import curl-7.76.1-23.el9

SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch

@@ -0,0 +1,136 @@
+From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 1/2] cookie: reject cookies with "control bytes"
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+
+Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index cb0c03b..e0470a1 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -383,6 +383,30 @@ static void strstore(char **str, const char *newstr)
+   *str = strdup(newstr);
+ }
+ 
++/*
++  RFC 6265 section 4.1.1 says a server should accept this range:
++
++  cookie-octet    = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
++
++  But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
++  fine. The prime reason for filtering out control bytes is that some HTTP
++  servers return 400 for requests that contain such.
++*/
++static int invalid_octets(const char *p)
++{
++  /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
++  static const char badoctets[] = {
++    "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
++    "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
++    "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
++  };
++  size_t vlen, len;
++  /* scan for all the octets that are *not* in cookie-octet */
++  len = strcspn(p, badoctets);
++  vlen = strlen(p);
++  return (len != vlen);
++}
++
+ /*
+  * remove_expired() removes expired cookies.
+  */
+@@ -567,6 +591,11 @@ Curl_cookie_add(struct Curl_easy *data,
+             badcookie = TRUE;
+             break;
+           }
++          if(invalid_octets(whatptr) || invalid_octets(name)) {
++            infof(data, "invalid octets in name/value, cookie dropped");
++            badcookie = TRUE;
++            break;
++          }
+         }
+         else if(!len) {
+           /* this was a "<name>=" with no content, and we must allow
+-- 
+2.37.1
+
+
+From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored
+
+Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/tests/data/test8 b/tests/data/test8
+index a8548e6..8587611 100644
+--- a/tests/data/test8
++++ b/tests/data/test8
+@@ -46,6 +46,36 @@ Set-Cookie: trailingspace    = removed; path=/we/want;
+ Set-Cookie: nocookie=yes; path=/WE;
+ Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
+ Set-Cookie: partialip=nono; domain=.0.0.1;
++Set-Cookie: cookie1=%hex[%01-junk]hex%
++Set-Cookie: cookie2=%hex[%02-junk]hex%
++Set-Cookie: cookie3=%hex[%03-junk]hex%
++Set-Cookie: cookie4=%hex[%04-junk]hex%
++Set-Cookie: cookie5=%hex[%05-junk]hex%
++Set-Cookie: cookie6=%hex[%06-junk]hex%
++Set-Cookie: cookie7=%hex[%07-junk]hex%
++Set-Cookie: cookie8=%hex[%08-junk]hex%
++Set-Cookie: cookie9=%hex[junk-%09-]hex%
++Set-Cookie: cookie11=%hex[%0b-junk]hex%
++Set-Cookie: cookie12=%hex[%0c-junk]hex%
++Set-Cookie: cookie14=%hex[%0e-junk]hex%
++Set-Cookie: cookie15=%hex[%0f-junk]hex%
++Set-Cookie: cookie16=%hex[%10-junk]hex%
++Set-Cookie: cookie17=%hex[%11-junk]hex%
++Set-Cookie: cookie18=%hex[%12-junk]hex%
++Set-Cookie: cookie19=%hex[%13-junk]hex%
++Set-Cookie: cookie20=%hex[%14-junk]hex%
++Set-Cookie: cookie21=%hex[%15-junk]hex%
++Set-Cookie: cookie22=%hex[%16-junk]hex%
++Set-Cookie: cookie23=%hex[%17-junk]hex%
++Set-Cookie: cookie24=%hex[%18-junk]hex%
++Set-Cookie: cookie25=%hex[%19-junk]hex%
++Set-Cookie: cookie26=%hex[%1a-junk]hex%
++Set-Cookie: cookie27=%hex[%1b-junk]hex%
++Set-Cookie: cookie28=%hex[%1c-junk]hex%
++Set-Cookie: cookie29=%hex[%1d-junk]hex%
++Set-Cookie: cookie30=%hex[%1e-junk]hex%
++Set-Cookie: cookie31=%hex[%1f-junk]hex%
++Set-Cookie: cookie31=%hex[%7f-junk]hex%
+ 
+ </file>
+ <precheck>
+@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ User-Agent: curl/%VERSION
+ Accept: */*
+-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk-	-
+ 
+ </protocol>
+ </verify>
+-- 
+2.37.1
+

SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch

@@ -0,0 +1,251 @@
+From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field
+
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+
+Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index d5e3b50..b8793b4 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -628,6 +628,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     }
+     else
+       data->set.method = HTTPREQ_GET;
++    data->set.upload = FALSE;
+     break;
+ 
+   case CURLOPT_HTTPPOST:
+-- 
+2.37.3
+
+
+From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:23:33 +0200
+Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle
+
+Reproduced #9507, verifies the fix
+
+Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc    |  1 +
+ tests/data/test1948        | 73 +++++++++++++++++++++++++++++++++++
+ tests/libtest/Makefile.inc |  5 +++
+ tests/libtest/lib1948.c    | 79 ++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 158 insertions(+)
+ create mode 100644 tests/data/test1948
+ create mode 100644 tests/libtest/lib1948.c
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 818ee08..0cfab9b 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -217,6 +217,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \
+ test1916 test1917 test1918 \
+ \
+ test1933 test1934 test1935 test1936 \
++test1948 \
+ \
+ test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \
+ test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \
+diff --git a/tests/data/test1948 b/tests/data/test1948
+new file mode 100644
+index 0000000..639523d
+--- /dev/null
++++ b/tests/data/test1948
+@@ -0,0 +1,73 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP POST
++HTTP PUT
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK
++Date: Thu, 01 Nov 2001 14:49:00 GMT
++Content-Type: text/html
++Content-Length: 6
++
++hello
++</data>
++<datacheck>
++HTTP/1.1 200 OK
++Date: Thu, 01 Nov 2001 14:49:00 GMT
++Content-Type: text/html
++Content-Length: 6
++
++hello
++HTTP/1.1 200 OK
++Date: Thu, 01 Nov 2001 14:49:00 GMT
++Content-Type: text/html
++Content-Length: 6
++
++hello
++</datacheck>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++
++<name>
++CURLOPT_POST after CURLOPT_UPLOAD reusing handle
++</name>
++<tool>
++lib%TESTNUMBER
++</tool>
++
++<command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++PUT /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Accept: */*
++Content-Length: 22
++Expect: 100-continue
++
++This is test PUT data
++POST /1948 HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Accept: */*
++Content-Length: 22
++Content-Type: application/x-www-form-urlencoded
++
++This is test PUT data
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 83a8af4..3192eca 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect                \
+  lib1591 lib1592 lib1593 lib1594 lib1596 \
+          lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
+          lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \
++ lib1948 \
+          lib3010
+ 
+ chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \
+@@ -690,6 +691,10 @@ lib1936_SOURCES = lib1936.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib1936_LDADD = $(TESTUTIL_LIBS)
+ lib1936_CPPFLAGS = $(AM_CPPFLAGS)
+ 
++lib1948_SOURCES = lib1948.c $(SUPPORTFILES)
++lib1948_LDADD = $(TESTUTIL_LIBS)
++lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948
++
+ lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib3010_LDADD = $(TESTUTIL_LIBS)
+ lib3010_CPPFLAGS = $(AM_CPPFLAGS)
+diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c
+new file mode 100644
+index 0000000..7c891a2
+--- /dev/null
++++ b/tests/libtest/lib1948.c
+@@ -0,0 +1,79 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "test.h"
++
++typedef struct
++{
++  char *buf;
++  size_t len;
++} put_buffer;
++
++static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream)
++{
++  put_buffer *putdata = (put_buffer *)stream;
++  size_t totalsize = size * nmemb;
++  size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize;
++  memcpy(ptr, putdata->buf, tocopy);
++  putdata->len -= tocopy;
++  putdata->buf += tocopy;
++  return tocopy;
++}
++
++int test(char *URL)
++{
++  CURL *curl;
++  CURLcode res = CURLE_OUT_OF_MEMORY;
++
++  curl_global_init(CURL_GLOBAL_DEFAULT);
++
++  curl = curl_easy_init();
++  if(curl) {
++    const char *testput = "This is test PUT data\n";
++    put_buffer pbuf;
++
++    /* PUT */
++    curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
++    curl_easy_setopt(curl, CURLOPT_HEADER, 1L);
++    curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback);
++    pbuf.buf = (char *)testput;
++    pbuf.len = strlen(testput);
++    curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf);
++    curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput));
++    res = curl_easy_setopt(curl, CURLOPT_URL, URL);
++    if(!res)
++      res = curl_easy_perform(curl);
++    if(!res) {
++      /* POST */
++      curl_easy_setopt(curl, CURLOPT_POST, 1L);
++      curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput);
++      curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput));
++      res = curl_easy_perform(curl);
++    }
++    curl_easy_cleanup(curl);
++  }
++
++  curl_global_cleanup();
++  return (int)res;
++}
+-- 
+2.37.3
+

SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch

@@ -0,0 +1,81 @@
+From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/smb.c    | 14 ++------------
+ lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 039d680..f682c1f 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
+ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
+ static CURLcode smb_do(struct Curl_easy *data, bool *done);
+ static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead);
+ static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
+@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = {
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = {
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+   return CURLE_OK;
+ }
+ 
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(data->req.p.smb);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead)
+ {
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 923c7f8..48cd0d7 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
+ 
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+-
+-  Curl_safefree(data->req.p.telnet);
+-
+   return CURLE_OK;
+ }
+ 
+-- 
+2.38.1
+

SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch

@@ -0,0 +1,678 @@
+From 95f873ff983a1ae57415b3c16a881e74432cf8b8 Mon Sep 17 00:00:00 2001
+From: Fabian Keil <fk@fabiankeil.de>
+Date: Tue, 9 Feb 2021 14:04:32 +0100
+Subject: [PATCH 1/4] runtests.pl: support the nonewline attribute for the data
+ part
+
+Added to FILEFORMAT
+
+Closes #8239
+
+Upstream-commit: 736847611a40c01e7c290407e22e2f0f5f8efd6a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/FILEFORMAT.md    |  5 ++++-
+ tests/runtests.pl      |  7 +++++++
+ tests/server/getpart.c | 11 ++++++++++-
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
+index b75a02a..0b98787 100644
+--- a/tests/FILEFORMAT.md
++++ b/tests/FILEFORMAT.md
+@@ -185,7 +185,7 @@ which are treated together as a single identifier.
+ 
+ ## `<reply>`
+ 
+-### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"]>`
++### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"]>`
+ 
+ data to be sent to the client on its request and later verified that it
+ arrived safely. Set `nocheck="yes"` to prevent the test script from verifying
+@@ -211,6 +211,9 @@ much sense for other sections than "data").
+ `hex=yes` means that the data is a sequence of hex pairs. It will get decoded
+ and used as "raw" data.
+ 
++`nonewline=yes` means that the last byte (the trailing newline character)
++should be cut off from the data before sending or comparing it.
++
+ For FTP file listings, the `<data>` section will be used *only* if you make
+ sure that there has been a CWD done first to a directory named `test-[num]`
+ where [num] is the test case number. Otherwise the ftp server can't know from
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 40315aa..2e1500d 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -3837,6 +3837,13 @@ sub singletest {
+     else {
+         # check against the data section
+         @reply = getpart("reply", "data");
++        if(@reply) {
++            my %hash = getpartattr("reply", "data");
++            if($hash{'nonewline'}) {
++                # cut off the final newline from the final line of the data
++                chomp($reply[$#reply]);
++            }
++        }
+         # get the mode attribute
+         my $filemode=$replyattr{'mode'};
+         if($filemode && ($filemode eq "text") && $has_textaware) {
+diff --git a/tests/server/getpart.c b/tests/server/getpart.c
+index 32b55bc..f8fe3f6 100644
+--- a/tests/server/getpart.c
++++ b/tests/server/getpart.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -295,6 +295,7 @@ int getpart(char **outbuf, size_t *outlen,
+   size_t outalloc = 256;
+   int in_wanted_part = 0;
+   int base64 = 0;
++  int nonewline = 0;
+   int error;
+ 
+   enum {
+@@ -360,6 +361,8 @@ int getpart(char **outbuf, size_t *outlen,
+             if(error)
+               return error;
+           }
++          if(nonewline)
++            (*outlen)--;
+           break;
+         }
+       }
+@@ -377,6 +380,8 @@ int getpart(char **outbuf, size_t *outlen,
+             if(error)
+               return error;
+           }
++          if(nonewline)
++            (*outlen)--;
+           break;
+         }
+       }
+@@ -451,6 +456,10 @@ int getpart(char **outbuf, size_t *outlen,
+               /* bit rough test, but "mostly" functional, */
+               /* treat wanted part data as base64 encoded */
+               base64 = 1;
++          if(strstr(patt, "nonewline=")) {
++            show(("* setting nonewline\n"));
++            nonewline = 1;
++          }
+         }
+         continue;
+       }
+-- 
+2.39.1
+
+
+From 6e244e1bcb04012e11c537253e76e6f968d8bb72 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 1 Dec 2022 09:21:04 +0100
+Subject: [PATCH 2/4] runtests: do CRLF replacements per section only
+
+The `crlf="yes"` attribute and "hyper mode" are now only applied on a
+subset of dedicated sections: data, datacheck, stdout and protocol.
+
+Updated test 2500 accordingly.
+
+Also made test1 use crlf="yes" for <protocol>, mostly because it is
+often used as a template test case. Going forward, using this attribute
+we should be able to write test cases using linefeeds only and avoid
+mixed line ending encodings.
+
+Follow-up to ca15b7512e8d11
+
+Fixes #10009
+Closes #10010
+
+Upstream-commit: 2f34a7347f315513bfda9ef14770d287fb246bcd
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/FILEFORMAT.md | 22 +++++++++++++++------
+ tests/data/test1    | 14 ++++++-------
+ tests/runtests.pl   | 48 ++++++++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 68 insertions(+), 16 deletions(-)
+
+diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
+index c1fbc57..dcb5695 100644
+--- a/tests/FILEFORMAT.md
++++ b/tests/FILEFORMAT.md
+@@ -185,7 +185,7 @@ which are treated together as a single identifier.
+ 
+ ## `<reply>`
+ 
+-### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"]>`
++### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"] [crlf="yes"]>`
+ 
+ data to be sent to the client on its request and later verified that it
+ arrived safely. Set `nocheck="yes"` to prevent the test script from verifying
+@@ -214,12 +214,16 @@ and used as "raw" data.
+ `nonewline=yes` means that the last byte (the trailing newline character)
+ should be cut off from the data before sending or comparing it.
+ 
++`crlf=yes` forces *header* newlines to become CRLF even if not written so in
++the source file. Note that this makes runtests.pl parse and "guess" what is a
++header and what is not in order to apply the CRLF line endings appropriately.
++
+ For FTP file listings, the `<data>` section will be used *only* if you make
+ sure that there has been a CWD done first to a directory named `test-[num]`
+ where [num] is the test case number. Otherwise the ftp server can't know from
+ which test file to load the list content.
+ 
+-### `<dataNUM>`
++### `<dataNUM [crlf="yes"]>`
+ 
+ Send back this contents instead of the <data> one. The num is set by:
+ 
+@@ -243,7 +247,7 @@ The connect section is used instead of the 'data' for all CONNECT
+ requests. The remainder of the rules for the data section then apply but with
+ a connect prefix.
+ 
+-### `<datacheck [mode="text"] [nonewline="yes"]>`
++### `<datacheck [mode="text"] [nonewline="yes"] [crlf="yes"]>`
+ if the data is sent but this is what should be checked afterwards. If
+ `nonewline=yes` is set, runtests will cut off the trailing newline from the
+ data before comparing with the one actually received by the client.
+@@ -251,7 +255,7 @@ data before comparing with the one actually received by the client.
+ Use the `mode="text"` attribute if the output is in text mode on platforms
+ that have a text/binary difference.
+ 
+-### `<datacheckNUM [nonewline="yes"] [mode="text"]>`
++### `<datacheckNUM [nonewline="yes"] [mode="text"] [crlf="yes"]>`
+ The contents of numbered datacheck sections are appended to the non-numbered
+ one.
+ 
+@@ -528,13 +532,16 @@ changing protocol data such as port numbers or user-agent strings.
+ One perl op per line that operates on the protocol dump. This is pretty
+ advanced. Example: `s/^EPRT .*/EPRT stripped/`.
+ 
+-### `<protocol [nonewline="yes"]>`
++### `<protocol [nonewline="yes"] crlf="yes">`
+ 
+ the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
+ the trailing newline of this given data before comparing with the one actually
+ sent by the client The `<strip>` and `<strippart>` rules are applied before
+ comparisons are made.
+ 
++`crlf=yes` forces the newlines to become CRLF even if not written so in the
++test.
++
+ ### `<proxy [nonewline="yes"]>`
+ 
+ The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
+@@ -551,7 +558,7 @@ have a text/binary difference.
+ If 'nonewline' is set, we will cut off the trailing newline of this given data
+ before comparing with the one actually received by the client
+ 
+-### `<stdout [mode="text"] [nonewline="yes"]>`
++### `<stdout [mode="text"] [nonewline="yes"] [crlf="yes"]>`
+ This verifies that this data was passed to stdout.
+ 
+ Use the mode="text" attribute if the output is in text mode on platforms that
+@@ -560,6 +567,9 @@ have a text/binary difference.
+ If 'nonewline' is set, we will cut off the trailing newline of this given data
+ before comparing with the one actually received by the client
+ 
++`crlf=yes` forces the newlines to become CRLF even if not written so in the
