SUSE-SU-2025:20824-1: important: Security update for curl
SLE-SECURITY-UPDATES
null at suse.de
Tue Oct 14 12:31:45 UTC 2025
# Security update for curl
Announcement ID: SUSE-SU-2025:20824-1
Release Date: 2025-09-25T10:50:20Z
Rating: important
References:
* bsc#1246197
* bsc#1249191
* bsc#1249348
* bsc#1249367
* jsc#PED-13055
* jsc#PED-13056
Cross-References:
* CVE-2025-10148
* CVE-2025-9086
CVSS scores:
* CVE-2025-10148 (NVD): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-9086 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-9086 (NVD): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* SUSE Linux Micro 6.0
An update that solves two vulnerabilities, contains two features and has two fixes can now be installed.
## Description:
This update for curl fixes the following issues:
* CVE-2025-9086: Fixed out-of-bounds read for cookie path (bsc#1249191)
* CVE-2025-10148: Fixed predictable WebSocket mask (bsc#1249348)
* Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
* tool_operate: fix return code when --retry is used but not triggered [bsc#1249367]
* Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056]
* Add _multibuild
* Bugfixes:
* asyn-thrdd: fix cleanup when RR fails due to OOM
* ftp: fix teardown of DATA connection in done
* http: fail early when rewind of input failed when following redirects
* multi: fix add_handle resizing
* tls BIOs: handle BIO_CTRL_EOF correctly
* tool_getparam: make --no-anyauth not be accepted
* wolfssl: fix sending of early data
* ws: handle blocked sends better
* ws: tests and fixes
* Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]
* Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE.
* Add libssh minimum version requirements.
* Use ldconfig_scriptlets when available.
* Remove unused option --disable-ntlm-wb.
* Update to 8.14.0:
* Changes:
* mqtt: send ping at upkeep interval
* schannel: handle pkcs12 client certificates containing CA certificates
* TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
* vquic: ngtcp2 + openssl support
* wcurl: import v2025.04.20 script + docs
* websocket: add option to disable auto-pong reply
* Bugfixes:
* asyn-thrdd: fix detach from running thread
* async-threaded resolver: use ref counter
* async: DoH improvements
* build: enable gcc-12/13+, clang-10+ picky warnings
* build: enable gcc-15 picky warnings
* certs: drop unused `default_bits` from `.prm` files
* cf-https-connect: use the passed in dns struct pointer
* cf-socket: fix FTP accept connect
* cfilters: remove assert
* cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
* cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
* cmake: revert `CURL_LTO` behavior for multi-config generators
* configure: fix --disable-rt
* CONTRIBUTE: add project guidelines for AI use
* cpool/cshutdown: force close connections under pressure
* curl: fix memory leak when -h is used in config file
* curl_get_line: handle lines ending on the buffer boundary
* headers: enforce a max number of response header to accept
* http: fix HTTP/2 handling of TE request header using "trailers"
* lib: include files using known path
* lib: unify conversions to/from hex
* libssh: add NULL check for Curl_meta_get()
* libssh: fix memory leak
* mqtt: use conn/easy meta hash
* multi: do transfer book keeping using mid
* multi: init_do(): check result
* netrc: avoid NULL deref on weird input
* netrc: avoid strdup NULL
* netrc: deal with null token better
* openssl-quic: avoid potential `-Wnull-dereference`, add assert
* openssl-quic: fix shutdown when stream not open
* openssl: enable builds for _both_ engines and providers
* openssl: set the cipher string before doing private cert
* progress: avoid integer overflow when gathering total transfer size
* rand: update comment on Curl_rand_bytes weak random
* rustls: make max size of cert and key reasonable
* smb: avoid integer overflow on weird input date
* urlapi: redirecting to "" is considered fine
* Update to 8.13.0:
* Changes:
* curl: add write-out variable 'tls_earlydata'
* curl: make --url support a file with URLs
* gnutls: set priority via --ciphers
* IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
* lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
* OpenSSL/quictls: add support for TLSv1.3 early data
* rustls: add support for CERTINFO
* rustls: add support for SSLKEYLOGFILE
* rustls: support ECH w/ DoH lookup for config
* rustls: support native platform verifier
* var: add a '64dec' function that can base64 decode a string
* Bugfixes:
* conn: fix connection reuse when SSL is optional
* hash: use single linked list for entries
* http2: detect session being closed on ingress handling
* http2: reset stream on response header error
* http: remove a HTTP method size restriction
* http: version negotiation
* httpsrr: fix port detection
* libssh: fix freeing of resources in disconnect
* libssh: fix scp large file upload for 32-bit size_t systems
* openssl-quic: do not iterate over multi handles
* openssl: check return value of X509_get0_pubkey
* openssl: drop support for old OpenSSL/LibreSSL versions
* openssl: fix crash on missing cert password
* openssl: fix pkcs11 URI checking for key files.
* openssl: remove bad `goto`s into other scope
* setopt: illegal CURLOPT_SOCKS5_AUTH should return error
* setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
* sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version
* sshserver: fix excluding obsolete client config lines
* SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
* tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
* tool_operate: fail SSH transfers without server auth
* url: call protocol handler's disconnect in Curl_conn_free
* urlapi: remove percent encoded dot sequences from the URL path
* urldata: remove 'hostname' from struct Curl_async
* Update to 8.12.1:
* Bugfixes:
* asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
* asyn-thread: fix HTTPS RR crash
* asyn-thread: fix the returned bitmask from Curl_resolver_getsock
* asyn-thread: survive a c-ares channel set to NULL
* cmake: always reference OpenSSL and ZLIB via imported targets
* cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
* cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
* content_encoding: #error on too old zlib
* imap: TLS upgrade fix
* ldap: drop support for legacy Novell LDAP SDK
* libssh2: comparison is always true because rc <= -1
* libssh2: raise lowest supported version to 1.2.8
* libssh: drop support for libssh older than 0.9.0
* openssl-quic: ignore ciphers for h3
* pop3: TLS upgrade fix
* runtests: fix the disabling of the memory tracking
* runtests: quote commands to support paths with spaces
* scache: add magic checks
* smb: silence '-Warray-bounds' with gcc 13+
* smtp: TLS upgrade fix
* tool_cfgable: sort struct fields by size, use bitfields for booleans
* tool_getparam: add "TLS required" flag for each such option
* vtls: fix multissl-init
* wakeup_write: make sure the eventfd write sends eight bytes
* Update to 8.12.0:
* Changes:
* curl: add byte range support to --variable reading from file
* curl: make --etag-save acknowledge --create-dirs
* getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
* getinfo: provide info which auth was used for HTTP and proxy
* hyper: drop support
* openssl: add support to use keys and certificates from PKCS#11 provider
* QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
* vtls: feature ssls-export for SSL session im-/export
* Bugfixes:
* altsvc: avoid integer overflow in expire calculation
* asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
* asyn-ares: fix memory leak
* asyn-ares: initial HTTPS resolve support
* asyn-thread: use c-ares to resolve HTTPS RR
* async-thread: avoid closing eventfd twice
* cd2nroff: do not insist on quoted <> within backticks
* cd2nroff: support "none" as a TLS backend
* conncache: count shutdowns against host and max limits
* content_encoding: drop support for zlib before 1.2.0.4
* content_encoding: namespace GZIP flag constants
* content_encoding: put the decomp buffers into the writer structs
* content_encoding: support use of custom libzstd memory functions
* cookie: cap expire times to 400 days
* cookie: parse only the exact expire date
* curl: return error if etag options are used with multiple URLs
* curl_multi_fdset: include the shutdown connections in the set
* curl_sha512_256: rename symbols to the curl namespace
* curl_url_set.md: adjust the added-in to 7.62.0
* doh: send HTTPS RR requests for all HTTP(S) transfers
* easy: allow connect-only handle reuse with easy_perform
* easy: make curl_easy_perform() return error if connection still there
* easy_lock: use Sleep(1) for thread yield on old Windows
* ECH: update APIs to those agreed with OpenSSL maintainers
* GnuTLS: fix 'time_appconnect' for early data
* HTTP/2: strip TE request header
* http2: fix data_pending check
* http2: fix value stored to 'result' is never read
* http: ignore invalid Retry-After times
* http_aws_sigv4: Fix invalid compare function handling zero-length pairs
* https-connect: start next immediately on failure
* lib: redirect handling by protocol handler
* multi: fix curl_multi_waitfds reporting of fd_count
* netrc: 'default' with no credentials is not a match
* netrc: fix password-only entries
* netrc: restore _netrc fallback logic
* ngtcp2: fix memory leak on connect failure
* openssl: define `HAVE_KEYLOG_CALLBACK` before use
* openssl: fix ECH logic
* osslq: use SSL_poll to determine writeability of QUIC streams
* sectransp: free certificate on error
* select: avoid a NULL deref in cwfds_add_sock
* src: omit hugehelp and ca-embed from libcurltool
* ssl session cache: change cache dimensions
* system.h: add 64-bit curl_off_t definitions for NonStop
* telnet: handle single-byte input option
* TLS: check connection for SSL use, not handler
* tool_formparse.c: make curlx_uztoso a static in here
* tool_formparse: accept digits in --form type= strings
* tool_getparam: ECH param parsing refix
* tool_getparam: fail --hostpubsha256 if libssh2 is not used
* tool_getparam: fix "Ignored Return Value"
* tool_getparam: fix memory leak on error in parse_ech
* tool_getparam: fix the ECH parser
* tool_operate: make --etag-compare always accept a non-existing file
* transfer: fix CURLOPT_CURLU override logic
* urlapi: fix redirect to a new fragment or query (only)
* vquic: make vquic_send_packets not return without setting psent
* vtls: fix default SSL backend as a fallback
* vtls: only remember the expiry timestamp in session cache
* websocket: fix message send corruption
* x509asn1: add parse recursion limit
## Patch Instructions:
To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-477=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* curl-8.14.1-1.1
* libcurl4-8.14.1-1.1
* curl-debuginfo-8.14.1-1.1
* curl-debugsource-8.14.1-1.1
* libcurl4-debuginfo-8.14.1-1.1
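The following script is an added example, not part of the SUSE advisory or of the curl project. It checks whether the curl packages installed on a SUSE Linux Micro 6.0 host already carry the fixed builds listed in the package list above (8.14.1-1.1), which is the check an operator wants before and after running the `zypper in -t patch` command from the Patch Instructions. It assumes GNU coreutils `sort -V` for version ordering (an approximation of rpm's own comparison that is exact for the versions involved here) and `rpm` for querying a live system; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory or the curl project): verify that
# the installed curl packages meet the fixed versions of SUSE-SU-2025:20824-1.
#
# Assumptions: GNU `sort -V` is available for version ordering, and `rpm` is
# present when a live system is queried.

# Fixed package versions taken from the advisory's package list.
fixed_version_for() {
    case "$1" in
        curl|libcurl4|curl-debuginfo|curl-debugsource|libcurl4-debuginfo)
            printf '%s\n' "8.14.1-1.1" ;;
        *)
            return 1 ;;   # package not covered by this advisory
    esac
}

# version_ge A B: succeeds when version-release string A orders at or above B.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# is_patched PKG VERSION: succeeds when VERSION of PKG meets the fixed build.
# Returns 2 when PKG is not part of the advisory at all.
is_patched() {
    fixed=$(fixed_version_for "$1") || return 2
    version_ge "$2" "$fixed"
}

# check_installed PKG: query the RPM database and report. Returns 0 when the
# fixed build is installed, 1 when an older build is installed, 3 when absent.
check_installed() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) || {
        echo "$1: not installed"
        return 3
    }
    if is_patched "$1" "$installed"; then
        echo "$1 $installed: patched (SUSE-SU-2025:20824-1)"
    else
        echo "$1 $installed: older than 8.14.1-1.1," \
             "apply: zypper in -t patch SUSE-SLE-Micro-6.0-477=1"
        return 1
    fi
}

# Only touch the RPM database when rpm is present (e.g. on the Micro 6.0 host).
if command -v rpm >/dev/null 2>&1; then
    for p in curl libcurl4; do
        check_installed "$p"
    done
fi
```

On a host where `zypper patch` has already been applied, both `check_installed` calls report the package as patched; on an unpatched host the script names the exact `zypper` command from the Patch Instructions. The debuginfo packages share the same fixed version and can be checked the same way.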
## References:
* https://www.suse.com/security/cve/CVE-2025-10148.html
* https://www.suse.com/security/cve/CVE-2025-9086.html
* https://bugzilla.suse.com/show_bug.cgi?id=1246197
* https://bugzilla.suse.com/show_bug.cgi?id=1249191
* https://bugzilla.suse.com/show_bug.cgi?id=1249348
* https://bugzilla.suse.com/show_bug.cgi?id=1249367
* https://jira.suse.com/browse/PED-13055
* https://jira.suse.com/browse/PED-13056