diff --git a/0071-curl-7.61.1-CVE-2026-8286.patch b/0071-curl-7.61.1-CVE-2026-8286.patch new file mode 100644 index 0000000..6085ffb --- /dev/null +++ b/0071-curl-7.61.1-CVE-2026-8286.patch @@ -0,0 +1,53 @@ +From a86efdd7ca5433de9231e650f18247de8319ad16 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 7 May 2026 10:30:07 +0200 +Subject: [PATCH] url: fix connection reuse for starttls protocols + +When a connection is tested for reuse in a transfer that *may* upgrade +to TLS (commonly via STARTTLS), the SSL configuration must match the +existing connection. + +Also reject non-TLS connections when the transfer requires TLS via +STARTTLS (use_ssl >= CURLUSESSL_CONTROL). + +Adapted from upstream commit a86efdd7ca5433de9231e650f18247de8319ad16 +for the ConnectionExists() function in curl 7.61.1. + +Upstream-commit: a86efdd7ca5433de9231e650f18247de8319ad16 +Resolves: CVE-2026-8286 + +--- + lib/url.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +--- a/lib/url.c ++++ b/lib/url.c +@@ -1220,6 +1220,13 @@ + /* except protocols that have been upgraded via TLS */ + continue; + ++ /* For STARTTLS protocols that require TLS, reject non-TLS connections */ ++ if(data->set.use_ssl >= CURLUSESSL_CONTROL && ++ !(needle->handler->flags & PROTOPT_SSL) && ++ check->ssl[FIRSTSOCKET].state != ssl_connection_complete && ++ !check->tls_upgraded) ++ continue; ++ + if(needle->bits.httpproxy != check->bits.httpproxy || + needle->bits.socksproxy != check->bits.socksproxy) + continue; +@@ -1344,9 +1351,10 @@ + /* The schemes match or the the protocol family is the same and the + previous connection was TLS upgraded, and the hostname and host + port match */ +- if(needle->handler->flags & PROTOPT_SSL) { +- /* This is a SSL connection so verify that we're using the same +- SSL options as well */ ++ if((needle->handler->flags & PROTOPT_SSL) || ++ data->set.use_ssl > CURLUSESSL_NONE) { ++ /* This is a SSL or STARTTLS connection so verify that we're ++ using the same SSL options as well */ + if(!Curl_ssl_config_matches(&needle->ssl_config, + &check->ssl_config)) { + DEBUGF(infof(data, diff --git a/curl.spec b/curl.spec index f0fd9bc..9ace3fb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 34%{?dist}.12 +Release: 34%{?dist}.13 License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -205,6 +205,9 @@ Patch69: 0069-curl-7.61.1-aws-sigv4.patch # noproxy: support proxies specified using cidr notation Patch70: 0070-curl-7.61.1-noproxy-support-using-cidr.patch +# url: reject TLS-to-cleartext STARTTLS connection reuse (CVE-2026-8286) +Patch71: 0071-curl-7.61.1-CVE-2026-8286.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -447,6 +450,7 @@ git apply %{PATCH52} %patch -P 68 -p1 %patch -P 69 -p1 %patch -P 70 -p1 +%patch -P 71 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -611,6 +615,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jul 13 2026 Jacek Migacz - 7.61.1-34.el8_10.13 +- fix TLS/STARTTLS connection reuse vulnerability (CVE-2026-8286) + * Tue May 06 2026 Jacek Migacz - 7.61.1-34.el8_10.12 - NTLM: use HTTP/1.0 instead of HTTP/1.1 for compatibility (RHEL-171912)