On Fri Mar 27, 2026 at 6:05 PM CET, Yoann Congal wrote: > On Thu Mar 26, 2026 at 11:00 AM CET, Sudhir Dumbhare -X (sudumbha - E > INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: >> From: Sudhir Dumbhare <[email protected]> >> >> Applying the fixes from upstream commit [3] and [4] cause merge conflicts >> and require other dependent commits to be backported. Instead, backport >> the Ubuntu-provided patches [1], which fixes the vulnerability as mentioned >> in changelog [2]. >> >> [1] >> http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz >> debian/patches/CVE-2026-1965-1.patch >> debian/patches/CVE-2026-1965-2.patch >> [2] >> https://changelogs.ubuntu.com/changelogs/pool/main/c/curl/curl_8.5.0-2ubuntu10.8/changelog >> [3] >> https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12 >> [4] >> https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70 >> >> Reference: >> https://nvd.nist.gov/vuln/detail/CVE-2026-1965 >> https://curl.se/docs/CVE-2026-1965.html >> https://ubuntu.com/security/CVE-2026-1965 >> >> Signed-off-by: Sudhir Dumbhare <[email protected]> >> --- > > Hello, > > Looks like this patch break tests on arm64: > WARNING: core-image-ptest-curl-1.0-r0 do_testimage: There were failing > ptests. > [...] > AssertionError: > Failed ptests: > {'curl': ['2006_-_.netrc_default_with_redirect_plus_oauth2-bearer_-_data']}
And also breaks on x86-64: qemuarm64-ptest https://autobuilder.yoctoproject.org/valkyrie/#/builders/61/builds/3361 qemux86-64-ptest https://autobuilder.yoctoproject.org/valkyrie/#/builders/73/builds/3384 > > Can you look at this? > > And, while you are fixing this patch, can you please resend your series > (the 3 curl CVE fixes) as 1 series instead of 3 individual patches? > > Thanks! > > >> Changes from v1 -> v2: >> - Updated with the correct patch series numbering >> >> .../curl/curl/CVE-2026-1965_p1.patch | 98 +++++++++++++++++++ >> .../curl/curl/CVE-2026-1965_p2.patch | 30 ++++++ >> meta/recipes-support/curl/curl_8.7.1.bb | 2 + >> 3 files changed, 130 insertions(+) >> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch >> create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch >> >> diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch >> b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch >> new file mode 100644 >> index 0000000000..8079b453eb >> --- /dev/null >> +++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p1.patch >> @@ -0,0 +1,98 @@ >> +Backport of: >> + >> +From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001 >> +From: Daniel Stenberg <[email protected]> >> +Date: Thu, 5 Feb 2026 08:34:21 +0100 >> +Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate >> + >> +Assume Negotiate means connection-based >> + >> +Reported-by: Zhicheng Chen >> +Closes #20534 >> + >> +CVE: CVE-2026-1965 >> +Upstream-Status: Backport >> [https://github.com/curl/curl/commit/34fa034d9a390c4bd65e2d05262755ec8646ac12] >> + >> +Signed-off-by: Sudhir Dumbhare <[email protected]> >> +--- >> + lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++---- >> + 1 file changed, 82 insertions(+), 5 deletions(-) >> + >> +--- a/lib/url.c >> ++++ b/lib/url.c >> +@@ -935,6 +935,18 @@ ConnectionExists(struct Curl_easy *data, >> + bool wantProxyNTLMhttp = FALSE; >> + #endif >> + #endif >> ++ >> ++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) >> ++ bool wantNegohttp = >> ++ (data->state.authhost.want & CURLAUTH_NEGOTIATE) && >> ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); >> ++#ifndef CURL_DISABLE_PROXY >> ++ bool wantProxyNegohttp = >> ++ needle->bits.proxy_user_passwd && >> ++ (data->state.authproxy.want & CURLAUTH_NEGOTIATE) && >> ++ (needle->handler->protocol & PROTO_FAMILY_HTTP); >> ++#endif >> ++#endif >> + /* plain HTTP with upgrade */ >> + bool h2upgrade = (data->state.httpwant == CURL_HTTP_VERSION_2_0) && >> + (needle->handler->protocol & CURLPROTO_HTTP); >> +@@ -1272,6 +1284,56 @@ ConnectionExists(struct Curl_easy *data, >> + } >> + #endif >> + >> ++#ifdef