An update for curl is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1704 Final 1.0 1.0 2026-03-20 Initial 2026-03-20 2026-03-20 openEuler SA Tool V1.0 2026-03-20 curl security update An update for curl is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3 cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols. Security Fix(es): libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).(CVE-2026-1965) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.(CVE-2026-3783) curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.(CVE-2026-3784) An update for curl is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium curl https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1704 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1965 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-3783 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-3784 https://nvd.nist.gov/vuln/detail/CVE-2026-1965 https://nvd.nist.gov/vuln/detail/CVE-2026-3783 https://nvd.nist.gov/vuln/detail/CVE-2026-3784 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 curl-7.71.1-47.oe2003sp4.aarch64.rpm curl-debuginfo-7.71.1-47.oe2003sp4.aarch64.rpm curl-debugsource-7.71.1-47.oe2003sp4.aarch64.rpm libcurl-7.71.1-47.oe2003sp4.aarch64.rpm libcurl-devel-7.71.1-47.oe2003sp4.aarch64.rpm curl-7.79.1-48.oe2203sp4.aarch64.rpm curl-debuginfo-7.79.1-48.oe2203sp4.aarch64.rpm curl-debugsource-7.79.1-48.oe2203sp4.aarch64.rpm libcurl-7.79.1-48.oe2203sp4.aarch64.rpm libcurl-devel-7.79.1-48.oe2203sp4.aarch64.rpm curl-8.4.0-28.oe2403.aarch64.rpm curl-debuginfo-8.4.0-28.oe2403.aarch64.rpm curl-debugsource-8.4.0-28.oe2403.aarch64.rpm libcurl-8.4.0-28.oe2403.aarch64.rpm libcurl-devel-8.4.0-28.oe2403.aarch64.rpm curl-8.4.0-28.oe2403sp1.aarch64.rpm curl-debuginfo-8.4.0-28.oe2403sp1.aarch64.rpm curl-debugsource-8.4.0-28.oe2403sp1.aarch64.rpm libcurl-8.4.0-28.oe2403sp1.aarch64.rpm libcurl-devel-8.4.0-28.oe2403sp1.aarch64.rpm curl-8.4.0-28.oe2403sp2.aarch64.rpm curl-debuginfo-8.4.0-28.oe2403sp2.aarch64.rpm curl-debugsource-8.4.0-28.oe2403sp2.aarch64.rpm libcurl-8.4.0-28.oe2403sp2.aarch64.rpm libcurl-devel-8.4.0-28.oe2403sp2.aarch64.rpm curl-8.4.0-28.oe2403sp3.aarch64.rpm curl-debuginfo-8.4.0-28.oe2403sp3.aarch64.rpm curl-debugsource-8.4.0-28.oe2403sp3.aarch64.rpm libcurl-8.4.0-28.oe2403sp3.aarch64.rpm libcurl-devel-8.4.0-28.oe2403sp3.aarch64.rpm curl-7.71.1-47.oe2003sp4.src.rpm curl-7.79.1-48.oe2203sp4.src.rpm curl-8.4.0-28.oe2403.src.rpm curl-8.4.0-28.oe2403sp1.src.rpm curl-8.4.0-28.oe2403sp2.src.rpm curl-8.4.0-28.oe2403sp3.src.rpm curl-7.71.1-47.oe2003sp4.x86_64.rpm curl-debuginfo-7.71.1-47.oe2003sp4.x86_64.rpm curl-debugsource-7.71.1-47.oe2003sp4.x86_64.rpm libcurl-7.71.1-47.oe2003sp4.x86_64.rpm libcurl-devel-7.71.1-47.oe2003sp4.x86_64.rpm curl-7.79.1-48.oe2203sp4.x86_64.rpm curl-debuginfo-7.79.1-48.oe2203sp4.x86_64.rpm curl-debugsource-7.79.1-48.oe2203sp4.x86_64.rpm libcurl-7.79.1-48.oe2203sp4.x86_64.rpm libcurl-devel-7.79.1-48.oe2203sp4.x86_64.rpm curl-8.4.0-28.oe2403.x86_64.rpm curl-debuginfo-8.4.0-28.oe2403.x86_64.rpm curl-debugsource-8.4.0-28.oe2403.x86_64.rpm libcurl-8.4.0-28.oe2403.x86_64.rpm libcurl-devel-8.4.0-28.oe2403.x86_64.rpm curl-8.4.0-28.oe2403sp1.x86_64.rpm curl-debuginfo-8.4.0-28.oe2403sp1.x86_64.rpm curl-debugsource-8.4.0-28.oe2403sp1.x86_64.rpm libcurl-8.4.0-28.oe2403sp1.x86_64.rpm libcurl-devel-8.4.0-28.oe2403sp1.x86_64.rpm curl-8.4.0-28.oe2403sp2.x86_64.rpm curl-debuginfo-8.4.0-28.oe2403sp2.x86_64.rpm curl-debugsource-8.4.0-28.oe2403sp2.x86_64.rpm libcurl-8.4.0-28.oe2403sp2.x86_64.rpm libcurl-devel-8.4.0-28.oe2403sp2.x86_64.rpm curl-8.4.0-28.oe2403sp3.x86_64.rpm curl-debuginfo-8.4.0-28.oe2403sp3.x86_64.rpm curl-debugsource-8.4.0-28.oe2403sp3.x86_64.rpm libcurl-8.4.0-28.oe2403sp3.x86_64.rpm libcurl-devel-8.4.0-28.oe2403sp3.x86_64.rpm curl-help-7.71.1-47.oe2003sp4.noarch.rpm curl-help-7.79.1-48.oe2203sp4.noarch.rpm curl-help-8.4.0-28.oe2403.noarch.rpm curl-help-8.4.0-28.oe2403sp1.noarch.rpm curl-help-8.4.0-28.oe2403sp2.noarch.rpm curl-help-8.4.0-28.oe2403sp3.noarch.rpm libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API). 2026-03-20 CVE-2026-1965 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N curl security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1704 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one. 2026-03-20 CVE-2026-3783 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N curl security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1704 curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. 2026-03-20 CVE-2026-3784 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N curl security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1704