API Security Blog

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : curl (SUSE-SU-2025:03198-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03198-1 advisory.

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL, which allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version…
