SOURCES/0048-curl-7.61.1-CVE-2023-27535.patch

@@ -0,0 +1,231 @@
+From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH 1/2] strcase: add Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-commit: ed5095ed94281989e103c72e032200b83be37878
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/strcase.c | 22 ++++++++++++++++++++++
+ lib/strcase.h |  1 +
+ 2 files changed, 23 insertions(+)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index f932485..c73907d 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -175,6 +175,28 @@ bool Curl_safecmp(char *a, char *b)
+   return !a && !b;
+ }
+ 
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++  int match = 0;
++  int i = 0;
++
++  if(a && b) {
++    while(1) {
++      match |= a[i]^b[i];
++      if(!a[i] || !b[i])
++        break;
++      i++;
++    }
++  }
++  else
++    return a || b;
++  return match;
++}
++
+ /* --- public functions --- */
+ 
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index d245929..11a67a1 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -48,5 +48,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ 
+ bool Curl_safecmp(char *a, char *b);
++int Curl_timestrcmp(const char *first, const char *second);
+ 
+ #endif /* HEADER_CURL_STRCASE_H */
+-- 
+2.39.2
+
+
+From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 17:47:06 +0100
+Subject: [PATCH 2/2] ftp: add more conditions for connection reuse
+
+Reported-by: Harry Sintonen
+Closes #10730
+
+Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ftp.c     | 28 ++++++++++++++++++++++++++--
+ lib/ftp.h     |  5 +++++
+ lib/setopt.c  |  2 +-
+ lib/url.c     | 13 ++++++++++++-
+ lib/urldata.h |  4 ++--
+ 5 files changed, 46 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 9442832..df15bc0 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -4080,6 +4080,8 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
+   }
+ 
+   freedirs(ftpc);
++  Curl_safefree(ftpc->account);
++  Curl_safefree(ftpc->alternative_to_user);
+   free(ftpc->prevpath);
+   ftpc->prevpath = NULL;
+   free(ftpc->server_os);
+@@ -4391,11 +4393,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+   struct Curl_easy *data = conn->data;
+   char *type;
+   struct FTP *ftp;
++  struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+-  conn->data->req.protop = ftp = malloc(sizeof(struct FTP));
++  ftp = calloc(sizeof(struct FTP), 1);
+   if(NULL == ftp)
+     return CURLE_OUT_OF_MEMORY;
+ 
++  /* clone connection related data that is FTP specific */
++  if(data->set.str[STRING_FTP_ACCOUNT]) {
++    ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
++    if(!ftpc->account) {
++      free(ftp);
++      return CURLE_OUT_OF_MEMORY;
++    }
++  }
++  if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
++    ftpc->alternative_to_user =
++      strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
++    if(!ftpc->alternative_to_user) {
++      Curl_safefree(ftpc->account);
++      free(ftp);
++      return CURLE_OUT_OF_MEMORY;
++    }
++  }
++  data->req.protop = ftp;
++
+   data->state.path++;   /* don't include the initial slash */
+   data->state.slash_removed = TRUE; /* we've skipped the slash */
+ 
+@@ -4445,7 +4467,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+   if(isBadFtpString(ftp->passwd))
+     return CURLE_URL_MALFORMAT;
+ 
+-  conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
++  ftpc->known_filesize = -1; /* unknown size for now */
++  ftpc->use_ssl = data->set.use_ssl;
++  ftpc->ccc = data->set.ftp_ccc;
+ 
+   return CURLE_OK;
+ }
+diff --git a/lib/ftp.h b/lib/ftp.h
+index 7f6f432..3f33e27 100644
+--- a/lib/ftp.h
++++ b/lib/ftp.h
+@@ -117,6 +117,8 @@ struct FTP {
+    struct */
+ struct ftp_conn {
+   struct pingpong pp;
++  char *account;
++  char *alternative_to_user;
+   char *entrypath; /* the PWD reply when we logged on */
+   char **dirs;   /* realloc()ed array for path components */
+   int dirdepth;  /* number of entries used in the 'dirs' array */
+@@ -144,6 +146,9 @@ struct ftp_conn {
+   ftpstate state; /* always use ftp.c:state() to change state! */
+   ftpstate state_saved; /* transfer type saved to be reloaded after
+                            data connection is established */
++  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
++                              IMAP or POP3 or others! (type: curl_usessl)*/
++  unsigned char ccc;       /* ccc level for this connection */
+   curl_off_t retr_size_saved; /* Size of retrieved file saved */
+   char *server_os;     /* The target server operating system. */
+   curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 3339a67..6fc111d 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2039,7 +2039,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+     arg = va_arg(param, long);
+     if((arg < CURLUSESSL_NONE) || (arg > CURLUSESSL_ALL))
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+-    data->set.use_ssl = (curl_usessl)arg;
++    data->set.use_ssl = (unsigned char)arg;
+     break;
+ 
+   case CURLOPT_SSL_OPTIONS:
+diff --git a/lib/url.c b/lib/url.c
+index 61ba832..4e21838 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1309,7 +1309,18 @@ ConnectionExists(struct Curl_easy *data,
+         if(!ssh_config_matches(needle, check))
+           continue;
+       }
+-
++#ifndef CURL_DISABLE_FTP
++      if(needle->handler->protocol & (CURLPROTO_FTP|CURLPROTO_FTPS)) {
++        /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
++        if(Curl_timestrcmp(needle->proto.ftpc.account,
++                           check->proto.ftpc.account) ||
++           Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
++                           check->proto.ftpc.alternative_to_user) ||
++           (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
++           (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
++          continue;
++      }
++#endif
+       if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
+          needle->bits.tunnel_proxy) {
+         /* The requested connection does not use a HTTP proxy or it uses SSL or
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 9d9ca92..4e2f5b9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1498,6 +1498,8 @@ struct UserDefined {
+   curl_write_callback fwrite_header; /* function that stores headers */
+   curl_write_callback fwrite_rtp;    /* function that stores interleaved RTP */
+   curl_read_callback fread_func_set; /* function that reads the input */
++  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
++                              IMAP or POP3 or others! (type: curl_usessl)*/
+   int is_fread_set; /* boolean, has read callback been set to non-NULL? */
+   int is_fwrite_set; /* boolean, has write callback been set to non-NULL? */
+   curl_progress_callback fprogress; /* OLD and deprecated progress callback  */
+@@ -1622,8 +1624,6 @@ struct UserDefined {
+   bool ftp_use_eprt;     /* if EPRT is to be attempted or not */
+   bool ftp_use_pret;     /* if PRET is to be used before PASV or not */
+ 
+-  curl_usessl use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
+-                            IMAP or POP3 or others! */
+   curl_ftpauth ftpsslauth; /* what AUTH XXX to be attempted */
+   curl_ftpccc ftp_ccc;   /* FTP CCC options */
+   bool no_signal;        /* do not use any signal/alarm handler */
+-- 
+2.39.2
+

SOURCES/0049-curl-7.61.1-CVE-2023-27536.patch

@@ -0,0 +1,55 @@
+From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 09:22:43 +0100
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c     | 6 ++++++
+ lib/urldata.h | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 3b11b7e..cbbc7f3 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1305,6 +1305,11 @@ ConnectionExists(struct Curl_easy *data,
+         }
+       }
+ 
++      /* GSS delegation differences do not actually affect every connection
++         and auth method, but this check takes precaution before efficiency */
++      if(needle->gssapi_delegation != check->gssapi_delegation)
++        continue;
++
+       if(needle->handler->protocol & (CURLPROTO_SCP|CURLPROTO_SFTP)) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+@@ -1949,6 +1954,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+      it may live on without (this specific) Curl_easy */
+   conn->fclosesocket = data->set.fclosesocket;
+   conn->closesocket_client = data->set.closesocket_client;
++  conn->gssapi_delegation = data->set.gssapi_delegation;
+ 
+   return conn;
+   error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ce90304..9e16f26 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -856,6 +856,8 @@ struct connectdata {
+   int httpversion;        /* the HTTP version*10 reported by the server */
+   int rtspversion;        /* the RTSP version*10 reported by the server */
+ 
++  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
++
+   struct curltime now;     /* "current" time */
+   struct curltime created; /* creation time */
+   curl_socket_t sock[2]; /* two sockets, the second is used for the data
+-- 
+2.39.2
+

SOURCES/0050-curl-7.61.1-sftp-upload-flags.patch

@@ -0,0 +1,34 @@
+From cc52b2d89397ff26b01d791cd1c605cba741aaa4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Felix=20H=C3=A4dicke?= <felixhaedicke@web.de>
+Date: Wed, 24 Jul 2019 11:47:51 +0200
+Subject: [PATCH] ssh-libssh: do not specify O_APPEND when not in append mode
+
+Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
+make much sense. And this combination of flags is not accepted by all
+SFTP servers (at least not Apache SSHD).
+
+Fixes #4147
+Closes #4148
+
+Upstream-commit: 62617495102c60124db8a909f592f063e38a89aa
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ssh-libssh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
+index 4110be2..2414173 100644
+--- a/lib/ssh-libssh.c
++++ b/lib/ssh-libssh.c
+@@ -1112,7 +1112,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
+         flags = O_WRONLY|O_APPEND;
+       else
+         /* Clear file before writing (normal behaviour) */
+-        flags = O_WRONLY|O_APPEND|O_CREAT|O_TRUNC;
++        flags = O_WRONLY|O_CREAT|O_TRUNC;
+ 
+       if(sshc->sftp_file)
+         sftp_close(sshc->sftp_file);
+-- 
+2.39.2
+

