[OE-core][whinlatter 0/7] Patch review

[OE-core][whinlatter 0/7] Patch review

[Yoann Congal]

Please review this set of changes for whinlatter and have comments back by
end of day Tuesday, March 24.

Passed a-full on autobuilder with 1 AB-INT failure:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3471
* meta-arm failed. I reported it to the meta-arm mailing-list:
  * AB-INT failure in whinlatter/edk2-firmware do_compile https://lists.yoctoproject.org/g/meta-arm/message/6967
  * Successfully retried as https://autobuilder.yoctoproject.org/valkyrie/#/builders/75/builds/3303

The following changes since commit ab57471acad7ce2a037480dc7b301104620f1ebf:

  build-appliance-image: Update to whinlatter head revisions (2026-03-16 11:05:22 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/whinlatter-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/whinlatter-nut

for you to fetch changes up to 2d6383491f4246a93e1a49a9fe258d873adf8b76:

  curl: patch CVE-2026-3805 (2026-03-19 08:45:38 +0100)

----------------------------------------------------------------

Krupal Ka Patel (2):
  python3-setuptools: drop Windows launcher executables on non-mingw
    builds
  python3-pip: drop unused Windows distlib launcher templates

Peter Marko (4):
  curl: patch CVE-2026-1965
  curl: patch CVE-2026-3783
  curl: patch CVE-2026-3784
  curl: patch CVE-2026-3805

Vijay Anusuri (1):
  inetutils: Fix CVE-2026-32746

 .../inetutils/inetutils/CVE-2026-32746.patch  |  40 +++++
 .../inetutils/inetutils_2.6.bb                |   1 +
 .../python/python3-pip_25.2.bb                |   9 +
 .../python/python3-setuptools_80.9.0.bb       |   9 +
 ...d-macros-warnings-and-related-tidy-u.patch |  44 +++++
 .../curl/curl/CVE-2026-1965-01.patch          | 138 +++++++++++++++
 .../curl/curl/CVE-2026-1965-02.patch          |  29 ++++
 .../curl/curl/CVE-2026-3783.patch             | 148 ++++++++++++++++
 .../curl/curl/CVE-2026-3784-02.patch          | 162 ++++++++++++++++++
 .../curl/curl/CVE-2026-3805.patch             |  67 ++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |   6 +
 11 files changed, 653 insertions(+)
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch
 create mode 100644 meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-01.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-02.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784-02.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3805.patch

[OE-core][whinlatter 1/7] inetutils: Fix CVE-2026-32746

[Yoann Congal]

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-32746
[2] https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
[3] https://codeberg.org/inetutils/inetutils/pulls/17/files

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../inetutils/inetutils/CVE-2026-32746.patch  | 40 +++++++++++++++++++
 .../inetutils/inetutils_2.6.bb                |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch

diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch
new file mode 100644
index 00000000000..dfab82f01f2
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch
@@ -0,0 +1,40 @@
+From 6864598a29b652a6b69a958f5cd1318aa2b258af Mon Sep 17 00:00:00 2001
+From: Collin Funk <collin.funk1@gmail.com>
+Date: Wed, 11 Mar 2026 23:06:46 -0700
+Subject: [PATCH] telnetd: fix stack buffer overflow processing SLC suboption triplets
+
+Previously a client could write past the end of an internal buffer using
+an SLC suboption with many triplets using function octets greater than
+18, possibly leading to remote code execution. Reported by Adiel Sol,
+Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM
+Security Research Team at:
+<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html>.
+
+* telnetd/slc.c (add_slc): Return early if writing the tuple would lead
+us to writing past the end of the buffer.
+* NEWS.md: Mention the fix.
+
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=6864598a29b652a6b69a958f5cd1318aa2b258af]
+CVE: CVE-2026-32746
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ telnetd/slc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/telnetd/slc.c b/telnetd/slc.c
+index be18782..3434829 100644
+--- a/telnetd/slc.c
++++ b/telnetd/slc.c
+@@ -162,6 +162,9 @@ get_slc_defaults (void)
+ void
+ add_slc (char func, char flag, cc_t val)
+ {
++  /* Do nothing if the entire triplet cannot fit in the buffer.  */
++  if (slcbuf + sizeof slcbuf - slcptr <= 6)
++    return;
+ 
+   if ((*slcptr++ = (unsigned char) func) == 0xff)
+     *slcptr++ = 0xff;
+-- 
+2.43.0
+
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.6.bb b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
index 29a40143a28..9892507ad9a 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
            file://CVE-2026-24061-01.patch \
            file://CVE-2026-24061-02.patch \
            file://CVE-2026-28372.patch \
+           file://CVE-2026-32746.patch \
            "
 
 inherit autotools gettext update-alternatives texinfo

[OE-core][whinlatter 2/7] python3-setuptools: drop Windows launcher executables on non-mingw builds

[Yoann Congal]

From: Krupal Ka Patel <krkapate@cisco.com>

setuptools installs Windows launcher executables (cli*.exe, gui*.exe)
into site-packages. These binaries are only used on Windows platforms
but are packaged for target, native, and nativesdk builds.

Remove the Windows launcher executables when not building for a mingw
(mingw32/mingw64) host to avoid shipping unused Windows binaries.

Signed-off-by: Krupal Ka Patel <krkapate@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cf7c79f3962f2be99cfda47e8cc730091e6a18cb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../recipes-devtools/python/python3-setuptools_80.9.0.bb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-setuptools_80.9.0.bb b/meta/recipes-devtools/python/python3-setuptools_80.9.0.bb
index 533d8ce3d44..833d610be5b 100644
--- a/meta/recipes-devtools/python/python3-setuptools_80.9.0.bb
+++ b/meta/recipes-devtools/python/python3-setuptools_80.9.0.bb
@@ -13,6 +13,15 @@ SRC_URI += " \
 
 SRC_URI[sha256sum] = "f36b47402ecde768dbfafc46e8e4207b4360c654f1f3bb84475f0a28628fb19c"
 
+do_install:append() {
+	# setuptools ships Windows launcher executables (cli*.exe, gui*.exe).
+	# Keep them only when building for a Windows (mingw) host.
+	case "${HOST_OS}" in
+		mingw32|mingw64) ;;
+		*) rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/setuptools/*.exe ;;
+	esac
+}
+
 DEPENDS += "python3"
 
 RDEPENDS:${PN} = "\

[OE-core][whinlatter 3/7] python3-pip: drop unused Windows distlib launcher templates

[Yoann Congal]

From: Krupal Ka Patel <krkapate@cisco.com>

pip vendors distlib which ships Windows launcher template binaries
(*.exe) under pip/_vendor/distlib. These files are only used on
Windows systems but are installed and packaged for target, native,
and nativesdk builds.

Remove the distlib *.exe templates when not building for a mingw
(mingw32/mingw64) host to avoid shipping unused Windows binaries and
reduce package noise.

Signed-off-by: Krupal Ka Patel <krkapate@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90d208fbb06b6e6b5aaddb0048fd6e2e1d46c8bd)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/python/python3-pip_25.2.bb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb
index 496eff1f15d..901c0152dfb 100644
--- a/meta/recipes-devtools/python/python3-pip_25.2.bb
+++ b/meta/recipes-devtools/python/python3-pip_25.2.bb
@@ -30,6 +30,15 @@ SRC_URI += "file://no_shebang_mangling.patch \
 
 SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2"
 
+do_install:append(){
+	# pip vendors distlib which ships Windows launcher templates (*.exe).
+	# Keep them only when building for a Windows (mingw) host.
+	case "${HOST_OS}" in
+		mingw32|mingw64) ;;
+		*) rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/pip/_vendor/distlib/*.exe ;;
+	esac
+}
+
 RDEPENDS:${PN} = "\
   python3-compile \
   python3-html \

[OE-core][whinlatter 4/7] curl: patch CVE-2026-1965

[Yoann Congal]

From: Peter Marko <peter.marko@siemens.com>

Pick patches from [1].

[1] https://curl.se/docs/CVE-2026-1965.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2026-1965-01.patch          | 138 ++++++++++++++++++
 .../curl/curl/CVE-2026-1965-02.patch          |  29 ++++
 meta/recipes-support/curl/curl_8.17.0.bb      |   2 +
 3 files changed, 169 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-01.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-02.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-01.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-01.patch
new file mode 100644
index 00000000000..dbfbfd7e633
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965-01.patch
@@ -0,0 +1,138 @@
+From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 5 Feb 2026 08:34:21 +0100
+Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
+
+Assume Negotiate means connection-based
+
+Reported-by: Zhicheng Chen
+Closes #20534
+
+CVE: CVE-2026-1965
+Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 82 insertions(+), 5 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index fac8cea732..cfe398de8b 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -792,6 +792,8 @@ struct url_conn_match {
+   BIT(may_multiplex);
+   BIT(want_ntlm_http);
+   BIT(want_proxy_ntlm_http);
++  BIT(want_nego_http);
++  BIT(want_proxy_nego_http);
+ 
+   BIT(wait_pipe);
+   BIT(force_reuse);
+@@ -1215,6 +1217,63 @@ static bool url_match_auth_ntlm(struct connectdata *conn,
+ #define url_match_auth_ntlm(c,m)    ((void)c, (void)m, TRUE)
+ #endif
+ 
++#ifdef USE_SPNEGO
++static bool url_match_auth_nego(struct connectdata *conn,
++                                struct url_conn_match *m)
++{
++  /* If we are looking for an HTTP+Negotiate connection, check if this is
++     already authenticating with the right credentials. If not, keep looking
++     so that we can reuse Negotiate connections if possible. */
++  if(m->want_nego_http) {
++    if(Curl_timestrcmp(m->needle->user, conn->user) ||
++       Curl_timestrcmp(m->needle->passwd, conn->passwd))
++      return FALSE;
++  }
++  else if(conn->http_negotiate_state != GSS_AUTHNONE) {
++    /* Connection is using Negotiate auth but we do not want Negotiate */
++    return FALSE;
++  }
++
++#ifndef CURL_DISABLE_PROXY
++  /* Same for Proxy Negotiate authentication */
++  if(m->want_proxy_nego_http) {
++    /* Both conn->http_proxy.user and conn->http_proxy.passwd can be
++     * NULL */
++    if(!conn->http_proxy.user || !conn->http_proxy.passwd)
++      return FALSE;
++
++    if(Curl_timestrcmp(m->needle->http_proxy.user,
++                       conn->http_proxy.user) ||
++       Curl_timestrcmp(m->needle->http_proxy.passwd,
++                       conn->http_proxy.passwd))
++      return FALSE;
++  }
++  else if(conn->proxy_negotiate_state != GSS_AUTHNONE) {
++    /* Proxy connection is using Negotiate auth but we do not want Negotiate */
++    return FALSE;
++  }
++#endif
++  if(m->want_ntlm_http || m->want_proxy_ntlm_http) {
++    /* Credentials are already checked, we may use this connection. We MUST
++     * use a connection where it has already been fully negotiated. If it has
++     * not, we keep on looking for a better one. */
++    m->found = conn;
++    if((m->want_nego_http &&
++        (conn->http_negotiate_state != GSS_AUTHNONE)) ||
++       (m->want_proxy_nego_http &&
++        (conn->proxy_negotiate_state != GSS_AUTHNONE))) {
