Overview

File _patchinfo of Package patchinfo.39809

<patchinfo incident="39809">
  <issue tracker="bnc" id="1249348">VUL-0: CVE-2025-10148: curl: predictable WebSocket mask</issue>
  <issue tracker="bnc" id="1249191">VUL-0: CVE-2025-9086: curl: Out of bounds read for cookie path</issue>
  <issue tracker="bnc" id="1236589">VUL-0: CVE-2025-0665: curl: eventfd double close</issue>
  <issue tracker="bnc" id="1243397">VUL-0: CVE-2025-4947: curl: QUIC certificate check skip with wolfSSL</issue>
  <issue tracker="bnc" id="1243706">VUL-0: CVE-2025-5025: curl: No QUIC certificate pinning with wolfSSL</issue>
  <issue tracker="bnc" id="1228260">VUL-0: CVE-2024-6874: curl: macidn punycode buffer overread</issue>
  <issue tracker="bnc" id="1243933">VUL-0: CVE-2025-5399: curl: libcurl can possibly get trapped in an endless busy-loop when processing specially crafted packets</issue>
  <issue tracker="bnc" id="1246197">shipped curl command v8.14.1  does not have the --ftp-pasv option</issue>
  <issue tracker="bnc" id="1249367">curl can return invalid return value</issue>
  <issue tracker="jsc" id="PED-13055"/>
  <issue tracker="jsc" id="PED-13056"/>
  <issue tracker="cve" id="2025-4947"/>
  <issue tracker="cve" id="2025-5025"/>
  <issue tracker="cve" id="2025-0665"/>
  <issue tracker="cve" id="2024-6874"/>
  <issue tracker="cve" id="2025-5399"/>
  <issue tracker="cve" id="2025-9086"/>
  <issue tracker="cve" id="2025-10148"/>
  <packager>pmonrealgonzalez</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for curl</summary>
  <description>This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).    
    
Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not
  easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing
  specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN
  backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
  (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:
    
- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
    
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]

- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places