Security update for curl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0066-1 Final 1 1 2026-01-08T12:21:35Z current 2026-01-08T12:21:35Z 2026-01-08T12:21:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - CVE-2025-14524: Fixed bearer token leak on cross-protocol redirect (bsc#1255731) - CVE-2025-15079: Fixed unknown host connection acceptance when set in the global knownhostsfile (bsc#1255733) - CVE-2025-14819: Fixed issue where alteration of CURLSSLOPT_NO_PARTIALCHAIN could accidentally lead to CA cache reuse for which partial chain was reversed (bsc#1255732) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/ltss/sle12.5/sles12sp5:latest-2026-66,SUSE-2026-66,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-66 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260066-1/ Link for SUSE-SU-2026:0066-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023711.html E-Mail link for SUSE-SU-2026:0066-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1255731 SUSE Bug 1255731 https://bugzilla.suse.com/1255732 SUSE Bug 1255732 https://bugzilla.suse.com/1255733 SUSE Bug 1255733 https://www.suse.com/security/cve/CVE-2025-14524/ SUSE CVE CVE-2025-14524 page https://www.suse.com/security/cve/CVE-2025-14819/ SUSE CVE CVE-2025-14819 page https://www.suse.com/security/cve/CVE-2025-15079/ SUSE CVE CVE-2025-15079 page Container suse/ltss/sle12.5/sles12sp5:latest SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libcurl4-8.0.1-11.111.1 curl-8.0.1-11.111.1 libcurl-devel-8.0.1-11.111.1 libcurl-devel-32bit-8.0.1-11.111.1 libcurl-devel-64bit-8.0.1-11.111.1 libcurl4-32bit-8.0.1-11.111.1 libcurl4-64bit-8.0.1-11.111.1 libcurl4-8.0.1-11.111.1 as a component of Container suse/ltss/sle12.5/sles12sp5:latest curl-8.0.1-11.111.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libcurl-devel-8.0.1-11.111.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libcurl4-8.0.1-11.111.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libcurl4-32bit-8.0.1-11.111.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. CVE-2025-14524 Container suse/ltss/sle12.5/sles12sp5:latest:libcurl4-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:curl-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libcurl-devel-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libcurl4-32bit-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libcurl4-8.0.1-11.111.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260066-1/ https://www.suse.com/security/cve/CVE-2025-14524.html CVE-2025-14524 https://bugzilla.suse.com/1255731 SUSE Bug 1255731 When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. CVE-2025-14819 Container suse/ltss/sle12.5/sles12sp5:latest:libcurl4-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:curl-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libcurl-devel-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libcurl4-32bit-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libcurl4-8.0.1-11.111.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260066-1/ https://www.suse.com/security/cve/CVE-2025-14819.html CVE-2025-14819 https://bugzilla.suse.com/1255732 SUSE Bug 1255732 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. CVE-2025-15079 Container suse/ltss/sle12.5/sles12sp5:latest:libcurl4-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:curl-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libcurl-devel-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libcurl4-32bit-8.0.1-11.111.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libcurl4-8.0.1-11.111.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260066-1/ https://www.suse.com/security/cve/CVE-2025-15079.html CVE-2025-15079 https://bugzilla.suse.com/1255733 SUSE Bug 1255733