advisories/28688.adv

type: security
subject: Updated curl packages fix security vulnerabilities
CVE:
 - CVE-2021-22876
 - CVE-2021-22890
src:
  7:
   core:
     - curl-7.71.0-1.2.mga7
  8:
   core:
     - curl-7.74.0-1.1.mga8
description: |
  libcurl does not strip off user credentials from the URL when automatically
  populating the Referer: HTTP request header field in outgoing HTTP requests,
  and therefore risks leaking sensitive data to the server that is the target of
  the second HTTP request. (CVE-2021-22876)
  
  TLS 1.3 session ticket proxy host mixup. (CVE-2021-22890)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28688
 - https://curl.se/docs/CVE-2021-22876.html
 - https://curl.se/docs/CVE-2021-22890.html
 - https://curl.se/changes.html
ID: MGASA-2021-0186
1	type: security
2	subject: Updated curl packages fix security vulnerabilities
3	CVE:
4	- CVE-2021-22876
5	- CVE-2021-22890
6	src:
7	7:
8	core:
9	- curl-7.71.0-1.2.mga7
10	8:
11	core:
12	- curl-7.74.0-1.1.mga8
13	description: \|
14	libcurl does not strip off user credentials from the URL when automatically
15	populating the Referer: HTTP request header field in outgoing HTTP requests,
16	and therefore risks leaking sensitive data to the server that is the target of
17	the second HTTP request. (CVE-2021-22876)
18
19	TLS 1.3 session ticket proxy host mixup. (CVE-2021-22890)
20	references:
21	- https://bugs.mageia.org/show_bug.cgi?id=28688
22	- https://curl.se/docs/CVE-2021-22876.html
23	- https://curl.se/docs/CVE-2021-22890.html
24	- https://curl.se/changes.html
25	ID: MGASA-2021-0186