ALT-PU-2025-8757-1

Package update curl in branch sisyphus_e2k

Version8.14.1-alt2

Task#0

Published2025-06-30

Max severityHIGH

Severity:

Closed issues (2)

MEDIUM6.5

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

Published: 2025-05-28Modified: 2025-06-26

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

HIGH7.5

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application.

Published: 2025-06-07Modified: 2025-07-30

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Closed bugs (1)

curl 8.14.1: не работает параметр --ftp-pasv