CVE-2014-8150

NameCVE-2014-8150
DescriptionCRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-134-1, DSA-3122-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)bullseye7.74.0-1.3+deb11u12fixed
bullseye (security)7.74.0-1.3+deb11u11fixed
bookworm7.88.1-10+deb12u6fixed
bookworm (security)7.88.1-10+deb12u5fixed
trixie8.8.0-4fixed
sid8.9.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcesqueeze7.21.0-2.1+squeeze11DLA-134-1
curlsourcewheezy7.26.0-1+wheezy12DSA-3122-1
curlsource(unstable)7.38.0-4

Notes

http://curl.haxx.se/docs/adv_20150108B.html
Search for package or bug name: Reporting problems