From patchwork Sat Mar 21 09:47:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 84035 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 919701094466 for ; Sat, 21 Mar 2026 09:47:45 +0000 (UTC) Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.8226.1774086458168070007 for ; Sat, 21 Mar 2026 02:47:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=C8WBZSxd; spf=pass (domain: mvista.com, ip: 209.85.216.42, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-35b97ed057cso813759a91.1 for ; Sat, 21 Mar 2026 02:47:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1774086457; x=1774691257; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=uvvzdnxSsnOJ6uZUXXn4aDrGsvrO1e9Wg1h1jH6biOk=; b=C8WBZSxd1nJ6RwkQ9SoMbqh+ZWNPlH9qB8zyvcdfgNc8+edsgpIL5Fs8C+YkDslzlF 704oJjXY1zTaMUSdNG8l1ZM6nmS7PlWXNDHNwFB69DPcHlPCRqUt+83hYUCG3wWb7Oz9 DJxoPSvQs11DFVAJVDm4tpS0TNmI1QqiCsz1c= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774086457; x=1774691257; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=uvvzdnxSsnOJ6uZUXXn4aDrGsvrO1e9Wg1h1jH6biOk=; b=Sfd03lLoh9JicPxV/YZ0sAg1VGTuT2My8MQH+qISrKI5nd7xfY1M9UVtkthAVE7/V3 iyenbBAq/InheM/J+1TosxfhHoBXdpt1gFagKZZrRgayVqb1Zk3JTSwaxORFDwxEG0KR RsBRuklrwKtirJ0eeqBdL7w1TfXFuTSuRP3MUCJHQFe+mibFDYRs3K/9Gc8fdBO2IkTR F7Yoz3i+PbcWWoR8slRpaGU67xt6RJC6OTh/DbSu7etM95keOKnN7J8g493O6qPAQKxp XQ5PPUt2VBMwfsvNDWyVvbii0RMHQig73UfaI+C1SvwXqysRLm56kQR/nvz6ele9GaGc ZwgA== X-Gm-Message-State: AOJu0YwTuZM+a7Pc19jvdOyj1NYq2QzdwmPRhcPHmKRgz0LNWrd2epAd dshOgxD7vD3ymdjehBYXGjNIrbIzopcQNwy8j1ecoMQE3XC0kG1FT+cxJkA8aCnFWpow2HmWJVe x74VFUgo= X-Gm-Gg: ATEYQzxFJWfelX2avzmnPRnuZuzj4S0AqsSwBMu+vP4DAW6IgwdsHP/7WNubzolAYb9 pQpyFuIQqtdkFvb/aqQNqopSIHvV+FDn5uwbN1XWFRCn/CEUQC5TahOALLHH/yficWWkRgnbT2y YvC3e+XT14votkcfP/7Wg/LDVDGu0NQzoUhkKCxaU4zOqbrvVsEE5dMVoYnq5v/yKYaoVqJAfkA 7ViSJTd83ldS+pCAEuTN7KcvEJbv/vb9/a5NxXMQbu3nioBzmkOhdKi+sJbL698YltfkzXGzP7H BcpPyo78M7WCRj1WvJuPhZte0P2RCjFf7pvh0GWqNRN9xNACrXpfXIlk2vapo3apgSE5gm1vmiJ iPuplTMi92o7/OEg/H7dnnbL79d3MJRxMYWR2cf+aWg4lMN3bGbFSX8JycARdwk8eAmKd0wKlbY oFRS0I4saO9dBxf44qVofcc+s6KkEnrUXpj4sR X-Received: by 2002:a17:90a:e70f:b0:35b:952c:43b9 with SMTP id 98e67ed59e1d1-35bd2bcd125mr4646271a91.10.1774086457037; Sat, 21 Mar 2026 02:47:37 -0700 (PDT) Received: from localhost.localdomain ([2406:7400:54:2bec:e896:2af1:2e77:522f]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35bc5ff704bsm7489501a91.2.2026.03.21.02.47.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 21 Mar 2026 02:47:36 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri , Amaury Couderc , Yoann Congal , Paul Barker Subject: [OE-core][kirkstone][PATCH v2 1/4] curl: patch CVE-2025-14524 Date: Sat, 21 Mar 2026 15:17:20 +0530 Message-Id: <20260321094723.273058-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 21 Mar 2026 09:47:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233652 From: Vijay Anusuri Pick commit per [1]. [1] https://curl.se/docs/CVE-2025-14524.html [2] https://security-tracker.debian.org/tracker/CVE-2025-14524 (From OE-Core rev: 951113a6e8185969444b5e28292f23434dba1f6c) Signed-off-by: Amaury Couderc Signed-off-by: Yoann Congal Signed-off-by: Paul Barker Signed-off-by: Vijay Anusuri --- .../curl/curl/CVE-2025-14524.patch | 42 +++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-14524.patch b/meta/recipes-support/curl/curl/CVE-2025-14524.patch new file mode 100644 index 0000000000..0ab77ade9d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-14524.patch @@ -0,0 +1,42 @@ +From b3e2318ff3cbe4a9babe5b6875916a429bd584be Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 10 Dec 2025 11:40:47 +0100 +Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer + +Closes #19933 + +CVE: CVE-2025-14524 +Upstream-Status: Backport [https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640] + +Signed-off-by: Amaury Couderc + +--- + lib/curl_sasl.