diff --git a/backport-curl-8.0-libcurl-ocloexec.patch b/backport-curl-8.0-libcurl-ocloexec.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1db69a51daa396a735fd8315660e79642fd25425
--- /dev/null
+++ b/backport-curl-8.0-libcurl-ocloexec.patch
@@ -0,0 +1,93 @@
+Open library file descriptors with O_CLOEXEC
+This patch is non-portable, it needs linux 2.6.23 and glibc 2.7
+or later, different combinations (old linux, new glibc and vice-versa)
+will result in a crash.
+
+To make it portable you have to test O_CLOEXEC support at *runtime*
+compile time is not enough.
+
+
+Index: curl-8.0.0/lib/file.c
+===================================================================
+--- curl-8.0.0.orig/lib/file.c
++++ curl-8.0.0/lib/file.c
+@@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl
+ }
+ }
+ #else
+- fd = open_readonly(real_path, O_RDONLY);
++ fd = open_readonly(real_path, O_RDONLY|O_CLOEXEC);
+ file->path = real_path;
+ #endif
+ #endif
+@@ -318,7 +318,7 @@ static CURLcode file_upload(struct Curl_
+ else
+ mode = MODE_DEFAULT|O_TRUNC;
+
+- fd = open(file->path, mode, data->set.new_file_perms);
++ fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
+ if(fd < 0) {
+ failf(data, "Can't open %s for writing", file->path);
+ return CURLE_WRITE_ERROR;
+Index: curl-8.0.0/lib/if2ip.c
+===================================================================
+--- curl-8.0.0.orig/lib/if2ip.c
++++ curl-8.0.0/lib/if2ip.c
+@@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af,
+ if(len >= sizeof(req.ifr_name))
+ return IF2IP_NOT_FOUND;
+
+- dummy = socket(AF_INET, SOCK_STREAM, 0);
++ dummy = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
+ if(CURL_SOCKET_BAD == dummy)
+ return IF2IP_NOT_FOUND;
+
+Index: curl-8.0.0/configure.ac
+===================================================================
+--- curl-8.0.0.orig/configure.ac
++++ curl-8.0.0/configure.ac
+@@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+ # Silence warning: ar: 'u' modifier ignored since 'D' is the default
+ AC_SUBST(AR_FLAGS, [cr])
+
++AC_USE_SYSTEM_EXTENSIONS
++
+ dnl This defines _ALL_SOURCE for AIX
+ CURL_CHECK_AIX_ALL_SOURCE
+
+Index: curl-8.0.0/lib/hostip.c
+===================================================================
+--- curl-8.0.0.orig/lib/hostip.c
++++ curl-8.0.0/lib/hostip.c
+@@ -48,6 +48,7 @@
+ #include
+ #endif
+
++#include
+ #include "urldata.h"
+ #include "sendf.h"
+ #include "hostip.h"
+@@ -582,7 +583,7 @@ bool Curl_ipv6works(struct Curl_easy *da
+ else {
+ int ipv6_works = -1;
+ /* probe to see if we have a working IPv6 stack */
+- curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0);
++ curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
+ if(s == CURL_SOCKET_BAD)
+ /* an IPv6 address was requested but we can't get/use one */
+ ipv6_works = 0;
+Index: curl-8.0.0/lib/cf-socket.c
+===================================================================
+--- curl-8.0.0.orig/lib/cf-socket.c
++++ curl-8.0.0/lib/cf-socket.c
+@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_
+ }
+ else {
+ /* opensocket callback not set, so simply create the socket now */
+- *sockfd = socket(addr->family, addr->socktype, addr->protocol);
++ *sockfd = socket(addr->family,
++ addr->socktype|SOCK_CLOEXEC,
++ addr->protocol);
+ }
+
+ if(*sockfd == CURL_SOCKET_BAD)
diff --git a/curl-7.88.1.tar.xz b/curl-7.88.1.tar.xz
deleted file mode 100644
index fe94b69a26ff1e5ff6670175a70bf559784ee689..0000000000000000000000000000000000000000
Binary files a/curl-7.88.1.tar.xz and /dev/null differ
diff --git a/curl-8.0.1.tar.xz b/curl-8.0.1.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..b7620db19d05ff53ff85d49c37735208d767ce1e
Binary files /dev/null and b/curl-8.0.1.tar.xz differ
diff --git a/curl.spec b/curl.spec
index 832042b7b0b051d4144e8dbfc41cd2f8437a9ff7..0be3cfafac55956d576fbd6ff26b34ffe960f37b 100644
--- a/curl.spec
+++ b/curl.spec
@@ -5,7 +5,7 @@ %global _configure ../configure Name: curl -Version: 7.88.1 +Version: 8.0.1 Release: 2 Summary: Curl is used in command lines or scripts to transfer data License: MIT
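Review bot: The added `O_CLOEXEC` and `SOCK_CLOEXEC` flags are passed unconditionally at all five call sites (file.c twice, if2ip.c, hostip.c, cf-socket.c), with no `#ifdef` guard and no runtime fallback, which the patch header itself concedes. Where the running kernel rejects the flag, `socket()` fails and the visible callers fold that into `IF2IP_NOT_FOUND`, `ipv6_works = 0` or the `CURL_SOCKET_BAD` path in `socket_open`, so the real cause is hidden from the user. Retrying without the flag and then setting `FD_CLOEXEC` with `fcntl()` still keeps the descriptor out of exec'd children, with a short window before the flag is set in multi-threaded programs; the fence shows this for `socket_open`, whose body starts and ends outside the hunk, and the same shape would apply in `Curl_if2ip` and `Curl_ipv6works`. Only the branch without an opensocket callback is changed here, so sockets an application creates through that callback are not made close-on-exec by this patch.

```c
    /* opensocket callback not set, so simply create the socket now */
#ifdef SOCK_CLOEXEC
    *sockfd = socket(addr->family, addr->socktype|SOCK_CLOEXEC,
                     addr->protocol);
    if(*sockfd == CURL_SOCKET_BAD && SOCKERRNO == EINVAL)
#endif
    {
      /* flag unavailable or rejected: create plain, then mark close-on-exec */
      *sockfd = socket(addr->family, addr->socktype, addr->protocol);
      if(*sockfd != CURL_SOCKET_BAD)
        (void)fcntl(*sockfd, F_SETFD, FD_CLOEXEC);
    }
    /* … unchanged: CURL_SOCKET_BAD check … */
```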
@@ -22,6 +22,7 @@ Patch7: backport-CVE-2023-27538.patch Patch8: backport-CVE-2023-27535.patch Patch9: backport-CVE-2023-27536.patch Patch10: backport-CVE-2023-27537.patch +Patch10: backport-curl-8.0-libcurl-ocloexec.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
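Review bot: The added tag reuses number 10, which the context line directly above already assigns to `backport-CVE-2023-27537.patch`. Two `Patch10:` tags either make the spec fail to parse or leave one of the two patches shadowed, depending on how rpm treats the duplicate, and the one at risk is a CVE backport. Give the new patch its own number, `Patch11: backport-curl-8.0-libcurl-ocloexec.patch`. Separately, the Version line moves to 8.0.1 while Patch7 to Patch10 still list the CVE-2023-27535 to -27538 backports; if the new tarball already carries those fixes (confirm against the upstream release notes), they will not apply cleanly and should be dropped in the same commit, which is not visible in this hunk.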