HCE3-SA-2025-0197
An update for curl is now available for HCE 3.0
Important
HCE 3.0
Security Fix(es):
1. A cookie is set using the `secure` keyword for `https://target`
2. curl is redirected to or otherwise made to speak with `http://target` (same
hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (`path=_x27;/_x27;`).
Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer
boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay. (CVE-2025-9086)
curl_x27;s websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy. (CVE-2025-10148)
curl_x27;s code for managing SSH connections when SFTP was done using the wolfSSH
powered backend was flawed and missed host verification mechanisms.
This prevents curl from detecting MITM attackers and more. (CVE-2025-10966)
HCE 3.0
curl-8.4.0-14.r11.hce3.x86_64.rpm
curl-help-8.4.0-14.r11.hce3.noarch.rpm
libcurl-8.4.0-14.r11.hce3.x86_64.rpm
libcurl-devel-8.4.0-14.r11.hce3.x86_64.rpm
curl-8.4.0-14.r11.hce3.aarch64.rpm
libcurl-8.4.0-14.r11.hce3.aarch64.rpm
libcurl-devel-8.4.0-14.r11.hce3.aarch64.rpm