Debian Security Advisory
DLA-1937-1 httpie -- LTS security update
- Date Reported:
- 30 Sep 2019
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 940058.
In Mitre's CVE dictionary: CVE-2019-10751.
- More information:
An open redirect, that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or hers control, was found and reported in CVE-2019-10751. This was patched upstream and so when `--download` without `--output` results in a redirect, now only the initial URL is considered, not the final one.
For Debian 8
Jessie, this problem has been fixed in version 0.8.0-1+deb8u1.
We recommend that you upgrade your httpie packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS