url: reject TLS-to-cleartext STARTTLS connection reuse (CVE-2026-8286)

Resolves: RHEL-192523
This commit is contained in:
Jacek Migacz 2026-07-13 14:00:17 +00:00
parent 75d7c367b8
commit 1cd46dc9af
2 changed files with 61 additions and 1 deletions

View File

@ -0,0 +1,53 @@
From a86efdd7ca5433de9231e650f18247de8319ad16 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Thu, 7 May 2026 10:30:07 +0200
Subject: [PATCH] url: fix connection reuse for starttls protocols
When a connection is tested for reuse in a transfer that *may* upgrade
to TLS (commonly via STARTTLS), the SSL configuration must match the
existing connection.
Also reject non-TLS connections when the transfer requires TLS via
STARTTLS (use_ssl >= CURLUSESSL_CONTROL).
Adapted from upstream commit a86efdd7ca5433de9231e650f18247de8319ad16
for the ConnectionExists() function in curl 7.61.1.
Upstream-commit: a86efdd7ca5433de9231e650f18247de8319ad16
Resolves: CVE-2026-8286
---
lib/url.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/lib/url.c b/lib/url.c
--- a/lib/url.c
+++ b/lib/url.c
@@ -1220,6 +1220,13 @@
/* except protocols that have been upgraded via TLS */
continue;
+ /* For STARTTLS protocols that require TLS, reject non-TLS connections */
+ if(data->set.use_ssl >= CURLUSESSL_CONTROL &&
+ !(needle->handler->flags & PROTOPT_SSL) &&
+ check->ssl[FIRSTSOCKET].state != ssl_connection_complete &&
+ !check->tls_upgraded)
+ continue;
+
if(needle->bits.httpproxy != check->bits.httpproxy ||
needle->bits.socksproxy != check->bits.socksproxy)
continue;
@@ -1344,9 +1351,10 @@
/* The schemes match or the the protocol family is the same and the
previous connection was TLS upgraded, and the hostname and host
port match */
- if(needle->handler->flags & PROTOPT_SSL) {
- /* This is a SSL connection so verify that we're using the same
- SSL options as well */
+ if((needle->handler->flags & PROTOPT_SSL) ||
+ data->set.use_ssl > CURLUSESSL_NONE) {
+ /* This is a SSL or STARTTLS connection so verify that we're
+ using the same SSL options as well */
if(!Curl_ssl_config_matches(&needle->ssl_config,
&check->ssl_config)) {
DEBUGF(infof(data,

View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.61.1
Release: 34%{?dist}.12
Release: 34%{?dist}.13
License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@ -205,6 +205,9 @@ Patch69: 0069-curl-7.61.1-aws-sigv4.patch
# noproxy: support proxies specified using cidr notation
Patch70: 0070-curl-7.61.1-noproxy-support-using-cidr.patch
# url: reject TLS-to-cleartext STARTTLS connection reuse (CVE-2026-8286)
Patch71: 0071-curl-7.61.1-CVE-2026-8286.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@ -447,6 +450,7 @@ git apply %{PATCH52}
%patch -P 68 -p1
%patch -P 69 -p1
%patch -P 70 -p1
%patch -P 71 -p1
# make tests/*.py use Python 3
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -611,6 +615,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Mon Jul 13 2026 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.13
- fix TLS/STARTTLS connection reuse vulnerability (CVE-2026-8286)
* Tue May 06 2026 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.12
- NTLM: use HTTP/1.0 instead of HTTP/1.1 for compatibility (RHEL-171912)