(https://nvd.nist.gov/vuln/detail/CVE-2019-3500):

aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file.

Upstream Patch: https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a

Gentoo Security Padawan
(domhnall)
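A check that could be run over files written with --log by an affected version, to find and mask HTTP Basic credentials. This is an added example, not part of the bug report or the upstream patch. The function names and sample lines are constructed, and the real log layout is an assumption; the match relies only on the standard `Authorization: Basic` header syntax.

```python
import base64
import binascii
import re

# Credential part of an HTTP Basic auth header, wherever it appears in a line.
_BASIC = re.compile(
    r"(?i)\b((?:Proxy-)?Authorization:\s*Basic\s+)([A-Za-z0-9+/]+={0,2})"
)

def _username(token):
    """Return the user name inside a Basic token, or None if it does not decode."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def audit_line(line):
    """Return (redacted_line, [user names whose credentials were exposed])."""
    users = []
    def mask(m):
        user = _username(m.group(2))
        if user is None:
            return m.group(0)  # not a user:password token, leave untouched
        users.append(user)
        return m.group(1) + "********"
    return _BASIC.sub(mask, line), users

def audit_log(lines):
    """Redact every line; return (redacted_lines, sorted exposed user names)."""
    out, exposed = [], set()
    for line in lines:
        redacted, users = audit_line(line)
        out.append(redacted)
        exposed.update(users)
    return out, sorted(exposed)

# Constructed sample input (not real aria2 output).
SAMPLE = [
    "GET /file.iso HTTP/1.1",
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "Authorization: Bearer abc.def.ghi",
    "Proxy-Authorization: Basic " + base64.b64encode(b"bob:hunter2").decode(),
]

if __name__ == "__main__":
    redacted, exposed = audit_log(SAMPLE)
    print("\n".join(redacted))
    print("exposed accounts:", exposed)
```

Any account reported as exposed should have its password rotated, since masking the file does not undo earlier reads by local users.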
*** Bug 679482 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0e0415382f55c1c392facd407a21555b6b55c8c

commit e0e0415382f55c1c392facd407a21555b6b55c8c
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-04-05 17:13:34 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-04-05 17:13:45 +0000

    net-misc/aria2: Backport the fix for CVE-2019-3500

    Backport fix for potential password leakage in logs (CVE-2019-3500).
    Ideally this would be a fresh snapshot but autoreconf fails on aria2 git.

    Bug: https://bugs.gentoo.org/674622
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-misc/aria2/aria2-1.34.0-r1.ebuild              | 155 +++++++++++++++++++++
 .../aria2/files/aria2-1.34.0-mask-headers.patch    |  46 ++++++
 2 files changed, 201 insertions(+)
@maintainer(s), please let us know when you are ready to stabilize.
Let's go for it.
amd64 stable
x86 stable
Tree is clean