From patchwork Fri Mar 20 07:56:01 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 83942
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 70B7B1093186
	for <webhook@archiver.kernel.org>; Fri, 20 Mar 2026 07:56:21 +0000 (UTC)
Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com
 [209.85.214.174])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.7529.1773993379153890674
 for <openembedded-core@lists.openembedded.org>;
 Fri, 20 Mar 2026 00:56:19 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=RpPKuGKj;
 spf=pass (domain: mvista.com, ip: 209.85.214.174,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pl1-f174.google.com with SMTP id
 d9443c01a7336-2b04b4974abso16105335ad.1
        for <openembedded-core@lists.openembedded.org>;
 Fri, 20 Mar 2026 00:56:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1773993378; x=1774598178;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=AxDDNTvtGGFGB36Neyut/IaeqvMSJbfI8Az+EJjV0tA=;
        b=RpPKuGKjMR0sQDZhfzFoLxqPKvhnD6Kx1PYsH5hBHnpNGvTVjPFNamdkmN4l4YcCP7
         YNAAsCVTDZuzdJY/ZPTPy6yyAtSV6B2hsT1XO425wx7zxLUD7toZkgMOc4+NOVpRC1u0
         nZD+BtqM6rJR31aVl0psccFIOTuKzfBwNwhng=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773993378; x=1774598178;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=AxDDNTvtGGFGB36Neyut/IaeqvMSJbfI8Az+EJjV0tA=;
        b=KKAOkSwChGCjqg3Yp3RST14r6a+0oj/nSMyY+up/zEaMAkCBp9R9PEiTK6EZaFjU0g
         14uFT6fI+KcIhiDRUUqjwj6uvyIzVio3YcW5e+10FK0kOYU6hcMML5kvPjXg1KzSYvid
         dpDwdpBq+Aevlo0dpz8XEeeNglx/2EpaH75Iq1vQ9QsBCURxVWWgVbKT9G+ZOvuBSSmk
         43pvo86cMbPPToGnQvD3t3LRp1Er5+j6PcTKkEtW6NTaQfpTAG61G74j8SAzV+189ZRV
         JYGj+bXqczDMP6gbdVBEOte1F8BGuLHLW+8pWY/AwkxC3+AXY89SYpbbwFIP8HOKnv2Z
         y0pA==
X-Gm-Message-State: AOJu0YzAunqPOgVf4L0ZZBb8T4kIupER+AEomksdKV5T91mnFE7uIqLe
	8QIeMc08CTRg31yTFcKgLrx6sNp06s9DeSYHa5GSMmO3m74DOvupkkWlVhM5rCIXOsfXEiLW17Z
	Di8jIAGc=
X-Gm-Gg: ATEYQzzn5REd20UEqvQcmdbspPrTXPCA51fREt+2vbR1RiEmUXbUqTQQq8owFTpgIw4
	TuPXRsLkX2sPHuzZuV2S2Teu/oYZtTH9umF4+Kr3X/sZQubdaRrnAGxlJlAHhfFxxVtsEpbx/AY
	7r9cmxrmo3qlMxcb6LdBBw/v9MqQgGHNoQGLmSw/9HefmUQuFYZr6WtTyS7YAvXGoRUtS1EK4z5
	f0wXXF92E1N1MXHra7dZA3Jau4co5fRjrYUd4noswYLrDHVr/vWA/X99uQSV96ggUZwBxnitoh3
	z8KxANuKZF2uQR58x5d/Nk95jJg25tMYqsmu/9Lq+Zi3O8RT/W7iLbPgPM9XN0jUEa+gIA/1YOQ
	o+U4fKeDPgCLIpaPOq+9uXyf073s/0Ly4FzxnoeuOTDfUEAqg61KZkAYkx+ExmZKKKjfoX2IGRS
	H+UtnMd99OAMk1sf3Xqjo0lneht2r+PZduzGIp
X-Received: by 2002:a17:902:da83:b0:2b0:66bc:2282 with SMTP id
 d9443c01a7336-2b0826d6bb5mr19549625ad.6.1773993377059;
        Fri, 20 Mar 2026 00:56:17 -0700 (PDT)
Received: from localhost.localdomain ([2406:7400:54:2bec:8f5f:34a4:6ab0:7770])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2b08352ae70sm14770965ad.23.2026.03.20.00.56.15
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 20 Mar 2026 00:56:16 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [OE-core][kirkstone][PATCH 1/4] curl: Fix CVE-2025-14524
Date: Fri, 20 Mar 2026 13:26:01 +0530
Message-Id: <20260320075604.551251-1-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 20 Mar 2026 07:56:21 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/233584

From: Vijay Anusuri <vanusuri@mvista.com>

import patch from ubuntu to fix
 CVE-2025-14524

Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
Upstream commit https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640]

Reference: https://curl.se/docs/CVE-2025-14524.html

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../curl/curl/CVE-2025-14524.patch            | 33 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-14524.patch b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
new file mode 100644
index 0000000000..20f20d8692
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
@@ -0,0 +1,33 @@
+From 1a822275d333dc6da6043497160fd04c8fa48640 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 10 Dec 2025 11:40:47 +0100
+Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer
+
+Closes #19933
+
+Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
+Upstream commit https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640]
+CVE: CVE-2025-14524
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/curl_sasl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
+index 7e28c92..ed9ca96 100644
+--- a/lib/curl_sasl.c
++++ b/lib/curl_sasl.c
+@@ -531,7 +531,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
+     data->set.str[STRING_SERVICE_NAME] :
+     sasl->params->service;
+ #endif
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+   struct bufref serverdata;
+ 
+   Curl_bufref_init(&serverdata);
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 72bd1a2088..b8fa8b5266 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -70,6 +70,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2025-14017.patch \
            file://CVE-2025-15079.patch \
            file://CVE-2025-15224.patch \
+           file://CVE-2025-14524.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 

From patchwork Fri Mar 20 07:56:02 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 83943
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6C2971093187
	for <webhook@archiver.kernel.org>; Fri, 20 Mar 2026 07:56:31 +0000 (UTC)
Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com
 [209.85.216.42])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.7578.1773993381830809207
 for <openembedded-core@lists.openembedded.org>;
 Fri, 20 Mar 2026 00:56:21 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=VLBCzKXN;
 spf=pass (domain: mvista.com, ip: 209.85.216.42,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pj1-f42.google.com with SMTP id
 98e67ed59e1d1-35a211df8e3so1217842a91.2
        for <openembedded-core@lists.openembedded.org>;
 Fri, 20 Mar 2026 00:56:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1773993381; x=1774598181;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=7fK47ibW46gnCtyDixxnDeE27OZIxhASjMqjTlDFihc=;
