An update for curl is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1021 Final 1.0 1.0 2025-01-10 Initial 2025-01-10 2025-01-10 openEuler SA Tool V1.0 2025-01-10 curl security update An update for curl is now available for openEuler-24.03-LTS cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols. Security Fix(es): A vulnerability has been found in cURL (Network Utility Software) and classified as problematic. Affected by this vulnerability is an unknown code block of the component netrc File Handler. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.(CVE-2024-11053) An update for curl is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of low. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Low curl https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1021 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-11053 https://nvd.nist.gov/vuln/detail/CVE-2024-11053 openEuler-24.03-LTS curl-8.4.0-14.oe2403.src.rpm curl-8.4.0-14.oe2403.x86_64.rpm curl-debuginfo-8.4.0-14.oe2403.x86_64.rpm curl-debugsource-8.4.0-14.oe2403.x86_64.rpm libcurl-8.4.0-14.oe2403.x86_64.rpm libcurl-devel-8.4.0-14.oe2403.x86_64.rpm curl-help-8.4.0-14.oe2403.noarch.rpm curl-8.4.0-14.oe2403.aarch64.rpm curl-debuginfo-8.4.0-14.oe2403.aarch64.rpm curl-debugsource-8.4.0-14.oe2403.aarch64.rpm libcurl-8.4.0-14.oe2403.aarch64.rpm libcurl-devel-8.4.0-14.oe2403.aarch64.rpm When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. 2025-01-10 CVE-2024-11053 openEuler-24.03-LTS Low 3.4 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N curl security update 2025-01-10 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1021