Security update for curl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20106-1 Final 1 1 2025-02-03T09:18:10Z current 2025-02-03T09:18:10Z 2025-02-03T09:18:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - CVE-2024-11053: Fixed password leak used for the first host to the followed-to host under certain circumstances (bsc#1234068) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-166 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520106-1/ Link for SUSE-SU-2025:20106-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021215.html E-Mail link for SUSE-SU-2025:20106-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1234068 SUSE Bug 1234068 https://www.suse.com/security/cve/CVE-2024-11053/ SUSE CVE CVE-2024-11053 page SUSE Linux Micro 6.0 curl-8.6.0-5.1 libcurl4-8.6.0-5.1 curl-8.6.0-5.1 as a component of SUSE Linux Micro 6.0 libcurl4-8.6.0-5.1 as a component of SUSE Linux Micro 6.0 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. CVE-2024-11053 SUSE Linux Micro 6.0:curl-8.6.0-5.1 SUSE Linux Micro 6.0:libcurl4-8.6.0-5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520106-1/ https://www.suse.com/security/cve/CVE-2024-11053.html CVE-2024-11053 https://bugzilla.suse.com/1234068 SUSE Bug 1234068