Bug 1847916 (CVE-2020-8169)

Summary: CVE-2020-8169 libcurl: partial password leak over DNS on HTTP redirect
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: andrew.slice, bodavis, csutherl, dbhole, erik-fedora, gzaronik, hhorak, hvyas, jclere, john.j5live, jorton, jwon, kanderso, kdudka, krathod, luhliari, mbabacek, mike, mjg, msekleta, mturk, omajid, paul, pjindal, rakesh.pandit, rwagner, security-response-team, svashisht, walter.pete
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: curl 7.71.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libcurl. A part of a password may be prepended to the host name before the host name is resolved, leading to a leak of the partial password over the network and to DNS servers. The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-06-17 15:03:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1851435, 1851436, 1851437
Bug Blocks: 1847917

Description msiddiqu 2020-06-17 10:45:54 UTC
libcurl can be tricked to prepend a part of the password to the host name
before it resolves it, potentially leaking the partial password over the
network and to the DNS server(s).

Comment 2 Stefan Cornelius 2020-06-26 13:47:32 UTC
External References:

https://curl.haxx.se/docs/CVE-2020-8169.html

Comment 3 Stefan Cornelius 2020-06-26 13:50:06 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1851435]

Created flickcurl tracking bugs for this issue:

Affects: fedora-all [bug 1851437]

Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1851436]

Comment 4 errata-xmlrpc 2021-06-17 11:35:31 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

Comment 5 errata-xmlrpc 2021-06-17 11:45:00 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472

Comment 6 Product Security DevOps Team 2021-06-17 15:03:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8169