When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. The reason for this bug is that the save function appended a suffix to the file name, created a temporary file, and then in the last step renamed that to the final name. When the file name length was close to the limit of what is allowed on the file system, adding the extension would make it too long and then trigger this bug.
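The write-then-rename save described above, as an added example (not curl's code and not part of the original report): the temporary file gets a short fixed-length name in the target's directory, so its length does not depend on the target name, and any failure leaves the existing file in place. The names `save_atomic` and `demo_max_length_name` and the `.sav-XXXXXX` template are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical helper (not curl's code): replace `path` with `data`.
   Returns 0 on success; on failure the old file is left untouched. */
int save_atomic(const char *path, const char *data)
{
  char dir[PATH_MAX], tmp[PATH_MAX];
  /* Fixed-length temp name in the target's directory: rename() stays on one
     file system, and nothing is appended to a name already at the limit. */
  if(snprintf(dir, sizeof(dir), "%s", path) >= (int)sizeof(dir) ||
     snprintf(tmp, sizeof(tmp), "%s/.sav-XXXXXX", dirname(dir)) >= (int)sizeof(tmp))
    return -1;
  int fd = mkstemp(tmp);
  FILE *f = (fd >= 0) ? fdopen(fd, "w") : NULL;
  if(!f) {
    if(fd >= 0) { close(fd); unlink(tmp); }
    return -1;
  }
  int ok = (fwrite(data, 1, strlen(data), f) == strlen(data));
  ok = (fclose(f) == 0) && ok;  /* a failed flush must not reach rename() */
  if(!ok || rename(tmp, path) != 0) {
    unlink(tmp);
    return -1;
  }
  return 0;
}

/* Constructed scenario: two saves to a name of the longest length `dir` allows. */
int demo_max_length_name(const char *dir)
{
  char path[PATH_MAX], buf[32] = "";
  long max = pathconf(dir, _PC_NAME_MAX);
  if(max <= 0 || strlen(dir) + 1 + (size_t)max >= sizeof(path))
    return -1;
  int off = sprintf(path, "%s/", dir);
  memset(path + off, 'h', (size_t)max);
  path[off + max] = '\0';
  if(save_atomic(path, "first\n") || save_atomic(path, "second\n"))
    return -1;
  FILE *f = fopen(path, "r");
  if(f) { if(!fgets(buf, sizeof(buf), f)) buf[0] = '\0'; fclose(f); }
  unlink(path);
  return strcmp(buf, "second\n") == 0 ? 0 : -1;
}
```

`demo_max_length_name` returns 0 when the file holds the second payload after both saves, and `save_atomic` returns -1 without touching the target when the temporary file cannot be created.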
This is public now:
https://seclists.org/oss-sec/2023/q4/262
https://daniel.haxx.se/blog/2023/12/06/curl-8-5-0/
Created curl tracking bugs for this issue:
  Affects: fedora-all [bug 2253143]
This issue has been addressed in the following products:
  Red Hat JBoss Core Services
Via RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317
This issue has been addressed in the following products:
  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8
Via RHSA-2024:1316 https://access.redhat.com/errata/RHSA-2024:1316