Resolves: CVE-2022-35252 - control code in cookie denial of service

Although Fedora curl packages are compiled with OpenSSL backend, some
developers rebuild them with gnutls backend in their own COPRs.  This
commit makes the source code compile again with gnutls while it does
not affect the official Fedora (binary) RPMs.

.fmf/version

@@ -0,0 +1 @@
+1

0001-curl-7.67.0-upload-glob.patch

@@ -1,316 +0,0 @@
-From 37a36231c5e34ae31b1968481fad2e8d76613fbd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 13 Nov 2019 11:33:29 +0100
-Subject: [PATCH] curl: fix -T globbing
-
-Regression from e59371a4936f8 (7.67.0)
-
-Added test 490, 491 and 492 to verify the functionality.
-
-Reported-by: Kamil Dudka
-Reported-by: Anderson Sasaki
-
-Fixes #4588
-Closes #4591
-
-Upstream-commit: 7a46aeb0be3fa00826b0c47a8bc06eddff448659
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- src/tool_operate.c      | 15 ++++---
- tests/data/Makefile.inc |  2 +
- tests/data/test490      | 68 +++++++++++++++++++++++++++++++
- tests/data/test491      | 64 +++++++++++++++++++++++++++++
- tests/data/test492      | 89 +++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 232 insertions(+), 6 deletions(-)
- create mode 100644 tests/data/test490
- create mode 100644 tests/data/test491
- create mode 100644 tests/data/test492
-
-diff --git a/src/tool_operate.c b/src/tool_operate.c
-index 3087d2d..4ecb1ed 100644
---- a/src/tool_operate.c
-+++ b/src/tool_operate.c
-@@ -829,12 +829,6 @@ static CURLcode single_transfer(struct GlobalConfig *global,
-       separator = ((!state->outfiles ||
-                     !strcmp(state->outfiles, "-")) && urlnum > 1);
- 
--      /* Here's looping around each globbed URL */
--
--      if(state->li >= urlnum) {
--        state->li = 0;
--        state->up++;
--      }
-       if(state->up < state->infilenum) {
-         struct per_transfer *per;
-         struct OutStruct *outs;
-@@ -1908,6 +1902,15 @@ static CURLcode single_transfer(struct GlobalConfig *global,
-         per->retrystart = tvnow();
- 
-         state->li++;
-+        /* Here's looping around each globbed URL */
-+        if(state->li >= urlnum) {
-+          state->li = 0;
-+          state->urlnum = 0; /* forced reglob of URLs */
-+          glob_cleanup(state->urls);
-+          state->urls = NULL;
-+          state->up++;
-+          Curl_safefree(state->uploadfile); /* clear it to get the next */
-+        }
-       }
-       else {
-         /* Free this URL node data without destroying the
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 557f928..212900e 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -66,6 +66,8 @@ test393 test394 test395 \
- test400 test401 test402 test403 test404 test405 test406 test407 test408 \
- test409 \
- \
-+test490 test491 test492 \
-+\
- test500 test501 test502 test503 test504 test505 test506 test507 test508 \
- test509 test510 test511 test512 test513 test514 test515 test516 test517 \
- test518 test519 test520 test521 test522 test523 test524 test525 test526 \
-diff --git a/tests/data/test490 b/tests/data/test490
-new file mode 100644
-index 0000000..a3383a9
---- /dev/null
-+++ b/tests/data/test490
-@@ -0,0 +1,68 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/490 -T '{log/in490,log/in490}'
-+</command>
-+<file name="log/in490">
-+surprise!
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /490 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+PUT /490 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test491 b/tests/data/test491
-new file mode 100644
-index 0000000..b49c06c
---- /dev/null
-+++ b/tests/data/test491
-@@ -0,0 +1,64 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs, the second upload file is missing
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/491 -T '{log/in491,log/bad491}'
-+</command>
-+<file name="log/in491">
-+surprise!
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /491 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+</protocol>
-+<errorcode>
-+26
-+</errorcode>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test492 b/tests/data/test492
-new file mode 100644
-index 0000000..12edd8b
---- /dev/null
-+++ b/tests/data/test492
-@@ -0,0 +1,89 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs to two globbed URLs
-+ </name>
-+ <command>
-+'http://%HOSTIP:%HTTPPORT/{one,two}/' -T '{log/first492,log/second492}' -H "Testno: 492"
-+</command>
-+<file name="log/first492">
-+first 492 contents
-+</file>
-+<file1 name="log/second492">
-+second 492 contents
-+</file1>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /one/first492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 19
-+Expect: 100-continue
-+
-+first 492 contents
-+PUT /two/first492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 19
-+Expect: 100-continue
-+
-+first 492 contents
-+PUT /one/second492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 20
-+Expect: 100-continue
-+
-+second 492 contents
-+PUT /two/second492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 20
-+Expect: 100-continue
-+
-+second 492 contents
-+</protocol>
-+</verify>
-+</testcase>
--- 
-2.20.1
-

0001-curl-7.82.0-openssl-spurious-oom.patch

@@ -0,0 +1,36 @@
+From 58781adaaff911303f69876236918b9049dde926 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 8 Mar 2022 13:38:13 +0100
+Subject: [PATCH] openssl: fix CN check error code
+
+Due to a missing 'else' this returns error too easily.
+
+Regressed in: d15692ebb
+
+Reported-by: Kristoffer Gleditsch
+Fixes #8559
+Closes #8560
+
+Upstream-commit: 911714d617c106ed5d553bf003e34ec94ab6a136
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 616a510..1bafe96 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
+               memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
+               peer_CN[peerlen] = '\0';
+             }
+-            result = CURLE_OUT_OF_MEMORY;
++            else
++              result = CURLE_OUT_OF_MEMORY;
+           }
+         }
+         else /* not a UTF8 name */
+-- 
+2.34.1
+

0002-curl-7.82.0-CVE-2022-22576.patch

@@ -0,0 +1,148 @@
+From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+
+Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/strcase.c   | 10 ++++++++++
+ lib/strcase.h   |  2 ++
+ lib/url.c       | 13 ++++++++++++-
+ lib/urldata.h   |  1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1..692a3f1 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
+   } while(*src++ && --n);
+ }
+ 
++/* Compare case-sensitive NUL-terminated strings, taking care of possible
++ * null pointers. Return true if arguments match.
++ */
++bool Curl_safecmp(char *a, char *b)
++{
++  if(a && b)
++    return !strcmp(a, b);
++  return !a && !b;
++}
++
+ /* --- public functions --- */
+ 
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b628656..382b80a 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+ 
++bool Curl_safecmp(char *a, char *b);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index adef2cd..94e3406 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn)
+   Curl_safefree(conn->passwd);
+   Curl_safefree(conn->sasl_authzid);
+   Curl_safefree(conn->options);
++  Curl_safefree(conn->oauth_bearer);
+   Curl_dyn_free(&conn->trailer);
+   Curl_safefree(conn->host.rawalloc); /* host name buffer */
+   Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data,
+         /* This protocol requires credentials per connection,
+            so verify that we're using the same name and password as well */
+         if(strcmp(needle->user, check->user) ||
+-           strcmp(needle->passwd, check->passwd)) {
++           strcmp(needle->passwd, check->passwd) ||
++           !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
++           !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+           /* one of them was different */
+           continue;
+         }
+@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data,
+     }
+   }
+ 
++  if(data->set.str[STRING_BEARER]) {
++    conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
++    if(!conn->oauth_bearer) {
++      result = CURLE_OUT_OF_MEMORY;
++      goto out;
++    }
++  }
++
+ #ifdef USE_UNIX_SOCKETS
+   if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
+     conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
+diff --git a/lib/urldata.h b/lib/urldata.h
+index cc8a600..03da59a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -984,6 +984,7 @@ struct connectdata {
+   char *passwd;  /* password string, allocated */
+   char *options; /* options string, allocated */
+   char *sasl_authzid;     /* authorisation identity string, allocated */
++  char *oauth_bearer; /* OAUTH2 bearer, allocated */
+   unsigned char httpversion; /* the HTTP version*10 reported by the server */
+   struct curltime now;     /* "current" time */
+   struct curltime created; /* creation time */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba..a40ac06 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+   return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+ 
+-static bool safecmp(char *a, char *b)
+-{
+-  if(a && b)
+-    return !strcmp(a, b);
+-  else if(!a && !b)
+-    return TRUE; /* match */
+-  return FALSE; /* no match */
+-}
+-
+ 
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+      blobcmp(data->cert_blob, needle->cert_blob) &&
+      blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
+      blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+-     safecmp(data->CApath, needle->CApath) &&
+-     safecmp(data->CAfile, needle->CAfile) &&
+-     safecmp(data->issuercert, needle->issuercert) &&
+-     safecmp(data->clientcert, needle->clientcert) &&
+-     safecmp(data->random_file, needle->random_file) &&
+-     safecmp(data->egdsocket, needle->egdsocket) &&
++     Curl_safecmp(data->CApath, needle->CApath) &&
++     Curl_safecmp(data->CAfile, needle->CAfile) &&
++     Curl_safecmp(data->issuercert, needle->issuercert) &&
++     Curl_safecmp(data->clientcert, needle->clientcert) &&
++     Curl_safecmp(data->random_file, needle->random_file) &&
++     Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->curves, needle->curves) &&
+-- 
+2.34.1
+

0003-curl-7.82.0-CVE-2022-27775.patch

@@ -0,0 +1,40 @@
+From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+
+Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index cd5756a..9b9f683 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+     /* report back which name we used */
+     *hostp = hostname;
+ 
+-  /* put the number first so that the hostname gets cut off if too long */
+-  msnprintf(buf, len, "%ld%s", port, hostname);
++  /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++  msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++  msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+   Curl_strntolower(buf, buf, len);
+ }
+ 
+-- 
+2.34.1
+

0004-curl-7.82.0-CVE-2022-27776.patch

@@ -0,0 +1,246 @@
+From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+
+Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c    | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 799d4fb..0791dcf 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
+   return CURLE_OK;
+ }
+ 
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++  struct connectdata *conn = data->conn;
++  return (!data->state.this_is_a_follow ||
++          data->set.allow_auth_to_other_hosts ||
++          (data->state.first_host &&
++           strcasecompare(data->state.first_host, conn->host.name) &&
++           (data->state.first_remote_port == conn->remote_port) &&
++           (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ /**
+  * Curl_http_output_auth() setups the authentication headers for the
+  * host/proxy and the correct authentication
+@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
+        with it */
+     authproxy->done = TRUE;
+ 
+-  /* To prevent the user+password to get sent to other than the original
+-     host due to a location-follow, we do some weirdo checks here */
+-  if(!data->state.this_is_a_follow ||
++  /* To prevent the user+password to get sent to other than the original host
++     due to a location-follow */
++  if(allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+-     conn->bits.netrc ||
++     || conn->bits.netrc
+ #endif
+-     !data->state.first_host ||
+-     data->set.allow_auth_to_other_hosts ||
+-     strcasecompare(data->state.first_host, conn->host.name)) {
++    )
+     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+-  }
+   else
+     authhost->done = TRUE;
+ 
+@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+                    checkprefix("Cookie:", compare)) &&
+                   /* be careful of sending this potentially sensitive header to
+                      other hosts */
+-                  (data->state.this_is_a_follow &&
+-                   data->state.first_host &&
+-                   !data->set.allow_auth_to_other_hosts &&
+-                   !strcasecompare(data->state.first_host, conn->host.name)))
++                  !allow_auth_to_host(data))
+             ;
+           else {
+ #ifdef USE_HYPER
+@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
+       return CURLE_OUT_OF_MEMORY;
+ 
+     data->state.first_remote_port = conn->remote_port;
++    data->state.first_remote_protocol = conn->handler->protocol;
+   }
+   Curl_safefree(data->state.aptr.host);
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 03da59a..f92052a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1329,14 +1329,16 @@ struct UrlState {
+   char *ulbuf; /* allocated upload buffer or NULL */
+   curl_off_t current_speed;  /* the ProgressShow() function sets this,
+                                 bytes / second */
+-  char *first_host; /* host name of the first (not followed) request.
+-                       if set, this should be the host name that we will
+-                       sent authorization to, no else. Used to make Location:
+-                       following not keep sending user+password... This is
+-                       strdup() data.
+-                    */
++
++  /* host name, port number and protocol of the first (not followed) request.
++     if set, this should be the host name that we will sent authorization to,
++     no else. Used to make Location: following not keep sending user+password.
++     This is strdup()ed data. */
++  char *first_host;
++  int first_remote_port;
++  unsigned int first_remote_protocol;
++
+   int retrycount; /* number of retries on a new connection */
+-  int first_remote_port; /* remote port of the first (not followed) request */
+   struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+   long sessionage;                  /* number of the most recent session */
+   struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
+-- 
+2.34.1
+
+
+From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:47 +0200
+Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
+
+Do not pass on Authorization headers on redirects to another port
+
+Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test898      | 90 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test898
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 59d46bc..7ae2cf8 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -109,7 +109,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
+ test863 test864 test865 test866 test867 test868 test869 test870 test871 \
+ test872 test873 test874 test875 test876 test877 test878 test879 test880 \
+ test881 test882 test883 test884 test885 test886 test887 test888 test889 \
+-test890 test891 test892 test893 test894 test895 test896 test897 \
++test890 test891 test892 test893 test894 test895 test896 test897 test898 \
+ \
+ test900 test901 test902 test903 test904 test905 test906 test907 test908 \
+ test909 test910 test911 test912 test913 test914 test915 test916 test917 \
+diff --git a/tests/data/test898 b/tests/data/test898
+new file mode 100644
+index 0000000..5cbb7d8
+--- /dev/null
++++ b/tests/data/test898
+@@ -0,0 +1,90 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++--location
++Authorization
++Cookie
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++HTTP with custom auth and cookies redirected to HTTP on a diff port
++ </name>
++ <command>
++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET http://firsthost.com/ HTTP/1.1
++Host: firsthost.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++Authorization: Basic am9lOnNlY3JldA==
++Cookie: userpwd=am9lOnNlY3JldA==
++
++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
++Host: firsthost.com:9999
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+-- 
+2.34.1
+