SOURCES/0051-curl-7.61.1-CVE-2023-28321.patch

@@ -0,0 +1,305 @@
+From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 24 Apr 2023 21:07:02 +0200
+Subject: [PATCH] hostcheck: fix host name wildcard checking
+
+The leftmost "label" of the host name can now only match against single
+'*'. Like the browsers have worked for a long time.
+
+- extended unit test 1397 for this
+- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc
+
+Reported-by: Hiroki Kurosawa
+Closes #11018
+---
+ lib/hostcheck.c         |  50 +++++++--------
+ tests/data/test1397     |  10 ++-
+ tests/unit/Makefile.am  |  94 ----------------------------
+ tests/unit/Makefile.inc |  94 ++++++++++++++++++++++++++++
+ tests/unit/unit1397.c   | 134 ++++++++++++++++++++++++----------------
+ 5 files changed, 202 insertions(+), 180 deletions(-)
+
+diff --git a/lib/hostcheck.c b/lib/hostcheck.c
+index e827dc58f378c..d061c6356f97f 100644
+--- a/lib/hostcheck.c
++++ b/lib/hostcheck.c
+@@ -43,6 +43,17 @@
+ /* The last #include file should be: */
+ #include "memdebug.h"
+ 
++/* check the two input strings with given length, but do not
++   assume they end in nul-bytes */
++static int pmatch(const char *hostname, size_t hostlen,
++                  const char *pattern, size_t patternlen)
++{
++  if(hostlen != patternlen)
++    return CURL_HOST_NOMATCH;
++  return strncasecompare(hostname, pattern, hostlen) ?
++    CURL_HOST_MATCH : CURL_HOST_NOMATCH;
++}
++
+ /*
+  * Match a hostname against a wildcard pattern.
+  * E.g.
+@@ -65,26 +76,27 @@
+ 
+ static int hostmatch(char *hostname, char *pattern)
+ {
+-  const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
+-  int wildcard_enabled;
+-  size_t prefixlen, suffixlen;
++  size_t hostlen, patternlen;
++  const char *pattern_label_end;
+   struct in_addr ignored;
+ #ifdef ENABLE_IPV6
+   struct sockaddr_in6 si6;
+ #endif
+ 
++  DEBUGASSERT(pattern);
++  DEBUGASSERT(hostname);
++
++  hostlen = strlen(hostname);
++  patternlen = strlen(pattern);
++
+   /* normalize pattern and hostname by stripping off trailing dots */
+-  size_t len = strlen(hostname);
+-  if(hostname[len-1]=='.')
+-    hostname[len-1] = 0;
+-  len = strlen(pattern);
+-  if(pattern[len-1]=='.')
+-    pattern[len-1] = 0;
+-
+-  pattern_wildcard = strchr(pattern, '*');
+-  if(pattern_wildcard == NULL)
+-    return strcasecompare(pattern, hostname) ?
+-      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
++  if(hostname[hostlen-1]=='.')
++    hostname[hostlen-1] = 0;
++  if(pattern[patternlen-1]=='.')
++    pattern[patternlen-1] = 0;
++
++  if(strncmp(pattern, "*.", 2))
++    return pmatch(hostname, hostlen, pattern, patternlen);
+ 
+   /* detect IP address as hostname and fail the match if so */
+   if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+@@ -96,34 +108,20 @@ static int hostmatch(char *hostname, char *pattern)
+ 
+   /* We require at least 2 dots in pattern to avoid too wide wildcard
+      match. */
+-  wildcard_enabled = 1;
+   pattern_label_end = strchr(pattern, '.');
+-  if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL ||
+-     pattern_wildcard > pattern_label_end ||
+-     strncasecompare(pattern, "xn--", 4)) {
+-    wildcard_enabled = 0;
++  if(pattern_label_end == NULL ||
++    (strrchr(pattern, '.') == pattern_label_end))
++      return pmatch(pattern, patternlen, hostname, hostlen);
++
++  const char *hostname_label_end = strchr(hostname, '.');
++  if(hostname_label_end != NULL) {
++    size_t skiphost = hostname_label_end - hostname;
++    size_t skiplen = pattern_label_end - pattern;
++    return pmatch(hostname_label_end, hostlen - skiphost,
++                  pattern_label_end, patternlen - skiplen);
+   }
+-  if(!wildcard_enabled)
+-    return strcasecompare(pattern, hostname) ?
+-      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+-
+-  hostname_label_end = strchr(hostname, '.');
+-  if(hostname_label_end == NULL ||
+-     !strcasecompare(pattern_label_end, hostname_label_end))
+-    return CURL_HOST_NOMATCH;
+ 
+-  /* The wildcard must match at least one character, so the left-most
+-     label of the hostname is at least as large as the left-most label
+-     of the pattern. */
+-  if(hostname_label_end - hostname < pattern_label_end - pattern)
+-    return CURL_HOST_NOMATCH;
+-
+-  prefixlen = pattern_wildcard - pattern;
+-  suffixlen = pattern_label_end - (pattern_wildcard + 1);
+-  return strncasecompare(pattern, hostname, prefixlen) &&
+-    strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen,
+-                    suffixlen) ?
+-    CURL_HOST_MATCH : CURL_HOST_NOMATCH;
++  return CURL_HOST_NOMATCH;
+ }
+ 
+ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
+diff --git a/tests/data/test1397 b/tests/data/test1397
+index 84f962abebee3..f31b2c2a3f330 100644
+--- a/tests/data/test1397
++++ b/tests/data/test1397
+@@ -2,8 +2,7 @@
+ <info>
+ <keywords>
+ unittest
+-ssl
+-wildcard
++Curl_cert_hostcheck
+ </keywords>
+ </info>
+ 
+@@ -15,10 +14,10 @@ none
+ <features>
+ unittest
+ </features>
+- <name>
+-Check wildcard certificate matching function Curl_cert_hostcheck
+- </name>
++<name>
++Curl_cert_hostcheck unit tests
++</name>
+ <tool>
+ unit1397
+ </tool>
+ </client>
+diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
+index 2f3d3aa4d09e1..3ae75618d5d10 100644
+--- a/tests/unit/unit1397.c
++++ b/tests/unit/unit1397.c
+@@ -21,8 +21,6 @@
+  ***************************************************************************/
+ #include "curlcheck.h"
+ 
+-#include "hostcheck.h" /* from the lib dir */
+-
+ static CURLcode unit_setup(void)
+ {
+   return CURLE_OK;
+@@ -30,50 +28,93 @@ static CURLcode unit_setup(void)
+ 
+ static void unit_stop(void)
+ {
+-  /* done before shutting down and exiting */
+ }
+ 
+-UNITTEST_START
+-
+ /* only these backends define the tested functions */
+-#if defined(USE_OPENSSL) || defined(USE_AXTLS) || defined(USE_GSKIT)
+-
+-  /* here you start doing things and checking that the results are good */
++#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
++#include "hostcheck.h"
++struct testcase {
++  const char *host;
++  const char *pattern;
++  bool match;
++};
+ 
+-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"),
+-            "good 1");
+-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"),
+-            "good 2");
+-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"),
+-            "good 3");
+-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"),
+-            "good 4");
+-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"),
+-            "good 5");
+-
+-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1");
+-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2");
+-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3");
+-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4");
+-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5");
+-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6");
+-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7");
+-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8");
+-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9");
+-fail_if(Curl_cert_hostcheck("", "www"), "bad 10");
+-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11");
+-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12");
+-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13");
+-
+-#ifdef ENABLE_IPV6
+-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619",
+-                            "fe80::3285:a9ff:fe46:b619"), "bad 14");
+-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619",
+-                                "fe80::3285:a9ff:fe46:b619"), "good 6");
+-#endif
++static struct testcase tests[] = {
++  {"", "", FALSE},
++  {"a", "", FALSE},
++  {"", "b", FALSE},
++  {"a", "b", FALSE},
++  {"aa", "bb", FALSE},
++  {"\xff", "\xff", TRUE},
++  {"aa.aa.aa", "aa.aa.bb", FALSE},
++  {"aa.aa.aa", "aa.aa.aa", TRUE},
++  {"aa.aa.aa", "*.aa.bb", FALSE},
++  {"aa.aa.aa", "*.aa.aa", TRUE},
++  {"192.168.0.1", "192.168.0.1", TRUE},
++  {"192.168.0.1", "*.168.0.1", FALSE},
++  {"192.168.0.1", "*.0.1", FALSE},
++  {"h.ello", "*.ello", FALSE},
++  {"h.ello.", "*.ello", FALSE},
++  {"h.ello", "*.ello.", FALSE},
++  {"h.e.llo", "*.e.llo", TRUE},
++  {"h.e.llo", " *.e.llo", FALSE},
++  {" h.e.llo", "*.e.llo", TRUE},
++  {"h.e.llo.", "*.e.llo", TRUE},
++  {"*.e.llo.", "*.e.llo", TRUE},
++  {"************.e.llo.", "*.e.llo", TRUE},
++  {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++   "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
++   "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
++   "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
++   "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
++   ".e.llo.", "*.e.llo", TRUE},
++  {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
++  {"h.e.llo.", "*.e.llo.", TRUE},
++  {"h.e.llo", "*.e.llo.", TRUE},
++  {".h.e.llo", "*.e.llo.", FALSE},
++  {"h.e.llo", "*.*.llo.", FALSE},
++  {"h.e.llo", "h.*.llo", FALSE},
++  {"h.e.llo", "h.e.*", FALSE},
++  {"hello", "*.ello", FALSE},
++  {"hello", "**llo", FALSE},
++  {"bar.foo.example.com", "*.example.com", FALSE},
++  {"foo.example.com", "*.example.com", TRUE},
++  {"baz.example.net", "b*z.example.net", FALSE},
++  {"foobaz.example.net", "*baz.example.net", FALSE},
++  {"xn--l8j.example.local", "x*.example.local", FALSE},
++  {"xn--l8j.example.net", "*.example.net", TRUE},
++  {"xn--l8j.example.net", "*j.example.net", FALSE},
++  {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
++  {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
++  {"xl8j.example.net", "*.example.net", TRUE},
++  {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
++  {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
++  {NULL, NULL, FALSE}
++};
+ 
+-#endif
++UNITTEST_START
++{
++  int i;
++  for(i = 0; tests[i].host; i++) {
++    if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
++                                             strlen(tests[i].pattern),
++                                             tests[i].host,
++                                             strlen(tests[i].host))) {
++      fprintf(stderr,
++              "HOST: %s\n"
++              "PTRN: %s\n"
++              "did %sMATCH\n",
++              tests[i].host,
++              tests[i].pattern,
++              tests[i].match ? "NOT ": "");
++      unitfail++;
++    }
++  }
++}
++UNITTEST_STOP
++#else
+ 
+-  /* you end the test code like this: */
++UNITTEST_START
+ 
+ UNITTEST_STOP
++#endif

