ALAS2023-2025-1351


Amazon Linux 2023 Security Advisory: ALAS2023-2025-1351
Advisory Released Date: 2026-01-07
Advisory Updated Date: 2026-01-07
Severity: Medium

Issue Overview:

When asked to both use a `.netrc` file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches
the redirect target hostname but the entry either omits just the password or
omits both login and password. (CVE-2024-11053)

When asked to use a `.netrc` file for credentials **and** to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a `default` entry that
omits both login and password. A rare circumstance. (CVE-2025-0167)
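Both `.netrc` conditions described above can be audited on a host before or after patching. The following is an added example, not part of this advisory or of curl's own code: it uses a deliberately small parser (machine/default/login/password/account only; `macdef` blocks are rejected) and a constructed sample file, and reports which entries meet each CVE's trigger condition.

```python
import shlex
# Constructed sample for demonstration, not a real credentials file.
SAMPLE_NETRC = """
machine api.example.com login alice password s3cret   # complete entry
machine cdn.example.com login bob                     # omits the password
machine files.example.com                             # omits login and password
default
"""

def parse_netrc(text: str) -> list[dict]:
    """Tokenize machine/default blocks into {'machine','login','password'} dicts (macdef rejected)."""
    tokens = shlex.split(text, comments=True)
    entries: list[dict] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "default":
            entries.append({"machine": "default", "login": None, "password": None})
            i += 1
            continue
        if tok == "macdef":
            raise ValueError("macdef blocks are not supported by this checker")
        if i + 1 >= len(tokens):
            raise ValueError(f"keyword {tok!r} has no value")
        value = tokens[i + 1]
        if tok == "machine":
            entries.append({"machine": value.lower(), "login": None, "password": None})
        elif not entries:
            raise ValueError(f"{tok!r} appears before any machine/default entry")
        elif tok in ("login", "user"):
            entries[-1]["login"] = value
        elif tok in ("password", "passwd"):
            entries[-1]["password"] = value
        elif tok != "account":  # 'account' is valid netrc but irrelevant here
            raise ValueError(f"unexpected token {tok!r}")
        i += 2
    return entries

def find_risky_entries(text: str) -> dict[str, list[str]]:
    """Map each advisory CVE to the entries that satisfy its trigger condition."""
    findings: dict[str, list[str]] = {"CVE-2024-11053": [], "CVE-2025-0167": []}
    for e in parse_netrc(text):
        # A host entry lacking a password (login present or not) could receive the first host's password on redirect.
        if e["machine"] != "default" and e["password"] is None:
            findings["CVE-2024-11053"].append(e["machine"])
        # The rarer trigger: a 'default' entry with neither login nor password.
        if e["machine"] == "default" and e["login"] is None and e["password"] is None:
            findings["CVE-2025-0167"].append("default")
    return findings
```

An empty list for both keys means the file contains none of the entry shapes the advisory names; updating curl remains the actual fix.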

Predictable WebSocket mask

NOTE: https://curl.se/docs/CVE-2025-10148.html
NOTE: Fixed by: https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa7fa806fa0f2 (curl-8_16_0) (CVE-2025-10148)

curl's code for managing SSH connections when SFTP was performed through the wolfSSH-powered backend was flawed and skipped host verification.

This prevents curl from detecting MITM attackers and more. (CVE-2025-10966)

Out of bounds read for cookie path

NOTE: https://curl.se/docs/CVE-2025-9086.html
NOTE: Introduced with: https://github.com/curl/curl/commit/f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d (curl-7_31_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300 (rc-8_16_0-1) (CVE-2025-9086)


Affected Packages:

curl


Issue Correction:
Run `dnf update curl --releasever 2023.10.20260105` or `dnf update --advisory ALAS2023-2025-1351 --releasever 2023.10.20260105` to update your system.
More information on how to update your system can be found in the Amazon Linux 2023 documentation.

New Packages:
aarch64:
    libcurl-debuginfo-8.15.0-4.amzn2023.0.1.aarch64
    curl-minimal-debuginfo-8.15.0-4.amzn2023.0.1.aarch64
    curl-debuginfo-8.15.0-4.amzn2023.0.1.aarch64
    libcurl-minimal-debuginfo-8.15.0-4.amzn2023.0.1.aarch64
    curl-8.15.0-4.amzn2023.0.1.aarch64
    libcurl-minimal-8.15.0-4.amzn2023.0.1.aarch64
    curl-minimal-8.15.0-4.amzn2023.0.1.aarch64
    libcurl-8.15.0-4.amzn2023.0.1.aarch64
    curl-debugsource-8.15.0-4.amzn2023.0.1.aarch64
    libcurl-devel-8.15.0-4.amzn2023.0.1.aarch64

src:
    curl-8.15.0-4.amzn2023.0.1.src

x86_64:
    libcurl-debuginfo-8.15.0-4.amzn2023.0.1.x86_64
    curl-minimal-8.15.0-4.amzn2023.0.1.x86_64
    libcurl-minimal-debuginfo-8.15.0-4.amzn2023.0.1.x86_64
    curl-debuginfo-8.15.0-4.amzn2023.0.1.x86_64
    curl-debugsource-8.15.0-4.amzn2023.0.1.x86_64
    curl-minimal-debuginfo-8.15.0-4.amzn2023.0.1.x86_64
    libcurl-minimal-8.15.0-4.amzn2023.0.1.x86_64
    curl-8.15.0-4.amzn2023.0.1.x86_64
    libcurl-8.15.0-4.amzn2023.0.1.x86_64
    libcurl-devel-8.15.0-4.amzn2023.0.1.x86_64