EulerOS 2.0 SP13 : curl (EulerOS-SA-2026-2326)

medium Nessus Plugin ID 320222

Synopsis

The remote EulerOS host is missing multiple security updates.

Description

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:

libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection, a range of criteria must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason is that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.

When an application allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive), the second request wrongly reused the same connection. Since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1.

The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`.

Applications can disable libcurl's reuse of connections, and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API). (CVE-2026-1965)

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. (CVE-2026-3784)

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.

If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one. (CVE-2026-3783)

Tenable has extracted the preceding description block directly from the EulerOS curl security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected curl packages.

See Also

http://www.nessus.org/u?0143f2fd

Plugin Details

Severity: Medium

ID: 320222

File Name: EulerOS_SA-2026-2326.nasl

Version: 1.1

Type: Local

Published: 6/10/2026

Updated: 6/10/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

CVSS Score Source: CVE-2026-1965

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-3784

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:curl, p-cpe:/a:huawei:euleros:libcurl-devel, p-cpe:/a:huawei:euleros:curl-help, p-cpe:/a:huawei:euleros:libcurl, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/10/2026

Vulnerability Publication Date: 3/11/2026

Reference Information

CVE: CVE-2026-1965, CVE-2026-3783, CVE-2026-3784