Bug 1217341 - (CVE-2015-3153) CVE-2015-3153 curl: sensitive HTTP server headers also sent to proxies
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20150429,repor...
: Security
Depends On: 1217343 1217344 1217345
Blocks: 1217347
Reported: 2015-04-30 03:58 EDT by Martin Prpič
Modified: 2016-01-25 09:45 EST
Fixed In Version: curl 7.42.1
Doc Type: Bug Fix
Last Closed: 2015-07-01 04:23:23 EDT
Description Martin Prpič 2015-04-30 03:58:23 EDT
The following flaw was found in curl:

libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option.

When the connection passes through an HTTP proxy the same set of headers is sent to the proxy as well by default. While this is by design, it has not necessarily been clear nor understood by application programmers.

Such tunneling over a proxy is done for example when using the HTTPS protocol - or when explicitly asked for. In this case, the initial connection to the proxy is made in clear including any custom headers using the HTTP CONNECT method.

While libcurl provides the CURLOPT_HEADEROPT option to allow applications to tell libcurl if the headers should be sent to host and the proxy or use separate lists to the different destinations, it has still defaulted to sending the same headers to both parties for the sake of compatibility.

If the application sets a custom HTTP header with sensitive content (e.g., authentication cookies) without changing the default, the proxy, and anyone who listens to the traffic between the application and the proxy, might get access to those values.

Note: this problem doesn't exist when using the CURLOPT_COOKIE option (or the '--cookie' option) or the HTTP auth options, which are always sent only to the destination server.

This flaw is fixed in version 7.42.1 of curl.

Upstream patch:

http://curl.haxx.se/CVE-2015-3153.patch

External References:

http://curl.haxx.se/docs/adv_20150429.html
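
An added example, not part of the original report and not code from curl or Red Hat: a small source audit that finds libcurl handles which set CURLOPT_HTTPHEADER without also setting CURLOPT_HEADEROPT to CURLHEADER_SEPARATE, the case the description above warns about on libcurl older than 7.42.1. The C fragment in SAMPLE is constructed for illustration, the function name audit_header_scope is hypothetical, and CURLOPT_PROXYHEADER and CURLHEADER_SEPARATE are libcurl names that do not appear in this report.

```python
import re

# curl_easy_setopt(handle, CURLOPT_X, value); -> (handle, option, value)
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*(CURLOPT_\w+)\s*,\s*(.*?)\)\s*;", re.S)

def audit_header_scope(c_source):
    """Map each handle that sets CURLOPT_HTTPHEADER to 'separate' or 'shared'."""
    opts = {}
    for handle, option, value in SETOPT.findall(c_source):
        opts.setdefault(handle, {})[option] = value.strip()
    findings = {}
    for handle, o in opts.items():
        if "CURLOPT_HTTPHEADER" not in o:
            continue  # no custom headers on this handle, nothing to leak
        if "CURLHEADER_SEPARATE" in o.get("CURLOPT_HEADEROPT", ""):
            findings[handle] = "separate"  # server headers stay out of CONNECT
        else:
            # The proxy may come from the environment (https_proxy), so a
            # missing CURLOPT_PROXY does not make the handle safe.
            findings[handle] = "shared"
    return findings

# Constructed sample: three handles in one C file, invented for this example.
SAMPLE = r'''
CURL *legacy = curl_easy_init();
hdrs = curl_slist_append(NULL, "Cookie: session=EXAMPLE");
curl_easy_setopt(legacy, CURLOPT_URL, "https://api.example.test/");
curl_easy_setopt(legacy, CURLOPT_PROXY, "http://proxy.example.test:3128");
curl_easy_setopt(legacy, CURLOPT_HTTPHEADER, hdrs);

CURL *hardened = curl_easy_init();
curl_easy_setopt(hardened, CURLOPT_URL, "https://api.example.test/");
curl_easy_setopt(hardened, CURLOPT_HTTPHEADER, hdrs);
curl_easy_setopt(hardened, CURLOPT_PROXYHEADER, proxy_hdrs);
curl_easy_setopt(hardened, CURLOPT_HEADEROPT, (long)CURLHEADER_SEPARATE);

CURL *plain = curl_easy_init();
curl_easy_setopt(plain, CURLOPT_URL, "https://api.example.test/");
'''

if __name__ == "__main__":
    for handle, verdict in audit_header_scope(SAMPLE).items():
        print(f"{handle}: {verdict}")
```

A "shared" result is a prompt to review the call site, not proof of a leak: the match is textual and does not follow handles passed between functions.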
Comment 1 Martin Prpič 2015-04-30 04:00:17 EDT
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1217343]
Comment 2 Martin Prpič 2015-04-30 04:00:21 EDT
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1217344]
Affects: epel-7 [bug 1217345]
Comment 3 Kamil Dudka 2015-04-30 04:02:34 EDT
This is already fixed in rawhide.  I would prefer not to change the default in stable releases.  As stated in the advisory, libcurl works as documented.
