[CLSA-2026:1783341627] Fix CVE(s): CVE-2026-8286, CVE-2026-8924, CVE-2026-8927
Type:
security
Severity:
Moderate
Release date:
2026-07-06 12:40:46 UTC
Description:
* SECURITY UPDATE: libcurl could reuse a connection for a STARTTLS transfer despite a mismatched TLS configuration. - debian/patches/CVE-2026-8286.patch: add an SSL-config match check before reusing a connection for a clear-text protocol that requests TLS, in lib/url.c. - CVE-2026-8286 * SECURITY UPDATE: a trailing-dot cookie domain could bypass the Public Suffix List check and set a super-cookie. - debian/patches/CVE-2026-8924.patch: trim trailing dots from the domains before the PSL check in lib/cookie.c. - CVE-2026-8924 * SECURITY UPDATE: libcurl could send proxy Digest credentials to the wrong proxy when the proxy is selected from environment variables on a reused handle. - debian/patches/CVE-2026-8927.patch: clear the proxy Digest state when the environment proxy changes, in lib/url.c and lib/urldata.h. - CVE-2026-8927
Updated packages:
  • curl_7.47.0-1ubuntu2.23+tuxcare.els15_amd64.deb
    sha:290dd2898e100672aa5c8be68811ecec672c3adc
  • libcurl3_7.47.0-1ubuntu2.23+tuxcare.els15_amd64.deb
    sha:bd99ed5961eb3c179ef72a1cc44ce5bc9516b2ca
  • libcurl3-gnutls_7.47.0-1ubuntu2.23+tuxcare.els15_amd64.deb
    sha:069e6462464b7445c2bdf452cc8d5e79c18728bc
  • libcurl3-nss_7.47.0-1ubuntu2.23+tuxcare.els15_amd64.deb
    sha:d3c9ad951e14d9179b88a283d6d8d40968ba0660
  • libcurl4-doc_7.47.0-1ubuntu2.23+tuxcare.els15_all.deb
    sha:05112a504c64a9ac6bb4f0a0e80b4805069c41b0
  • libcurl4-gnutls-dev_7.47.0-1ubuntu2.23+tuxcare.els15_amd64.deb
    sha:03b206fb6b0fbc532400f075a189148920bd2cdd
  • libcurl4-nss-dev_7.47.0-1ubuntu2.23+tuxcare.els15_amd64.deb
    sha:6e194511f2a541910b8c431cf94ea45f3c5362c7
  • libcurl4-openssl-dev_7.47.0-1ubuntu2.23+tuxcare.els15_amd64.deb
    sha:521981c46d2682a77da460d9211ac206f47ec49e
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.