From: Vijay Anusuri <vanusuri@mvista.com>
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [OE-core][scarthgap][patch 1/3] curl: patch CVE-2026-1965
Date: Mon, 6 Apr 2026 18:51:27 +0530 [thread overview]
Message-ID: <20260406132129.440817-1-vanusuri@mvista.com> (raw)
pick patches from ubuntu per [1]
[1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
[2] https://ubuntu.com/security/CVE-2026-1965
[3] https://curl.se/docs/CVE-2026-1965.html
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../curl/curl/CVE-2026-1965-1.patch | 102 ++++++++++++++++++
.../curl/curl/CVE-2026-1965-2.patch | 34 ++++++
meta/recipes-support/curl/curl_8.7.1.bb | 2 +
3 files changed, 138 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
new file mode 100644
index 0000000000..acc8bfe044
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
@@ -0,0 +1,102 @@
+From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 5 Feb 2026 08:34:21 +0100
+Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
+
+Assume Negotiate means connection-based
+
+Reported-by: Zhicheng Chen
+Closes #20534
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd6]
+Backported by Ubuntu team http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
+
+CVE: CVE-2026-1965
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 62 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 1439c9e..792c422 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -936,6 +936,18 @@ ConnectionExists(struct Curl_easy *data,
+ #else
+ bool wantProxyNTLMhttp = FALSE;
+ #endif
++#endif
++
++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
++ bool wantNegohttp =
++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#ifndef CURL_DISABLE_PROXY
++ bool wantProxyNegohttp =
++ needle->bits.proxy_user_passwd &&
++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#endif
+ #endif
+ /* plain HTTP with upgrade */
+ bool h2upgrade = (data->state.httpwant == CURL_HTTP_VERSION_2_0) &&
+@@ -1274,6 +1286,56 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ #endif
+
++#ifdef USE_SPNEGO
++ /* If we are looking for an HTTP+Negotiate connection, check if this is
++ already authenticating with the right credentials. If not, keep looking
++ so that we can reuse Negotiate connections if possible. */
++ if(wantNegohttp) {
++ if(Curl_timestrcmp(needle->user, check->user) ||
++ Curl_timestrcmp(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->http_negotiate_state != GSS_AUTHNONE) {
++ /* Connection is using Negotiate auth but we do not want Negotiate */
++ continue;
++ }
++
++#ifndef CURL_DISABLE_PROXY
++ /* Same for Proxy Negotiate authentication */
++ if(wantProxyNegohttp) {
++ /* Both check->http_proxy.user and check->http_proxy.passwd can be
++ * NULL */
++ if(!check->http_proxy.user || !check->http_proxy.passwd)
++ continue;
++
++ if(Curl_timestrcmp(needle->http_proxy.user,
++ check->http_proxy.user) ||
++ Curl_timestrcmp(needle->http_proxy.passwd,
++ check->http_proxy.passwd))
++ continue;
++ }
++ else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
++ /* Proxy connection is using Negotiate auth but we do not want Negotiate */
++ continue;
++ }
++#endif
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we may use this connection. We MUST
++ * use a connection where it has already been fully negotiated. If it has
++ * not, we keep on looking for a better one. */
++ chosen = check;
++ if((wantNegohttp &&
++ (check->http_negotiate_state != GSS_AUTHNONE)) ||
++ (wantProxyNegohttp &&
++ (check->proxy_negotiate_state != GSS_AUTHNONE))) {
++ /* We must use this connection, no other */
++ *force_reuse = TRUE;
++ break;
++ }
++ continue; /* get another */
++ }
++#endif
++
+ if(CONN_INUSE(check)) {
+ DEBUGASSERT(canmultiplex);
+ DEBUGASSERT(check->bits.multiplex);
+--
+2.43.0
+
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
new file mode 100644
index 0000000000..07dbf4e973
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
@@ -0,0 +1,34 @@
+From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 21 Feb 2026 18:11:41 +0100
+Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
+
+Follow-up to 34fa034
+Reported-by: dahmono on github
+Closes #20662
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990]
+Backported by Ubuntu team http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
+
+CVE: CVE-2026-1965
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 792c422..22ed0be 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1319,7 +1319,7 @@ ConnectionExists(struct Curl_easy *data,
+ continue;
+ }
+ #endif
+- if(wantNTLMhttp || wantProxyNTLMhttp) {
++ if(wantNegohttp || wantProxyNegohttp) {
+ /* Credentials are already checked, we may use this connection. We MUST
+ * use a connection where it has already been fully negotiated. If it has
+ * not, we keep on looking for a better one. */
+--
+2.43.0
+
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 9e37684b2c..0b4c93ec66 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -32,6 +32,8 @@ SRC_URI = " \
file://CVE-2025-14819.patch \
file://CVE-2025-15079.patch \
file://CVE-2025-15224.patch \
+ file://CVE-2026-1965-1.patch \
+ file://CVE-2026-1965-2.patch \
"
SRC_URI:append:class-nativesdk = " \
--
2.43.0
next reply other threads:[~2026-04-06 13:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-06 13:21 Vijay Anusuri [this message]
2026-04-06 13:21 ` [OE-core][scarthgap][patch 2/3] curl: patch CVE-2026-3783 Vijay Anusuri
2026-04-06 13:21 ` [OE-core][scarthgap][patch 3/3] curl: patch CVE-2026-3784 Vijay Anusuri
2026-04-07 6:56 ` [OE-core][scarthgap][patch 1/3] curl: patch CVE-2026-1965 Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260406132129.440817-1-vanusuri@mvista.com \
--to=vanusuri@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox