Security update for curl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03198-1 Final 1 1 2025-09-12T12:15:10Z current 2025-09-12T12:15:10Z 2025-09-12T12:15:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/golang:latest-2025-3198,Container bci/kiwi:latest-2025-3198,Container bci/spack:0.23-2025-3198,Container bci/spack:latest-2025-3198,Container private-registry/harbor-trivy-adapter:latest-2025-3198,Container suse/git:latest-2025-3198,Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest-2025-3198,Container suse/sle15:latest-2025-3198,SUSE-2025-3198,SUSE-SLE-Module-Basesystem-15-SP6-2025-3198,SUSE-SLE-Module-Basesystem-15-SP7-2025-3198,openSUSE-SLE-15.6-2025-3198 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503198-1/ Link for SUSE-SU-2025:03198-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041687.html E-Mail link for SUSE-SU-2025:03198-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1228260 SUSE Bug 1228260 https://bugzilla.suse.com/1236589 SUSE Bug 1236589 https://bugzilla.suse.com/1243397 SUSE Bug 1243397 https://bugzilla.suse.com/1243706 SUSE Bug 1243706 https://bugzilla.suse.com/1243933 SUSE Bug 1243933 https://bugzilla.suse.com/1246197 SUSE Bug 1246197 https://bugzilla.suse.com/1249191 SUSE Bug 1249191 https://bugzilla.suse.com/1249348 SUSE Bug 1249348 https://bugzilla.suse.com/1249367 SUSE Bug 1249367 https://www.suse.com/security/cve/CVE-2024-6874/ SUSE CVE CVE-2024-6874 page https://www.suse.com/security/cve/CVE-2025-0665/ SUSE CVE CVE-2025-0665 page https://www.suse.com/security/cve/CVE-2025-10148/ SUSE CVE CVE-2025-10148 page https://www.suse.com/security/cve/CVE-2025-4947/ SUSE CVE CVE-2025-4947 page https://www.suse.com/security/cve/CVE-2025-5025/ SUSE CVE CVE-2025-5025 page https://www.suse.com/security/cve/CVE-2025-5399/ SUSE CVE CVE-2025-5399 page https://www.suse.com/security/cve/CVE-2025-9086/ SUSE CVE CVE-2025-9086 page Container bci/golang:latest Container bci/kiwi:latest Container bci/spack:0.23 Container bci/spack:latest Container private-registry/harbor-trivy-adapter:latest Container suse/git:latest Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container suse/sle15:latest SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP7 openSUSE Leap 15.6 curl-8.14.1-150600.4.28.1 libcurl4-8.14.1-150600.4.28.1 libcurl-devel-8.14.1-150600.4.28.1 curl-fish-completion-8.14.1-150600.4.28.1 curl-zsh-completion-8.14.1-150600.4.28.1 libcurl-devel-32bit-8.14.1-150600.4.28.1 libcurl-devel-64bit-8.14.1-150600.4.28.1 libcurl-devel-doc-8.14.1-150600.4.28.1 libcurl-mini4-8.14.1-150600.4.28.1 libcurl4-32bit-8.14.1-150600.4.28.1 libcurl4-64bit-8.14.1-150600.4.28.1 curl-8.14.1-150600.4.28.1 as a component of Container bci/golang:latest libcurl4-8.14.1-150600.4.28.1 as a component of Container bci/golang:latest curl-8.14.1-150600.4.28.1 as a component of Container bci/kiwi:latest libcurl4-8.14.1-150600.4.28.1 as a component of Container bci/kiwi:latest curl-8.14.1-150600.4.28.1 as a component of Container bci/spack:0.23 libcurl-devel-8.14.1-150600.4.28.1 as a component of Container bci/spack:0.23 libcurl4-8.14.1-150600.4.28.1 as a component of Container bci/spack:0.23 curl-8.14.1-150600.4.28.1 as a component of Container bci/spack:latest libcurl-devel-8.14.1-150600.4.28.1 as a component of Container bci/spack:latest libcurl4-8.14.1-150600.4.28.1 as a component of Container bci/spack:latest libcurl4-8.14.1-150600.4.28.1 as a component of Container private-registry/harbor-trivy-adapter:latest libcurl4-8.14.1-150600.4.28.1 as a component of Container suse/git:latest curl-8.14.1-150600.4.28.1 as a component of Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest libcurl4-8.14.1-150600.4.28.1 as a component of Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest curl-8.14.1-150600.4.28.1 as a component of Container suse/sle15:latest libcurl4-8.14.1-150600.4.28.1 as a component of Container suse/sle15:latest curl-8.14.1-150600.4.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libcurl-devel-8.14.1-150600.4.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libcurl4-8.14.1-150600.4.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libcurl4-32bit-8.14.1-150600.4.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 curl-8.14.1-150600.4.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libcurl-devel-8.14.1-150600.4.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libcurl4-8.14.1-150600.4.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libcurl4-32bit-8.14.1-150600.4.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 curl-8.14.1-150600.4.28.1 as a component of openSUSE Leap 15.6 libcurl-devel-8.14.1-150600.4.28.1 as a component of openSUSE Leap 15.6 libcurl-devel-32bit-8.14.1-150600.4.28.1 as a component of openSUSE Leap 15.6 libcurl4-8.14.1-150600.4.28.1 as a component of openSUSE Leap 15.6 libcurl4-32bit-8.14.1-150600.4.28.1 as a component of openSUSE Leap 15.6 libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string. This flaw can lead to stack contents accidently getting returned as part of the converted string. CVE-2024-6874 Container bci/golang:latest:curl-8.14.1-150600.4.28.1 Container bci/golang:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/kiwi:latest:curl-8.14.1-150600.4.28.1 Container bci/kiwi:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:0.23:curl-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:latest:curl-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl4-8.14.1-150600.4.28.1 Container private-registry/harbor-trivy-adapter:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/git:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:curl-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/sle15:latest:curl-8.14.1-150600.4.28.1 Container suse/sle15:latest:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-8.14.1-150600.4.28.1 openSUSE Leap 15.6:curl-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-8.14.1-150600.4.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503198-1/ https://www.suse.com/security/cve/CVE-2024-6874.html CVE-2024-6874 https://bugzilla.suse.com/1228260 SUSE Bug 1228260 libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve. CVE-2025-0665 Container bci/golang:latest:curl-8.14.1-150600.4.28.1 Container bci/golang:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/kiwi:latest:curl-8.14.1-150600.4.28.1 Container bci/kiwi:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:0.23:curl-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:latest:curl-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl4-8.14.1-150600.4.28.1 Container private-registry/harbor-trivy-adapter:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/git:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:curl-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/sle15:latest:curl-8.14.1-150600.4.28.1 Container suse/sle15:latest:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-8.14.1-150600.4.28.1 openSUSE Leap 15.6:curl-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-8.14.1-150600.4.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503198-1/ https://www.suse.com/security/cve/CVE-2025-0665.html CVE-2025-0665 https://bugzilla.suse.com/1236589 SUSE Bug 1236589 curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy. CVE-2025-10148 Container bci/golang:latest:curl-8.14.1-150600.4.28.1 Container bci/golang:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/kiwi:latest:curl-8.14.1-150600.4.28.1 Container bci/kiwi:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:0.23:curl-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:latest:curl-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl4-8.14.1-150600.4.28.1 Container private-registry/harbor-trivy-adapter:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/git:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:curl-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/sle15:latest:curl-8.14.1-150600.4.28.1 Container suse/sle15:latest:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-8.14.1-150600.4.28.1 openSUSE Leap 15.6:curl-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-8.14.1-150600.4.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503198-1/ https://www.suse.com/security/cve/CVE-2025-10148.html CVE-2025-10148 https://bugzilla.suse.com/1249348 SUSE Bug 1249348 libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks. CVE-2025-4947 Container bci/golang:latest:curl-8.14.1-150600.4.28.1 Container bci/golang:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/kiwi:latest:curl-8.14.1-150600.4.28.1 Container bci/kiwi:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:0.23:curl-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:latest:curl-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl4-8.14.1-150600.4.28.1 Container private-registry/harbor-trivy-adapter:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/git:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:curl-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/sle15:latest:curl-8.14.1-150600.4.28.1 Container suse/sle15:latest:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-8.14.1-150600.4.28.1 openSUSE Leap 15.6:curl-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-8.14.1-150600.4.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503198-1/ https://www.suse.com/security/cve/CVE-2025-4947.html CVE-2025-4947 https://bugzilla.suse.com/1243397 SUSE Bug 1243397 libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing. CVE-2025-5025 Container bci/golang:latest:curl-8.14.1-150600.4.28.1 Container bci/golang:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/kiwi:latest:curl-8.14.1-150600.4.28.1 Container bci/kiwi:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:0.23:curl-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:latest:curl-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl4-8.14.1-150600.4.28.1 Container private-registry/harbor-trivy-adapter:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/git:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:curl-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/sle15:latest:curl-8.14.1-150600.4.28.1 Container suse/sle15:latest:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-8.14.1-150600.4.28.1 openSUSE Leap 15.6:curl-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-8.14.1-150600.4.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503198-1/ https://www.suse.com/security/cve/CVE-2025-5025.html CVE-2025-5025 https://bugzilla.suse.com/1243706 SUSE Bug 1243706 Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application. CVE-2025-5399 Container bci/golang:latest:curl-8.14.1-150600.4.28.1 Container bci/golang:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/kiwi:latest:curl-8.14.1-150600.4.28.1 Container bci/kiwi:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:0.23:curl-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:latest:curl-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl4-8.14.1-150600.4.28.1 Container private-registry/harbor-trivy-adapter:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/git:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:curl-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/sle15:latest:curl-8.14.1-150600.4.28.1 Container suse/sle15:latest:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-8.14.1-150600.4.28.1 openSUSE Leap 15.6:curl-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-8.14.1-150600.4.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503198-1/ https://www.suse.com/security/cve/CVE-2025-5399.html CVE-2025-5399 https://bugzilla.suse.com/1243933 SUSE Bug 1243933 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay. CVE-2025-9086 Container bci/golang:latest:curl-8.14.1-150600.4.28.1 Container bci/golang:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/kiwi:latest:curl-8.14.1-150600.4.28.1 Container bci/kiwi:latest:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:0.23:curl-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:0.23:libcurl4-8.14.1-150600.4.28.1 Container bci/spack:latest:curl-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl-devel-8.14.1-150600.4.28.1 Container bci/spack:latest:libcurl4-8.14.1-150600.4.28.1 Container private-registry/harbor-trivy-adapter:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/git:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:curl-8.14.1-150600.4.28.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:latest:libcurl4-8.14.1-150600.4.28.1 Container suse/sle15:latest:curl-8.14.1-150600.4.28.1 Container suse/sle15:latest:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcurl4-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:curl-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl-devel-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-32bit-8.14.1-150600.4.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcurl4-8.14.1-150600.4.28.1 openSUSE Leap 15.6:curl-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl-devel-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-32bit-8.14.1-150600.4.28.1 openSUSE Leap 15.6:libcurl4-8.14.1-150600.4.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503198-1/ https://www.suse.com/security/cve/CVE-2025-9086.html CVE-2025-9086 https://bugzilla.suse.com/1249191 SUSE Bug 1249191