Univention Bugzilla – Bug 53324
curl: Multiple issues (4.4)
Last modified: 2021-05-26 15:34:05 CEST
New Debian curl 7.52.1-5+deb9u14 fixes:

This update addresses the following issue:
  * Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876)
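The issue fixed here is that a URL of the form https://user:password@host/ was copied verbatim into the Referer: header of the next request, so the userinfo part reached a second server. The sanitisation a client needs is to drop everything between "scheme://" and the host before the URL is reused. The function below is an added example written for this page, not curl's own code or the backported URL API; it is a stand-alone C routine operating on a plain string, with constructed sample URLs, to show exactly which component must be removed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy `url` into `out`, removing any "user:password@" userinfo component
 * that sits between "scheme://" and the host. This is the sanitisation a
 * client must apply before reusing a request URL as an outgoing Referer:
 * header value.
 * Returns 1 if userinfo was removed, 0 if the URL was copied unchanged,
 * -1 if `out` is too small. (Hypothetical helper for illustration.) */
int strip_userinfo(const char *url, char *out, size_t outlen)
{
    const char *authority = strstr(url, "://");
    const char *at = NULL;
    size_t need;

    if (authority) {
        authority += 3;
        /* The authority component ends at the first '/', '?' or '#',
         * so an '@' in the path or query is not userinfo. */
        size_t authlen = strcspn(authority, "/?#");
        /* Userinfo, if present, is everything before the last '@'
         * inside the authority. */
        for (const char *p = authority + authlen; p > authority; p--) {
            if (p[-1] == '@') {
                at = p;
                break;
            }
        }
    }

    if (!at) {
        /* Nothing to strip: copy the URL through unchanged. */
        need = strlen(url) + 1;
        if (need > outlen)
            return -1;
        memcpy(out, url, need);
        return 0;
    }

    /* Keep "scheme://", skip the userinfo and its '@', keep host onwards. */
    size_t prefix = (size_t)(authority - url);
    size_t rest = strlen(at);
    need = prefix + rest + 1;
    if (need > outlen)
        return -1;
    memcpy(out, url, prefix);
    memcpy(out + prefix, at, rest + 1);
    return 1;
}

int main(void)
{
    /* Constructed sample URLs, not taken from any real request. */
    const char *samples[] = {
        "https://alice:s3cret@example.test/path?q=1",
        "https://example.test/@notuserinfo",
        "ftp://bob@files.example.test/pub/",
    };
    char referer[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = strip_userinfo(samples[i], referer, sizeof referer);
        printf("%-45s -> Referer: %s (%s)\n", samples[i], referer,
               rc == 1 ? "credentials removed" : "unchanged");
    }
    return 0;
}
```

The authority boundary check matters: an '@' that appears only in the path or query (second sample) is data, not credentials, and must be left alone, while userinfo is always confined to the part before the first '/', '?' or '#'.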
--- mirror/ftp/4.4/unmaintained/4.4-8/source/curl_7.52.1-5+deb9u13.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/curl_7.52.1-5+deb9u14.dsc @@ -1,3 +1,15 @@ +7.52.1-5+deb9u14 [Sat, 15 May 2021 18:11:21 +0200] Sylvain Beucler <beuc@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * Backport URL API which is a pre-requisite for CVE-2021-22876. + * Reference new symbols. + * CVE-2021-22876: curl is vulnerable to an "Exposure of Private Personal + Information to an Unauthorized Actor" by leaking credentials in the + HTTP Referer: header. libcurl does not strip off user credentials from + the URL when automatically populating the Referer: HTTP request header + field in outgoing HTTP requests, and therefore risks leaking sensitive + data to the server that is the target of the second HTTP request. + 7.52.1-5+deb9u13 [Thu, 17 Dec 2020 14:12:07 -0500] Roberto C. Sánchez <roberto@debian.org>: * Non-maintainer upload by the LTS Team. <http://piuparts.knut.univention.de/4.4-8/#8640689909867410947>
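Review bot: the changelog lines "Backport URL API which is a pre-requisite for CVE-2021-22876" and "Reference new symbols" do not say which upstream commits or curl release the URL API was taken from, nor which symbols were added; for a backport that enlarges the public ABI of a 7.52.1 LTS package (far more than a typical one-patch security NMU), the entry should name the upstream source of the backport and the new symbol names so that downstream packagers and anyone auditing the change can verify what was pulled in.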
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] e15fef2c23 Bug #53324: curl 7.52.1-5+deb9u14
 doc/errata/staging/curl.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x980>