Security update for curl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:2425-1 Final 1 1 2021-07-21T09:26:20Z current 2021-07-21T09:26:20Z 2021-07-21T09:26:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220) - CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219) - CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218) - CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sles12sp4:latest-2021-2425,Image SLES12-SP4-Azure-BYOS-2021-2425,Image SLES12-SP4-EC2-HVM-BYOS-2021-2425,Image SLES12-SP4-GCE-BYOS-2021-2425,Image SLES12-SP4-SAP-Azure-2021-2425,Image SLES12-SP4-SAP-Azure-BYOS-2021-2425,Image SLES12-SP4-SAP-Azure-LI-BYOS-Production-2021-2425,Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production-2021-2425,Image SLES12-SP4-SAP-EC2-HVM-2021-2425,Image SLES12-SP4-SAP-EC2-HVM-BYOS-2021-2425,Image SLES12-SP4-SAP-GCE-2021-2425,Image SLES12-SP4-SAP-GCE-BYOS-2021-2425,SUSE-2021-2425,SUSE-OpenStack-Cloud-9-2021-2425,SUSE-OpenStack-Cloud-Crowbar-9-2021-2425,SUSE-SLE-SAP-12-SP4-2021-2425,SUSE-SLE-SERVER-12-SP4-LTSS-2021-2425 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20212425-1/ Link for SUSE-SU-2021:2425-1 https://lists.suse.com/pipermail/sle-security-updates/2021-July/009187.html E-Mail link for SUSE-SU-2021:2425-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188217 SUSE Bug 1188217 https://bugzilla.suse.com/1188218 SUSE Bug 1188218 https://bugzilla.suse.com/1188219 SUSE Bug 1188219 https://bugzilla.suse.com/1188220 SUSE Bug 1188220 https://www.suse.com/security/cve/CVE-2021-22922/ SUSE CVE CVE-2021-22922 page https://www.suse.com/security/cve/CVE-2021-22923/ SUSE CVE CVE-2021-22923 page https://www.suse.com/security/cve/CVE-2021-22924/ SUSE CVE CVE-2021-22924 page https://www.suse.com/security/cve/CVE-2021-22925/ SUSE CVE CVE-2021-22925 page Container suse/sles12sp4:latest Image SLES12-SP4-Azure-BYOS Image SLES12-SP4-EC2-HVM-BYOS Image SLES12-SP4-GCE-BYOS Image SLES12-SP4-SAP-Azure Image SLES12-SP4-SAP-Azure-BYOS Image SLES12-SP4-SAP-Azure-LI-BYOS-Production Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production Image SLES12-SP4-SAP-EC2-HVM Image SLES12-SP4-SAP-EC2-HVM-BYOS Image SLES12-SP4-SAP-GCE Image SLES12-SP4-SAP-GCE-BYOS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 libcurl4-7.60.0-4.25.1 curl-7.60.0-4.25.1 curl-mini-7.60.0-4.25.1 libcurl-devel-7.60.0-4.25.1 libcurl-devel-32bit-7.60.0-4.25.1 libcurl-devel-64bit-7.60.0-4.25.1 libcurl-mini-devel-7.60.0-4.25.1 libcurl4-32bit-7.60.0-4.25.1 libcurl4-64bit-7.60.0-4.25.1 libcurl4-mini-7.60.0-4.25.1 libcurl4-7.60.0-4.25.1 as a component of Container suse/sles12sp4:latest curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-Azure-BYOS libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-Azure-BYOS curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-EC2-HVM-BYOS libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-EC2-HVM-BYOS curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-GCE-BYOS libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-GCE-BYOS curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-Azure libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-Azure curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-Azure-BYOS libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-Azure-BYOS curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-Azure-LI-BYOS-Production libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-Azure-LI-BYOS-Production curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-EC2-HVM libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-EC2-HVM curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-EC2-HVM-BYOS libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-EC2-HVM-BYOS curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-GCE libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-GCE curl-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-GCE-BYOS libcurl4-7.60.0-4.25.1 as a component of Image SLES12-SP4-SAP-GCE-BYOS curl-7.60.0-4.25.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS libcurl4-7.60.0-4.25.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS libcurl4-32bit-7.60.0-4.25.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS curl-7.60.0-4.25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 libcurl4-7.60.0-4.25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 libcurl4-32bit-7.60.0-4.25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 curl-7.60.0-4.25.1 as a component of SUSE OpenStack Cloud 9 libcurl4-7.60.0-4.25.1 as a component of SUSE OpenStack Cloud 9 libcurl4-32bit-7.60.0-4.25.1 as a component of SUSE OpenStack Cloud 9 curl-7.60.0-4.25.1 as a component of SUSE OpenStack Cloud Crowbar 9 libcurl4-7.60.0-4.25.1 as a component of SUSE OpenStack Cloud Crowbar 9 libcurl4-32bit-7.60.0-4.25.1 as a component of SUSE OpenStack Cloud Crowbar 9 When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. CVE-2021-22922 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.25.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.25.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.25.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.25.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212425-1/ https://www.suse.com/security/cve/CVE-2021-22922.html CVE-2021-22922 https://bugzilla.suse.com/1188217 SUSE Bug 1188217 https://bugzilla.suse.com/1192447 SUSE Bug 1192447 When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. CVE-2021-22923 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.25.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.25.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.25.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.25.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212425-1/ https://www.suse.com/security/cve/CVE-2021-22923.html CVE-2021-22923 https://bugzilla.suse.com/1188218 SUSE Bug 1188218 https://bugzilla.suse.com/1192447 SUSE Bug 1192447 libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. CVE-2021-22924 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.25.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.25.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.25.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.25.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212425-1/ https://www.suse.com/security/cve/CVE-2021-22924.html CVE-2021-22924 https://bugzilla.suse.com/1188219 SUSE Bug 1188219 https://bugzilla.suse.com/1192447 SUSE Bug 1192447 https://bugzilla.suse.com/1200196 SUSE Bug 1200196 curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application. CVE-2021-22925 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.25.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.25.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.25.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.25.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.25.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.25.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.25.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212425-1/ https://www.suse.com/security/cve/CVE-2021-22925.html CVE-2021-22925 https://bugzilla.suse.com/1188220 SUSE Bug 1188220 https://bugzilla.suse.com/1192447 SUSE Bug 1192447 https://bugzilla.suse.com/1200196 SUSE Bug 1200196