Source: curl
Version: 7.74.0-1.1
Severity: serious
Tags: security upstream
Justification: security regression from stable
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 7.64.0-4
Control: fixed -1 7.64.0-4+deb10u2

Hi,

The following vulnerability was published for curl, filing it as RC so it
appears on the radar for issues to be fixed before the bullseye release.

CVE-2021-22876[0]:
| curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of
| Private Personal Information to an Unauthorized Actor" by leaking
| credentials in the HTTP Referer: header. libcurl does not strip off
| user credentials from the URL when automatically populating the
| Referer: HTTP request header field in outgoing HTTP requests, and
| therefore risks leaking sensitive data to the server that is the
| target of the second HTTP request.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-22876
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22876
[1] https://curl.se/docs/CVE-2021-22876.html

Salvatore
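The following is an added illustration of the Referer behaviour described in the CVE text above; it is example code written for this report, not curl's own implementation. `build_referer` shows the vulnerable and the corrected derivation side by side (the corrected form also drops the fragment, which RFC 7231 section 5.5.2 requires of Referer along with userinfo), and `referer_leaks_credentials` is a small check a proxy or log pipeline could apply to a captured request header block. The URLs and the header block are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit


def strip_userinfo(url: str) -> str:
    """Return `url` with any user:password@ removed from the authority.

    Only the netloc is touched, so an "@" in the path (e.g. /@handle)
    is left alone. The fragment is dropped as well, since Referer must
    carry neither userinfo nor fragment.
    """
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]  # keep only host[:port]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def build_referer(previous_url: str, vulnerable: bool = False) -> str:
    """Derive the Referer: value for a follow-up (e.g. redirected) request.

    vulnerable=True reproduces the pre-fix behaviour named in the CVE:
    the previous URL is copied verbatim, credentials included.
    """
    if vulnerable:
        return previous_url
    return strip_userinfo(previous_url)


def referer_leaks_credentials(raw_headers: str) -> bool:
    """Return True if a Referer: header in a raw HTTP/1.x header block
    still carries userinfo. Header names are matched case-insensitively."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer":
            return "@" in urlsplit(value.strip()).netloc
    return False


if __name__ == "__main__":
    # Constructed sample: a request to a second host after a redirect.
    first = "https://alice:s3cret@origin.example/login?next=1#top"
    print("vulnerable :", build_referer(first, vulnerable=True))
    print("fixed      :", build_referer(first))
    captured = ("GET /landing HTTP/1.1\r\nHost: other.example\r\n"
                "Referer: " + build_referer(first, vulnerable=True) + "\r\n\r\n")
    print("leak detected:", referer_leaks_credentials(captured))
```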