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c +index 7e28c92..f0b0341 100644 +--- a/lib/curl_sasl.c ++++ b/lib/curl_sasl.c +@@ -345,7 +345,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, + data->set.str[STRING_SERVICE_NAME] : + sasl->params->service; + #endif +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; + struct bufref nullmsg; + + Curl_bufref_init(&nullmsg); +@@ -531,7 +533,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, + data->set.str[STRING_SERVICE_NAME] : + sasl->params->service; + #endif +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; + struct bufref serverdata; + + Curl_bufref_init(&serverdata); diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 72bd1a2088..b8fa8b5266 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -70,6 +70,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2025-14017.patch \ file://CVE-2025-15079.patch \ file://CVE-2025-15224.patch \ + file://CVE-2025-14524.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Sat Mar 21 09:47:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 84036 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B73751094468 for ; Sat, 21 Mar 2026 09:47:45 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.8228.1774086462654191186 for ; Sat, 21 Mar 2026 02:47:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=NpS9wGRN; spf=pass (domain: mvista.com, ip: 209.85.216.41, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-3567e2b4159so1812306a91.0 for ; Sat, 21 Mar 2026 02:47:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1774086461; x=1774691261; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Q+sMXw8XsgDGJTlurirIlBQAERrLvr8jxFTvj1Pqr+Q=; b=NpS9wGRNoHWzJuSKSnKI9HXiouQpnKCjmn3j2U/Z35NKTYPKfZHFHSBA1/d8pI3GnX WnE4kXW31ZlJyf7LD3Hu7v2MFpNQtBvI7sVMeW24lvvNndCs4CHZHVXJ9QyvCuCNgvua aNMWBFABjtUUKnYV4g4SpR7txnXES+0Dm40L0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774086461; x=1774691261; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Q+sMXw8XsgDGJTlurirIlBQAERrLvr8jxFTvj1Pqr+Q=; b=A6K19Q+OMlfUtnit/49u0bOmTLtuqTH2TOpAWuWlrmY1E3Vz8GaVfKAIwOlw/5856H KglqKr0omOYAFmy7Qqj5V9D1HudEl8I0HAEjOOaWfxWFhhex6vC87Q1Rz0ZFMmWykvrY Xrm/cskv1qtJgwJFghxKjweicfEQnfJU6BYCCaI4idXvTIQbY79gRRCKeLG5mwIPH7jk U+4dTLWSf4M2oimUIGqJgk5CE52plpP1DRBBcJh/uhvakBWtAImX/tzKYzLE4OOR2PD7 kVb1scCcLmZjtZLqsxTDnIZ5h0E2UOvMkUM7xcPXsG7WH5Fn+v3qyl/4LQOp9ZKQthbc aqZg== X-Gm-Message-State: AOJu0Yz94nMLswiXjCgyD1iLElJGcq0QD7NOaqLKLGMHXdIkzkeifJUi QTKuOxnE8WecVrPbFYMkoQJ1IpZAkICJFGHGgAblGRhahqWmMQOYmKJLR3pY0AmcFgg8GpXRDgJ r9B5/5CQ= X-Gm-Gg: ATEYQzwnM89LqumZ+rDjgKlaHXG+L0Bplmmm8B9ubiezfk0A8KuJzLfKhDnaepeudw6 6wU5HhhsbXTTgfbOcx1D88vGBA8qn3uKODNfkaJpmRatrttNQXB77vXyrvxnHGsIPGH6z09osac lDfpIEbc40htF7djoJXmc0pIiTmZwklq/ouWNo0LGAPrVozv+spVG/TciOBpPCCLH3RyIAPn+aF M5xQbaU7JQytX9D1eATsstANpgSQ5R6goWcEWFXpadtbqhNNf/LXIX8Z+5udEnCc9CLt8Xp2/q7 jc5yQjdiOgx3uRumLjWaUxsh76yWwor4cEKRnOv5G2Z14FVJMzzvILgs4lTeNXtLEn4PSPs7+yq UoY7Ckij3YenmC3BnYFyBv36xoHn0D/YUq8mgwU09jcOyRFmHecftvuyYJdtqA8W4P19+sIoMQd abKcTnIvFixTC8U/2HqFquMTucSnqQp2vcu3Qt X-Received: by 2002:a17:90a:15d7:b0:35b:e51a:85af with SMTP id 98e67ed59e1d1-35be51a85edmr47838a91.10.1774086461365; Sat, 21 Mar 2026 02:47:41 -0700 (PDT) Received: from localhost.localdomain ([2406:7400:54:2bec:e896:2af1:2e77:522f]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35bc5ff704bsm7489501a91.2.2026.03.21.02.47.