File _patchinfo of Package patchinfo.39870

<patchinfo incident="39870">
  <issue tracker="bnc" id="1246197">shipped curl command v8.14.1 does not have the --ftp-pasv option</issue>
  <issue tracker="bnc" id="1249348">VUL-0: EMBARGOED: CVE-2025-10148: curl: predictable WebSocket mask</issue>
  <issue tracker="bnc" id="1249191">VUL-0: EMBARGOED: CVE-2025-9086: curl: Out of bounds read for cookie path</issue>
  <issue tracker="bnc" id="1249367">curl can return invalid return value</issue>
  <issue tracker="jsc" id="PED-13055"/>
  <issue tracker="jsc" id="PED-13056"/>
  <issue tracker="cve" id="2025-9086"/>
  <issue tracker="cve" id="2025-10148"/>
  <packager>pmonrealgonzalez</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for curl</summary>
  <description>This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
  (bsc#1249191).
- CVE-2025-10148: predictable WebSocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]

- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

</description>
</patchinfo>