diff --git a/SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch b/SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch new file mode 100644 index 0000000..a80fe11 --- /dev/null +++ b/SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch 
@@ -0,0 +1,70 @@ +From d8518b70b912aa55fc47400173bf6229e40b71d0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org> +Date: Wed, 8 Jul 2020 15:17:31 +0200 +Subject: [PATCH] Make a use of HTTP header content-encoding: gzip if available + +When fetching remote resources, some servers/CDNs may be able to serve us +compressed http response even in cases when the original file is not compressed +XML. libcurl is able to process encoded html for us with no added maintenance +costs. + +Attached please find a CURL log of fetching plain XML file from Red Hat CDN: + +Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml +... +* Trying 104.90.105.254:443... +* Connected to www.redhat.com (104.90.105.254) port 443 (#0) +* ALPN, offering h2 +* ALPN, offering http/1.1 +* successfully set certificate verify locations: +* CAfile: /etc/pki/tls/certs/ca-bundle.crt + CApath: none +* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 +* ALPN, server accepted to use h2 +* Server certificate: +* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=2945436; C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; CN=www.redhat.com +* start date: Feb 24 00:00:00 2020 GMT +* expire date: May 24 12:00:00 2022 GMT +* subjectAltName: host "www.redhat.com" matched cert's "www.redhat.com" +* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA +* SSL certificate verify ok. +* Using HTTP2, server supports multi-use +* Connection state changed (HTTP/2 confirmed) +* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 +* Using Stream ID: 1 (easy handle 0x776c3b0) +> GET /security/data/oval/com.redhat.rhsa-RHEL7.xml HTTP/2 +Host: www.redhat.com +accept: */* +accept-encoding: gzip + +* old SSL session ID is stale, removing +* Connection state changed (MAX_CONCURRENT_STREAMS == 100)! 
+< HTTP/2 200 +< server: Apache +< last-modified: Wed, 08 Jul 2020 12:41:28 GMT +< etag: "7f694279-fca5e0-5a9ed6d376a08" +< accept-ranges: bytes +< content-type: text/xml +< content-encoding: gzip +< content-length: 1766376 +< date: Wed, 08 Jul 2020 13:15:29 GMT +< vary: Accept-Encoding +< strict-transport-security: max-age=31536000 +< +* Connection #0 to host www.redhat.com left intact +--- + src/common/oscap_acquire.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c +index 60ab62c05..551da43f0 100644 +--- a/src/common/oscap_acquire.c ++++ b/src/common/oscap_acquire.c +@@ -302,6 +302,7 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) + curl_easy_setopt(curl, CURLOPT_URL, url); + curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback); + curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); ++ curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); + curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); + + CURLcode res = curl_easy_perform(curl); diff --git a/SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch b/SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch new file mode 100644 index 0000000..e35e0f3 --- /dev/null +++ b/SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch 
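Review bot: With `CURLOPT_ACCEPT_ENCODING` set to `""`, libcurl inflates whichever encoding the server chooses before handing the bytes to `write_to_memory_callback`, so the memory the download consumes is now governed by the decompressed size rather than the `content-length` shown in the commit message (1766376 bytes in that log). Whether the callback caps the growing buffer is outside this hunk; if it does not, a misbehaving or compromised server can expand a small response into a very large allocation, and the callback should refuse further data once a ceiling is reached (returning a count different from the size it was given makes libcurl abort the transfer with CURLE_WRITE_ERROR). The return value of the added `curl_easy_setopt` call is discarded like the surrounding ones, so an option the linked libcurl does not support would go unnoticed; a single `if (curl_easy_setopt(...) != CURLE_OK)` check on the new line would surface that. `oscap_acquire_url_download` starts and ends outside the hunk.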
@@ -0,0 +1,168 @@ +From 12ccadd9f9cd30143b3af6feced58f8da636e9d2 Mon Sep 17 00:00:00 2001 +From: Evgeny Kolesnikov <ekolesni@redhat.com> +Date: Mon, 20 Jul 2020 07:45:05 +0200 +Subject: [PATCH] Add test for cURL "Accept-Encoding" header + +--- + tests/CMakeLists.txt | 1 + + tests/curl/CMakeLists.txt | 1 + + tests/curl/ds.xml | 99 ++++++++++++++++++++++++++++++++ + tests/curl/test_curl_encoding.sh | 23 ++++++++ + 4 files changed, 124 insertions(+) + create mode 100644 tests/curl/CMakeLists.txt + create mode 100644 tests/curl/ds.xml + create mode 100755 tests/curl/test_curl_encoding.sh + +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index b7ca6cd79..6948cd260 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -26,6 +26,7 @@ add_subdirectory("API") + add_subdirectory("bindings") + add_subdirectory("bz2") + add_subdirectory("codestyle") ++add_subdirectory("curl") + add_subdirectory("CPE") + add_subdirectory("DS") + add_subdirectory("mitre") +diff --git a/tests/curl/CMakeLists.txt b/tests/curl/CMakeLists.txt +new file mode 100644 +index 000000000..9c3d90d74 +--- /dev/null ++++ b/tests/curl/CMakeLists.txt +@@ -0,0 +1 @@ ++add_oscap_test("test_curl_encoding.sh") +diff --git a/tests/curl/ds.xml b/tests/curl/ds.xml +new file mode 100644 +index 000000000..f33cb475d +--- /dev/null ++++ b/tests/curl/ds.xml +@@ -0,0 +1,99 @@ ++<?xml version="1.0" encoding="utf-8"?> ++<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_test_single_rule.xccdf.xml" schematron-version="1.3"> ++<ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_test_single_rule.xccdf.xml" scap-version="1.3" use-case="OTHER"> ++ <ds:checklists> ++ <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.xccdf.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.xccdf.xml"> ++ <cat:catalog> ++ 
<cat:uri name="test_single_rule.oval.xml" uri="#scap_org.open-scap_cref_test_single_rule.oval.xml"/> ++ <cat:uri name="security-data-oval.xml.bz2" uri="#scap_org.open-scap_cref_security-data-oval.xml.bz2"/> ++ </cat:catalog> ++ </ds:component-ref> ++ </ds:checklists> ++ <ds:checks> ++ <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.oval.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.oval.xml"/> ++<!-- ++ <ds:component-ref id="scap_org.open-scap_cref_security-data-oval.xml.bz2" xlink:href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"/> ++--> ++ <ds:component-ref id="scap_org.open-scap_cref_security-data-oval.xml.bz2" xlink:href="https://github.com/"/> ++ </ds:checks> ++</ds:data-stream> ++ ++<ds:component id="scap_org.open-scap_comp_test_single_rule.oval.xml" timestamp="2017-06-09T07:07:38"> ++<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd"> ++ <generator> ++ <oval:schema_version>5.11</oval:schema_version> ++ <oval:timestamp>2009-01-12T10:41:00-05:00</oval:timestamp> ++ </generator> ++ ++ <definitions> ++ <definition class="compliance" id="oval:test-pass:def:1" version="1"> ++ <metadata> ++ <title>PASS</title> ++ <description>pass</description> ++ </metadata> ++ <criteria> ++ <criterion comment="PASS test" test_ref="oval:x:tst:1"/> ++ </criteria> ++ </definition> ++ 
</definitions> ++ ++ <tests> ++ <variable_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:tst:1" check="all" comment="always pass" version="1"> ++ <object object_ref="oval:x:obj:1"/> ++ </variable_test> ++ </tests> ++ ++ <objects> ++ <variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:obj:1" version="1" comment="x"> ++ <var_ref>oval:x:var:1</var_ref> ++ </variable_object> ++ </objects> ++ ++ <variables> ++ <constant_variable id="oval:x:var:1" version="1" comment="x" datatype="int"> ++ <value>100</value> ++ </constant_variable> ++ </variables> ++ ++</oval_definitions> ++</ds:component> ++ ++<ds:component id="scap_org.open-scap_comp_test_single_rule.xccdf.xml" timestamp="2017-06-09T09:15:45"> ++<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xml:lang="en-US"> ++ <status>accepted</status> ++ <version>1.0</version> ++ ++ <Profile id="xccdf_com.example.www_profile_test_remote_res"> ++ <title>xccdf_test_profile</title> ++ <description>This profile is for testing.</description> ++ <select idref="xccdf_com.example.www_rule_test-pass" selected="true"/> ++ <select idref="xccdf_com.example.www_rule_test-remote_res" selected="true"/> ++ </Profile> ++ ++ <Value id="xccdf_com.example.www_value_val1" type="number" operator="equals" interactive="0"> ++ <title>test value</title> ++ <description>foo</description> ++ <value selector="bar_1">50</value> ++ <value selector="bar_2">100</value> ++ </Value> ++ <Rule selected="true" id="xccdf_com.example.www_rule_test-pass"> ++ <title>This rule always pass</title> ++ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> ++ <check-content-ref href="test_single_rule.oval.xml" name="oval:test-pass:def:1"/> ++ </check> ++ </Rule> ++ <Rule selected="true" id="xccdf_com.example.www_rule_test-remote_res"> ++ <title>This rule checks remote 
resource</title> ++ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" multi-check="true"> ++ <check-content-ref href="security-data-oval.xml.bz2"/> ++ </check> ++ </Rule> ++ <Rule selected="true" id="xccdf_com.example.www_rule_test-pass2"> ++ <title>This rule always pass</title> ++ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> ++ <check-content-ref href="test_single_rule.oval.xml" name="oval:test-pass:def:1"/> ++ </check> ++ </Rule> ++</Benchmark> ++</ds:component> ++</ds:data-stream-collection> +diff --git a/tests/curl/test_curl_encoding.sh b/tests/curl/test_curl_encoding.sh +new file mode 100755 +index 000000000..6d82f9569 +--- /dev/null ++++ b/tests/curl/test_curl_encoding.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++ ++set -e -o pipefail ++ ++. $builddir/tests/test_common.sh ++ ++function curl_accept_encoding { ++ local DF="${srcdir}/ds.xml" ++ local RF="results.xml" ++ local LOG="verbose.log" ++ ++ $OSCAP xccdf --verbose=DEVEL eval --fetch-remote-resources --results $RF $DF 2>$LOG || echo "OK" ++ ++ grep -P "Accept-Encoding.*gzip" $LOG ++ ++ return 0 ++} ++ ++test_init ++ ++test_run "cURL: Accept-Encoding" curl_accept_encoding ++ ++test_exit diff --git a/SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch b/SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch new file mode 100644 index 0000000..af4b663 --- /dev/null +++ b/SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch 
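Review bot: `curl_accept_encoding` in `test_curl_encoding.sh` passes only if `oscap` actually reaches a remote host: the `Accept-Encoding` header is logged at the moment the request goes out, so in a build sandbox without network access the `grep` finds nothing and the test fails instead of being skipped. The `|| echo "OK"` also discards the exit status of `oscap`, so a crash and a clean run are indistinguishable, and `ds.xml` points the remote check at `https://github.com/`, which is not an OVAL document and whose behaviour is outside the project's control. Serving the fixture from a local listener started by the test, or skipping the case when the host is unreachable, would make the result independent of external services; at minimum capture the status, e.g. `$OSCAP ... 2>$LOG; ret=$?` and assert on it. The header line the script greps for is only written by the debug callback that the PR_1561 tracing patch adds, so this test depends on that patch being applied as well.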
@@ -0,0 +1,76 @@ +From aab536acdd4b08e2e8c3d4ac43981dfcaf1cc9f8 Mon Sep 17 00:00:00 2001 +From: Evgeny Kolesnikov <ekolesni@redhat.com> +Date: Mon, 13 Jul 2020 14:09:52 +0200 +Subject: [PATCH] Add CURLOPT_TRANSFER_ENCODING, enable CURLOPT_VERBOSE with + CURLOPT_DEBUGFUNCTION + +Adds a request for compressed Transfer Encoding in the outgoing +HTTP request. If the server supports this and so desires, it can +respond with the HTTP response sent using a compressed +Transfer-Encoding that will be automatically uncompressed by +libcurl on reception. + +The CURLOPT_DEBUGFUNCTION callback is used for printing headers and +connection information on VERBOSE level (dD). +--- + src/common/oscap_acquire.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c +index 551da43f0..666f4f5c9 100644 +--- a/src/common/oscap_acquire.c ++++ b/src/common/oscap_acquire.c +@@ -49,6 +49,7 @@ + #include "common/_error.h" + #include "oscap_string.h" + #include "oscap_helpers.h" ++#include "debug_priv.h" + + #ifndef OSCAP_TEMP_DIR + #define OSCAP_TEMP_DIR "/tmp" +@@ -288,6 +289,34 @@ oscap_acquire_url_to_filename(const char *url) + return filename; + } + ++static int _curl_trace(CURL *handle, curl_infotype type, char *data, size_t size, void *userp) ++{ ++ const char *title; ++ ++ switch (type) { ++ case CURLINFO_TEXT: ++ title = "== cURL info"; ++ break; ++ case CURLINFO_HEADER_OUT: ++ title = "=> cURL header (out)"; ++ break; ++ case CURLINFO_HEADER_IN: ++ title = "<= cURL header (in)"; ++ break; ++ case CURLINFO_DATA_OUT: ++ case CURLINFO_SSL_DATA_OUT: ++ case CURLINFO_DATA_IN: ++ case CURLINFO_SSL_DATA_IN: ++ default: ++ return 0; ++ break; ++ } ++ ++ dD("%s: %s", title, data); ++ ++ return 0; ++} ++ + char* oscap_acquire_url_download(const char *url, size_t* memory_size) + { + CURL *curl; +@@ -303,7 +332,10 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) + 
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback); + curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); + curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); ++ curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true); + curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); ++ curl_easy_setopt(curl, CURLOPT_VERBOSE, true); ++ curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace); + + CURLcode res = curl_easy_perform(curl); + curl_easy_cleanup(curl); diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index 7288d8c..1095a6b 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -1,6 +1,6 @@ Name: openscap Version: 1.3.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ @@ -8,6 +8,9 @@ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz Patch1: openscap-1.3.4-fix-environmentvariable58-regression.patch Patch2: openscap-1.3.4-fix-no-more-recursion.patch +Patch3: openscap-1.3.4-add_compression_support-PR_1557.patch +Patch4: openscap-1.3.4-add_compression_test-PR_1564.patch +Patch5: openscap-1.3.4-add_compression_tracing-PR_1561.patch BuildRequires: cmake >= 2.6 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser @@ -130,6 +133,9 @@ for developing applications that use %{name}-engine-sce. %setup -q %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 mkdir build %build @@ -217,6 +223,9 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/oscap-run-sce-script %changelog +* Tue Jul 21 2020 Matěj Týč <matyc@redhat.com> - 1.3.3-3 +- Added support for fetching remote content with compression (RHBZ#1855708) + * Thu Jun 25 2020 Matěj Týč <matyc@redhat.com> - 1.3.3-2 - Prevent unwanted recursion that could crash the scanner (RHBZ#1686370)
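Review bot: `_curl_trace` prints `data` with `%s`, but the buffer libcurl passes to a CURLOPT_DEBUGFUNCTION callback is documented as not NUL-terminated and exactly `size` bytes long, so the `dD` call reads past the end of the buffer until it happens to hit a zero byte. Bound the conversion with the length libcurl supplies: `dD("%s: %.*s", title, (int)size, data);`. Every request and response header now lands in the DEVEL log; if a fetch ever carries credential-bearing headers (none are visible here), they would be logged verbatim, so redacting them in the `CURLINFO_HEADER_OUT` arm or documenting that the DEVEL log may contain them is worth a line. The `break;` after `return 0;` in the `default` arm is unreachable and can be dropped. `oscap_acquire_url_download` continues past the end of the hunk.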