Version in base suite: 8.14.1-2+deb13u4 Base version: curl_8.14.1-2+deb13u4 Target version: curl_8.14.1-2+deb13u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_8.14.1-2+deb13u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_8.14.1-2+deb13u5.dsc changelog | 11 ++++++++ patches/CVE-2026-3784.patch | 8 +++--- patches/openssl_fix_openssl_engines.patch | 37 ++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 53 insertions(+), 4 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5av7sfig/curl_8.14.1-2+deb13u4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5av7sfig/curl_8.14.1-2+deb13u5.dsc: no acceptable signature found diff -Nru curl-8.14.1/debian/changelog curl-8.14.1/debian/changelog --- curl-8.14.1/debian/changelog 2026-05-08 01:36:52.000000000 +0000 +++ curl-8.14.1/debian/changelog 2026-07-12 21:17:22.000000000 +0000 @@ -1,3 +1,14 @@ +curl (8.14.1-2+deb13u5) trixie; urgency=medium + + [ Carlos Henrique Lima Melara ] + * d/p/CVE-2026-3784.patch: remove trailing whitespace from patch + + [ Samuel Henrique ] + * d/p/openssl_fix_openssl_engines.patch: New patch to fix engine support + (closes: #1137539) + + -- Samuel Henrique Sun, 12 Jul 2026 14:17:22 -0700 + curl (8.14.1-2+deb13u4) trixie; urgency=medium * Import upstream patches for 13 CVE fixes: diff -Nru curl-8.14.1/debian/patches/CVE-2026-3784.patch curl-8.14.1/debian/patches/CVE-2026-3784.patch --- curl-8.14.1/debian/patches/CVE-2026-3784.patch 2026-05-08 01:36:52.000000000 +0000 +++ curl-8.14.1/debian/patches/CVE-2026-3784.patch 2026-07-12 21:17:22.000000000 +0000 @@ -15,7 +15,7 @@ 3 files changed, 42 insertions(+), 26 deletions(-) diff --git a/lib/url.c b/lib/url.c -index 0c9b878..efd50a0 100644 +index 0c9b878..4eeb316 100644 --- a/lib/url.c +++ b/lib/url.c @@ -640,34 +640,19 @@ proxy_info_matches(const struct proxy_info *data, @@ -23,13 +23,13 @@ if((data->proxytype == needle->proxytype) && (data->port == needle->port) && - strcasecompare(data->host.name, needle->host.name)) +- return TRUE; + curl_strequal(data->host.name, needle->host.name)) { -+ + + if(Curl_timestrcmp(data->user, needle->user) || + Curl_timestrcmp(data->passwd, needle->passwd)) + return FALSE; - return TRUE; -- ++ return TRUE; + } return FALSE; } diff -Nru curl-8.14.1/debian/patches/openssl_fix_openssl_engines.patch curl-8.14.1/debian/patches/openssl_fix_openssl_engines.patch --- curl-8.14.1/debian/patches/openssl_fix_openssl_engines.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-8.14.1/debian/patches/openssl_fix_openssl_engines.patch 2026-07-12 21:17:22.000000000 +0000 @@ -0,0 +1,37 @@ +From 17f2a220a99db30bacd66df4df677dfb0a18b405 Mon Sep 17 00:00:00 2001 +From: "Theodore A. Roth" +Date: Thu, 12 Jun 2025 11:36:02 -0600 +Subject: [PATCH] openssl: Fix openssl engines + +- Return CURLE_OK if the engine successfully loaded. + +Prior to this change: + +When loading an openssl engine, the result code is initialized to +CURLE_SSL_ENGINE_NOTFOUND, but is never set to CURLE_OK when the engine +was successfully loaded. This causes curl to error out, falsely stating +engine not found when it actually was. + +Broken since f2ce6c46 (precedes 8.14.0) which added support for using +engines and providers at the same time. + +Fixes https://github.com/curl/curl/issues/17617 +Closes https://github.com/curl/curl/pull/17618 +--- + lib/vtls/openssl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 69cde17c2c5f..a32307c05bdf 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -1907,6 +1907,9 @@ static CURLcode ossl_set_engine(struct Curl_easy *data, const char *name) + result = CURLE_SSL_ENGINE_INITFAILED; + e = NULL; + } ++ else { ++ result = CURLE_OK; ++ } + data->state.engine = e; + return result; + } diff -Nru curl-8.14.1/debian/patches/series curl-8.14.1/debian/patches/series --- curl-8.14.1/debian/patches/series 2026-05-08 01:36:52.000000000 +0000 +++ curl-8.14.1/debian/patches/series 2026-07-12 21:17:22.000000000 +0000 @@ -24,3 +24,4 @@ CVE-2026-6276.patch CVE-2026-7168.patch CVE-2026-6429.patch +openssl_fix_openssl_engines.patch