ALT-PU-2025-8757-1
Package curl updated to version 8.14.1-alt2 for branch sisyphus_e2k.
Closed vulnerabilities
Published: 2025-05-28
Modified: 2025-06-26
Modified: 2025-06-26
CVE-2025-4947
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
Severity: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References:
Published: 2025-06-07
Modified: 2025-07-30
Modified: 2025-07-30
CVE-2025-5399
Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Closed bugs
curl 8.14.1: не работает параметр --ftp-pasv