curl 8.17 in 26.1.5 —> several CVEs

Started by Rene78, March 26, 2026, 09:58:10 PM

Hi,

Just did a post-upgrade security audit on the packages. Noticed that curl 8.17 is vulnerable with multiple CVEs. I am not knowledgeable enough to check if these CVEs can be an issue for curl use in OPNsense, but just to flag this one as curl is widely used.

Is it planned to be upgraded in the next release?   

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 26.1.5 (amd64) at Thu Mar 26 21:53:45 CET 2026
vulnxml file up-to-date
curl-8.17.0 is vulnerable:
  curl -- Multiple vulnerabilties
  CVE: CVE-2026-1965
  CVE: CVE-2026-3783
  CVE: CVE-2026-3784
  CVE: CVE-2026-3805
  WWW: https://vuxml.freebsd.org/freebsd/1933737d-1d46-11f1-81da-8447094a420f.html

  curl -- Multiple vulnerabilities
  CVE: CVE-2025-13034
  CVE: CVE-2025-14017
  CVE: CVE-2025-14524
  CVE: CVE-2025-14819
  CVE: CVE-2025-15079
  CVE: CVE-2025-15224
  WWW: https://vuxml.freebsd.org/freebsd/086d53fa-1d47-11f1-81da-8447094a420f.html

2 problem(s) in 1 package(s) found.
***DONE***

Curl was just updated today after a 3-month hiatus that skipped 8.18.

https://www.freshports.org/ftp/curl/


It will definitely be in 26.1.6. There's no immediate danger in OPNsense in the meantime.