curl-8.16.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16652 Final 1 1 2025-10-01T00:00:00Z current 2025-10-01T00:00:00Z 2025-10-01T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z curl-8.16.0-1.1 on GA media These are all security issues fixed in the curl-8.16.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16652 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-10148/ SUSE CVE CVE-2025-10148 page https://www.suse.com/security/cve/CVE-2025-9086/ SUSE CVE CVE-2025-9086 page openSUSE Tumbleweed curl-8.16.0-1.1 curl-fish-completion-8.16.0-1.1 curl-zsh-completion-8.16.0-1.1 libcurl-devel-8.16.0-1.1 libcurl-devel-32bit-8.16.0-1.1 libcurl-devel-doc-8.16.0-1.1 libcurl4-8.16.0-1.1 libcurl4-32bit-8.16.0-1.1 wcurl-8.16.0-1.1 curl-8.16.0-1.1 as a component of openSUSE Tumbleweed curl-fish-completion-8.16.0-1.1 as a component of openSUSE Tumbleweed curl-zsh-completion-8.16.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-8.16.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-32bit-8.16.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-doc-8.16.0-1.1 as a component of openSUSE Tumbleweed libcurl4-8.16.0-1.1 as a component of openSUSE Tumbleweed libcurl4-32bit-8.16.0-1.1 as a component of openSUSE Tumbleweed wcurl-8.16.0-1.1 as a component of openSUSE Tumbleweed curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy. CVE-2025-10148 openSUSE Tumbleweed:curl-8.16.0-1.1 openSUSE Tumbleweed:curl-fish-completion-8.16.0-1.1 openSUSE Tumbleweed:curl-zsh-completion-8.16.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.16.0-1.1 openSUSE Tumbleweed:libcurl-devel-8.16.0-1.1 openSUSE Tumbleweed:libcurl-devel-doc-8.16.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.16.0-1.1 openSUSE Tumbleweed:libcurl4-8.16.0-1.1 openSUSE Tumbleweed:wcurl-8.16.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10148.html CVE-2025-10148 https://bugzilla.suse.com/1249348 SUSE Bug 1249348 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay. CVE-2025-9086 openSUSE Tumbleweed:curl-8.16.0-1.1 openSUSE Tumbleweed:curl-fish-completion-8.16.0-1.1 openSUSE Tumbleweed:curl-zsh-completion-8.16.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.16.0-1.1 openSUSE Tumbleweed:libcurl-devel-8.16.0-1.1 openSUSE Tumbleweed:libcurl-devel-doc-8.16.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.16.0-1.1 openSUSE Tumbleweed:libcurl4-8.16.0-1.1 openSUSE Tumbleweed:wcurl-8.16.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-9086.html CVE-2025-9086 https://bugzilla.suse.com/1249191 SUSE Bug 1249191