SUSE-SU-2025:20239-1: moderate: Security update for curl
SLE-UPDATES
null at suse.de
Wed Jun 4 08:08:36 UTC 2025
# Security update for curl
Announcement ID: SUSE-SU-2025:20239-1
Release Date: 2025-03-13T10:37:02Z
Rating: moderate
References:
* bsc#1230093
* bsc#1232528
* bsc#1234068
* bsc#1236589
Cross-References:
* CVE-2024-11053
* CVE-2024-8096
* CVE-2024-9681
* CVE-2025-0665
CVSS scores:
* CVE-2024-11053 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-11053 ( NVD ): 3.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
* CVE-2024-8096 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-8096 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-8096 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-9681 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2024-9681 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-9681 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-9681 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
* CVE-2025-0665 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2025-0665 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2025-0665 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* SUSE Linux Micro 6.1
An update that solves four vulnerabilities can now be installed.
## Description:
This update for curl fixes the following issues:
Update to 8.12.1:
* Bugfixes:
* asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
* asyn-thread: fix HTTPS RR crash
* asyn-thread: fix the returned bitmask from Curl_resolver_getsock
* asyn-thread: survive a c-ares channel set to NULL
* cmake: always reference OpenSSL and ZLIB via imported targets
* cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
* cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
* content_encoding: #error on too old zlib
* imap: TLS upgrade fix
* ldap: drop support for legacy Novell LDAP SDK
* libssh2: comparison is always true because rc <= -1
* libssh2: raise lowest supported version to 1.2.8
* libssh: drop support for libssh older than 0.9.0
* openssl-quic: ignore ciphers for h3
* pop3: TLS upgrade fix
* runtests: fix the disabling of the memory tracking
* runtests: quote commands to support paths with spaces
* scache: add magic checks
* smb: silence '-Warray-bounds' with gcc 13+
* smtp: TLS upgrade fix
* tool_cfgable: sort struct fields by size, use bitfields for booleans
* tool_getparam: add "TLS required" flag for each such option
* vtls: fix multissl-init
* wakeup_write: make sure the eventfd write sends eight bytes
Update to 8.12.0:
* Security fixes:
* [bsc#1234068, CVE-2024-11053] curl could leak the password used for the first host to the followed-to host under certain circumstances.
* [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry
* [bsc#1236589, CVE-2025-0665] eventfd double close
* Changes:
* curl: add byte range support to --variable reading from file
* curl: make --etag-save acknowledge --create-dirs
* getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
* getinfo: provide info which auth was used for HTTP and proxy
* hyper: drop support
* openssl: add support to use keys and certificates from PKCS#11 provider
* QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
* vtls: feature ssls-export for SSL session im-/export
* Bugfixes:
* altsvc: avoid integer overflow in expire calculation
* asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
* asyn-ares: fix memory leak
* asyn-ares: initial HTTPS resolve support
* asyn-thread: use c-ares to resolve HTTPS RR
* async-thread: avoid closing eventfd twice
* cd2nroff: do not insist on quoted <> within backticks
* cd2nroff: support "none" as a TLS backend
* conncache: count shutdowns against host and max limits
* content_encoding: drop support for zlib before 1.2.0.4
* content_encoding: namespace GZIP flag constants
* content_encoding: put the decomp buffers into the writer structs
* content_encoding: support use of custom libzstd memory functions
* cookie: cap expire times to 400 days
* cookie: parse only the exact expire date
* curl: return error if etag options are used with multiple URLs
* curl_multi_fdset: include the shutdown connections in the set
* curl_sha512_256: rename symbols to the curl namespace
* curl_url_set.md: adjust the added-in to 7.62.0
* doh: send HTTPS RR requests for all HTTP(S) transfers
* easy: allow connect-only handle reuse with easy_perform
* easy: make curl_easy_perform() return error if connection still there
* easy_lock: use Sleep(1) for thread yield on old Windows
* ECH: update APIs to those agreed with OpenSSL maintainers
* GnuTLS: fix 'time_appconnect' for early data
* HTTP/2: strip TE request header
* http2: fix data_pending check
* http2: fix value stored to 'result' is never read
* http: ignore invalid Retry-After times
* http_aws_sigv4: Fix invalid compare function handling zero-length pairs
* https-connect: start next immediately on failure
* lib: redirect handling by protocol handler
* multi: fix curl_multi_waitfds reporting of fd_count
* netrc: 'default' with no credentials is not a match
* netrc: fix password-only entries
* netrc: restore _netrc fallback logic
* ngtcp2: fix memory leak on connect failure
* openssl: define `HAVE_KEYLOG_CALLBACK` before use
* openssl: fix ECH logic
* osslq: use SSL_poll to determine writeability of QUIC streams
* sectransp: free certificate on error
* select: avoid a NULL deref in cwfds_add_sock
* src: omit hugehelp and ca-embed from libcurltool
* ssl session cache: change cache dimensions
* system.h: add 64-bit curl_off_t definitions for NonStop
* telnet: handle single-byte input option
* TLS: check connection for SSL use, not handler
* tool_formparse.c: make curlx_uztoso a static in here
* tool_formparse: accept digits in --form type= strings
* tool_getparam: ECH param parsing refix
* tool_getparam: fail --hostpubsha256 if libssh2 is not used
* tool_getparam: fix "Ignored Return Value"
* tool_getparam: fix memory leak on error in parse_ech
* tool_getparam: fix the ECH parser
* tool_operate: make --etag-compare always accept a non-existing file
* transfer: fix CURLOPT_CURLU override logic
* urlapi: fix redirect to a new fragment or query (only)
* vquic: make vquic_send_packets not return without setting psent
* vtls: fix default SSL backend as a fallback
* vtls: only remember the expiry timestamp in session cache
* websocket: fix message send corruption
* x509asn1: add parse recursion limit
Update to 8.11.1:
* Security fixes:
* netrc and redirect credential leak [bsc#1234068, CVE-2024-11053]
* Bugfixes:
* build: fix ECH to always enable HTTPS RR
* cookie: treat cookie name case sensitively
* curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected
* curl: use realtime in trace timestamps
* digest: produce a shorter cnonce in Digest headers
* docs: document default 'User-Agent'
* docs: suggest --ssl-reqd instead of --ftp-ssl
* duphandle: also init netrc
* hostip: don't use the resolver for FQDN localhost
* http_negotiate: allow for a one byte larger channel binding buffer
* krb5: fix socket/sockindex confusion, MSVC compiler warnings
* libssh: use libssh sftp_aio to upload file
* libssh: when using IPv6 numerical address, add brackets
* mime: fix reader stall on small read lengths
* mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
* mprintf: fix the integer overflow checks
* multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when...
* netrc: address several netrc parser flaws
* netrc: support large file, longer lines, longer tokens
* nghttp2: use custom memory functions
* OpenSSL: improve error message on expired certificate
* openssl: remove three "Useless Assignments"
* openssl: stop using SSL_CTX_ function prefix for our functions
* pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS
* rtsp: check EOS in the RTSP receive and return an error code
* schannel: remove TLS 1.3 ciphersuite-list support
* setopt: fix CURLOPT_HTTP_CONTENT_DECODING
* setopt: fix missing options for builds without HTTP & MQTT
* socket: handle binding to "host!<ip>"
* socketpair: fix enabling 'USE_EVENTFD'
* strtok: use namespaced 'strtok_r' macro instead of redefining it
Update to 8.11.0:
* Security fixes:
* [bsc#1232528, CVE-2024-9681] curl: HSTS subdomain overwrites parent cache entry
* Changes:
* curl: --create-dirs works for --dump-header as well
* gtls: Add P12 format support
* ipfs: add options to disable
* TLS: TLSv1.3 earlydata support for curl
* WebSockets: make support official (non-experimental)
* Bugfixes:
* build: clarify CA embed is for curl tool, mark default, improve summary
* build: show if CA bundle to embed was found
* build: tidy up and improve versioned-symbols options
* cmake/FindNGTCP2: use library path as hint for finding crypto module
* cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
* cmake: rename LDAP dependency config variables to match Find modules
* cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
* cmake: use OpenSSL for LDAP detection only if available
* curl: add build options for safe/no CA bundle search (Windows)
* curl: detect ECH support dynamically, not at build time
* curl_addrinfo: support operating systems with only getaddrinfo(3)
* ftp: fix 0-length last write on upload from stdin
* gnutls: use session cache for QUIC
* hsts: improve subdomain handling
* hsts: support "implied LWS" properly around max-age
* http2: auto reset stream on server eos
* json.md: cli-option '--json' is an alias of '--data-binary'
* lib: move curl_path.[ch] into vssh/
* lib: remove function pointer typecasts for hmac/sha256/md5
* libssh.c: handle EAGAIN during proto-connect correctly
* libssh2: use the filename buffer when getting the homedir
* multi.c: warn/assert on stall only without timer
* negotiate: conditional check around GSS & SSL specific code
* netrc: cache the netrc file in memory
* ngtcp2: do not loop on recv
* ngtcp2: set max window size to 10x of initial (128KB)
* openssl quic: populate x509 store before handshake
* openssl: extend the OpenSSL error messages
* openssl: improve retries on shutdown
* quic: use send/recvmmsg when available
* schannel: fix TLS cert verification by IP SAN
* schannel: ignore error on recv beyond close notify
* select: use poll() if existing, avoid poll() with no sockets
* sendf: add condition to max-filesize check
* server/mqttd: fix two memory leaks
* setopt: return error for bad input to CURLOPT_RTSP_REQUEST
* setopt_cptr: make overflow check only done when needed
* tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED
* tool: support --show-headers AND --remote-header-name
* tool_operate: make --skip-existing work for --parallel
* url: connection reuse on h3 connections
* url: use same credentials on redirect
* urlapi: normalize the IPv6 address
* version: say quictls in MSH3 builds
* vquic: fix compiler warning with gcc + MUSL
* vquic: recv_mmsg, use fewer, but larger buffers
* vtls: convert Curl_pin_peer_pubkey to use dynbuf
* vtls: convert pubkey_pem_to_der to use dynbuf
Update to 8.10.1:
* Bugfixes:
* autotools: fix `--with-ca-embed` build rule
* cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
* cmake: fix MSH3 to appear on the feature list
* connect: store connection info when really done
* FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
* http2: when uploading data from stdin, fix eos forwarding
* http: make max-filesize check not count ignored bodies
* lib: fix AF_INET6 use outside of USE_IPV6
* multi: check that the multi handle is valid in curl_multi_assign
* QUIC: on connect, keep on trying on draining server
* request: correctly reset the eos_sent flag
* setopt: remove superfluous use of ternary expressions
* singleuse: drop `Curl_memrchr()` for no-HTTP builds
* tool_cb_wrt: use "curl_response" if no file name in URL
* transfer: fix sendrecv() without interim poll
* vtls: fix `Curl_ssl_conn_config_match` doc param
Update to version 8.10.0:
* Security fixes:
* [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS
* Changes:
* curl: make --rate accept "number of units"
* curl: make --show-headers the same as --include
* curl: support --dump-header % to direct to stderr
* curl: support embedding a CA bundle and --dump-ca-embed
* curl: support repeated use of the verbose option; -vv etc
* curl: use libuv for parallel transfers with --test-event
* vtls: stop offering alpn http/1.1 for http2-prior-knowledge
* Bugfixes:
* curl: allow 500MB data URL encode strings
* curl: warn on unsupported SSL options
* Curl_rand_bytes to control env override
* curl_sha512_256: fix symbol collisions with nettle library
* dist: fix reproducible build from release tarball
* http2: fix GOAWAY message sent to server
* http2: improve rate limiting of downloads
* INSTALL.md: MultiSSL and QUIC are mutually exclusive
* lib: add eos flag to send methods
* lib: make SSPI global symbols use Curl_ prefix
* lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name
* lib: remove the final strncpy() calls
* lib: remove use of RANDOM_FILE
* Makefile.mk: fixup enabling libidn2
* max-filesize.md: mention zero disables the limit
* mime: avoid infinite loop in client reader
* ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
* openssl quic: fix memory leak
* openssl: certinfo errors now fail correctly
* openssl: fix the data race when sharing an SSL session between threads
* openssl: improve shutdown handling
* POP3: fix multi-line responses
* pop3: use the protocol handler ->write_resp
* progress: ratelimit/progress tweaks
* rand: only provide weak random when needed
* sectransp: fix setting tls version
* setopt: make CURLOPT_TFTP_BLKSIZE accept bad values
* sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL
* sigpipe: init the struct so that first apply ignores
* smb: convert superfluous assign into assert
* smtp: add tracing feature
* spnego_gssapi: implement TLS channel bindings for openssl
* src: delete `curlx_m*printf()` aliases
* ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)
* tool_operhlp: fix "potentially uninitialized local variable 'pc' used"
* tool_paramhlp: bump maximum post data size in memory to 16GB
* transfer: skip EOS read when download done
* url: fix connection reuse for HTTP/2 upgrades
* urlapi: verify URL _decoded_ hostname when set
* urldata: introduce `data->mid`, a unique identifier inside a multi
* vtls: add SSLSUPP_CIPHER_LIST
* vtls: fix static function name collisions between TLS backends
* vtls: init ssl peer only once
* websocket: introduce blocking sends
* ws: flags to opcodes should ignore CURLWS_CONT flag
* x509asn1: raise size limit for x509 certification information
## Patch Instructions:
To install this SUSE update, use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.1
zypper in -t patch SUSE-SLE-Micro-6.1-44=1
## Package List:
* SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
* curl-debugsource-8.12.1-slfo.1.1_1.1
* curl-8.12.1-slfo.1.1_1.1
* libcurl4-8.12.1-slfo.1.1_1.1
* libcurl4-debuginfo-8.12.1-slfo.1.1_1.1
* curl-debuginfo-8.12.1-slfo.1.1_1.1
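As an added example (not part of the advisory, nor of SUSE's or curl's tooling), the following Python script checks an inventory of installed packages against the fixed builds in the Package List above. It reimplements rpm's version-comparison algorithm (rpmvercmp, including the '~' and '^' rules) so that it runs without librpm; the inventory text embedded in it is constructed sample data in the shape of `rpm -qa --qf` output, not output captured from a real host.

```python
r"""Check installed curl packages against the fixed builds in
SUSE-SU-2025:20239-1 using RPM's version-ordering rules.

Added example, not part of the advisory or of SUSE/curl tooling.  rpmvercmp()
below is a Python reimplementation of the segment algorithm in rpm's
rpmvercmp.c (no librpm needed).  SAMPLE_INVENTORY is constructed test data in
the shape produced by
    rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
and is not output from any real host.
"""
import re

# Fixed builds for SUSE Linux Micro 6.1, copied from the advisory's Package List.
FIXED = {
    "curl": "8.12.1-slfo.1.1_1.1",
    "libcurl4": "8.12.1-slfo.1.1_1.1",
}


def _is_alnum(c: str) -> bool:
    # rpm uses ASCII-only isalnum(); str.isalnum() alone would accept Unicode.
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering version (or release) strings as rpm does:
    strings are cut into runs of digits or runs of letters; digit runs compare
    numerically, letter runs lexically, a digit run beats a letter run, '~'
    sorts before everything (pre-release) and '^' sorts after the bare base
    version but before any other suffix (post-release snapshot)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators other than '~' and '^' carry no meaning: skip them.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break  # one side ran out; whoever has characters left wins
        # Take the next all-digit or all-letter segment from each side.
        isnum = ca.isdigit()
        pattern = r"[0-9]*" if isnum else r"[A-Za-z]*"
        sa = re.match(pattern, a[i:]).group(0)
        sb = re.match(pattern, b[j:]).group(0)
        if not sb:
            return 1 if isnum else -1  # numeric segment is newer than alpha
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more significant digits = bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evrcmp(a: str, b: str) -> int:
    """Compare two 'epoch:version-release' strings: epoch first, then version,
    then release.  A missing or '(none)' epoch counts as 0, as in rpm."""
    def split(evr: str):
        epoch, sep, rest = evr.partition(":")
        if not sep:
            epoch, rest = "0", evr
        if epoch in ("", "(none)"):
            epoch = "0"
        version, sep, release = rest.rpartition("-")
        if not sep:
            version, release = release, ""
        return epoch, version, release
    for x, y in zip(split(a), split(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def outdated(inventory: str, fixed=FIXED) -> dict:
    """Parse 'NAME EPOCH:VERSION-RELEASE' lines; for each package the advisory
    ships, report True when the installed build is older than the fixed one."""
    result = {}
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        name, evr = fields
        if name in fixed:
            result[name] = evrcmp(evr, fixed[name]) < 0
    return result


# Constructed sample (not real host output): libcurl4 still on the previous
# build, curl already on the fixed build, one unrelated package.
SAMPLE_INVENTORY = """\
libcurl4 (none):8.11.1-slfo.1.1_1.1
curl (none):8.12.1-slfo.1.1_1.1
openssl (none):3.2.3-slfo.1.1_1.1
"""

if __name__ == "__main__":
    for name, old in outdated(SAMPLE_INVENTORY).items():
        print(f"{name}: {'needs update' if old else 'fixed'}")
```

On a real host, feed it the output of `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' curl libcurl4` instead of SAMPLE_INVENTORY. Two caveats for the check: a fixed libcurl4 on disk does not protect processes that already have the old library mapped (`zypper ps` lists such processes), and on SUSE Linux Micro the update is written to a new snapshot and only becomes active after the next reboot, so an inventory taken before that reboot still reflects the running system.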
## References:
* https://www.suse.com/security/cve/CVE-2024-11053.html
* https://www.suse.com/security/cve/CVE-2024-8096.html
* https://www.suse.com/security/cve/CVE-2024-9681.html
* https://www.suse.com/security/cve/CVE-2025-0665.html
* https://bugzilla.suse.com/show_bug.cgi?id=1230093
* https://bugzilla.suse.com/show_bug.cgi?id=1232528
* https://bugzilla.suse.com/show_bug.cgi?id=1234068
* https://bugzilla.suse.com/show_bug.cgi?id=1236589