        b=VLBCzKXN0h2VOfLWl92TCJ1Ti2i9sAGg0se8geH6vrfPJGkOvKR1rgXMHsnHd/IYbK
         Bjxypnl48hgcNwzcCVaPoZC3CrfBRAuHDsuBdXKxkXZjAVk8qULBKskYB9iwFuZ4/Luj
         7Pa92DzCno9n5dR6uiN3qbs8cdyt54paG0EBo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773993381; x=1774598181;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=7fK47ibW46gnCtyDixxnDeE27OZIxhASjMqjTlDFihc=;
        b=J9FGzeI0ii0MT/iSvW2OCQ4YXQc5mxNhV9G8UyAkEfvFzdVB3qWZ/QOUIj15iGkRly
         tBpqGGUceIv8IFURDHyIWuRoEBizNIAJ4e/Kr6gvlIxCPQlBcilDRikGEztCGebMMZGn
         9am14Jo7ATnwDs8MxQXbB57BEhfAnoYiVWFsxcbrGSms1bJ84/slk7LAuu6HzqH8Wp8j
         A3M0fWnxWU89AZwzJQSM+D0BKnMKqNZDogtvmD3EJ/5mEbva+ccLlI/1krMNOQW1Jo8e
         6vbe9p78sI/dwyyFdczRFjpW1OCUml/+nSWgIJnBv3QBG5Yk8YMSzNO+vSv808ISpLBX
         2KVQ==
X-Gm-Message-State: AOJu0Yy7Zwel7kH9wJg4trs0LNzxMYFpVXW217HcXSlV6IkiXuMscu15
	BK1/xXaBuSD7enP5XCAl3wcIvA5RnnUdb73Wah3ixK59pHI/P9C4qkpsQig1HrA1LKl0pTlAd6x
	DINwHn3s=
X-Gm-Gg: ATEYQzwrUXffX4DqywFJUzrVzUG0ntyImw/4l+Mh8fFZ6vtv19SB66WMmLdjVrXNxpF
	qy3+VjB7V6+Nv6elgVB9PuUs91RIaK3hAnnIhbnFTsQKxzfzfDSTYUEkdqkJOIqXkO6hNnfs4ao
	ByPAKeoKQYoZDB+ZS5VJkZL5arEU5m43scoyoaqCHM9BRAJaJUqVBtrMwF03zhYLwd1MK+UloPP
	c/1aSBxhcc/eLwOOcX+p27syv4720CCNRmd3MLVvK3BbPET47jy2rBjMAac9Yg0Pycff0nzf6GN
	PJypIZwffFg2bUfQBQEnPXUfqnCStPDNBi0CYZ99lx07xUSjXl3YTdIpXxHEbrjnCO4lBUln3ck
	rCsMgksbOREMV6NZoXv1W4wYnuFQhrE3vn8+wjv87SJ/UDkHzJdIMg7aNQgGUoH46NfHoI+WcMZ
	krrvdxku+BCW1bbCJY2JE8P1YoaPOdB2SLBH/l
X-Received: by 2002:a17:902:ce08:b0:2ae:8077:b1c7 with SMTP id
 d9443c01a7336-2b0827b7c6fmr17850885ad.37.1773993380790;
        Fri, 20 Mar 2026 00:56:20 -0700 (PDT)
Received: from localhost.localdomain ([2406:7400:54:2bec:8f5f:34a4:6ab0:7770])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2b08352ae70sm14770965ad.23.2026.03.20.00.56.18
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 20 Mar 2026 00:56:20 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [OE-core][kirkstone][PATCH 2/4] curl: Fix for CVE-2026-1965
Date: Fri, 20 Mar 2026 13:26:02 +0530
Message-Id: <20260320075604.551251-2-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20260320075604.551251-1-vanusuri@mvista.com>
References: <20260320075604.551251-1-vanusuri@mvista.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 20 Mar 2026 07:56:31 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/233585

From: Vijay Anusuri <vanusuri@mvista.com>

import patch from ubuntu to fix
 CVE-2026-1965

Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
Upstream commit https://github.com/curl/curl/commit/34fa034d9a390c4bd6 &
https://github.com/curl/curl/commit/f1a39f221d57354990]

Reference: https://curl.se/docs/CVE-2026-1965.html
           https://ubuntu.com/security/CVE-2026-1965

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../curl/curl/CVE-2026-1965-1.patch           | 99 +++++++++++++++++++
 .../curl/curl/CVE-2026-1965-2.patch           | 30 ++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  2 +
 3 files changed, 131 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-2.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
new file mode 100644
index 0000000000..72bf1bca7f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
@@ -0,0 +1,99 @@
+Backport of:
+
+From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 5 Feb 2026 08:34:21 +0100
+Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
+
+Assume Negotiate means connection-based
+
+Reported-by: Zhicheng Chen
+Closes #20534
+
+Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
+Upstream commit https://github.com/curl/curl/commit/34fa034d9a390c4bd6]
+CVE: CVE-2026-1965
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 82 insertions(+), 5 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1145,6 +1145,18 @@ ConnectionExists(struct Curl_easy *data,
+ #endif
+ #endif
+ 
++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
++  bool wantNegohttp =
++    (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#ifndef CURL_DISABLE_PROXY
++  bool wantProxyNegohttp =
++    needle->bits.proxy_user_passwd &&
++    (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#endif
++#endif
++
+   *force_reuse = FALSE;
+   *waitpipe = FALSE;
+ 
+@@ -1496,6 +1508,57 @@ ConnectionExists(struct Curl_easy *data,
+           continue;
+         }
+ #endif
++
++#ifdef USE_SPNEGO
++  /* If we are looking for an HTTP+Negotiate connection, check if this is
++     already authenticating with the right credentials. If not, keep looking
++     so that we can reuse Negotiate connections if possible. */
++  if(wantNegohttp) {
++    if(Curl_timestrcmp(needle->user, check->user) ||
++       Curl_timestrcmp(needle->passwd, check->passwd))
++      continue;
++  }
++  else if(check->http_negotiate_state != GSS_AUTHNONE) {
++    /* Connection is using Negotiate auth but we do not want Negotiate */
++    continue;
++  }
++
++#ifndef CURL_DISABLE_PROXY
++  /* Same for Proxy Negotiate authentication */
++  if(wantProxyNegohttp) {
++    /* Both check->http_proxy.user and check->http_proxy.passwd can be
++     * NULL */
++    if(!check->http_proxy.user || !check->http_proxy.passwd)
++      continue;
++
++    if(Curl_timestrcmp(needle->http_proxy.user,
++                       check->http_proxy.user) ||
++       Curl_timestrcmp(needle->http_proxy.passwd,
++                       check->http_proxy.passwd))
++      continue;
++  }
++  else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
++    /* Proxy connection is using Negotiate auth but we do not want Negotiate */
++    continue;
++  }
++#endif
++  if(wantNTLMhttp || wantProxyNTLMhttp) {
++    /* Credentials are already checked, we may use this connection. We MUST
++     * use a connection where it has already been fully negotiated. If it has
++     * not, we keep on looking for a better one. */
++    chosen = check;
++    if((wantNegohttp &&
++        (check->http_negotiate_state != GSS_AUTHNONE)) ||
++       (wantProxyNegohttp &&
++        (check->proxy_negotiate_state != GSS_AUTHNONE))) {
++      /* We must use this connection, no other */
++      *force_reuse = TRUE;
++      break;
++    }
++    continue; /* get another */
++  }
++#endif
++
+         if(canmultiplex) {
+           /* We can multiplex if we want to. Let's continue looking for
+              the optimal connection to use. */
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
new file mode 100644
index 0000000000..25f419eea4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
@@ -0,0 +1,30 @@
+Backport of:
+
+From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 21 Feb 2026 18:11:41 +0100
+Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
+
+Follow-up to 34fa034
+Reported-by: dahmono on github
+Closes #20662
+
+Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
+Upstream commit https://github.com/curl/curl/commit/f1a39f221d57354990]
+CVE: CVE-2026-1965
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1542,7 +1542,7 @@ ConnectionExists(struct Curl_easy *data,
+     continue;
+   }
+ #endif
+-  if(wantNTLMhttp || wantProxyNTLMhttp) {
++  if(wantNegohttp || wantProxyNegohttp) {
+     /* Credentials are already checked, we may use this connection. We MUST
+      * use a connection where it has already been fully negotiated. If it has
+      * not, we keep on looking for a better one. */
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index b8fa8b5266..0e107f1e75 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -71,6 +71,8 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2025-15079.patch \
            file://CVE-2025-15224.patch \
            file://CVE-2025-14524.patch \
+           file://CVE-2026-1965-1.patch \
+           file://CVE-2026-1965-2.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 

