On Wed, Jan 02, 2019 at 09:57:11PM +0100, Salvatore Bonaccorso wrote: > Source: aria2 > Version: 1.30.0-2 > Severity: normal > Tags: security upstream > Forwarded: https://github.com/aria2/aria2/issues/1329 > Control: found -1 1.34.0-3 > > Hi, > > The following vulnerability was published for aria2. > > CVE-2019-3500[0]: > | aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic > | Authentication username and password in a file, which might allow local > | users to obtain sensitive information by reading this file. > > The security impact is somehow disputable/limited, still reporting it > for tracking purpose with regard of the upstream issue. Once a fix > available it can land in Debian a well.
Fixed in https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a Can we get that in before buster? Cheers, Moritz