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 21 Mar 2026 02:47:40 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 2/4] curl: patch CVE-2026-1965 Date: Sat, 21 Mar 2026 15:17:21 +0530 Message-Id: <20260321094723.273058-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20260321094723.273058-1-vanusuri@mvista.com> References: <20260321094723.273058-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 21 Mar 2026 09:47:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233653 From: Vijay Anusuri pick patches from ubuntu per [1] [1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz [2] https://ubuntu.com/security/CVE-2026-1965 [3] https://curl.se/docs/CVE-2026-1965.html Signed-off-by: Vijay Anusuri --- .../curl/curl/CVE-2026-1965-1.patch | 98 +++++++++++++++++++ .../curl/curl/CVE-2026-1965-2.patch | 29 ++++++ meta/recipes-support/curl/curl_7.82.0.bb | 2 + 3 files changed, 129 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-2.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch new file mode 100644 index 0000000000..1d0f5c59e8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch @@ -0,0 +1,98 @@ +From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 5 Feb 2026 08:34:21 +0100 +Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate + +Assume Negotiate means connection-based + +Reported-by: Zhicheng Chen +Closes #20534 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd6] +Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz + +CVE: CVE-2026-1965 +Signed-off-by: Vijay Anusuri +--- + lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 82 insertions(+), 5 deletions(-) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -1145,6 +1145,18 @@ ConnectionExists(struct Curl_easy *data, + #endif + #endif + ++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) ++ bool wantNegohttp = ++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) && ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); ++#ifndef CURL_DISABLE_PROXY ++ bool wantProxyNegohttp = ++ needle->bits.proxy_user_passwd && ++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) && ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); ++#endif ++#endif ++ + *force_reuse = FALSE; + *waitpipe = FALSE; + +@@ -1496,6 +1508,57 @@ ConnectionExists(struct Curl_easy *data, + continue; + } + #endif ++ ++#ifdef USE_SPNEGO ++ /* If we are looking for an HTTP+Negotiate connection, check if this is ++ already authenticating with the right credentials. If not, keep looking ++ so that we can reuse Negotiate connections if possible. */ ++ if(wantNegohttp) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd)) ++ continue; ++ } ++ else if(check->http_negotiate_state != GSS_AUTHNONE) { ++ /* Connection is using Negotiate auth but we do not want Negotiate */ ++ continue; ++ } ++ ++#ifndef CURL_DISABLE_PROXY ++ /* Same for Proxy Negotiate authentication */ ++ if(wantProxyNegohttp) { ++ /* Both check->http_proxy.user and check->http_proxy.passwd can be ++ * NULL */ ++ if(!check->http_proxy.user || !check->http_proxy.passwd) ++ continue; ++ ++ if(Curl_timestrcmp(needle->http_proxy.user, ++ check->http_proxy.user) || ++ Curl_timestrcmp(needle->http_proxy.passwd, ++ check->http_proxy.passwd)) ++ continue; ++ } ++ else if(check->proxy_negotiate_state != GSS_AUTHNONE) { ++ /* Proxy connection is using Negotiate auth but we do not want Negotiate */ ++ continue; ++ } ++#endif ++ if(wantNTLMhttp || wantProxyNTLMhttp) { ++ /* Credentials are already checked, we may use this connection. We MUST ++ * use a connection where it has already been fully negotiated. If it has ++ * not, we keep on looking for a better one. */ ++ chosen = check; ++ if((wantNegohttp && ++ (check->http_negotiate_state != GSS_AUTHNONE)) || ++ (wantProxyNegohttp && ++ (check->proxy_negotiate_state != GSS_AUTHNONE))) { ++ /* We must use this connection, no other */ ++ *force_reuse = TRUE; ++ break; ++ } ++ continue; /* get another */ ++ } ++#endif ++ + if(canmultiplex) { + /* We can multiplex if we want to. Let's continue looking for + the optimal connection to use. */ diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch new file mode 100644 index 0000000000..fa5fefd251 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch @@ -0,0 +1,29 @@ +From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 21 Feb 2026 18:11:41 +0100 +Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake + +Follow-up to 34fa034 +Reported-by: dahmono on github +Closes #20662 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990] +Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz + +CVE: CVE-2026-1965 +Signed-off-by: Vijay Anusuri +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -1542,7 +1542,7 @@ ConnectionExists(struct Curl_easy *data, + continue; + } + #endif +- if(wantNTLMhttp || wantProxyNTLMhttp) { ++ if(wantNegohttp || wantProxyNegohttp) { + /* Credentials are already checked, we may use this connection. We MUST + * use a connection where it has already been fully negotiated. If it has + * not, we keep on looking for a better one. */ diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index b8fa8b5266..0e107f1e75 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -71,6 +71,8 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2025-15079.patch \ file://CVE-2025-15224.patch \ file://CVE-2025-14524.patch \ + file://CVE-2026-1965-1.patch \ + file://CVE-2026-1965-2.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Sat Mar 21 09:47:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 84038 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D8DD1094468 for ; Sat, 21 Mar 2026 09:47:55 +0000 (UTC) Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.8246.1774086469523872246 for ; Sat, 21 Mar 2026 02:47:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=kPXU0OH2; spf=pass (domain: mvista.com, ip: 209.85.216.42, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-3590042fa8eso1797239a91.1 for ; Sat, 21 Mar 2026 02:47:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1774086468; x=1774691268; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=oYINxzLNb5IMPG9JZq1m2jpUYrz2c260UJ71jXGgs1c=; b=kPXU0OH22TTU2NbtQ4RerdANljknxmEvc6KF+6wLAKGZN2KcT9WMy+XMr8UduG24cs PwRMkWVgC2thMeRLBen7H7OmkPlHXL2ipEhp0ovbI2EUo0nJXFI4VhPMcGHsyL6qfjrz