
Bug 1847916 (CVE-2020-8169)

Summary: CVE-2020-8169 libcurl: partial password leak over DNS on HTTP redirect
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: andrew.slice, bodavis, csutherl, dbhole, erik-fedora, gzaronik, hhorak, hvyas, jclere, john.j5live, jorton, jwon, kanderso, kdudka, krathod, luhliari, mbabacek, mike, mjg, msekleta, mturk, omajid, paul, pjindal, rakesh.pandit, rwagner, security-response-team, svashisht, walter.pete
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: curl 7.71.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libcurl. A part of a password may be prepended to the host name before the host name is resolved, leading to a leak of the partial password over the network and to DNS servers. The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-06-17 15:03:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1851435, 1851436, 1851437
Bug Blocks:

Description msiddiqu 2020-06-17 10:45:54 UTC
libcurl can be tricked to prepend a part of the password to the host name
before it resolves it, potentially leaking the partial password over the
network and to the DNS server(s).

Comment 2 Stefan Cornelius 2020-06-26 13:47:32 UTC
External References:

https://curl.haxx.se/docs/CVE-2020-8169.html

Comment 3 Stefan Cornelius 2020-06-26 13:50:06 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1851435]

Created flickcurl tracking bugs for this issue:

Affects: fedora-all [bug 1851437]

Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1851436]

Comment 4 errata-xmlrpc 2021-06-17 11:35:31 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

Comment 5 errata-xmlrpc 2021-06-17 11:45:00 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472

Comment 6 Product Security DevOps Team 2021-06-17 15:03:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8169