Описание
Security update for curl
This update for curl fixes the following issues:
Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
Security issues fixed:
- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).
Other issues fixed:
-
Fix wrong return code when --retry is used (bsc#1249367).
- tool_operate: fix return code when --retry is used but not triggered [b42776b]
-
Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
- tool_getparam: fix --ftp-pasv [5f805ee]
-
Fixed with version 8.14.1:
- TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
- websocket: add option to disable auto-pong reply.
- huge number of bugfixes.
Please see https://curl.se/ch/ for full changelogs.
Список пакетов
Container bci/golang:latest
Container bci/kiwi:latest
Container bci/spack:0.23
Container bci/spack:latest
Container private-registry/harbor-trivy-adapter:latest
Container suse/git:latest
Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest
Container suse/sle15:latest
SUSE Linux Enterprise Module for Basesystem 15 SP6
SUSE Linux Enterprise Module for Basesystem 15 SP7
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:03198-1
- E-Mail link for SUSE-SU-2025:03198-1
- SUSE Security Ratings
- SUSE Bug 1228260
- SUSE Bug 1236589
- SUSE Bug 1243397
- SUSE Bug 1243706
- SUSE Bug 1243933
- SUSE Bug 1246197
- SUSE Bug 1249191
- SUSE Bug 1249348
- SUSE Bug 1249367
- SUSE CVE CVE-2024-6874 page
- SUSE CVE CVE-2025-0665 page
- SUSE CVE CVE-2025-10148 page
- SUSE CVE CVE-2025-4947 page
- SUSE CVE CVE-2025-5025 page
- SUSE CVE CVE-2025-5399 page
- SUSE CVE CVE-2025-9086 page
Описание
libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string. This flaw can lead to stack contents accidently getting returned as part of the converted string.
Затронутые продукты
Ссылки
- CVE-2024-6874
- SUSE Bug 1228260
Описание
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
Затронутые продукты
Ссылки
- CVE-2025-0665
- SUSE Bug 1236589
Описание
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
Затронутые продукты
Ссылки
- CVE-2025-10148
- SUSE Bug 1249348
Описание
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
Затронутые продукты
Ссылки
- CVE-2025-4947
- SUSE Bug 1243397
Описание
libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.
Затронутые продукты
Ссылки
- CVE-2025-5025
- SUSE Bug 1243706
Описание
Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application.
Затронутые продукты
Ссылки
- CVE-2025-5399
- SUSE Bug 1243933
Описание
1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
Затронутые продукты
Ссылки
- CVE-2025-9086
- SUSE Bug 1249191