0005-curl-7.82.0-CVE-2022-27774.patch

@@ -0,0 +1,636 @@
+From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
+
+To make it available after the connection ended.
+
+Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/connect.c | 1 +
+ lib/urldata.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 64f9511..7518807 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
+   data->info.conn_scheme = conn->handler->scheme;
+   data->info.conn_protocol = conn->handler->protocol;
+   data->info.conn_primary_port = conn->port;
++  data->info.conn_remote_port = conn->remote_port;
+   data->info.conn_local_port = local_port;
+ }
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f92052a..5218f76 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1160,7 +1160,11 @@ struct PureInfo {
+      reused, in the connection cache. */
+ 
+   char conn_primary_ip[MAX_IPADR_LEN];
+-  int conn_primary_port;
++  int conn_primary_port; /* this is the destination port to the connection,
++                            which might have been a proxy */
++  int conn_remote_port;  /* this is the "remote port", which is the port
++                            number of the used URL, independent of proxy or
++                            not */
+   char conn_local_ip[MAX_IPADR_LEN];
+   int conn_local_port;
+   const char *conn_scheme;
+-- 
+2.34.1
+
+
+From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
+ auth
+
+... unless explicitly permitted.
+
+Bug: https://curl.se/docs/CVE-2022-27774.html
+Reported-by: Harry Sintonen
+Closes #8748
+
+Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 1f8019b..752fe14 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       return CURLE_OUT_OF_MEMORY;
+   }
+   else {
+-
+     uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
+     if(uc)
+       return Curl_uc_to_curlcode(uc);
++
++    /* Clear auth if this redirects to a different port number or protocol,
++       unless permitted */
++    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
++      char *portnum;
++      int port;
++      bool clear = FALSE;
++
++      if(data->set.use_port && data->state.allow_port)
++        /* a custom port is used */
++        port = (int)data->set.use_port;
++      else {
++        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
++                          CURLU_DEFAULT_PORT);
++        if(uc) {
++          free(newurl);
++          return Curl_uc_to_curlcode(uc);
++        }
++        port = atoi(portnum);
++        free(portnum);
++      }
++      if(port != data->info.conn_remote_port) {
++        infof(data, "Clear auth, redirects to port from %u to %u",
++              data->info.conn_remote_port, port);
++        clear = TRUE;
++      }
++      else {
++        char *scheme;
++        const struct Curl_handler *p;
++        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
++        if(uc) {
++          free(newurl);
++          return Curl_uc_to_curlcode(uc);
++        }
++
++        p = Curl_builtin_scheme(scheme);
++        if(p && (p->protocol != data->info.conn_protocol)) {
++          infof(data, "Clear auth, redirects scheme from %s to %s",
++                data->info.conn_scheme, scheme);
++          clear = TRUE;
++        }
++        free(scheme);
++      }
++      if(clear) {
++        Curl_safefree(data->state.aptr.user);
++        Curl_safefree(data->state.aptr.passwd);
++      }
++    }
+   }
+ 
+   if(type == FOLLOW_FAKE) {
+-- 
+2.34.1
+
+
+From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
+
+ - Test 973 redirects from HTTP to FTP, clear auth
+ - Test 974 redirects from HTTP to HTTP different port, clear auth
+ - Test 975 redirects from HTTP to FTP, permitted to keep auth
+ - Test 976 redirects from HTTP to HTTP different port, permitted to keep
+   auth
+
+Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test973      | 88 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test974      | 87 ++++++++++++++++++++++++++++++++++++++++
+ tests/data/test975      | 88 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test976      | 88 +++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 352 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test973
+ create mode 100644 tests/data/test974
+ create mode 100644 tests/data/test975
+ create mode 100644 tests/data/test976
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7ae2cf8..175fc43 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -119,7 +119,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
+ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+-test972 \
++test972 test973 test974 test975 test976 \
+ \
+ test980 test981 test982 test983 test984 test985 test986 \
+ \
+diff --git a/tests/data/test973 b/tests/data/test973
+new file mode 100644
+index 0000000..6ced107
+--- /dev/null
++++ b/tests/data/test973
+@@ -0,0 +1,88 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++FTP
++--location
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++data
++    to
++      see
++that FTP
++works
++  so does it?
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
++
++data
++    to
++      see
++that FTP
++works
++  so does it?
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++ftp
++</server>
++ <name>
++HTTP with auth redirected to FTP w/o auth
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD a
++CWD path
++EPSV
++TYPE I
++SIZE %TESTNUMBER0002
++RETR %TESTNUMBER0002
++QUIT
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test974 b/tests/data/test974
+new file mode 100644
+index 0000000..ac4e641
+--- /dev/null
++++ b/tests/data/test974
+@@ -0,0 +1,87 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++--location
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++HTTP with auth redirected to HTTP on a diff port w/o auth
++ </name>
++ <command>
++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET http://firsthost.com/ HTTP/1.1
++Host: firsthost.com
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
++Host: firsthost.com:9999
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test975 b/tests/data/test975
+new file mode 100644
+index 0000000..85e03e4
+--- /dev/null
++++ b/tests/data/test975
+@@ -0,0 +1,88 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++FTP
++--location-trusted
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++data
++    to
++      see
++that FTP
++works
++  so does it?
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
++
++data
++    to
++      see
++that FTP
++works
++  so does it?
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++ftp
++</server>
++ <name>
++HTTP with auth redirected to FTP allowing auth to continue
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++
++USER joe
++PASS secret
++PWD
++CWD a
++CWD path
++EPSV
++TYPE I
++SIZE %TESTNUMBER0002
++RETR %TESTNUMBER0002
++QUIT
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test976 b/tests/data/test976
+new file mode 100644
+index 0000000..c4dd61e
+--- /dev/null
++++ b/tests/data/test976
+@@ -0,0 +1,88 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++--location-trusted
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++</data>
++<data2>
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</data2>
++
++<datacheck>
++HTTP/1.1 301 redirect
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 4
++Connection: close
++Content-Type: text/html
++
++hey
++</datacheck>
++
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++HTTP with auth redirected to HTTP on a diff port --location-trusted
++ </name>
++ <command>
++-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET http://firsthost.com/ HTTP/1.1
++Host: firsthost.com
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
++Host: firsthost.com:9999
++Authorization: Basic am9lOnNlY3JldA==
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+-- 
+2.34.1
+
+
+From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 17:59:15 +0200
+Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
+ either
+
+Follow-up to 620ea21410030
+
+Reported-by: Harry Sintonen
+Closes #8751
+
+Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c         | 10 +++++-----
+ lib/http.h         |  6 ++++++
+ lib/vtls/openssl.c |  3 ++-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 0791dcf..4433824 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
+ }
+ 
+ /*
+- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+- * data" can (still) be sent to this host.
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
+  */
+-static bool allow_auth_to_host(struct Curl_easy *data)
++bool Curl_allow_auth_to_host(struct Curl_easy *data)
+ {
+   struct connectdata *conn = data->conn;
+   return (!data->state.this_is_a_follow ||
+@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
+ 
+   /* To prevent the user+password to get sent to other than the original host
+      due to a location-follow */
+-  if(allow_auth_to_host(data)
++  if(Curl_allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+      || conn->bits.netrc
+ #endif
+@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+                    checkprefix("Cookie:", compare)) &&
+                   /* be careful of sending this potentially sensitive header to
+                      other hosts */
+-                  !allow_auth_to_host(data))
++                  !Curl_allow_auth_to_host(data))
+             ;
+           else {
+ #ifdef USE_HYPER
+diff --git a/lib/http.h b/lib/http.h
+index 07e963d..9000bae 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
+                       bool proxytunnel); /* TRUE if this is the request setting
+                                             up the proxy tunnel */
+ 
++/*
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
++ */
++bool Curl_allow_auth_to_host(struct Curl_easy *data);
++
+ #endif /* HEADER_CURL_HTTP_H */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1bafe96..97c5666 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2894,7 +2894,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+ 
+ #ifdef USE_OPENSSL_SRP
+-  if(ssl_authtype == CURL_TLSAUTH_SRP) {
++  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
++     Curl_allow_auth_to_host(data)) {
+     char * const ssl_username = SSL_SET_OPTION(username);
+ 
+     infof(data, "Using TLS-SRP username: %s", ssl_username);
+-- 
+2.34.1
+

0006-curl-7.82.0-CVE-2022-27780.patch

@@ -0,0 +1,69 @@
+From 52684f4ad348deee05ce49c65b2446f68f4dc1a8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 08:19:38 +0200
+Subject: [PATCH 1/2] urlapi: reject percent-decoding host name into separator
+ bytes
+
+CVE-2022-27780
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-27780.html
+Closes #8826
+
+Upstream-commit: 914aaab9153764ef8fa4178215b8ad89d3ac263a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/urlapi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index ff00ee4..00222fc 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
+ #endif
+   }
+   else {
+-    /* letters from the second string is not ok */
+-    len = strcspn(hostname, " \r\n");
++    /* letters from the second string are not ok */
++    len = strcspn(hostname, " \r\n\t/:#?!@");
+     if(hlen != len)
+       /* hostname with bad content */
+       return CURLUE_BAD_HOSTNAME;
+-- 
+2.34.1
+
+
+From f69fa599b12737aebc4bacee7608807620ff42cf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 08:19:38 +0200
+Subject: [PATCH 2/2] libtest/lib1560: verify the host name percent decode fix
+
+Upstream-commit: cfa47974fea04753d1131cac701e331cd91bec6f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/libtest/lib1560.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+index 7614849..84ee933 100644
+--- a/tests/libtest/lib1560.c
++++ b/tests/libtest/lib1560.c
+@@ -374,6 +374,13 @@ static const struct testcase get_parts_list[] ={
+ 
+ static const struct urltestcase get_url_list[] = {
+   /* percent encoded host names */
++  {"http://example.com%40127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
++  {"http://example.com%21127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
++  {"http://example.com%3f127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
++  {"http://example.com%23127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
++  {"http://example.com%3a127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
++  {"http://example.com%09127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
++  {"http://example.com%2F127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+   {"https://%this", "https://%25this/", 0, 0, CURLUE_OK},
+   {"https://h%c", "https://h%25c/", 0, 0, CURLUE_OK},
+   {"https://%%%%%%", "https://%25%25%25%25%25%25/", 0, 0, CURLUE_OK},
+-- 
+2.34.1
+

0007-curl-7.82.0-CVE-2022-30115.patch

@@ -0,0 +1,273 @@
+From c8c0db4fc5459c47cb422407cfd3ee3406c40734 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 08:13:54 +0200
+Subject: [PATCH 1/2] test440/441: verify HSTS with trailing dots
+
+Upstream-commit: ff3ee510c328db03bf171cae6179bb9463fb054f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test440      | 72 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test441      | 72 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 146 insertions(+)
+ create mode 100644 tests/data/test440
+ create mode 100644 tests/data/test441
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 175fc43..a5b8dc2 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -72,6 +72,8 @@ test409 test410 \
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
++test440 test441 \
++\
+ test490 test491 test492 test493 test494 \
+ \
+ test500 test501 test502 test503 test504 test505 test506 test507 test508 \
+diff --git a/tests/data/test440 b/tests/data/test440
+new file mode 100644
+index 0000000..c640b02
+--- /dev/null
++++ b/tests/data/test440
+@@ -0,0 +1,72 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HSTS
++trailing-dot
++</keywords>
++</info>
++
++<reply>
++
++# we use this as response to a CONNECT
++<connect nocheck="yes">
++HTTP/1.1 403 not OK at all
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 6
++Connection: close
++Funny-head: yesyes
++
++-foo-
++</connect>
++</reply>
++
++<client>
++<server>
++http
++</server>
++<features>
++HSTS
++proxy
++https
++</features>
++
++# no trailing dot in the file only in the URL
++<file name="log/input%TESTNUMBER">
++this.hsts.example "99991001 04:47:41"
++</file>
++
++<name>
++HSTS with trailing-dot host name in URL but none in hsts file
++</name>
++<command>
++-x http://%HOSTIP:%HTTPPORT http://this.hsts.example./%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
++</command>
++</client>
++
++<verify>
++# we let it CONNECT to the server to confirm HSTS but deny from there
++<protocol>
++CONNECT this.hsts.example.:443 HTTP/1.1
++Host: this.hsts.example.:443
++User-Agent: curl/%VERSION
++Proxy-Connection: Keep-Alive
++
++</protocol>
++<stdout>
++HTTP/1.1 403 not OK at all
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 6
++Connection: close
++Funny-head: yesyes
++
++https://this.hsts.example./%TESTNUMBER
++</stdout>
++# Proxy CONNECT aborted
++<errorcode>
++56
++</errorcode>
++</verify>
++</testcase>
+diff --git a/tests/data/test441 b/tests/data/test441
+new file mode 100644
+index 0000000..7f5245b
+--- /dev/null
++++ b/tests/data/test441
+@@ -0,0 +1,72 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HSTS
++trailing-dot
++</keywords>
++</info>
++
++<reply>
++
++# we use this as response to a CONNECT
++<connect nocheck="yes">
++HTTP/1.1 403 not OK at all
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 6
++Connection: close
++Funny-head: yesyes
++
++-foo-
++</connect>
++</reply>
++
++<client>
++<server>
++http
++</server>
++<features>
++HSTS
++proxy
++https
++</features>
++
++# no trailing dot in the file only in the URL
++<file name="log/input%TESTNUMBER">
++this.hsts.example. "99991001 04:47:41"
++</file>
++
++<name>
++HSTS with no t-dot host name in URL but t-dot in file
++</name>
++<command>
++-x http://%HOSTIP:%HTTPPORT http://this.hsts.example/%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
++</command>
++</client>
++
++<verify>
++# we let it CONNECT to the server to confirm HSTS but deny from there
++<protocol>
++CONNECT this.hsts.example:443 HTTP/1.1
++Host: this.hsts.example:443
++User-Agent: curl/%VERSION
++Proxy-Connection: Keep-Alive
++
++</protocol>
++<stdout>
++HTTP/1.1 403 not OK at all
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 6
++Connection: close
++Funny-head: yesyes
++
++https://this.hsts.example/%TESTNUMBER
++</stdout>
++# Proxy CONNECT aborted
++<errorcode>
++56
++</errorcode>
++</verify>
++</testcase>
+-- 
+2.34.1
+
+
+From fa4a1193f9bb9970b925cc7795d481c8ee9a0a4a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 08:13:55 +0200
+Subject: [PATCH 2/2] hsts: ignore trailing dots when comparing hosts names
+
+CVE-2022-30115
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-30115.html
+Closes #8821
+
+Upstream-commit: fae6fea209a2d4db1582f608bd8cc8000721733a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/hsts.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 03fcc9e..b9fa6f7 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
+                             curl_off_t expires)
+ {
+   struct stsentry *sts = hsts_entry();
++  char *duphost;
++  size_t hlen;
+   if(!sts)
+     return CURLE_OUT_OF_MEMORY;
+ 
+-  sts->expires = expires;
+-  sts->includeSubDomains = subdomains;
+-  sts->host = strdup(hostname);
+-  if(!sts->host) {
++  duphost = strdup(hostname);
++  if(!duphost) {
+     free(sts);
+     return CURLE_OUT_OF_MEMORY;
+   }
++
++  hlen = strlen(duphost);
++  if(duphost[hlen - 1] == '.')
++    /* strip off trailing any dot */
++    duphost[--hlen] = 0;
++
++  sts->host = duphost;
++  sts->expires = expires;
++  sts->includeSubDomains = subdomains;
+   Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
+   return CURLE_OK;
+ }
+@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
+   if(h) {
++    char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
++
++    if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
++      return NULL;
++    memcpy(buffer, hostname, hlen);
++    if(hostname[hlen-1] == '.')
++      /* remove the trailing dot */
++      --hlen;
++    buffer[hlen] = 0;
++    hostname = buffer;
++
+     for(e = h->list.head; e; e = n) {
+       struct stsentry *sts = e->ptr;
+       n = e->next;
+@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
+     CURLSTScode sc;
+     DEBUGASSERT(h);
+     do {
+-      char buffer[257];
++      char buffer[MAX_HSTS_HOSTLEN + 1];
+       struct curl_hstsentry e;
+       e.name = buffer;
+       e.namelen = sizeof(buffer)-1;
+-- 
+2.34.1
+

0008-curl-7.82.0-CVE-2022-27779.patch

@@ -0,0 +1,144 @@
+From 755d4386dabf1b29dd8c44a3505567eeed9a5b99 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 16:47:06 +0200
+Subject: [PATCH 1/2] test977: reproduce ability to set cookie on TLD
+
+When PSL is not enabled
+
+Upstream-commit: f8cb6c610a8e1576f1f615918a8b0a8fbd0e4e85
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test977      | 60 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test977
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index a5b8dc2..98d5516 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -121,7 +121,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
+ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+-test972 test973 test974 test975 test976 \
++test972 test973 test974 test975 test976 test977 \
+ \
+ test980 test981 test982 test983 test984 test985 test986 \
+ \
+diff --git a/tests/data/test977 b/tests/data/test977
+new file mode 100644
+index 0000000..11ff1b7
+--- /dev/null
++++ b/tests/data/test977
+@@ -0,0 +1,60 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++cookies
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Set-Cookie: a=b; Domain=.me.;
++
++</data>
++
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++</server>
++ <name>
++URL with trailing dot and receiving a cookie for the TLD with dot
++ </name>
++ <command>
++-x http://%HOSTIP:%HTTPPORT http://firsthost.me. -c log/cookies%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET http://firsthost.me./ HTTP/1.1
++Host: firsthost.me.
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++<file name="log/cookies%TESTNUMBER" mode="text">
++# Netscape HTTP Cookie File
++# https://curl.se/docs/http-cookies.html
++# This file was generated by libcurl! Edit at your own risk.
++
++</file>
++</verify>
++</testcase>
+-- 
+2.34.1
+
+
+From 49307bc15142cda9a7f4eff4cdb82111344d865a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 16:47:06 +0200
+Subject: [PATCH 2/2] cookies: make bad_domain() not consider a trailing dot
+ fine
+
+The check for a dot in the domain must not consider a single trailing
+dot to be fine, as then TLD + trailing dot is fine and curl will accept
+setting cookies for it.
+
+CVE-2022-27779
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-27779.html
+Closes #8820
+
+Upstream-commit: 7e92d12b4e6911f424678a133b19de670e183a59
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/cookie.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index d418efa..1b8c8f9 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
+ /* Make sure domain contains a dot or is localhost. */
+ static bool bad_domain(const char *domain)
+ {
+-  return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
++  if(strcasecompare(domain, "localhost"))
++    return FALSE;
++  else {
++    /* there must be a dot present, but that dot must not be a trailing dot */
++    char *dot = strchr(domain, '.');
++    if(dot)
++      return dot[1] ? FALSE : TRUE;
++  }
++  return TRUE;
+ }
+ 
+ /*
+-- 
+2.34.1
+

0009-curl-7.82.0-CVE-2022-27782.patch

@@ -0,0 +1,659 @@
+From 505c04ea93c3db64747e0f776c531e5d63a5acfe Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Thu, 17 Mar 2022 15:31:10 -0400
+Subject: [PATCH 1/3] gtls: fix build for disabled TLS-SRP
+
+Prior to this change if, at build time, the GnuTLS backend was found to
+have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
+via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
+
+Bug: https://curl.se/mail/lib-2022-03/0046.html
+Reported-by: Robert Brose
+
+Closes https://github.com/curl/curl/pull/8604
+
+Upstream-commit: 8b1cae63b77ecfbdb372b5fafb0eb4c273ec887a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/gtls.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5749376..bc8ef68 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -55,6 +55,14 @@
+ /* The last #include file should be: */
+ #include "memdebug.h"
+ 
++#ifdef HAVE_GNUTLS_SRP
++/* the function exists */
++#ifdef USE_TLS_SRP
++/* the functionality is not disabled */
++#define USE_GNUTLS_SRP
++#endif
++#endif
++
+ /* Enable GnuTLS debugging by defining GTLSDEBUG */
+ /*#define GTLSDEBUG */
+ 
+@@ -75,7 +83,7 @@ static bool gtls_inited = FALSE;
+ struct ssl_backend_data {
+   gnutls_session_t session;
+   gnutls_certificate_credentials_t cred;
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+   gnutls_srp_client_credentials_t srp_client_cred;
+ #endif
+ };
+@@ -436,7 +444,7 @@ gtls_connect_step1(struct Curl_easy *data,
+     return CURLE_SSL_CONNECT_ERROR;
+   }
+ 
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+   if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+     infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+ 
+@@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data,
+   if(result)
+     return result;
+ 
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+   /* Only add SRP to the cipher list if SRP is requested. Otherwise
+    * GnuTLS will disable TLS 1.3 support. */
+   if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+@@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ #endif
+     infof(data, "GnuTLS ciphers: %s", prioritylist);
+     rc = gnutls_priority_set_direct(session, prioritylist, &err);
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+   }
+ #endif
+ 
+@@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data,
+     }
+   }
+ 
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+   /* put the credentials to the current session */
+   if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+     rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+@@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+     if(SSL_CONN_CONFIG(verifypeer) ||
+        SSL_CONN_CONFIG(verifyhost) ||
+        SSL_CONN_CONFIG(issuercert)) {
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+          && SSL_SET_OPTION(username) != NULL
+          && !SSL_CONN_CONFIG(verifypeer)
+@@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+         failf(data, "failed to get server cert");
+         *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
+         return CURLE_PEER_FAILED_VERIFICATION;
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+       }
+ #endif
+     }
+@@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl)
+     gnutls_certificate_free_credentials(backend->cred);
+     backend->cred = NULL;
+   }
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+   if(backend->srp_client_cred) {
+     gnutls_srp_free_client_credentials(backend->srp_client_cred);
+     backend->srp_client_cred = NULL;
+@@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
+   }
+   gnutls_certificate_free_credentials(backend->cred);
+ 
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+   if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+      && SSL_SET_OPTION(username) != NULL)
+     gnutls_srp_free_client_credentials(backend->srp_client_cred);
+-- 
+2.35.3
+
+
+From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c       | 29 +++++++++++++++++------------
+ lib/url.c          | 23 ++++++++++++++++-------
+ lib/urldata.h      | 13 +++++++------
+ lib/vtls/gtls.c    | 32 +++++++++++++++++---------------
+ lib/vtls/mbedtls.c |  2 +-
+ lib/vtls/nss.c     |  6 +++---
+ lib/vtls/openssl.c | 10 +++++-----
+ lib/vtls/vtls.c    | 21 +++++++++++++++++++++
+ 8 files changed, 87 insertions(+), 49 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 8e1bf12..7aa6fdb 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ 
+   case CURLOPT_SSL_OPTIONS:
+     arg = va_arg(param, long);
++    data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
+     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+     data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_SSL_OPTIONS:
+     arg = va_arg(param, long);
++    data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
+     data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+     data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+   case CURLOPT_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
++       !data->set.ssl.primary.authtype)
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
+                             va_arg(param, char *));
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++       !data->set.proxy_ssl.primary.authtype)
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
++                                                                  SRP */
+     break;
+ #endif
+   case CURLOPT_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
++       !data->set.ssl.primary.authtype)
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
+                             va_arg(param, char *));
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++       !data->set.proxy_ssl.primary.authtype)
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+     break;
+ #endif
+   case CURLOPT_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+ #endif
+ #endif
+diff --git a/lib/url.c b/lib/url.c
+index 94e3406..5ebf5e2 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+   set->ssl.primary.verifypeer = TRUE;
+   set->ssl.primary.verifyhost = TRUE;
+ #ifdef USE_TLS_SRP
+-  set->ssl.authtype = CURL_TLSAUTH_NONE;
++  set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ #endif
+   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+                                                       type */
+@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
+   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
+   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
++  conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
++#ifdef USE_TLS_SRP
++#endif
+ #ifndef CURL_DISABLE_PROXY
+   conn->proxy_ssl_config.verifystatus =
+     data->set.proxy_ssl.primary.verifystatus;
+   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
++  conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
++#ifdef USE_TLS_SRP
++#endif
+ #endif
+   conn->ip_version = data->set.ipver;
+   conn->bits.connect_only = data->set.connect_only;
+@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data,
+     data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.primary.issuercert_blob =
+     data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
+-  data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
++  data->set.proxy_ssl.primary.CRLfile =
++    data->set.str[STRING_SSL_CRLFILE_PROXY];
+   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
+@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
+   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+-  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
++  data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+   data->set.ssl.key = data->set.str[STRING_KEY];
+   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
+   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
+   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+-  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+-  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
++  data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
++  data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #ifndef CURL_DISABLE_PROXY
+-  data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+-  data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
++  data->set.proxy_ssl.primary.username =
++    data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
++  data->set.proxy_ssl.primary.password =
++    data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ #endif
+   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 5218f76..e006495 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -253,10 +253,17 @@ struct ssl_primary_config {
+   char *cipher_list;     /* list of ciphers to use */
+   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
+   char *pinned_key;
++  char *CRLfile;         /* CRL to check certificate revocation */
+   struct curl_blob *cert_blob;
+   struct curl_blob *ca_info_blob;
+   struct curl_blob *issuercert_blob;
++#ifdef USE_TLS_SRP
++  char *username; /* TLS username (for, e.g., SRP) */
++  char *password; /* TLS password (for, e.g., SRP) */
++  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
++#endif
+   char *curves;          /* list of curves to use */
++  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
+   BIT(verifypeer);       /* set TRUE if this is desired */
+   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
+   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
+@@ -266,7 +273,6 @@ struct ssl_primary_config {
+ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+-  char *CRLfile;   /* CRL to check certificate revocation */
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert_type; /* format for certificate (default: PEM)*/
+@@ -274,11 +280,6 @@ struct ssl_config_data {
+   struct curl_blob *key_blob;
+   char *key_type; /* format for private key (default: PEM) */
+   char *key_passwd; /* plain text private key password */
+-#ifdef USE_TLS_SRP
+-  char *username; /* TLS username (for, e.g., SRP) */
+-  char *password; /* TLS password (for, e.g., SRP) */
+-  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+-#endif
+   BIT(certinfo);     /* gather lots of certificate info */
+   BIT(falsestart);
+   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5749376..ec6be16 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -445,8 +445,9 @@ gtls_connect_step1(struct Curl_easy *data,
+   }
+ 
+ #ifdef USE_GNUTLS_SRP
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+-    infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
++  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
++    infof(data, "Using TLS-SRP username: %s",
++          SSL_SET_OPTION(primary.username));
+ 
+     rc = gnutls_srp_allocate_client_credentials(
+            &backend->srp_client_cred);
+@@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data,
+     }
+ 
+     rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
+-                                           SSL_SET_OPTION(username),
+-                                           SSL_SET_OPTION(password));
++                                           SSL_SET_OPTION(primary.username),
++                                           SSL_SET_OPTION(primary.password));
+     if(rc != GNUTLS_E_SUCCESS) {
+       failf(data, "gnutls_srp_set_client_cred() failed: %s",
+             gnutls_strerror(rc));
+@@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data,
+   }
+ #endif
+ 
+-  if(SSL_SET_OPTION(CRLfile)) {
++  if(SSL_SET_OPTION(primary.CRLfile)) {
+     /* set the CRL list file */
+     rc = gnutls_certificate_set_x509_crl_file(backend->cred,
+-                                              SSL_SET_OPTION(CRLfile),
++                                              SSL_SET_OPTION(primary.CRLfile),
+                                               GNUTLS_X509_FMT_PEM);
+     if(rc < 0) {
+       failf(data, "error reading crl file %s (%s)",
+-            SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
++            SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
+       return CURLE_SSL_CRL_BADFILE;
+     }
+     else
+       infof(data, "found %d CRL in %s",
+-            rc, SSL_SET_OPTION(CRLfile));
++            rc, SSL_SET_OPTION(primary.CRLfile));
+   }
+ 
+   /* Initialize TLS session as a client */
+@@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ #ifdef USE_GNUTLS_SRP
+   /* Only add SRP to the cipher list if SRP is requested. Otherwise
+    * GnuTLS will disable TLS 1.3 support. */
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+     size_t len = strlen(prioritylist);
+ 
+     char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
+@@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ 
+ #ifdef USE_GNUTLS_SRP
+   /* put the credentials to the current session */
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+     rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+                                 backend->srp_client_cred);
+     if(rc != GNUTLS_E_SUCCESS) {
+@@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+        SSL_CONN_CONFIG(verifyhost) ||
+        SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_GNUTLS_SRP
+-      if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+-         && SSL_SET_OPTION(username) != NULL
++      if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
++         && SSL_SET_OPTION(primary.username) != NULL
+          && !SSL_CONN_CONFIG(verifypeer)
+          && gnutls_cipher_get(session)) {
+         /* no peer cert, but auth is ok if we have SRP user and cipher and no
+@@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+         failf(data, "server certificate verification failed. CAfile: %s "
+               "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
+               "none",
+-              SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
++              SSL_SET_OPTION(primary.CRLfile) ?
++              SSL_SET_OPTION(primary.CRLfile) : "none");
+         return CURLE_PEER_FAILED_VERIFICATION;
+       }
+       else
+@@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
+   gnutls_certificate_free_credentials(backend->cred);
+ 
+ #ifdef USE_GNUTLS_SRP
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+-     && SSL_SET_OPTION(username) != NULL)
++  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
++     && SSL_SET_OPTION(primary.username) != NULL)
+     gnutls_srp_free_client_credentials(backend->srp_client_cred);
+ #endif
+ 
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index b9fd26a..bd4ad8f 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
++  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+   const char * const hostname = SSL_HOST_NAME();
+ #ifndef CURL_DISABLE_VERBOSE_STRINGS
+   const long int port = SSL_HOST_PORT();
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 558e3be..892e7d8 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2027,13 +2027,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+     }
+   }
+ 
+-  if(SSL_SET_OPTION(CRLfile)) {
+-    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
++  if(SSL_SET_OPTION(primary.CRLfile)) {
++    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
+     if(rv) {
+       result = rv;
+       goto error;
+     }
+-    infof(data, "  CRLfile: %s", SSL_SET_OPTION(CRLfile));
++    infof(data, "  CRLfile: %s", SSL_SET_OPTION(primary.CRLfile));
+   }
+ 
+   if(SSL_SET_OPTION(primary.clientcert)) {
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 97c5666..a4ef9d1 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2633,7 +2633,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+   const long int ssl_version = SSL_CONN_CONFIG(version);
+ #ifdef USE_OPENSSL_SRP
+-  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
++  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
+ #endif
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+@@ -2644,7 +2644,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+     (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
+   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
++  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+   char error_buffer[256];
+   struct ssl_backend_data *backend = connssl->backend;
+   bool imported_native_ca = false;
+@@ -2896,15 +2896,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #ifdef USE_OPENSSL_SRP
+   if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+      Curl_allow_auth_to_host(data)) {
+-    char * const ssl_username = SSL_SET_OPTION(username);
+-
++    char * const ssl_username = SSL_SET_OPTION(primary.username);
++    char * const ssl_password = SSL_SET_OPTION(primary.password);
+     infof(data, "Using TLS-SRP username: %s", ssl_username);
+ 
+     if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
+       failf(data, "Unable to set SRP user name");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+-    if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
++    if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
+       failf(data, "failed setting SRP password");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index a40ac06..e2d3438 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ {
+   if((data->version == needle->version) &&
+      (data->version_max == needle->version_max) &&
++     (data->ssl_options == needle->ssl_options) &&
+      (data->verifypeer == needle->verifypeer) &&
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&
+@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+      Curl_safecmp(data->clientcert, needle->clientcert) &&
+      Curl_safecmp(data->random_file, needle->random_file) &&
+      Curl_safecmp(data->egdsocket, needle->egdsocket) &&
++#ifdef USE_TLS_SRP
++     Curl_safecmp(data->username, needle->username) &&
++     Curl_safecmp(data->password, needle->password) &&
++     (data->authtype == needle->authtype) &&
++#endif
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->curves, needle->curves) &&
++     Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
+      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+     return TRUE;
+ 
+@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   dest->verifyhost = source->verifyhost;
+   dest->verifystatus = source->verifystatus;
+   dest->sessionid = source->sessionid;
++  dest->ssl_options = source->ssl_options;
++#ifdef USE_TLS_SRP
++  dest->authtype = source->authtype;
++#endif
+ 
+   CLONE_BLOB(cert_blob);
+   CLONE_BLOB(ca_info_blob);
+@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   CLONE_STRING(cipher_list13);
+   CLONE_STRING(pinned_key);
+   CLONE_STRING(curves);
++  CLONE_STRING(CRLfile);
++#ifdef USE_TLS_SRP
++  CLONE_STRING(username);
++  CLONE_STRING(password);
++#endif
+ 
+   return TRUE;
+ }
+@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+   Curl_safefree(sslc->ca_info_blob);
+   Curl_safefree(sslc->issuercert_blob);
+   Curl_safefree(sslc->curves);
++  Curl_safefree(sslc->CRLfile);
++#ifdef USE_TLS_SRP
++  Curl_safefree(sslc->username);
++  Curl_safefree(sslc->password);
++#endif
+ }
+ 
+ #ifdef USE_SSL
+-- 
+2.34.1
+
+
+From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH 3/3] url: check SSH config match on connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c      | 11 +++++++++++
+ lib/vssh/ssh.h |  6 +++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 5ebf5e2..c713e54 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
+   }
+ }
+ 
++static bool ssh_config_matches(struct connectdata *one,
++                               struct connectdata *two)
++{
++  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
++          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
++}
+ /*
+  * Given one filled in connection struct (named needle), this function should
+  * detect if there already is one that has all the significant details
+@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
+          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+         continue;
+ 
++      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
++        if(!ssh_config_matches(needle, check))
++          continue;
++      }
++
+       if((needle->handler->flags&PROTOPT_SSL)
+ #ifndef CURL_DISABLE_PROXY
+          || !needle->bits.httpproxy || needle->bits.tunnel_proxy
+diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
+index 7972081..30d82e5 100644
+--- a/lib/vssh/ssh.h
++++ b/lib/vssh/ssh.h
+@@ -7,7 +7,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -131,8 +131,8 @@ struct ssh_conn {
+ 
+   /* common */
+   const char *passphrase;     /* pass-phrase to use */
+-  char *rsa_pub;              /* path name */
+-  char *rsa;                  /* path name */
++  char *rsa_pub;              /* strdup'ed public key file */
++  char *rsa;                  /* strdup'ed private key file */
+   bool authed;                /* the connection has been authenticated fine */
+   bool acceptfail;            /* used by the SFTP_QUOTE (continue if
+                                  quote command fails) */
+-- 
+2.34.1
+

0010-curl-7.82.0-CVE-2022-32208.patch

@@ -0,0 +1,70 @@
+From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
++  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
+@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
++  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
++    if(len > CURL_MAX_INPUT_LENGTH)
++      len = 0;
++    else
++      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
++  nread = conn->mech->decode(conn->app_data, buf->data, len,
++                             conn->data_prot, conn);
++  if(nread < 0)
++    return CURLE_RECV_ERROR;
++  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }
+-- 
+2.35.3
+

0011-curl-7.82.0-CVE-2022-32206.patch

@@ -0,0 +1,144 @@
+From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH 1/2] content_encoding: return error on too many compression
+ steps
+
+The max allowed steps is arbitrarily set to 5.
+
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+
+Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index c03637a..6f994b3 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name,
+   return NULL;
+ }
+ 
++/* allow no more than 5 "chained" compression steps */
++#define MAX_ENCODE_STACK 5
++
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+  * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
++  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
++      if(++counter >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to %u content encodings",
++              counter);
++        return CURLE_BAD_CONTENT_ENCODING;
++      }
+       /* Stack the unencoding stage. */
+       writer = new_unencoding_writer(data, encoding, k->writer_stack);
+       if(!writer)
+-- 
+2.35.3
+
+
+From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:29:07 +0200
+Subject: [PATCH 2/2] test387: verify rejection of compression chain attack
+
+Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test387      | 53 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test387
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 98d5516..9b5f4fb 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -63,7 +63,7 @@ test352 test353 test354 test355 test356 test357 test358 test359 test360 \
+ test361 test362 test363 test364 test365 test366 test367 test368 test369 \
+ test370 test371 test372 test373 test374 \
+ \
+-test380 test381 test383 test384 test385 test386 \
++test380 test381 test383 test384 test385 test386 test387 \
+ \
+ test392 test393 test394 test395 test396 test397 \
+ \
+diff --git a/tests/data/test387 b/tests/data/test387
+new file mode 100644
+index 0000000..015ec25
+--- /dev/null
++++ b/tests/data/test387
+@@ -0,0 +1,53 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++gzip
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Response with overly long compression chain
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++<errorcode>
++61
++</errorcode>
++<stderr mode="text">
++curl: (61) Reject response due to 5 content encodings
++</stderr>
++</verify>
++</testcase>
+-- 
+2.35.3
+

