From c829072f9fee134adc18797198988f3aac885673 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 9 Dec 2020 10:30:08 +0100
Subject: [PATCH] new upstream release - 7.74.0
Resolves: CVE-2020-8286 - curl: Inferior OCSP verification
Resolves: CVE-2020-8285 - libcurl: FTP wildcard stack overflow
Resolves: CVE-2020-8284 - curl: trusting FTP PASV responses
---
 0101-curl-7.32.0-multilib.patch | 4 ++--
 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +-
 curl-7.73.0.tar.xz.asc | 11 -----------
 curl-7.74.0.tar.xz.asc | 11 +++++++++++
 curl.spec | 12 +++++++++---
 sources | 2 +-
 6 files changed, 24 insertions(+), 18 deletions(-)
 delete mode 100644 curl-7.73.0.tar.xz.asc
 create mode 100644 curl-7.74.0.tar.xz.asc
diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch
index 295120e..46c8986 100644
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@@ -85,7 +85,7 @@ index 2ba9c39..f8f8b00 100644 +configure_options=@CONFIGURE_OPTIONS@ Name: libcurl - URL: https://curl.haxx.se/ + URL: https://curl.se/ -- -2.5.0 +2.26.2
diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch
index c0d390b..f99a737 100644
--- a/0105-curl-7.63.0-lib1560-valgrind.patch
+++ b/0105-curl-7.63.0-lib1560-valgrind.patch
@@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -586,6 +586,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -587,6 +587,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
diff --git a/curl-7.73.0.tar.xz.asc b/curl-7.73.0.tar.xz.asc
deleted file mode 100644
index 41b3394..0000000
--- a/curl-7.73.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl+GkkYACgkQXMkI/bce
-EsI5vwf+NwIw3Jmn9lW7/VHNgFWB1Qa0gB4KlDISM2qG9CHzeIW8K50g2JiIAuLa
-CVOfuMi/jg1r2INRLErZzdGDtD71TzjaEv6A/dxWL+k5/ieFxmH5iC80rYWi8EE9
-sv/bx8vEq8ikIqqV7KxYPlX8xMJBMfCs+TNQbzYM3WUDMLYJLpuNiWrzS6h8+mPq
-4w8qYyrNI5x/J3HSJuzyoJy0ueQOQ6CaZwV/ViGBLmFkMKgsAXJu9ImRMmJXKAk5
-MLiVUKI1KpHJNHZS5pLIP5wrjIN3z7FIRxThJ6f/IqUF1mIc6MNnqcER6lBtxeq4
-SuRq9Dx5W2en/g+I5iic8GwkDD+U6A==
-=W3Yh
------END PGP SIGNATURE-----
diff --git a/curl-7.74.0.tar.xz.asc b/curl-7.74.0.tar.xz.asc
new file mode 100644
index 0000000..2712a60
--- /dev/null
+++ b/curl-7.74.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl/QcZ8ACgkQXMkI/bce
+EsJYnggAs5MbJByXsUEI3LzdRvjb2s/dNS/+ubJ98GL+ed8uVsLmGxdF0fS9EPVX
++KoaYbaZwjZJH43+UyqtoFr4GQKhxxhcyZi3477s9Ws9x60yEA21oIggkQLF6X+E
+OEymG0YmNUn/6vvWizCWZtE7TkoWAXEzPLyVbBzoFzfmgzxiQ9//usKCaDh/nCWA
+kouxubBJbpdjk8KTnVf5HMP5PJKs9LeiVh9B2F+Rq1cEvzLrxNlDYptEgH/ml5Sd
+WsWeWttngs2pnZu0pMQNGhdXp6XC5lteN21C1/3hy3KVFUnkqaA+1IHm39wBE73j
+Bmnoi36d+Ub6ZT3Va84Dp/tWJ65Xig==
+=9ka/
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index eeca740..ecc8711 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.73.0
-Release: 2%{?dist}
+Version: 7.74.0
+Release: 1%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
@@ -318,7 +318,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %doc README
 %doc docs/BUGS.md
 %doc docs/FAQ
-%doc docs/FEATURES
+%doc docs/FEATURES.md
 %doc docs/TODO
 %doc docs/TheArtOfHttpScripting.md
 %{_bindir}/curl
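Review bot: Nothing in the visible curl.spec hunks wires the newly added curl-7.74.0.tar.xz.asc into the build: the `Source:` line in the -1,7 hunk names only the tarball, and no `%{gpgverify}` call is in view. If the spec does not already verify the tarball elsewhere (outside these hunks), the detached signature is inert and the authenticity of the upstream source rests solely on the SHA512 line in `sources`, which this same commit rewrites. To make the signature an enforced check rather than documentation, add `Source2: https://curl.se/download/%{name}-%{version}.tar.xz.asc` plus a keyring source (e.g. Source3) and `BuildRequires: gnupg2`, and run `%{gpgverify} --keyring=%{SOURCE3} --signature=%{SOURCE2} --data=%{SOURCE0}` at the start of %prep. The old and new .asc blobs share the same leading bytes, which presumably identify the same signing key; confirming that key's fingerprint against upstream's published release key is what the keyring step pins down.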
@@ -351,6 +351,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed Dec 09 2020 Kamil Dudka - 7.74.0-1
+- new upstream release, which fixes the following vulnerabilities CVE-2020-8286 - curl: Inferior OCSP verification CVE-2020-8285 - libcurl: FTP wildcard stack overflow CVE-2020-8284 - curl: trusting FTP PASV responses
+
 * Wed Oct 14 2020 Kamil Dudka - 7.73.0-2
 - prevent upstream test 1451 from being skipped
diff --git a/sources b/sources
index 586c3da..fec3ccb 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.73.0.tar.xz) = 95330bac2d6bc5306d47723b3c7bdb754fabe2ba2df7b2a8027453a40286f1c7caaee69333f0715e59fbc7fdf09080968ea624398c995cabf3d57493973867bd
+SHA512 (curl-7.74.0.tar.xz) = 5d987f0b4d051c9e254f14d4e2a05f7cda9fb0f0ac7b3ca3664a25a51ee5ffe092ee072c0d9a613fcd3f34727d75bba14b70f5500cb110ca818591e071c3e6f4