diff -Nru curl-7.37.1/debian/changelog curl-7.37.1/debian/changelog --- curl-7.37.1/debian/changelog 2015-04-22 12:23:23.000000000 +0000 +++ curl-7.37.1/debian/changelog 2015-04-29 14:23:55.000000000 +0000 @@ -1,4 +1,4 @@ -curl (7.37.1-1ubuntu3.3) utopic-security; urgency=medium +curl (7.37.1-1ubuntu3.4) utopic-security; urgency=medium * SECURITY UPDATE: NTLM connection reuse when unauthenticated - debian/patches/CVE-2015-3143.patch: require credentials to match in @@ -17,8 +17,13 @@ each exchange and close Negotiate connections when done in lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c. - CVE-2015-3148 + * SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies + - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in + docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c, + tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c. + - CVE-2015-3153 - -- Marc Deslauriers Wed, 22 Apr 2015 08:20:39 -0400 + -- Marc Deslauriers Wed, 29 Apr 2015 10:23:26 -0400 curl (7.37.1-1ubuntu3.2) utopic-security; urgency=medium diff -Nru curl-7.37.1/debian/patches/CVE-2015-3153.patch curl-7.37.1/debian/patches/CVE-2015-3153.patch --- curl-7.37.1/debian/patches/CVE-2015-3153.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.37.1/debian/patches/CVE-2015-3153.patch 2015-04-29 14:23:00.000000000 +0000 @@ -0,0 +1,96 @@ +From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 23 Apr 2015 15:58:21 +0200 +Subject: [PATCH] CURLOPT_HEADEROPT: default to separate + +Make the HTTP headers separated by default for improved security and +reduced risk for information leakage. + +Bug: http://curl.haxx.se/docs/adv_20150429.html +Reported-by: Yehezkel Horowitz, Oren Souroujon +--- + docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------ + lib/url.c | 1 + + tests/data/test1527 | 2 +- + tests/data/test287 | 2 +- + tests/libtest/lib1527.c | 1 + + 5 files changed, 10 insertions(+), 8 deletions(-) + +Index: curl-7.37.1/docs/libcurl/opts/CURLOPT_HEADEROPT.3 +=================================================================== +--- curl-7.37.1.orig/docs/libcurl/opts/CURLOPT_HEADEROPT.3 2015-04-29 10:22:57.773720734 -0400 ++++ curl-7.37.1/docs/libcurl/opts/CURLOPT_HEADEROPT.3 2015-04-29 10:22:57.765720654 -0400 +@@ -31,10 +31,10 @@ + Pass a long that is a bitmask of options of how to deal with headers. The two + mutually exclusive options are: + +-\fBCURLHEADER_UNIFIED\fP - keep working as before. This means +-\fICURLOPT_HTTPHEADER(3)\fP headers will be used in requests both to servers +-and proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not +-have any effect. ++\fBCURLHEADER_UNIFIED\fP - the headers specified in ++\fICURLOPT_HTTPHEADER(3)\fP will be used in requests both to servers and ++proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not have ++any effect. + + \fBCURLHEADER_SEPARATE\fP - makes \fICURLOPT_HTTPHEADER(3)\fP headers only get + sent to a server and not to a proxy. Proxy headers must be set with +@@ -44,7 +44,7 @@ + headers only do the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to + the server. + .SH DEFAULT +-CURLHEADER_UNIFIED ++CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then) + .SH PROTOCOLS + HTTP + .SH EXAMPLE +Index: curl-7.37.1/lib/url.c +=================================================================== +--- curl-7.37.1.orig/lib/url.c 2015-04-29 10:22:57.773720734 -0400 ++++ curl-7.37.1/lib/url.c 2015-04-29 10:22:57.765720654 -0400 +@@ -585,6 +585,7 @@ + set->ssl_enable_alpn = TRUE; + + set->expect_100_timeout = 1000L; /* Wait for a second by default. */ ++ set->sep_headers = TRUE; /* separated header lists by default */ + return res; + } + +Index: curl-7.37.1/tests/data/test1527 +=================================================================== +--- curl-7.37.1.orig/tests/data/test1527 2015-04-29 10:22:57.773720734 -0400 ++++ curl-7.37.1/tests/data/test1527 2015-04-29 10:22:57.769720694 -0400 +@@ -45,7 +45,7 @@ + lib1527 + + +-Check same headers are generated without CURLOPT_PROXYHEADER ++Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED + + + http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT +Index: curl-7.37.1/tests/data/test287 +=================================================================== +--- curl-7.37.1.orig/tests/data/test287 2015-04-29 10:22:57.773720734 -0400 ++++ curl-7.37.1/tests/data/test287 2015-04-29 10:22:57.769720694 -0400 +@@ -28,7 +28,7 @@ + HTTP proxy CONNECT with custom User-Agent header + + +-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel ++http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007" + + + +Index: curl-7.37.1/tests/libtest/lib1527.c +=================================================================== +--- curl-7.37.1.orig/tests/libtest/lib1527.c 2015-04-29 10:22:57.773720734 -0400 ++++ curl-7.37.1/tests/libtest/lib1527.c 2015-04-29 10:22:57.769720694 -0400 +@@ -83,6 +83,7 @@ + test_setopt(curl, CURLOPT_READFUNCTION, read_callback); + test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L); + test_setopt(curl, CURLOPT_INFILESIZE, strlen(data)); ++ test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED); + + res = curl_easy_perform(curl); + diff -Nru curl-7.37.1/debian/patches/series curl-7.37.1/debian/patches/series --- curl-7.37.1/debian/patches/series 2015-04-22 12:44:05.000000000 +0000 +++ curl-7.37.1/debian/patches/series 2015-04-29 14:24:29.000000000 +0000 @@ -14,6 +14,7 @@ CVE-2015-3144.patch CVE-2015-3145.patch CVE-2015-3148.patch +CVE-2015-3153.patch # the following two patches are reverted during build # any new patches must be added before them