sYgOyJ5iJPb1K+EwAJR9MyXHDea5yZaQDnvVo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774086468; x=1774691268; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=oYINxzLNb5IMPG9JZq1m2jpUYrz2c260UJ71jXGgs1c=; b=KDIIQQtNt0rzKEZrPfmv9O4/5XcVoSjvLFKMG4rqL2gbJUWkXujRJHquY6mwOgnidT Cy5UeeBj+GNexGym5tMcMar3cN+0FprKwGSIhr5DMUURc4ZwFRn2zB/aFkHCpcIY91ce AAkZ8gJKseQMFiuHJppog2JUU1U9hso7YSA0JvEV6m5qO4fI2EWAguOEVb+hABIxyui7 bzOwAkvhKSz8MmGUl/SC5Lis08urkYWLVfwEmrzvrsV9y4tmgBrxM3+06C60O1Nzr9kC PYICy6IYNr72fWVaA75i9hm2JvySbV1ZzvhOglIb2f6kQ49pN718mbeeK6VU7sCg44wZ 0DGQ== X-Gm-Message-State: AOJu0YwLushTiilNAHnG3bFl+oMl897q8W9R4iwsTWBupA9O+bfSt7P9 CoyDD9nai/dsjjcfJaauVw701yeot/mnBis7wD74jT7vBGcO/MKgZ4i3s5kHznMC9/v/HKssA6P G7t23IRA= X-Gm-Gg: ATEYQzx6+tuHoWb8vmbodJrrYp4i7yBhzxnbxh5NN3Va14+pJFnMFv6YkOkhfrPRqch TYbNZRDKVbmNNk2Ly4RkFPMFMwoKdqmjj2Ipwal7S0CqXPCyZOXwsz+2jFG50GNhSV5e0Jzig6o TOGUzKhYv4GgGGCkwH0MDYUGWTmWonIKaFnrA+IfHQ0zNJ3T2SIwz8ft8qXmZZgSaGofelz4s63 EfpHmaD8H285WAnXzlvLn+1WEjxx+RNMSB0ZY8/cO9FrBkPsrdzamh1SlkSuJINKYBAYODXuXnu N/Q17knIUE/lGMuKsZ5rkBBKgsQ7HBLnaFzmvz0ka7nb2wQy90bt8BX4UUQNGpfcxdWzO7QpriZ 4YWX3aDQcxcB1m9XlHD6rV12+9dT2yKi1Ev08dloLGUkrNULsECjvVL3fJbSnQSmPQjBpBcOA3A HP4ejyVUoGujnY6x2GYq1BZ5FOV6TI94U/4uP3B7ieDg+Q4ko= X-Received: by 2002:a17:90b:4c4a:b0:35b:929f:7e8f with SMTP id 98e67ed59e1d1-35bd2bfdf2cmr5188134a91.13.1774086468407; Sat, 21 Mar 2026 02:47:48 -0700 (PDT) Received: from localhost.localdomain ([2406:7400:54:2bec:e896:2af1:2e77:522f]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35bc5ff704bsm7489501a91.2.2026.03.21.02.47.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 21 Mar 2026 02:47:47 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 3/4] curl: patch CVE-2026-3783 Date: Sat, 21 Mar 2026 15:17:22 +0530 Message-Id: <20260321094723.273058-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20260321094723.273058-1-vanusuri@mvista.com> References: <20260321094723.273058-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 21 Mar 2026 09:47:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233654 From: Vijay Anusuri CVE-2026-3783-pre1.patch is dependency patch for CVE-2026-3783.patch cherry picked from upstream commit: https://github.com/curl/curl/commit/d7b970e46ba29a7e558e21d19f485977ffed6266 https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877 Reference: https://curl.se/docs/CVE-2026-3783.html Signed-off-by: Vijay Anusuri --- .../curl/curl/CVE-2026-3783-pre1.patch | 66 ++++++++ .../curl/curl/CVE-2026-3783.patch | 157 ++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 2 + 3 files changed, 225 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783-pre1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783-pre1.patch b/meta/recipes-support/curl/curl/CVE-2026-3783-pre1.patch new file mode 100644 index 0000000000..746e5d9ab6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3783-pre1.patch @@ -0,0 +1,66 @@ +From d7b970e46ba29a7e558e21d19f485977ffed6266 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 29 Apr 2022 22:56:47 +0200 +Subject: [PATCH] http: move Curl_allow_auth_to_host() + +It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef + +Reported-by: Michael Olbrich +Fixes #8772 +Closes #8775 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/d7b970e46ba29a7e558e21d19f485977ffed6266] +CVE: CVE-2026-3783 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + lib/http.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 0d5c449bc72a..b215307dcaaa 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) + return result; + } + ++/* ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. ++ */ ++bool Curl_allow_auth_to_host(struct Curl_easy *data) ++{ ++ struct connectdata *conn = data->conn; ++ return (!data->state.this_is_a_follow || ++ data->set.allow_auth_to_other_hosts || ++ (data->state.first_host && ++ strcasecompare(data->state.first_host, conn->host.name) && ++ (data->state.first_remote_port == conn->remote_port) && ++ (data->state.first_remote_protocol == conn->handler->protocol))); ++} ++ + #ifndef CURL_DISABLE_HTTP_AUTH + /* + * Output the correct authentication header depending on the auth type +@@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data, + return CURLE_OK; + } + +-/* +- * Curl_allow_auth_to_host() tells if authentication, cookies or other +- * "sensitive data" can (still) be sent to this host. +- */ +-bool Curl_allow_auth_to_host(struct Curl_easy *data) +-{ +- struct connectdata *conn = data->conn; +- return (!data->state.this_is_a_follow || +- data->set.allow_auth_to_other_hosts || +- (data->state.first_host && +- strcasecompare(data->state.first_host, conn->host.name) && +- (data->state.first_remote_port == conn->remote_port) && +- (data->state.first_remote_protocol == conn->handler->protocol))); +-} +- + /** + * Curl_http_output_auth() setups the authentication headers for the + * host/proxy and the correct authentication diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783.patch b/meta/recipes-support/curl/curl/CVE-2026-3783.patch new file mode 100644 index 0000000000..769198d688 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3783.patch @@ -0,0 +1,157 @@ +From e3d7401a32a46516c9e5ee877e613e62ed35bddc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 6 Mar 2026 23:13:07 +0100 +Subject: [PATCH] http: only send bearer if auth is allowed + +Verify with test 2006 + +Closes #20843 + +Curl_auth_allowed_to_host() function got renamed from +Curl_allow_auth_to_host() by the commit +https://github.com/curl/curl/commit/72652c0613d37ce18e99cca17a42887f12ad43da + +Current curl version 7.82.0 has function Curl_allow_auth_to_host() + +Upstream-Status: Backport [https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877] +CVE: CVE-2026-3783 +Signed-off-by: Vijay Anusuri +--- + lib/http.c | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test2006 | 98 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 100 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test2006 + +diff --git a/lib/http.c b/lib/http.c +index 691091b..6acd537 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -757,6 +757,7 @@ output_auth_headers(struct Curl_easy *data, + if(authstatus->picked == CURLAUTH_BEARER) { + /* Bearer */ + if((!proxy && data->set.str[STRING_BEARER] && ++ Curl_allow_auth_to_host(data) && + !Curl_checkheaders(data, STRCONST("Authorization")))) { + auth = "Bearer"; + result = http_output_bearer(data); +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index ad41a5e..e641cb8 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -221,7 +221,7 @@ test1916 test1917 test1918 \ + \ + test1933 test1934 test1935 test1936 test1937 test1938 test1939 \ + \ +-test2000 test2001 test2002 test2003 test2004 \ ++test2000 test2001 test2002 test2003 test2004 test2006 \ + \ + test2023 \ + test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \ +diff --git a/tests/data/test2006 b/tests/data/test2006 +new file mode 100644 +index 0000000..200d30a +--- /dev/null ++++ b/tests/data/test2006 +@@ -0,0 +1,98 @@ ++ ++ ++ ++ ++netrc ++HTTP ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++-foo- ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++proxy ++ ++ ++.netrc default with redirect plus oauth2-bearer ++ ++ ++--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER --oauth2-bearer SECRET_TOKEN -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/ ++ ++ ++default login testuser password testpass ++ ++ ++ ++ ++ ++GET http://a.com/ HTTP/1.1 ++Host: a.com ++Authorization: Bearer SECRET_TOKEN ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://b.com/%TESTNUMBER0002 HTTP/1.1 ++Host: b.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 0e107f1e75..f50af1d472 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -73,6 +73,8 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2025-14524.patch \ file://CVE-2026-1965-1.patch \ file://CVE-2026-1965-2.patch \ + file://CVE-2026-3783-pre1.patch \ + file://CVE-2026-3783.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Sat Mar 21 09:47:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 84037 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 87913109446A for ; Sat, 21 Mar 2026 09:47:55 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.8248.1774086474436044342 for ; Sat, 21 Mar 2026 02:47:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=I3jd6uld; spf=pass (domain: mvista.com, ip: 209.85.216.41, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-356337f058aso1502656a91.2 for ; Sat, 21 Mar 2026 02:47:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1774086473; x=1774691273; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Cwf2+AaNN+ZUBUbDEoKYitYLu3g146Y0s9aMZmMgQug=; b=I3jd6uldxlV7hpjzN4ZcQXNBg8EJx8Za/I3gQw4c/L9pOkDsjmeMm9uXfvbSylvRE7 wxZdfLaA63i42FDmNbFi2KkG+Yh1XX33d67vGw3O6cX04rAo+z5JBjcd6UZJSSC93xgx 9VsciepHQveklt6o+6sBAFj2MXLLnhbTiPtsU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774086473; x=1774691273; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Cwf2+AaNN+ZUBUbDEoKYitYLu3g146Y0s9aMZmMgQug=; b=V9mOacXDTlCVl8BAUYYJixyeGBYVMGdrOaAlgsG39CqaeiCHaxMXsf5nLkvhMDJNsx B/kuFw790FzJwKLDa+urc1w2FYKeodq4iAvRC3cczGicm/0B9RZbtP9et5+iH1T0zWpc 0AngSg/DIIqXx3PCFY3FrD8oOiCdGlEg/52wXfIJg7zp5ZyMGEindsHXY09N/3Lr/Oii XzVTTB7/6ExvIM65ooiYuxbPw06BFxLDBXeQSrrbmqhOP3ekGE2IJoOniVbVc+bYh07v 7kNK0v55vNNmUaOS5p8nPgXlH6elrEr9fVWk1uQXC0RhUZJwwULDtMrjzm0rHLcOtRFF Xa4g== X-Gm-Message-State: AOJu0YxU5fpfHO2WFae9pil3yq/9VA8cPLqlnXUZYuLvcI5gbyP61Rsk Rate2r5ct5uDIGHCsCjxqc4oChRwO9uCvfaWAPVKp+MxyS3/9l1K0ypZjYftfc7ctZ6NlPe2lw6 OpvVhwVM= X-Gm-Gg: ATEYQzwEGwoZgoDxdmKbzkznpEVhU4HEWcRcnIHiHnPdFqVO4sk9G2y31NOp6qr5m7M MIXKqjXR5ps8ITGuxqncP0YAW2xhYgnNu4uLo7ZO8+iDcDsmbEdbFvNwYkwX+HxeOKEkVPjCR3V ibWXJ4JfsFLZeNZI96fH3wbA5OHb5572hUMq3qS5sQnd5TPBClxDf3No74RTSQzU9QS4wzukuFU VlPiJmLsVdmlolKLkHASMQCxVXUVJEegw9LZkyv899LVhCu+RuSBh41PKJDfsy9v+bOKDnoACqm PyyoyHpjVChOxTPxhnBiKtFNeOExC3LSnuCMNeulMOPq/wXZYGWGQuyUwAn9y+xJRb2v07mq6DI Z9qRoGV7INeFZN5VI6pJctv66wo3lq8KDniVkmBiuJb/MemkTlzhRKsWfQS5ThSwoTLkwlovzd8 znsge6SztttyGPMissw/gGGjGTl49dmWgcf085 X-Received: by 2002:a17:90b:4ccb:b0:359:f0e1:f8c9 with SMTP id 98e67ed59e1d1-35bd2b97290mr4950370a91.6.1774086473274; Sat, 21 Mar 2026 02:47:53 -0700 (PDT) Received: from localhost.localdomain ([2406:7400:54:2bec:e896:2af1:2e77:522f]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35bc5ff704bsm7489501a91.2.2026.03.21.02.47.