[3.2] curl: Multiple issues (CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621 CVE-2016-8622, CVE-2016-8623, CVE-2016-8624)
CVE-2016-8615: Cookie injection for other servers
CVE-2016-8616: Case insensitive password comparison
CVE-2016-8617: Out-of-bounds write via unchecked multiplication
CVE-2016-8618: Double-free in curl_maprintf
CVE-2016-8619: Double-free in krb5 code
CVE-2016-8620: Glob parser write/read out of bounds
CVE-2016-8621: curl_getdate out-of-bounds read
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: curl: Use-after-free via shared cookies
CVE-2016-8624: Invalid URL parsing with ‘#’
Fixed In Version:
curl 7.51.0
References:
https://curl.haxx.se/docs/adv\_20161102A.html
https://curl.haxx.se/docs/adv\_20161102B.html
https://curl.haxx.se/docs/adv\_20161102C.html
https://curl.haxx.se/docs/adv\_20161102D.html
https://curl.haxx.se/docs/adv\_20161102E.html
https://curl.haxx.se/docs/adv\_20161102F.html
https://curl.haxx.se/docs/adv\_20161102G.html
https://curl.haxx.se/docs/adv\_20161102H.html
https://curl.haxx.se/docs/adv\_20161102I.html
https://curl.haxx.se/docs/adv\_20161102J.html
Patches:
https://curl.haxx.se/CVE-2016-8615.patch
https://curl.haxx.se/CVE-2016-8616.patch
https://curl.haxx.se/CVE-2016-8617.patch
https://curl.haxx.se/CVE-2016-8618.patch
https://curl.haxx.se/CVE-2016-8619.patch
https://curl.haxx.se/CVE-2016-8620.patch
https://curl.haxx.se/CVE-2016-8621.patch
https://curl.haxx.se/CVE-2016-8622.patch
https://curl.haxx.se/CVE-2016-8623.patch
https://curl.haxx.se/CVE-2016-8624.patch
(from redmine: issue id 6436, created on 2016-11-08, closed on 2016-12-27)
- Relations:
- parent #6433 (closed)
- Changesets:
- Revision 4cbdd0cf by Sergei Lukin on 2016-12-13T14:07:32Z:
main/curl: security upgrade - fixes #6436
CVE-2016-8615
CVE-2016-8616
CVE-2016-8617
CVE-2016-8618
CVE-2016-8619
CVE-2016-8620
CVE-2016-8621
CVE-2016-8622
CVE-2016-8623
CVE-2016-8624