SUSE-SU-2025:03267-1

HIGH7.5

Security update for curl

Published Sep 18, 2025

Modified 9 months ago

Fix available

Details

Description of the patch:

This update for curl fixes the following issues:

Security issues fixed:

CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
- tool_getparam: fix --ftp-pasv [5f805ee]
Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
- TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
- websocket: add option to disable auto-pong reply.
- huge number of bugfixes.
Please see https://curl.se/ch/ for full changelogs.

Affected Packages

libcurl4

SUSE Linux Enterprise Desktop 15 SP4SUSE Linux Enterprise Desktop 15 SP5SUSE Linux Enterprise High Performance Computing 15 SP4SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP4-LTSS

Fixed in:

8.14.1-150400.5.69.1

curl

SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP4-LTSSSUSE Linux Enterprise High Performance Computing 15 SP5-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP5-LTSSSUSE Linux Enterprise Micro 5.3

Fixed in:

8.14.1-150400.5.69.1

libcurl-devel

Fixed in:

8.14.1-150400.5.69.1

libcurl4-32bit

Fixed in:

8.14.1-150400.5.69.1

References

ADVISORY

https://bugzilla.suse.com/1246197

ADVISORY