[AutoPR- Security] Patch curl for CVE-2026-3784, CVE-2026-3783, CVE-2026-1965 [MEDIUM]

[azurelinux-security]

Auto Patch curl for CVE-2026-3784, CVE-2026-3783, CVE-2026-1965.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1071438&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

• Auto Patch curl for CVE-2026-3784 (MEDIUM), CVE-2026-3783 (MEDIUM), CVE-2026-1965 (MEDIUM).

Change Log

• CVE-2026-3784
• CVE-2026-3783
• CVE-2026-1965

Does this affect the toolchain?

YES/NO

Associated issues

• N/A

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2026-3784
• https://nvd.nist.gov/vuln/detail/CVE-2026-3783
• https://nvd.nist.gov/vuln/detail/CVE-2026-1965

Test Methodology

• Pipeline build id: Buddy Build URL

[akhila-guruju]

For CVE-2026-1965:
Backported patch has been taken from ubuntu, CVE-2026-1965-1.patch and CVE-2026-1965-2.patch
Since there is something wrong on the website, the links are not functioning. We can see the diff from here, https://launchpadlibrarian.net/851032327/curl_8.5.0-2ubuntu10.4_8.5.0-2ubuntu10.8.diff.gz
Note: search for CVE-2026-1965-1.patch or url: fix reuse of connections using HTTP Negotiate to navigate to exact diff.

For CVE-2026-3783:
Refactored the test suite according to v8.11.1
crlf="headers" in tests/data/test2006 is a v8.19.0-only test framework feature and will fail for v8.11.1 as the value "headers" is not defined in this version. It has been introduced in v8.17.0
curl-8_19_0/docs/tests/FILEFORMAT.md

We have curl of version 8.11.1, According to the curl test suite file format 8_11_1/tests/FILEFORMAT.md, the crlf only takes one value that is "yes". So, refactored according to v8.11.1

For CVE-2026-3784:
Patch matches with the upstream patch. only one extra comment added by AI.

[akhila-guruju]

resolved merge conflicts

[Kanishk-Bansal]

Buddy Build

[akhila-guruju]

Buddy Build has passed.

[suresh-thelkar]

Code changes look good to me. I sign off.

I have also run the full build given below. Please make sure that it runs successfully.
https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1094302&view=results

[akhila-guruju]

Full build was not successful. Checking the reason of failure.

[akhila-guruju]

libnvidia-container is failing with Segmentation fault.

[kgodara912]

All the patches almost match with respective upstream references in the changes except, 1965 -> there was a minor follow-up fix compared to launchpad one which is incorporated and mentioned as origin in patch. Full build is successful for arm64 and the partial success state due to push error for amd64 image building didn't allow other stage runs but till package building, it is fine. Buddy build is successful. Currently tests are not running likely due to restriction in pipeline environment to access to/from the upstream repos. LGTM.