From patchwork Fri Mar 20 23:07:16 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 84028
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 1/7] inetutils: Fix CVE-2026-32746
Date: Sat, 21 Mar 2026 00:07:16 +0100
Message-ID: <46a29a287dffe7ee624e15b6659235be1c58c5ce.1774047909.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233637

From: Vijay Anusuri

Pick patch according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-32746
[2] https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
[3] https://codeberg.org/inetutils/inetutils/pulls/17/files

Signed-off-by: Vijay Anusuri
Signed-off-by: Yoann Congal
---
 .../inetutils/inetutils/CVE-2026-32746.patch | 40 +++++++++++++++++++
 .../inetutils/inetutils_2.6.bb | 1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch

diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch
new file mode 100644
index 00000000000..dfab82f01f2
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch
@@ -0,0 +1,40 @@ +From 6864598a29b652a6b69a958f5cd1318aa2b258af Mon Sep 17 00:00:00 2001 +From: Collin Funk +Date: Wed, 11 Mar 2026 23:06:46 -0700 +Subject: [PATCH] telnetd: fix stack buffer overflow processing SLC suboption triplets + +Previously a client could write past the end of an internal buffer using +an SLC suboption with many triplets using function octets greater than +18, possibly leading to remote code execution. Reported by Adiel Sol, +Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM +Security Research Team at: +. + +* telnetd/slc.c (add_slc): Return early if writing the tuple would lead +us to writing past the end of the buffer. +* NEWS.md: Mention the fix. + +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=6864598a29b652a6b69a958f5cd1318aa2b258af] +CVE: CVE-2026-32746 +Signed-off-by: Vijay Anusuri +--- + telnetd/slc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/telnetd/slc.c b/telnetd/slc.c +index be18782..3434829 100644 +--- a/telnetd/slc.c ++++ b/telnetd/slc.c +@@ -162,6 +162,9 @@ get_slc_defaults (void) + void + add_slc (char func, char flag, cc_t val) + { ++ /* Do nothing if the entire triplet cannot fit in the buffer. */ ++ if (slcbuf + sizeof slcbuf - slcptr <= 6) ++ return; + + if ((*slcptr++ = (unsigned char) func) == 0xff) + *slcptr++ = 0xff; +-- +2.43.0 + diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.6.bb b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb index 29a40143a28..9892507ad9a 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.6.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb 
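Review bot: the new guard in add_slc() is one byte stricter than the worst case and the reason is not written down: a triplet is three octets (func, flag, val), each doubled when it is 0xff, so at most 6 bytes are written, yet `if (slcbuf + sizeof slcbuf - slcptr <= 6) return;` refuses to write when exactly 6 bytes remain. If that spare byte is reserved for a terminator the caller appends after the loop, say so in the comment (and check the terminator's own length is covered); if not, `< 6` is the exact bound. The early return is also silent, so a client sending an oversized SLC suboption has its trailing triplets dropped with no diagnostic; acceptable for a hardening fix, but worth one more comment line. Separately, the commit message lists `* NEWS.md: Mention the fix.` while the diffstat shows only `telnetd/slc.c | 3 +++`, so this Upstream-Status: Backport is a partial backport of 6864598; please say so in the patch header so the next person comparing it against upstream is not surprised.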
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://CVE-2026-24061-01.patch \ file://CVE-2026-24061-02.patch \ file://CVE-2026-28372.patch \ + file://CVE-2026-32746.patch \ " inherit autotools gettext update-alternatives texinfo

From patchwork Fri Mar 20 23:07:17 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 84024
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 2/7] python3-setuptools: drop Windows launcher executables on non-mingw builds
Date: Sat, 21 Mar 2026 00:07:17 +0100
Message-ID: <2462eee5fa3cdc13eacafbb281e8871ee7c3a101.1774047909.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233638

From: Krupal Ka Patel

setuptools installs Windows launcher executables (cli*.exe, gui*.exe) into site-packages. These binaries are only used on Windows platforms but are packaged for target, native, and nativesdk builds.

Remove the Windows launcher executables when not building for a mingw (mingw32/mingw64) host to avoid shipping unused Windows binaries.

Signed-off-by: Krupal Ka Patel
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit cf7c79f3962f2be99cfda47e8cc730091e6a18cb)
Signed-off-by: Yoann Congal
---
 .../recipes-devtools/python/python3-setuptools_80.9.0.bb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-setuptools_80.9.0.bb b/meta/recipes-devtools/python/python3-setuptools_80.9.0.bb
index 533d8ce3d44..833d610be5b 100644
--- a/meta/recipes-devtools/python/python3-setuptools_80.9.0.bb
+++ b/meta/recipes-devtools/python/python3-setuptools_80.9.0.bb
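Review bot: in the do_install:append hunk for python3-setuptools_80.9.0.bb the removal cannot fail, so it also cannot tell you when it has stopped working: `rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/setuptools/*.exe` succeeds whether or not the glob matches, and that case arm is the only place the path is spelled out. If a later setuptools moves the launchers, or ships them under a name other than cli*.exe/gui*.exe, the prebuilt PE binaries come back into every Linux package silently. A cheap guard is to run `find ${D}${PYTHON_SITEPACKAGES_DIR} -name '*.exe'` after the rm and bbfatal if it prints anything on a non-mingw HOST_OS; at minimum, check the result once with `oe-pkgdata-util list-package-files python3-setuptools | grep '\.exe$'`. The HOST_OS test itself is right: it is the build machine's OS for -native and the SDK host OS for nativesdk, so only a mingw SDKMACHINE keeps the launchers, which matches the commit message.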
@@ -13,6 +13,15 @@ SRC_URI += " \ SRC_URI[sha256sum] = "f36b47402ecde768dbfafc46e8e4207b4360c654f1f3bb84475f0a28628fb19c" +do_install:append() { + # setuptools ships Windows launcher executables (cli*.exe, gui*.exe). + # Keep them only when building for a Windows (mingw) host. + case "${HOST_OS}" in + mingw32|mingw64) ;; + *) rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/setuptools/*.exe ;; + esac +} + DEPENDS += "python3" RDEPENDS:${PN} = "\

From patchwork Fri Mar 20 23:07:18 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 84027
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 3/7] python3-pip: drop unused Windows distlib launcher templates
Date: Sat, 21 Mar 2026 00:07:18 +0100
Message-ID: <5e37c0345bccc3c732217aecf800f1d48bda0235.1774047909.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233639

From: Krupal Ka Patel

pip vendors distlib which ships Windows launcher template binaries (*.exe) under pip/_vendor/distlib. These files are only used on Windows systems but are installed and packaged for target, native, and nativesdk builds.

Remove the distlib *.exe templates when not building for a mingw (mingw32/mingw64) host to avoid shipping unused Windows binaries and reduce package noise.

Signed-off-by: Krupal Ka Patel
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 90d208fbb06b6e6b5aaddb0048fd6e2e1d46c8bd)
Signed-off-by: Yoann Congal
---
 meta/recipes-devtools/python/python3-pip_25.2.bb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb
index 496eff1f15d..901c0152dfb 100644
--- a/meta/recipes-devtools/python/python3-pip_25.2.bb
+++ b/meta/recipes-devtools/python/python3-pip_25.2.bb
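Review bot: style nit in the do_install:append hunk for python3-pip_25.2.bb: `do_install:append(){` is missing the space before `{`; the setuptools counterpart in 2/7 writes `do_install:append() {`, which is the form used elsewhere in OE-core, so please match it. The logic is otherwise a copy of 2/7 with the path changed to pip/_vendor/distlib, including the silent `rm -f`, so the same post-removal `find ... -name '*.exe'` check applies here; and since two recipes now carry the identical case statement, a shared helper is the natural follow-up if a third vendored copy of these launcher templates turns up.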
@@ -30,6 +30,15 @@ SRC_URI += "file://no_shebang_mangling.patch \ SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2" +do_install:append(){ + # pip vendors distlib which ships Windows launcher templates (*.exe). + # Keep them only when building for a Windows (mingw) host. + case "${HOST_OS}" in + mingw32|mingw64) ;; + *) rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/pip/_vendor/distlib/*.exe ;; + esac +} + RDEPENDS:${PN} = "\ python3-compile \ python3-html \

From patchwork Fri Mar 20 23:07:19 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 84026
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 4/7] curl: patch CVE-2026-1965
Date: Sat, 21 Mar 2026 00:07:19 +0100
Message-ID: <9bccd0ef46868fc9b4b56dd885ac3a81208a8435.1774047909.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233640

From: Peter Marko

Pick patches from [1].

[1] https://curl.se/docs/CVE-2026-1965.html

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 .../curl/curl/CVE-2026-1965-01.patch | 138 ++++++++++++++++++
 .../curl/curl/CVE-2026-1965-02.patch | 29 ++++
 meta/recipes-support/curl/curl_8.17.0.bb | 2 +
 3 files changed, 169 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-01.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-02.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-01.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-01.patch
new file mode 100644
index 00000000000..dbfbfd7e633
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965-01.patch
@@ -0,0 +1,138 @@ +From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 5 Feb 2026 08:34:21 +0100 +Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate + +Assume Negotiate means connection-based + +Reported-by: Zhicheng Chen +Closes #20534 + +CVE: CVE-2026-1965 +Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12] +Signed-off-by: Peter Marko +--- + lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 82 insertions(+), 5 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index fac8cea732..cfe398de8b 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -792,6 +792,8 @@ struct url_conn_match { + BIT(may_multiplex); + BIT(want_ntlm_http); + BIT(want_proxy_ntlm_http); ++ BIT(want_nego_http); ++ BIT(want_proxy_nego_http); + + BIT(wait_pipe); + BIT(force_reuse); +@@ -1215,6 +1217,63 @@ static bool url_match_auth_ntlm(struct connectdata *conn, + #define url_match_auth_ntlm(c,m) ((void)c, (void)m, TRUE) + #endif + ++#ifdef USE_SPNEGO ++static bool url_match_auth_nego(struct connectdata *conn, ++ struct url_conn_match *m) ++{ ++ /* If we are looking for an HTTP+Negotiate connection, check if this is ++ already authenticating with the right credentials. If not, keep looking ++ so that we can reuse Negotiate connections if possible. 
*/ ++ if(m->want_nego_http) { ++ if(Curl_timestrcmp(m->needle->user, conn->user) || ++ Curl_timestrcmp(m->needle->passwd, conn->passwd)) ++ return FALSE; ++ } ++ else if(conn->http_negotiate_state != GSS_AUTHNONE) { ++ /* Connection is using Negotiate auth but we do not want Negotiate */ ++ return FALSE; ++ } ++ ++#ifndef CURL_DISABLE_PROXY ++ /* Same for Proxy Negotiate authentication */ ++ if(m->want_proxy_nego_http) { ++ /* Both conn->http_proxy.user and conn->http_proxy.passwd can be ++ * NULL */ ++ if(!conn->http_proxy.user || !conn->http_proxy.passwd) ++ return FALSE; ++ ++ if(Curl_timestrcmp(m->needle->http_proxy.user, ++ conn->http_proxy.user) || ++ Curl_timestrcmp(m->needle->http_proxy.passwd, ++ conn->http_proxy.passwd)) ++ return FALSE; ++ } ++ else if(conn->proxy_negotiate_state != GSS_AUTHNONE) { ++ /* Proxy connection is using Negotiate auth but we do not want Negotiate */ ++ return FALSE; ++ } ++#endif ++ if(m->want_ntlm_http || m->want_proxy_ntlm_http) { ++ /* Credentials are already checked, we may use this connection. We MUST ++ * use a connection where it has already been fully negotiated. If it has ++ * not, we keep on looking for a better one. 
*/ ++ m->found = conn; ++ if((m->want_nego_http && ++ (conn->http_negotiate_state != GSS_AUTHNONE)) || ++ (m->want_proxy_nego_http && ++ (conn->proxy_negotiate_state != GSS_AUTHNONE))) { ++ /* We must use this connection, no other */ ++ m->force_reuse = TRUE; ++ return TRUE; ++ } ++ return FALSE; /* get another */ ++ } ++ return TRUE; ++} ++#else ++#define url_match_auth_nego(c, m) ((void)c, (void)m, TRUE) ++#endif ++ + static bool url_match_conn(struct connectdata *conn, void *userdata) + { + struct url_conn_match *m = userdata; +@@ -1258,6 +1317,11 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) + else if(m->force_reuse) + return TRUE; + ++ if(!url_match_auth_nego(conn, m)) ++ return FALSE; ++ else if(m->force_reuse) ++ return TRUE; ++ + if(!url_match_multiplex_limits(conn, m)) + return FALSE; + +@@ -1324,13 +1388,26 @@ ConnectionExists(struct Curl_easy *data, + match.may_multiplex = xfer_may_multiplex(data, needle); + + #ifdef USE_NTLM +- match.want_ntlm_http = ((data->state.authhost.want & CURLAUTH_NTLM) && +- (needle->handler->protocol & PROTO_FAMILY_HTTP)); ++ match.want_ntlm_http = ++ (data->state.authhost.want & CURLAUTH_NTLM) && ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); + #ifndef CURL_DISABLE_PROXY + match.want_proxy_ntlm_http = +- (needle->bits.proxy_user_passwd && +- (data->state.authproxy.want & CURLAUTH_NTLM) && +- (needle->handler->protocol & PROTO_FAMILY_HTTP)); ++ needle->bits.proxy_user_passwd && ++ (data->state.authproxy.want & CURLAUTH_NTLM) && ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); ++#endif ++#endif ++ ++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) ++ match.want_nego_http = ++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) && ++ (needle->scheme->protocol & PROTO_FAMILY_HTTP); ++#ifndef CURL_DISABLE_PROXY ++ match.want_proxy_nego_http = ++ needle->bits.proxy_user_passwd && ++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) && ++ (needle->scheme->protocol & PROTO_FAMILY_HTTP); + #endif + 
#endif + diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-02.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-02.patch new file mode 100644 index 00000000000..e945b83b244 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-1965-02.patch @@ -0,0 +1,29 @@ +From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 21 Feb 2026 18:11:41 +0100 +Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake + +Follow-up to 34fa034 +Reported-by: dahmono on github +Closes #20662 + +CVE: CVE-2026-1965 +Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70] +Signed-off-by: Peter Marko +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index c879a85e92..8b42aebade 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1253,7 +1253,7 @@ static bool url_match_auth_nego(struct connectdata *conn, + return FALSE; + } + #endif +- if(m->want_ntlm_http || m->want_proxy_ntlm_http) { ++ if(m->want_nego_http || m->want_proxy_nego_http) { + /* Credentials are already checked, we may use this connection. We MUST + * use a connection where it has already been fully negotiated. If it has + * not, we keep on looking for a better one. */ diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index 739838c3e88..06f4353134f 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb 
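Review bot: logic problem in the url_match_auth_nego() hunk of CVE-2026-1965-01.patch: the block that sets `m->found` and `m->force_reuse` is entered on `if(m->want_ntlm_http || m->want_proxy_ntlm_http)`, i.e. on the NTLM flags, inside the Negotiate matcher. A transfer that wants Negotiate but not NTLM therefore skips that block and falls through to `return TRUE` for the first connection whose credentials match, even one that has not finished the GSS handshake, and it never forces reuse of an already negotiated connection. That is exactly what CVE-2026-1965-02.patch corrects by changing the test to `if(m->want_nego_http || m->want_proxy_nego_http)`, so 01 must never be applied without 02; the recipe hunk lists both, which is right, but the 01 patch header should state that it is incomplete on its own so nobody cherry-picks it alone into another branch.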
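Review bot: in the ConnectionExists() hunk of CVE-2026-1965-01.patch the added Negotiate lines read `(needle->scheme->protocol & PROTO_FAMILY_HTTP)` while the NTLM lines they are modelled on, two lines above in the same function of this 8.17.0 tree, read `(needle->handler->protocol & PROTO_FAMILY_HTTP)`. Please confirm that struct connectdata in curl 8.17.0 actually has a `scheme` member with a `protocol` field. If 8.17.0 still calls it `handler`, the new lines only compile when the enclosing `#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)` is false, so a build without GSS-API/SPNEGO enabled passes and one with it fails. Either build-test with SPNEGO enabled or change the two occurrences to `needle->handler->protocol` to match the surrounding code.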
@@ -20,6 +20,8 @@ SRC_URI = " \ file://CVE-2025-14819.patch \ file://CVE-2025-15079.patch \ file://CVE-2025-15224.patch \ + file://CVE-2026-1965-01.patch \ + file://CVE-2026-1965-02.patch \ " SRC_URI:append:class-nativesdk = " \

From patchwork Fri Mar 20 23:07:20 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 84022
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 5/7] curl: patch CVE-2026-3783 Date: Sat, 21 Mar 2026 00:07:20 +0100 Message-ID: <9d82d72e16b803fb69d913195c28ca4d95d001fa.1774047909.git.yoann.congal@smile.fr> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233641
From: Peter Marko Pick patch from [1]. [1] https://curl.se/docs/CVE-2026-3783.html Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- .../curl/curl/CVE-2026-3783.patch | 148 ++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 1 + 2 files changed, 149 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783.patch b/meta/recipes-support/curl/curl/CVE-2026-3783.patch new file mode 100644 index 00000000000..11ffaa72de4 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3783.patch
@@ -0,0 +1,148 @@ +From e3d7401a32a46516c9e5ee877e613e62ed35bddc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 6 Mar 2026 23:13:07 +0100 +Subject: [PATCH] http: only send bearer if auth is allowed + +Verify with test 2006 + +Closes #20843 + +CVE: CVE-2026-3783 +Upstream-Status: Backport [https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877e613e62ed35bddc] +Signed-off-by: Peter Marko +--- + lib/http.c | 1 + + tests/data/Makefile.am | 2 +- + tests/data/test2006 | 98 ++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 100 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test2006 + +diff --git a/lib/http.c b/lib/http.c +index d2f85fc5bf..d61edbd0cd 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -729,6 +729,7 @@ output_auth_headers(struct Curl_easy *data, + if(authstatus->picked == CURLAUTH_BEARER) { + /* Bearer */ + if((!proxy && data->set.str[STRING_BEARER] && ++ Curl_auth_allowed_to_host(data) && + !Curl_checkheaders(data, STRCONST("Authorization")))) { + auth = "Bearer"; + result = http_output_bearer(data); +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index f39568d3b8..6c8be18b32 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -242,7 +242,7 @@ test1955 test1956 test1957 test1958 test1959 test1960 test1964 \ + test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 \ + test1978 test1979 test1980 test1981 \ + \ +-test2000 test2001 test2002 test2003 test2004 test2005 \ ++test2000 test2001 test2002 test2003 test2004 test2005 test2006 \ + \ + test2023 \ + test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \ +diff --git a/tests/data/test2006 b/tests/data/test2006 +new file mode 100644 +index 0000000000..200d30a7ce +--- /dev/null ++++ b/tests/data/test2006 +@@ -0,0 +1,98 @@ ++ ++ ++ ++ ++netrc ++HTTP ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 
Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++-foo- ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++proxy ++ ++ ++.netrc default with redirect plus oauth2-bearer ++ ++ ++--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER --oauth2-bearer SECRET_TOKEN -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/ ++ ++ ++default login testuser password testpass ++ ++ ++ ++ ++ ++GET http://a.com/ HTTP/1.1 ++Host: a.com ++Authorization: Bearer SECRET_TOKEN ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://b.com/%TESTNUMBER0002 HTTP/1.1 ++Host: b.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index 06f4353134f..31d34c53909 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb 
@@ -22,6 +22,7 @@ SRC_URI = " \ file://CVE-2025-15224.patch \ file://CVE-2026-1965-01.patch \ file://CVE-2026-1965-02.patch \ + file://CVE-2026-3783.patch \ " SRC_URI:append:class-nativesdk = " \
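Review bot: in the tests/data/test2006 hunk the curl test-file section markup is missing: where the upstream file would carry `<testcase>`, `<reply>`/`<data>`, `<client>`, `<verify>`/`<protocol>` and their closing tags, this rendering shows only bare `++` lines, and a file in that shape would not be recognised by the test runner. The diffstat (`tests/data/test2006 | 98 +++`) matches the upstream line count, so the tags were most likely lost when the mail was rendered; confirm the committed CVE-2026-3783.patch applies cleanly and that test 2006 actually executes rather than being skipped.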
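Review bot: regression coverage for the lib/http.c change is a single path. The added `Curl_auth_allowed_to_host(data) &&` sits inside the branch already guarded by `!proxy`, so the Bearer header is now subject to the same target-host check as the other credential types, and the only verification is test2006's expected protocol (`Authorization: Bearer SECRET_TOKEN` on `GET http://a.com/`, no Authorization line on `GET http://b.com/%TESTNUMBER0002`) exercised through an HTTP proxy together with `--netrc`. A variant without `-x` and `--netrc` would show that the header is dropped on the cross-host redirect independently of the proxy and netrc code paths.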
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 6/7] curl: patch CVE-2026-3784 Date: Sat, 21 Mar 2026 00:07:21 +0100 Message-ID: X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233642
From: Peter Marko Pick patch from [1]. Additionally pick part of cleanup patch which resolves conflicts. [1] https://curl.se/docs/CVE-2026-3784.html Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- ...d-macros-warnings-and-related-tidy-u.patch | 44 +++++ .../curl/curl/CVE-2026-3784-02.patch | 162 ++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 2 + 3 files changed, 208 insertions(+) create mode 100644 meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784-02.patch diff --git a/meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch b/meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch new file mode 100644 index 00000000000..b4af8421f53 --- /dev/null +++ b/meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch
@@ -0,0 +1,44 @@ +From 5fa5cb382560316a55f0954f1e8cebdbd6568cfb Mon Sep 17 00:00:00 2001 +From: Viktor Szakats +Date: Fri, 13 Feb 2026 17:05:36 +0100 +Subject: [PATCH] build: fix `-Wunused-macros` warnings, and related tidy-ups + +- fix internal macro `AN_APPLE_OS` reused between sources without + resetting it. It may potentially have left the system sha256 + function unused. +- fix to define `WOLFSSL_OPTIONS_IGNORE_SYS` so that it always applies + to wolfSSL headers, also during feature detection. +- md4, md5, sha256: simplify fallback logic. +- delete 20+ unused macros. +- scope or move macros to avoid `-Wunused-macros` warnings. +- examples: delete unused code. + +The warning detects macros defined but not used within the same C +source. It does not warn for macros defined in headers. It also works +with unity builds, but to a lesser extent. + +Closes #20593 + + + +Upstream-Status: Backport [https://github.com/curl/curl/commit/5fa5cb382560316a55f0954f1e8cebdbd6568cfb] +Signed-off-by: Peter Marko +--- + lib/url.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 3c0d913432..f0b6b0d5b2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -639,10 +639,6 @@ socks_proxy_info_matches(const struct proxy_info *data, + return FALSE; + return TRUE; + } +-#else +-/* disabled, will not get called */ +-#define proxy_info_matches(x,y) FALSE +-#define socks_proxy_info_matches(x,y) FALSE + #endif + + /* A connection has to have been idle for less than 'conn_max_idle_ms' diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784-02.patch b/meta/recipes-support/curl/curl/CVE-2026-3784-02.patch new file mode 100644 index 00000000000..84f37374c64 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3784-02.patch 
@@ -0,0 +1,162 @@ +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 6 Mar 2026 14:54:09 +0100 +Subject: [PATCH] proxy-auth: additional tests + +Also eliminate the special handling for socks proxy match. + +Closes #20837 + +CVE: CVE-2026-3784 +Upstream-Status: Backport [https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3ef86e97afb856fb364] +Signed-off-by: Peter Marko +--- + lib/url.c | 29 +++++++---------------------- + tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++ + tests/http/testenv/curl.py | 18 +++++++++++++++--- + 3 files changed, 42 insertions(+), 25 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index eabeb776ab..bdc183b45b 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -615,30 +615,15 @@ proxy_info_matches(const struct proxy_info *data, + { + if((data->proxytype == needle->proxytype) && + (data->port == needle->port) && +- curl_strequal(data->host.name, needle->host.name)) ++ curl_strequal(data->host.name, needle->host.name)) { ++ ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) ++ return FALSE; + return TRUE; +- ++ } + return FALSE; + } +- +-static bool +-socks_proxy_info_matches(const struct proxy_info *data, +- const struct proxy_info *needle) +-{ +- if(!proxy_info_matches(data, needle)) +- return FALSE; +- +- /* the user information is case-sensitive +- or at least it is not defined as case-insensitive +- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ +- +- /* curl_strequal does a case insensitive comparison, +- so do not use it here! 
*/ +- if(Curl_timestrcmp(data->user, needle->user) || +- Curl_timestrcmp(data->passwd, needle->passwd)) +- return FALSE; +- return TRUE; +-} + #endif + + /* A connection has to have been idle for less than 'conn_max_idle_ms' +@@ -954,7 +939,7 @@ static bool url_match_proxy_use(struct connectdata *conn, + return FALSE; + + if(m->needle->bits.socksproxy && +- !socks_proxy_info_matches(&m->needle->socks_proxy, ++ !proxy_info_matches(&m->needle->socks_proxy, + &conn->socks_proxy)) + return FALSE; + +diff --git a/tests/http/test_13_proxy_auth.py b/tests/http/test_13_proxy_auth.py +index 080adef187..33fb211e99 100644 +--- a/tests/http/test_13_proxy_auth.py ++++ b/tests/http/test_13_proxy_auth.py +@@ -169,3 +169,23 @@ class TestProxyAuth: + '--negotiate', '--proxy-user', 'proxy:proxy' + ]) + r1.check_response(count=1, http_status=200) ++ ++ def test_13_10_tunnels_mixed_auth(self, env: Env, httpd, configures_httpd): ++ self.httpd_configure(env, httpd) ++ curl = CurlClient(env=env) ++ url1 = f'http://localhost:{env.http_port}/data.json?1' ++ url2 = f'http://localhost:{env.http_port}/data.json?2' ++ url3 = f'http://localhost:{env.http_port}/data.json?3' ++ xargs1 = curl.get_proxy_args(proxys=False, tunnel=True) ++ xargs1.extend(['--proxy-user', 'proxy:proxy']) # good auth ++ xargs2 = curl.get_proxy_args(proxys=False, tunnel=True) ++ xargs2.extend(['--proxy-user', 'ungood:ungood']) # bad auth ++ xargs3 = curl.get_proxy_args(proxys=False, tunnel=True) ++ # no auth ++ r = curl.http_download(urls=[url1, url2, url3], alpn_proto='http/1.1', with_stats=True, ++ url_options={url1: xargs1, url2: xargs2, url3: xargs3}) ++ # only url1 succeeds, others fail, no connection reuse ++ assert r.stats[0]['http_code'] == 200, f'{r.dump_logs()}' ++ assert r.stats[1]['http_code'] == 0, f'{r.dump_logs()}' ++ assert r.stats[2]['http_code'] == 0, f'{r.dump_logs()}' ++ assert r.total_connects == 3, f'{r.dump_logs()}' +diff --git a/tests/http/testenv/curl.py b/tests/http/testenv/curl.py +index 
4fc11c7923..1f812a1c2e 100644 +--- a/tests/http/testenv/curl.py ++++ b/tests/http/testenv/curl.py +@@ -635,7 +635,8 @@ class CurlClient: + with_tcpdump: bool = False, + no_save: bool = False, + limit_rate: Optional[str] = None, +- extra_args: Optional[List[str]] = None): ++ extra_args: Optional[List[str]] = None, ++ url_options: Optional[Dict[str,List[str]]] = None): + if extra_args is None: + extra_args = [] + if no_save: +@@ -653,6 +654,7 @@ class CurlClient: + ]) + return self._raw(urls, alpn_proto=alpn_proto, options=extra_args, + with_stats=with_stats, ++ url_options=url_options, + with_headers=with_headers, + with_profile=with_profile, + with_tcpdump=with_tcpdump) +@@ -929,6 +931,7 @@ class CurlClient: + + def _raw(self, urls, intext='', timeout=None, options=None, insecure=False, + alpn_proto: Optional[str] = None, ++ url_options=None, + force_resolve=True, + with_stats=False, + with_headers=True, +@@ -938,7 +941,8 @@ class CurlClient: + args = self._complete_args( + urls=urls, timeout=timeout, options=options, insecure=insecure, + alpn_proto=alpn_proto, force_resolve=force_resolve, +- with_headers=with_headers, def_tracing=def_tracing) ++ with_headers=with_headers, def_tracing=def_tracing, ++ url_options=url_options) + r = self._run(args, intext=intext, with_stats=with_stats, + with_profile=with_profile, with_tcpdump=with_tcpdump) + if r.exit_code == 0 and with_headers: +@@ -948,8 +952,10 @@ class CurlClient: + def _complete_args(self, urls, timeout=None, options=None, + insecure=False, force_resolve=True, + alpn_proto: Optional[str] = None, ++ url_options=None, + with_headers: bool = True, + def_tracing: bool = True): ++ url_sep = [] + if not isinstance(urls, list): + urls = [urls] + +@@ -975,7 +981,13 @@ class CurlClient: + active_options = options[options.index('--next') + 1:] + + for url in urls: +- u = urlparse(urls[0]) ++ args.extend(url_sep) ++ if url_options is not None: ++ url_sep = ['--next'] ++ ++ u = urlparse(url) ++ if url_options is not None 
and url in url_options: ++ args.extend(url_options[url]) + if options: + args.extend(options) + if alpn_proto is not None: diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index 31d34c53909..7211c43afd2 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb 
@@ -23,6 +23,8 @@ SRC_URI = " \ file://CVE-2026-1965-01.patch \ file://CVE-2026-1965-02.patch \ file://CVE-2026-3783.patch \ + file://0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch \ + file://CVE-2026-3784-02.patch \ " SRC_URI:append:class-nativesdk = " \
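Review bot: the 0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch header carries the whole upstream commit message (wolfSSL defines, md4/md5/sha256 fallbacks, 20+ macro deletions) while the diff below it is only the four-line lib/url.c hunk removing the `#else` fallback `#define`s of `proxy_info_matches` and `socks_proxy_info_matches`; add a line to the patch header saying it is a partial backport limited to that hunk, and consider naming the file CVE-2026-3784-01.patch to match the -02 suffix on its companion, so a later CVE audit does not assume the rest of that upstream commit is present in 8.17.0.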
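Review bot: the lib/url.c hunk in CVE-2026-3784-02.patch deletes, together with `socks_proxy_info_matches`, the comment explaining why `curl_strequal` must not be used for user and password (user info is case-sensitive per RFC 3986 section 3.2.1); keep that comment above the `Curl_timestrcmp` calls that now live in `proxy_info_matches`, since the next reader will see a case-insensitive host compare directly beside a case-sensitive credential compare. The behavioural effect, that an HTTP proxy connection is no longer matched for reuse when the proxy credentials differ, is what `test_13_10_tunnels_mixed_auth` asserts with `total_connects == 3` and only the first URL returning 200.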
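Review bot: in the tests/http/testenv/curl.py `_complete_args` hunk, `u = urlparse(urls[0])` becoming `u = urlparse(url)` is a harness bug fix independent of the CVE (every URL was previously resolved as the first one), and `url_sep` is only set to `['--next']` when `url_options` is given, so existing callers keep their single option set; a sentence in the OE commit message noting that this test-harness change is picked along with the fix would help anyone comparing the backport against the advisory.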
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 7/7] curl: patch CVE-2026-3805 Date: Sat, 21 Mar 2026 00:07:22 +0100 Message-ID: <2d6383491f4246a93e1a49a9fe258d873adf8b76.1774047909.git.yoann.congal@smile.fr> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233643
From: Peter Marko Pick patch from [1]. [1] https://curl.se/docs/CVE-2026-3805.html Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- .../curl/curl/CVE-2026-3805.patch | 67 +++++++++++++++++++ meta/recipes-support/curl/curl_8.17.0.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3805.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-3805.patch b/meta/recipes-support/curl/curl/CVE-2026-3805.patch new file mode 100644 index 00000000000..f3b3285a3ab --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3805.patch
@@ -0,0 +1,67 @@ +From e090be9f73a7a71459ef678c7cc4b1f75e3ea883 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Sun, 8 Mar 2026 14:30:00 +0100 +Subject: [PATCH] smb: free the path in the request struct properly + +Closes #20854 + +CVE: CVE-2026-3805 +Upstream-Status: Backport [https://github.com/curl/curl/commit/e090be9f73a7a71459ef678c7cc4b1f75e3ea883] +Signed-off-by: Peter Marko +--- + lib/smb.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 41ba48fe89..00297adee7 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -448,9 +448,7 @@ static void smb_easy_dtor(void *key, size_t klen, void *entry) + struct smb_request *req = entry; + (void)key; + (void)klen; +- /* `req->path` points to somewhere in `struct smb_conn` which is +- * kept at the connection meta. If the connection is destroyed first, +- * req->path points to free'd memory. */ ++ Curl_safefree(req->path); + free(req); + } + +@@ -1240,7 +1238,7 @@ static CURLcode smb_parse_url_path(struct Curl_easy *data, + struct smb_request *req) + { + char *path; +- char *slash; ++ char *slash, *s; + CURLcode result; + + /* URL decode the path */ +@@ -1249,6 +1247,7 @@ static CURLcode smb_parse_url_path(struct Curl_easy *data, + return result; + + /* Parse the path for the share */ ++ Curl_safefree(smbc->share); + smbc->share = strdup((*path == '/' || *path == '\\') ? path + 1 : path); + free(path); + if(!smbc->share) +@@ -1268,12 +1267,15 @@ static CURLcode smb_parse_url_path(struct Curl_easy *data, + /* Parse the path for the file path converting any forward slashes into + backslashes */ + *slash++ = 0; +- req->path = slash; +- +- for(; *slash; slash++) { +- if(*slash == '/') +- *slash = '\\'; ++ for(s = slash; *s; s++) { ++ if(*s == '/') ++ *s = '\\'; + } ++ /* keep a copy at easy struct to not share this with connection state */ ++ req->path = curlx_strdup(slash); ++ if(!req->path) ++ return CURLE_OUT_OF_MEMORY; ++ + return CURLE_OK; + } + 
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index 7211c43afd2..24af8613ab9 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb @@ -25,6 +25,7 @@ SRC_URI = " \ file://CVE-2026-3783.patch \ file://0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch \ file://CVE-2026-3784-02.patch \ + file://CVE-2026-3805.patch \ " SRC_URI:append:class-nativesdk = " \
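Review bot: the smb_parse_url_path hunk allocates `req->path` with `curlx_strdup` while `smbc->share` a few lines earlier still uses plain `strdup`; this backport targets curl 8.17.0 and the upstream commit is against a March 2026 tree, so confirm `curlx_strdup` exists in 8.17.0 (otherwise the patched lib/smb.c will not compile) or use `strdup` here for consistency with the line above. Since `smb_easy_dtor` now calls `Curl_safefree(req->path)` unconditionally, every assignment to `req->path` in lib/smb.c must hand it owned memory; the hunk converts the one in smb_parse_url_path, so check that no other site still points it into `struct smb_conn`. The added `Curl_safefree(smbc->share)` before the new `strdup` also closes a leak when the path is parsed again on a reused connection, which is worth a sentence in the OE commit message.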