From patchwork Sat Jan 10 17:36:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78439 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8A9BDD232D3 for ; Sat, 10 Jan 2026 17:37:45 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12780.1768066659378178788 for ; Sat, 10 Jan 2026 09:37:39 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=KX6/utGF; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-202601101737379813d95e010002076e-l5rtw6@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202601101737379813d95e010002076e for ; Sat, 10 Jan 2026 18:37:37 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=+JrkXe/PIVL5Ih38sYz9DS2Z8czffUW0adA+TZbxn9A=; b=KX6/utGFmecWmjCrzkF15E2f0iV1My0JiFixhT27sl7PqfYsV0YirHCBAqLgQudF/f4aJp lLxv3hozOwMEbFdw0gatwZWeteo9mBJAI2AczyC56D99IsrqDrLumfuzJz5ab00mQlpAZ4Kt 1Lb4aagXgv/wgIJnnoqKz41fn1gifW7k4Dk+/IibkoGAHJSYY79Y76F4g3/Ainw+QZpUQfes M6dyKhhK3tcdgYNxOLTTeJETKTURQRytEFDenEtw9YaQnPUFuT9FsmzTHtNjYBy43fasCL2E OR6roOh9k8Xx1nMcLcshwCZxECnhtitKYTuBdkmHAg82Im0hvx9WGOAg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 1/3] curl: patch CVE-2025-14017 Date: Sat, 10 Jan 2026 18:36:33 +0100 Message-Id: <20260110173635.1643307-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229162 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-14017.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-14017.patch | 115 ++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 116 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14017.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-14017.patch b/meta/recipes-support/curl/curl/CVE-2025-14017.patch new file mode 100644 index 00000000000..a18e1d74dd5 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-14017.patch @@ -0,0 +1,115 @@ +From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 4 Dec 2025 00:14:20 +0100 +Subject: [PATCH] ldap: call ldap_init() before setting the options + +Closes #19830 + +CVE: CVE-2025-14017 +Upstream-Status: Backport [https://github.com/curl/curl/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d] +Signed-off-by: Peter Marko +--- + lib/ldap.c | 49 +++++++++++++++++++------------------------------ + 1 file changed, 19 insertions(+), 30 deletions(-) + +diff --git a/lib/ldap.c b/lib/ldap.c +index 63b2cbc414..0911a9239a 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -333,16 +333,29 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + passwd = conn->passwd; + } + ++#ifdef USE_WIN32_LDAP ++ if(ldap_ssl) ++ server = ldap_sslinit(host, (int)conn->port, 1); ++ else ++#else ++ server = ldap_init(host, (int)conn->port); ++#endif ++ if(!server) { ++ failf(data, "LDAP local: Cannot connect to %s:%ld", ++ conn->host.dispname, conn->port); ++ result = CURLE_COULDNT_CONNECT; ++ goto quit; ++ } ++ + #ifdef LDAP_OPT_NETWORK_TIMEOUT +- ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); ++ ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); + #endif +- ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); ++ ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); + + if(ldap_ssl) { + #ifdef HAVE_LDAP_SSL + #ifdef USE_WIN32_LDAP + /* Win32 LDAP SDK doesn't support insecure mode without CA! */ +- server = ldap_sslinit(host, (int)conn->port, 1); + ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON); + #else + int ldap_option; +@@ -410,7 +423,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + goto quit; + } + infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca); +- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); ++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); + if(rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting PEM CA cert: %s", + ldap_err2string(rc)); +@@ -422,20 +435,13 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + else + ldap_option = LDAP_OPT_X_TLS_NEVER; + +- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); ++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); + if(rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting cert verify mode: %s", + ldap_err2string(rc)); + result = CURLE_SSL_CERTPROBLEM; + goto quit; + } +- server = ldap_init(host, (int)conn->port); +- if(!server) { +- failf(data, "LDAP local: Cannot connect to %s:%ld", +- conn->host.dispname, conn->port); +- result = CURLE_COULDNT_CONNECT; +- goto quit; +- } + ldap_option = LDAP_OPT_X_TLS_HARD; + rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option); + if(rc != LDAP_SUCCESS) { +@@ -444,15 +450,6 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + result = CURLE_SSL_CERTPROBLEM; + goto quit; + } +-/* +- rc = ldap_start_tls_s(server, NULL, NULL); +- if(rc != LDAP_SUCCESS) { +- failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s", +- ldap_err2string(rc)); +- result = CURLE_SSL_CERTPROBLEM; +- goto quit; +- } +-*/ + #else + /* we should probably never come up to here since configure + should check in first place if we can support LDAP SSL/TLS */ +@@ -469,15 +466,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + result = CURLE_NOT_BUILT_IN; + goto quit; + } +- else { +- server = ldap_init(host, (int)conn->port); +- if(!server) { +- failf(data, "LDAP local: Cannot connect to %s:%ld", +- conn->host.dispname, conn->port); +- result = CURLE_COULDNT_CONNECT; +- goto quit; +- } +- } ++ + #ifdef USE_WIN32_LDAP + ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); + rc = ldap_win_bind(data, server, user, passwd); diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 2326392a4f5..db3dc019290 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -67,6 +67,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2024-11053-0002.patch \ file://CVE-2025-0167.patch \ file://CVE-2025-9086.patch \ + file://CVE-2025-14017.