OESA-2026-1192
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1192
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2026-1192.json
- JSON Data
- https://api.osv.dev/v1/vulns/OESA-2026-1192
- Upstream
- Published
- 2026-01-23T12:22:48Z
- Modified
- 2026-01-23T12:45:01.485633Z
- Summary
- curl security update
- Details
-
cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.
Security Fix(es):
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.(CVE-2025-14524)
When doing TLS related transfers with reused easy or multi handles and altering the
CURLSSLOPT_NO_PARTIALCHAINoption, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.(CVE-2025-14819)When doing SSH-based transfers using either SCP or SFTP, and setting the knownhosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* knownhosts file.(CVE-2025-15079)
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.(CVE-2025-15224)
- Database specific
{ "severity": "Medium" }- References
Affected packages
openEuler:24.03-LTS-SP3 / curl
Package
- Name
- curl
- Purl
- pkg:rpm/openEuler/curl&distro=openEuler-24.03-LTS-SP3
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.4.0-26.oe2403sp3
Ecosystem specific
{
"aarch64": [
"curl-8.4.0-26.oe2403sp3.aarch64.rpm",
"curl-debuginfo-8.4.0-26.oe2403sp3.aarch64.rpm",
"curl-debugsource-8.4.0-26.oe2403sp3.aarch64.rpm",
"libcurl-8.4.0-26.oe2403sp3.aarch64.rpm",
"libcurl-devel-8.4.0-26.oe2403sp3.aarch64.rpm"
],
"src": [
"curl-8.4.0-26.oe2403sp3.src.rpm"
],
"x86_64": [
"curl-8.4.0-26.oe2403sp3.x86_64.rpm",
"curl-debuginfo-8.4.0-26.oe2403sp3.x86_64.rpm",
"curl-debugsource-8.4.0-26.oe2403sp3.x86_64.rpm",
"libcurl-8.4.0-26.oe2403sp3.x86_64.rpm",
"libcurl-devel-8.4.0-26.oe2403sp3.x86_64.rpm"
],
"noarch": [
"curl-help-8.4.0-26.oe2403sp3.noarch.rpm"
]
}