[ubuntu/noble-updates] curl 8.5.0-2ubuntu10.7 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Wed Feb 25 00:02:33 UTC 2026
curl (8.5.0-2ubuntu10.7) noble-security; urgency=medium
  * SECURITY UPDATE: predictable websocket frame mask
    - debian/patches/CVE-2025-10148.patch: get a new mask for each
      new outgoing frame in lib/ws.c
    - CVE-2025-10148
  * SECURITY UPDATE: multi-threaded TLS options leak
    - debian/patches/CVE-2025-14017.patch: call ldap_init() before
      setting the options in lib/ldap.c
    - CVE-2025-14017
  * SECURITY UPDATE: bearer token leak on cross-protocol redirect
    - debian/patches/CVE-2025-14524.patch: if redirected,
      require permission to use bearer in lib/curl_sasl.c
    - CVE-2025-14524
  * SECURITY UPDATE: OpenSSL partial chain store policy bypass
    - debian/patches/CVE-2025-14819.patch: toggling
      CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in
      lib/vtls/openssl.c.
    - CVE-2025-14819
  * SECURITY UPDATE: ssh known_hosts validation bypass
    - debian/patches/CVE-2025-15079.patch: set both knownhosts
      options to the same file in lib/vssh/libssh.c
    - CVE-2025-15079
  * SECURITY UPDATE: improper local ssh agent authentication
    - debian/patches/CVE-2025-15224.patch: require private key
      or user-agent for public key auth in lib/vssh/libssh.c
    - CVE-2025-15224
Date: 2026-02-21 01:05:12.910137+00:00
Changed-By: Elise Hlady <elise.hlady at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.7