Resolves: CVE-2021-22947 - fix STARTTLS protocol injection via MITM

Resolves: CVE-2021-22923 - metalink download sends credentials
Resolves: CVE-2021-22922 - wrong content via metalink not discarded

0001-curl-7.67.0-upload-glob.patch

@@ -1,316 +0,0 @@
-From 37a36231c5e34ae31b1968481fad2e8d76613fbd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 13 Nov 2019 11:33:29 +0100
-Subject: [PATCH] curl: fix -T globbing
-
-Regression from e59371a4936f8 (7.67.0)
-
-Added test 490, 491 and 492 to verify the functionality.
-
-Reported-by: Kamil Dudka
-Reported-by: Anderson Sasaki
-
-Fixes #4588
-Closes #4591
-
-Upstream-commit: 7a46aeb0be3fa00826b0c47a8bc06eddff448659
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- src/tool_operate.c      | 15 ++++---
- tests/data/Makefile.inc |  2 +
- tests/data/test490      | 68 +++++++++++++++++++++++++++++++
- tests/data/test491      | 64 +++++++++++++++++++++++++++++
- tests/data/test492      | 89 +++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 232 insertions(+), 6 deletions(-)
- create mode 100644 tests/data/test490
- create mode 100644 tests/data/test491
- create mode 100644 tests/data/test492
-
-diff --git a/src/tool_operate.c b/src/tool_operate.c
-index 3087d2d..4ecb1ed 100644
---- a/src/tool_operate.c
-+++ b/src/tool_operate.c
-@@ -829,12 +829,6 @@ static CURLcode single_transfer(struct GlobalConfig *global,
-       separator = ((!state->outfiles ||
-                     !strcmp(state->outfiles, "-")) && urlnum > 1);
- 
--      /* Here's looping around each globbed URL */
--
--      if(state->li >= urlnum) {
--        state->li = 0;
--        state->up++;
--      }
-       if(state->up < state->infilenum) {
-         struct per_transfer *per;
-         struct OutStruct *outs;
-@@ -1908,6 +1902,15 @@ static CURLcode single_transfer(struct GlobalConfig *global,
-         per->retrystart = tvnow();
- 
-         state->li++;
-+        /* Here's looping around each globbed URL */
-+        if(state->li >= urlnum) {
-+          state->li = 0;
-+          state->urlnum = 0; /* forced reglob of URLs */
-+          glob_cleanup(state->urls);
-+          state->urls = NULL;
-+          state->up++;
-+          Curl_safefree(state->uploadfile); /* clear it to get the next */
-+        }
-       }
-       else {
-         /* Free this URL node data without destroying the
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 557f928..212900e 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -66,6 +66,8 @@ test393 test394 test395 \
- test400 test401 test402 test403 test404 test405 test406 test407 test408 \
- test409 \
- \
-+test490 test491 test492 \
-+\
- test500 test501 test502 test503 test504 test505 test506 test507 test508 \
- test509 test510 test511 test512 test513 test514 test515 test516 test517 \
- test518 test519 test520 test521 test522 test523 test524 test525 test526 \
-diff --git a/tests/data/test490 b/tests/data/test490
-new file mode 100644
-index 0000000..a3383a9
---- /dev/null
-+++ b/tests/data/test490
-@@ -0,0 +1,68 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/490 -T '{log/in490,log/in490}'
-+</command>
-+<file name="log/in490">
-+surprise!
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /490 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+PUT /490 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test491 b/tests/data/test491
-new file mode 100644
-index 0000000..b49c06c
---- /dev/null
-+++ b/tests/data/test491
-@@ -0,0 +1,64 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs, the second upload file is missing
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/491 -T '{log/in491,log/bad491}'
-+</command>
-+<file name="log/in491">
-+surprise!
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /491 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+</protocol>
-+<errorcode>
-+26
-+</errorcode>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test492 b/tests/data/test492
-new file mode 100644
-index 0000000..12edd8b
---- /dev/null
-+++ b/tests/data/test492
-@@ -0,0 +1,89 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs to two globbed URLs
-+ </name>
-+ <command>
-+'http://%HOSTIP:%HTTPPORT/{one,two}/' -T '{log/first492,log/second492}' -H "Testno: 492"
-+</command>
-+<file name="log/first492">
-+first 492 contents
-+</file>
-+<file1 name="log/second492">
-+second 492 contents
-+</file1>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /one/first492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 19
-+Expect: 100-continue
-+
-+first 492 contents
-+PUT /two/first492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 19
-+Expect: 100-continue
-+
-+first 492 contents
-+PUT /one/second492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 20
-+Expect: 100-continue
-+
-+second 492 contents
-+PUT /two/second492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 20
-+Expect: 100-continue
-+
-+second 492 contents
-+</protocol>
-+</verify>
-+</testcase>
--- 
-2.20.1
-

0001-curl-7.71.1-tool-krb-opt.patch

@@ -0,0 +1,65 @@
+From a58654cbc5bea608b9c8729703a6d866ffaae8d8 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 2 Jul 2020 17:41:37 +0200
+Subject: [PATCH 1/2] tool_getparam: make --krb option work again
+
+It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301.
+
+Bug: https://bugzilla.redhat.com/1833193
+Closes #5640
+
+Upstream-commit: d2fd845c35922ca73b89c617597dd5c59772e16a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_getparam.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 3409621..9c6bc8a 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -813,7 +813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+         break;
+       case 'x': /* --krb */
+         /* kerberos level string */
+-        if(curlinfo->features & CURL_VERSION_KERBEROS4)
++        if(curlinfo->features & CURL_VERSION_SPNEGO)
+           GetStr(&config->krblevel, nextarg);
+         else
+           return PARAM_LIBCURL_DOESNT_SUPPORT;
+-- 
+2.21.3
+
+
+From 0be44560dfe3597a12b21b95798f69714ff0459a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 2 Jul 2020 23:46:40 +0200
+Subject: [PATCH 2/2] curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
+
+This came up in #5640. It make sense to clarify this in the docs!
+
+Reminded-by: Kamil Dudka
+Closes #5642
+
+Upstream-commit: 54f21be2e3a64b9e57130cf6d1eb4f17c44d7967
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/curl_version_info.3 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3
+index 2d21dfb..0d26e87 100644
+--- a/docs/libcurl/curl_version_info.3
++++ b/docs/libcurl/curl_version_info.3
+@@ -151,7 +151,7 @@ letters. (Added in 7.12.0)
+ .IP CURL_VERSION_IPV6
+ supports IPv6
+ .IP CURL_VERSION_KERBEROS4
+-supports Kerberos V4 (when using FTP)
++supports Kerberos V4 (when using FTP). Legacy bit. Deprecated since 7.33.0.
+ .IP CURL_VERSION_KERBEROS5
+ supports Kerberos V5 authentication for FTP, IMAP, POP3, SMTP and SOCKSv5 proxy
+ (Added in 7.40.0)
+-- 
+2.21.3
+

0002-curl-7.71.1-unset-nobody.patch

@@ -0,0 +1,148 @@
+From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Jul 2020 11:44:01 +0200
+Subject: [PATCH 1/3] setopt: unset NOBODY switches to GET if still HEAD
+
+Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
+action but before 7.71.0 that used to switch back to GET and with this
+change (assuming the method is still set to HEAD) this behavior is
+brought back.
+
+Reported-by: causal-agent on github
+Fixes #5725
+Closes #5728
+
+Upstream-commit: 91cb16b21faa556d4467399781379ad3abafd3fe
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 90edf6a..d621335 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -274,6 +274,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     if(data->set.opt_no_body)
+       /* in HTTP lingo, no body means using the HEAD request... */
+       data->set.method = HTTPREQ_HEAD;
++    else if(data->set.method == HTTPREQ_HEAD)
++      data->set.method = HTTPREQ_GET;
+     break;
+   case CURLOPT_FAILONERROR:
+     /*
+-- 
+2.25.4
+
+
+From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Jul 2020 11:54:29 +0200
+Subject: [PATCH 2/3] CURLOPT_NOBODY.3: clarify what setting to 0 means
+
+... and mention that HTTP with other methods than HEAD might get a body and
+there's no option available to stop that.
+
+Closes #5729
+
+Upstream-commit: e1bac81cc815f3fe968e009eb69b8e0236dcd82c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLOPT_NOBODY.3 | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
+index f720f49..3674dde 100644
+--- a/docs/libcurl/opts/CURLOPT_NOBODY.3
++++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -34,7 +34,17 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
+ libcurl do a HEAD request. For most other protocols it means just not asking
+ to transfer the body data.
+ 
+-Enabling this option means asking for a download but without a body.
++For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
++option (with 0) will make it a GET again - only if the method is still set to
++be HEAD. The proper way to get back to a GET request is to set
++\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
++options.
++
++Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
++
++If you do a transfer with HTTP that involves a method other than HEAD, you
++will get a body (unless the resource and server sends a zero byte body for the
++specific URL you request).
+ .SH DEFAULT
+ 0, the body is transferred
+ .SH PROTOCOLS
+@@ -43,9 +53,9 @@ Most
+ .nf
+ curl = curl_easy_init();
+ if(curl) {
+-  curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
++  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
+ 
+-  /* get us the resource without a body! */
++  /* get us the resource without a body - use HEAD! */
+   curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
+ 
+   /* Perform the request */
+@@ -57,5 +67,5 @@ Always
+ .SH RETURN VALUE
+ Returns CURLE_OK
+ .SH "SEE ALSO"
+-.BR CURLOPT_HTTPGET "(3), " CURLOPT_POST "(3), "
+-.BR CURLOPT_REQUEST_TARGET "(3), "
++.BR CURLOPT_HTTPGET "(3), " CURLOPT_POSTFIELDS "(3), " CURLOPT_UPLOAD "(3), "
++.BR CURLOPT_REQUEST_TARGET "(3), " CURLOPT_MIMEPOST "(3), "
+-- 
+2.25.4
+
+
+From cc8e488c83254013a0ad1149a77565723aee870b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Jul 2020 23:59:00 +0200
+Subject: [PATCH 3/3] CURLOPT_NOBODY.3: fix the syntax for referring to options
+
+As test 1140 fails otherwise!
+
+Follow-up to e1bac81cc815
+
+Upstream-commit: 34e5ad21d2cb98475acdbf7a3a6ea973d8c12249
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLOPT_NOBODY.3 | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
+index 3674dde..112fb1a 100644
+--- a/docs/libcurl/opts/CURLOPT_NOBODY.3
++++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
+@@ -34,13 +34,13 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
+ libcurl do a HEAD request. For most other protocols it means just not asking
+ to transfer the body data.
+ 
+-For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
++For HTTP operations when \fICURLOPT_NOBODY(3)\fP has been set, unsetting the
+ option (with 0) will make it a GET again - only if the method is still set to
+ be HEAD. The proper way to get back to a GET request is to set
+-\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
++\fICURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
+ options.
+ 
+-Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
++Enabling \fICURLOPT_NOBODY(3)\fP means asking for a download without a body.
+ 
+ If you do a transfer with HTTP that involves a method other than HEAD, you
+ will get a body (unless the resource and server sends a zero byte body for the
+-- 
+2.25.4
+

0004-curl-7.71.1-CVE-2020-8231.patch

@@ -0,0 +1,281 @@
+From 6830828c9eecd9ab14404f2f49f19b56dec62130 Mon Sep 17 00:00:00 2001
+From: Marc Aldorasi <marc@groundctl.com>
+Date: Thu, 30 Jul 2020 14:16:17 -0400
+Subject: [PATCH 1/2] multi_remove_handle: close unused connect-only
+ connections
+
+Previously any connect-only connections in a multi handle would be kept
+alive until the multi handle was closed.  Since these connections cannot
+be re-used, they can be marked for closure when the associated easy
+handle is removed from the multi handle.
+
+Closes #5749
+
+Upstream-commit: d5bb459ccf1fc5980ae4b95c05b4ecf6454a7599
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/multi.c         | 34 ++++++++++++++++++++++++++++++----
+ tests/data/test1554 |  6 ++++++
+ 2 files changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 249e360..f1371bd 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -689,6 +689,26 @@ static CURLcode multi_done(struct Curl_easy *data,
+   return result;
+ }
+ 
++static int close_connect_only(struct connectdata *conn, void *param)
++{
++  struct Curl_easy *data = param;
++
++  if(data->state.lastconnect != conn)
++    return 0;
++
++  if(conn->data != data)
++    return 1;
++  conn->data = NULL;
++
++  if(!conn->bits.connect_only)
++    return 1;
++
++  connclose(conn, "Removing connect-only easy handle");
++  conn->bits.connect_only = FALSE;
++
++  return 1;
++}
++
+ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+                                    struct Curl_easy *data)
+ {
+@@ -776,10 +796,6 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+      multi_done() as that may actually call Curl_expire that uses this */
+   Curl_llist_destroy(&data->state.timeoutlist, NULL);
+ 
+-  /* as this was using a shared connection cache we clear the pointer to that
+-     since we're not part of that multi handle anymore */
+-  data->state.conn_cache = NULL;
+-
+   /* change state without using multistate(), only to make singlesocket() do
+      what we want */
+   data->mstate = CURLM_STATE_COMPLETED;
+@@ -789,12 +805,22 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+   /* Remove the association between the connection and the handle */
+   Curl_detach_connnection(data);
+ 
++  if(data->state.lastconnect) {
++    /* Mark any connect-only connection for closure */
++    Curl_conncache_foreach(data, data->state.conn_cache,
++                           data, &close_connect_only);
++  }
++
+ #ifdef USE_LIBPSL
+   /* Remove the PSL association. */
+   if(data->psl == &multi->psl)
+     data->psl = NULL;
+ #endif
+ 
++  /* as this was using a shared connection cache we clear the pointer to that
++     since we're not part of that multi handle anymore */
++  data->state.conn_cache = NULL;
++
+   data->multi = NULL; /* clear the association to this multi handle */
+ 
+   /* make sure there's no pending message in the queue sent from this easy
+diff --git a/tests/data/test1554 b/tests/data/test1554
+index d3926d9..fffa6ad 100644
+--- a/tests/data/test1554
++++ b/tests/data/test1554
+@@ -50,6 +50,8 @@ run 1: foobar and so on fun!
+ <- Mutex unlock
+ -> Mutex lock
+ <- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+ run 1: foobar and so on fun!
+ -> Mutex lock
+ <- Mutex unlock
+@@ -65,6 +67,8 @@ run 1: foobar and so on fun!
+ <- Mutex unlock
+ -> Mutex lock
+ <- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+ run 1: foobar and so on fun!
+ -> Mutex lock
+ <- Mutex unlock
+@@ -74,6 +78,8 @@ run 1: foobar and so on fun!
+ <- Mutex unlock
+ -> Mutex lock
+ <- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+ </datacheck>
+ </reply>
+ 
+-- 
+2.25.4
+
+
+From 01148ee40dd913a169435b0f9ea90e6393821e70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 16 Aug 2020 11:34:35 +0200
+Subject: [PATCH 2/2] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+Closes #5824
+
+Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/connect.c | 19 ++++++++++---------
+ lib/easy.c    |  3 +--
+ lib/multi.c   |  9 +++++----
+ lib/url.c     |  2 +-
+ lib/urldata.h |  2 +-
+ 5 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 29293f0..e1c5662 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1363,15 +1363,15 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
+ }
+ 
+ struct connfind {
+-  struct connectdata *tofind;
+-  bool found;
++  long id_tofind;
++  struct connectdata *found;
+ };
+ 
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+   struct connfind *f = (struct connfind *)param;
+-  if(conn == f->tofind) {
+-    f->found = TRUE;
++  if(conn->connection_id == f->id_tofind) {
++    f->found = conn;
+     return 1;
+   }
+   return 0;
+@@ -1393,21 +1393,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+    * - that is associated with a multi handle, and whose connection
+    *   was detached with CURLOPT_CONNECT_ONLY
+    */
+-  if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+-    struct connectdata *c = data->state.lastconnect;
++  if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++    struct connectdata *c;
+     struct connfind find;
+-    find.tofind = data->state.lastconnect;
+-    find.found = FALSE;
++    find.id_tofind = data->state.lastconnect_id;
++    find.found = NULL;
+ 
+     Curl_conncache_foreach(data, data->multi_easy?
+                            &data->multi_easy->conn_cache:
+                            &data->multi->conn_cache, &find, conn_is_conn);
+ 
+     if(!find.found) {
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+       return CURL_SOCKET_BAD;
+     }
+ 
++    c = find.found;
+     if(connp) {
+       /* only store this if the caller cares for it */
+       *connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index 292cca7..a69eb9e 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -838,8 +838,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+ 
+   /* the connection cache is setup on demand */
+   outcurl->state.conn_cache = NULL;
+-
+-  outcurl->state.lastconnect = NULL;
++  outcurl->state.lastconnect_id = -1;
+ 
+   outcurl->progress.flags    = data->progress.flags;
+   outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index f1371bd..778c537 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -455,6 +455,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+     data->state.conn_cache = &data->share->conn_cache;
+   else
+     data->state.conn_cache = &multi->conn_cache;
++  data->state.lastconnect_id = -1;
+ 
+ #ifdef USE_LIBPSL
+   /* Do the same for PSL. */
+@@ -677,11 +678,11 @@ static CURLcode multi_done(struct Curl_easy *data,
+     CONNCACHE_UNLOCK(data);
+     if(Curl_conncache_return_conn(data, conn)) {
+       /* remember the most recently used connection */
+-      data->state.lastconnect = conn;
++      data->state.lastconnect_id = conn->connection_id;
+       infof(data, "%s\n", buffer);
+     }
+     else
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+   }
+ 
+   Curl_safefree(data->state.buffer);
+@@ -693,7 +694,7 @@ static int close_connect_only(struct connectdata *conn, void *param)
+ {
+   struct Curl_easy *data = param;
+ 
+-  if(data->state.lastconnect != conn)
++  if(data->state.lastconnect_id != conn->connection_id)
+     return 0;
+ 
+   if(conn->data != data)
+@@ -805,7 +806,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+   /* Remove the association between the connection and the handle */
+   Curl_detach_connnection(data);
+ 
+-  if(data->state.lastconnect) {
++  if(data->state.lastconnect_id != -1) {
+     /* Mark any connect-only connection for closure */
+     Curl_conncache_foreach(data, data->state.conn_cache,
+                            data, &close_connect_only);
+diff --git a/lib/url.c b/lib/url.c
+index a1a6b69..2919a3d 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -630,7 +630,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+     Curl_initinfo(data);
+ 
+     /* most recent connection is not yet defined */
+-    data->state.lastconnect = NULL;
++    data->state.lastconnect_id = -1;
+ 
+     data->progress.flags |= PGRS_HIDE;
+     data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f80a02d..6d8eb69 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1300,7 +1300,7 @@ struct UrlState {
+   /* buffers to store authentication data in, as parsed from input options */
+   struct curltime keeps_speed; /* for the progress meter really */
+ 
+-  struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++  long lastconnect_id; /* The last connection, -1 if undefined */
+   struct dynbuf headerb; /* buffer to store headers in */
+ 
+   char *buffer; /* download buffer */
+-- 
+2.25.4
+

