-------------------------------------------------------------------------
Debian LTS Advisory DLA-2664-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
May 17, 2021                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : curl
Version        : 7.52.1-5+deb9u14
CVE ID         : CVE-2021-22876
Debian Bug     : 986269

Viktor Szakats reported that libcurl, a URL transfer library, does not
strip off user credentials from the URL when automatically populating
the Referer HTTP request header field in outgoing HTTP requests.
Sensitive authentication data may leak to the server that is the target
of the second HTTP request.

For Debian 9 stretch, this problem has been fixed in version
7.52.1-5+deb9u14.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
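
The step the advisory says was missing, removing the credentials from a URL before it is reused as a Referer value, shown as an added illustration; this is not curl's patch or code from the advisory. The helper name `referer_from_url` is hypothetical and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy `url` into `out` without the "user:password@"
 * userinfo of its authority component, so the result can be sent as a
 * Referer value. Returns 0 on success, -1 if `out` is too small. */
int referer_from_url(const char *url, char *out, size_t outlen)
{
    const char *auth = url, *end = url, *at = NULL, *p, *rest;
    size_t scheme_len = strcspn(url, ":/?#");
    size_t prefix, rest_len;

    /* Only "scheme://..." URLs have an authority that can hold userinfo. */
    if (strncmp(url + scheme_len, "://", 3) == 0) {
        auth = url + scheme_len + 3;
        end = auth + strcspn(auth, "/?#");   /* authority stops at path, query or fragment */
    }
    /* Userinfo ends at the last '@' inside the authority; an '@' in the
     * path or query is data and must be left alone. */
    for (p = auth; p < end; p++)
        if (*p == '@')
            at = p;

    rest = at ? at + 1 : auth;               /* host[:port] and everything after it */
    prefix = (size_t)(auth - url);           /* "scheme://" (0 if there is no scheme) */
    rest_len = strlen(rest);
    if (prefix + rest_len + 1 > outlen)
        return -1;
    memcpy(out, url, prefix);
    memcpy(out + prefix, rest, rest_len + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample URLs, not taken from the advisory. */
    const char *samples[] = {
        "https://alice:s3cret@example.com/a/b?q=1",
        "https://example.com/u@v",
    };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (referer_from_url(samples[i], buf, sizeof buf) == 0)
            printf("Referer: %s\n", buf);
    return 0;
}
```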