Viktor Szakats reported that libcurl, an URL transfer library, does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. Sensitive authentication data may leak to the server that is the target of the second HTTP request.
For Debian 8 jessie, these problems have been fixed in version 7.38.0-4+deb8u20.
We recommend that you upgrade your curl packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/