SOURCES/0053-curl-7.61.1-password-when-keyboard-interactive-fails.patch

@@ -0,0 +1,169 @@
+From be17dc9d31e805c03372b690dde67838b3bfc12d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 24 May 2023 16:34:11 +0200
+Subject: [PATCH] libssh: when keyboard-interactive auth fails, try password
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The state machine had a mistake in that it would not carry on to that
+next step.
+
+This also adds a verbose output what methods that are available from the
+server and renames the macros that change to the next auth methods to
+try.
+
+Reported-by: 左潇峰
+Fixes #11196
+Closes #11197
+---
+ lib/ssh-libssh.c | 43 +++++++++++++++++++++++++++----------------
+ 1 file changed, 27 insertions(+), 16 deletions(-)
+
+diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
+index 7ebe61321419f..1cecb649cb623 100644
+--- a/lib/ssh-libssh.c
++++ b/lib/ssh-libssh.c
+@@ -442,7 +442,7 @@ static int myssh_is_known(struct Curl_easy *data)
+   break; \
+ }
+ 
+-#define MOVE_TO_LAST_AUTH \
++#define MOVE_TO_PASSWD_AUTH \
+   if(sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD) { \
+     rc = SSH_OK; \
+     state(conn, SSH_AUTH_PASS_INIT); \
+@@ -452,25 +452,25 @@ static int myssh_is_known(struct Curl_easy *data)
+     MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); \
+   }
+ 
+-#define MOVE_TO_TERTIARY_AUTH \
++#define MOVE_TO_KEY_AUTH \
+   if(sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE) { \
+     rc = SSH_OK; \
+     state(conn, SSH_AUTH_KEY_INIT); \
+     break; \
+   } \
+   else { \
+-    MOVE_TO_LAST_AUTH; \
++    MOVE_TO_PASSWD_AUTH; \
+   }
+ 
+-#define MOVE_TO_SECONDARY_AUTH \
++#define MOVE_TO_GSSAPI_AUTH \
+   if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { \
+     rc = SSH_OK; \
+     state(conn, SSH_AUTH_GSSAPI); \
+     break; \
+   } \
+   else { \
+-    MOVE_TO_TERTIARY_AUTH; \
++    MOVE_TO_KEY_AUTH; \
+   }
+ 
+ static
+ int myssh_auth_interactive(struct connectdata *conn)
+@@ -617,6 +617,16 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+         }
+ 
+         sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
++        if(sshc->auth_methods)
++          infof(data, "SSH authentication methods available: %s%s%s%s",
++                sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY ?
++                "public key, ": "",
++                sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC ?
++                "GSSAPI, " : "",
++                sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE ?
++                "keyboard-interactive, " : "",
++                sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
++                "password": "");
+         if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
+           state(conn, SSH_AUTH_PKEY_INIT);
+           infof(data, "Authentication using SSH public key file\n");
+@@ -761,8 +761,8 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+       }
+     case SSH_AUTH_PKEY_INIT:
+       if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PUBLICKEY)) {
+-        MOVE_TO_SECONDARY_AUTH;
++        MOVE_TO_GSSAPI_AUTH;
+       }
+ 
+       /* Two choices, (1) private key was given on CMD,
+        * (2) use the "default" keys. */
+@@ -776,7 +776,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+           }
+ 
+           if(rc != SSH_OK) {
+-            MOVE_TO_SECONDARY_AUTH;
++            MOVE_TO_GSSAPI_AUTH;
+           }
+         }
+ 
+@@ -826,7 +836,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+           break;
+         }
+ 
+-        MOVE_TO_SECONDARY_AUTH;
++        MOVE_TO_GSSAPI_AUTH;
+       }
+       break;
+     case SSH_AUTH_PKEY:
+@@ -828,13 +828,13 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+       }
+       else {
+         infof(data, "Failed public key authentication (rc: %d)\n", rc);
+-        MOVE_TO_SECONDARY_AUTH;
++        MOVE_TO_GSSAPI_AUTH;
+       }
+       break;
+ 
+     case SSH_AUTH_GSSAPI:
+       if(!(data->set.ssh_auth_types & CURLSSH_AUTH_GSSAPI)) {
+-        MOVE_TO_TERTIARY_AUTH;
++        MOVE_TO_KEY_AUTH;
+       }
+ 
+       rc = ssh_userauth_gssapi(sshc->ssh_session);
+@@ -851,7 +851,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+         break;
+       }
+ 
+-      MOVE_TO_TERTIARY_AUTH;
++      MOVE_TO_KEY_AUTH;
+       break;
+ 
+     case SSH_AUTH_KEY_INIT:
+@@ -736,13 +736,12 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+         state(conn, SSH_AUTH_KEY);
+       }
+       else {
+-        MOVE_TO_LAST_AUTH;
++        MOVE_TO_PASSWD_AUTH;
+       }
+       break;
+ 
+     case SSH_AUTH_KEY:
+-
+-      /* Authentication failed. Continue with keyboard-interactive now. */
++      /* keyboard-interactive authentication */
+       rc = myssh_auth_interactive(conn);
+       if(rc == SSH_AGAIN) {
+         break;
+@@ -759,13 +759,15 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+       if(rc == SSH_OK) {
+         sshc->authed = TRUE;
+         infof(data, "completed keyboard interactive authentication\n");
++        state(conn, SSH_AUTH_DONE);
++      }
++      else {
++        MOVE_TO_PASSWD_AUTH;
+       }
+-      state(conn, SSH_AUTH_DONE);
+       break;
+ 
+     case SSH_AUTH_PASS_INIT:
+       if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PASSWORD)) {
+-        /* Host key authentication is intentionally not implemented */
+         MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED);
+       }
+       state(conn, SSH_AUTH_PASS);

SOURCES/0054-curl-7.61.1-64K-sftp.patch

@@ -0,0 +1,31 @@
+From 35eb2614d86316ba9f5a6806ce64f56680fa1e97 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 5 Sep 2023 17:33:41 +0200
+Subject: [PATCH] libssh: cap SFTP packet size sent
+
+Due to libssh limitations
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+
+Closes #11804
+---
+ lib/ssh-libssh.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
+index dea0084575859..7c6a2e53f338f 100644
+--- a/lib/ssh-libssh.c
++++ b/lib/ssh-libssh.c
+@@ -2412,6 +2412,12 @@ static ssize_t sftp_send(struct Curl_easy *data, int sockindex,
+   ssize_t nwrite;
+   (void)sockindex;
+ 
++  /* limit the writes to the maximum specified in Section 3 of
++   * https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02
++   */
++  if(len > 32768)
++    len = 32768;
++
+   nwrite = sftp_write(conn->proto.sshc.sftp_file, mem, len);
+ 
+   myssh_block2waitfor(conn, FALSE);

SOURCES/0055-curl-7.61.1-CVE-2023-28322.patch

@@ -0,0 +1,388 @@
+From 47f0d37bfc008c088416f3dcca802c9e087d9bf1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 25 Apr 2023 08:28:01 +0200
+Subject: [PATCH] lib: unify the upload/method handling
+
+By making sure we set state.upload based on the set.method value and not
+independently as set.upload, we reduce confusion and mixup risks, both
+internally and externally.
+---
+ lib/curl_rtmp.c    | 4 ++--
+ lib/file.c         | 4 ++--
+ lib/ftp.c          | 8 ++++----
+ lib/http.c         | 4 ++--
+ lib/imap.c         | 6 +++---
+ lib/rtsp.c         | 4 ++--
+ lib/setopt.c       | 6 ++----
+ lib/smb.c          | 6 +++---
+ lib/smtp.c         | 4 ++--
+ lib/tftp.c         | 8 ++++----
+ lib/transfer.c     | 4 ++--
+ lib/urldata.h      | 2 +-
+ lib/ssh-libssh.c   | 6 +++---
+ lib/ssh.c          | 6 +++---
+ 14 files changed, 36 insertions(+), 38 deletions(-)
+
+diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c
+index 2679a2cdc1afe..406fb42ac0f44 100644
+--- a/lib/curl_rtmp.c
++++ b/lib/curl_rtmp.c
+@@ -231,7 +231,7 @@ static CURLcode rtmp_connect(struct Curl_easy *data, bool *done)
+   /* We have to know if it's a write before we send the
+    * connect request packet
+    */
+-  if(conn->data->set.upload)
++  if(conn->data->state.upload)
+     r->Link.protocol |= RTMP_FEATURE_WRITE;
+ 
+   /* For plain streams, use the buffer toggle trick to keep data flowing */
+@@ -263,7 +263,7 @@ static CURLcode rtmp_do(struct Curl_easy *data, bool *done)
+   if(!RTMP_ConnectStream(r, 0))
+     return CURLE_FAILED_INIT;
+ 
+-  if(conn->data->set.upload) {
++  if(conn->data->state.upload) {
+     Curl_pgrsSetUploadSize(conn->data, conn->data->state.infilesize);
+     Curl_setup_transfer(conn, -1, -1, FALSE, NULL, FIRSTSOCKET, NULL);
+   }
+diff --git a/lib/file.c b/lib/file.c
+index 51c5d07ce40ab..c751e8861a99b 100644
+--- a/lib/file.c
++++ b/lib/file.c
+@@ -240,7 +240,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done)
+   file->freepath = real_path; /* free this when done */
+ 
+   file->fd = fd;
+-  if(!data->set.upload && (fd == -1)) {
++  if(!data->state.upload && (fd == -1)) {
+     failf(data, "Couldn't open file %s", data->state.path);
+     file_done(conn, CURLE_FILE_COULDNT_READ_FILE, FALSE);
+     return CURLE_FILE_COULDNT_READ_FILE;
+@@ -422,7 +422,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done)
+ 
+   Curl_pgrsStartNow(data);
+ 
+-  if(data->set.upload)
++  if(data->state.upload)
+     return file_upload(conn);
+ 
+   file = conn->data->req.protop;
+diff --git a/lib/ftp.c b/lib/ftp.c
+index f50d7baf622f8..4ff68cc454cbc 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -1381,7 +1381,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data)
+                 data->set.str[STRING_CUSTOMREQUEST]:
+                 (data->set.ftp_list_only?"NLST":"LIST"));
+       }
+-      else if(data->set.upload) {
++      else if(data->state.upload) {
+         PPSENDF(&conn->proto.ftpc.pp, "PRET STOR %s", conn->proto.ftpc.file);
+       }
+       else {
+@@ -3368,7 +3368,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status,
+     /* the response code from the transfer showed an error already so no
+        use checking further */
+     ;
+-  else if(data->set.upload) {
++  else if(data->state.upload) {
+     if((-1 != data->state.infilesize) &&
+        (data->state.infilesize != *ftp->bytecountp) &&
+        !data->set.crlf &&
+@@ -3640,7 +3640,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep)
+                            connected back to us */
+       }
+     }
+-    else if(data->set.upload) {
++    else if(data->state.upload) {
+       result = ftp_nb_type(conn, data->set.prefer_ascii, FTP_STOR_TYPE);
+       if(result)
+         return result;
+@@ -4217,7 +4217,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data)
+     ftpc->file = NULL; /* instead of point to a zero byte, we make it a NULL
+                           pointer */
+ 
+-  if(data->set.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
++  if(data->state.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
+     /* We need a file name when uploading. Return error! */
+     failf(data, "Uploading to a URL without a file name!");
+     return CURLE_URL_MALFORMAT;
+diff --git a/lib/http.c b/lib/http.c
+index 80e43f6f361e8..bffdd3468536d 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2112,7 +2112,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn,
+   http->writebytecount = http->readbytecount = 0;
+ 
+   if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
+-     data->set.upload) {
++     data->state.upload) {
+     httpreq = HTTPREQ_PUT;
+   }
+ 
+@@ -2423,7 +2423,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn,
+     if((conn->handler->protocol & PROTO_FAMILY_HTTP) &&
+        (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) &&
+        http->postsize < 0) ||
+-       (data->set.upload && data->state.infilesize == -1))) {
++       (data->state.upload && data->state.infilesize == -1))) {
+       if(conn->bits.authneg)
+         /* don't enable chunked during auth neg */
+         ;
+diff --git a/lib/imap.c b/lib/imap.c
+index c2f675d4b2618..1952e66a1efcd 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -1511,10 +1511,10 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status,
+     result = status;         /* use the already set error code */
+   }
+   else if(!data->set.connect_only && !imap->custom &&
+-          (imap->uid || data->set.upload ||
++          (imap->uid || data->state.upload ||
+           data->set.mimepost.kind != MIMEKIND_NONE)) {
+     /* Handle responses after FETCH or APPEND transfer has finished */
+-    if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE)
++    if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE)
+       state(conn, IMAP_FETCH_FINAL);
+     else {
+       /* End the APPEND command first by sending an empty line */
+@@ -1581,7 +1581,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected,
+     selected = TRUE;
+ 
+   /* Start the first command in the DO phase */
+-  if(conn->data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE)
++  if(conn->data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE)
+     /* APPEND can be executed directly */
+     result = imap_perform_append(conn);
+   else if(imap->custom && (selected || !imap->mailbox))
+index ea99d720ec4eb..ccd7264b00e74 100644
+--- a/lib/rtsp.c
++++ b/lib/rtsp.c
+@@ -493,7 +493,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done)
+      rtspreq == RTSPREQ_SET_PARAMETER ||
+      rtspreq == RTSPREQ_GET_PARAMETER) {
+ 
+-    if(data->set.upload) {
++    if(data->state.upload) {
+       putsize = data->state.infilesize;
+       data->set.httpreq = HTTPREQ_PUT;
+ 
+@@ -512,7 +512,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done)
+       if(!Curl_checkheaders(conn, "Content-Length")) {
+         result = Curl_add_bufferf(req_buffer,
+             "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
+-            (data->set.upload ? putsize : postsize));
++            (data->state.upload ? putsize : postsize));
+         if(result)
+           return result;
+       }
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 38f5711e44191..0c3b9634d1192 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -333,8 +333,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+      * We want to sent data to the remote host. If this is HTTP, that equals
+      * using the PUT request.
+      */
+-    data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE;
+-    if(data->set.upload) {
++    arg = va_arg(param, long);
++    if(arg) {
+       /* If this is HTTP, PUT is what's needed to "upload" */
+       data->set.httpreq = HTTPREQ_PUT;
+       data->set.opt_no_body = FALSE; /* this is implied */
+@@ -888,7 +887,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+      */
+     if(va_arg(param, long)) {
+       data->set.httpreq = HTTPREQ_GET;
+-      data->set.upload = FALSE; /* switch off upload */
+       data->set.opt_no_body = FALSE; /* this is implied */
+     }
+     break;
+diff --git a/lib/smb.c b/lib/smb.c
+index a1e444ee6b97e..d6822213529bc 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -530,7 +530,7 @@ static CURLcode smb_send_open(struct Curl_easy *data)
+   byte_count = strlen(req->path);
+   msg.name_length = smb_swap16((unsigned short)byte_count);
+   msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
+-  if(conn->data->set.upload) {
++  if(conn->data->state.upload) {
+     msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
+     msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
+   }
+@@ -813,7 +813,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+     smb_m = (const struct smb_nt_create_response*) msg;
+     req->fid = smb_swap16(smb_m->fid);
+     conn->data->req.offset = 0;
+-    if(conn->data->set.upload) {
++    if(conn->data->state.upload) {
+       conn->data->req.size = conn->data->state.infilesize;
+       Curl_pgrsSetUploadSize(conn->data, conn->data->req.size);
+       next_state = SMB_UPLOAD;
+diff --git a/lib/smtp.c b/lib/smtp.c
+index 7a030308d4689..c182cace742d7 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -1419,7 +1419,7 @@ static CURLcode smtp_done(struct Curl_easy *data, CURLcode status,
+     result = status;         /* use the already set error code */
+   }
+   else if(!data->set.connect_only && data->set.mail_rcpt &&
+-          (data->set.upload || data->set.mimepost.kind)) {
++          (data->state.upload || data->set.mimepost.kind)) {
+     /* Calculate the EOB taking into account any terminating CRLF from the
+        previous line of the email or the CRLF of the DATA command when there
+        is "no mail data". RFC-5321, sect. 4.1.1.4.
+@@ -1511,7 +1511,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected,
+   smtp->eob = 2;
+ 
+   /* Start the first command in the DO phase */
+-  if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
++  if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
+     /* MAIL transfer */
+     result = smtp_perform_mail(conn);
+   else
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 164d3c723c5b9..8ed1b887b4d21 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -370,7 +370,7 @@ static CURLcode tftp_parse_option_ack(struct tftp_state_data *state,
+ 
+       /* tsize should be ignored on upload: Who cares about the size of the
+          remote file? */
+-      if(!data->set.upload) {
++      if(!data->state.upload) {
+         if(!tsize) {
+           failf(data, "invalid tsize -:%s:- value in OACK packet", value);
+           return CURLE_TFTP_ILLEGAL;
+@@ -451,7 +451,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
+       return result;
+     }
+ 
+-    if(data->set.upload) {
++    if(data->state.upload) {
+       /* If we are uploading, send an WRQ */
+       setpacketevent(&state->spacket, TFTP_EVENT_WRQ);
+       state->conn->data->req.upload_fromhere =
+@@ -486,7 +486,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
+     if(!data->set.tftp_no_options) {
+       char buf[64];
+       /* add tsize option */
+-      if(data->set.upload && (data->state.infilesize != -1))
++      if(data->state.upload && (data->state.infilesize != -1))
+         snprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
+                  data->state.infilesize);
+       else
+@@ -540,7 +540,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
+     break;
+ 
+   case TFTP_EVENT_OACK:
+-    if(data->set.upload) {
++    if(data->state.upload) {
+       result = tftp_connect_for_tx(state, event);
+     }
+     else {
+diff --git a/lib/transfer.c b/lib/transfer.c
+index e9ab8fbf09510..cb69f3365855a 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1293,6 +1293,7 @@ void Curl_init_CONNECT(struct Curl_easy *data)
+ {
+   data->state.fread_func = data->set.fread_func_set;
+   data->state.in = data->set.in_set;
++  data->state.upload = (data->set.httpreq == HTTPREQ_PUT);
+ }
+ 
+ /*
+@@ -1770,7 +1770,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url)
+ 
+   /* if we're talking upload, we can't do the checks below, unless the protocol
+      is HTTP as when uploading over HTTP we will still get a response */
+-  if(data->set.upload &&
++  if(data->state.upload &&
+      !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)))
+     return CURLE_OK;
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index cca992a0295aa..a8580bdb66fe8 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1494,6 +1494,7 @@ struct UrlState {
+ #ifdef CURLDEBUG
+   bool conncache_lock;
+ #endif
++  bool upload;         /* upload request */
+ };
+ 
+ 
+@@ -1838,7 +1839,6 @@ struct UserDefined {
+   bool http_set_referer; /* is a custom referer used */
+   bool http_auto_referer; /* set "correct" referer when following location: */
+   bool opt_no_body;      /* as set with CURLOPT_NOBODY */
+-  bool upload;           /* upload request */
+   enum CURL_NETRC_OPTION
+        use_netrc;        /* defined in include/curl.h */
+   bool verbose;          /* output verbosity */
+diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
+index b31f741ba9492..d60edaa303642 100644
+--- a/lib/ssh-libssh.c
++++ b/lib/ssh-libssh.c
+@@ -1209,7 +1209,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+     }
+ 
+     case SSH_SFTP_TRANS_INIT:
+-      if(data->set.upload)
++      if(data->state.upload)
+         state(conn, SSH_SFTP_UPLOAD_INIT);
+       else {
+         if(protop->path[strlen(protop->path)-1] == '/')
+@@ -1802,7 +1802,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+       /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */
+       ssh_set_blocking(sshc->ssh_session, 1);
+ 
+-      if(data->set.upload) {
++      if(data->state.upload) {
+         if(data->state.infilesize < 0) {
+           failf(data, "SCP requires a known file size for upload");
+           sshc->actualcode = CURLE_UPLOAD_FAILED;
+@@ -1907,7 +1907,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+         break;
+       }
+     case SSH_SCP_DONE:
+-      if(data->set.upload)
++      if(data->state.upload)
+         state(conn, SSH_SCP_SEND_EOF);
+       else
+         state(conn, SSH_SCP_CHANNEL_FREE);
+diff --git a/lib/ssh.c b/lib/ssh.c
+index f1154dc47a74e..f2e5352d1fd3a 100644
+--- a/lib/ssh.c
++++ b/lib/ssh.c
+@@ -2019,7 +2019,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
+     }
+ 
+     case SSH_SFTP_TRANS_INIT:
+-      if(data->set.upload)
++      if(data->state.upload)
+         state(conn, SSH_SFTP_UPLOAD_INIT);
+       else {
+         if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')
+@@ -2691,7 +2691,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
+         break;
+       }
+ 
+-      if(data->set.upload) {
++      if(data->state.upload) {
+         if(data->state.infilesize < 0) {
+           failf(data, "SCP requires a known file size for upload");
+           sshc->actualcode = CURLE_UPLOAD_FAILED;
+@@ -2831,7 +2831,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
+     break;
+ 
+     case SSH_SCP_DONE:
+-      if(data->set.upload)
++      if(data->state.upload)
+         state(conn, SSH_SCP_SEND_EOF);
+       else
+         state(conn, SSH_SCP_CHANNEL_FREE);

SOURCES/0056-curl-7.61.1-CVE-2023-38546.patch

@@ -0,0 +1,124 @@
+From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 13 ++++---------
+ lib/easy.c   |  4 +---
+ 3 files changed, 6 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 4345a84c6fd9d..e39c89a94a960 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
+   free(co->name);
+   free(co->value);
+   free(co->maxage);
+-  free(co->version);
+   free(co);
+ }
+ 
+@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data,
+           }
+         }
+         else if(strcasecompare("version", name)) {
+-          strstore(&co->version, whatptr);
+-          if(!co->version) {
+-            badcookie = TRUE;
+-            break;
+-          }
++          /* just ignore */
+         }
+         else if(strcasecompare("max-age", name)) {
+           /* Defined in RFC2109:
+@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data,
+         free(clist->path);
+         free(clist->spath);
+         free(clist->expirestr);
+-        free(clist->version);
+         free(clist->maxage);
+ 
+         *clist = *co;  /* then store all the new data */
+@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+     c = calloc(1, sizeof(struct CookieInfo));
+     if(!c)
+       return NULL; /* failed to get memory */
+-    c->filename = strdup(file?file:"none"); /* copy the name just in case */
+-    if(!c->filename)
+-      goto fail; /* failed to get memory */
+   }
+   else {
+     /* we got an already existing one, use that */
+@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+     CLONE(name);
+     CLONE(value);
+     CLONE(maxage);
+-    CLONE(version);
+     d->expires = src->expires;
+     d->tailmatch = src->tailmatch;
+     d->secure = src->secure;
+@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+   if(c) {
+     unsigned int i;
+-    free(c->filename);
+     for(i = 0; i < COOKIE_HASH_SIZE; i++)
+       Curl_cookie_freelist(c->cookies[i]);
+     free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index b3c0063b2cfb2..41e9e7a6914e0 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -36,11 +36,7 @@ struct Cookie {
+   curl_off_t expires;  /* expires = <this> */
+   char *expirestr;   /* the plain text version */
+   bool tailmatch;    /* whether we do tail-matching of the domain name */
+-
+-  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+-  char *version;     /* Version = <value> */
+   char *maxage;      /* Max-Age = <value> */
+-
+   bool secure;       /* whether the 'secure' keyword was used */
+   bool livecookie;   /* updated from a server, not a stored file */
+   bool httponly;     /* true if the httponly directive is present */
+@@ -56,15 +52,14 @@ struct Cookie {
+   int creationtime;  /* time when the cookie was written */
+ };
+ 
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+ 
+ struct CookieInfo {
+   /* linked list of cookies we know of */
+   struct Cookie *cookies[COOKIE_HASH_SIZE];
+ 
+-  char *filename;  /* file we read from/write to */
+   bool running;    /* state info, for cookie adding information */
+-  long numcookies; /* number of cookies in the "jar" */
++  int numcookies; /* number of cookies in the "jar" */
+   bool newsession; /* new session, discard session cookies on load */
+   int lastct;      /* last creation-time used in the jar */
+ };
+diff --git a/lib/easy.c b/lib/easy.c
+index 16bbd35251d40..03195481f9780 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+   if(data->cookies) {
+     /* If cookies are enabled in the parent handle, we enable them
+        in the clone as well! */
+-    outcurl->cookies = Curl_cookie_init(data,
+-                                        data->cookies->filename,
+-                                        outcurl->cookies,
++    outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+                                         data->set.cookiesession);
+     if(!outcurl->cookies)
+       goto fail;

