diff --git a/backport-libssh-fix-freeing-of-resources-in-disconnect.patch b/backport-libssh-fix-freeing-of-resources-in-disconnect.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b111bad3ddb2fd73b48bd60b829c3052853aaba8
--- /dev/null
+++ b/backport-libssh-fix-freeing-of-resources-in-disconnect.patch
@@ -0,0 +1,176 @@
+From 571e92f730831a860f8d2786674177ca08c0f592 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Mon, 10 Mar 2025 17:08:57 +0100
+Subject: [PATCH] libssh: fix freeing of resources in disconnect
+
+ssh's disconnect assumed that the session to the server could be shut
+down successfully during disconnect. When this failed, e.g. timed out,
+memory was leaked.
+
+Closes #16659
+
+Conflict:context adapt
+Curl_dyn_free(&sshc->readdir_buf); => Curl_safefree(sshc->readdir_line);
+Reference:https://github.com/curl/curl/commit/571e92f730831a860f8d2786674177ca08c0f592
+---
+ lib/vssh/libssh.c | 95 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 53 insertions(+), 42 deletions(-)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 0467de041..8a08d8161 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -138,6 +138,7 @@ static void myssh_block2waitfor(struct connectdata *conn, bool block);
+
+ static CURLcode myssh_setup_connection(struct Curl_easy *data,
+ struct connectdata *conn);
++static void sshc_cleanup(struct ssh_conn *sshc, struct Curl_easy *data);
+
+ /*
+ * SCP protocol handler.
+@@ -1943,48 +1944,10 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ state(data, SSH_SESSION_FREE);
+ /* FALLTHROUGH */
+ case SSH_SESSION_FREE:
+- if(sshc->ssh_session) {
+- ssh_free(sshc->ssh_session);
+- sshc->ssh_session = NULL;
+- }
+-
+- /* worst-case scenario cleanup */
+-
+- DEBUGASSERT(sshc->ssh_session == NULL);
+- DEBUGASSERT(sshc->scp_session == NULL);
+-
+- if(sshc->readdir_tmp) {
+- ssh_string_free_char(sshc->readdir_tmp);
+- sshc->readdir_tmp = NULL;
+- }
+-
+- if(sshc->quote_attrs)
+- sftp_attributes_free(sshc->quote_attrs);
+-
+- if(sshc->readdir_attrs)
+- sftp_attributes_free(sshc->readdir_attrs);
+-
+- if(sshc->readdir_link_attrs)
+- sftp_attributes_free(sshc->readdir_link_attrs);
+-
+- if(sshc->privkey)
+- ssh_key_free(sshc->privkey);
+- if(sshc->pubkey)
+- ssh_key_free(sshc->pubkey);
+-
+- Curl_safefree(sshc->rsa_pub);
+- Curl_safefree(sshc->rsa);
+- Curl_safefree(sshc->quote_path1);
+- Curl_safefree(sshc->quote_path2);
+- Curl_safefree(sshc->readdir_line);
+- Curl_safefree(sshc->readdir_linkPath);
+- SSH_STRING_FREE_CHAR(sshc->homedir);
+-
++ sshc_cleanup(sshc, data);
+ /* the code we are about to return */
+ result = sshc->actualcode;
+-
+ memset(sshc, 0, sizeof(struct ssh_conn));
+-
+ connclose(conn, "SSH session free");
+ sshc->state = SSH_SESSION_FREE; /* current */
+ sshc->nextstate = SSH_NO_STATE;
+@@ -2328,6 +2291,52 @@ static CURLcode myssh_do_it(struct Curl_easy *data, bool *done)
+ return result;
+ }
+
++static void sshc_cleanup(struct ssh_conn *sshc, struct Curl_easy *data)
++{
++ (void)data;
++ if(sshc->ssh_session) {
++ ssh_free(sshc->ssh_session);
++ sshc->ssh_session = NULL;
++ }
++
++ /* worst-case scenario cleanup */
++ DEBUGASSERT(sshc->ssh_session == NULL);
++ DEBUGASSERT(sshc->scp_session == NULL);
++
++ if(sshc->readdir_tmp) {
++ ssh_string_free_char(sshc->readdir_tmp);
++ sshc->readdir_tmp = NULL;
++ }
++ if(sshc->quote_attrs) {
++ sftp_attributes_free(sshc->quote_attrs);
++  sshc->quote_attrs = NULL;
++ }
++ if(sshc->readdir_attrs) {
++ sftp_attributes_free(sshc->readdir_attrs);
++ sshc->readdir_attrs = NULL;
++ }
++ if(sshc->readdir_link_attrs) {
++ sftp_attributes_free(sshc->readdir_link_attrs);
++ sshc->readdir_link_attrs = NULL;
++ }
++ if(sshc->privkey) {
++ ssh_key_free(sshc->privkey);
++ sshc->privkey = NULL;
++ }
++ if(sshc->pubkey) {
++ ssh_key_free(sshc->pubkey);
++ sshc->pubkey = NULL;
++ }
++
++ Curl_safefree(sshc->rsa_pub);
++ Curl_safefree(sshc->rsa);
++ Curl_safefree(sshc->quote_path1);
++ Curl_safefree(sshc->quote_path2);
++ Curl_safefree(sshc->readdir_line);
++ Curl_safefree(sshc->readdir_linkPath);
++ SSH_STRING_FREE_CHAR(sshc->homedir);
++}
++
+ /* BLOCKING, but the function is using the state machine so the only reason
+ this is still blocking is that the multi interface code has no support for
+ disconnecting operations that takes a while */
+@@ -2336,10 +2345,10 @@ static CURLcode scp_disconnect(struct Curl_easy *data,
+ bool dead_connection)
+ {
+ CURLcode result = CURLE_OK;
+- struct ssh_conn *ssh = &conn->proto.sshc;
++ struct ssh_conn *sshc = &conn->proto.sshc;
+ (void) dead_connection;
+
+- if(ssh->ssh_session) {
++ if(sshc->ssh_session) {
+ /* only if there's a session still around to use! */
+
+ state(data, SSH_SESSION_DISCONNECT);
+@@ -2347,6 +2356,7 @@ static CURLcode scp_disconnect(struct Curl_easy *data,
+ result = myssh_block_statemach(data, TRUE);
+ }
+
++ sshc_cleanup(sshc, data);
+ return result;
+ }
+
+@@ -2500,6 +2510,7 @@ static CURLcode sftp_disconnect(struct Curl_easy *data,
+ struct connectdata *conn,
+ bool dead_connection)
+ {
++ struct ssh_conn *sshc = &conn->proto.sshc;
+ CURLcode result = CURLE_OK;
+ (void) dead_connection;
+
+@@ -2512,9 +2523,9 @@ static CURLcode sftp_disconnect(struct Curl_easy *data,
+ }
+
+ DEBUGF(infof(data, "SSH DISCONNECT is done"));
++ sshc_cleanup(sshc, data);
+
+ return result;
+-
+ }
+
+ static CURLcode sftp_done(struct Curl_easy *data, CURLcode status,
+--
+2.43.0
+
diff --git a/backport-openssl-fix-crash-on-missing-cert-password.patch b/backport-openssl-fix-crash-on-missing-cert-password.patch
new file mode 100644
index 0000000000000000000000000000000000000000..158effa8fde753efe2218ca4ef7d9afc87a1712b
--- /dev/null
+++ b/backport-openssl-fix-crash-on-missing-cert-password.patch
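Review bot: `sshc_cleanup()` only asserts `DEBUGASSERT(sshc->scp_session == NULL);` instead of releasing that handle, yet the new calls in `scp_disconnect()` and `sftp_disconnect()` exist for the path where the disconnect state machine failed or timed out, which is where a channel handle is most likely to still be set. If DEBUGASSERT is compiled out in release builds, as it normally is in curl, a leftover SCP handle would be leaked or left pointing at a session that `ssh_free()` has just destroyed; the helper does not mention any SFTP session handle at all. I would release it first, e.g. `if(sshc->scp_session) { ssh_scp_free(sshc->scp_session); sshc->scp_session = NULL; }` ahead of the `ssh_free()` call, and do the same for the SFTP session field if `struct ssh_conn` has one; the struct definition is outside this patch, so that part needs confirming. Both disconnect functions are only partly visible in their hunks.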
@@ -0,0 +1,48 @@
+From e60166815448f1ce4cc27e59a16e5805e864113d Mon Sep 17 00:00:00 2001
+From: Jay Satiro
+Date: Mon, 24 Mar 2025 02:48:01 -0400
+Subject: [PATCH] openssl: fix crash on missing cert password
+
+- Return 0 for password length if OpenSSL is expecting a certificate
+ password but the user did not provide one.
+
+Prior to this change libcurl would crash if OpenSSL called the certificate
+password callback in libcurl but no password was provided (NULL).
+
+Reported-by: Roman Zharkov
+
+Fixes https://github.com/curl/curl/issues/16806
+Closes https://github.com/curl/curl/pull/16807
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/e60166815448f1ce4cc27e59a16e5805e864113d
+---
+ lib/vtls/openssl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1beda3133..4d5e1be29 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -931,14 +931,14 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size)
+ }
+
+ static int passwd_callback(char *buf, int num, int encrypting,
+- void *global_passwd)
++ void *password)
+ {
+ DEBUGASSERT(0 == encrypting);
+
+- if(!encrypting) {
+- int klen = curlx_uztosi(strlen((char *)global_passwd));
++ if(!encrypting && num >= 0 && password) {
++ int klen = curlx_uztosi(strlen((char *)password));
+ if(num > klen) {
+- memcpy(buf, global_passwd, klen + 1);
++ memcpy(buf, password, klen + 1);
+ return klen;
+ }
+ }
+--
+2.43.0
+
diff --git a/curl.spec b/curl.spec
index f9ef409236fed06798cff27416260d539aac909f..e5742c2be2b19040be03077f956debb496e07be6 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 Name: curl
 Version: 7.79.1
-Release: 38
+Release: 39
 Summary: Curl is used in command lines or scripts to transfer data
 License: MIT
 URL: https://curl.haxx.se/
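Review bot: The new guard in `passwd_callback()` folds three different outcomes (an encrypting request, no password configured, a password that does not fit in `num` bytes) into one silent fall-through, and nothing in the hunk says why `password` may be NULL. A short comment above the condition would help, for example `/* password is NULL when no key passphrase was configured; report length 0 rather than calling strlen() on it */`. The `num >= 0` test looks harmless but appears to be implied already by `num > klen`, assuming `klen` is never negative since it is derived from a string length. The function's final return lies outside the hunk, so the value handed back to OpenSSL on these paths is taken from the commit message (0) rather than from visible code.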
@@ -117,6 +117,8 @@ Patch103: backport-altsvc-avoid-integer-overflow-in-expire-calculation.pat
 Patch104: backport-test391-verify-path-as-is-with-redirect.patch
 Patch105: backport-urlapi-fix-redirect-to-a-new-fragment-or-query-only-adapt.patch
 Patch106: backport-tool_getparam-clear-sensitive-arguments-better.patch
+Patch107: backport-libssh-fix-freeing-of-resources-in-disconnect.patch
+Patch108: backport-openssl-fix-crash-on-missing-cert-password.patch
 BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@@ -285,6 +287,13 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 %changelog
+* Tue May 06 2025 zhouyihang - 7.79.1-39
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:libssh: fix freeing of resources in disconnect
+ openssl: fix crash on missing cert password
+
 * Tue Mar 25 2025 xingwei - 7.79.1-38
 - Type:bugfix
 - CVE:NA