CVE-2015-3153 Information

Description

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and the destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

Reference

http://curl.haxx.se/docs/adv_20150429.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00017.html
http://www.debian.org/security/2015/dsa-3240
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/bid/74408
http://www.securitytracker.com/id/1032233
http://www.ubuntu.com/usn/USN-2591-1
https://kc.mcafee.com/corporate/index?page=content&id=SB10131
https://support.apple.com/kb/HT205031

cpe:2.3:a:haxx:curl::::::::
cpe:2.3:a:haxx:libcurl::::::::
