Source: httpie Version: 2.6.0-1.1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for httpie. CVE-2022-24737[0]: | HTTPie is a command-line HTTP client. HTTPie has the practical concept | of sessions, which help users to persistently store some of the state | that belongs to the outgoing requests and incoming responses on the | disk for further usage. Before 3.1.0, HTTPie didn&#8216;t | distinguish between cookies and hosts they belonged. This behavior | resulted in the exposure of some cookies when there are redirects | originating from the actual host to a third party website. Users are | advised to upgrade. There are no known workarounds. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-24737 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24737 [1] https://github.com/httpie/httpie/security/advisories/GHSA-9w4w-cpc8-h2fq [2] https://github.com/httpie/httpie/commit/65ab7d5caaaf2f95e61f9dd65441801c2ddee38b Please adjust the affected versions in the BTS as needed. Regards, Salvatore
