diff --git a/0001-curl-7.61.1-test320-gnutls.patch b/0001-curl-7.61.1-test320-gnutls.patch
deleted file mode 100644
index a9cbaac..0000000
--- a/0001-curl-7.61.1-test320-gnutls.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Thu, 4 Oct 2018 15:34:13 +0200
-Subject: [PATCH] test320: strip out more HTML when comparing
-
-To make the test case work with different gnutls-serv versions better.
-
-Reported-by: Kamil Dudka
-Fixes #3093
-Closes #3094
-
-Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3
-Signed-off-by: Kamil Dudka
----
- tests/data/test320 | 24 ++++--------------------
- 1 file changed, 4 insertions(+), 20 deletions(-)
-
-diff --git a/tests/data/test320 b/tests/data/test320
-index 457a11eb2..87311d4f2 100644
---- a/tests/data/test320
-+++ b/tests/data/test320
-@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response
- HTTP/1.0 200 OK
- Content-type: text/html
-
--
--
--
--
--
--
--If your browser supports session resuming, then you should see the same session ID, when you press the reload button.
--Connected as user 'jsmith'.
--
--
|
--Key Exchange: | SRP |
--Compression | NULL |
--Cipher | AES-NNN-CBC |
--MAC | SHA1 |
--Ciphersuite | SRP_SHA_AES_NNN_CBC_SHA1 |
--
Your HTTP header was:
Host: %HOSTIP:%HTTPTLSPORT
-+FINE
- User-Agent: curl-test-suite
- Accept: */*
-
--
--
--
-
-
--s/^Session ID:.*//
-+s/^
Connected as user 'jsmith'.*/FINE/
- s/Protocol version:.*[0-9]//
- s/GNUTLS/GnuTLS/
- s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/
-+s/^<.*\n//
-+s/^\n//
-
-
-
---
-2.17.1
-
diff --git a/0002-curl-7.61.1-tlsv1.0-man.patch b/0002-curl-7.61.1-tlsv1.0-man.patch
deleted file mode 100644
index f384366..0000000
--- a/0002-curl-7.61.1-tlsv1.0-man.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From c574e05b0035f0d78e6bf6040d3f80430112ab4f Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Fri, 7 Sep 2018 16:50:45 +0200
-Subject: [PATCH] docs/cmdline-opts: update the documentation of --tlsv1.0
-
-... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9
-
-Closes #2955
-
-Upstream-commit: 9ba22ce6b52751ed1e2abdd177b0a1d241819b4e
-Signed-off-by: Kamil Dudka
----
- docs/cmdline-opts/tlsv1.0.d | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs/cmdline-opts/tlsv1.0.d b/docs/cmdline-opts/tlsv1.0.d
-index 8789025e0..54e259682 100644
---- a/docs/cmdline-opts/tlsv1.0.d
-+++ b/docs/cmdline-opts/tlsv1.0.d
-@@ -3,4 +3,4 @@ Help: Use TLSv1.0
- Protocols: TLS
- Added: 7.34.0
- ---
--Forces curl to use TLS version 1.0 when connecting to a remote TLS server.
-+Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server.
---
-2.17.1
-
diff --git a/0003-curl-7.61.1-TLS-1.3-PHA.patch b/0003-curl-7.61.1-TLS-1.3-PHA.patch
deleted file mode 100644
index 99273ac..0000000
--- a/0003-curl-7.61.1-TLS-1.3-PHA.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Fri, 21 Sep 2018 10:37:43 +0200
-Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth
-
-OpenSSL 1.1.1 requires clients to opt-in for post-handshake
-authentication.
-
-Fixes: https://github.com/curl/curl/issues/3026
-Signed-off-by: Christian Heimes
-
-Closes https://github.com/curl/curl/pull/3027
-
-Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452
-Signed-off-by: Kamil Dudka
----
- lib/vtls/openssl.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index a487f55..78970d1 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void)
- !defined(LIBRESSL_VERSION_NUMBER) && \
- !defined(OPENSSL_IS_BORINGSSL))
- #define HAVE_SSL_CTX_SET_CIPHERSUITES
-+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
- #endif
-
- #if defined(LIBRESSL_VERSION_NUMBER)
-@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
- }
- #endif
-
-+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
-+ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
-+ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
-+#endif
-+
- #ifdef USE_TLS_SRP
- if(ssl_authtype == CURL_TLSAUTH_SRP) {
- char * const ssl_username = SSL_SET_OPTION(username);
---
-2.17.1
-
diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch
index 532980e..613106d 100644
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@@ -22,7 +22,7 @@ index 150004d..95d0759 100644
;;
--prefix)
-@@ -143,32 +143,17 @@ while test $# -gt 0; do
+@@ -155,32 +155,17 @@ while test $# -gt 0; do
;;
--libs)
diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch
index bbb253f..495fe63 100644
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@@ -12,7 +12,7 @@ diff --git a/configure b/configure
index 8f079a3..53b4774 100755
--- a/configure
+++ b/configure
-@@ -16414,18 +16414,11 @@ $as_echo "yes" >&6; }
+@@ -16421,18 +16421,11 @@ $as_echo "yes" >&6; }
gccvhi=`echo $gccver | cut -d . -f1`
gccvlo=`echo $gccver | cut -d . -f2`
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch
index f66b6c0..56485fe 100644
--- a/0103-curl-7.59.0-python3.patch
+++ b/0103-curl-7.59.0-python3.patch
@@ -1,88 +1,23 @@
-From bdba7b54224814055185513de1e7ff6619031553 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Thu, 15 Mar 2018 13:21:40 +0100
-Subject: [PATCH 1/2] tests/http_pipe.py: migrate to Python 3
-
----
- tests/http_pipe.py | 4 ++--
- tests/runtests.pl | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tests/http_pipe.py b/tests/http_pipe.py
-index bc32173..75ac165 100755
---- a/tests/http_pipe.py
-+++ b/tests/http_pipe.py
-@@ -383,13 +383,13 @@ class PipelineRequestHandler(socketserver.BaseRequestHandler):
- self.request.setblocking(True)
- if not new_data:
- return
-- new_requests = self._request_parser.ParseAdditionalData(new_data)
-+ new_requests = self._request_parser.ParseAdditionalData(new_data.decode('utf8'))
- self._response_builder.QueueRequests(
- new_requests, self._request_parser.were_all_requests_http_1_1)
- self._num_queued += len(new_requests)
- self._last_queued_time = time.time()
- elif fileno in wlist:
-- num_bytes_sent = self.request.send(self._send_buffer[0:4096])
-+ num_bytes_sent = self.request.send(self._send_buffer[0:4096].encode('utf8'))
- self._send_buffer = self._send_buffer[num_bytes_sent:]
- time.sleep(0.05)
-
-diff --git a/tests/runtests.pl b/tests/runtests.pl
-index d6aa5ca..4d395ef 100755
---- a/tests/runtests.pl
-+++ b/tests/runtests.pl
-@@ -1439,7 +1439,7 @@ sub runhttpserver {
- elsif($alt eq "pipe") {
- # basically the same, but another ID
- $idnum = 3;
-- $exe = "python $srcdir/http_pipe.py";
-+ $exe = "python3 $srcdir/http_pipe.py";
- $verbose_flag .= "1 ";
- }
- elsif($alt eq "unix") {
---
-2.14.3
-
-
From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Thu, 15 Mar 2018 14:49:56 +0100
-Subject: [PATCH 2/2] tests/{negtelnet,smb}server.py: migrate to Python 3
+Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3
Unfortunately, smbserver.py does not work with Python 3 because
there is no 'impacket' module available for Python 3:
https://github.com/CoreSecurity/impacket/issues/61
---
- tests/negtelnetserver.py | 12 ++++++------
- tests/smbserver.py | 4 ++--
- 2 files changed, 8 insertions(+), 8 deletions(-)
+ tests/negtelnetserver.py | 4 ++--
+ tests/smbserver.py | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
index 8cfd409..72ee771 100755
--- a/tests/negtelnetserver.py
+++ b/tests/negtelnetserver.py
-@@ -23,7 +23,7 @@ IDENT = "NTEL"
-
- # The strings that indicate the test framework is checking our aliveness
- VERIFIED_REQ = b"verifiedserver"
--VERIFIED_RSP = b"WE ROOLZ: {pid}"
-+VERIFIED_RSP = "WE ROOLZ: {pid}"
-
-
- def telnetserver(options):
-@@ -34,7 +34,7 @@ def telnetserver(options):
- if options.pidfile:
- pid = os.getpid()
- with open(options.pidfile, "w") as f:
-- f.write(b"{0}".format(pid))
-+ f.write("{0}".format(pid))
-
- local_bind = (HOST, options.port)
- log.info("Listening on %s", local_bind)
@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
- response_data = VERIFIED_RSP.format(pid=os.getpid())
+ response_data = response.encode('ascii')
else:
log.debug("Received normal request - echoing back")
- response_data = data.strip()
@@ -95,24 +30,6 @@ index 8cfd409..72ee771 100755
except IOError:
log.exception("IOError hit during request")
-@@ -132,7 +132,7 @@ class Negotiator(object):
- return buffer
-
- def byte_to_int(self, byte):
-- return struct.unpack(b'B', byte)[0]
-+ return int(byte)
-
- def no_neg(self, byte, byte_int, buffer):
- # Not negotiating anything thus far. Check to see if we
-@@ -197,7 +197,7 @@ class Negotiator(object):
- self.tcp.sendall(packed_message)
-
- def pack(self, arr):
-- return struct.pack(b'{0}B'.format(len(arr)), *arr)
-+ return struct.pack('{0}B'.format(len(arr)), *arr)
-
- def send_iac(self, arr):
- message = [NegTokens.IAC]
diff --git a/tests/smbserver.py b/tests/smbserver.py
index 195ae39..b09cd44 100755
--- a/tests/smbserver.py
diff --git a/curl-7.61.1.tar.xz.asc b/curl-7.61.1.tar.xz.asc
deleted file mode 100644
index 6a1e664..0000000
--- a/curl-7.61.1.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAluPblgACgkQXMkI/bce
-EsJynAgArST/gB9eVYIQTTAdXxCOSnArBK/Ne/UNW83QIgOawj0HvEpj9+1SNfTi
-EwC5YSwymyMuKGTDLNswTnJ0MripRKylekfu1QGGzmIOkqovTiHz60xiFuWYI3vy
-fYuAAse5MJz64GCVFwOM4me8SgEjtb/hIbhiCLqilOyXnqtocDm4FPCMAYQ1mTFy
-RJBbwgDLwtktfBDCQyMXTeETGuk3bTrtvSwRv8+Rq8qehOt5s58Fqeztv8EVNi+B
-Qzsi5NXMulgl3C0P3dN/cC81+OL75ehuE91AFXUmbNOnlYNTOxHR2dioaXaEyhKb
-51KLH2D0G75wlfMbgMhX/rguuXT2rg==
-=vM6i
------END PGP SIGNATURE-----
diff --git a/curl-7.62.0.tar.xz.asc b/curl-7.62.0.tar.xz.asc
new file mode 100644
index 0000000..230438a
--- /dev/null
+++ b/curl-7.62.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlvZT5wACgkQXMkI/bce
+EsJG4gf+IY2RkT9d7SIBAanHOD2NeT4UtPAOVRVtpW8dD9TIJq4IKOqv8CpcCCRq
+OZPJovdxM0qmXcrX2Dlf3zpPuY+bSzBW/xUYsKBBTTXhdUh5dv1Tz3HR6JzMHyT4
+hQm1mj6eFHFvayUKxoeQwiw3SkvW6WIlAySwEBzIzaE7icwvJ2dPO7xUOJWLXk/F
+pDRCAuHqIIgNzNph0EKXkvLWz5poBzGaK9kpJxmeaS3aWpe0EZ4+N6ju2GfHK5jO
+VQSuLWDHCZulv1eve+LOxgRjp/5kqQ/PPc3/99mEOxGRUxwCWVMEWGklAungn4bX
+nBPWNGArGJq2+kMP7v5pr0onBz6wxg==
+=CWQL
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index d3366ac..70e148e 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,19 +1,10 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
-Version: 7.61.1
-Release: 3%{?dist}
+Version: 7.62.0
+Release: 1%{?dist}
License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
-# test320: update expected output for gnutls-3.6.4
-Patch1: 0001-curl-7.61.1-test320-gnutls.patch
-
-# update the documentation of --tlsv1.0 in curl(1) man page
-Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch
-
-# enable TLS 1.3 post-handshake auth in OpenSSL
-Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch
-
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
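Review bot: The `Source:` line in this hunk is the only source declared in the visible preamble, so the `curl-7.62.0.tar.xz.asc` signature added by this commit appears to be stored in the repository without being checked at build time. If so, the integrity of a tarball pulled in for three CVE fixes rests on the SHA512 entry in `sources` alone, which only shows that the build uses the file the packager uploaded, not that upstream signed it. Consider declaring the signature as `Source1: https://curl.haxx.se/download/%{name}-%{version}.tar.xz.asc`, shipping the upstream release key as a further source, and verifying the tarball in `%prep` before `%setup -q`, for example with the `%{gpgverify}` macro where the build root provides it. The rest of the preamble and `%prep` lie outside the visible hunks, so confirm this is not already done elsewhere in the spec.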
@@ -172,9 +163,6 @@ be installed.
%setup -q
# upstream patches
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
# Fedora patches
%patch101 -p1
@@ -341,6 +329,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
+* Wed Oct 31 2018 Kamil Dudka - 7.62.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2018-16839 - SASL password overflow via integer overflow
+ CVE-2018-16840 - use-after-free in handle close
+ CVE-2018-16842 - warning message out-of-buffer read
+
* Thu Oct 11 2018 Kamil Dudka - 7.61.1-3
- enable TLS 1.3 post-handshake auth in OpenSSL
- update the documentation of --tlsv1.0 in curl(1) man page
diff --git a/sources b/sources
index 717a22e..f127541 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.61.1.tar.xz) = e6f82a7292c70841162480c8880d25046bcfa64058f4ff76f7d398c85da569af1c244442c9c58a3478d59264365ff8e39eed2fb564cb137118588f7862e64e9a
+SHA512 (curl-7.62.0.tar.xz) = 3aace2fc85e1d5ac06a3208980f887b5f1de5e2a1460e130b15cff3f7e5700b958cbb8f296483290961ef41f550245590067f86558dbba25e3d3ac10cec1adcd