
SUSE alert SUSE-SU-2025:20824-1 (curl)

From:  SLE-SECURITY-UPDATES <null@suse.de>
To:  sle-security-updates@lists.suse.com
Subject:  SUSE-SU-2025:20824-1: important: Security update for curl
Date:  Tue, 14 Oct 2025 12:31:45 -0000
Message-ID:  <176044510569.27771.12767392770658696703@smelt2.prg2.suse.org>

# Security update for curl

Announcement ID: SUSE-SU-2025:20824-1
Release Date: 2025-09-25T10:50:20Z
Rating: important

References:
* bsc#1246197
* bsc#1249191
* bsc#1249348
* bsc#1249367
* jsc#PED-13055
* jsc#PED-13056

Cross-References:
* CVE-2025-10148
* CVE-2025-9086

CVSS scores:
* CVE-2025-10148 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-9086 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-9086 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
* SUSE Linux Micro 6.0

An update that solves two vulnerabilities, contains two features and has two fixes can now be installed.

## Description:

This update for curl fixes the following issues:

* CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)
* CVE-2025-10148: Predictable WebSocket mask (bsc#1249348)
* Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
* tool_operate: fix return code when --retry is used but not triggered [bsc#1249367]
* Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056]
  * Add _multibuild
  * Bugfixes:
    * asyn-thrdd: fix cleanup when RR fails due to OOM
    * ftp: fix teardown of DATA connection in done
    * http: fail early when rewind of input failed when following redirects
    * multi: fix add_handle resizing
    * tls BIOs: handle BIO_CTRL_EOF correctly
    * tool_getparam: make --no-anyauth not be accepted
    * wolfssl: fix sending of early data
    * ws: handle blocked sends better
    * ws: tests and fixes
* Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]
  * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE.
  * Add libssh minimum version requirements.
  * Use ldconfig_scriptlets when available.
  * Remove unused option --disable-ntlm-wb.
* Update to 8.14.0:
  * Changes:
    * mqtt: send ping at upkeep interval
    * schannel: handle pkcs12 client certificates containing CA certificates
    * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
    * vquic: ngtcp2 + openssl support
    * wcurl: import v2025.04.20 script + docs
    * websocket: add option to disable auto-pong reply
  * Bugfixes:
    * asny-thrdd: fix detach from running thread
    * async-threaded resolver: use ref counter
    * async: DoH improvements
    * build: enable gcc-12/13+, clang-10+ picky warnings
    * build: enable gcc-15 picky warnings
    * certs: drop unused `default_bits` from `.prm` files
    * cf-https-connect: use the passed in dns struct pointer
    * cf-socket: fix FTP accept connect
    * cfilters: remove assert
    * cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
    * cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
    * cmake: revert `CURL_LTO` behavior for multi-config generators
    * configure: fix --disable-rt
    * CONTRIBUTE: add project guidelines for AI use
    * cpool/cshutdown: force close connections under pressure
    * curl: fix memory leak when -h is used in config file
    * curl_get_line: handle lines ending on the buffer boundary
    * headers: enforce a max number of response header to accept
    * http: fix HTTP/2 handling of TE request header using "trailers"
    * lib: include files using known path
    * lib: unify conversions to/from hex
    * libssh: add NULL check for Curl_meta_get()
    * libssh: fix memory leak
    * mqtt: use conn/easy meta hash
    * multi: do transfer book keeping using mid
    * multi: init_do(): check result
    * netrc: avoid NULL deref on weird input
    * netrc: avoid strdup NULL
    * netrc: deal with null token better
    * openssl-quic: avoid potential `-Wnull-dereference`, add assert
    * openssl-quic: fix shutdown when stream not open
    * openssl: enable builds for _both_ engines and providers
    * openssl: set the cipher string before doing private cert
    * progress: avoid integer overflow when gathering total transfer size
    * rand: update comment on Curl_rand_bytes weak random
    * rustls: make max size of cert and key reasonable
    * smb: avoid integer overflow on weird input date
    * urlapi: redirecting to "" is considered fine
* Update to 8.13.0:
  * Changes:
    * curl: add write-out variable 'tls_earlydata'
    * curl: make --url support a file with URLs
    * gnutls: set priority via --ciphers
    * IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
    * lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
    * OpenSSL/quictls: add support for TLSv1.3 early data
    * rustls: add support for CERTINFO
    * rustls: add support for SSLKEYLOGFILE
    * rustls: support ECH w/ DoH lookup for config
    * rustls: support native platform verifier
    * var: add a '64dec' function that can base64 decode a string
  * Bugfixes:
    * conn: fix connection reuse when SSL is optional
    * hash: use single linked list for entries
    * http2: detect session being closed on ingress handling
    * http2: reset stream on response header error
    * http: remove a HTTP method size restriction
    * http: version negotiation
    * httpsrr: fix port detection
    * libssh: fix freeing of resources in disconnect
    * libssh: fix scp large file upload for 32-bit size_t systems
    * openssl-quic: do not iterate over multi handles
    * openssl: check return value of X509_get0_pubkey
    * openssl: drop support for old OpenSSL/LibreSSL versions
    * openssl: fix crash on missing cert password
    * openssl: fix pkcs11 URI checking for key files.
    * openssl: remove bad `goto`s into other scope
    * setopt: illegal CURLOPT_SOCKS5_AUTH should return error
    * setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
    * sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version
    * sshserver: fix excluding obsolete client config lines
    * SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
    * tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
    * tool_operate: fail SSH transfers without server auth
    * url: call protocol handler's disconnect in Curl_conn_free
    * urlapi: remove percent encoded dot sequences from the URL path
    * urldata: remove 'hostname' from struct Curl_async
* Update to 8.12.1:
  * Bugfixes:
    * asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
    * asyn-thread: fix HTTPS RR crash
    * asyn-thread: fix the returned bitmask from Curl_resolver_getsock
    * asyn-thread: survive a c-ares channel set to NULL
    * cmake: always reference OpenSSL and ZLIB via imported targets
    * cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
    * cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
    * content_encoding: #error on too old zlib
    * imap: TLS upgrade fix
    * ldap: drop support for legacy Novell LDAP SDK
    * libssh2: comparison is always true because rc <= -1
    * libssh2: raise lowest supported version to 1.2.8
    * libssh: drop support for libssh older than 0.9.0
    * openssl-quic: ignore ciphers for h3
    * pop3: TLS upgrade fix
    * runtests: fix the disabling of the memory tracking
    * runtests: quote commands to support paths with spaces
    * scache: add magic checks
    * smb: silence '-Warray-bounds' with gcc 13+
    * smtp: TLS upgrade fix
    * tool_cfgable: sort struct fields by size, use bitfields for booleans
    * tool_getparam: add "TLS required" flag for each such option
    * vtls: fix multissl-init
    * wakeup_write: make sure the eventfd write sends eight bytes
* Update to 8.12.0:
  * Changes:
    * curl: add byte range support to --variable reading from file
    * curl: make --etag-save acknowledge --create-dirs
    * getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
    * getinfo: provide info which auth was used for HTTP and proxy
    * hyper: drop support
    * openssl: add support to use keys and certificates from PKCS#11 provider
    * QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
    * vtls: feature ssls-export for SSL session im-/export
  * Bugfixes:
    * altsvc: avoid integer overflow in expire calculation
    * asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
    * asyn-ares: fix memory leak
    * asyn-ares: initial HTTPS resolve support
    * asyn-thread: use c-ares to resolve HTTPS RR
    * async-thread: avoid closing eventfd twice
    * cd2nroff: do not insist on quoted <> within backticks
    * cd2nroff: support "none" as a TLS backend
    * conncache: count shutdowns against host and max limits
    * content_encoding: drop support for zlib before 1.2.0.4
    * content_encoding: namespace GZIP flag constants
    * content_encoding: put the decomp buffers into the writer structs
    * content_encoding: support use of custom libzstd memory functions
    * cookie: cap expire times to 400 days
    * cookie: parse only the exact expire date
    * curl: return error if etag options are used with multiple URLs
    * curl_multi_fdset: include the shutdown connections in the set
    * curl_sha512_256: rename symbols to the curl namespace
    * curl_url_set.md: adjust the added-in to 7.62.0
    * doh: send HTTPS RR requests for all HTTP(S) transfers
    * easy: allow connect-only handle reuse with easy_perform
    * easy: make curl_easy_perform() return error if connection still there
    * easy_lock: use Sleep(1) for thread yield on old Windows
    * ECH: update APIs to those agreed with OpenSSL maintainers
    * GnuTLS: fix 'time_appconnect' for early data
    * HTTP/2: strip TE request header
    * http2: fix data_pending check
    * http2: fix value stored to 'result' is never read
    * http: ignore invalid Retry-After times
    * http_aws_sigv4: Fix invalid compare function handling zero-length pairs
    * https-connect: start next immediately on failure
    * lib: redirect handling by protocol handler
    * multi: fix curl_multi_waitfds reporting of fd_count
    * netrc: 'default' with no credentials is not a match
    * netrc: fix password-only entries
    * netrc: restore _netrc fallback logic
    * ngtcp2: fix memory leak on connect failure
    * openssl: define `HAVE_KEYLOG_CALLBACK` before use
    * openssl: fix ECH logic
    * osslq: use SSL_poll to determine writeability of QUIC streams
    * sectransp: free certificate on error
    * select: avoid a NULL deref in cwfds_add_sock
    * src: omit hugehelp and ca-embed from libcurltool
    * ssl session cache: change cache dimensions
    * system.h: add 64-bit curl_off_t definitions for NonStop
    * telnet: handle single-byte input option
    * TLS: check connection for SSL use, not handler
    * tool_formparse.c: make curlx_uztoso a static in here
    * tool_formparse: accept digits in --form type= strings
    * tool_getparam: ECH param parsing refix
    * tool_getparam: fail --hostpubsha256 if libssh2 is not used
    * tool_getparam: fix "Ignored Return Value"
    * tool_getparam: fix memory leak on error in parse_ech
    * tool_getparam: fix the ECH parser
    * tool_operate: make --etag-compare always accept a non-existing file
    * transfer: fix CURLOPT_CURLU override logic
    * urlapi: fix redirect to a new fragment or query (only)
    * vquic: make vquic_send_packets not return without setting psent
    * vtls: fix default SSL backend as a fallback
    * vtls: only remember the expiry timestamp in session cache
    * websocket: fix message send corruption
    * x509asn1: add parse recursion limit

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Linux Micro 6.0
  `zypper in -t patch SUSE-SLE-Micro-6.0-477=1`

## Package List:

* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
  * curl-8.14.1-1.1
  * libcurl4-8.14.1-1.1
  * curl-debuginfo-8.14.1-1.1
  * curl-debugsource-8.14.1-1.1
  * libcurl4-debuginfo-8.14.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-10148.html
* https://www.suse.com/security/cve/CVE-2025-9086.html
* https://bugzilla.suse.com/show_bug.cgi?id=1246197
* https://bugzilla.suse.com/show_bug.cgi?id=1249191
* https://bugzilla.suse.com/show_bug.cgi?id=1249348
* https://bugzilla.suse.com/show_bug.cgi?id=1249367
* https://jira.suse.com/browse/PED-13055
* https://jira.suse.com/browse/PED-13056
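As an added example that is not part of the SUSE advisory, this POSIX sh script checks whether the curl and libcurl4 packages from the package list above are installed at or above the fixed build 8.14.1-1.1, which is the post-patch check an administrator would run after `zypper in -t patch`. It assumes `rpm -q` output of the form name-version-release.arch and purely numeric version and release components; the sample lines are constructed, and the real query runs only when rpm is present.

```shell
# Added example (not from the advisory): check that the packages fixed by
# SUSE-SU-2025:20824-1 are installed at or above the fixed version-release.
# Assumes numeric components and `rpm -q` output of name-version-release.arch.
FIXED="8.14.1-1.1"          # version-release from the advisory's package list
PACKAGES="curl libcurl4"    # runtime packages listed for SUSE Linux Micro 6.0

# version_at_least INSTALLED FIXED: exit 0 if INSTALLED >= FIXED, else 1.
# Components split on '.' and '-' are compared numerically; missing ones are 0.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p != q) exit (p < q)
        }
        exit 0
    }'
}

# version_of NAME-VERSION-RELEASE.ARCH prints VERSION-RELEASE,
# e.g. "libcurl4-8.14.1-1.1.x86_64" -> "8.14.1-1.1".
version_of() {
    s=${1%.*}; rel=${s##*-}; s=${s%-*}   # drop arch, take release, drop it
    printf '%s-%s\n' "${s##*-}" "$rel"
}

# check_package_line LINE: print a verdict; exit 0 if fixed, 1 otherwise.
check_package_line() {
    case $1 in "package "*" is not installed") echo "MISSING  $1"; return 1;; esac
    if version_at_least "$(version_of "$1")" "$FIXED"; then
        echo "OK       $1 (>= $FIXED)"; return 0
    fi
    echo "OUTDATED $1 (< $FIXED)"; return 1
}

# check_rpm_lines: read `rpm -q` output on stdin; exit 1 if any line is not fixed.
check_rpm_lines() {
    rc=0; while IFS= read -r line; do check_package_line "$line" || rc=1; done
    return $rc
}

# Constructed sample of `rpm -q curl libcurl4` output: one outdated, one fixed.
SAMPLE="curl-8.6.0-1.1.x86_64
libcurl4-8.14.1-1.1.x86_64"
if command -v rpm >/dev/null 2>&1; then
    rpm -q $PACKAGES | check_rpm_lines || :   # unquoted: one argument per package
else
    printf '%s\n' "$SAMPLE" | check_rpm_lines || :
fi
```

A non-zero exit from `check_rpm_lines` means at least one listed package is missing or still older than the advisory's build, so the patch has not fully landed on that host.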

