Security update for curl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20029-1 Final 1 1 2025-02-03T08:51:25Z current 2025-02-03T08:51:25Z 2025-02-03T08:51:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: Security issues fixed: - CVE-2024-7264: ASN.1 date parser overread (bsc#1228535) - CVE-2024-6197: Freeing stack buffer in utf8asn1str (bsc#1227888) - CVE-2024-2379: QUIC certificate check bypass with wolfSSL (bsc#1221666) - CVE-2024-2466: TLS certificate check bypass with mbedTLS (bsc#1221668) - CVE-2024-2004: Usage of disabled protocol (bsc#1221665) - CVE-2024-2398: HTTP/2 push headers memory-leak (bsc#1221667) Non-security issue fixed: - Fixed various TLS related issues including FTP over SSL transmission timeouts. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-30 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520029-1/ Link for SUSE-SU-2025:20029-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021336.html E-Mail link for SUSE-SU-2025:20029-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1221665 SUSE Bug 1221665 https://bugzilla.suse.com/1221666 SUSE Bug 1221666 https://bugzilla.suse.com/1221667 SUSE Bug 1221667 https://bugzilla.suse.com/1221668 SUSE Bug 1221668 https://bugzilla.suse.com/1227888 SUSE Bug 1227888 https://bugzilla.suse.com/1228535 SUSE Bug 1228535 https://www.suse.com/security/cve/CVE-2024-2004/ SUSE CVE CVE-2024-2004 page https://www.suse.com/security/cve/CVE-2024-2379/ SUSE CVE CVE-2024-2379 page https://www.suse.com/security/cve/CVE-2024-2398/ SUSE CVE CVE-2024-2398 page https://www.suse.com/security/cve/CVE-2024-2466/ SUSE CVE CVE-2024-2466 page https://www.suse.com/security/cve/CVE-2024-6197/ SUSE CVE CVE-2024-6197 page https://www.suse.com/security/cve/CVE-2024-7264/ SUSE CVE CVE-2024-7264 page SUSE Linux Micro 6.0 curl-8.6.0-3.1 libcurl4-8.6.0-3.1 curl-8.6.0-3.1 as a component of SUSE Linux Micro 6.0 libcurl4-8.6.0-3.1 as a component of SUSE Linux Micro 6.0 When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug. CVE-2024-2004 SUSE Linux Micro 6.0:curl-8.6.0-3.1 SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520029-1/ https://www.suse.com/security/cve/CVE-2024-2004.html CVE-2024-2004 https://bugzilla.suse.com/1221665 SUSE Bug 1221665 libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. CVE-2024-2379 SUSE Linux Micro 6.0:curl-8.6.0-3.1 SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520029-1/ https://www.suse.com/security/cve/CVE-2024-2379.html CVE-2024-2379 https://bugzilla.suse.com/1221666 SUSE Bug 1221666 When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. CVE-2024-2398 SUSE Linux Micro 6.0:curl-8.6.0-3.1 SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520029-1/ https://www.suse.com/security/cve/CVE-2024-2398.html CVE-2024-2398 https://bugzilla.suse.com/1221667 SUSE Bug 1221667 libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc). CVE-2024-2466 SUSE Linux Micro 6.0:curl-8.6.0-3.1 SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520029-1/ https://www.suse.com/security/cve/CVE-2024-2466.html CVE-2024-2466 https://bugzilla.suse.com/1221668 SUSE Bug 1221668 libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances. CVE-2024-6197 SUSE Linux Micro 6.0:curl-8.6.0-3.1 SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520029-1/ https://www.suse.com/security/cve/CVE-2024-6197.html CVE-2024-6197 https://bugzilla.suse.com/1227888 SUSE Bug 1227888 libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. CVE-2024-7264 SUSE Linux Micro 6.0:curl-8.6.0-3.1 SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520029-1/ https://www.suse.com/security/cve/CVE-2024-7264.html CVE-2024-7264 https://bugzilla.suse.com/1228535 SUSE Bug 1228535