An update for curl is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1192 Final 1.0 1.0 2026-01-23 Initial 2026-01-23 2026-01-23 openEuler SA Tool V1.0 2026-01-23 curl security update An update for curl is now available for openEuler-24.03-LTS-SP3 cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols. Security Fix(es): When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.(CVE-2025-14524) When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.(CVE-2025-14819) When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.(CVE-2025-15079) When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.(CVE-2025-15224) An update for curl is now available for openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium curl https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1192 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-14524 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-14819 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-15079 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-15224 https://nvd.nist.gov/vuln/detail/CVE-2025-14524 https://nvd.nist.gov/vuln/detail/CVE-2025-14819 https://nvd.nist.gov/vuln/detail/CVE-2025-15079 https://nvd.nist.gov/vuln/detail/CVE-2025-15224 openEuler-24.03-LTS-SP3 curl-8.4.0-26.oe2403sp3.aarch64.rpm curl-debuginfo-8.4.0-26.oe2403sp3.aarch64.rpm curl-debugsource-8.4.0-26.oe2403sp3.aarch64.rpm libcurl-8.4.0-26.oe2403sp3.aarch64.rpm libcurl-devel-8.4.0-26.oe2403sp3.aarch64.rpm curl-8.4.0-26.oe2403sp3.src.rpm curl-8.4.0-26.oe2403sp3.x86_64.rpm curl-debuginfo-8.4.0-26.oe2403sp3.x86_64.rpm curl-debugsource-8.4.0-26.oe2403sp3.x86_64.rpm libcurl-8.4.0-26.oe2403sp3.x86_64.rpm libcurl-devel-8.4.0-26.oe2403sp3.x86_64.rpm curl-help-8.4.0-26.oe2403sp3.noarch.rpm When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. 2026-01-23 CVE-2025-14524 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N curl security update 2026-01-23 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1192 When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. 2026-01-23 CVE-2025-14819 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N curl security update 2026-01-23 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1192 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. 2026-01-23 CVE-2025-15079 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N curl security update 2026-01-23 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1192 When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. 2026-01-23 CVE-2025-15224 openEuler-24.03-LTS-SP3 Low 3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N curl security update 2026-01-23 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1192