CVE-2015-3153
Published 2015-05-01
Priority P4 · 28 · medium · 5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 7.54% (93.7th percentile)
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | curl | < curl 7.42.1-1 (bookworm) | curl 7.42.1-1 (bookworm) |
| debian | debian_linux | — | — |
| haxx | curl | <= 7.42.0 | — |
| haxx | curl | >= 0 < 7.42.1-1 | 7.42.1-1 |
| haxx | curl | >= 0 < 7.42.1-1 | 7.42.1-1 |
| haxx | curl | >= 0 < 7.42.1-1 | 7.42.1-1 |
| haxx | curl | >= 0 < 7.42.1-1 | 7.42.1-1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.5 | 7.35.0-1ubuntu2.5 |
| haxx | libcurl | <= 7.42.0 | — |
| oracle | enterprise_manager_ops_center | <= 12.1.3 | — |
| oracle | enterprise_manager_ops_center | — | — |
| oracle | enterprise_manager_ops_center | — | — |
| oracle | enterprise_manager_ops_center | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvdv2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | 5.0 | MEDIUM | — |
| vendor_debian | 5.0 | MEDIUM | — |
| vendor_redhat | 5.0 | MEDIUM | — |
| vendor_ubuntu | 5.0 | MEDIUM | — |
GHSA
GHSA-hwj5-x3jv-hmff · ghsa_unreviewed · 2022-05-14 · CVE-2015-3153 [MEDIUM] CWE-200
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
OSV
CVE-2015-3153 · osv · 2015-05-01 · CVSS 5.0 [MEDIUM]
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
OSV
curl vulnerabilities · osv · 2015-04-30 · CVSS 5.0 · CVE-2015-3143 [MEDIUM]

Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP credentials when subsequently connecting to the same host over HTTP. (CVE-2015-3143)

Hanno Böck discovered that curl incorrectly handled zero-length host names. If a user or automated system were tricked into using a specially crafted host name, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3144)

Hanno Böck discovered that curl incorrectly handled cookie path elements. If a user or automated system were tricked into parsing a specially crafted cookie, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of serv
Ubuntu
curl vulnerabilities · vendor_ubuntu · 2015-04-30 · CVSS 5.0 · CVE-2015-3143 [MEDIUM]
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Red Hat
curl: sensitive HTTP server headers also sent to proxies · vendor_redhat · 2015-04-29 · CVSS 5.0 · CVE-2015-3153 [MEDIUM] CWE-201
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
Package: curl (Red Hat Ceph Storage 1.2) - Will not fix
Package: curl (Red Hat Enterprise Linux 5) - Will not fix
Package: curl (Red Hat Enterprise Linux 6) - Will not fix
Package: curl (Red Hat Enterprise Linux 7) - Will not fix
Package: mingw-virt-viewer (Red Hat Enterprise Virtualization 3) - Will not fix
Debian
CVE-2015-3153: curl · vendor_debian · 2015 · CVSS 5.0 [MEDIUM]
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
Scope: local
bookworm: resolved (fixed in 7.42.1-1)
bullseye: resolved (fixed in 7.42.1-1)
forky: resolved (fixed in 7.42.1-1)
sid: resolved (fixed in 7.42.1-1)
trixie: resolved (fixed in 7.42.1-1)
Apple
CVE-2015-3153: OS X Yosemite v10.10.5 and Security Update 2015-006 · vendor_apple · CVSS 5.0 [MEDIUM]
Apple Security Update: About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006
Product: OS X Yosemite v10.10.5 and Security Update 2015-006
CVE: CVE-2015-3153
Component: CVE-2015-3153
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-3153 mingw-curl: curl: sensitive HTTP server headers also sent to proxies [epel-7] · bugzilla · 2015-04-30 · CVSS 5.0 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
epel-7 tracking bug for mingw-curl: s
Bugzilla
CVE-2015-3153 curl: sensitive HTTP server headers also sent to proxies · bugzilla · 2015-04-30 · CVSS 5.0 [MEDIUM]
The following flaw was found in curl:
libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option.
When the connection passes through an HTTP proxy the same set of headers is sent to the proxy as well by default. While this is by design, it has not necessarily been clear nor understood by application programmers.
Such tunneling over a proxy is done for example when using the HTTPS protocol - or when explicitly asked for. In this case, the initial connection to the proxy is made in clear including any custom headers using the HTTP CONNECT method.
While libcurl provides the
Bugzilla
CVE-2015-3153 mingw-curl: curl: sensitive HTTP server headers also sent to proxies [fedora-all] · bugzilla · 2015-04-30 · CVSS 5.0 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2015-3153 curl: sensitive HTTP server headers also sent to proxies [fedora-all] · bugzilla · 2015-04-30 · CVSS 5.0 [MEDIUM]
NOTE: this issue affects multiple supported versio
References
http://curl.haxx.se/docs/adv_20150429.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00017.html
http://www.debian.org/security/2015/dsa-3240
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/bid/74408
http://www.securitytracker.com/id/1032233
http://www.ubuntu.com/usn/USN-2591-1
https://kc.mcafee.com/corporate/index?page=content&id=SB10131
https://support.apple.com/kb/HT205031
Published 2015-05-01