From patchwork Fri Mar 20 07:56:03 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 83944
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 72D3A1093189
	for <webhook@archiver.kernel.org>; Fri, 20 Mar 2026 07:56:31 +0000 (UTC)
Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com
 [209.85.214.180])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.7531.1773993385922085616
 for <openembedded-core@lists.openembedded.org>;
 Fri, 20 Mar 2026 00:56:25 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=PRTDkdg4;
 spf=pass (domain: mvista.com, ip: 209.85.214.180,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pl1-f180.google.com with SMTP id
 d9443c01a7336-2a7a9b8ed69so22069535ad.2
        for <openembedded-core@lists.openembedded.org>;
 Fri, 20 Mar 2026 00:56:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1773993385; x=1774598185;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=JWo3X6St0+AIhwHCL6ARIuk0x9rQWVino7H+bnmVY7k=;
        b=PRTDkdg46ik8U4R0UTSZeS8ievf0K+OYWfr1y4A4FvddYpZr8H98sgweTtxchyIVBf
         YO5h33BpM40aIV2zOzEEPhT7wQT3mMY3XCgt7bG6w7HHhGy6HrSYcudYT21dAYpSfClf
         3COCiLWgmm+OEE45yH7IdHLXUHi6+aprU2xkE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773993385; x=1774598185;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=JWo3X6St0+AIhwHCL6ARIuk0x9rQWVino7H+bnmVY7k=;
        b=gfWxtyU17guYbr0V5t/4aMHifOwPA+IJrJPQLXkMjq4JheTfli028FoG5M4fvYEvNm
         1WE76oMo1dPxTPOGOT6tZz4o/rQbLcp/7fwJMs8guljd1cEW8pns2KYwpbWZfDn0WPVx
         XeIw6M5WmojtWjTGc/MVKLWgiewuaMUAvq95c8fAWV+8TO4MUfdx4zYPptFap57453uW
         sxZ5/Zc8KabcA3GOeN+1/FkvtVetFLM0u/+V26TO4Q6HcY44R5U2bp55xmRw0JNMMeVo
         CBV8qgnmIteoY3HXX11SCaTXZB/HZM/utcKc4ehrJmPnvnhdmgYpQYqK5xmA40CqyUg5
         M/qw==
X-Gm-Message-State: AOJu0YysOblqRi/QsjKexElQIhHUhOxdSPfNURP/4VnigA8JjJfWdrgD
	Hj5qryWgMoG/nagQNx1ykGtG3Knbnx3zO5KsBstMXpzmsFZQIMvfT7FaBjaKKNog4wFAhC092X3
	l1iomXGU=
X-Gm-Gg: ATEYQzwqGU7Aq5iuTX5O6dwQn80fKgEpd9d4Tc7KSs8FWi+UQaaXZaCWSDzklPK7Qnb
	itCccKXE8LfRQQeLZCxuCoCqZwet31kFuhXIt63RRiaSGum6HcYmXDCF2oSB4N5q26whcu3Z2ZR
	+Hs9IExeczmV/x6FfVZI9Rx3sry9cdo0kvNF5eOOd9FjFJLK6jczdrbzHx931FmADmH74FpwWVA
	J4VXlYGhiYVME7UvT59rlYIZ12UoSCsXgc80KxWQTjl3OsCFh81aMKT1Vb38Y6PGOt3+Gxmy31+
	k0d5YDv/CreVDAn3ocLRZEMsA9GTj0kRVxYLsnStTt+2tyZMqfIkFygtSkIKrDBD7VSkw0UQAI4
	m0Sx4Tk+/T01WCrarwBtYHFld/Wy53c1SkA5PhtuhAkqBLK7y1VYYPgQDBgyLMf3LRfTpLEb6UF
	+tQuWP1ELoVnFSLx6WbgG4S7tEF1GK8yxBfrUU
X-Received: by 2002:a17:902:e885:b0:2ae:5776:45f8 with SMTP id
 d9443c01a7336-2b0826d73dcmr21675585ad.3.1773993384887;
        Fri, 20 Mar 2026 00:56:24 -0700 (PDT)
Received: from localhost.localdomain ([2406:7400:54:2bec:8f5f:34a4:6ab0:7770])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2b08352ae70sm14770965ad.23.2026.03.20.00.56.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 20 Mar 2026 00:56:24 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [OE-core][kirkstone][PATCH 3/4] curl: Fix for CVE-2026-3783
Date: Fri, 20 Mar 2026 13:26:03 +0530
Message-Id: <20260320075604.551251-3-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20260320075604.551251-1-vanusuri@mvista.com>
References: <20260320075604.551251-1-vanusuri@mvista.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 20 Mar 2026 07:56:31 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/233586

From: Vijay Anusuri <vanusuri@mvista.com>

import patch from ubuntu to fix
 CVE-2026-3783

Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
Upstream commit https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877]

Reference: https://curl.se/docs/CVE-2026-3783.html
           https://ubuntu.com/security/CVE-2026-3783

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../curl/curl/CVE-2026-3783.patch             | 188 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
 2 files changed, 189 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783.patch b/meta/recipes-support/curl/curl/CVE-2026-3783.patch
new file mode 100644
index 0000000000..577af6479c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-3783.patch
@@ -0,0 +1,188 @@
+Backport of:
+
+From e3d7401a32a46516c9e5ee877e613e62ed35bddc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 6 Mar 2026 23:13:07 +0100
+Subject: [PATCH] http: only send bearer if auth is allowed
+
+Verify with test 2006
+
+Closes #20843
+
+Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
+Upstream commit https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877]
+CVE: CVE-2026-3783
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/http.c             |  1 +
+ tests/data/Makefile.am |  2 +-
+ tests/data/test2006    | 98 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 100 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test2006
+
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -652,6 +652,21 @@ CURLcode Curl_http_auth_act(struct Curl_
+   return result;
+ }
+ 
++/*
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
++ */
++bool Curl_allow_auth_to_host(struct Curl_easy *data)
++{
++  struct connectdata *conn = data->conn;
++  return (!data->state.this_is_a_follow ||
++          data->set.allow_auth_to_other_hosts ||
++          (data->state.first_host &&
++           strcasecompare(data->state.first_host, conn->host.name) &&
++           (data->state.first_remote_port == conn->remote_port) &&
++           (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ #ifndef CURL_DISABLE_HTTP_AUTH
+ /*
+  * Output the correct authentication header depending on the auth type
+@@ -742,6 +757,7 @@ output_auth_headers(struct Curl_easy *da
+   if(authstatus->picked == CURLAUTH_BEARER) {
+     /* Bearer */
+     if((!proxy && data->set.str[STRING_BEARER] &&
++        Curl_allow_auth_to_host(data) &&
+         !Curl_checkheaders(data, STRCONST("Authorization")))) {
+       auth = "Bearer";
+       result = http_output_bearer(data);
+@@ -775,21 +791,6 @@ output_auth_headers(struct Curl_easy *da
+   return CURLE_OK;
+ }
+ 
+-/*
+- * Curl_allow_auth_to_host() tells if authentication, cookies or other
+- * "sensitive data" can (still) be sent to this host.
+- */
+-bool Curl_allow_auth_to_host(struct Curl_easy *data)
+-{
+-  struct connectdata *conn = data->conn;
+-  return (!data->state.this_is_a_follow ||
+-          data->set.allow_auth_to_other_hosts ||
+-          (data->state.first_host &&
+-           strcasecompare(data->state.first_host, conn->host.name) &&
+-           (data->state.first_remote_port == conn->remote_port) &&
+-           (data->state.first_remote_protocol == conn->handler->protocol)));
+-}
+-
+ /**
+  * Curl_http_output_auth() setups the authentication headers for the
+  * host/proxy and the correct authentication
+--- /dev/null
++++ b/tests/data/test2006
+@@ -0,0 +1,98 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++netrc
++HTTP
++</keywords>
++</info>
++# Server-side
++<reply>
++<data crlf="yes">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++-foo-
++</data>
++
++<data2 crlf="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</data2>
++
++<datacheck crlf="yes">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</datacheck>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++proxy
++</features>
++<name>
++.netrc default with redirect plus oauth2-bearer
++</name>
++<command>
++--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER --oauth2-bearer SECRET_TOKEN -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
++</command>
++<file name="%LOGDIR/netrc%TESTNUMBER" >
++default login testuser password testpass
++</file>
++</client>
++
++<verify>
++<protocol crlf="yes">
++GET http://a.com/ HTTP/1.1
++Host: a.com
++Authorization: Bearer SECRET_TOKEN
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://b.com/%TESTNUMBER0002 HTTP/1.1
++Host: b.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -218,7 +218,7 @@ test1916 test1917 test1918 \
+ \
+ test1933 test1934 test1935 test1936 test1937 test1938 test1939 \
+ \
+-test2000 test2001 test2002 test2003 test2004 \
++test2000 test2001 test2002 test2003 test2004 test2006 \
+ \
+                                                                test2023 \
+ test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 0e107f1e75..8fdd954c7e 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -73,6 +73,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2025-14524.patch \
            file://CVE-2026-1965-1.patch \
            file://CVE-2026-1965-2.patch \
+           file://CVE-2026-3783.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 

From patchwork Fri Mar 20 07:56:04 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 83945
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 858CE1093188
	for <webhook@archiver.kernel.org>; Fri, 20 Mar 2026 07:56:31 +0000 (UTC)
Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com
 [209.85.214.179])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.7532.1773993389479774345
 for <openembedded-core@lists.openembedded.org>;
 Fri, 20 Mar 2026 00:56:29 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=FMqCjPeA;
 spf=pass (domain: mvista.com, ip: 209.85.214.179,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pl1-f179.google.com with SMTP id
 d9443c01a7336-2a7a9b8ed69so22070085ad.2
        for <openembedded-core@lists.openembedded.org>;
 Fri, 20 Mar 2026 00:56:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1773993388; x=1774598188;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=RjBARhUTUqICFt3IMO89NrIcC1A2ebBKU1U2Qy1mTCg=;
        b=FMqCjPeApbf4WqrD0B1pEmVozlAyG931CFpgFaHMjJMy6bVIxJIgIvkPZgQbip3uUV
         Sboo0B789dIbhIilwulkr19UVOYEeantTRsE8oKfYq1IcvcmwN0wyWwllbeeUJUbxRuK
         hjvIdllCWOdC5HO/4zjHKyAbdpEbg+Z2dvf60=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773993388; x=1774598188;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=RjBARhUTUqICFt3IMO89NrIcC1A2ebBKU1U2Qy1mTCg=;
        b=MibobzzyKju/v85q750kHg21k0TSmamKTlZYBwluqiv0FILHsZK22LoarRBUqie8/r
         BOTB2FfQrlbjpTuxxK9Mrlu3htRW7aPLOZg40p4oAVAxzMfdO+p7YPfp0yEle+hM4pLA
         fzPz0Sf4G2WPd1aJ6QJKZgxn6vgrM41r7Jznjo4EZWpGiJGsicSUeSUwV4uoQJrk/lHF
         kCqyKX2IGqr8huoSj6d/BkbAo3GeDRRQ6DrzdmznpGw4jLcKP0JrBVk6dv0U0FdsOOGQ
         jrl2B5EE5epHN/Fvv5Q8vebXk4TMj2lc8q+uLETubiu/QMY7MJGCBPGnrrkgJhcXeeUg
         4drA==
X-Gm-Message-State: AOJu0YzSOYIWqX410uj0FCbwTxsnTulsskjouC0iQwNuZD0qbAZwy9tG
	sh8K223aILx8T+EqwUP5FsXavYkUsKMhRoYj9MZ9/wCgM6lOhp/Tyg2INv+DYvq1sARbiG62uGf
	trBXasno=
X-Gm-Gg: ATEYQzyPDn/7uTCVDNFuOMnYTfPbSo0WU+lwLflmuw7/X5RDmYpuSVbZRM1p3KIXMYs
	+jLOz9KJL+AbMn3URA8oc1YM41pkc1osCmVLI9gnvcnmwgko34AvKbwZsKxCLSWu8qsVMLp2IRj
	UVOxJKM+H1hx90hrCsma7pCR49GBDLHKpknyJpuvd/ODSwMGykIUoUboAeRPBIJsr7jC0LfdBgb
	0dQGdXOg/boTXN1UoOL4VSxUwKHfMptW66TaIkPI4HaVQRdOzQXGQl71vxc2YNKtf1SnIMI39EK
	o7gFeZOlb55ecb7yY43fnDWzeUkYp3gAaQLyAp2r/VCf88cuEM/w3fP8ebFj612Kr8fccpzL82u
	9zKWdzqJ42ZA4hJhcLJk+MA3EGEfuHKpsO5Z/CP5K90rxm584kSJHoscZo0Q41atixqgnSCK6PM
	/SzsFXFFGoyck/yuA114wIaUOXfgoz63sQtQzQVq/aHp/p/HE=
X-Received: by 2002:a17:902:f605:b0:2b0:5084:eb1e with SMTP id
 d9443c01a7336-2b0827d60d6mr19612275ad.42.1773993388430;
        Fri, 20 Mar 2026 00:56:28 -0700 (PDT)
Received: from localhost.localdomain ([2406:7400:54:2bec:8f5f:34a4:6ab0:7770])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2b08352ae70sm14770965ad.23.2026.03.20.00.56.26
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 20 Mar 2026 00:56:27 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [OE-core][kirkstone][PATCH 4/4] curl: Fix CVE-2026-3784
Date: Fri, 20 Mar 2026 13:26:04 +0530
Message-Id: <20260320075604.551251-4-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20260320075604.551251-1-vanusuri@mvista.com>
References: <20260320075604.551251-1-vanusuri@mvista.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 20 Mar 2026 07:56:31 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/233587

