suse-su-2025:20824-1
Vulnerability from csaf_suse
Published
2025-09-25 10:52
Modified
2025-09-25 10:52
Summary
Security update for curl

Notes

Title of the patch
Security update for curl
Description of the patch
This update for curl fixes the following issues:

- CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)
- CVE-2025-10148: Predictable WebSocket mask (bsc#1249348)
- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
- tool_operate: fix return code when --retry is used but not triggered [bsc#1249367]

- Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056]
  * Add _multibuild
  * Bugfixes:
    - asyn-thrdd: fix cleanup when RR fails due to OOM
    - ftp: fix teardown of DATA connection in done
    - http: fail early when rewind of input failed when following redirects
    - multi: fix add_handle resizing
    - tls BIOs: handle BIO_CTRL_EOF correctly
    - tool_getparam: make --no-anyauth not be accepted
    - wolfssl: fix sending of early data
    - ws: handle blocked sends better
    - ws: tests and fixes

- Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]
  * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE.
  * Add libssh minimum version requirements.
  * Use ldconfig_scriptlets when available.
  * Remove unused option --disable-ntlm-wb.

- Update to 8.14.0:
  * Changes:
    - mqtt: send ping at upkeep interval
    - schannel: handle pkcs12 client certificates containing CA certificates
    - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
    - vquic: ngtcp2 + openssl support
    - wcurl: import v2025.04.20 script + docs
    - websocket: add option to disable auto-pong reply
  * Bugfixes:
    - asny-thrdd: fix detach from running thread
    - async-threaded resolver: use ref counter
    - async: DoH improvements
    - build: enable gcc-12/13+, clang-10+ picky warnings
    - build: enable gcc-15 picky warnings
    - certs: drop unused `default_bits` from `.prm` files
    - cf-https-connect: use the passed in dns struct pointer
    - cf-socket: fix FTP accept connect
    - cfilters: remove assert
    - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
    - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
    - cmake: revert `CURL_LTO` behavior for multi-config generators
    - configure: fix --disable-rt
    - CONTRIBUTE: add project guidelines for AI use
    - cpool/cshutdown: force close connections under pressure
    - curl: fix memory leak when -h is used in config file
    - curl_get_line: handle lines ending on the buffer boundary
    - headers: enforce a max number of response header to accept
    - http: fix HTTP/2 handling of TE request header using "trailers"
    - lib: include files using known path
    - lib: unify conversions to/from hex
    - libssh: add NULL check for Curl_meta_get()
    - libssh: fix memory leak
    - mqtt: use conn/easy meta hash
    - multi: do transfer book keeping using mid
    - multi: init_do(): check result
    - netrc: avoid NULL deref on weird input
    - netrc: avoid strdup NULL
    - netrc: deal with null token better
    - openssl-quic: avoid potential `-Wnull-dereference`, add assert
    - openssl-quic: fix shutdown when stream not open
    - openssl: enable builds for *both* engines and providers
    - openssl: set the cipher string before doing private cert
    - progress: avoid integer overflow when gathering total transfer size
    - rand: update comment on Curl_rand_bytes weak random
    - rustls: make max size of cert and key reasonable
    - smb: avoid integer overflow on weird input date
    - urlapi: redirecting to "" is considered fine

- Update to 8.13.0:
  * Changes:
    - curl: add write-out variable 'tls_earlydata'
    - curl: make --url support a file with URLs
    - gnutls: set priority via --ciphers
    - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
    - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
    - OpenSSL/quictls: add support for TLSv1.3 early data
    - rustls: add support for CERTINFO
    - rustls: add support for SSLKEYLOGFILE
    - rustls: support ECH w/ DoH lookup for config
    - rustls: support native platform verifier
    - var: add a '64dec' function that can base64 decode a string
  * Bugfixes:
    - conn: fix connection reuse when SSL is optional
    - hash: use single linked list for entries
    - http2: detect session being closed on ingress handling
    - http2: reset stream on response header error
    - http: remove a HTTP method size restriction
    - http: version negotiation
    - httpsrr: fix port detection
    - libssh: fix freeing of resources in disconnect
    - libssh: fix scp large file upload for 32-bit size_t systems
    - openssl-quic: do not iterate over multi handles
    - openssl: check return value of X509_get0_pubkey
    - openssl: drop support for old OpenSSL/LibreSSL versions
    - openssl: fix crash on missing cert password
    - openssl: fix pkcs11 URI checking for key files.
    - openssl: remove bad `goto`s into other scope
    - setopt: illegal CURLOPT_SOCKS5_AUTH should return error
    - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
    - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version
    - sshserver: fix excluding obsolete client config lines
    - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
    - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
    - tool_operate: fail SSH transfers without server auth
    - url: call protocol handler's disconnect in Curl_conn_free
    - urlapi: remove percent encoded dot sequences from the URL path
    - urldata: remove 'hostname' from struct Curl_async

- Update to 8.12.1:
  * Bugfixes:
    - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
    - asyn-thread: fix HTTPS RR crash
    - asyn-thread: fix the returned bitmask from Curl_resolver_getsock
    - asyn-thread: survive a c-ares channel set to NULL
    - cmake: always reference OpenSSL and ZLIB via imported targets
    - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
    - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
    - content_encoding: #error on too old zlib
    - imap: TLS upgrade fix
    - ldap: drop support for legacy Novell LDAP SDK
    - libssh2: comparison is always true because rc <= -1
    - libssh2: raise lowest supported version to 1.2.8
    - libssh: drop support for libssh older than 0.9.0
    - openssl-quic: ignore ciphers for h3
    - pop3: TLS upgrade fix
    - runtests: fix the disabling of the memory tracking
    - runtests: quote commands to support paths with spaces
    - scache: add magic checks
    - smb: silence '-Warray-bounds' with gcc 13+
    - smtp: TLS upgrade fix
    - tool_cfgable: sort struct fields by size, use bitfields for booleans
    - tool_getparam: add "TLS required" flag for each such option
    - vtls: fix multissl-init
    - wakeup_write: make sure the eventfd write sends eight bytes

- Update to 8.12.0:
  * Changes:
    - curl: add byte range support to --variable reading from file
    - curl: make --etag-save acknowledge --create-dirs
    - getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
    - getinfo: provide info which auth was used for HTTP and proxy
    - hyper: drop support
    - openssl: add support to use keys and certificates from PKCS#11 provider
    - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
    - vtls: feature ssls-export for SSL session im-/export
  * Bugfixes:
    - altsvc: avoid integer overflow in expire calculation
    - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
    - asyn-ares: fix memory leak
    - asyn-ares: initial HTTPS resolve support
    - asyn-thread: use c-ares to resolve HTTPS RR
    - async-thread: avoid closing eventfd twice
    - cd2nroff: do not insist on quoted <> within backticks
    - cd2nroff: support "none" as a TLS backend
    - conncache: count shutdowns against host and max limits
    - content_encoding: drop support for zlib before 1.2.0.4
    - content_encoding: namespace GZIP flag constants
    - content_encoding: put the decomp buffers into the writer structs
    - content_encoding: support use of custom libzstd memory functions
    - cookie: cap expire times to 400 days
    - cookie: parse only the exact expire date
    - curl: return error if etag options are used with multiple URLs
    - curl_multi_fdset: include the shutdown connections in the set
    - curl_sha512_256: rename symbols to the curl namespace
    - curl_url_set.md: adjust the added-in to 7.62.0
    - doh: send HTTPS RR requests for all HTTP(S) transfers
    - easy: allow connect-only handle reuse with easy_perform
    - easy: make curl_easy_perform() return error if connection still there
    - easy_lock: use Sleep(1) for thread yield on old Windows
    - ECH: update APIs to those agreed with OpenSSL maintainers
    - GnuTLS: fix 'time_appconnect' for early data
    - HTTP/2: strip TE request header
    - http2: fix data_pending check
    - http2: fix value stored to 'result' is never read
    - http: ignore invalid Retry-After times
    - http_aws_sigv4: Fix invalid compare function handling zero-length pairs
    - https-connect: start next immediately on failure
    - lib: redirect handling by protocol handler
    - multi: fix curl_multi_waitfds reporting of fd_count
    - netrc: 'default' with no credentials is not a match
    - netrc: fix password-only entries
    - netrc: restore _netrc fallback logic
    - ngtcp2: fix memory leak on connect failure
    - openssl: define `HAVE_KEYLOG_CALLBACK` before use
    - openssl: fix ECH logic
    - osslq: use SSL_poll to determine writeability of QUIC streams
    - sectransp: free certificate on error
    - select: avoid a NULL deref in cwfds_add_sock
    - src: omit hugehelp and ca-embed from libcurltool
    - ssl session cache: change cache dimensions
    - system.h: add 64-bit curl_off_t definitions for NonStop
    - telnet: handle single-byte input option
    - TLS: check connection for SSL use, not handler
    - tool_formparse.c: make curlx_uztoso a static in here
    - tool_formparse: accept digits in --form type= strings
    - tool_getparam: ECH param parsing refix
    - tool_getparam: fail --hostpubsha256 if libssh2 is not used
    - tool_getparam: fix "Ignored Return Value"
    - tool_getparam: fix memory leak on error in parse_ech
    - tool_getparam: fix the ECH parser
    - tool_operate: make --etag-compare always accept a non-existing file
    - transfer: fix CURLOPT_CURLU override logic
    - urlapi: fix redirect to a new fragment or query (only)
    - vquic: make vquic_send_packets not return without setting psent
    - vtls: fix default SSL backend as a fallback
    - vtls: only remember the expiry timestamp in session cache
    - websocket: fix message send corruption
    - x509asn1: add parse recursion limit
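CVE-2025-9086 in the list above concerns curl's cookie path comparison: a cookie first set with the Secure attribute over https must not be replaced by a same-named cookie delivered by a clear-text http response, and the path comparison must never read past a one-byte path such as "/". The C program below is an added example and is not curl's code. It implements the RFC 6265bis rule that a non-secure origin cannot overwrite a Secure cookie, using a length-checked path-match (RFC 6265 section 5.1.4), and replays the sequence the advisory describes. The jar layout, the fixed-size fields and the cookie name and host are assumptions made for the example.

```c
/* Added example (not curl's code): a cookie store that refuses to let a
 * clear-text response replace a Secure cookie, with a length-checked
 * path comparison so a one-byte path like "/" never causes an over-read. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_COOKIES 8

struct cookie {
    char name[32];
    char domain[64];
    char path[64];
    bool secure;            /* Secure attribute present on Set-Cookie */
};

struct jar {
    struct cookie c[MAX_COOKIES];
    size_t n;
};

/* RFC 6265 section 5.1.4 path-match over explicit lengths: cookie_path is a
 * prefix of req_path and is either equal to it, ends in '/', or is followed
 * by '/' in req_path. Every index is bounded by the measured lengths. */
bool path_match(const char *req_path, const char *cookie_path)
{
    size_t rl = strlen(req_path), cl = strlen(cookie_path);
    if (cl == 0 || cl > rl)
        return false;
    if (memcmp(req_path, cookie_path, cl) != 0)
        return false;
    if (cl == rl)
        return true;
    if (cookie_path[cl - 1] == '/')
        return true;
    return req_path[cl] == '/';
}

/* Store a cookie from a response. from_secure says whether the response
 * came over https. Returns true if stored/replaced, false if ignored. */
bool jar_set(struct jar *j, const struct cookie *in, bool from_secure)
{
    /* RFC 6265bis: a clear-text response cannot set a Secure cookie, and
     * cannot touch an existing Secure cookie of the same name whose path
     * the new cookie's path would path-match. */
    if (!from_secure) {
        if (in->secure)
            return false;
        for (size_t i = 0; i < j->n; i++) {
            const struct cookie *e = &j->c[i];
            if (e->secure && strcmp(e->name, in->name) == 0 &&
                strcmp(e->domain, in->domain) == 0 &&
                path_match(in->path, e->path))
                return false;
        }
    }
    /* Replace an exact (name, domain, path) match, otherwise append. */
    for (size_t i = 0; i < j->n; i++) {
        struct cookie *e = &j->c[i];
        if (strcmp(e->name, in->name) == 0 &&
            strcmp(e->domain, in->domain) == 0 &&
            strcmp(e->path, in->path) == 0) {
            *e = *in;
            return true;
        }
    }
    if (j->n == MAX_COOKIES)
        return false;
    j->c[j->n++] = *in;
    return true;
}

/* The advisory's sequence: a Secure cookie is set over https, then the same
 * name arrives over clear-text http with path "/". The second set must be
 * ignored and the Secure cookie must survive untouched. */
bool clear_text_override_rejected(void)
{
    struct jar j = {0};
    struct cookie sec   = { "session", "target", "/", true };   /* constructed */
    struct cookie plain = { "session", "target", "/", false };  /* constructed */
    bool first  = jar_set(&j, &sec, true);
    bool second = jar_set(&j, &plain, false);
    return first && !second && j.n == 1 && j.c[0].secure;
}

/* Control: the same replacement issued over https is accepted. */
bool secure_origin_replaces(void)
{
    struct jar j = {0};
    struct cookie a = { "session", "target", "/", true };
    struct cookie b = { "session", "target", "/", true };
    return jar_set(&j, &a, true) && jar_set(&j, &b, true) && j.n == 1;
}

int main(void)
{
    printf("clear-text override rejected: %s\n",
           clear_text_override_rejected() ? "yes" : "no");
    printf("https replacement accepted: %s\n",
           secure_origin_replaces() ? "yes" : "no");
    return 0;
}
```

The path-match never dereferences beyond `strlen()` of either string, which is the property a single-byte path allocation needs; the Secure check is applied before any replacement is considered, so the clear-text response cannot influence the stored cookie even when the paths compare equal.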
Patchnames
SUSE-SLE-Micro-6.0-477
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
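CVE-2025-10148 in the description above is about the masking key a WebSocket client applies to every outgoing frame. RFC 6455 section 5.3 requires a fresh, unpredictable 32-bit key per frame; the advisory describes curl reusing one key for the whole connection, which lets a malicious server steer the masked bytes into something an intermediary proxy would parse as HTTP. The C program below is an added example rather than curl's code: it masks frames with a key drawn from /dev/urandom for each frame, and includes a checker that walks a sequence of client frame byte strings and counts masking-key reuse, so the flawed pattern is detectable. Payloads are limited to under 126 bytes and the sample messages are constructed for the example.

```c
/* Added example (not curl's code): per-frame WebSocket masking as RFC 6455
 * section 5.3 requires, plus a checker that counts masking-key reuse across
 * a sequence of client frames. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Draw a 4-byte masking key from the kernel CSPRNG. Returns false on
 * failure so the caller never silently falls back to a fixed key. */
bool fresh_mask(uint8_t key[4])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return false;
    size_t got = fread(key, 1, 4, f);
    fclose(f);
    return got == 4;
}

/* Build a masked text frame (FIN=1, opcode=1) for payloads under 126 bytes.
 * Returns the frame length written to out (len + 6 bytes), or 0 on error. */
size_t build_frame(const uint8_t *payload, size_t len, const uint8_t key[4],
                   uint8_t *out, size_t out_cap)
{
    if (len >= 126 || out_cap < len + 6) return 0;
    out[0] = 0x81;                       /* FIN + text opcode */
    out[1] = 0x80 | (uint8_t)len;        /* MASK bit + 7-bit length */
    memcpy(out + 2, key, 4);
    for (size_t i = 0; i < len; i++)
        out[6 + i] = payload[i] ^ key[i % 4];
    return len + 6;
}

/* Extract the masking key from a short client frame; false if the frame is
 * unmasked, uses an extended length, or is too short to carry a key. */
bool frame_mask(const uint8_t *frame, size_t flen, uint8_t key[4])
{
    if (flen < 6 || !(frame[1] & 0x80) || (frame[1] & 0x7f) >= 126) return false;
    memcpy(key, frame + 2, 4);
    return true;
}

/* Count pairs of frames that share a masking key. A correct client gives 0
 * (a 2^-32 collision aside); a fixed key gives n*(n-1)/2. */
size_t count_mask_reuse(const uint8_t *const *frames, const size_t *lens, size_t n)
{
    size_t reused = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t ki[4];
        if (!frame_mask(frames[i], lens[i], ki)) continue;
        for (size_t j = i + 1; j < n; j++) {
            uint8_t kj[4];
            if (frame_mask(frames[j], lens[j], kj) && memcmp(ki, kj, 4) == 0)
                reused++;
        }
    }
    return reused;
}

/* Send three frames either with a fresh key each (correct) or with one key
 * kept for the connection (the flawed behaviour); return the reuse count.
 * (size_t)-1 signals that no randomness could be obtained. */
size_t reuse_count_for(bool reuse_one_key)
{
    static const char *msgs[3] = { "hello", "world", "" };   /* constructed */
    uint8_t buf[3][64];
    const uint8_t *frames[3];
    size_t lens[3];
    uint8_t key[4];
    if (!fresh_mask(key)) return (size_t)-1;
    for (int i = 0; i < 3; i++) {
        if (i > 0 && !reuse_one_key && !fresh_mask(key)) return (size_t)-1;
        lens[i] = build_frame((const uint8_t *)msgs[i], strlen(msgs[i]),
                              key, buf[i], sizeof buf[i]);
        frames[i] = buf[i];
    }
    return count_mask_reuse(frames, lens, 3);
}

/* Wire-format check: key 01 02 03 04 over "AB" gives
 * 81 82 01 02 03 04 40 40 (0x41^0x01, 0x42^0x02). */
bool known_answer(void)
{
    static const uint8_t key[4]  = { 1, 2, 3, 4 };
    static const uint8_t want[8] = { 0x81, 0x82, 1, 2, 3, 4, 0x40, 0x40 };
    uint8_t out[8];
    return build_frame((const uint8_t *)"AB", 2, key, out, sizeof out) == 8 &&
           memcmp(out, want, 8) == 0;
}

int main(void)
{
    printf("known-answer frame ok: %d\n", known_answer());
    printf("key reuse with fresh keys: %zu\n", reuse_count_for(false));
    printf("key reuse with one fixed key: %zu\n", reuse_count_for(true));
    return 0;
}
```

`count_mask_reuse` is the part worth keeping: given the client-to-server frames of any capture, a non-zero result means the client is sending predictable masks and the proxy-cache-poisoning scenario from the advisory applies to it.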



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for curl",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for curl fixes the following issues:\n\n- CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)\n- CVE-2025-10148: Predictable WebSocket mask (bsc#1249348)\n- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]\n- tool_operate: fix return code when --retry is used but not\n  triggered [bsc#1249367]\n\n- Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056]\n  * Add _multibuild\n  * Bugfixes:\n    - asyn-thrdd: fix cleanup when RR fails due to OOM\n    - ftp: fix teardown of DATA connection in done\n    - http: fail early when rewind of input failed when following redirects\n    - multi: fix add_handle resizing\n    - tls BIOs: handle BIO_CTRL_EOF correctly\n    - tool_getparam: make --no-anyauth not be accepted\n    - wolfssl: fix sending of early data\n    - ws: handle blocked sends better\n    - ws: tests and fixes\n\n- Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]\n  \n  * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error\n    when building the curl-mini package in SLE.\n  * Add libssh minimum version requirements.\n  * Use ldconfig_scriptlets when available.\n  * Remove unused option --disable-ntlm-wb.\n\n- Update to 8.14.0:\n  \n  * Changes:\n    - mqtt: send ping at upkeep interval\n    - schannel: handle pkcs12 client certificates containing CA certificates\n    - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs\n    - vquic: ngtcp2 + openssl support\n    - wcurl: import v2025.04.20 script + docs\n    - websocket: add option to disable auto-pong reply\n  \n  * Bugfixes:\n    - asny-thrdd: fix detach from running thread\n    - async-threaded resolver: use ref counter\n    - async: DoH improvements\n    - build: enable gcc-12/13+, clang-10+ picky warnings\n    - build: enable gcc-15 picky warnings\n    - certs: drop unused `default_bits` from `.prm` files\n    - cf-https-connect: use the passed in dns struct pointer\n    - cf-socket: fix FTP accept connect\n    - cfilters: 
remove assert\n    - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`\n    - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options\n    - cmake: revert `CURL_LTO` behavior for multi-config generators\n    - configure: fix --disable-rt\n    - CONTRIBUTE: add project guidelines for AI use\n    - cpool/cshutdown: force close connections under pressure\n    - curl: fix memory leak when -h is used in config file\n    - curl_get_line: handle lines ending on the buffer boundary\n    - headers: enforce a max number of response header to accept\n    - http: fix HTTP/2 handling of TE request header using \"trailers\"\n    - lib: include files using known path\n    - lib: unify conversions to/from hex\n    - libssh: add NULL check for Curl_meta_get()\n    - libssh: fix memory leak\n    - mqtt: use conn/easy meta hash\n    - multi: do transfer book keeping using mid\n    - multi: init_do(): check result\n    - netrc: avoid NULL deref on weird input\n    - netrc: avoid strdup NULL\n    - netrc: deal with null token better\n    - openssl-quic: avoid potential `-Wnull-dereference`, add assert\n    - openssl-quic: fix shutdown when stream not open\n    - openssl: enable builds for *both* engines and providers\n    - openssl: set the cipher string before doing private cert\n    - progress: avoid integer overflow when gathering total transfer size\n    - rand: update comment on Curl_rand_bytes weak random\n    - rustls: make max size of cert and key reasonable\n    - smb: avoid integer overflow on weird input date\n    - urlapi: redirecting to \"\" is considered fine\n\n- Update to 8.13.0:\n  \n  * Changes:\n    - curl: add write-out variable \u0027tls_earlydata\u0027\n    - curl: make --url support a file with URLs\n    - gnutls: set priority via --ciphers\n    - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags\n    - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY\n    - OpenSSL/quictls: add support for TLSv1.3 early data\n    - rustls: add 
support for CERTINFO\n    - rustls: add support for SSLKEYLOGFILE\n    - rustls: support ECH w/ DoH lookup for config\n    - rustls: support native platform verifier\n    - var: add a \u002764dec\u0027 function that can base64 decode a string\n  \n  * Bugfixes:\n    - conn: fix connection reuse when SSL is optional\n    - hash: use single linked list for entries\n    - http2: detect session being closed on ingress handling\n    - http2: reset stream on response header error\n    - http: remove a HTTP method size restriction\n    - http: version negotiation\n    - httpsrr: fix port detection\n    - libssh: fix freeing of resources in disconnect\n    - libssh: fix scp large file upload for 32-bit size_t systems\n    - openssl-quic: do not iterate over multi handles\n    - openssl: check return value of X509_get0_pubkey\n    - openssl: drop support for old OpenSSL/LibreSSL versions\n    - openssl: fix crash on missing cert password\n    - openssl: fix pkcs11 URI checking for key files.\n    - openssl: remove bad `goto`s into other scope\n    - setopt: illegal CURLOPT_SOCKS5_AUTH should return error\n    - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine\n    - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version\n    - sshserver: fix excluding obsolete client config lines\n    - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR\n    - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`\n    - tool_operate: fail SSH transfers without server auth\n    - url: call protocol handler\u0027s disconnect in Curl_conn_free\n    - urlapi: remove percent encoded dot sequences from the URL path\n    - urldata: remove \u0027hostname\u0027 from struct Curl_async\n\n- Update to 8.12.1:\n  \n  * Bugfixes:\n    - asyn-thread: fix build with \u0027CURL_DISABLE_SOCKETPAIR\u0027\n    - asyn-thread: fix HTTPS RR crash\n    - asyn-thread: fix the returned bitmask from Curl_resolver_getsock\n    - asyn-thread: survive a c-ares channel set to NULL\n    
- cmake: always reference OpenSSL and ZLIB via imported targets\n    - cmake: respect \u0027GNUTLS_CFLAGS\u0027 when detected via \u0027pkg-config\u0027\n    - cmake: respect \u0027GNUTLS_LIBRARY_DIRS\u0027 in \u0027libcurl.pc\u0027 and \u0027curl-config\u0027\n    - content_encoding: #error on too old zlib\n    - imap: TLS upgrade fix\n    - ldap: drop support for legacy Novell LDAP SDK\n    - libssh2: comparison is always true because rc \u003c= -1\n    - libssh2: raise lowest supported version to 1.2.8\n    - libssh: drop support for libssh older than 0.9.0\n    - openssl-quic: ignore ciphers for h3\n    - pop3: TLS upgrade fix\n    - runtests: fix the disabling of the memory tracking\n    - runtests: quote commands to support paths with spaces\n    - scache: add magic checks\n    - smb: silence \u0027-Warray-bounds\u0027 with gcc 13+\n    - smtp: TLS upgrade fix\n    - tool_cfgable: sort struct fields by size, use bitfields for booleans\n    - tool_getparam: add \"TLS required\" flag for each such option\n    - vtls: fix multissl-init\n    - wakeup_write: make sure the eventfd write sends eight bytes\n\n- Update to 8.12.0:\n  \n  * Changes:\n    - curl: add byte range support to --variable reading from file\n    - curl: make --etag-save acknowledge --create-dirs\n    - getinfo: fix CURLINFO_QUEUE_TIME_T and add \u0027time_queue\u0027 var\n    - getinfo: provide info which auth was used for HTTP and proxy\n    - hyper: drop support\n    - openssl: add support to use keys and certificates from PKCS#11 provider\n    - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA\n    - vtls: feature ssls-export for SSL session im-/export\n  \n  * Bugfixes:\n    - altsvc: avoid integer overflow in expire calculation\n    - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL\n    - asyn-ares: fix memory leak\n    - asyn-ares: initial HTTPS resolve support\n    - asyn-thread: use c-ares to resolve HTTPS RR\n    - async-thread: avoid closing eventfd twice\n    - cd2nroff: do not 
insist on quoted \u003c\u003e within backticks\n    - cd2nroff: support \"none\" as a TLS backend\n    - conncache: count shutdowns against host and max limits\n    - content_encoding: drop support for zlib before 1.2.0.4\n    - content_encoding: namespace GZIP flag constants\n    - content_encoding: put the decomp buffers into the writer structs\n    - content_encoding: support use of custom libzstd memory functions\n    - cookie: cap expire times to 400 days\n    - cookie: parse only the exact expire date\n    - curl: return error if etag options are used with multiple URLs\n    - curl_multi_fdset: include the shutdown connections in the set\n    - curl_sha512_256: rename symbols to the curl namespace\n    - curl_url_set.md: adjust the added-in to 7.62.0\n    - doh: send HTTPS RR requests for all HTTP(S) transfers\n    - easy: allow connect-only handle reuse with easy_perform\n    - easy: make curl_easy_perform() return error if connection still there\n    - easy_lock: use Sleep(1) for thread yield on old Windows\n    - ECH: update APIs to those agreed with OpenSSL maintainers\n    - GnuTLS: fix \u0027time_appconnect\u0027 for early data\n    - HTTP/2: strip TE request header\n    - http2: fix data_pending check\n    - http2: fix value stored to \u0027result\u0027 is never read\n    - http: ignore invalid Retry-After times\n    - http_aws_sigv4: Fix invalid compare function handling zero-length pairs\n    - https-connect: start next immediately on failure\n    - lib: redirect handling by protocol handler\n    - multi: fix curl_multi_waitfds reporting of fd_count\n    - netrc: \u0027default\u0027 with no credentials is not a match\n    - netrc: fix password-only entries\n    - netrc: restore _netrc fallback logic\n    - ngtcp2: fix memory leak on connect failure\n    - openssl: define `HAVE_KEYLOG_CALLBACK` before use\n    - openssl: fix ECH logic\n    - osslq: use SSL_poll to determine writeability of QUIC streams\n    - sectransp: free certificate on error\n    
- select: avoid a NULL deref in cwfds_add_sock\n    - src: omit hugehelp and ca-embed from libcurltool\n    - ssl session cache: change cache dimensions\n    - system.h: add 64-bit curl_off_t definitions for NonStop\n    - telnet: handle single-byte input option\n    - TLS: check connection for SSL use, not handler\n    - tool_formparse.c: make curlx_uztoso a static in here\n    - tool_formparse: accept digits in --form type= strings\n    - tool_getparam: ECH param parsing refix\n    - tool_getparam: fail --hostpubsha256 if libssh2 is not used\n    - tool_getparam: fix \"Ignored Return Value\"\n    - tool_getparam: fix memory leak on error in parse_ech\n    - tool_getparam: fix the ECH parser\n    - tool_operate: make --etag-compare always accept a non-existing file\n    - transfer: fix CURLOPT_CURLU override logic\n    - urlapi: fix redirect to a new fragment or query (only)\n    - vquic: make vquic_send_packets not return without setting psent\n    - vtls: fix default SSL backend as a fallback\n    - vtls: only remember the expiry timestamp in session cache\n    - websocket: fix message send corruption\n    - x509asn1: add parse recursion limit\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Micro-6.0-477",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20824-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:20824-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520824-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:20824-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042161.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1246197",
        "url": "https://bugzilla.suse.com/1246197"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1249191",
        "url": "https://bugzilla.suse.com/1249191"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1249348",
        "url": "https://bugzilla.suse.com/1249348"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1249367",
        "url": "https://bugzilla.suse.com/1249367"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-10148 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-10148/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-9086 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-9086/"
      }
    ],
    "title": "Security update for curl",
    "tracking": {
      "current_release_date": "2025-09-25T10:52:04Z",
      "generator": {
        "date": "2025-09-25T10:52:04Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:20824-1",
      "initial_release_date": "2025-09-25T10:52:04Z",
      "revision_history": [
        {
          "date": "2025-09-25T10:52:04Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-8.14.1-1.1.aarch64",
                "product": {
                  "name": "curl-8.14.1-1.1.aarch64",
                  "product_id": "curl-8.14.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-8.14.1-1.1.aarch64",
                "product": {
                  "name": "libcurl4-8.14.1-1.1.aarch64",
                  "product_id": "libcurl4-8.14.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-8.14.1-1.1.s390x",
                "product": {
                  "name": "curl-8.14.1-1.1.s390x",
                  "product_id": "curl-8.14.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-8.14.1-1.1.s390x",
                "product": {
                  "name": "libcurl4-8.14.1-1.1.s390x",
                  "product_id": "libcurl4-8.14.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-8.14.1-1.1.x86_64",
                "product": {
                  "name": "curl-8.14.1-1.1.x86_64",
                  "product_id": "curl-8.14.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-8.14.1-1.1.x86_64",
                "product": {
                  "name": "libcurl4-8.14.1-1.1.x86_64",
                  "product_id": "libcurl4-8.14.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Micro 6.0",
                "product": {
                  "name": "SUSE Linux Micro 6.0",
                  "product_id": "SUSE Linux Micro 6.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sl-micro:6.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-8.14.1-1.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:curl-8.14.1-1.1.aarch64"
        },
        "product_reference": "curl-8.14.1-1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-8.14.1-1.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:curl-8.14.1-1.1.s390x"
        },
        "product_reference": "curl-8.14.1-1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-8.14.1-1.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:curl-8.14.1-1.1.x86_64"
        },
        "product_reference": "curl-8.14.1-1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-8.14.1-1.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.aarch64"
        },
        "product_reference": "libcurl4-8.14.1-1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-8.14.1-1.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.s390x"
        },
        "product_reference": "libcurl4-8.14.1-1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-8.14.1-1.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.x86_64"
        },
        "product_reference": "libcurl4-8.14.1-1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-10148",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-10148"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "curl\u0027s websocket code did not update the 32 bit mask pattern for each new\n outgoing frame as the specification says. Instead it used a fixed mask that\npersisted and was used throughout the entire connection.\n\nA predictable mask pattern allows for a malicious server to induce traffic\nbetween the two communicating parties that could be interpreted by an involved\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\nand thereby poison its cache. That cached poisoned content could then be\nserved to all users of that proxy.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:curl-8.14.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:curl-8.14.1-1.1.s390x",
          "SUSE Linux Micro 6.0:curl-8.14.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.s390x",
          "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-10148",
          "url": "https://www.suse.com/security/cve/CVE-2025-10148"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1249348 for CVE-2025-10148",
          "url": "https://bugzilla.suse.com/1249348"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:curl-8.14.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:curl-8.14.1-1.1.s390x",
            "SUSE Linux Micro 6.0:curl-8.14.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.s390x",
            "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-09-25T10:52:04Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-10148"
    },
    {
      "cve": "CVE-2025-9086",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-9086"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n   hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path=\u0027/\u0027`).\n   Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n   boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:curl-8.14.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:curl-8.14.1-1.1.s390x",
          "SUSE Linux Micro 6.0:curl-8.14.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.s390x",
          "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-9086",
          "url": "https://www.suse.com/security/cve/CVE-2025-9086"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1249191 for CVE-2025-9086",
          "url": "https://bugzilla.suse.com/1249191"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:curl-8.14.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:curl-8.14.1-1.1.s390x",
            "SUSE Linux Micro 6.0:curl-8.14.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.s390x",
            "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:curl-8.14.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:curl-8.14.1-1.1.s390x",
            "SUSE Linux Micro 6.0:curl-8.14.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.s390x",
            "SUSE Linux Micro 6.0:libcurl4-8.14.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-09-25T10:52:04Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-9086"
    }
  ]
}