USE_SPNEGO >> ++ /* If we are looking for an HTTP+Negotiate connection, check if this is >> ++ already authenticating with the right credentials. If not, keep >> looking >> ++ so that we can reuse Negotiate connections if possible. */ >> ++ if(wantNegohttp) { >> ++ if(Curl_timestrcmp(needle->user, check->user) || >> ++ Curl_timestrcmp(needle->passwd, check->passwd)) >> ++ continue; >> ++ } >> ++ else if(check->http_negotiate_state != GSS_AUTHNONE) { >> ++ /* Connection is using Negotiate auth but we do not want Negotiate */ >> ++ continue; >> ++ } >> ++ >> ++#ifndef CURL_DISABLE_PROXY >> ++ /* Same for Proxy Negotiate authentication */ >> ++ if(wantProxyNegohttp) { >> ++ /* Both check->http_proxy.user and check->http_proxy.passwd can be >> ++ * NULL */ >> ++ if(!check->http_proxy.user || !check->http_proxy.passwd) >> ++ continue; >> ++ >> ++ if(Curl_timestrcmp(needle->http_proxy.user, >> ++ check->http_proxy.user) || >> ++ Curl_timestrcmp(needle->http_proxy.passwd, >> ++ check->http_proxy.passwd)) >> ++ continue; >> ++ } >> ++ else if(check->proxy_negotiate_state != GSS_AUTHNONE) { >> ++ /* Proxy connection is using Negotiate auth but we do not want >> Negotiate */ >> ++ continue; >> ++ } >> ++#endif >> ++ if(wantNTLMhttp || wantProxyNTLMhttp) { >> ++ /* Credentials are already checked, we may use this connection. We MUST >> ++ * use a connection where it has already been fully negotiated. If it >> has >> ++ * not, we keep on looking for a better one. */ >> ++ chosen = check; >> ++ if((wantNegohttp && >> ++ (check->http_negotiate_state != GSS_AUTHNONE)) || >> ++ (wantProxyNegohttp && >> ++ (check->proxy_negotiate_state != GSS_AUTHNONE))) { >> ++ /* We must use this connection, no other */ >> ++ *force_reuse = TRUE; >> ++ break; >> ++ } >> ++ continue; /* get another */ >> ++ } >> ++#endif >> ++ >> + if(CONN_INUSE(check)) { >> + DEBUGASSERT(canmultiplex); >> + DEBUGASSERT(check->bits.multiplex); >> diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch >> b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch >> new file mode 100644 >> index 0000000000..1fdb658f23 >> --- /dev/null >> +++ b/meta/recipes-support/curl/curl/CVE-2026-1965_p2.patch >> @@ -0,0 +1,30 @@ >> +Backport of: >> + >> +From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001 >> +From: Daniel Stenberg <[email protected]> >> +Date: Sat, 21 Feb 2026 18:11:41 +0100 >> +Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake >> + >> +Follow-up to 34fa034 >> +Reported-by: dahmono on github >> +Closes #20662 >> + >> +CVE: CVE-2026-1965 >> +Upstream-Status: Backport >> [https://github.com/curl/curl/commit/f1a39f221d57354990e3eeeddc3404aede2aff70] >> + >> +Signed-off-by: Sudhir Dumbhare <[email protected]> >> +--- >> + lib/url.c | 2 +- >> + 1 file changed, 1 insertion(+), 1 deletion(-) >> + >> +--- a/lib/url.c >> ++++ b/lib/url.c >> +@@ -1317,7 +1317,7 @@ ConnectionExists(struct Curl_easy *data, >> + continue; >> + } >> + #endif >> +- if(wantNTLMhttp || wantProxyNTLMhttp) { >> ++ if(wantNegohttp || wantProxyNegohttp) { >> + /* Credentials are already checked, we may use this connection. We MUST >> + * use a connection where it has already been fully negotiated. If it >> has >> + * not, we keep on looking for a better one. */ >> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb >> b/meta/recipes-support/curl/curl_8.7.1.bb >> index 9e37684b2c..e2f6f8472f 100644 >> --- a/meta/recipes-support/curl/curl_8.7.1.bb >> +++ b/meta/recipes-support/curl/curl_8.7.1.bb >> @@ -32,6 +32,8 @@ SRC_URI = " \ >> file://CVE-2025-14819.patch \ >> file://CVE-2025-15079.patch \ >> file://CVE-2025-15224.patch \ >> + file://CVE-2026-1965_p1.patch \ >> + file://CVE-2026-1965_p2.patch \ >> " >> >> SRC_URI:append:class-nativesdk = " \ -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#234103): https://lists.openembedded.org/g/openembedded-core/message/234103 Mute This Topic: https://lists.openembedded.org/mt/118515626/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
