Resolves: CVE-2017-1000100 - tftp: reject file name lengths that do not fit buffer

Resolves: CVE-2017-1000101 - do not continue parsing of glob after range overflow
Resolves: #1436158 - nss: fix a possible use-after-free in SelectClientCert()
2017-08-09 15:49:56 +02:00 · 2017-08-09 15:48:51 +02:00 · 2017-07-20 08:57:41 +02:00 · 2017-06-21 15:51:05 +02:00 · 2017-04-07 12:51:56 +02:00 · 2017-04-04 10:05:25 +02:00
27 changed files with 1373 additions and 1341 deletions
--- a/0001-curl-7.51.0-ssh-md5.patch
+++ b/0001-curl-7.51.0-ssh-md5.patch
@ -0,0 +1,33 @@
+From a57cd03551cb373bd69278d7281026ac147bb4b4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 7 Nov 2016 12:54:40 +0100
+Subject: [PATCH 1/2] ssh: check md5 fingerprints case insensitively
+ (regression)
+
+Revert the change from ce8d09483eea but use the new function
+
+Reported-by: Kamil Dudka
+Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
+
+Upstream-commit: 50aded1cd4bb751cad52c39c4fa1f06ebc5e133e
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ssh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ssh.c b/lib/ssh.c
+index 43c8283..0df030d 100644
+--- a/lib/ssh.c
+++ b/lib/ssh.c
+@@ -676,7 +676,7 @@ static CURLcode ssh_check_fingerprint(struct connectdata *conn)
+    * against a known fingerprint, if available.
+    */
+   if(pubkey_md5 && strlen(pubkey_md5) == 32) {
+-    if(!fingerprint || strcmp(md5buffer, pubkey_md5)) {
+    if(!fingerprint || !strcasecompare(md5buffer, pubkey_md5)) {
+       if(fingerprint)
+         failf(data,
+             "Denied establishing ssh session: mismatch md5 fingerprint. "
+-- 
+2.7.4
+
--- a/0001-curl-7.67.0-upload-glob.patch
+++ b/0001-curl-7.67.0-upload-glob.patch
@ -1,316 +0,0 @@
-From 37a36231c5e34ae31b1968481fad2e8d76613fbd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 13 Nov 2019 11:33:29 +0100
-Subject: [PATCH] curl: fix -T globbing
-
-Regression from e59371a4936f8 (7.67.0)
-
-Added test 490, 491 and 492 to verify the functionality.
-
-Reported-by: Kamil Dudka
-Reported-by: Anderson Sasaki
-
-Fixes #4588
-Closes #4591
-
-Upstream-commit: 7a46aeb0be3fa00826b0c47a8bc06eddff448659
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
- src/tool_operate.c      | 15 ++++---
- tests/data/Makefile.inc |  2 +
- tests/data/test490      | 68 +++++++++++++++++++++++++++++++
- tests/data/test491      | 64 +++++++++++++++++++++++++++++
- tests/data/test492      | 89 +++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 232 insertions(+), 6 deletions(-)
- create mode 100644 tests/data/test490
- create mode 100644 tests/data/test491
- create mode 100644 tests/data/test492
-
-diff --git a/src/tool_operate.c b/src/tool_operate.c
-index 3087d2d..4ecb1ed 100644
--- a/src/tool_operate.c
-+++ b/src/tool_operate.c
-@@ -829,12 +829,6 @@ static CURLcode single_transfer(struct GlobalConfig *global,
-       separator = ((!state->outfiles ||
-                     !strcmp(state->outfiles, "-")) && urlnum > 1);
- 
-      /* Here's looping around each globbed URL */
-
-      if(state->li >= urlnum) {
-        state->li = 0;
-        state->up++;
-      }
-       if(state->up < state->infilenum) {
-         struct per_transfer *per;
-         struct OutStruct *outs;
-@@ -1908,6 +1902,15 @@ static CURLcode single_transfer(struct GlobalConfig *global,
-         per->retrystart = tvnow();
- 
-         state->li++;
-+        /* Here's looping around each globbed URL */
-+        if(state->li >= urlnum) {
-+          state->li = 0;
-+          state->urlnum = 0; /* forced reglob of URLs */
-+          glob_cleanup(state->urls);
-+          state->urls = NULL;
-+          state->up++;
-+          Curl_safefree(state->uploadfile); /* clear it to get the next */
-+        }
-       }
-       else {
-         /* Free this URL node data without destroying the
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 557f928..212900e 100644
--- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -66,6 +66,8 @@ test393 test394 test395 \
- test400 test401 test402 test403 test404 test405 test406 test407 test408 \
- test409 \
- \
-+test490 test491 test492 \
-+\
- test500 test501 test502 test503 test504 test505 test506 test507 test508 \
- test509 test510 test511 test512 test513 test514 test515 test516 test517 \
- test518 test519 test520 test521 test522 test523 test524 test525 test526 \
-diff --git a/tests/data/test490 b/tests/data/test490
-new file mode 100644
-index 0000000..a3383a9
--- /dev/null
-+++ b/tests/data/test490
-@@ -0,0 +1,68 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/490 -T '{log/in490,log/in490}'
-+</command>
-+<file name="log/in490">
-+surprise!
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /490 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+PUT /490 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test491 b/tests/data/test491
-new file mode 100644
-index 0000000..b49c06c
--- /dev/null
-+++ b/tests/data/test491
-@@ -0,0 +1,64 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs, the second upload file is missing
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/491 -T '{log/in491,log/bad491}'
-+</command>
-+<file name="log/in491">
-+surprise!
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /491 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+</protocol>
-+<errorcode>
-+26
-+</errorcode>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test492 b/tests/data/test492
-new file mode 100644
-index 0000000..12edd8b
--- /dev/null
-+++ b/tests/data/test492
-@@ -0,0 +1,89 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs to two globbed URLs
-+ </name>
-+ <command>
-+'http://%HOSTIP:%HTTPPORT/{one,two}/' -T '{log/first492,log/second492}' -H "Testno: 492"
-+</command>
-+<file name="log/first492">
-+first 492 contents
-+</file>
-+<file1 name="log/second492">
-+second 492 contents
-+</file1>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /one/first492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 19
-+Expect: 100-continue
-+
-+first 492 contents
-+PUT /two/first492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 19
-+Expect: 100-continue
-+
-+first 492 contents
-+PUT /one/second492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 20
-+Expect: 100-continue
-+
-+second 492 contents
-+PUT /two/second492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 20
-+Expect: 100-continue
-+
-+second 492 contents
-+</protocol>
-+</verify>
-+</testcase>
-- 
-2.20.1
-
--- a/0002-curl-7.51.0-file-host.patch
+++ b/0002-curl-7.51.0-file-host.patch
@ -0,0 +1,91 @@
+From 93d20cffd3b6b8dc9705f3252c09c9269d8ac705 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 11 Nov 2016 08:09:04 +0100
+Subject: [PATCH 2/2] URL-parser: for file://[host]/ URLs, the [host] must be
+ localhost
+
+Previously, the [host] part was just ignored which made libcurl accept
+strange URLs misleading users. like "file://etc/passwd" which might've
+looked like it refers to "/etc/passwd" but is just "/passwd" since the
+"etc" is an ignored host name.
+
+Reported-by: Mike Crowe
+Assisted-by: Kamil Dudka
+
+Upstream-commit: 346340808c89db33803ef7461dee191ff7c3d07f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 55 ++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 30 insertions(+), 25 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index b997f41..9a8f6e3 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -4065,33 +4065,38 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+      * the URL protocols specified in RFC 1738
+      */
+     if(path[0] != '/') {
+-      /* the URL included a host name, we ignore host names in file:// URLs
+-         as the standards don't define what to do with them */
+-      char *ptr=strchr(path, '/');
+-      if(ptr) {
+-        /* there was a slash present
+-
+-           RFC1738 (section 3.1, page 5) says:
+-
+-           The rest of the locator consists of data specific to the scheme,
+-           and is known as the "url-path". It supplies the details of how the
+-           specified resource can be accessed. Note that the "/" between the
+-           host (or port) and the url-path is NOT part of the url-path.
+-
+-           As most agents use file://localhost/foo to get '/foo' although the
+-           slash preceding foo is a separator and not a slash for the path,
+-           a URL as file://localhost//foo must be valid as well, to refer to
+-           the same file with an absolute path.
+-        */
+      /* the URL includes a host name, it must match "localhost" or
+         "127.0.0.1" to be valid */
+      char *ptr;
+      if(!checkprefix("localhost/", path) &&
+         !checkprefix("127.0.0.1/", path)) {
+        failf(data, "Valid host name with slash missing in URL");
+        return CURLE_URL_MALFORMAT;
+      }
+      ptr = &path[9]; /* now points to the slash after the host */
+ 
+-        if(ptr[1] && ('/' == ptr[1]))
+-          /* if there was two slashes, we skip the first one as that is then
+-             used truly as a separator */
+-          ptr++;
+      /* there was a host name and slash present
+ 
+-        /* This cannot be made with strcpy, as the memory chunks overlap! */
+-        memmove(path, ptr, strlen(ptr)+1);
+-      }
+         RFC1738 (section 3.1, page 5) says:
+
+         The rest of the locator consists of data specific to the scheme,
+         and is known as the "url-path". It supplies the details of how the
+         specified resource can be accessed. Note that the "/" between the
+         host (or port) and the url-path is NOT part of the url-path.
+
+         As most agents use file://localhost/foo to get '/foo' although the
+         slash preceding foo is a separator and not a slash for the path,
+         a URL as file://localhost//foo must be valid as well, to refer to
+         the same file with an absolute path.
+      */
+
+      if('/' == ptr[1])
+        /* if there was two slashes, we skip the first one as that is then
+           used truly as a separator */
+        ptr++;
+
+      /* This cannot be made with strcpy, as the memory chunks overlap! */
+      memmove(path, ptr, strlen(ptr)+1);
+     }
+ 
+     protop = "file"; /* protocol string */
+-- 
+2.7.4
+
--- a/0003-curl-7.51.0-tls-version.patch
+++ b/0003-curl-7.51.0-tls-version.patch
@ -0,0 +1,285 @@
+From 53782619bae773a4034bc53b3b0bd858f90190dc Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 27 Oct 2016 14:27:25 +0200
+Subject: [PATCH 1/4] nss: map CURL_SSLVERSION_DEFAULT to NSS default
+
+... but make sure we use at least TLSv1.0 according to libcurl API
+
+Reported-by: Cure53
+Reviewed-by: Ray Satiro
+
+Upstream-commit: 5d45ced7a45ea38e32f1cbf73d7c63a3e4f241e7
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/nss.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index dff1575..5abb574 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+                                 struct Curl_easy *data)
+ {
+   switch(data->set.ssl.version) {
+-  default:
+   case CURL_SSLVERSION_DEFAULT:
+    /* map CURL_SSLVERSION_DEFAULT to NSS default */
+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+      return CURLE_SSL_CONNECT_ERROR;
+    /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    return CURLE_OK;
+
+   case CURL_SSLVERSION_TLSv1:
+     sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
+ #ifdef SSL_LIBRARY_VERSION_TLS_1_2
+     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
+ #elif defined SSL_LIBRARY_VERSION_TLS_1_1
+@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+     return CURLE_OK;
+ #endif
+     break;
+
+  default:
+    /* unsupported SSL/TLS version */
+    break;
+   }
+ 
+   failf(data, "TLS minor version cannot be set");
+-- 
+2.7.4
+
+
+From 6a42abb03de6e5afe859313b236f2b776ca51722 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 27 Oct 2016 14:57:11 +0200
+Subject: [PATCH 2/4] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
+
+Fully implemented with the NSS backend only for now.
+
+Reviewed-by: Ray Satiro
+
+Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 ++
+ docs/libcurl/symbols-in-versions       | 1 +
+ include/curl/curl.h                    | 1 +
+ lib/vtls/nss.c                         | 8 ++++++++
+ 4 files changed, 12 insertions(+)
+
+diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+index 2f40e46..1854af0 100644
+--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0)
+ TLSv1.1 (Added in 7.34.0)
+ .IP CURL_SSLVERSION_TLSv1_2
+ TLSv1.2 (Added in 7.34.0)
+.IP CURL_SSLVERSION_TLSv1_3
+TLSv1.3 (Added in 7.51.1)
+ .RE
+ .SH DEFAULT
+ CURL_SSLVERSION_DEFAULT
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index f6365ae..a77fde4 100644
+--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
+@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1           7.9.2
+ CURL_SSLVERSION_TLSv1_0         7.34.0
+ CURL_SSLVERSION_TLSv1_1         7.34.0
+ CURL_SSLVERSION_TLSv1_2         7.34.0
+CURL_SSLVERSION_TLSv1_3         7.51.1
+ CURL_TIMECOND_IFMODSINCE        7.9.7
+ CURL_TIMECOND_IFUNMODSINCE      7.9.7
+ CURL_TIMECOND_LASTMOD           7.9.7
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index 9c09cb9..03fcfeb 100644
+--- a/include/curl/curl.h
+++ b/include/curl/curl.h
+@@ -1805,6 +1805,7 @@ enum {
+   CURL_SSLVERSION_TLSv1_0,
+   CURL_SSLVERSION_TLSv1_1,
+   CURL_SSLVERSION_TLSv1_2,
+  CURL_SSLVERSION_TLSv1_3,
+ 
+   CURL_SSLVERSION_LAST /* never use, keep last */
+ };
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 5abb574..5e52727 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+ #endif
+     break;
+ 
+  case CURL_SSLVERSION_TLSv1_3:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
+    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+    return CURLE_OK;
+#endif
+    break;
+
+   default:
+     /* unsupported SSL/TLS version */
+     break;
+-- 
+2.7.4
+
+
+From d930268ab522ac7ea7ccd83671d22f57148f3d21 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 27 Oct 2016 14:58:43 +0200
+Subject: [PATCH 3/4] curl: introduce the --tlsv1.3 option to force TLS 1.3
+
+Fully implemented with the NSS backend only for now.
+
+Reviewed-by: Ray Satiro
+
+Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/curl.1         | 10 +++++++---
+ src/tool_getparam.c |  5 +++++
+ src/tool_help.c     |  1 +
+ src/tool_setopt.c   |  1 +
+ 4 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index f5375ed..e9c6150 100644
+--- a/docs/curl.1
+++ b/docs/curl.1
+@@ -176,9 +176,9 @@ HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
+ .IP "-1, --tlsv1"
+ (SSL)
+ Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
+-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
+-control the TLS version more precisely (if the SSL backend in use supports such
+-a level of control).
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and
+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend
+in use supports such a level of control).
+ .IP "-2, --sslv2"
+ (SSL) Forces curl to use SSL version 2 when negotiating with a remote SSL
+ server. Sometimes curl is built without SSLv2 support. SSLv2 is widely
+@@ -1820,6 +1820,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
+ (SSL)
+ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
+ (Added in 7.34.0)
+.IP "--tlsv1.3"
+(SSL)
+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
+(Added in 7.51.1)
+ .IP "--tr-encoding"
+ (HTTP) Request a compressed Transfer-Encoding response using one of the
+ algorithms curl supports, and uncompress the data while receiving it.
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 95dd455..2d16e06 100644
+--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
+@@ -190,6 +190,7 @@ static const struct LongShort aliases[]= {
+   {"10",  "tlsv1.0",                 FALSE},
+   {"11",  "tlsv1.1",                 FALSE},
+   {"12",  "tlsv1.2",                 FALSE},
+  {"13",  "tlsv1.3",                 FALSE},
+   {"2",  "sslv2",                    FALSE},
+   {"3",  "sslv3",                    FALSE},
+   {"4",  "ipv4",                     FALSE},
+@@ -1061,6 +1062,10 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
+         /* TLS version 1.2 */
+         config->ssl_version = CURL_SSLVERSION_TLSv1_2;
+         break;
+      case '3':
+        /* TLS version 1.3 */
+        config->ssl_version = CURL_SSLVERSION_TLSv1_3;
+        break;
+       }
+       break;
+     case '2':
+diff --git a/src/tool_help.c b/src/tool_help.c
+index fb428c9..9890cc8 100644
+--- a/src/tool_help.c
+++ b/src/tool_help.c
+@@ -232,6 +232,7 @@ static const char *const helptext[] = {
+   "     --tlsv1.0       Use TLSv1.0 (SSL)",
+   "     --tlsv1.1       Use TLSv1.1 (SSL)",
+   "     --tlsv1.2       Use TLSv1.2 (SSL)",
+  "     --tlsv1.3       Use TLSv1.3 (SSL)",
+   "     --trace FILE    Write a debug trace to FILE",
+   "     --trace-ascii FILE  Like --trace, but without hex output",
+   "     --trace-time    Add time stamps to trace/verbose output",
+diff --git a/src/tool_setopt.c b/src/tool_setopt.c
+index c854225..f3de09d 100644
+--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
+@@ -83,6 +83,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
+   NV(CURL_SSLVERSION_TLSv1_0),
+   NV(CURL_SSLVERSION_TLSv1_1),
+   NV(CURL_SSLVERSION_TLSv1_2),
+  NV(CURL_SSLVERSION_TLSv1_3),
+   NVEND,
+ };
+ 
+-- 
+2.7.4
+
+
+From 2fce531638a12f44ea1fbc52e86ca795a3a4e4e2 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 15 Nov 2016 12:21:00 +0100
+Subject: [PATCH 4/4] docs: the next release will be 7.52.0
+
+Upstream-commit: cfd69c133984a5df3de63b4f8c5f64885c6e33ae
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/curl.1                            | 2 +-
+ docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 +-
+ docs/libcurl/symbols-in-versions       | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index e9c6150..05d1a8d 100644
+--- a/docs/curl.1
+++ b/docs/curl.1
+@@ -1823,7 +1823,7 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
+ .IP "--tlsv1.3"
+ (SSL)
+ Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
+-(Added in 7.51.1)
+(Added in 7.52.0)
+ .IP "--tr-encoding"
+ (HTTP) Request a compressed Transfer-Encoding response using one of the
+ algorithms curl supports, and uncompress the data while receiving it.
+diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+index 1854af0..77dfcd4 100644
+--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+@@ -49,7 +49,7 @@ TLSv1.1 (Added in 7.34.0)
+ .IP CURL_SSLVERSION_TLSv1_2
+ TLSv1.2 (Added in 7.34.0)
+ .IP CURL_SSLVERSION_TLSv1_3
+-TLSv1.3 (Added in 7.51.1)
+TLSv1.3 (Added in 7.52.0)
+ .RE
+ .SH DEFAULT
+ CURL_SSLVERSION_DEFAULT
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index a77fde4..ef730c8 100644
+--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
+@@ -773,7 +773,7 @@ CURL_SSLVERSION_TLSv1           7.9.2
+ CURL_SSLVERSION_TLSv1_0         7.34.0
+ CURL_SSLVERSION_TLSv1_1         7.34.0
+ CURL_SSLVERSION_TLSv1_2         7.34.0
+-CURL_SSLVERSION_TLSv1_3         7.51.1
+CURL_SSLVERSION_TLSv1_3         7.52.0
+ CURL_TIMECOND_IFMODSINCE        7.9.7
+ CURL_TIMECOND_IFUNMODSINCE      7.9.7
+ CURL_TIMECOND_LASTMOD           7.9.7
+-- 
+2.7.4
+
--- a/0004-curl-7.51.0-CVE-2016-9586.patch
+++ b/0004-curl-7.51.0-CVE-2016-9586.patch
@ -0,0 +1,283 @@
+From 7ad1cdfb256f7e1b84fc960a8ca1403cca5d930f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 8 Nov 2016 15:30:33 +0100
+Subject: [PATCH 1/2] printf: fix ".*f" handling
+
+It would always use precision 1 instead of reading it from the argument
+list as intended.
+
+Reported-by: Ray Satiro
+
+Bug: #1113
+
+Upstream-commit: 5dd1b65f79bc6dc75b752c53f3fa853b2a3b6d69
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/mprintf.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/mprintf.c b/lib/mprintf.c
+index 2c88aa8..e1ad537 100644
+--- a/lib/mprintf.c
+++ b/lib/mprintf.c
+@@ -303,7 +303,6 @@ static int dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos,
+           flags |= FLAGS_ALT;
+           break;
+         case '.':
+-          flags |= FLAGS_PREC;
+           if('*' == *fmt) {
+             /* The precision is picked from a specified parameter */
+ 
+-- 
+2.7.4
+
+
+From 3162df571802b2c94d9969b6b269cd0d50c6650d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 8 Nov 2016 15:32:37 +0100
+Subject: [PATCH 2/2] printf: fix floating point buffer overflow issues
+
+... and add a bunch of floating point printf tests
+
+Upstream-commit: 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/mprintf.c          |  20 +++++++-
+ tests/data/test557     |   1 +
+ tests/libtest/lib557.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++--
+ 3 files changed, 152 insertions(+), 5 deletions(-)
+
+diff --git a/lib/mprintf.c b/lib/mprintf.c
+index e1ad537..e3a690b 100644
+--- a/lib/mprintf.c
+++ b/lib/mprintf.c
+@@ -92,7 +92,8 @@
+ #  define mp_uintmax_t unsigned long
+ #endif
+ 
+-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
+#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
+                        fit negative DBL_MAX (317 letters) */
+ #define MAX_PARAMETERS 128 /* lame static limit */
+ 
+ #ifdef __AMIGA__
+@@ -916,12 +917,25 @@ static int dprintf_formatf(
+         *fptr = 0;
+ 
+         if(width >= 0) {
+          if(width >= (long)sizeof(work))
+            width = sizeof(work)-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, "%ld", width);
+           fptr += len;
+           left -= len;
+         }
+         if(prec >= 0) {
+          /* for each digit in the integer part, we can have one less
+             precision */
+          size_t maxprec = sizeof(work) - 2;
+          double val = p->data.dnum;
+          while(val >= 10.0) {
+            val /= 10;
+            maxprec--;
+          }
+
+          if(prec > (long)maxprec)
+            prec = maxprec-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, ".%ld", prec);
+           fptr += len;
+@@ -941,7 +955,9 @@ static int dprintf_formatf(
+         /* NOTE NOTE NOTE!! Not all sprintf implementations return number of
+            output characters */
+         (sprintf)(work, formatbuf, p->data.dnum);
+-
+#ifdef CURLDEBUG
+        assert(strlen(work) <= sizeof(work));
+#endif
+         for(fptr=work; *fptr; fptr++)
+           OUTCHAR(*fptr);
+       }
+diff --git a/tests/data/test557 b/tests/data/test557
+index 8d0944a..ad9350f 100644
+--- a/tests/data/test557
+++ b/tests/data/test557
+@@ -40,6 +40,7 @@ All curl_mprintf() unsigned long tests OK!
+ All curl_mprintf() signed long tests OK!
+ All curl_mprintf() curl_off_t tests OK!
+ All curl_mprintf() strings tests OK!
+All float strings tests OK!
+ </stdout>
+ </verify>
+ 
+diff --git a/tests/libtest/lib557.c b/tests/libtest/lib557.c
+index 683ca08..8c62a0e 100644
+--- a/tests/libtest/lib557.c
+++ b/tests/libtest/lib557.c
+@@ -1374,16 +1374,31 @@ static int test_curl_off_t_formatting(void)
+   return failed;
+ }
+ 
+-static int string_check(char *buf, const char *buf2)
+static int _string_check(int linenumber, char *buf, const char *buf2)
+ {
+   if(strcmp(buf, buf2)) {
+     /* they shouldn't differ */
+-    printf("sprintf failed:\nwe '%s'\nsystem: '%s'\n",
+-           buf, buf2);
+    printf("sprintf line %d failed:\nwe      '%s'\nsystem: '%s'\n",
+           linenumber, buf, buf2);
+     return 1;
+   }
+   return 0;
+ }
+#define string_check(x,y) _string_check(__LINE__, x, y)
+
+static int _strlen_check(int linenumber, char *buf, size_t len)
+{
+  size_t buflen = strlen(buf);
+  if(len != buflen) {
+    /* they shouldn't differ */
+    printf("sprintf strlen:%d failed:\nwe '%d'\nsystem: '%d'\n",
+           linenumber, buflen, len);
+    return 1;
+  }
+  return 0;
+}
+
+#define strlen_check(x,y) _strlen_check(__LINE__, x, y)
+ 
+ /*
+  * The output strings in this test need to have been verified with a system
+@@ -1523,6 +1538,119 @@ static int test_weird_arguments(void)
+   return errors;
+ }
+ 
+/* DBL_MAX value from Linux */
+#define MAXIMIZE -179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368.000000
+
+static int test_float_formatting(void)
+{
+  int errors = 0;
+  char buf[512]; /* larger than max float size */
+  curl_msnprintf(buf, sizeof(buf), "%f", 9.0);
+  errors += string_check(buf, "9.000000");
+
+  curl_msnprintf(buf, sizeof(buf), "%.1f", 9.1);
+  errors += string_check(buf, "9.1");
+
+  curl_msnprintf(buf, sizeof(buf), "%.2f", 9.1);
+  errors += string_check(buf, "9.10");
+
+  curl_msnprintf(buf, sizeof(buf), "%.0f", 9.1);
+  errors += string_check(buf, "9");
+
+  curl_msnprintf(buf, sizeof(buf), "%0f", 9.1);
+  errors += string_check(buf, "9.100000");
+
+  curl_msnprintf(buf, sizeof(buf), "%10f", 9.1);
+  errors += string_check(buf, "  9.100000");
+
+  curl_msnprintf(buf, sizeof(buf), "%10.3f", 9.1);
+  errors += string_check(buf, "     9.100");
+
+  curl_msnprintf(buf, sizeof(buf), "%-10.3f", 9.1);
+  errors += string_check(buf, "9.100     ");
+
+  curl_msnprintf(buf, sizeof(buf), "%-10.3f", 9.123456);
+  errors += string_check(buf, "9.123     ");
+
+  curl_msnprintf(buf, sizeof(buf), "%.-2f", 9.1);
+  errors += string_check(buf, "9.100000");
+
+  curl_msnprintf(buf, sizeof(buf), "%*f", 10, 9.1);
+  errors += string_check(buf, "  9.100000");
+
+  curl_msnprintf(buf, sizeof(buf), "%*f", 3, 9.1);
+  errors += string_check(buf, "9.100000");
+
+  curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.2987654);
+  errors += string_check(buf, "9.298765");
+
+  curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.298765);
+  errors += string_check(buf, "9.298765");
+
+  curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.29876);
+  errors += string_check(buf, "9.298760");
+
+  curl_msnprintf(buf, sizeof(buf), "%.*f", 6, 9.2987654);
+  errors += string_check(buf, "9.298765");
+  curl_msnprintf(buf, sizeof(buf), "%.*f", 5, 9.2987654);
+  errors += string_check(buf, "9.29877");
+  curl_msnprintf(buf, sizeof(buf), "%.*f", 4, 9.2987654);
+  errors += string_check(buf, "9.2988");
+  curl_msnprintf(buf, sizeof(buf), "%.*f", 3, 9.2987654);
+  errors += string_check(buf, "9.299");
+  curl_msnprintf(buf, sizeof(buf), "%.*f", 2, 9.2987654);
+  errors += string_check(buf, "9.30");
+  curl_msnprintf(buf, sizeof(buf), "%.*f", 1, 9.2987654);
+  errors += string_check(buf, "9.3");
+  curl_msnprintf(buf, sizeof(buf), "%.*f", 0, 9.2987654);
+  errors += string_check(buf, "9");
+
+  /* very large precisions easily turn into system specific outputs so we only
+     check the output buffer length here as we know the internal limit */
+
+  curl_msnprintf(buf, sizeof(buf), "%.*f", (1<<30), 9.2987654);
+  errors += strlen_check(buf, 325);
+
+  curl_msnprintf(buf, sizeof(buf), "%10000.10000f", 9.2987654);
+  errors += strlen_check(buf, 325);
+
+  curl_msnprintf(buf, sizeof(buf), "%240.10000f",
+                 123456789123456789123456789.2987654);
+  errors += strlen_check(buf, 325);
+
+  /* 1<<31 turns negative (-2147483648) when used signed */
+  curl_msnprintf(buf, sizeof(buf), "%*f", (1<<31), 9.1);
+  errors += string_check(buf, "9.100000");
+
+  /* curl_msnprintf() limits a single float output to 325 bytes maximum
+     width */
+  curl_msnprintf(buf, sizeof(buf), "%*f", (1<<30), 9.1);
+  errors += string_check(buf, "                                                                                                                                                                                                                                                                                                                             9.100000");
+  curl_msnprintf(buf, sizeof(buf), "%100000f", 9.1);
+  errors += string_check(buf, "                                                                                                                                                                                                                                                                                                                             9.100000");
+
+  curl_msnprintf(buf, sizeof(buf), "%f", MAXIMIZE);
+  errors += strlen_check(buf, 317);
+
+  curl_msnprintf(buf, 2, "%f", MAXIMIZE);
+  errors += strlen_check(buf, 1);
+  curl_msnprintf(buf, 3, "%f", MAXIMIZE);
+  errors += strlen_check(buf, 2);
+  curl_msnprintf(buf, 4, "%f", MAXIMIZE);
+  errors += strlen_check(buf, 3);
+  curl_msnprintf(buf, 5, "%f", MAXIMIZE);
+  errors += strlen_check(buf, 4);
+  curl_msnprintf(buf, 6, "%f", MAXIMIZE);
+  errors += strlen_check(buf, 5);
+
+  if(!errors)
+    printf("All float strings tests OK!\n");
+  else
+    printf("test_float_formatting Failed!\n");
+
+  return errors;
+}
+
+ 
+ int test(char *URL)
+ {
+@@ -1547,6 +1675,8 @@ int test(char *URL)
+ 
+   errors += test_string_formatting();
+ 
+  errors += test_float_formatting();
+
+   if(errors)
+     return TEST_ERR_MAJOR_BAD;
+   else
+-- 
+2.7.4
+
--- a/0005-curl-7.51.0-CVE-2017-7407.patch
+++ b/0005-curl-7.51.0-CVE-2017-7407.patch
@ -0,0 +1,225 @@
+From eb160abce0ac45a8e070d9fa995c61a416a58ddd Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 11 Mar 2017 10:59:34 +0100
+Subject: [PATCH 1/2] tool_writeout: fixed a buffer read overrun on --write-out
+
+If a % ended the statement, the string's trailing NUL would be skipped
+and memory past the end of the buffer would be accessed and potentially
+displayed as part of the --write-out output. Added tests 1440 and 1441
+to check for this kind of condition.
+
+Reported-by: Brian Carpenter
+
+Upstream-commit: 1890d59905414ab84a35892b2e45833654aa5c13
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_writeout.c     |  2 +-
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1440     | 31 +++++++++++++++++++++++++++++++
+ tests/data/test1441     | 31 +++++++++++++++++++++++++++++++
+ 4 files changed, 64 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1440
+ create mode 100644 tests/data/test1441
+
+diff --git a/src/tool_writeout.c b/src/tool_writeout.c
+index 2fb7774..7843182 100644
+--- a/src/tool_writeout.c
+++ b/src/tool_writeout.c
+@@ -109,7 +109,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+   double doubleinfo;
+ 
+   while(ptr && *ptr) {
+-    if('%' == *ptr) {
+    if('%' == *ptr && ptr[1]) {
+       if('%' == ptr[1]) {
+         /* an escaped %-letter */
+         fputc('%', stream);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 8251ab9..2e70895 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -148,7 +148,7 @@ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
+ test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
+ test1424 \
+ test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
+-test1436 test1437 \
+test1436 test1437 test1440 test1441 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+diff --git a/tests/data/test1440 b/tests/data/test1440
+new file mode 100644
+index 0000000..7ed0c4d
+--- /dev/null
+++ b/tests/data/test1440
+@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %{
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%{'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%{
+</stdout>
+</verify>
+</testcase>
+diff --git a/tests/data/test1441 b/tests/data/test1441
+new file mode 100644
+index 0000000..6e253a6
+--- /dev/null
+++ b/tests/data/test1441
+@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%
+</stdout>
+</verify>
+</testcase>
+-- 
+2.9.3
+
+
+From 67bee1434a17065da7db3fc2915c494f289f46de Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 24 Mar 2017 10:14:21 +0100
+Subject: [PATCH 2/2] curl: check for end of input in writeout backslash
+ handling
+
+Reported-by: Brian Carpenter
+
+Added test 1442 to verify
+
+Upstream-commit: 8e65877870c1fac920b65219adec720df810aab9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_writeout.c     |  4 ++--
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1442     | 35 +++++++++++++++++++++++++++++++++++
+ 3 files changed, 38 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test1442
+
+diff --git a/src/tool_writeout.c b/src/tool_writeout.c
+index 7843182..5d92bd2 100644
+--- a/src/tool_writeout.c
+++ b/src/tool_writeout.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -320,7 +320,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+         }
+       }
+     }
+-    else if('\\' == *ptr) {
+    else if('\\' == *ptr && ptr[1]) {
+       switch(ptr[1]) {
+       case 'r':
+         fputc('\r', stream);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 2e70895..267ff6a 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -148,7 +148,7 @@ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
+ test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
+ test1424 \
+ test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
+-test1436 test1437 test1440 test1441 \
+test1436 test1437 test1440 test1441 test1442 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+diff --git a/tests/data/test1442 b/tests/data/test1442
+new file mode 100644
+index 0000000..255a4c9
+--- /dev/null
+++ b/tests/data/test1442
+@@ -0,0 +1,35 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+FILE
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing \
+</name>
+<command>
+file://localhost/%PWD/log/non-existent-file.txt --write-out '\'
+</command>
+</client>
+
+# Verify data
+<verify>
+<errorcode>
+37
+</errorcode>
+<stdout nonewline="yes">
+\
+</stdout>
+</verify>
+</testcase>
+-- 
+2.9.3
+
--- a/0006-curl-7.51.0-ciphers-man-page.patch
+++ b/0006-curl-7.51.0-ciphers-man-page.patch
@ -0,0 +1,65 @@
+From e7e5ada376af33d00b75c1f80f4b2d0438cb91f6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 25 Dec 2016 11:01:17 +0100
+Subject: [PATCH] docs/ciphers: link to our own new page about ciphers
+
+... as the former ones always go stale!
+
+Upstream-commit: 209b2302272b86c2bbe4d3d2b62e1695655f8670
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/curl.1                                 | 6 +-----
+ docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3 | 8 ++------
+ 2 files changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index 05d1a8d..915e3d1 100644
+--- a/docs/curl.1
+++ b/docs/curl.1
+@@ -292,11 +292,7 @@ If this option is used several times, the last one will be used.
+ .IP "--ciphers <list of ciphers>"
+ (SSL) Specifies which ciphers to use in the connection. The list of ciphers
+ must specify valid ciphers. Read up on SSL cipher list details on this URL:
+-\fIhttps://www.openssl.org/docs/apps/ciphers.html\fP
+-
+-NSS ciphers are done differently than OpenSSL and GnuTLS. The full list of NSS
+-ciphers is in the NSSCipherSuite entry at this URL:
+-\fIhttps://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives\fP
+\fIhttps://curl.haxx.se/docs/ssl-ciphers.html\fP
+ 
+ If this option is used several times, the last one will be used.
+ .IP "--compressed"
+diff --git a/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3 b/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3
+index 71833b5..f6b9459 100644
+--- a/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -40,16 +40,12 @@ compile OpenSSL.
+ 
+ You'll find more details about cipher lists on this URL:
+ 
+- https://www.openssl.org/docs/apps/ciphers.html
+ https://curl.haxx.se/docs/ssl-ciphers.html
+ 
+ For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
+ \'rsa_aes_128_sha\', etc. With NSS you don't add/remove ciphers. If one uses
+ this option then all known ciphers are disabled and only those passed in are
+ enabled.
+-
+-You'll find more details about the NSS cipher lists on this URL:
+-
+- http://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives
+ .SH DEFAULT
+ NULL, use internal default
+ .SH PROTOCOLS
+-- 
+2.9.4
+
--- a/0007-curl-7.54.1-nss-cc-use-after-free.patch
+++ b/0007-curl-7.54.1-nss-cc-use-after-free.patch
@ -0,0 +1,104 @@
+From fe9bc87820bd2afa72d014d5316b0287e70587e6 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 20 Jul 2017 08:05:59 +0200
+Subject: [PATCH 1/2] nss: unify the coding style of nss_send() and nss_recv()
+
+No changes in behavior intended by this commit.
+
+Upstream-commit: c89eb6d0f87a3620074bc04a6af255e5dc3a523e
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/nss.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 4e5f4b3..ab4ddff 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -2013,8 +2013,10 @@ static ssize_t nss_send(struct connectdata *conn,  /* connection data */
+                         size_t len,                /* amount to write */
+                         CURLcode *curlcode)
+ {
+-  ssize_t rc = PR_Send(conn->ssl[sockindex].handle, mem, (int)len, 0,
+-                       PR_INTERVAL_NO_WAIT);
+  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  ssize_t rc;
+
+  rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT);
+   if(rc < 0) {
+     PRInt32 err = PR_GetError();
+     if(err == PR_WOULD_BLOCK_ERROR)
+@@ -2038,14 +2040,17 @@ static ssize_t nss_send(struct connectdata *conn,  /* connection data */
+   return rc; /* number of bytes */
+ }
+ 
+-static ssize_t nss_recv(struct connectdata * conn, /* connection data */
+-                        int num,                   /* socketindex */
+static ssize_t nss_recv(struct connectdata *conn,  /* connection data */
+                        int sockindex,             /* socketindex */
+                         char *buf,                 /* store read data here */
+                         size_t buffersize,         /* max amount to read */
+                         CURLcode *curlcode)
+ {
+-  ssize_t nread = PR_Recv(conn->ssl[num].handle, buf, (int)buffersize, 0,
+-                          PR_INTERVAL_NO_WAIT);
+  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  ssize_t nread;
+
+  nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0,
+                  PR_INTERVAL_NO_WAIT);
+   if(nread < 0) {
+     /* failed SSL read */
+     PRInt32 err = PR_GetError();
+-- 
+2.9.4
+
+
+From f6c464a55a2319901c4f22d0d65cc437f691f55c Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 19 Jul 2017 18:02:26 +0200
+Subject: [PATCH 2/2] nss: fix a possible use-after-free in SelectClientCert()
+
+... causing a SIGSEGV in showit() in case the handle used to initiate
+the connection has already been freed.
+
+This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
+
+Reported-by: Rob Sanders
+Bug: https://bugzilla.redhat.com/1436158
+
+Upstream-commit: 42a4cd4c78b3feb5ca07286479129116e125a730
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/nss.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index ab4ddff..4c90400 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -2016,6 +2016,10 @@ static ssize_t nss_send(struct connectdata *conn,  /* connection data */
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+   ssize_t rc;
+ 
+  /* The SelectClientCert() hook uses this for infof() and failf() but the
+     handle stored in nss_setup_connect() could have already been freed. */
+  connssl->data = conn->data;
+
+   rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT);
+   if(rc < 0) {
+     PRInt32 err = PR_GetError();
+@@ -2049,6 +2053,10 @@ static ssize_t nss_recv(struct connectdata *conn,  /* connection data */
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+   ssize_t nread;
+ 
+  /* The SelectClientCert() hook uses this for infof() and failf() but the
+     handle stored in nss_setup_connect() could have already been freed. */
+  connssl->data = conn->data;
+
+   nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0,
+                   PR_INTERVAL_NO_WAIT);
+   if(nread < 0) {
+-- 
+2.9.4
+
--- a/0009-curl-7.54.1-CVE-2017-1000101.patch
+++ b/0009-curl-7.54.1-CVE-2017-1000101.patch
@ -0,0 +1,95 @@
+From 8846a6507283f2bfe439cc3679ac81aca5ee3447 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 1 Aug 2017 17:16:07 +0200
+Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
+ range
+
+Added test 1289 to verify.
+
+CVE-2017-1000101
+
+Bug: https://curl.haxx.se/docs/adv_20170809A.html
+Reported-by: Brian Carpenter
+
+Upstream-commit: 453e7a7a03a2cec749abd3878a48e728c515cca7
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_urlglob.c      |  5 ++++-
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1289     | 35 +++++++++++++++++++++++++++++++++++
+ 3 files changed, 40 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1289
+
+diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
+index d002f27..caf2385 100644
+--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
+@@ -269,7 +269,10 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
+         }
+         errno = 0;
+         max_n = strtoul(pattern, &endp, 10);
+-        if(errno || (*endp == ':')) {
+        if(errno)
+          /* overflow */
+          endp = NULL;
+        else if(*endp == ':') {
+           pattern = endp+1;
+           errno = 0;
+           step_n = strtoul(pattern, &endp, 10);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index ecfedc9..be69e7c 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -128,7 +128,7 @@ test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
+ test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
+ test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \
+ test1244 test1245 test1246 \
+-\
+test1289 \
+ test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
+ test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \
+ test1316 test1317 test1318 test1319 test1320 test1321 test1322          \
+diff --git a/tests/data/test1289 b/tests/data/test1289
+new file mode 100644
+index 0000000..d679cc0
+--- /dev/null
+++ b/tests/data/test1289
+@@ -0,0 +1,35 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+globbing
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+globbing with overflow and bad syntxx
+</name>
+<command>
+http://ur%20[0-60000000000000000000
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# curl: (3) [globbing] bad range in column 
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
+-- 
+2.9.4
+
--- a/0010-curl-7.54.1-CVE-2017-1000100.patch
+++ b/0010-curl-7.54.1-CVE-2017-1000100.patch
@ -0,0 +1,49 @@
+From d30858296331b3ab1dc57043eef66fddf87637c3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 1 Aug 2017 17:16:46 +0200
+Subject: [PATCH] tftp: reject file name lengths that don't fit
+
+... and thereby avoid telling send() to send off more bytes than the
+size of the buffer!
+
+CVE-2017-1000100
+
+Bug: https://curl.haxx.se/docs/adv_20170809B.html
+Reported-by: Even Rouault
+
+Credit to OSS-Fuzz for the discovery
+
+Upstream-commit: 358b2b131ad6c095696f20dcfa62b8305263f898
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/tftp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index f2f8347..92b3edf 100644
+--- a/lib/tftp.c
+++ b/lib/tftp.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -490,6 +490,11 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
+     if(result)
+       return result;
+ 
+    if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
+      failf(data, "TFTP file name too long\n");
+      return CURLE_TFTP_ILLEGAL; /* too long file name field */
+    }
+
+     snprintf((char *)state->spacket.data+2,
+              state->blksize,
+              "%s%c%s%c", filename, '\0',  mode, '\0');
+-- 
+2.9.4
+
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@ -13,7 +13,7 @@ diff --git a/curl-config.in b/curl-config.in
 index 150004d..95d0759 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -76,7 +76,7 @@ while test $# -gt 0; do
+@@ -75,7 +75,7 @@ while test $# -gt 0; do
         ;;
 
     --cc)
@ -22,7 +22,7 @@ index 150004d..95d0759 100644
         ;;
 
     --prefix)
-@@ -155,32 +155,17 @@ while test $# -gt 0; do
+@@ -142,29 +142,14 @@ while test $# -gt 0; do
         ;;
 
     --libs)
@ -38,9 +38,6 @@ index 150004d..95d0759 100644
 -        fi
 +        echo -lcurl
         ;;
-     --ssl-backends)
-         echo "@SSL_BACKENDS@"
-         ;;
 
     --static-libs)
 -        if test "X@ENABLE_STATIC@" != "Xno" ; then
@ -61,8 +58,8 @@ diff --git a/docs/curl-config.1 b/docs/curl-config.1
 index 14a9d2b..ffcc004 100644
 --- a/docs/curl-config.1
 +++ b/docs/curl-config.1
-@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
- comma-separated. (Added in 7.58.0)
+@@ -65,7 +65,9 @@ be listed using uppercase and are separated by newlines. There may be none,
+ one, or several protocols in the list. (Added in 7.13.0)
 .IP "--static-libs"
 Shows the complete set of libs and other linker options you will need in order
 -to link your application with libcurl statically. (Added in 7.17.1)
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; }
+@@ -16620,18 +16620,11 @@ $as_echo "yes" >&6; }
     gccvhi=`echo $gccver | cut -d . -f1`
     gccvlo=`echo $gccver | cut -d . -f2`
     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
@ -27,7 +27,7 @@ index 8f079a3..53b4774 100755
 +    flags_dbg_all=""
     flags_dbg_yes="-g"
     flags_dbg_off=""
-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
+-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
 -    flags_opt_yes="-O2"
 +    flags_opt_all=""
 +    flags_opt_yes=""
@ -38,7 +38,7 @@ diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
 index 0cbba7a..9175b5b 100644
 --- a/m4/curl-compilers.m4
 +++ b/m4/curl-compilers.m4
-@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
+@@ -148,18 +148,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
     gccvhi=`echo $gccver | cut -d . -f1`
     gccvlo=`echo $gccver | cut -d . -f2`
     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
@ -53,7 +53,7 @@ index 0cbba7a..9175b5b 100644
 +    flags_dbg_all=""
     flags_dbg_yes="-g"
     flags_dbg_off=""
-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
+-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
 -    flags_opt_yes="-O2"
 +    flags_opt_all=""
 +    flags_opt_yes=""
--- a/0103-curl-7.59.0-python3.patch
+++ b/0103-curl-7.59.0-python3.patch
@ -1,34 +0,0 @@
-From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Thu, 15 Mar 2018 14:49:56 +0100
-Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3
-
-Unfortunately, smbserver.py does not work with Python 3 because
-there is no 'impacket' module available for Python 3:
-
-https://github.com/CoreSecurity/impacket/issues/61
---
- tests/negtelnetserver.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
-index 8cfd409..72ee771 100755
--- a/tests/negtelnetserver.py
-+++ b/tests/negtelnetserver.py
-@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
-                 response_data = response.encode('ascii')
-             else:
-                 log.debug("Received normal request - echoing back")
-                response_data = data.strip()
-+                response_data = data.decode('utf8').strip()
- 
-             if response_data:
-                 log.debug("Sending %r", response_data)
-                self.request.sendall(response_data)
-+                self.request.sendall(response_data.encode('utf8'))
- 
-         except IOError:
-             log.exception("IOError hit during request")
-- 
-2.14.3
-
--- a/0104-curl-7.19.7-localhost6.patch
+++ b/0104-curl-7.19.7-localhost6.patch
@ -14,8 +14,8 @@ index e441278..b0958b6 100644
 +-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6
 </command>
 <precheck>
-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
-+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
+-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
 </precheck>
 </client>
 
--- a/0105-curl-7.63.0-lib1560-valgrind.patch
+++ b/0105-curl-7.63.0-lib1560-valgrind.patch
@ -1,39 +0,0 @@
-From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 4 Feb 2019 17:32:56 +0100
-Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
-
-... to prevent valgrind from reporting false positives on x86_64:
-
-Conditional jump or move depends on uninitialised value(s)
-   at 0x10BCAA: part2id (lib1560.c:489)
-   by 0x10BCAA: updateurl (lib1560.c:521)
-   by 0x10BCAA: set_parts (lib1560.c:630)
-   by 0x10BCAA: test (lib1560.c:802)
-   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
-
-Conditional jump or move depends on uninitialised value(s)
-   at 0x10BCC3: part2id (lib1560.c:491)
-   by 0x10BCC3: updateurl (lib1560.c:521)
-   by 0x10BCC3: set_parts (lib1560.c:630)
-   by 0x10BCC3: test (lib1560.c:802)
-   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
---
- tests/libtest/Makefile.inc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
-index 080421b..ea3b806 100644
--- a/tests/libtest/Makefile.inc
-+++ b/tests/libtest/Makefile.inc
-@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
- lib1559_LDADD = $(TESTUTIL_LIBS)
- 
- lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
-+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
- lib1560_LDADD = $(TESTUTIL_LIBS)
- 
- lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
-- 
-2.17.2
-
--- a/curl-7.51.0.tar.lzma.asc
+++ b/curl-7.51.0.tar.lzma.asc
@ -0,0 +1,10 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAABCgAGBQJYGY4MAAoJEFzJCP23HhLCNkQH/0AjH+fRd4vuv9/AoO2CjZGf
+JEXOPF2ZfKeBKc14dPfxhNj/klX3JvmLG9Z1jZLySWYl1/be0CM0LSoxh11rtioO
+FiScVNNdUOUnJ6b8m0qVoX1wx9lCn3pjVKGzkfCx4pZ3eZDhtSRBbKNe+92fSOTk
+nnMEDDj9q9C++yO8EMifDBfyX2u+JCpvnUu3EFa/znRjZB88Uyrc9Li+fl4aBfo1
+IyH8EGmM0QkYBuGZhQBGg6mYg8LkG0JROHpk+j3lh9hZNA2An7tIEhbqoktaLW2i
+Ude6R2g2/AdqfZrifY3fBXHc4d0XO4T7GIGREmo4TKDHTLDthKSNTTHt2a9dpiI=
+=v+YR
+-----END PGP SIGNATURE-----
--- a/curl-7.67.0.tar.xz.asc
+++ b/curl-7.67.0.tar.xz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce
-EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh
-kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t
-O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP
-s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5
-ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS
-3dPfzzRA8wgROem58QhHnrR9c2CmdQ==
-=5gov
-----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,12 +1,37 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.67.0
-Release: 2%{?dist}
+Version: 7.51.0
+Release: 9%{?dist}
 License: MIT
-Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
+Group: Applications/Internet
+Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma

-# fix infinite loop on upload using a glob (#1771025)
-Patch1:   0001-curl-7.67.0-upload-glob.patch
+# ssh: check md5 fingerprints case insensitively
+Patch1:   0001-curl-7.51.0-ssh-md5.patch
+
+# stricter host name checking for file:// URLs
+Patch2:   0002-curl-7.51.0-file-host.patch
+
+# map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
+Patch3:   0003-curl-7.51.0-tls-version.patch
+
+# fix floating point buffer overflow issues (CVE-2016-9586)
+Patch4:   0004-curl-7.51.0-CVE-2016-9586.patch
+
+# fix out of bounds read in curl --write-out (CVE-2017-7407)
+Patch5:   0005-curl-7.51.0-CVE-2017-7407.patch
+
+# fix links to documentation of TLS cipher-suites (#1463532)
+Patch6:   0006-curl-7.51.0-ciphers-man-page.patch
+
+# nss: fix a possible use-after-free in SelectClientCert() (#1436158)
+Patch7:   0007-curl-7.54.1-nss-cc-use-after-free.patch
+
+# do not continue parsing of glob after range overflow (CVE-2017-1000101)
+Patch9:   0009-curl-7.54.1-CVE-2017-1000101.patch
+
+# tftp: reject file name lengths that do not fit buffer (CVE-2017-1000100)
+Patch10:  0010-curl-7.54.1-CVE-2017-1000100.patch

 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -14,53 +39,30 @@ Patch101: 0101-curl-7.32.0-multilib.patch
 # prevent configure script from discarding -g in CFLAGS (#496778)
 Patch102: 0102-curl-7.36.0-debug.patch

-# migrate tests/http_pipe.py to Python 3
-Patch103: 0103-curl-7.59.0-python3.patch
-
 # use localhost6 instead of ip6-localhost in the curl test-suite
 Patch104: 0104-curl-7.19.7-localhost6.patch

-# prevent valgrind from reporting false positives on x86_64
-Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch
-
-Provides: curl-full = %{version}-%{release}
 Provides: webclient
-URL: https://curl.haxx.se/
+URL: http://curl.haxx.se/
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
 BuildRequires: automake
-BuildRequires: brotli-devel
-BuildRequires: coreutils
-BuildRequires: gcc
 BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
 BuildRequires: libmetalink-devel
 BuildRequires: libnghttp2-devel
 BuildRequires: libpsl-devel
-BuildRequires: libssh-devel
-BuildRequires: make
+BuildRequires: libssh2-devel
+BuildRequires: multilib-rpm-config
+BuildRequires: nss-devel
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
-BuildRequires: openssl-devel
-BuildRequires: perl-interpreter
 BuildRequires: pkgconfig
-BuildRequires: python3-devel
-BuildRequires: sed
+BuildRequires: python
 BuildRequires: stunnel
 BuildRequires: zlib-devel

-# needed to compress content of tool_hugehelp.c after changing curl.1 man page
-BuildRequires: perl(IO::Compress::Gzip)
-
-# needed for generation of shell completions
-BuildRequires: perl(Getopt::Long)
-BuildRequires: perl(Pod::Usage)
-BuildRequires: perl(strict)
-BuildRequires: perl(warnings)
-
-# gnutls-serv is used by the upstream test-suite
-BuildRequires: gnutls-utils
-
 # nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
 BuildRequires: nghttp2

@ -73,34 +75,27 @@ BuildRequires: perl(File::Copy)
 BuildRequires: perl(File::Spec)
 BuildRequires: perl(IPC::Open2)
 BuildRequires: perl(MIME::Base64)
+BuildRequires: perl(strict)
 BuildRequires: perl(Time::Local)
 BuildRequires: perl(Time::HiRes)
+BuildRequires: perl(warnings)
 BuildRequires: perl(vars)

-# The test-suite runs automatically through valgrind if valgrind is available
+# The test-suite runs automatically trough valgrind if valgrind is available
 # on the system.  By not installing valgrind into mock's chroot, we disable
 # this feature for production builds on architectures where valgrind is known
 # to be less reliable, in order to avoid unnecessary build failures (see RHBZ
 # #810992, #816175, and #886891).  Nevertheless developers are free to install
 # valgrind manually to improve test coverage on any architecture.
-%ifarch x86_64
+%ifarch %{ix86} x86_64
 BuildRequires: valgrind
 %endif

-# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
-Requires: libcurl%{?_isa} >= %{version}-%{release}
+Requires: libcurl%{?_isa} = %{version}-%{release}

-# require at least the version of libpsl that we were built against,
-# to ensure that we have the necessary symbols available (#1631804)
-%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
-
-# require at least the version of libssh that we were built against,
+# require at least the version of libssh2 that we were built against,
 # to ensure that we have the necessary symbols available (#525002, #642796)
-%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)
-
-# require at least the version of openssl-libs that we were built against,
-# to ensure that we have the necessary symbols available (#1462184, #1462211)
-%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0)
+%global libssh2_version %(pkg-config --modversion libssh2 2>/dev/null || echo 0)

 %description
 curl is a command line tool for transferring data with URL syntax, supporting
@ -112,11 +107,12 @@ resume, proxy tunneling and a busload of other useful tricks.

 %package -n libcurl
 Summary: A library for getting files from web servers
-Requires: libpsl%{?_isa} >= %{libpsl_version}
-Requires: libssh%{?_isa} >= %{libssh_version}
-Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
-Provides: libcurl-full = %{version}-%{release}
-Provides: libcurl-full%{?_isa} = %{version}-%{release}
+Group: Development/Libraries
+Requires: libssh2%{?_isa} >= %{libssh2_version}
+
+# libnsspem.so is no longer included in the nss package (#1347336)
+BuildRequires: nss-pem
+Requires: nss-pem%{?_isa}

 %description -n libcurl
 libcurl is a free and easy-to-use client-side URL transfer library, supporting
@ -128,8 +124,19 @@ resume, http proxy tunneling and more.

 %package -n libcurl-devel
 Summary: Files needed for building applications with libcurl
+Group: Development/Libraries
 Requires: libcurl%{?_isa} = %{version}-%{release}

+# From Fedora 14, %%{_datadir}/aclocal is included in the filesystem package
+%if 0%{?fedora} < 14
+Requires: %{_datadir}/aclocal
+%endif
+
+# From Fedora 11, RHEL-6, pkgconfig dependency is auto-detected
+%if 0%{?fedora} < 11 && 0%{?rhel} < 6
+Requires: pkgconfig
+%endif
+
 Provides: curl-devel = %{version}-%{release}
 Provides: curl-devel%{?_isa} = %{version}-%{release}
 Obsoletes: curl-devel < %{version}-%{release}
@ -139,126 +146,66 @@ The libcurl-devel package includes header files and libraries necessary for
 developing programs which use the libcurl library. It contains the API
 documentation of the library, too.

-%package -n curl-minimal
-Summary: Conservatively configured build of curl for minimal installations
-Provides: curl = %{version}-%{release}
-Conflicts: curl
-RemovePathPostfixes: .minimal
-
-# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
-Requires: libcurl%{?_isa} >= %{version}-%{release}
-
-%description -n curl-minimal
-This is a replacement of the 'curl' package for minimal installations.  It
-comes with a limited set of features compared to the 'curl' package.  On the
-other hand, the package is smaller and requires fewer run-time dependencies to
-be installed.
-
-%package -n libcurl-minimal
-Summary: Conservatively configured build of libcurl for minimal installations
-Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
-Provides: libcurl = %{version}-%{release}
-Provides: libcurl%{?_isa} = %{version}-%{release}
-Conflicts: libcurl
-RemovePathPostfixes: .minimal
-# needed for RemovePathPostfixes to work with shared libraries
-%undefine __brp_ldconfig
-
-%description -n libcurl-minimal
-This is a replacement of the 'libcurl' package for minimal installations.  It
-comes with a limited set of features compared to the 'libcurl' package.  On the
-other hand, the package is smaller and requires fewer run-time dependencies to
-be installed.
-
 %prep
 %setup -q

 # upstream patches
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch9 -p1
+%patch10 -p1

 # Fedora patches
 %patch101 -p1
 %patch102 -p1
-%patch103 -p1
 %patch104 -p1
-%patch105 -p1
-
-# make tests/*.py use Python 3
-sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py

 # regenerate Makefile.in files
 aclocal -I m4
 automake

-# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
-# with errno 98: Address already in use' in Koji environment), and test 1801
+# disable test 1112 (#565305) and test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
-# and test 1900, which is flaky and covers a deprecated feature of libcurl
-# <https://github.com/curl/curl/pull/2705>
-printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED
+printf "1112\n1801\n" >> tests/data/DISABLED

 # disable test 1319 on ppc64 (server times out)
 %ifarch ppc64
 echo "1319" >> tests/data/DISABLED
 %endif

-# temporarily disable test 582 on s390x (client times out)
-%ifarch s390x
-echo "582" >> tests/data/DISABLED
-%endif
-
-# adapt test 323 for updated OpenSSL
-sed -e 's/^35$/35,52/' -i tests/data/test323
+# temporarily disable failing libidn2 test-cases
+printf "1034\n1035\n2046\n2047\n" >> tests/data/DISABLED

 %build
-mkdir build-{full,minimal}
-export common_configure_opts=" \
-    --cache-file=../config.cache \
-    --disable-static \
+[ -x /usr/kerberos/bin/krb5-config ] && KRB5_PREFIX="=/usr/kerberos"
+%configure --disable-static \
    --enable-symbol-hiding \
    --enable-ipv6 \
+    --enable-ldaps \
+    --enable-manual \
    --enable-threaded-resolver \
-    --with-gssapi \
+    --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
+    --with-gssapi${KRB5_PREFIX} \
+    --with-libidn2 \
+    --with-libmetalink \
+    --with-libpsl \
+    --with-libssh2 \
    --with-nghttp2 \
-    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
+    --without-ssl --with-nss
+#    --enable-debug
+# use ^^^ to turn off optimizations, etc.

-%global _configure ../configure
+# Remove bogus rpath
+sed -i \
+    -e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \
+    -e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool

-# configure minimal build
-(
-    cd build-minimal
-    %configure $common_configure_opts \
-        --disable-ldap \
-        --disable-ldaps \
-        --disable-manual \
-        --without-brotli \
-        --without-libidn2 \
-        --without-libmetalink \
-        --without-libpsl \
-        --without-libssh
-)
-
-# configure full build
-(
-    cd build-full
-    %configure $common_configure_opts \
-        --enable-ldap \
-        --enable-ldaps \
-        --enable-manual \
-        --with-brotli \
-        --with-libidn2 \
-        --with-libmetalink \
-        --with-libpsl \
-        --with-libssh
-)
-
-# avoid using rpath
-sed -e 's/^runpath_var=.*/runpath_var=/' \
-    -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
-    -i build-{full,minimal}/libtool
-
-make %{?_smp_mflags} V=1 -C build-minimal
-make %{?_smp_mflags} V=1 -C build-full
+make %{?_smp_mflags} V=1

 %check
 # we have to override LD_LIBRARY_PATH because we eliminated rpath
@ -266,34 +213,15 @@ LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
 export LD_LIBRARY_PATH

 # compile upstream test-cases
-cd build-full/tests
+cd tests
 make %{?_smp_mflags} V=1

-# relax crypto policy for the test-suite to make it pass again (#1610888)
-export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
-export OPENSSL_CONF=
-
 # run the upstream test-suite
-srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
+./runtests.pl -a -p -v '!flaky'

 %install
-# install and rename the library that will be packaged as libcurl-minimal
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib
-rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
-for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
-    mv -v $i $i.minimal
-done
+rm -rf $RPM_BUILD_ROOT

-# install and rename the executable that will be packaged as curl-minimal
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src
-mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
-
-# install libcurl.m4
-install -d $RPM_BUILD_ROOT%{_datadir}/aclocal
-install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
-
-# install the executable and library that will be packaged as curl and libcurl
-cd build-full
 make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install

 # install zsh completion for curl
@ -301,33 +229,34 @@ make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
 LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
    make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts

-# do not install /usr/share/fish/completions/curl.fish which is also installed
-# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
-rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
-
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la

-%ldconfig_scriptlets -n libcurl
+install -d $RPM_BUILD_ROOT%{_datadir}/aclocal
+install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal

-%ldconfig_scriptlets -n libcurl-minimal
+# Make libcurl-devel multilib-ready (bug #488922)
+%multilib_fix_c_header --file %{_includedir}/curl/curlbuild.h
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post -n libcurl -p /sbin/ldconfig
+
+%postun -n libcurl -p /sbin/ldconfig

 %files
-%doc CHANGES
-%doc README
-%doc docs/BUGS
-%doc docs/FAQ
-%doc docs/FEATURES
-%doc docs/RESOURCES
-%doc docs/TODO
-%doc docs/TheArtOfHttpScripting
+%doc CHANGES README*
+%doc docs/BUGS docs/FAQ docs/FEATURES
+%doc docs/MANUAL docs/RESOURCES
+%doc docs/TheArtOfHttpScripting docs/TODO
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
-%{_datadir}/zsh
+%{_datadir}/zsh/site-functions

 %files -n libcurl
+%{!?_licensedir:%global license %%doc}
 %license COPYING
-%{_libdir}/libcurl.so.4
-%{_libdir}/libcurl.so.4.[0-9].[0-9]
+%{_libdir}/libcurl.so.*

 %files -n libcurl-devel
 %doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
@ -340,306 +269,25 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 %{_datadir}/aclocal/libcurl.m4

-%files -n curl-minimal
-%{_bindir}/curl.minimal
-%{_mandir}/man1/curl.1*
-
-%files -n libcurl-minimal
-%license COPYING
-%{_libdir}/libcurl.so.4.minimal
-%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
-
 %changelog
-* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-2
- fix infinite loop on upload using a glob (#1771025)
+* Wed Aug 09 2017 Kamil Dudka <kdudka@redhat.com> 7.51.0-9
+- tftp: reject file name lengths that do not fit buffer (CVE-2017-1000100)
+- do not continue parsing of glob after range overflow (CVE-2017-1000101)

-* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-1
- new upstream release
+* Thu Jul 20 2017 Kamil Dudka <kdudka@redhat.com> 7.51.0-8
+- nss: fix a possible use-after-free in SelectClientCert() (#1436158)

-* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2019-5481 - double free due to subsequent call of realloc()
-    CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet()
+* Wed Jun 21 2017 Kamil Dudka <kdudka@redhat.com> 7.51.0-7
+- fix links to documentation of TLS cipher-suites (#1463532)

-* Tue Aug 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-4
- avoid reporting spurious error in the HTTP2 framing layer (#1690971)
-
-* Thu Aug 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-3
- improve handling of gss_init_sec_context() failures
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.65.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sat Jul 20 2019 Paul Howarth <paul@city-fan.org> - 7.65.3-1
- new upstream release
-
-* Wed Jul 17 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.2-1
- new upstream release
-
-* Wed Jun 05 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.1-1
- new upstream release
-
-* Thu May 30 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-2
- fix spurious timeout events with speed-limit (#1714893)
-
-* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2019-5436 - TFTP receive buffer overflow
-    CVE-2019-5435 - integer overflows in curl_url_set()
-
-* Thu May 09 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-2
- do not treat failure of gss_init_sec_context() with --negotiate as fatal
-
-* Wed Mar 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-1
- new upstream release
-
-* Mon Mar 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-6
- remove verbose "Expire in" ... messages (#1690971)
-
-* Thu Mar 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-5
- avoid spurious "Could not resolve host: [host name]" error messages
-
-* Wed Feb 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-4
- fix NULL dereference if flushing cookies with no CookieInfo set (#1683676)
-
-* Mon Feb 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-3
- prevent NetworkManager from leaking file descriptors (#1680198)
-
-* Mon Feb 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-2
- make zsh completion work again
-
-* Wed Feb 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2019-3823 - SMTP end-of-response out-of-bounds read
-    CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow
-    CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read
-
-* Mon Feb 04 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-7
- prevent valgrind from reporting false positives on x86_64
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.63.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-5
- xattr: strip credentials from any URL that is stored (CVE-2018-20483)
-
-* Fri Jan 04 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-4
- replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch
-
-* Wed Dec 19 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-3
- curl -J: do not append to the destination file (#1658574)
-
-* Fri Dec 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-2
- revert an upstream commit that broke `fedpkg new-sources` (#1659329)
-
-* Wed Dec 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-1
- new upstream release
-
-* Wed Oct 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.62.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2018-16839 - SASL password overflow via integer overflow
-    CVE-2018-16840 - use-after-free in handle close
-    CVE-2018-16842 - warning message out-of-buffer read
-
-* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3
- enable TLS 1.3 post-handshake auth in OpenSSL
- update the documentation of --tlsv1.0 in curl(1) man page
-
-* Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-2
- enforce versioned libpsl dependency for libcurl (#1631804)
- test320: update expected output for gnutls-3.6.4
- drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594)
-
-* Wed Sep 05 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-1
- new upstream release, which fixes the following vulnerability
-    CVE-2018-14618 - NTLM password overflow via integer overflow
-
-* Tue Sep 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-8
- make the --tls13-ciphers option work
-
-* Mon Aug 27 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-7
- tests: make ssh-keygen always produce PEM format (#1622594)
-
-* Wed Aug 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-6
- scp/sftp: fix infinite connect loop on invalid private key (#1595135)
-
-* Thu Aug 09 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-5
- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544)
-
-* Tue Aug 07 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-4
- relax crypto policy for the test-suite to make it pass again (#1610888)
-
-* Tue Jul 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-3
- disable flaky test 1900, which covers deprecated HTTP pipelining
- adapt test 323 for updated OpenSSL
-
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.61.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Wed Jul 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-1
- new upstream release, which fixes the following vulnerability
-    CVE-2018-0500 - SMTP send heap buffer overflow
-
-* Tue Jul 10 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-3
- enable support for brotli compression in libcurl-full
-
-* Wed Jul 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-2
- do not hard-wire path of the Python 3 interpreter
-
-* Wed May 16 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2018-1000300 - FTP shutdown response buffer overflow
-    CVE-2018-1000301 - RTSP bad headers buffer over-read
-
-* Thu Mar 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3
- make the test-suite use Python 3
-
-* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2
- ftp: fix typo in recursive callback detection for seeking
-
-* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write
-    CVE-2018-1000121 - LDAP NULL pointer dereference
-    CVE-2018-1000122 - RTSP RTP buffer over-read
-
-* Mon Mar 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-8
- http2: mark the connection for close on GOAWAY
-
-* Mon Feb 19 2018 Paul Howarth <paul@city-fan.org> - 7.58.0-7
- Add explicity-used build requirements
- Fix libcurl soname version number in %%files list to avoid accidental soname
-  bumps
-
-* Thu Feb 15 2018 Paul Howarth <paul@city-fan.org> - 7.58.0-6
- switch to %%ldconfig_scriptlets
- drop legacy BuildRoot: and Group: tags
- enforce versioned libssh dependency for libcurl
-
-* Tue Feb 13 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-5
- drop temporary workaround for #1540549
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.58.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Wed Jan 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-3
- temporarily work around internal compiler error on x86_64 (#1540549)
- disable brp-ldconfig to make RemovePathPostfixes work with shared libs again
-
-* Wed Jan 24 2018 Andreas Schneider <asn@redhat.com> - 7.58.0-2
- use libssh (instead of libssh2) to implement SCP/SFTP in libcurl (#1531483)
-
-* Wed Jan 24 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read
-    CVE-2018-1000007 - curl: HTTP authentication leak in redirects
-
-* Wed Nov 29 2017 Kamil Dudka <kdudka@redhat.com> - 7.57.0-1
- new upstream release, which fixes the following vulnerabilities
-    CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow
-    CVE-2017-8817 - curl: FTP wildcard out of bounds read
-    CVE-2017-8818 - curl: SSL out of buffer access
-
-* Mon Oct 23 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.1-1
- new upstream release (fixes CVE-2017-1000257)
-
-* Wed Oct 04 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.0-1
- new upstream release (fixes CVE-2017-1000254)
-
-* Mon Aug 28 2017 Kamil Dudka <kdudka@redhat.com> - 7.55.1-5
- apply the patch for the previous commit and fix its name (#1485702)
-
-* Mon Aug 28 2017 Bastien Nocera <bnocera@redhat.com> - 7.55.1-4
- Fix NetworkManager connectivity check not working (#1485702)
-
-* Tue Aug 22 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-3
- utilize system wide crypto policies for TLS (#1483972)
-
-* Tue Aug 15 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-2
- make zsh completion work again
-
-* Mon Aug 14 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-1
- new upstream release
-
-* Wed Aug 09 2017 Kamil Dudka <kdudka@redhat.com> 7.55.0-1
- drop multilib fix for libcurl header files no longer needed
- new upstream release, which fixes the following vulnerabilities
-    CVE-2017-1000099 - FILE buffer read out of bounds
-    CVE-2017-1000100 - TFTP sends more than buffer size
-    CVE-2017-1000101 - URL globbing out of bounds read
-
-* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.54.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Fri Jul 28 2017 Florian Weimer <fweimer@redhat.com> - 7.54.1-7
- Rebuild with fixed binutils (#1475636)
-
-* Fri Jul 28 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 7.54.1-6
- Enable separate debuginfo back
-
-* Thu Jul 27 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-5
- rebuild to fix broken linkage of cmake on ppc64le
-
-* Wed Jul 26 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-4
- avoid build failure caused broken RPM code that produces debuginfo packages
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.54.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Mon Jun 19 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-2
- enforce versioned openssl-libs dependency for libcurl (#1462184)
-
-* Wed Jun 14 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-1
- new upstream release
-
-* Tue May 16 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-5
- add *-full provides for curl and libcurl to make them explicitly installable
-
-* Thu May 04 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-4
- make curl-minimal require a new enough version of libcurl
-
-* Thu Apr 27 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-3
- switch the TLS backend back to OpenSSL (#1445153)
-
-* Tue Apr 25 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-2
- nss: use libnssckbi.so as the default source of trust
- nss: do not leak PKCS #11 slot while loading a key (#1444860)
-
-* Thu Apr 20 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-1
- new upstream release (fixes CVE-2017-7468)
-
-* Thu Apr 13 2017 Paul Howarth <paul@city-fan.org> 7.53.1-7
- add %%post and %%postun scriptlets for libcurl-minimal
- libcurl-minimal provides both libcurl and libcurl%%{?_isa}
- remove some legacy spec file cruft
-
-* Wed Apr 12 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-6
- provide (lib)curl-minimal subpackages with lightweight build of (lib)curl
-
-* Mon Apr 10 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-5
- disable upstream test 2033 (flaky test for HTTP/1 pipelining)
-
-* Fri Apr 07 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-4
+* Fri Apr 07 2017 Kamil Dudka <kdudka@redhat.com> 7.51.0-6
 - fix out of bounds read in curl --write-out (CVE-2017-7407)

-* Mon Mar 06 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-3
+* Tue Apr 04 2017 Kamil Dudka <kdudka@redhat.com> 7.51.0-5
 - make the dependency on nss-pem arch-specific (#1428550)

-* Thu Mar 02 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-2
- re-enable valgrind on ix86 because sqlite is fixed (#1428286)
-
-* Fri Feb 24 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-1
- new upstream release
-
-* Wed Feb 22 2017 Kamil Dudka <kdudka@redhat.com> 7.53.0-1
- do not use valgrind on ix86 until sqlite is rebuilt by patched GCC (#1423434)
- new upstream release (fixes CVE-2017-2629)
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.52.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Fri Dec 23 2016 Kamil Dudka <kdudka@redhat.com> 7.52.1-1
- new upstream release (fixes CVE-2016-9586)
+* Fri Dec 23 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-4
+- fix floating point buffer overflow issues (CVE-2016-9586)

 * Mon Nov 21 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-3
 - map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29
+0f876ef6d5776d96b08510461d57db1b  curl-7.51.0.tar.lzma
--- a/tests/non-root-user-download/Makefile
+++ b/tests/non-root-user-download/Makefile
@ -1,63 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/curl/Sanity/non-root-user-download
-#   Description: various download methods with non-root user
-#   Author: Karel Srot <ksrot@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/curl/Sanity/non-root-user-download
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     various download methods with non-root user" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        5m" >> $(METADATA)
-	@echo "RunFor:          curl" >> $(METADATA)
-	@echo "Requires:        curl" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-
-	rhts-lint $(METADATA)
--- a/tests/non-root-user-download/PURPOSE
+++ b/tests/non-root-user-download/PURPOSE
@ -1,3 +0,0 @@
-PURPOSE of /CoreOS/curl/Sanity/non-root-user-download
-Description: various download methods with non-root user
-Author: Karel Srot <ksrot@redhat.com>
--- a/tests/non-root-user-download/runtest.sh
+++ b/tests/non-root-user-download/runtest.sh
@ -1,92 +0,0 @@
-#!/bin/bash
-# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of /CoreOS/curl/Sanity/non-root-user-download
-#   Description: various download methods with non-root user
-#   Author: Karel Srot <ksrot@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/bin/rhts-environment.sh || exit 1
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="curl"
-
-FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed
-PASSWORD=pAssw0rd
-OPTIONS=""
-rlIsRHEL 7 && OPTIONS="--insecure"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm $PACKAGE
-        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-        rlRun "pushd $TmpDir"
-        rlRun "useradd -m curltester" 0 "Adding the test user"
-        rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
-        rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
-        [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
-        rlFileBackup $HOME/.ssh/known_hosts /etc/hosts
-        ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
-    rlPhaseEnd
-
-    rlPhaseStartTest "http download"
-        rlRun "su - curltester -c 'curl $HTTP_URL' &> http.log"
-        cat http.log
-        rlAssertGrep "$CONTENT" http.log
-    rlPhaseEnd
-
-    rlPhaseStartTest "ftp download"
-        rlRun "su - curltester -c 'curl $FTP_URL' &> ftp.log"
-        cat ftp.log
-        rlAssertGrep "$CONTENT" ftp.log
-    rlPhaseEnd
-
-if ! rlIsRHEL 5; then
-# scp sftp not supported on RHEL5
-
-    rlPhaseStartTest "scp download"
-        rlRun "curl -u curltester:$PASSWORD $OPTIONS scp://localhost/home/curltester/testfile &> scp.log"
-        cat scp.log
-        rlAssertGrep "$CONTENT" scp.log
-    rlPhaseEnd
-
-    rlPhaseStartTest "sftp download"
-        rlRun "curl -u curltester:$PASSWORD $OPTIONS sftp://localhost/home/curltester/testfile &> sftp.log"
-        cat sftp.log
-        rlAssertGrep "$CONTENT" sftp.log
-    rlPhaseEnd
-
-fi
-
-    rlPhaseStartCleanup
-        rlRun "rm -f $HOME/.ssh/known_hosts"
-        rlFileRestore
-        rlRun "popd"
-        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-        rlRun "userdel -r --force curltester"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd
--- a/tests/non-root-user-download/runtest.yml
+++ b/tests/non-root-user-download/runtest.yml
@ -1,64 +0,0 @@
- hosts: '{{ hosts | default("localhost") }}'
-  vars:
-    package: "curl"
-  tasks:
-    - name: "Set Content variables"
-      set_fact:
-        content: "a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed"
-        password: "pAssw0rd"
-        crypt_password: "$6$/5GE87XLYLLfB3qx$w84Kct34UZG/4buTSXWkaaVIsw2xGXSAdmnS2QYdG8TtRgTsBnHdFdSkhoy.tKIE6A6LKlxczIZjQbpB19k7B1"
-    - name: "Create user curltester"
-      user: 
-        name: "curltester"
-        password: "{{ crypt_password }}"
-    - name: "Copy testfile"
-      copy:
-          dest: "/home/curltester/testfile"
-          content: "{{ content }}"
-    - block:
-      - name: "http download"
-        command: "curl https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
-        args:
-            warn: false
-        register: http
-        become: yes
-        become_user: curltester
-      - name: "Compare http output"
-        fail:
-            msg: "{{ content }} not in {{ http.stdout }}"
-        when: content not in http.stdout
-      - name: "ftp download"
-        command: "curl ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
-        args:
-            warn: false
-        register: ftp
-        become: yes
-        become_user: curltester
-      - name: "Compare ftp output"
-        fail:
-            msg: "{{ content }} not in {{ ftp.stdout }}"
-        when: content not in ftp.stdout
-      - name: "scp download"
-        command: "curl -u curltester:{{ password }} --insecure scp://localhost/home/curltester/testfile"
-        args:
-            warn: false
-        register: scp
-      - name: "Compare scp output"
-        fail:
-            msg: "{{ content }} not in {{ scp.stdout }}"
-        when: content not in scp.stdout
-      - name: "sftp download"
-        command: "curl -u curltester:{{ password }} --insecure sftp://localhost/home/curltester/testfile"
-        args:
-            warn: false
-        register: sftp
-      - name: "Compare sftp output"
-        fail:
-            msg: "{{ content }} not in {{ sftp.stdout }}"
-        when: content not in sftp.stdout
-      always:
-      - name: "Remove user curltester"
-        user: 
-            name: "curltester"
-            remove: yes
-            state: absent
--- a/tests/scp-and-sftp-download-test/Makefile
+++ b/tests/scp-and-sftp-download-test/Makefile
@ -1,63 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/curl/Sanity/scp-and-sftp-download-test
-#   Description: downloads test file through scp and sftp
-#   Author: Karel Srot <ksrot@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2012 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/curl/Sanity/scp-and-sftp-download-test
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     downloads test file through scp and sftp" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          curl" >> $(METADATA)
-	@echo "Requires:        curl openssh" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-
-	rhts-lint $(METADATA)
--- a/tests/scp-and-sftp-download-test/PURPOSE
+++ b/tests/scp-and-sftp-download-test/PURPOSE
@ -1,12 +0,0 @@
-PURPOSE of /CoreOS/curl/Sanity/scp-and-sftp-download-test
-Description: downloads test file through scp and sftp
-Author: Karel Srot <ksrot@redhat.com>
-
-Test scenario:
- scp download
- sftp download
- scp upload
- sftp upload
-
-When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
-with empty --pubkey parameter (--pubkey "") or with the paramiter omitted
--- a/tests/scp-and-sftp-download-test/runtest.sh
+++ b/tests/scp-and-sftp-download-test/runtest.sh
@ -1,130 +0,0 @@
-#!/bin/bash
-# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of /CoreOS/curl/Sanity/scp-and-sftp-download-test
-#   Description: downloads test file through scp and sftp
-#   Author: Karel Srot <ksrot@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2012 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/bin/rhts-environment.sh
-. /usr/lib/beakerlib/beakerlib.sh
-
-PACKAGE="curl"
-
-# GLOBAL/ENVIRONMENT VARIABLE:
-# PUBKEY_PARAM
-
-if [ "$PUBKEY_PARAM" == 'none' ]; then
-  PUBKEY_PARAM=""
-elif [ "$PUBKEY_PARAM" == 'empty' ]; then
-  PUBKEY_PARAM="--pubkey ''"
-else
-  PUBKEY_PARAM='--pubkey /root/.ssh/id_rsa.pub'
-fi
-
-FILESIZE=200 #MB
-OPTIONS=""
-rlIsRHEL 7 && OPTIONS="--insecure"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm $PACKAGE
-        rlFileBackup --clean  /root/.ssh/known_hosts /root/.ssh
-        rlFileBackup --clean  /etc/ssh/sshd_config
-        rlRun "useradd -m curltestuser"
-
-        # In FIPS-140 we need to explicitly allow one of libssh2-implemented
-        # Kex algorithms (eg. DH14-SHA1).
-        rlRun "echo 'KexAlgorithms +diffie-hellman-group14-sha1' >> /etc/ssh/sshd_config" 0
-        rlServiceStop "sshd"
-        rlRun "service sshd start && sleep 5" 0
-
-        # file for download test
-        rlRun "su - curltestuser -c 'dd if=/dev/zero of=testfile bs=1M count=200'" 0 "Creating $FILESIZE MB large test file"
-        SUM=`sha256sum /home/curltestuser/testfile | cut -d ' ' -f 1`
-        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-        rlRun "pushd $TmpDir"
-        rlRun "rm -vf /root/.ssh/*"
-        rlRun "ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ''" 0 "Generate ssh key"
-        rlRun "mkdir /home/curltestuser/.ssh && cat /root/.ssh/id_rsa.pub > /home/curltestuser/.ssh/authorized_keys && chown -R curltestuser.curltestuser /home/curltestuser/.ssh/" 0 "Save the key to .ssh/authorized_keys"
-
-        # this is a workaround as libssh2 is not able to use newer hashes
-        #rlRun "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/root/.ssh/known_hosts curltestuser@localhost 'exit'" 0 "First ssh login to add localhost to known_hosts"
-        rlRun "ssh-keyscan localhost >>/root/.ssh/known_hosts"
-
-        # files for upload test
-        rlRun "dd if=/dev/zero of=uploadfile1 bs=1M count=50" 0 "Creating 50 MB large test file"
-        UPSUM1=`sha256sum uploadfile1 | cut -d ' ' -f 1`
-        rlRun "dd if=/dev/zero of=uploadfile2 bs=1M count=20" 0 "Creating 20 MB large test file"
-        UPSUM2=`sha256sum uploadfile2 | cut -d ' ' -f 1`
-    rlPhaseEnd
-
-    rlPhaseStartTest "scp download test"
-        rlRun "curl -o ./scp_file -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS scp://localhost/home/curltestuser/testfile" 0 "Initiate curl scp download"
-        rlAssertExists scp_file
-        SCPSUM=`sha256sum ./scp_file | cut -d ' ' -f 1`
-        rlAssertEquals "Checking that whole file was properly downloaded" $SUM $SCPSUM
-        rm -f ./scp_file
-    rlPhaseEnd
-
-    rlPhaseStartTest "sftp download test"
-        rlRun "curl -o ./sftp_file -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS sftp://localhost/home/curltestuser/testfile" 0 "Initiate curl scp download"
-        rlAssertExists sftp_file
-        SFTPSUM=`sha256sum ./sftp_file | cut -d ' ' -f 1`
-        rlAssertEquals "Checking that whole file was properly downloaded" $SUM $SFTPSUM
-        rm -f ./sftp_file
-    rlPhaseEnd
-
-    rlPhaseStartTest "scp upload test"
-        rlRun "curl -T '{uploadfile1,uploadfile2}' scp://localhost/home/curltestuser/ -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS" 0 "Initiate curl scp upload"
-        rlAssertExists /home/curltestuser/uploadfile1
-        rlAssertExists /home/curltestuser/uploadfile2
-        SCPUPSUM1=`sha256sum /home/curltestuser/uploadfile1 | cut -d ' ' -f 1`
-        SCPUPSUM2=`sha256sum /home/curltestuser/uploadfile2 | cut -d ' ' -f 1`
-        rlAssertEquals "Checking that 1st file was properly uploaded" ${UPSUM1} ${SCPUPSUM1}
-        rlAssertEquals "Checking that 2nd file was properly uploaded" ${UPSUM2} ${SCPUPSUM2}
-        rm -f /home/curltestuser/uploadfile1 /home/curltestuser/uploadfile2
-    rlPhaseEnd
-
-    rlPhaseStartTest "sftp upload test"
-        rlRun "curl -T '{uploadfile1,uploadfile2}' sftp://localhost/home/curltestuser/ -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS" 0 "Initiate curl sftp upload"
-        rlAssertExists /home/curltestuser/uploadfile1
-        rlAssertExists /home/curltestuser/uploadfile2
-        SFTPUPSUM1=`sha256sum /home/curltestuser/uploadfile1 | cut -d ' ' -f 1`
-        SFTPUPSUM2=`sha256sum /home/curltestuser/uploadfile2 | cut -d ' ' -f 1`
-        rlAssertEquals "Checking that 1st file was properly uploaded" ${UPSUM1} ${SFTPUPSUM1}
-        rlAssertEquals "Checking that 2nd file was properly uploaded" ${UPSUM2} ${SFTPUPSUM2}
-        rm -f /home/curltestuser/uploadfile1 /home/curltestuser/uploadfile2
-    rlPhaseEnd
-
-
-    rlPhaseStartCleanup
-        rlRun "userdel -r --force curltestuser"
-        rlRun "popd"
-        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-        rlFileRestore
-        rlServiceRestore "sshd"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -1,26 +0,0 @@
---
-# Tests for Classic
- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - scp-and-sftp-download-test
-    - non-root-user-download
-    required_packages:
-    - findutils         # non-root-user-download needs find command
-                        # scp-and-sftp-download-test needs find command
-    - passwd            # non-root-user-download needs passwd command
-    - openssh-clients   # non-root-user-download needs ssh-keyscan command
-
-# Tests for Atomic
- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - atomic
-    tests:
-    - scp-and-sftp-download-test
-    - non-root-user-download
-
Author	SHA1	Message	Date
Kamil Dudka	2fc0fbf615	Resolves: CVE-2017-1000100 - tftp: reject file name lengths that do not fit buffer	2017-08-09 15:49:56 +02:00
Kamil Dudka	d0ba002000	Resolves: CVE-2017-1000101 - do not continue parsing of glob after range overflow	2017-08-09 15:48:51 +02:00
Kamil Dudka	b2b5c8f5f1	Resolves: #1436158 - nss: fix a possible use-after-free in SelectClientCert()	2017-07-20 08:57:41 +02:00
Kamil Dudka	f7a237e96a	Resolves: #1463532 - fix links to documentation of TLS cipher-suites	2017-06-21 15:51:05 +02:00
Kamil Dudka	944a671273	Resolves: CVE-2017-7407 - fix out of bounds read in curl --write-out	2017-04-07 12:51:56 +02:00
Kamil Dudka	afa73a568f	Resolves: #1428550 - make the dependency on nss-pem arch-specific	2017-04-04 10:05:25 +02:00
Kamil Dudka	d1f798c07e	Resolves: CVE-2016-9586 - fix floating point buffer overflow issues	2016-12-23 10:54:34 +01:00