A curl security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where sensitive authentication data may leak to the server that is the target of the second HTTP request.
ELA-431-1 curl security update
Package curl
ELA-431-1 curl security update
Version 7.38.0-4+deb8u20
Related CVEs CVE-2021-22876
Viktor Szakats reported that libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request.
For Debian 8 jessie, these problems have been fixed in version 7.38.0-4+deb8u20.
We recommend that you upgrade your curl packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
