Alpine: curl: security update to 8.12.0-r0

critical Tenable Cloud Security Plugin ID 420840

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the
password used for the first host to the followed-to host under certain circumstances. This flaw only
manifests itself if the netrc file has a `default` entry that omits both login and password. A rare
circumstance. (CVE-2025-0167)

- libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel
after having completed a threaded name resolve. (CVE-2025-0665)

- When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the
`CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow
would make libcurl perform a buffer overflow. (CVE-2025-0725)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-0167

https://security.alpinelinux.org/vuln/CVE-2025-0665

https://security.alpinelinux.org/vuln/CVE-2025-0725

Plugin Details

Severity: Critical

ID: 420840

Version: Revision 1.9

Type: Local

Published: 2/7/2025

Updated: 11/19/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 57.62

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-0665

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/5/2025

Reference Information

CVE: CVE-2025-0167, CVE-2025-0665, CVE-2025-0725

IAVA: 2025-A-0085