++test.
++
+ ### `<file name="log/filename" [mode="text"]>`
+ The file's contents must be identical to this after the test is complete.  Use
+ the mode="text" attribute if the output is in text mode on platforms that have
+diff --git a/tests/data/test1 b/tests/data/test1
+index f39a08b..700bed8 100644
+--- a/tests/data/test1
++++ b/tests/data/test1
+@@ -9,7 +9,7 @@ HTTP GET
+ #
+ # Server-side
+ <reply>
+-<data>
++<data crlf="yes">
+ HTTP/1.1 200 OK
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+ #
+ # Verify data after the test has been "shot"
+ <verify>
+-<protocol>
+-GET /%TESTNUMBER HTTP/1.1
+-Host: %HOSTIP:%HTTPPORT
+-User-Agent: curl/%VERSION
+-Accept: */*
+-
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
+ </protocol>
+ </verify>
+ </testcase>
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 72a9989..b12a42d 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -3410,7 +3410,13 @@ sub subBase64 {
+ 
+ my $prevupdate;
+ sub subNewlines {
+-    my ($thing) = @_;
++    my ($force, $thing) = @_;
++
++    if($force) {
++        # enforce CRLF newline
++        $$thing =~ s/\x0d*\x0a/\x0d\x0a/;
++        return;
++    }
+ 
+     # When curl is built with Hyper, it gets all response headers delivered as
+     # name/value pairs and curl "invents" the newlines when it saves the
+@@ -3424,7 +3430,7 @@ sub subNewlines {
+         # skip curl error messages
+         ($$thing !~ /^curl: \(\d+\) /))) {
+         # enforce CRLF newline
+-        $$thing =~ s/\x0a/\x0d\x0a/;
++        $$thing =~ s/\x0d*\x0a/\x0d\x0a/;
+         $prevupdate = 1;
+     }
+     else {
+@@ -3496,6 +3502,7 @@ sub prepro {
+     my (@entiretest) = @_;
+     my $show = 1;
+     my @out;
++    my $data_crlf;
+     for my $s (@entiretest) {
+         my $f = $s;
+         if($s =~ /^ *%if (.*)/) {
+@@ -3519,9 +3526,19 @@ sub prepro {
+             next;
+         }
+         if($show) {
++            # The processor does CRLF replacements in the <data*> sections if
++            # necessary since those parts might be read by separate servers.
++            if($s =~ /^ *<data(.*)\>/) {
++                if($1 =~ /crlf="yes"/ || $has_hyper) {
++                    $data_crlf = 1;
++                }
++            }
++            elsif(($s =~ /^ *<\/data/) && $data_crlf) {
++                $data_crlf = 0;
++            }
+             subVariables(\$s, $testnum, "%");
+             subBase64(\$s);
+-            subNewlines(\$s) if($has_hyper);
++            subNewlines(0, \$s) if($data_crlf);
+             push @out, $s;
+         }
+     }
+@@ -3830,6 +3847,11 @@ sub singletest {
+                     # of the datacheck
+                     chomp($replycheckpart[$#replycheckpart]);
+                 }
++                if($replycheckpartattr{'crlf'} ||
++                   ($has_hyper && ($keywords{"HTTP"}
++                                   || $keywords{"HTTPS"}))) {
++                    map subNewlines(0, \$_), @replycheckpart;
++                }
+                 push(@reply, @replycheckpart);
+             }
+         }
+@@ -3851,6 +3873,11 @@ sub singletest {
+             map s/\r\n/\n/g, @reply;
+             map s/\n/\r\n/g, @reply;
+         }
++        if($replyattr{'crlf'} ||
++           ($has_hyper && ($keywords{"HTTP"}
++                           || $keywords{"HTTPS"}))) {
++            map subNewlines(0, \$_), @reply;
++        }
+     }
+ 
+     # this is the valid protocol blurb curl should generate
+@@ -4287,6 +4314,12 @@ sub singletest {
+             chomp($validstdout[$#validstdout]);
+         }
+ 
++        if($hash{'crlf'} ||
++           ($has_hyper && ($keywords{"HTTP"}
++                           || $keywords{"HTTPS"}))) {
++            map subNewlines(0, \$_), @validstdout;
++        }
++
+         $res = compare($testnum, $testname, "stdout", \@actual, \@validstdout);
+         if($res) {
+             return $errorreturncode;
+@@ -4381,6 +4414,10 @@ sub singletest {
+             }
+         }
+ 
++        if($hash{'crlf'}) {
++            map subNewlines(1, \$_), @protstrip;
++        }
++
+         if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) {
+             logmsg "\n $testnum: protocol FAILED!\n".
+                 " There was no content at all in the file $SERVERIN.\n".
+@@ -4512,6 +4549,11 @@ sub singletest {
+                 map s/\r\n/\n/g, @outfile;
+                 map s/\n/\r\n/g, @outfile;
+             }
++            if($hash{'crlf'} ||
++               ($has_hyper && ($keywords{"HTTP"}
++                               || $keywords{"HTTPS"}))) {
++                map subNewlines(0, \$_), @outfile;
++            }
+ 
+             my $strip;
+             for $strip (@stripfile) {
+-- 
+2.39.1
+
+
