Bug 34944 - curl new security issues CVE-2025-13034, CVE-2025-14017, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, CVE-2025-15224
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-07 10:52 CET by Nicolas Salguero
Modified: 2026-01-10 06:08 CET
CC List: 4 users

See Also:
Source RPM: curl-8.17.0-1.mga10.src.rpm, curl-7.88.1-4.8.mga9.src.rpm
CVE: CVE-2025-13034, CVE-2025-14017, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, CVE-2025-15224
Status comment: Fixed upstream in 8.18.0
nicolas.salguero: affects_mga9+



Comment 1 Nicolas Salguero 2026-01-07 10:53:48 CET
CVE-2025-13034 only affects Cauldron.

Source RPM: (none) => curl-8.17.0-1.mga10.src.rpm, curl-7.88.1-4.8.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-13034, CVE-2025-14017, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, CVE-2025-15224
Status comment: (none) => Fixed upstream in 8.18.0
Flags: (none) => affects_mga9+

Comment 2 Dan Fandrich 2026-01-07 20:06:36 CET
Note that Mageia curl is not susceptible to CVE-2025-13034 (no QUIC) and CVE-2025-14017 (non-susceptible LDAP back-end).

curl-8.18.0-1.mga10, which fixes these issues, is available in Cauldron.

CC: (none) => dan
Status: NEW => ASSIGNED
Assignee: bugsquad => dan

Comment 3 Dan Fandrich 2026-01-08 21:58:25 CET
curl-7.88.1-4.9.mga9 is available in 9/updates_testing. I'm not aware of any public proofs of concept for testing these issues, although most should be pretty easy to verify by reading the details in the curl security reports (see https://curl.se/docs/vuln-7.88.1.html). I can assist if someone wants to do so.

Suggested advisory description
------------------------------
curl is susceptible to a number of low-severity security vulnerabilities:
CVE-2025-14524: bearer token leak on cross-protocol redirect
CVE-2025-14819: OpenSSL partial chain store policy bypass
CVE-2025-15079: libssh knownhosts file vulnerability
CVE-2025-15224: libssh key passphrase bypass vulnerability
This release fixes these issues.

RPMS
----
curl-7.88.1-4.9.mga9
lib64curl4-7.88.1-4.9.mga9
lib64curl-devel-7.88.1-4.9.mga9
curl-examples-7.88.1-4.9.mga9


SRPMS
-----
curl-7.88.1-4.9.mga9

Assignee: dan => qa-bugs
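
A check a QA tester or administrator can run after this update to confirm the installed curl is at or past the fixed release listed above. This is an added example, not part of the bug report, the advisory or Mageia's own tooling. It assumes an rpm-based Mageia 9 host; the fixed version-release string is taken from the RPMS list in this comment; the comparison is a simplified, self-written reimplementation of rpm's segment-by-segment version rules (rpmvercmp), not rpm's own code; and the epoch (1 on both sides, as seen in the urpmi output) is deliberately ignored.

```shell
#!/bin/sh
# Fixed curl version-release for Mageia 9, from the RPMS list in this bug.
FIXED_CURL_VR="7.88.1-4.9.mga9"

# vr_compare A B: print 1 if A is newer than B, -1 if older, 0 if equal.
# Simplified rpmvercmp: split both strings into runs of digits and runs of
# letters (separators dropped), compare numeric runs numerically and alpha
# runs lexically, a numeric run outranks an alpha run at the same position,
# and on a tie the string with more segments is considered newer.
vr_compare() {
    awk -v a="$1" -v b="$2" '
    function split_segs(s, arr,    n, c, i, cur, type, t) {
        n = 0; cur = ""; type = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) t = "num"
            else if (c ~ /[A-Za-z]/) t = "alpha"
            else t = "sep"
            # Flush the current segment on a separator or a digit/letter switch
            if (t == "sep" || t != type) {
                if (cur != "") { arr[++n] = cur; arr[n, "t"] = type }
                cur = ""
            }
            if (t != "sep") { cur = cur c; type = t }
        }
        if (cur != "") { arr[++n] = cur; arr[n, "t"] = type }
        return n
    }
    BEGIN {
        split("", A); split("", B)
        na = split_segs(a, A); nb = split_segs(b, B)
        n = (na < nb) ? na : nb
        r = 0
        for (i = 1; i <= n && r == 0; i++) {
            if (A[i, "t"] != B[i, "t"])
                r = (A[i, "t"] == "num") ? 1 : -1
            else if (A[i, "t"] == "num" && A[i] + 0 != B[i] + 0)
                r = (A[i] + 0 > B[i] + 0) ? 1 : -1
            else if (A[i, "t"] == "alpha" && A[i] != B[i])
                r = (A[i] > B[i]) ? 1 : -1
        }
        if (r == 0 && na != nb) r = (na > nb) ? 1 : -1
        print r
    }'
}

# curl_is_fixed [VERSION-RELEASE]: succeed if the given (or installed) curl
# is at least FIXED_CURL_VR. With no argument it queries rpm; the epoch is
# left out of the query format because it is the same on both sides here.
curl_is_fixed() {
    if [ -n "${1:-}" ]; then
        installed="$1"
    else
        installed="$(rpm -q --qf '%{VERSION}-%{RELEASE}' curl 2>/dev/null)" || installed=""
    fi
    [ -n "$installed" ] || { echo "curl is not installed" >&2; return 2; }
    [ "$(vr_compare "$installed" "$FIXED_CURL_VR")" -ge 0 ]
}

# Example on a constructed value (the pre-update release seen in this bug):
# curl_is_fixed 7.88.1-4.8.mga9 && echo "fixed" || echo "still at a vulnerable release"
```

Source the file and call `curl_is_fixed` with no argument on the host under test; a non-zero exit means the package is still at a release older than the one in the RPMS list.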

katnatek 2026-01-09 01:47:44 CET

Keywords: (none) => advisory
Version: Cauldron => 9

Comment 4 katnatek 2026-01-09 02:25:31 CET
RH x86_64

installing lib64curl4-7.88.1-4.9.mga9.x86_64.rpm curl-7.88.1-4.9.mga9.x86_64.rpm lib64curl-devel-7.88.1-4.9.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     #####################################################################################
      1/3: lib64curl4            #####################################################################################
      2/3: curl                  #####################################################################################
      3/3: lib64curl-devel       #####################################################################################
      1/3: removing lib64curl-devel-1:7.88.1-4.8.mga9.x86_64
                                 #####################################################################################
      2/3: removing curl-1:7.88.1-4.8.mga9.x86_64
                                 #####################################################################################
      3/3: removing lib64curl4-1:7.88.1-4.8.mga9.x86_64
                                 #####################################################################################

set curl as downloader in drakrpm-editmedia

urpmi.update --ff -a --debug

Shows that it works.
Good for me
Comment 5 Herman Viaene 2026-01-09 10:55:10 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 33844 Comments 4 and 54 for testing.

$ curl -I https://www.mageia.org/fr/
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2026 09:51:52 GMT
Server: Apache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8

$ curl -O https://geex.freeboxos.fr/distrib/9/x86_64/install/images/Mageia-9-netinstall-x86_64.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 70.0M  100 70.0M    0     0  6208k      0  0:00:11  0:00:11 --:--:-- 6330k
All looks OK

Whiteboard: MGA9TOO => MGA9TOO, MGA9-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2026-01-10 01:50:53 CET
Validating.

Whiteboard: MGA9TOO, MGA9-64-OK => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2026-01-10 06:08:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0003.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