0013-curl-7.82.0-CVE-2022-32207.patch

@@ -0,0 +1,428 @@
+From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files
+
+Bug: https://curl.se/docs/CVE-2022-32207.html
+CVE-2022-32207
+Reported-by: Harry Sintonen
+Closes #9050
+
+Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ CMakeLists.txt          |   1 +
+ configure.ac            |   1 +
+ lib/Makefile.inc        |   2 +
+ lib/cookie.c            |  19 ++-----
+ lib/curl_config.h.cmake |   3 ++
+ lib/fopen.c             | 113 ++++++++++++++++++++++++++++++++++++++++
+ lib/fopen.h             |  30 +++++++++++
+ 7 files changed, 154 insertions(+), 15 deletions(-)
+ create mode 100644 lib/fopen.c
+ create mode 100644 lib/fopen.h
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b77de6d..a0bfaad 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET)
+   set(CMAKE_REQUIRED_LIBRARIES socket)
+ endif()
+ 
++check_symbol_exists(fchmod        "${CURL_INCLUDES}" HAVE_FCHMOD)
+ check_symbol_exists(basename      "${CURL_INCLUDES}" HAVE_BASENAME)
+ check_symbol_exists(socket        "${CURL_INCLUDES}" HAVE_SOCKET)
+ check_symbol_exists(select        "${CURL_INCLUDES}" HAVE_SELECT)
+diff --git a/configure.ac b/configure.ac
+index d431870..7433bb9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+ 
+ 
+ AC_CHECK_FUNCS([fnmatch \
++  fchmod \
+   geteuid \
+   getpass_r \
+   getppid \
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index e8f110f..5139b03 100644
+--- a/lib/Makefile.inc
++++ b/lib/Makefile.inc
+@@ -133,6 +133,7 @@ LIB_CFILES =         \
+   escape.c           \
+   file.c             \
+   fileinfo.c         \
++  fopen.c            \
+   formdata.c         \
+   ftp.c              \
+   ftplistparser.c    \
+@@ -263,6 +264,7 @@ LIB_HFILES =         \
+   escape.h           \
+   file.h             \
+   fileinfo.h         \
++  fopen.h            \
+   formdata.h         \
+   ftp.h              \
+   ftplistparser.h    \
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 8a6aa1a..cb0c03b 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -96,8 +96,8 @@ Example set of cookies:
+ #include "curl_get_line.h"
+ #include "curl_memrchr.h"
+ #include "parsedate.h"
+-#include "rand.h"
+ #include "rename.h"
++#include "fopen.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
+     use_stdout = TRUE;
+   }
+   else {
+-    unsigned char randsuffix[9];
+-
+-    if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-      return 2;
+-
+-    tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+-    if(!tempstore)
+-      return CURLE_OUT_OF_MEMORY;
+-
+-    out = fopen(tempstore, FOPEN_WRITETEXT);
+-    if(!out) {
+-      error = CURLE_WRITE_ERROR;
++    error = Curl_fopen(data, filename, &out, &tempstore);
++    if(error)
+       goto error;
+-    }
+   }
+ 
+   fputs("# Netscape HTTP Cookie File\n"
+@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
+   if(!use_stdout) {
+     fclose(out);
+     out = NULL;
+-    if(Curl_rename(tempstore, filename)) {
++    if(tempstore && Curl_rename(tempstore, filename)) {
+       unlink(tempstore);
+       error = CURLE_WRITE_ERROR;
+       goto error;
+diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
+index d2a0f43..c254359 100644
+--- a/lib/curl_config.h.cmake
++++ b/lib/curl_config.h.cmake
+@@ -157,6 +157,9 @@
+ /* Define to 1 if you have the <assert.h> header file. */
+ #cmakedefine HAVE_ASSERT_H 1
+ 
++/* Define to 1 if you have the `fchmod' function. */
++#cmakedefine HAVE_FCHMOD 1
++
+ /* Define to 1 if you have the `basename' function. */
+ #cmakedefine HAVE_BASENAME 1
+ 
+diff --git a/lib/fopen.c b/lib/fopen.c
+new file mode 100644
+index 0000000..ad3691b
+--- /dev/null
++++ b/lib/fopen.c
+@@ -0,0 +1,113 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
++  !defined(CURL_DISABLE_HSTS)
++
++#ifdef HAVE_FCNTL_H
++#include <fcntl.h>
++#endif
++
++#include "urldata.h"
++#include "rand.h"
++#include "fopen.h"
++/* The last 3 #include files should be in this order */
++#include "curl_printf.h"
++#include "curl_memory.h"
++#include "memdebug.h"
++
++/*
++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
++ * to the final name when completed. If there is an existing file using this
++ * name at the time of the open, this function will clone the mode from that
++ * file.  if 'tempname' is non-NULL, it needs a rename after the file is
++ * written.
++ */
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++                    FILE **fh, char **tempname)
++{
++  CURLcode result = CURLE_WRITE_ERROR;
++  unsigned char randsuffix[9];
++  char *tempstore = NULL;
++  struct_stat sb;
++  int fd = -1;
++  *tempname = NULL;
++
++  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
++    /* a non-regular file, fallback to direct fopen() */
++    *fh = fopen(filename, FOPEN_WRITETEXT);
++    if(*fh)
++      return CURLE_OK;
++    goto fail;
++  }
++
++  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
++  if(result)
++    goto fail;
++
++  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
++  if(!tempstore) {
++    result = CURLE_OUT_OF_MEMORY;
++    goto fail;
++  }
++
++  result = CURLE_WRITE_ERROR;
++  fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
++  if(fd == -1)
++    goto fail;
++
++#ifdef HAVE_FCHMOD
++  {
++    struct_stat nsb;
++    if((fstat(fd, &nsb) != -1) &&
++       (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
++      /* if the user and group are the same, clone the original mode */
++      if(fchmod(fd, sb.st_mode) == -1)
++        goto fail;
++    }
++  }
++#endif
++
++  *fh = fdopen(fd, FOPEN_WRITETEXT);
++  if(!*fh)
++    goto fail;
++
++  *tempname = tempstore;
++  return CURLE_OK;
++
++fail:
++  if(fd != -1) {
++    close(fd);
++    unlink(tempstore);
++  }
++
++  free(tempstore);
++
++  *tempname = NULL;
++  return result;
++}
++
++#endif /* ! disabled */
+diff --git a/lib/fopen.h b/lib/fopen.h
+new file mode 100644
+index 0000000..289e55f
+--- /dev/null
++++ b/lib/fopen.h
+@@ -0,0 +1,30 @@
++#ifndef HEADER_CURL_FOPEN_H
++#define HEADER_CURL_FOPEN_H
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++                    FILE **fh, char **tempname);
++
++#endif
+-- 
+2.35.3
+
+
+From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH 2/3] altsvc: use Curl_fopen()
+
+Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/altsvc.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/lib/altsvc.c b/lib/altsvc.c
+index 242733b..4dc4078 100644
+--- a/lib/altsvc.c
++++ b/lib/altsvc.c
+@@ -34,7 +34,7 @@
+ #include "parsedate.h"
+ #include "sendf.h"
+ #include "warnless.h"
+-#include "rand.h"
++#include "fopen.h"
+ #include "rename.h"
+ 
+ /* The last 3 #include files should be in this order */
+@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
+   struct Curl_llist_element *n;
+   CURLcode result = CURLE_OK;
+   FILE *out;
+-  char *tempstore;
+-  unsigned char randsuffix[9];
++  char *tempstore = NULL;
+ 
+   if(!altsvc)
+     /* no cache activated */
+@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
+     /* marked as read-only, no file or zero length file name */
+     return CURLE_OK;
+ 
+-  if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-    return CURLE_FAILED_INIT;
+-
+-  tempstore = aprintf("%s.%s.tmp", file, randsuffix);
+-  if(!tempstore)
+-    return CURLE_OUT_OF_MEMORY;
+-
+-  out = fopen(tempstore, FOPEN_WRITETEXT);
+-  if(!out)
+-    result = CURLE_WRITE_ERROR;
+-  else {
++  result = Curl_fopen(data, file, &out, &tempstore);
++  if(!result) {
+     fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n"
+           "# This file was generated by libcurl! Edit at your own risk.\n",
+           out);
+@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
+         break;
+     }
+     fclose(out);
+-    if(!result && Curl_rename(tempstore, file))
++    if(!result && tempstore && Curl_rename(tempstore, file))
+       result = CURLE_WRITE_ERROR;
+ 
+-    if(result)
++    if(result && tempstore)
+       unlink(tempstore);
+   }
+   free(tempstore);
+-- 
+2.35.3
+
+
+From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:54 +0200
+Subject: [PATCH 3/3] hsts: use Curl_fopen()
+
+Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/hsts.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index b9fa6f7..9d54c82 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -35,7 +35,7 @@
+ #include "sendf.h"
+ #include "strtoofft.h"
+ #include "parsedate.h"
+-#include "rand.h"
++#include "fopen.h"
+ #include "rename.h"
+ #include "strtoofft.h"
+ 
+@@ -354,8 +354,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
+   struct Curl_llist_element *n;
+   CURLcode result = CURLE_OK;
+   FILE *out;
+-  char *tempstore;
+-  unsigned char randsuffix[9];
++  char *tempstore = NULL;
+ 
+   if(!h)
+     /* no cache activated */
+@@ -369,17 +368,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
+     /* marked as read-only, no file or zero length file name */
+     goto skipsave;
+ 
+-  if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-    return CURLE_FAILED_INIT;
+-
+-  tempstore = aprintf("%s.%s.tmp", file, randsuffix);
+-  if(!tempstore)
+-    return CURLE_OUT_OF_MEMORY;
+-
+-  out = fopen(tempstore, FOPEN_WRITETEXT);
+-  if(!out)
+-    result = CURLE_WRITE_ERROR;
+-  else {
++  result = Curl_fopen(data, file, &out, &tempstore);
++  if(!result) {
+     fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n"
+           "# This file was generated by libcurl! Edit at your own risk.\n",
+           out);
+@@ -391,10 +381,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
+         break;
+     }
+     fclose(out);
+-    if(!result && Curl_rename(tempstore, file))
++    if(!result && tempstore && Curl_rename(tempstore, file))
+       result = CURLE_WRITE_ERROR;
+ 
+-    if(result)
++    if(result && tempstore)
+       unlink(tempstore);
+   }
+   free(tempstore);
+-- 
+2.35.3
+

0014-curl-7.82.0-CVE-2022-35252.patch

@@ -0,0 +1,136 @@
+From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 1/2] cookie: reject cookies with "control bytes"
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+
+Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index cb0c03b..e0470a1 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -438,6 +438,30 @@ static bool bad_domain(const char *domain)
+   return TRUE;
+ }
+ 
++/*
++  RFC 6265 section 4.1.1 says a server should accept this range:
++
++  cookie-octet    = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
++
++  But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
++  fine. The prime reason for filtering out control bytes is that some HTTP
++  servers return 400 for requests that contain such.
++*/
++static int invalid_octets(const char *p)
++{
++  /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
++  static const char badoctets[] = {
++    "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
++    "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
++    "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
++  };
++  size_t vlen, len;
++  /* scan for all the octets that are *not* in cookie-octet */
++  len = strcspn(p, badoctets);
++  vlen = strlen(p);
++  return (len != vlen);
++}
++
+ /*
+  * Curl_cookie_add
+  *
+@@ -590,6 +614,11 @@ Curl_cookie_add(struct Curl_easy *data,
+             badcookie = TRUE;
+             break;
+           }
++          if(invalid_octets(whatptr) || invalid_octets(name)) {
++            infof(data, "invalid octets in name/value, cookie dropped");
++            badcookie = TRUE;
++            break;
++          }
+         }
+         else if(!len) {
+           /*
+-- 
+2.37.1
+
+
+From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored
+
+Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/tests/data/test8 b/tests/data/test8
+index a8548e6..8587611 100644
+--- a/tests/data/test8
++++ b/tests/data/test8
+@@ -46,6 +46,36 @@ Set-Cookie: trailingspace    = removed; path=/we/want;
+ Set-Cookie: nocookie=yes; path=/WE;
+ Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
+ Set-Cookie: partialip=nono; domain=.0.0.1;
++Set-Cookie: cookie1=%hex[%01-junk]hex%
++Set-Cookie: cookie2=%hex[%02-junk]hex%
++Set-Cookie: cookie3=%hex[%03-junk]hex%
++Set-Cookie: cookie4=%hex[%04-junk]hex%
++Set-Cookie: cookie5=%hex[%05-junk]hex%
++Set-Cookie: cookie6=%hex[%06-junk]hex%
++Set-Cookie: cookie7=%hex[%07-junk]hex%
++Set-Cookie: cookie8=%hex[%08-junk]hex%
++Set-Cookie: cookie9=%hex[junk-%09-]hex%
++Set-Cookie: cookie11=%hex[%0b-junk]hex%
++Set-Cookie: cookie12=%hex[%0c-junk]hex%
++Set-Cookie: cookie14=%hex[%0e-junk]hex%
++Set-Cookie: cookie15=%hex[%0f-junk]hex%
++Set-Cookie: cookie16=%hex[%10-junk]hex%
++Set-Cookie: cookie17=%hex[%11-junk]hex%
++Set-Cookie: cookie18=%hex[%12-junk]hex%
++Set-Cookie: cookie19=%hex[%13-junk]hex%
++Set-Cookie: cookie20=%hex[%14-junk]hex%
++Set-Cookie: cookie21=%hex[%15-junk]hex%
++Set-Cookie: cookie22=%hex[%16-junk]hex%
++Set-Cookie: cookie23=%hex[%17-junk]hex%
++Set-Cookie: cookie24=%hex[%18-junk]hex%
++Set-Cookie: cookie25=%hex[%19-junk]hex%
++Set-Cookie: cookie26=%hex[%1a-junk]hex%
++Set-Cookie: cookie27=%hex[%1b-junk]hex%
++Set-Cookie: cookie28=%hex[%1c-junk]hex%
++Set-Cookie: cookie29=%hex[%1d-junk]hex%
++Set-Cookie: cookie30=%hex[%1e-junk]hex%
++Set-Cookie: cookie31=%hex[%1f-junk]hex%
++Set-Cookie: cookie31=%hex[%7f-junk]hex%
+ 
+ </file>
+ <precheck>
+@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ User-Agent: curl/%VERSION
+ Accept: */*
+-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk-	-
+ 
+ </protocol>
+ </verify>
+-- 
+2.37.1
+

0101-curl-7.32.0-multilib.patch

@@ -4,10 +4,10 @@ Date: Fri, 12 Apr 2013 12:04:05 +0200
 Subject: [PATCH] prevent multilib conflicts on the curl-config script
 
 ---
- curl-config.in     |   21 +++------------------
- docs/curl-config.1 |    4 +++-
- libcurl.pc.in      |    1 +
- 3 files changed, 7 insertions(+), 19 deletions(-)
+ curl-config.in     | 23 +++++------------------
+ docs/curl-config.1 |  4 +++-
+ libcurl.pc.in      |  1 +
+ 3 files changed, 9 insertions(+), 19 deletions(-)
 
 diff --git a/curl-config.in b/curl-config.in
 index 150004d..95d0759 100644
@@ -22,7 +22,7 @@ index 150004d..95d0759 100644
          ;;
  
      --prefix)
-@@ -155,32 +155,17 @@ while test $# -gt 0; do
+@@ -155,32 +155,19 @@ while test $# -gt 0; do
          ;;
  
      --libs)
@@ -31,7 +31,7 @@ index 150004d..95d0759 100644
 -        else
 -           CURLLIBDIR=""
 -        fi
--        if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
+-        if test "X@ENABLE_SHARED@" = "Xno"; then
 -          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
 -        else
 -          echo ${CURLLIBDIR}-lcurl
@@ -49,6 +49,8 @@ index 150004d..95d0759 100644
 -          echo "curl was built with static libraries disabled" >&2
 -          exit 1
 -        fi
++        echo "curl was built with static libraries disabled" >&2
++        exit 1
          ;;
  
      --configure)
@@ -83,7 +85,7 @@ index 2ba9c39..f8f8b00 100644
 +configure_options=@CONFIGURE_OPTIONS@
  
  Name: libcurl
- URL: https://curl.haxx.se/
+ URL: https://curl.se/
 -- 
-2.5.0
+2.26.2
 

0102-curl-7.36.0-debug.patch

@@ -1,65 +0,0 @@
-From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Wed, 31 Oct 2012 11:38:30 +0100
-Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778)
-
----
- configure            |   13 +++----------
- m4/curl-compilers.m4 |   13 +++----------
- 2 files changed, 6 insertions(+), 20 deletions(-)
-
-diff --git a/configure b/configure
-index 8f079a3..53b4774 100755
---- a/configure
-+++ b/configure
-@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; }
-     gccvhi=`echo $gccver | cut -d . -f1`
-     gccvlo=`echo $gccver | cut -d . -f2`
-     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
--    flags_dbg_all="-g -g0 -g1 -g2 -g3"
--    flags_dbg_all="$flags_dbg_all -ggdb"
--    flags_dbg_all="$flags_dbg_all -gstabs"
--    flags_dbg_all="$flags_dbg_all -gstabs+"
--    flags_dbg_all="$flags_dbg_all -gcoff"
--    flags_dbg_all="$flags_dbg_all -gxcoff"
--    flags_dbg_all="$flags_dbg_all -gdwarf-2"
--    flags_dbg_all="$flags_dbg_all -gvms"
-+    flags_dbg_all=""
-     flags_dbg_yes="-g"
-     flags_dbg_off=""
--    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
--    flags_opt_yes="-O2"
-+    flags_opt_all=""
-+    flags_opt_yes=""
-     flags_opt_off="-O0"
- 
-     OLDCPPFLAGS=$CPPFLAGS
-diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
-index 0cbba7a..9175b5b 100644
---- a/m4/curl-compilers.m4
-+++ b/m4/curl-compilers.m4
-@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
-     gccvhi=`echo $gccver | cut -d . -f1`
-     gccvlo=`echo $gccver | cut -d . -f2`
-     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
--    flags_dbg_all="-g -g0 -g1 -g2 -g3"
--    flags_dbg_all="$flags_dbg_all -ggdb"
--    flags_dbg_all="$flags_dbg_all -gstabs"
--    flags_dbg_all="$flags_dbg_all -gstabs+"
--    flags_dbg_all="$flags_dbg_all -gcoff"
--    flags_dbg_all="$flags_dbg_all -gxcoff"
--    flags_dbg_all="$flags_dbg_all -gdwarf-2"
--    flags_dbg_all="$flags_dbg_all -gvms"
-+    flags_dbg_all=""
-     flags_dbg_yes="-g"
-     flags_dbg_off=""
--    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
--    flags_opt_yes="-O2"
-+    flags_opt_all=""
-+    flags_opt_yes=""
-     flags_opt_off="-O0"
-     CURL_CHECK_DEF([_WIN32], [], [silent])
-   else
--- 
-1.7.1
-

0103-curl-7.59.0-python3.patch

@@ -1,34 +0,0 @@
-From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Thu, 15 Mar 2018 14:49:56 +0100
-Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3
-
-Unfortunately, smbserver.py does not work with Python 3 because
-there is no 'impacket' module available for Python 3:
-
-https://github.com/CoreSecurity/impacket/issues/61
----
- tests/negtelnetserver.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
-index 8cfd409..72ee771 100755
---- a/tests/negtelnetserver.py
-+++ b/tests/negtelnetserver.py
-@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
-                 response_data = response.encode('ascii')
-             else:
-                 log.debug("Received normal request - echoing back")
--                response_data = data.strip()
-+                response_data = data.decode('utf8').strip()
- 
-             if response_data:
-                 log.debug("Sending %r", response_data)
--                self.request.sendall(response_data)
-+                self.request.sendall(response_data.encode('utf8'))
- 
-         except IOError:
-             log.exception("IOError hit during request")
--- 
-2.14.3
-

0104-curl-7.19.7-localhost6.patch

@@ -1,51 +0,0 @@
-diff --git a/tests/data/test1083 b/tests/data/test1083
-index e441278..b0958b6 100644
---- a/tests/data/test1083
-+++ b/tests/data/test1083
-@@ -33,13 +33,13 @@ ipv6
- http-ipv6
- </server>
-  <name>
--HTTP-IPv6 GET with ip6-localhost --interface
-+HTTP-IPv6 GET with localhost6 --interface
-  </name>
-  <command>
---g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost
-+-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6
- </command>
- <precheck>
--perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
-+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
- </precheck>
- </client>
- 
-diff --git a/tests/data/test241 b/tests/data/test241
-index 46eae1f..4e1632c 100644
---- a/tests/data/test241
-+++ b/tests/data/test241
-@@ -30,13 +30,13 @@ ipv6
- http-ipv6
- </server>
-  <name>
--HTTP-IPv6 GET (using ip6-localhost)
-+HTTP-IPv6 GET (using localhost6)
-  </name>
-  <command>
---g "http://ip6-localhost:%HTTP6PORT/241"
-+-g "http://localhost6:%HTTP6PORT/241"
- </command>
- <precheck>
--./server/resolve --ipv6 ip6-localhost
-+./server/resolve --ipv6 localhost6
- </precheck>
- </client>
- 
-@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost)
- </strip>
- <protocol>
- GET /241 HTTP/1.1
--Host: ip6-localhost:%HTTP6PORT
-+Host: localhost6:%HTTP6PORT
- Accept: */*
- 
- </protocol>

0105-curl-7.63.0-lib1560-valgrind.patch

@@ -1,39 +0,0 @@
-From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 4 Feb 2019 17:32:56 +0100
-Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
-
-... to prevent valgrind from reporting false positives on x86_64:
-
-Conditional jump or move depends on uninitialised value(s)
-   at 0x10BCAA: part2id (lib1560.c:489)
-   by 0x10BCAA: updateurl (lib1560.c:521)
-   by 0x10BCAA: set_parts (lib1560.c:630)
-   by 0x10BCAA: test (lib1560.c:802)
-   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
-
-Conditional jump or move depends on uninitialised value(s)
-   at 0x10BCC3: part2id (lib1560.c:491)
-   by 0x10BCC3: updateurl (lib1560.c:521)
-   by 0x10BCC3: set_parts (lib1560.c:630)
-   by 0x10BCC3: test (lib1560.c:802)
-   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
----
- tests/libtest/Makefile.inc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
-index 080421b..ea3b806 100644
---- a/tests/libtest/Makefile.inc
-+++ b/tests/libtest/Makefile.inc
-@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
- lib1559_LDADD = $(TESTUTIL_LIBS)
- 
- lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
-+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
- lib1560_LDADD = $(TESTUTIL_LIBS)
- 
- lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
--- 
-2.17.2
-

ci.fmf

@@ -0,0 +1,9 @@
+discover:
+  how: fmf
+prepare:
+  how: install
+  exclude:
+    - libcurl-minimal
+    - curl-minimal
+execute:
+  how: tmt

curl-7.67.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce
-EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh
-kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t
-O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP
-s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5
-ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS
-3dPfzzRA8wgROem58QhHnrR9c2CmdQ==
-=5gov
------END PGP SIGNATURE-----

curl-7.82.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce
+EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4
+Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh
+DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C
+AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv
+yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq
+m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ==
+=/k1v
+-----END PGP SIGNATURE-----

curl.spec

@@ -1,31 +1,63 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.67.0
-Release: 2%{?dist}
+Version: 7.82.0
+Release: 8%{?dist}
 License: MIT
-Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
+Source0: https://curl.se/download/%{name}-%{version}.tar.xz
+Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
+# The curl download page ( https://curl.se/download.html ) links
+# to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key,
+# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
+Source2: mykey.asc
 
-# fix infinite loop on upload using a glob (#1771025)
-Patch1:   0001-curl-7.67.0-upload-glob.patch
+# openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
+Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch
+
+# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
+Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch
+
+# fix bad local IPv6 connection reuse (CVE-2022-27775)
+Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch
+
+# fix auth/cookie leak on redirect (CVE-2022-27776)
+Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch
+
+# fix credential leak on redirect (CVE-2022-27774)
+Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch
+
+# reject percent-encoded path separator in URL host (CVE-2022-27780)
+Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch
+
+# hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
+Patch7: 0007-curl-7.82.0-CVE-2022-30115.patch
+
+# do not accept cookies for TLD with trailing dot (CVE-2022-27779)
+Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
+
+# fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
+Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch
+
+# fix FTP-KRB bad message verification (CVE-2022-32208)
+Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch
+
+# fix HTTP compression denial of service (CVE-2022-32206)
+Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch
+
+# fix Set-Cookie denial of service (CVE-2022-32205)
+Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch
+
+# fix unpreserved file permissions (CVE-2022-32207)
+Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch
+
+# control code in cookie denial of service (CVE-2022-35252)
+Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch
 
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
-# prevent configure script from discarding -g in CFLAGS (#496778)
-Patch102: 0102-curl-7.36.0-debug.patch
-
-# migrate tests/http_pipe.py to Python 3
-Patch103: 0103-curl-7.59.0-python3.patch
-
-# use localhost6 instead of ip6-localhost in the curl test-suite
-Patch104: 0104-curl-7.19.7-localhost6.patch
-
-# prevent valgrind from reporting false positives on x86_64
-Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch
-
 Provides: curl-full = %{version}-%{release}
 Provides: webclient
-URL: https://curl.haxx.se/
+URL: https://curl.se/
 BuildRequires: automake
 BuildRequires: brotli-devel
 BuildRequires: coreutils
@@ -33,10 +65,10 @@ BuildRequires: gcc
 BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
-BuildRequires: libmetalink-devel
 BuildRequires: libnghttp2-devel
 BuildRequires: libpsl-devel
 BuildRequires: libssh-devel
+BuildRequires: libtool
 BuildRequires: make
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
@@ -44,11 +76,14 @@ BuildRequires: openssh-server
 BuildRequires: openssl-devel
 BuildRequires: perl-interpreter
 BuildRequires: pkgconfig
+BuildRequires: python-unversioned-command
 BuildRequires: python3-devel
 BuildRequires: sed
-BuildRequires: stunnel
 BuildRequires: zlib-devel
 
+# For gpg verification of source tarball
+BuildRequires: gnupg2
+
 # needed to compress content of tool_hugehelp.c after changing curl.1 man page
 BuildRequires: perl(IO::Compress::Gzip)
 
@@ -61,12 +96,16 @@ BuildRequires: perl(warnings)
 # gnutls-serv is used by the upstream test-suite
 BuildRequires: gnutls-utils
 
+# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot
+BuildRequires: hostname
+
 # nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
 BuildRequires: nghttp2
 
 # perl modules used in the test suite
 BuildRequires: perl(Cwd)
 BuildRequires: perl(Digest::MD5)
+BuildRequires: perl(Digest::SHA)
 BuildRequires: perl(Exporter)
 BuildRequires: perl(File::Basename)
 BuildRequires: perl(File::Copy)
@@ -77,6 +116,11 @@ BuildRequires: perl(Time::Local)
 BuildRequires: perl(Time::HiRes)
 BuildRequires: perl(vars)
 
+%if 0%{?fedora}
+# needed for upstream test 1451
+BuildRequires: python3-impacket
+%endif
+
 # The test-suite runs automatically through valgrind if valgrind is available
 # on the system.  By not installing valgrind into mock's chroot, we disable
 # this feature for production builds on architectures where valgrind is known
@@ -87,6 +131,12 @@ BuildRequires: perl(vars)
 BuildRequires: valgrind
 %endif
 
+# stunnel is used by upstream tests but it does not seem to work reliably
+# on s390x and occasionally breaks some tests (mainly 1561 and 1562)
+%ifnarch s390x
+BuildRequires: stunnel
+%endif
+
 # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
 Requires: libcurl%{?_isa} >= %{version}-%{release}
 
@@ -100,7 +150,8 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
 
 # require at least the version of openssl-libs that we were built against,
 # to ensure that we have the necessary symbols available (#1462184, #1462211)
-%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0)
+# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though)
+%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|')
 
 %description
 curl is a command line tool for transferring data with URL syntax, supporting
@@ -159,7 +210,7 @@ Summary: Conservatively configured build of libcurl for minimal installations
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
 Provides: libcurl = %{version}-%{release}
 Provides: libcurl%{?_isa} = %{version}-%{release}
-Conflicts: libcurl
+Conflicts: libcurl%{?_isa}
 RemovePathPostfixes: .minimal
 # needed for RemovePathPostfixes to work with shared libraries
 %undefine __brp_ldconfig
@@ -171,55 +222,85 @@ other hand, the package is smaller and requires fewer run-time dependencies to
 be installed.
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q
 
 # upstream patches
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
 
 # Fedora patches
 %patch101 -p1
-%patch102 -p1
-%patch103 -p1
-%patch104 -p1
-%patch105 -p1
-
-# make tests/*.py use Python 3
-sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
-
-# regenerate Makefile.in files
-aclocal -I m4
-automake
 
 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
 # with errno 98: Address already in use' in Koji environment), and test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
-# and test 1900, which is flaky and covers a deprecated feature of libcurl
-# <https://github.com/curl/curl/pull/2705>
-printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED
+printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED
 
 # disable test 1319 on ppc64 (server times out)
 %ifarch ppc64
 echo "1319" >> tests/data/DISABLED
 %endif
 
-# temporarily disable test 582 on s390x (client times out)
+# disable tests 320..322 on ppc64le where it started to hang/fail
+%ifarch ppc64le
+printf "320\n321\n322\n" >> tests/data/DISABLED
+%endif
+
+# temporarily disable tests 582 and 1452 on s390x (client times out)
 %ifarch s390x
-echo "582" >> tests/data/DISABLED
+printf "582\n1452\n" >> tests/data/DISABLED
+%endif
+
+# temporarily disable tests 702 703 716 on armv7hl (#1829180)
+%ifarch armv7hl
+printf "702\n703\n716\n" >> tests/data/DISABLED
+%endif
+
+# temporarily disable tests 300{0,1} on x86_64 (stunnel clashes with itself)
+%ifarch x86_64
+printf "3000\n3001\n" >> tests/data/DISABLED
 %endif
 
 # adapt test 323 for updated OpenSSL
-sed -e 's/^35$/35,52/' -i tests/data/test323
+sed -e 's|^35$|35,52|' -i tests/data/test323
+
+# use localhost6 instead of ip6-localhost in the curl test-suite
+(
+    # avoid glob expansion in the trace output of `bash -x`
+    { set +x; } 2>/dev/null
+    cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*"
+    printf "+ %s\n" "$cmd" >&2
+    eval "$cmd"
+)
+
+# regenerate the configure script and Makefile.in files
+autoreconf -fiv
 
 %build
 mkdir build-{full,minimal}
-export common_configure_opts=" \
-    --cache-file=../config.cache \
-    --disable-static \
-    --enable-symbol-hiding \
-    --enable-ipv6 \
-    --enable-threaded-resolver \
-    --with-gssapi \
-    --with-nghttp2 \
+export common_configure_opts="          \
+    --cache-file=../config.cache        \
+    --disable-static                    \
+    --enable-hsts                       \
+    --enable-ipv6                       \
+    --enable-symbol-hiding              \
+    --enable-threaded-resolver          \
+    --without-zstd                      \
+    --with-gssapi                       \
+    --with-nghttp2                      \
     --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
 
 %global _configure ../configure
@@ -227,28 +308,52 @@ export common_configure_opts=" \
 # configure minimal build
 (
     cd build-minimal
-    %configure $common_configure_opts \
-        --disable-ldap \
-        --disable-ldaps \
-        --disable-manual \
-        --without-brotli \
-        --without-libidn2 \
-        --without-libmetalink \
-        --without-libpsl \
+    %configure $common_configure_opts   \
+        --disable-dict                  \
+        --disable-gopher                \
+        --disable-imap                  \
+        --disable-ldap                  \
+        --disable-ldaps                 \
+        --disable-manual                \
+        --disable-mqtt                  \
+        --disable-ntlm                  \
+        --disable-ntlm-wb               \
+        --disable-pop3                  \
+        --disable-rtsp                  \
+        --disable-smb                   \
+        --disable-smtp                  \
+        --disable-telnet                \
+        --disable-tftp                  \
+        --disable-tls-srp               \
+        --without-brotli                \
+        --without-libidn2               \
+        --without-libpsl                \
         --without-libssh
 )
 
 # configure full build
 (
     cd build-full
-    %configure $common_configure_opts \
-        --enable-ldap \
-        --enable-ldaps \
-        --enable-manual \
-        --with-brotli \
-        --with-libidn2 \
-        --with-libmetalink \
-        --with-libpsl \
+    %configure $common_configure_opts   \
+        --enable-dict                   \
+        --enable-gopher                 \
+        --enable-imap                   \
+        --enable-ldap                   \
+        --enable-ldaps                  \
+        --enable-manual                 \
+        --enable-mqtt                   \
+        --enable-ntlm                   \
+        --enable-ntlm-wb                \
+        --enable-pop3                   \
+        --enable-rtsp                   \
+        --enable-smb                    \
+        --enable-smtp                   \
+        --enable-telnet                 \
+        --enable-tftp                   \
+        --enable-tls-srp                \
+        --with-brotli                   \
+        --with-libidn2                  \
+        --with-libpsl                   \
         --with-libssh
 )
 
@@ -257,35 +362,48 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \
     -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
     -i build-{full,minimal}/libtool
 
-make %{?_smp_mflags} V=1 -C build-minimal
-make %{?_smp_mflags} V=1 -C build-full
+%make_build V=1 -C build-minimal
+%make_build V=1 -C build-full
 
 %check
-# we have to override LD_LIBRARY_PATH because we eliminated rpath
-LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
-export LD_LIBRARY_PATH
-
 # compile upstream test-cases
-cd build-full/tests
-make %{?_smp_mflags} V=1
+%make_build V=1 -C build-minimal/tests
+%make_build V=1 -C build-full/tests
 
 # relax crypto policy for the test-suite to make it pass again (#1610888)
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
 export OPENSSL_CONF=
 
-# run the upstream test-suite
-srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
+# make runtests.pl work for out-of-tree builds
+export srcdir=../../tests
+
+# prevent valgrind from being extremely slow (#1662656)
+# https://fedoraproject.org/wiki/Changes/DebuginfodByDefault
+unset DEBUGINFOD_URLS
+
+# run the upstream test-suite for both curl-minimal and curl-full
+for size in minimal full; do (
+    cd build-${size}
+
+    # we have to override LD_LIBRARY_PATH because we eliminated rpath
+    export LD_LIBRARY_PATH="${PWD}/lib/.libs"
+
+    cd tests
+    perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
+)
+done
+
 
 %install
 # install and rename the library that will be packaged as libcurl-minimal
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib
+%make_install -C build-minimal/lib
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
 for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
     mv -v $i $i.minimal
 done
 
 # install and rename the executable that will be packaged as curl-minimal
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src
+%make_install -C build-minimal/src
 mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
 
 # install libcurl.m4
@@ -294,12 +412,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
 
 # install the executable and library that will be packaged as curl and libcurl
 cd build-full
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
+%make_install
 
 # install zsh completion for curl
 # (we have to override LD_LIBRARY_PATH because we eliminated rpath)
 LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
-    make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts
+    %make_install -C scripts
 
 # do not install /usr/share/fish/completions/curl.fish which is also installed
 # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
@@ -314,12 +432,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %files
 %doc CHANGES
 %doc README
-%doc docs/BUGS
+%doc docs/BUGS.md
 %doc docs/FAQ
-%doc docs/FEATURES
-%doc docs/RESOURCES
+%doc docs/FEATURES.md
 %doc docs/TODO
-%doc docs/TheArtOfHttpScripting
+%doc docs/TheArtOfHttpScripting.md
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
 %{_datadir}/zsh
@@ -331,7 +448,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
 %files -n libcurl-devel
 %doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
-%doc docs/CONTRIBUTE.md docs/libcurl/ABI
+%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md
 %{_bindir}/curl-config*
 %{_includedir}/curl
 %{_libdir}/*.so
@@ -350,10 +467,196 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-2
+* Fri Sep 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-8
+- control code in cookie denial of service (CVE-2022-35252)
+
+* Mon Jul 18 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-7
+- fix build failure with gnutls backend enabled
+
+* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
+- fix unpreserved file permissions (CVE-2022-32207)
+- fix Set-Cookie denial of service (CVE-2022-32205)
+- fix HTTP compression denial of service (CVE-2022-32206)
+- fix FTP-KRB bad message verification (CVE-2022-32208)
+
+* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
+- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
+- do not accept cookies for TLD with trailing dot (CVE-2022-27779)
+- hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
+- reject percent-encoded path separator in URL host (CVE-2022-27780)
+
+* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-4
+- fix leak of SRP credentials in redirects (CVE-2022-27774)
+
+* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-3
+- fix credential leak on redirect (CVE-2022-27774)
+- fix auth/cookie leak on redirect (CVE-2022-27776)
+- fix bad local IPv6 connection reuse (CVE-2022-27775)
+- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
+
+* Tue Mar 15 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-2
+- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
+
+* Sat Mar 05 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-1
+- new upstream release
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7.81.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Jan 05 2022 Kamil Dudka <kdudka@redhat.com> - 7.81.0-1
+- new upstream release
+
+* Sun Nov 14 2021 Paul Howarth <paul@city-fan.org> - 7.80.0-2
+- sshserver.pl (used in test suite) now requires the Digest::SHA perl module
+
+* Wed Nov 10 2021 Kamil Dudka <kdudka@redhat.com> - 7.80.0-1
+- new upstream release
+
+* Tue Oct 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.1-3
+- re-enable HSTS in libcurl-minimal as a security feature (#2005874)
+
+* Mon Oct 04 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.1-2
+- disable more protocols and features in libcurl-minimal (#2005874)
+
+* Wed Sep 22 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.1-1
+- new upstream release
+
+* Thu Sep 16 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.0-4
+- fix regression in http2 implementation introduced in the last release
+
+* Thu Sep 16 2021 Sahana Prasad <sahana@redhat.com> - 7.79.0-3
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Sep 16 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.0-2
+- make SCP/SFTP tests work with openssh-8.7p1
+
+* Wed Sep 15 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2021-22947 - STARTTLS protocol injection via MITM
+    CVE-2021-22946 - protocol downgrade required TLS bypassed
+    CVE-2021-22945 - use-after-free and double-free in MQTT sending
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 7.78.0-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.78.0-3
+- make explicit dependency on openssl work with alpha/beta builds of openssl
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.78.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jul 21 2021 Kamil Dudka <kdudka@redhat.com> - 7.78.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2021-22925 - TELNET stack contents disclosure again
+    CVE-2021-22924 - bad connection reuse due to flawed path name checks
+    CVE-2021-22923 - metalink download sends credentials
+    CVE-2021-22922 - wrong content via metalink not discarded
+
+* Wed Jun 02 2021 Kamil Dudka <kdudka@redhat.com> - 7.77.0-2
+- build the curl tool without metalink support (#1967213)
+
+* Wed May 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.77.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2021-22901 - TLS session caching disaster
+    CVE-2021-22898 - TELNET stack contents disclosure
+
+* Mon May 03 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-2
+- http2: fix resource leaks detected by Coverity
+
+* Wed Apr 14 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-1
+- new upstream release
+
+* Wed Mar 31 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup
+    CVE-2021-22876 - Automatic referer leaks credentials
+
+* Wed Mar 24 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-3
+- fix SIGSEGV upon disconnect of a ldaps:// transfer
+
+* Tue Feb 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-2
+- build-require python3-impacket only on Fedora
+
+* Wed Feb 03 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-1
+- new upstream release
+
+* Tue Jan 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.74.0-4
+- do not use stunnel for tests on s390x builds to avoid spurious failures
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.74.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.74.0-2
+- do not rewrite shebangs in test-suite to use python3 explicitly
+
+* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.74.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2020-8286 - curl: Inferior OCSP verification
+    CVE-2020-8285 - libcurl: FTP wildcard stack overflow
+    CVE-2020-8284 - curl: trusting FTP PASV responses
+
+* Wed Oct 14 2020 Kamil Dudka <kdudka@redhat.com> - 7.73.0-2
+- prevent upstream test 1451 from being skipped
+
+* Wed Oct 14 2020 Kamil Dudka <kdudka@redhat.com> - 7.73.0-1
+- new upstream release
+
+* Thu Sep 10 2020 Jinoh Kang <aurhb20@protonmail.ch> - 7.72.0-2
+- fix multiarch conflicts in libcurl-minimal (#1877671)
+
+* Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.72.0-1
+- new upstream release, which fixes the following vulnerability
+    CVE-2020-8231 - libcurl: wrong connect-only connection
+
+* Thu Aug 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-5
+- setopt: unset NOBODY switches to GET if still HEAD
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.71.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 7.71.1-3
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Fri Jul 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-2
+- curl: make the --krb option work again (#1833193)
+
+* Wed Jul 01 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-1
+- new upstream release
+
+* Wed Jun 24 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect
+    CVE-2020-8177 - curl: overwrite local file with -J
+
+* Wed Apr 29 2020 Kamil Dudka <kdudka@redhat.com> - 7.70.0-1
+- new upstream release
+
+* Mon Apr 20 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-3
+- SSH: use new ECDSA key types to check known hosts (#1824926)
+
+* Fri Apr 17 2020 Tom Stellard <tstellar@redhat.com> - 7.69.1-2
+- Prevent discarding of -g when compiling with clang
+
+* Wed Mar 11 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-1
+- new upstream release
+
+* Mon Mar 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-2
+- make Flatpak work again (#1810989)
+
+* Wed Mar 04 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-1
+- new upstream release
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.68.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jan 08 2020 Kamil Dudka <kdudka@redhat.com> - 7.68.0-1
+- new upstream release
+
+* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-2
 - fix infinite loop on upload using a glob (#1771025)
 
-* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-1
+* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-1
 - new upstream release
 
 * Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1

mykey.asc

@@ -0,0 +1,77 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ
+QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV
+0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1
+EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch
+soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje
+f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL
+gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo
+SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2
+m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0
+ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU
+ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w
+i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD
+AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv
+jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb
+XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz
+7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM
+wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+
+dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT
+rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t
+FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9
+OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx
+5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h
+zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O
+poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA
+Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d
+6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8
+tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu
+c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ
+EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1
+svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+
+Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv
++BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh
+Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg
+rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL
+y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP
+BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/
+0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf
+09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG
+6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8
+67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H
+a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr
+LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK
+nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb
+0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb
+2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC
+OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/
+PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC
+8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3
+/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e
+8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk
+bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0
+IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx
+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN
+2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ
+L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD
+/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6
+UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb
+9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh
+TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k
+IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ
+AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ
+eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8
+sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI
+c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND
+KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j
+4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S
+wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv
+BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF
+PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu
+gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5
+ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb
+j/qx4ytjt5uxt6Jm6IXV9cry8i6x
+=Phs/
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1 +1 @@
-SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29
+SHA512 (curl-7.82.0.tar.xz) = a977d69360d1793f8872096a21f5c0271e7ad145cd69ad45f4056a0657772f0f298b04bdb41aefd4ea5c4478352c60d80b5a118642280a07a7198aa80ffb1d57

tests/non-root-user-download/Makefile

@@ -1,63 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/curl/Sanity/non-root-user-download
-#   Description: various download methods with non-root user
-#   Author: Karel Srot <ksrot@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/curl/Sanity/non-root-user-download
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     various download methods with non-root user" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        5m" >> $(METADATA)
-	@echo "RunFor:          curl" >> $(METADATA)
-	@echo "Requires:        curl" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/non-root-user-download/PURPOSE

@@ -1,3 +0,0 @@
-PURPOSE of /CoreOS/curl/Sanity/non-root-user-download
-Description: various download methods with non-root user
-Author: Karel Srot <ksrot@redhat.com>

tests/non-root-user-download/main.fmf

@@ -0,0 +1,18 @@
+summary: various download methods with non-root user
+description: ''
+contact: Daniel Rusek <drusek@redhat.com>
+component:
+  - curl
+require:
+  - findutils
+  - libselinux-utils
+  - openssh-clients
+  - openssh-server
+  - passwd
+test: ./runtest.sh
+framework: beakerlib
+duration: 5m
+enabled: true
+tier: '1'
+link:
+  - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1049921

tests/non-root-user-download/runtest.sh

@@ -27,14 +27,13 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include Beaker environment
-. /usr/bin/rhts-environment.sh || exit 1
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 
 PACKAGE="curl"
 
-FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
+CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"
@@ -47,9 +46,11 @@ rlJournalStart
         rlRun "useradd -m curltester" 0 "Adding the test user"
         rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
         rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
+        rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts
+        rlRun "rm -f $HOME/.ssh/*"
         [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
-        rlFileBackup $HOME/.ssh/known_hosts /etc/hosts
-        ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
+        rlRun "rlServiceStart sshd"
+        rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
     rlPhaseEnd
 
     rlPhaseStartTest "http download"
@@ -82,7 +83,7 @@ if ! rlIsRHEL 5; then
 fi
 
     rlPhaseStartCleanup
-        rlRun "rm -f $HOME/.ssh/known_hosts"
+        rlRun "rlServiceRestore"
         rlFileRestore
         rlRun "popd"
         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

tests/non-root-user-download/runtest.yml

@@ -1,64 +0,0 @@
-- hosts: '{{ hosts | default("localhost") }}'
-  vars:
-    package: "curl"
-  tasks:
-    - name: "Set Content variables"
-      set_fact:
-        content: "a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed"
-        password: "pAssw0rd"
-        crypt_password: "$6$/5GE87XLYLLfB3qx$w84Kct34UZG/4buTSXWkaaVIsw2xGXSAdmnS2QYdG8TtRgTsBnHdFdSkhoy.tKIE6A6LKlxczIZjQbpB19k7B1"
-    - name: "Create user curltester"
-      user: 
-        name: "curltester"
-        password: "{{ crypt_password }}"
-    - name: "Copy testfile"
-      copy:
-          dest: "/home/curltester/testfile"
-          content: "{{ content }}"
-    - block:
-      - name: "http download"
-        command: "curl https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
-        args:
-            warn: false
-        register: http
-        become: yes
-        become_user: curltester
-      - name: "Compare http output"
-        fail:
-            msg: "{{ content }} not in {{ http.stdout }}"
-        when: content not in http.stdout
-      - name: "ftp download"
-        command: "curl ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
-        args:
-            warn: false
-        register: ftp
-        become: yes
-        become_user: curltester
-      - name: "Compare ftp output"
-        fail:
-            msg: "{{ content }} not in {{ ftp.stdout }}"
-        when: content not in ftp.stdout
-      - name: "scp download"
-        command: "curl -u curltester:{{ password }} --insecure scp://localhost/home/curltester/testfile"
-        args:
-            warn: false
-        register: scp
-      - name: "Compare scp output"
-        fail:
-            msg: "{{ content }} not in {{ scp.stdout }}"
-        when: content not in scp.stdout
-      - name: "sftp download"
-        command: "curl -u curltester:{{ password }} --insecure sftp://localhost/home/curltester/testfile"
-        args:
-            warn: false
-        register: sftp
-      - name: "Compare sftp output"
-        fail:
-            msg: "{{ content }} not in {{ sftp.stdout }}"
-        when: content not in sftp.stdout
-      always:
-      - name: "Remove user curltester"
-        user: 
-            name: "curltester"
-            remove: yes
-            state: absent

tests/scp-and-sftp-download-test/Makefile

@@ -1,63 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/curl/Sanity/scp-and-sftp-download-test
-#   Description: downloads test file through scp and sftp
-#   Author: Karel Srot <ksrot@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2012 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/curl/Sanity/scp-and-sftp-download-test
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     downloads test file through scp and sftp" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          curl" >> $(METADATA)
-	@echo "Requires:        curl openssh" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/scp-and-sftp-download-test/PURPOSE

@@ -1,12 +0,0 @@
-PURPOSE of /CoreOS/curl/Sanity/scp-and-sftp-download-test
-Description: downloads test file through scp and sftp
-Author: Karel Srot <ksrot@redhat.com>
-
-Test scenario:
-- scp download
-- sftp download
-- scp upload
-- sftp upload
-
-When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
-with empty --pubkey parameter (--pubkey "") or with the paramiter omitted

tests/scp-and-sftp-download-test/main.fmf

@@ -0,0 +1,20 @@
+summary: downloads test file through scp and sftp
+description: |
+    Test scenario:
+    - scp download
+    - sftp download
+    - scp upload
+    - sftp upload
+
+    When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
+    with empty --pubkey parameter (--pubkey "") or with the paramiter omitted
+contact: Daniel Rusek <drusek@redhat.com>
+require:
+  - findutils
+component:
+  - curl
+test: ./runtest.sh
+path: /tests/scp-and-sftp-download-test
+framework: beakerlib
+duration: 10m
+enabled: true

tests/scp-and-sftp-download-test/runtest.sh

@@ -27,8 +27,7 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include Beaker environment
-. /usr/bin/rhts-environment.sh
-. /usr/lib/beakerlib/beakerlib.sh
+. /usr/share/beakerlib/beakerlib.sh || exit 1
 
 PACKAGE="curl"
 

tests/tests.yml

@@ -1,26 +0,0 @@
----
-# Tests for Classic
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - scp-and-sftp-download-test
-    - non-root-user-download
-    required_packages:
-    - findutils         # non-root-user-download needs find command
-                        # scp-and-sftp-download-test needs find command
-    - passwd            # non-root-user-download needs passwd command
-    - openssh-clients   # non-root-user-download needs ssh-keyscan command
-
-# Tests for Atomic
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - atomic
-    tests:
-    - scp-and-sftp-download-test
-    - non-root-user-download
-