Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1937-1 httpie

Debian Security Advisory

DLA-1937-1 httpie -- LTS security update

Date Reported:

30 Sep 2019

Affected Packages:

httpie

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 940058.
In Mitre's CVE dictionary: CVE-2019-10751.

More information:

An open redirect, that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or hers control, was found and reported in CVE-2019-10751. This was patched upstream and so when `--download` without `--output` results in a redirect, now only the initial URL is considered, not the final one.

For Debian 8 Jessie, this problem has been fixed in version 0.8.0-1+deb8u1.

We recommend that you upgrade your httpie packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS