| Summary: | <net-misc/curl-7.42.1: sensitive HTTP server headers also sent to proxies (CVE-2015-3153) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | blueness, gregkh |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://curl.haxx.se/docs/adv_20150429.html | | |
| Whiteboard: | B4 [noglsa/cve] | | |
| Package list: | | Runtime testing required: | --- |
Description

Agostino Sarubbo

Changing severity 3->4 due to information leakage, A->B due to specific nature requiring proxied setup through untrusted proxy and applications not making use of API to specify header severity.

(In reply to Agostino Sarubbo from comment #0)
> @maintainer(s): since the fixed package is already in the tree, please let
> us know if it is ready for the stabilization or not.

It's good to go

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

stable on arm, ppc and ppc64.

Stable for HPPA.

amd64 stable

CVE-2015-3153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3153):
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

ia64 stable

x86 stable

alpha stable

sparc stable

Arches, Thank you for your work.

Security Please Vote.

First GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

Ping on Cleanup!

(In reply to Yury German from comment #12)
> Ping on Cleanup!

done

Maintainer(s), Thank you for your cleanup.

GLSA Vote: No
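The CVE text and the "API to specify header" remark above refer to libcurl's CURLOPT_HEADEROPT and CURLOPT_PROXYHEADER options. The following is an added Python model, not libcurl code and not part of this bug: it reconstructs the request text an HTTP proxy and the origin server would each receive under CURLHEADER_UNIFIED (libcurl's default before 7.42.1) and CURLHEADER_SEPARATE (the default since 7.42.1), so the leak and the fix can be inspected offline. Host names, paths, header values and the SENSITIVE set are constructed for illustration.

```python
# Added model (not libcurl code) of libcurl's CURLOPT_HEADEROPT behaviour around
# CVE-2015-3153: reconstructs the request text the proxy and the origin each see.

HEADER_UNIFIED = "unified"    # CURLHEADER_UNIFIED: libcurl default before 7.42.1
HEADER_SEPARATE = "separate"  # CURLHEADER_SEPARATE: libcurl default since 7.42.1

# Illustrative (constructed) set of header names an untrusted proxy must not see.
SENSITIVE = {"authorization", "cookie", "x-api-key"}

def _wire(lines):
    """Join header lines into HTTP/1.1 request text."""
    return "\r\n".join(lines) + "\r\n\r\n"

def build_requests(scheme, host, path, custom_headers, proxy_headers=(),
                   headeropt=HEADER_UNIFIED):
    """Return (to_proxy, to_origin) request text for a fetch through an HTTP proxy.
    custom_headers plays the role of CURLOPT_HTTPHEADER, proxy_headers the role of
    CURLOPT_PROXYHEADER; to_origin is None when no separate request exists."""
    if scheme == "https":
        # TLS origin: the proxy sees only the CONNECT request that opens the tunnel.
        to_proxy = [f"CONNECT {host}:443 HTTP/1.1", f"Host: {host}:443"]
        if headeropt == HEADER_UNIFIED:
            to_proxy += list(custom_headers)    # the CVE-2015-3153 behaviour
        else:
            to_proxy += list(proxy_headers)     # only explicit proxy headers
        to_origin = [f"GET {path} HTTP/1.1", f"Host: {host}"] + list(custom_headers)
        return _wire(to_proxy), _wire(to_origin)
    # Plain http via a proxy: the whole request goes to the proxy, which forwards
    # it, so CURLHEADER_SEPARATE cannot keep custom headers away from the proxy.
    to_proxy = [f"GET {scheme}://{host}{path} HTTP/1.1", f"Host: {host}"]
    to_proxy += list(custom_headers) + list(proxy_headers)
    return _wire(to_proxy), None

def sensitive_headers_seen_by_proxy(to_proxy):
    """Lower-case names of SENSITIVE headers present in the text sent to the proxy."""
    seen = set()
    for line in to_proxy.split("\r\n")[1:]:
        name = line.split(":", 1)[0].strip().lower()
        if ":" in line and name in SENSITIVE:
            seen.add(name)
    return seen

if __name__ == "__main__":
    hdrs = ["Authorization: Bearer <constructed-token>", "X-Api-Key: <constructed>"]
    for mode in (HEADER_UNIFIED, HEADER_SEPARATE):
        to_proxy, _ = build_requests("https", "api.example.test", "/v1/me", hdrs,
                                     ["Proxy-Authorization: Basic <constructed>"], mode)
        print(mode, "-> proxy sees:", sorted(sensitive_headers_seen_by_proxy(to_proxy)))
```

Note that the split only protects https:// origins reached through a CONNECT tunnel; a proxied plain http:// request is delivered to the proxy in full regardless of the option.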