===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1670
                           curl security update
                                18 May 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           curl
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22876
Reference:         ESB-2021.1461
                   ESB-2021.1178

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2664-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
May 17, 2021                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : curl
Version        : 7.52.1-5+deb9u14
CVE ID         : CVE-2021-22876
Debian Bug     : 986269

Viktor Szakats reported that libcurl, an URL transfer library, does
not strip off user credentials from the URL when automatically
populating the Referer HTTP request header field in outgoing HTTP
requests. Sensitive authentication data may leak to the server that is
the target of the second HTTP request.

For Debian 9 stretch, this problem has been fixed in version
7.52.1-5+deb9u14.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
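
The missing step the Debian advisory describes, shown as an added example (not libcurl's code and not part of the bulletin): building a Referer value from the previous request's URL with the user credentials stripped. The function name `referer_from_url` and the sample URL are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libcurl code. Copies url into out with any
 * "user:password@" userinfo removed, for use as a Referer value.
 * Returns 0 on success, -1 if out is too small. */
int referer_from_url(const char *url, char *out, size_t outlen)
{
    const char *sep = strstr(url, "://");
    const char *auth, *host;
    size_t i, alen, prefix, hostlen;

    /* Only treat "://" as the scheme separator if it comes before any
     * path, query or fragment; otherwise there is no authority to clean. */
    if (sep == NULL || (size_t)(sep - url) + 1 != strcspn(url, "/?#")) {
        if (strlen(url) + 1 > outlen)
            return -1;
        strcpy(out, url);
        return 0;
    }
    auth = sep + 3;
    alen = strcspn(auth, "/?#");      /* authority ends here */

    /* Userinfo ends at the last '@' inside the authority. An '@' in the
     * path or query is ordinary data and must be preserved. */
    host = auth;
    for (i = 0; i < alen; i++)
        if (auth[i] == '@')
            host = auth + i + 1;

    prefix = (size_t)(auth - url);    /* length of "scheme://" */
    hostlen = strlen(host);           /* host plus path, query, fragment */
    if (prefix + hostlen + 1 > outlen)
        return -1;
    memcpy(out, url, prefix);
    memcpy(out + prefix, host, hostlen + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample URL; host and credentials are placeholders. */
    const char *first = "https://alice:s3cret@intranet.example.test/report?id=7";
    char referer[256];

    if (referer_from_url(first, referer, sizeof referer) == 0)
        printf("Referer: %s\n", referer);
    return 0;
}
```
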