From patchwork Sat Jan 10 17:36:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78430 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB449D277F9 for ; Sat, 10 Jan 2026 17:37:05 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12761.1768066620059768606 for ; Sat, 10 Jan 2026 09:37:01 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=APJz0Z06; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-202601101736569e332be16d000207f3-rkvsx0@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202601101736569e332be16d000207f3 for ; Sat, 10 Jan 2026 18:36:57 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=+Y5XUgRgSxkKH4Wci8llsJOuymOvU3nONrQkiRXM7EY=; b=APJz0Z06/obx/meNtdRWrI7Zm7ZLua09iMnDikpdGIqlwa+UbfIc6tD7PE9Xza2kSGiY/j KNpgmOateOYNtbyZ3bRUtbISgKJCnXalf0FVxEZjBx255+dOnerSFLTrH3s27bncxoj3JFJr DEN5UItD/6yuFObLOZkcH/YU50ZOWfTdOS0q4IMx/V3YfLCvV7hIot9qsrwF59NJuzBCvJKq oPxtDBivZr0DSetUaQKFfUc/N58PHAWGuL/PwtUU+Nj/lebBZTTIIcDDP3P8UzjephAMcanD CpJfpThX7seORt/njW0VeLTfDwVHp/ZZEMjP3XBGO1N0f9l9i4uyZVSg==; 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][whinlatter][PATCH 1/6] curl: patch CVE-2025-13034 Date: Sat, 10 Jan 2026 18:36:34 +0100 Message-Id: <20260110173639.1643322-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229152 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-13034.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-13034.patch | 37 +++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-13034.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-13034.patch b/meta/recipes-support/curl/curl/CVE-2025-13034.patch new file mode 100644 index 0000000000..0c3fe42509 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-13034.patch 
@@ -0,0 +1,37 @@ +From 3d91ca8cdb3b434226e743946d428b4dd3acf2c9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 14 Nov 2025 16:42:23 +0100 +Subject: [PATCH] vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally + +Closes #19531 + +CVE: CVE-2025-13034 +Upstream-Status: Backport [https://github.com/curl/curl/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9] +Signed-off-by: Peter Marko +--- + lib/vquic/vquic-tls.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c +index f4ef06c33b..46bb4c7d4c 100644 +--- a/lib/vquic/vquic-tls.c ++++ b/lib/vquic/vquic-tls.c +@@ -168,13 +168,11 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx, + (void)conn_config; + result = Curl_ossl_check_peer_cert(cf, data, &ctx->ossl, peer); + #elif defined(USE_GNUTLS) +- if(conn_config->verifyhost) { +- result = Curl_gtls_verifyserver(cf, data, ctx->gtls.session, +- conn_config, &data->set.ssl, peer, +- data->set.str[STRING_SSL_PINNEDPUBLICKEY]); +- if(result) +- return result; +- } ++ result = Curl_gtls_verifyserver(cf, data, ctx->gtls.session, ++ conn_config, &data->set.ssl, peer, ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]); ++ if(result) ++ return result; + #elif defined(USE_WOLFSSL) + (void)data; + if(conn_config->verifyhost) { diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index 352f407d28..edae6ebb95 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb 
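Review bot: the trailing context of the vquic-tls.c hunk still shows the USE_WOLFSSL branch gated by `if(conn_config->verifyhost) {` while the USE_GNUTLS branch loses that gate, and the backport note does not say whether wolfSSL is in scope; confirm against the upstream advisory that only the GnuTLS QUIC path is affected and state that in the commit message, otherwise the asymmetry reads as an incomplete fix. With the guard removed, `Curl_gtls_verifyserver(...)` and the `STRING_SSL_PINNEDPUBLICKEY` check now run on every GnuTLS QUIC connection, matching the unconditional `Curl_ossl_check_peer_cert` call in the USE_OPENSSL branch just above, so turning off host-name verification no longer skips peer certificate verification and pinning as a side effect.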
@@ -14,6 +14,7 @@ SRC_URI = " \ file://run-ptest \ file://disable-tests \ file://no-test-timeout.patch \ + file://CVE-2025-13034.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Sat Jan 10 17:36:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78429 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A9705D277F7 for ; Sat, 10 Jan 2026 17:37:05 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12763.1768066622601355990 for ; Sat, 10 Jan 2026 09:37:02 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=AAix6YOW; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-2026011017370086ee1212f30002074b-2b6o00@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 2026011017370086ee1212f30002074b for ; Sat, 10 Jan 2026 18:37:00 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=/YToywlh8S5+kw4fX6d/CP7YNx6noMM/Ug7etZwLzH0=; b=AAix6YOWm2UihvisX6b5KY6P8Q/vWoDkpI9HHCdx3TrNa/ZbJ25olKnjLMPcKw3XuRdpzG YF3PHBxrDe7ryouzZ9s9nvBuULhYBbxYlwi0ItkpQbCIG+SeebvrHKDskoZ1xIIm+sHQORzH iTxxnmTGRV1yMJuA+2Q08lHcbZTTpAzFQH4FS419pYmOoss+gIZ4pZRQA0zOHmkAZQCXaudP lNhmI9H/vVYKIMlNMlOatbiFeE/K1G9hwpM9nkhMFrN+m9tAlAf3JpWzZMu/ko5aJpFiy4Qo ULULEBNRumZC+0m5thJKpKN13CNrq0uQc5cf9Un/IJ/p23orvo9jdhzw==; 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][whinlatter][PATCH 2/6] curl: patch CVE-2025-14017 Date: Sat, 10 Jan 2026 18:36:35 +0100 Message-Id: <20260110173639.1643322-2-peter.marko@siemens.com> In-Reply-To: <20260110173639.1643322-1-peter.marko@siemens.com> References: <20260110173639.1643322-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229153 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-14017.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-14017.patch | 116 ++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 1 + 2 files changed, 117 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14017.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-14017.patch b/meta/recipes-support/curl/curl/CVE-2025-14017.patch new file mode 100644 index 0000000000..79be357ded --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-14017.patch 
@@ -0,0 +1,116 @@ +From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 4 Dec 2025 00:14:20 +0100 +Subject: [PATCH] ldap: call ldap_init() before setting the options + +Closes #19830 + +CVE: CVE-2025-14017 +Upstream-Status: Backport [https://github.com/curl/curl/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d] +Signed-off-by: Peter Marko +--- + lib/ldap.c | 50 +++++++++++++++++++------------------------------- + 1 file changed, 19 insertions(+), 31 deletions(-) + +diff --git a/lib/ldap.c b/lib/ldap.c +index 63b2cbc414..0911a9239a 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -382,16 +382,29 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + passwd = conn->passwd; + } + ++#ifdef USE_WIN32_LDAP ++ if(ldap_ssl) ++ server = ldap_sslinit(host, (curl_ldap_num_t)ipquad.remote_port, 1); ++ else ++#else ++ server = ldap_init(host, (curl_ldap_num_t)ipquad.remote_port); ++#endif ++ if(!server) { ++ failf(data, "LDAP: cannot setup connect to %s:%u", ++ conn->host.dispname, ipquad.remote_port); ++ result = CURLE_COULDNT_CONNECT; ++ goto quit; ++ } ++ + #ifdef LDAP_OPT_NETWORK_TIMEOUT +- ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); ++ ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); + #endif +- ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); ++ ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); + + if(ldap_ssl) { + #ifdef HAVE_LDAP_SSL + #ifdef USE_WIN32_LDAP + /* Win32 LDAP SDK does not support insecure mode without CA! 
*/ +- server = ldap_sslinit(host, (curl_ldap_num_t)ipquad.remote_port, 1); + ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON); + #else /* !USE_WIN32_LDAP */ + int ldap_option; +@@ -411,7 +424,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + goto quit; + } + infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca); +- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); ++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); + if(rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting PEM CA cert: %s", + ldap_err2string(rc)); +@@ -423,20 +436,13 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + else + ldap_option = LDAP_OPT_X_TLS_NEVER; + +- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); ++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); + if(rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting cert verify mode: %s", + ldap_err2string(rc)); + result = CURLE_SSL_CERTPROBLEM; + goto quit; + } +- server = ldap_init(host, ipquad.remote_port); +- if(!server) { +- failf(data, "LDAP local: Cannot connect to %s:%u", +- conn->host.dispname, ipquad.remote_port); +- result = CURLE_COULDNT_CONNECT; +- goto quit; +- } + ldap_option = LDAP_OPT_X_TLS_HARD; + rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option); + if(rc != LDAP_SUCCESS) { +@@ -445,16 +451,6 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + result = CURLE_SSL_CERTPROBLEM; + goto quit; + } +-#if 0 +- rc = ldap_start_tls_s(server, NULL, NULL); +- if(rc != LDAP_SUCCESS) { +- failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s", +- ldap_err2string(rc)); +- result = CURLE_SSL_CERTPROBLEM; +- goto quit; +- } +-#endif +- + #else /* !LDAP_OPT_X_TLS */ + (void)ldap_option; + (void)ldap_ca; +@@ -473,15 +469,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + result = CURLE_NOT_BUILT_IN; + goto quit; + } +- else { +- server = ldap_init(host, 
(curl_ldap_num_t)ipquad.remote_port); +- if(!server) { +- failf(data, "LDAP local: Cannot connect to %s:%u", +- conn->host.dispname, ipquad.remote_port); +- result = CURLE_COULDNT_CONNECT; +- goto quit; +- } +- } ++ + #ifdef USE_WIN32_LDAP + ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); + rc = ldap_win_bind(data, server, user, passwd); diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index edae6ebb95..e0a9bae23d 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb 
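Review bot: in the first lib/ldap.c hunk the `else` after `server = ldap_sslinit(...)` inside `#ifdef USE_WIN32_LDAP` has no statement of its own before `#endif`, so in a Win32 build it binds to the following `if(!server) {`: a non-SSL Win32 transfer never calls `ldap_init()` here (and the later `else { server = ldap_init(host, ...` fallback is deleted in the last hunk), while an SSL Win32 transfer skips the NULL check. Restructure so both preprocessor branches assign `server` and the `if(!server)` check runs unconditionally, for example by giving the Win32 `else` its own `server = ldap_init(host, (curl_ldap_num_t)ipquad.remote_port);` before `#endif`. This does not affect a Linux build of the recipe, where USE_WIN32_LDAP is not defined, but check whether upstream has a follow-up before shipping the backport verbatim. The rest of the change is the point of the fix: every `ldap_set_option(NULL, ...)` becomes `ldap_set_option(server, ...)`, so LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_REQUIRE_CERT are applied to the handle actually used for the connection rather than to library-wide defaults.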
@@ -15,6 +15,7 @@ SRC_URI = " \ file://disable-tests \ file://no-test-timeout.patch \ file://CVE-2025-13034.patch \ + file://CVE-2025-14017.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Sat Jan 10 17:36:36 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78431 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 87FCBD277FB for ; Sat, 10 Jan 2026 17:37:15 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12827.1768066626224847114 for ; Sat, 10 Jan 2026 09:37:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=OuVzPtbD; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20260110173704683b9cd9cc00020777-2yeffg@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20260110173704683b9cd9cc00020777 for ; Sat, 10 Jan 2026 18:37:04 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=SFfMrLU9H4T/pA5/k2B6NsF4CMnQvsoKTpQrXkxSYhY=; b=OuVzPtbDZPJInjeox30FZKeJ99AVdr1xqhqL5IohBlJL1NmUrBPoYL/lFJqj/e/xrmx7/B YADvpW9SCxVPi1XtJys9+7Tm30YnrQPoIYeDUP22CJcTKZ4qt+BX+iLrHuk4rX2FsRIW6zDg Sy/89+/uP2N4PdQ8u4mz/V7/SHw+6Uzc3pJdoJRTqC0b57webN9U29TvNpHf0E3fCYQWmBVQ GAFTawUbYUTZHPOwmaVmiveUxhYqjdZYMqTqtazcdaCX0hDKANvZSFmSS8GA041r7TrRWkPi u5o2cT/yDUy0G5KxXBRQnr62RhTR3vw0HlIRnfiwbcIPyod3Ht2fS6cQ==; 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][whinlatter][PATCH 3/6] curl: patch CVE-2025-14524 Date: Sat, 10 Jan 2026 18:36:36 +0100 Message-Id: <20260110173639.1643322-3-peter.marko@siemens.com> In-Reply-To: <20260110173639.1643322-1-peter.marko@siemens.com> References: <20260110173639.1643322-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229154 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-14524.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-14524.patch | 40 +++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-14524.patch b/meta/recipes-support/curl/curl/CVE-2025-14524.patch new file mode 100644 index 0000000000..c70dd0a04d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-14524.patch 
@@ -0,0 +1,40 @@ +From 1a822275d333dc6da6043497160fd04c8fa48640 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 10 Dec 2025 11:40:47 +0100 +Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer + +Closes #19933 + +CVE: CVE-2025-14524 +Upstream-Status: Backport [https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640] +Signed-off-by: Peter Marko +--- + lib/curl_sasl.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c +index 3e4bafc19a..b93bafbefa 100644 +--- a/lib/curl_sasl.c ++++ b/lib/curl_sasl.c +@@ -456,7 +456,9 @@ static bool sasl_choose_ntlm(struct Curl_easy *data, struct sasl_ctx *sctx) + + static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx) + { +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; + + if(sctx->user && oauth_bearer && + (sctx->enabledmechs & SASL_MECH_OAUTHBEARER)) { +@@ -481,7 +483,9 @@ static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx) + + static bool sasl_choose_oauth2(struct Curl_easy *data, struct sasl_ctx *sctx) + { +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; + + if(sctx->user && oauth_bearer && + (sctx->enabledmechs & SASL_MECH_XOAUTH2)) { diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index e0a9bae23d..ad9b7c9ab7 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb 
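Review bot: the new condition in both `sasl_choose_oauth` and `sasl_choose_oauth2` tests only `data->state.this_is_a_follow`, not whether the redirect target is the host the bearer was meant for, so a transfer that reaches a SASL-authenticated protocol through any followed redirect gets no bearer unless `data->set.allow_auth_to_other_hosts` is set; if that conservative behaviour is intended it deserves a sentence in the commit message, since the effect is broader than a cross-host check and the only way to restore the old behaviour is CURLOPT_UNRESTRICTED_AUTH (`--location-trusted`). The identical three-line ternary is duplicated in both functions; a small static helper returning the bearer or NULL would keep the two policies from drifting apart.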
@@ -16,6 +16,7 @@ SRC_URI = " \ file://no-test-timeout.patch \ file://CVE-2025-13034.patch \ file://CVE-2025-14017.patch \ + file://CVE-2025-14524.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Sat Jan 10 17:36:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78433 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 897E4D277F1 for ; Sat, 10 Jan 2026 17:37:15 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12827.1768066626224847114 for ; Sat, 10 Jan 2026 09:37:08 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=SjAZOoO7; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-202601101737085cee645c220002077c-fgxo55@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202601101737085cee645c220002077c for ; Sat, 10 Jan 2026 18:37:08 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=m58FGAU1Ls4a40ivE7Y3Fk7S4BfIZRPFv2Puh0oU8j0=; b=SjAZOoO7h+zKpQUkw62BNdadPpsPodUjjta4JTWmPNGLdjWaSVxyr4LAHASmMlkaCif2TF JLlAZkPbK/7wXNq+La0L4BXwTOsw0KWmaEMc6SZaixHXWL2+eZ7bp75dhVTqmunA4gYGFpUo NETYrluSofwi3qZIxI4Z9u0uX95wPoSWJ51IFcsVF/ucmfn/TVi4p+coXfnmCesJ0gOJoyDw kKPRnpbK18DpRJtMTb8SBo3i9XuOrUurSZy1VNWwscgVyGkEZKt6Rb5huL68Lo7bnLatoL/V hQi5agh8L7WWMwoikaBH90Z1J2NZs/nFawGvAdCNBepqr64J/2tgsmrw==; 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][whinlatter][PATCH 4/6] curl: patch CVE-2025-14819 Date: Sat, 10 Jan 2026 18:36:37 +0100 Message-Id: <20260110173639.1643322-4-peter.marko@siemens.com> In-Reply-To: <20260110173639.1643322-1-peter.marko@siemens.com> References: <20260110173639.1643322-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229155 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-14819.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-14819.patch | 73 +++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14819.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-14819.patch b/meta/recipes-support/curl/curl/CVE-2025-14819.patch new file mode 100644 index 0000000000..204f1d48f4 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-14819.patch 
@@ -0,0 +1,73 @@ +From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 17 Dec 2025 10:54:16 +0100 +Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a + different CA cache + +Reported-by: Stanislav Fort + +Closes #20009 + +CVE: CVE-2025-14819 +Upstream-Status: Backport [https://github.com/curl/curl/commit/cd046f6c93b39d673a58c18648d8906e954c4f5d] +Signed-off-by: Peter Marko +--- + lib/vtls/openssl.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index a7f169d641..7563d9a090 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3560,6 +3560,7 @@ struct ossl_x509_share { + X509_STORE *store; /* cached X509 store or NULL if none */ + struct curltime time; /* when the cached store was created */ + BIT(store_is_empty); /* no certs/paths/blobs are in the store */ ++ BIT(no_partialchain); /* keep partial chain state */ + }; + + static void oss_x509_share_free(void *key, size_t key_len, void *p) +@@ -3594,12 +3595,16 @@ ossl_cached_x509_store_expired(const struct Curl_easy *data, + + static bool + ossl_cached_x509_store_different(struct Curl_cfilter *cf, ++ const struct Curl_easy *data, + const struct ossl_x509_share *mb) + { + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); ++ struct ssl_config_data *ssl_config = ++ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data)); ++ if(mb->no_partialchain != ssl_config->no_partialchain) ++ return TRUE; + if(!mb->CAfile || !conn_config->CAfile) + return mb->CAfile != conn_config->CAfile; +- + return strcmp(mb->CAfile, conn_config->CAfile); + } + +@@ -3618,7 +3623,7 @@ static X509_STORE *ossl_get_cached_x509_store(struct Curl_cfilter *cf, + sizeof(MPROTO_OSSL_X509_KEY)-1) : NULL; + if(share && share->store && + !ossl_cached_x509_store_expired(data, share) && +- !ossl_cached_x509_store_different(cf, share)) { ++ !ossl_cached_x509_store_different(cf, data, 
share)) { + store = share->store; + *pempty = share->store_is_empty; + } +@@ -3657,6 +3662,8 @@ static void ossl_set_cached_x509_store(struct Curl_cfilter *cf, + + if(X509_STORE_up_ref(store)) { + char *CAfile = NULL; ++ struct ssl_config_data *ssl_config = ++ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data)); + + if(conn_config->CAfile) { + CAfile = strdup(conn_config->CAfile); +@@ -3675,6 +3682,7 @@ static void ossl_set_cached_x509_store(struct Curl_cfilter *cf, + share->store = store; + share->store_is_empty = is_empty; + share->CAfile = CAfile; ++ share->no_partialchain = ssl_config->no_partialchain; + } + } + diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index ad9b7c9ab7..948769e0fb 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb 
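Review bot: the comment on the new struct member, `BIT(no_partialchain); /* keep partial chain state */`, does not say what the bit is for; spell out that it records the CURLSSLOPT_NO_PARTIALCHAIN setting the cached X509_STORE was built with, so that a later transfer with the opposite setting is treated as a cache miss by `ossl_cached_x509_store_different`, otherwise the reason for keying the cache on it is lost on the next reader. The two `Curl_ssl_cf_get_config(cf, CURL_UNCONST(data))` lookups cast away the const of `data`; a one-line comment on why that is safe here would help. The comparison is placed ahead of the CAfile check and returns TRUE on mismatch, which is the right order: a store built for one chain-validation mode must never be handed to a transfer expecting the other.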
@@ -17,6 +17,7 @@ SRC_URI = " \ file://CVE-2025-13034.patch \ file://CVE-2025-14017.patch \ file://CVE-2025-14524.patch \ + file://CVE-2025-14819.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Sat Jan 10 17:36:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78432 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 87FFDD277FC for ; Sat, 10 Jan 2026 17:37:15 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12831.1768066634168243881 for ; Sat, 10 Jan 2026 09:37:14 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=dgym940E; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20260110173712693f1fc3ae000207e9-go5q4t@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20260110173712693f1fc3ae000207e9 for ; Sat, 10 Jan 2026 18:37:12 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=/dDuYuVkktUU/JLBgB0PlxrCEvHxnLy2hGlTRbgCAyU=; b=dgym940E5pluTjq6NRMPETaq1trYWYjeWScH5nCsmUotXktcdw8tWk/bMyNqY//FJH/PK0 KGeXnT1zpJrjzv1oO1m+5Z0Mc59z95exWAsk+VH4E+4DfBJOI8fWsZ6h4lHVvLkDA/HhGLBg wlbIkoZidoiHjDk2d7S+WW+oBJ76OSVO+vyWvh+S0JcqQ1/IciwipmgJmleisn9q/Q9tcl/c SjTuT2J7kpEgQZaOsmbjg5jXBJgufzUF1AJ2x0vsp8I6M6X1ux/Vogpl87LH9+V5fGIiJwRN nt73UeWpdy4SlUinpgkD1Ty88y72C2Ai3wWc0zw59bezwdDMK+tvhCJA==; 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][whinlatter][PATCH 5/6] curl: patch CVE-2025-15079 Date: Sat, 10 Jan 2026 18:36:38 +0100 Message-Id: <20260110173639.1643322-5-peter.marko@siemens.com> In-Reply-To: <20260110173639.1643322-1-peter.marko@siemens.com> References: <20260110173639.1643322-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229156 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-15079.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-15079.patch | 32 +++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15079.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-15079.patch b/meta/recipes-support/curl/curl/CVE-2025-15079.patch new file mode 100644 index 0000000000..2320e56d68 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-15079.patch 
@@ -0,0 +1,32 @@ +From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 24 Dec 2025 17:47:03 +0100 +Subject: [PATCH] libssh: set both knownhosts options to the same file + +Reported-by: Harry Sintonen + +Closes #20092 + +CVE: CVE-2025-15079 +Upstream-Status: Backport [https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479] +Signed-off-by: Peter Marko +--- + lib/vssh/libssh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 7d5905c83d..98c109ab59 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -2670,6 +2670,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done) + infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]); + rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_KNOWNHOSTS, + data->set.str[STRING_SSH_KNOWNHOSTS]); ++ if(rc == SSH_OK) ++ /* libssh has two separate options for this. Set both to the same file ++ to avoid surprises */ ++ rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS, ++ data->set.str[STRING_SSH_KNOWNHOSTS]); + if(rc != SSH_OK) { + failf(data, "Could not set known hosts file path"); + return CURLE_FAILED_INIT; diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index 948769e0fb..a0022f3a3f 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb 
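Review bot: the guarded statement in the libssh.c hunk has a two-line comment between `if(rc == SSH_OK)` and the `rc = ssh_options_set(...)` it controls; put braces around the body so the comment cannot be mistaken for the statement and a future insertion does not land outside the condition. The change itself sets SSH_OPTIONS_GLOBAL_KNOWNHOSTS to the same file as SSH_OPTIONS_KNOWNHOSTS, so host-key acceptance is confined to the file the user named rather than also consulting libssh's default global known-hosts location; since the existing `if(rc != SSH_OK)` now covers either call, the failure message "Could not set known hosts file path" still fits both.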
@@ -18,6 +18,7 @@ SRC_URI = " \ file://CVE-2025-14017.patch \ file://CVE-2025-14524.patch \ file://CVE-2025-14819.patch \ + file://CVE-2025-15079.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Sat Jan 10 17:36:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78434 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 882F8D277FD for ; Sat, 10 Jan 2026 17:37:25 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12831.1768066634168243881 for ; Sat, 10 Jan 2026 09:37:17 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=JLgywwnM; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20260110173716776d4da1090002079f-zhzw8x@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20260110173716776d4da1090002079f for ; Sat, 10 Jan 2026 18:37:16 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=9ctDsfMYfFoUbEe06nj8qnqed5deoawvmDjfLg55+RM=; b=JLgywwnMU0A5QfYYfjSfMNoPU+a1K00kpkR4VrprPWBUn14z3UBrC03WQwrPK5/LJKHxu1 60+3rK//wniaw+VDC0993+fr6jg+9ScAsDl8LDNIqBZ/85vBQ2t8mYAYZlRI0vGhG1piUCt7 5NYBESGtBZ+2y5OxaVAJa13hDLD0Q3vysM1CT3sjeeB6SVI4OCLIXv4NggGkyt0M6zaRPyFf 7DkdI5ORodiVvLgYb6qVk7Qlt1/ajofrRHUFBxp0oTrTNfY/6ecfm0LAKIzhTZrYMnxk+jpp T/7iZE66MbZAQP/cGFjWpm5+/jKXFZfUGX82xbV9MiBKL6z3RxZX+s5g==; 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][whinlatter][PATCH 6/6] curl: patch CVE-2025-15224 Date: Sat, 10 Jan 2026 18:36:39 +0100 Message-Id: <20260110173639.1643322-6-peter.marko@siemens.com> In-Reply-To: <20260110173639.1643322-1-peter.marko@siemens.com> References: <20260110173639.1643322-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229157 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-15224.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-15224.patch | 31 +++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15224.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-15224.patch b/meta/recipes-support/curl/curl/CVE-2025-15224.patch new file mode 100644 index 0000000000..a8308b87a1 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-15224.patch 
@@ -0,0 +1,31 @@ +From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Mon, 29 Dec 2025 16:56:39 +0100 +Subject: [PATCH] libssh: require private key or user-agent for public key auth + +Closes #20110 + +CVE: CVE-2025-15224 +Upstream-Status: Backport [https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa] +Signed-off-by: Peter Marko +--- + lib/vssh/libssh.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 5d5125b526..bde6355f73 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -935,7 +935,11 @@ static int myssh_in_AUTHLIST(struct Curl_easy *data, + "keyboard-interactive, " : "", + sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ? + "password": ""); +- if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { ++ /* For public key auth we need either the private key or ++ CURLSSH_AUTH_AGENT. */ ++ if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) && ++ (data->set.str[STRING_SSH_PRIVATE_KEY] || ++ (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) { + myssh_to(data, sshc, SSH_AUTH_PKEY_INIT); + infof(data, "Authentication using SSH public key file"); + } diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index a0022f3a3f..739838c3e8 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb @@ -19,6 +19,7 @@ SRC_URI = " \ file://CVE-2025-14524.patch \ file://CVE-2025-14819.patch \ file://CVE-2025-15079.patch \ + file://CVE-2025-15224.patch \ " SRC_URI:append:class-nativesdk = " \
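Review bot: when the new condition is false because neither `STRING_SSH_PRIVATE_KEY` nor `CURLSSH_AUTH_AGENT` is set, the code silently falls through past public-key auth; add an `infof(data, ...)` for that case saying public-key auth was skipped for lack of a private key or agent, so a user whose previously working transfer now fails at a later method can see why from verbose output. The tightening itself is sound: public-key authentication is only attempted when the caller explicitly supplied a key file or opted into the agent, instead of letting libssh pick up identities on its own.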