diff -Nru curl-7.58.0/debian/changelog curl-7.58.0/debian/changelog
--- curl-7.58.0/debian/changelog 2020-06-17 13:19:29.000000000 +0000
+++ curl-7.58.0/debian/changelog 2020-08-13 17:38:57.000000000 +0000
@@ -1,3 +1,13 @@
+curl (7.58.0-2ubuntu3.10) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: wrong connect-only connection
+ - debian/patches/CVE-2020-8231.patch: remember last connection by id,
+ not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
+ lib/urldata.h.
+ - CVE-2020-8231
+
+ -- Marc Deslauriers Thu, 13 Aug 2020 13:38:57 -0400
+
 curl (7.58.0-2ubuntu3.9) bionic-security; urgency=medium
 * SECURITY UPDATE: curl overwrite local file with -J
diff -Nru curl-7.58.0/debian/patches/CVE-2020-8231.patch curl-7.58.0/debian/patches/CVE-2020-8231.patch
--- curl-7.58.0/debian/patches/CVE-2020-8231.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.58.0/debian/patches/CVE-2020-8231.patch 2020-08-13 17:38:14.000000000 +0000
@@ -0,0 +1,128 @@
+Backport of:
+
+From 8c899c70575126151628b1455429cdb7224894fc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 3 Aug 2020 14:54:13 +0200
+Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+---
+ lib/connect.c | 19 ++++++++++---------
+ lib/easy.c | 3 +--
+ lib/multi.c | 10 ++++++----
+ lib/url.c | 2 +-
+ lib/urldata.h | 2 +-
+ 5 files changed, 19 insertions(+), 17 deletions(-)
+
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1210,15 +1210,15 @@ CURLcode Curl_connecthost(struct connect
+ }
+
+ struct connfind {
+- struct connectdata *tofind;
+- bool found;
++ long id_tofind;
++ struct connectdata *found;
+ };
+
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+ struct connfind *f = (struct connfind *)param;
+- if(conn == f->tofind) {
+- f->found = TRUE;
++ if(conn->connection_id == f->id_tofind) {
++ f->found = conn;
+ return 1;
+ }
+ return 0;
+@@ -1242,21 +1242,22 @@ curl_socket_t Curl_getconnectinfo(struct
+ * - that is associated with a multi handle, and whose connection
+ * was detached with CURLOPT_CONNECT_ONLY
+ */
+- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+- struct connectdata *c = data->state.lastconnect;
++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++ struct connectdata *c;
+ struct connfind find;
+- find.tofind = data->state.lastconnect;
+- find.found = FALSE;
++ find.id_tofind = data->state.lastconnect_id;
++ find.found = NULL;
+
+ Curl_conncache_foreach(data, data->multi_easy?
+ &data->multi_easy->conn_cache:
+ &data->multi->conn_cache, &find, conn_is_conn);
+
+ if(!find.found) {
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ return CURL_SOCKET_BAD;
+ }
+
++ c = find.found;
+ if(connp)
+ /* only store this if the caller cares for it */
+ *connp = c;
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -918,8 +918,7 @@ struct Curl_easy *curl_easy_duphandle(st
+
+ /* the connection cache is setup on demand */
+ outcurl->state.conn_cache = NULL;
+-
+- outcurl->state.lastconnect = NULL;
++ outcurl->state.lastconnect_id = -1;
+
+ outcurl->progress.flags = data->progress.flags;
+ outcurl->progress.callback = data->progress.callback;
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -402,6 +402,7 @@ CURLMcode curl_multi_add_handle(struct C
+ data->state.conn_cache = &data->share->conn_cache;
+ else
+ data->state.conn_cache = &multi->conn_cache;
++ data->state.lastconnect_id = -1;
+
+ /* This adds the new entry at the 'end' of the doubly-linked circular
+ list of Curl_easy structs to try and maintain a FIFO queue so
+@@ -604,11 +605,11 @@ static CURLcode multi_done(struct connec
+ /* the connection is no longer in use */
+ if(Curl_conncache_return_conn(conn)) {
+ /* remember the most recently used connection */
+- data->state.lastconnect = conn;
++ data->state.lastconnect_id = conn->connection_id;
+ infof(data, "%s\n", buffer);
+ }
+ else
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ }
+
+ *connp = NULL; /* to make the caller of this function better detect that
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -583,7 +583,7 @@ CURLcode Curl_open(struct Curl_easy **cu
+ Curl_initinfo(data);
+
+ /* most recent connection is not yet defined */
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+
+ data->progress.flags |= PGRS_HIDE;
+ data->state.current_speed = -1; /* init to negative == impossible */
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1217,7 +1217,7 @@ struct UrlState {
+ /* buffers to store
+ authentication data in, as parsed from input options */
+ struct curltime keeps_speed; /* for the progress meter really */
+
+- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++ long lastconnect_id; /* The last connection, -1 if undefined */
+
+ char *headerbuff; /* allocated buffer to store headers in */
+ size_t headersize; /* size of the allocation */
diff -Nru curl-7.58.0/debian/patches/series curl-7.58.0/debian/patches/series
--- curl-7.58.0/debian/patches/series 2020-06-17 13:19:23.000000000 +0000
+++ curl-7.58.0/debian/patches/series 2020-08-13 17:38:51.000000000 +0000
@@ -20,6 +20,7 @@
 CVE-2019-5481.patch
 CVE-2019-5482.patch
 CVE-2020-8177.patch
+CVE-2020-8231.patch
 # do not add patches below
 90_gnutls.patch
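Review bot: In the lib/connect.c hunk of CVE-2020-8231.patch, `Curl_getconnectinfo()` now accepts any cache entry whose `connection_id` equals `lastconnect_id`, so the fix is only as strong as the uniqueness of that id within the cache being searched. The lookup walks `multi_easy->conn_cache` or `multi->conn_cache`, while the lib/multi.c hunk shows `data->state.conn_cache` can instead point at `data->share->conn_cache`; if ids are handed out per cache (not visible in this patch), an id recorded against the shared cache could match an unrelated connection here, so this is worth confirming against the 7.58.0 tree. The invariant should at least be stated where the field is declared, e.g. `long lastconnect_id; /* id of the last connection, -1 if undefined; only meaningful in the conn cache that issued it */`. The bodies of `Curl_getconnectinfo()` and `multi_done()` continue outside the hunks shown.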