FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

cURL -- sensitive HTTP server headers also sent to proxies

Affected packages
curl < 7.42.1

Details

VuXML ID: 27f742f6-03f4-11e5-aab1-d050996490d0
Discovery: 2015-04-29
Entry: 2015-05-26

cURL reports:

libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option.

When the connection passes through an HTTP proxy the same set of headers is sent to the proxy as well by default. While this is by design, it has not necessarily been clear nor understood by application programmers.
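A review aid for the behaviour described in the quoted report, added here and not part of the cURL report or of this VuXML entry: it flags curl command lines that pass credential-style headers with -H/--header while an HTTP proxy is in effect, and checks a version string against the affected range listed above. The SENSITIVE list, the function names and the sample command lines are assumptions constructed for the example.

```python
import shlex

FIXED = (7, 42, 1)  # this entry lists curl < 7.42.1 as affected
SENSITIVE = {"authorization", "cookie", "x-api-key"}  # assumed list, extend locally
# Proxy variables curl reads; it deliberately ignores upper-case HTTP_PROXY.
PROXY_ENV = ("http_proxy", "https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY")

def is_affected(version):
    """True when a dotted numeric curl version is older than 7.42.1."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts + (0,) * (3 - len(parts)) < FIXED

def _http_proxy(value):
    """A SOCKS proxy is not an HTTP proxy, so it is not counted."""
    return bool(value) and not value.lower().startswith("socks")

def audit(cmdline, env=None):
    """Sensitive header names given with -H/--header while an HTTP proxy is in use."""
    env = env or {}
    proxied = any(_http_proxy(env.get(k, "")) for k in PROXY_ENV)
    found = set()
    args = shlex.split(cmdline)[1:]
    i = 0
    while i < len(args):
        arg, opt, value = args[i], None, ""
        if arg in ("-H", "--header", "-x", "--proxy"):  # value is the next word
            opt = arg
            value = args[i + 1] if i + 1 < len(args) else ""
            i += 1
        elif arg[:2] in ("-H", "-x"):                   # attached form, e.g. -xURL
            opt, value = arg[:2], arg[2:]
        if opt in ("-x", "--proxy"):
            proxied = _http_proxy(value)                # -x overrides the environment
        elif opt in ("-H", "--header"):
            name = value.split(":", 1)[0].strip().lower()
            if name in SENSITIVE:
                found.add(name)
        i += 1
    return sorted(found) if proxied else []

SAMPLES = [  # constructed command lines, not taken from the advisory
    'curl -x http://proxy.example:3128 -H "Authorization: Bearer TOKEN" https://api.example/v1',
    'curl -H "Authorization: Bearer TOKEN" https://api.example/v1',
    'curl --proxy http://proxy.example:3128 --proxy-header "X-Trace: 1" -H "Accept: text/plain" https://api.example/',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample), sample)
```

Headers that are meant only for the proxy can be passed with curl's separate --proxy-header option, which is why the third sample is not flagged.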

References

CVE Name: CVE-2015-3153
URL: http://curl.haxx.se/docs/adv_20150429.html