
Fedora alert FEDORA-2026-f13d888b0f (curl)

From:  updates--- via package-announce <package-announce@lists.fedoraproject.org>
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 44 Update: curl-8.18.0-6.fc44
Date:  Sat, 25 Apr 2026 01:56:12 +0000
Message-ID:  <20260425015612.26163381F6@bastion01.rdu3.fedoraproject.org>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f13d888b0f
2026-04-25 01:21:36.172613+00:00
--------------------------------------------------------------------------------

Name        : curl
Product     : Fedora 44
Version     : 8.18.0
Release     : 6.fc44
URL         : https://curl.se/
Summary     : A utility for getting files from remote servers (FTP, HTTP, and others)
Description :
curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.

--------------------------------------------------------------------------------
Update Information:

Fix bad reuse of HTTP Negotiate connection (CVE-2026-1965)
Fix token leak with redirect and netrc (CVE-2026-3783)
Fix wrong proxy connection reuse with credentials (CVE-2026-3784)
Fix use after free in SMB connection reuse (CVE-2026-3805)
Fix Could not find digest algorithm UNDEF (NID 0)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2026 Jan Macku <jamacku@redhat.com> - 8.18.0-6
- Fix bad reuse of HTTP Negotiate connection (CVE-2026-1965)
- Fix token leak with redirect and netrc (CVE-2026-3783)
- Fix wrong proxy connection reuse with credentials (CVE-2026-3784)
- Fix use after free in SMB connection reuse (CVE-2026-3805)
* Mon Mar 30 2026 Jan Macku <jamacku@redhat.com> - 8.18.0-5
- Fix `Could not find digest algorithm UNDEF (NID 0)` (#2438170)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2438170 - OBJ_find_sigid_algs() returns NID_undef for ML-DSA certificate
        https://bugzilla.redhat.com/show_bug.cgi?id=2438170
  [ 2 ] Bug #2457259 - CVE-2026-3805 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-44]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457259
  [ 3 ] Bug #2457261 - CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-44]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457261
  [ 4 ] Bug #2457262 - CVE-2026-3784 curl: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-44]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457262
  [ 5 ] Bug #2457263 - CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-44]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457263
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f13d888b0f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-cond...
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-ann...
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

