Security update for curl

Announcement ID: SUSE-SU-2025:20824-1
Release Date: 2025-09-25T10:50:20Z
Rating: important
References:
  • CVE-2025-10148, CVE-2025-9086
  • bsc#1246197, bsc#1249191, bsc#1249348, bsc#1249367
  • jsc#PED-13055, jsc#PED-13056
CVSS scores:
  • CVE-2025-10148 (NVD): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2025-9086 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2025-9086 (NVD): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Micro 6.0

An update that solves two vulnerabilities, contains two features and has two fixes can now be installed.

Description:

This update for curl fixes the following issues:

  • CVE-2025-9086: Fixed an out-of-bounds read in cookie path handling (bsc#1249191)
  • CVE-2025-10148: Fixed a predictable WebSocket mask (bsc#1249348)
  • Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
  • tool_operate: fix return code when --retry is used but not triggered [bsc#1249367]

  • Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056]

  • Add _multibuild
  • Bugfixes:

    • asyn-thrdd: fix cleanup when RR fails due to OOM
    • ftp: fix teardown of DATA connection in done
    • http: fail early when rewind of input failed when following redirects
    • multi: fix add_handle resizing
    • tls BIOs: handle BIO_CTRL_EOF correctly
    • tool_getparam: make --no-anyauth not be accepted
    • wolfssl: fix sending of early data
    • ws: handle blocked sends better
    • ws: tests and fixes
  • Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]

  • Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE.

  • Add libssh minimum version requirements.
  • Use ldconfig_scriptlets when available.
  • Remove unused option --disable-ntlm-wb.

  • Update to 8.14.0:

  • Changes:

    • mqtt: send ping at upkeep interval
    • schannel: handle pkcs12 client certificates containing CA certificates
    • TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
    • vquic: ngtcp2 + openssl support
    • wcurl: import v2025.04.20 script + docs
    • websocket: add option to disable auto-pong reply
  • Bugfixes:

    • asyn-thrdd: fix detach from running thread
    • async-threaded resolver: use ref counter
    • async: DoH improvements
    • build: enable gcc-12/13+, clang-10+ picky warnings
    • build: enable gcc-15 picky warnings
    • certs: drop unused default_bits from .prm files
    • cf-https-connect: use the passed in dns struct pointer
    • cf-socket: fix FTP accept connect
    • cfilters: remove assert
    • cmake: fix nghttp3 static linking with USE_OPENSSL_QUIC=ON
    • cmake: prefer COMPILE_OPTIONS over CMAKE_C_FLAGS for custom C options
    • cmake: revert CURL_LTO behavior for multi-config generators
    • configure: fix --disable-rt
    • CONTRIBUTE: add project guidelines for AI use
    • cpool/cshutdown: force close connections under pressure
    • curl: fix memory leak when -h is used in config file
    • curl_get_line: handle lines ending on the buffer boundary
    • headers: enforce a max number of response headers to accept
    • http: fix HTTP/2 handling of TE request header using "trailers"
    • lib: include files using known path
    • lib: unify conversions to/from hex
    • libssh: add NULL check for Curl_meta_get()
    • libssh: fix memory leak
    • mqtt: use conn/easy meta hash
    • multi: do transfer book keeping using mid
    • multi: init_do(): check result
    • netrc: avoid NULL deref on weird input
    • netrc: avoid strdup NULL
    • netrc: deal with null token better
    • openssl-quic: avoid potential -Wnull-dereference, add assert
    • openssl-quic: fix shutdown when stream not open
    • openssl: enable builds for both engines and providers
    • openssl: set the cipher string before doing private cert
    • progress: avoid integer overflow when gathering total transfer size
    • rand: update comment on Curl_rand_bytes weak random
    • rustls: make max size of cert and key reasonable
    • smb: avoid integer overflow on weird input date
    • urlapi: redirecting to "" is considered fine
  • Update to 8.13.0:

  • Changes:

    • curl: add write-out variable 'tls_earlydata'
    • curl: make --url support a file with URLs
    • gnutls: set priority via --ciphers
    • IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
    • lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
    • OpenSSL/quictls: add support for TLSv1.3 early data
    • rustls: add support for CERTINFO
    • rustls: add support for SSLKEYLOGFILE
    • rustls: support ECH w/ DoH lookup for config
    • rustls: support native platform verifier
    • var: add a '64dec' function that can base64 decode a string
  • Bugfixes:

    • conn: fix connection reuse when SSL is optional
    • hash: use single linked list for entries
    • http2: detect session being closed on ingress handling
    • http2: reset stream on response header error
    • http: remove a HTTP method size restriction
    • http: version negotiation
    • httpsrr: fix port detection
    • libssh: fix freeing of resources in disconnect
    • libssh: fix scp large file upload for 32-bit size_t systems
    • openssl-quic: do not iterate over multi handles
    • openssl: check return value of X509_get0_pubkey
    • openssl: drop support for old OpenSSL/LibreSSL versions
    • openssl: fix crash on missing cert password
    • openssl: fix pkcs11 URI checking for key files
    • openssl: remove bad gotos into other scope
    • setopt: illegal CURLOPT_SOCKS5_AUTH should return error
    • setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
    • sshserver.pl: adjust AuthorizedKeysFile2 cutoff version
    • sshserver: fix excluding obsolete client config lines
    • SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
    • tftpd: prefix TFTP protocol error E* constants with TFTP_
    • tool_operate: fail SSH transfers without server auth
    • url: call protocol handler's disconnect in Curl_conn_free
    • urlapi: remove percent encoded dot sequences from the URL path
    • urldata: remove 'hostname' from struct Curl_async
  • Update to 8.12.1:

  • Bugfixes:

    • asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
    • asyn-thread: fix HTTPS RR crash
    • asyn-thread: fix the returned bitmask from Curl_resolver_getsock
    • asyn-thread: survive a c-ares channel set to NULL
    • cmake: always reference OpenSSL and ZLIB via imported targets
    • cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
    • cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
    • content_encoding: #error on too old zlib
    • imap: TLS upgrade fix
    • ldap: drop support for legacy Novell LDAP SDK
    • libssh2: comparison is always true because rc <= -1
    • libssh2: raise lowest supported version to 1.2.8
    • libssh: drop support for libssh older than 0.9.0
    • openssl-quic: ignore ciphers for h3
    • pop3: TLS upgrade fix
    • runtests: fix the disabling of the memory tracking
    • runtests: quote commands to support paths with spaces
    • scache: add magic checks
    • smb: silence '-Warray-bounds' with gcc 13+
    • smtp: TLS upgrade fix
    • tool_cfgable: sort struct fields by size, use bitfields for booleans
    • tool_getparam: add "TLS required" flag for each such option
    • vtls: fix multissl-init
    • wakeup_write: make sure the eventfd write sends eight bytes
  • Update to 8.12.0:

  • Changes:

    • curl: add byte range support to --variable reading from file
    • curl: make --etag-save acknowledge --create-dirs
    • getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
    • getinfo: provide info which auth was used for HTTP and proxy
    • hyper: drop support
    • openssl: add support to use keys and certificates from PKCS#11 provider
    • QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
    • vtls: feature ssls-export for SSL session im-/export
  • Bugfixes:

    • altsvc: avoid integer overflow in expire calculation
    • asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
    • asyn-ares: fix memory leak
    • asyn-ares: initial HTTPS resolve support
    • asyn-thread: use c-ares to resolve HTTPS RR
    • async-thread: avoid closing eventfd twice
    • cd2nroff: do not insist on quoted <> within backticks
    • cd2nroff: support "none" as a TLS backend
    • conncache: count shutdowns against host and max limits
    • content_encoding: drop support for zlib before 1.2.0.4
    • content_encoding: namespace GZIP flag constants
    • content_encoding: put the decomp buffers into the writer structs
    • content_encoding: support use of custom libzstd memory functions
    • cookie: cap expire times to 400 days
    • cookie: parse only the exact expire date
    • curl: return error if etag options are used with multiple URLs
    • curl_multi_fdset: include the shutdown connections in the set
    • curl_sha512_256: rename symbols to the curl namespace
    • curl_url_set.md: adjust the added-in to 7.62.0
    • doh: send HTTPS RR requests for all HTTP(S) transfers
    • easy: allow connect-only handle reuse with easy_perform
    • easy: make curl_easy_perform() return error if connection still there
    • easy_lock: use Sleep(1) for thread yield on old Windows
    • ECH: update APIs to those agreed with OpenSSL maintainers
    • GnuTLS: fix 'time_appconnect' for early data
    • HTTP/2: strip TE request header
    • http2: fix data_pending check
    • http2: fix value stored to 'result' is never read
    • http: ignore invalid Retry-After times
    • http_aws_sigv4: Fix invalid compare function handling zero-length pairs
    • https-connect: start next immediately on failure
    • lib: redirect handling by protocol handler
    • multi: fix curl_multi_waitfds reporting of fd_count
    • netrc: 'default' with no credentials is not a match
    • netrc: fix password-only entries
    • netrc: restore _netrc fallback logic
    • ngtcp2: fix memory leak on connect failure
    • openssl: define HAVE_KEYLOG_CALLBACK before use
    • openssl: fix ECH logic
    • osslq: use SSL_poll to determine writeability of QUIC streams
    • sectransp: free certificate on error
    • select: avoid a NULL deref in cwfds_add_sock
    • src: omit hugehelp and ca-embed from libcurltool
    • ssl session cache: change cache dimensions
    • system.h: add 64-bit curl_off_t definitions for NonStop
    • telnet: handle single-byte input option
    • TLS: check connection for SSL use, not handler
    • tool_formparse.c: make curlx_uztoso a static in here
    • tool_formparse: accept digits in --form type= strings
    • tool_getparam: ECH param parsing refix
    • tool_getparam: fail --hostpubsha256 if libssh2 is not used
    • tool_getparam: fix "Ignored Return Value"
    • tool_getparam: fix memory leak on error in parse_ech
    • tool_getparam: fix the ECH parser
    • tool_operate: make --etag-compare always accept a non-existing file
    • transfer: fix CURLOPT_CURLU override logic
    • urlapi: fix redirect to a new fragment or query (only)
    • vquic: make vquic_send_packets not return without setting psent
    • vtls: fix default SSL backend as a fallback
    • vtls: only remember the expiry timestamp in session cache
    • websocket: fix message send corruption
    • x509asn1: add parse recursion limit

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Micro 6.0
    zypper in -t patch SUSE-SLE-Micro-6.0-477=1

Package List:

  • SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    • curl-8.14.1-1.1
    • libcurl4-8.14.1-1.1
    • curl-debuginfo-8.14.1-1.1
    • curl-debugsource-8.14.1-1.1
    • libcurl4-debuginfo-8.14.1-1.1
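After applying the patch, a practitioner will usually want to confirm that every installed curl package is at or above the fixed release listed in the Package List. The following script is an added example, not part of the SUSE advisory or of the curl project: it compares rpm-style "name version-release" lines against 8.14.1-1.1 using GNU `sort -V`. The sample input embedded below is constructed; on a real SUSE Linux Micro 6.0 host the input would come from the `rpm -qa --qf` query shown in the comment.

```shell
#!/bin/sh
# Added example (not from the advisory): check installed curl packages on
# SUSE Linux Micro 6.0 against the fixed release from the Package List above.

FIXED_VERSION="8.14.1-1.1"   # curl / libcurl4 version-release shipped by this update

# version_ge A B: succeeds when A >= B under GNU version sort (sort -V).
# Plain numeric version-release strings like 8.14.1-1.1 sort correctly this way.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# check_package NAME VERSION-RELEASE: prints a verdict line and
# returns 0 when the package is patched, 1 when it is still vulnerable.
check_package() {
    pkg="$1"
    installed="$2"
    if version_ge "$installed" "$FIXED_VERSION"; then
        printf '%s %s: patched (>= %s)\n' "$pkg" "$installed" "$FIXED_VERSION"
        return 0
    fi
    printf '%s %s: VULNERABLE, update to %s\n' "$pkg" "$installed" "$FIXED_VERSION"
    return 1
}

# check_installed: reads "name version-release" lines from stdin and checks
# every package named in the advisory's Package List. Returns 1 if any
# package is below the fixed release, 0 if all are patched.
check_installed() {
    status=0
    while read -r name ver; do
        case "$name" in
            curl|libcurl4|curl-debuginfo|curl-debugsource|libcurl4-debuginfo)
                check_package "$name" "$ver" || status=1 ;;
        esac
    done
    return $status
}

# On a real host feed the function from rpm (NAME/VERSION/RELEASE are real rpm tags):
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'curl*' 'libcurl4*' | check_installed
# Constructed sample output standing in for that query (one package unpatched):
SAMPLE_RPM_OUTPUT='curl 8.14.1-1.1
libcurl4 8.9.1-2.3
libcurl4-debuginfo 8.14.1-1.1'

if printf '%s\n' "$SAMPLE_RPM_OUTPUT" | check_installed; then
    echo "all curl packages are at or above $FIXED_VERSION"
else
    echo "at least one curl package still needs patch SUSE-SLE-Micro-6.0-477"
fi
```

Only the package names from the advisory's Package List are checked; lines for other packages are ignored, so the function can be fed the full `rpm -qa` output without filtering.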
