Security update for curl

Announcement ID:	SUSE-SU-2025:20239-1
Release Date:	2025-03-13T10:37:02Z
Rating:	moderate
References:	bsc#1230093 bsc#1232528 bsc#1234068 bsc#1236589
Cross-References:	CVE-2024-11053 CVE-2024-8096 CVE-2024-9681 CVE-2025-0665
CVSS scores:	CVE-2024-11053 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2024-11053 ( NVD ): 3.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N CVE-2024-8096 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2024-8096 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2024-8096 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2024-9681 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2024-9681 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2024-9681 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2024-9681 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L CVE-2025-0665 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-0665 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVE-2025-0665 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Micro 6.1

An update that solves four vulnerabilities can now be installed.

Description:

This update for curl fixes the following issues:

Update to 8.12.1:

• Bugfixes:

  • asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
  • asyn-thread: fix HTTPS RR crash
  • asyn-thread: fix the returned bitmask from Curl_resolver_getsock
  • asyn-thread: survive a c-ares channel set to NULL
  • cmake: always reference OpenSSL and ZLIB via imported targets
  • cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
  • cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
  • content_encoding: #error on too old zlib
  • imap: TLS upgrade fix
  • ldap: drop support for legacy Novell LDAP SDK
  • libssh2: comparison is always true because rc <= -1
  • libssh2: raise lowest supported version to 1.2.8
  • libssh: drop support for libssh older than 0.9.0
  • openssl-quic: ignore ciphers for h3
  • pop3: TLS upgrade fix
  • runtests: fix the disabling of the memory tracking
  • runtests: quote commands to support paths with spaces
  • scache: add magic checks
  • smb: silence '-Warray-bounds' with gcc 13+
  • smtp: TLS upgrade fix
  • tool_cfgable: sort struct fields by size, use bitfields for booleans
  • tool_getparam: add "TLS required" flag for each such option
  • vtls: fix multissl-init
  • wakeup_write: make sure the eventfd write sends eight bytes

Update to 8.12.0:

• Security fixes:

  • [bsc#1234068, CVE-2024-11053] curl could leak the password used for the first host to the followed-to host under certain circumstances.
  • [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry
  • [bsc#1236589, CVE-2025-0665] eventfd double close

• Changes:

  • curl: add byte range support to --variable reading from file
  • curl: make --etag-save acknowledge --create-dirs
  • getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
  • getinfo: provide info which auth was used for HTTP and proxy
  • hyper: drop support
  • openssl: add support to use keys and certificates from PKCS#11 provider
  • QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
  • vtls: feature ssls-export for SSL session im-/export

• Bugfixes:

  • altsvc: avoid integer overflow in expire calculation
  • asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
  • asyn-ares: fix memory leak
  • asyn-ares: initial HTTPS resolve support
  • asyn-thread: use c-ares to resolve HTTPS RR
  • async-thread: avoid closing eventfd twice
  • cd2nroff: do not insist on quoted <> within backticks
  • cd2nroff: support "none" as a TLS backend
  • conncache: count shutdowns against host and max limits
  • content_encoding: drop support for zlib before 1.2.0.4
  • content_encoding: namespace GZIP flag constants
  • content_encoding: put the decomp buffers into the writer structs
  • content_encoding: support use of custom libzstd memory functions
  • cookie: cap expire times to 400 days
  • cookie: parse only the exact expire date
  • curl: return error if etag options are used with multiple URLs
  • curl_multi_fdset: include the shutdown connections in the set
  • curl_sha512_256: rename symbols to the curl namespace
  • curl_url_set.md: adjust the added-in to 7.62.0
  • doh: send HTTPS RR requests for all HTTP(S) transfers
  • easy: allow connect-only handle reuse with easy_perform
  • easy: make curl_easy_perform() return error if connection still there
  • easy_lock: use Sleep(1) for thread yield on old Windows
  • ECH: update APIs to those agreed with OpenSSL maintainers
  • GnuTLS: fix 'time_appconnect' for early data
  • HTTP/2: strip TE request header
  • http2: fix data_pending check
  • http2: fix value stored to 'result' is never read
  • http: ignore invalid Retry-After times
  • http_aws_sigv4: Fix invalid compare function handling zero-length pairs
  • https-connect: start next immediately on failure
  • lib: redirect handling by protocol handler
  • multi: fix curl_multi_waitfds reporting of fd_count
  • netrc: 'default' with no credentials is not a match
  • netrc: fix password-only entries
  • netrc: restore _netrc fallback logic
  • ngtcp2: fix memory leak on connect failure
  • openssl: define HAVE_KEYLOG_CALLBACK before use
  • openssl: fix ECH logic
  • osslq: use SSL_poll to determine writeability of QUIC streams
  • sectransp: free certificate on error
  • select: avoid a NULL deref in cwfds_add_sock
  • src: omit hugehelp and ca-embed from libcurltool
  • ssl session cache: change cache dimensions
  • system.h: add 64-bit curl_off_t definitions for NonStop
  • telnet: handle single-byte input option
  • TLS: check connection for SSL use, not handler
  • tool_formparse.c: make curlx_uztoso a static in here
  • tool_formparse: accept digits in --form type= strings
  • tool_getparam: ECH param parsing refix
  • tool_getparam: fail --hostpubsha256 if libssh2 is not used
  • tool_getparam: fix "Ignored Return Value"
  • tool_getparam: fix memory leak on error in parse_ech
  • tool_getparam: fix the ECH parser
  • tool_operate: make --etag-compare always accept a non-existing file
  • transfer: fix CURLOPT_CURLU override logic
  • urlapi: fix redirect to a new fragment or query (only)
  • vquic: make vquic_send_packets not return without setting psent
  • vtls: fix default SSL backend as a fallback
  • vtls: only remember the expiry timestamp in session cache
  • websocket: fix message send corruption
  • x509asn1: add parse recursion limit

