Security update for curl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20675-1 Final 1 1 2025-09-09T10:22:04Z current 2025-09-09T10:22:04Z 2025-09-09T10:22:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - CVE-2025-5399: libcurl can possibly get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2025-5025: No QUIC certificate pinning with wolfSSL (bsc#1243706). - CVE-2025-4947: QUIC certificate check skip with wolfSSL (bsc#1243397). Other bugfixes: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-254 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520675-1/ Link for SUSE-SU-2025:20675-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041626.html E-Mail link for SUSE-SU-2025:20675-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1243397 SUSE Bug 1243397 https://bugzilla.suse.com/1243706 SUSE Bug 1243706 https://bugzilla.suse.com/1243933 SUSE Bug 1243933 https://bugzilla.suse.com/1246197 SUSE Bug 1246197 https://www.suse.com/security/cve/CVE-2025-4947/ SUSE CVE CVE-2025-4947 page https://www.suse.com/security/cve/CVE-2025-5025/ SUSE CVE CVE-2025-5025 page https://www.suse.com/security/cve/CVE-2025-5399/ SUSE CVE CVE-2025-5399 page SUSE Linux Micro 6.1 curl-8.14.1-slfo.1.1_1.1 libcurl4-8.14.1-slfo.1.1_1.1 curl-8.14.1-slfo.1.1_1.1 as a component of SUSE Linux Micro 6.1 libcurl4-8.14.1-slfo.1.1_1.1 as a component of SUSE Linux Micro 6.1 libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks. CVE-2025-4947 SUSE Linux Micro 6.1:curl-8.14.1-slfo.1.1_1.1 SUSE Linux Micro 6.1:libcurl4-8.14.1-slfo.1.1_1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520675-1/ https://www.suse.com/security/cve/CVE-2025-4947.html CVE-2025-4947 https://bugzilla.suse.com/1243397 SUSE Bug 1243397 libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing. CVE-2025-5025 SUSE Linux Micro 6.1:curl-8.14.1-slfo.1.1_1.1 SUSE Linux Micro 6.1:libcurl4-8.14.1-slfo.1.1_1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520675-1/ https://www.suse.com/security/cve/CVE-2025-5025.html CVE-2025-5025 https://bugzilla.suse.com/1243706 SUSE Bug 1243706 Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application. CVE-2025-5399 SUSE Linux Micro 6.1:curl-8.14.1-slfo.1.1_1.1 SUSE Linux Micro 6.1:libcurl4-8.14.1-slfo.1.1_1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520675-1/ https://www.suse.com/security/cve/CVE-2025-5399.html CVE-2025-5399 https://bugzilla.suse.com/1243933 SUSE Bug 1243933