{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "curl", "intel-microcode", "libcurl4t64" ] } }, "diff": { "deb": [ { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1", "version": "8.14.1-2ubuntu1" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1.1", "version": "8.14.1-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: cookie path out-of-bounds read", " - debian/patches/CVE-2025-9086.patch: don't treat the", " leading slash as trailing in lib/cookie.c", " - CVE-2025-9086", " * SECURITY UPDATE: predictable websocket frame mask", " - debian/patches/CVE-2025-10148.patch: get a new mask for each", " new outgoing frame in lib/ws.c", " - CVE-2025-10148", " * SECURITY UPDATE: wcurl output file directory escape", " - debian/patches/CVE-2025-11563.patch: dont percent-decode", " '/' or '\\' in output file name in scripts/wcurl.c", " - CVE-2025-11563", " * SECURITY UPDATE: No QUIC certificate pinning with GnuTLS", " - debian/patches/CVE-2025-13034.patch: call Curl_gtls_verifyserver", " unconditionally in lib/vquic/vquic-tls.c.", " - CVE-2025-13034", " * SECURITY UPDATE: multi-threaded TSL options leak", " - debian/patches/CVE-2025-14017.patch: call ldap_init() before", " setting the options in lib/ldap.c", " - CVE-2025-14017", " * SECURITY UPDATE: bearer token leak on cross-protocol redirect", " - debian/patches/CVE-2025-14524.patch: if redirected,", " require permission to use bearer in lib/curl_sasl.c", " - CVE-2025-14524", " * SECURITY UPDATE: OpenSSL partial chain store policy bypass", " - debian/patches/CVE-2025-14819.patch: toggling", " CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in", " lib/vtls/openssl.c.", " - CVE-2025-14819", "" ], "package": "curl", "version": "8.14.1-2ubuntu1.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Elise Hlady ", "date": "Tue, 17 Feb 2026 15:07:06 -0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "intel-microcode", "from_version": { "source_package_name": "intel-microcode", "source_package_version": "3.20250812.0ubuntu0.25.10.1", "version": "3.20250812.0ubuntu0.25.10.1" }, "to_version": { "source_package_name": "intel-microcode", "source_package_version": "3.20260210.0ubuntu0.25.10.1", "version": "3.20260210.0ubuntu0.25.10.1" }, "cves": [ { "cve": "CVE-2025-31648", "url": "https://ubuntu.com/security/CVE-2025-31648", "cve_description": "Improper handling of values in the microcode flow for some Intel(R) Processor Family may allow an escalation of privilege. Startup code and smm adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (low), integrity (low) and availability (none) impacts.", "cve_priority": "low", "cve_public_date": "2026-02-10 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-31648", "url": "https://ubuntu.com/security/CVE-2025-31648", "cve_description": "Improper handling of values in the microcode flow for some Intel(R) Processor Family may allow an escalation of privilege. Startup code and smm adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (low), integrity (low) and availability (none) impacts.", "cve_priority": "low", "cve_public_date": "2026-02-10 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: New upstream microcode datafile 20260210", " - New microcodes:", " sig 0x000a06e1, pf_mask 0x97, 2025-11-03, rev 0x10002f3, size 1645568", " - Updated microcodes:", " sig 0x000606a6, pf_mask 0x87, 2025-08-19, rev 0xd000421, size 309248", " sig 0x000606c1, pf_mask 0x10, 2025-08-19, rev 0x10002f1, size 301056", " sig 0x000706e5, pf_mask 0x80, 2025-07-24, rev 0x00cc, size 115712", " sig 0x000806c1, pf_mask 0x80, 2025-07-24, rev 0x00be, size 112640", " sig 0x000806c2, pf_mask 0xc2, 2025-07-24, rev 0x003e, size 99328", " sig 0x000806d1, pf_mask 0xc2, 2025-07-24, rev 0x0058, size 105472", " sig 0x000806f4, pf_mask 0x10, 2025-08-25, rev 0x2c000421, size 626688", " sig 0x000806f4, pf_mask 0x87, 2025-08-25, rev 0x2b000661, size 595968", " sig 0x000806f5, pf_mask 0x10, 2025-08-25, rev 0x2c000421, size 626688", " sig 0x000806f5, pf_mask 0x87, 2025-08-25, rev 0x2b000661, size 595968", " sig 0x000806f6, pf_mask 0x10, 2025-08-25, rev 0x2c000421, size 626688", " sig 0x000806f6, pf_mask 0x87, 2025-08-25, rev 0x2b000661, size 595968", " sig 0x000806f7, pf_mask 0x87, 2025-08-25, rev 0x2b000661, size 595968", " sig 0x000806f8, pf_mask 0x10, 2025-08-25, rev 0x2c000421, size 626688", " sig 0x000806f8, pf_mask 0x87, 2025-08-25, rev 0x2b000661, size 595968", " sig 0x00090672, pf_mask 0x07, 2025-10-12, rev 0x003e, size 227328", " sig 0x00090675, pf_mask 0x07, 2025-10-12, rev 0x003e, size 227328", " sig 0x000906a3, pf_mask 0x80, 2025-10-12, rev 0x043b, size 225280", " sig 0x000906a4, pf_mask 0x40, 2025-07-10, rev 0x000c, size 119808", " sig 0x000906a4, pf_mask 0x80, 2025-10-12, rev 0x043b, size 225280", " sig 0x000a0671, pf_mask 0x02, 2025-07-24, rev 0x0065, size 108544", " sig 0x000a06a4, pf_mask 0xe6, 2025-09-24, rev 0x0028, size 141312", " sig 0x000a06d1, pf_mask 0x20, 2025-10-09, rev 0xa000133, size 1643520", " sig 0x000a06d1, pf_mask 0x95, 2025-10-31, rev 0x1000405, size 1672192", " sig 0x000a06f3, pf_mask 0x01, 2025-07-30, rev 0x3000382, size 1534976", " sig 0x000b0650, pf_mask 0x80, 2025-09-25, rev 0x000d, size 137216", " sig 0x000b0671, pf_mask 0x32, 2025-10-08, rev 0x0133, size 219136", " sig 0x000b0674, pf_mask 0x32, 2025-10-08, rev 0x0133, size 219136", " sig 0x000b06a2, pf_mask 0xe0, 2025-10-08, rev 0x6134, size 224256", " sig 0x000b06a3, pf_mask 0xe0, 2025-10-08, rev 0x6134, size 224256", " sig 0x000b06a8, pf_mask 0xe0, 2025-10-08, rev 0x6134, size 224256", " sig 0x000b06d1, pf_mask 0x80, 2025-08-28, rev 0x0125, size 80896", " sig 0x000b06e0, pf_mask 0x19, 2025-09-12, rev 0x0021, size 142336", " sig 0x000b06f2, pf_mask 0x07, 2025-10-12, rev 0x003e, size 227328", " sig 0x000b06f5, pf_mask 0x07, 2025-10-12, rev 0x003e, size 227328", " sig 0x000b06f6, pf_mask 0x07, 2025-10-12, rev 0x003e, size 227328", " sig 0x000b06f7, pf_mask 0x07, 2025-10-12, rev 0x003e, size 227328", " sig 0x000c0652, pf_mask 0x82, 2025-08-03, rev 0x011b, size 91136", " sig 0x000c0662, pf_mask 0x82, 2025-08-03, rev 0x011b, size 91136", " sig 0x000c0664, pf_mask 0x82, 2025-08-03, rev 0x011b, size 91136", " sig 0x000c06a2, pf_mask 0x82, 2025-08-03, rev 0x011b, size 91136", " sig 0x000c06f1, pf_mask 0x87, 2025-08-25, rev 0x210002d3, size 566272", " sig 0x000c06f2, pf_mask 0x87, 2025-08-25, rev 0x210002d3, size 566272", " - CVE-2025-31648 (INTEL-SA-01396)", " * source: update symlinks to reflect id of the latest release, 20260210", " * changelog: sync with debian 3.20260210.1 for content consistency", "" ], "package": "intel-microcode", "version": "3.20260210.0ubuntu0.25.10.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Rodrigo Figueiredo Zaiden ", "date": "Fri, 27 Feb 2026 11:02:57 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcurl4t64", "from_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1", "version": "8.14.1-2ubuntu1" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1.1", "version": "8.14.1-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: cookie path out-of-bounds read", " - debian/patches/CVE-2025-9086.patch: don't treat the", " leading slash as trailing in lib/cookie.c", " - CVE-2025-9086", " * SECURITY UPDATE: predictable websocket frame mask", " - debian/patches/CVE-2025-10148.patch: get a new mask for each", " new outgoing frame in lib/ws.c", " - CVE-2025-10148", " * SECURITY UPDATE: wcurl output file directory escape", " - debian/patches/CVE-2025-11563.patch: dont percent-decode", " '/' or '\\' in output file name in scripts/wcurl.c", " - CVE-2025-11563", " * SECURITY UPDATE: No QUIC certificate pinning with GnuTLS", " - debian/patches/CVE-2025-13034.patch: call Curl_gtls_verifyserver", " unconditionally in lib/vquic/vquic-tls.c.", " - CVE-2025-13034", " * SECURITY UPDATE: multi-threaded TSL options leak", " - debian/patches/CVE-2025-14017.patch: call ldap_init() before", " setting the options in lib/ldap.c", " - CVE-2025-14017", " * SECURITY UPDATE: bearer token leak on cross-protocol redirect", " - debian/patches/CVE-2025-14524.patch: if redirected,", " require permission to use bearer in lib/curl_sasl.c", " - CVE-2025-14524", " * SECURITY UPDATE: OpenSSL partial chain store policy bypass", " - debian/patches/CVE-2025-14819.patch: toggling", " CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in", " lib/vtls/openssl.c.", " - CVE-2025-14819", "" ], "package": "curl", "version": "8.14.1-2ubuntu1.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Elise Hlady ", "date": "Tue, 17 Feb 2026 15:07:06 -0800" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 25.10 questing image from release image serial 20260218 to 20260304", "from_series": "questing", "to_series": "questing", "from_serial": "20260218", "to_serial": "20260304", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }