openSUSE-SU-2025:20090-1

See a problem?

Import Source

https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:20090-1.json

JSON Data

https://api.osv.dev/v1/vulns/openSUSE-SU-2025:20090-1

Upstream

CVE-2025-10148

CVE-2025-11563

CVE-2025-9086

Related

Published

2025-11-26T14:30:14Z

Modified

2026-03-23T04:54:16.757459Z

Summary

Security update for curl

Details

This update for curl fixes the following issues:

CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)
CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes (bsc#1253757)
CVE-2025-10148: Fixed predictable WebSocket mask (bsc#1249348)

Other fixes: - tool_operate: fix return code when --retry is used but not triggered (bsc#1249367)

References

Affected packages

openSUSE:Leap 16.0 / curl

Package

Name: curl
Purl: pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2016.0

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.14.1-160000.3.1

Ecosystem specific

{
    "binaries": [
        {
            "curl-fish-completion": "8.14.1-160000.3.1",
            "libcurl4": "8.14.1-160000.3.1",
            "libcurl-devel-doc": "8.14.1-160000.3.1",
            "libcurl-devel": "8.14.1-160000.3.1",
            "curl-zsh-completion": "8.14.1-160000.3.1",
            "curl": "8.14.1-160000.3.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:20090-1.json"