+From 228ed11bf33c63d9208a3fb38fe5a0d19c0764bd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH 3/4] runtests: support crlf="yes" for verify/proxy
+
+Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/FILEFORMAT.md | 4 ++--
+ tests/runtests.pl   | 5 +++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
+index dcb5695..6646793 100644
+--- a/tests/FILEFORMAT.md
++++ b/tests/FILEFORMAT.md
+@@ -532,7 +532,7 @@ changing protocol data such as port numbers or user-agent strings.
+ One perl op per line that operates on the protocol dump. This is pretty
+ advanced. Example: `s/^EPRT .*/EPRT stripped/`.
+ 
+-### `<protocol [nonewline="yes"] crlf="yes">`
++### `<protocol [nonewline="yes"][crlf="yes"]>`
+ 
+ the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
+ the trailing newline of this given data before comparing with the one actually
+@@ -542,7 +542,7 @@ comparisons are made.
+ `crlf=yes` forces the newlines to become CRLF even if not written so in the
+ test.
+ 
+-### `<proxy [nonewline="yes"]>`
++### `<proxy [nonewline="yes"][crlf="yes"]>`
+ 
+ The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
+ server is used), if 'nonewline' is set, we will cut off the trailing newline
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index b12a42d..5cdc83d 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -4510,6 +4510,11 @@ sub singletest {
+             }
+         }
+ 
++        if($hash{'crlf'} ||
++           ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) {
++            map subNewlines(0, \$_), @protstrip;
++        }
++
+         $res = compare($testnum, $testname, "proxy", \@out, \@protstrip);
+         if($res) {
+             return $errorreturncode;
+-- 
+2.39.1
+
+
+From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 13 Feb 2023 08:33:09 +0100
+Subject: [PATCH 4/4] content_encoding: do not reset stage counter for each
+ header
+
+Test 418 verifies
+
+Closes #10492
+
+Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/content_encoding.c  |   7 +-
+ lib/urldata.h           |   1 +
+ tests/data/Makefile.inc |   1 +
+ tests/data/test387      |   2 +-
+ tests/data/test418      | 152 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 158 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test418
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index bfc13e2..94344d6 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1033,7 +1033,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
+-  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1068,9 +1067,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
+-      if(++counter >= MAX_ENCODE_STACK) {
+-        failf(data, "Reject response due to %u content encodings",
+-              counter);
++      if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to more than %u content encodings",
++              MAX_ENCODE_STACK);
+         return CURLE_BAD_CONTENT_ENCODING;
+       }
+       /* Stack the unencoding stage. */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 5b4b34f..8c8c20b 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -700,6 +700,7 @@ struct SingleRequest {
+ #ifndef CURL_DISABLE_DOH
+   struct dohdata *doh; /* DoH specific data for this request */
+ #endif
++  unsigned char writer_stack_depth; /* Unencoding stack depth. */
+   BIT(header);       /* incoming data has HTTP header */
+   BIT(content_range); /* set TRUE if Content-Range: was found */
+   BIT(upload_done);  /* set to TRUE when doing chunked transfer-encoding
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index fb51cd6..86b6f85 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -67,6 +67,7 @@ test393 test394 test395 test396 test397 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+ test409 test410 \
++        test418 \
+ \
+ test430 test431 test432 test433 test434 \
+ \
+diff --git a/tests/data/test387 b/tests/data/test387
+index 015ec25..644fc7f 100644
+--- a/tests/data/test387
++++ b/tests/data/test387
+@@ -47,7 +47,7 @@ Accept: */*
+ 61
+ </errorcode>
+ <stderr mode="text">
+-curl: (61) Reject response due to 5 content encodings
++curl: (61) Reject response due to more than 5 content encodings
+ </stderr>
+ </verify>
+ </testcase>
+diff --git a/tests/data/test418 b/tests/data/test418
+new file mode 100644
+index 0000000..50e974e
+--- /dev/null
++++ b/tests/data/test418
+@@ -0,0 +1,152 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++gzip
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Response with multiple Transfer-Encoding headers
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++<errorcode>
++61
++</errorcode>
++<stderr mode="text">
++curl: (61) Reject response due to more than 5 content encodings
++</stderr>
++</verify>
++</testcase>
+-- 
+2.39.1
+

SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch

@@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
 index 080421b..ea3b806 100644
 --- a/tests/libtest/Makefile.inc
 +++ b/tests/libtest/Makefile.inc
-@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+@@ -593,6 +593,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
  lib1559_LDADD = $(TESTUTIL_LIBS)
  
  lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)

SPECS/curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 19%{?dist}
+Release: 23%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
 
@@ -62,6 +62,18 @@ Patch19:  0019-curl-7.76.1-CVE-2022-32207.patch
 # fix build failure caused by openldap rebase (#2094159)
 Patch20:  0020-curl-7.76.1-openldap-rebase.patch
 
+# control code in cookie denial of service (CVE-2022-35252)
+Patch21:  0021-curl-7.76.1-CVE-2022-35252.patch
+
+# fix POST following PUT confusion (CVE-2022-32221)
+Patch22:  0022-curl-7.76.1-CVE-2022-32221.patch
+
+# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
+Patch23:  0023-curl-7.76.1-CVE-2022-43552.patch
+
+# fix HTTP multi-header compression denial of service (CVE-2023-23916)
+Patch24:  0024-curl-7.76.1-CVE-2023-23916.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -256,6 +268,10 @@ be installed.
 %patch17 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -282,6 +298,11 @@ echo "582" >> tests/data/DISABLED
 printf "702\n703\n716\n" >> tests/data/DISABLED
 %endif
 
+# temporarily disable tests 2034 2037 2041 on aarch64
+%ifarch aarch64
+printf "2034\n2037\n2041\n" >> tests/data/DISABLED
+%endif
+
 # adapt test 323 for updated OpenSSL
 sed -e 's|^35$|35,52|' -i tests/data/test323
 
@@ -476,6 +497,18 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23
+- fix HTTP multi-header compression denial of service (CVE-2023-23916)
+
+* Wed Dec 21 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-22
+- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
+
+* Wed Oct 26 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-21
+- fix POST following PUT confusion (CVE-2022-32221)
+
+* Fri Sep 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-20
+- control code in cookie denial of service (CVE-2022-35252)
+
 * Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-19
 - fix unpreserved file permissions (CVE-2022-32207)
 - fix HTTP compression denial of service (CVE-2022-32206)