Date: Fri, 26 Jan 2018 14:28:07 +0000 (UTC) From: Steve Wills <swills@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r459993 - head/security/vuxml Message-ID: <201801261428.w0QES7Wq097879@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: swills Date: Fri Jan 26 14:28:07 2018 New Revision: 459993 URL: https://svnweb.freebsd.org/changeset/ports/459993 Log: Document curl issue Submitted by: Roger Marquis <marquis@roble.com> Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Jan 26 14:14:09 2018 (r459992) +++ head/security/vuxml/vuln.xml Fri Jan 26 14:28:07 2018 (r459993) @@ -58,6 +58,41 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="0cbf0fa6-dcb7-469c-b87a-f94cffd94583"> + <topic>cURL -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>curl</name> + <range><lt>7.58.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The cURL project reports:</p> + <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000007"> + <p>libcurl 7.1 through 7.57.0 might accidentally leak authentication + data to third parties. When asked to send custom headers in its HTTP + requests, libcurl will send that set of headers first to the host in + the initial URL but also, if asked to follow redirects and a 30X HTTP + response code is returned, to the host mentioned in URL in the + `Location:` response header value. Sending the same set of headers to + subsequest hosts is in particular a problem for applications that pass + on custom `Authorization:` headers, as this header often contains + privacy sensitive information or data that could allow others to + impersonate the libcurl-using client's request.</p> + </blockquote> + </body> + </description> + <references> + <url>https://curl.haxx.se/docs/adv_2018-b3bf.html</url> + <cvename>CVE-2018-1000007</cvename> + </references> + <dates> + <discovery>2018-01-24</discovery> + <entry>2018-01-26</entry> + </dates> + </vuln> + <vuln vid="b464f61b-84c7-4e1c-8ad4-6cf9efffd025"> <topic>clamav -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201801261428.w0QES7Wq097879>