Update to 8.11.1:

• Security fixes:

  • netrc and redirect credential leak [bsc#1234068, CVE-2024-11053]

• Bugfixes:

  • build: fix ECH to always enable HTTPS RR
  • cookie: treat cookie name case sensitively
  • curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected
  • curl: use realtime in trace timestamps
  • digest: produce a shorter cnonce in Digest headers
  • docs: document default 'User-Agent'
  • docs: suggest --ssl-reqd instead of --ftp-ssl
  • duphandle: also init netrc
  • hostip: don't use the resolver for FQDN localhost
  • http_negotiate: allow for a one byte larger channel binding buffer
  • krb5: fix socket/sockindex confusion, MSVC compiler warnings
  • libssh: use libssh sftp_aio to upload file
  • libssh: when using IPv6 numerical address, add brackets
  • mime: fix reader stall on small read lengths
  • mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
  • mprintf: fix the integer overflow checks
  • multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when...
  • netrc: address several netrc parser flaws
  • netrc: support large file, longer lines, longer tokens
  • nghttp2: use custom memory functions
  • OpenSSL: improvde error message on expired certificate
  • openssl: remove three "Useless Assignments"
  • openssl: stop using SSL_CTX_ function prefix for our functions
  • pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS
  • rtsp: check EOS in the RTSP receive and return an error code
  • schannel: remove TLS 1.3 ciphersuite-list support
  • setopt: fix CURLOPT_HTTP_CONTENT_DECODING
  • setopt: fix missing options for builds without HTTP & MQTT
  • socket: handle binding to "host!<ip>"
  • socketpair: fix enabling 'USE_EVENTFD'
  • strtok: use namespaced 'strtok_r' macro instead of redefining it

Update to 8.11.0:

• Security fixes: [bsc#1232528, CVE-2024-9681]

  • curl: HSTS subdomain overwrites parent cache entry

• Changes:

  • curl: --create-dirs works for --dump-header as well
  • gtls: Add P12 format support
  • ipfs: add options to disable
  • TLS: TLSv1.3 earlydata support for curl
  • WebSockets: make support official (non-experimental)

• Bugfixes:

  • build: clarify CA embed is for curl tool, mark default, improve summary
  • build: show if CA bundle to embed was found
  • build: tidy up and improve versioned-symbols options
  • cmake/FindNGTCP2: use library path as hint for finding crypto module
  • cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
  • cmake: rename LDAP dependency config variables to match Find modules
  • cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
  • cmake: use OpenSSL for LDAP detection only if available
  • curl: add build options for safe/no CA bundle search (Windows)
  • curl: detect ECH support dynamically, not at build time
  • curl_addrinfo: support operating systems with only getaddrinfo(3)
  • ftp: fix 0-length last write on upload from stdin
  • gnutls: use session cache for QUIC
  • hsts: improve subdomain handling
  • hsts: support "implied LWS" properly around max-age
  • http2: auto reset stream on server eos
  • json.md: cli-option '--json' is an alias of '--data-binary'
  • lib: move curl_path.[ch] into vssh/
  • lib: remove function pointer typecasts for hmac/sha256/md5
  • libssh.c: handle EGAINS during proto-connect correctly
  • libssh2: use the filename buffer when getting the homedir
  • multi.c: warn/assert on stall only without timer
  • negotiate: conditional check around GSS & SSL specific code
  • netrc: cache the netrc file in memory
  • ngtcp2: do not loop on recv
  • ngtcp2: set max window size to 10x of initial (128KB)
  • openssl quic: populate x509 store before handshake
  • openssl: extend the OpenSSL error messages
  • openssl: improve retries on shutdown
  • quic: use send/recvmmsg when available
  • schannel: fix TLS cert verification by IP SAN
  • schannel: ignore error on recv beyond close notify
  • select: use poll() if existing, avoid poll() with no sockets
  • sendf: add condition to max-filesize check
  • server/mqttd: fix two memory leaks
  • setopt: return error for bad input to CURLOPT_RTSP_REQUEST
  • setopt_cptr: make overflow check only done when needed
  • tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED
  • tool: support --show-headers AND --remote-header-name
  • tool_operate: make --skip-existing work for --parallel
  • url: connection reuse on h3 connections
  • url: use same credentials on redirect
  • urlapi: normalize the IPv6 address
  • version: say quictls in MSH3 builds
  • vquic: fix compiler warning with gcc + MUSL
  • vquic: recv_mmsg, use fewer, but larger buffers
  • vtls: convert Curl_pin_peer_pubkey to use dynbuf
  • vtls: convert pubkey_pem_to_der to use dynbuf

