diff --git a/SPECS/curl/CVE-2026-4873.patch b/SPECS/curl/CVE-2026-4873.patch
new file mode 100644
index 00000000000..7cf6175ba19
--- /dev/null
+++ b/SPECS/curl/CVE-2026-4873.patch
@@ -0,0 +1,50 @@
+From 2abe41479e16dc1969c465f7d47218aa9822c877 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 24 Mar 2026 08:35:08 +0100
+Subject: [PATCH] url: do not reuse a non-tls starttls connection if new
+ requires TLS
+
+Reported-by: Arkadi Vainbrand
+
+Closes #21082
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/curl/curl/commit/507e7be573b0a76fca597b75ff7cb27a66e7d865.patch
+---
+ lib/url.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 88f559a..2ba5311 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -841,7 +841,7 @@ struct url_conn_match {
+ BIT(want_proxy_ntlm_http);
+ BIT(want_nego_http);
+ BIT(want_proxy_nego_http);
+-
++ BIT(req_tls); /* require TLS use from a clear-text start */
+ BIT(wait_pipe);
+ BIT(force_reuse);
+ BIT(seen_pending_conn);
+@@ -900,6 +900,9 @@ static bool url_match_auth_nego(struct connectdata *conn,
+ }
+ return FALSE; /* get another */
+ }
++ else if(m->req_tls)
++ /* a clear-text STARTTLS protocol with required TLS */
++ return FALSE;
+ return TRUE;
+ }
+ #else
+@@ -1326,6 +1329,7 @@ ConnectionExists(struct Curl_easy *data,
+ (needle->handler->protocol & PROTO_FAMILY_HTTP);
+ #endif
+ #endif
++ match.req_tls = data->set.use_ssl >= CURLUSESSL_CONTROL;
+
+ /* Find a connection in the pool that matches what "data + needle"
+ * requires. If a suitable candidate is found, it is attached to "data". */
+--
+2.45.4
+
diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec
index 7cb93f8747d..830e7e8f90f 100644
--- a/SPECS/curl/curl.spec
+++ b/SPECS/curl/curl.spec
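Review bot: The new `else if(m->req_tls) return FALSE;` branch in url_match_auth_nego rejects every pooled candidate whenever the handle sets use_ssl to CURLUSESSL_CONTROL or higher, without checking whether that candidate is still clear-text or has already completed its STARTTLS upgrade, so unless a check outside this hunk already filters on the candidate's TLS state it turns off reuse for all TLS-required sessions rather than only the unsafe ones. Gating it on the candidate's actual state, e.g. `else if(m->req_tls && !<candidate-has-TLS>(conn))` with whatever helper this tree exposes for that (`Curl_conn_is_ssl`, if present here), would keep the security property while preserving reuse of already-upgraded connections. The branch is chained onto an `if` that starts before the hunk, and the function is closed by an `#else`, so a build that takes the `#else` side would not run this check at all unless the stub there also honours req_tls; both need confirming. The new `BIT(req_tls)` field deserves a comment naming who sets it — `match.req_tls` in ConnectionExists from `data->set.use_ssl` — so readers of the match struct can see the requirement comes from the needle, not the candidate.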
@@ -1,7 +1,7 @@
 Summary: An URL retrieval utility and library
 Name: curl
 Version: 8.11.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: curl
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -16,6 +16,7 @@ Patch4: CVE-2025-14017.patch
 Patch5: CVE-2026-1965.patch
 Patch6: CVE-2026-3783.patch
 Patch7: CVE-2026-3784.patch
+Patch8: CVE-2026-4873.patch
 BuildRequires: cmake
 BuildRequires: krb5-devel
 BuildRequires: libnghttp2-devel
@@ -106,6 +107,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 %changelog
+* Thu May 14 2026 Azure Linux Security Servicing Account - 8.11.1-7
+- Patch for CVE-2026-4873
+
 * Thu Mar 12 2026 Azure Linux Security Servicing Account - 8.11.1-6
 - Patch for CVE-2026-3784, CVE-2026-3783, CVE-2026-1965
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 594c1d5b9c5..e3baa5d42bd 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -199,9 +199,9 @@ krb5-1.21.3-4.azl3.aarch64.rpm
 krb5-devel-1.21.3-4.azl3.aarch64.rpm
 nghttp2-1.61.0-3.azl3.aarch64.rpm
 nghttp2-devel-1.61.0-3.azl3.aarch64.rpm
-curl-8.11.1-6.azl3.aarch64.rpm
-curl-devel-8.11.1-6.azl3.aarch64.rpm
-curl-libs-8.11.1-6.azl3.aarch64.rpm
+curl-8.11.1-7.azl3.aarch64.rpm
+curl-devel-8.11.1-7.azl3.aarch64.rpm
+curl-libs-8.11.1-7.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 libxml2-2.11.5-9.azl3.aarch64.rpm
 libxml2-devel-2.11.5-9.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 4752b06361a..89eb4f1e712 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -199,9 +199,9 @@ krb5-1.21.3-4.azl3.x86_64.rpm
 krb5-devel-1.21.3-4.azl3.x86_64.rpm
 nghttp2-1.61.0-3.azl3.x86_64.rpm
 nghttp2-devel-1.61.0-3.azl3.x86_64.rpm
-curl-8.11.1-6.azl3.x86_64.rpm
-curl-devel-8.11.1-6.azl3.x86_64.rpm
-curl-libs-8.11.1-6.azl3.x86_64.rpm
+curl-8.11.1-7.azl3.x86_64.rpm
+curl-devel-8.11.1-7.azl3.x86_64.rpm
+curl-libs-8.11.1-7.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 libxml2-2.11.5-9.azl3.x86_64.rpm
 libxml2-devel-2.11.5-9.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 475c5fb72d2..91c4e2780b4 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -67,10 +67,10 @@ cracklib-lang-2.9.11-1.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-devel-1.0.3-1.azl3.aarch64.rpm
-curl-8.11.1-6.azl3.aarch64.rpm
-curl-debuginfo-8.11.1-6.azl3.aarch64.rpm
-curl-devel-8.11.1-6.azl3.aarch64.rpm
-curl-libs-8.11.1-6.azl3.aarch64.rpm
+curl-8.11.1-7.azl3.aarch64.rpm
+curl-debuginfo-8.11.1-7.azl3.aarch64.rpm
+curl-devel-8.11.1-7.azl3.aarch64.rpm
+curl-libs-8.11.1-7.azl3.aarch64.rpm
 Cython-debuginfo-3.0.5-3.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
 debugedit-debuginfo-5.0-2.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 3d7c2696fd6..6e844a49c51 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -72,10 +72,10 @@ createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
 cross-binutils-common-2.41-11.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
-curl-8.11.1-6.azl3.x86_64.rpm
-curl-debuginfo-8.11.1-6.azl3.x86_64.rpm
-curl-devel-8.11.1-6.azl3.x86_64.rpm
-curl-libs-8.11.1-6.azl3.x86_64.rpm
+curl-8.11.1-7.azl3.x86_64.rpm
+curl-debuginfo-8.11.1-7.azl3.x86_64.rpm
+curl-devel-8.11.1-7.azl3.x86_64.rpm
+curl-libs-8.11.1-7.azl3.x86_64.rpm
 Cython-debuginfo-3.0.5-3.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
 debugedit-debuginfo-5.0-2.azl3.x86_64.rpm