[SECURITY] [DLA 2664-1] curl security update



- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2664-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
May 17, 2021                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : curl
Version        : 7.52.1-5+deb9u14
CVE ID         : CVE-2021-22876
Debian Bug     : 986269

Viktor Szakats reported that libcurl, a URL transfer library, does
not strip off user credentials from the URL when automatically
populating the Referer HTTP request header field in outgoing HTTP
requests. Sensitive authentication data may leak to the server that is
the target of the second HTTP request.
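
The leak described above, as an added example that is not part of the advisory or of curl's code: it strips the credentials from a URL before it is used as a Referer value, and flags Referer headers in a captured request that still carry them. The host names, credentials and request text are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit


def strip_userinfo(url):
    """Return url without the user[:password]@ part of its authority."""
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]  # keep host[:port] only
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def leaked_referers(raw_request):
    """Return Referer values in a raw HTTP request head that carry credentials."""
    hits = []
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "referer" and "@" in urlsplit(value).netloc:
            hits.append(value)
    return hits


# Constructed sample: the first request went to FIRST_URL, and a second
# request then went to other.example. Hosts and credentials are made up.
FIRST_URL = "https://alice:s3cret@intranet.example/start?id=7"

# Second request as the advisory describes it: Referer copied verbatim.
UNPATCHED_SECOND_REQUEST = (
    "GET /landing HTTP/1.1\r\n"
    "Host: other.example\r\n"
    f"Referer: {FIRST_URL}\r\n"
    "\r\n"
)
# Second request with the credentials stripped first (modelled behaviour).
PATCHED_SECOND_REQUEST = (
    "GET /landing HTTP/1.1\r\n"
    "Host: other.example\r\n"
    f"Referer: {strip_userinfo(FIRST_URL)}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("unpatched leaks:", leaked_referers(UNPATCHED_SECOND_REQUEST))
    print("patched leaks:  ", leaked_referers(PATCHED_SECOND_REQUEST))
```

The same check can be run over recorded request headers on a server or proxy to find clients that are still sending credentials in Referer.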

For Debian 9 stretch, this problem has been fixed in version
7.52.1-5+deb9u14.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS