SB2025091301 - SUSE update for curl

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2024-6874)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the curl_url_get() function when parsing IDN URLs. A remote attacker can pass a specially crafted URL to the application, trigger an out-of-bounds read error and read contents of memory on the system.

2) Resource management error (CVE-ID: CVE-2025-0665)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when built with the threaded resolver. A remote attacker can force the application to wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve

3) Use of insufficiently random values (CVE-ID: CVE-2025-10148)

The vulnerability allows a remote attacker to perform cache poisoning. 

The vulnerability exists due to the websocket code does not update the 32 bit mask pattern for each new outgoing frame as the specification says.Instead it used a fixed mask that persisted and was used throughout the entire connection. As a result, a malicious server can induce traffic between the two communicating parties that can be interpreted by an involved proxy and poison cached content. 

4) Improper Certificate Validation (CVE-ID: CVE-2025-4947)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to missing certificate validation for QUIC connections when connecting to a host specified as an IP address in the URL. A remote attacker can perform Man-in-the-middle (MitM) attack.

Note, successful exploitation of the vulnerability requires wolfSSL to be used as the TLS backend for QUIC to trigger.

5) Improper Certificate Validation (CVE-ID: CVE-2025-5025)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to libcurl does not perform pinning of the server certificate public key for HTTPS transfers when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. A remote attacker can perform Man-in-the-middle (MitM) attack and track the victim into connecting to a malicious server.

6) Infinite loop (CVE-ID: CVE-2025-5399)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within the WebSocket code. A malicious web server can send a specially crafted packet to the libcurl application and perform a denial of service (DoS) attack.

7) Out-of-bounds read (CVE-ID: CVE-2025-9086)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when reading cookie path. A malicious server can set a specially crafted cookie path using the secure keyword, trigger an out-of-bounds read error and crash the application.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2025/suse-su-202503198-1/