Quoting https://curl.se/docs/CVE-2024-11053.html

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: Low
Affected versions: curl 6.5 to and including 8.11.0.

o/ emanuele6
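As an added example (not from the bug report, the advisory or curl), a small audit that flags .netrc entries of the shape the advisory names: a machine entry that matches a redirect target but omits the password, with or without the login. The parser is a hand-rolled tokenizer for the classic netrc layout (no macdef or quoted values), and the sample file is constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class NetrcEntry:
    machine: str                      # hostname, or "default" for the catch-all entry
    login: Optional[str] = None
    password: Optional[str] = None

def parse_netrc(text: str) -> list[NetrcEntry]:
    """Tokenize the classic netrc layout: machine/default, login, password, account."""
    tokens = text.split()             # whitespace-separated; macdef bodies not handled
    entries: list[NetrcEntry] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "default":
            entries.append(NetrcEntry("default"))
            i += 1
        elif tok in ("machine", "login", "password", "account"):
            value = tokens[i + 1]                 # IndexError: keyword without a value
            if tok == "machine":
                entries.append(NetrcEntry(value))
            elif not entries:
                raise ValueError(f"{tok!r} before any machine entry")
            elif tok == "login":
                entries[-1].login = value
            elif tok == "password":
                entries[-1].password = value
            i += 2                                # 'account' is accepted and ignored
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return entries

def incomplete_entries(entries: list[NetrcEntry]) -> list[NetrcEntry]:
    """Entries of the advisory's shape: password omitted, with or without the login."""
    return [e for e in entries if e.password is None]

def redirect_target_state(entries: list[NetrcEntry], host: str) -> str:
    """How a redirect to `host` would resolve here: 'none', 'complete' or 'incomplete'."""
    match = next((e for e in entries if e.machine == host), None)
    match = match or next((e for e in entries if e.machine == "default"), None)
    if match is None:
        return "none"
    return "incomplete" if match.password is None else "complete"
# Constructed sample: mirror.example omits the password, cdn.example omits login too.
SAMPLE_NETRC = """
machine origin.example login alice password s3cret
machine mirror.example login alice
machine cdn.example
"""
```

Entries reported as incomplete are the ones to complete or remove before relying on .netrc with redirect following on an affected curl.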
For security bugs, the summary should be the first fixed version in tree.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b71955ecbcbbc8427caedb8f66eb36f44841e44

commit 5b71955ecbcbbc8427caedb8f66eb36f44841e44
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-12-12 08:17:34 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-12-12 08:17:53 +0000

    net-misc/curl: add 8.11.1

    Bug: https://bugs.gentoo.org/946291
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 net-misc/curl/Manifest           |   2 +
 net-misc/curl/curl-8.11.1.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 385 insertions(+)