diff --git a/.curl.checksum b/.curl.checksum
index ebe4e3f5b9f83567729ece3b0d5f63e9e91f37b0..0b7fca4002ddd90b12b8faa257b9edaf4feadfb2 100644
--- a/.curl.checksum
+++ b/.curl.checksum
@@ -1 +1 @@
-b2f4bdac1b5b24ad9d08ce614e2159935a596808ffdf7db01aaf5fa33c9e7158
+bb15de7fef1b96d6aa48119f867c0025726117ed930c151619228d18b1754e71
diff --git a/SOURCES/0037-curl-7.76.1-ignore-unexpected-eof.patch b/SOURCES/0037-curl-7.76.1-ignore-unexpected-eof.patch
new file mode 100644
index 0000000000000000000000000000000000000000..94f2183c0c47fcb2e3a60fcd039ac0eef9685759
--- /dev/null
+++ b/SOURCES/0037-curl-7.76.1-ignore-unexpected-eof.patch
@@ -0,0 +1,14 @@
+diff -up curl-7.76.1/lib/vtls/openssl.c.ignore_unexpected_eof curl-7.76.1/lib/vtls/openssl.c
+--- curl-7.76.1/lib/vtls/openssl.c.ignore_unexpected_eof 2024-06-17 07:03:17.428620354 +0200
++++ curl-7.76.1/lib/vtls/openssl.c 2024-06-17 07:03:54.125799894 +0200
+@@ -2761,6 +2761,10 @@ static CURLcode ossl_connect_step1(struc
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
++ ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
++#endif
++
+ SSL_CTX_set_options(backend->ctx, ctx_options);
+
+ #ifdef HAS_NPN
diff --git a/SOURCES/0038-curl-7.76.1-CVE-2024-2398.patch b/SOURCES/0038-curl-7.76.1-CVE-2024-2398.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0b2db4f304d546cd51b9dab10bf599c8aa5ed4a1
--- /dev/null
+++ b/SOURCES/0038-curl-7.76.1-CVE-2024-2398.patch
@@ -0,0 +1,80 @@
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index c63ecd38371ab4..96868728a53a1f 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf,
+ return bitmap;
+ }
+
++static void free_push_headers(struct HTTP *http)
++{
++ size_t i;
++ for(i = 0; i<http->push_headers_used; i++)
++ free(http->push_headers[i]);
++ Curl_safefree(http->push_headers);
++ http->push_headers_used = 0;
++}
++
+ /*
+ * http2_stream_free() free HTTP2 stream related data
+ */
+@@ -306,11 +315,7 @@ static void http2_data_done(struct Curl_cfilter *cf,
+ {
+ if(http) {
+ Curl_dyn_free(&http->header_recvbuf);
+- for(; http->push_headers_used > 0; --http->push_headers_used) {
+- free(http->push_headers[http->push_headers_used - 1]);
+- }
+- free(http->push_headers);
+- http->push_headers = NULL;
++ free_push_headers(http);
+ }
+ }
+
+@@ -860,7 +861,6 @@ static int push_promise(struct Curl_cfilter *cf,
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ struct http_conn *httpc;
+- size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = duphandle(data);
+ if(!newhandle) {
+@@ -905,11 +905,7 @@ static int push_promise(struct Curl_cfilter *cf,
+ Curl_set_in_callback(data, false);
+
+ /* free the headers again */
+- for(i = 0; i<stream->push_headers_used; i++)
+- free(stream->push_headers[i]);
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- stream->push_headers_used = 0;
++ free_push_headers(stream);
+
+ if(rv) {
+ DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1426,10 +1422,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+ stream->push_headers_alloc) {
+ char **headp;
+ stream->push_headers_alloc *= 2;
+- headp = Curl_saferealloc(stream->push_headers,
+- stream->push_headers_alloc * sizeof(char *));
++ headp = realloc(stream->push_headers,
++ stream->push_headers_alloc * sizeof(char *));
+ if(!headp) {
+- stream->push_headers = NULL;
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers = headp;
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 2f493833f22e3bae344024b305cbb1f0c169b40a..a8a96a6a037a6fd873f2205eb0398055e8bcb8ca 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.76.1
-Release: 29%{?dist}.1
+Release: 31%{?dist}
License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz
@@ -110,8 +110,11 @@ Patch35: 0035-curl-7.76.1-64K-sftp.patch
# lowercase the domain names before PSL checks (CVE-2023-46218)
Patch36: 0036-curl-7.76.1-CVE-2023-46218.patch
+# ignore unexpected EOF (RHEL-39995)
+Patch37: 0037-curl-7.76.1-ignore-unexpected-eof.patch
+
# provide common cleanup method for push headers (CVE-2024-2398)
-Patch37: 0037-curl-7.76.1-CVE-2024-2398.patch
+Patch38: 0038-curl-7.76.1-CVE-2024-2398.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@@ -324,6 +327,7 @@ be installed.
