Amazon Linux 2023 Security Advisory: ALAS2023-2026-1375
Advisory Released Date: 2026-02-18
Advisory Updated Date: 2026-02-18
No QUIC certificate pinning with GnuTLS
NOTE: https://curl.se/docs/CVE-2025-13034.html
NOTE: Introduced with: https://github.com/curl/curl/commit/3210101088dfa3d6a125d213226b092f2f866722 (curl-8_8_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9 (rc-8_18_0-1, curl-8_18_0) (CVE-2025-13034)
broken TLS options for threaded LDAPS
NOTE: https://curl.se/docs/CVE-2025-14017.html
NOTE: Introduced with: https://github.com/curl/curl/commit/ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34 (curl-7_17_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d (rc-8_18_0-1, curl-8_18_0)
NOTE: Built with OpenLDAP (only affects the legacy LDAP support) (CVE-2025-14017)
bearer token leak on cross-protocol redirect
NOTE: https://curl.se/docs/CVE-2025-14524.html
NOTE: Introduced with: https://github.com/curl/curl/commit/06c1bea72faabb6fad4b7ef818aafaa336c9a7aa (curl-7_33_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640 (rc-8_18_0-2, curl-8_18_0) (CVE-2025-14524)
OpenSSL partial chain store policy bypass
NOTE: https://curl.se/docs/CVE-2025-14819.html
NOTE: Introduced with: https://github.com/curl/curl/commit/3c16697ebd796f799227be293e8689aec5f8190d (curl-7_87_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/cd046f6c93b39d673a58c18648d8906e954c4f5d (rc-8_18_0-3, curl-8_18_0) (CVE-2025-14819)
libssh global knownhost override
NOTE: https://curl.se/docs/CVE-2025-15079.html
NOTE: Introduced with: https://github.com/curl/curl/commit/c92d2e14cfb0db662f958effd2ac86f995cf1b5a (curl-7_58_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479 (rc-8_18_0-3, curl-8_18_0)
NOTE: Debian builds with libssh2 for SSH backend (CVE-2025-15079)
libssh key passphrase bypass without agent set
NOTE: https://curl.se/docs/CVE-2025-15224.html
NOTE: Introduced with: https://github.com/curl/curl/commit/c92d2e14cfb0db662f958effd2ac86f995cf1b5a (curl-7_58_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa (curl-8_18_0)
NOTE: Debian builds with libssh2 for SSH backend (CVE-2025-15224)
Affected Packages:
curl
Issue Correction:
Run dnf update curl --releasever 2023.10.20260216 or dnf update --advisory ALAS2023-2026-1375 --releasever 2023.10.20260216 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
libcurl-debuginfo-8.17.0-1.amzn2023.0.1.aarch64
curl-minimal-debuginfo-8.17.0-1.amzn2023.0.1.aarch64
libcurl-minimal-debuginfo-8.17.0-1.amzn2023.0.1.aarch64
libcurl-8.17.0-1.amzn2023.0.1.aarch64
curl-minimal-8.17.0-1.amzn2023.0.1.aarch64
curl-debugsource-8.17.0-1.amzn2023.0.1.aarch64
curl-debuginfo-8.17.0-1.amzn2023.0.1.aarch64
curl-8.17.0-1.amzn2023.0.1.aarch64
libcurl-minimal-8.17.0-1.amzn2023.0.1.aarch64
libcurl-devel-8.17.0-1.amzn2023.0.1.aarch64
src:
curl-8.17.0-1.amzn2023.0.1.src
x86_64:
curl-debuginfo-8.17.0-1.amzn2023.0.1.x86_64
libcurl-debuginfo-8.17.0-1.amzn2023.0.1.x86_64
curl-8.17.0-1.amzn2023.0.1.x86_64
libcurl-minimal-debuginfo-8.17.0-1.amzn2023.0.1.x86_64
libcurl-8.17.0-1.amzn2023.0.1.x86_64
curl-minimal-debuginfo-8.17.0-1.amzn2023.0.1.x86_64
libcurl-minimal-8.17.0-1.amzn2023.0.1.x86_64
curl-minimal-8.17.0-1.amzn2023.0.1.x86_64
curl-debugsource-8.17.0-1.amzn2023.0.1.x86_64
libcurl-devel-8.17.0-1.amzn2023.0.1.x86_64