ALT Linux Team

Branch c10f2 update on 2025-02-16

2025-02-16

ALT-BU-2025-2852-1

Branch c10f2 update bulletin.

ALT-PU-2025-2748-2

Package curl updated to version 8.12.1-alt1 for branch c10f2 in task 374305.

Closed vulnerabilities

Published: 2025-02-05
Modified: 2025-03-07

CVE-2025-0167

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

References:
Published: 2025-02-05
Modified: 2025-03-18

CVE-2025-0665

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

References:
Published: 2025-02-05
Modified: 2025-03-07

CVE-2025-0725

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top