Bug 1847916 (CVE-2020-8169)
Summary: | CVE-2020-8169 libcurl: partial password leak over DNS on HTTP redirect | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | msiddiqu |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | andrew.slice, bodavis, csutherl, dbhole, erik-fedora, gzaronik, hhorak, hvyas, jclere, john.j5live, jorton, jwon, kanderso, kdudka, krathod, luhliari, mbabacek, mike, mjg, msekleta, mturk, omajid, paul, pjindal, rakesh.pandit, rwagner, security-response-team, svashisht, walter.pete |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | curl 7.71.0 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in libcurl. A part of a password may be prepended to the host name before the host name is resolved, leading to a leak of the partial password over the network and to DNS servers. The highest threat from this vulnerability is to data confidentiality. |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-06-17 15:03:55 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1851435, 1851436, 1851437 | ||
Bug Blocks: |
Description
msiddiqu
2020-06-17 10:45:54 UTC
External References:
https://curl.haxx.se/docs/CVE-2020-8169.html

Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1851435]

Created flickcurl tracking bugs for this issue:
Affects: fedora-all [bug 1851437]

Created mingw-curl tracking bugs for this issue:
Affects: fedora-all [bug 1851436]

This issue has been addressed in the following products:
JBoss Core Services Apache HTTP Server 2.4.37 SP8
Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-8169