CVE-2015-3153

Priority
Description
The default configuration for cURL and libcurl before 7.42.1 sends custom
HTTP headers to both the proxy and destination server, which might allow
remote proxy servers to obtain sensitive information by reading the header
contents.
Notes
 mdeslaur> In curl versions before 7.37.0, the same headers are always
 mdeslaur> sent to both the destination server and the proxy. In 7.37.0,
 mdeslaur> two new options were introduced to control which headers are
 mdeslaur> sent to the server and which headers are sent to the proxy:
 mdeslaur> CURLOPT_HEADEROPT and CURLOPT_PROXYHEADER. The default is to
 mdeslaur> send the headers to both servers, contrary to expectations. The
 mdeslaur> fix is to change the default to send separate headers.
 mdeslaur>
 mdeslaur> Introducing split header functionality in older versions of
 mdeslaur> curl is intrusive, and will change behaviour. We will not be
 mdeslaur> fixing this issue in Ubuntu 14.04 LTS and earlier.
Assigned-to
mdeslaur
More Information

Updated: 2019-03-19 12:18:48 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)