url: reject TLS-to-cleartext STARTTLS connection reuse (CVE-2026-8286)
Resolves: RHEL-192523
This commit is contained in:
parent
75d7c367b8
commit
1cd46dc9af
53
0071-curl-7.61.1-CVE-2026-8286.patch
Normal file
53
0071-curl-7.61.1-CVE-2026-8286.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From a86efdd7ca5433de9231e650f18247de8319ad16 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Eissing <stefan@eissing.org>
|
||||
Date: Thu, 7 May 2026 10:30:07 +0200
|
||||
Subject: [PATCH] url: fix connection reuse for starttls protocols
|
||||
|
||||
When a connection is tested for reuse in a transfer that *may* upgrade
|
||||
to TLS (commonly via STARTTLS), the SSL configuration must match the
|
||||
existing connection.
|
||||
|
||||
Also reject non-TLS connections when the transfer requires TLS via
|
||||
STARTTLS (use_ssl >= CURLUSESSL_CONTROL).
|
||||
|
||||
Adapted from upstream commit a86efdd7ca5433de9231e650f18247de8319ad16
|
||||
for the ConnectionExists() function in curl 7.61.1.
|
||||
|
||||
Upstream-commit: a86efdd7ca5433de9231e650f18247de8319ad16
|
||||
Resolves: CVE-2026-8286
|
||||
|
||||
---
|
||||
lib/url.c | 13 +++++++++----
|
||||
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -1220,6 +1220,13 @@
|
||||
/* except protocols that have been upgraded via TLS */
|
||||
continue;
|
||||
|
||||
+ /* For STARTTLS protocols that require TLS, reject non-TLS connections */
|
||||
+ if(data->set.use_ssl >= CURLUSESSL_CONTROL &&
|
||||
+ !(needle->handler->flags & PROTOPT_SSL) &&
|
||||
+ check->ssl[FIRSTSOCKET].state != ssl_connection_complete &&
|
||||
+ !check->tls_upgraded)
|
||||
+ continue;
|
||||
+
|
||||
if(needle->bits.httpproxy != check->bits.httpproxy ||
|
||||
needle->bits.socksproxy != check->bits.socksproxy)
|
||||
continue;
|
||||
@@ -1344,9 +1351,10 @@
|
||||
/* The schemes match or the the protocol family is the same and the
|
||||
previous connection was TLS upgraded, and the hostname and host
|
||||
port match */
|
||||
- if(needle->handler->flags & PROTOPT_SSL) {
|
||||
- /* This is a SSL connection so verify that we're using the same
|
||||
- SSL options as well */
|
||||
+ if((needle->handler->flags & PROTOPT_SSL) ||
|
||||
+ data->set.use_ssl > CURLUSESSL_NONE) {
|
||||
+ /* This is a SSL or STARTTLS connection so verify that we're
|
||||
+ using the same SSL options as well */
|
||||
if(!Curl_ssl_config_matches(&needle->ssl_config,
|
||||
&check->ssl_config)) {
|
||||
DEBUGF(infof(data,
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.61.1
|
||||
Release: 34%{?dist}.12
|
||||
Release: 34%{?dist}.13
|
||||
License: MIT
|
||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
@ -205,6 +205,9 @@ Patch69: 0069-curl-7.61.1-aws-sigv4.patch
|
||||
# noproxy: support proxies specified using cidr notation
|
||||
Patch70: 0070-curl-7.61.1-noproxy-support-using-cidr.patch
|
||||
|
||||
# url: reject TLS-to-cleartext STARTTLS connection reuse (CVE-2026-8286)
|
||||
Patch71: 0071-curl-7.61.1-CVE-2026-8286.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -447,6 +450,7 @@ git apply %{PATCH52}
|
||||
%patch -P 68 -p1
|
||||
%patch -P 69 -p1
|
||||
%patch -P 70 -p1
|
||||
%patch -P 71 -p1
|
||||
|
||||
# make tests/*.py use Python 3
|
||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
||||
@ -611,6 +615,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Mon Jul 13 2026 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.13
|
||||
- fix TLS/STARTTLS connection reuse vulnerability (CVE-2026-8286)
|
||||
|
||||
* Tue May 06 2026 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.12
|
||||
- NTLM: use HTTP/1.0 instead of HTTP/1.1 for compatibility (RHEL-171912)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user