# Security update for curl

Announcement ID: SUSE-SU-2025:20824-1
Release Date: 2025-09-25T10:50:20Z
Rating: important

References:

* bsc#1246197
* bsc#1249191
* bsc#1249348
* bsc#1249367
* jsc#PED-13055
* jsc#PED-13056

Cross-References:

* CVE-2025-10148
* CVE-2025-9086

CVSS scores:

* CVE-2025-10148 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-9086 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-9086 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* SUSE Linux Micro 6.0

An update that solves two vulnerabilities, contains two features and has two fixes can now be installed.

## Description:

This update for curl fixes the following issues:

* CVE-2025-9086: Fixed out-of-bounds read for cookie path (bsc#1249191)
* CVE-2025-10148: Fixed predictable WebSocket mask (bsc#1249348)
* Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
* tool_operate: fix return code when --retry is used but not triggered [bsc#1249367]
* Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056]
  * Add _multibuild
  * Bugfixes:
    * asyn-thrdd: fix cleanup when RR fails due to OOM
    * ftp: fix teardown of DATA connection in done
    * http: fail early when rewind of input failed when following redirects
    * multi: fix add_handle resizing
    * tls BIOs: handle BIO_CTRL_EOF correctly
    * tool_getparam: make --no-anyauth not be accepted
    * wolfssl: fix sending of early data
    * ws: handle blocked sends better
    * ws: tests and fixes
* Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]
  * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE.
  * Add libssh minimum version requirements.
  * Use ldconfig_scriptlets when available.
  * Remove unused option --disable-ntlm-wb.
* Update to 8.14.0:
  * Changes:
    * mqtt: send ping at upkeep interval
    * schannel: handle pkcs12 client certificates containing CA certificates
    * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
    * vquic: ngtcp2 + openssl support
    * wcurl: import v2025.04.20 script + docs
    * websocket: add option to disable auto-pong reply
  * Bugfixes:
    * asyn-thrdd: fix detach from running thread
    * async-threaded resolver: use ref counter
    * async: DoH improvements
    * build: enable gcc-12/13+, clang-10+ picky warnings
    * build: enable gcc-15 picky warnings
    * certs: drop unused `default_bits` from `.prm` files
    * cf-https-connect: use the passed in dns struct pointer
    * cf-socket: fix FTP accept connect
    * cfilters: remove assert
    * cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
    * cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
    * cmake: revert `CURL_LTO` behavior for multi-config generators
    * configure: fix --disable-rt
    * CONTRIBUTE: add project guidelines for AI use
    * cpool/cshutdown: force close connections under pressure
    * curl: fix memory leak when -h is used in config file
    * curl_get_line: handle lines ending on the buffer boundary
    * headers: enforce a max number of response headers to accept
    * http: fix HTTP/2 handling of TE request header using "trailers"
    * lib: include files using known path
    * lib: unify conversions to/from hex
    * libssh: add NULL check for Curl_meta_get()
    * libssh: fix memory leak
    * mqtt: use conn/easy meta hash
    * multi: do transfer book keeping using mid
    * multi: init_do(): check result
    * netrc: avoid NULL deref on weird input
    * netrc: avoid strdup NULL
    * netrc: deal with null token better
    * openssl-quic: avoid potential `-Wnull-dereference`, add assert
    * openssl-quic: fix shutdown when stream not open
    * openssl: enable builds for _both_ engines and providers
    * openssl: set the cipher string before doing private cert
    * progress: avoid integer overflow when gathering total transfer size
    * rand: update comment on Curl_rand_bytes weak random
    * rustls: make max size of cert and key reasonable
    * smb: avoid integer overflow on weird input date
    * urlapi: redirecting to "" is considered fine
* Update to 8.13.0:
  * Changes:
    * curl: add write-out variable 'tls_earlydata'
    * curl: make --url support a file with URLs
    * gnutls: set priority via --ciphers
    * IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
    * lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
    * OpenSSL/quictls: add support for TLSv1.3 early data
    * rustls: add support for CERTINFO
    * rustls: add support for SSLKEYLOGFILE
    * rustls: support ECH w/ DoH lookup for config
    * rustls: support native platform verifier
    * var: add a '64dec' function that can base64 decode a string
  * Bugfixes:
    * conn: fix connection reuse when SSL is optional
    * hash: use single linked list for entries
    * http2: detect session being closed on ingress handling
    * http2: reset stream on response header error
    * http: remove a HTTP method size restriction
    * http: version negotiation
    * httpsrr: fix port detection
    * libssh: fix freeing of resources in disconnect
    * libssh: fix scp large file upload for 32-bit size_t systems
    * openssl-quic: do not iterate over multi handles
    * openssl: check return value of X509_get0_pubkey
    * openssl: drop support for old OpenSSL/LibreSSL versions
    * openssl: fix crash on missing cert password
    * openssl: fix pkcs11 URI checking for key files.
    * openssl: remove bad `goto`s into other scope
    * setopt: illegal CURLOPT_SOCKS5_AUTH should return error
    * setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
    * sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version
    * sshserver: fix excluding obsolete client config lines
    * SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
    * tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
    * tool_operate: fail SSH transfers without server auth
    * url: call protocol handler's disconnect in Curl_conn_free
    * urlapi: remove percent encoded dot sequences from the URL path
    * urldata: remove 'hostname' from struct Curl_async
* Update to 8.12.1:
  * Bugfixes:
    * asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
    * asyn-thread: fix HTTPS RR crash
    * asyn-thread: fix the returned bitmask from Curl_resolver_getsock
    * asyn-thread: survive a c-ares channel set to NULL
    * cmake: always reference OpenSSL and ZLIB via imported targets
    * cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
    * cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
    * content_encoding: #error on too old zlib
    * imap: TLS upgrade fix
    * ldap: drop support for legacy Novell LDAP SDK
    * libssh2: comparison is always true because rc
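The advisory gives only the one-line summary "Predictable WebSocket mask" for CVE-2025-10148 and does not describe curl's code. As an added example, independent of curl and not taken from the SUSE page, the block below shows the client-side masking that RFC 6455 requires (MASK bit set and a 4-byte masking key that is unpredictable and fresh for every frame, section 5.3) together with a check that walks a captured client byte stream and reports any masking key reused across frames. The frames, keys and payloads used are constructed for the example.

```python
"""Added example (not curl's or SUSE's code): RFC 6455 client masking with a
fresh masking key per frame, plus a detector for masking-key reuse across a
captured client stream. Frame layout follows RFC 6455 section 5.2."""
import os
import struct
from collections import Counter
from typing import List, Optional, Tuple


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR each payload byte with key[i % 4] (RFC 6455 section 5.3).
    The same function unmasks, since XOR is its own inverse."""
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload: bytes, opcode: int = 0x2,
                       key: Optional[bytes] = None) -> bytes:
    """Build one FIN frame as a client must send it: MASK bit set and a
    masking key drawn from os.urandom for every frame. Passing a fixed key
    models the weak behaviour (same key on every frame) for the detector."""
    if key is None:
        key = os.urandom(4)  # fresh, unpredictable key per frame
    header = bytes([0x80 | (opcode & 0x0F)])  # FIN=1, RSV=000, opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])                          # MASK=1, 7-bit length
    elif n < 0x10000:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)  # 16-bit length
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)  # 64-bit length
    return header + key + mask_payload(payload, key)


def parse_client_frame(data: bytes) -> Tuple[int, bytes, bytes, bytes]:
    """Return (opcode, masking_key, payload, remaining_bytes) for the first
    frame in data. Rejects unmasked client frames, as a server must."""
    if len(data) < 2:
        raise ValueError("truncated header")
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    n = data[1] & 0x7F
    pos = 2
    if n == 126:
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
    elif n == 127:
        (n,) = struct.unpack("!Q", data[pos:pos + 8])
        pos += 8
    if not masked:
        raise ValueError("client frame without MASK bit")
    key = data[pos:pos + 4]
    pos += 4
    if len(data) < pos + n:
        raise ValueError("truncated payload")
    payload = mask_payload(data[pos:pos + n], key)
    return opcode, key, payload, data[pos + n:]


def reused_masking_keys(stream: bytes) -> List[bytes]:
    """Walk a captured client byte stream and return every masking key that
    appears in more than one frame. RFC 6455 requires each frame's key to be
    unpredictable from earlier ones; literal repetition is the simplest
    violation to spot in a capture."""
    keys = []
    rest = stream
    while rest:
        _, key, _, rest = parse_client_frame(rest)
        keys.append(key)
    return [k for k, count in Counter(keys).items() if count > 1]


if __name__ == "__main__":
    # Constructed capture: three frames sent with one fixed key (weak) and
    # three with a fresh key each (what the RFC requires).
    fixed = b"\xde\xad\xbe\xef"
    weak = b"".join(build_client_frame(p, key=fixed) for p in (b"one", b"two", b"three"))
    good = b"".join(build_client_frame(p) for p in (b"one", b"two", b"three"))
    print("weak stream reused keys:", reused_masking_keys(weak))
    print("good stream reused keys:", reused_masking_keys(good))
```

Masking is not a confidentiality mechanism (the key travels in the clear in the frame header); its purpose is to keep a client from choosing the exact bytes an intermediary sees on the wire, which is why a key the server or proxy can predict defeats the point. The detector above catches only literal key repetition; a key derived from a weak generator would pass it, so treat an empty result as necessary rather than sufficient.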