Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2015-3153

Publication date 29 April 2015

Last updated 24 July 2024


Ubuntu priority

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

Read the notes from the security team

Status

Package Ubuntu Release Status
curl 15.04 vivid
Fixed 7.38.0-3ubuntu2.2
14.10 utopic
Fixed 7.37.1-1ubuntu3.4
14.04 LTS trusty Ignored
12.04 LTS precise Ignored
10.04 LTS lucid Ignored end of life

Notes


mdeslaur

in curl versions before 7.37.0, the same headers are always sent to both the destination server and the proxy. In 7.37.0, two new options were introduced to control which headers are sent to the server and which headers are sent to the proxy: CURLOPT_HEADEROPT and CURLOPT_PROXYHEADER. The default is to send the headers to both servers, contrary to expectations. The fix is to change the default to send separate headers. Introducing split header functionality in older versions of curl is intrusive, and will change behaviour. We will not be fixing this issue in Ubuntu 14.04 LTS and earlier.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
curl

References

Related Ubuntu Security Notices (USN)

Other references