Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#6443 closed enhancement (fixed)

curl-7.42.1

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: high Milestone: 7.8
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

This release comes bundled with another security advisory:

CVE-2015-3153: sensitive HTTP server headers also sent to proxies:

http://curl.haxx.se/docs/adv_20150429.html

http://curl.haxx.se/download/curl-7.42.1.tar.lzma

http://curl.haxx.se/download/curl-7.42.1.tar.lzma.asc

http://curl.haxx.se/changes.html#7_42_1

Fixed in 7.42.1 - April 29 2015

Bugfixes:

   • CURLOPT_HEADEROPT: default to separate
   • dist: include {src,lib}/checksrc.whitelist
   • connectionexists: fix build without NTLM
   • docs: distribute the CURLOPT_PINNEDPUBLICKEY man page, too
   • curl -z: do not write empty file on unmet condition
   • openssl: fix serial number output
   • curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
   • sws: init http2 state properly
   • curl.1: fix typo

Change History (8)

comment:1 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 9 years ago

About CVE-2015-3153.

If you need to keep a previous version of curl, there is a patch just to fix the security issue.

Repeating URL given in Description (above):

http://curl.haxx.se/docs/adv_20150429.html

AFFECTED VERSIONS

This flaw is relevant for applications that use CURLOPT_HTTPHEADER to set
headers with sensitive values and make HTTPS connections to the server via an
HTTP proxy.

    Affected versions: libcurl 7.1 to and including 7.42.0
    Not affected versions: libcurl >= 7.42.1

THE SOLUTION

In version 7.37.0, libcurl introduced new options allowing applications to
control which headers are sent to the proxy and which are sent only to the
destination server - CURLOPT_HEADEROPT & CURLOPT_PROXYHEADER.

Starting in 7.42.1, the new default for this option will be
CURLHEADER_SEPARATE. This has the minor drawback to the rare applications that
truly intend the headers to be sent to both parties, that they need to change
this option in their application.

curl of version >= 7.37 already sends headers that are set with '--header'
option only to the destination server iff --proxy-header is also used.

A patch for this problem that changes the default is available at (URL will be
updated in final advisory):

http://curl.haxx.se/CVE-2015-3153.patch

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade curl and libcurl to version 7.42.1

B - Apply the patch to your version and rebuild

C - Set CURLOPT_HEADEROPT to CURLHEADER_SEPARATE
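
The following stand-alone model, added here and not code from the curl project or BLFS, shows the routing the advisory describes: under CURLHEADER_UNIFIED the CURLOPT_HTTPHEADER list is also sent in the CONNECT request to the proxy, under CURLHEADER_SEPARATE only the CURLOPT_PROXYHEADER list is, and an audit counts how many credential-bearing headers the proxy would see. It needs no libcurl; the enum, functions and header values are constructed for illustration.

```c
/* Added example (not libcurl code): model of CURLOPT_HEADEROPT routing under
 * CURLHEADER_UNIFIED (default before 7.42.1) vs CURLHEADER_SEPARATE (default
 * from 7.42.1), plus an audit of sensitive headers that would reach the proxy. */
#include <stdio.h>
#include <ctype.h>

#define MAX_HDRS 8
enum headeropt { HEADER_UNIFIED = 0, HEADER_SEPARATE = 1 }; /* mirrors CURLHEADER_* */

/* Constructed sample lists: what an application would pass via the two options. */
static const char *sample_http_hdrs[]  = { "Authorization: Bearer <constructed-token>",
                                           "X-Request-Id: 42" };
static const char *sample_proxy_hdrs[] = { "Proxy-Authorization: Basic <constructed>" };

/* Case-insensitive prefix test (header names are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Headers that should only ever travel inside the TLS tunnel to the origin. */
static int is_sensitive(const char *h) {
    return has_prefix_ci(h, "authorization:") || has_prefix_ci(h, "cookie:");
}

/* Select the headers that would be added to the proxy CONNECT request.
 * UNIFIED: the HTTPHEADER list goes to the proxy too (PROXYHEADER is ignored).
 * SEPARATE: only the PROXYHEADER list goes to the proxy. Returns the count. */
static int headers_to_proxy(enum headeropt opt, const char **http_hdrs, int n_http,
                            const char **proxy_hdrs, int n_proxy, const char **out, int max_out) {
    const char **src = (opt == HEADER_UNIFIED) ? http_hdrs : proxy_hdrs;
    int n_src = (opt == HEADER_UNIFIED) ? n_http : n_proxy;
    int n = 0;
    for (int i = 0; i < n_src && n < max_out; i++)
        out[n++] = src[i];
    return n;
}

/* Audit: how many credential-bearing headers the proxy would see under 'opt'. */
int sensitive_headers_to_proxy(enum headeropt opt) {
    const char *to_proxy[MAX_HDRS];
    int n = headers_to_proxy(opt, sample_http_hdrs, 2, sample_proxy_hdrs, 1, to_proxy, MAX_HDRS);
    int leaked = 0;
    for (int i = 0; i < n; i++)
        leaked += is_sensitive(to_proxy[i]);
    return leaked;
}

int main(void) {
    printf("UNIFIED : %d sensitive header(s) exposed to proxy\n", sensitive_headers_to_proxy(HEADER_UNIFIED));
    printf("SEPARATE: %d sensitive header(s) exposed to proxy\n", sensitive_headers_to_proxy(HEADER_SEPARATE));
    return 0;
}
```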

comment:3 by Fernando de Oliveira, 9 years ago

Committed patches-blfs/trunk/curl/curl-before-7.4.21-CVE_2015_3153-1.patch

Couldn't find a suitable name. Modifications are welcome.

This patch is not for curl-7.4.21.

comment:4 by Fernando de Oliveira, 9 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r15898.

comment:5 by bdubbs@…, 9 years ago

The name of the patch is not a problem, but I don't know how users would find it. Do we need to add something to BLFS errata?

The actual change appears to be just adding one line. All the rest is documentation and regression tests.

comment:6 by Fernando de Oliveira, 9 years ago

Yes, now I see. Can't remember if it was this one or the dovecot one, where whoever reported it made a one-line patch, and then searching the upstream site it was more complicated. But I did not stop to think about which files were modified. Spent some half hour on it now, but could not find any more.

Often I forget the errata. You are right, something should go there.

Ah!

I misspelled the patch name (it is correct in the repository). The name is:

curl-before-7.42.1-CVE_2015_3153-1.patch

If it is only going in the 7.7 errata, perhaps I could add a link in the repository:

ln -s curl-before-7.42.1-CVE_2015_3153-1.patch \
  patches-blfs/trunk/curl/curl-7.40.0-CVE_2015_3153-1.patch

and the errata could be a sed, and the link just for those who wished to run the tests.

Please, if you agree (or even if you prefer just the sed), would you mind doing the errata?

comment:8 by Fernando de Oliveira, 9 years ago

Thank you, Bruce.
