Description
Security update for curl
This update for curl fixes the following issues:
- CVE-2025-0725: Fixed gzip integer overflow (bsc#1236590)
- CVE-2025-0167: Fixed netrc and default credential leak (bsc#1236588)
Package list
Container suse/ltss/sle15.3/bci-base:latest
curl-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
Container suse/sle-micro-rancher/5.2:latest
curl-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
Container suse/sle-micro/5.1/toolbox:latest
curl-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
Container suse/sle-micro/5.2/toolbox:latest
curl-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
Image SLES15-SP3-SAP-Azure-LI-BYOS-Production
curl-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production
curl-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
SUSE Enterprise Storage 7.1
curl-7.66.0-150200.4.84.1
libcurl-devel-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
libcurl4-32bit-7.66.0-150200.4.84.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
curl-7.66.0-150200.4.84.1
libcurl-devel-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
libcurl4-32bit-7.66.0-150200.4.84.1
SUSE Linux Enterprise Micro 5.1
curl-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
SUSE Linux Enterprise Micro 5.2
curl-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
SUSE Linux Enterprise Server 15 SP3-LTSS
curl-7.66.0-150200.4.84.1
libcurl-devel-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
libcurl4-32bit-7.66.0-150200.4.84.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
curl-7.66.0-150200.4.84.1
libcurl-devel-7.66.0-150200.4.84.1
libcurl4-7.66.0-150200.4.84.1
libcurl4-32bit-7.66.0-150200.4.84.1
References
- Link for SUSE-SU-2025:0372-1
- E-Mail link for SUSE-SU-2025:0372-1
- SUSE Security Ratings
- SUSE Bug 1236588
- SUSE Bug 1236590
- SUSE CVE CVE-2025-0167 page
- SUSE CVE CVE-2025-0725 page
Description
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password, which is a rare circumstance.
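A defender-side check for the condition described above, as an added example that is not part of the advisory or of curl: it parses netrc text and reports whether the file contains a `default` entry with neither `login` nor `password`. The function names and the sample file contents are constructed for illustration, and values are assumed to be unquoted and free of whitespace.

```python
# Added example (not curl or SUSE code): detect the netrc shape named in the
# CVE-2025-0167 description, a `default` entry with neither login nor password.
# Assumption: values are unquoted and contain no whitespace.
VALUE_KEYS = {"login", "password", "account"}


def netrc_entries(text):
    """Return [(name, fields)], name being a machine host or 'default'."""
    tokens, in_macro = [], False
    for line in text.splitlines():
        if in_macro:
            # A macdef body runs up to the next blank line; skip it.
            in_macro = bool(line.strip())
            continue
        words = line.split()
        if words and words[0].startswith("#"):
            continue
        if "macdef" in words:
            words = words[:words.index("macdef")]
            in_macro = True
        tokens.extend(words)
    entries, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "default":
            entries.append(("default", {}))
            i += 1
        elif tok == "machine" and i + 1 < len(tokens):
            entries.append((tokens[i + 1], {}))
            i += 2
        elif tok in VALUE_KEYS and entries and i + 1 < len(tokens):
            entries[-1][1][tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries


def has_bare_default(text):
    """True if a `default` entry omits both login and password."""
    return any(name == "default" and not ({"login", "password"} & set(f))
               for name, f in netrc_entries(text))


# Constructed sample files.
RISKY = "machine a.example.com login alice password constructed-pw\n\ndefault\n"
SAFE = "machine a.example.com login alice password constructed-pw\ndefault login anonymous password guest\n"
MACRO = "machine a.example.com login alice password constructed-pw\nmacdef init\ndefault\ncd /pub\n\n"

if __name__ == "__main__":
    for label, sample in (("RISKY", RISKY), ("SAFE", SAFE), ("MACRO", MACRO)):
        print(label, has_bare_default(sample))
```

A `True` result only identifies the file shape the description names; the fix remains installing the updated curl and libcurl4 packages listed in this advisory.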
Affected products
Container suse/ltss/sle15.3/bci-base:latest:curl-7.66.0-150200.4.84.1
Container suse/ltss/sle15.3/bci-base:latest:libcurl4-7.66.0-150200.4.84.1
Container suse/sle-micro-rancher/5.2:latest:curl-7.66.0-150200.4.84.1
Container suse/sle-micro-rancher/5.2:latest:libcurl4-7.66.0-150200.4.84.1
References
- CVE-2025-0167
- SUSE Bug 1234068
Description
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
Affected products
Container suse/ltss/sle15.3/bci-base:latest:curl-7.66.0-150200.4.84.1
Container suse/ltss/sle15.3/bci-base:latest:libcurl4-7.66.0-150200.4.84.1
Container suse/sle-micro-rancher/5.2:latest:curl-7.66.0-150200.4.84.1
Container suse/sle-micro-rancher/5.2:latest:libcurl4-7.66.0-150200.4.84.1
References
- CVE-2025-0725
- SUSE Bug 1236590