
[AutoPR- Security] Patch curl for CVE-2026-3784, CVE-2026-3783, CVE-2026-1965 [MEDIUM]#16181

Merged
kgodara912 merged 4 commits into microsoft:3.0-dev from azurelinux-security:azure-autosec/curl/3.0/1068254
Apr 13, 2026

Conversation

@azurelinux-security azurelinux-security commented Mar 12, 2026

Auto Patch curl for CVE-2026-3784, CVE-2026-3783, CVE-2026-1965.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1068254&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

akhila-guruju commented Mar 16, 2026

Failure Reason: crlf="headers" in tests/data/test2006 is a v8.19.0-only test framework feature and will fail for v8.11.1, as the value "headers" is not defined in this version. It was introduced in v8.17.0:
curl-8_19_0/docs/tests/FILEFORMAT.md

Fix: We have curl version 8.11.1. According to the curl test suite file format (8_11_1/tests/FILEFORMAT.md), crlf takes only one value, "yes". So the test suite was refactored according to v8.11.1.

@akhila-guruju (Contributor)

Buddy Build after recent changes.
Build has passed.

@akhila-guruju (Contributor)

resolved merge conflicts

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review March 30, 2026 20:37
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner March 30, 2026 20:37
@Kanishk-Bansal (Contributor)

PR #16181 Review: [AutoPR-Security] Patch curl for CVE-2026-3784, CVE-2026-3783, CVE-2026-1965 [MEDIUM]

PR: #16181
Build: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1071437&view=results
Branch: azure-autosec/curl/3.0/1068254 → 3.0-dev
Labels: AutoPR-Security, 3.0-dev, Packaging, security


CVE Details

CVE-2026-1965
  • Severity: MEDIUM (6.5)
  • CWE: CWE-305
  • CVSS: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • Description: libcurl wrongly reuses connections authenticated via HTTP Negotiate with different credentials
  • NVD Link: Link
  • Upstream Fix: 34fa034 + f1a39f2

CVE-2026-3783
  • Severity: MEDIUM (5.3)
  • CWE: CWE-522
  • CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Description: OAuth2 bearer token leaked to redirected hostname when .netrc has matching machine/default entry
  • NVD Link: Link
  • Upstream Fix: e3d7401

CVE-2026-3784
  • Severity: MEDIUM (6.5)
  • CWE: CWE-305
  • CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • Description: HTTP proxy CONNECT connection wrongly reused with different proxy credentials
  • NVD Link: Link
  • Upstream Fix: 5f13a76

Files Changed (8 files, +475 / -15)

  • SPECS/curl/CVE-2026-1965.patch: New, 139 lines
  • SPECS/curl/CVE-2026-3783.patch: New, 149 lines
  • SPECS/curl/CVE-2026-3784.patch: New, 166 lines
  • SPECS/curl/curl.spec: Release bump + patch declarations + changelog
  • toolkit/resources/manifests/package/pkggen_core_aarch64.txt: curl 8.11.1-5 → 8.11.1-6
  • toolkit/resources/manifests/package/pkggen_core_x86_64.txt: curl 8.11.1-5 → 8.11.1-6
  • toolkit/resources/manifests/package/toolchain_aarch64.txt: curl 8.11.1-5 → 8.11.1-6
  • toolkit/resources/manifests/package/toolchain_x86_64.txt: curl 8.11.1-5 → 8.11.1-6

Review Checklist

1. SPEC File Changes (curl.spec)

  • Release bump: ✅ PASS. Release: 5%{?dist} → Release: 6%{?dist}
  • Patch declarations: ✅ PASS. Patch5: CVE-2026-1965.patch, Patch6: CVE-2026-3783.patch, Patch7: CVE-2026-3784.patch, sequential after existing Patch4
  • Patch application: ✅ PASS. Uses %autosetup -p1, so patches are applied automatically
  • Changelog entry: ✅ PASS. * Thu Mar 12 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 8.11.1-6, with "- Patch for CVE-2026-3784, CVE-2026-3783, CVE-2026-1965"
  • Changelog ordering: ⚠️ WARNING. error: %changelog not in descending chronological order (pre-existing issue, not introduced by this PR)

2. Patch File Verification

CVE-2026-1965.patch — Negotiate authentication connection reuse fix

  • Upstream reference: ✅ PASS. AI backport of upstream commits 34fa034 and f1a39f2
  • Patch target: ✅ PASS. lib/url.c, 85 additions, 5 deletions
  • Patch applies cleanly: ✅ PASS. Applied with --fuzz=0 --no-backup-if-mismatch

Patch content: Adds url_match_auth_nego() function (guarded by USE_SPNEGO) to properly verify Negotiate authentication credentials before reusing connections. Adds want_nego_http and want_proxy_nego_http BIT fields to struct url_conn_match. The function checks user/password match using Curl_timestrcmp (timing-safe comparison) and enforces separate connections for different Negotiate-authenticated users.

Key observations:

  • Uses Curl_timestrcmp for constant-time credential comparison — good security practice
  • Properly handles both direct and proxy Negotiate auth
  • Includes #ifndef CURL_DISABLE_PROXY guards for proxy-related code
  • Falls back to #define url_match_auth_nego(c, m) ((void)c, (void)m, TRUE) when USE_SPNEGO is not defined
  • Also adjusts existing NTLM match code to remove unnecessary parentheses around boolean expressions (cosmetic cleanup)

CVE-2026-3783.patch — Bearer token leak on redirect fix

  • Upstream reference: ✅ PASS. Upstream commit e3d7401 (Daniel Stenberg, closes #20843)
  • Patch target: ✅ PASS. lib/http.c (1 line), tests/data/Makefile.am (1 line), tests/data/test2006 (new test file)
  • Patch applies cleanly: ✅ PASS. Applied with --fuzz=0 --no-backup-if-mismatch

Patch content: Adds Curl_auth_allowed_to_host(data) check before sending Bearer token in output_auth_headers(). This prevents the bearer token from being sent to a redirected host when .netrc has credentials for the redirect target.

Test suite adaptation (commit 442f2bf): The upstream test2006 originally used crlf="headers" which is a curl v8.19.0+ test framework feature. Since Azure Linux ships curl 8.11.1, the test was correctly refactored to use crlf="yes" which is supported in this version. This was identified by @akhila-guruju and is properly documented in the PR conversation. The <protocol crlf="yes"> and <data crlf="yes"> tags match the v8.11.1 test format spec.

CVE-2026-3784.patch — Proxy auth connection reuse fix

  • Upstream reference: ✅ PASS. AI backport of upstream commit 5f13a76 (closes #20837)
  • Patch target: ✅ PASS. lib/url.c (reformulated), tests/http/test_13_proxy_auth.py (new test), tests/http/testenv/curl.py (url_options support)
  • Patch applies cleanly: ✅ PASS. Applied with --fuzz=0 --no-backup-if-mismatch

Patch content: Merges proxy credential checking into proxy_info_matches() by adding Curl_timestrcmp user/password comparison directly in the function. This eliminates the separate socks_proxy_info_matches() function (which was the only place doing credential checks for SOCKS proxies) and ensures all proxy types (HTTP and SOCKS) validate credentials before connection reuse. This is a simplification that strengthens security by making credential checks uniform.

Key changes:

  • proxy_info_matches() now checks user/password (using timing-safe Curl_timestrcmp)
  • Removes socks_proxy_info_matches() — its logic is now subsumed
  • url_match_conn() uses proxy_info_matches() for SOCKS proxies instead of the removed function
  • Adds test_13_10_tunnels_mixed_auth test validating correct behavior with mixed proxy credentials
  • Extends CurlClient with url_options parameter for per-URL argument support

3. Patch Ordering and Dependencies

  • Patch ordering: ✅ PASS. CVE-2026-1965 (Patch5) → CVE-2026-3783 (Patch6) → CVE-2026-3784 (Patch7)
  • Patch dependencies: ✅ PASS. CVE-2026-1965 modifies lib/url.c (index 436edd8→d62eefa), CVE-2026-3784 builds on that (index d62eefa→88f559a): correct chaining
  • No conflicts between patches: ✅ PASS. Patches target different sections: CVE-2026-1965 (Negotiate auth matching), CVE-2026-3783 (HTTP bearer output), CVE-2026-3784 (proxy matching)

4. Manifest Updates

  • pkggen_core_aarch64.txt: ✅ PASS. curl, curl-devel, curl-libs: 8.11.1-5 → 8.11.1-6
  • pkggen_core_x86_64.txt: ✅ PASS. curl, curl-devel, curl-libs: 8.11.1-5 → 8.11.1-6
  • toolchain_aarch64.txt: ✅ PASS. curl, curl-debuginfo, curl-devel, curl-libs: 8.11.1-5 → 8.11.1-6
  • toolchain_x86_64.txt: ✅ PASS. curl, curl-debuginfo, curl-devel, curl-libs: 8.11.1-5 → 8.11.1-6

5. PR Description

  • Summary: ✅ PASS. CVE descriptions and links provided
  • Change Log: ✅ PASS. All three CVEs referenced
  • Links to CVEs: ✅ PASS. NVD links provided for all three CVEs
  • Test Methodology: ✅ PASS. Buddy build URL provided (buildId=1068310 initial, 1071437 after fix)
  • Failure analysis documented: ✅ PASS. @akhila-guruju documented the crlf="headers" compatibility issue and fix

6. Build Verification (Build ID: 1071437)

AMD64 (x86_64)

  • Build result: PASS. Built (curl-8.11.1-6.azl3.src.rpm) -> [curl, curl-debuginfo, curl-devel, curl-libs]
  • Patches applied cleanly: ✅ PASS. All 8 patches (Patch0-Patch7) applied via %autosetup -p1 with --fuzz=0 --no-backup-if-mismatch
  • Compilation: ✅ PASS. No errors or new warnings from patched files
  • Test suite: PASS. 1447 out of 1447 tests reported OK: 100% (1746 total considered, rest skipped due to missing server capabilities)
  • Test 2006: ✅ PASS. test 2006...OK (new test for CVE-2026-3783 bearer token fix)
  • Package test: ✅ PASS. pkgtest: Pass (482s execution time)
  • License check: ✅ PASS. "No license issues found"

Skipped server types (expected in chroot, not failures):

  • SSH server, SMB server, HTTP/2 server — not available in build environment

Produced RPMs:

  • curl-8.11.1-6.azl3.x86_64.rpm
  • curl-debuginfo-8.11.1-6.azl3.x86_64.rpm
  • curl-devel-8.11.1-6.azl3.x86_64.rpm
  • curl-libs-8.11.1-6.azl3.x86_64.rpm

ARM64 (aarch64)

  • Build result: PASS. Built (curl-8.11.1-6.azl3.src.rpm) -> [curl, curl-debuginfo, curl-devel, curl-libs]
  • Patches applied cleanly: ✅ PASS. All patches applied without issues
  • Test suite: PASS. 1447 out of 1447 tests reported OK: 100%
  • Package test: ✅ PASS. pkgtest: Pass (522s execution time)

Produced RPMs:

  • curl-8.11.1-6.azl3.aarch64.rpm
  • curl-debuginfo-8.11.1-6.azl3.aarch64.rpm
  • curl-devel-8.11.1-6.azl3.aarch64.rpm
  • curl-libs-8.11.1-6.azl3.aarch64.rpm

7. Additional Checks

  • Signatures file: N/A. Not visible in PR diff; may need verification
  • Branch targeting: ✅ PASS. 3.0-dev appropriate for MEDIUM severity CVEs
  • Severity label: ✅ PASS. [MEDIUM] in title matches all three CVE CVSS scores
  • Dependent package rebuilds: ✅ PASS. curl is a shared library; no static-link dependents requiring release bumps
  • Merge conflicts: ✅ PASS. Resolved (noted in PR conversation by @akhila-guruju)

Summary

  • SPEC file changes: ✅ PASS
  • CVE-2026-1965 patch: ✅ PASS
  • CVE-2026-3783 patch: ✅ PASS (with test adaptation for v8.11.1)
  • CVE-2026-3784 patch: ✅ PASS
  • Patch ordering/dependencies: ✅ PASS
  • Manifest updates: ✅ PASS
  • PR description: ✅ PASS
  • AMD64 build + tests: ✅ PASS (100% test pass rate)
  • ARM64 build + tests: ✅ PASS (100% test pass rate)

Overall: LGTM. All three patches address genuine connection-reuse security vulnerabilities in curl. Patches reference upstream commits, apply cleanly without fuzz, and the full test suite passes at 100% on both architectures. The crlf="headers" → crlf="yes" adaptation for test2006 is correctly done for the v8.11.1 test framework.
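
The three checks the review above describes, as an added example in C that is not curl's code and not part of this PR: a simplified model of Negotiate credential matching before connection reuse (CVE-2026-1965), of a single proxy_info_matches() that compares proxy credentials for every proxy type (CVE-2026-3784), and of the Curl_auth_allowed_to_host() gate that keeps a Bearer header from following a redirect to another host (CVE-2026-3783). The struct layouts, the scenario helpers, the host names and the credentials are assumptions of this example; the function names only echo curl's for readability, and the constant-time compare is written in the spirit of Curl_timestrcmp rather than copied from it.

```c
/* Added example, not curl's code and not part of this PR: a simplified model of
 * the three checks the patches backport. Function names echo curl's for
 * readability; the structs and scenario helpers are assumptions of this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Like Curl_timestrcmp: no early exit on the first differing byte. Returns 0 when
 * equal (or both NULL). As in curl, the length of the shorter string still leaks. */
static int timestrcmp(const char *a, const char *b)
{
    int match = 0;
    size_t i = 0;
    if(!a || !b)
        return a != b;                    /* exactly one NULL -> differ */
    for(;;) {
        match |= (unsigned char)a[i] ^ (unsigned char)b[i];
        if(!a[i] || !b[i])
            break;
        i++;
    }
    return match;
}

enum proxytype { PROXY_NONE = 0, PROXY_HTTP, PROXY_SOCKS5 };
struct proxy_info {
    enum proxytype type;                  /* PROXY_NONE: no proxy in use */
    const char *host;
    int port;
    const char *user, *passwd;            /* NULL when unauthenticated */
};

struct conn_match {                       /* cached connection or wanting request */
    bool nego_http;                       /* authenticated via HTTP Negotiate */
    const char *user, *passwd;
    struct proxy_info proxy;
};

/* CVE-2026-1965 model: a Negotiate-authenticated connection is handed only to a
 * request that uses Negotiate with the very same user and password. */
static bool match_auth_nego(const struct conn_match *conn, const struct conn_match *want)
{
    if(!conn->nego_http && !want->nego_http)
        return true;
    if(conn->nego_http != want->nego_http)
        return false;
    return timestrcmp(conn->user, want->user) == 0 &&
           timestrcmp(conn->passwd, want->passwd) == 0;
}

/* CVE-2026-3784 model: one proxy_info_matches() for every proxy type, credential
 * check included, so HTTP CONNECT tunnels get what SOCKS proxies already had. */
static bool proxy_info_matches(const struct proxy_info *a, const struct proxy_info *b)
{
    if(a->type == PROXY_NONE && b->type == PROXY_NONE)
        return true;
    if(a->type != b->type || a->port != b->port)
        return false;
    if(!a->host || !b->host || strcmp(a->host, b->host) != 0)
        return false;
    return timestrcmp(a->user, b->user) == 0 && timestrcmp(a->passwd, b->passwd) == 0;
}

/* The gate the connection cache applies before reusing a connection. */
static bool conn_reusable(const struct conn_match *conn, const struct conn_match *want)
{
    return match_auth_nego(conn, want) && proxy_info_matches(&conn->proxy, &want->proxy);
}

/* CVE-2026-3783 model of Curl_auth_allowed_to_host(): after a redirect the Bearer
 * token goes only to the host the transfer started on, unless the caller opted in
 * to sending auth to other hosts (what curl's --location-trusted does). */
static bool auth_allowed_to_host(const char *first_host, const char *current_host,
                                 bool is_a_follow, bool allow_auth_to_other_hosts)
{
    if(!is_a_follow || allow_auth_to_other_hosts)
        return true;
    return first_host && current_host && strcmp(first_host, current_host) == 0;
}

/* Scenario helpers: would a Negotiate (resp. HTTP proxy) connection opened with the
 * first credentials be reused by a request carrying the second? */
static bool nego_reuse(const char *cu, const char *cp, const char *wu, const char *wp)
{
    struct conn_match conn = { true, cu, cp, { PROXY_NONE, NULL, 0, NULL, NULL } };
    struct conn_match want = { true, wu, wp, { PROXY_NONE, NULL, 0, NULL, NULL } };
    return conn_reusable(&conn, &want);
}

static bool proxy_reuse(const char *cu, const char *cp, const char *wu, const char *wp)
{
    struct conn_match conn = { false, NULL, NULL, { PROXY_HTTP, "proxy.example", 3128, cu, cp } };
    struct conn_match want = { false, NULL, NULL, { PROXY_HTTP, "proxy.example", 3128, wu, wp } };
    return conn_reusable(&conn, &want);
}

int main(void)
{
    printf("other Negotiate user reused: %s\n", nego_reuse("alice", "s3cret", "bob", "hunter2") ? "yes" : "no");
    printf("other proxy password reused: %s\n", proxy_reuse("pu", "pp", "pu", "other") ? "yes" : "no");
    printf("Bearer sent to redirect host: %s\n", auth_allowed_to_host("api.example", "evil.example", true, false) ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The point the three functions share is that credentials are part of a connection's identity: a cached connection is reusable only by a request holding the credentials that opened it, and a token is only as safe as the set of hosts the code agrees to send it to. The comparison is kept constant-time in the content of the strings so that matching against a cache of other users' connections does not turn into a byte-by-byte oracle.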

@suresh-thelkar (Contributor) left a comment

Code changes look good to me. There are some PR checks failing. Please look into them and fix them if they are valid issues. If they are known issues, please add a brief description of them.

@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review label (PR has passed initial review and is now ready for a second-level stable maintainer review) Apr 1, 2026
@kgodara912 (Contributor) left a comment

All the patches match their respective upstream references, except for minor variable name changes in the higher upstream version; those name changes are inferred from the removed code lines and kept in the backport. Buddy build is successful. LGTM.

@kgodara912 kgodara912 merged commit 176d71f into microsoft:3.0-dev Apr 13, 2026
17 checks passed
Kanishk-Bansal pushed a commit that referenced this pull request Apr 13, 2026
…16181)

Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>

Labels

  • 3.0-dev (PRs Destined for AzureLinux 3.0)
  • AutoPR-Security
  • Packaging
  • ready-for-stable-review (PR has passed initial review and is now ready for a second-level stable maintainer review)
  • security