0005-curl-7.71.1-CVE-2020-8284.patch

@@ -0,0 +1,208 @@
+From c7cc15980d50a51857de66b701b7762789139b46 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 24 Nov 2020 14:56:57 +0100
+Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
+
+The command line tool also independently sets --ftp-skip-pasv-ip by
+default.
+
+Ten test cases updated to adapt the modified --libcurl output.
+
+Bug: https://curl.se/docs/CVE-2020-8284.html
+CVE-2020-8284
+
+Reported-by: Varnavas Papaioannou
+
+Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/cmdline-opts/ftp-skip-pasv-ip.d         | 2 ++
+ docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
+ lib/url.c                                    | 1 +
+ src/tool_cfgable.c                           | 1 +
+ tests/data/test1400                          | 1 +
+ tests/data/test1401                          | 1 +
+ tests/data/test1402                          | 1 +
+ tests/data/test1403                          | 1 +
+ tests/data/test1404                          | 1 +
+ tests/data/test1405                          | 1 +
+ tests/data/test1406                          | 1 +
+ tests/data/test1407                          | 1 +
+ tests/data/test1420                          | 1 +
+ 13 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+index da6ab11..4be8b43 100644
+--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
++++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
+ will re-use the same IP address it already uses for the control
+ connection.
+ 
++Since curl 7.74.0 this option is enabled by default.
++
+ This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+index e68d2e7..29bc672 100644
+--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
++++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port
+ number from the 227-response.
+ 
+ This option thus allows libcurl to work around broken server installations
+-that due to NATs, firewalls or incompetence report the wrong IP address back.
++that due to NATs, firewalls or incompetence report the wrong IP address
++back. Setting the option also reduces the risk for various sorts of client
++abuse by malicious servers.
+ 
+ This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+ .SH DEFAULT
+-0
++1 since 7.74.0, was 0 before then.
+ .SH PROTOCOLS
+ FTP
+ .SH EXAMPLE
+diff --git a/lib/url.c b/lib/url.c
+index 2919a3d..41029d6 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -480,6 +480,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+   set->ftp_use_eprt = TRUE;   /* FTP defaults to EPRT operations */
+   set->ftp_use_pret = FALSE;  /* mainly useful for drftpd servers */
+   set->ftp_filemethod = FTPFILE_MULTICWD;
++  set->ftp_skip_ip = TRUE;    /* skip PASV IP by default */
+ #endif
+   set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
+ 
+diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
+index 63bdeaa..22770c4 100644
+--- a/src/tool_cfgable.c
++++ b/src/tool_cfgable.c
+@@ -44,6 +44,7 @@ void config_init(struct OperationConfig *config)
+   config->tcp_nodelay = TRUE; /* enabled by default */
+   config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
+   config->http09_allowed = FALSE;
++  config->ftp_skip_ip = TRUE;
+ }
+ 
+ static void free_config_fields(struct OperationConfig *config)
+diff --git a/tests/data/test1400 b/tests/data/test1400
+index c0d409b..ade50d4 100644
+--- a/tests/data/test1400
++++ b/tests/data/test1400
+@@ -76,6 +76,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1401 b/tests/data/test1401
+index ec3b25c..a2e9ef2 100644
+--- a/tests/data/test1401
++++ b/tests/data/test1401
+@@ -90,6 +90,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+   curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
+                                            (long)CURLPROTO_FTP |
+diff --git a/tests/data/test1402 b/tests/data/test1402
+index bf7eb7b..99d4b70 100644
+--- a/tests/data/test1402
++++ b/tests/data/test1402
+@@ -81,6 +81,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1403 b/tests/data/test1403
+index 731d274..90f9b4e 100644
+--- a/tests/data/test1403
++++ b/tests/data/test1403
+@@ -76,6 +76,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1404 b/tests/data/test1404
+index d3c66a9..d351c3e 100644
+--- a/tests/data/test1404
++++ b/tests/data/test1404
+@@ -147,6 +147,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1405 b/tests/data/test1405
+index dcc8f80..d1ebb7c 100644
+--- a/tests/data/test1405
++++ b/tests/data/test1405
+@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
+   curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1406 b/tests/data/test1406
+index 8803c84..31db82a 100644
+--- a/tests/data/test1406
++++ b/tests/data/test1406
+@@ -79,6 +79,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
+   curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+   curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
+   curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
+diff --git a/tests/data/test1407 b/tests/data/test1407
+index 917a5de..d329509 100644
+--- a/tests/data/test1407
++++ b/tests/data/test1407
+@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
+   curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1420 b/tests/data/test1420
+index 03c4584..c1ba190 100644
+--- a/tests/data/test1420
++++ b/tests/data/test1420
+@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
+   curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1");
+   curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ 
+   /* Here is a list of options the curl code used that cannot get generated
+-- 
+2.26.2
+

0007-curl-7.71.1-CVE-2020-8286.patch

@@ -0,0 +1,129 @@
+From 2ad3b3d39e45a9eeaf6845f393928ef0095893e7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Dec 2020 23:01:11 +0100
+Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
+
+CVE-2020-8286
+
+Reported by anonymous
+
+Bug: https://curl.se/docs/CVE-2020-8286.html
+
+Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 54 insertions(+), 29 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 2e9f900..5803fd1 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1775,6 +1775,11 @@ static CURLcode verifystatus(struct connectdata *conn,
+   X509_STORE     *st = NULL;
+   STACK_OF(X509) *ch = NULL;
+   struct ssl_backend_data *backend = connssl->backend;
++  X509 *cert;
++  OCSP_CERTID *id = NULL;
++  int cert_status, crl_reason;
++  ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++  int ret;
+ 
+   long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
+ 
+@@ -1843,43 +1848,63 @@ static CURLcode verifystatus(struct connectdata *conn,
+     goto end;
+   }
+ 
+-  for(i = 0; i < OCSP_resp_count(br); i++) {
+-    int cert_status, crl_reason;
+-    OCSP_SINGLERESP *single = NULL;
+-
+-    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++  /* Compute the certificate's ID */
++  cert = SSL_get_peer_certificate(backend->handle);
++  if(!cert) {
++    failf(data, "Error getting peer certficate");
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
++  }
+ 
+-    single = OCSP_resp_get0(br, i);
+-    if(!single)
+-      continue;
++  for(i = 0; i < sk_X509_num(ch); i++) {
++    X509 *issuer = sk_X509_value(ch, i);
++    if(X509_check_issued(issuer, cert) == X509_V_OK) {
++      id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
++      break;
++    }
++  }
++  X509_free(cert);
+ 
+-    cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
+-                                          &thisupd, &nextupd);
++  if(!id) {
++    failf(data, "Error computing OCSP ID");
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
++  }
+ 
+-    if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+-      failf(data, "OCSP response has expired");
+-      result = CURLE_SSL_INVALIDCERTSTATUS;
+-      goto end;
+-    }
++  /* Find the single OCSP response corresponding to the certificate ID */
++  ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
++                              &thisupd, &nextupd);
++  OCSP_CERTID_free(id);
++  if(ret != 1) {
++    failf(data, "Could not find certificate ID in OCSP response");
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
++  }
+ 
+-    infof(data, "SSL certificate status: %s (%d)\n",
+-          OCSP_cert_status_str(cert_status), cert_status);
++  /* Validate the corresponding single OCSP response */
++  if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
++    failf(data, "OCSP response has expired");
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
++  }
+ 
+-    switch(cert_status) {
+-      case V_OCSP_CERTSTATUS_GOOD:
+-        break;
++  infof(data, "SSL certificate status: %s (%d)\n",
++        OCSP_cert_status_str(cert_status), cert_status);
+ 
+-      case V_OCSP_CERTSTATUS_REVOKED:
+-        result = CURLE_SSL_INVALIDCERTSTATUS;
++  switch(cert_status) {
++  case V_OCSP_CERTSTATUS_GOOD:
++    break;
+ 
+-        failf(data, "SSL certificate revocation reason: %s (%d)",
+-              OCSP_crl_reason_str(crl_reason), crl_reason);
+-        goto end;
++  case V_OCSP_CERTSTATUS_REVOKED:
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    failf(data, "SSL certificate revocation reason: %s (%d)",
++          OCSP_crl_reason_str(crl_reason), crl_reason);
++    goto end;
+ 
+-      case V_OCSP_CERTSTATUS_UNKNOWN:
+-        result = CURLE_SSL_INVALIDCERTSTATUS;
+-        goto end;
+-    }
++  case V_OCSP_CERTSTATUS_UNKNOWN:
++  default:
++    result = CURLE_SSL_INVALIDCERTSTATUS;
++    goto end;
+   }
+ 
+ end:
+-- 
+2.26.2
+

0008-curl-7.71.1-CVE-2021-22876.patch

@@ -0,0 +1,64 @@
+From 1c875f3e08124c32205a7d33b5c10256ff9352cc Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Tue, 23 Feb 2021 14:54:46 +0100
+Subject: [PATCH] transfer: strip credentials from the auto-referer header
+ field
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+
+Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/transfer.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 44104ab..3325a0e 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1582,6 +1582,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       data->set.followlocation++; /* count location-followers */
+ 
+       if(data->set.http_auto_referer) {
++        CURLU *u;
++        char *referer;
++
+         /* We are asked to automatically set the previous URL as the referer
+            when we get the next URL. We pick the ->url field, which may or may
+            not be 100% correct */
+@@ -1591,9 +1594,26 @@ CURLcode Curl_follow(struct Curl_easy *data,
+           data->change.referer_alloc = FALSE;
+         }
+ 
+-        data->change.referer = strdup(data->change.url);
+-        if(!data->change.referer)
++        /* Make a copy of the URL without crenditals and fragment */
++        u = curl_url();
++        if(!u)
++          return CURLE_OUT_OF_MEMORY;
++
++        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++        if(!uc)
++          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++        curl_url_cleanup(u);
++
++        if(uc || referer == NULL)
+           return CURLE_OUT_OF_MEMORY;
++        data->change.referer = referer;
+         data->change.referer_alloc = TRUE; /* yes, free this later */
+       }
+     }
+-- 
+2.26.3
+

0009-curl-7.71.1-CVE-2021-22890.patch

@@ -0,0 +1,217 @@
+From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 19 Mar 2021 12:38:49 +0100
+Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+
+CVE-2021-22890
+
+Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++-----------
+ lib/vtls/vtls.c    | 12 ++++++++---
+ lib/vtls/vtls.h    |  2 ++
+ 3 files changed, 51 insertions(+), 15 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 5803fd1..16276f3 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -360,12 +360,23 @@ static int ossl_get_ssl_conn_index(void)
+  */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+-  static int ssl_ex_data_sockindex_index = -1;
+-  if(ssl_ex_data_sockindex_index < 0) {
+-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+-        NULL);
++  static int sockindex_index = -1;
++  if(sockindex_index < 0) {
++    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+   }
+-  return ssl_ex_data_sockindex_index;
++  return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++  static int proxy_index = -1;
++  if(proxy_index < 0) {
++    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++  }
++  return proxy_index;
+ }
+ 
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1133,7 +1144,8 @@ static int Curl_ossl_init(void)
+   Curl_tls_keylog_open();
+ 
+   /* Initialize the extra data indexes */
+-  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
++  if(ossl_get_ssl_conn_index() < 0 ||
++     ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
+     return 0;
+ 
+   return 1;
+@@ -2425,8 +2437,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   curl_socket_t *sockindex_ptr;
+   int connectdata_idx = ossl_get_ssl_conn_index();
+   int sockindex_idx = ossl_get_ssl_sockindex_index();
++  int proxy_idx = ossl_get_proxy_index();
++  bool isproxy;
+ 
+-  if(connectdata_idx < 0 || sockindex_idx < 0)
++  if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+     return 0;
+ 
+   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2439,13 +2453,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+   sockindex = (int)(sockindex_ptr - conn->sock);
+ 
++  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     void *old_ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+-                                      sockindex));
++    if(isproxy)
++      incache = FALSE;
++    else
++      incache = !(Curl_ssl_getsessionid(conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -2455,7 +2474,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+     }
+ 
+     if(!incache) {
+-      if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
++      if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+                                       0 /* unknown size */, sockindex)) {
+         /* the session has been put into the session cache */
+         res = 1;
+@@ -3170,16 +3189,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+     void *ssl_sessionid = NULL;
+     int connectdata_idx = ossl_get_ssl_conn_index();
+     int sockindex_idx = ossl_get_ssl_sockindex_index();
++    int proxy_idx = ossl_get_proxy_index();
+ 
+-    if(connectdata_idx >= 0 && sockindex_idx >= 0) {
++    if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
+       /* Store the data needed for the "new session" callback.
+        * The sockindex is stored as a pointer to an array element. */
+       SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+       SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++                      NULL);
++#else
++      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++
+     }
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(conn);
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index c3a55fb..e50fdd2 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -358,6 +358,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
+  * there's one suitable, it is provided. Returns TRUE when no entry matched.
+  */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++                           const bool isProxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex)
+@@ -369,7 +370,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+   bool no_match = TRUE;
+ 
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -381,10 +381,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+   const char * const name = conn->host.name;
+   int port = conn->remote_port;
+-  (void)sockindex;
+ #endif
++  (void)sockindex;
+   *ssl_sessionid = NULL;
+ 
++#ifdef CURL_DISABLE_PROXY
++  if(isProxy)
++    return TRUE;
++#endif
++
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   if(!SSL_SET_OPTION(primary.sessionid))
+@@ -472,6 +477,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
+  * later on.
+  */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++                               bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex)
+@@ -485,7 +491,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+   int conn_to_port;
+   long *general_age;
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -498,6 +503,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+   const char *hostname = conn->host.name;
+   (void)sockindex;
+ #endif
++  (void)sockindex;
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   clone_host = strdup(hostname);
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index bcc8444..343cad0 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -203,6 +203,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
+  * under sessionid mutex).
+  */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++                           const bool isproxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex);
+@@ -212,6 +213,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+  * object with cache (e.g. incrementing refcount on success)
+  */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++                               const bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex);
+-- 
+2.26.3
+

0010-curl-7.71.1-CVE-2021-22924.patch

@@ -0,0 +1,788 @@
+From c3e2c52593b94bd93775b50063e1d54bc7b1b911 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 18 Feb 2021 10:13:56 +0100
+Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names
+
+It doesn't provide any useful info but only makes the names longer.
+
+Closes #6624
+
+Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/doh.c            | 12 ++++++------
+ lib/setopt.c         | 38 +++++++++++++++++++-------------------
+ lib/url.c            | 42 +++++++++++++++++++++---------------------
+ lib/urldata.h        | 34 +++++++++++++++++-----------------
+ lib/vtls/gskit.c     |  2 +-
+ lib/vtls/gtls.c      |  2 +-
+ lib/vtls/mbedtls.c   |  4 ++--
+ lib/vtls/nss.c       |  2 +-
+ lib/vtls/openssl.c   |  2 +-
+ lib/vtls/schannel.c  |  2 +-
+ lib/vtls/sectransp.c |  7 ++++---
+ lib/vtls/wolfssl.c   |  4 ++--
+ 12 files changed, 76 insertions(+), 75 deletions(-)
+
+diff --git a/lib/doh.c b/lib/doh.c
+index ebb2c24..cbd34f6 100644
+--- a/lib/doh.c
++++ b/lib/doh.c
+@@ -318,17 +318,17 @@ static CURLcode dohprobe(struct Curl_easy *data,
+       ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L);
+     if(data->set.ssl.primary.verifystatus)
+       ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L);
+-    if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
++    if(data->set.str[STRING_SSL_CAFILE]) {
+       ERROR_CHECK_SETOPT(CURLOPT_CAINFO,
+-        data->set.str[STRING_SSL_CAFILE_ORIG]);
++        data->set.str[STRING_SSL_CAFILE]);
+     }
+-    if(data->set.str[STRING_SSL_CAPATH_ORIG]) {
++    if(data->set.str[STRING_SSL_CAPATH]) {
+       ERROR_CHECK_SETOPT(CURLOPT_CAPATH,
+-        data->set.str[STRING_SSL_CAPATH_ORIG]);
++        data->set.str[STRING_SSL_CAPATH]);
+     }
+-    if(data->set.str[STRING_SSL_CRLFILE_ORIG]) {
++    if(data->set.str[STRING_SSL_CRLFILE]) {
+       ERROR_CHECK_SETOPT(CURLOPT_CRLFILE,
+-        data->set.str[STRING_SSL_CRLFILE_ORIG]);
++        data->set.str[STRING_SSL_CRLFILE]);
+     }
+     if(data->set.ssl.certinfo)
+       ERROR_CHECK_SETOPT(CURLOPT_CERTINFO, 1L);
+diff --git a/lib/setopt.c b/lib/setopt.c
+index d621335..58d92e2 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -174,7 +174,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     break;
+   case CURLOPT_SSL_CIPHER_LIST:
+     /* set a list of cipher we want to use in the SSL connection */
+-    result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
+                             va_arg(param, char *));
+     break;
+ #ifndef CURL_DISABLE_PROXY
+@@ -187,7 +187,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+   case CURLOPT_TLS13_CIPHERS:
+     if(Curl_ssl_tls13_ciphersuites()) {
+       /* set preferred list of TLS 1.3 cipher suites */
+-      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
++      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST],
+                               va_arg(param, char *));
+     }
+     else
+@@ -1643,14 +1643,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     /*
+      * String that holds file name of the SSL certificate to use
+      */
+-    result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_CERT],
+                             va_arg(param, char *));
+     break;
+   case CURLOPT_SSLCERT_BLOB:
+     /*
+      * Blob that holds file name of the SSL certificate to use
+      */
+-    result = Curl_setblobopt(&data->set.blobs[BLOB_CERT_ORIG],
++    result = Curl_setblobopt(&data->set.blobs[BLOB_CERT],
+                              va_arg(param, struct curl_blob *));
+     break;
+ #ifndef CURL_DISABLE_PROXY
+@@ -1673,7 +1673,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     /*
+      * String that holds file type of the SSL certificate to use
+      */
+-    result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE],
+                             va_arg(param, char *));
+     break;
+ #ifndef CURL_DISABLE_PROXY
+@@ -1689,14 +1689,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     /*
+      * String that holds file name of the SSL key to use
+      */
+-    result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_KEY],
+                             va_arg(param, char *));
+     break;
+   case CURLOPT_SSLKEY_BLOB:
+     /*
+      * Blob that holds file name of the SSL key to use
+      */
+-    result = Curl_setblobopt(&data->set.blobs[BLOB_KEY_ORIG],
++    result = Curl_setblobopt(&data->set.blobs[BLOB_KEY],
+                              va_arg(param, struct curl_blob *));
+     break;
+ #ifndef CURL_DISABLE_PROXY
+@@ -1719,7 +1719,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     /*
+      * String that holds file type of the SSL key to use
+      */
+-    result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE],
+                             va_arg(param, char *));
+     break;
+ #ifndef CURL_DISABLE_PROXY
+@@ -1735,7 +1735,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     /*
+      * String that holds the SSL or SSH private key password.
+      */
+-    result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD],
+                             va_arg(param, char *));
+     break;
+ #ifndef CURL_DISABLE_PROXY
+@@ -1944,7 +1944,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+      */
+ #ifdef USE_SSL
+     if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY)
+-      result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
++      result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],
+                               va_arg(param, char *));
+     else
+ #endif
+@@ -1969,7 +1969,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     /*
+      * Set CA info for SSL connection. Specify file name of the CA certificate
+      */
+-    result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE],
+                             va_arg(param, char *));
+     break;
+ #ifndef CURL_DISABLE_PROXY
+@@ -1990,7 +1990,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ #ifdef USE_SSL
+     if(Curl_ssl->supports & SSLSUPP_CA_PATH)
+       /* This does not work on windows. */
+-      result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],
++      result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH],
+                               va_arg(param, char *));
+     else
+ #endif
+@@ -2017,7 +2017,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+      * Set CRL file info for SSL connection. Specify file name of the CRL
+      * to check certificates revocation
+      */
+-    result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE],
+                             va_arg(param, char *));
+     break;
+ #ifndef CURL_DISABLE_PROXY
+@@ -2035,14 +2035,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+      * Set Issuer certificate file
+      * to check certificates issuer
+      */
+-    result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT],
+                             va_arg(param, char *));
+     break;
+   case CURLOPT_ISSUERCERT_BLOB:
+     /*
+      * Blob that holds Issuer certificate to check certificates issuer
+      */
+-    result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG],
++    result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT],
+                              va_arg(param, struct curl_blob *));
+     break;
+ #ifndef CURL_DISABLE_PROXY
+@@ -2638,9 +2638,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ #endif
+ #ifdef USE_TLS_SRP
+   case CURLOPT_TLSAUTH_USERNAME:
+-    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
++    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
+   case CURLOPT_PROXY_TLSAUTH_USERNAME:
+@@ -2653,9 +2653,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ #endif
+     break;
+   case CURLOPT_TLSAUTH_PASSWORD:
+-    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
++    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
++    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
+   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+diff --git a/lib/url.c b/lib/url.c
+index 307b66e..dd18c63 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -543,7 +543,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+    */
+   if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
+ #if defined(CURL_CA_BUNDLE)
+-    result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
++    result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE);
+     if(result)
+       return result;
+ 
+@@ -553,7 +553,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+       return result;
+ #endif
+ #if defined(CURL_CA_PATH)
+-    result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH);
++    result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH);
+     if(result)
+       return result;
+ 
+@@ -3600,17 +3600,17 @@ static CURLcode create_conn(struct Curl_easy *data,
+      that will be freed as part of the Curl_easy struct, but all cloned
+      copies will be separately allocated.
+   */
+-  data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG];
+-  data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
++  data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
++  data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
+   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+   data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+   data->set.ssl.primary.cipher_list =
+-    data->set.str[STRING_SSL_CIPHER_LIST_ORIG];
++    data->set.str[STRING_SSL_CIPHER_LIST];
+   data->set.ssl.primary.cipher_list13 =
+-    data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
++    data->set.str[STRING_SSL_CIPHER13_LIST];
+   data->set.ssl.primary.pinned_key =
+-    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
+-  data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
++    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
++  data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
+ 
+ #ifndef CURL_DISABLE_PROXY
+   data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+@@ -3636,26 +3636,26 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
+   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+-  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+-  data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
+-  data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+-  data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
+-  data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
+-  data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG];
+-  data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
++  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
++  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
++  data->set.ssl.cert = data->set.str[STRING_CERT];
++  data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
++  data->set.ssl.key = data->set.str[STRING_KEY];
++  data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
++  data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
++  data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+-  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
+-  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
++  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
++  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #ifndef CURL_DISABLE_PROXY
+   data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+   data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ #endif
+ 
+-  data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
+-  data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG];
+-  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];
++  data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT];
++  data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
++  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
+ 
+   if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
+                                     &conn->ssl_config)) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index df9d998..0fb046f 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1491,9 +1491,9 @@ struct Curl_multi;    /* declared and used only in multi.c */
+  * are catered for in curl_easy_setopt_ccsid()
+  */
+ enum dupstring {
+-  STRING_CERT_ORIG,       /* client certificate file name */
++  STRING_CERT,            /* client certificate file name */
+   STRING_CERT_PROXY,      /* client certificate file name */
+-  STRING_CERT_TYPE_ORIG,  /* format for certificate (default: PEM)*/
++  STRING_CERT_TYPE,       /* format for certificate (default: PEM)*/
+   STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/
+   STRING_COOKIE,          /* HTTP cookie string to send */
+   STRING_COOKIEJAR,       /* dump all cookies to this file */
+@@ -1504,11 +1504,11 @@ enum dupstring {
+   STRING_FTP_ACCOUNT,     /* ftp account data */
+   STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */
+   STRING_FTPPORT,         /* port to send with the FTP PORT command */
+-  STRING_KEY_ORIG,        /* private key file name */
++  STRING_KEY,             /* private key file name */
+   STRING_KEY_PROXY,       /* private key file name */
+-  STRING_KEY_PASSWD_ORIG, /* plain text private key password */
++  STRING_KEY_PASSWD,      /* plain text private key password */
+   STRING_KEY_PASSWD_PROXY, /* plain text private key password */
+-  STRING_KEY_TYPE_ORIG,   /* format for private key (default: PEM) */
++  STRING_KEY_TYPE,        /* format for private key (default: PEM) */
+   STRING_KEY_TYPE_PROXY,  /* format for private key (default: PEM) */
+   STRING_KRB_LEVEL,       /* krb security level */
+   STRING_NETRC_FILE,      /* if not NULL, use this instead of trying to find
+@@ -1518,22 +1518,22 @@ enum dupstring {
+   STRING_SET_RANGE,       /* range, if used */
+   STRING_SET_REFERER,     /* custom string for the HTTP referer field */
+   STRING_SET_URL,         /* what original URL to work on */
+-  STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */
++  STRING_SSL_CAPATH,      /* CA directory name (doesn't work on windows) */
+   STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */
+-  STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */
++  STRING_SSL_CAFILE,      /* certificate file to verify peer against */
+   STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */
+-  STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */
++  STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */
+   STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
+-  STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
++  STRING_SSL_CIPHER_LIST, /* list of ciphers to use */
+   STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
+-  STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
++  STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */
+   STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
+   STRING_SSL_EGDSOCKET,   /* path to file containing the EGD daemon socket */
+   STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
+   STRING_USERAGENT,       /* User-Agent string */
+-  STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */
++  STRING_SSL_CRLFILE,     /* crl file to check certificate */
+   STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */
+-  STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */
++  STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */
+   STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */
+   STRING_SSL_ENGINE,      /* name of ssl engine */
+   STRING_USERNAME,        /* <username>, if used */
+@@ -1557,9 +1557,9 @@ enum dupstring {
+   STRING_MAIL_FROM,
