curl-7.76.1-35.el9_7.3
Errata ID: AXSA:2026-147:01
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
* curl: libcurl: Curl out of bounds read for cookie path (CVE-2025-9086)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-9086
1. A cookie is set using the `secure` keyword for `https://target`
2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (`path="/"`). Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
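The state described above (a path of just `/` ending up in a single-byte allocation) next to a bounds-checked form of the path comparison, as an added example that is neither curl's source nor part of this advisory. The function names, the `keep_root` switch and the trailing-slash normalisation that turns `/` into an empty string are assumptions of this simplified model.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of cookie-path normalisation: copy the path and drop a
 * trailing slash. With keep_root == 0 a lone "/" collapses to "" held in a
 * one-byte allocation (the state the advisory describes); keep_root == 1
 * never strips the leading slash. The caller frees the result. */
char *normalize_path(const char *path, int keep_root)
{
  size_t len = strlen(path);
  size_t min = keep_root ? 1 : 0;
  char *out;
  if(len > min && path[len - 1] == '/')
    len--;
  out = malloc(len + 1);
  if(!out)
    return NULL;
  memcpy(out, path, len);
  out[len] = '\0';
  return out;
}

/* Length of the first segment ("/login" in "/login/en"). Scanning from
 * offset 1 is only valid when byte 0 is not the terminator; on "" that scan
 * would start past the end of a one-byte buffer, so it is checked first. */
size_t first_segment_len(const char *spath)
{
  const char *sep;
  if(spath[0] == '\0')
    return 0;
  sep = strchr(spath + 1, '/');
  return sep ? (size_t)(sep - spath) : strlen(spath);
}

/* Returns 1 when a cookie set over clear-text HTTP must be ignored because
 * a secure cookie of the same name already covers that path.
 * Both paths are assumed to be normalised (empty or starting with '/'). */
int insecure_overlay_blocked(const char *secure_spath, const char *new_spath)
{
  size_t n = first_segment_len(secure_spath);
  if(n <= 1)   /* "" or "/": the secure cookie covers the whole host */
    return 1;
  if(strncmp(secure_spath, new_spath, n) != 0)
    return 0;
  /* n bytes matched, so new_spath[n] is still inside new_spath */
  return new_spath[n] == '\0' || new_spath[n] == '/';
}
```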
Update packages.
N/A
SRPMS
- curl-7.76.1-35.el9_7.3.src.rpm
MD5: dbae5c33d5b40461017724e5c294ebfa
SHA-256: e52fa40ba0054f106c7e532424586edbede21b9fad1e646f003b074e54b13a3f
Size: 2.45 MB
Asianux Server 9 for x86_64
- curl-7.76.1-35.el9_7.3.x86_64.rpm
MD5: 0845cb4425cc494e7289c63dc4b927cf
SHA-256: 11712240a4bd1699c4af321925fc10ac402051733fce7ec1a2c97d22724cbff1
Size: 292.37 kB
- curl-minimal-7.76.1-35.el9_7.3.x86_64.rpm
MD5: 20204585d9203af57da52e765feaa062
SHA-256: 4dc592ee77ec8d3921c20b36015556a259c74f6f392cff85bb2c10d6aa4674d0
Size: 125.73 kB
- libcurl-7.76.1-35.el9_7.3.i686.rpm
MD5: 29a08a597e72a11a375a7a74677c73f4
SHA-256: 672e0ca187184ba8b6b922d92dd52877e4effaa3845e809646d999e6bce4d91d
Size: 309.02 kB
- libcurl-7.76.1-35.el9_7.3.x86_64.rpm
MD5: 815a438aa8894dd8b5a26c455d3e521b
SHA-256: fbc18662688b5fa928fed0aa132b5d6794be203601dfb8643f9ceb72b2a35fba
Size: 282.45 kB
- libcurl-devel-7.76.1-35.el9_7.3.i686.rpm
MD5: 49782186a604cc16b4386980b83a23a3
SHA-256: d8cd92dc23fb5f4162b30c92be6a3af6860ef7e8aa1b9374d149fd7ca32f6352
Size: 0.96 MB
- libcurl-devel-7.76.1-35.el9_7.3.x86_64.rpm
MD5: 011ce6c3ab6c08c79b965994a441fc23
SHA-256: 078ddcee72104eca2dbbd4ee8c75a2c87e67f0c3486a795f7ee350817142acc9
Size: 0.96 MB
- libcurl-minimal-7.76.1-35.el9_7.3.i686.rpm
MD5: 8241dcbd4f154f49f975a79aef23e174
SHA-256: 2522d5298fd001da2b0c8d87c909d4ab7ec1585346ab3ccbcb74a10aedc4a7fa
Size: 244.16 kB
- libcurl-minimal-7.76.1-35.el9_7.3.x86_64.rpm
MD5: 20d28ccdea54a66feb381a217e9980ba
SHA-256: 9c3afcfc5d6371231737b7a3abd40365ca18d33bb9c1599805a08dabb4ca3cd4
Size: 223.41 kB