[scarthgap,1/7] curl: ignore CVE-2026-4873

Message ID 20260629104801.972184-1-adongare@cisco.com
State Awaiting Upstream
Delegated to: Yoann Congal

Commit Message

From: Anil Dongare <adongare@cisco.com>

- CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with
  clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required
  transfer.
- In scarthgap, these protocols are optional PACKAGECONFIG entries and are not
  enabled by default in `curl_8.7.1.bb`.
- Record this CVE as configuration-not-applicable for the default recipe
  configuration instead of carrying the upstream fix unconditionally.

Reference:
- https://curl.se/docs/CVE-2026-4873.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-4873

Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 meta/recipes-support/curl/curl_8.7.1.bb | 1 +
 1 file changed, 1 insertion(+)
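To see how the one-line change in this patch resolves at parse time, here is an added example (not BitBake's or OE-core's own code) that re-implements the semantics of `bb.utils.contains` and `bb.utils.contains_any` over a plain dict standing in for the datastore `d`, then evaluates the new `CVE_STATUS[CVE-2026-4873]` expression and its `contains`-based neighbour from the same hunk for a few PACKAGECONFIG settings; the small status-to-report mapping mirrors the classes cve-check uses (Unpatched/Ignored) and is an assumption about that mapping, not a copy of it.

```python
"""Resolve the curl recipe's conditional CVE_STATUS for a given PACKAGECONFIG.

Added example, not BitBake's or OE-core's own code. contains() and
contains_any() re-implement the semantics of bb.utils.contains (all check
values present) and bb.utils.contains_any (at least one present) so the
expression from the hunk can be evaluated without a BitBake datastore; the
datastore `d` is modelled as a plain dict.
"""


def contains(variable, checkvalues, truevalue, falsevalue, d):
    """bb.utils.contains semantics: every check value must be in the variable."""
    present = set(d.get(variable, "").split())
    return truevalue if set(checkvalues.split()) <= present else falsevalue


def contains_any(variable, checkvalues, truevalue, falsevalue, d):
    """bb.utils.contains_any semantics: at least one check value is present."""
    present = set(d.get(variable, "").split())
    return truevalue if set(checkvalues.split()) & present else falsevalue


def cve_2026_4873_status(d):
    """The new CVE_STATUS[CVE-2026-4873] line from the patch, evaluated against d."""
    return contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched',
                        'not-applicable-config: clear-text imap/pop3/smtp '
                        'support is not enabled in PACKAGECONFIG', d)


def cve_2025_5025_status(d):
    """Neighbouring entry in the same hunk, which keys on the TLS backend instead."""
    return contains('PACKAGECONFIG', 'openssl',
                    'not-applicable-config: applicable only with wolfssl',
                    'unpatched', d)


# Assumed report buckets for the status classes used in this hunk (cve-check
# reports not-applicable-config and ignored as Ignored, unpatched as Unpatched).
STATUS_CLASS = {"unpatched": "Unpatched", "not-applicable-config": "Ignored",
                "ignored": "Ignored"}


def report(status):
    """Split 'class: justification' and map the class to its report bucket."""
    cls, _, reason = status.partition(":")
    return STATUS_CLASS[cls.strip()], reason.strip()


if __name__ == "__main__":
    # Constructed PACKAGECONFIG values: default-like, then with a mail protocol on.
    for cfg in ("openssl zlib", "openssl zlib imap", "openssl smtp pop3", "wolfssl"):
        d = {"PACKAGECONFIG": cfg}
        print(f"{cfg!r:22} -> {report(cve_2026_4873_status(d))}")
```

Enabling any one of the three protocol options is enough to flip the entry to `unpatched`, which is what makes the justification honest for non-default configurations.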

Comments

Yoann Congal June 29, 2026, 11:53 a.m. UTC | #1
On Mon Jun 29, 2026 at 12:47 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> - CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with
>   clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required
>   transfer.
> - In scarthgap, these protocols are optional PACKAGECONFIG entries and are not
>   enabled by default in `curl_8.7.1.bb`.
> - Record this CVE as configuration-not-applicable for the default recipe
>   configuration instead of carrying the upstream fix unconditionally.
>
> Reference:
> - https://curl.se/docs/CVE-2026-4873.html
> - https://nvd.nist.gov/vuln/detail/CVE-2026-4873

Hello,

That CVE applies to wrynose, but I don't think I received an
equivalent patch.

Before sending more scarthgap fixes, do you plan to send the wrynose
fixes blocking some of your previous patches?
You can see them here:
https://patchwork.yoctoproject.org/project/oe-core/list/?submitter=1525&state=8&series=&q=&delegate=&archive=both

Regards,

>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
>  meta/recipes-support/curl/curl_8.7.1.bb | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
> index 14d63d6373..ad7ceceb69 100644
> --- a/meta/recipes-support/curl/curl_8.7.1.bb
> +++ b/meta/recipes-support/curl/curl_8.7.1.bb
> @@ -51,6 +51,7 @@ CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go
>  CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older"
>  CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
>  CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
> +CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}"
>  
>  
>  inherit autotools pkgconfig binconfig multilib_header ptest
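Review bot: the `unpatched` branch of the new CVE_STATUS line leaves any build that enables one of the `imap`, `pop3` or `smtp` PACKAGECONFIG options flagged with no fix carried, and the commit message ("instead of carrying the upstream fix unconditionally") does not say whether a backport is planned for that case; please state that in the message or, if the 8.20.0 change applies cleanly to 8.7.1, add it under the same PACKAGECONFIG condition. The subject line "ignore CVE-2026-4873" also does not match the statuses the line actually sets (`not-applicable-config` or `unpatched`, not `ignored`), so consider "curl: mark CVE-2026-4873 not applicable in default config" or similar.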
Anil Dongare June 29, 2026, 12:08 p.m. UTC | #2
Hi Yoann,

Thank you for the clarification.

You are right, CVE-2026-4873 should also be handled for wrynose, and I missed
sending the corresponding wrynose patch before continuing with the scarthgap
series.

I will review the pending wrynose items from Patchwork, prepare the required
wrynose fixes, and send them first. After that, I will rebase and resend the
scarthgap curl CVE patches as needed.

Apologies for the inconvenience.

Regards,
Anil Dongare.
Yoann Congal June 29, 2026, 12:19 p.m. UTC | #3
On Mon Jun 29, 2026 at 2:08 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> Hi Yoann,
>
> Thank you for the clarification.
>
> You are right, CVE-2026-4873 should also be handled for wrynose, and I missed
> sending the corresponding wrynose patch before continuing with the scarthgap
> series.

Also double-check other patches of this series, 2/7 seems to also have
the issue.

> I will review the pending wrynose items from Patchwork, prepare the required
> wrynose fixes, and send them first. After that, I will rebase and resend the
> scarthgap curl CVE patches as needed.

Sounds good!

> Apologies for the inconvenience.

That's fine! Please note to do this for all the future patches and it's
all good :)

> Regards,
> Anil Dongare.

Regards,

Patch

diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 14d63d6373..ad7ceceb69 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -51,6 +51,7 @@  CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go
 CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older"
 CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
 CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
+CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}"
 
 
 inherit autotools pkgconfig binconfig multilib_header ptest
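Review bot: the justification text on the added line, "clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG", is narrower than what the condition checks: the `imap`, `pop3` and `smtp` PACKAGECONFIG options gate those protocols as a whole, not their clear-text mode separately, so "imap/pop3/smtp protocol support is not enabled in PACKAGECONFIG" describes the check accurately. It would also help the next version bump to note the fixed version (8.20.0, per the commit message) in the justification so the line can be dropped when the recipe moves past it.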