Bug 2446476

Summary:	CVE-2026-3783 rustup: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
Product:	[Fedora] Fedora	Reporter:	Vipul Nair <vinair>
Component:	rustup	Assignee:	Rust SIG <rust-sig>
Status:	CLOSED CANTFIX	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	42	CC:	decathorpe, rust-sig, suraj.ghimire7
Target Milestone:	---	Keywords:	Security, SecurityTracking
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	{"flaws": ["db5eec15-4e34-401b-8310-3c003d3cd346"]}
Fixed In Version:		Doc Type:	---
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2026-03-11 14:07:06 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2173769, 2446450

Description Vipul Nair 2026-03-11 12:08:53 UTC

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Fabio Valentini 2026-03-11 14:07:06 UTC

This package is dynamically linked to libcurl via the `curl` / `curl-sys` Rust bindings and does not include curl itself.
The bug needs to be addressed in the curl package and nothing needs to be done here.