Format: 1.8
Date: Sat, 15 May 2021 18:11:21 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source
Version: 7.52.1-5+deb9u14
Distribution: stretch-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 curl - command line tool for transferring data with URL syntax
 libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Changes:
 curl (7.52.1-5+deb9u14) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * Backport URL API which is a pre-requisite for CVE-2021-22876.
   * Reference new symbols.
   * CVE-2021-22876: curl is vulnerable to an "Exposure of Private Personal
     Information to an Unauthorized Actor" by leaking credentials in the HTTP
     Referer: header. libcurl does not strip off user credentials from the URL
     when automatically populating the Referer: HTTP request header field in
     outgoing HTTP requests, and therefore risks leaking sensitive data to the
     server that is the target of the second HTTP request.