libcurl upstream reports: """ When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to for example send a separate HTTP request injected embedded in the URL. Many programs allow some kind of external sources to set the URL or provide partial pieces for the URL to request, and if the URL (as received from the user) is not stripped good enough - this flaw allows malicious users to do additional requests in a way that was not intended, or to insert request headers into the request that the program didn't intend. We are not aware of any public exploits of this flaw. """ External References: http://curl.haxx.se/docs/adv_20150108B.html Acknowledgements: Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges Andrey Labunets of Facebook as the original reporter.
Created attachment 976325 [details] 0001-url-parsing-reject-CRLFs-within-URLs.patch
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1180062]
Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1180063] Affects: epel-7 [bug 1180064]
Fixed now in curl 7.40.0: http://curl.haxx.se/mail/archive-2015-01/0019.html Upstream commits (fix + test): https://github.com/bagder/curl/commit/178bd7db34f77e020fb8562890c5625ccbd67093 https://github.com/bagder/curl/commit/3df8e78860d3a3d3cf95252bd2b4ad5fd53360cd
curl-7.32.0-18.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.37.0-12.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1254 https://rhn.redhat.com/errata/RHSA-2015-1254.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2159 https://rhn.redhat.com/errata/RHSA-2015-2159.html