[Git][security-tracker-team/security-tracker][master] Add final release tag for CVE-2025-9086/curl

Wed Jan 14 05:00:51 GMT 2026


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6ef710a9 by Salvatore Bonaccorso at 2026-01-14T06:00:24+01:00
Add final release tag for CVE-2025-9086/curl

As upstream appears to remove the rc ones add the final one, but keep
here the rc version so we can properly match to the unstable upload
including the fix, while the security issue was not yet announced.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -47965,7 +47965,7 @@ CVE-2025-9086 (1. A cookie is set using the `secure` keyword for `https://target
 	[bookworm] - curl <not-affected> (Vulnerable code introduced later)
 	NOTE: https://curl.se/docs/CVE-2025-9086.html
 	NOTE: Introduced with: https://github.com/curl/curl/commit/1aea05a6c2699e80c75936d58569851555acd603 (curl-8_13_0)
-	NOTE: Fixed by: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300 (rc-8_16_0-1)
+	NOTE: Fixed by: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300 (rc-8_16_0-1, curl-8_16_0)
 CVE-2025-10148 (curl's websocket code did not update the 32 bit mask pattern for each  ...)
 	- curl 8.16.0-1
 	[trixie] - curl 8.14.1-2+deb13u1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ef710a939ee1bc52e0c7876b061bae9410e5556

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ef710a939ee1bc52e0c7876b061bae9410e5556
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260114/1c802978/attachment.htm>
