Debian Security Advisory
DSA-3240-1 curl -- security update
- Date Reported:
- 29 Apr 2015
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2015-3153.
- More information:
It was discovered that cURL, an URL transfer library, if configured to use a proxy server with the HTTPS protocol, by default could send to the proxy the same HTTP headers it sends to the destination server, possibly leaking sensitive information.
For the stable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u2.
For the testing distribution (stretch), this problem will be fixed in version 7.42.1-1.
For the unstable distribution (sid), this problem has been fixed in version 7.42.1-1.
We recommend that you upgrade your curl packages.