PublicDateAtUSN: 2018-01-24
Candidate: CVE-2018-1000007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000007
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://usn.ubuntu.com/usn/usn-3554-1
https://usn.ubuntu.com/usn/usn-3554-2
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to
third parties. When asked to send custom headers in its HTTP requests,
libcurl will send that set of headers first to the host in the initial URL
but also, if asked to follow redirects and a 30X HTTP response code is
returned, to the host named in the URL in the `Location:` response header
value. Sending the same set of headers to subsequent hosts is in particular
a problem for applications that pass on custom `Authorization:` headers, as
this header often contains privacy-sensitive information or data that could
allow others to impersonate the libcurl-using client's request.
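The description above covers the mechanism: a custom header list handed to libcurl is replayed verbatim to whatever host the `Location:` header names. What follows is an added example, not curl's code and not the upstream fix linked below, showing the origin check an application on an unfixed libcurl can run itself when it drives redirects manually (CURLOPT_FOLLOWLOCATION off, next URL read from CURLINFO_REDIRECT_URL) before deciding whether its own `Authorization:` header may accompany the next request. The helper names are hypothetical, the sample URLs and headers are constructed, and requiring scheme, host and port to all match (rather than only the host name) is this example's choice.

```c
/* Added example, not curl's code: the origin check an application can run
 * itself before re-sending its own Authorization: header to a redirect
 * target. Helper names are hypothetical; requiring scheme, host and port to
 * all match is this example's choice. IPv6 host literals are not handled. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct origin { char scheme[16]; char host[256]; int port; };

/* Parse "scheme://[user@]host[:port][/...]" into an origin, lower-casing
 * scheme and host. Returns 0 on success, -1 on malformed input or a scheme
 * other than http/https (unknown schemes therefore fail closed). */
static int parse_origin(const char *url, struct origin *o)
{
    const char *p = strstr(url, "://"), *end, *at, *colon, *q;
    size_t slen, hlen, i;
    if (!p || p == url || (slen = (size_t)(p - url)) >= sizeof o->scheme)
        return -1;
    for (i = 0; i < slen; i++)
        o->scheme[i] = (char)tolower((unsigned char)url[i]);
    o->scheme[slen] = '\0';
    p += 3;
    end = p + strcspn(p, "/?#");                  /* end of the authority */
    if ((at = memchr(p, '@', (size_t)(end - p))) != NULL)
        p = at + 1;                               /* skip userinfo */
    colon = memchr(p, ':', (size_t)(end - p));
    hlen = (size_t)((colon ? colon : end) - p);
    if (hlen == 0 || hlen >= sizeof o->host)
        return -1;
    for (i = 0; i < hlen; i++)
        o->host[i] = (char)tolower((unsigned char)p[i]);
    o->host[hlen] = '\0';
    if (colon) {                                  /* explicit port */
        for (o->port = 0, q = colon + 1; q < end; q++)
            if (!isdigit((unsigned char)*q) || (o->port = o->port * 10 + *q - '0') > 65535)
                return -1;
        return o->port > 0 ? 0 : -1;
    }
    if (strcmp(o->scheme, "https") == 0) { o->port = 443; return 0; }
    if (strcmp(o->scheme, "http") == 0)  { o->port = 80;  return 0; }
    return -1;
}

/* Return 1 when Authorization may follow the redirect to `location`, else 0.
 * A relative Location (path or query only) resolves against the original URL
 * and stays on the same origin; a scheme-relative "//host/..." Location can
 * change host and is resolved with the original scheme. Unparseable input
 * fails closed. */
int auth_allowed_on_redirect(const char *orig_url, const char *location)
{
    struct origin a, b;
    char buf[600];
    const char *target = location;
    if (parse_origin(orig_url, &a) != 0)
        return 0;
    if (strncmp(location, "//", 2) == 0) {
        if (snprintf(buf, sizeof buf, "%s:%s", a.scheme, location) >= (int)sizeof buf)
            return 0;
        target = buf;
    } else if (location[strcspn(location, ":/?#")] != ':') {
        return 1;                                 /* relative reference */
    }
    if (parse_origin(target, &b) != 0)
        return 0;
    return strcmp(a.scheme, b.scheme) == 0 && strcmp(a.host, b.host) == 0 &&
           a.port == b.port;
}

/* Copy the custom header list to `out` (room for n pointers), dropping
 * Authorization (name matched case-insensitively) when it must not travel
 * to the redirect target. Returns the number of headers kept. */
int filter_headers_for_redirect(const char *orig_url, const char *location,
                                const char **in, int n, const char **out)
{
    int i, kept = 0, allow = auth_allowed_on_redirect(orig_url, location);
    for (i = 0; i < n; i++)
        if (allow || strncasecmp(in[i], "Authorization:", 14) != 0)
            out[kept++] = in[i];
    return kept;
}

int main(void)
{
    /* Constructed sample: a bearer token sent to api.example.com, then 302s. */
    const char *orig = "https://api.example.com/v1/report";
    const char *hdrs[] = { "Authorization: Bearer s3cr3t", "X-Trace: 42" };
    const char *targets[] = { "/v1/report?page=2", "http://api.example.com/v1/report",
                              "https://cdn.example.net/report.bin" };
    const char *out[2];
    size_t i;
    for (i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-36s -> %d of 2 headers forwarded\n", targets[i],
               filter_headers_for_redirect(orig, targets[i], hdrs, 2, out));
    return 0;
}
```

In use, the filtered list (not the original one) is what gets passed to CURLOPT_HTTPHEADER for the follow-up request. The same-host relative redirect keeps the token; an https-to-http downgrade on the same host, a different host, and a scheme-relative `//other-host/...` Location all drop it, which is the conservative reading of the leak described above.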
leosilva> for precise some files that patch the code are not present
patch: https://github.com/curl/curl/commit/af32cd3859336ab.patch
upstream_curl: released (7.58.0-1)
precise/esm_curl: released (7.22.0-3ubuntu4.20)
trusty_curl: released (7.35.0-1ubuntu2.14)
xenial_curl: released (7.47.0-1ubuntu2.6)
artful_curl: released (7.55.1-1ubuntu2.3)
devel_curl: not-affected (7.58.0-2ubuntu1)