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Sat Jan 10 17:36:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78440 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8A97ED1D48A for ; Sat, 10 Jan 2026 17:37:45 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12783.1768066664091418904 for ; Sat, 10 Jan 2026 09:37:44 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=KXInk5e6; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-202601101737429f5d3d544d000207a6-okxw7y@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202601101737429f5d3d544d000207a6 for ; Sat, 10 Jan 2026 18:37:42 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=mMg86Biz7BV4ukMbUMUfrbe6xoDKFYHOADaA8RZc4S4=; b=KXInk5e6mD8cHKFWQiFh2nBtj/MfRMjasB2x/PebcJngCwIJitCNom1jUf4QIhX3ChJfe6 5kYmYViYzs7XnPGMR/Pap2wNaoq+vyzMDiPl/bsR6lMlD2rg5Oi8TuytTjEZ+ia2BlUw0eG8 awHS0+eVjk0LI+rDA1XQykcWkD6YP5urdMt4JbKOGBcCVEBE1WSk3anIUd0PhkI65SkxWnOM ukcTwTK+pKvq1DaJV/HYQ97+VlTnLFIc4O0KOg2YbthPZK9koju4OyLTYy2hMdJO8BjHdYEZ wM67sOqGbD/SLYHrkOlxV1lwhxx5ntxY6w8tHfcWRUHCGvnVRVfOLcQg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 2/3] curl: patch CVE-2025-15079 Date: Sat, 10 Jan 2026 18:36:34 +0100 Message-Id: <20260110173635.1643307-2-peter.marko@siemens.com> In-Reply-To: <20260110173635.1643307-1-peter.marko@siemens.com> References: <20260110173635.1643307-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229163 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-15079.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-15079.patch | 32 +++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15079.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-15079.patch b/meta/recipes-support/curl/curl/CVE-2025-15079.patch new file mode 100644 index 00000000000..47fa518309f --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-15079.patch @@ -0,0 +1,32 @@ +From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 24 Dec 2025 17:47:03 +0100 +Subject: [PATCH] libssh: set both knownhosts options to the same file + +Reported-by: Harry Sintonen + +Closes #20092 + +CVE: CVE-2025-15079 +Upstream-Status: Backport [https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479] +Signed-off-by: Peter Marko +--- + lib/vssh/libssh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 7d5905c83d..98c109ab59 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -2224,6 +2224,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done) + infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]); + rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_KNOWNHOSTS, + data->set.str[STRING_SSH_KNOWNHOSTS]); ++ if(rc == SSH_OK) ++ /* libssh has two separate options for this. Set both to the same file ++ to avoid surprises */ ++ rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS, ++ data->set.str[STRING_SSH_KNOWNHOSTS]); + if(rc != SSH_OK) { + failf(data, "Could not set known hosts file path"); + return CURLE_FAILED_INIT; diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index db3dc019290..9c1a90e1912 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -68,6 +68,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2025-0167.patch \ file://CVE-2025-9086.patch \ file://CVE-2025-14017.patch \ + file://CVE-2025-15079.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Sat Jan 10 17:36:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 78441 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85787D232D3 for ; Sat, 10 Jan 2026 17:37:55 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12785.1768066668169985212 for ; Sat, 10 Jan 2026 09:37:48 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=eiwrc0ZY; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20260110173746b8e19b6a900002073b-1srezc@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20260110173746b8e19b6a900002073b for ; Sat, 10 Jan 2026 18:37:46 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=T+t0TKsNsjMCRvXw1ur6TEVQUfSpOreaqzYbBw9B5X4=; b=eiwrc0ZYIO9Wl5AM7oIBWXGtCshSOnOMkpgVt0PEucihv6Bwnbf62pStLeUKS4NURcIhJ6 ab0ZsBQ+tD5RhvqpfWnHwEF/AKGXdv2iOSfkIqhvOhkjKgt13809UTKyVkiEJkAnLsC16YhT nZp9snMyvzzlkK6wq4SJGAr7SGB64T3g0oa2cqnmunMwe1K8pFJFLs3bVI4P/2qXWpFaYz1u z36+pYjtp/vY8JqjxuppcUgpylfD95XPVUNC5y5hx3mUwOZ3BFgP6r3GrFW7AFs0lTz39MAN 2r5Tix123DVCYtPx4u6z5jloA47kVTRzA7+sg5noAyF9cOIWcyM44z4A==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 3/3] curl: patch CVE-2025-15224 Date: Sat, 10 Jan 2026 18:36:35 +0100 Message-Id: <20260110173635.1643307-3-peter.marko@siemens.com> In-Reply-To: <20260110173635.1643307-1-peter.marko@siemens.com> References: <20260110173635.1643307-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Jan 2026 17:37:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229164 From: Peter Marko Pick patch per [1]. [1] https://curl.se/docs/CVE-2025-15224.html Signed-off-by: Peter Marko --- .../curl/curl/CVE-2025-15224.patch | 31 +++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15224.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-15224.patch b/meta/recipes-support/curl/curl/CVE-2025-15224.patch new file mode 100644 index 00000000000..36f5f1b93ab --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-15224.patch @@ -0,0 +1,31 @@ +From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Mon, 29 Dec 2025 16:56:39 +0100 +Subject: [PATCH] libssh: require private key or user-agent for public key auth + +Closes #20110 + +CVE: CVE-2025-15224 +Upstream-Status: Backport [https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa] +Signed-off-by: Peter Marko +--- + lib/vssh/libssh.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 5d5125b526..bde6355f73 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -741,7 +741,11 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + } + + sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL); +- if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { ++ /* For public key auth we need either the private key or ++ CURLSSH_AUTH_AGENT. */ ++ if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) && ++ (data->set.str[STRING_SSH_PRIVATE_KEY] || ++ (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) { + state(data, SSH_AUTH_PKEY_INIT); + infof(data, "Authentication using SSH public key file"); + } diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 9c1a90e1912..72bd1a20881 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -69,6 +69,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2025-9086.patch \ file://CVE-2025-14017.patch \ file://CVE-2025-15079.patch \ + file://CVE-2025-15224.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"