#1136033 trixie-pu: package curl/8.14.1-2+deb13u4

#1136033#5
Date: 2026-05-08 14:54:10 UTC
[ Reason ]
This update fixes 13 CVEs in curl that were published upstream after the
last trixie point release. All are upstream-derived patches; nine of them
needed minor adaptation against 8.14.1 (line numbers, helper-function
renames between 8.14.1 and current upstream, libtest harness shape, test
runner attribute differences). The unmodified upstream patches were
imported first and then a follow-up commit per CVE backports them onto
8.14.1; the commit history reflects this with one commit per CVE so each
fix is reviewable in isolation.

CVEs fixed:
  - CVE-2025-14524  curl_sasl: if redirected, require permission to use bearer
  - CVE-2025-14819  openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
  - CVE-2026-1965   url: fix reuse of connections using HTTP Negotiate (+ follow-up)
  - CVE-2026-3783   http: only send bearer if auth is allowed
  - CVE-2026-3784   proxy-auth: additional tests / proxy info match
  - CVE-2026-3805   smb: free the path in the request struct properly
  - CVE-2026-4873   url: do not reuse a non-tls starttls connection if new requires TLS
  - CVE-2026-5545   url: improve connection reuse on negotiate
  - CVE-2026-5773   protocol: disable connection reuse for SMB(S)
  - CVE-2026-6253   http: clear the proxy credentials as well on port or scheme change
  - CVE-2026-6276   urldata: move cookiehost to struct SingleRequest
  - CVE-2026-6429   http: clear credentials better on redirect
  - CVE-2026-7168   setopt: clear proxy auth properties when switching

[ Impact ]
Without this update, trixie users are exposed to 13 known CVEs in curl
covering credential leakage on redirect, cross-scheme/cross-host auth
header retention, connection reuse confusion (HTTP Negotiate, NTLM,
STARTTLS, SMB), digest proxy auth replay across CURLOPT_PROXY changes,
and a TLS cache-key collision. Several of these (the credential-leakage
ones in particular) have direct exfiltration potential in real-world
redirect scenarios.

[ Tests ]
The full upstream curl test suite is run as part of the package build
(both during the regular build and again under autopkgtest). With the
updated patches, all 1706 test cases run and pass:

  TESTDONE: 1706 tests out of 1706 reported OK: 100%

That includes the new regression tests added by the patches themselves
(test2006 for CVE-2026-3783, test2009-2011 for CVE-2026-6253, test2504
for CVE-2026-6276, test2506 for CVE-2026-6429, test1588 for
CVE-2026-7168). Existing tests that interact with the touched code
paths (e.g. test 998 for credential clearing on redirect) also still
pass.

[ Risks ]
Patches are upstream-authored, security-focused, and target areas that
are well covered by curl's test suite. The adaptations to 8.14.1 are
documented per-patch in a Backported-by: trailer with bullet points and
fall into a few categories:
  - context refresh / line-number drift only (CVE-2025-14819,
    CVE-2026-1965 _1 and _2, CVE-2026-4873, CVE-2026-5545)
  - apply same logic in a slightly different surrounding shape because
    upstream refactored helper functions (CVE-2025-14524, CVE-2026-3783,
    CVE-2026-3784, CVE-2026-6276, CVE-2026-6429, CVE-2026-7168)
  - replace upstream's curlx_* spellings with the historical strdup() /
    free() / Curl_safefree() the 8.14.1 tree still uses (CVE-2026-3805,
    CVE-2026-6276, CVE-2026-6429, CVE-2026-7168)
  - control-flow change rather than a flag change because the relevant
    flag (PROTOPT_CONN_REUSE) does not yet exist in 8.14.1
    (CVE-2026-5773: replace connkeep() with connclose() to achieve the
    same "do not reuse this connection" semantics)
  - test-runner adjustments so the new regression tests actually run on
    8.14.1: crlf="headers" -> crlf="yes", --follow -> --location,
    upstream's first.h libtest harness rewritten to 8.14.1's test.h /
    easy_init() / test_setopt() / goto test_cleanup harness, drop the
    "digest" feature-gate keyword that 8.14.1's curlinfo emits as
    "digest-auth"

For CVE-2026-6253, three new tests assert exit code 56
(CURLE_RECV_ERROR) instead of upstream's 7 (CURLE_COULDNT_CONNECT) for
the proxy-CONNECT-407 case. The exit-code change comes from upstream
commit a186ecf4bf ("proxy: chunked response, error code", 2026-03-24)
which is a behaviour change rather than a CVE fix and would also
require touching ~10 unrelated existing tests (test94, test217,
test287, test302, test440, test441, test493, test718, test749,
test1059) that still expect 56. Pulling that into stable seemed like
gratuitous churn; the security property the CVE fix verifies (proxy
credentials from http_proxy/https_proxy env vars are not forwarded
across schemes on redirect) is still asserted by the <protocol> block
of each test - only the resulting libcurl error code differs between
versions.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Imported the 13 upstream CVE patches (commit cd055feca, already in
    the previous trixie upload's branch state) and added a backport
    commit per CVE on top, documenting each adaptation in a
    Backported-by: trailer in the patch header. Patch series order
    matches the upload's d/changelog.
  * d/p/CVE-2025-10148.patch and d/p/CVE-2025-13034.patch: cosmetic
    refresh after running gbp pq import / gbp pq export over the
    series (drop the leading "From <hash> Mon Sep 17 00:00:00 2001"
    git format-patch marker, recompute the post-image blob hash for
    the CVE-2025-13034 hunk, rewrap the long Subject line). Patch
    content is unchanged.
  * d/p: refresh patch series after gbp pq round-trip - drop the
    section comment lines and blank separators, and refresh the
    leading "From <hash>" markers / trailing "-- \n2.47.3\n"
    signatures in the non-CVE patches. No content change.

[ Other info ]
The build and the full test suite were run with sbuild on amd64. The
package builds clean and all 1706 upstream tests pass.

I would like to keep the gbp pq round-trip changes because they don't affect
any patches while making it much easier to work on future p-u changes. I've
decided not to do the same for bookworm because there would be too many
changes, so there I will just take the extra effort of not committing the
gbp pq round-trip changes.

I still have to do another round of thorough review of all backporting
changes, but I wanted to submit this request so that it can be reviewed in time
for the next point release, as I understand the cutoff is this Saturday (May
9th). curl/libcurl is widely used and it's important to get these fixes out
in this one rather than in 2 months.

I will conclude the review before Sunday and reply to this bug if there are
any changes. Until then, the commits are in my fork at
https://salsa.debian.org/samueloph/curl.

Thank you!

#1136033#12
Date: 2026-05-23 11:52:53 UTC
Hi,

Please go ahead.

Thanks,