From: Vijay Anusuri <vanusuri@mvista.com>

import patch from ubuntu to fix
 CVE-2026-3784

Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
Upstream commit https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3]

Reference: https://curl.se/docs/CVE-2026-3784.html
           https://ubuntu.com/security/CVE-2026-3784

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../curl/curl/CVE-2026-3784.patch             | 74 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch b/meta/recipes-support/curl/curl/CVE-2026-3784.patch
new file mode 100644
index 0000000000..8f3d56bab9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch
@@ -0,0 +1,74 @@
+Backport of:
+
+From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 6 Mar 2026 14:54:09 +0100
+Subject: [PATCH] proxy-auth: additional tests
+
+Also eliminate the special handling for socks proxy match.
+
+Closes #20837
+
+Upstream-Status: Backport [import from ubuntu curl_7.81.0-1ubuntu1.23.debian.tar.xz
+Upstream commit https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3]
+CVE: CVE-2026-3784
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c                        | 28 +++++++---------------------
+ tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++
+ tests/http/testenv/curl.py       | 18 +++++++++++++++---
+ 3 files changed, 42 insertions(+), 24 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in
+ {
+   if((data->proxytype == needle->proxytype) &&
+      (data->port == needle->port) &&
+-     Curl_safe_strcasecompare(data->host.name, needle->host.name))
+-    return TRUE;
++     curl_strequal(data->host.name, needle->host.name)) {
+ 
++    if(Curl_timestrcmp(data->user, needle->user) ||
++       Curl_timestrcmp(data->passwd, needle->passwd))
++      return FALSE;
++    return TRUE;
++  }
+   return FALSE;
+ }
+-
+-static bool
+-socks_proxy_info_matches(const struct proxy_info *data,
+-                         const struct proxy_info *needle)
+-{
+-  if(!proxy_info_matches(data, needle))
+-    return FALSE;
+-
+-  /* the user information is case-sensitive
+-     or at least it is not defined as case-insensitive
+-     see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */
+-
+-  /* curl_strequal does a case insentive comparison, so do not use it here! */
+-  if(Curl_timestrcmp(data->user, needle->user) ||
+-     Curl_timestrcmp(data->passwd, needle->passwd))
+-    return FALSE;
+-  return TRUE;
+-}
+-#else
+-/* disabled, won't get called */
+-#define proxy_info_matches(x,y) FALSE
+-#define socks_proxy_info_matches(x,y) FALSE
+ #endif
+ 
+ /* A connection has to have been idle for a shorter time than 'maxage_conn'
+@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data,
+         continue;
+ 
+       if(needle->bits.socksproxy &&
+-        !socks_proxy_info_matches(&needle->socks_proxy,
+-                                  &check->socks_proxy))
++        !proxy_info_matches(&needle->socks_proxy,
++                            &check->socks_proxy))
+         continue;
+ #endif
+       if(needle->bits.conn_to_host != check->bits.conn_to_host)
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 8fdd954c7e..c33183e096 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -74,6 +74,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2026-1965-1.patch \
            file://CVE-2026-1965-2.patch \
            file://CVE-2026-3783.patch \
+           file://CVE-2026-3784.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"