diff --git a/0001-curl-7.53.1-CVE-2017-7407.patch b/0001-curl-7.53.1-CVE-2017-7407.patch
new file mode 100644
index 0000000..08869ae
--- /dev/null
+++ b/0001-curl-7.53.1-CVE-2017-7407.patch
@@ -0,0 +1,225 @@
+From eb160abce0ac45a8e070d9fa995c61a416a58ddd Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 11 Mar 2017 10:59:34 +0100
+Subject: [PATCH 1/2] tool_writeout: fixed a buffer read overrun on --write-out
+
+If a % ended the statement, the string's trailing NUL would be skipped
+and memory past the end of the buffer would be accessed and potentially
+displayed as part of the --write-out output. Added tests 1440 and 1441
+to check for this kind of condition.
+
+Reported-by: Brian Carpenter
+
+Upstream-commit: 1890d59905414ab84a35892b2e45833654aa5c13
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_writeout.c     |  2 +-
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1440     | 31 +++++++++++++++++++++++++++++++
+ tests/data/test1441     | 31 +++++++++++++++++++++++++++++++
+ 4 files changed, 64 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1440
+ create mode 100644 tests/data/test1441
+
+diff --git a/src/tool_writeout.c b/src/tool_writeout.c
+index 2fb7774..7843182 100644
+--- a/src/tool_writeout.c
++++ b/src/tool_writeout.c
+@@ -113,7 +113,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+   double doubleinfo;
+ 
+   while(ptr && *ptr) {
+-    if('%' == *ptr) {
++    if('%' == *ptr && ptr[1]) {
+       if('%' == ptr[1]) {
+         /* an escaped %-letter */
+         fputc('%', stream);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 8251ab9..2e70895 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -151,7 +151,7 @@ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
+ test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
+ test1424 \
+ test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
+-test1436 test1437 test1438 test1439 \
++test1436 test1437 test1438 test1439 test1440 test1441 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+diff --git a/tests/data/test1440 b/tests/data/test1440
+new file mode 100644
+index 0000000..7ed0c4d
+--- /dev/null
++++ b/tests/data/test1440
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %{
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%{'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%{
++</stdout>
++</verify>
++</testcase>
+diff --git a/tests/data/test1441 b/tests/data/test1441
+new file mode 100644
+index 0000000..6e253a6
+--- /dev/null
++++ b/tests/data/test1441
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%
++</stdout>
++</verify>
++</testcase>
+-- 
+2.9.3
+
+
+From 67bee1434a17065da7db3fc2915c494f289f46de Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 24 Mar 2017 10:14:21 +0100
+Subject: [PATCH 2/2] curl: check for end of input in writeout backslash
+ handling
+
+Reported-by: Brian Carpenter
+
+Added test 1442 to verify
+
+Upstream-commit: 8e65877870c1fac920b65219adec720df810aab9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_writeout.c     |  4 ++--
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1442     | 35 +++++++++++++++++++++++++++++++++++
+ 3 files changed, 38 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test1442
+
+diff --git a/src/tool_writeout.c b/src/tool_writeout.c
+index 7843182..5d92bd2 100644
+--- a/src/tool_writeout.c
++++ b/src/tool_writeout.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -341,7 +341,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+         }
+       }
+     }
+-    else if('\\' == *ptr) {
++    else if('\\' == *ptr && ptr[1]) {
+       switch(ptr[1]) {
+       case 'r':
+         fputc('\r', stream);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 2e70895..267ff6a 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -151,7 +151,7 @@ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
+ test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
+ test1424 \
+ test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
+-test1436 test1437 test1438 test1439 test1440 test1441 \
++test1436 test1437 test1438 test1439 test1440 test1441 test1442 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+diff --git a/tests/data/test1442 b/tests/data/test1442
+new file mode 100644
+index 0000000..255a4c9
+--- /dev/null
++++ b/tests/data/test1442
+@@ -0,0 +1,35 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++FILE
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing \
++</name>
++<command>
++file://localhost/%PWD/log/non-existent-file.txt --write-out '\'
++</command>
++</client>
++
++# Verify data
++<verify>
++<errorcode>
++37
++</errorcode>
++<stdout nonewline="yes">
++\
++</stdout>
++</verify>
++</testcase>
+-- 
+2.9.3
+
diff --git a/curl.spec b/curl.spec
index f079543..979a2e4 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,11 +1,14 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.53.1
-Release: 3.5%{?dist}
+Release: 3.6%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 
+# fix out of bounds read in curl --write-out (CVE-2017-7407)
+Patch1:   0001-curl-7.53.1-CVE-2017-7407.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -18,6 +21,7 @@ Patch104: 0104-curl-7.19.7-localhost6.patch
 Provides: webclient
 URL: https://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
+BuildRequires: automake
 BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
@@ -142,15 +146,21 @@ be installed.
 %setup -q
 
 # upstream patches
+%patch1 -p1
 
 # Fedora patches
 %patch101 -p1
 %patch102 -p1
 %patch104 -p1
 
+# regenerate Makefile.in files
+aclocal -I m4
+automake
+
 # disable test 1112 (#565305) and test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
-printf "1112\n1801\n" >> tests/data/DISABLED
+# and test 2033, which is a flaky test for HTTP/1 pipelining
+printf "1112\n1801\n2033\n" >> tests/data/DISABLED
 
 # disable test 1319 on ppc64 (server times out)
 %ifarch ppc64
@@ -299,6 +309,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal
 
 %changelog
+* Wed Apr 12 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-3.6
+- rebase on top of current master
+
 * Wed Apr 05 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-3.5
 - keep the HTTP/2 support in libcurl-minimal, too