aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file.
Upstream Patch: https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a
Gentoo Security Padawan
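An audit helper for log files written by affected versions, added here as an example (it is not aria2's or Gentoo's code). It assumes the credentials appear in the log as an `Authorization: Basic <base64>` header line. The function names and the sample log are constructed for illustration.

```python
import base64
import os
import re
import stat

MASK = "********"
# Authorization / Proxy-Authorization headers carrying Basic credentials.
BASIC_HEADER = re.compile(
    r"\b((?:Proxy-)?Authorization):[ \t]*Basic[ \t]+([A-Za-z0-9+/]+=*)",
    re.IGNORECASE,
)


def decode_username(token):
    """Return the username inside a Basic token, or None if it does not decode."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def scrub_log(text):
    """Mask Basic credentials; return (scrubbed_text, [(line_no, header, user)])."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(keepends=True), start=1):
        def mask(m, line_no=line_no):
            findings.append((line_no, m.group(1), decode_username(m.group(2))))
            return f"{m.group(1)}: Basic {MASK}"
        out.append(BASIC_HEADER.sub(mask, line))
    return "".join(out), findings


def readable_by_others(mode):
    """True if group or other may read a file with this st_mode."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Report leaked credentials and loose permissions for one log file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        _, findings = scrub_log(fh.read())
    return findings, readable_by_others(os.stat(path).st_mode)


# Constructed sample, not real aria2 log output.
SAMPLE_TOKEN = base64.b64encode(b"alice:s3cret").decode()
SAMPLE_LOG = f"GET /f.iso HTTP/1.1\nAuthorization: Basic {SAMPLE_TOKEN}\nHost: mirror.example.org\n"

if __name__ == "__main__":
    print(*scrub_log(SAMPLE_LOG), sep="\n")
```

Any password found this way should be treated as exposed and rotated, since masking the file does not undo earlier reads.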
*** Bug 679482 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):
Author: Michał Górny <email@example.com>
AuthorDate: 2019-04-05 17:13:34 +0000
Commit: Michał Górny <firstname.lastname@example.org>
CommitDate: 2019-04-05 17:13:45 +0000
net-misc/aria2: Backport the fix for CVE-2019-3500
Backport fix for potential password leakage in logs (CVE-2019-3500).
Ideally this would be a fresh snapshot but autoreconf fails on aria2
Signed-off-by: Michał Górny <email@example.com>
net-misc/aria2/aria2-1.34.0-r1.ebuild | 155 +++++++++++++++++++++
.../aria2/files/aria2-1.34.0-mask-headers.patch | 46 ++++++
2 files changed, 201 insertions(+)
@maintainer(s), please let us know when you are ready to stabilize.
Let's go for it.
Tree is clean