+ 
+ out:
+-- 
+2.25.4
+
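Review bot: The added comment in `create_conn_helper_init_proxy` says what is signalled but not when this branch runs, and the assignment overwrites the stored proxy type, unlike the `conn->bits.*` resets above it. The enclosing `if` starts outside the hunk; going by the commit message, this is the path where NO_PROXY cancels the configured proxy. I would spell that out, e.g. `/* no proxy applies to this connection (NO_PROXY matched), so drop the HTTPS type too: CURLPROXY_HTTPS has no flag of its own in conn->bits */`. The message carries a reproducer but the diffstat lists only `lib/url.c`, so a regression test for the HTTPS proxy plus NO_PROXY combination is worth adding.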
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 78b2cd3..f136a0a 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -58,6 +58,12 @@ Patch20:  0020-curl-7.61.1-openssl-engines.patch
 # avoid overwriting a local file with -J (CVE-2020-8177)
 Patch21:  0021-curl-7.61.1-CVE-2020-8177.patch
 
+# libcurl: wrong connect-only connection (CVE-2020-8231)
+Patch22:  0022-curl-7.61.1-CVE-2020-8231.patch
+
+# do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+Patch23:  0023-curl-7.61.1-no-https-proxy-crash.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -242,6 +248,8 @@ git apply %{PATCH4}
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p1
+%patch23 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -402,6 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Tue Nov 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-15
+- do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+- libcurl: wrong connect-only connection (CVE-2020-8231)
+
 * Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14
 - avoid overwriting a local file with -J (CVE-2020-8177)