[AutoPR- Security] Patch curl for CVE-2026-4873 [MEDIUM]

SPECS/curl/CVE-2026-4873.patch

@@ -0,0 +1,50 @@
+From 2abe41479e16dc1969c465f7d47218aa9822c877 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 24 Mar 2026 08:35:08 +0100
+Subject: [PATCH] url: do not reuse a non-tls starttls connection if new
+ requires TLS
+
+Reported-by: Arkadi Vainbrand
+
+Closes #21082
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/curl/curl/commit/507e7be573b0a76fca597b75ff7cb27a66e7d865.patch
+---
+ lib/url.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 88f559a..2ba5311 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -841,7 +841,7 @@ struct url_conn_match {
+   BIT(want_proxy_ntlm_http);
+   BIT(want_nego_http);
+   BIT(want_proxy_nego_http);
+-
++  BIT(req_tls); /* require TLS use from a clear-text start */
+   BIT(wait_pipe);
+   BIT(force_reuse);
+   BIT(seen_pending_conn);
+@@ -900,6 +900,9 @@ static bool url_match_auth_nego(struct connectdata *conn,
+     }
+     return FALSE; /* get another */
+   }
++  else if(m->req_tls)
++    /* a clear-text STARTTLS protocol with required TLS */
++    return FALSE;
+   return TRUE;
+ }
+ #else
+@@ -1326,6 +1329,7 @@ ConnectionExists(struct Curl_easy *data,
+     (needle->handler->protocol & PROTO_FAMILY_HTTP);
+ #endif
+ #endif
++  match.req_tls = data->set.use_ssl >= CURLUSESSL_CONTROL;
+
+   /* Find a connection in the pool that matches what "data + needle"
+    * requires. If a suitable candidate is found, it is attached to "data". */
+-- 
+2.45.4
+

SPECS/curl/curl.spec

@@ -1,7 +1,7 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        8.11.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        curl
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -16,6 +16,7 @@ Patch4:         CVE-2025-14017.patch
 Patch5:         CVE-2026-1965.patch
 Patch6:         CVE-2026-3783.patch
 Patch7:         CVE-2026-3784.patch
+Patch8:         CVE-2026-4873.patch
 BuildRequires:  cmake
 BuildRequires:  krb5-devel
 BuildRequires:  libnghttp2-devel
@@ -106,6 +107,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 
 %changelog
+* Thu May 14 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 8.11.1-7
+- Patch for CVE-2026-4873
+
 * Thu Mar 12 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 8.11.1-6
 - Patch for CVE-2026-3784, CVE-2026-3783, CVE-2026-1965
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -199,9 +199,9 @@ krb5-1.21.3-4.azl3.aarch64.rpm
 krb5-devel-1.21.3-4.azl3.aarch64.rpm
 nghttp2-1.61.0-3.azl3.aarch64.rpm
 nghttp2-devel-1.61.0-3.azl3.aarch64.rpm
-curl-8.11.1-6.azl3.aarch64.rpm
-curl-devel-8.11.1-6.azl3.aarch64.rpm
-curl-libs-8.11.1-6.azl3.aarch64.rpm
+curl-8.11.1-7.azl3.aarch64.rpm
+curl-devel-8.11.1-7.azl3.aarch64.rpm
+curl-libs-8.11.1-7.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 libxml2-2.11.5-9.azl3.aarch64.rpm
 libxml2-devel-2.11.5-9.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -199,9 +199,9 @@ krb5-1.21.3-4.azl3.x86_64.rpm
 krb5-devel-1.21.3-4.azl3.x86_64.rpm
 nghttp2-1.61.0-3.azl3.x86_64.rpm
 nghttp2-devel-1.61.0-3.azl3.x86_64.rpm
-curl-8.11.1-6.azl3.x86_64.rpm
-curl-devel-8.11.1-6.azl3.x86_64.rpm
-curl-libs-8.11.1-6.azl3.x86_64.rpm
+curl-8.11.1-7.azl3.x86_64.rpm
+curl-devel-8.11.1-7.azl3.x86_64.rpm
+curl-libs-8.11.1-7.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 libxml2-2.11.5-9.azl3.x86_64.rpm
 libxml2-devel-2.11.5-9.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -67,10 +67,10 @@ cracklib-lang-2.9.11-1.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-devel-1.0.3-1.azl3.aarch64.rpm
-curl-8.11.1-6.azl3.aarch64.rpm
-curl-debuginfo-8.11.1-6.azl3.aarch64.rpm
-curl-devel-8.11.1-6.azl3.aarch64.rpm
-curl-libs-8.11.1-6.azl3.aarch64.rpm
+curl-8.11.1-7.azl3.aarch64.rpm
+curl-debuginfo-8.11.1-7.azl3.aarch64.rpm
+curl-devel-8.11.1-7.azl3.aarch64.rpm
+curl-libs-8.11.1-7.azl3.aarch64.rpm
 Cython-debuginfo-3.0.5-3.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
 debugedit-debuginfo-5.0-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -72,10 +72,10 @@ createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
 cross-binutils-common-2.41-11.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
-curl-8.11.1-6.azl3.x86_64.rpm
-curl-debuginfo-8.11.1-6.azl3.x86_64.rpm
-curl-devel-8.11.1-6.azl3.x86_64.rpm
-curl-libs-8.11.1-6.azl3.x86_64.rpm
+curl-8.11.1-7.azl3.x86_64.rpm
+curl-debuginfo-8.11.1-7.azl3.x86_64.rpm
+curl-devel-8.11.1-7.azl3.x86_64.rpm
+curl-libs-8.11.1-7.azl3.x86_64.rpm
 Cython-debuginfo-3.0.5-3.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
 debugedit-debuginfo-5.0-2.azl3.x86_64.rpm