Debian 10261 Published by

A curl security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where sensitive authentication data may leak to the server that is the target of the second HTTP request.



ELA-431-1 curl security update

Package curl
Version 7.38.0-4+deb8u20
Related CVEs CVE-2021-22876

Viktor Szakats reported that libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request.

For Debian 8 jessie, these problems have been fixed in version 7.38.0-4+deb8u20.

We recommend that you upgrade your curl packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-431-1 curl security update