++      /* We must use this connection, no other */
++      m->force_reuse = TRUE;
++      return TRUE;
++    }
++    return FALSE; /* get another */
++  }
++  return TRUE;
++}
++#else
++#define url_match_auth_nego(c, m) ((void)c, (void)m, TRUE)
++#endif
++
+ static bool url_match_conn(struct connectdata *conn, void *userdata)
+ {
+   struct url_conn_match *m = userdata;
+@@ -1258,6 +1317,11 @@ static bool url_match_conn(struct connectdata *conn, void *userdata)
+   else if(m->force_reuse)
+     return TRUE;
+ 
++  if(!url_match_auth_nego(conn, m))
++    return FALSE;
++  else if(m->force_reuse)
++    return TRUE;
++
+   if(!url_match_multiplex_limits(conn, m))
+     return FALSE;
+ 
+@@ -1324,13 +1388,26 @@ ConnectionExists(struct Curl_easy *data,
+   match.may_multiplex = xfer_may_multiplex(data, needle);
+ 
+ #ifdef USE_NTLM
+-  match.want_ntlm_http = ((data->state.authhost.want & CURLAUTH_NTLM) &&
+-                          (needle->handler->protocol & PROTO_FAMILY_HTTP));
++  match.want_ntlm_http =
++    (data->state.authhost.want & CURLAUTH_NTLM) &&
++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
+ #ifndef CURL_DISABLE_PROXY
+   match.want_proxy_ntlm_http =
+-    (needle->bits.proxy_user_passwd &&
+-     (data->state.authproxy.want & CURLAUTH_NTLM) &&
+-     (needle->handler->protocol & PROTO_FAMILY_HTTP));
++    needle->bits.proxy_user_passwd &&
++    (data->state.authproxy.want & CURLAUTH_NTLM) &&
++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#endif
++#endif
++
++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
++  match.want_nego_http =
++    (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
++    (needle->scheme->protocol & PROTO_FAMILY_HTTP);
++#ifndef CURL_DISABLE_PROXY
++  match.want_proxy_nego_http =
++    needle->bits.proxy_user_passwd &&
++    (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
++    (needle->scheme->protocol & PROTO_FAMILY_HTTP);
+ #endif
+ #endif
+ 
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-02.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-02.patch
new file mode 100644
index 00000000000..e945b83b244
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965-02.patch
@@ -0,0 +1,29 @@
+From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 21 Feb 2026 18:11:41 +0100
+Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
+
+Follow-up to 34fa034
+Reported-by: dahmono on github
+Closes #20662
+
+CVE: CVE-2026-1965
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index c879a85e92..8b42aebade 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1253,7 +1253,7 @@ static bool url_match_auth_nego(struct connectdata *conn,
+     return FALSE;
+   }
+ #endif
+-  if(m->want_ntlm_http || m->want_proxy_ntlm_http) {
++  if(m->want_nego_http || m->want_proxy_nego_http) {
+     /* Credentials are already checked, we may use this connection. We MUST
+      * use a connection where it has already been fully negotiated. If it has
+      * not, we keep on looking for a better one. */
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index 739838c3e88..06f4353134f 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -20,6 +20,8 @@ SRC_URI = " \
     file://CVE-2025-14819.patch \
     file://CVE-2025-15079.patch \
     file://CVE-2025-15224.patch \
+    file://CVE-2026-1965-01.patch \
+    file://CVE-2026-1965-02.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \

[OE-core][whinlatter 5/7] curl: patch CVE-2026-3783

[Yoann Congal]

From: Peter Marko <peter.marko@siemens.com>

Pick patch from [1].

[1] https://curl.se/docs/CVE-2026-3783.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2026-3783.patch             | 148 ++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |   1 +
 2 files changed, 149 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783.patch b/meta/recipes-support/curl/curl/CVE-2026-3783.patch
new file mode 100644
index 00000000000..11ffaa72de4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-3783.patch
@@ -0,0 +1,148 @@
+From e3d7401a32a46516c9e5ee877e613e62ed35bddc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 6 Mar 2026 23:13:07 +0100
+Subject: [PATCH] http: only send bearer if auth is allowed
+
+Verify with test 2006
+
+Closes #20843
+
+CVE: CVE-2026-3783
+Upstream-Status: Backport [https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877e613e62ed35bddc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/http.c             |  1 +
+ tests/data/Makefile.am |  2 +-
+ tests/data/test2006    | 98 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 100 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test2006
+
+diff --git a/lib/http.c b/lib/http.c
+index d2f85fc5bf..d61edbd0cd 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -729,6 +729,7 @@ output_auth_headers(struct Curl_easy *data,
+   if(authstatus->picked == CURLAUTH_BEARER) {
+     /* Bearer */
+     if((!proxy && data->set.str[STRING_BEARER] &&
++        Curl_auth_allowed_to_host(data) &&
+         !Curl_checkheaders(data, STRCONST("Authorization")))) {
+       auth = "Bearer";
+       result = http_output_bearer(data);
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index f39568d3b8..6c8be18b32 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -242,7 +242,7 @@ test1955 test1956 test1957 test1958 test1959 test1960 test1964 \
+ test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 \
+ test1978 test1979 test1980 test1981 \
+ \
+-test2000 test2001 test2002 test2003 test2004 test2005 \
++test2000 test2001 test2002 test2003 test2004 test2005 test2006 \
+ \
+                                                                test2023 \
+ test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \
+diff --git a/tests/data/test2006 b/tests/data/test2006
+new file mode 100644
+index 0000000000..200d30a7ce
+--- /dev/null
++++ b/tests/data/test2006
+@@ -0,0 +1,98 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++netrc
++HTTP
++</keywords>
++</info>
++# Server-side
++<reply>
++<data crlf="headers">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++-foo-
++</data>
++
++<data2 crlf="headers">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</data2>
++
++<datacheck crlf="headers">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</datacheck>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++proxy
++</features>
++<name>
++.netrc default with redirect plus oauth2-bearer
++</name>
++<command>
++--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER --oauth2-bearer SECRET_TOKEN -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
++</command>
++<file name="%LOGDIR/netrc%TESTNUMBER" >
++default login testuser password testpass
++</file>
++</client>
++
++<verify>
++<protocol crlf="headers">
++GET http://a.com/ HTTP/1.1
++Host: a.com
++Authorization: Bearer SECRET_TOKEN
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://b.com/%TESTNUMBER0002 HTTP/1.1
++Host: b.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index 06f4353134f..31d34c53909 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -22,6 +22,7 @@ SRC_URI = " \
     file://CVE-2025-15224.patch \
     file://CVE-2026-1965-01.patch \
     file://CVE-2026-1965-02.patch \
+    file://CVE-2026-3783.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \

[OE-core][whinlatter 6/7] curl: patch CVE-2026-3784

[Yoann Congal]

From: Peter Marko <peter.marko@siemens.com>

Pick patch from [1].
Additionally pick part of clenup patch which resolves conflicts.

[1] https://curl.se/docs/CVE-2026-3784.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 ...d-macros-warnings-and-related-tidy-u.patch |  44 +++++
 .../curl/curl/CVE-2026-3784-02.patch          | 162 ++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |   2 +
 3 files changed, 208 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784-02.patch

