SUSE-SU-2025:20239-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202520239-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20239-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2025:20239-1
Published
2025-03-13T10:36:20Z
Modified
2026-03-11T07:30:36.843517Z
Summary
Security update for curl
Details

This update for curl fixes the following issues:

Update to 8.12.1:

  • Bugfixes:

    • asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
    • asyn-thread: fix HTTPS RR crash
    • asyn-thread: fix the returned bitmask from Curl_resolver_getsock
    • asyn-thread: survive a c-ares channel set to NULL
    • cmake: always reference OpenSSL and ZLIB via imported targets
    • cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
    • cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
    • content_encoding: #error on too old zlib
    • imap: TLS upgrade fix
    • ldap: drop support for legacy Novell LDAP SDK
    • libssh2: comparison is always true because rc <= -1
    • libssh2: raise lowest supported version to 1.2.8
    • libssh: drop support for libssh older than 0.9.0
    • openssl-quic: ignore ciphers for h3
    • pop3: TLS upgrade fix
    • runtests: fix the disabling of the memory tracking
    • runtests: quote commands to support paths with spaces
    • scache: add magic checks
    • smb: silence '-Warray-bounds' with gcc 13+
    • smtp: TLS upgrade fix
    • tool_cfgable: sort struct fields by size, use bitfields for booleans
    • tool_getparam: add "TLS required" flag for each such option
    • vtls: fix multissl-init
    • wakeup_write: make sure the eventfd write sends eight bytes

Update to 8.12.0:

  • Security fixes:

    • [bsc#1234068, CVE-2024-11053] curl could leak the password used for the first host to the followed-to host under certain circumstances.
    • [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry
    • [bsc#1236589, CVE-2025-0665] eventfd double close
  • Changes:

    • curl: add byte range support to --variable reading from file
    • curl: make --etag-save acknowledge --create-dirs
    • getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
    • getinfo: provide info which auth was used for HTTP and proxy
    • hyper: drop support
    • openssl: add support to use keys and certificates from PKCS#11 provider
    • QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
    • vtls: feature ssls-export for SSL session im-/export
  • Bugfixes:

    • altsvc: avoid integer overflow in expire calculation
    • asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
    • asyn-ares: fix memory leak
    • asyn-ares: initial HTTPS resolve support
    • asyn-thread: use c-ares to resolve HTTPS RR
    • async-thread: avoid closing eventfd twice
    • cd2nroff: do not insist on quoted <> within backticks
    • cd2nroff: support "none" as a TLS backend
    • conncache: count shutdowns against host and max limits
    • content_encoding: drop support for zlib before 1.2.0.4
    • content_encoding: namespace GZIP flag constants
    • content_encoding: put the decomp buffers into the writer structs
    • content_encoding: support use of custom libzstd memory functions
    • cookie: cap expire times to 400 days
    • cookie: parse only the exact expire date
    • curl: return error if etag options are used with multiple URLs
    • curl_multi_fdset: include the shutdown connections in the set
    • curl_sha512_256: rename symbols to the curl namespace
    • curl_url_set.md: adjust the added-in to 7.62.0
    • doh: send HTTPS RR requests for all HTTP(S) transfers
    • easy: allow connect-only handle reuse with easy_perform
    • easy: make curl_easy_perform() return error if connection still there
    • easy_lock: use Sleep(1) for thread yield on old Windows
    • ECH: update APIs to those agreed with OpenSSL maintainers
    • GnuTLS: fix 'time_appconnect' for early data
    • HTTP/2: strip TE request header
    • http2: fix data_pending check
    • http2: fix value stored to 'result' is never read
    • http: ignore invalid Retry-After times
    • http_aws_sigv4: Fix invalid compare function handling zero-length pairs
    • https-connect: start next immediately on failure
    • lib: redirect handling by protocol handler
    • multi: fix curl_multi_waitfds reporting of fd_count
    • netrc: 'default' with no credentials is not a match
    • netrc: fix password-only entries
    • netrc: restore _netrc fallback logic
    • ngtcp2: fix memory leak on connect failure
    • openssl: define HAVE_KEYLOG_CALLBACK before use
    • openssl: fix ECH logic
    • osslq: use SSL_poll to determine writeability of QUIC streams
    • sectransp: free certificate on error
    • select: avoid a NULL deref in cwfds_add_sock
    • src: omit hugehelp and ca-embed from libcurltool
    • ssl session cache: change cache dimensions
    • system.h: add 64-bit curl_off_t definitions for NonStop
    • telnet: handle single-byte input option
    • TLS: check connection for SSL use, not handler
    • tool_formparse.c: make curlx_uztoso a static in here
    • tool_formparse: accept digits in --form type= strings
    • tool_getparam: ECH param parsing refix
    • tool_getparam: fail --hostpubsha256 if libssh2 is not used
    • tool_getparam: fix "Ignored Return Value"
    • tool_getparam: fix memory leak on error in parse_ech
    • tool_getparam: fix the ECH parser
    • tool_operate: make --etag-compare always accept a non-existing file
    • transfer: fix CURLOPT_CURLU override logic
    • urlapi: fix redirect to a new fragment or query (only)
    • vquic: make vquic_send_packets not return without setting psent
    • vtls: fix default SSL backend as a fallback
    • vtls: only remember the expiry timestamp in session cache
    • websocket: fix message send corruption
    • x509asn1: add parse recursion limit

Update to 8.11.1:

  • Security fixes:

    • netrc and redirect credential leak [bsc#1234068, CVE-2024-11053]
  • Bugfixes:

    • build: fix ECH to always enable HTTPS RR
    • cookie: treat cookie name case sensitively
    • curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected
    • curl: use realtime in trace timestamps
    • digest: produce a shorter cnonce in Digest headers
    • docs: document default 'User-Agent'
    • docs: suggest --ssl-reqd instead of --ftp-ssl
    • duphandle: also init netrc
    • hostip: don't use the resolver for FQDN localhost
    • http_negotiate: allow for a one byte larger channel binding buffer
    • krb5: fix socket/sockindex confusion, MSVC compiler warnings
    • libssh: use libssh sftp_aio to upload file
    • libssh: when using IPv6 numerical address, add brackets
    • mime: fix reader stall on small read lengths
    • mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
    • mprintf: fix the integer overflow checks
    • multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when...
    • netrc: address several netrc parser flaws
    • netrc: support large file, longer lines, longer tokens
    • nghttp2: use custom memory functions
    • OpenSSL: improve error message on expired certificate
    • openssl: remove three "Useless Assignments"
    • openssl: stop using SSLCTX function prefix for our functions
    • pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS
    • rtsp: check EOS in the RTSP receive and return an error code
    • schannel: remove TLS 1.3 ciphersuite-list support
    • setopt: fix CURLOPT_HTTP_CONTENT_DECODING
    • setopt: fix missing options for builds without HTTP & MQTT
    • socket: handle binding to "host!<ip>"
    • socketpair: fix enabling 'USE_EVENTFD'
    • strtok: use namespaced 'strtok_r' macro instead of redefining it

Update to 8.11.0:

  • Security fixes: [bsc#1232528, CVE-2024-9681]

    • curl: HSTS subdomain overwrites parent cache entry
  • Changes:

    • curl: --create-dirs works for --dump-header as well
    • gtls: Add P12 format support
    • ipfs: add options to disable
    • TLS: TLSv1.3 earlydata support for curl
    • WebSockets: make support official (non-experimental)
  • Bugfixes:

    • build: clarify CA embed is for curl tool, mark default, improve summary
    • build: show if CA bundle to embed was found
    • build: tidy up and improve versioned-symbols options
    • cmake/FindNGTCP2: use library path as hint for finding crypto module
    • cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
    • cmake: rename LDAP dependency config variables to match Find modules
    • cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
    • cmake: use OpenSSL for LDAP detection only if available
    • curl: add build options for safe/no CA bundle search (Windows)
    • curl: detect ECH support dynamically, not at build time
    • curl_addrinfo: support operating systems with only getaddrinfo(3)
    • ftp: fix 0-length last write on upload from stdin
    • gnutls: use session cache for QUIC
    • hsts: improve subdomain handling
    • hsts: support "implied LWS" properly around max-age
    • http2: auto reset stream on server eos
    • json.md: cli-option '--json' is an alias of '--data-binary'
    • lib: move curl_path.[ch] into vssh/
    • lib: remove function pointer typecasts for hmac/sha256/md5
    • libssh.c: handle EGAINS during proto-connect correctly
    • libssh2: use the filename buffer when getting the homedir
    • multi.c: warn/assert on stall only without timer
    • negotiate: conditional check around GSS & SSL specific code
    • netrc: cache the netrc file in memory
    • ngtcp2: do not loop on recv
    • ngtcp2: set max window size to 10x of initial (128KB)
    • openssl quic: populate x509 store before handshake
    • openssl: extend the OpenSSL error messages
    • openssl: improve retries on shutdown
    • quic: use send/recvmmsg when available
    • schannel: fix TLS cert verification by IP SAN
    • schannel: ignore error on recv beyond close notify
    • select: use poll() if existing, avoid poll() with no sockets
    • sendf: add condition to max-filesize check
    • server/mqttd: fix two memory leaks
    • setopt: return error for bad input to CURLOPT_RTSP_REQUEST
    • setopt_cptr: make overflow check only done when needed
    • tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED
    • tool: support --show-headers AND --remote-header-name
    • tool_operate: make --skip-existing work for --parallel
    • url: connection reuse on h3 connections
    • url: use same credentials on redirect
    • urlapi: normalize the IPv6 address
    • version: say quictls in MSH3 builds
    • vquic: fix compiler warning with gcc + MUSL
    • vquic: recv_mmsg, use fewer, but larger buffers
    • vtls: convert Curl_pin_peer_pubkey to use dynbuf
    • vtls: convert pubkey_pem_to_der to use dynbuf

Update to 8.10.1:

  • Bugfixes:

    • autotools: fix --with-ca-embed build rule
    • cmake: ensure CURL_USE_OPENSSL/USE_OPENSSL_QUIC are set in sync
    • cmake: fix MSH3 to appear on the feature list
    • connect: store connection info when really done
    • FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
    • http2: when uploading data from stdin, fix eos forwarding
    • http: make max-filesize check not count ignored bodies
    • lib: fix AF_INET6 use outside of USE_IPV6
    • multi: check that the multi handle is valid in curl_multi_assign
    • QUIC: on connect, keep on trying on draining server
    • request: correctly reset the eos_sent flag
    • setopt: remove superfluous use of ternary expressions
    • singleuse: drop Curl_memrchr() for no-HTTP builds
    • tool_cb_wrt: use "curl_response" if no file name in URL
    • transfer: fix sendrecv() without interim poll
    • vtls: fix Curl_ssl_conn_config_match doc param

Update to version 8.10.0:

  • Security fixes:

    • [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS
  • Changes:

    • curl: make --rate accept "number of units"
    • curl: make --show-headers the same as --include
    • curl: support --dump-header % to direct to stderr
    • curl: support embedding a CA bundle and --dump-ca-embed
    • curl: support repeated use of the verbose option; -vv etc
    • curl: use libuv for parallel transfers with --test-event
    • vtls: stop offering alpn http/1.1 for http2-prior-knowledge
  • Bugfixes:

    • curl: allow 500MB data URL encode strings
    • curl: warn on unsupported SSL options
    • Curl_rand_bytes to control env override
    • curl_sha512_256: fix symbol collisions with nettle library
    • dist: fix reproducible build from release tarball
    • http2: fix GOAWAY message sent to server
    • http2: improve rate limiting of downloads
    • INSTALL.md: MultiSSL and QUIC are mutually exclusive
    • lib: add eos flag to send methods
    • lib: make SSPI global symbols use Curl_ prefix
    • lib: prefer CURL_SHA256_DIGEST_LENGTH over the unprefixed name
    • lib: remove the final strncpy() calls
    • lib: remove use of RANDOM_FILE
    • Makefile.mk: fixup enabling libidn2
    • max-filesize.md: mention zero disables the limit
    • mime: avoid infinite loop in client reader
    • ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
    • openssl quic: fix memory leak
    • openssl: certinfo errors now fail correctly
    • openssl: fix the data race when sharing an SSL session between threads
    • openssl: improve shutdown handling
    • POP3: fix multi-line responses
    • pop3: use the protocol handler ->write_resp
    • progress: ratelimit/progress tweaks
    • rand: only provide weak random when needed
    • sectransp: fix setting tls version
    • setopt: make CURLOPT_TFTP_BLKSIZE accept bad values
    • sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL
    • sigpipe: init the struct so that first apply ignores
    • smb: convert superfluous assign into assert
    • smtp: add tracing feature
    • spnego_gssapi: implement TLS channel bindings for openssl
    • src: delete curlx_m*printf() aliases
    • ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)
    • tool_operhlp: fix "potentially uninitialized local variable 'pc' used"
    • tool_paramhlp: bump maximum post data size in memory to 16GB
    • transfer: skip EOS read when download done
    • url: fix connection reuse for HTTP/2 upgrades
    • urlapi: verify URL decoded hostname when set
    • urldata: introduce data->mid, a unique identifier inside a multi
    • vtls: add SSLSUPP_CIPHER_LIST
    • vtls: fix static function name collisions between TLS backends
    • vtls: init ssl peer only once
    • websocket: introduce blocking sends
    • ws: flags to opcodes should ignore CURLWS_CONT flag
    • x509asn1: raise size limit for x509 certification information

Affected packages

SUSE:Linux Micro 6.1 / curl

Package

Name
curl
Purl
pkg:rpm/suse/curl&distro=SUSE%20Linux%20Micro%206.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.12.1-slfo.1.1_1.1

Ecosystem specific

{
    "binaries": [
        {
            "libcurl4": "8.12.1-slfo.1.1_1.1",
            "curl": "8.12.1-slfo.1.1_1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20239-1.json"