{"affected":[{"ecosystem_specific":{"binaries":[{"curl":"8.14.1-1.1","libcurl4":"8.14.1-1.1"}]},"package":{"ecosystem":"SUSE:Linux Micro 6.0","name":"curl","purl":"pkg:rpm/suse/curl&distro=SUSE%20Linux%20Micro%206.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"8.14.1-1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for curl fixes the following issues:\n\n- CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)\n- CVE-2025-10148: Predictable WebSocket mask (bsc#1249348)\n- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]\n- tool_operate: fix return code when --retry is used but not\n  triggered [bsc#1249367]\n\n- Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056]\n  * Add _multibuild\n  * Bugfixes:\n    - asyn-thrdd: fix cleanup when RR fails due to OOM\n    - ftp: fix teardown of DATA connection in done\n    - http: fail early when rewind of input failed when following redirects\n    - multi: fix add_handle resizing\n    - tls BIOs: handle BIO_CTRL_EOF correctly\n    - tool_getparam: make --no-anyauth not be accepted\n    - wolfssl: fix sending of early data\n    - ws: handle blocked sends better\n    - ws: tests and fixes\n\n- Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]\n  \n  * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error\n    when building the curl-mini package in SLE.\n  * Add libssh minimum version requirements.\n  * Use ldconfig_scriptlets when available.\n  * Remove unused option --disable-ntlm-wb.\n\n- Update to 8.14.0:\n  \n  * Changes:\n    - mqtt: send ping at upkeep interval\n    - schannel: handle pkcs12 client certificates containing CA certificates\n    - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs\n    - vquic: ngtcp2 + openssl support\n    - wcurl: import v2025.04.20 script + docs\n    - websocket: add option to disable auto-pong reply\n  \n  * Bugfixes:\n    - asny-thrdd: fix detach from running thread\n    - async-threaded resolver: use ref 
counter\n    - async: DoH improvements\n    - build: enable gcc-12/13+, clang-10+ picky warnings\n    - build: enable gcc-15 picky warnings\n    - certs: drop unused `default_bits` from `.prm` files\n    - cf-https-connect: use the passed in dns struct pointer\n    - cf-socket: fix FTP accept connect\n    - cfilters: remove assert\n    - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`\n    - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options\n    - cmake: revert `CURL_LTO` behavior for multi-config generators\n    - configure: fix --disable-rt\n    - CONTRIBUTE: add project guidelines for AI use\n    - cpool/cshutdown: force close connections under pressure\n    - curl: fix memory leak when -h is used in config file\n    - curl_get_line: handle lines ending on the buffer boundary\n    - headers: enforce a max number of response header to accept\n    - http: fix HTTP/2 handling of TE request header using \"trailers\"\n    - lib: include files using known path\n    - lib: unify conversions to/from hex\n    - libssh: add NULL check for Curl_meta_get()\n    - libssh: fix memory leak\n    - mqtt: use conn/easy meta hash\n    - multi: do transfer book keeping using mid\n    - multi: init_do(): check result\n    - netrc: avoid NULL deref on weird input\n    - netrc: avoid strdup NULL\n    - netrc: deal with null token better\n    - openssl-quic: avoid potential `-Wnull-dereference`, add assert\n    - openssl-quic: fix shutdown when stream not open\n    - openssl: enable builds for *both* engines and providers\n    - openssl: set the cipher string before doing private cert\n    - progress: avoid integer overflow when gathering total transfer size\n    - rand: update comment on Curl_rand_bytes weak random\n    - rustls: make max size of cert and key reasonable\n    - smb: avoid integer overflow on weird input date\n    - urlapi: redirecting to \"\" is considered fine\n\n- Update to 8.13.0:\n  \n  * Changes:\n    - curl: add write-out 
variable 'tls_earlydata'\n    - curl: make --url support a file with URLs\n    - gnutls: set priority via --ciphers\n    - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags\n    - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY\n    - OpenSSL/quictls: add support for TLSv1.3 early data\n    - rustls: add support for CERTINFO\n    - rustls: add support for SSLKEYLOGFILE\n    - rustls: support ECH w/ DoH lookup for config\n    - rustls: support native platform verifier\n    - var: add a '64dec' function that can base64 decode a string\n  \n  * Bugfixes:\n    - conn: fix connection reuse when SSL is optional\n    - hash: use single linked list for entries\n    - http2: detect session being closed on ingress handling\n    - http2: reset stream on response header error\n    - http: remove a HTTP method size restriction\n    - http: version negotiation\n    - httpsrr: fix port detection\n    - libssh: fix freeing of resources in disconnect\n    - libssh: fix scp large file upload for 32-bit size_t systems\n    - openssl-quic: do not iterate over multi handles\n    - openssl: check return value of X509_get0_pubkey\n    - openssl: drop support for old OpenSSL/LibreSSL versions\n    - openssl: fix crash on missing cert password\n    - openssl: fix pkcs11 URI checking for key files.\n    - openssl: remove bad `goto`s into other scope\n    - setopt: illegal CURLOPT_SOCKS5_AUTH should return error\n    - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine\n    - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version\n    - sshserver: fix excluding obsolete client config lines\n    - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR\n    - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`\n    - tool_operate: fail SSH transfers without server auth\n    - url: call protocol handler's disconnect in Curl_conn_free\n    - urlapi: remove percent encoded dot sequences from the URL path\n    - urldata: remove 'hostname' from struct 
Curl_async\n\n- Update to 8.12.1:\n  \n  * Bugfixes:\n    - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'\n    - asyn-thread: fix HTTPS RR crash\n    - asyn-thread: fix the returned bitmask from Curl_resolver_getsock\n    - asyn-thread: survive a c-ares channel set to NULL\n    - cmake: always reference OpenSSL and ZLIB via imported targets\n    - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'\n    - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'\n    - content_encoding: #error on too old zlib\n    - imap: TLS upgrade fix\n    - ldap: drop support for legacy Novell LDAP SDK\n    - libssh2: comparison is always true because rc <= -1\n    - libssh2: raise lowest supported version to 1.2.8\n    - libssh: drop support for libssh older than 0.9.0\n    - openssl-quic: ignore ciphers for h3\n    - pop3: TLS upgrade fix\n    - runtests: fix the disabling of the memory tracking\n    - runtests: quote commands to support paths with spaces\n    - scache: add magic checks\n    - smb: silence '-Warray-bounds' with gcc 13+\n    - smtp: TLS upgrade fix\n    - tool_cfgable: sort struct fields by size, use bitfields for booleans\n    - tool_getparam: add \"TLS required\" flag for each such option\n    - vtls: fix multissl-init\n    - wakeup_write: make sure the eventfd write sends eight bytes\n\n- Update to 8.12.0:\n  \n  * Changes:\n    - curl: add byte range support to --variable reading from file\n    - curl: make --etag-save acknowledge --create-dirs\n    - getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var\n    - getinfo: provide info which auth was used for HTTP and proxy\n    - hyper: drop support\n    - openssl: add support to use keys and certificates from PKCS#11 provider\n    - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA\n    - vtls: feature ssls-export for SSL session im-/export\n  \n  * Bugfixes:\n    - altsvc: avoid integer overflow in expire calculation\n    - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to 
NULL\n    - asyn-ares: fix memory leak\n    - asyn-ares: initial HTTPS resolve support\n    - asyn-thread: use c-ares to resolve HTTPS RR\n    - async-thread: avoid closing eventfd twice\n    - cd2nroff: do not insist on quoted <> within backticks\n    - cd2nroff: support \"none\" as a TLS backend\n    - conncache: count shutdowns against host and max limits\n    - content_encoding: drop support for zlib before 1.2.0.4\n    - content_encoding: namespace GZIP flag constants\n    - content_encoding: put the decomp buffers into the writer structs\n    - content_encoding: support use of custom libzstd memory functions\n    - cookie: cap expire times to 400 days\n    - cookie: parse only the exact expire date\n    - curl: return error if etag options are used with multiple URLs\n    - curl_multi_fdset: include the shutdown connections in the set\n    - curl_sha512_256: rename symbols to the curl namespace\n    - curl_url_set.md: adjust the added-in to 7.62.0\n    - doh: send HTTPS RR requests for all HTTP(S) transfers\n    - easy: allow connect-only handle reuse with easy_perform\n    - easy: make curl_easy_perform() return error if connection still there\n    - easy_lock: use Sleep(1) for thread yield on old Windows\n    - ECH: update APIs to those agreed with OpenSSL maintainers\n    - GnuTLS: fix 'time_appconnect' for early data\n    - HTTP/2: strip TE request header\n    - http2: fix data_pending check\n    - http2: fix value stored to 'result' is never read\n    - http: ignore invalid Retry-After times\n    - http_aws_sigv4: Fix invalid compare function handling zero-length pairs\n    - https-connect: start next immediately on failure\n    - lib: redirect handling by protocol handler\n    - multi: fix curl_multi_waitfds reporting of fd_count\n    - netrc: 'default' with no credentials is not a match\n    - netrc: fix password-only entries\n    - netrc: restore _netrc fallback logic\n    - ngtcp2: fix memory leak on connect failure\n    - openssl: define 
`HAVE_KEYLOG_CALLBACK` before use\n    - openssl: fix ECH logic\n    - osslq: use SSL_poll to determine writeability of QUIC streams\n    - sectransp: free certificate on error\n    - select: avoid a NULL deref in cwfds_add_sock\n    - src: omit hugehelp and ca-embed from libcurltool\n    - ssl session cache: change cache dimensions\n    - system.h: add 64-bit curl_off_t definitions for NonStop\n    - telnet: handle single-byte input option\n    - TLS: check connection for SSL use, not handler\n    - tool_formparse.c: make curlx_uztoso a static in here\n    - tool_formparse: accept digits in --form type= strings\n    - tool_getparam: ECH param parsing refix\n    - tool_getparam: fail --hostpubsha256 if libssh2 is not used\n    - tool_getparam: fix \"Ignored Return Value\"\n    - tool_getparam: fix memory leak on error in parse_ech\n    - tool_getparam: fix the ECH parser\n    - tool_operate: make --etag-compare always accept a non-existing file\n    - transfer: fix CURLOPT_CURLU override logic\n    - urlapi: fix redirect to a new fragment or query (only)\n    - vquic: make vquic_send_packets not return without setting psent\n    - vtls: fix default SSL backend as a fallback\n    - vtls: only remember the expiry timestamp in session cache\n    - websocket: fix message send corruption\n    - x509asn1: add parse recursion 
limit\n","id":"SUSE-SU-2025:20824-1","modified":"2025-09-25T10:52:04Z","published":"2025-09-25T10:52:04Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202520824-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1246197"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249191"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249348"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249367"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-10148"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-9086"}],"related":["CVE-2025-10148","CVE-2025-9086"],"summary":"Security update for curl","upstream":["CVE-2025-10148","CVE-2025-9086"]}
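The operational question this record answers is whether an installed curl or libcurl4 RPM falls inside the ECOSYSTEM range above (introduced "0", fixed "8.14.1-1.1"). Comparing RPM versions correctly needs rpm's own ordering rules (numeric segments compared by value, alphabetic ones lexically, numeric newer than alphabetic, "~" sorting below everything), and OSV range events are evaluated by taking the last event whose version is at or below the installed one. The block below is an added example, not code from SUSE, OSV or the curl project: it embeds an excerpt of this record, ports rpm's rpmvercmp without the newer "^" rule, applies the OSV event semantics, and checks a constructed package inventory against it. It matches on both the source package name and the binary RPM names the record lists under ecosystem_specific.binaries, since that is what rpm -qa reports.

```python
"""Check installed RPM versions against the advisory's ECOSYSTEM range.
Added example, not code from SUSE, OSV or curl: OSV_RECORD is an excerpt of
the record on this page, the INSTALLED inventory is constructed."""
import json
import re

_SEP = re.compile(r"[^0-9A-Za-z~]*")    # rpm skips separators other than '~'
_RUN = re.compile(r"[0-9]+|[A-Za-z]+")  # one numeric or alphabetic segment

OSV_RECORD = json.loads('''{"id": "SUSE-SU-2025:20824-1", "affected": [{
  "ecosystem_specific": {"binaries": [{"curl": "8.14.1-1.1", "libcurl4": "8.14.1-1.1"}]},
  "package": {"ecosystem": "SUSE:Linux Micro 6.0", "name": "curl"},
  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "8.14.1-1.1"}]}]
}]}''')


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp() without the '^' rule: -1, 0 or 1 for a <, ==, > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _SEP.match(a, i).end(), _SEP.match(b, j).end()
        ca, cb = a[i:i + 1], b[j:j + 1]
        if ca == "~" or cb == "~":      # '~' sorts below anything, even end of string
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        sa, sb = _RUN.match(a, i).group(0), _RUN.match(b, j).group(0)
        isnum = ca.isdigit()
        if isnum != cb.isdigit():       # mixed types: a numeric segment is newer
            return 1 if isnum else -1
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # more digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(a, b):
    """Order two 'epoch:version-release' strings the way rpm does."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        version, sep, release = rest.rpartition("-")
        if not sep:                      # no release part at all
            version, release = release, ""
        return int(epoch or 0), version, release
    ea, va, ra = split(a)
    eb, vb, rb = split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def version_in_range(installed, events):
    """OSV ECOSYSTEM events (ascending): the last one at or below `installed` decides."""
    affected = False
    for ev in events:
        if "introduced" in ev:           # "0" means every version ever published
            if ev["introduced"] == "0" or evr_cmp(installed, ev["introduced"]) >= 0:
                affected = True
        elif "fixed" in ev and evr_cmp(installed, ev["fixed"]) >= 0:
            affected = False
    return affected


def affected_packages(record, ecosystem, installed):
    """(name, installed EVR, fixed EVR) for each installed RPM the record marks affected."""
    hits = []
    for aff in record["affected"]:
        if aff["package"]["ecosystem"] != ecosystem:
            continue
        # Source package name plus the binary RPMs built from it (what rpm -qa reports).
        names = {aff["package"]["name"]}
        for entry in aff.get("ecosystem_specific", {}).get("binaries", []):
            names.update(entry)
        for name in sorted(names.intersection(installed)):
            for rng in aff.get("ranges", []):
                if rng["type"] == "ECOSYSTEM" and version_in_range(installed[name], rng["events"]):
                    fixed = [e["fixed"] for e in rng["events"] if "fixed" in e]
                    hits.append((name, installed[name], fixed[-1] if fixed else None))
    return hits


# Constructed inventory: libcurl4 still on a pre-fix build, curl already fixed.
INSTALLED = {"libcurl4": "8.14.0-1.1", "curl": "8.14.1-1.1"}

if __name__ == "__main__":
    for name, evr, fixed in affected_packages(OSV_RECORD, "SUSE:Linux Micro 6.0", INSTALLED):
        print(f"{name}-{evr} is affected by {OSV_RECORD['id']}; fixed in {fixed}")
```

Feeding it a real host's inventory is a matter of replacing INSTALLED with the output of rpm -qa in name/EVR form; the ecosystem string must match the record exactly ("SUSE:Linux Micro 6.0"), because the same CVE has separate records with different fixed versions for other SUSE products.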
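CVE-2025-10148 appears above only as "Predictable WebSocket mask". RFC 6455 section 5.3 requires a client to mask every frame with a 32-bit key that is freshly chosen per frame and drawn from a strong entropy source; section 10.3 explains why: masking exists so that an attacker who controls the payload cannot make client-sent bytes look like an HTTP request to an intermediary, and a key that is fixed or guessable gives that control back. The block below is an added example, not curl's WebSocket code and not a reproduction of the curl bug: it encodes client frames with a CSPRNG key per frame, parses a frame stream, and audits it for keys that are missing, all-zero or reused across frames. The two captures it checks are constructed in the block.

```python
"""Audit WebSocket client frames for missing, all-zero or reused masking keys.
Added example, not curl's WebSocket code and not a reproduction of the curl bug:
it implements the client masking rule of RFC 6455 section 5.3 (a fresh key from
a strong entropy source for every frame) over constructed frame streams."""
import secrets
import struct


def build_client_frame(payload, mask_key=None, opcode=0x1):
    """Encode one FIN frame as a client must send it: masked, 4-byte key.
    A fresh CSPRNG key is drawn unless the caller forces one (a weak client)."""
    if mask_key is None:
        mask_key = secrets.token_bytes(4)
    if len(mask_key) != 4:
        raise ValueError("masking key must be 4 bytes")
    n = len(payload)
    header = bytes([0x80 | (opcode & 0x0F)])            # FIN set, no RSV bits
    if n < 126:
        header += bytes([0x80 | n])                     # MASK bit | 7-bit length
    elif n < 1 << 16:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return header + mask_key + masked


def parse_frames(data):
    """Split a byte stream into (opcode, mask_key or None, unmasked payload)."""
    frames, pos = [], 0
    while pos < len(data):
        b0, b1 = data[pos], data[pos + 1]
        pos += 2
        n = b1 & 0x7F
        if n == 126:
            n, pos = struct.unpack("!H", data[pos:pos + 2])[0], pos + 2
        elif n == 127:
            n, pos = struct.unpack("!Q", data[pos:pos + 8])[0], pos + 8
        key = None
        if b1 & 0x80:
            key, pos = data[pos:pos + 4], pos + 4
        payload, pos = data[pos:pos + n], pos + n
        if key is not None:                              # XOR again to unmask
            payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
        frames.append((b0 & 0x0F, key, payload))
    return frames


def audit_masking(frames):
    """Return (frame index, reason) for frames breaking the per-frame key rule.
    With 2^32 possible keys, an exact repeat between frames of one short session
    is evidence of a fixed or predictable generator, not chance."""
    findings, first_seen = [], {}
    for idx, (_opcode, key, _payload) in enumerate(frames):
        if key is None:
            findings.append((idx, "client frame not masked"))
        elif key == b"\x00\x00\x00\x00":
            findings.append((idx, "all-zero masking key, payload on the wire in clear"))
        elif key in first_seen:
            findings.append((idx, f"masking key reused from frame {first_seen[key]}"))
        else:
            first_seen[key] = idx
    return findings


# Constructed captures: a client that keeps one key for the whole connection,
# and one that draws a fresh key per frame as the RFC requires.
MESSAGES = [b"hello", b"world", b"!"]
FIXED_KEY = bytes.fromhex("deadbeef")
WEAK_STREAM = b"".join(build_client_frame(m, FIXED_KEY) for m in MESSAGES)
GOOD_STREAM = b"".join(build_client_frame(m) for m in MESSAGES)

if __name__ == "__main__":
    for label, stream in (("fixed key", WEAK_STREAM), ("fresh key", GOOD_STREAM)):
        print(label, audit_masking(parse_frames(stream)) or "ok")
```

The audit is a detection heuristic for captured client traffic, not a proof of randomness: it catches the gross failures (unmasked frames, a zero key, a key that never changes) that a packet capture of a few frames already reveals, which is the check worth running against any client library before trusting its WebSocket implementation.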