diff --git a/meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch b/meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch
new file mode 100644
index 00000000000..b4af8421f53
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch
@@ -0,0 +1,44 @@
+From 5fa5cb382560316a55f0954f1e8cebdbd6568cfb Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Fri, 13 Feb 2026 17:05:36 +0100
+Subject: [PATCH] build: fix `-Wunused-macros` warnings, and related tidy-ups
+
+- fix internal macro `AN_APPLE_OS` reused between sources without
+  resetting it. It may potentially have left the system sha256
+  function unused.
+- fix to define `WOLFSSL_OPTIONS_IGNORE_SYS` so that it always applies
+  to wolfSSL headers, also during feature detection.
+- md4, md5, sha256: simplify fallback logic.
+- delete 20+ unused macros.
+- scope or move macros to avoid `-Wunused-macros` warnings.
+- examples: delete unused code.
+
+The warning detects macros defined but not used within the same C
+source. It does not warn for macros defined in headers. It also works
+with unity builds, but to a lesser extent.
+
+Closes #20593
+
+<picked only part relevant for CVE-2026-3784>
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5fa5cb382560316a55f0954f1e8cebdbd6568cfb]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/url.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 3c0d913432..f0b6b0d5b2 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -639,10 +639,6 @@ socks_proxy_info_matches(const struct proxy_info *data,
+     return FALSE;
+   return TRUE;
+ }
+-#else
+-/* disabled, will not get called */
+-#define proxy_info_matches(x,y) FALSE
+-#define socks_proxy_info_matches(x,y) FALSE
+ #endif
+ 
+ /* A connection has to have been idle for less than 'conn_max_idle_ms'
diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784-02.patch b/meta/recipes-support/curl/curl/CVE-2026-3784-02.patch
new file mode 100644
index 00000000000..84f37374c64
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-3784-02.patch
@@ -0,0 +1,162 @@
+From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 6 Mar 2026 14:54:09 +0100
+Subject: [PATCH] proxy-auth: additional tests
+
+Also eliminate the special handling for socks proxy match.
+
+Closes #20837
+
+CVE: CVE-2026-3784
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3ef86e97afb856fb364]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/url.c                        | 29 +++++++----------------------
+ tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++
+ tests/http/testenv/curl.py       | 18 +++++++++++++++---
+ 3 files changed, 42 insertions(+), 25 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index eabeb776ab..bdc183b45b 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -615,30 +615,15 @@ proxy_info_matches(const struct proxy_info *data,
+ {
+   if((data->proxytype == needle->proxytype) &&
+      (data->port == needle->port) &&
+-     curl_strequal(data->host.name, needle->host.name))
++     curl_strequal(data->host.name, needle->host.name)) {
++
++    if(Curl_timestrcmp(data->user, needle->user) ||
++       Curl_timestrcmp(data->passwd, needle->passwd))
++      return FALSE;
+     return TRUE;
+-
++  }
+   return FALSE;
+ }
+-
+-static bool
+-socks_proxy_info_matches(const struct proxy_info *data,
+-                         const struct proxy_info *needle)
+-{
+-  if(!proxy_info_matches(data, needle))
+-    return FALSE;
+-
+-  /* the user information is case-sensitive
+-     or at least it is not defined as case-insensitive
+-     see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */
+-
+-  /* curl_strequal does a case insensitive comparison,
+-     so do not use it here! */
+-  if(Curl_timestrcmp(data->user, needle->user) ||
+-     Curl_timestrcmp(data->passwd, needle->passwd))
+-    return FALSE;
+-  return TRUE;
+-}
+ #endif
+ 
+ /* A connection has to have been idle for less than 'conn_max_idle_ms'
+@@ -954,7 +939,7 @@ static bool url_match_proxy_use(struct connectdata *conn,
+     return FALSE;
+ 
+   if(m->needle->bits.socksproxy &&
+-    !socks_proxy_info_matches(&m->needle->socks_proxy,
++    !proxy_info_matches(&m->needle->socks_proxy,
+                               &conn->socks_proxy))
+     return FALSE;
+ 
+diff --git a/tests/http/test_13_proxy_auth.py b/tests/http/test_13_proxy_auth.py
+index 080adef187..33fb211e99 100644
+--- a/tests/http/test_13_proxy_auth.py
++++ b/tests/http/test_13_proxy_auth.py
+@@ -169,3 +169,23 @@ class TestProxyAuth:
+             '--negotiate', '--proxy-user', 'proxy:proxy'
+         ])
+         r1.check_response(count=1, http_status=200)
++