Update to 8.10.1:

• Bugfixes:

  • autotools: fix --with-ca-embed build rule
  • cmake: ensure CURL_USE_OPENSSL/USE_OPENSSL_QUIC are set in sync
  • cmake: fix MSH3 to appear on the feature list
  • connect: store connection info when really done
  • FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
  • http2: when uploading data from stdin, fix eos forwarding
  • http: make max-filesize check not count ignored bodies
  • lib: fix AF_INET6 use outside of USE_IPV6
  • multi: check that the multi handle is valid in curl_multi_assign
  • QUIC: on connect, keep on trying on draining server
  • request: correctly reset the eos_sent flag
  • setopt: remove superfluous use of ternary expressions
  • singleuse: drop Curl_memrchr() for no-HTTP builds
  • tool_cb_wrt: use "curl_response" if no file name in URL
  • transfer: fix sendrecv() without interim poll
  • vtls: fix Curl_ssl_conn_config_match doc param

Update to version 8.10.0:

• Security fixes:

  • [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS

• Changes:

  • curl: make --rate accept "number of units"
  • curl: make --show-headers the same as --include
  • curl: support --dump-header % to direct to stderr
  • curl: support embedding a CA bundle and --dump-ca-embed
  • curl: support repeated use of the verbose option; -vv etc
  • curl: use libuv for parallel transfers with --test-event
  • vtls: stop offering alpn http/1.1 for http2-prior-knowledge

• Bugfixes:

  • curl: allow 500MB data URL encode strings
  • curl: warn on unsupported SSL options
  • Curl_rand_bytes to control env override
  • curl_sha512_256: fix symbol collisions with nettle library
  • dist: fix reproducible build from release tarball
  • http2: fix GOAWAY message sent to server
  • http2: improve rate limiting of downloads
  • INSTALL.md: MultiSSL and QUIC are mutually exclusive
  • lib: add eos flag to send methods
  • lib: make SSPI global symbols use Curl_ prefix
  • lib: prefer CURL_SHA256_DIGEST_LENGTH over the unprefixed name
  • lib: remove the final strncpy() calls
  • lib: remove use of RANDOM_FILE
  • Makefile.mk: fixup enabling libidn2
  • max-filesize.md: mention zero disables the limit
  • mime: avoid inifite loop in client reader
  • ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
  • openssl quic: fix memory leak
  • openssl: certinfo errors now fail correctly
  • openssl: fix the data race when sharing an SSL session between threads
  • openssl: improve shutdown handling
  • POP3: fix multi-line responses
  • pop3: use the protocol handler ->write_resp
  • progress: ratelimit/progress tweaks
  • rand: only provide weak random when needed
  • sectransp: fix setting tls version
  • setopt: make CURLOPT_TFTP_BLKSIZE accept bad values
  • sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL
  • sigpipe: init the struct so that first apply ignores
  • smb: convert superflous assign into assert
  • smtp: add tracing feature
  • spnego_gssapi: implement TLS channel bindings for openssl
  • src: delete curlx_m*printf() aliases
  • ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)
  • tool_operhlp: fix "potentially uninitialized local variable 'pc' used"
  • tool_paramhlp: bump maximum post data size in memory to 16GB
  • transfer: skip EOS read when download done
  • url: fix connection reuse for HTTP/2 upgrades
  • urlapi: verify URL decoded hostname when set
  • urldata: introduce data->mid, a unique identifier inside a multi
  • vtls: add SSLSUPP_CIPHER_LIST
  • vtls: fix static function name collisions between TLS backends
  • vtls: init ssl peer only once
  • websocket: introduce blocking sends
  • ws: flags to opcodes should ignore CURLWS_CONT flag
  • x509asn1: raise size limit for x509 certification information

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Micro 6.1
  zypper in -t patch SUSE-SLE-Micro-6.1-44=1

Package List:

• SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
  • curl-debugsource-8.12.1-slfo.1.1_1.1
  • curl-8.12.1-slfo.1.1_1.1
  • libcurl4-8.12.1-slfo.1.1_1.1
  • libcurl4-debuginfo-8.12.1-slfo.1.1_1.1
  • curl-debuginfo-8.12.1-slfo.1.1_1.1

References:

• https://www.suse.com/security/cve/CVE-2024-11053.html
• https://www.suse.com/security/cve/CVE-2024-8096.html
• https://www.suse.com/security/cve/CVE-2024-9681.html
• https://www.suse.com/security/cve/CVE-2025-0665.html
• https://bugzilla.suse.com/show_bug.cgi?id=1230093
• https://bugzilla.suse.com/show_bug.cgi?id=1232528
• https://bugzilla.suse.com/show_bug.cgi?id=1234068
• https://bugzilla.suse.com/show_bug.cgi?id=1236589