+   STRING_MAIL_AUTH,
+ 
+-  STRING_TLSAUTH_USERNAME_ORIG,  /* TLS auth <username> */
++  STRING_TLSAUTH_USERNAME,  /* TLS auth <username> */
+   STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth <username> */
+-  STRING_TLSAUTH_PASSWORD_ORIG,  /* TLS auth <password> */
++  STRING_TLSAUTH_PASSWORD,  /* TLS auth <password> */
+   STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth <password> */
+ 
+   STRING_BEARER,                /* <bearer>, if used */
+@@ -1593,11 +1593,11 @@ enum dupstring {
+ };
+ 
+ enum dupblob {
+-  BLOB_CERT_ORIG,
++  BLOB_CERT,
+   BLOB_CERT_PROXY,
+-  BLOB_KEY_ORIG,
++  BLOB_KEY,
+   BLOB_KEY_PROXY,
+-  BLOB_SSL_ISSUERCERT_ORIG,
++  BLOB_SSL_ISSUERCERT,
+   BLOB_SSL_ISSUERCERT_PROXY,
+   BLOB_LAST
+ };
+diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
+index 0538e4a..de9a9db 100644
+--- a/lib/vtls/gskit.c
++++ b/lib/vtls/gskit.c
+@@ -1039,7 +1039,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
+ 
+   /* Check pinned public key. */
+   ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+-                         data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+   if(!result && ptr) {
+     curl_X509certificate x509;
+     curl_asn1Element *p;
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 9b4c365..2ce5749 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -1184,7 +1184,7 @@ gtls_connect_step3(struct connectdata *conn,
+   }
+ 
+   ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+-        data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+   if(ptr) {
+     result = pkp_pin_peer_pubkey(data, x509_cert, ptr);
+     if(result != CURLE_OK) {
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index 545f824..bf3683d 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -546,10 +546,10 @@ mbed_connect_step2(struct connectdata *conn,
+ #ifndef CURL_DISABLE_PROXY
+   const char * const pinnedpubkey = SSL_IS_PROXY() ?
+     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+-    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ #else
+   const char * const pinnedpubkey =
+-    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ #endif
+ 
+   conn->recv[sockindex] = mbed_recv;
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index fca2926..9dad33f 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2131,7 +2131,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+     &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
+   const char * const pinnedpubkey = SSL_IS_PROXY() ?
+               data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+-              data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++              data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ 
+ 
+   /* check timeout situation */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 16276f3..acf6577 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3965,7 +3965,7 @@ static CURLcode servercert(struct connectdata *conn,
+     result = CURLE_OK;
+ 
+   ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+-                         data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+   if(!result && ptr) {
+     result = pkp_pin_peer_pubkey(data, backend->server_cert, ptr);
+     if(result)
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 1996526..ba82513 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -1243,7 +1243,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
+ 
+   pubkey_ptr = SSL_IS_PROXY() ?
+     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+-    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+   if(pubkey_ptr) {
+     result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);
+     if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 2627aff..120df3a 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -2609,9 +2609,10 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
+     connssl->connecting_state = ssl_connect_3;
+ 
+ #ifdef SECTRANSP_PINNEDPUBKEY
+-    if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) {
+-      CURLcode result = pkp_pin_peer_pubkey(data, backend->ssl_ctx,
+-                            data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]);
++    if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
++      CURLcode result =
++        pkp_pin_peer_pubkey(data, backend->ssl_ctx,
++                            data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
+       if(result) {
+         failf(data, "SSL: public key does not match pinned public key!");
+         return result;
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index 7b2a124..fc41748 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -549,12 +549,12 @@ wolfssl_connect_step2(struct connectdata *conn,
+     conn->http_proxy.host.dispname : conn->host.dispname;
+   const char * const pinnedpubkey = SSL_IS_PROXY() ?
+     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
+-    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ #else
+   const char * const hostname = conn->host.name;
+   const char * const dispname = conn->host.dispname;
+   const char * const pinnedpubkey =
+-    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
++    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
+ #endif
+ 
+   conn->recv[sockindex] = wolfssl_recv;
+-- 
+2.31.1
+
+
+From fea46e2ddc6050b0aa008033325afbb0606d2b55 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 19 Jun 2021 00:42:28 +0200
+Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and
+ case sensitivity
+
+CVE-2021-22924
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+
+Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c          |  9 ++++++---
+ lib/urldata.h      |  4 ++--
+ lib/vtls/gtls.c    | 10 +++++-----
+ lib/vtls/nss.c     |  4 ++--
+ lib/vtls/openssl.c | 18 +++++++++---------
+ lib/vtls/vtls.c    | 26 +++++++++++++++++++++-----
+ 6 files changed, 45 insertions(+), 26 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index dd18c63..71e226e 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3602,6 +3602,8 @@ static CURLcode create_conn(struct Curl_easy *data,
+   */
+   data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
+   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
++  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
++  data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
+   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+   data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+   data->set.ssl.primary.cipher_list =
+@@ -3625,8 +3627,11 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.primary.pinned_key =
+     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
+   data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
++  data->set.proxy_ssl.primary.issuercert =
++    data->set.str[STRING_SSL_ISSUERCERT_PROXY];
++  data->set.proxy_ssl.primary.issuercert_blob =
++    data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+-  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+@@ -3637,7 +3642,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+   data->set.ssl.cert = data->set.str[STRING_CERT];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+   data->set.ssl.key = data->set.str[STRING_KEY];
+@@ -3655,7 +3659,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+ 
+   data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT];
+   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
+-  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
+ 
+   if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
+                                     &conn->ssl_config)) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 0fb046f..8b5b597 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -223,6 +223,7 @@ struct ssl_primary_config {
+   long version_max;      /* max supported version the client wants to use*/
+   char *CApath;          /* certificate dir (doesn't work on windows) */
+   char *CAfile;          /* certificate to verify peer against */
++  char *issuercert;      /* optional issuer certificate filename */
+   char *clientcert;
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+@@ -230,6 +231,7 @@ struct ssl_primary_config {
+   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
+   char *pinned_key;
+   struct curl_blob *cert_blob;
++  struct curl_blob *issuercert_blob;
+   BIT(verifypeer);       /* set TRUE if this is desired */
+   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
+   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
+@@ -240,8 +242,6 @@ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+   char *CRLfile;   /* CRL to check certificate revocation */
+-  char *issuercert;/* optional issuer certificate filename */
+-  struct curl_blob *issuercert_blob;
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert; /* client certificate file name */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 2ce5749..1b87085 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -851,7 +851,7 @@ gtls_connect_step3(struct connectdata *conn,
+   if(!chainp) {
+     if(SSL_CONN_CONFIG(verifypeer) ||
+        SSL_CONN_CONFIG(verifyhost) ||
+-       SSL_SET_OPTION(issuercert)) {
++       SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_TLS_SRP
+       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+          && SSL_SET_OPTION(username) != NULL
+@@ -1035,21 +1035,21 @@ gtls_connect_step3(struct connectdata *conn,
+        gnutls_x509_crt_t format */
+     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
++  if(SSL_CONN_CONFIG(issuercert)) {
+     gnutls_x509_crt_init(&x509_issuer);
+-    issuerp = load_file(SSL_SET_OPTION(issuercert));
++    issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+     gnutls_x509_crt_deinit(x509_issuer);
+     unload_file(issuerp);
+     if(rc <= 0) {
+       failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+-            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+       gnutls_x509_crt_deinit(x509_cert);
+       return CURLE_SSL_ISSUER_ERROR;
+     }
+     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+-          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+   }
+ 
+   size = sizeof(certname);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 9dad33f..d1b0016 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2159,9 +2159,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+   if(result)
+     goto error;
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
++  if(SSL_CONN_CONFIG(issuercert)) {
+     SECStatus ret = SECFailure;
+-    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
++    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+     if(nickname) {
+       /* we support only nicknames in case of issuercert for now */
+       ret = check_issuer_cert(backend->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index acf6577..56171ae 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3871,10 +3871,10 @@ static CURLcode servercert(struct connectdata *conn,
+        deallocating the certificate. */
+ 
+     /* e.g. match issuer name with provided issuer certificate */
+-    if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
+-      if(SSL_SET_OPTION(issuercert_blob))
+-        fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
+-                             (int)SSL_SET_OPTION(issuercert_blob)->len);
++    if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
++      if(SSL_CONN_CONFIG(issuercert_blob))
++        fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
++                             (int)SSL_CONN_CONFIG(issuercert_blob)->len);
+       else {
+         fp = BIO_new(BIO_s_file());
+         if(fp == NULL) {
+@@ -3888,10 +3888,10 @@ static CURLcode servercert(struct connectdata *conn,
+           return CURLE_OUT_OF_MEMORY;
+         }
+ 
+-        if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
++        if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+           if(strict)
+             failf(data, "SSL: Unable to open issuer cert (%s)",
+-                  SSL_SET_OPTION(issuercert));
++                  SSL_CONN_CONFIG(issuercert));
+           BIO_free(fp);
+           X509_free(backend->server_cert);
+           backend->server_cert = NULL;
+@@ -3903,7 +3903,7 @@ static CURLcode servercert(struct connectdata *conn,
+       if(!issuer) {
+         if(strict)
+           failf(data, "SSL: Unable to read issuer cert (%s)",
+-                SSL_SET_OPTION(issuercert));
++                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(backend->server_cert);
+@@ -3914,7 +3914,7 @@ static CURLcode servercert(struct connectdata *conn,
+       if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
+         if(strict)
+           failf(data, "SSL: Certificate issuer check failed (%s)",
+-                SSL_SET_OPTION(issuercert));
++                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(backend->server_cert);
+@@ -3923,7 +3923,7 @@ static CURLcode servercert(struct connectdata *conn,
+       }
+ 
+       infof(data, " SSL certificate issuer check ok (%s)\n",
+-            SSL_SET_OPTION(issuercert));
++            SSL_CONN_CONFIG(issuercert));
+       BIO_free(fp);
+       X509_free(issuer);
+     }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index e50fdd2..855ee66 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -121,6 +121,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+   return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+ 
++static bool safecmp(char *a, char *b)
++{
++  if(a && b)
++    return !strcmp(a, b);
++  else if(!a && !b)
++    return TRUE; /* match */
++  return FALSE; /* no match */
++}
++
++
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+                         struct ssl_primary_config *needle)
+@@ -131,11 +141,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&
+      blobcmp(data->cert_blob, needle->cert_blob) &&
+-     Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+-     Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+-     Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+-     Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+-     Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
++     blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
++     safecmp(data->CApath, needle->CApath) &&
++     safecmp(data->CAfile, needle->CAfile) &&
++     safecmp(data->issuercert, needle->issuercert) &&
++     safecmp(data->clientcert, needle->clientcert) &&
++     safecmp(data->random_file, needle->random_file) &&
++     safecmp(data->egdsocket, needle->egdsocket) &&
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+@@ -156,8 +168,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   dest->sessionid = source->sessionid;
+ 
+   CLONE_BLOB(cert_blob);
++  CLONE_BLOB(issuercert_blob);
+   CLONE_STRING(CApath);
+   CLONE_STRING(CAfile);
++  CLONE_STRING(issuercert);
+   CLONE_STRING(clientcert);
+   CLONE_STRING(random_file);
+   CLONE_STRING(egdsocket);
+@@ -172,6 +186,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+ {
+   Curl_safefree(sslc->CApath);
+   Curl_safefree(sslc->CAfile);
++  Curl_safefree(sslc->issuercert);
+   Curl_safefree(sslc->clientcert);
+   Curl_safefree(sslc->random_file);
+   Curl_safefree(sslc->egdsocket);
+@@ -179,6 +194,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+   Curl_safefree(sslc->cipher_list13);
+   Curl_safefree(sslc->pinned_key);
+   Curl_safefree(sslc->cert_blob);
++  Curl_safefree(sslc->issuercert_blob);
+ }
+ 
+ #ifdef USE_SSL
+-- 
+2.31.1
+

0011-curl-7.71.1-CVE-2021-22898.patch

@@ -0,0 +1,31 @@
+From ae2dc830fb37e9243dbdaf8b92e41df91f43b3f2 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE-2021-22898
+
+Bug: https://curl.se/docs/CVE-2021-22898.html
+
+Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 1fc5af1..ea6bc71 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,7 +967,7 @@ static void suboption(struct connectdata *conn)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+             msnprintf((char *)&temp[len], sizeof(temp) - len,
+                       "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+                       CURL_NEW_ENV_VALUE, varval);
+-- 
+2.31.1
+

0012-curl-7.71.1-CVE-2021-22925.patch

@@ -0,0 +1,47 @@
+From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 12 Jun 2021 18:25:15 +0200
+Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
+
+CVE-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+
+Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index ea6bc71..f8428b8 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+-            msnprintf((char *)&temp[len], sizeof(temp) - len,
+-                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+-                      CURL_NEW_ENV_VALUE, varval);
+-            len += tmplen;
+-          }
++          int rv;
++          char sep[2] = "";
++          varval[0] = 0;
++          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++          if(rv == 1)
++            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++                             "%c%s", CURL_NEW_ENV_VAR, varname);
++          else if(rv >= 2)
++            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++                             CURL_NEW_ENV_VALUE, varval);
+         }
+       }
+       msnprintf((char *)&temp[len], sizeof(temp) - len,
+-- 
+2.31.1
+

0013-curl-7.71.1-CVE-2021-22945.patch

@@ -0,0 +1,33 @@
+From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001
+From: z2_ on hackerone <>
+Date: Tue, 24 Aug 2021 09:50:33 +0200
+Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
+
+CVE-2021-22945
+
+Bug: https://curl.se/docs/CVE-2021-22945.html
+
+Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/mqtt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/mqtt.c b/lib/mqtt.c
+index d88fa73..f3fc045 100644
+--- a/lib/mqtt.c
++++ b/lib/mqtt.c
+@@ -123,6 +123,10 @@ static CURLcode mqtt_send(struct connectdata *conn,
+     mq->sendleftovers = sendleftovers;
+     mq->nsend = nsend;
+   }
++  else {
++    mq->sendleftovers = NULL;
++    mq->nsend = 0;
++  }
+   return result;
+ }
+ 
+-- 
+2.31.1
+

0014-curl-7.71.1-CVE-2021-22946.patch

@@ -0,0 +1,331 @@
+From 03ca8c6faca7de6628f9cbec3001ec6466c88d07 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Wed, 8 Sep 2021 11:56:22 +0200
+Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
+
+In imap and pop3, check if TLS is required even when capabilities
+request has failed.
+
+In ftp, ignore preauthentication (230 status of server greeting) if TLS
+is required.
+
+Bug: https://curl.se/docs/CVE-2021-22946.html
+
+CVE-2021-22946
+
+Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ftp.c               |  9 ++++---
+ lib/imap.c              | 24 ++++++++----------
+ lib/pop3.c              | 33 +++++++++++-------------
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 195 insertions(+), 36 deletions(-)
+ create mode 100644 tests/data/test984
+ create mode 100644 tests/data/test985
+ create mode 100644 tests/data/test986
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 71c9642..30ebeaa 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2622,9 +2622,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+     /* we have now received a full FTP server response */
+     switch(ftpc->state) {
+     case FTP_WAIT220:
+-      if(ftpcode == 230)
+-        /* 230 User logged in - already! */
+-        return ftp_state_user_resp(conn, ftpcode, ftpc->state);
++      if(ftpcode == 230) {
++        /* 230 User logged in - already! Take as 220 if TLS required. */
++        if(data->set.use_ssl <= CURLUSESSL_TRY ||
++           conn->ssl[FIRSTSOCKET].use)
++          return ftp_state_user_resp(conn, ftpcode, ftpc->state);
++      }
+       else if(ftpcode != 220) {
+         failf(data, "Got a %03d ftp-server response when 220 was expected",
+               ftpcode);
+diff --git a/lib/imap.c b/lib/imap.c
+index bda23a5..7e159d4 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
+       line += wordlen;
+     }
+   }
+-  else if(imapcode == IMAP_RESP_OK) {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(imapc->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = imap_perform_starttls(conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = imap_perform_authentication(conn);
+-      else {
+-        failf(data, "STARTTLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
++  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
++    /* PREAUTH is not compatible with STARTTLS. */
++    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
++      /* Switch to TLS connection now */
++      result = imap_perform_starttls(conn);
+     }
+-    else
++    else if(data->set.use_ssl <= CURLUSESSL_TRY)
+       result = imap_perform_authentication(conn);
++    else {
++      failf(data, "STARTTLS not available.");
++      result = CURLE_USE_SSL_FAILED;
++    }
+   }
+   else
+     result = imap_perform_authentication(conn);
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 04cc887..3e916ce 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
+       }
+     }
+   }
+-  else if(pop3code == '+') {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(pop3c->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = pop3_perform_starttls(conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = pop3_perform_authentication(conn);
+-      else {
+-        failf(data, "STLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
+-    }
+-    else
+-      result = pop3_perform_authentication(conn);
+-  }
+   else {
+     /* Clear text is supported when CAPA isn't recognised */
+-    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
++    if(pop3code != '+')
++      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+ 
+-    result = pop3_perform_authentication(conn);
++    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
++      result = pop3_perform_authentication(conn);
++    else if(pop3code == '+' && pop3c->tls_supported)
++      /* Switch to TLS connection now */
++      result = pop3_perform_starttls(conn);
++    else if(data->set.use_ssl <= CURLUSESSL_TRY)
++      /* Fallback and carry on with authentication */
++      result = pop3_perform_authentication(conn);
++    else {
++      failf(data, "STLS not supported.");
++      result = CURLE_USE_SSL_FAILED;
++    }
+   }
+ 
+   return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index ef9252b..1ba482b 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+ \
++test984 test985 test986 \
++\
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
+ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
+diff --git a/tests/data/test984 b/tests/data/test984
+new file mode 100644
+index 0000000..e573f23
+--- /dev/null
++++ b/tests/data/test984
+@@ -0,0 +1,56 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPABILITY A001 BAD Not implemented
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP require STARTTLS with failing capabilities
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++A001 CAPABILITY
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test985 b/tests/data/test985
+new file mode 100644
+index 0000000..d0db4aa
+--- /dev/null
++++ b/tests/data/test985
+@@ -0,0 +1,54 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPA -ERR Not implemented
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++  yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 require STARTTLS with failing capabilities
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++CAPA
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test986 b/tests/data/test986
+new file mode 100644
+index 0000000..a709437
+--- /dev/null
++++ b/tests/data/test986
+@@ -0,0 +1,53 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY welcome 230 Welcome
++REPLY AUTH 500 unknown command
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP require STARTTLS while preauthenticated
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++    to
++      see
++that FTPS
++works
++  so does it?
++</file>
++ <command>
++--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++AUTH SSL
++AUTH TLS
++</protocol>
++</verify>
++</testcase>
+-- 
+2.31.1
+