++    def test_13_10_tunnels_mixed_auth(self, env: Env, httpd, configures_httpd):
++        self.httpd_configure(env, httpd)
++        curl = CurlClient(env=env)
++        url1 = f'http://localhost:{env.http_port}/data.json?1'
++        url2 = f'http://localhost:{env.http_port}/data.json?2'
++        url3 = f'http://localhost:{env.http_port}/data.json?3'
++        xargs1 = curl.get_proxy_args(proxys=False, tunnel=True)
++        xargs1.extend(['--proxy-user', 'proxy:proxy']) # good auth
++        xargs2 = curl.get_proxy_args(proxys=False, tunnel=True)
++        xargs2.extend(['--proxy-user', 'ungood:ungood']) # bad auth
++        xargs3 = curl.get_proxy_args(proxys=False, tunnel=True)
++        # no auth
++        r = curl.http_download(urls=[url1, url2, url3], alpn_proto='http/1.1', with_stats=True,
++                               url_options={url1: xargs1, url2: xargs2, url3: xargs3})
++        # only url1 succeeds, others fail, no connection reuse
++        assert r.stats[0]['http_code'] == 200, f'{r.dump_logs()}'
++        assert r.stats[1]['http_code'] == 0, f'{r.dump_logs()}'
++        assert r.stats[2]['http_code'] == 0, f'{r.dump_logs()}'
++        assert r.total_connects == 3, f'{r.dump_logs()}'
+diff --git a/tests/http/testenv/curl.py b/tests/http/testenv/curl.py
+index 4fc11c7923..1f812a1c2e 100644
+--- a/tests/http/testenv/curl.py
++++ b/tests/http/testenv/curl.py
+@@ -635,7 +635,8 @@ class CurlClient:
+                       with_tcpdump: bool = False,
+                       no_save: bool = False,
+                       limit_rate: Optional[str] = None,
+-                      extra_args: Optional[List[str]] = None):
++                      extra_args: Optional[List[str]] = None,
++                      url_options: Optional[Dict[str,List[str]]] = None):
+         if extra_args is None:
+             extra_args = []
+         if no_save:
+@@ -653,6 +654,7 @@ class CurlClient:
+             ])
+         return self._raw(urls, alpn_proto=alpn_proto, options=extra_args,
+                          with_stats=with_stats,
++                         url_options=url_options,
+                          with_headers=with_headers,
+                          with_profile=with_profile,
+                          with_tcpdump=with_tcpdump)
+@@ -929,6 +931,7 @@ class CurlClient:
+ 
+     def _raw(self, urls, intext='', timeout=None, options=None, insecure=False,
+              alpn_proto: Optional[str] = None,
++             url_options=None,
+              force_resolve=True,
+              with_stats=False,
+              with_headers=True,
+@@ -938,7 +941,8 @@ class CurlClient:
+         args = self._complete_args(
+             urls=urls, timeout=timeout, options=options, insecure=insecure,
+             alpn_proto=alpn_proto, force_resolve=force_resolve,
+-            with_headers=with_headers, def_tracing=def_tracing)
++            with_headers=with_headers, def_tracing=def_tracing,
++            url_options=url_options)
+         r = self._run(args, intext=intext, with_stats=with_stats,
+                       with_profile=with_profile, with_tcpdump=with_tcpdump)
+         if r.exit_code == 0 and with_headers:
+@@ -948,8 +952,10 @@ class CurlClient:
+     def _complete_args(self, urls, timeout=None, options=None,
+                        insecure=False, force_resolve=True,
+                        alpn_proto: Optional[str] = None,
++                       url_options=None,
+                        with_headers: bool = True,
+                        def_tracing: bool = True):
++        url_sep = []
+         if not isinstance(urls, list):
+             urls = [urls]
+ 
+@@ -975,7 +981,13 @@ class CurlClient:
+             active_options = options[options.index('--next') + 1:]
+ 
+         for url in urls:
+-            u = urlparse(urls[0])
++            args.extend(url_sep)
++            if url_options is not None:
++                url_sep = ['--next']
++
++            u = urlparse(url)
++            if url_options is not None and url in url_options:
++                args.extend(url_options[url])
+             if options:
+                 args.extend(options)
+             if alpn_proto is not None:
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index 31d34c53909..7211c43afd2 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -23,6 +23,8 @@ SRC_URI = " \
     file://CVE-2026-1965-01.patch \
     file://CVE-2026-1965-02.patch \
     file://CVE-2026-3783.patch \
+    file://0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch \
+    file://CVE-2026-3784-02.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \

[OE-core][whinlatter 7/7] curl: patch CVE-2026-3805

[Yoann Congal]

From: Peter Marko <peter.marko@siemens.com>

Pick patch from [1].

[1] https://curl.se/docs/CVE-2026-3805.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2026-3805.patch             | 67 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3805.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-3805.patch b/meta/recipes-support/curl/curl/CVE-2026-3805.patch
new file mode 100644
index 00000000000..f3b3285a3ab
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-3805.patch
@@ -0,0 +1,67 @@
+From e090be9f73a7a71459ef678c7cc4b1f75e3ea883 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Sun, 8 Mar 2026 14:30:00 +0100
+Subject: [PATCH] smb: free the path in the request struct properly
+
+Closes #20854
+
+CVE: CVE-2026-3805
+Upstream-Status: Backport [https://github.com/curl/curl/commit/e090be9f73a7a71459ef678c7cc4b1f75e3ea883]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/smb.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 41ba48fe89..00297adee7 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -448,9 +448,7 @@ static void smb_easy_dtor(void *key, size_t klen, void *entry)
+   struct smb_request *req = entry;
+   (void)key;
+   (void)klen;
+-  /* `req->path` points to somewhere in `struct smb_conn` which is
+-   * kept at the connection meta. If the connection is destroyed first,
+-   * req->path points to free'd memory. */
++  Curl_safefree(req->path);
+   free(req);
+ }
+ 
+@@ -1240,7 +1238,7 @@ static CURLcode smb_parse_url_path(struct Curl_easy *data,
+                                    struct smb_request *req)
+ {
+   char *path;
+-  char *slash;
++  char *slash, *s;
+   CURLcode result;
+ 
+   /* URL decode the path */
+@@ -1249,6 +1247,7 @@ static CURLcode smb_parse_url_path(struct Curl_easy *data,
+     return result;
+ 
+   /* Parse the path for the share */
++  Curl_safefree(smbc->share);
+   smbc->share = strdup((*path == '/' || *path == '\\') ? path + 1 : path);
+   free(path);
+   if(!smbc->share)
+@@ -1268,12 +1267,15 @@ static CURLcode smb_parse_url_path(struct Curl_easy *data,
+   /* Parse the path for the file path converting any forward slashes into
+      backslashes */
+   *slash++ = 0;
+-  req->path = slash;
+-
+-  for(; *slash; slash++) {
+-    if(*slash == '/')
+-      *slash = '\\';
++  for(s = slash; *s; s++) {
++    if(*s == '/')
++      *s = '\\';
+   }
++  /* keep a copy at easy struct to not share this with connection state */
++  req->path = curlx_strdup(slash);
++  if(!req->path)
++    return CURLE_OUT_OF_MEMORY;
++
+   return CURLE_OK;
+ }
+ 
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index 7211c43afd2..24af8613ab9 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -25,6 +25,7 @@ SRC_URI = " \
     file://CVE-2026-3783.patch \
     file://0001-build-fix-Wunused-macros-warnings-and-related-tidy-u.patch \
     file://CVE-2026-3784-02.patch \
+    file://CVE-2026-3805.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \