From: Anil Dongare <[email protected]> Backport the upstream fix [1] for the Negotiate-authenticated connection reuse issue described in [2] and tracked by [3].
[1] https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd [2] https://curl.se/docs/CVE-2026-5545.html [3] https://nvd.nist.gov/vuln/detail/CVE-2026-5545 Signed-off-by: Anil Dongare <[email protected]> --- .../curl/curl/CVE-2026-5545.patch | 44 +++++++++++++++++++ meta/recipes-support/curl/curl_8.7.1.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5545.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-5545.patch b/meta/recipes-support/curl/curl/CVE-2026-5545.patch new file mode 100644 index 0000000000..34400176f0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-5545.patch @@ -0,0 +1,44 @@ +From b98d817a2c168834747ba4721b8d66cd1e683578 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <[email protected]> +Date: Fri, 5 Jun 2026 01:17:44 -0700 +Subject: [PATCH] url: improve connection reuse on negotiate + +Check state of negotiate to allow proper connection reuse. + +Closes #21203 + +CVE: CVE-2026-5545 +Upstream-Status: Backport [https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd] + +Backport Changes: +- curl-8.7.1 still performs the NTLM/Negotiate reuse logic inline in + ConnectionExists(), so the upstream guard was adapted there. + +(cherry picked from commit 33e43985b8f3b9e66691d06e70be0395849856cd) +Signed-off-by: Anil Dongare <[email protected]> +--- + lib/url.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 759a994..34a3470 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1226,8 +1226,14 @@ ConnectionExists(struct Curl_easy *data, + Curl_timestrcmp(needle->passwd, check->passwd)) { + + /* we prefer a credential match, but this is at least a connection +- that can be reused and "upgraded" to NTLM */ ++ that can be reused and "upgraded" to NTLM if it does ++ not have any auth ongoing. */ ++#ifdef USE_SPNEGO ++ if((check->http_ntlm_state == NTLMSTATE_NONE) && ++ (check->http_negotiate_state == GSS_AUTHNONE)) ++#else + if(check->http_ntlm_state == NTLMSTATE_NONE) ++#endif + chosen = check; + continue; + } +-- +2.43.7 diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index ad7ceceb69..5d0133f605 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -36,6 +36,7 @@ SRC_URI = " \ file://CVE-2026-1965-2.patch \ file://CVE-2026-3783.patch \ file://CVE-2026-3784.patch \ + file://CVE-2026-5545.patch \ " SRC_URI:append:class-nativesdk = " \ -- 2.51.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239747): https://lists.openembedded.org/g/openembedded-core/message/239747 Mute This Topic: https://lists.openembedded.org/mt/120028213/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