%patch35 -p1
%patch36 -p1
%patch37 -p1
+%patch38 -p1
# Fedora patches
%patch101 -p1
@@ -355,6 +359,39 @@ printf "702\n703\n716\n" >> tests/data/DISABLED
printf "2034\n2037\n2041\n" >> tests/data/DISABLED
%endif
+# temporarily (really!, not like these above) disable tests related to openssl
+# and reported by valgrind. All of it are failing with similar stack trace:
+#=== Start of file valgrind3000
+# ==92709== Syscall param openat(filename) points to unaddressable byte(s)
+# ==92709== at 0x49D9784: open (open64.c:48)
+# ==92709== by 0x495E095: _IO_file_open (fileops.c:189)
+# ==92709== by 0x495E26A: _IO_file_fopen@@GLIBC_2.2.5 (fileops.c:281)
+# ==92709== by 0x49524CC: __fopen_internal (iofopen.c:75)
+# ==92709== by 0x4B37F2E: load_system_str (ssl_ciph.c:1472)
+# ==92709== by 0x4B43118: ssl_create_cipher_list (ssl_ciph.c:1528)
+# ==92709== by 0x4B4FCFF: UnknownInlinedFun (ssl_lib.c:3938)
+# ==92709== by 0x4B4FCFF: SSL_CTX_new_ex (ssl_lib.c:3823)
+# ==92709== by 0x48ABFA1: ossl_connect_step1.lto_priv.0 (openssl.c:2621)
+# ==92709== by 0x48BAF16: ossl_connect_common (openssl.c:4042)
+# ==92709== by 0x48B3D16: UnknownInlinedFun (vtls.c:370)
+# ==92709== by 0x48B3D16: Curl_ssl_connect_nonblocking (vtls.c:353)
+# ==92709== by 0x48873BB: UnknownInlinedFun (http.c:1595)
+# ==92709== by 0x48873BB: Curl_http_connect (http.c:1518)
+# ==92709== by 0x4895575: UnknownInlinedFun (multi.c:1514)
+# ==92709== by 0x4895575: multi_runsingle (multi.c:1847)
+# ==92709== by 0x48978AD: curl_multi_perform (multi.c:2403)
+# ==92709== by 0x4874152: UnknownInlinedFun (easy.c:606)
+# ==92709== by 0x4874152: UnknownInlinedFun (easy.c:696)
+# ==92709== by 0x4874152: curl_easy_perform (easy.c:715)
+# ==92709== by 0x11478B: UnknownInlinedFun (tool_operate.c:2379)
+# ==92709== by 0x11478B: UnknownInlinedFun (tool_operate.c:2553)
+# ==92709== by 0x11478B: UnknownInlinedFun (tool_operate.c:2669)
+# ==92709== by 0x11478B: main (tool_main.c:277)
+# ==92709== Address 0xffffffffff000804 is not stack'd, malloc'd or (recently) free'd
+# ==92709==
+#=== End of file valgrind3000
+printf "300\n301\n303\n304\n305\n306\n309\n310\n311\n312\n313\n320\n321\n322\n324\n325\n400\n401\n403\n404\n405\n406\n407\n408\n409\n410\n560\n1272\n1561\n1562\n1630\n1631\n1632\n2034\n2035\n2037\n2038\n2041\n2042\n2048\n3000\n3001\n" >> tests/data/DISABLED
+
# adapt test 323 for updated OpenSSL
sed -e 's|^35$|35,52|' -i tests/data/test323
@@ -549,9 +586,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
-* Thu Jun 6 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-29.el9_4.1
+* Thu Aug 22 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-31
- provide common cleanup method for push headers (CVE-2024-2398)
+* Tue Jun 18 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-30
+- ignore unexpected EOF (RHEL-39995)
+
* Wed Mar 6 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-29
- rebuild for 9.4 GA