Mageia: 2021-0186 Critical: Curl Data Leak and TLS Session Issues
mageia
April 12, 2021
libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking...
Summary
libcurl does not strip off user credentials from the URL when automatically
populating the Referer: HTTP request header field in outgoing HTTP requests,
and therefore risks leaking sensitive data to the server that is the target of
the second HTTP request. (CVE-2021-22876)
TLS 1.3 session ticket proxy host mixup. (CVE-2021-22890)
References
- https://bugs.mageia.org/show_bug.cgi?id=28688
- https://curl.se/docs/CVE-2021-22876.html
- https://curl.se/docs/CVE-2021-22890.html
- https://curl.se/changes.html
- https://www.cve.org/CVERecord?id=CVE-2021-22876
- https://www.cve.org/CVERecord?id=CVE-2021-22890
Topics Covered
Resolution
SRPMS
- 7/core/curl-7.71.0-1.2.mga7
- 8/core/curl-7.74.0-1.1.mga8
PREVIOUS 
NEXT Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 12 Apr 2021
URL: https://advisories.mageia.org/MGASA-2021-0186.html
Type: security
CVE: CVE-2021-22876, CVE-2021-22890
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!