SOURCES/0057-curl-7.61.1-consolidate-nghttp2-session-mem-recv.patch

@@ -0,0 +1,193 @@
+diff -up curl-7.61.1/lib/http2.c.25a25f45 curl-7.61.1/lib/http2.c
+--- curl-7.61.1/lib/http2.c.25a25f45	2023-08-07 14:03:42.043463284 +0200
++++ curl-7.61.1/lib/http2.c	2023-08-07 14:10:24.769489855 +0200
+@@ -1202,7 +1202,7 @@ CURLcode Curl_http2_request_upgrade(Curl
+   binlen = nghttp2_pack_settings_payload(binsettings, H2_BINSETTINGS_LEN,
+                                          httpc->local_settings,
+                                          httpc->local_settings_num);
+-  if(!binlen) {
++  if(binlen <= 0) {
+     failf(conn->data, "nghttp2 unexpectedly failed on pack_settings_payload");
+     Curl_add_buffer_free(req);
+     return CURLE_FAILED_INIT;
+@@ -1285,6 +1285,14 @@ static int h2_process_pending_input(stru
+     return -1;
+   }
+ 
++  if(nghttp2_session_check_request_allowed(httpc->h2) == 0) {
++    /* No more requests are allowed in the current session, so
++       the connection may not be reused. This is set when a
++       GOAWAY frame has been received or when the limit of stream
++       identifiers has been reached. */
++    connclose(conn, "http/2: No new requests allowed");
++  }
++
+   if(should_close_session(httpc)) {
+     H2BUGF(infof(data,
+                  "h2_process_pending_input: nothing to do in this session\n"));
+@@ -1297,7 +1305,6 @@ static int h2_process_pending_input(stru
+     }
+     return -1;
+   }
+-
+   return 0;
+ }
+ 
+@@ -1455,8 +1462,6 @@ static int h2_session_send(struct Curl_e
+ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+                           char *mem, size_t len, CURLcode *err)
+ {
+-  CURLcode result = CURLE_OK;
+-  ssize_t rv;
+   ssize_t nread;
+   struct http_conn *httpc = &conn->proto.httpc;
+   struct Curl_easy *data = conn->data;
+@@ -1519,8 +1524,7 @@ static ssize_t http2_recv(struct connect
+       /* We have paused nghttp2, but we have no pause data (see
+          on_data_chunk_recv). */
+       httpc->pause_stream_id = 0;
+-      if(h2_process_pending_input(conn, httpc, &result) != 0) {
+-        *err = result;
++      if(h2_process_pending_input(conn, httpc, err) != 0) {
+         return -1;
+       }
+     }
+@@ -1549,8 +1553,7 @@ static ssize_t http2_recv(struct connect
+          frames, then we have to call it again with 0-length data.
+          Without this, on_stream_close callback will not be called,
+          and stream could be hanged. */
+-      if(h2_process_pending_input(conn, httpc, &result) != 0) {
+-        *err = result;
++      if(h2_process_pending_input(conn, httpc, err) != 0) {
+         return -1;
+       }
+     }
+@@ -1573,7 +1576,6 @@ static ssize_t http2_recv(struct connect
+     return -1;
+   }
+   else {
+-    char *inbuf;
+     /* remember where to store incoming data for this stream and how big the
+        buffer is */
+     stream->mem = mem;
+@@ -1582,16 +1584,15 @@ static ssize_t http2_recv(struct connect
+ 
+     if(httpc->inbuflen == 0) {
+       nread = ((Curl_recv *)httpc->recv_underlying)(
+-          conn, FIRSTSOCKET, httpc->inbuf, H2_BUFSIZE, &result);
++          conn, FIRSTSOCKET, httpc->inbuf, H2_BUFSIZE, err);
+ 
+       if(nread == -1) {
+-        if(result != CURLE_AGAIN)
++        if(*err != CURLE_AGAIN)
+           failf(data, "Failed receiving HTTP2 data");
+         else if(stream->closed)
+           /* received when the stream was already closed! */
+           return http2_handle_stream_close(conn, data, stream, err);
+ 
+-        *err = result;
+         return -1;
+       }
+ 
+@@ -1604,47 +1605,17 @@ static ssize_t http2_recv(struct connect
+       H2BUGF(infof(data, "nread=%zd\n", nread));
+ 
+       httpc->inbuflen = nread;
+-      inbuf = httpc->inbuf;
++
++      DEBUGASSERT(httpc->nread_inbuf == 0);
+     }
+     else {
+       nread = httpc->inbuflen - httpc->nread_inbuf;
+-      inbuf = httpc->inbuf + httpc->nread_inbuf;
+-
++      (void)nread;  /* silence warning, used in debug */
+       H2BUGF(infof(data, "Use data left in connection buffer, nread=%zd\n",
+                    nread));
+     }
+-    rv = nghttp2_session_mem_recv(httpc->h2, (const uint8_t *)inbuf, nread);
+-
+-    if(nghttp2_is_fatal((int)rv)) {
+-      failf(data, "nghttp2_session_mem_recv() returned %zd:%s\n",
+-            rv, nghttp2_strerror((int)rv));
+-      *err = CURLE_RECV_ERROR;
+-      return -1;
+-    }
+-    H2BUGF(infof(data, "nghttp2_session_mem_recv() returns %zd\n", rv));
+-    if(nread == rv) {
+-      H2BUGF(infof(data, "All data in connection buffer processed\n"));
+-      httpc->inbuflen = 0;
+-      httpc->nread_inbuf = 0;
+-    }
+-    else {
+-      httpc->nread_inbuf += rv;
+-      H2BUGF(infof(data, "%zu bytes left in connection buffer\n",
+-                   httpc->inbuflen - httpc->nread_inbuf));
+-    }
+-    /* Always send pending frames in nghttp2 session, because
+-       nghttp2_session_mem_recv() may queue new frame */
+-    rv = h2_session_send(data, httpc->h2);
+-    if(rv != 0) {
+-      *err = CURLE_SEND_ERROR;
+-      return -1;
+-    }
+-
+-    if(should_close_session(httpc)) {
+-      H2BUGF(infof(data, "http2_recv: nothing to do in this session\n"));
+-      *err = CURLE_HTTP2;
++    if(h2_process_pending_input(conn, httpc, err) != 0)
+       return -1;
+-    }
+   }
+   if(stream->memlen) {
+     ssize_t retlen = stream->memlen;
+@@ -2108,7 +2079,6 @@ CURLcode Curl_http2_switched(struct conn
+   CURLcode result;
+   struct http_conn *httpc = &conn->proto.httpc;
+   int rv;
+-  ssize_t nproc;
+   struct Curl_easy *data = conn->data;
+   struct HTTP *stream = conn->data->req.protop;
+ 
+@@ -2186,39 +2156,10 @@ CURLcode Curl_http2_switched(struct conn
+     memcpy(httpc->inbuf, mem, nread);
+   httpc->inbuflen = nread;
+ 
+-  nproc = nghttp2_session_mem_recv(httpc->h2, (const uint8_t *)httpc->inbuf,
+-                                   httpc->inbuflen);
++  DEBUGASSERT(httpc->nread_inbuf == 0);
+ 
+-  if(nghttp2_is_fatal((int)nproc)) {
+-    failf(data, "nghttp2_session_mem_recv() failed: %s(%d)",
+-          nghttp2_strerror((int)nproc), (int)nproc);
++  if(-1 == h2_process_pending_input(conn, httpc, &result))
+     return CURLE_HTTP2;
+-  }
+-
+-  H2BUGF(infof(data, "nghttp2_session_mem_recv() returns %zd\n", nproc));
+-
+-  if((ssize_t)nread == nproc) {
+-    httpc->inbuflen = 0;
+-    httpc->nread_inbuf = 0;
+-  }
+-  else {
+-    httpc->nread_inbuf += nproc;
+-  }
+-
+-  /* Try to send some frames since we may read SETTINGS already. */
+-  rv = h2_session_send(data, httpc->h2);
+-
+-  if(rv != 0) {
+-    failf(data, "nghttp2_session_send() failed: %s(%d)",
+-          nghttp2_strerror(rv), rv);
+-    return CURLE_HTTP2;
+-  }
+-
+-  if(should_close_session(httpc)) {
+-    H2BUGF(infof(data,
+-                 "nghttp2_session_send(): nothing to do in this session\n"));
+-    return CURLE_HTTP2;
+-  }
+ 
+   return CURLE_OK;
+ }

SOURCES/0058-curl-7.61.1-error-in-the-HTTP2-framing-layer.patch

@@ -0,0 +1,15 @@
+diff -up curl-7.61.1/lib/http2.c.c1b6a384 curl-7.61.1/lib/http2.c
+--- curl-7.61.1/lib/http2.c.c1b6a384	2023-08-07 13:59:18.482137005 +0200
++++ curl-7.61.1/lib/http2.c	2023-08-07 14:03:42.043463284 +0200
+@@ -1467,6 +1467,11 @@ static ssize_t http2_recv(struct connect
+   if(should_close_session(httpc)) {
+     H2BUGF(infof(data,
+                  "http2_recv: nothing to do in this session\n"));
++    if(conn->bits.close) {
++      /* already marked for closure, return OK and we're done */
++      *err = CURLE_OK;
++      return 0;
++    }
+     *err = CURLE_HTTP2;
+     return -1;
+   }

SOURCES/0059-curl-7.61.1-CVE-2023-46218.patch

@@ -0,0 +1,48 @@
+From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Nov 2023 08:15:47 +0100
+Subject: [PATCH] cookie: lowercase the domain names before PSL checks
+
+Reported-by: Harry Sintonen
+
+Closes #12387
+---
+ lib/cookie.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 568cf537ad1b1f..9095cea3e97f22 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
+ #ifdef USE_LIBPSL
+   /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
+   if(domain && co->domain && !isip(co->domain)) {
+-    const psl_ctx_t *psl = Curl_psl_use(data);
+-    int acceptable;
+-
+-    if(psl) {
+-      acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
+-      Curl_psl_release(data);
++    bool acceptable = FALSE;
++    char lcase[256];
++    char lcookie[256];
++    size_t dlen = strlen(domain);
++    size_t clen = strlen(co->domain);
++    if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
++      const psl_ctx_t *psl = Curl_psl_use(data);
++      if(psl) {
++        /* the PSL check requires lowercase domain name and pattern */
++        Curl_strntolower(lcase, domain, dlen + 1);
++        Curl_strntolower(lcookie, co->domain, clen + 1);
++        acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
++        Curl_psl_release(data);
++      }
++      else
++        acceptable = !bad_domain(domain);
+     }
+-    else
+-      acceptable = !bad_domain(domain);
+ 
+     if(!acceptable) {
+       infof(data, "cookie '%s' dropped, domain '%s' must not "

SOURCES/0060-curl-7.61.1-lowercase-headernames.patch

@@ -0,0 +1,136 @@
+From 0023fce38d3bd6ee0e9b6ff8708fee1195057846 Mon Sep 17 00:00:00 2001
+From: Barry Pollard <barry_pollard@hotmail.com>
+Date: Sun, 22 Sep 2019 21:17:12 +0100
+Subject: [PATCH] http: lowercase headernames for HTTP/2 and HTTP/3
+
+Closes #4401
+Fixes #4400
+---
+ lib/strcase.c      | 84 ++++++++++++++++++++++++++++++++++++++++++++++
+ lib/strcase.h      |  2 ++
+ 5 files changed, 95 insertions(+), 3 deletions(-)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index 24bcca932..098cec7a8 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -93,6 +93,75 @@ char Curl_raw_toupper(char in)
+   return in;
+ }
+ 
++
++/* Portable, consistent tolower (remember EBCDIC). Do not use tolower() because
++   its behavior is altered by the current locale. */
++char Curl_raw_tolower(char in)
++{
++#if !defined(CURL_DOES_CONVERSIONS)
++  if(in >= 'A' && in <= 'Z')
++    return (char)('a' + in - 'A');
++#else
++  switch(in) {
++  case 'A':
++    return 'a';
++  case 'B':
++    return 'b';
++  case 'C':
++    return 'c';
++  case 'D':
++    return 'd';
++  case 'E':
++    return 'e';
++  case 'F':
++    return 'f';
++  case 'G':
++    return 'g';
++  case 'H':
++    return 'h';
++  case 'I':
++    return 'i';
++  case 'J':
++    return 'j';
++  case 'K':
++    return 'k';
++  case 'L':
++    return 'l';
++  case 'M':
++    return 'm';
++  case 'N':
++    return 'n';
++  case 'O':
++    return 'o';
++  case 'P':
++    return 'p';
++  case 'Q':
++    return 'q';
++  case 'R':
++    return 'r';
++  case 'S':
++    return 's';
++  case 'T':
++    return 't';
++  case 'U':
++    return 'u';
++  case 'V':
++    return 'v';
++  case 'W':
++    return 'w';
++  case 'X':
++    return 'X';
++  case 'Y':
++    return 'y';
++  case 'Z':
++    return 'z';
++  }
++#endif
++
++  return in;
++}
++
++
+ /*
+  * Curl_strcasecompare() is for doing "raw" case insensitive strings. This is
+  * meant to be locale independent and only compare strings we know are safe
+@@ -234,6 +303,21 @@ void Curl_strntoupper(char *dest, const char *src, size_t n)
+   } while(*src++ && --n);
+ }
+ 
++/* Copy a lower case version of the string from src to dest.  The
++ * strings may overlap.  No more than n characters of the string are copied
++ * (including any NUL) and the destination string will NOT be
++ * NUL-terminated if that limit is reached.
++ */
++void Curl_strntolower(char *dest, const char *src, size_t n)
++{
++  if(n < 1)
++    return;
++
++  do {
++    *dest++ = Curl_raw_tolower(*src);
++  } while(*src++ && --n);
++}
++
+ /* Compare case-sensitive NUL-terminated strings, taking care of possible
+  * null pointers. Return true if arguments match.
+  */
+diff --git a/lib/strcase.h b/lib/strcase.h
+index 6fee3840e..2f07a74c9 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -40,12 +40,14 @@ int Curl_safe_strcasecompare(const char *first, const char *second);
+ int Curl_strncasecompare(const char *first, const char *second, size_t max);
+ 
+ char Curl_raw_toupper(char in);
++char Curl_raw_tolower(char in);
+ 
+ /* checkprefix() is a shorter version of the above, used when the first
+    argument is zero-byte terminated */
+ #define checkprefix(a,b)    curl_strnequal(a,b,strlen(a))
+ 
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
++void Curl_strntolower(char *dest, const char *src, size_t n);
+ 
+ bool Curl_safecmp(char *a, char *b);
+ int Curl_timestrcmp(const char *first, const char *second);
+-- 
+2.43.0
+

SOURCES/0061-curl-7.61.1-CVE-2024-2398.patch

@@ -0,0 +1,80 @@
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index c63ecd38371ab4..96868728a53a1f 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf,
+   return http2_perform_getsock(conn, sock, numsocks);
+ }
+ 
++static void free_push_headers(struct HTTP *http)
++{
++  size_t i;
++  for(i = 0; i<http->push_headers_used; i++)
++    free(http->push_headers[i]);
++  Curl_safefree(http->push_headers);
++  http->push_headers_used = 0;
++}
++
+ /*
+  * http2_stream_free() free HTTP2 stream related data
+  */
+@@ -306,11 +315,7 @@ static void http2_data_done(struct Curl_cfilter *cf,
+     http->header_recvbuf = NULL; /* clear the pointer */
+     Curl_add_buffer_free(http->trailer_recvbuf);
+     http->trailer_recvbuf = NULL; /* clear the pointer */
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
++    free_push_headers(http);
+   }
+ }
+ 
+@@ -860,7 +861,6 @@ static int push_promise(struct Curl_cfilter *cf,
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     struct http_conn *httpc;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = duphandle(data);
+     if(!newhandle) {
+@@ -904,11 +904,7 @@ static int push_promise(struct Curl_cfilter *cf,
+     Curl_set_in_callback(data, false);
+ 
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+ 
+     if(rv) {
+       /* denied, kill off the new handle again */
+@@ -1426,10 +1422,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+             stream->push_headers_alloc) {
+       char **headp;
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;

SOURCES/0062-curl-7.61.1-socketpair-to-wait-on.patch

@@ -0,0 +1,146 @@
+From eb9a604f8d7db859555adc0ddacdabd1ed986106 Mon Sep 17 00:00:00 2001
+From: amkatyal <amkatyal@cisco.com>
+Date: Fri, 26 Jul 2019 21:28:41 +0530
+Subject: [PATCH] asyn-thread: create a socketpair to wait on
+
+Closes #4157
+---
+ lib/asyn-thread.c | 76 ++++++++++++++++++++++++++++++++++++++++-------
+ lib/multi.c       |  0
+ 2 files changed, 65 insertions(+), 11 deletions(-)
+ mode change 100644 => 100755 lib/asyn-thread.c
+ mode change 100644 => 100755 lib/multi.c
+
+diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
+old mode 100644
+new mode 100755
+index 5f33c9affd0f27..f17638e44e6b18
+--- a/lib/asyn-thread.c
++++ b/lib/asyn-thread.c
+@@ -163,6 +163,9 @@ struct thread_sync_data {
+   char *hostname;        /* hostname to resolve, Curl_async.hostname
+                             duplicate */
+   int port;
++#ifdef HAVE_SOCKETPAIR
++  curl_socket_t sock_pair[2]; /* socket pair */
++#endif
+   int sock_error;
+   Curl_addrinfo *res;
+ #ifdef HAVE_GETADDRINFO
+@@ -197,6 +200,16 @@ void destroy_thread_sync_data(struct thread_sync_data * tsd)
+   if(tsd->res)
+     Curl_freeaddrinfo(tsd->res);
+ 
++#ifdef HAVE_SOCKETPAIR
++  /* close socket pair */
++  if(tsd->sock_pair[0] != CURL_SOCKET_BAD) {
++    sclose(tsd->sock_pair[0]);
++  }
++
++  if(tsd->sock_pair[1] != CURL_SOCKET_BAD) {
++    sclose(tsd->sock_pair[1]);
++  }
++#endif
+   memset(tsd, 0, sizeof(*tsd));
+ }
+ 
+@@ -230,6 +243,14 @@ int init_thread_sync_data(struct thread_data * td,
+ 
+   Curl_mutex_init(tsd->mtx);
+ 
++#ifdef HAVE_SOCKETPAIR
++  /* create socket pair */
++  if(socketpair(AF_LOCAL, SOCK_STREAM, 0, &tsd->sock_pair[0]) < 0) {
++    tsd->sock_pair[0] = CURL_SOCKET_BAD;
++    tsd->sock_pair[1] = CURL_SOCKET_BAD;
++    goto err_exit;
++  }
++#endif
+   tsd->sock_error = CURL_ASYNC_SUCCESS;
+ 
+   /* Copying hostname string because original can be destroyed by parent
+@@ -297,6 +318,9 @@ static unsigned int CURL_STDCALL getaddrinfo_thread(void *arg)
+   struct thread_data *td = tsd->td;
+   char service[12];
+   int rc;
++#ifdef HAVE_SOCKETPAIR
++  char buf[1];
++#endif
+ 
+   snprintf(service, sizeof(service), "%d", tsd->port);
+ 
+@@ -298,6 +322,16 @@ static unsigned int CURL_STDCALL getaddrinfo_thread(void *arg)
+     free(td);
+   }
+   else {
++#ifdef HAVE_SOCKETPAIR
++    if(tsd->sock_pair[1] != CURL_SOCKET_BAD) {
++      /* DNS has been resolved, signal client task */
++      buf[0] = 1;
++      if(write(tsd->sock_pair[1],  buf, sizeof(buf)) < 0) {
++        /* update sock_erro to errno */
++        tsd->sock_error = SOCKERRNO;
++      }
++    }
++#endif
+     tsd->done = 1;
+     Curl_mutex_release(tsd->mtx);
+   }
+@@ -595,23 +629,43 @@ int Curl_resolver_getsock(struct connectdata *conn,
+                           curl_socket_t *socks,
+                           int numsocks)
+ {
++  int ret_val = 0;
+   time_t milli;
+   timediff_t ms;
+   struct Curl_easy *data = conn->data;
+   struct resdata *reslv = (struct resdata *)data->state.resolver;
++#ifdef HAVE_SOCKETPAIR
++  struct thread_data *td = (struct thread_data*)conn->async.os_specific;
++  int loop_idx;
++#else
+   (void)socks;
+   (void)numsocks;
+-  ms = Curl_timediff(Curl_now(), reslv->start);
+-  if(ms < 3)
+-    milli = 0;
+-  else if(ms <= 50)
+-    milli = ms/3;
+-  else if(ms <= 250)
+-    milli = 50;
+-  else
+-    milli = 200;
+-  Curl_expire(data, milli, EXPIRE_ASYNC_NAME);
+-  return 0;
++#endif
++
++#ifdef HAVE_SOCKETPAIR
++  if(td) {
++    /* return read fd to client for polling the DNS resolution status */
++    socks[0] = td->tsd.sock_pair[0];
++    ret_val = GETSOCK_READSOCK(0);
++  }
++  else {
++#endif
++    ms = Curl_timediff(Curl_now(), reslv->start);
++    if(ms < 3)
++      milli = 0;
++    else if(ms <= 50)
++      milli = ms/3;
++    else if(ms <= 250)
++      milli = 50;
++    else
++      milli = 200;
++    Curl_expire(data, milli, EXPIRE_ASYNC_NAME);
++#ifdef HAVE_SOCKETPAIR
++  }
++#endif
++
++
++  return ret_val;
+ }
+ 
+ #ifndef HAVE_GETADDRINFO
+diff --git a/lib/multi.c b/lib/multi.c
+old mode 100644
+new mode 100755

SOURCES/0063-curl-7.61.1-native-md5.patch

@@ -0,0 +1,279 @@
+diff -up curl-7.61.1/lib/curl_md5.h.RHEL-32335 curl-7.61.1/lib/curl_md5.h
+--- curl-7.61.1/lib/curl_md5.h.RHEL-32335	2024-04-10 10:09:36.758098940 +0200
++++ curl-7.61.1/lib/curl_md5.h	2024-04-10 10:10:22.426370509 +0200
+@@ -49,8 +49,8 @@ typedef struct {
+ extern const MD5_params Curl_DIGEST_MD5[1];
+ extern const HMAC_params Curl_HMAC_MD5[1];
+ 
+-void Curl_md5it(unsigned char *output,
+-                const unsigned char *input);
++void Curl_md5it(unsigned char *output, const unsigned char *input,
++                const size_t len);
+ 
+ MD5_context * Curl_MD5_init(const MD5_params *md5params);
+ int Curl_MD5_update(MD5_context *context,
+diff -up curl-7.61.1/lib/curl_ntlm_core.h.RHEL-32335 curl-7.61.1/lib/curl_ntlm_core.h
+--- curl-7.61.1/lib/curl_ntlm_core.h.RHEL-32335	2024-04-10 09:52:39.872042425 +0200
++++ curl-7.61.1/lib/curl_ntlm_core.h	2024-04-10 09:54:46.230795176 +0200
+@@ -48,9 +48,9 @@
+ #endif
+ 
+ /* Define USE_NTLM2SESSION in order to make the type-3 message include the
+-   NTLM2Session response message, requires USE_NTRESPONSES defined to 1 and a
+-   Crypto engine that we have curl_ssl_md5sum() for. */
+-#if defined(USE_NTRESPONSES) && !defined(USE_WIN32_CRYPTO)
++   NTLM2Session response message, requires USE_NTRESPONSES defined to 1 and
++   MD5 support */
++#if defined(USE_NTRESPONSES) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+ #define USE_NTLM2SESSION
+ #endif
+ 
+diff -up curl-7.61.1/lib/curl_sha256.h.RHEL-32335 curl-7.61.1/lib/curl_sha256.h
+--- curl-7.61.1/lib/curl_sha256.h.RHEL-32335	2024-04-10 10:13:40.975551190 +0200
++++ curl-7.61.1/lib/curl_sha256.h	2024-04-10 10:14:00.251665815 +0200
+@@ -24,8 +24,8 @@
+ 
+ #ifndef CURL_DISABLE_CRYPTO_AUTH
+ 
+-void Curl_sha256it(unsigned char *outbuffer,
+-                const unsigned char *input);
++void Curl_sha256it(unsigned char *outbuffer, const unsigned char *input,
++                   const size_t len);
+ 
+ #endif
+ 
+diff -up curl-7.61.1/lib/md5.c.RHEL-32335 curl-7.61.1/lib/md5.c
+--- curl-7.61.1/lib/md5.c.RHEL-32335	2024-04-10 10:10:39.831474009 +0200
++++ curl-7.61.1/lib/md5.c	2024-04-10 10:13:29.963485706 +0200
+@@ -519,12 +519,13 @@ const MD5_params Curl_DIGEST_MD5[] = {
+ /*
+  * @unittest: 1601
+  */
+-void Curl_md5it(unsigned char *outbuffer, /* 16 bytes */
+-                const unsigned char *input)
++void Curl_md5it(unsigned char *outbuffer, const unsigned char *input,
++                const size_t len)
+ {
+   MD5_CTX ctx;
++
+   MD5_Init(&ctx);
+-  MD5_Update(&ctx, input, curlx_uztoui(strlen((char *)input)));
++  MD5_Update(&ctx, input, curlx_uztoui(len));
+   MD5_Final(outbuffer, &ctx);
+ }
+ 
+diff -up curl-7.61.1/lib/sha256.c.RHEL-32335 curl-7.61.1/lib/sha256.c
+--- curl-7.61.1/lib/sha256.c.RHEL-32335	2024-04-10 10:14:32.047854892 +0200
++++ curl-7.61.1/lib/sha256.c	2024-04-10 10:15:23.010157942 +0200
+@@ -255,12 +255,13 @@ static int SHA256_Final(unsigned char *o
+ 
+ #endif
+ 
+-void Curl_sha256it(unsigned char *outbuffer, /* 32 unsigned chars */
+-                   const unsigned char *input)
++void Curl_sha256it(unsigned char *outbuffer, const unsigned char *input,
++                   const size_t len)
+ {
+   SHA256_CTX ctx;
++
+   SHA256_Init(&ctx);
+-  SHA256_Update(&ctx, input, curlx_uztoui(strlen((char *)input)));
++  SHA256_Update(&ctx, input, curlx_uztoui(len));
+   SHA256_Final(outbuffer, &ctx);
+ }
+ 
+diff -up curl-7.61.1/lib/vauth/digest.c.RHEL-32335 curl-7.61.1/lib/vauth/digest.c
+--- curl-7.61.1/lib/vauth/digest.c.RHEL-32335	2024-04-10 10:15:31.737209838 +0200
++++ curl-7.61.1/lib/vauth/digest.c	2024-04-10 10:20:11.293872233 +0200
+@@ -62,7 +62,7 @@
+    what ultimately goes over the network.
+ */
+ #define CURL_OUTPUT_DIGEST_CONV(a, b) \
+-  result = Curl_convert_to_network(a, (char *)b, strlen((const char *)b)); \
++  result = Curl_convert_to_network(a, b, strlen(b)); \
+   if(result) { \
+     free(b); \
+     return result; \
+@@ -687,12 +687,12 @@ static CURLcode _Curl_auth_create_digest
+                   struct digestdata *digest,
+                   char **outptr, size_t *outlen,
+                   void (*convert_to_ascii)(unsigned char *, unsigned char *),
+-                  void (*hash)(unsigned char *, const unsigned char *))
++                  void (*hash)(unsigned char *, const unsigned char *,
++                               const size_t))
+ {
+   CURLcode result;
+   unsigned char hashbuf[32]; /* 32 bytes/256 bits */
+   unsigned char request_digest[65];
+-  unsigned char *hashthis;
+   unsigned char ha1[65];    /* 64 digits and 1 zero byte */
+   unsigned char ha2[65];    /* 64 digits and 1 zero byte */
+   char userh[65];
+@@ -700,6 +700,7 @@ static CURLcode _Curl_auth_create_digest
+   size_t cnonce_sz = 0;
+   char *userp_quoted;
+   char *response = NULL;
++  char *hashthis = NULL;
+   char *tmp = NULL;
+ 
+   if(!digest->nc)
+@@ -721,12 +722,12 @@ static CURLcode _Curl_auth_create_digest
+   }
+ 
+   if(digest->userhash) {
+-    hashthis = (unsigned char *) aprintf("%s:%s", userp, digest->realm);
++    hashthis = aprintf("%s:%s", userp, digest->realm);
+     if(!hashthis)
+       return CURLE_OUT_OF_MEMORY;
+ 
+     CURL_OUTPUT_DIGEST_CONV(data, hashthis);
+-    hash(hashbuf, hashthis);
++    hash(hashbuf, (unsigned char *) hashthis, strlen(hashthis));
+     free(hashthis);
+     convert_to_ascii(hashbuf, (unsigned char *)userh);
+   }
+@@ -742,14 +743,13 @@ static CURLcode _Curl_auth_create_digest
+            unq(nonce-value) ":" unq(cnonce-value)
+   */
+ 
+-  hashthis = (unsigned char *)
+-    aprintf("%s:%s:%s", digest->userhash ? userh : userp,
+-                                    digest->realm, passwdp);
++  hashthis = aprintf("%s:%s:%s", digest->userhash ? userh : userp,
++                                 digest->realm, passwdp);
+   if(!hashthis)
+     return CURLE_OUT_OF_MEMORY;
+ 
+   CURL_OUTPUT_DIGEST_CONV(data, hashthis); /* convert on non-ASCII machines */
+-  hash(hashbuf, hashthis);
++  hash(hashbuf, (unsigned char *) hashthis, strlen(hashthis));
+   free(hashthis);
+   convert_to_ascii(hashbuf, ha1);
+ 
+@@ -762,7 +762,7 @@ static CURLcode _Curl_auth_create_digest
+       return CURLE_OUT_OF_MEMORY;
+ 
+     CURL_OUTPUT_DIGEST_CONV(data, tmp); /* Convert on non-ASCII machines */
+-    hash(hashbuf, (unsigned char *) tmp);
++    hash(hashbuf, (unsigned char *) tmp, strlen(tmp));
+     free(tmp);
+     convert_to_ascii(hashbuf, ha1);
+   }
+@@ -780,18 +780,18 @@ static CURLcode _Curl_auth_create_digest
+     5.1.1 of RFC 2616)
+   */
+ 
+-  hashthis = (unsigned char *) aprintf("%s:%s", request, uripath);
++  hashthis = aprintf("%s:%s", request, uripath);
+ 
+   if(digest->qop && strcasecompare(digest->qop, "auth-int")) {
+     /* We don't support auth-int for PUT or POST at the moment.
+        TODO: replace hash of empty string with entity-body for PUT/POST */
+     char hashed[65];
+-    unsigned char *hashthis2;
++    char *hashthis2;
+ 
+-    hash(hashbuf, (const unsigned char *)"");
++    hash(hashbuf, (const unsigned char *)"", 0);
+     convert_to_ascii(hashbuf, (unsigned char *)hashed);
+ 
+-    hashthis2 = (unsigned char *)aprintf("%s:%s", hashthis, hashed);
++    hashthis2 = aprintf("%s:%s", hashthis, hashed);
+     free(hashthis);
+     hashthis = hashthis2;
+   }
+@@ -800,31 +800,23 @@ static CURLcode _Curl_auth_create_digest
+     return CURLE_OUT_OF_MEMORY;
+ 
+   CURL_OUTPUT_DIGEST_CONV(data, hashthis); /* convert on non-ASCII machines */
+-  hash(hashbuf, hashthis);
++  hash(hashbuf, (unsigned char *) hashthis, strlen(hashthis));
+   free(hashthis);
+   convert_to_ascii(hashbuf, ha2);
+ 
+   if(digest->qop) {
+-    hashthis = (unsigned char *) aprintf("%s:%s:%08x:%s:%s:%s",
+-                                        ha1,
+-                                        digest->nonce,
+-                                        digest->nc,
+-                                        digest->cnonce,
+-                                        digest->qop,
+-                                        ha2);
++    hashthis = aprintf("%s:%s:%08x:%s:%s:%s", ha1, digest->nonce, digest->nc,
++                       digest->cnonce, digest->qop, ha2);
+   }
+   else {
+-    hashthis = (unsigned char *) aprintf("%s:%s:%s",
+-                                        ha1,
+-                                        digest->nonce,
+-                                        ha2);
++    hashthis = aprintf("%s:%s:%s", ha1, digest->nonce, ha2);
+   }
+ 
+   if(!hashthis)
+     return CURLE_OUT_OF_MEMORY;
+ 
+   CURL_OUTPUT_DIGEST_CONV(data, hashthis); /* convert on non-ASCII machines */
+-  hash(hashbuf, hashthis);
++  hash(hashbuf, (unsigned char *) hashthis, strlen(hashthis));
+   free(hashthis);
+   convert_to_ascii(hashbuf, request_digest);
+ 
+diff -up curl-7.61.1/lib/vauth/ntlm.c.RHEL-32335 curl-7.61.1/lib/vauth/ntlm.c
+--- curl-7.61.1/lib/vauth/ntlm.c.RHEL-32335	2024-04-10 09:51:15.114537483 +0200
++++ curl-7.61.1/lib/vauth/ntlm.c	2024-04-10 09:52:26.411962237 +0200
+@@ -40,6 +40,7 @@
+ #include "curl_ntlm_core.h"
+ #include "curl_gethostname.h"
+ #include "curl_multibyte.h"
++#include "curl_md5.h"
+ #include "warnless.h"
+ #include "rand.h"
+ #include "vtls/vtls.h"
+@@ -621,11 +622,10 @@ CURLcode Curl_auth_create_ntlm_type3_mes
+     memcpy(tmp, &ntlm->nonce[0], 8);
+     memcpy(tmp + 8, entropy, 8);
+ 
+-    result = Curl_ssl_md5sum(tmp, 16, md5sum, MD5_DIGEST_LENGTH);
+-    if(!result)
+-      /* We shall only use the first 8 bytes of md5sum, but the des code in
+-         Curl_ntlm_core_lm_resp only encrypt the first 8 bytes */
+-      result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
++    Curl_md5it(md5sum, tmp, 16);
++    /* We shall only use the first 8 bytes of md5sum, but the des code in
++       Curl_ntlm_core_lm_resp only encrypt the first 8 bytes */
++    result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
+     if(result)
+       return result;
+ 
+diff -up curl-7.61.1/tests/unit/unit1601.c.RHEL-32335 curl-7.61.1/tests/unit/unit1601.c
+--- curl-7.61.1/tests/unit/unit1601.c.RHEL-32335	2024-04-10 10:20:19.347920127 +0200
++++ curl-7.61.1/tests/unit/unit1601.c	2024-04-10 10:21:53.606480641 +0200
+@@ -36,18 +36,19 @@ static void unit_stop(void)
+ UNITTEST_START
+ 
+ #ifndef CURL_DISABLE_CRYPTO_AUTH
+-  unsigned char output[16];
++  const char string1[] = "1";
++  const char string2[] = "hello-you-fool";
++  unsigned char output[MD5_DIGEST_LEN];
+   unsigned char *testp = output;
+-  Curl_md5it(output, (const unsigned char *)"1");
+ 
+-/* !checksrc! disable LONGLINE 2 */
+-  verify_memory(testp,
+-                "\xc4\xca\x42\x38\xa0\xb9\x23\x82\x0d\xcc\x50\x9a\x6f\x75\x84\x9b", 16);
++  Curl_md5it(output, (const unsigned char *) string1, strlen(string1));
++  verify_memory(testp, "\xc4\xca\x42\x38\xa0\xb9\x23\x82\x0d\xcc\x50\x9a\x6f"
++                "\x75\x84\x9b", MD5_DIGEST_LEN);
+ 
+-  Curl_md5it(output, (const unsigned char *)"hello-you-fool");
++  Curl_md5it(output, (const unsigned char *) string2, strlen(string2));
+ 
+-  verify_memory(testp,
+-                "\x88\x67\x0b\x6d\x5d\x74\x2f\xad\xa5\xcd\xf9\xb6\x82\x87\x5f\x22", 16);
++  verify_memory(testp, "\x88\x67\x0b\x6d\x5d\x74\x2f\xad\xa5\xcd\xf9\xb6\x82"
++                "\x87\x5f\x22", MD5_DIGEST_LEN);
+ #endif
+ 
+ 

SPECS/curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 30%{?dist}
+Release: 34%{?dist}.3
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -136,6 +136,54 @@ Patch46:  0046-curl-7.61.1-h2-window-size.patch
 # fix HTTP multi-header compression denial of service (CVE-2023-23916)
 Patch47:  0047-curl-7.61.1-CVE-2023-23916.patch
 
+# fix FTP too eager connection reuse (CVE-2023-27535)
+Patch48:  0048-curl-7.61.1-CVE-2023-27535.patch
+
+# fix GSS delegation too eager connection re-use (CVE-2023-27536)
+Patch49:  0049-curl-7.61.1-CVE-2023-27536.patch
+
+# sftp: do not specify O_APPEND when not in append mode (#2187717)
+Patch50:  0050-curl-7.61.1-sftp-upload-flags.patch
+
+# fix host name wildcard checking (CVE-2023-28321)
+Patch51:  0051-curl-7.61.1-CVE-2023-28321.patch
+
+# rebuild certs with 2048-bit RSA keys
+Patch52:  0052-curl-7.61.1-certs.patch
+
+# when keyboard-interactive auth fails, try password
+Patch53:  0053-curl-7.61.1-password-when-keyboard-interactive-fails.patch
+
+# cap SFTP packet size sent
+Patch54:  0054-curl-7.61.1-64K-sftp.patch
+
+# unify the upload/method handling (CVE-2023-28322)
+Patch55:  0055-curl-7.61.1-CVE-2023-28322.patch
+
+# fix cookie injection with none file (CVE-2023-38546)
+Patch56:  0056-curl-7.61.1-CVE-2023-38546.patch
+
+# consolidate nghttp2_session_mem_recv() call paths
+Patch57:  0057-curl-7.61.1-consolidate-nghttp2-session-mem-recv.patch
+
+# when marked for closure and wanted to close == OK
+Patch58:  0058-curl-7.61.1-error-in-the-HTTP2-framing-layer.patch
+
+# lowercase the domain names before PSL checks (CVE-2023-46218)
+Patch59:  0059-curl-7.61.1-CVE-2023-46218.patch
+
+# lowercase headernames
+Patch60:  0060-curl-7.61.1-lowercase-headernames.patch
+
+# provide common cleanup method for push headers (CVE-2024-2398)
+Patch61:  0061-curl-7.61.1-CVE-2024-2398.patch
+
+# asyn-thread: create a socketpair to wait on
+Patch62:  0062-curl-7.61.1-socketpair-to-wait-on.patch
+
+# fix crash, when talking to a NTLM proxy in FIPS mode
+Patch63:  0063-curl-7.61.1-native-md5.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -296,66 +344,82 @@ be installed.
 %setup -q
 
 # upstream patches
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
 git init
 git apply %{PATCH4}
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch14 -p1
+%patch -P 5 -p1
+%patch -P 6 -p1
+%patch -P 7 -p1
+%patch -P 8 -p1
+%patch -P 9 -p1
+%patch -P 10 -p1
+%patch -P 11 -p1
+%patch -P 14 -p1
 
 # Fedora patches
-%patch101 -p1
-%patch102 -p1
-%patch103 -p1
-%patch104 -p1
+%patch -P 101 -p1
+%patch -P 102 -p1
+%patch -P 103 -p1
+%patch -P 104 -p1
 
 # use different port range for 32bit and 64bit builds, thus make it possible
 # to run both the builds in parallel on the same machine
-%patch105 -p1
+%patch -P 105 -p1
 sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448
 
 # upstream patches
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
-%patch35 -p1
-%patch36 -p1
-%patch37 -p1
+%patch -P 17 -p1
+%patch -P 18 -p1
+%patch -P 19 -p1
+%patch -P 20 -p1
+%patch -P 21 -p1
+%patch -P 22 -p1
+%patch -P 23 -p1
+%patch -P 24 -p1
+%patch -P 25 -p1
+%patch -P 26 -p1
+%patch -P 27 -p1
+%patch -P 28 -p1
+%patch -P 29 -p1
+%patch -P 30 -p1
+%patch -P 31 -p1
+%patch -P 32 -p1
+%patch -P 33 -p1
+%patch -P 34 -p1
+%patch -P 35 -p1
+%patch -P 36 -p1
+%patch -P 37 -p1
 
-%patch38 -p1
+%patch -P 38 -p1
 sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 
-%patch39 -p1
-%patch40 -p1
-%patch41 -p1
-%patch42 -p1
-%patch43 -p1
-%patch44 -p1
-%patch45 -p1
-%patch46 -p1
-%patch47 -p1
+%patch -P 39 -p1
+%patch -P 40 -p1
+%patch -P 41 -p1
+%patch -P 42 -p1
+%patch -P 43 -p1
+%patch -P 44 -p1
+%patch -P 45 -p1
+%patch -P 46 -p1
+%patch -P 47 -p1
+%patch -P 48 -p1
+%patch -P 49 -p1
+%patch -P 50 -p1
+%patch -P 51 -p1
+git apply %{PATCH52}
+%patch -P 53 -p1
+%patch -P 54 -p1
+%patch -P 55 -p1
+%patch -P 56 -p1
+%patch -P 57 -p1
+%patch -P 58 -p1
+%patch -P 59 -p1
+%patch -P 60 -p1
+%patch -P 61 -p1
+%patch -P 62 -p1
+%patch -P 63 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -518,6 +582,35 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Oct 30 2024 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.3
+- asyn-thread: create a socketpair to wait on (RHEL-34906)
+- fix crash, when talking to a NTLM proxy in FIPS mode (RHEL-32641)
+
+* Wed Aug 14 2024 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.2
+- provide common cleanup method for push headers (CVE-2024-2398)
+
+* Tue Jun 25 2024 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.1
+- fix incorrect backport of bz2229800 (RHEL-44684)
+
+* Tue Sep 19 2023 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34
+- when keyboard-interactive auth fails, try password (#2229800)
+- cap SFTP packet size sent (RHEL-5311)
+- unify the upload/method handling (CVE-2023-28322)
+- fix cookie injection with none file (CVE-2023-38546)
+- fix HTTP2 connection failure with HTTP2 framing layer (RHEL-5657)
+- lowercase the domain names before PSL checks (CVE-2023-46218)
+
+* Tue Jun 27 2023 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-33
+- fix host name wildcard checking (CVE-2023-28321)
+- rebuild certs with 2048-bit RSA keys
+
+* Thu Apr 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-32
+- sftp: do not specify O_APPEND when not in append mode (#2187717)
+
+* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-31
+- fix GSS delegation too eager connection re-use (CVE-2023-27536)
+- fix FTP too eager connection reuse (CVE-2023-27535)
+
 * Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30
 - fix HTTP multi-header compression denial of service (CVE-2023-23916)