diff --git a/curl-7.19.4-nss-leak2.patch b/curl-7.19.4-nss-leak2.patch
new file mode 100644
index 0000000..eb47dd9
--- /dev/null
+++ b/curl-7.19.4-nss-leak2.patch
@@ -0,0 +1,118 @@
+diff -ruNp curl-7.19.4.orig/lib/nss.c curl-7.19.4/lib/nss.c
+--- curl-7.19.4.orig/lib/nss.c 2009-04-27 09:48:12.548102000 +0200
++++ curl-7.19.4/lib/nss.c 2009-04-27 09:48:32.993420443 +0200
+@@ -527,6 +527,7 @@ static int nss_load_key(struct connectda
+ return 0;
+ }
+ free(parg);
++ PK11_FreeSlot(slot);
+ 
+ return 1;
+ #else
+@@ -819,9 +820,9 @@ static SECStatus SelectClientCert(void *
+ struct CERTCertificateStr **pRetCert,
+ struct SECKEYPrivateKeyStr **pRetKey)
+ {
+- CERTCertificate *cert;
+ SECKEYPrivateKey *privKey;
+- char *nickname = (char *)arg;
++ struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
++ char *nickname = connssl->client_nickname;
+ void *proto_win = NULL;
+ SECStatus secStatus = SECFailure;
+ PK11SlotInfo *slot;
+@@ -832,34 +833,35 @@ static SECStatus SelectClientCert(void *
+ if(!nickname)
+ return secStatus;
+ 
+- cert = PK11_FindCertFromNickname(nickname, proto_win);
+- if(cert) {
++ connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);
++ if(connssl->client_cert) {
+ 
+ if(!strncmp(nickname, "PEM Token", 9)) {
+ CK_SLOT_ID slotID = 1; /* hardcoded for now */
+ char slotname[SLOTSIZE];
+ snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
+ slot = PK11_FindSlotByName(slotname);
+- privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
++ privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);
+ PK11_FreeSlot(slot);
+ if(privKey) {
+ secStatus = SECSuccess;
+ }
+ }
+ else {
+- privKey = PK11_FindKeyByAnyCert(cert, proto_win);
++ privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);
+ if(privKey)
+ secStatus = SECSuccess;
+ }
+ }
+ 
+ if(secStatus == SECSuccess) {
+- *pRetCert = cert;
++ *pRetCert = connssl->client_cert;
+ *pRetKey = privKey;
+ }
+ else {
+- if(cert)
+- CERT_DestroyCertificate(cert);
++ if(connssl->client_cert)
++ CERT_DestroyCertificate(connssl->client_cert);
++ connssl->client_cert = NULL;
+ }
+ 
+ return secStatus;
+@@ -891,8 +893,12 @@ void Curl_nss_cleanup(void)
+ * as a safety feature.
+ */
+ PR_Lock(nss_initlock);
+- if (initialized)
++ if (initialized) {
++ if(mod)
++ SECMOD_DestroyModule(mod);
++ mod = NULL;
+ NSS_Shutdown();
++ }
+ PR_Unlock(nss_initlock);
+ 
+ PR_DestroyLock(nss_initlock);
+@@ -940,6 +946,8 @@ void Curl_nss_close(struct connectdata *
+ free(connssl->client_nickname);
+ connssl->client_nickname = NULL;
+ }
++ if(connssl->client_cert)
++ CERT_DestroyCertificate(connssl->client_cert);
+ if(connssl->key)
+ (void)PK11_DestroyGenericObject(connssl->key);
+ if(connssl->cacert[1])
+@@ -981,6 +989,7 @@ CURLcode Curl_nss_connect(struct connect
+ if (connssl->state == ssl_connection_complete)
+ return CURLE_OK;
+ 
++ connssl->client_cert = NULL;
+ connssl->cacert[0] = NULL;
+ connssl->cacert[1] = NULL;
+ connssl->key = NULL;
+@@ -1207,8 +1216,7 @@ CURLcode Curl_nss_connect(struct connect
+ 
+ if(SSL_GetClientAuthDataHook(model,
+ (SSLGetClientAuthData) SelectClientCert,
+- (void *)connssl->client_nickname) !=
+- SECSuccess) {
++ (void *)connssl) != SECSuccess) {
+ curlerr = CURLE_SSL_CERTPROBLEM;
+ goto error;
+ }
+diff -ruNp curl-7.19.4.orig/lib/urldata.h curl-7.19.4/lib/urldata.h
+--- curl-7.19.4.orig/lib/urldata.h 2009-04-27 09:48:12.550102000 +0200
++++ curl-7.19.4/lib/urldata.h 2009-04-27 09:48:19.821215391 +0200
+@@ -211,6 +211,7 @@ struct ssl_connect_data {
+ #ifdef USE_NSS
+ PRFileDesc *handle;
+ char *client_nickname;
++ CERTCertificate *client_cert;
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+ PK11GenericObject *key;
+ PK11GenericObject *cacert[2];
diff --git a/curl.spec b/curl.spec
index 680bf99..8d6acf7 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.19.4
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
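Review bot: In the Curl_nss_close hunk the new `if(connssl->client_cert) CERT_DestroyCertificate(connssl->client_cert);` leaves connssl->client_cert pointing at the destroyed certificate, unlike the client_nickname block directly above it, which nulls the pointer after free(); the field is only reset again in Curl_nss_connect, so anything that touches connssl between a close and the next connect sees a dangling value and a second close would destroy it twice. I would write the two lines under the if as `CERT_DestroyCertificate(connssl->client_cert); connssl->client_cert = NULL;`. SelectClientCert now both hands the certificate to NSS through `*pRetCert` and keeps it in connssl->client_cert, and it overwrites that field on every invocation without destroying a previous value; whether NSS releases its own reference to the returned certificate (not visible here) decides whether the destroy in Curl_nss_close is a second release, so that ownership contract deserves a comment on the new `CERTCertificate *client_cert;` field in urldata.h. In the nss_load_key hunk the added `PK11_FreeSlot(slot);` covers only the success path; the `return 0;` immediately above it exits without releasing the slot unless that happens earlier in the branch, which lies outside the hunk, so a single cleanup label would be safer. Every inner hunk starts and ends inside its function, so the surrounding bodies are not visible.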
@@ -12,6 +12,7 @@ Patch4: curl-7.19.4-tool-leak.patch
 Patch5: curl-7.19.4-enable-aes.patch
 Patch6: curl-7.19.4-nss-leak.patch
 Patch7: curl-7.19.4-debug.patch
+Patch8: curl-7.19.4-nss-leak2.patch
 Provides: webclient
 URL: http://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -58,6 +59,7 @@ use cURL's capabilities internally.
 %patch5 -p1 -b .enableaes
 %patch6 -p1 -b .nssleak
 %patch7 -p1 -b .debug
+%patch8 -p1 -b .nssleak2
 
 # Convert docs to UTF-8
 for f in CHANGES README; do
@@ -150,6 +152,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Mon Apr 27 2009 Kamil Dudka 7.19.4-10
+- fix curl/nss memory leaks while using client certificate (#453612, accepted
+ by upstream)
+
 * Wed Apr 22 2009 Kamil Dudka 7.19.4-9
 - add missing BuildRequire for autoconf