This update for curl fixes the following issues:
- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-418=1
- openSUSE Leap 16.0:
curl-8.14.1-160000.5.1
curl-fish-completion-8.14.1-160000.5.1
curl-zsh-completion-8.14.1-160000.5.1
libcurl-devel-8.14.1-160000.5.1
libcurl-devel-doc-8.14.1-160000.5.1
libcurl4-8.14.1-160000.5.1
* bsc#1259362
* bsc#1259363
* bsc#1259364
* bsc#1259365
References:
* https://www.suse.com/security/cve/CVE-2026-1965.html
* https://www.suse.com/security/cve/CVE-2026-3783.html
* https://www.suse.com/security/cve/CVE-2026-3784.html
* https://www.suse.com/security/cve/CVE-2026-3805.html
Get the latest Linux and open source security news straight to your inbox.