{"affected":[{"ecosystem_specific":{"binaries":[{"curl":"8.12.1-slfo.1.1_1.1","libcurl4":"8.12.1-slfo.1.1_1.1"}]},"package":{"ecosystem":"SUSE:Linux Micro 6.1","name":"curl","purl":"pkg:rpm/suse/curl&distro=SUSE%20Linux%20Micro%206.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"8.12.1-slfo.1.1_1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for curl fixes the following issues:\n\nUpdate to 8.12.1:\n\n  * Bugfixes:\n\n    - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'\n    - asyn-thread: fix HTTPS RR crash\n    - asyn-thread: fix the returned bitmask from Curl_resolver_getsock\n    - asyn-thread: survive a c-ares channel set to NULL\n    - cmake: always reference OpenSSL and ZLIB via imported targets\n    - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'\n    - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'\n    - content_encoding: #error on too old zlib\n    - imap: TLS upgrade fix\n    - ldap: drop support for legacy Novell LDAP SDK\n    - libssh2: comparison is always true because rc <= -1\n    - libssh2: raise lowest supported version to 1.2.8\n    - libssh: drop support for libssh older than 0.9.0\n    - openssl-quic: ignore ciphers for h3\n    - pop3: TLS upgrade fix\n    - runtests: fix the disabling of the memory tracking\n    - runtests: quote commands to support paths with spaces\n    - scache: add magic checks\n    - smb: silence '-Warray-bounds' with gcc 13+\n    - smtp: TLS upgrade fix\n    - tool_cfgable: sort struct fields by size, use bitfields for booleans\n    - tool_getparam: add \"TLS required\" flag for each such option\n    - vtls: fix multissl-init\n    - wakeup_write: make sure the eventfd write sends eight bytes\n\nUpdate to 8.12.0:\n\n  * Security fixes:\n\n    - [bsc#1234068, CVE-2024-11053] curl could leak the password used\n      for the first host to the followed-to host under certain circumstances.\n    - [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry\n    - [bsc#1236589, CVE-2025-0665] eventfd double close\n\n  * Changes:\n\n    - curl: add byte range support to --variable reading from file\n    - curl: make --etag-save acknowledge --create-dirs\n    - getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var\n    - getinfo: provide info which auth was used for HTTP and proxy\n    - hyper: drop support\n    - openssl: add support to use keys and certificates from PKCS#11 provider\n    - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA\n    - vtls: feature ssls-export for SSL session im-/export\n\n  * Bugfixes:\n\n    - altsvc: avoid integer overflow in expire calculation\n    - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL\n    - asyn-ares: fix memory leak\n    - asyn-ares: initial HTTPS resolve support\n    - asyn-thread: use c-ares to resolve HTTPS RR\n    - async-thread: avoid closing eventfd twice\n    - cd2nroff: do not insist on quoted <> within backticks\n    - cd2nroff: support \"none\" as a TLS backend\n    - conncache: count shutdowns against host and max limits\n    - content_encoding: drop support for zlib before 1.2.0.4\n    - content_encoding: namespace GZIP flag constants\n    - content_encoding: put the decomp buffers into the writer structs\n    - content_encoding: support use of custom libzstd memory functions\n    - cookie: cap expire times to 400 days\n    - cookie: parse only the exact expire date\n    - curl: return error if etag options are used with multiple URLs\n    - curl_multi_fdset: include the shutdown connections in the set\n    - curl_sha512_256: rename symbols to the curl namespace\n    - curl_url_set.md: adjust the added-in to 7.62.0\n    - doh: send HTTPS RR requests for all HTTP(S) transfers\n    - easy: allow connect-only handle reuse with easy_perform\n    - easy: make curl_easy_perform() return error if connection still there\n    - easy_lock: use Sleep(1) for thread yield on old Windows\n    - ECH: update APIs to those agreed with OpenSSL maintainers\n    - GnuTLS: fix 'time_appconnect' for early data\n    - HTTP/2: strip TE request header\n    - http2: fix data_pending check\n    - http2: fix value stored to 'result' is never read\n    - http: ignore invalid Retry-After times\n    - http_aws_sigv4: Fix invalid compare function handling zero-length pairs\n    - https-connect: start next immediately on failure\n    - lib: redirect handling by protocol handler\n    - multi: fix curl_multi_waitfds reporting of fd_count\n    - netrc: 'default' with no credentials is not a match\n    - netrc: fix password-only entries\n    - netrc: restore _netrc fallback logic\n    - ngtcp2: fix memory leak on connect failure\n    - openssl: define `HAVE_KEYLOG_CALLBACK` before use\n    - openssl: fix ECH logic\n    - osslq: use SSL_poll to determine writeability of QUIC streams\n    - sectransp: free certificate on error\n    - select: avoid a NULL deref in cwfds_add_sock\n    - src: omit hugehelp and ca-embed from libcurltool\n    - ssl session cache: change cache dimensions\n    - system.h: add 64-bit curl_off_t definitions for NonStop\n    - telnet: handle single-byte input option\n    - TLS: check connection for SSL use, not handler\n    - tool_formparse.c: make curlx_uztoso a static in here\n    - tool_formparse: accept digits in --form type= strings\n    - tool_getparam: ECH param parsing refix\n    - tool_getparam: fail --hostpubsha256 if libssh2 is not used\n    - tool_getparam: fix \"Ignored Return Value\"\n    - tool_getparam: fix memory leak on error in parse_ech\n    - tool_getparam: fix the ECH parser\n    - tool_operate: make --etag-compare always accept a non-existing file\n    - transfer: fix CURLOPT_CURLU override logic\n    - urlapi: fix redirect to a new fragment or query (only)\n    - vquic: make vquic_send_packets not return without setting psent\n    - vtls: fix default SSL backend as a fallback\n    - vtls: only remember the expiry timestamp in session cache\n    - websocket: fix message send corruption\n    - x509asn1: add parse recursion limit\n\nUpdate to 8.11.1:\n\n  * Security fixes:\n\n    - netrc and redirect credential leak [bsc#1234068, CVE-2024-11053]\n\n  * Bugfixes:\n\n    - build: fix ECH to always enable HTTPS RR\n    - cookie: treat cookie name case sensitively\n    - curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected\n    - curl: use realtime in trace timestamps\n    - digest: produce a shorter cnonce in Digest headers\n    - docs: document default 'User-Agent'\n    - docs: suggest --ssl-reqd instead of --ftp-ssl\n    - duphandle: also init netrc\n    - hostip: don't use the resolver for FQDN localhost\n    - http_negotiate: allow for a one byte larger channel binding buffer\n    - krb5: fix socket/sockindex confusion, MSVC compiler warnings\n    - libssh: use libssh sftp_aio to upload file\n    - libssh: when using IPv6 numerical address, add brackets\n    - mime: fix reader stall on small read lengths\n    - mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions\n    - mprintf: fix the integer overflow checks\n    - multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when...\n    - netrc: address several netrc parser flaws\n    - netrc: support large file, longer lines, longer tokens\n    - nghttp2: use custom memory functions\n    - OpenSSL: improvde error message on expired certificate\n    - openssl: remove three \"Useless Assignments\"\n    - openssl: stop using SSL_CTX_ function prefix for our functions\n    - pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS\n    - rtsp: check EOS in the RTSP receive and return an error code\n    - schannel: remove TLS 1.3 ciphersuite-list support\n    - setopt: fix CURLOPT_HTTP_CONTENT_DECODING\n    - setopt: fix missing options for builds without HTTP & MQTT\n    - socket: handle binding to \"host!<ip>\"\n    - socketpair: fix enabling 'USE_EVENTFD'\n    - strtok: use namespaced 'strtok_r' macro instead of redefining it\n\nUpdate to 8.11.0:\n\n  * Security fixes: [bsc#1232528, CVE-2024-9681]\n\n    - curl: HSTS subdomain overwrites parent cache entry\n\n  * Changes:\n\n    - curl: --create-dirs works for --dump-header as well\n    - gtls: Add P12 format support\n    - ipfs: add options to disable\n    - TLS: TLSv1.3 earlydata support for curl\n    - WebSockets: make support official (non-experimental)\n\n  * Bugfixes:\n\n    - build: clarify CA embed is for curl tool, mark default, improve summary\n    - build: show if CA bundle to embed was found\n    - build: tidy up and improve versioned-symbols options\n    - cmake/FindNGTCP2: use library path as hint for finding crypto module\n    - cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled\n    - cmake: rename LDAP dependency config variables to match Find modules\n    - cmake: replace 'check_include_file_concat()' for LDAP and GSS detection\n    - cmake: use OpenSSL for LDAP detection only if available\n    - curl: add build options for safe/no CA bundle search (Windows)\n    - curl: detect ECH support dynamically, not at build time\n    - curl_addrinfo: support operating systems with only getaddrinfo(3)\n    - ftp: fix 0-length last write on upload from stdin\n    - gnutls: use session cache for QUIC\n    - hsts: improve subdomain handling\n    - hsts: support \"implied LWS\" properly around max-age\n    - http2: auto reset stream on server eos\n    - json.md: cli-option '--json' is an alias of '--data-binary'\n    - lib: move curl_path.[ch] into vssh/\n    - lib: remove function pointer typecasts for hmac/sha256/md5\n    - libssh.c: handle EGAINS during proto-connect correctly\n    - libssh2: use the filename buffer when getting the homedir\n    - multi.c: warn/assert on stall only without timer\n    - negotiate: conditional check around GSS & SSL specific code\n    - netrc: cache the netrc file in memory\n    - ngtcp2: do not loop on recv\n    - ngtcp2: set max window size to 10x of initial (128KB)\n    - openssl quic: populate x509 store before handshake\n    - openssl: extend the OpenSSL error messages\n    - openssl: improve retries on shutdown\n    - quic: use send/recvmmsg when available\n    - schannel: fix TLS cert verification by IP SAN\n    - schannel: ignore error on recv beyond close notify\n    - select: use poll() if existing, avoid poll() with no sockets\n    - sendf: add condition to max-filesize check\n    - server/mqttd: fix two memory leaks\n    - setopt: return error for bad input to CURLOPT_RTSP_REQUEST\n    - setopt_cptr: make overflow check only done when needed\n    - tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED\n    - tool: support --show-headers AND --remote-header-name\n    - tool_operate: make --skip-existing work for --parallel\n    - url: connection reuse on h3 connections\n    - url: use same credentials on redirect\n    - urlapi: normalize the IPv6 address\n    - version: say quictls in MSH3 builds\n    - vquic: fix compiler warning with gcc + MUSL\n    - vquic: recv_mmsg, use fewer, but larger buffers\n    - vtls: convert Curl_pin_peer_pubkey to use dynbuf\n    - vtls: convert pubkey_pem_to_der to use dynbuf\n\nUpdate to 8.10.1:\n\n  * Bugfixes:\n\n    - autotools: fix `--with-ca-embed` build rule\n    - cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync\n    - cmake: fix MSH3 to appear on the feature list\n    - connect: store connection info when really done\n    - FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a\n    - http2: when uploading data from stdin, fix eos forwarding\n    - http: make max-filesize check not count ignored bodies\n    - lib: fix AF_INET6 use outside of USE_IPV6\n    - multi: check that the multi handle is valid in curl_multi_assign\n    - QUIC: on connect, keep on trying on draining server\n    - request: correctly reset the eos_sent flag\n    - setopt: remove superfluous use of ternary expressions\n    - singleuse: drop `Curl_memrchr()` for no-HTTP builds\n    - tool_cb_wrt: use \"curl_response\" if no file name in URL\n    - transfer: fix sendrecv() without interim poll\n    - vtls: fix `Curl_ssl_conn_config_match` doc param\n\nUpdate to version 8.10.0:\n\n  * Security fixes:\n\n    - [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS\n\n  * Changes:\n\n    - curl: make --rate accept \"number of units\"\n    - curl: make --show-headers the same as --include\n    - curl: support --dump-header % to direct to stderr\n    - curl: support embedding a CA bundle and --dump-ca-embed\n    - curl: support repeated use of the verbose option; -vv etc\n    - curl: use libuv for parallel transfers with --test-event\n    - vtls: stop offering alpn http/1.1 for http2-prior-knowledge\n\n  * Bugfixes:\n\n    - curl: allow 500MB data URL encode strings\n    - curl: warn on unsupported SSL options\n    - Curl_rand_bytes to control env override\n    - curl_sha512_256: fix symbol collisions with nettle library\n    - dist: fix reproducible build from release tarball\n    - http2: fix GOAWAY message sent to server\n    - http2: improve rate limiting of downloads\n    - INSTALL.md: MultiSSL and QUIC are mutually exclusive\n    - lib: add eos flag to send methods\n    - lib: make SSPI global symbols use Curl_ prefix\n    - lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name\n    - lib: remove the final strncpy() calls\n    - lib: remove use of RANDOM_FILE\n    - Makefile.mk: fixup enabling libidn2\n    - max-filesize.md: mention zero disables the limit\n    - mime: avoid inifite loop in client reader\n    - ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks\n    - openssl quic: fix memory leak\n    - openssl: certinfo errors now fail correctly\n    - openssl: fix the data race when sharing an SSL session between threads\n    - openssl: improve shutdown handling\n    - POP3: fix multi-line responses\n    - pop3: use the protocol handler ->write_resp\n    - progress: ratelimit/progress tweaks\n    - rand: only provide weak random when needed\n    - sectransp: fix setting tls version\n    - setopt: make CURLOPT_TFTP_BLKSIZE accept bad values\n    - sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL\n    - sigpipe: init the struct so that first apply ignores\n    - smb: convert superflous assign into assert\n    - smtp: add tracing feature\n    - spnego_gssapi: implement TLS channel bindings for openssl\n    - src: delete `curlx_m*printf()` aliases\n    - ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)\n    - tool_operhlp: fix \"potentially uninitialized local variable 'pc' used\"\n    - tool_paramhlp: bump maximum post data size in memory to 16GB\n    - transfer: skip EOS read when download done\n    - url: fix connection reuse for HTTP/2 upgrades\n    - urlapi: verify URL *decoded* hostname when set\n    - urldata: introduce `data->mid`, a unique identifier inside a multi\n    - vtls: add SSLSUPP_CIPHER_LIST\n    - vtls: fix static function name collisions between TLS backends\n    - vtls: init ssl peer only once\n    - websocket: introduce blocking sends\n    - ws: flags to opcodes should ignore CURLWS_CONT flag\n    - x509asn1: raise size limit for x509 certification information\n","id":"SUSE-SU-2025:20239-1","modified":"2025-03-13T10:36:20Z","published":"2025-03-13T10:36:20Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202520239-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1230093"},{"type":"REPORT","url":"https://bugzilla.suse.com/1232528"},{"type":"REPORT","url":"https://bugzilla.suse.com/1234068"},{"type":"REPORT","url":"https://bugzilla.suse.com/1236589"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-11053"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-8096"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-9681"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-0665"}],"related":["CVE-2024-11053","CVE-2024-8096","CVE-2024-9681","CVE-2025-0665"],"summary":"Security update for curl","upstream":["CVE-2024-11053","CVE-2024-8096","CVE-2024-9681","CVE-2025-0665"]}