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 21 Mar 2026 02:47:52 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 4/4] curl: patch CVE-2026-3784 Date: Sat, 21 Mar 2026 15:17:23 +0530 Message-Id: <20260321094723.273058-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20260321094723.273058-1-vanusuri@mvista.com> References: <20260321094723.273058-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 21 Mar 2026 09:47:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233655 From: Vijay Anusuri pick patch from ubuntu per [1] [1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz [2] https://ubuntu.com/security/CVE-2026-3784 [3] https://curl.se/docs/CVE-2026-3784.html Signed-off-by: Vijay Anusuri --- .../curl/curl/CVE-2026-3784.patch | 73 +++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch b/meta/recipes-support/curl/curl/CVE-2026-3784.patch new file mode 100644 index 0000000000..95784e4763 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch @@ -0,0 +1,73 @@ +From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 6 Mar 2026 14:54:09 +0100 +Subject: [PATCH] proxy-auth: additional tests + +Also eliminate the special handling for socks proxy match. + +Closes #20837 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3] +Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz + +CVE: CVE-2026-3784 +Signed-off-by: Vijay Anusuri +--- + lib/url.c | 28 +++++++--------------------- + tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++ + tests/http/testenv/curl.py | 18 +++++++++++++++--- + 3 files changed, 42 insertions(+), 24 deletions(-) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in + { + if((data->proxytype == needle->proxytype) && + (data->port == needle->port) && +- Curl_safe_strcasecompare(data->host.name, needle->host.name)) +- return TRUE; ++ curl_strequal(data->host.name, needle->host.name)) { + ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) ++ return FALSE; ++ return TRUE; ++ } + return FALSE; + } +- +-static bool +-socks_proxy_info_matches(const struct proxy_info *data, +- const struct proxy_info *needle) +-{ +- if(!proxy_info_matches(data, needle)) +- return FALSE; +- +- /* the user information is case-sensitive +- or at least it is not defined as case-insensitive +- see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ +- +- /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(Curl_timestrcmp(data->user, needle->user) || +- Curl_timestrcmp(data->passwd, needle->passwd)) +- return FALSE; +- return TRUE; +-} +-#else +-/* disabled, won't get called */ +-#define proxy_info_matches(x,y) FALSE +-#define socks_proxy_info_matches(x,y) FALSE + #endif + + /* A connection has to have been idle for a shorter time than 'maxage_conn' +@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data, + continue; + + if(needle->bits.socksproxy && +- !socks_proxy_info_matches(&needle->socks_proxy, +- &check->socks_proxy)) ++ !proxy_info_matches(&needle->socks_proxy, ++ &check->socks_proxy)) + continue; + #endif + if(needle->bits.conn_to_host != check->bits.conn_to_host) diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index f50af1d472..a2ee573681 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -75,6 +75,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2026-1965-2.patch \ file://CVE-2026-3783-pre1.patch \ file://CVE-2026-3783.patch \ + file://CVE-2026-3784.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"