0015-curl-7.71.1-CVE-2021-22947.patch

@@ -0,0 +1,354 @@
+From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Tue, 7 Sep 2021 13:26:42 +0200
+Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
+ pipelining
+
+If a server pipelines future responses within the STARTTLS response, the
+former are preserved in the pingpong cache across TLS negotiation and
+used as responses to the encrypted commands.
+
+This fix detects pipelined STARTTLS responses and rejects them with an
+error.
+
+CVE-2021-22947
+
+Bug: https://curl.se/docs/CVE-2021-22947.html
+
+Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ftp.c               |  3 +++
+ lib/imap.c              |  4 +++
+ lib/pop3.c              |  4 +++
+ lib/smtp.c              |  4 +++
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test980      | 52 ++++++++++++++++++++++++++++++++++++
+ tests/data/test981      | 59 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test982      | 57 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test983      | 52 ++++++++++++++++++++++++++++++++++++
+ 9 files changed, 236 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test980
+ create mode 100644 tests/data/test981
+ create mode 100644 tests/data/test982
+ create mode 100644 tests/data/test983
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 71f998e..e920138 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2692,6 +2692,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+     case FTP_AUTH:
+       /* we have gotten the response to a previous AUTH command */
+ 
++      if(pp->cache_size)
++        return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
++
+       /* RFC2228 (page 5) says:
+        *
+        * If the server is willing to accept the named security mechanism,
+diff --git a/lib/imap.c b/lib/imap.c
+index feb7445..09bc5d6 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
+ 
+   (void)instate; /* no use for this yet */
+ 
++  /* Pipelining in response is forbidden. */
++  if(data->conn->proto.imapc.pp.cache_size)
++    return CURLE_WEIRD_SERVER_REPLY;
++
+   if(imapcode != IMAP_RESP_OK) {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied");
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 7698d1c..dccfced 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
+ 
+   (void)instate; /* no use for this yet */
+ 
++  /* Pipelining in response is forbidden. */
++  if(data->conn->proto.pop3c.pp.cache_size)
++    return CURLE_WEIRD_SERVER_REPLY;
++
+   if(pop3code != '+') {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied");
+diff --git a/lib/smtp.c b/lib/smtp.c
+index 1defb25..1f89777 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -817,6 +817,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
+ 
+   (void)instate; /* no use for this yet */
+ 
++  /* Pipelining in response is forbidden. */
++  if(data->conn->proto.smtpc.pp.cache_size)
++    return CURLE_WEIRD_SERVER_REPLY;
++
+   if(smtpcode != 220) {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied, code %d", smtpcode);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 163ce59..42b0569 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -115,7 +115,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+ \
+-test984 test985 test986 \
++test980 test981 test982 test983 test984 test985 test986 \
+ \
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
+diff --git a/tests/data/test980 b/tests/data/test980
+new file mode 100644
+index 0000000..97567f8
+--- /dev/null
++++ b/tests/data/test980
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++SMTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++AUTH PLAIN
++REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
++REPLY AUTH 535 5.7.8 Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++smtp
++</server>
++ <name>
++SMTP STARTTLS pipelined server response
++ </name>
++<stdin>
++mail body
++</stdin>
++ <command>
++smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++EHLO %TESTNUMBER
++STARTTLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test981 b/tests/data/test981
+new file mode 100644
+index 0000000..2b98ce4
+--- /dev/null
++++ b/tests/data/test981
+@@ -0,0 +1,59 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
++REPLY LOGIN A003 BAD Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP STARTTLS pipelined server response
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++A001 CAPABILITY
++A002 STARTTLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test982 b/tests/data/test982
+new file mode 100644
+index 0000000..9e07cc0
+--- /dev/null
++++ b/tests/data/test982
+@@ -0,0 +1,57 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STLS USER
++REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
++REPLY PASS -ERR Authentication credentials invalid
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++  yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 STARTTLS pipelined server response
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++CAPA
++STLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test983 b/tests/data/test983
+new file mode 100644
+index 0000000..300ec45
+--- /dev/null
++++ b/tests/data/test983
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
++REPLY PASS 530 Login incorrect
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP STARTTLS pipelined server response
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++    to
++      see
++that FTPS
++works
++  so does it?
++</file>
++ <command>
++--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++AUTH SSL
++</protocol>
++</verify>
++</testcase>
+-- 
+2.31.1
+

0101-curl-7.32.0-multilib.patch

@@ -4,10 +4,10 @@ Date: Fri, 12 Apr 2013 12:04:05 +0200
 Subject: [PATCH] prevent multilib conflicts on the curl-config script
 
 ---
- curl-config.in     |   21 +++------------------
- docs/curl-config.1 |    4 +++-
- libcurl.pc.in      |    1 +
- 3 files changed, 7 insertions(+), 19 deletions(-)
+ curl-config.in     | 23 +++++------------------
+ docs/curl-config.1 |  4 +++-
+ libcurl.pc.in      |  1 +
+ 3 files changed, 9 insertions(+), 19 deletions(-)
 
 diff --git a/curl-config.in b/curl-config.in
 index 150004d..95d0759 100644
@@ -22,7 +22,7 @@ index 150004d..95d0759 100644
          ;;
  
      --prefix)
-@@ -155,32 +155,17 @@ while test $# -gt 0; do
+@@ -155,32 +155,19 @@ while test $# -gt 0; do
          ;;
  
      --libs)
@@ -31,7 +31,7 @@ index 150004d..95d0759 100644
 -        else
 -           CURLLIBDIR=""
 -        fi
--        if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
+-        if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
 -          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
 -        else
 -          echo ${CURLLIBDIR}-lcurl
@@ -49,6 +49,8 @@ index 150004d..95d0759 100644
 -          echo "curl was built with static libraries disabled" >&2
 -          exit 1
 -        fi
++        echo "curl was built with static libraries disabled" >&2
++        exit 1
          ;;
  
      --configure)

0102-curl-7.36.0-debug.patch

@@ -1,21 +1,21 @@
-From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001
+From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001
 From: Kamil Dudka <kdudka@redhat.com>
 Date: Wed, 31 Oct 2012 11:38:30 +0100
-Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778)
+Subject: [PATCH] prevent configure script from discarding -g in CFLAGS
+ (#496778)
 
 ---
- configure            |   13 +++----------
- m4/curl-compilers.m4 |   13 +++----------
- 2 files changed, 6 insertions(+), 20 deletions(-)
+ m4/curl-compilers.m4 | 26 ++++++--------------------
+ 1 file changed, 6 insertions(+), 20 deletions(-)
 
-diff --git a/configure b/configure
-index 8f079a3..53b4774 100755
---- a/configure
-+++ b/configure
-@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; }
-     gccvhi=`echo $gccver | cut -d . -f1`
-     gccvlo=`echo $gccver | cut -d . -f2`
-     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
+diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
+index c64db4bc6..d115a4aed 100644
+--- a/m4/curl-compilers.m4
++++ b/m4/curl-compilers.m4
+@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
+     clangvhi=`echo $clangver | cut -d . -f1`
+     clangvlo=`echo $clangver | cut -d . -f2`
+     compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null`
 -    flags_dbg_all="-g -g0 -g1 -g2 -g3"
 -    flags_dbg_all="$flags_dbg_all -ggdb"
 -    flags_dbg_all="$flags_dbg_all -gstabs"
@@ -27,18 +27,14 @@ index 8f079a3..53b4774 100755
 +    flags_dbg_all=""
      flags_dbg_yes="-g"
      flags_dbg_off=""
--    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
--    flags_opt_yes="-O2"
+-    flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
+-    flags_opt_yes="-Os"
 +    flags_opt_all=""
 +    flags_opt_yes=""
      flags_opt_off="-O0"
- 
-     OLDCPPFLAGS=$CPPFLAGS
-diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
-index 0cbba7a..9175b5b 100644
---- a/m4/curl-compilers.m4
-+++ b/m4/curl-compilers.m4
-@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
+   else
+     AC_MSG_RESULT([no])
+@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
      gccvhi=`echo $gccver | cut -d . -f1`
      gccvlo=`echo $gccver | cut -d . -f2`
      compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`

0103-curl-7.59.0-python3.patch

@@ -1,34 +0,0 @@
-From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Thu, 15 Mar 2018 14:49:56 +0100
-Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3
-
-Unfortunately, smbserver.py does not work with Python 3 because
-there is no 'impacket' module available for Python 3:
-
-https://github.com/CoreSecurity/impacket/issues/61
----
- tests/negtelnetserver.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
-index 8cfd409..72ee771 100755
---- a/tests/negtelnetserver.py
-+++ b/tests/negtelnetserver.py
-@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
-                 response_data = response.encode('ascii')
-             else:
-                 log.debug("Received normal request - echoing back")
--                response_data = data.strip()
-+                response_data = data.decode('utf8').strip()
- 
-             if response_data:
-                 log.debug("Sending %r", response_data)
--                self.request.sendall(response_data)
-+                self.request.sendall(response_data.encode('utf8'))
- 
-         except IOError:
-             log.exception("IOError hit during request")
--- 
-2.14.3
-

0105-curl-7.63.0-lib1560-valgrind.patch

@@ -26,14 +26,14 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
 index 080421b..ea3b806 100644
 --- a/tests/libtest/Makefile.inc
 +++ b/tests/libtest/Makefile.inc
-@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+@@ -590,6 +590,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
  lib1559_LDADD = $(TESTUTIL_LIBS)
  
  lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 +lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
  lib1560_LDADD = $(TESTUTIL_LIBS)
  
- lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 -- 
 2.17.2
 

curl-7.67.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce
-EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh
-kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t
-O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP
-s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5
-ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS
-3dPfzzRA8wgROem58QhHnrR9c2CmdQ==
-=5gov
------END PGP SIGNATURE-----

curl-7.71.1.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl78MUgACgkQXMkI/bce
+EsJkEgf/ZDR7QKw9aPQoT2dOyqoCTKip1fLCtJBEOmctjS86zF+1caPABYLV1kq6
+9baz7L2qWOmDdHkxF4poTpPH9CkcG3Krq6lHFjbFQ0GxMC+MEnnFYKfDVrRopaKq
+ioBUnZrRSIytgwbiwxB+uxxa4ItzV6tZNVKIiIZOuuVSAZ9azA/swpezet8x2kxg
+yp1Y3oe0R1VCYiCJ2EOB/rMs0ndPHSRuWiCCIBK7uPXA0jJsL4rjhmY5l2qAadfy
+6iDpk85CJvQcGcC8nZMmpbivniOjIjEefjeXviLvg5dZi7f3M028QyGpkkUVzf27
+FiWCDZuZkp9ed2eLIBGWo/wy70f2pw==
+=0YwO
+-----END PGP SIGNATURE-----

curl.spec

@@ -1,12 +1,51 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.67.0
-Release: 2%{?dist}
+Version: 7.71.1
+Release: 11%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
-# fix infinite loop on upload using a glob (#1771025)
-Patch1:   0001-curl-7.67.0-upload-glob.patch
+# curl: make the --krb option work again (#1833193)
+Patch1:   0001-curl-7.71.1-tool-krb-opt.patch
+
+# setopt: unset NOBODY switches to GET if still HEAD
+Patch2:   0002-curl-7.71.1-unset-nobody.patch
+
+# libcurl: wrong connect-only connection (CVE-2020-8231)
+Patch4:   0004-curl-7.71.1-CVE-2020-8231.patch
+
+# curl: trusting FTP PASV responses (CVE-2020-8284)
+Patch5:   0005-curl-7.71.1-CVE-2020-8284.patch
+
+# libcurl: FTP wildcard stack overflow (CVE-2020-8285)
+Patch6:   0006-curl-7.71.1-CVE-2020-8285.patch
+
+# curl: Inferior OCSP verification (CVE-2020-8286)
+Patch7:   0007-curl-7.71.1-CVE-2020-8286.patch
+
+# prevent automatic referer from leaking credentials (CVE-2021-22876)
+Patch8:   0008-curl-7.71.1-CVE-2021-22876.patch
+
+# fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890)
+Patch9:   0009-curl-7.71.1-CVE-2021-22890.patch
+
+# fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
+Patch10:  0010-curl-7.71.1-CVE-2021-22924.patch
+
+# fix TELNET stack contents disclosure (CVE-2021-22898)
+Patch11:  0011-curl-7.71.1-CVE-2021-22898.patch
+
+# fix TELNET stack contents disclosure again (CVE-2021-22925)
+Patch12:  0012-curl-7.71.1-CVE-2021-22925.patch
+
+# fix use-after-free and double-free in MQTT sending (CVE-2021-22945)
+Patch13:  0013-curl-7.71.1-CVE-2021-22945.patch
+
+# fix protocol downgrade required TLS bypass (CVE-2021-22946)
+Patch14:  0014-curl-7.71.1-CVE-2021-22946.patch
+
+# fix STARTTLS protocol injection via MITM (CVE-2021-22947)
+Patch15:  0015-curl-7.71.1-CVE-2021-22947.patch
 
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -14,9 +53,6 @@ Patch101: 0101-curl-7.32.0-multilib.patch
 # prevent configure script from discarding -g in CFLAGS (#496778)
 Patch102: 0102-curl-7.36.0-debug.patch
 
-# migrate tests/http_pipe.py to Python 3
-Patch103: 0103-curl-7.59.0-python3.patch
-
 # use localhost6 instead of ip6-localhost in the curl test-suite
 Patch104: 0104-curl-7.19.7-localhost6.patch
 
@@ -33,10 +69,10 @@ BuildRequires: gcc
 BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
-BuildRequires: libmetalink-devel
 BuildRequires: libnghttp2-devel
 BuildRequires: libpsl-devel
 BuildRequires: libssh-devel
+BuildRequires: libtool
 BuildRequires: make
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
@@ -61,6 +97,9 @@ BuildRequires: perl(warnings)
 # gnutls-serv is used by the upstream test-suite
 BuildRequires: gnutls-utils
 
+# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot
+BuildRequires: hostname
+
 # nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
 BuildRequires: nghttp2
 
@@ -159,7 +198,7 @@ Summary: Conservatively configured build of libcurl for minimal installations
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
 Provides: libcurl = %{version}-%{release}
 Provides: libcurl%{?_isa} = %{version}-%{release}
-Conflicts: libcurl
+Conflicts: libcurl%{?_isa}
 RemovePathPostfixes: .minimal
 # needed for RemovePathPostfixes to work with shared libraries
 %undefine __brp_ldconfig
@@ -175,20 +214,31 @@ be installed.
 
 # upstream patches
 %patch1 -p1
+%patch2 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
 
 # Fedora patches
 %patch101 -p1
 %patch102 -p1
-%patch103 -p1
 %patch104 -p1
 %patch105 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
 
-# regenerate Makefile.in files
-aclocal -I m4
-automake
+# regenerate the configure script and Makefile.in files
+autoreconf -fiv
 
 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
 # with errno 98: Address already in use' in Koji environment), and test 1801
@@ -207,6 +257,11 @@ echo "1319" >> tests/data/DISABLED
 echo "582" >> tests/data/DISABLED
 %endif
 
+# temporarily disable tests 702 703 716 on armv7hl (#1829180)
+%ifarch armv7hl
+printf "702\n703\n716\n" >> tests/data/DISABLED
+%endif
+
 # adapt test 323 for updated OpenSSL
 sed -e 's/^35$/35,52/' -i tests/data/test323
 
@@ -218,6 +273,7 @@ export common_configure_opts=" \
     --enable-symbol-hiding \
     --enable-ipv6 \
     --enable-threaded-resolver \
+    --without-libmetalink \
     --with-gssapi \
     --with-nghttp2 \
     --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
@@ -233,7 +289,6 @@ export common_configure_opts=" \
         --disable-manual \
         --without-brotli \
         --without-libidn2 \
-        --without-libmetalink \
         --without-libpsl \
         --without-libssh
 )
@@ -247,7 +302,6 @@ export common_configure_opts=" \
         --enable-manual \
         --with-brotli \
         --with-libidn2 \
-        --with-libmetalink \
         --with-libpsl \
         --with-libssh
 )
@@ -257,8 +311,8 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \
     -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
     -i build-{full,minimal}/libtool
 
-make %{?_smp_mflags} V=1 -C build-minimal
-make %{?_smp_mflags} V=1 -C build-full
+%make_build V=1 -C build-minimal
+%make_build V=1 -C build-full
 
 %check
 # we have to override LD_LIBRARY_PATH because we eliminated rpath
@@ -267,7 +321,7 @@ export LD_LIBRARY_PATH
 
 # compile upstream test-cases
 cd build-full/tests
-make %{?_smp_mflags} V=1
+%make_build V=1
 
 # relax crypto policy for the test-suite to make it pass again (#1610888)
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
@@ -278,14 +332,14 @@ srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
 
 %install
 # install and rename the library that will be packaged as libcurl-minimal
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib
+%make_install -C build-minimal/lib
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
 for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
     mv -v $i $i.minimal
 done
 
 # install and rename the executable that will be packaged as curl-minimal
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src
+%make_install -C build-minimal/src
 mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
 
 # install libcurl.m4
@@ -294,12 +348,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
 
 # install the executable and library that will be packaged as curl and libcurl
 cd build-full
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
+%make_install
 
 # install zsh completion for curl
 # (we have to override LD_LIBRARY_PATH because we eliminated rpath)
 LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
-    make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts
+    %make_install -C scripts
 
 # do not install /usr/share/fish/completions/curl.fish which is also installed
 # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
@@ -331,7 +385,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
 %files -n libcurl-devel
 %doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
-%doc docs/CONTRIBUTE.md docs/libcurl/ABI
+%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md
 %{_bindir}/curl-config*
 %{_includedir}/curl
 %{_libdir}/*.so
@@ -350,10 +404,83 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-2
+* Fri Sep 17 2021 Kamil Dudka <kdudka@redhat.com> - 7.71.1-11
+- fix STARTTLS protocol injection via MITM (CVE-2021-22947)
+- fix protocol downgrade required TLS bypass (CVE-2021-22946)
+- fix use-after-free and double-free in MQTT sending (CVE-2021-22945)
+
+* Wed Jul 21 2021 Kamil Dudka <kdudka@redhat.com> - 7.71.1-10
+- fix TELNET stack contents disclosure again (CVE-2021-22925)
+- fix TELNET stack contents disclosure (CVE-2021-22898)
+- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
+- disable metalink support to fix the following vulnerabilities
+    CVE-2021-22923 - metalink download sends credentials
+    CVE-2021-22922 - wrong content via metalink not discarded
+
+* Wed Mar 31 2021 Kamil Dudka <kdudka@redhat.com> - 7.71.1-9
+- fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890)
+- prevent automatic referer from leaking credentials (CVE-2021-22876)
+
+* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-8
+- curl: Inferior OCSP verification (CVE-2020-8286)
+- libcurl: FTP wildcard stack overflow (CVE-2020-8285)
+- curl: trusting FTP PASV responses (CVE-2020-8284)
+
+* Thu Sep 10 2020 Jinoh Kang <aurhb20@protonmail.ch> - 7.71.1-7
+- fix multiarch conflicts in libcurl-minimal (#1877671)
+
+* Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-6
+- libcurl: wrong connect-only connection (CVE-2020-8231)
+
+* Thu Aug 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-5
+- setopt: unset NOBODY switches to GET if still HEAD
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.71.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 7.71.1-3
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Fri Jul 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-2
+- curl: make the --krb option work again (#1833193)
+
+* Wed Jul 01 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-1
+- new upstream release
+
+* Wed Jun 24 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect
+    CVE-2020-8177 - curl: overwrite local file with -J
+
+* Wed Apr 29 2020 Kamil Dudka <kdudka@redhat.com> - 7.70.0-1
+- new upstream release
+
+* Mon Apr 20 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-3
+- SSH: use new ECDSA key types to check known hosts (#1824926)
+
+* Fri Apr 17 2020 Tom Stellard <tstellar@redhat.com> - 7.69.1-2
+- Prevent discarding of -g when compiling with clang
+
+* Wed Mar 11 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-1
+- new upstream release
+
+* Mon Mar 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-2
+- make Flatpak work again (#1810989)
+
+* Wed Mar 04 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-1
+- new upstream release
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.68.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jan 08 2020 Kamil Dudka <kdudka@redhat.com> - 7.68.0-1
+- new upstream release
+
+* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-2
 - fix infinite loop on upload using a glob (#1771025)
 
-* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-1
+* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-1
 - new upstream release
 
 * Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1

sources

@@ -1 +1 @@
-SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29
+SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b