CVE-2015-3153

Note

in curl versions before 7.37.0, the same headers are always
sent to both the destination server and the proxy. In 7.37.0,
two new options were introduced to control which headers are
sent to the server and which headers are sent to the proxy:
CURLOPT_HEADEROPT and CURLOPT_PROXYHEADER. The default is to
send the headers to both servers, contrary to expectations. The
fix is to change the default to send separate headers.

Introducing split header functionality in older versions of
curl is intrusive, and will change behaviour. We will not be
fixing this issue in Ubuntu 14.04 LTS and earlier.

Package	Release	Status
curl Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Ignored
	trusty	Ignored
	upstream	Released (7.42.1)
	utopic	Released (7.37.1-1ubuntu3.4)
	vivid	Released (7.38.0-3ubuntu2.2)
	Patches: upstream: http://curl.haxx.se/CVE-2015-3153.patch upstream: https://github.com/bagder/curl/commit/ac887eedbc17a0d78b11ff467858c76a5127d1f4 upstream: https://github.com/bagder/curl/commit/ef6be35bae1fe501fecd9a2a21eb5d03ddff4243 upstream: https://github.com/bagder/curl/commit/fa0a5e6812f9e460f4f2d9aae0ca9900fd50add4 upstream: https://github.com/bagder/curl/commit/4946ea05e2ae14bd84332bd1fde5e3b5e468cef2 upstream: https://github.com/bagder/curl/commit/20f61cd12c9b7960a9e5489154744af6c7583aac upstream: https://github.com/bagder/curl/commit/d3d27551e716e4899ef8fea7ac416f1d6c654f96 upstream: https://github.com/bagder/curl/commit/74851340bd7b4edbdc749e74562fc1ebcef9930f upstream: https://github.com/bagder/curl/commit/109e94c51cf813eb3f69e22556cb990d4eec5ac3 upstream: https://github.com/bagder/curl/commit/c877c50e13ad43459de12a4092bd95872e549dfb

CVE-2015-3153

Notes

Priority

Status

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading