All errata/sisyphus_loongarch64/ALT-PU-2025-2467-1
ALT-PU-2025-2467-1

Package update curl in branch sisyphus_loongarch64

Version8.12.0-alt1
Task#0
Published2025-02-05
Max severityHIGH
Severity:

Closed issues (3)

CVE-2025-0167
LOW3.4

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

Published: 2025-02-05Modified: 2025-07-30
CVSS 3.xLOW 3.4
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
References
CVE-2025-0665
HIGH7.0

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

Published: 2025-02-05Modified: 2026-03-17
CVSS 3.xHIGH 7.0
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
References
CVE-2025-0725
HIGH7.3

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

Published: 2025-02-05Modified: 2025-06-27
CVSS 3.xHIGH 7.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References