curl: NTLM credentials not-checked for proxy connection re-use (CVE-2016-0755)
A vulnerability was found in the way libcurl uses NTLM-authenticated proxy
connections.
libcurl will reuse NTLM-authenticated proxy connections without properly
making sure that the connection was authenticated with the same credentials
as set for this transfer.
Affected versions:
libcurl 7.10.7 up to and including 7.46.0
Upgrade curl and libcurl to version 7.47.0
References:
https://curl.haxx.se/docs/adv_20160127A.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0755
Patch:
http://curl.haxx.se/CVE-2016-0755.patch
(from redmine: issue id 5068, created on 2016-02-04, closed on 2016-06-23)
- Relations:
- child #5069 (closed)
- child #5070 (closed)
- child #5071 (closed)
- child #5072 (closed)
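
The reuse flaw described above, as an added example that is not libcurl's code and not part of the original report: a simplified connection-cache lookup that either ignores or compares the credentials of an NTLM-authenticated proxy connection. The struct, function names, host and credentials are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a cached proxy connection (hypothetical struct,
   not libcurl's internal type). */
struct proxy_conn {
    const char *proxy_host;
    int proxy_port;
    const char *user;      /* credentials the NTLM handshake was done with */
    const char *password;
    int ntlm_done;         /* 1 once the connection itself is authenticated */
};

/* NULL-safe string equality. */
static int same(const char *a, const char *b) {
    if (!a || !b) return a == b;
    return strcmp(a, b) == 0;
}

/* Returns the index of a reusable cached connection, or -1 to force a new
   one. check_creds = 0 models the flawed match, 1 the corrected match. */
int find_reusable(const struct proxy_conn *pool, int n,
                  const struct proxy_conn *want, int check_creds) {
    int i;
    for (i = 0; i < n; i++) {
        const struct proxy_conn *c = &pool[i];
        if (!same(c->proxy_host, want->proxy_host) ||
            c->proxy_port != want->proxy_port)
            continue;
        /* NTLM authenticates the connection, so it is bound to one identity. */
        if (check_creds && c->ntlm_done &&
            (!same(c->user, want->user) || !same(c->password, want->password)))
            continue;
        return i;
    }
    return -1;
}

/* Constructed sample data: one cached connection authenticated as alice. */
static const struct proxy_conn POOL[] = {{ "proxy.example", 3128, "alice", "a-secret", 1 }};
static const struct proxy_conn AS_BOB   = { "proxy.example", 3128, "bob", "b-secret", 0 };
static const struct proxy_conn AS_ALICE = { "proxy.example", 3128, "alice", "a-secret", 0 };

int main(void) {
    printf("flawed, bob:   %d\n", find_reusable(POOL, 1, &AS_BOB, 0));
    printf("fixed,  bob:   %d\n", find_reusable(POOL, 1, &AS_BOB, 1));
    printf("fixed,  alice: %d\n", find_reusable(POOL, 1, &AS_ALICE, 1));
    return 0;
}
```

With the credential comparison disabled, the transfer configured for bob is handed the connection that was authenticated as alice; with it enabled, only a transfer using the same credentials reuses that connection.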