Advisories » MGASA-2015-0020

Updated curl packages fix CVE-2014-8150

Publication date: 09 Jan 2015
Modification date: 09 Jan 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-8150

Description

Updated curl packages fix security vulnerability:

When libcurl sends a request to a server via a HTTP proxy, it copies the
entire URL into the request and sends if off. If the given URL contains line
feeds and carriage returns those will be sent along to the proxy too, which
allows the program to for example send a separate HTTP request injected
embedded in the URL (CVE-2014-8150).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=14985
• http://curl.haxx.se/docs/adv_20150108B.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150

SRPMS

4/core

• curl-7.34.0-1.5.mga4