diff -r eab2ad081951 -r deebdf0190db components/curl/patches/015-CVE-2014-3613-part2.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/015-CVE-2014-3613-part2.patch Wed Sep 17 06:05:09 2014 -0700
@@ -0,0 +1,48 @@
+From ceab2ea8f0c0fc4c4be219240ccf99ddc2de7b22 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 19 Aug 2014 21:11:20 +0200
+Subject: [PATCH 2/2] cookies: reject incoming cookies set for TLDs
+
+Test 61 was modified to verify this.
+
+Reported-by: Tim Ruehsen
+---
+ lib/cookie.c | 6 ++++++
+ tests/data/test61 | 1 +
+ 2 files changed, 7 insertions(+)
+
+This problem has been fixed upstream in curl version 7.38.0
+
+--- lib/cookie.c.orig 2014-09-04 10:48:44.170722741 -0700
++++ lib/cookie.c 2014-09-04 10:44:28.980086252 -0700
+@@ -303,6 +303,7 @@
+ }
+ else if(Curl_raw_equal("domain", name)) {
+ bool is_ip;
++ const char *dotp;
+
+ /* note that this name may or may not have a preceeding dot, but
+ we don't care about that, we treat the names the same anyway */
+@@ -347,6 +348,11 @@
+
+ is_ip = isip(domain ? domain : whatptr);
+
++ /* check for more dots */
++ dotp = strchr(whatptr, '.');
++ if(!dotp)
++ domain=":";
++
+ if(!domain
+ || (is_ip && !strcmp(whatptr, domain))
+ || (!is_ip && tailmatch(whatptr, domain))) {
+--- tests/data/test61.orig 2014-09-04 10:50:40.756783312 -0700
++++ tests/data/test61 2014-09-04 10:53:06.461671210 -0700
+@@ -22,6 +22,8 @@
+ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
+ Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
+ Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
++Set-Cookie: fake=fooledyou; domain=..com; path=/;
++Set-Cookie: supercookie=fooledyou; domain=.com; path=/;
+ Content-Length: 4
+
+ boo
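Review bot: The added `if(!dotp) domain=":";` in the second lib/cookie.c hunk rejects only domain values that contain no dot at all, so a multi-label public suffix still reaches `tailmatch()` and is accepted whenever the request host ends with it; covering that case needs a public-suffix list rather than a dot count. The same test also drops a cookie whose domain attribute is a dotless host name the server legitimately owns (a single-label intranet name, for instance), which is worth noting for users of this package. The `":"` sentinel is unexplained, and `/* check for more dots */` would read better as `/* no dot in the domain: treat it as a TLD and force the match below to fail */`. The new `domain=..com` line in test61 only passes if leading dots are removed from `whatptr` before this point, which presumably happens outside the hunk; the enclosing function starts and ends outside both hunks.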