curl 7.88.1 is susceptible to an OOB read in the cookie handler. The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.
https://curl.se/docs/CVE-2025-9086.html
curl-8.15.0-1.mga10 is susceptible to this as well as CVE-2025-10148, predictable WebSocket mask. Since websocket support is disabled in the mga9 version, it's not applicable there.
CVE: (none) => CVE-2025-9086
Status: NEW => ASSIGNED
curl-8.16.0-1.mga10 is available in Cauldron to fix these two issues.
curl-7.88.1-4.8.mga9 is available in 9/updates_testing.

Suggested advisory description
------------------------------

curl is susceptible to an out-of-bounds read in the cookie handler that could either cause a crash or potentially allow a clear-text site to override the contents of a secure cookie. This release also fixes a rare memory leak in HTTP trailers.

RPMS
----

curl-7.88.1-4.8.mga9
lib64curl4-7.88.1-4.8.mga9
lib64curl-devel-7.88.1-4.8.mga9
curl-examples-7.88.1-4.8.mga9

SRPMS
-----

curl-7.88.1-4.8.mga9
Assignee: dan => qa-bugs
Keywords: (none) => advisory
RH i586

installing curl-7.88.1-4.8.mga9.i586.rpm libcurl-devel-7.88.1-4.8.mga9.i586.rpm libcurl4-7.88.1-4.8.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing... #######################################################################################
1/3: libcurl4 #######################################################################################
2/3: libcurl-devel #######################################################################################
3/3: curl #######################################################################################
1/3: removing libcurl-devel-1:7.88.1-4.6.mga9.i586 #######################################################################################
2/3: removing curl-1:7.88.1-4.6.mga9.i586 #######################################################################################
3/3: removing libcurl4-1:7.88.1-4.6.mga9.i586 #######################################################################################

curl is set as downloader for urpmi

LC_ALL=C urpmi.update -a --debug -ff
(In reply to katnatek from comment #3)
> RH i586
> curl is set as downloader for urpmi
>
> LC_ALL=C urpmi.update -a --debug -ff

It works OK
MGA9-64 Plasma. No installation issues. Made sure curl was selected as the downloader in drakrpm-edit-media, then used drakrpm to download and install a half-dozen games from our repos, with no issues. Played the games, giving a dismal account of myself, but the games are OK.

Giving this OKs, and validating.
Whiteboard: (none) => MGA9-32-OK MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0232.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED