An update for curl is now available for openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2319 Final 1.0 1.0 2025-09-19 Initial 2025-09-19 2025-09-19 openEuler SA Tool V1.0 2025-09-19 curl security update An update for curl is now available for openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-20.03-LTS-SP4 cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols. Security Fix(es): curl contains an out-of-bounds read vulnerability in cookie path comparison logic. When a secure cookie is set via HTTPS and then the client is redirected to an insecure HTTP site using the same cookie name with path="/", a bug in path comparison logic causes reading beyond heap buffer boundaries. This may result in crashes or incorrectly allowing insecure sites to override secure cookie contents, contrary to security expectations. The attacker needs control of an HTTP site with the same name as the HTTPS version or MITM capability.(CVE-2025-9086) An update for curl is now available for openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High curl https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2319 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-9086 https://nvd.nist.gov/vuln/detail/CVE-2025-9086 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-20.03-LTS-SP4 curl-7.79.1-42.oe2203sp3.x86_64.rpm curl-debuginfo-7.79.1-42.oe2203sp3.x86_64.rpm curl-debugsource-7.79.1-42.oe2203sp3.x86_64.rpm libcurl-7.79.1-42.oe2203sp3.x86_64.rpm libcurl-devel-7.79.1-42.oe2203sp3.x86_64.rpm curl-7.79.1-42.oe2203sp4.x86_64.rpm curl-debuginfo-7.79.1-42.oe2203sp4.x86_64.rpm curl-debugsource-7.79.1-42.oe2203sp4.x86_64.rpm libcurl-7.79.1-42.oe2203sp4.x86_64.rpm libcurl-devel-7.79.1-42.oe2203sp4.x86_64.rpm curl-8.4.0-22.oe2403.x86_64.rpm curl-debuginfo-8.4.0-22.oe2403.x86_64.rpm curl-debugsource-8.4.0-22.oe2403.x86_64.rpm libcurl-8.4.0-22.oe2403.x86_64.rpm libcurl-devel-8.4.0-22.oe2403.x86_64.rpm curl-8.4.0-22.oe2403sp1.x86_64.rpm curl-debuginfo-8.4.0-22.oe2403sp1.x86_64.rpm curl-debugsource-8.4.0-22.oe2403sp1.x86_64.rpm libcurl-8.4.0-22.oe2403sp1.x86_64.rpm libcurl-devel-8.4.0-22.oe2403sp1.x86_64.rpm curl-8.4.0-22.oe2403sp2.x86_64.rpm curl-debuginfo-8.4.0-22.oe2403sp2.x86_64.rpm curl-debugsource-8.4.0-22.oe2403sp2.x86_64.rpm libcurl-8.4.0-22.oe2403sp2.x86_64.rpm libcurl-devel-8.4.0-22.oe2403sp2.x86_64.rpm curl-7.71.1-43.oe2003sp4.x86_64.rpm curl-debuginfo-7.71.1-43.oe2003sp4.x86_64.rpm curl-debugsource-7.71.1-43.oe2003sp4.x86_64.rpm libcurl-7.71.1-43.oe2003sp4.x86_64.rpm libcurl-devel-7.71.1-43.oe2003sp4.x86_64.rpm curl-help-7.79.1-42.oe2203sp3.noarch.rpm curl-help-7.79.1-42.oe2203sp4.noarch.rpm curl-help-8.4.0-22.oe2403.noarch.rpm curl-help-8.4.0-22.oe2403sp1.noarch.rpm curl-help-8.4.0-22.oe2403sp2.noarch.rpm curl-help-7.71.1-43.oe2003sp4.noarch.rpm curl-7.79.1-42.oe2203sp3.aarch64.rpm curl-debuginfo-7.79.1-42.oe2203sp3.aarch64.rpm curl-debugsource-7.79.1-42.oe2203sp3.aarch64.rpm libcurl-7.79.1-42.oe2203sp3.aarch64.rpm libcurl-devel-7.79.1-42.oe2203sp3.aarch64.rpm curl-7.79.1-42.oe2203sp4.aarch64.rpm curl-debuginfo-7.79.1-42.oe2203sp4.aarch64.rpm curl-debugsource-7.79.1-42.oe2203sp4.aarch64.rpm libcurl-7.79.1-42.oe2203sp4.aarch64.rpm libcurl-devel-7.79.1-42.oe2203sp4.aarch64.rpm curl-8.4.0-22.oe2403.aarch64.rpm curl-debuginfo-8.4.0-22.oe2403.aarch64.rpm curl-debugsource-8.4.0-22.oe2403.aarch64.rpm libcurl-8.4.0-22.oe2403.aarch64.rpm libcurl-devel-8.4.0-22.oe2403.aarch64.rpm curl-8.4.0-22.oe2403sp1.aarch64.rpm curl-debuginfo-8.4.0-22.oe2403sp1.aarch64.rpm curl-debugsource-8.4.0-22.oe2403sp1.aarch64.rpm libcurl-8.4.0-22.oe2403sp1.aarch64.rpm libcurl-devel-8.4.0-22.oe2403sp1.aarch64.rpm curl-8.4.0-22.oe2403sp2.aarch64.rpm curl-debuginfo-8.4.0-22.oe2403sp2.aarch64.rpm curl-debugsource-8.4.0-22.oe2403sp2.aarch64.rpm libcurl-8.4.0-22.oe2403sp2.aarch64.rpm libcurl-devel-8.4.0-22.oe2403sp2.aarch64.rpm curl-7.71.1-43.oe2003sp4.aarch64.rpm curl-debuginfo-7.71.1-43.oe2003sp4.aarch64.rpm curl-debugsource-7.71.1-43.oe2003sp4.aarch64.rpm libcurl-7.71.1-43.oe2003sp4.aarch64.rpm libcurl-devel-7.71.1-43.oe2003sp4.aarch64.rpm curl-7.79.1-42.oe2203sp3.src.rpm curl-7.79.1-42.oe2203sp4.src.rpm curl-8.4.0-22.oe2403.src.rpm curl-8.4.0-22.oe2403sp1.src.rpm curl-8.4.0-22.oe2403sp2.src.rpm curl-7.71.1-43.oe2003sp4.src.rpm curl contains an out-of-bounds read vulnerability in cookie path comparison logic. When a secure cookie is set via HTTPS and then the client is redirected to an insecure HTTP site using the same cookie name with path="/", a bug in path comparison logic causes reading beyond heap buffer boundaries. This may result in crashes or incorrectly allowing insecure sites to override secure cookie contents, contrary to security expectations. The attacker needs control of an HTTP site with the same name as the HTTPS version or MITM capability. 2025-09-19 CVE-2025-9086 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H curl security update 2025-09-19 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2319